{"id":2230897,"url":"http://patchwork.ozlabs.org/api/patches/2230897/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260430074420.26697-7-ja@ssi.bg/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260430074420.26697-7-ja@ssi.bg>","list_archive_url":null,"date":"2026-04-30T07:44:18","name":"[PATCHv3,nf,6/8] ipvs: fix shift-out-of-bounds in ip_vs_rht_desired_size","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"5d2c28c1d04bd61b3f6d52e03300a101f712b97d","submitter":{"id":2825,"url":"http://patchwork.ozlabs.org/api/people/2825/?format=json","name":"Julian Anastasov","email":"ja@ssi.bg"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260430074420.26697-7-ja@ssi.bg/mbox/","series":[{"id":502227,"url":"http://patchwork.ozlabs.org/api/series/502227/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=502227","date":"2026-04-30T07:44:12","name":"IPVS fixes for nf","version":1,"mbox":"http://patchwork.ozlabs.org/series/502227/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2230897/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2230897/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n <netfilter-devel+bounces-12327-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (4096-bit key;\n unprotected) header.d=ssi.bg header.i=@ssi.bg header.a=rsa-sha256\n header.s=ssi header.b=CEh5f4GD;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12327-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (4096-bit key) header.d=ssi.bg header.i=@ssi.bg header.b=\"CEh5f4GD\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=193.238.174.39","smtp.subspace.kernel.org;\n dmarc=pass (p=reject dis=none) header.from=ssi.bg","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=ssi.bg"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org\n [IPv6:2600:3c15:e001:75::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5mWk60Kmz1yHZ\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 17:48:50 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id 2140F300EB50\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 07:48:29 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 6EE1C37F8C4;\n\tThu, 30 Apr 2026 07:48:26 +0000 (UTC)","from mx.ssi.bg (mx.ssi.bg [193.238.174.39])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 42CC83FA5FA;\n\tThu, 30 Apr 2026 07:48:24 +0000 (UTC)","from mx.ssi.bg (localhost [127.0.0.1])\n\tby mx.ssi.bg (Potsfix) with ESMTP id 127892292E;\n\tThu, 30 Apr 2026 10:47:55 +0300 (EEST)","from box.ssi.bg (box.ssi.bg [193.238.174.46])\n\tby mx.ssi.bg (Potsfix) with ESMTPS;\n\tThu, 30 Apr 2026 10:47:53 +0300 (EEST)","from ja.ssi.bg (unknown [213.16.62.126])\n\tby box.ssi.bg (Potsfix) with ESMTPSA id 8F03660980;\n\tThu, 30 Apr 2026 10:47:52 +0300 (EEST)","from ja.home.ssi.bg (localhost.localdomain [127.0.0.1])\n\tby ja.ssi.bg (8.18.1/8.18.1) with ESMTP id 63U7ixD9027474;\n\tThu, 30 Apr 2026 10:44:59 +0300","(from root@localhost)\n\tby ja.home.ssi.bg (8.18.1/8.18.1/Submit) id 63U7ixTa027473;\n\tThu, 30 Apr 2026 10:44:59 +0300"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777535305; cv=none;\n b=eEgBWRnUFSrdTr3dx6yksAvxLJrECTj0QNKA++3vX01ORAV6v9WliyLXtZ+Xb0x1g60CjyaIJGmmStYCkiai32qGPM967rhQYscMV2nW4BGY8Ge+gFbNjkWTT4wPX7DPs5zouX4nvtnF2mTPffTZ4/NCZzxlNHhcN5XGLJf2ONw=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777535305; c=relaxed/simple;\n\tbh=C2hWpN7sSjdGkm4rOVk6n/xWQGh7Kysu6wMLYYWievA=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=KE18zgPGK8ZcMR4ZkDhm7G6qcLamQesV4tE/fwH1oD0v8sX3AKs7qgrFCKZ2MD5HOUtAlEshGh0+rjlPCykcabLlGmDd7g9/D3YJ8Z1M6xNm7netFfHTPNAM33chCVCvxmqhJTdP72f59yOKOfuIhARkSLdIYE2MrMmk9syvvvo=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=reject dis=none) header.from=ssi.bg;\n