From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id EBDA1C83F1A
	for <linux-mm@archiver.kernel.org>; Fri, 11 Jul 2025 06:19:52 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 8EE566B0095; Fri, 11 Jul 2025 02:19:52 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 8C61F6B0098; Fri, 11 Jul 2025 02:19:52 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 7DC086B0099; Fri, 11 Jul 2025 02:19:52 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14])
	by kanga.kvack.org (Postfix) with ESMTP id 6DAB56B0095
	for <linux-mm@kvack.org>; Fri, 11 Jul 2025 02:19:52 -0400 (EDT)
Received: from smtpin30.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay08.hostedemail.com (Postfix) with ESMTP id 215AE14234B
	for <linux-mm@kvack.org>; Fri, 11 Jul 2025 06:19:52 +0000 (UTC)
X-FDA: 83650983024.30.16D67D1
Received: from mail-wr1-f49.google.com (mail-wr1-f49.google.com [209.85.221.49])
	by imf24.hostedemail.com (Postfix) with ESMTP id 3746718000A
	for <linux-mm@kvack.org>; Fri, 11 Jul 2025 06:19:49 +0000 (UTC)
Authentication-Results: imf24.hostedemail.com;
	dkim=pass header.d=gmail.com header.s=20230601 header.b=MsibvoXB;
	dmarc=pass (policy=none) header.from=gmail.com;
	spf=pass (imf24.hostedemail.com: domain of ma.uecker@gmail.com designates 209.85.221.49 as permitted sender) smtp.mailfrom=ma.uecker@gmail.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1752214790; a=rsa-sha256;
	cv=none;
	b=mILfUTzR4iG1PtvxhWJ2MvPNq5axbg8PjsG9Fr4hFiexTkf6YEWXzZGM93syEXK1Epw14A
	4lT/mOG3kPV4OEwidD0EXUSUi7dNEtwpK1kiS+nCzRx0soZm+7O3fLCdI9VeTjAtpppCrM
	7VjvpexKUO4jRN0aaeaNoXXq/NXtm4c=
ARC-Authentication-Results: i=1;
	imf24.hostedemail.com;
	dkim=pass header.d=gmail.com header.s=20230601 header.b=MsibvoXB;
	dmarc=pass (policy=none) header.from=gmail.com;
	spf=pass (imf24.hostedemail.com: domain of ma.uecker@gmail.com designates 209.85.221.49 as permitted sender) smtp.mailfrom=ma.uecker@gmail.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1752214790;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=tVh9hsjl81v4ae22eJ2co4oKHaNUT7Y20uC96jCSTXU=;
	b=sYhQ0xI/PhR9gxlSW8RLHC/B47XbG3sOBAb1p2KEbM7EyU+kEPWGpoU1sVCDOVD7QSt1aR
	/aixaSMC6kiHhRxlHXEKx4GdAHwjzDHF8RJnlt5a50cU4dPs8YiofKcxdwJJ2UJwivcXsi
	l0kPwFJh/EtW6wmwOLFWK63vFOmnSVw=
Received: by mail-wr1-f49.google.com with SMTP id ffacd0b85a97d-3a536ecbf6fso1041517f8f.2
        for <linux-mm@kvack.org>; Thu, 10 Jul 2025 23:19:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1752214789; x=1752819589; darn=kvack.org;
        h=mime-version:user-agent:content-transfer-encoding:references
         :in-reply-to:date:cc:to:from:subject:message-id:from:to:cc:subject
         :date:message-id:reply-to;
        bh=tVh9hsjl81v4ae22eJ2co4oKHaNUT7Y20uC96jCSTXU=;
        b=MsibvoXBEAX2NY4/XE3HLWAcBOS8KwnT8LR8ib9n+xB+WQ3h5/k31WyeEDb8k2+bhx
         GRfTbuj3aVGSetfq1el4PRD4N1O9IlyJprDTjWYd+REkzZkHPqccmS4CdcZC1bTkqA6z
