From: Simon Horman <horms@kernel.org>
To: ja@ssi.bg
Cc: 'Simon Horman' <horms@kernel.org>,
horms@verge.net.au, pablo@netfilter.org, fw@strlen.de,
lvs-devel@vger.kernel.org, netfilter-devel@vger.kernel.org,
netdev@vger.kernel.org
Subject: Re: [PATCH net] ipvs: fix shift-out-of-bounds in ip_vs_rht_desired_size
Date: Thu, 30 Apr 2026 13:39:17 +0100 [thread overview]
Message-ID: <20260430123917.1628871-2-horms@kernel.org> (raw)
In-Reply-To: <20260427234014.86256-1-ja@ssi.bg>
From: 'Simon Horman' <horms@kernel.org>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
ipvs: fix shift-out-of-bounds in ip_vs_rht_desired_size
This commit addresses a shift-out-of-bounds issue when roundup_pow_of_two()
is called with 0 in ip_vs_rht_desired_size. It updates the assignment to fall
back to 1 if n is 0.
> diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
> index f5b7a2047291..ea450944465f 100644
> --- a/net/netfilter/ipvs/ip_vs_core.c
> +++ b/net/netfilter/ipvs/ip_vs_core.c
> @@ -237,7 +237,7 @@ int ip_vs_rht_desired_size(struct netns_ipvs *ipvs, struct ip_vs_rht *t, int n,
> {
> if (!t)
> return 1 << min_bits;
> - n = roundup_pow_of_two(n);
> + n = n ? roundup_pow_of_two(n) : 1;
The parameter n is a signed int. If n happens to be negative, it will evaluate
to true and be passed to roundup_pow_of_two().
Because roundup_pow_of_two() casts the input to unsigned long, a negative
value like -1 becomes ULONG_MAX. This results in a shift exponent of 64,
triggering a shift-out-of-bounds regression. Would it be safer to check
for n <= 0 instead?
Additionally, if n exceeds 1.07 billion (1 << 30) on systems with large
amounts of RAM, roundup_pow_of_two(n) evaluates to 1UL << 31. Since n is
a 32-bit signed int, assigning 1UL << 31 back to n overflows and results
in a negative number.
Since subsequent bounds checks use signed comparisons:
> if (lfactor < 0) {
> int factor = min(-lfactor, max_bits);
>
> n = min(n, 1 << (max_bits - factor));
These checks will fail to constrain the size correctly.
[ ... ]
> /* Shrink but keep it n * 2 to prevent frequent resizing */
> return clamp(n << 1, 1 << min_bits, 1 << max_bits);
> }
Eventually, the function returns clamp(n << 1, 1 << min_bits, 1 << max_bits).
Shifting a negative number causes undefined behavior, and the clamp operation
will force the hash table to its absolute minimum size.
Could this cause millions of connections to be placed into a minimally sized
hash table, causing severe collisions during RCU hash lookups?
next prev parent reply other threads:[~2026-04-30 12:39 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-27 23:40 [PATCH net] ipvs: fix shift-out-of-bounds in ip_vs_rht_desired_size Julian Anastasov
2026-04-30 12:39 ` Simon Horman [this message]
2026-04-30 13:10 ` Julian Anastasov
2026-04-30 16:14 ` Simon Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260430123917.1628871-2-horms@kernel.org \
--to=horms@kernel.org \
--cc=fw@strlen.de \
--cc=horms@verge.net.au \
--cc=ja@ssi.bg \
--cc=lvs-devel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.