[PATCH] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

[PATCH] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

[Junrui Luo]

setup_geo() extracts near_copies (nc) and far_copies (fc) from the
user-provided layout parameter without checking for zero. When fc=0
with the "improved" far set layout selected, 'geo->far_set_size =
disks / fc' triggers a divide-by-zero.

Validate nc and fc immediately after extraction, returning -1 if
either is zero.

Fixes: 475901aff158 ("MD RAID10: Improve redundancy for 'far' and 'offset' algorithms (part 1)")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
---
 drivers/md/raid10.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
index 0653b5d8545a..811ea3d23b80 100644
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -3791,6 +3791,8 @@ static int setup_geo(struct geom *geo, struct mddev *mddev, enum geo_type new)
 	nc = layout & 255;
 	fc = (layout >> 8) & 255;
 	fo = layout & (1<<16);
+	if (!nc || !fc)
+		return -1;
 	geo->raid_disks = disks;
 	geo->near_copies = nc;
 	geo->far_copies = fc;

---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260416-fixes-6ba978713ab3

Best regards,
-- 
Junrui Luo <moonafterrain@outlook.com>

Re: [PATCH] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

[Paul Menzel]

Dear Junrui,


Thank you for the patch.

Am 16.04.26 um 05:39 schrieb Junrui Luo:
> setup_geo() extracts near_copies (nc) and far_copies (fc) from the
> user-provided layout parameter without checking for zero. When fc=0
> with the "improved" far set layout selected, 'geo->far_set_size =
> disks / fc' triggers a divide-by-zero.
> 
> Validate nc and fc immediately after extraction, returning -1 if
> either is zero.

Why also `nc` and not just `fc`?

It’d be great, if you documented the command how to create such a layout.

> Fixes: 475901aff158 ("MD RAID10: Improve redundancy for 'far' and 'offset' algorithms (part 1)")
> Reported-by: Yuhao Jiang <danisjiang@gmail.com>
> Cc: stable@vger.kernel.org
> Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
> ---
>   drivers/md/raid10.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
> index 0653b5d8545a..811ea3d23b80 100644
> --- a/drivers/md/raid10.c
> +++ b/drivers/md/raid10.c
> @@ -3791,6 +3791,8 @@ static int setup_geo(struct geom *geo, struct mddev *mddev, enum geo_type new)
>   	nc = layout & 255;
>   	fc = (layout >> 8) & 255;
>   	fo = layout & (1<<16);
> +	if (!nc || !fc)
> +		return -1;

I’d also print a warning, so the user knows, what was wrong:

     pr_warn(md/raid10:%s: near and far copies need to be greater than 
0, mdname(mddev));

>   	geo->raid_disks = disks;
>   	geo->near_copies = nc;
>   	geo->far_copies = fc;


Kind regards,

Paul

Re: [PATCH] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

[Junrui Luo]

Hi Paul,

Thank you for the review.

On Thu, Apr 16, 2026 at 08:17:26AM +0200, Paul Menzel wrote:
> Why also `nc` and not just `fc`?

nc and fc are documented as "must be at least one" (raid10.c
line 47), it seemed cleaner to reject both together.

> It’d be great, if you documented the command how to create such a layout.

Here is a reproducer that triggers the divide-by-zero

  for i in 0 1 2 3; do
    dd if=/dev/zero of=/tmp/loop$i bs=1M count=64
    losetup /dev/loop$i /tmp/loop$i
  done

