On Fri, 2014-05-23 at 12:13 +0100, Jim Baxter wrote: > What are the side effects of changing the truesize, if the original > uncloned skb has the full truesize then isn't the potential memory usage > still counted for the avoidance of OOM? Nope. This can be disastrous. A malicious remote peer can crash your host by sending specially cooked TCP messages. Send messages with one byte of payload, and out of order so that they cant be consumed by receiver, and cant be coalesced/collapsed. If you claim the true size is sizeof(sk_buff) + 512, TCP stack will accumulate these messages in out of order queue, and will not bother with them, unless you hit sk_rcvbuf limit. But in reality these messages uses sizeof(sk_buff) + 32768 bytes. Divide your physical memory by 32768 : How many such messages will fit in memory before the host crashes ? I've seen that kind of attacks in real cases. Even the fast clones sk_buff mismatch can be noticed. Luckily a 10% error has no severe impact. TCP stack uses fast clones, and current stack gives them a truesize of 2048 + sizeof(sk_buff), while it really should be 2048 + 2*sizeof(sk_buff) Luckily, GSO/TSO tends to reduce the error, as skbs overhead is lower. -- To unsubscribe from this list: send the line "unsubscribe linux-usb" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html