From: Simon Horman <horms@kernel.org>
To: ja@ssi.bg
Cc: 'Simon Horman' <horms@kernel.org>,
horms@verge.net.au, pablo@netfilter.org, fw@strlen.de,
lvs-devel@vger.kernel.org, netfilter-devel@vger.kernel.org,
netdev@vger.kernel.org
Subject: Re: [PATCH net] ipvs: fix shift-out-of-bounds in ip_vs_rht_desired_size
Date: Thu, 30 Apr 2026 13:39:17 +0100 [thread overview]
Message-ID: <20260430123917.1628871-2-horms@kernel.org> (raw)
In-Reply-To: <20260427234014.86256-1-ja@ssi.bg>
From: 'Simon Horman' <horms@kernel.org>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
Full review at: https://sashiko.dev
---
ipvs: fix shift-out-of-bounds in ip_vs_rht_desired_size
This commit addresses a shift-out-of-bounds issue when roundup_pow_of_two()
is called with 0 in ip_vs_rht_desired_size. It updates the assignment to fall
back to 1 if n is 0.
> diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
> index f5b7a2047291..ea450944465f 100644
> --- a/net/netfilter/ipvs/ip_vs_core.c
> +++ b/net/netfilter/ipvs/ip_vs_core.c
> @@ -237,7 +237,7 @@ int ip_vs_rht_desired_size(struct netns_ipvs *ipvs, struct ip_vs_rht *t, int n,
> {
> if (!t)
> return 1 << min_bits;
> - n = roundup_pow_of_two(n);
> + n = n ? roundup_pow_of_two(n) : 1;
The parameter n is a signed int. If n happens to be negative, it will evaluate
to true and be passed to roundup_pow_of_two().
Because roundup_pow_of_two() casts the input to unsigned long, a negative
value like -1 becomes ULONG_MAX. This results in a shift exponent of 64,
triggering a shift-out-of-bounds regression. Would it be safer to check
for n <= 0 instead?
Additionally, if n exceeds 1.07 billion (1 << 30) on systems with large
amounts of RAM, roundup_pow_of_two(n) evaluates to 1UL << 31. Since n is
a 32-bit signed int, assigning 1UL << 31 back to n overflows and results
in a negative number.
Since subsequent bounds checks use signed comparisons:
> if (lfactor < 0) {
> int factor = min(-lfactor, max_bits);
>
> n = min(n, 1 << (max_bits - factor));
These checks will fail to constrain the size correctly.
[ ... ]
> /* Shrink but keep it n * 2 to prevent frequent resizing */
> return clamp(n << 1, 1 << min_bits, 1 << max_bits);
> }
Eventually, the function returns clamp(n << 1, 1 << min_bits, 1 << max_bits).
Shifting a negative number causes undefined behavior, and the clamp operation
will force the hash table to its absolute minimum size.
Could this cause millions of connections to be placed into a minimally sized
hash table, causing severe collisions during RCU hash lookups?
next prev parent reply other threads:[~2026-04-30 12:39 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-27 23:40 [PATCH net] ipvs: fix shift-out-of-bounds in ip_vs_rht_desired_size Julian Anastasov
2026-04-30 12:39 ` Simon Horman [this message]
2026-04-30 13:10 ` Julian Anastasov
2026-04-30 16:14 ` Simon Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260430123917.1628871-2-horms@kernel.org \
--to=horms@kernel.org \
--cc=fw@strlen.de \
--cc=horms@verge.net.au \
--cc=ja@ssi.bg \
--cc=lvs-devel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox