[1/4] btrfs: fix 64bit division in btrfs_insert_striped_mirrored_raid_extents

  Fix modpost error due to 64bit division on 32bit systems in
btrfs_insert_striped_mirrored_raid_extents.

Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
---
 fs/btrfs/raid-stripe-tree.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
  

On 18.09.23 16:19, Geert Uytterhoeven wrote:
> Hi Johannes,
> 
> On Mon, Sep 18, 2023 at 4:14 PM Johannes Thumshirn
> <johannes.thumshirn@wdc.com> wrote:
>> Fix modpost error due to 64bit division on 32bit systems in
>> btrfs_insert_striped_mirrored_raid_extents.
>>
>> Cc: Geert Uytterhoeven <geert@linux-m68k.org>
>> Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
> 
> Thanks for your patch!
> 
>> --- a/fs/btrfs/raid-stripe-tree.c
>> +++ b/fs/btrfs/raid-stripe-tree.c
>> @@ -148,10 +148,10 @@ static int btrfs_insert_striped_mirrored_raid_extents(
>>   {
>>          struct btrfs_io_context *bioc;
>>          struct btrfs_io_context *rbioc;
>> -       const int nstripes = list_count_nodes(&ordered->bioc_list);
>> -       const int index = btrfs_bg_flags_to_raid_index(map_type);
>> -       const int substripes = btrfs_raid_array[index].sub_stripes;
>> -       const int max_stripes = trans->fs_info->fs_devices->rw_devices / substripes;
>> +       const size_t nstripes = list_count_nodes(&ordered->bioc_list);
>> +       const enum btrfs_raid_types index = btrfs_bg_flags_to_raid_index(map_type);
>> +       const u8 substripes = btrfs_raid_array[index].sub_stripes;
>> +       const int max_stripes = div_u64(trans->fs_info->fs_devices->rw_devices, substripes);
> 
> What if the quotient does not fit in a signed 32-bit value?

Then you've bought a lot of HDDs ;-)

Jokes aside, yes this is theoretically correct. Dave can you fix 
max_stripes up to be u64 when applying?
  

On Mon, Sep 18, 2023 at 03:03:10PM +0000, Johannes Thumshirn wrote:
> On 18.09.23 16:19, Geert Uytterhoeven wrote:
> > Hi Johannes,
> > 
> > On Mon, Sep 18, 2023 at 4:14 PM Johannes Thumshirn
> > <johannes.thumshirn@wdc.com> wrote:
> >> Fix modpost error due to 64bit division on 32bit systems in
> >> btrfs_insert_striped_mirrored_raid_extents.
> >>
> >> Cc: Geert Uytterhoeven <geert@linux-m68k.org>
> >> Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
> > 
> > Thanks for your patch!
> > 
> >> --- a/fs/btrfs/raid-stripe-tree.c
> >> +++ b/fs/btrfs/raid-stripe-tree.c
> >> @@ -148,10 +148,10 @@ static int btrfs_insert_striped_mirrored_raid_extents(
> >>   {
> >>          struct btrfs_io_context *bioc;
> >>          struct btrfs_io_context *rbioc;
> >> -       const int nstripes = list_count_nodes(&ordered->bioc_list);
> >> -       const int index = btrfs_bg_flags_to_raid_index(map_type);
> >> -       const int substripes = btrfs_raid_array[index].sub_stripes;
> >> -       const int max_stripes = trans->fs_info->fs_devices->rw_devices / substripes;
> >> +       const size_t nstripes = list_count_nodes(&ordered->bioc_list);
> >> +       const enum btrfs_raid_types index = btrfs_bg_flags_to_raid_index(map_type);
> >> +       const u8 substripes = btrfs_raid_array[index].sub_stripes;
> >> +       const int max_stripes = div_u64(trans->fs_info->fs_devices->rw_devices, substripes);
> > 
> > What if the quotient does not fit in a signed 32-bit value?
> 
> Then you've bought a lot of HDDs ;-)
> 
> Jokes aside, yes this is theoretically correct. Dave can you fix 
> max_stripes up to be u64 when applying?

I think we can keep it int, or unsigned int if needed, we can't hit such
huge values for rw_devices. The 'theoretically' would fit for a machine
with infinite resources, otherwise the maximum number of devices I'd
expect is a few thousand.
  

