[PATCH v2 0/3] fix argument type of bio_trim()

[PATCH v2 0/3] fix argument type of bio_trim()

[Naohiro Aota]

The function bio_trim has offset and size arguments that are declared as
int. But it actually expects sector value and the range of int is not
enough for bio->bi_iter.bi_size and bio_advance() which is/takes unsigned
int. So, let's fix the argument type of bio_trim() and its callers.

Patches 1 and 2 fix bio_trim() argument and its caller's argument.

Patch 3 is depending on patch 1 and 2 and do some cleanup for btrfs.

Changes:
- v2:
  - Add WARN_ON and ASSERT to catch overflow values
  - Change argument type of btrfs_bio_clone_partial() to u64

Chaitanya Kulkarni (2):
  block: fix arg type of bio_trim()
  btrfs: fix argument type of btrfs_bio_clone_partial()

Naohiro Aota (1):
  btrfs: drop unnecessary ASSERT from btrfs_submit_direct()

 block/bio.c          | 14 +++++++++++---
 fs/btrfs/extent_io.c |  6 ++++--
 fs/btrfs/extent_io.h |  2 +-
 fs/btrfs/inode.c     |  8 ++++----
 include/linux/bio.h  |  2 +-
 5 files changed, 21 insertions(+), 11 deletions(-)

-- 
2.32.0

[PATCH v2 1/3] block: fix arg type of bio_trim()

[Naohiro Aota]

From: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>

The function bio_trim has offset and size arguments that are declared
as int.

The callers of this function uses sector_t type when passing the offset
and size e,g. drivers/md/raid1.c:narrow_write_error() and
drivers/md/raid1.c:narrow_write_error().

Change offset and size arguments to sector_t type for bio_trim(). Also, add
WARN_ON() to catch their overflow.

Signed-off-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
---
 block/bio.c         | 14 +++++++++++---
 include/linux/bio.h |  2 +-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/block/bio.c b/block/bio.c
index 44205dfb6b60..69a9751b18e7 100644
--- a/block/bio.c
+++ b/block/bio.c
@@ -1465,12 +1465,20 @@ EXPORT_SYMBOL(bio_split);
  * @offset:	number of sectors to trim from the front of @bio
  * @size:	size we want to trim @bio to, in sectors
  */
-void bio_trim(struct bio *bio, int offset, int size)
+void bio_trim(struct bio *bio, sector_t offset, sector_t size)
 {
-	/* 'bio' is a cloned bio which we need to trim to match
-	 * the given offset and size.
+	const sector_t uint_max_sectors = UINT_MAX >> SECTOR_SHIFT;
+
+	/*
+	 * 'bio' is a cloned bio which we need to trim to match the given
+	 * offset and size.
 	 */
 
+	/* sanity check */
+	if (WARN_ON(offset > uint_max_sectors || size > uint_max_sectors ||
+		    offset + size > bio->bi_iter.bi_size))
+		return;
+
 	size <<= 9;
 	if (offset == 0 && size == bio->bi_iter.bi_size)
 		return;
diff --git a/include/linux/bio.h b/include/linux/bio.h
index a0b4cfdf62a4..c91bc70add06 100644
--- a/include/linux/bio.h
+++ b/include/linux/bio.h
@@ -379,7 +379,7 @@ static inline void bip_set_seed(struct bio_integrity_payload *bip,
 
 #endif /* CONFIG_BLK_DEV_INTEGRITY */
 
-extern void bio_trim(struct bio *bio, int offset, int size);
+extern void bio_trim(struct bio *bio, sector_t offset, sector_t size);
 extern struct bio *bio_split(struct bio *bio, int sectors,
 			     gfp_t gfp, struct bio_set *bs);
 
-- 
2.32.0

[PATCH v2 2/3] btrfs: fix argument type of btrfs_bio_clone_partial()

[Naohiro Aota]

From: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>

The offset and can never be negative use unsigned int instead of int type
for them.