         MJOV6ggfYPqX0bYZUDvXAyOJ0e7W/ngSMFHFUVvn6MUfKUZ9JrdC+H9YcZUcVg+okUV9
         wzygTEl4WuQjcl0/WkKjdbysYAY52AZ/Q5fAyhMWAYz+Y1L3FdQMiJFdYOWRHZHTQwQY
         Y2bDLjx/trg5F7mSjVwGTQDveb+p7KI0ze2XQ2nJQnb0eyoJXS/ZmZJvQkyo28N9eP+n
         HTjA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752214789; x=1752819589;
        h=mime-version:user-agent:content-transfer-encoding:references
         :in-reply-to:date:cc:to:from:subject:message-id:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=tVh9hsjl81v4ae22eJ2co4oKHaNUT7Y20uC96jCSTXU=;
        b=mM+IcKHb4P3iRo1RCC8TWzu0f0jxh4P7EkFq5yuaKRvN43S5NyNQJmfL8D1tE7vKpr
         V+cM2NDMmy8PY6tbI0QoHBk3/ayLVs9VwTkYMyIhUmyy9LjZ49wfqOwleDDrG7MDA5FF
         yBf12lAMuZeU9JimUcCMSwTZKDcI9gr36fiO5vtGZ1cmlnDK1jiPI1FeV9gT8OrxpPbb
         9OQyxuUYUtEXh9d7q5DAkXK068Euin9+ErkM32kz4oJDsGhMJ7KcEF6Bw/ZLD7dfkenP
         13e741c3zr7tl6TUWnmpXBLvPjtVVW+Zj5/nSW47pJRVc1mZDLAE5dAxVGAdvN+1qMUB
         c2pw==
X-Gm-Message-State: AOJu0YzaCcrzPQBqlloQhed1sQDZUk/tPAuZVdKIEp44ggcRp8P03AfW
	hV5NAuuOBVb+sBgUn88hCS+8WB2GXSfJXe5VjtytzuioAfTkkrzFnUyP
X-Gm-Gg: ASbGncuSlGZoeVWtY+RYSpPKi33P08YJXxzkKxu6sE8DrKkcvAjAa9Bpv9EFGFHFqKL
	mbZvIToOKMzmjxUMjLyI7dv5oG2z6+LvGcT6PjPV9Q00zcDgErAfDSeHBZ44KYo08qfIYIHO55n
	BBqekVEodFTMyYsfz6i3fLucwoLiY+PtJorUKU42dpMI+3JfLcxjHXcXcG8EYnP0LEzLE4a5n0/
	6q3zYXV5lpxFJNZrUgsYP8aQ72fTCWH8gKYmpQoY5JFZsKNGFI0m3zePJwlPrapFxX1MZzXXHoq
	5onMmyFm0E7TuOh+2r3kfW9TGKV7MB6xmKKvoUmTk8QjdR1ITyKrRCRhkckqyQVndntr4by+V5J
	c7gYikEehfZRJo2+3BHEZe7qqnlqth11NAA4D+Cz58BJ5pKBzStc1wuJYX0H7qm9n6BkyJKyXTs
	2LBhwGQglLb1kgJPdjF3izWpMPFhEf4+Cvywi0v83Da/p0yoLBUUloeY/Jbdt9Oczz/j8FL6tfa
	ERPY6BG+b+LTtd6mtTUan3slYxIKIQ=
X-Google-Smtp-Source: AGHT+IG5gmT2Z5CmKkYsqChaThq+JaG9rapQ1KiS6taqexfjAtXJ7e0m6bSjCiyRWl39uWz+ystjGA==
X-Received: by 2002:a5d:5f52:0:b0:3a6:c923:bc5f with SMTP id ffacd0b85a97d-3b5f187ebaamr2048139f8f.17.1752214788443;
        Thu, 10 Jul 2025 23:19:48 -0700 (PDT)
Received: from 2a02-8388-e6bb-e300-2ae5-f1e1-5796-cbba.cable.dynamic.v6.surfer.at (2a02-8388-e6bb-e300-2ae5-f1e1-5796-cbba.cable.dynamic.v6.surfer.at. [2a02:8388:e6bb:e300:2ae5:f1e1:5796:cbba])
        by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3b5e8dc21fdsm3608080f8f.33.2025.07.10.23.19.46
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 10 Jul 2025 23:19:48 -0700 (PDT)
Message-ID: <bf3eb247c98cd96c602653bbec8c8e34a8c718ec.camel@gmail.com>
Subject: Re: [RFC v5 6/7] sprintf: Add [v]sprintf_array()
From: Martin Uecker <ma.uecker@gmail.com>
To: Linus Torvalds <torvalds@linux-foundation.org>, Alejandro Colomar
	 <alx@kernel.org>
Cc: linux-mm@kvack.org, linux-hardening@vger.kernel.org, Kees Cook
 <kees@kernel.org>, Christopher Bazley <chris.bazley.wg14@gmail.com>, shadow
 <~hallyn/shadow@lists.sr.ht>, linux-kernel@vger.kernel.org, Andrew Morton
 <akpm@linux-foundation.org>, kasan-dev@googlegroups.com, Dmitry Vyukov
