From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id E3970C2FF
	for <linux-kernel@vger.kernel.org>; Thu,  5 Feb 2026 22:15:40 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.52
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1770329741; cv=none; b=FcIWY/UFwFCO/HmM1G1XqiXcoHGUaJqVot7XUHxnOfo5tl5i5lS6TtTEBAx1goGIW5ecRssqA+PR3zCOezJ3n/o5ltOC59l6R12ktD9+2/HobkU15o5Xn3w00/+tGJwJV+hCJUznIINDE3ySx73Xe15Ud2kw4bhPNdRe5GH3GjE=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1770329741; c=relaxed/simple;
	bh=s7uFUf1HP9tkMoTKzYe53D6lm84A+4nOtVfMCdzTH9o=;
	h=Date:From:To:Cc:Subject:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type; b=iBPvMsJ9lmxAJnXbU41GaE8En9TV8v3xYcDdIZDTgTp8kjyVhz6pIfp7sqq4WWaehwlMeDZzhNHn44MUyJrt1tIR42sJEvrE4EZf7p13l2qFlZdXCgFknn8I+ghfqvYfLcLz8cByWrxViWePp+JEx6sGVh+u679zVWDZd/6zGC8=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=UWa+li9B; arc=none smtp.client-ip=209.85.128.52
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="UWa+li9B"
Received: by mail-wm1-f52.google.com with SMTP id 5b1f17b1804b1-4801bc32725so680345e9.0
        for <linux-kernel@vger.kernel.org>; Thu, 05 Feb 2026 14:15:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1770329739; x=1770934539; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:subject:cc:to:from:date:from:to:cc:subject:date
         :message-id:reply-to;
        bh=VTsDmInbI2tRLigQMHn2tnLgVdMKoIYGwyixFddcuYY=;
        b=UWa+li9B6b7ZrthnPlNEhvhB9sU/+gOaSIdsFjFAK83IhfvxVty0/4Kzz73xm+6Kow
         RMeU/EpLHOripbCFb3sF4p6Klrm7Ys+BgK2PCeQrNHntLY2JWlo/TVsLOqiye4+XnI8F
         eGy/bPAyQ0VDMQ2IIevhxo9IJEycjxNPv9DvWYq1S+MVqUypTGXp1fBxOnGB/hmeROsD
         Tg6wV7K1ruiJreZTuKQWwYvFFb4S0qtx+8mJhStPCaRM6I6I3JKqw+3lpuVpaBlPL2to
         CToxX1iB4Lna1S5fOMlRRhNl09WYtThA7+t9tBrqxMetAZF68DpTpxHPijOgBbkegfLE
         59zw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1770329739; x=1770934539;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=VTsDmInbI2tRLigQMHn2tnLgVdMKoIYGwyixFddcuYY=;
        b=Jh27npr3KlT/3p56g1X6Hh5phVpRAA697Yw268yqJ/w3+KXBNCcmJYhwyAFnTF9Tl3
         9UtbWc4y67cuc/uS4iDGLy5pQQ5Mmf4FdcTUg4V29ilEdOVOGdLi9VrMrCW4vFEOlihS
         70Elus41q/NdlLNH1iv+3rU9ybGlMV3dCN+VPBsIpC8bm67JBYYVYHZTtCG3bgaiq85s
         hkEKl9FCeDpKkEdCIg/9TrEXXk8rcFtRudhe015lypfX02AKI9kMVZwpS79KEVRgQXfV
         l6CkzJSN0h0p5Hbmw0SYBkhpqI+cknfOGiW1i0jHTnekql0W4ZDMY73sEj7hBpNvOpYJ
         43Pg==
X-Forwarded-Encrypted: i=1; AJvYcCVvN9mBba/MbODw0DjFminL47yw2WSmQim4L4QIT99PJ0lrMrL9je6+uCMg756Ww5yspqdzs8Iqm326w9M=@vger.kernel.org
X-Gm-Message-State: AOJu0YyjVw8u4Elv270Rwd5dDMMkoKZNECXtRmw/2TsGy7isHvCxuVsw
	3dOkRgK0VWD8l9BSi6joscYAhF/PIA4d6Ni9Sla6AqLcgpIrNHgtEcU+W7dtyw==
X-Gm-Gg: AZuq6aKz53E9bpQKq80vvH6M1UtBMwgXrEVCpYWx3vplaPzjpZM95mwovw513CjP3xC
	XBl2IsldRIQxJmcJLwmH4EsqMDf6cFOs5SQYXGqZLyQqv5PiU1/Xj5c776MNh1MePOeRmxQxczF
	r0W90lKqf6y9My/v0UmiIulQmkrEGXFxmOec2+LfrJEiMD7nVv7E0Dqne3jk2zE/1SWgV5jHqP2
	1RcSlnKGSPzBC9QGdH1sOwpf7sV3ZA/qqA9wdb0OyORrg+WX/OAjqpDmVDn+tsaELsdEleieouc
	CWrbEseCx0DVnWLhtOtO6U2vdMka/ezE5xb8ktcyOS41U16z8s/HnFnKTfOQbeMl1mq9NJjyqdm
	lgXVv7z9nE0bOGrM6cOoAVrKE432CxIXH8+7yJqindFlOFRE0294QcER0DLJ0+8qKpE6a3mumKx
	K/ApzooXgt39I+PIEls1elXSQoezs4/8Jc5O01jbBw6V80p/rp1YJs
X-Received: by 2002:a05:600c:4f54:b0:46e:1a5e:211 with SMTP id 5b1f17b1804b1-48320212d61mr11478545e9.21.1770329739101;
        Thu, 05 Feb 2026 14:15:39 -0800 (PST)
Received: from pumpkin (82-69-66-36.dsl.in-addr.zen.co.uk. [82.69.66.36])
        by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48320983f18sm3676755e9.8.2026.02.05.14.15.38
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 05 Feb 2026 14:15:38 -0800 (PST)
Date: Thu, 5 Feb 2026 22:15:37 +0000
From: David Laight <david.laight.linux@gmail.com>
To: Dmitry Antipov <dmantipov@yandex.ru>
Cc: Andy Shevchenko <andriy.shevchenko@intel.com>, Andrew Morton
 <akpm@linux-foundation.org>, Kees Cook <kees@kernel.org>, "Darrick J .
 Wong" <djwong@kernel.org>, linux-hardening@vger.kernel.org,
 linux-kernel@vger.kernel.org
Subject: Re: [PATCH v5 1/5] lib: fix _parse_integer_limit() to handle
 overflow
Message-ID: <20260205221537.34778ff0@pumpkin>
In-Reply-To: <20260204135717.941256-2-dmantipov@yandex.ru>
References: <20260204135717.941256-1-dmantipov@yandex.ru>
	<20260204135717.941256-2-dmantipov@yandex.ru>
X-Mailer: Claws Mail 4.1.1 (GTK 3.24.38; arm-unknown-linux-gnueabihf)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Wed,  4 Feb 2026 16:57:13 +0300
Dmitry Antipov <dmantipov@yandex.ru> wrote:

