1. Patchew
  2. linux
  3. View series

[PATCH v3] net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()

Ruitong Liu posted 1 patch 1 month, 2 weeks ago 
net/sched/act_skbedit.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
[PATCH v3] net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()
Posted by Ruitong Liu 1 month, 2 weeks ago 
Commit 38a6f0865796 ("net: sched: support hash selecting tx queue")
added SKBEDIT_F_TXQ_SKBHASH support. The inclusive range size is
computed as:

mapping_mod = queue_mapping_max - queue_mapping + 1;

The range size can be 65536 when the requested range covers all possible
u16 queue IDs (e.g. queue_mapping=0 and queue_mapping_max=U16_MAX).
That value cannot be represented in a u16 and previously wrapped to 0,
so tcf_skbedit_hash() could trigger a divide-by-zero:

queue_mapping += skb_get_hash(skb) % params->mapping_mod;

Compute mapping_mod in a wider type and reject ranges larger than U16_MAX
to prevent params->mapping_mod from becoming 0 and avoid the crash.

Fixes: 38a6f0865796 ("net: sched: support hash selecting tx queue")
Cc: stable@vger.kernel.org # 6.12+
Reported-by: Ruitong Liu <cnitlrt@gmail.com>
Closes: https://lore.kernel.org/all/20260211184848.731894-1-cnitlrt@gmail.com/
Reported-by: Shuyuan Liu <L0x1c3r@gmail.com>
Closes: https://lore.kernel.org/all/20260211184848.731894-1-cnitlrt@gmail.com/
Signed-off-by: Ruitong Liu <cnitlrt@gmail.com>
---
 net/sched/act_skbedit.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/sched/act_skbedit.c b/net/sched/act_skbedit.c
index 8c1d1554f657..5450c1293eb5 100644
--- a/net/sched/act_skbedit.c
+++ b/net/sched/act_skbedit.c
@@ -126,7 +126,7 @@ static int tcf_skbedit_init(struct net *net, struct nlattr *nla,
 	struct tcf_skbedit *d;
 	u32 flags = 0, *priority = NULL, *mark = NULL, *mask = NULL;
 	u16 *queue_mapping = NULL, *ptype = NULL;
-	u16 mapping_mod = 1;
+	u32 mapping_mod = 1;
 	bool exists = false;
 	int ret = 0, err;
 	u32 index;
@@ -194,6 +194,10 @@ static int tcf_skbedit_init(struct net *net, struct nlattr *nla,
 			}
 
 			mapping_mod = *queue_mapping_max - *queue_mapping + 1;
+			if (mapping_mod > U16_MAX) {
+				NL_SET_ERR_MSG_MOD(extack, "The range of queue_mapping is invalid.");
+				return -EINVAL;
+			}
 			flags |= SKBEDIT_F_TXQ_SKBHASH;
 		}
 		if (*pure_flags & SKBEDIT_F_INHERITDSFIELD)
-- 
2.34.1
Re: [PATCH v3] net/sched: act_skbedit: fix divide-by-zero in tcf_skbedit_hash()
Posted by Jakub Kicinski 1 month, 1 week ago 
On Sat, 14 Feb 2026 01:59:48 +0800 Ruitong Liu wrote:
> Reported-by: Ruitong Liu <cnitlrt@gmail.com>
> Closes: https://lore.kernel.org/all/20260211184848.731894-1-cnitlrt@gmail.com/
> Reported-by: Shuyuan Liu <L0x1c3r@gmail.com>
> Closes: https://lore.kernel.org/all/20260211184848.731894-1-cnitlrt@gmail.com/

Please don't abuse reported-by tags.
These tags are only used when the reporter is not the same
as the author. If you're sending a fix without a reported-by
tag it's implied that you found the issue yourself.

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.