Commit 9aa6d860 authored Apr 16, 2026 by Junrui Luo Committed by Yu Kuai Apr 28, 2026

md/raid10: fix divide-by-zero in setup_geo() with zero far_copies



setup_geo() extracts near_copies (nc) and far_copies (fc) from the
user-provided layout parameter without checking for zero. When fc=0
with the "improved" far set layout selected, 'geo->far_set_size =
disks / fc' triggers a divide-by-zero.

Validate nc and fc immediately after extraction, returning -1 if
either is zero.

Fixes: 475901af ("MD RAID10: Improve redundancy for 'far' and 'offset' algorithms (part 1)")
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Link: https://lore.kernel.org/linux-raid/SYBPR01MB7881A5E2556806CC1D318582AF232@SYBPR01MB7881.ausprd01.prod.outlook.com


Signed-off-by: Yu Kuai <yukuai@fnnas.com>

parent f7b24c7b

drivers/md/raid10.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -3791,6 +3791,8 @@ static int setup_geo(struct geom geo, struct mddev mddev, enum geo_type new)
		nc = layout & 255;
		fc = (layout >> 8) & 255;
		fo = layout & (1<<16);
		if (!nc \|\| !fc)
		return -1;
		geo->raid_disks = disks;
		geo->near_copies = nc;
		geo->far_copies = fc;