Signed-off-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
---
 fs/btrfs/extent_io.c | 6 ++++--
 fs/btrfs/extent_io.h | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index 1f947e24091a..0040577c2f4e 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -3153,11 +3153,13 @@ struct bio *btrfs_io_bio_alloc(unsigned int nr_iovecs)
 	return bio;
 }
 
-struct bio *btrfs_bio_clone_partial(struct bio *orig, int offset, int size)
+struct bio *btrfs_bio_clone_partial(struct bio *orig, u64 offset, u64 size)
 {
 	struct bio *bio;
 	struct btrfs_io_bio *btrfs_bio;
 
+	ASSERT(offset <= UINT_MAX && size <= UINT_MAX);
+
 	/* this will never fail when it's backed by a bioset */
 	bio = bio_clone_fast(orig, GFP_NOFS, &btrfs_bioset);
 	ASSERT(bio);
@@ -3165,7 +3167,7 @@ struct bio *btrfs_bio_clone_partial(struct bio *orig, int offset, int size)
 	btrfs_bio = btrfs_io_bio(bio);
 	btrfs_io_bio_init(btrfs_bio);
 
-	bio_trim(bio, offset >> 9, size >> 9);
+	bio_trim(bio, (sector_t)offset >> 9, (sector_t)size >> 9);
 	btrfs_bio->iter = bio->bi_iter;
 	return bio;
 }
diff --git a/fs/btrfs/extent_io.h b/fs/btrfs/extent_io.h
index 62027f551b44..53abdc280451 100644
--- a/fs/btrfs/extent_io.h
+++ b/fs/btrfs/extent_io.h
@@ -280,7 +280,7 @@ void extent_clear_unlock_delalloc(struct btrfs_inode *inode, u64 start, u64 end,
 struct bio *btrfs_bio_alloc(u64 first_byte);
 struct bio *btrfs_io_bio_alloc(unsigned int nr_iovecs);
 struct bio *btrfs_bio_clone(struct bio *bio);
-struct bio *btrfs_bio_clone_partial(struct bio *orig, int offset, int size);
+struct bio *btrfs_bio_clone_partial(struct bio *orig, u64 offset, u64 size);
 
 int repair_io_failure(struct btrfs_fs_info *fs_info, u64 ino, u64 start,
 		      u64 length, u64 logical, struct page *page,
-- 
2.32.0

[PATCH v2 3/3] btrfs: drop unnecessary ASSERT from btrfs_submit_direct()

[Naohiro Aota]

When on SINGLE block group, btrfs_get_io_geometry() will return "the
size of the block group - the offset of the logical address within the
block group" as geom.len. Since we allow up to 8 GB zone size on zoned
btrfs, we can have up to 8 GB block group, so can have up to 8 GB
geom.len. With this setup, we easily hit the "ASSERT(geom.len <=
INT_MAX);".

The ASSERT looks like to guard btrfs_bio_clone_partial() and bio_trim()
which both take "int" (now "unsigned int" with the previous patch). So to
be precise the ASSERT should check if clone_len <= UINT_MAX. But
actually, clone_len is already capped by bio.bi_iter.bi_size which is
unsigned int. So the ASSERT is not necessary.

Drop the ASSERT and properly compare submit_len and geom.len in u64. Then,
let the implicit casting to convert it to unsigned int.

Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
---
 fs/btrfs/inode.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 8f60314c36c5..8cd1a4f0174a 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -8206,8 +8206,8 @@ static blk_qc_t btrfs_submit_direct(struct inode *inode, struct iomap *iomap,
 	u64 start_sector;
 	int async_submit = 0;
 	u64 submit_len;
-	int clone_offset = 0;
-	int clone_len;
+	u64 clone_offset = 0;
+	u64 clone_len;
 	u64 logical;
 	int ret;
 	blk_status_t status;
@@ -8255,9 +8255,9 @@ static blk_qc_t btrfs_submit_direct(struct inode *inode, struct iomap *iomap,
 			status = errno_to_blk_status(ret);
 			goto out_err_em;
 		}
-		ASSERT(geom.len <= INT_MAX);
 
-		clone_len = min_t(int, submit_len, geom.len);
+		clone_len = min(submit_len, geom.len);
+		ASSERT(clone_len <= UINT_MAX);
 
 		/*
 		 * This will never fail as it's passing GPF_NOFS and
-- 
2.32.0

Re: [PATCH v2 1/3] block: fix arg type of bio_trim()

[Christoph Hellwig]

On Wed, Jul 21, 2021 at 03:26:58PM +0900, Naohiro Aota wrote:
> +void bio_trim(struct bio *bio, sector_t offset, sector_t size)
>  {
> +	const sector_t uint_max_sectors = UINT_MAX >> SECTOR_SHIFT;

I'd make this a #define and keep it close to the struct bio definition
named something like BIO_MAX_SECTORS

> +
> +	/*
> +	 * 'bio' is a cloned bio which we need to trim to match the given
> +	 * offset and size.
>  	 */

This should go into the kernel doc comment.

