* [PATCH net] packet: avoid out of bounds read in round robin fanout
@ 2015-06-16 21:07 Willem de Bruijn
2015-06-16 21:51 ` Willem de Bruijn
2015-06-17 12:09 ` Sergei Shtylyov
0 siblings, 2 replies; 6+ messages in thread
From: Willem de Bruijn @ 2015-06-16 21:07 UTC (permalink / raw)
To: netdev; +Cc: davem, edumazet, Willem de Bruijn
From: Willem de Bruijn <willemb@google.com>
PACKET_FANOUT_LB computes f->rr_cur such that it is modulo
f->num_members. It returns the old value unconditionally, but
f->num_members may have changed since the last store. This can be
fixed with
- return cur
+ return cur < num ? : 0;
When modifying the logic, simplify it further by replacing the loop
with an unconditional atomic increment.
Fixes: dc99f600698d ("packet: Add fanout support.")
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
---
net/packet/af_packet.c | 19 ++-----------------
1 file changed, 2 insertions(+), 17 deletions(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index b5989c6..efd35e8 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1272,16 +1272,6 @@ static void packet_sock_destruct(struct sock *sk)
sk_refcnt_debug_dec(sk);
}
-static int fanout_rr_next(struct packet_fanout *f, unsigned int num)
-{
- int x = atomic_read(&f->rr_cur) + 1;
-
- if (x >= num)
- x = 0;
-
- return x;
-}
-
static unsigned int fanout_demux_hash(struct packet_fanout *f,
struct sk_buff *skb,
unsigned int num)
@@ -1293,13 +1283,8 @@ static unsigned int fanout_demux_lb(struct packet_fanout *f,
struct sk_buff *skb,
unsigned int num)
{
- int cur, old;
-
- cur = atomic_read(&f->rr_cur);
- while ((old = atomic_cmpxchg(&f->rr_cur, cur,
- fanout_rr_next(f, num))) != cur)
- cur = old;
- return cur;
+ unsigned int val = atomic_inc_return(&f->rr_cur);
+ return val % num;
}
static unsigned int fanout_demux_cpu(struct packet_fanout *f,
--
2.2.0.rc0.207.ga3a616c
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH net] packet: avoid out of bounds read in round robin fanout
2015-06-16 21:07 [PATCH net] packet: avoid out of bounds read in round robin fanout Willem de Bruijn
@ 2015-06-16 21:51 ` Willem de Bruijn
2015-06-17 12:09 ` Sergei Shtylyov
1 sibling, 0 replies; 6+ messages in thread
From: Willem de Bruijn @ 2015-06-16 21:51 UTC (permalink / raw)
To: Network Development; +Cc: David Miller, Eric Dumazet, Willem de Bruijn
On Tue, Jun 16, 2015 at 5:07 PM, Willem de Bruijn <willemb@google.com> wrote:
> From: Willem de Bruijn <willemb@google.com>
>
> PACKET_FANOUT_LB computes f->rr_cur such that it is modulo
> f->num_members. It returns the old value unconditionally, but
> f->num_members may have changed since the last store. This can be
> fixed with
>
> - return cur
> + return cur < num ? : 0;
Well, that test is bad. Should be return cur < num ? cur : 0. But the
patch is more concise, anyway.
>
> When modifying the logic, simplify it further by replacing the loop
> with an unconditional atomic increment.
>
> Fixes: dc99f600698d ("packet: Add fanout support.")
> Suggested-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Willem de Bruijn <willemb@google.com>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net] packet: avoid out of bounds read in round robin fanout
2015-06-16 21:07 [PATCH net] packet: avoid out of bounds read in round robin fanout Willem de Bruijn
2015-06-16 21:51 ` Willem de Bruijn
@ 2015-06-17 12:09 ` Sergei Shtylyov
2015-06-17 19:59 ` [PATCH net v2] " Willem de Bruijn
1 sibling, 1 reply; 6+ messages in thread
From: Sergei Shtylyov @ 2015-06-17 12:09 UTC (permalink / raw)
To: Willem de Bruijn, netdev; +Cc: davem, edumazet
Hello.
On 6/17/2015 12:07 AM, Willem de Bruijn wrote:
> From: Willem de Bruijn <willemb@google.com>
> PACKET_FANOUT_LB computes f->rr_cur such that it is modulo
> f->num_members. It returns the old value unconditionally, but
> f->num_members may have changed since the last store. This can be
> fixed with
> - return cur
> + return cur < num ? : 0;
> When modifying the logic, simplify it further by replacing the loop
> with an unconditional atomic increment.
> Fixes: dc99f600698d ("packet: Add fanout support.")
> Suggested-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Willem de Bruijn <willemb@google.com>
> ---
> net/packet/af_packet.c | 19 ++-----------------
> 1 file changed, 2 insertions(+), 17 deletions(-)
> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
> index b5989c6..efd35e8 100644
> --- a/net/packet/af_packet.c
> +++ b/net/packet/af_packet.c
[...]
