A peer (or local user) may cause TCP to use a nominal MSS of as little as 88 (actual MSS of 76 with timestamps). Given that we have a sufficiently prodigious local sender and the peer ACKs quickly enough, it is nevertheless possible to grow the window for such a connection to the point that we will try to send just under 64K at once. This results in a single skb that expands to 861 segments. In some drivers with TSO support, such an skb will require hundreds of DMA descriptors; a substantial fraction of a TX ring or even more than a full ring. The TX queue selected for the skb may stall and trigger the TX watchdog repeatedly (since the problem skb will be retried after the TX reset). Upstream patch: http://www.spinics.net/lists/netdev/msg206332.html References: http://seclists.org/oss-sec/2012/q3/171 Acknowledgements: Red Hat would like to thank Ben Hutchings of Solarflare (tm) for reporting this issue.
Created kernel tracking bugs for this issue Affects: fedora-all [bug 845558]
Mitigation as recommended by Ben Hutchings ------------------------------------------ If all processes that may send on the sfc interface use Onload, or do not use TCP, the vulnerability does not exist. The vulnerability can otherwise be avoided by making a temporary configuration change. For an sfc interface named eth0, either: a. Increase the TX queue size: ethtool -G eth0 tx 4096 This can increase TX latency and memory usage. or: b. Disable TSO: ethtool -K eth0 tso off This can reduce TX throughput and/or increase CPU usage.
This issue has been addressed in following products: RHEV-H, V2V and Agents for RHEL-5 Via RHSA-2012:1324 https://rhn.redhat.com/errata/RHSA-2012-1324.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2012:1323 https://rhn.redhat.com/errata/RHSA-2012-1323.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5.6 EUS - Server Only Via RHSA-2012:1347 https://rhn.redhat.com/errata/RHSA-2012-1347.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2012:1366 https://rhn.redhat.com/errata/RHSA-2012-1366.html
This issue has been addressed in following products: RHEV-H and Agents for RHEL-6 Via RHSA-2012:1375 https://rhn.redhat.com/errata/RHSA-2012-1375.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6.2 EUS - Server Only Via RHSA-2012:1401 https://rhn.redhat.com/errata/RHSA-2012-1401.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6.1 EUS - Server Only Via RHSA-2012:1430 https://rhn.redhat.com/errata/RHSA-2012-1430.html