From: Simon Wunderlich <sw@simonwunderlich.de>
To: netdev@vger.kernel.org
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
b.a.t.m.a.n@lists.open-mesh.org,
Sven Eckelmann <sven@narfation.org>,
stable@kernel.org, Simon Wunderlich <sw@simonwunderlich.de>
Subject: [PATCH net-next 05/15] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd
Date: Wed, 3 Jun 2026 09:25:16 +0200 [thread overview]
Message-ID: <20260603072527.174487-6-sw@simonwunderlich.de> (raw)
In-Reply-To: <20260603072527.174487-1-sw@simonwunderlich.de>
From: Sven Eckelmann <sven@narfation.org>
The cwnd is always MSS <= cwnd <= 0x20000000. But the calculation in
batadv_tp_update_cwnd() assumes unsigned 32 bit arithmetics.
((mss * 8) ** 2) / (cwnd * 8)
In case cwnd is actually 0x20000000, it will be shifted by 3 bit to the
left end up at 0x100000000 or U32_MAX + 1. It will therefore wrap around
and be 0 - resulting in:
((mss * 8) ** 2) / 0
This is of course invalid and cannot be calculated. The calculation should
must be simplified to avoid this overflow:
(mss ** 2) * 8 / cwnd
It will keep the precision enhancement from the scaling (by 8) but avoid
the overflow in the divisor.
In theory, there could still be an overflow in the dividend. It is at the
moment fixed to BATADV_TP_PLEN in batadv_tp_recv_ack() - so it is not an
imminent problem. But allowing it to use the whole u32 bit range, would
mean that it can still use up to 67 bits. To keep this calculation safe for
32 bit arithmetic, mss must never use more than floor((32 - 3) / 2) bits -
or in other words: must never be larger than 16383.
Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
---
net/batman-adv/tp_meter.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 9ecbc6023cfc9..1655f181c9293 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -154,9 +154,12 @@ static void batadv_tp_update_cwnd(struct batadv_tp_vars *tp_vars, u32 mss)
return;
}
+ /* prevent overflow in (mss * mss) << 3 */
+ mss = min_t(u32, mss, (1U << 14) - 1);
+
/* increment CWND at least of 1 (section 3.1 of RFC5681) */
tp_vars->dec_cwnd += max_t(u32, 1U << 3,
- ((mss * mss) << 6) / (tp_vars->cwnd << 3));
+ ((mss * mss) << 3) / tp_vars->cwnd);
if (tp_vars->dec_cwnd < (mss << 3)) {
spin_unlock_bh(&tp_vars->cwnd_lock);
return;
--
2.47.3
next prev parent reply other threads:[~2026-06-03 7:25 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-03 7:25 [PATCH net-next 00/15] pull request for net-next: batman-adv 2026-06-03 Simon Wunderlich
2026-06-03 7:25 ` [PATCH net-next 01/15] batman-adv: tp_meter: keep unacked list in ascending ordered Simon Wunderlich
2026-06-05 2:20 ` patchwork-bot+netdevbpf
2026-06-03 7:25 ` [PATCH net-next 02/15] batman-adv: tp_meter: initialize dup_acks explicitly Simon Wunderlich
2026-06-03 7:25 ` [PATCH net-next 03/15] batman-adv: tp_meter: initialize dec_cwnd explicitly Simon Wunderlich
2026-06-03 7:25 ` [PATCH net-next 04/15] batman-adv: tp_meter: avoid window underflow Simon Wunderlich
2026-06-03 7:25 ` Simon Wunderlich [this message]
2026-06-03 7:25 ` [PATCH net-next 06/15] batman-adv: tp_meter: fix fast recovery precondition Simon Wunderlich
2026-06-03 7:25 ` [PATCH net-next 07/15] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection Simon Wunderlich
2026-06-03 7:25 ` [PATCH net-next 08/15] batman-adv: tp_meter: add only finished tp_vars to lists Simon Wunderlich
2026-06-03 7:25 ` [PATCH net-next 09/15] batman-adv: tp_meter: split vars into sender and receiver types Simon Wunderlich
2026-06-03 7:25 ` [PATCH net-next 10/15] batman-adv: tp_meter: use locking for all congestion control variables Simon Wunderlich
2026-06-03 7:25 ` [PATCH net-next 11/15] batman-adv: tp_meter: consolidate " Simon Wunderlich
2026-06-03 7:25 ` [PATCH net-next 12/15] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE Simon Wunderlich
2026-06-03 7:25 ` [PATCH net-next 13/15] batman-adv: prevent ELP transmission interval underflow Simon Wunderlich
2026-06-03 7:25 ` [PATCH net-next 14/15] batman-adv: tt: sync local and global tvlv preparation return values Simon Wunderlich
2026-06-03 7:25 ` [PATCH net-next 15/15] batman-adv: tt: directly retrieve wifi flags of net_device Simon Wunderlich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260603072527.174487-6-sw@simonwunderlich.de \
--to=sw@simonwunderlich.de \
--cc=b.a.t.m.a.n@lists.open-mesh.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@kernel.org \
--cc=sven@narfation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox