Commit 464d1387 authored by Tejun Heo's avatar Tejun Heo Committed by Jens Axboe
Browse files

writeback: use |1 instead of +1 to protect against div by zero 



mm/page-writeback.c has several places where 1 is added to the divisor
to prevent division by zero exceptions; however, if the original
divisor is equivalent to -1, adding 1 leads to division by zero.

There are three places where +1 is used for this purpose - one in
pos_ratio_polynom() and two in bdi_position_ratio().  The second one
in bdi_position_ratio() actually triggered div-by-zero oops on a
machine running a 3.10 kernel.  The divisor is

  x_intercept - bdi_setpoint + 1 == span + 1

span is confirmed to be (u32)-1.  It isn't clear how it ended up that
but it could be from write bandwidth calculation underflow fixed by
c72efb65 ("writeback: fix possible underflow in write bandwidth
calculation").

At any rate, +1 isn't a proper protection against div-by-zero.  This
patch converts all +1 protections to |1.  Note that
bdi_update_dirty_ratelimit() was already using |1 before this patch.

Signed-off-by: default avatarTejun Heo <tj@kernel.org>
Cc: stable@vger.kernel.org
Reviewed-by: default avatarJan Kara <jack@suse.cz>
Signed-off-by: default avatarJens Axboe <axboe@fb.com>
parent 2a34c087

mm/page-writeback.c

+3 −3
Original line number Diff line number Diff line
@@ -580,7 +580,7 @@ static long long pos_ratio_polynom(unsigned long setpoint, 
	long x;



	x = div64_s64(((s64)setpoint - (s64)dirty) << RATELIMIT_CALC_SHIFT,

		    limit - setpoint + 1);

		      (limit - setpoint) | 1);

	pos_ratio = x;

	pos_ratio = pos_ratio * x >> RATELIMIT_CALC_SHIFT;

	pos_ratio = pos_ratio * x >> RATELIMIT_CALC_SHIFT;
@@ -807,7 +807,7 @@ static unsigned long bdi_position_ratio(struct backing_dev_info *bdi, 
	 * scale global setpoint to bdi's:

	 *	bdi_setpoint = setpoint * bdi_thresh / thresh

	 */

	x = div_u64((u64)bdi_thresh << 16, thresh + 1);

	x = div_u64((u64)bdi_thresh << 16, thresh | 1);

	bdi_setpoint = setpoint * (u64)x >> 16;

	/*

	 * Use span=(8*write_bw) in single bdi case as indicated by
@@ -822,7 +822,7 @@ static unsigned long bdi_position_ratio(struct backing_dev_info *bdi, 


	if (bdi_dirty < x_intercept - span / 4) {

		pos_ratio = div64_u64(pos_ratio * (x_intercept - bdi_dirty),

				    x_intercept - bdi_setpoint + 1);

				      (x_intercept - bdi_setpoint) | 1);

	} else

		pos_ratio /= 4;

CRA Git | Maintained and supported by SUSTech CRA and CCSE