Date: Thu, 10 Jul 2025 23:30:37 +0200
From: Alejandro Colomar
To: linux-mm@kvack.org, linux-hardening@vger.kernel.org
Cc: Alejandro Colomar, Kees Cook, Christopher Bazley, shadow <~hallyn/shadow@lists.sr.ht>, linux-kernel@vger.kernel.org, Andrew Morton, kasan-dev@googlegroups.com, Dmitry Vyukov, Alexander Potapenko, Marco Elver, Christoph Lameter, David Rientjes, Vlastimil Babka, Roman Gushchin,
    Harry Yoo, Andrew Clayton, Rasmus Villemoes, Michal Hocko, Linus Torvalds, Al Viro, Martin Uecker, Sam James, Andrew Pinski
Subject: [RFC v5 0/7] Add and use sprintf_{end,array}() instead of less ergonomic APIs

Hi,

Changes in v5:

-  Minor fix in commit message.
-  Rename [V]SPRINTF_END() => [v]sprintf_array(), keeping the
   implementation.

Remaining questions:

-  There are only 3 remaining calls to snprintf(3) under mm/.  They are
   just fine for now, which is why I didn't replace them.  If anyone
   wants to replace them, to get rid of all snprintf(3), we could do
   that.  I think for now we can leave them, to minimize the churn.

    $ grep -rnI snprintf mm/
    mm/hugetlb_cgroup.c:674: snprintf(buf, size, "%luGB", hsize / SZ_1G);
    mm/hugetlb_cgroup.c:676: snprintf(buf, size, "%luMB", hsize / SZ_1M);
    mm/hugetlb_cgroup.c:678: snprintf(buf, size, "%luKB", hsize / SZ_1K);

-  There are only 2 remaining calls to the kernel's scnprintf().  This
   one I would really like to get rid of.
   Also, those calls are quite suspicious of not being what we want.
   Please do have a look at them and confirm what's the appropriate
   behavior in the 2 cases when the string is truncated or not copied at
   all.  That code is very scary for me to try to guess.

    $ grep -rnI scnprintf mm/
    mm/kfence/report.c:75: int len = scnprintf(buf, sizeof(buf), "%ps", (void *)stack_entries[skipnr]);
    mm/kfence/kfence_test.mod.c:22: { 0x96848186, "scnprintf" },
    mm/kmsan/report.c:42: len = scnprintf(buf, sizeof(buf), "%ps",

   Apart from two calls, I see a string literal with that name.  Please
   let me know if I should do anything about it.  I don't know what that
   is.

-  I think we should remove one error handling check in
   "mm/page_owner.c" (marked with an XXX comment), but I'm not 100%
   sure.  Please confirm.

Other comments:

-  This is still not complying to coding style.  I'll keep it like that
   while questions remain open.

-  I've tested the tests under CONFIG_KFENCE_KUNIT_TEST=y, and this has
   no regressions at all.

-  With the current style of the sprintf_end() prototype, this triggers
   a diagnostic due to a GCC bug:

   It would be interesting to ask GCC to fix that bug.  (Added relevant
   GCC maintainers and contributors to CC in this cover letter.)

For anyone new to the thread, sprintf_end() will be proposed for
standardization soon as seprintf():

Have a lovely night!
Alex

Alejandro Colomar (7):
  vsprintf: Add [v]sprintf_end()
  stacktrace, stackdepot: Add sprintf_end()-like variants of functions
  mm: Use sprintf_end() instead of less ergonomic APIs
  array_size.h: Add ENDOF()
  mm: Fix benign off-by-one bugs
  sprintf: Add [v]sprintf_array()
  mm: Use [v]sprintf_array() to avoid specifying the array size

 include/linux/array_size.h |  6 ++++
 include/linux/sprintf.h    |  6 ++++
 include/linux/stackdepot.h | 13 +++++++++
 include/linux/stacktrace.h |  3 ++
 kernel/stacktrace.c        | 28 ++++++++++++++++++
 lib/stackdepot.c           | 13 +++++++++
 lib/vsprintf.c             | 59 ++++++++++++++++++++++++++++++++++++++
 mm/backing-dev.c           |  2 +-
 mm/cma.c                   |  4 +--
 mm/cma_debug.c             |  2 +-
 mm/hugetlb.c               |  3 +-
 mm/hugetlb_cgroup.c        |  2 +-
 mm/hugetlb_cma.c           |  2 +-
 mm/kasan/report.c          |  3 +-
 mm/kfence/kfence_test.c    | 28 +++++++++---------
 mm/kmsan/kmsan_test.c      |  6 ++--
 mm/memblock.c              |  4 +--
 mm/mempolicy.c             | 18 ++++++------
 mm/page_owner.c            | 32 +++++++++++----------
 mm/percpu.c                |  2 +-
 mm/shrinker_debug.c        |  2 +-
 mm/slub.c                  |  5 ++--
 mm/zswap.c                 |  2 +-
 23 files changed, 187 insertions(+), 58 deletions(-)

Range-diff against v4: 1: 2c4f793de0b8 = 1: 2c4f793de0b8 vsprintf: Add [v]sprintf_end() 2: 894d02b08056 = 2: 894d02b08056 stacktrace, stackdepot: Add sprintf_end()-like variants of functions 3: 690ed4d22f57 = 3: 690ed4d22f57 mm: Use sprintf_end() instead of less ergonomic APIs 4: e05c5afabb3c = 4: e05c5afabb3c array_size.h: Add ENDOF() 5: 44a5cfc82acf ! 5: 515445ae064d mm: Fix benign off-by-one bugs @@ Commit message We were wasting a byte due to an off-by-one bug. s[c]nprintf() doesn't write more than $2 bytes including the null byte, so trying to - pass 'size-1' there is wasting one byte. Now that we use seprintf(), - the situation isn't different: seprintf() will stop writing *before* + pass 'size-1' there is wasting one byte. 
Now that we use sprintf_end(), + the situation isn't different: sprintf_end() will stop writing *before* 'end' --that is, at most the terminating null byte will be written at 'end-1'--. 6: 0314948eb225 ! 6: 04c1e026a67f sprintf: Add [V]SPRINTF_END() @@ Metadata Author: Alejandro Colomar ## Commit message ## - sprintf: Add [V]SPRINTF_END() + sprintf: Add [v]sprintf_array() These macros take the end of the array argument implicitly to avoid programmer mistakes. This guarantees that the input is an array, unlike @@ include/linux/sprintf.h #include +#include + -+#define SPRINTF_END(a, fmt, ...) sprintf_end(a, ENDOF(a), fmt, ##__VA_ARGS__) -+#define VSPRINTF_END(a, fmt, ap) vsprintf_end(a, ENDOF(a), fmt, ap) ++#define sprintf_array(a, fmt, ...) sprintf_end(a, ENDOF(a), fmt, ##__VA_ARGS__) ++#define vsprintf_array(a, fmt, ap) vsprintf_end(a, ENDOF(a), fmt, ap) int num_to_str(char *buf, int size, unsigned long long num, unsigned int width); 7: f99632f42eee ! 7: e53d87e684ef mm: Use [V]SPRINTF_END() to avoid specifying the array size @@ Metadata Author: Alejandro Colomar ## Commit message ## - mm: Use [V]SPRINTF_END() to avoid specifying the array size + mm: Use [v]sprintf_array() to avoid specifying the array size Cc: Rasmus Villemoes Cc: Marco Elver @@ mm/backing-dev.c: int bdi_register_va(struct backing_dev_info *bdi, const char * return 0; - vsnprintf(bdi->dev_name, sizeof(bdi->dev_name), fmt, args); -+ VSPRINTF_END(bdi->dev_name, fmt, args); ++ vsprintf_array(bdi->dev_name, fmt, args); dev = device_create(&bdi_class, NULL, MKDEV(0, 0), bdi, bdi->dev_name); if (IS_ERR(dev)) return PTR_ERR(dev); @@ mm/cma.c: static int __init cma_new_area(const char *name, phys_addr_t size, if (name) - snprintf(cma->name, CMA_MAX_NAME, "%s", name); -+ SPRINTF_END(cma->name, "%s", name); ++ sprintf_array(cma->name, "%s", name); else - snprintf(cma->name, CMA_MAX_NAME, "cma%d\n", cma_area_count); -+ SPRINTF_END(cma->name, "cma%d\n", cma_area_count); ++ sprintf_array(cma->name, "cma%d\n", 
cma_area_count); cma->available_count = cma->count = size >> PAGE_SHIFT; cma->order_per_bit = order_per_bit; @@ mm/cma_debug.c: static void cma_debugfs_add_one(struct cma *cma, struct dentry * for (r = 0; r < cma->nranges; r++) { cmr = &cma->ranges[r]; - snprintf(rdirname, sizeof(rdirname), "%d", r); -+ SPRINTF_END(rdirname, "%d", r); ++ sprintf_array(rdirname, "%d", r); dir = debugfs_create_dir(rdirname, rangedir); debugfs_create_file("base_pfn", 0444, dir, &cmr->base_pfn, &cma_debugfs_fops); @@ mm/hugetlb.c: void __init hugetlb_add_hstate(unsigned int order) INIT_LIST_HEAD(&h->hugepage_activelist); - snprintf(h->name, HSTATE_NAME_LEN, "hugepages-%lukB", - huge_page_size(h)/SZ_1K); -+ SPRINTF_END(h->name, "hugepages-%lukB", huge_page_size(h)/SZ_1K); ++ sprintf_array(h->name, "hugepages-%lukB", huge_page_size(h)/SZ_1K); parsed_hstate = h; } @@ mm/hugetlb_cgroup.c: hugetlb_cgroup_cfttypes_init(struct hstate *h, struct cftyp *cft = *tmpl; /* rebuild the name */ - snprintf(cft->name, MAX_CFTYPE_NAME, "%s.%s", buf, tmpl->name); -+ SPRINTF_END(cft->name, "%s.%s", buf, tmpl->name); ++ sprintf_array(cft->name, "%s.%s", buf, tmpl->name); /* rebuild the private */ cft->private = MEMFILE_PRIVATE(idx, tmpl->private); /* rebuild the file_offset */ @@ mm/hugetlb_cma.c: void __init hugetlb_cma_reserve(int order) size = round_up(size, PAGE_SIZE << order); - snprintf(name, sizeof(name), "hugetlb%d", nid); -+ SPRINTF_END(name, "hugetlb%d", nid); ++ sprintf_array(name, "hugetlb%d", nid); /* * Note that 'order per bit' is based on smallest size that * may be returned to CMA allocator in the case of @@ mm/kasan/report.c: static void print_memory_metadata(const void *addr) - snprintf(buffer, sizeof(buffer), - (i == 0) ? ">%px: " : " %px: ", row); -+ SPRINTF_END(buffer, (i == 0) ? ">%px: " : " %px: ", row); ++ sprintf_array(buffer, (i == 0) ? 
">%px: " : " %px: ", row); /* * We should not pass a shadow pointer to generic @@ mm/memblock.c: static void __init_memblock memblock_dump(struct memblock_type *t #ifdef CONFIG_NUMA if (numa_valid_node(memblock_get_region_node(rgn))) - snprintf(nid_buf, sizeof(nid_buf), " on node %d", -+ SPRINTF_END(nid_buf, " on node %d", ++ sprintf_array(nid_buf, " on node %d", memblock_get_region_node(rgn)); #endif pr_info(" %s[%#x]\t[%pa-%pa], %pa bytes%s flags: %#x\n", @@ mm/memblock.c: int reserve_mem_release_by_name(const char *name) start = phys_to_virt(map->start); end = start + map->size - 1; - snprintf(buf, sizeof(buf), "reserve_mem:%s", name); -+ SPRINTF_END(buf, "reserve_mem:%s", name); ++ sprintf_array(buf, "reserve_mem:%s", name); free_reserved_area(start, end, 0, buf); map->size = 0; @@ mm/percpu.c: int __init pcpu_page_first_chunk(size_t reserved_size, pcpu_fc_cpu_ int nr_g0_units; - snprintf(psize_str, sizeof(psize_str), "%luK", PAGE_SIZE >> 10); -+ SPRINTF_END(psize_str, "%luK", PAGE_SIZE >> 10); ++ sprintf_array(psize_str, "%luK", PAGE_SIZE >> 10); ai = pcpu_build_alloc_info(reserved_size, 0, PAGE_SIZE, NULL); if (IS_ERR(ai)) @@ mm/shrinker_debug.c: int shrinker_debugfs_add(struct shrinker *shrinker) shrinker->debugfs_id = id; - snprintf(buf, sizeof(buf), "%s-%d", shrinker->name, id); -+ SPRINTF_END(buf, "%s-%d", shrinker->name, id); ++ sprintf_array(buf, "%s-%d", shrinker->name, id); /* create debugfs entry */ entry = debugfs_create_dir(buf, shrinker_debugfs_root); @@ mm/zswap.c: static struct zswap_pool *zswap_pool_create(char *type, char *compre /* unique name for each pool specifically required by zsmalloc */ - snprintf(name, 38, "zswap%x", atomic_inc_return(&zswap_pools_count)); -+ SPRINTF_END(name, "zswap%x", atomic_inc_return(&zswap_pools_count)); ++ sprintf_array(name, "zswap%x", atomic_inc_return(&zswap_pools_count)); pool->zpool = zpool_create_pool(type, name, gfp); if (!pool->zpool) { pr_err("%s zpool not available\n", type); -- 2.50.0
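%px: "">

Review bot: in the include/linux/sprintf.h hunk, sprintf_array() and vsprintf_array() expand 'a' twice (once as the destination and once inside ENDOF(a)), and the new lower-case names make them read like ordinary functions at the call site. Please add a short comment above the two #defines saying that 'a' must be an array, not a pointer, and that it is expanded more than once; the commit message mentions the array requirement, but nothing at the definition does.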
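%px: "">

Review bot: in the mm/cma.c hunk, the second call keeps the format "cma%d\n", so the generated area name still ends in a newline; if that is not intended, this conversion is a natural place to drop it, and if it is, the commit message should say it is preserved on purpose. Both calls also stop bounding the write by CMA_MAX_NAME and use the declared size of cma->name instead, so it is worth stating that the two are equal.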
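%px: "">

Review bot: in the mm/zswap.c hunk, the literal bound 38 is replaced by the declared size of 'name', which the hunk does not show. Please confirm in the commit message that 'name' is an array of exactly that size in zswap_pool_create(), or describe the change in the bound if it is not, since a reader of this hunk alone cannot tell whether the limit moved.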
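%px: "">

The wasted byte described in the patch 5/7 commit message and the end-pointer calling style of sprintf_end()/sprintf_array(), as an added userspace example that is not part of the original email or the patch series. The sprintf_end() body, its NULL-on-truncation contract, this simplified ENDOF(), and the helper names len_size_minus_one(), len_sprintf_array() and chain_ok() are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Userspace stand-ins (assumed); this ENDOF() does not reject pointers. */
#define ENDOF(a)  ((a) + sizeof(a) / sizeof((a)[0]))
#define sprintf_array(a, fmt, ...)  sprintf_end(a, ENDOF(a), fmt, ##__VA_ARGS__)

/* Assumed contract: pointer to the NUL written; NULL if p is NULL or on truncation. */
static char *sprintf_end(char *p, const char *end, const char *fmt, ...)
{
	va_list ap;
	int len;
	if (p == NULL)
		return NULL;
	va_start(ap, fmt);
	len = vsnprintf(p, (size_t)(end - p), fmt, ap);
	va_end(ap);
	return (len < 0 || len >= end - p) ? NULL : p + len;
}

/* Pattern removed by patch 5/7: size-1 passed to snprintf() wastes a byte. */
static size_t len_size_minus_one(const char *s)
{
	char buf[8];
	snprintf(buf, sizeof(buf) - 1, "%s", s);
	return strlen(buf);
}

/* Same buffer through sprintf_array(): the whole array is usable. */
static size_t len_sprintf_array(const char *s)
{
	char buf[8];
	sprintf_array(buf, "%s", s);
	return strlen(buf);
}

/* Chained calls: a NULL from a truncated call propagates to the last one. */
static int chain_ok(const char *a, const char *b)
{
	char buf[8], *p = buf;
	p = sprintf_end(p, ENDOF(buf), "%s", a);
	return sprintf_end(p, ENDOF(buf), "%s", b) != NULL;
}

int main(void)
{
	printf("%zu %zu %d\n", len_size_minus_one("1234567"),
	       len_sprintf_array("1234567"), chain_ok("abcd", "1234"));
}
```

With an 8-byte buffer and a 7-character input, the size-1 call keeps 6 characters while the array form keeps all 7, and a chain whose total output does not fit reports failure through the final return value.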