From: Eric Dumazet <eric.dumazet@gmail.com>
To: weichenchen <weichen.chen@linux.alibaba.com>
Cc: splendidsky.cwc@alibaba-inc.com, yanxu.zw@alibaba-inc.com,
	"David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
	Hangbin Liu <liuhangbin@gmail.com>,
	David Ahern <dsahern@kernel.org>, Jeff Dike <jdike@akamai.com>,
	Roman Mashak <mrv@mojatatu.com>,
	Nikolay Aleksandrov <nikolay@cumulusnetworks.com>,
	Roopa Prabhu <roopa@cumulusnetworks.com>,
	Li RongQing <lirongqing@baidu.com>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] net: neighbor: fix a crash caused by mod zero
Date: Tue, 22 Dec 2020 17:34:18 +0100
Message-ID: <dbc6cd85-c58b-add2-5801-06e8e94b7d6b@gmail.com>
In-Reply-To: <20201222123838.12951-1-weichen.chen@linux.alibaba.com>



On 12/22/20 1:38 PM, weichenchen wrote:
> pneigh_enqueue() tries to obtain a random delay by mod
> NEIGH_VAR(p, PROXY_DELAY). However, NEIGH_VAR(p, PROXY_DELAY)
> might be zero at that point because someone could write zero
> to /proc/sys/net/ipv4/neigh/[device]/proxy_delay after the
> callers check it.
> 
> This patch makes pneigh_enqueue() get a delay time passed in
> by the callers and the callers guarantee it is not zero.
> 
> Signed-off-by: weichenchen <weichen.chen@linux.alibaba.com>
> ---
> V3:
>     - Callers need to pass the delay time to pneigh_enqueue()
>       now and they should guarantee it is not zero.
>     - Use READ_ONCE() to read NEIGH_VAR(p, PROXY_DELAY) in both
>       of the existing callers of pneigh_enqueue() and then pass
>       it to pneigh_enqueue().
> V2:
>     - Use READ_ONCE() to prevent the compiler from re-reading
>       NEIGH_VAR(p, PROXY_DELAY).
>     - Give a hint to the compiler that delay <= 0 is unlikely
>       to happen.
> ---
>  include/net/neighbour.h | 2 +-
>  net/core/neighbour.c    | 5 ++---
>  net/ipv4/arp.c          | 8 +++++---
>  net/ipv6/ndisc.c        | 6 +++---
>  4 files changed, 11 insertions(+), 10 deletions(-)
> 
> diff --git a/include/net/neighbour.h b/include/net/neighbour.h
> index 22ced1381ede..f7564dc5304d 100644
> --- a/include/net/neighbour.h
> +++ b/include/net/neighbour.h
> @@ -352,7 +352,7 @@ struct net *neigh_parms_net(const struct neigh_parms *parms)
>  unsigned long neigh_rand_reach_time(unsigned long base);
>  
>  void pneigh_enqueue(struct neigh_table *tbl, struct neigh_parms *p,
> -		    struct sk_buff *skb);
> +		    struct sk_buff *skb, int delay);
>  struct pneigh_entry *pneigh_lookup(struct neigh_table *tbl, struct net *net,
>  				   const void *key, struct net_device *dev,
>  				   int creat);
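Review bot: The new `int delay` parameter in the pneigh_enqueue() prototype carries a contract (callers must pass a non-zero value) that is stated only in the changelog, not at the declaration. A short comment above the prototype saying delay must be greater than zero, or an unsigned type so a negative value cannot be passed, would keep a future caller from reintroducing the modulo by zero.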
> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
> index 9500d28a43b0..b440f966d109 100644
> --- a/net/core/neighbour.c
> +++ b/net/core/neighbour.c
> @@ -1567,12 +1567,11 @@ static void neigh_proxy_process(struct timer_list *t)
>  }
>  
>  void pneigh_enqueue(struct neigh_table *tbl, struct neigh_parms *p,
> -		    struct sk_buff *skb)
> +		    struct sk_buff *skb, int delay)
>  {
>  	unsigned long now = jiffies;
>  
> -	unsigned long sched_next = now + (prandom_u32() %
> -					  NEIGH_VAR(p, PROXY_DELAY));
> +	unsigned long sched_next = now + (prandom_u32() % delay);
>  
>  	if (tbl->proxy_queue.qlen > NEIGH_VAR(p, PROXY_QLEN)) {
>  		kfree_skb(skb);
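Review bot: In `sched_next = now + (prandom_u32() % delay)` the divisor is still unchecked inside pneigh_enqueue(), so the function faults if any caller passes 0, and because delay is a signed int a negative value would be converted to a large unsigned modulus. The non-zero guarantee lives in the arp.c and ndisc.c callers, which this hunk does not show; a guard here, or a bound computed without a division, would make the function safe on its own.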

This seems rather complex, what about not using a divide in the first place?

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 9500d28a43b0e1a390382912b6fb59db935e727b..745bc89acc87c2a4802fb6f301c11edd2f0096da 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1569,10 +1569,7 @@ static void neigh_proxy_process(struct timer_list *t)
 void pneigh_enqueue(struct neigh_table *tbl, struct neigh_parms *p,
                    struct sk_buff *skb)
 {
-       unsigned long now = jiffies;
-
-       unsigned long sched_next = now + (prandom_u32() %
-                                         NEIGH_VAR(p, PROXY_DELAY));
+       unsigned long sched_next = jiffies + prandom_u32_max(NEIGH_VAR(p, PROXY_DELAY));
 
        if (tbl->proxy_queue.qlen > NEIGH_VAR(p, PROXY_QLEN)) {
                kfree_skb(skb);
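Review bot: With `prandom_u32_max(NEIGH_VAR(p, PROXY_DELAY))` a zero PROXY_DELAY no longer faults but yields sched_next == jiffies, which deserves a sentence in the changelog so the behaviour change is deliberate rather than incidental. The replacement line also runs past 80 columns and could be wrapped after the `+`.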

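The two fixes discussed in this thread, as an added userspace model that is not code from the patch or the kernel tree: a single snapshot of the shared value that is checked and then used (the v3 approach), next to a multiply-shift bound that has no divisor to race on (the approach suggested in the reply). The names `proxy_delay`, `bounded_mulshift`, `delay_by_mod_snapshot` and `delay_by_mulshift` are hypothetical, and the "random" inputs are constructed.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the sysctl-backed NEIGH_VAR(p, PROXY_DELAY); a writer
 * may store 0 here at any time (hypothetical userspace model). */
static _Atomic int proxy_delay = 80;

/* Bounded value by multiply-shift: the result is in [0, bound) and is
 * 0 when bound == 0, so there is no division that could trap. */
static uint32_t bounded_mulshift(uint32_t rnd, uint32_t bound)
{
	return (uint32_t)(((uint64_t)rnd * bound) >> 32);
}

/* Snapshot pattern: read the shared value once, then check and use
 * only the local copy. Returns -1 when the snapshot is not usable. */
static int64_t delay_by_mod_snapshot(uint32_t rnd)
{
	int delay = atomic_load_explicit(&proxy_delay, memory_order_relaxed);

	if (delay <= 0)
		return -1;
	return rnd % (uint32_t)delay;
}

/* Division-free pattern: safe whatever value the writer stored. */
static uint32_t delay_by_mulshift(uint32_t rnd)
{
	int delay = atomic_load_explicit(&proxy_delay, memory_order_relaxed);

	return bounded_mulshift(rnd, delay > 0 ? (uint32_t)delay : 0);
}

int main(void)
{
	uint32_t rnd = 0xdeadbeef;	/* constructed sample value */

	printf("delay=80: mod=%lld mulshift=%u\n",
	       (long long)delay_by_mod_snapshot(rnd), delay_by_mulshift(rnd));
	atomic_store(&proxy_delay, 0);	/* models a concurrent write of 0 */
	printf("delay=0:  mod=%lld mulshift=%u\n",
	       (long long)delay_by_mod_snapshot(rnd), delay_by_mulshift(rnd));
	return 0;
}
```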
