On 5/14/21 10:28 AM, Yiyuan guo wrote:
> In block/blk-mq-cpumap.c, blk_mq_map_queues has the following code:
>
> int blk_mq_map_queues(struct blk_mq_queue_map *qmap) {
>     ...
>     unsigned int nr_queues = qmap->nr_queues;
>     unsigned q = 0;
>     ...
>     for_each_present_cpu(cpu) {
>         if (q >= nr_queues)
>             break;
>         ...
>     }
>
>     for_each_possible_cpu(cpu) {
>         ...
>         if (q < nr_queues) {
>             map[cpu] = queue_index(qmap, nr_queues, q++);
>         } else {
>             ...
>             if (first_sibling == cpu)
>                 map[cpu] = queue_index(qmap, nr_queues, q++);
>
>         }
>     }
> }
>
> If qmap->nr_queues equals zero when entering the function, then by
> passing zero to function queue_index we have a divide by zero bug:
>
> static int queue_index(struct blk_mq_queue_map *qmap,
>                        unsigned int nr_queues, const int q)
> {
>     return qmap->queue_offset + (q % nr_queues);
> }
>
> It seems possible to me that qmap->nr_queues may equal zero because
> this field is explicitly checked in other functions.
>
> For example, in the function blk_mq_map_swqueue (block/blk-mq.c),
> there is a check comparing nr_queues with 0:
>
> for (j = 0; j < set->nr_maps; j++) {
>     if (!set->map[j].nr_queues) {
>         ...
>         continue;
>     }
>     ...
> }
>
Theoretically, but yes, possible.

Care to send a patch?

Cheers,

Hannes
--
Dr. Hannes Reinecke                Kernel Storage Architect
hare@xxxxxxx                              +49 911 74053 688
SUSE Software Solutions Germany GmbH, 90409 Nürnberg
GF: F. Imendörffer, HRB 36809 (AG Nürnberg)
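A user-space model of the mapping loop and of the nr_queues check the report says is missing, added here as an illustration and not taken from the kernel; the struct and the function names (queue_map, map_queues_guarded, mapped_queue) are simplified stand-ins, and only queue_index() keeps the arithmetic quoted above:

```c
#include <stdio.h>

/* Simplified stand-in for struct blk_mq_queue_map (hypothetical). */
struct queue_map {
    unsigned int *mq_map;       /* per-CPU hardware queue index */
    unsigned int nr_queues;
    unsigned int queue_offset;
};

/* Same arithmetic as the reported queue_index(): with nr_queues == 0
 * the modulo is an integer division by zero (SIGFPE on x86). */
static unsigned int queue_index(const struct queue_map *qmap,
                                unsigned int nr_queues, unsigned int q)
{
    return qmap->queue_offset + (q % nr_queues);
}

/* Round-robin CPU -> queue assignment with the nr_queues check that
 * blk_mq_map_swqueue() applies, taken before any modulo. -1 = nothing to map. */
int map_queues_guarded(struct queue_map *qmap, unsigned int nr_cpus)
{
    unsigned int nr_queues = qmap->nr_queues;
    unsigned int q = 0;

    if (!nr_queues)
        return -1;      /* the check the reported path lacks */

    for (unsigned int cpu = 0; cpu < nr_cpus; cpu++)
        qmap->mq_map[cpu] = queue_index(qmap, nr_queues, q++);
    return 0;
}

/* Map 4 CPUs and return the queue chosen for `cpu`, or -1 if rejected. */
int mapped_queue(unsigned int nr_queues, unsigned int queue_offset,
                 unsigned int cpu)
{
    unsigned int map[4] = { 0 };
    struct queue_map qmap = { map, nr_queues, queue_offset };

    if (cpu >= 4 || map_queues_guarded(&qmap, 4) < 0)
        return -1;
    return (int)map[cpu];
}

int main(void)
{
    printf("nr_queues=0 -> %d (guarded, no division)\n", mapped_queue(0, 0, 0));
    printf("nr_queues=2, offset=3, cpu 3 -> queue %d\n", mapped_queue(2, 3, 3));
    return 0;
}
```

Removing the `if (!nr_queues)` guard and calling mapped_queue(0, 0, 0) reproduces the trap the report describes.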