Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp7113040rwr;
        Tue, 2 May 2023 09:37:12 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ48rQt+xEKwxVFkpDQjQb639MKCgOtIvCG3cXsGpp2TjD3mCBMeZJvmRz3oyYRXH03dkom2
X-Received: by 2002:a17:903:5cd:b0:1a6:3799:ec2a with SMTP id kf13-20020a17090305cd00b001a63799ec2amr16797607plb.35.1683045432036;
        Tue, 02 May 2023 09:37:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1683045432; cv=none;
        d=google.com; s=arc-20160816;
        b=Q7OeAve5iVnJZdRUhhnVozXp70081FyeY8uSHRZvHnTliK1MvoAKS/s8vtKbchf6Vg
         Wcdd+X9HR1nvhrm5DT87OSkBGbXTDCz4PzQg8JywdTLTV/JL1rBstFRh2kKpjNTBgFmC
         2VpTkLhYea2pAioqQSGfhFyz+waIe2lRraoKhpPzQbreiVGa7PyBa9r7LEy8Qkoq34MU
         nvIHZ72v4XehMXr/hDITXpHb63rpjIUQHJSsN651ViXoJT/buhf+ND9+CzlaHtF/Lfir
         meNF7i439tGinb3vtinmEMMR5m+PpgSk2cAAhHa4vOnhjOrzO0PL5hyY++qy8YjXahns
         vv7A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:reply-to:message-id:subject:cc:to:from:date
         :dkim-signature:dkim-signature;
        bh=g6KTKbqX3sWDdrjAvv9lOrddrK/sGrPHCnlc+jGiqxY=;
        b=L/TZx+ewCPrMNBAcToR2e8eSFzHfQb+QoWgwDaBvRD+C8fcoQOC6bWN5HIBXF5xp68
         re7P7hYcjw1mdY5f8zHP6TIb5A6Aak4+DCC6lcmORGqqlFpJAcxgN2vy4kwwHHxODZNH
         GvhYVW7OmYBtt5Zy9uzU3gacYAN3FY/mChUHP6urBNkHwW8rYIQEb1Zs1qPYCSsp3dvY
         0xa6ognZyMZu2QKpKaNrh8n/FB+YUVafikcUD/NjlceX5OEihAFKNqeG6ku4TKX3a3mF
         ZUOTXGudlBzfAxTeiBbFfCoszCfTt8ppJMjGRiHzcNr4IYOfhNeEK6RqzRA4eAj8rnvG
         OBvw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=kqcZZK4X;
       dkim=neutral (no key) header.i=@suse.cz header.s=susede2_ed25519;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id oc17-20020a17090b1c1100b00247bd63c3c5si36038379pjb.37.2023.05.02.09.36.59;
        Tue, 02 May 2023 09:37:12 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=kqcZZK4X;
       dkim=neutral (no key) header.i=@suse.cz header.s=susede2_ed25519;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233800AbjEBQRi (ORCPT <rfc822;bainonline@gmail.com> + 99 others);
        Tue, 2 May 2023 12:17:38 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46220 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233610AbjEBQRh (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 2 May 2023 12:17:37 -0400
Received: from smtp-out2.suse.de (smtp-out2.suse.de [IPv6:2001:67c:2178:6::1d])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9360610F;
        Tue,  2 May 2023 09:17:35 -0700 (PDT)
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512)
        (No client certificate requested)
        by smtp-out2.suse.de (Postfix) with ESMTPS id 4DB2C1F8AA;
        Tue,  2 May 2023 16:17:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa;
        t=1683044254;
        h=from:from:reply-to:reply-to:date:date:message-id:message-id:to:to:
         cc:cc:mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=g6KTKbqX3sWDdrjAvv9lOrddrK/sGrPHCnlc+jGiqxY=;
        b=kqcZZK4XpCd6CTzx46jJlu9OIlpAp9/VoiSiuEzUevI5m8CBFOkl8kSg+zhcXAQ8nJ2u8h
        nWheARBHHHHB641X8exLeM0ujrNts5m6BTRlsrf8pQh4jaMFhZYF2KmlB45wj98I6jjPU0
        iPmBeNegHvainHdcO5+AgNLCAS+4aHU=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz;
        s=susede2_ed25519; t=1683044254;
        h=from:from:reply-to:reply-to:date:date:message-id:message-id:to:to:
         cc:cc:mime-version:mime-version:content-type:content-type:
         in-reply-to:in-reply-to:references:references;
        bh=g6KTKbqX3sWDdrjAvv9lOrddrK/sGrPHCnlc+jGiqxY=;
        b=7rn91GjvtQ8TuFcV2RpSUA+ktOZZjbnJXk8tgq247OE0rN6MrQIfOhxlbuuevkBeyvoc4K
        pdUDJePeXrFGOZDA==
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512)
        (No client certificate requested)
        by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 1417B139C3;
        Tue,  2 May 2023 16:17:34 +0000 (UTC)
Received: from dovecot-director2.suse.de ([192.168.254.65])
        by imap2.suse-dmz.suse.de with ESMTPSA
        id 51/bA543UWQfPAAAMHmgww
        (envelope-from <dsterba@suse.cz>); Tue, 02 May 2023 16:17:34 +0000
Date:   Tue, 2 May 2023 18:11:38 +0200
From:   David Sterba <dsterba@suse.cz>
To:     Qu Wenruo <quwenruo.btrfs@gmx.com>
Cc:     Nur Hussein <hussein@unixcat.org>, clm@fb.com,
        josef@toxicpanda.com, dsterba@suse.com,
        linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] btrfs: Avoid potential integer overflow when
 left-shifting 32-bit int
Message-ID: <20230502161138.GK8111@twin.jikos.cz>
Reply-To: dsterba@suse.cz
References: <20230406192406.2300379-1-hussein@unixcat.org>
 <353b44f3-fb95-ac43-53ba-0d3b45fff574@gmx.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <353b44f3-fb95-ac43-53ba-0d3b45fff574@gmx.com>
User-Agent: Mutt/1.5.23.1-rc1 (2014-03-12)
X-Spam-Status: No, score=-3.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,
        SPF_SOFTFAIL,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Apr 07, 2023 at 08:35:40AM +0800, Qu Wenruo wrote:
> On 2023/4/7 03:24, Nur Hussein wrote:
> > In scrub_stripe(), the 32-bit signed value returned by the
> > nr_data_stripes(map) function call should be cast to u64
> > before being shifted left by BTRFS_STRIPE_LEN_SHIFT (16),
> > as a cautionary measure to avoid potential overflows. We
> > then assign it to a u64 value anyway, so a cast before a
> > shift seems prudent.
> 
> I'd say it's a little overkilled.
> 
> For nr_data_stripes(), it's at most hundreds of stripes (which is 
> already insane).
> Even with 16 bits left shift, we need to get 2 ** 16 stripes to overflow 
> 32bits.

I don't like adding casts unless really necessary. That the values won't
overflow is what we know because there are other constraints.

In this case I'd rather switch the return type of nr_data_stripes to u32
as the return value from the helper is used for shifts by
BTRFS_STRIPE_LEN_SHIFT in several places.

For the struct map_lookup we should use u32 for all values that simply
count something and there's no semantic value for -1 (like uninitialzed
or invalid). I did a quick grep and the values are assigned from
unsigned types in most if not all cases.