Hi David,

On Mon, Sep 18, 2023 at 6:31 PM David Sterba <dsterba@suse.cz> wrote:
> On Mon, Sep 18, 2023 at 03:03:10PM +0000, Johannes Thumshirn wrote:
> > On 18.09.23 16:19, Geert Uytterhoeven wrote:
> > > Hi Johannes,
> > >
> > > On Mon, Sep 18, 2023 at 4:14 PM Johannes Thumshirn
> > > <johannes.thumshirn@wdc.com> wrote:
> > >> Fix modpost error due to 64bit division on 32bit systems in
> > >> btrfs_insert_striped_mirrored_raid_extents.
> > >>
> > >> Cc: Geert Uytterhoeven <geert@linux-m68k.org>
> > >> Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
> > >
> > > Thanks for your patch!
> > >
> > >> --- a/fs/btrfs/raid-stripe-tree.c
> > >> +++ b/fs/btrfs/raid-stripe-tree.c
> > >> @@ -148,10 +148,10 @@ static int btrfs_insert_striped_mirrored_raid_extents(
> > >>   {
> > >>          struct btrfs_io_context *bioc;
> > >>          struct btrfs_io_context *rbioc;
> > >> -       const int nstripes = list_count_nodes(&ordered->bioc_list);
> > >> -       const int index = btrfs_bg_flags_to_raid_index(map_type);
> > >> -       const int substripes = btrfs_raid_array[index].sub_stripes;
> > >> -       const int max_stripes = trans->fs_info->fs_devices->rw_devices / substripes;
> > >> +       const size_t nstripes = list_count_nodes(&ordered->bioc_list);
> > >> +       const enum btrfs_raid_types index = btrfs_bg_flags_to_raid_index(map_type);
> > >> +       const u8 substripes = btrfs_raid_array[index].sub_stripes;
> > >> +       const int max_stripes = div_u64(trans->fs_info->fs_devices->rw_devices, substripes);
> > >
> > > What if the quotient does not fit in a signed 32-bit value?
> >
> > Then you've bought a lot of HDDs ;-)
> >
> > Jokes aside, yes this is theoretically correct. Dave can you fix
> > max_stripes up to be u64 when applying?
>
> I think we can keep it int, or unsigned int if needed, we can't hit such
> huge values for rw_devices. The 'theoretically' would fit for a machine
> with infinite resources, otherwise the maximum number of devices I'd
> expect is a few thousand.

rw_devices and various other *_devices are u64.
Is there a good reason they are that big?
With the fs fuzzing threads in mind, is any validation done on their values?

Gr{oetje,eeting}s,

                        Geert
  

On Mon, Sep 18, 2023 at 08:31:19PM +0200, Geert Uytterhoeven wrote:
> Hi David,
> 
> On Mon, Sep 18, 2023 at 6:31 PM David Sterba <dsterba@suse.cz> wrote:
> > On Mon, Sep 18, 2023 at 03:03:10PM +0000, Johannes Thumshirn wrote:
> > > On 18.09.23 16:19, Geert Uytterhoeven wrote:
> > > > Hi Johannes,
> > > >
> > > > On Mon, Sep 18, 2023 at 4:14 PM Johannes Thumshirn
> > > > <johannes.thumshirn@wdc.com> wrote:
> > > >> Fix modpost error due to 64bit division on 32bit systems in
> > > >> btrfs_insert_striped_mirrored_raid_extents.
> > > >>
> > > >> Cc: Geert Uytterhoeven <geert@linux-m68k.org>
> > > >> Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
> > > >
> > > > Thanks for your patch!
> > > >
> > > >> --- a/fs/btrfs/raid-stripe-tree.c
> > > >> +++ b/fs/btrfs/raid-stripe-tree.c
> > > >> @@ -148,10 +148,10 @@ static int btrfs_insert_striped_mirrored_raid_extents(
> > > >>   {
> > > >>          struct btrfs_io_context *bioc;
> > > >>          struct btrfs_io_context *rbioc;
> > > >> -       const int nstripes = list_count_nodes(&ordered->bioc_list);
> > > >> -       const int index = btrfs_bg_flags_to_raid_index(map_type);
> > > >> -       const int substripes = btrfs_raid_array[index].sub_stripes;
> > > >> -       const int max_stripes = trans->fs_info->fs_devices->rw_devices / substripes;
> > > >> +       const size_t nstripes = list_count_nodes(&ordered->bioc_list);
> > > >> +       const enum btrfs_raid_types index = btrfs_bg_flags_to_raid_index(map_type);
> > > >> +       const u8 substripes = btrfs_raid_array[index].sub_stripes;
> > > >> +       const int max_stripes = div_u64(trans->fs_info->fs_devices->rw_devices, substripes);
> > > >
> > > > What if the quotient does not fit in a signed 32-bit value?
> > >
> > > Then you've bought a lot of HDDs ;-)
> > >
> > > Jokes aside, yes this is theoretically correct. Dave can you fix
> > > max_stripes up to be u64 when applying?
> >
> > I think we can keep it int, or unsigned int if needed, we can't hit such
> > huge values for rw_devices. The 'theoretically' would fit for a machine
> > with infinite resources, otherwise the maximum number of devices I'd
> > expect is a few thousand.
> 
> rw_devices and various other *_devices are u64.
> Is there a good reason they are that big?