  gcc -o raid10_poc raid10_poc.c
  ./raid10_poc

```
  #include <stdio.h>
  #include <stdlib.h>
  #include <fcntl.h>
  #include <unistd.h>
  #include <string.h>
  #include <sys/ioctl.h>
  #include <sys/stat.h>
  #include <sys/sysmacros.h>
  #include <linux/major.h>
  #include <linux/raid/md_u.h>

  int main(void)
  {
  	int fd, i;
  	mdu_array_info_t array;
  	mdu_disk_info_t disk;

  	mknod("/dev/md0", S_IFBLK | 0600, makedev(9, 0));

  	fd = open("/dev/md0", O_RDWR);
  	if (fd < 0) {
  		perror("open /dev/md0");
  		return 1;
  	}

  	memset(&array, 0, sizeof(array));
  	array.major_version = 1;
  	array.minor_version = 2;
  	array.level = 10;
  	array.layout = 0x20000;
  	array.raid_disks = 4;
  	array.chunk_size = 65536;

  	if (ioctl(fd, SET_ARRAY_INFO, &array) < 0) {
  		perror("SET_ARRAY_INFO");
  		return 1;
  	}

  	for (i = 0; i < 4; i++) {
  		memset(&disk, 0, sizeof(disk));
  		disk.number = i;
  		disk.raid_disk = i;
  		disk.state = (1 << 1) | (1 << 2);
  		disk.major = 7;
  		disk.minor = i;
  		if (ioctl(fd, ADD_NEW_DISK, &disk) < 0) {
  			perror("ADD_NEW_DISK");
  			return 1;
  		}
  	}

  	/* triggers setup_conf() -> setup_geo() -> disks/fc with fc=0 */
  	ioctl(fd, RUN_ARRAY, NULL);

  	close(fd);
  	return 0;
  }
```

> I’d also print a warning, so the user knows, what was wrong:
> 
>     pr_warn(md/raid10:%s: near and far copies need to be greater than 0,
> mdname(mddev));
 
With this fix, nc=0 or fc=0 returns -1, which hits the `copies < 2`
check and prints the existing warning. Adding another pr_warn inside
setup_geo() would be inconsistent with the other `return -1` paths in
that function, which all silently return -1 and let the caller report.
Adding a pr_warn for this case alone would be inconsistent; doing it
properly would mean adding warnings to all the return -1 paths, which
is a larger change better done separately.

Thanks,
Junrui Luo

Re: [PATCH] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

[Yu Kuai]

Hi,

在 2026/4/16 11:39, Junrui Luo 写道:
> setup_geo() extracts near_copies (nc) and far_copies (fc) from the
> user-provided layout parameter without checking for zero. When fc=0
> with the "improved" far set layout selected, 'geo->far_set_size =
> disks / fc' triggers a divide-by-zero.
>
> Validate nc and fc immediately after extraction, returning -1 if
> either is zero.
>
> Fixes: 475901aff158 ("MD RAID10: Improve redundancy for 'far' and 'offset' algorithms (part 1)")
> Reported-by: Yuhao Jiang<danisjiang@gmail.com>

So again I can't find a report, and Reported-by usually should be followed
by a Closes link to the original report.

Applied with Reported-by tag removed.

> Cc:stable@vger.kernel.org
> Signed-off-by: Junrui Luo<moonafterrain@outlook.com>
> ---
>   drivers/md/raid10.c | 2 ++
>   1 file changed, 2 insertions(+)

-- 
Thansk,
Kuai

Re: [PATCH] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

[Yuhao Jiang]

Hi Kuai,

This report was reported by me, so Junrui added me as Reported-by.

Thanks,


On Sun, Apr 19, 2026 at 12:43 AM Yu Kuai <yukuai@fnnas.com> wrote:
>
> Hi,
>
> 在 2026/4/16 11:39, Junrui Luo 写道:
> > setup_geo() extracts near_copies (nc) and far_copies (fc) from the
> > user-provided layout parameter without checking for zero. When fc=0
> > with the "improved" far set layout selected, 'geo->far_set_size =
> > disks / fc' triggers a divide-by-zero.
> >
> > Validate nc and fc immediately after extraction, returning -1 if
> > either is zero.
> >
> > Fixes: 475901aff158 ("MD RAID10: Improve redundancy for 'far' and 'offset' algorithms (part 1)")
> > Reported-by: Yuhao Jiang<danisjiang@gmail.com>
>
> So again I can't find a report, and Reported-by usually should be followed
> by a Closes link to the original report.
>
> Applied with Reported-by tag removed.
>
> > Cc:stable@vger.kernel.org
> > Signed-off-by: Junrui Luo<moonafterrain@outlook.com>
> > ---
> >   drivers/md/raid10.c | 2 ++
> >   1 file changed, 2 insertions(+)
>
> --
> Thansk,
> Kuai



-- 
Yuhao Jiang

Re: [PATCH] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

[Yu Kuai]

Hi,

在 2026/4/19 13:59, Yuhao Jiang 写道:
> Hi Kuai,
>
> This report was reported by me, so Junrui added me as Reported-by.

