From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Gleb Mazovetskiy <glex.spb@gmail.com>,
Kuniyuki Iwashima <kuniyu@amazon.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 28/62] tcp: configurable source port perturb table size
Date: Mon, 5 Dec 2022 20:09:25 +0100 [thread overview]
Message-ID: <20221205190759.159365142@linuxfoundation.org> (raw)
In-Reply-To: <20221205190758.073114639@linuxfoundation.org>
From: Gleb Mazovetskiy <glex.spb@gmail.com>
[ Upstream commit aeac4ec8f46d610a10adbaeff5e2edf6a88ffc62 ]
On embedded systems with little memory and no relevant
security concerns, it is beneficial to reduce the size
of the table.
Reducing the size from 2^16 to 2^8 saves 255 KiB
of kernel RAM.
Makes the table size configurable as an expert option.
The size was previously increased from 2^8 to 2^16
in commit 4c2c8f03a5ab ("tcp: increase source port perturb table to
2^16").
Signed-off-by: Gleb Mazovetskiy <glex.spb@gmail.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/Kconfig | 10 ++++++++++
net/ipv4/inet_hashtables.c | 10 +++++-----
2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 4d265d4a0dbe..29be5bcbe7ac 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -371,6 +371,16 @@ config INET_IPCOMP
If unsure, say Y.
+config INET_TABLE_PERTURB_ORDER
+ int "INET: Source port perturbation table size (as power of 2)" if EXPERT
+ default 16
+ help
+ Source port perturbation table size (as power of 2) for
+ RFC 6056 3.3.4. Algorithm 4: Double-Hash Port Selection Algorithm.
+
+ The default is almost always what you want.
+ Only change this if you know what you are doing.
+
config INET_XFRM_TUNNEL
tristate
select INET_TUNNEL
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index db47e1c407d9..9958850b6cee 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -541,13 +541,13 @@ EXPORT_SYMBOL_GPL(inet_unhash);
* Note that we use 32bit integers (vs RFC 'short integers')
* because 2^16 is not a multiple of num_ephemeral and this
* property might be used by clever attacker.
+ *
* RFC claims using TABLE_LENGTH=10 buckets gives an improvement, though
- * attacks were since demonstrated, thus we use 65536 instead to really
- * give more isolation and privacy, at the expense of 256kB of kernel
- * memory.
+ * attacks were since demonstrated, thus we use 65536 by default instead
+ * to really give more isolation and privacy, at the expense of 256kB
+ * of kernel memory.
*/
-#define INET_TABLE_PERTURB_SHIFT 16
-#define INET_TABLE_PERTURB_SIZE (1 << INET_TABLE_PERTURB_SHIFT)
+#define INET_TABLE_PERTURB_SIZE (1 << CONFIG_INET_TABLE_PERTURB_ORDER)
static u32 *table_perturb;
int __inet_hash_connect(struct inet_timewait_death_row *death_row,
--
2.35.1
next prev parent reply other threads:[~2022-12-05 19:13 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-05 19:08 [PATCH 4.9 00/62] 4.9.335-rc1 review Greg Kroah-Hartman
2022-12-05 19:08 ` [PATCH 4.9 01/62] wifi: mac80211_hwsim: fix debugfs attribute ps with rc table support Greg Kroah-Hartman
2022-12-05 19:08 ` [PATCH 4.9 02/62] audit: fix undefined behavior in bit shift for AUDIT_BIT Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 03/62] wifi: mac80211: Fix ack frame idr leak when mesh has no route Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 04/62] MIPS: pic32: treat port as signed integer Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 05/62] af_key: Fix send_acquire race with pfkey_register Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 06/62] bus: sunxi-rsb: Support atomic transfers Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 07/62] ARM: dts: at91: sam9g20ek: enable udc vbus gpio pinctrl Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 08/62] nfc/nci: fix race with opening and closing Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 09/62] net: pch_gbe: fix potential memleak in pch_gbe_tx_queue() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 10/62] 9p/fd: fix issue of list_del corruption in p9_fd_cancel() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 11/62] ARM: mxs: fix memory leak in mxs_machine_init() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 12/62] net/mlx4: Check retval of mlx4_bitmap_init Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 13/62] net/qla3xxx: fix potential memleak in ql3xxx_send() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 14/62] xfrm: Fix ignored return value in xfrm6_init() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 15/62] NFC: nci: fix memory leak in nci_rx_data_packet() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 16/62] nfc: st-nci: fix incorrect validating logic in EVT_TRANSACTION Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 17/62] nfc: st-nci: fix memory leaks " Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 18/62] net: thunderx: Fix the ACPI memory leak Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 19/62] s390/crashdump: fix TOD programmable