Many members' types of the on-disk structures are generous and u64 was
the default choice, in many cases practically meaning "you don't have to
care about it for the whole fileystem lifetime" or when u32 would be
close to some potentially reachable value (like 4GiB chunks). You could
find examples where u64 is too much but it's not a big deal for data
stored once and over time I don't remember that we'd have to regret that
some struct member is not big enough.

> With the fs fuzzing threads in mind, is any validation done on their values?

I think the superblock is the most fuzzed structure of btrfs and we do a
lot of direct validation,

https://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux.git/tree/fs/btrfs/disk-io.c#n2299

regarding the number of devices there's a warning when the value is
larger than "1<<31"

https://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux.git/tree/fs/btrfs/disk-io.c#n2433

The rw_devices are counting how many devices are actually found (i.e.
represented by a block device) and compared against the value stored in
the super block.

The u64 is also convenient for calculations where a e.g. a type counting
zones was u32 because it's a sane type but then we need to convert it to
bytes the shift overflows, we had such bugs.  Fortunatelly the sector_t
is u64 for a long time but it was also source of subtle errors when
converting to bytes.
  

On 2023/9/19 01:54, David Sterba wrote:
> On Mon, Sep 18, 2023 at 03:03:10PM +0000, Johannes Thumshirn wrote:
>> On 18.09.23 16:19, Geert Uytterhoeven wrote:
>>> Hi Johannes,
>>>
>>> On Mon, Sep 18, 2023 at 4:14 PM Johannes Thumshirn
>>> <johannes.thumshirn@wdc.com> wrote:
>>>> Fix modpost error due to 64bit division on 32bit systems in
>>>> btrfs_insert_striped_mirrored_raid_extents.
>>>>
>>>> Cc: Geert Uytterhoeven <geert@linux-m68k.org>
>>>> Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
>>>
>>> Thanks for your patch!
>>>
>>>> --- a/fs/btrfs/raid-stripe-tree.c
>>>> +++ b/fs/btrfs/raid-stripe-tree.c
>>>> @@ -148,10 +148,10 @@ static int btrfs_insert_striped_mirrored_raid_extents(
>>>>    {
>>>>           struct btrfs_io_context *bioc;
>>>>           struct btrfs_io_context *rbioc;
>>>> -       const int nstripes = list_count_nodes(&ordered->bioc_list);
>>>> -       const int index = btrfs_bg_flags_to_raid_index(map_type);
>>>> -       const int substripes = btrfs_raid_array[index].sub_stripes;
>>>> -       const int max_stripes = trans->fs_info->fs_devices->rw_devices / substripes;
>>>> +       const size_t nstripes = list_count_nodes(&ordered->bioc_list);
>>>> +       const enum btrfs_raid_types index = btrfs_bg_flags_to_raid_index(map_type);
>>>> +       const u8 substripes = btrfs_raid_array[index].sub_stripes;
>>>> +       const int max_stripes = div_u64(trans->fs_info->fs_devices->rw_devices, substripes);
>>>
>>> What if the quotient does not fit in a signed 32-bit value?
>>
>> Then you've bought a lot of HDDs ;-)
>>
>> Jokes aside, yes this is theoretically correct. Dave can you fix
>> max_stripes up to be u64 when applying?
>
> I think we can keep it int, or unsigned int if needed, we can't hit such
> huge values for rw_devices. The 'theoretically' would fit for a machine
> with infinite resources, otherwise the maximum number of devices I'd
> expect is a few thousand.

In fact, we already have an check in btrfs_validate_super(), if the
num_devices is over 1<<31, we would reject the fs.

I think we should be safe to further reduce the threshold.

U16_MAX sounds a valid and sane value to me.
If no rejection I can send out a patch for this.

And later change internal rw_devices/num_devices to u16.