 <dvyukov@google.com>, Alexander Potapenko <glider@google.com>, Marco Elver
 <elver@google.com>, Christoph Lameter <cl@linux.com>, David Rientjes
 <rientjes@google.com>, Vlastimil Babka <vbabka@suse.cz>, Roman Gushchin
 <roman.gushchin@linux.dev>, Harry Yoo <harry.yoo@oracle.com>, Andrew
 Clayton <andrew@digital-domain.net>, Rasmus Villemoes
 <linux@rasmusvillemoes.dk>,  Michal Hocko <mhocko@suse.com>, Al Viro
 <viro@zeniv.linux.org.uk>, Sam James <sam@gentoo.org>, Andrew Pinski
 <pinskia@gmail.com>
Date: Fri, 11 Jul 2025 08:19:46 +0200
In-Reply-To: <28c8689c7976b4755c0b5c2937326b0a3627ebf6.camel@gmail.com>
References: <cover.1751823326.git.alx@kernel.org>
	 <cover.1752182685.git.alx@kernel.org>
	 <04c1e026a67f1609167e834471d0f2fe977d9cb0.1752182685.git.alx@kernel.org>
	 <CAHk-=wiNJQ6dVU8t7oM0sFpSqxyK8JZQXV5NGx7h+AE0PY4kag@mail.gmail.com>
	 <28c8689c7976b4755c0b5c2937326b0a3627ebf6.camel@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.46.4-2 
MIME-Version: 1.0
X-Rspamd-Queue-Id: 3746718000A
X-Stat-Signature: 7c5d17a35g69wgbmykyycqsfaqbksrqk
X-Rspam-User: 
X-Rspamd-Server: rspam10
X-HE-Tag: 1752214789-267876
X-HE-Meta: U2FsdGVkX19LLMug+PlgjkER0J1fmaBnjwHB4F50T8bx3ErhE3ZBLUlRixqSMYKMwBcslQypPDiCHRWCZkaaWzEmFjcgKDEPZvjKyX4ZCZGCUS8QRnXqDUQ0lovrQ100YaJo11/g8emvNvyyoBigtSO4Rvg0wzeqFuj8/d6A0ybTWp0RCUYJQiMRzlNgoqaJZMI6dbihKJ6IX44jKQgmdC1qvX/pNS9ycK+SgN/ekAsfj8UAeqKmxVbpDUv6v8WcInh4mR2Q7bZSG7Vqnw5zVDnqt8uPDEOCbpuOj+LOXVrg0Kv5qygrCAN7R1wjnXlpD/hTB4O1qXe7gf+XbolRHbTbIwsfgWbj9P7NMLJaghUp+Vw4qJ1yD4axhI9rXfTkldazG6mdaiEPuLsjr3+lihyYQAtb5Ifv6+CnEqYkwv1cKu2S057cZPb1NhYdOlmkeUSIeKMob+YFhvxzogpX8QtMGgJiRdlx8i2PLYgC8omvn/tu8uW9qHPs24FDo3z6uRqdofOvGfnUx7rMDdupjREh1mBJcjXhtSsImbouOtL9t83wgP3ZZBIacgcCkZX6F2hQZYKU+VxENuhJEOB7MifjBpEocq5WL0xi3fkJpwpLKjXCRXPr0EjSe5axqconF1Rz3cLu3O5BXxI8mikkRy6jOF+/LZlRkoZpeNPQCCU3BvTZ5wAGfIU9oAf9iJGvQyW+n7CLkm+88PJ0IpDYWPk1axO3AXLQCd5m6lGqo7yq9BrdT3h3V0gtHxW7Y7z5mRogA3PkjGwxqp9xKOsCbNJH7KB5SVqMjhz6kGcEYOkOs8tL6ofU+AQtL9MUwd81UrYJjcFf1++neECaYUyE3JjLWQqbalK4xPQZqzDA7AEChu2BVgycPBK/H5hrqTa1xyPkz1Yo/ADrFV/SIrsKkPZDTuxDyAjU7UhSxev4xLADH+bbnkrO4M2B2ypFJdb5JLps59aEknNsslReaZZ
 qqe3YTbi
 KKLzNb7zWDpR2f9wrXhdblTIkipJzfavrm7zdWVRHo/flXNi3w0UHpplMsVCLlFJ5dGyioBN5eDUC9oM/KC+Gr6VhFvy/VX7bWj+dCmKpaeXpptvmb9XRXGfKVhBh3OWwnA+qLh62NNNXp8Sdf5XM/M9sUvG78aO7LCWFeG3O9JM/SE5oQPxVQYjc+AzdN48bHQNIV69M+MwnBgVIVTxi9YK5hsRmjJCTrD0d2Xw+yYeSI2VeFUfM8eBBUS5FF2n4Oj/yXti6SlfaP47UAfgIVU1e6HUBcGaMK7Y4yd/xkapMcBBod1KiseBfOm562c+cEcacGfQJapJPpZZDKgYKN6tAIrNN2tJUWvOqVS+XLifVSPNSiniUf7e1yD5z/o+LxIy1V7h/ZHG+8S8AjKQXXO4nTOPFwtLbczMSIRTSupMiU4prjGyT/VxvFp0Mv0ZGSNRErO1H07987NMZyeIXAVthHrWRGYgS6X2pC82tKvKy3EPBrZ7Z55aEEkHkFvuxm8zwoG6DHcLpfaaJZzm0tzA5vsUPVw7643exLvs4NEzL8RJv3mY9suoyHzqCpNWL5VmQI8qMbO01sGejpvhUYRBMBLwKNsWjQ6nmqeBJ1AgqvHwJmWEmICPIA+DxezwmXeJ7mprmLLbjoM2+JGMISUJiQdRmlc5GEpF0VuKEqknMUKA=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