> In '_parse_integer_limit()', adjust native integer arithmetic
> with near-to-overflow branch where 'check_mul_overflow()' and
> 'check_add_overflow()' are used to check whether an intermediate
> result goes out of range, and denote such a case with ULLONG_MAX,
> thus making the function more similar to standard C library's
> 'strtoull()'. Adjust comment to kernel-doc style as well.
> 
> Reviewed-by: Andy Shevchenko <andriy.shevchenko@intel.com>
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
> ---
> v5: minor brace style adjustment
> v4: restore plain integer arithmetic and use check_xxx_overflow()
>     on near-to-overflow branch only
> v3: adjust commit message and comments as suggested by Andy
> v2: initial version to join the series
> ---
>  lib/kstrtox.c | 39 ++++++++++++++++++++++++++-------------
>  1 file changed, 26 insertions(+), 13 deletions(-)
> 
> diff --git a/lib/kstrtox.c b/lib/kstrtox.c
> index bdde40cd69d7..8691f85cf2ce 100644
> --- a/lib/kstrtox.c
> +++ b/lib/kstrtox.c
> @@ -39,20 +39,26 @@ const char *_parse_integer_fixup_radix(const char *s, unsigned int *base)
>  	return s;
>  }
>  
> -/*
> - * Convert non-negative integer string representation in explicitly given radix
> - * to an integer. A maximum of max_chars characters will be converted.
> +/**
> + * _parse_integer_limit - Convert integer string representation to an integer
> + * @s: Integer string representation
> + * @base: Radix
> + * @p: Where to store result
> + * @max_chars: Maximum amount of characters to convert
> + *
> + * Convert non-negative integer string representation in explicitly given
> + * radix to an integer. If overflow occurs, value at @p is set to ULLONG_MAX.
>   *
> - * Return number of characters consumed maybe or-ed with overflow bit.
> - * If overflow occurs, result integer (incorrect) is still returned.
> + * This function is the workhorse of other string conversion functions and it
> + * is discouraged to use it explicitly. Consider kstrto*() family instead.
>   *
> - * Don't you dare use this function.
> + * Return: Number of characters consumed, maybe ORed with overflow bit
>   */
>  noinline
>  unsigned int _parse_integer_limit(const char *s, unsigned int base, unsigned long long *p,
>  				  size_t max_chars)
>  {
> -	unsigned long long res;
> +	unsigned long long tmp, res;
>  	unsigned int rv;
>  
>  	res = 0;
> @@ -72,14 +78,21 @@ unsigned int _parse_integer_limit(const char *s, unsigned int base, unsigned lon
>  		if (val >= base)
>  			break;
>  		/*
> -		 * Check for overflow only if we are within range of
> -		 * it in the max base we support (16)
> +		 * Accumulate result if no overflow detected.
> +		 * Otherwise just consume valid characters.
>  		 */
> -		if (unlikely(res & (~0ull << 60))) {
> -			if (res > div_u64(ULLONG_MAX - val, base))
> -				rv |= KSTRTOX_OVERFLOW;
> +		if (likely(res != ULLONG_MAX)) {
> +			if (unlikely(res & (~0ull << 60))) {

Aren't those two checks in the wrong order?
The likely/unlikely really don't make that much difference
you want the main test first.

In any case what is the first check for?
I think it just stops 0xffffffffffffffff0 being treated as an error.
If you are trying to skip the rest of the digits after an overflow
you need to check 'rv'.

Although I wonder whether strtoul() (etc) should stop 'eating' input
when the value would overflow and return a pointer to the digit that
caused the error.
Code looking at the terminating character wont be expecting a digit
and will treat it as a syntax error - which is what you are trying to do.

That is a much easier API to use, and a 'drop-in' for existing code.

	David

> +				/* We're close to possible overflow. */
> +				if (check_mul_overflow(res, base, &tmp) ||
> +				    check_add_overflow(tmp, val, &res)) {
> +					res = ULLONG_MAX;
> +					rv |= KSTRTOX_OVERFLOW;
> +				}
> +			} else {
> +				res = res * base + val;
> +			}
>  		}
> -		res = res * base + val;
>  		rv++;
>  		s++;
>  	}