git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Sven Eckelmann <sven@narfation.org>
	Sun, 31 May 2026 10:38:05 +0000 (12:38 +0200)
committer	Sven Eckelmann <sven@narfation.org>
	Wed, 3 Jun 2026 06:02:20 +0000 (08:02 +0200)
commit	33ccd52f3cc9ed46ce395199f89aa3234dc83314
tree	6eaaca1da58cae3accc3f74c1013f63126fb3571	tree \| snapshot
parent	765947b81fb54b6ebb0bc1cfe55c0fa399e002b8	commit \| diff

batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd

The cwnd is always MSS <= cwnd <= 0x20000000. But the calculation in
batadv_tp_update_cwnd() assumes unsigned 32 bit arithmetics.

    ((mss * 8) ** 2) / (cwnd * 8)

In case cwnd is actually 0x20000000, it will be shifted by 3 bit to the
left end up at 0x100000000 or U32_MAX + 1. It will therefore wrap around
and be 0 - resulting in:

    ((mss * 8) ** 2) / 0

This is of course invalid and cannot be calculated. The calculation should
must be simplified to avoid this overflow:

   (mss ** 2) * 8 / cwnd

It will keep the precision enhancement from the scaling (by 8) but avoid
the overflow in the divisor.

In theory, there could still be an overflow in the dividend. It is at the
moment fixed to BATADV_TP_PLEN in batadv_tp_recv_ack() - so it is not an
imminent problem. But allowing it to use the whole u32 bit range, would
mean that it can still use up to 67 bits. To keep this calculation safe for
32 bit arithmetic, mss must never use more than floor((32 - 3) / 2) bits -
or in other words: must never be larger than 16383.

Cc: stable@kernel.org
Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation")
Signed-off-by: Sven Eckelmann <sven@narfation.org>