spf=pass smtp.mailfrom=ssi.bg;\n dkim=pass (4096-bit key) header.d=ssi.bg header.i=@ssi.bg header.b=CEh5f4GD;\n arc=none smtp.client-ip=193.238.174.39","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=ssi.bg; h=cc:cc\n\t:content-transfer-encoding:date:from:from:in-reply-to:message-id\n\t:mime-version:references:reply-to:subject:subject:to:to; s=ssi;\n\t bh=Uqax325+N5JDs/S0EJd8JLZMGuyA5PI6DaXMbKDlAP4=; b=CEh5f4GDo9s0\n\thrY2APBtEq1mtRLihUwrP1iEC4NzVCCiqNb/uXkMBMD1dDlfmV3bCi9+I1g2c3Kb\n\t164dYHYPY3urvIqu1UtHuVaw1do1wX7GOeQEx/QBDWPCPXZntM/aBTxhgECwm8nY\n\tGo4rwEgypJ2n4jH+O57fhqWP+28KevpGLmmdCyZ4bZV+fQWAst1cLdTSlOtUIq7p\n\tg87K+esT2aQxzwr20G6f4EZdu+++vNdeBFYLTxTgYyTivn/evVcV2U1YBHkBiDYl\n\ttE5qLGWi1T9e0rwIcGzs63Q6nNg4rZX37+mUNJ0Wyk2Zvr/A1nfCZa5AHWyF1xMy\n\tYFI8IMajbxS+LGaOAk6oTwgONtKyzTn1Rde06lUYVR8EcNLVjVgcT4FKdWvesHy0\n\tSUvLnjzfIGbeDYXYZi6tKXxdX8/UvxnESR0kZQzm3H0XS0VjMkdUfya9ij0VbJN5\n\tSHJCsD0EF5xRjnvJLyFt0t+8tTK9ni6HMqxO00SUgLBSpbaamG4uOyYREQQc78Th\n\tnrLsbrADVZbrYd8xJRSUotd/d2gBLgq9tAuXZNqQsCmThp5JhDmuUnSUn6rMW98Z\n\tBjmD/4EUYfJAiDCEw0sVSFmJdTJUGS2d4MxjPCnZX/NA2py5pmGNBHeSbujbSRX1\n\tjB5VTqBEgmmKf2boR2YtVod412MnWrU=","From":"Julian Anastasov <ja@ssi.bg>","To":"Simon Horman <horms@verge.net.au>","Cc":"Pablo Neira Ayuso <pablo@netfilter.org>, Florian Westphal <fw@strlen.de>,\n        Waiman Long <longman@redhat.com>, lvs-devel@vger.kernel.org,\n        netfilter-devel@vger.kernel.org","Subject":"[PATCHv3 nf 6/8] ipvs: fix shift-out-of-bounds in\n ip_vs_rht_desired_size","Date":"Thu, 30 Apr 2026 10:44:18 +0300","Message-ID":"<20260430074420.26697-7-ja@ssi.bg>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260430074420.26697-1-ja@ssi.bg>","References":"<20260430074420.26697-1-ja@ssi.bg>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"Calling roundup_pow_of_two() with 0 has undefined result:\n\nUBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\nshift exponent 64 is too large for 64-bit type 'unsigned long'\nCPU: 1 UID: 0 PID: 77 Comm: kworker/u8:4 Not tainted syzkaller #0 PREEMPT(full)\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026\nWorkqueue: events_unbound conn_resize_work_handler\nCall Trace:\n <TASK>\n dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120\n ubsan_epilogue+0xa/0x30 lib/ubsan.c:233\n __ubsan_handle_shift_out_of_bounds+0x385/0x410 lib/ubsan.c:494\n __roundup_pow_of_two include/linux/log2.h:57 [inline]\n ip_vs_rht_desired_size+0x2cf/0x410 net/netfilter/ipvs/ip_vs_core.c:240\n ip_vs_conn_desired_size net/netfilter/ipvs/ip_vs_conn.c:765 [inline]\n conn_resize_work_handler+0x1b6/0x14c0 net/netfilter/ipvs/ip_vs_conn.c:822\n process_one_work kernel/workqueue.c:3302 [inline]\n process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385\n worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466\n kthread+0x388/0x470 kernel/kthread.c:436\n ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245\n </TASK>\n\nReported-by: syzbot+217f1db9c791e27fe54a@syzkaller.appspotmail.com\nFixes: b655388111cf (\"ipvs: add resizable hash tables\")\nSigned-off-by: Julian Anastasov <ja@ssi.bg>\n---\n net/netfilter/ipvs/ip_vs_core.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)","diff":"diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c\nindex f5b7a2047291..d40b404c1bf6 100644\n--- a/net/netfilter/ipvs/ip_vs_core.c\n+++ b/net/netfilter/ipvs/ip_vs_core.c\n@@ -237,7 +237,7 @@ int ip_vs_rht_desired_size(struct netns_ipvs *ipvs, struct ip_vs_rht *t, int n,\n {\n \tif (!t)\n \t\treturn 1 << min_bits;\n-\tn = roundup_pow_of_two(n);\n+\tn = n > 0 ? roundup_pow_of_two(n) : 1;\n \tif (lfactor < 0) {\n \t\tint factor = min(-lfactor, max_bits);\n \n","prefixes":["PATCHv3","nf","6/8"]}