Message ID | 20201218042019.52096-1-weichen.chen@linux.alibaba.com (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | net: neighbor: fix a crash caused by mod zero | expand |
Context | Check | Description |
---|---|---|
netdev/cover_letter | success | Link |
netdev/fixes_present | success | Link |
netdev/patch_count | success | Link |
netdev/tree_selection | success | Guessed tree name to be net-next |
netdev/subject_prefix | warning | Target tree name not specified in the subject |
netdev/source_inline | success | Was 0 now: 0 |
netdev/verify_signedoff | success | Link |
netdev/module_param | success | Was 0 now: 0 |
netdev/build_32bit | success | Errors and warnings before: 3 this patch: 3 |
netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
netdev/verify_fixes | success | Link |
netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 16 lines checked |
netdev/build_allmodconfig_warn | success | Errors and warnings before: 3 this patch: 3 |
netdev/header_inline | success | Link |
netdev/stable | success | Stable not CCed |
On Fri, 18 Dec 2020 12:20:19 +0800 weichenchen wrote: > pneigh_enqueue() tries to obtain a random delay by mod > NEIGH_VAR(p, PROXY_DELAY). However, NEIGH_VAR(p, PROXY_DELAY) > migth be zero at that point because someone could write zero > to /proc/sys/net/ipv4/neigh/[device]/proxy_delay after the > callers check it. > > This patch double-checks NEIGH_VAR(p, PROXY_DELAY) in > pneigh_enqueue() to ensure not to take zero as modulus. > > Signed-off-by: weichenchen <weichen.chen@linux.alibaba.com> Let's have the caller pass in the value since it did the checking? > diff --git a/net/core/neighbour.c b/net/core/neighbour.c > index 9500d28a43b0..eb5d015c53d3 100644 > --- a/net/core/neighbour.c > +++ b/net/core/neighbour.c > @@ -1570,9 +1570,14 @@ void pneigh_enqueue(struct neigh_table *tbl, struct neigh_parms *p, > struct sk_buff *skb) > { > unsigned long now = jiffies; > + unsigned long sched_next; > > - unsigned long sched_next = now + (prandom_u32() % > - NEIGH_VAR(p, PROXY_DELAY)); > + int delay = NEIGH_VAR(p, PROXY_DELAY); > + > + if (delay <= 0) Not that this still doesn't guarantee that the compiler won't re-read the value (however unlikely). We need a READ_ONCE(). > + sched_next = now; > + else > + sched_next = now + (prandom_u32() % delay); > > if (tbl->proxy_queue.qlen > NEIGH_VAR(p, PROXY_QLEN)) { > kfree_skb(skb);
diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 9500d28a43b0..eb5d015c53d3 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -1570,9 +1570,14 @@ void pneigh_enqueue(struct neigh_table *tbl, struct neigh_parms *p, struct sk_buff *skb) { unsigned long now = jiffies; + unsigned long sched_next; - unsigned long sched_next = now + (prandom_u32() % - NEIGH_VAR(p, PROXY_DELAY)); + int delay = NEIGH_VAR(p, PROXY_DELAY); + + if (delay <= 0) + sched_next = now; + else + sched_next = now + (prandom_u32() % delay); if (tbl->proxy_queue.qlen > NEIGH_VAR(p, PROXY_QLEN)) { kfree_skb(skb);
pneigh_enqueue() tries to obtain a random delay by mod NEIGH_VAR(p, PROXY_DELAY). However, NEIGH_VAR(p, PROXY_DELAY) migth be zero at that point because someone could write zero to /proc/sys/net/ipv4/neigh/[device]/proxy_delay after the callers check it. This patch double-checks NEIGH_VAR(p, PROXY_DELAY) in pneigh_enqueue() to ensure not to take zero as modulus. Signed-off-by: weichenchen <weichen.chen@linux.alibaba.com> --- net/core/neighbour.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)