On Thu, 2018-08-09 at 14:47 +0200, Greg KH wrote:
> On Thu, Aug 09, 2018 at 08:37:13PM +0800, maowenan wrote:
> > There are two patches in stable branch linux-4.4, but I have tested with 
> > below patches, and found that the cpu usage was very high.
> > dc6ae4d tcp: detect malicious patterns in tcp_collapse_ofo_queue()
> > 5fbec48 tcp: avoid collapses in tcp_prune_queue() if possible
> > 
> > test results:
> > with fix patch: 78.2%   ksoftirqd
> > no fix patch:   90%     ksoftirqd
> > 
> > There is 0% when there are no attack packets.
> > 
> > so please help verify that fixed patches are enough in linux-stable 4.4.
> > 
> 
> I do not know, I am not a network developer.  Please try to reproduce
> the same thing on a newer kernel release and see if the result is the
> same or not.  If you can find a change that I missed, please let me know
> and I will be glad to apply it.

maowenan, there were five patches in the original upstream set to
address SegmentSmack:

      tcp: free batches of packets in tcp_prune_ofo_queue()
      tcp: avoid collapses in tcp_prune_queue() if possible
      tcp: detect malicious patterns in tcp_collapse_ofo_queue()
      tcp: call tcp_drop() from tcp_data_queue_ofo()
      tcp: add tcp_ooo_try_coalesce() helper

I believe that the first one, "free batches of packets..." is not
needed in 4.4 because we only have a simple queue of packets there
anyway, so we're dropping everything each time and don't need the
heuristics for how many to drop.

That leaves two more which have so far not been backported to 4.4; can
you try applying them and see if it resolves the problem for you?

Thanks.
