[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130914021755.GY13318@ZenIV.linux.org.uk>
Date: Sat, 14 Sep 2013 03:17:56 +0100
From: Al Viro <viro@...IV.linux.org.uk>
To: Kees Cook <keescook@...omium.org>
Cc: Joe Perches <joe@...ches.com>, George Spelvin <linux@...izon.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Dan Carpenter <dan.carpenter@...cle.com>,
"David S. Miller" <davem@...emloft.net>,
Eldad Zack <eldad@...refinery.com>,
Jan Beulich <jbeulich@...e.com>, Jiri Kosina <jkosina@...e.cz>,
LKML <linux-kernel@...r.kernel.org>,
Randy Dunlap <rdunlap@...radead.org>,
Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
Subject: Re: [PATCH] vsprintf: drop comment claiming %n is ignored
On Fri, Sep 13, 2013 at 04:03:25PM -0700, Kees Cook wrote:
> Maybe I missed this somewhere in the thread, but I'm not sure I
> understand the move to "void". Here's what I see, please correct me:
>
> 1- seq_printf currently returns success/failure
> 2- some callers of seq_printf (correctly) use the return value as
> success/failure indication
Not all uses as success/failure are right, at that - you should *NOT*
return non-zero from ->show() on overflow. Ever. It should only
happen when you have a hard error and do *not* want the operation
retried. On success ->show() returns zero - not the number of characters
written or anything like that.
> 3- some callers of seq_printf (incorrectly) use the return value as a
> length indication
> 4- both success/failure and length are important outputs from seq_printf
Not really. Success/failure is used if you want to optimize ->show() a bit;
usually you don't. Again, failure == overflow and it's both rare *and*
will cause all subsequent seq_...() to be no-ops until the retry. Which
retry will follow. Shortly.
> 5- we need a way to access the length written during the call
_Very_ rarely. And I'd seriously suggest the use of %n in such cases.
> 6- want to minimize impact on the code base
Majority of the code base simply calls seq_printf() without caring what
it returns. Very small minority is broken and needs to be fixed.
> Due to 1 and 2, it seems like there's no sense in changing the return
> value to void. Success/failure is already returned, and there are
> users of it. No sense changing them.
... most of them incorrect.
> The normal way to handle multiple return values (4 and 5) is to add a
> pointer argument. For example: seq_printf(s, &len, fmt, args...) where
> len can be NULL. But this runs against 6.
>
> Due to 6, to solve 4 and 5, usually macro or inline tricks are used,
> for example:
>
> __printf(3, 4) int seq_printf_len(struct seq_file *, size_t *len, ...);
> #define seq_printf(s, fmt, ...) seq_printf_len(s, NULL, fmt, ##__VA_ARGS__)
>
> With this, solving 3 becomes possible (your void patch has already
> detected all the users of the return value, so we can sort out which
> expect length and which expect success/failure), and lets us actually
> remove the %n uses trivially too.
Consider that NAKed. Reason: fucking ugly and pointless at the same time.
I don't believe that seq_printf() itself needs to be changed at all (or that
%n should be removed, actually). Callers should be audited and fixed, of
course. With dire warnings added to seq_file.[ch]. And no, it shouldn't
be returning void - the current calling conventions are actually right.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists