Commit 4576100b authored Mar 26, 2026 by Xiang Mei Committed by Jakub Kicinski Mar 27, 2026

net/sched: sch_hfsc: fix divide-by-zero in rtsc_min()



m2sm() converts a u32 slope to a u64 scaled value.  For large inputs
(e.g. m1=4000000000), the result can reach 2^32.  rtsc_min() stores
the difference of two such u64 values in a u32 variable `dsm` and
uses it as a divisor.  When the difference is exactly 2^32 the
truncation yields zero, causing a divide-by-zero oops in the
concave-curve intersection path:

  Oops: divide error: 0000
  RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601)
  Call Trace:
   init_ed (net/sched/sch_hfsc.c:629)
   hfsc_enqueue (net/sched/sch_hfsc.c:1569)
   [...]

Widen `dsm` to u64 and replace do_div() with div64_u64() so the full
difference is preserved.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Reported-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Xiang Mei <xmei5@asu.edu>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://patch.msgid.link/20260326204310.1549327-1-xmei5@asu.edu


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 1a6fdb35

net/sched/sch_hfsc.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -555,7 +555,7 @@ static void
		rtsc_min(struct runtime_sc rtsc, struct internal_sc isc, u64 x, u64 y)
		{
		u64 y1, y2, dx, dy;
		u32 dsm;
		u64 dsm;

		if (isc->sm1 <= isc->sm2) {
		/* service curve is convex */
		@@ -598,7 +598,7 @@ rtsc_min(struct runtime_sc rtsc, struct internal_sc isc, u64 x, u64 y)
		*/
		dx = (y1 - y) << SM_SHIFT;
		dsm = isc->sm1 - isc->sm2;
		do_div(dx, dsm);
		dx = div64_u64(dx, dsm);
		/*
		* check if (x, y1) belongs to the 1st segment of rtsc.
		* if so, add the offset.