Something like:

/**
 * bio_trim - trim a bio to the given offset and size
 * @bio:        bio to trim
 * @offset:     number of sectors to trim from the front of @bio
 * @size:       size we want to trim @bio to, in sectors
 *
 * This function is typically used for bios that are cloned and
 * submitted to the underlying device in parts.
 */


> +	/* sanity check */
> +	if (WARN_ON(offset > uint_max_sectors || size > uint_max_sectors ||
> +		    offset + size > bio->bi_iter.bi_size))
> +		return;

No real need for the comment. WARN_ON pretty much implies a sanity
check.  I'd make this a WARN_ON_ONCE as otherwise you'll probably
drown in these warnings if they ever hit.

> -extern void bio_trim(struct bio *bio, int offset, int size);
> +extern void bio_trim(struct bio *bio, sector_t offset, sector_t size);

Please drop the extern while you're at it.

Re: [PATCH v2 2/3] btrfs: fix argument type of btrfs_bio_clone_partial()

[Christoph Hellwig]

On Wed, Jul 21, 2021 at 03:26:59PM +0900, Naohiro Aota wrote:
>  	btrfs_bio = btrfs_io_bio(bio);
>  	btrfs_io_bio_init(btrfs_bio);
>  
> -	bio_trim(bio, offset >> 9, size >> 9);
> +	bio_trim(bio, (sector_t)offset >> 9, (sector_t)size >> 9);

No need for the casts when shifting down.

Re: [PATCH v2 1/3] block: fix arg type of bio_trim()

[Naohiro Aota]

-Chaitanya, as the address is unavailable.

On Wed, Jul 21, 2021 at 07:36:05AM +0100, Christoph Hellwig wrote:
> On Wed, Jul 21, 2021 at 03:26:58PM +0900, Naohiro Aota wrote:
> > +void bio_trim(struct bio *bio, sector_t offset, sector_t size)
> >  {
> > +	const sector_t uint_max_sectors = UINT_MAX >> SECTOR_SHIFT;
> 
> I'd make this a #define and keep it close to the struct bio definition
> named something like BIO_MAX_SECTORS

Sure. I'll do so.

> > +
> > +	/*
> > +	 * 'bio' is a cloned bio which we need to trim to match the given
> > +	 * offset and size.
> >  	 */
> 
> This should go into the kernel doc comment.
> 
> Something like:
> 
> /**
>  * bio_trim - trim a bio to the given offset and size
>  * @bio:        bio to trim
>  * @offset:     number of sectors to trim from the front of @bio
>  * @size:       size we want to trim @bio to, in sectors
>  *
>  * This function is typically used for bios that are cloned and
>  * submitted to the underlying device in parts.
>  */

Thanks. I'll use this.
 
> > +	/* sanity check */
> > +	if (WARN_ON(offset > uint_max_sectors || size > uint_max_sectors ||
> > +		    offset + size > bio->bi_iter.bi_size))
> > +		return;
> 
> No real need for the comment. WARN_ON pretty much implies a sanity
> check.  I'd make this a WARN_ON_ONCE as otherwise you'll probably
> drown in these warnings if they ever hit.

Done.

> > -extern void bio_trim(struct bio *bio, int offset, int size);
> > +extern void bio_trim(struct bio *bio, sector_t offset, sector_t size);
> 
> Please drop the extern while you're at it.

Ah, I didn't know that. I'll keep it in mind.

Re: [PATCH v2 2/3] btrfs: fix argument type of btrfs_bio_clone_partial()

[Naohiro Aota]

On Wed, Jul 21, 2021 at 07:37:48AM +0100, Christoph Hellwig wrote:
> On Wed, Jul 21, 2021 at 03:26:59PM +0900, Naohiro Aota wrote:
> >  	btrfs_bio = btrfs_io_bio(bio);
> >  	btrfs_io_bio_init(btrfs_bio);
> >  
> > -	bio_trim(bio, offset >> 9, size >> 9);
> > +	bio_trim(bio, (sector_t)offset >> 9, (sector_t)size >> 9);
> 
> No need for the casts when shifting down.

Ah, OK. As, I switched the type to "u64", they are actually the same
type anyway.