From: Al Viro <viro@ZenIV.linux.org.uk>
To: Kees Cook <keescook@chromium.org>
Cc: Joe Perches <joe@perches.com>, George Spelvin <linux@horizon.com>,
Andrew Morton <akpm@linux-foundation.org>,
Dan Carpenter <dan.carpenter@oracle.com>,
"David S. Miller" <davem@davemloft.net>,
Eldad Zack <eldad@fogrefinery.com>,
Jan Beulich <jbeulich@suse.com>, Jiri Kosina <jkosina@suse.cz>,
LKML <linux-kernel@vger.kernel.org>,
Randy Dunlap <rdunlap@infradead.org>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Subject: Re: [PATCH] vsprintf: drop comment claiming %n is ignored
Date: Sat, 14 Sep 2013 03:17:56 +0100 [thread overview]
Message-ID: <20130914021755.GY13318@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CAGXu5jJxJVK7cu2Sc4Sdng_rLDL8ziC6aecAi7G0zL4fYnY-9Q@mail.gmail.com>
On Fri, Sep 13, 2013 at 04:03:25PM -0700, Kees Cook wrote:
> Maybe I missed this somewhere in the thread, but I'm not sure I
> understand the move to "void". Here's what I see, please correct me:
>
> 1- seq_printf currently returns success/failure
> 2- some callers of seq_printf (correctly) use the return value as
> success/failure indication
Not all uses as success/failure are right, at that - you should *NOT*
return non-zero from ->show() on overflow. Ever. It should only
happen when you have a hard error and do *not* want the operation
retried. On success ->show() returns zero - not the number of characters
written or anything like that.
> 3- some callers of seq_printf (incorrectly) use the return value as a
> length indication
> 4- both success/failure and length are important outputs from seq_printf
Not really. Success/failure is used if you want to optimize ->show() a bit;
usually you don't. Again, failure == overflow and it's both rare *and*
will cause all subsequent seq_...() to be no-ops until the retry. Which
retry will follow. Shortly.
> 5- we need a way to access the length written during the call
_Very_ rarely. And I'd seriously suggest the use of %n in such cases.
> 6- want to minimize impact on the code base
Majority of the code base simply calls seq_printf() without caring what
it returns. Very small minority is broken and needs to be fixed.
> Due to 1 and 2, it seems like there's no sense in changing the return
> value to void. Success/failure is already returned, and there are
> users of it. No sense changing them.
... most of them incorrect.
> The normal way to handle multiple return values (4 and 5) is to add a
> pointer argument. For example: seq_printf(s, &len, fmt, args...) where
> len can be NULL. But this runs against 6.
>
> Due to 6, to solve 4 and 5, usually macro or inline tricks are used,
> for example:
>
> __printf(3, 4) int seq_printf_len(struct seq_file *, size_t *len, ...);
> #define seq_printf(s, fmt, ...) seq_printf_len(s, NULL, fmt, ##__VA_ARGS__)
>
> With this, solving 3 becomes possible (your void patch has already
> detected all the users of the return value, so we can sort out which
> expect length and which expect success/failure), and lets us actually
> remove the %n uses trivially too.
Consider that NAKed. Reason: fucking ugly and pointless at the same time.
I don't believe that seq_printf() itself needs to be changed at all (or that
%n should be removed, actually). Callers should be audited and fixed, of
course. With dire warnings added to seq_file.[ch]. And no, it shouldn't
be returning void - the current calling conventions are actually right.
next prev parent reply other threads:[~2013-09-14 2:18 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-11 19:30 [PATCH] vsprintf: drop comment claiming %n is ignored Kees Cook
2013-09-11 20:06 ` Joe Perches
2013-09-11 20:18 ` Kees Cook
2013-09-11 20:20 ` Joe Perches
2013-09-11 20:30 ` KOSAKI Motohiro
2013-09-11 20:28 ` Joe Perches
2013-09-13 19:53 ` George Spelvin
2013-09-13 22:27 ` Joe Perches
2013-09-13 23:03 ` Kees Cook
2013-09-13 23:23 ` Joe Perches
2013-09-16 2:53 ` George Spelvin
2013-09-14 2:17 ` Al Viro [this message]
2013-09-14 2:49 ` Tetsuo Handa
2013-09-14 3:05 ` Al Viro
2013-09-14 3:48 ` Al Viro
2013-09-14 4:53 ` Al Viro
2013-09-14 5:26 ` Joe Perches
2013-09-12 7:03 ` Jan Beulich
2013-09-12 7:31 ` Kees Cook
2013-09-12 7:51 ` Jan Beulich
2013-09-12 7:57 ` Dan Carpenter
2013-09-13 19:49 ` George Spelvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130914021755.GY13318@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=akpm@linux-foundation.org \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=eldad@fogrefinery.com \
--cc=jbeulich@suse.com \
--cc=jkosina@suse.cz \
--cc=joe@perches.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@horizon.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=rdunlap@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.