public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH net v2] net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
@ 2026-03-26  7:58 Xiang Mei
  2026-03-26 18:54 ` Xiang Mei
  0 siblings, 1 reply; 5+ messages in thread
From: Xiang Mei @ 2026-03-26  7:58 UTC (permalink / raw)
  To: security
  Cc: netdev, pabeni, jhs, jiri, davem, edumazet, kuba, horms,
	bestswngs, Xiang Mei

m2sm() converts a u32 slope to a u64 scaled value.  For large inputs
(e.g. m1=4000000000), the result can reach 2^32.  rtsc_min() stores
the difference of two such u64 values in a u32 variable `dsm` and
uses it as a divisor.  When the difference is exactly 2^32 the
truncation yields zero, causing a divide-by-zero oops in the
concave-curve intersection path:

  Oops: divide error: 0000
  RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601)
  Call Trace:
   init_ed (net/sched/sch_hfsc.c:629)
   hfsc_enqueue (net/sched/sch_hfsc.c:1569)
   [...]

Widen `dsm` to u64 and replace do_div() with div64_u64() so the full
difference is preserved.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
---
v2: resend to netdev ML

 net/sched/sch_hfsc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
index b5657ffbbf84..83b2ca2e37fc 100644
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -555,7 +555,7 @@ static void
 rtsc_min(struct runtime_sc *rtsc, struct internal_sc *isc, u64 x, u64 y)
 {
 	u64 y1, y2, dx, dy;
-	u32 dsm;
+	u64 dsm;
 
 	if (isc->sm1 <= isc->sm2) {
 		/* service curve is convex */
@@ -598,7 +598,7 @@ rtsc_min(struct runtime_sc *rtsc, struct internal_sc *isc, u64 x, u64 y)
 	 */
 	dx = (y1 - y) << SM_SHIFT;
 	dsm = isc->sm1 - isc->sm2;
-	do_div(dx, dsm);
+	dx = div64_u64(dx, dsm);
 	/*
 	 * check if (x, y1) belongs to the 1st segment of rtsc.
 	 * if so, add the offset.
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH net v2] net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
  2026-03-26  7:58 [PATCH net v2] net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() Xiang Mei
@ 2026-03-26 18:54 ` Xiang Mei
  2026-03-26 19:21   ` Jakub Kicinski
  0 siblings, 1 reply; 5+ messages in thread
From: Xiang Mei @ 2026-03-26 18:54 UTC (permalink / raw)
  To: security; +Cc: netdev, pabeni, jhs, jiri, davem, edumazet, kuba, horms,
	bestswngs

On Thu, Mar 26, 2026 at 12:58:51AM -0700, Xiang Mei wrote:
> m2sm() converts a u32 slope to a u64 scaled value.  For large inputs
> (e.g. m1=4000000000), the result can reach 2^32.  rtsc_min() stores
> the difference of two such u64 values in a u32 variable `dsm` and
> uses it as a divisor.  When the difference is exactly 2^32 the
> truncation yields zero, causing a divide-by-zero oops in the
> concave-curve intersection path:
> 
>   Oops: divide error: 0000
>   RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601)
>   Call Trace:
>    init_ed (net/sched/sch_hfsc.c:629)
>    hfsc_enqueue (net/sched/sch_hfsc.c:1569)
>    [...]
> 
> Widen `dsm` to u64 and replace do_div() with div64_u64() so the full
> difference is preserved.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: Weiming Shi <bestswngs@gmail.com>
> Signed-off-by: Xiang Mei <xmei5@asu.edu>
> ---
> v2: resend to netdev ML
> 
>  net/sched/sch_hfsc.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
> index b5657ffbbf84..83b2ca2e37fc 100644
> --- a/net/sched/sch_hfsc.c
> +++ b/net/sched/sch_hfsc.c
> @@ -555,7 +555,7 @@ static void
>  rtsc_min(struct runtime_sc *rtsc, struct internal_sc *isc, u64 x, u64 y)
>  {
>  	u64 y1, y2, dx, dy;
> -	u32 dsm;
> +	u64 dsm;
>  
>  	if (isc->sm1 <= isc->sm2) {
>  		/* service curve is convex */
> @@ -598,7 +598,7 @@ rtsc_min(struct runtime_sc *rtsc, struct internal_sc *isc, u64 x, u64 y)
>  	 */
>  	dx = (y1 - y) << SM_SHIFT;
>  	dsm = isc->sm1 - isc->sm2;
> -	do_div(dx, dsm);
> +	dx = div64_u64(dx, dsm);
>  	/*
>  	 * check if (x, y1) belongs to the 1st segment of rtsc.
>  	 * if so, add the offset.
> -- 
> 2.43.0
>

Thanks for your attention for this bug.
The following information could help you to reproduce the bug:

PoC:
```sh
#!/bin/sh
ip link set lo up

tc qdisc replace dev lo root handle 1: \
    stab overhead 3000000 mtu 0 tsize 0 \
    hfsc default 1
tc class replace dev lo parent 1: classid 1:1 hfsc \
    rt m1 32gbit d 1ms m2 0bit \
    ls m1 32gbit d 1ms m2 0bit

# Send UDP to loopback (same method as C PoC)
python3 -c "
import socket,time
s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
s.sendto(b'A'*64,('127.0.0.1',1337))  # activate class
time.sleep(1)                           # drain → idle
s.sendto(b'A'*64,('127.0.0.1',1337))  # reactivation → div-by-zero
"
```

