From: Yiyuan guo <yguoaz@gmail.com>
To: axboe@kernel.dk
Cc: linux-block@vger.kernel.org, Yiyuan guo <yguoaz@gmail.com>
Subject: A possible divide by zero bug in blk_mq_map_queues
Date: Fri, 14 May 2021 16:28:47 +0800
Message-ID: <CAM7=BFrvCdsW1xekOb9QAdVkhRAU6kdg1g98OUz6YYyXOuMZRg@mail.gmail.com>

In block/blk-mq-cpumap.c, blk_mq_map_queues has the following code:

int blk_mq_map_queues(struct blk_mq_queue_map *qmap) {
    ...
    unsigned int nr_queues = qmap->nr_queues;
    unsigned q = 0;
    ...
    for_each_present_cpu(cpu) {
        if (q >= nr_queues)
            break;
        ...
    }

    for_each_possible_cpu(cpu) {
        ...
        if (q < nr_queues) {
            map[cpu] = queue_index(qmap, nr_queues, q++);
        } else {
           ...
            if (first_sibling == cpu)
                map[cpu] = queue_index(qmap, nr_queues, q++);

        }
    }
}

If qmap->nr_queues equals zero when entering the function, then by
passing zero to the function queue_index we have a divide-by-zero bug:

static int queue_index(struct blk_mq_queue_map *qmap,
               unsigned int nr_queues, const int q)
{
    return qmap->queue_offset + (q % nr_queues);
}

It seems possible to me that qmap->nr_queues may equal zero because
this field is explicitly checked in other functions.

For example, in the function blk_mq_map_swqueue (block/blk-mq.c),
there is a check comparing nr_queues with 0:

for (j = 0; j < set->nr_maps; j++) {
    if (!set->map[j].nr_queues) {
        ...
        continue;
    }
    ...
}
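The mapping loop the report describes, as an added userspace model so the guard can be exercised outside the kernel. This is example code, not the kernel's blk_mq_map_queues() and not the patch posted later in this thread. The names struct qmap, map_queues, demo_entry, present[], sibling[], MAX_CPUS and UNMAPPED are hypothetical; plain arrays stand in for the cpumask iterators, and the handling of already-mapped CPUs and of the sibling's queue in the else branch is an assumption about the lines the report elides with "...". The 4-CPU topology in demo_entry() is constructed for the example.

```c
#include <errno.h>
#include <stdio.h>

/*
 * Userspace model of the CPU-to-queue spreading done by blk_mq_map_queues().
 * Added example with hypothetical names; not the kernel's code.  present[]
 * and sibling[] replace the cpumask iterators, and UNMAPPED marks entries the
 * first pass has not filled (an assumption about the elided "..." lines).
 */
#define MAX_CPUS 16
#define UNMAPPED 0xffffffffu

struct qmap {
	unsigned int nr_queues;
	unsigned int queue_offset;
	unsigned int map[MAX_CPUS];
};

/* Same arithmetic as queue_index() in the report: q % 0 is the fault. */
static unsigned int queue_index(const struct qmap *qmap,
				unsigned int nr_queues, unsigned int q)
{
	return qmap->queue_offset + (q % nr_queues);
}

/*
 * present[cpu] != 0 marks a present CPU; every index < nr_cpus is treated
 * as possible.  sibling[cpu] is the first SMT sibling of cpu (cpu itself if
 * it has none).  Returns 0, or -EINVAL when the map has no queues.
 */
int map_queues(struct qmap *qmap, unsigned int nr_cpus,
	       const int *present, const unsigned int *sibling)
{
	unsigned int nr_queues = qmap->nr_queues;
	unsigned int cpu, first_sibling, q = 0;

	/* The missing guard: an empty map must never reach the modulo. */
	if (nr_queues == 0 || nr_cpus > MAX_CPUS)
		return -EINVAL;

	for (cpu = 0; cpu < nr_cpus; cpu++)
		qmap->map[cpu] = UNMAPPED;

	/* Spread queues over present CPUs first, until the queues run out. */
	for (cpu = 0; cpu < nr_cpus; cpu++) {
		if (q >= nr_queues)
			break;
		if (!present[cpu])
			continue;
		qmap->map[cpu] = queue_index(qmap, nr_queues, q++);
	}

	/*
	 * Then cover the remaining possible CPUs.  Once the queues are used
	 * up, a CPU with an SMT sibling shares the sibling's queue (assumed
	 * behaviour for the elided else branch); a lone CPU wraps around via
	 * the modulo in queue_index().
	 */
	for (cpu = 0; cpu < nr_cpus; cpu++) {
		if (qmap->map[cpu] != UNMAPPED)
			continue;
		if (q < nr_queues) {
			qmap->map[cpu] = queue_index(qmap, nr_queues, q++);
		} else {
			first_sibling = sibling[cpu];
			if (first_sibling == cpu)
				qmap->map[cpu] = queue_index(qmap, nr_queues, q++);
			else
				qmap->map[cpu] = qmap->map[first_sibling];
		}
	}
	return 0;
}

/*
 * Map a constructed 4-CPU topology (cpu3 possible but not present; cpu2 is
 * cpu0's sibling, cpu3 is cpu1's) and return the queue chosen for one cpu,
 * or the negative error from map_queues().
 */
long demo_entry(unsigned int nr_queues, unsigned int queue_offset, unsigned int cpu)
{
	static const int present[4] = { 1, 1, 1, 0 };
	static const unsigned int sibling[4] = { 0, 1, 0, 1 };
	struct qmap qmap = { .nr_queues = nr_queues, .queue_offset = queue_offset };
	int ret = map_queues(&qmap, 4, present, sibling);

	if (ret < 0 || cpu >= 4)
		return ret < 0 ? ret : -EINVAL;
	return qmap.map[cpu];
}

int main(void)
{
	unsigned int cpu;

	for (cpu = 0; cpu < 4; cpu++)
		printf("nr_queues=2: cpu%u -> queue %ld\n", cpu, demo_entry(2, 0, cpu));
	printf("nr_queues=0: ret = %ld (expect -EINVAL)\n", demo_entry(0, 0, 0));
	return 0;
}
```

With two queues the model gives cpu0 and cpu1 their own queue and lets cpu2 and cpu3 share their siblings' queues; with zero queues map_queues() returns -EINVAL before queue_index() can compute q % 0, which is the check the report asks for.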


Thread overview: 5+ messages
2021-05-14  8:28 Yiyuan guo [this message]
2021-05-14  8:34 ` A possible divide by zero bug in blk_mq_map_queues Hannes Reinecke
2021-05-14  9:16   ` [PATCH] block: add protection for divide by zero " Yiyuan GUO
2021-05-14  9:24     ` Hannes Reinecke
2021-05-14  9:38       ` [PATCH v2] " Yiyuan GUO