| Message ID | 20210708131057.259327-4-naohiro.aota@wdc.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | fix argument type of bio_trim() | expand |
On Thu, Jul 08, 2021 at 10:10:57PM +0900, Naohiro Aota wrote: > When on SINGLE block group, btrfs_get_io_geometry() will return "the > size of the block group - the offset of the logical address within the > block group" as geom.len. Since we allow up to 8 GB zone size on zoned > btrfs, we can have up to 8 GB block group, so can have up to 8 GB > geom.len. With this setup, we easily hit the "ASSERT(geom.len <= > INT_MAX);". > > The ASSERT looks like to guard btrfs_bio_clone_partial() and bio_trim() > which both take "int" (now "unsigned int" with the previous patch). So to > be precise the ASSERT should check if clone_len <= UINT_MAX. But > actually, clone_len is already capped by bio.bi_iter.bi_size which is > unsigned int. So the ASSERT is not necessary. > > Drop the ASSERT and properly compare submit_len and geom.len in u64. Then, > let the implicit casting to convert it to unsigned int. > > Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com> > --- > fs/btrfs/inode.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > > diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c > index 8f60314c36c5..b6cc26dd7919 100644 > --- a/fs/btrfs/inode.c > +++ b/fs/btrfs/inode.c > @@ -8206,8 +8206,8 @@ static blk_qc_t btrfs_submit_direct(struct inode *inode, struct iomap *iomap, > u64 start_sector; > int async_submit = 0; > u64 submit_len; > - int clone_offset = 0; > - int clone_len; > + unsigned int clone_offset = 0; > + unsigned int clone_len; > u64 logical; > int ret; > blk_status_t status; > @@ -8255,9 +8255,13 @@ static blk_qc_t btrfs_submit_direct(struct inode *inode, struct iomap *iomap, > status = errno_to_blk_status(ret); > goto out_err_em; > } > - ASSERT(geom.len <= INT_MAX); > > - clone_len = min_t(int, submit_len, geom.len); > + /* > + * min()'s result is always capped by bio.bi_iter.bi_size > + * which is unsigned int. So the implicit casting it to > + * unsigned int is safe. > + */ > + clone_len = min(submit_len, geom.len); I'd rather rely on explicit casts and asserts than a comment stating what should happen. submit_len ang geom.len are both u64 and cast to u32 clone_len. I think submit_len should be u32 too (to copy the bio.bi_size) to match the types used for the purpose and also clone_len.
On Thu, Jul 08, 2021 at 10:10:57PM +0900, Naohiro Aota wrote: > When on SINGLE block group, btrfs_get_io_geometry() will return "the > size of the block group - the offset of the logical address within the > block group" as geom.len. Since we allow up to 8 GB zone size on zoned > btrfs, we can have up to 8 GB block group, so can have up to 8 GB > geom.len. With this setup, we easily hit the "ASSERT(geom.len <= > INT_MAX);". > > The ASSERT looks like to guard btrfs_bio_clone_partial() and bio_trim() > which both take "int" (now "unsigned int" with the previous patch). So to > be precise the ASSERT should check if clone_len <= UINT_MAX. But > actually, clone_len is already capped by bio.bi_iter.bi_size which is > unsigned int. So the ASSERT is not necessary. > > Drop the ASSERT and properly compare submit_len and geom.len in u64. Then, > let the implicit casting to convert it to unsigned int. > > Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com> > --- > fs/btrfs/inode.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > > diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c > index 8f60314c36c5..b6cc26dd7919 100644 > --- a/fs/btrfs/inode.c > +++ b/fs/btrfs/inode.c > @@ -8206,8 +8206,8 @@ static blk_qc_t btrfs_submit_direct(struct inode *inode, struct iomap *iomap, > u64 start_sector; > int async_submit = 0; > u64 submit_len; > - int clone_offset = 0; > - int clone_len; > + unsigned int clone_offset = 0; > + unsigned int clone_len; After reading the other patches, clone_offset should be sector_t or u64. clone_len is fine as u32 as it only gets update from the bio.bi_size, but later in the code there's clone_offset += clone_len; and clone_offset is passed to btrfs_bio_clone_partial -> bio_trim, that you've changed to sector_t.
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index 8f60314c36c5..b6cc26dd7919 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -8206,8 +8206,8 @@ static blk_qc_t btrfs_submit_direct(struct inode *inode, struct iomap *iomap, u64 start_sector; int async_submit = 0; u64 submit_len; - int clone_offset = 0; - int clone_len; + unsigned int clone_offset = 0; + unsigned int clone_len; u64 logical; int ret; blk_status_t status; @@ -8255,9 +8255,13 @@ static blk_qc_t btrfs_submit_direct(struct inode *inode, struct iomap *iomap, status = errno_to_blk_status(ret); goto out_err_em; } - ASSERT(geom.len <= INT_MAX); - clone_len = min_t(int, submit_len, geom.len); + /* + * min()'s result is always capped by bio.bi_iter.bi_size + * which is unsigned int. So the implicit casting it to + * unsigned int is safe. + */ + clone_len = min(submit_len, geom.len); /* * This will never fail as it's passing GPF_NOFS and
When on SINGLE block group, btrfs_get_io_geometry() will return "the size of the block group - the offset of the logical address within the block group" as geom.len. Since we allow up to 8 GB zone size on zoned btrfs, we can have up to 8 GB block group, so can have up to 8 GB geom.len. With this setup, we easily hit the "ASSERT(geom.len <= INT_MAX);". The ASSERT looks like to guard btrfs_bio_clone_partial() and bio_trim() which both take "int" (now "unsigned int" with the previous patch). So to be precise the ASSERT should check if clone_len <= UINT_MAX. But actually, clone_len is already capped by bio.bi_iter.bi_size which is unsigned int. So the ASSERT is not necessary. Drop the ASSERT and properly compare submit_len and geom.len in u64. Then, let the implicit casting to convert it to unsigned int. Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com> --- fs/btrfs/inode.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)