Am Freitag, dem 11.07.2025 um 08:05 +0200 schrieb Martin Uecker:
> Am Donnerstag, dem 10.07.2025 um 14:58 -0700 schrieb Linus Torvalds:
> > On Thu, 10 Jul 2025 at 14:31, Alejandro Colomar <alx@kernel.org> wrote:
> > >=20
> > > These macros are essentially the same as the 2-argument version of
> > > strscpy(), but with a formatted string, and returning a pointer to th=
e
> > > terminating '\0' (or NULL, on error).
> >=20
> > No.
> >=20
> > Stop this garbage.
> >=20
> > You took my suggestion, and then you messed it up.
> >=20
> > Your version of sprintf_array() is broken. It evaluates 'a' twice.
> > Because unlike ARRAY_SIZE(), your broken ENDOF() macro evaluates the
> > argument.
> >=20
> > And you did it for no reason I can see. You said that you wanted to
> > return the end of the resulting string, but the fact is, not a single
> > user seems to care, and honestly, I think it would be wrong to care.
> > The size of the result is likely the more useful thing, or you could
> > even make these 'void' or something.
> >=20
> > But instead you made the macro be dangerous to use.
> >=20
> > This kind of churn is WRONG. It _looks_ like a cleanup that doesn't
> > change anything, but then it has subtle bugs that will come and bite
> > us later because you did things wrong.
> >=20
> > I'm NAK'ing all of this. This is BAD. Cleanup patches had better be
> > fundamentally correct, not introduce broken "helpers" that will make
> > for really subtle bugs.
> >=20
> > Maybe nobody ever ends up having that first argument with a side
> > effect. MAYBE. It's still very very wrong.
> >=20
> >                 Linus
>=20
> What I am puzzled about is that - if you revise your string APIs -,
> you do not directly go for a safe abstraction that combines length
> and pointer and instead keep using these fragile 80s-style string
> functions and open-coded pointer and size computations that everybody
> gets wrong all the time.
>=20
> String handling could also look like this:
>=20
>=20
> https://godbolt.org/z/dqGz9b4sM
>=20
> and be completely bounds safe.
>=20
> (Note that those function abort() on allocation failure, but this
> is an unfinished demo and also not for kernel use. Also I need to
> rewrite this using string views.)
>=20

And *if* you want functions that manipulate buffers, why not pass
a pointer to the buffer instead of to its first element to not loose
the type information.

int foo(size_t s, char (*p)[s]);

char buf[10;
foo(ARRAY_SIZE(buf), &buf);

may look slightly unusual but is a lot safer than

int foo(char *buf, size_t len);

char buf[10];
foo(buf, ARRAY_SIZE(buf);

and - once you are used to it - also more logical because why would
you pass a pointer to part of an object to a function that is supposed
to work on the complete object.

Martin