[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <202310270847.87B9B46EE@keescook>
Date: Fri, 27 Oct 2023 08:49:28 -0700
From: Kees Cook <keescook@...omium.org>
To: Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
Cc: Steven Rostedt <rostedt@...dmis.org>,
"Matthew Wilcox (Oracle)" <willy@...radead.org>,
Christoph Hellwig <hch@....de>,
Justin Stitt <justinstitt@...gle.com>,
Kent Overstreet <kent.overstreet@...ux.dev>,
Petr Mladek <pmladek@...e.com>,
Rasmus Villemoes <linux@...musvillemoes.dk>,
Sergey Senozhatsky <senozhatsky@...omium.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Arnd Bergmann <arnd@...db.de>,
Jonathan Corbet <corbet@....net>,
Yun Zhou <yun.zhou@...driver.com>,
Jacob Keller <jacob.e.keller@...el.com>,
Zhen Lei <thunder.leizhen@...wei.com>,
linux-trace-kernel@...r.kernel.org,
Yosry Ahmed <yosryahmed@...gle.com>,
linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH v2] seq_buf: Introduce DECLARE_SEQ_BUF and seq_buf_str()
On Thu, Oct 26, 2023 at 11:20:15PM +0300, Andy Shevchenko wrote:
> On Thu, Oct 26, 2023 at 12:40:37PM -0700, Kees Cook wrote:
> > Solve two ergonomic issues with struct seq_buf;
> >
> > 1) Too much boilerplate is required to initialize:
> >
> > struct seq_buf s;
> > char buf[32];
> >
> > seq_buf_init(s, buf, sizeof(buf));
> >
> > Instead, we can build this directly on the stack. Provide
> > DECLARE_SEQ_BUF() macro to do this:
> >
> > DECLARE_SEQ_BUF(s, 32);
> >
> > 2) %NUL termination is fragile and requires 2 steps to get a valid
> > C String (and is a layering violation exposing the "internals" of
> > seq_buf):
> >
> > seq_buf_terminate(s);
> > do_something(s->buffer);
> >
> > Instead, we can just return s->buffer direction after terminating it
> > in refactored seq_buf_terminate(), now known as seq_buf_str():
> >
> > do_soemthing(seq_buf_str(s));
>
> ...
>
> > +#define DECLARE_SEQ_BUF(NAME, SIZE) \
> > + char __ ## NAME ## _buffer[SIZE] = ""; \
> > + struct seq_buf NAME = { .buffer = &__ ## NAME ## _buffer, \
> > + .size = SIZE }
>
> Hmm... Wouldn't be more readable to have it as
>
> #define DECLARE_SEQ_BUF(NAME, SIZE) \
> char __ ## NAME ## _buffer[SIZE] = ""; \
> struct seq_buf NAME = { \
> .buffer = &__ ## NAME ## _buffer, \
> .size = SIZE, \
> }
>
> ?
Yes, I don't know why I did it the smooshed way. Fixed for v3.
> > +static inline char *seq_buf_str(struct seq_buf *s)
> > {
> > if (WARN_ON(s->size == 0))
> > - return;
> > + return "";
>
> I'm wondering why it's a problem to have an empty string?
Well, it's a pathological case where "size" is 0 -- it shouldn't happen
(hence the warn), but it's more robust to return an empty .data string
pointer than a NULL s->buffer or an s->buffer that isn't intended to be
used (i.e. the size == 0).
--
Kees Cook
Powered by blists - more mailing lists