[PATCH] sched/numa: fix division by zero in task_nr_scan_windows() and task_scan_min()
From: Xiang Gao
Date: Thu Apr 16 2026 - 02:15:17 EST
From: Xiang Gao <gaoxiang17@xxxxxxxxxx>
sysctl_numa_balancing_scan_size is exposed to userspace via debugfs as
scan_size_mb with no lower-bound validation. Writing 0 triggers
division-by-zero crashes in two places:
task_nr_scan_windows():
nr_scan_pages = MB_TO_PAGES(0) = 0
rss = round_up(rss, 0) <- undefined
return rss / 0 <- division by zero
task_scan_min():
windows = MAX_SCAN_WINDOW / 0 <- division by zero
The third call site in task_numa_work() already guards against this
with an explicit "if (!pages) return;" check at line 3522, but these
two functions lack the same protection.
Fix by clamping scan_size to a minimum of 1 in both functions before
using it as a divisor, consistent with the existing guard in
task_numa_work().
Signed-off-by: Xiang Gao <gaoxiang17@xxxxxxxxxx>
---
kernel/sched/fair.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 69361c63353a..32e146796bd5 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -1665,6 +1665,8 @@ static unsigned int task_nr_scan_windows(struct task_struct *p)
* on resident pages
*/
nr_scan_pages = MB_TO_PAGES(sysctl_numa_balancing_scan_size);
+ if (!nr_scan_pages)
+ nr_scan_pages = 1;
rss = get_mm_rss(p->mm);
if (!rss)
rss = nr_scan_pages;
@@ -1682,6 +1684,8 @@ static unsigned int task_scan_min(struct task_struct *p)
unsigned int scan, floor;
unsigned int windows = 1;
+ if (!scan_size)
+ scan_size = 1;
if (scan_size < MAX_SCAN_WINDOW)
windows = MAX_SCAN_WINDOW / scan_size;
floor = 1000 / windows;
--
2.34.1