public inbox for netdev@vger.kernel.org
* [PATCH net v3] tipc: fix divide-by-zero in tipc_sk_filter_connect()
@ 2026-03-10 17:07 Mehul Rao
  2026-03-11  2:03 ` Tung Quang Nguyen
  2026-03-12  2:10 ` patchwork-bot+netdevbpf
  0 siblings, 2 replies; 3+ messages in thread
From: Mehul Rao @ 2026-03-10 17:07 UTC (permalink / raw)
  To: jmaloy, davem
  Cc: edumazet, kuba, pabeni, horms, ying.xue, tung.q.nguyen, netdev,
	tipc-discussion, stable, Mehul Rao

A user can set conn_timeout to any value via
setsockopt(TIPC_CONN_TIMEOUT), including values less than 4.  When a
SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in
tipc_sk_filter_connect() executes:

    delay %= (tsk->conn_timeout / 4);

If conn_timeout is in the range [0, 3], the integer division yields 0,
and the modulo operation triggers a divide-by-zero exception, causing a
kernel oops/panic.

Fix this by clamping conn_timeout to a minimum of 4 at the point of use
in tipc_sk_filter_connect().

Oops: divide error: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+
RIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362)
Call Trace:
 tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406)
 __release_sock (include/net/sock.h:1185 net/core/sock.c:3213)
 release_sock (net/core/sock.c:3797)
 tipc_connect (net/tipc/socket.c:2570)
 __sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098)

Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket")
Cc: stable@vger.kernel.org
Signed-off-by: Mehul Rao <mehulrao@gmail.com>
---
Changes in v3:
- Decode stack trace symbols (Eric Dumazet)
- Link to v2: https://lore.kernel.org/netdev/20260306185005.22120-1-mehulrao@gmail.com/

Changes in v2:
- Clamp conn_timeout at the point of use in tipc_sk_filter_connect()
  instead of rejecting small values in tipc_setsockopt()
- Link to v1: https://lore.kernel.org/netdev/20260305215336.645186-1-mehulrao@gmail.com/
---
 net/tipc/socket.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 4c618c2b871d..9329919fb07f 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2233,6 +2233,8 @@ static bool tipc_sk_filter_connect(struct tipc_sock *tsk, struct sk_buff *skb,
 		if (skb_queue_empty(&sk->sk_write_queue))
 			break;
 		get_random_bytes(&delay, 2);
+		if (tsk->conn_timeout < 4)
+			tsk->conn_timeout = 4;
 		delay %= (tsk->conn_timeout / 4);
 		delay = msecs_to_jiffies(delay + 100);
 		sk_reset_timer(sk, &sk->sk_timer, jiffies + delay);
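
Review bot: the clamp `tsk->conn_timeout = 4` writes the floor back into the socket rather than only guarding the divisor, so a user-set value in [0, 3] is silently replaced by 4 on that socket the first time this retry path runs. If the stored value should remain what setsockopt(TIPC_CONN_TIMEOUT) installed, clamp a local instead, e.g. `delay %= (max_t(u32, tsk->conn_timeout, 4) / 4);`. Either way the divisor is now at least 1, which is what the divide error needed; a short comment on why 4 (conn_timeout / 4 is zero below it) would help the next reader.
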
-- 
2.53.0


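To make the hazard boundary concrete, here is an added user-space model of the delay arithmetic before and after the clamp. It is example code, not the kernel's or the author's; the 8000 ms timeout and the 0xffff random byte pair are constructed inputs, and the msecs_to_jiffies() conversion is omitted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed user-space model of the retry-delay arithmetic in
 * tipc_sk_filter_connect(); not kernel code. The kernel feeds the result
 * to msecs_to_jiffies(); this model stops at milliseconds.
 */

/* Pre-patch arithmetic. Returns false where the kernel would trap: the
 * divisor conn_timeout / 4 is zero for conn_timeout in [0, 3]. */
static bool retry_delay_ms_unpatched(uint32_t conn_timeout, uint16_t rnd,
				     uint32_t *delay_ms)
{
	uint32_t divisor = conn_timeout / 4;

	if (divisor == 0)
		return false;	/* '%' by zero: the #DE in the reported oops */
	*delay_ms = rnd % divisor + 100;
	return true;
}

/* Post-patch arithmetic: conn_timeout is floored to 4 at the point of use,
 * so the divisor is at least 1. (The kernel patch writes the floor back
 * into tsk->conn_timeout; this model clamps a local copy instead.) */
static uint32_t retry_delay_ms_patched(uint32_t conn_timeout, uint16_t rnd)
{
	uint32_t t = conn_timeout < 4 ? 4 : conn_timeout;

	return rnd % (t / 4) + 100;
}

int main(void)
{
	/* Constructed inputs: timeouts around the hazard, plus the largest
	 * value the two bytes from get_random_bytes(&delay, 2) can hold. */
	const uint32_t timeouts[] = { 0, 3, 4, 7, 8, 8000 };
	const uint16_t rnd = 0xffff;
	uint32_t d;

	for (size_t i = 0; i < sizeof(timeouts) / sizeof(timeouts[0]); i++) {
		uint32_t t = timeouts[i];
		bool ok = retry_delay_ms_unpatched(t, rnd, &d);

		printf("conn_timeout=%5u  unpatched: %-9s patched: %u ms\n", t,
		       ok ? "ok" : "div-by-0", retry_delay_ms_patched(t, rnd));
	}
	return 0;
}
```

Note that for conn_timeout in [4, 7] the divisor is 1, so the patched path always yields exactly 100 ms; the randomised spread only appears once conn_timeout reaches 8.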

* RE: [PATCH net v3] tipc: fix divide-by-zero in tipc_sk_filter_connect()
  2026-03-10 17:07 [PATCH net v3] tipc: fix divide-by-zero in tipc_sk_filter_connect() Mehul Rao
@ 2026-03-11  2:03 ` Tung Quang Nguyen
  2026-03-12  2:10 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: Tung Quang Nguyen @ 2026-03-11  2:03 UTC (permalink / raw)
  To: Mehul Rao
  Cc: edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
	horms@kernel.org, netdev@vger.kernel.org,
	tipc-discussion@lists.sourceforge.net, stable@vger.kernel.org,
	jmaloy@redhat.com, davem@davemloft.net

>Subject: [PATCH net v3] tipc: fix divide-by-zero in tipc_sk_filter_connect()
>
>A user can set conn_timeout to any value via
>setsockopt(TIPC_CONN_TIMEOUT), including values less than 4.  When a SYN
>is rejected with TIPC_ERR_OVERLOAD and the retry path in
>tipc_sk_filter_connect() executes:
>
>    delay %= (tsk->conn_timeout / 4);
>
>If conn_timeout is in the range [0, 3], the integer division yields 0, and the
>modulo operation triggers a divide-by-zero exception, causing a kernel
>oops/panic.
>
>Fix this by clamping conn_timeout to a minimum of 4 at the point of use in
>tipc_sk_filter_connect().
>
>Oops: divide error: 0000 [#1] SMP KASAN NOPTI
>CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+
>RIP: 0010:tipc_sk_filter_rcv (net/tipc/socket.c:2236 net/tipc/socket.c:2362)
>Call Trace:
> tipc_sk_backlog_rcv (include/linux/instrumented.h:82 include/linux/atomic/atomic-instrumented.h:32 include/net/sock.h:2357 net/tipc/socket.c:2406)
> __release_sock (include/net/sock.h:1185 net/core/sock.c:3213)
> release_sock (net/core/sock.c:3797)
> tipc_connect (net/tipc/socket.c:2570)
> __sys_connect (include/linux/file.h:62 include/linux/file.h:83 net/socket.c:2098)
>
>Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket")
>Cc: stable@vger.kernel.org
>Signed-off-by: Mehul Rao <mehulrao@gmail.com>
>---
>Changes in v3:
>- Decode stack trace symbols (Eric Dumazet)
>- Link to v2: https://lore.kernel.org/netdev/20260306185005.22120-1-mehulrao@gmail.com/
>
>Changes in v2:
>- Clamp conn_timeout at the point of use in tipc_sk_filter_connect()
>  instead of rejecting small values in tipc_setsockopt()
>- Link to v1: https://lore.kernel.org/netdev/20260305215336.645186-1-mehulrao@gmail.com/
>---
> net/tipc/socket.c | 2 ++
> 1 file changed, 2 insertions(+)
>
>diff --git a/net/tipc/socket.c b/net/tipc/socket.c index
>4c618c2b871d..9329919fb07f 100644
>--- a/net/tipc/socket.c
>+++ b/net/tipc/socket.c
>@@ -2233,6 +2233,8 @@ static bool tipc_sk_filter_connect(struct tipc_sock
>*tsk, struct sk_buff *skb,
> 		if (skb_queue_empty(&sk->sk_write_queue))
> 			break;
> 		get_random_bytes(&delay, 2);
>+		if (tsk->conn_timeout < 4)
>+			tsk->conn_timeout = 4;
> 		delay %= (tsk->conn_timeout / 4);
> 		delay = msecs_to_jiffies(delay + 100);
> 		sk_reset_timer(sk, &sk->sk_timer, jiffies + delay);
>--
>2.53.0
>
Reviewed-by: Tung Nguyen <tung.quang.nguyen@est.tech>


* Re: [PATCH net v3] tipc: fix divide-by-zero in tipc_sk_filter_connect()
  2026-03-10 17:07 [PATCH net v3] tipc: fix divide-by-zero in tipc_sk_filter_connect() Mehul Rao
  2026-03-11  2:03 ` Tung Quang Nguyen
@ 2026-03-12  2:10 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-03-12  2:10 UTC (permalink / raw)
  To: Mehul Rao
  Cc: jmaloy, davem, edumazet, kuba, pabeni, horms, ying.xue,
	tung.q.nguyen, netdev, tipc-discussion, stable

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Tue, 10 Mar 2026 13:07:30 -0400 you wrote:
> A user can set conn_timeout to any value via
> setsockopt(TIPC_CONN_TIMEOUT), including values less than 4.  When a
> SYN is rejected with TIPC_ERR_OVERLOAD and the retry path in
> tipc_sk_filter_connect() executes:
> 
>     delay %= (tsk->conn_timeout / 4);
> 
> [...]

Here is the summary with links:
  - [net,v3] tipc: fix divide-by-zero in tipc_sk_filter_connect()
    https://git.kernel.org/netdev/net/c/6c5a9baa15de

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