field size Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 20/62] iio: light: apds9960: fix wrong register for gesture gain Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 21/62] iio: core: Fix entry not deleted when iio_register_sw_trigger_type() fails Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 22/62] kconfig: display recursive dependency resolution hint just once Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 23/62] nios2: add FORCE for vmlinuz.gz Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 25/62] serial: 8250: 8250_omap: Avoid RS485 RTS glitch on ->set_termios() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 26/62] xen/platform-pci: add missing free_irq() in error path Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 27/62] platform/x86: asus-wmi: add missing pci_dev_put() in asus_wmi_set_xusb2pr() Greg Kroah-Hartman
2022-12-05 19:09 ` Greg Kroah-Hartman [this message]
2022-12-05 19:09 ` [PATCH 4.9 29/62] net: usb: qmi_wwan: add Telit 0x103a composition Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 30/62] drm/amdgpu: always register an MMU notifier for userptr Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 31/62] iio: health: afe4403: Fix oob read in afe4403_read_raw Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 32/62] iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 33/62] hwmon: (i5500_temp) fix missing pci_disable_device() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 34/62] hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 35/62] net/mlx5: Fix uninitialized variable bug in outlen_write() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 36/62] can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 37/62] can: cc770: cc770_isa_probe(): add missing free_cc770dev() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 38/62] qlcnic: fix sleep-in-atomic-context bugs caused by msleep Greg Kroah-Hartman
2022-12-06 12:51 ` Pavel Machek
2022-12-05 19:09 ` [PATCH 4.9 39/62] net: phy: fix null-ptr-deref while probe() failed Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 40/62] net: net_netdev: Fix error handling in ntb_netdev_init_module() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 41/62] net/9p: Fix a potential socket leak in p9_socket_open Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 42/62] net: hsr: Fix potential use-after-free Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 43/62] packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 44/62] net: ethernet: renesas: ravb: Fix promiscuous mode after system resumed Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 45/62] hwmon: (coretemp) Check for null before removing sysfs attrs Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 46/62] hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 47/62] btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 48/62] tools/vm/slabinfo-gnuplot: use "grep -E" instead of "egrep" Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 49/62] nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 50/62] arm64: Fix panic() when Spectre-v2 causes Spectre-BHB to re-allocate KVM vectors Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 51/62] arm64: errata: Fix KVM Spectre-v2 mitigation selection for Cortex-A57/A72 Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 52/62] ASoC: ops: Fix bounds check for _sx controls Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 53/62] pinctrl: single: Fix potential division by zero Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 54/62] iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 55/62] tcp/udp: Fix memory leak in ipv6_renew_options() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 56/62] Revert "fbdev: fb_pm2fb: Avoid potential divide by zero error" Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 57/62] x86/tsx: Add a feature bit for TSX control MSR support Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 58/62] x86/pm: Add enumeration check before spec MSRs save/restore setup Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 59/62] Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 60/62] x86/ioremap: Fix page aligned size calculation in __ioremap_caller() Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 61/62] mmc: sdhci: use FIELD_GET for preset value bit masks Greg Kroah-Hartman
2022-12-05 19:09 ` [PATCH 4.9 62/62] mmc: sdhci: Fix voltage switch delay Greg Kroah-Hartman
2022-12-05 22:28 ` [PATCH 4.9 00/62] 4.9.335-rc1 review Jon Hunter
2022-12-05 22:48 ` Florian Fainelli
2022-12-06 0:11 ` Florian Fainelli
2022-12-06 9:23 ` Adrian Hunter
2022-12-06 11:37 ` Greg Kroah-Hartman
2022-12-06 2:51 ` Shuah Khan
2022-12-06 10:31 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221205190759.159365142@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=glex.spb@gmail.com \
--cc=kuniyu@amazon.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).