This is fine, however, please do not add downstream reported-by tag.
If you want to add the reported-by tag, please report the problem to
patchwork first. :)

>
> Thanks,
>
> On Sun, Apr 19, 2026 at 12:43 AM Yu Kuai <yukuai@fnnas.com> wrote:
>
>     Hi,
>
>     在 2026/4/16 11:39, Junrui Luo 写道:
>     > setup_geo() extracts near_copies (nc) and far_copies (fc) from the
>     > user-provided layout parameter without checking for zero. When fc=0
>     > with the "improved" far set layout selected, 'geo->far_set_size =
>     > disks / fc' triggers a divide-by-zero.
>     >
>     > Validate nc and fc immediately after extraction, returning -1 if
>     > either is zero.
>     >
>     > Fixes: 475901aff158 ("MD RAID10: Improve redundancy for 'far'
>     and 'offset' algorithms (part 1)")
>     > Reported-by: Yuhao Jiang<danisjiang@gmail.com>
>
>     So again I can't find a report, and Reported-by usually should be
>     followed
>     by a Closes link to the original report.
>
>     Applied with Reported-by tag removed.
>
>     > Cc:stable@vger.kernel.org <mailto:Cc%3Astable@vger.kernel.org>
>     > Signed-off-by: Junrui Luo<moonafterrain@outlook.com>
>     > ---
>     >   drivers/md/raid10.c | 2 ++
>     >   1 file changed, 2 insertions(+)
>
>     -- 
>     Thansk,
>     Kuai
>
>
>
> -- 
> Yuhao Jiang

-- 
Thansk,
Kuai

Re: [PATCH] md/raid10: fix divide-by-zero in setup_geo() with zero far_copies

[Yuhao Jiang]

Hi Kuai,

Looks like different maintainers have different rules. :(
Can you send me the patchwork resource?

Thanks.

On Tue, Apr 28, 2026 at 4:32 PM Yu Kuai <yukuai@fnnas.com> wrote:
>
> Hi,
>
> 在 2026/4/19 13:59, Yuhao Jiang 写道:
> > Hi Kuai,
> >
> > This report was reported by me, so Junrui added me as Reported-by.
>
> This is fine, however, please do not add downstream reported-by tag.
> If you want to add the reported-by tag, please report the problem to
> patchwork first. :)
>
> >
> > Thanks,
> >
> > On Sun, Apr 19, 2026 at 12:43 AM Yu Kuai <yukuai@fnnas.com> wrote:
> >
> >     Hi,
> >
> >     在 2026/4/16 11:39, Junrui Luo 写道:
> >     > setup_geo() extracts near_copies (nc) and far_copies (fc) from the
> >     > user-provided layout parameter without checking for zero. When fc=0
> >     > with the "improved" far set layout selected, 'geo->far_set_size =
> >     > disks / fc' triggers a divide-by-zero.
> >     >
> >     > Validate nc and fc immediately after extraction, returning -1 if
> >     > either is zero.
> >     >
> >     > Fixes: 475901aff158 ("MD RAID10: Improve redundancy for 'far'
> >     and 'offset' algorithms (part 1)")
> >     > Reported-by: Yuhao Jiang<danisjiang@gmail.com>
> >
> >     So again I can't find a report, and Reported-by usually should be
> >     followed
> >     by a Closes link to the original report.
> >
> >     Applied with Reported-by tag removed.
> >
> >     > Cc:stable@vger.kernel.org <mailto:Cc%3Astable@vger.kernel.org>
> >     > Signed-off-by: Junrui Luo<moonafterrain@outlook.com>
> >     > ---
> >     >   drivers/md/raid10.c | 2 ++
> >     >   1 file changed, 2 insertions(+)
> >
> >     --
> >     Thansk,
> >     Kuai
> >
> >
> >
> > --
> > Yuhao Jiang
>
> --
> Thansk,
> Kuai



-- 
Yuhao Jiang