Thanks,
Qu
  

On Tue, Sep 19, 2023 at 10:07:00AM +0930, Qu Wenruo wrote:
> On 2023/9/19 01:54, David Sterba wrote:
> > On Mon, Sep 18, 2023 at 03:03:10PM +0000, Johannes Thumshirn wrote:
> >> On 18.09.23 16:19, Geert Uytterhoeven wrote:
> >>> Hi Johannes,
> >>>
> >>> On Mon, Sep 18, 2023 at 4:14 PM Johannes Thumshirn
> >>> <johannes.thumshirn@wdc.com> wrote:
> >>>> Fix modpost error due to 64bit division on 32bit systems in
> >>>> btrfs_insert_striped_mirrored_raid_extents.
> >>>>
> >>>> Cc: Geert Uytterhoeven <geert@linux-m68k.org>
> >>>> Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
> >>>
> >>> Thanks for your patch!
> >>>
> >>>> --- a/fs/btrfs/raid-stripe-tree.c
> >>>> +++ b/fs/btrfs/raid-stripe-tree.c
> >>>> @@ -148,10 +148,10 @@ static int btrfs_insert_striped_mirrored_raid_extents(
> >>>>    {
> >>>>           struct btrfs_io_context *bioc;
> >>>>           struct btrfs_io_context *rbioc;
> >>>> -       const int nstripes = list_count_nodes(&ordered->bioc_list);
> >>>> -       const int index = btrfs_bg_flags_to_raid_index(map_type);
> >>>> -       const int substripes = btrfs_raid_array[index].sub_stripes;
> >>>> -       const int max_stripes = trans->fs_info->fs_devices->rw_devices / substripes;
> >>>> +       const size_t nstripes = list_count_nodes(&ordered->bioc_list);
> >>>> +       const enum btrfs_raid_types index = btrfs_bg_flags_to_raid_index(map_type);
> >>>> +       const u8 substripes = btrfs_raid_array[index].sub_stripes;
> >>>> +       const int max_stripes = div_u64(trans->fs_info->fs_devices->rw_devices, substripes);
> >>>
> >>> What if the quotient does not fit in a signed 32-bit value?
> >>
> >> Then you've bought a lot of HDDs ;-)
> >>
> >> Jokes aside, yes this is theoretically correct. Dave can you fix
> >> max_stripes up to be u64 when applying?
> >
> > I think we can keep it int, or unsigned int if needed, we can't hit such
> > huge values for rw_devices. The 'theoretically' would fit for a machine
> > with infinite resources, otherwise the maximum number of devices I'd
> > expect is a few thousand.
> 
> In fact, we already have an check in btrfs_validate_super(), if the
> num_devices is over 1<<31, we would reject the fs.

No, it's just a warning in that case.

> I think we should be safe to further reduce the threshold.
> 
> U16_MAX sounds a valid and sane value to me.
> If no rejection I can send out a patch for this.
> 
> And later change internal rw_devices/num_devices to u16.

U16 does not make sense here, it's not a native int type on many
architectures and generates awkward assembly code. We use it in
justified cases where it's saving space in structures that are allocated
thousand times. The arbitrary limit 65536 is probably sane but not
much different than 1<<31, practically not hit and was useful to
note fuzzed superblocks.
  

