linux-kernel.vger.kernel.org archive mirror
* A possible divide by zero bug in alloc_nodes_vectors
@ 2021-05-14 11:31 Yiyuan guo
  2021-05-14 20:04 ` Thomas Gleixner
  0 siblings, 1 reply; 2+ messages in thread
From: Yiyuan guo @ 2021-05-14 11:31 UTC (permalink / raw)
  To: tglx; +Cc: linux-nvme, linux-kernel

In kernel/irq/affinity.c, the function alloc_nodes_vectors has the
following code:

static void alloc_nodes_vectors(unsigned int numvecs,
                cpumask_var_t *node_to_cpumask,
                const struct cpumask *cpu_mask,
                const nodemask_t nodemsk,
                struct cpumask *nmsk,
                struct node_vectors *node_vectors) {
    unsigned n, remaining_ncpus = 0;
    ...
    for_each_node_mask(n, nodemsk) {
        ...
        ncpus = cpumask_weight(nmsk);

        if (!ncpus)
            continue;
        remaining_ncpus += ncpus;
        ...
    }

    numvecs = min_t(unsigned, remaining_ncpus, numvecs);
    ...
    for (n = 0; n < nr_node_ids; n++) {
        ...
        WARN_ON_ONCE(numvecs == 0);
        ...
        nvectors = max_t(unsigned, 1,
                       numvecs * ncpus / remaining_ncpus);
    }
}

The variable remaining_ncpus may remain 0 if cpumask_weight(nmsk)
keeps returning 0 in the for loop. However, remaining_ncpus is used as
a divisor, leading to a potential divide by zero problem.

Notice that the code explicitly warns about numvecs being zero. And
since it is likely that numvecs equals remaining_ncpus (because of the
assignment: numvecs = min_t(unsigned, remaining_ncpus, numvecs)),
we should probably also check remaining_ncpus before the division.


* Re: A possible divide by zero bug in alloc_nodes_vectors
From: Thomas Gleixner @ 2021-05-14 20:04 UTC (permalink / raw)
  To: Yiyuan guo; +Cc: linux-nvme, linux-kernel

On Fri, May 14 2021 at 19:31, Yiyuan guo wrote:

> In kernel/irq/affinity.c, the function alloc_nodes_vectors has the
> following code:
>
> static void alloc_nodes_vectors(unsigned int numvecs,
>                 cpumask_var_t *node_to_cpumask,
>                 const struct cpumask *cpu_mask,
>                 const nodemask_t nodemsk,
>                 struct cpumask *nmsk,
>                 struct node_vectors *node_vectors) {
>     unsigned n, remaining_ncpus = 0;
>     ...
>     for_each_node_mask(n, nodemsk) {
>         ...
>         ncpus = cpumask_weight(nmsk);
>
>         if (!ncpus)
>             continue;
>         remaining_ncpus += ncpus;
>         ...
>     }
>
>     numvecs = min_t(unsigned, remaining_ncpus, numvecs);
>     ...
>     for (n = 0; n < nr_node_ids; n++) {
>         ...
>         WARN_ON_ONCE(numvecs == 0);
>         ...
>         nvectors = max_t(unsigned, 1,
>                        numvecs * ncpus / remaining_ncpus);
>     }
> }
>
> The variable remaining_ncpus may remain 0 if cpumask_weight(nmsk)
> keeps returning 0 in the for loop. However, remaining_ncpus is used as
> a divisor, leading to a potential divide by zero problem.

How so? It's guaranteed that there is at least ONE node which is not
empty. So remaining_ncpus cannot be 0.

Thanks,

        tglx
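The point the two messages disagree on is whether the divisor can ever be zero, and the quoted excerpt shows only the formula, not the bookkeeping around it. The following userspace model is an added example written for this page, not the kernel's alloc_nodes_vectors() and not code from either poster. It keeps the visible arithmetic (clamp numvecs to the CPU count, then max(1, numvecs * ncpus / remaining_ncpus) per non-empty node) and replaces the cpumask/nodemask plumbing with a plain array of per-node CPU counts; the elided per-node adjustment of leftovers is not reproduced. The early return on remaining_ncpus == 0 is the guard the report proposes; per the reply, the kernel's caller guarantees at least one non-empty node, so in the kernel it would never fire, and the model shows that without it the all-empty input is exactly the case that divides by zero. All inputs below are constructed, and MODEL_MAX_NODES is a hypothetical bound.

```c
#include <stdio.h>

/* Upper bound on nodes in this model (hypothetical, not a kernel value). */
#define MODEL_MAX_NODES 8

/* Scratch output array shared by the demo and the checks below. */
static unsigned int model_out[MODEL_MAX_NODES];

/*
 * Split `numvecs` interrupt vectors over `nnodes` nodes in proportion to
 * each node's CPU count.  Returns the total number of vectors assigned,
 * or 0 when every node is empty (the input on which the division in the
 * quoted excerpt would trap if its invariant were ever violated).
 */
static unsigned int split_vectors(unsigned int numvecs,
                                  const unsigned int *ncpus_per_node,
                                  unsigned int nnodes,
                                  unsigned int *nvectors_out)
{
    unsigned int n, remaining_ncpus = 0, total = 0;

    /* First pass: sum the CPUs that can take vectors, skipping empty nodes
     * exactly as the `if (!ncpus) continue;` in the excerpt does. */
    for (n = 0; n < nnodes; n++) {
        nvectors_out[n] = 0;
        if (!ncpus_per_node[n])
            continue;
        remaining_ncpus += ncpus_per_node[n];
    }

    /* The guard proposed in the report: no CPUs means nothing to divide by. */
    if (!remaining_ncpus)
        return 0;

    /* numvecs = min_t(unsigned, remaining_ncpus, numvecs) */
    if (numvecs > remaining_ncpus)
        numvecs = remaining_ncpus;

    /* Second pass: proportional share rounded down, but at least one vector
     * per non-empty node, i.e. max_t(unsigned, 1, numvecs * ncpus / remaining_ncpus). */
    for (n = 0; n < nnodes; n++) {
        unsigned int ncpus = ncpus_per_node[n], nv;

        if (!ncpus)
            continue;
        nv = numvecs * ncpus / remaining_ncpus;
        if (nv < 1)
            nv = 1;
        nvectors_out[n] = nv;
        total += nv;
    }
    return total;
}

/* Constructed inputs: per-node CPU counts for three small topologies. */
static const unsigned int cpus_two_live_one_empty[3] = { 4, 4, 0 };
static const unsigned int cpus_lopsided[2]          = { 1, 7 };
static const unsigned int cpus_all_empty[2]         = { 0, 0 };

int main(void)
{
    unsigned int n, total;

    total = split_vectors(4, cpus_lopsided, 2, model_out);
    printf("lopsided: total %u ->", total);
    for (n = 0; n < 2; n++)
        printf(" node%u=%u", n, model_out[n]);
    printf("\n");

    total = split_vectors(8, cpus_all_empty, 2, model_out);
    printf("all empty: total %u (guard took the early return)\n", total);
    return 0;
}
```

The lopsided case is the one worth staring at: a 1-CPU node would get 4 * 1 / 8 = 0 vectors by pure proportion, and the max(1, ...) in the excerpt is what lifts it to one, which is why the kernel warns on numvecs == 0 rather than on the divisor.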