Intended Crash:
```log
[   25.713426] Oops: divide error: 0000 [#1] SMP KASAN NOPTI
[   25.713720] CPU: 1 UID: 0 PID: 335 Comm: python3 Not tainted 7.0.0-rc4+ #4 PREEMPTLAZY
[   25.714102] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094
[   25.714825] RIP: 0010:rtsc_min+0x148/0x360
[   25.715034] Code: 0f 85 ad 01 00 00 48 8b 53 18 4c 01 f2 48 39 d0 0f 83 ea 00 00 00 8b 0c 24 4c c
[   25.715928] RSP: 0018:ffff888013eef438 EFLAGS: 00010206
[   25.716198] RAX: 00000f41d6000000 RBX: ffff888010e2c150 RCX: 0000000000000000
[   25.716555] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888010e2c168
[   25.716896] RBP: ffff888010e2c1e0 R08: 0000000000000001 R09: ffff888010e2c008
[   25.717238] R10: ffff888013488000 R11: ffff888013eefb30 R12: 00000000003d0900
[   25.717724] R13: 0000000100000000 R14: 00000000002dc72a R15: 0000000017f10a4c
[   25.718065] FS:  000078cd1f4cf040(0000) GS:ffff8881781cb000(0000) knlGS:0000000000000000
[   25.718456] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   25.718766] CR2: 000078cd1f5f87d0 CR3: 0000000013fb8002 CR4: 0000000000772ef0
[   25.719118] PKRU: 55555554
[   25.719262] Call Trace:
[   25.719390]  <TASK>
[   25.719503]  ? ktime_get+0x65/0x150
[   25.719704]  init_ed+0x70/0x4d0
[   25.719870]  hfsc_enqueue+0x7bb/0xef0
[   25.720059]  ? kmalloc_reserve+0x10c/0x2c0
```

This bug is a DoS bug requiring ns_capable(CAP_NET_ADMIN).
Please let me know if you have any questions for the patch and poc.

Thanks,
Xiang

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH net v2] net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
  2026-03-26 18:54 ` Xiang Mei
@ 2026-03-26 19:21   ` Jakub Kicinski
  2026-03-26 20:44     ` Xiang Mei
  0 siblings, 1 reply; 5+ messages in thread
From: Jakub Kicinski @ 2026-03-26 19:21 UTC (permalink / raw)
  To: Xiang Mei
  Cc: security, netdev, pabeni, jhs, jiri, davem, edumazet, horms,
	bestswngs

On Thu, 26 Mar 2026 11:54:52 -0700 Xiang Mei wrote:
> PoC:
> ```sh
> #!/bin/sh
> ip link set lo up
> 
> tc qdisc replace dev lo root handle 1: \
>     stab overhead 3000000 mtu 0 tsize 0 \
>     hfsc default 1
> tc class replace dev lo parent 1: classid 1:1 hfsc \
>     rt m1 32gbit d 1ms m2 0bit \
>     ls m1 32gbit d 1ms m2 0bit
> 
> # Send UDP to loopback (same method as C PoC)
> python3 -c "
> import socket,time
> s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
> s.sendto(b'A'*64,('127.0.0.1',1337))  # activate class
> time.sleep(1)                           # drain → idle
> s.sendto(b'A'*64,('127.0.0.1',1337))  # reactivation → div-by-zero
> "
> ```

Please turn this into a TDC selftest.

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH net v2] net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
  2026-03-26 19:21   ` Jakub Kicinski
@ 2026-03-26 20:44     ` Xiang Mei
  2026-03-27  0:50       ` Jakub Kicinski
  0 siblings, 1 reply; 5+ messages in thread
From: Xiang Mei @ 2026-03-26 20:44 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: security, netdev, pabeni, jhs, jiri, davem, edumazet, horms,
	bestswngs

Thanks for the suggestion. A TDC selftest was added to v3.

On Thu, Mar 26, 2026 at 12:21 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Thu, 26 Mar 2026 11:54:52 -0700 Xiang Mei wrote:
> > PoC:
> > ```sh
> > #!/bin/sh
> > ip link set lo up
> >
> > tc qdisc replace dev lo root handle 1: \
> >     stab overhead 3000000 mtu 0 tsize 0 \
> >     hfsc default 1
> > tc class replace dev lo parent 1: classid 1:1 hfsc \
> >     rt m1 32gbit d 1ms m2 0bit \
> >     ls m1 32gbit d 1ms m2 0bit
> >
> > # Send UDP to loopback (same method as C PoC)
> > python3 -c "
> > import socket,time
> > s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
> > s.sendto(b'A'*64,('127.0.0.1',1337))  # activate class
> > time.sleep(1)                           # drain → idle
> > s.sendto(b'A'*64,('127.0.0.1',1337))  # reactivation → div-by-zero
> > "
> > ```
>
> Please turn this into a TDC selftest.

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH net v2] net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()
  2026-03-26 20:44     ` Xiang Mei
@ 2026-03-27  0:50       ` Jakub Kicinski
  0 siblings, 0 replies; 5+ messages in thread
From: Jakub Kicinski @ 2026-03-27  0:50 UTC (permalink / raw)
  To: Xiang Mei
  Cc: security, netdev, pabeni, jhs, jiri, davem, edumazet, horms,
	bestswngs

On Thu, 26 Mar 2026 13:44:37 -0700 Xiang Mei wrote:
> Thanks for the suggestion. A TDC selftest was added to v3.

Excellent, thanks!

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-03-27  0:50 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-26  7:58 [PATCH net v2] net/sched: sch_hfsc: fix divide-by-zero in rtsc_min() Xiang Mei
2026-03-26 18:54 ` Xiang Mei
2026-03-26 19:21   ` Jakub Kicinski
2026-03-26 20:44     ` Xiang Mei
2026-03-27  0:50       ` Jakub Kicinski

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox