Bug 27400 - TCP: division by zero in __tcp_select_window() when MSS becomes zero
Summary: TCP: division by zero in __tcp_select_window() when MSS becomes zero
Status: NEW
Alias: None
Product: Upstream
Classification: Unclassified
Component: net
Version: unspecified
Hardware: All
OS: Linux
Importance: P3-Medium S3-normal
Target Milestone: ---
Assignee: abaci-robot
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-11-27 17:24 UTC by abaci-robot
Modified: 2025-11-27 17:24 UTC (History)

See Also:


Description abaci-robot alibaba_cloud_group 2025-11-27 17:24:38 UTC
In the following kernel version:

name: linux
url: http://github.com/gregkh/linux.git
branch: master
commit: ac3fd01e4c1efce8f2c054cdeb2ddd2fc0fb150d

bug report:
------------[ cut here ]------------
UBSAN: division-overflow in net/ipv4/tcp_output.c:3333:13
division by zero
CPU: 0 UID: 0 PID: 4151 Comm: syz.0.268 Not tainted 6.18.0-rc7 #1 PREEMPT(none) 
Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x168/0x1f0 lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:233 [inline]
 __ubsan_handle_divrem_overflow lib/ubsan.c:351 [inline]
 __ubsan_handle_divrem_overflow+0x1ae/0x2a0 lib/ubsan.c:333
 __tcp_select_window.cold+0x16/0x35 net/ipv4/tcp_output.c:3333
 tcp_select_window net/ipv4/tcp_output.c:280 [inline]
 __tcp_transmit_skb+0xca3/0x38b0 net/ipv4/tcp_output.c:1565
 tcp_transmit_skb net/ipv4/tcp_output.c:1646 [inline]
 tcp_send_active_reset+0x422/0x7e0 net/ipv4/tcp_output.c:3828
 mptcp_do_fastclose.part.0+0x158/0x1e0 net/mptcp/protocol.c:2792
 mptcp_do_fastclose net/mptcp/protocol.c:2779 [inline]
 mptcp_disconnect+0x2c6/0x9b0 net/mptcp/protocol.c:3252
 inet_shutdown+0x270/0x440 net/ipv4/af_inet.c:937
 __sys_shutdown_sock net/socket.c:2470 [inline]
 __sys_shutdown_sock net/socket.c:2464 [inline]
 __sys_shutdown+0x117/0x1b0 net/socket.c:2486
 __do_sys_shutdown net/socket.c:2491 [inline]
 __se_sys_shutdown net/socket.c:2489 [inline]
 __x64_sys_shutdown+0x54/0x80 net/socket.c:2489
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x6e/0x940 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7ff5e46fb4dd
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6b 89 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ff5e31f0cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000030
RAX: ffffffffffffffda RBX: 00000000005c5fa0 RCX: 00007ff5e46fb4dd
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000005c5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000005c6038 R14: 0000000000000000 R15: 00007ff5e31f1640
 </TASK>
---[ end trace ]---
Oops: divide error: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 4151 Comm: syz.0.268 Not tainted 6.18.0-rc7 #1 PREEMPT(none) 
Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014
RIP: 0010:__tcp_select_window+0x58a/0x1240 net/ipv4/tcp_output.c:3333
Code: e3 0f 8c 8a 02 00 00 e8 34 dc a3 fd 8b 5c 24 0c 31 ff 89 de e8 c7 d5 a3 fd 85 db 0f 84 6c 9d 36 fd e8 1a dc a3 fd 44 89 f0 99 <f7> 7c 24 0c 41 29 d6 45 89 f4 e9 2a ff ff ff e8 02 dc a3 fd 48 89
RSP: 0018:ffff88800b5f7ae0 EFLAGS: 00010283
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90000d11000
RDX: 0000000000000000 RSI: ffffffff83f30a16 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: ffff888028a9f400 R14: 0000000000000000 R15: 0000000000000000
FS:  00007ff5e31f1640(0000) GS:ffff8880e70ab000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f711faa0 CR3: 000000001de2e003 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
PKRU: 80000000
Call Trace:
 <TASK>
 tcp_select_window net/ipv4/tcp_output.c:280 [inline]
 __tcp_transmit_skb+0xca3/0x38b0 net/ipv4/tcp_output.c:1565
 tcp_transmit_skb net/ipv4/tcp_output.c:1646 [inline]
 tcp_send_active_reset+0x422/0x7e0 net/ipv4/tcp_output.c:3828
 mptcp_do_fastclose.part.0+0x158/0x1e0 net/mptcp/protocol.c:2792
 mptcp_do_fastclose net/mptcp/protocol.c:2779 [inline]
 mptcp_disconnect+0x2c6/0x9b0 net/mptcp/protocol.c:3252
 inet_shutdown+0x270/0x440 net/ipv4/af_inet.c:937
 __sys_shutdown_sock net/socket.c:2470 [inline]
 __sys_shutdown_sock net/socket.c:2464 [inline]
 __sys_shutdown+0x117/0x1b0 net/socket.c:2486
 __do_sys_shutdown net/socket.c:2491 [inline]
 __se_sys_shutdown net/socket.c:2489 [inline]
 __x64_sys_shutdown+0x54/0x80 net/socket.c:2489
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x6e/0x940 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7ff5e46fb4dd
Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6b 89 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ff5e31f0cb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000030
RAX: ffffffffffffffda RBX: 00000000005c5fa0 RCX: 00007ff5e46fb4dd
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000005c5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000005c6038 R14: 0000000000000000 R15: 00007ff5e31f1640
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__tcp_select_window+0x58a/0x1240 net/ipv4/tcp_output.c:3333
Code: e3 0f 8c 8a 02 00 00 e8 34 dc a3 fd 8b 5c 24 0c 31 ff 89 de e8 c7 d5 a3 fd 85 db 0f 84 6c 9d 36 fd e8 1a dc a3 fd 44 89 f0 99 <f7> 7c 24 0c 41 29 d6 45 89 f4 e9 2a ff ff ff e8 02 dc a3 fd 48 89
RSP: 0018:ffff88800b5f7ae0 EFLAGS: 00010283
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90000d11000
RDX: 0000000000000000 RSI: ffffffff83f30a16 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
R13: ffff888028a9f400 R14: 0000000000000000 R15: 0000000000000000
FS:  00007ff5e31f1640(0000) GS:ffff8880e70ab000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f711faa0 CR3: 000000001de2e003 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
PKRU: 80000000
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	0f 8c 8a 02 00 00    	jl     0x290
   6:	e8 34 dc a3 fd       	callq  0xfda3dc3f
   b:	8b 5c 24 0c          	mov    0xc(%rsp),%ebx
   f:	31 ff                	xor    %edi,%edi
  11:	89 de                	mov    %ebx,%esi
  13:	e8 c7 d5 a3 fd       	callq  0xfda3d5df
  18:	85 db                	test   %ebx,%ebx
  1a:	0f 84 6c 9d 36 fd    	je     0xfd369d8c
  20:	e8 1a dc a3 fd       	callq  0xfda3dc3f
  25:	44 89 f0             	mov    %r14d,%eax
  28:	99                   	cltd
* 29:	f7 7c 24 0c          	idivl  0xc(%rsp) <-- trapping instruction
  2d:	41 29 d6             	sub    %edx,%r14d
  30:	45 89 f4             	mov    %r14d,%r12d
  33:	e9 2a ff ff ff       	jmpq   0xffffff62
  38:	e8 02 dc a3 fd       	callq  0xfda3dc3f
  3d:	48                   	rex.W
  3e:	89                   	.byte 0x89