On 2023/9/19 23:28, David Sterba wrote:
> On Tue, Sep 19, 2023 at 10:07:00AM +0930, Qu Wenruo wrote:
>> On 2023/9/19 01:54, David Sterba wrote:
>>> On Mon, Sep 18, 2023 at 03:03:10PM +0000, Johannes Thumshirn wrote:
>>>> On 18.09.23 16:19, Geert Uytterhoeven wrote:
>>>>> Hi Johannes,
>>>>>
>>>>> On Mon, Sep 18, 2023 at 4:14 PM Johannes Thumshirn
>>>>> <johannes.thumshirn@wdc.com> wrote:
>>>>>> Fix modpost error due to 64bit division on 32bit systems in
>>>>>> btrfs_insert_striped_mirrored_raid_extents.
>>>>>>
>>>>>> Cc: Geert Uytterhoeven <geert@linux-m68k.org>
>>>>>> Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
>>>>>
>>>>> Thanks for your patch!
>>>>>
>>>>>> --- a/fs/btrfs/raid-stripe-tree.c
>>>>>> +++ b/fs/btrfs/raid-stripe-tree.c
>>>>>> @@ -148,10 +148,10 @@ static int btrfs_insert_striped_mirrored_raid_extents(
>>>>>>     {
>>>>>>            struct btrfs_io_context *bioc;
>>>>>>            struct btrfs_io_context *rbioc;
>>>>>> -       const int nstripes = list_count_nodes(&ordered->bioc_list);
>>>>>> -       const int index = btrfs_bg_flags_to_raid_index(map_type);
>>>>>> -       const int substripes = btrfs_raid_array[index].sub_stripes;
>>>>>> -       const int max_stripes = trans->fs_info->fs_devices->rw_devices / substripes;
>>>>>> +       const size_t nstripes = list_count_nodes(&ordered->bioc_list);
>>>>>> +       const enum btrfs_raid_types index = btrfs_bg_flags_to_raid_index(map_type);
>>>>>> +       const u8 substripes = btrfs_raid_array[index].sub_stripes;
>>>>>> +       const int max_stripes = div_u64(trans->fs_info->fs_devices->rw_devices, substripes);
>>>>>
>>>>> What if the quotient does not fit in a signed 32-bit value?
>>>>
>>>> Then you've bought a lot of HDDs ;-)
>>>>
>>>> Jokes aside, yes this is theoretically correct. Dave can you fix
>>>> max_stripes up to be u64 when applying?
>>>
>>> I think we can keep it int, or unsigned int if needed, we can't hit such
>>> huge values for rw_devices. The 'theoretically' would fit for a machine
>>> with infinite resources, otherwise the maximum number of devices I'd
>>> expect is a few thousand.
>>
>> In fact, we already have an check in btrfs_validate_super(), if the
>> num_devices is over 1<<31, we would reject the fs.
>
> No, it's just a warning in that case.

We can make it a proper reject.

>
>> I think we should be safe to further reduce the threshold.
>>
>> U16_MAX sounds a valid and sane value to me.
>> If no rejection I can send out a patch for this.
>>
>> And later change internal rw_devices/num_devices to u16.
>
> U16 does not make sense here, it's not a native int type on many
> architectures and generates awkward assembly code. We use it in
> justified cases where it's saving space in structures that are allocated
> thousand times. The arbitrary limit 65536 is probably sane but not
> much different than 1<<31, practically not hit and was useful to
> note fuzzed superblocks.

OK, we can make it unsigned int (mostly u32) for fs_info::*_devices, but
still do extra limits on things like device add to limit it to U16_MAX.

Would this be a better solution?
At least it would still half the width while keep it native to most (if
not all) archs.

Thanks,
Qu
  

On Wed, Sep 20, 2023 at 07:20:49AM +0930, Qu Wenruo wrote:
> >>>>> What if the quotient does not fit in a signed 32-bit value?
> >>>>
> >>>> Then you've bought a lot of HDDs ;-)
> >>>>
> >>>> Jokes aside, yes this is theoretically correct. Dave can you fix
> >>>> max_stripes up to be u64 when applying?
> >>>
> >>> I think we can keep it int, or unsigned int if needed, we can't hit such
> >>> huge values for rw_devices. The 'theoretically' would fit for a machine
> >>> with infinite resources, otherwise the maximum number of devices I'd
> >>> expect is a few thousand.
> >>
> >> In fact, we already have an check in btrfs_validate_super(), if the
> >> num_devices is over 1<<31, we would reject the fs.
> >
> > No, it's just a warning in that case.
> 
> We can make it a proper reject.
> 
> >
> >> I think we should be safe to further reduce the threshold.
> >>
> >> U16_MAX sounds a valid and sane value to me.
> >> If no rejection I can send out a patch for this.
> >>
> >> And later change internal rw_devices/num_devices to u16.
> >
> > U16 does not make sense here, it's not a native int type on many
> > architectures and generates awkward assembly code. We use it in
> > justified cases where it's saving space in structures that are allocated
> > thousand times. The arbitrary limit 65536 is probably sane but not
> > much different than 1<<31, practically not hit and was useful to
> > note fuzzed superblocks.
> 
> OK, we can make it unsigned int (mostly u32) for fs_info::*_devices, but
> still do extra limits on things like device add to limit it to U16_MAX.
> 
> Would this be a better solution?
> At least it would still half the width while keep it native to most (if
> not all) archs.

I don't see much point changing it from u64, it copies the on-disk type,
we validate the value on input, then use it as an int type. There are
not even theoretical problems stemming from the type width. With the
validations in place we don't need to add any artificial limits to the
number of devices, like we don't add such limitations elsewhere if not
necessary.