Instead of returning an inconclusive value of NULL for an error in calling
bio_split(), return a ERR_PTR() always.

Also remove the BUG_ON() calls, and WARN_ON_ONCE() instead. Indeed, since
almost all callers don't check the return code from bio_split(), we'll
crash anyway (for those failures).

Fix up the only user which checks bio_split() return code today (directly
or indirectly), blk_crypto_fallback_split_bio_if_needed(). The md/bcache
code does check the return code in cached_dev_cache_miss() ->
bio_next_split() -> bio_split(), but only to see if there was a split, so
there would be no change in behaviour here (when returning a ERR_PTR()).

Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: John Garry <john.g.garry@oracle.com>
---
 block/bio.c                 | 10 ++++++----
 block/blk-crypto-fallback.c |  2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/block/bio.c b/block/bio.c
index 95e2ee14cea2..7a93724e4a49 100644
--- a/block/bio.c
+++ b/block/bio.c
@@ -1740,16 +1740,18 @@ struct bio *bio_split(struct bio *bio, int sectors,
 {
 	struct bio *split;
 
-	BUG_ON(sectors <= 0);
-	BUG_ON(sectors >= bio_sectors(bio));
+	if (WARN_ON_ONCE(sectors <= 0))
+		return ERR_PTR(-EINVAL);
+	if (WARN_ON_ONCE(sectors >= bio_sectors(bio)))
+		return ERR_PTR(-EINVAL);
 
 	/* Zone append commands cannot be split */
 	if (WARN_ON_ONCE(bio_op(bio) == REQ_OP_ZONE_APPEND))
-		return NULL;
+		return ERR_PTR(-EINVAL);
 
 	split = bio_alloc_clone(bio->bi_bdev, bio, gfp, bs);
 	if (!split)
-		return NULL;
+		return ERR_PTR(-ENOMEM);
 
 	split->bi_iter.bi_size = sectors << 9;
 
diff --git a/block/blk-crypto-fallback.c b/block/blk-crypto-fallback.c
index b1e7415f8439..29a205482617 100644
--- a/block/blk-crypto-fallback.c
+++ b/block/blk-crypto-fallback.c
@@ -226,7 +226,7 @@ static bool blk_crypto_fallback_split_bio_if_needed(struct bio **bio_ptr)
 
 		split_bio = bio_split(bio, num_sectors, GFP_NOIO,
 				      &crypto_bio_split);
-		if (!split_bio) {
+		if (IS_ERR(split_bio)) {
 			bio->bi_status = BLK_STS_RESOURCE;
 			return false;
 		}
-- 
2.31.1

On 10/31/24 10:59, John Garry wrote:
> Instead of returning an inconclusive value of NULL for an error in calling
> bio_split(), return a ERR_PTR() always.
> 
> Also remove the BUG_ON() calls, and WARN_ON_ONCE() instead. Indeed, since
> almost all callers don't check the return code from bio_split(), we'll
> crash anyway (for those failures).
> 
> Fix up the only user which checks bio_split() return code today (directly
> or indirectly), blk_crypto_fallback_split_bio_if_needed(). The md/bcache
> code does check the return code in cached_dev_cache_miss() ->
> bio_next_split() -> bio_split(), but only to see if there was a split, so
> there would be no change in behaviour here (when returning a ERR_PTR()).
> 
> Reviewed-by: Christoph Hellwig <hch@lst.de>
> Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
> Signed-off-by: John Garry <john.g.garry@oracle.com>
> ---
>   block/bio.c                 | 10 ++++++----
>   block/blk-crypto-fallback.c |  2 +-
>   2 files changed, 7 insertions(+), 5 deletions(-)
> 
> diff --git a/block/bio.c b/block/bio.c
> index 95e2ee14cea2..7a93724e4a49 100644
> --- a/block/bio.c
> +++ b/block/bio.c
> @@ -1740,16 +1740,18 @@ struct bio *bio_split(struct bio *bio, int sectors,
>   {
>   	struct bio *split;
>   
> -	BUG_ON(sectors <= 0);
> -	BUG_ON(sectors >= bio_sectors(bio));
> +	if (WARN_ON_ONCE(sectors <= 0))
> +		return ERR_PTR(-EINVAL);
> +	if (WARN_ON_ONCE(sectors >= bio_sectors(bio)))
> +		return ERR_PTR(-EINVAL);
>   
>   	/* Zone append commands cannot be split */
>   	if (WARN_ON_ONCE(bio_op(bio) == REQ_OP_ZONE_APPEND))
> -		return NULL;
> +		return ERR_PTR(-EINVAL);
>   
>   	split = bio_alloc_clone(bio->bi_bdev, bio, gfp, bs);
>   	if (!split)
> -		return NULL;
> +		return ERR_PTR(-ENOMEM);
>   
>   	split->bi_iter.bi_size = sectors << 9;
>   
> diff --git a/block/blk-crypto-fallback.c b/block/blk-crypto-fallback.c
> index b1e7415f8439..29a205482617 100644
> --- a/block/blk-crypto-fallback.c
> +++ b/block/blk-crypto-fallback.c
> @@ -226,7 +226,7 @@ static bool blk_crypto_fallback_split_bio_if_needed(struct bio **bio_ptr)
>   
>   		split_bio = bio_split(bio, num_sectors, GFP_NOIO,
>   				      &crypto_bio_split);
> -		if (!split_bio) {
> +		if (IS_ERR(split_bio)) {
>   			bio->bi_status = BLK_STS_RESOURCE;
>   			return false;
>   		}