> @@ -1293,13 +1283,8 @@ static unsigned int fanout_demux_lb(struct packet_fanout *f,
> struct sk_buff *skb,
> unsigned int num)
> {
> - int cur, old;
> -
> - cur = atomic_read(&f->rr_cur);
> - while ((old = atomic_cmpxchg(&f->rr_cur, cur,
> - fanout_rr_next(f, num))) != cur)
> - cur = old;
> - return cur;
> + unsigned int val = atomic_inc_return(&f->rr_cur);
Please insert an empty line after declaration, as it was before your patch.
> + return val % num;
> }
[...]
WBR, Sergei
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH net v2] packet: avoid out of bounds read in round robin fanout
2015-06-17 12:09 ` Sergei Shtylyov
@ 2015-06-17 19:59 ` Willem de Bruijn
2015-06-18 11:08 ` Eric Dumazet
2015-06-21 17:27 ` David Miller
0 siblings, 2 replies; 6+ messages in thread
From: Willem de Bruijn @ 2015-06-17 19:59 UTC (permalink / raw)
To: netdev; +Cc: davem, edumazet, Willem de Bruijn
From: Willem de Bruijn <willemb@google.com>
PACKET_FANOUT_LB computes f->rr_cur such that it is modulo
f->num_members. It returns the old value unconditionally, but
f->num_members may have changed since the last store. Ensure
that the return value is always < num.
When modifying the logic, simplify it further by replacing the loop
with an unconditional atomic increment.
Fixes: dc99f600698d ("packet: Add fanout support.")
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
---
net/packet/af_packet.c | 18 ++----------------
1 file changed, 2 insertions(+), 16 deletions(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index b5989c6..104f902 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1272,16 +1272,6 @@ static void packet_sock_destruct(struct sock *sk)
sk_refcnt_debug_dec(sk);
}
-static int fanout_rr_next(struct packet_fanout *f, unsigned int num)
-{
- int x = atomic_read(&f->rr_cur) + 1;
-
- if (x >= num)
- x = 0;
-
- return x;
-}
-
static unsigned int fanout_demux_hash(struct packet_fanout *f,
struct sk_buff *skb,
unsigned int num)
@@ -1293,13 +1283,9 @@ static unsigned int fanout_demux_lb(struct packet_fanout *f,
struct sk_buff *skb,
unsigned int num)
{
- int cur, old;
+ unsigned int val = atomic_inc_return(&f->rr_cur);
- cur = atomic_read(&f->rr_cur);
- while ((old = atomic_cmpxchg(&f->rr_cur, cur,
- fanout_rr_next(f, num))) != cur)
- cur = old;
- return cur;
+ return val % num;
}
static unsigned int fanout_demux_cpu(struct packet_fanout *f,
--
2.4.3.573.g4eafbef
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH net v2] packet: avoid out of bounds read in round robin fanout
2015-06-17 19:59 ` [PATCH net v2] " Willem de Bruijn
@ 2015-06-18 11:08 ` Eric Dumazet
2015-06-21 17:27 ` David Miller
1 sibling, 0 replies; 6+ messages in thread
From: Eric Dumazet @ 2015-06-18 11:08 UTC (permalink / raw)
To: Willem de Bruijn; +Cc: netdev, davem, edumazet
On Wed, 2015-06-17 at 15:59 -0400, Willem de Bruijn wrote:
> From: Willem de Bruijn <willemb@google.com>
>
> PACKET_FANOUT_LB computes f->rr_cur such that it is modulo
> f->num_members. It returns the old value unconditionally, but
> f->num_members may have changed since the last store. Ensure
> that the return value is always < num.
>
> When modifying the logic, simplify it further by replacing the loop
> with an unconditional atomic increment.
>
> Fixes: dc99f600698d ("packet: Add fanout support.")
> Suggested-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Willem de Bruijn <willemb@google.com>
> ---
Acked-by: Eric Dumazet <edumazet@google.com>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH net v2] packet: avoid out of bounds read in round robin fanout
2015-06-17 19:59 ` [PATCH net v2] " Willem de Bruijn
2015-06-18 11:08 ` Eric Dumazet
@ 2015-06-21 17:27 ` David Miller
1 sibling, 0 replies; 6+ messages in thread
From: David Miller @ 2015-06-21 17:27 UTC (permalink / raw)
To: willemb; +Cc: netdev, edumazet
From: Willem de Bruijn <willemb@google.com>
Date: Wed, 17 Jun 2015 15:59:34 -0400
> From: Willem de Bruijn <willemb@google.com>
>
> PACKET_FANOUT_LB computes f->rr_cur such that it is modulo
> f->num_members. It returns the old value unconditionally, but
> f->num_members may have changed since the last store. Ensure
> that the return value is always < num.
>
> When modifying the logic, simplify it further by replacing the loop
> with an unconditional atomic increment.
>
> Fixes: dc99f600698d ("packet: Add fanout support.")
> Suggested-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: Willem de Bruijn <willemb@google.com>
Applied and queued up for -stable, thanks.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2015-06-21 17:15 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-06-16 21:07 [PATCH net] packet: avoid out of bounds read in round robin fanout Willem de Bruijn
2015-06-16 21:51 ` Willem de Bruijn
2015-06-17 12:09 ` Sergei Shtylyov
2015-06-17 19:59 ` [PATCH net v2] " Willem de Bruijn
2015-06-18 11:08 ` Eric Dumazet
2015-06-21 17:27 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).