Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp3056690pxu; Sat, 19 Dec 2020 10:22:56 -0800 (PST) X-Google-Smtp-Source: ABdhPJworggmLsXjU+Nmb2xk0PD4KQ5p9hmGdhjYNLmO8XreNw01D5F+LR+pm1ErI5UWP2xZrSTr X-Received: by 2002:a50:c053:: with SMTP id u19mr9729602edd.109.1608402175824; Sat, 19 Dec 2020 10:22:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1608402175; cv=none; d=google.com; s=arc-20160816; b=ehwyNuMda6hToqZoHO2rURlzZ64+m8l7n6c/xCB1sr6gEx3EwIfYe9lPDOJ8VWNQqg gYR0YSLSBmZs1NyVYXnfbmuNmR7ecnFVLMt/UCRXeOow2k9IeVTHlnToYFOr2vaknJsh /PDGn4zw3ga5xjvReQPf97sqnpUmp+DsFvG83n/boOHqkeZ+WYi9VdqmVaV1It9BZeES QisTzuPOWvHA0RmIqGrIuqKLCz0boNx8De5CwfoMMW5hvcIlvWOGS6P0Msrq23ba/iiT kQDXwzbi6r/A/H1kD1txy/YxJH7d2RgCAA1KfzoR7qtkhTayC/vB+8NOJAz7j3NX49VL zK+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:dkim-signature :date; bh=wWoQC87NQ+McDNiM2IK6AzbU2COvt46As//QNd46SiQ=; b=0aUYSWEsLnGZ8qrxARi+QX5ZPKSOfUsCwX4hZiAHoos+gE+bjCJbk2SDYFDJYkMiix xlveMMwsxun8qAMomLAgD9xig2/D46ZZbzZtx0bfUiy3Gldoa0geaimBFO9O7WVs0KOi TdOD+VH6sM/bFJ0CAWdV4O1PklI6KceaLxjN69xrAn3ZQVlWaB/91+1UlbbZBql6MyRB ygUnzWE1H/8rYZNU8e5z3dkSSa2jbnclpxpZ8vLru27CrHXUWz2J+DlHAQCq5jKBMj4w Z9WoOHkjO86C19RAwqzEQ+6JqMrIVgbwIE0ITm9tQFDH+r1/h9qeOna7vdXjD2CuhPgJ kabA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=eRsUzkUv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u10si2943173ejm.606.2020.12.19.10.22.33; Sat, 19 Dec 2020 10:22:55 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=eRsUzkUv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727384AbgLSSV6 (ORCPT + 99 others); Sat, 19 Dec 2020 13:21:58 -0500 Received: from mail.kernel.org ([198.145.29.99]:59868 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726144AbgLSSV6 (ORCPT ); Sat, 19 Dec 2020 13:21:58 -0500 Date: Sat, 19 Dec 2020 10:21:16 -0800 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1608402077; bh=9anSoEyGYfwJXexpe6AJSpZfREs9m9aRLDWzjrBcS+4=; h=From:To:Cc:Subject:In-Reply-To:References:From; b=eRsUzkUv7P5atJeg5AJ+M/FUr1Xe/SC+T0zH0T9jEQz3uDHCWgy/YaWidKSZkdn8y 02zDl8WpDmKwYzq12Z8KXRogx7MRBtYhZY31H4nhdb6NLnQToffek+G7BA2TnT9ILK QGr1dIaPIrdF/Er7oYa0GSNeUn8YhNzRgXHek1wZR/p8O+kk4IDErMzcsOGPhkdmTt TksQ8wUkma8m/S4nov+Pp7PyvrxMEoKBAtDUu9eQmyrwndrMlzXMSKncUz7Kesy5Wh ioMMjyr2ZAzLpjDswBwpa6iGEwfYig60X5fJJnZ+ByxepjGwvynPuAW5wsoKGAQt8V S0xPrW6/LqbLA== From: Jakub Kicinski To: weichenchen Cc: davem@davemloft.net, liuhangbin@gmail.com, dsahern@kernel.org, jdike@akamai.com, mrv@mojatatu.com, lirongqing@baidu.com, nikolay@cumulusnetworks.com, roopa@cumulusnetworks.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, splendidsky.cwc@alibaba-inc.com, yanxu.zw@alibaba-inc.com Subject: Re: [PATCH] net: neighbor: fix a crash caused by mod zero Message-ID: <20201219102116.3cc0d74c@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com> In-Reply-To: <20201218042019.52096-1-weichen.chen@linux.alibaba.com> References: <20201218042019.52096-1-weichen.chen@linux.alibaba.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 18 Dec 2020 12:20:19 +0800 weichenchen wrote: > pneigh_enqueue() tries to obtain a random delay by mod > NEIGH_VAR(p, PROXY_DELAY). However, NEIGH_VAR(p, PROXY_DELAY) > migth be zero at that point because someone could write zero > to /proc/sys/net/ipv4/neigh/[device]/proxy_delay after the > callers check it. > > This patch double-checks NEIGH_VAR(p, PROXY_DELAY) in > pneigh_enqueue() to ensure not to take zero as modulus. > > Signed-off-by: weichenchen Let's have the caller pass in the value since it did the checking? > diff --git a/net/core/neighbour.c b/net/core/neighbour.c > index 9500d28a43b0..eb5d015c53d3 100644 > --- a/net/core/neighbour.c > +++ b/net/core/neighbour.c > @@ -1570,9 +1570,14 @@ void pneigh_enqueue(struct neigh_table *tbl, struct neigh_parms *p, > struct sk_buff *skb) > { > unsigned long now = jiffies; > + unsigned long sched_next; > > - unsigned long sched_next = now + (prandom_u32() % > - NEIGH_VAR(p, PROXY_DELAY)); > + int delay = NEIGH_VAR(p, PROXY_DELAY); > + > + if (delay <= 0) Not that this still doesn't guarantee that the compiler won't re-read the value (however unlikely). We need a READ_ONCE(). > + sched_next = now; > + else > + sched_next = now + (prandom_u32() % delay); > > if (tbl->proxy_queue.qlen > NEIGH_VAR(p, PROXY_QLEN)) { > kfree_skb(skb);