Message ID | 20201225054448.73256-1-weichen.chen@linux.alibaba.com |
---|---|
State | New |
Headers | show |
Series | [v4] net: neighbor: fix a crash caused by mod zero | expand |
From: weichenchen <weichen.chen@linux.alibaba.com> Date: Fri, 25 Dec 2020 13:44:45 +0800 > pneigh_enqueue() tries to obtain a random delay by mod > NEIGH_VAR(p, PROXY_DELAY). However, NEIGH_VAR(p, PROXY_DELAY) > migth be zero at that point because someone could write zero > to /proc/sys/net/ipv4/neigh/[device]/proxy_delay after the > callers check it. > > This patch uses prandom_u32_max() to get a random delay instead > which avoids potential division by zero. > > Signed-off-by: weichenchen <weichen.chen@linux.alibaba.com> > --- > V4: > - Use prandom_u32_max() to get a random delay in > pneigh_enqueue(). > V3: > - Callers need to pass the delay time to pneigh_enqueue() > now and they should guarantee it is not zero. > - Use READ_ONCE() to read NEIGH_VAR(p, PROXY_DELAY) in both > of the existing callers of pneigh_enqueue() and then pass > it to pneigh_enqueue(). > V2: > - Use READ_ONCE() to prevent the complier from re-reading > NEIGH_VAR(p, PROXY_DELAY). > - Give a hint to the complier that delay <= 0 is unlikely > to happen. > > V4 is quite concise and works well. > Thanks for Eric's and Jakub's advice. Applied and queued up for -stable, thanks.
diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 9500d28a43b0..277ed854aef1 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -1569,10 +1569,8 @@ static void neigh_proxy_process(struct timer_list *t) void pneigh_enqueue(struct neigh_table *tbl, struct neigh_parms *p, struct sk_buff *skb) { - unsigned long now = jiffies; - - unsigned long sched_next = now + (prandom_u32() % - NEIGH_VAR(p, PROXY_DELAY)); + unsigned long sched_next = jiffies + + prandom_u32_max(NEIGH_VAR(p, PROXY_DELAY)); if (tbl->proxy_queue.qlen > NEIGH_VAR(p, PROXY_QLEN)) { kfree_skb(skb);
pneigh_enqueue() tries to obtain a random delay by mod NEIGH_VAR(p, PROXY_DELAY). However, NEIGH_VAR(p, PROXY_DELAY) migth be zero at that point because someone could write zero to /proc/sys/net/ipv4/neigh/[device]/proxy_delay after the callers check it. This patch uses prandom_u32_max() to get a random delay instead which avoids potential division by zero. Signed-off-by: weichenchen <weichen.chen@linux.alibaba.com> --- V4: - Use prandom_u32_max() to get a random delay in pneigh_enqueue(). V3: - Callers need to pass the delay time to pneigh_enqueue() now and they should guarantee it is not zero. - Use READ_ONCE() to read NEIGH_VAR(p, PROXY_DELAY) in both of the existing callers of pneigh_enqueue() and then pass it to pneigh_enqueue(). V2: - Use READ_ONCE() to prevent the complier from re-reading NEIGH_VAR(p, PROXY_DELAY). - Give a hint to the complier that delay <= 0 is unlikely to happen. V4 is quite concise and works well. Thanks for Eric's and Jakub's advice. --- net/core/neighbour.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-)