On Wed, Jun 16, 2021 at 1:19 PM David Laight David.Laight@aculab.com wrote:
Can someone explain why this is a good idea for a 'normal' system?
This patch mitigates some techniques that leak internal state due to table hash collisions.
Why should my desktop system 'waste' 2MB of memory on a massive hash table that I don't need.
In the patch's defense, it only consumes 2MB when the physical RAM is >= 16GB.
It might be needed by systems than handle massive numbers of concurrent connections - but that isn't 'most systems'.
Surely it would be better to detect when the number of entries is comparable to the table size and then resize the table.
Security-wise, this approach is not effective. The table size was increased to reduce the likelihood of hash collisions. These start happening when you have ~N^(1/2) elements (for table size N), so you'll need to resize pretty quickly anyway.