Commit 51e94e1e authored Apr 17, 2026 by Stephen Hemminger Committed by Jakub Kicinski Apr 27, 2026

net/sched: netem: fix slot delay calculation overflow



get_slot_next() computes a random delay between min_delay and
max_delay using:

  get_random_u32() * (max_delay - min_delay) >> 32

This overflows signed 64-bit arithmetic when the delay range exceeds
approximately 2.1 seconds (2^31 nanoseconds), producing a negative
result that effectively disables slot-based pacing. This is a
realistic configuration for WAN emulation (e.g., slot 1s 5s).

Use mul_u64_u32_shr() which handles the widening multiply without
overflow.

Fixes: 0a9fe5c3 ("netem: slotting with non-uniform distribution")
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260418032027.900913-6-stephen@networkplumber.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parent 01801c35

net/sched/sch_netem.c

+2 −3

Original line number	Diff line number	Diff line
		@@ -659,9 +659,8 @@ static void get_slot_next(struct netem_sched_data *q, u64 now)

		if (!q->slot_dist)
		next_delay = q->slot_config.min_delay +
		(get_random_u32() *
		(q->slot_config.max_delay -
		q->slot_config.min_delay) >> 32);
		mul_u64_u32_shr(q->slot_config.max_delay - q->slot_config.min_delay,
		get_random_u32(), 32);
		else
		next_delay = tabledist(q->slot_config.dist_delay,
		(s32)(q->slot_config.dist_jitter),