We discovered a division-by-zero bug in __tcp_select_window() since commit ae155060247b ("mptcp: fix duplicate reset on fastclose"). Under certain conditions during MPTCP fastclose, the mss value passed to __tcp_select_window can be zero. The existing logic attempts to perform rounddown(free_space, mss) without validating mss, leading to a division operation in the helper (via do_div() or inline assembly) that triggers a UBSAN overflow and kernel oops: UBSAN: division-overflow in net/ipv4/tcp_output.c:3333:13 division by zero RIP: __tcp_select_window+0x58a/0x1240 Call Trace: __tcp_transmit_skb+0xca3/0x38b0 tcp_send_active_reset+0x422/0x7e0 mptcp_do_fastclose+0x158/0x1e0 ... The issue occurs when tcp_send_active_reset() is called on a subflow with an unset or zero mss, which can happen during fastclose teardown due to earlier state transitions. This patch adds a guard to return 0 immediately if mss == 0, preventing the unsafe rounding operation. This is safe because a zero MSS implies invalid or uninitialized state, and returning zero window reflects that no reliable data transmission can proceed. Fixes: ae155060247b ("mptcp: fix duplicate reset on fastclose") Reported-by: kitta Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220820 Co-developed-by: kitta Signed-off-by: Evan Li --- net/ipv4/tcp_output.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index b94efb3050d2..e6d2851a0ae9 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -3329,9 +3329,11 @@ u32 __tcp_select_window(struct sock *sk) * We also don't do any window rounding when the free space * is too small. */ - if (window <= free_space - mss || window > free_space) + if (window <= free_space - mss || window > free_space) { + if (unlikely(mss == 0)) + return 0; /* Prevent division by zero */ window = rounddown(free_space, mss); - else if (mss == full_space && + } else if (mss == full_space && free_space > window + (full_space >> 1)) window = free_space; } -- 2.43.7