mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-01 10:42:11 +00:00
ipv6: properly prevent temp_prefered_lft sysctl race
The check for an underflow of tmp_prefered_lft is always false
because tmp_prefered_lft is unsigned. The intention of the check
was to guard against racing with an update of the
temp_prefered_lft sysctl, potentially resulting in an underflow.
As suggested by David Miller, the best way to prevent the race is
by reading the sysctl variable using READ_ONCE.
Signed-off-by: Jiri Bohac <jbohac@suse.cz>
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Fixes: 76506a986d
("IPv6: fix DESYNC_FACTOR")
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
8be0328e52
commit
7aa8e63f0d
@ -1185,6 +1185,7 @@ static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp, struct inet6_ifaddr *i
|
||||
u32 addr_flags;
|
||||
unsigned long now = jiffies;
|
||||
long max_desync_factor;
|
||||
s32 cnf_temp_preferred_lft;
|
||||
|
||||
write_lock_bh(&idev->lock);
|
||||
if (ift) {
|
||||
@ -1228,9 +1229,10 @@ static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp, struct inet6_ifaddr *i
|
||||
/* recalculate max_desync_factor each time and update
|
||||
* idev->desync_factor if it's larger
|
||||
*/
|
||||
cnf_temp_preferred_lft = READ_ONCE(idev->cnf.temp_prefered_lft);
|
||||
max_desync_factor = min_t(__u32,
|
||||
idev->cnf.max_desync_factor,
|
||||
idev->cnf.temp_prefered_lft - regen_advance);
|
||||
cnf_temp_preferred_lft - regen_advance);
|
||||
|
||||
if (unlikely(idev->desync_factor > max_desync_factor)) {
|
||||
if (max_desync_factor > 0) {
|
||||
@ -1245,11 +1247,8 @@ static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp, struct inet6_ifaddr *i
|
||||
tmp_valid_lft = min_t(__u32,
|
||||
ifp->valid_lft,
|
||||
idev->cnf.temp_valid_lft + age);
|
||||
tmp_prefered_lft = idev->cnf.temp_prefered_lft + age -
|
||||
tmp_prefered_lft = cnf_temp_preferred_lft + age -
|
||||
idev->desync_factor;
|
||||
/* guard against underflow in case of concurrent updates to cnf */
|
||||
if (unlikely(tmp_prefered_lft < 0))
|
||||
tmp_prefered_lft = 0;
|
||||
tmp_prefered_lft = min_t(__u32, ifp->prefered_lft, tmp_prefered_lft);
|
||||
tmp_plen = ifp->prefix_len;
|
||||
tmp_tstamp = ifp->tstamp;
|
||||
|
Loading…
Reference in New Issue
Block a user