Don't you need to modify block/bounce.c, too?

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                  Kernel Storage Architect
hare@suse.de                                +49 911 74053 688
SUSE Software Solutions GmbH, Frankenstr. 146, 90461 Nürnberg
HRB 36809 (AG Nürnberg), GF: I. Totev, A. McDonald, W. Knoblich

On 05/11/2024 07:21, Hannes Reinecke wrote:
> On 10/31/24 10:59, John Garry wrote:
>> Instead of returning an inconclusive value of NULL for an error in 
>> calling
>> bio_split(), return a ERR_PTR() always.
>>
>> Also remove the BUG_ON() calls, and WARN_ON_ONCE() instead. Indeed, since
>> almost all callers don't check the return code from bio_split(), we'll
>> crash anyway (for those failures).
>>
>> Fix up the only user which checks bio_split() return code today (directly
>> or indirectly), blk_crypto_fallback_split_bio_if_needed(). The md/bcache
>> code does check the return code in cached_dev_cache_miss() ->
>> bio_next_split() -> bio_split(), but only to see if there was a split, so
>> there would be no change in behaviour here (when returning a ERR_PTR()).
>>
>> Reviewed-by: Christoph Hellwig <hch@lst.de>
>> Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
>> Signed-off-by: John Garry <john.g.garry@oracle.com>
>> ---
>>   block/bio.c                 | 10 ++++++----
>>   block/blk-crypto-fallback.c |  2 +-
>>   2 files changed, 7 insertions(+), 5 deletions(-)
>>
>> diff --git a/block/bio.c b/block/bio.c
>> index 95e2ee14cea2..7a93724e4a49 100644
>> --- a/block/bio.c
>> +++ b/block/bio.c
>> @@ -1740,16 +1740,18 @@ struct bio *bio_split(struct bio *bio, int 
>> sectors,
>>   {
>>       struct bio *split;
>> -    BUG_ON(sectors <= 0);
>> -    BUG_ON(sectors >= bio_sectors(bio));
>> +    if (WARN_ON_ONCE(sectors <= 0))
>> +        return ERR_PTR(-EINVAL);
>> +    if (WARN_ON_ONCE(sectors >= bio_sectors(bio)))
>> +        return ERR_PTR(-EINVAL);
>>       /* Zone append commands cannot be split */
>>       if (WARN_ON_ONCE(bio_op(bio) == REQ_OP_ZONE_APPEND))
>> -        return NULL;
>> +        return ERR_PTR(-EINVAL);
>>       split = bio_alloc_clone(bio->bi_bdev, bio, gfp, bs);
>>       if (!split)
>> -        return NULL;
>> +        return ERR_PTR(-ENOMEM);
>>       split->bi_iter.bi_size = sectors << 9;
>> diff --git a/block/blk-crypto-fallback.c b/block/blk-crypto-fallback.c
>> index b1e7415f8439..29a205482617 100644
>> --- a/block/blk-crypto-fallback.c
>> +++ b/block/blk-crypto-fallback.c
>> @@ -226,7 +226,7 @@ static bool 
>> blk_crypto_fallback_split_bio_if_needed(struct bio **bio_ptr)
>>           split_bio = bio_split(bio, num_sectors, GFP_NOIO,
>>                         &crypto_bio_split);
>> -        if (!split_bio) {
>> +        if (IS_ERR(split_bio)) {
>>               bio->bi_status = BLK_STS_RESOURCE;
>>               return false;
>>           }
> 
> Don't you need to modify block/bounce.c, too?

Today we have __blk_queue_bounce() -> bio_split(), but the return value 
from bio_split() is not checked for errors (NULL) there, so it is 
already in a poor state.

I will look to remedy that and other callsites which don't check 
bio_split() return value for errors in next phase.

Thanks,
John