From: Ruitong Liu <cnitlrt@gmail.com>
To: netdev@vger.kernel.org
Cc: jhs@mojatatu.com, xiyou.wangcong@gmail.com, jiri@resnulli.us,
davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, horms@kernel.org,
linux-kernel@vger.kernel.org, Ruitong Liu <cnitlrt@gmail.com>,
stable@vger.kernel.org, Shuyuan Liu <L0x1c3r@gmail.com>
Subject: [PATCH] net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()
Date: Thu, 12 Feb 2026 02:48:48 +0800 [thread overview]
Message-ID: <20260211184848.731894-1-cnitlrt@gmail.com> (raw)
mapping_mod is computed as:
mapping_mod = queue_mapping_max - queue_mapping + 1;
mapping_mod is stored as u16, so the calculation can overflow when
queue_mapping=0 and queue_mapping_max=0xffff. In this case the value
wraps to 0, leading to a divide-by-zero in tcf_skbedit_hash():
queue_mapping += skb_get_hash(skb) % params->mapping_mod;
Fix it by using a wider type for mapping_mod and performing the
calculation in u32, preventing overflow to zero.
Fixes: 38a6f0865796 ("net: sched: support hash selecting tx queue")
Cc: stable@vger.kernel.org # 6.12+
Reported-by: Ruitong Liu <cnitlrt@gmail.com>
Reported-by: Shuyuan Liu <L0x1c3r@gmail.com>
Signed-off-by: Ruitong Liu <cnitlrt@gmail.com>
---
include/net/tc_act/tc_skbedit.h | 2 +-
net/sched/act_skbedit.c | 10 +++++-----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/include/net/tc_act/tc_skbedit.h b/include/net/tc_act/tc_skbedit.h
index 31b2cd0bebb5..1353bcb15ac7 100644
--- a/include/net/tc_act/tc_skbedit.h
+++ b/include/net/tc_act/tc_skbedit.h
@@ -18,7 +18,7 @@ struct tcf_skbedit_params {
u32 mark;
u32 mask;
u16 queue_mapping;
- u16 mapping_mod;
+ u32 mapping_mod;
u16 ptype;
struct rcu_head rcu;
};
diff --git a/net/sched/act_skbedit.c b/net/sched/act_skbedit.c
index 8c1d1554f657..52f6ea6436b9 100644
--- a/net/sched/act_skbedit.c
+++ b/net/sched/act_skbedit.c
@@ -26,7 +26,7 @@ static struct tc_action_ops act_skbedit_ops;
static u16 tcf_skbedit_hash(struct tcf_skbedit_params *params,
struct sk_buff *skb)
{
- u16 queue_mapping = params->queue_mapping;
+ u32 queue_mapping = params->queue_mapping;
if (params->flags & SKBEDIT_F_TXQ_SKBHASH) {
u32 hash = skb_get_hash(skb);
@@ -34,7 +34,7 @@ static u16 tcf_skbedit_hash(struct tcf_skbedit_params *params,
queue_mapping += hash % params->mapping_mod;
}
- return netdev_cap_txqueue(skb->dev, queue_mapping);
+ return netdev_cap_txqueue(skb->dev, (u16)queue_mapping);
}
TC_INDIRECT_SCOPE int tcf_skbedit_act(struct sk_buff *skb,
@@ -126,7 +126,7 @@ static int tcf_skbedit_init(struct net *net, struct nlattr *nla,
struct tcf_skbedit *d;
u32 flags = 0, *priority = NULL, *mark = NULL, *mask = NULL;
u16 *queue_mapping = NULL, *ptype = NULL;
- u16 mapping_mod = 1;
+ u32 mapping_mod = 1;
bool exists = false;
int ret = 0, err;
u32 index;
@@ -193,7 +193,7 @@ static int tcf_skbedit_init(struct net *net, struct nlattr *nla,
return -EINVAL;
}
- mapping_mod = *queue_mapping_max - *queue_mapping + 1;
+ mapping_mod = (u32)(*queue_mapping_max) - (u32)(*queue_mapping) + 1;
flags |= SKBEDIT_F_TXQ_SKBHASH;
}
if (*pure_flags & SKBEDIT_F_INHERITDSFIELD)
@@ -319,7 +319,7 @@ static int tcf_skbedit_dump(struct sk_buff *skb, struct tc_action *a,
pure_flags |= SKBEDIT_F_INHERITDSFIELD;
if (params->flags & SKBEDIT_F_TXQ_SKBHASH) {
if (nla_put_u16(skb, TCA_SKBEDIT_QUEUE_MAPPING_MAX,
- params->queue_mapping + params->mapping_mod - 1))
+ (u16)(params->queue_mapping + params->mapping_mod - 1)))
goto nla_put_failure;
pure_flags |= SKBEDIT_F_TXQ_SKBHASH;
--
2.34.1
next reply other threads:[~2026-02-11 18:48 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-11 18:48 Ruitong Liu [this message]
2026-02-11 19:07 ` [PATCH] net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash() Eric Dumazet
2026-02-11 19:43 ` [PATCH v2] " Ruitong Liu
2026-02-13 2:08 ` Jakub Kicinski
2026-02-13 3:29 ` RUITONG LIU
2026-02-13 16:24 ` Jakub Kicinski
2026-02-13 17:59 ` [PATCH v3] " Ruitong Liu
2026-02-18 1:29 ` Jakub Kicinski
2026-02-18 1:40 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260211184848.731894-1-cnitlrt@gmail.com \
--to=cnitlrt@gmail.com \
--cc=L0x1c3r@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.