From: Yumei Huang
Date: Fri, 17 Oct 2025 10:11:21 +0800
Subject: Re: [PATCH v4 2/4] util: Introduce read_file() and read_file_integer() function
To: David Gibson
CC: Stefano Brivio, passt-dev@passt.top
List-Id: Development discussion and patches for passt

On Fri, Oct 17, 2025 at 7:16 AM David Gibson wrote:
>
> On Fri, Oct 17, 2025 at 12:22:14AM +0200, Stefano Brivio wrote:
> > On Thu, 16 Oct 2025 15:49:39 +0800
> > Yumei Huang wrote:
> >
> > > On Thu, Oct 16, 2025 at 2:30 PM David Gibson
> > > wrote:
> > > >
> > > > On Thu, Oct 16, 2025 at 10:34:21AM +0800, Yumei Huang wrote:
> > > > > Signed-off-by: Yumei Huang > [snip] > > > > > + if (total_read =3D=3D buf_size) { > > > > > + warn_perror("File %s truncated, buffer too small", = path); > > > > > + return -2; > > > > > + } > > > > > + > > > > > + buf[total_read] =3D '\0'; > > > > > + > > > > > + return (int)total_read; > > > > > > > > Probably makes more sense for total_read and the return type to be = ssize_t. > > > > > > Just tried to be consistent with write_file(). I can change it to > > > ssize_t if needed. > > > > ssize_t is the type designed for this, if write_file() has it wrong (I > > didn't check), we should fix that as well. > > It does, and we should :). Checked write_file(), seems the return value is not the same to read_file(). It returns 0 or 1 depending on success or failure. So int works fine here. I will update read_file() only. > > > > > > +} > > > > > + > > > > > +/** > > > > > + * read_file_integer() - Read an integer value from a file > > > > > + * @path: File to read > > > > > + * @fallback: Default value if file can't be read > > > > > + * > > > > > + * Return: Integer value, fallback on failure > > > > > +*/ > > > > > +intmax_t read_file_integer(const char *path, intmax_t fallback) > > > > > +{ > > > > > + char buf[INTMAX_STRLEN]; > > > > > + char *end; > > > > > > > > passt coding style is to list (where possible) local variables in > > > > reverse order of line length, so this should go after bytes_read. > > > > > > Oh, I didn't notice that. Will update later. > > > > Rationale (added to my further list for CONTRIBUTING.md): > > > > https://hisham.hm/2018/06/16/when-listing-repeated-things-make-pyrami= ds/ > > > > and see also https://lwn.net/Articles/758552/. > > If you want to update CONTRIBUTING.md to cover this, Yumei, that would > be much appreciated. Sure, will do it. 
> > > > > > + intmax_t value; > > > > > + int bytes_read; > > > > > + > > > > > + bytes_read =3D read_file(path, buf, sizeof(buf)); > > > > > + > > > > > + if (bytes_read < 0) > > > > > + return fallback; > > > > > + > > > > > + if (bytes_read =3D=3D 0) { > > > > > + debug("Empty file %s", path); > > > > > + return fallback; > > > > > + } > > > > > + > > > > > + errno =3D 0; > > > > > + value =3D strtoimax(buf, &end, 10); > > > > > + if (*end && *end !=3D '\n') { > > > > > + debug("Invalid format in %s", path); > > > > > + return fallback; > > > > > + } > > > > > + if (errno) { > > > > > + debug("Invalid value in %s: %s", path, buf); > > > > > + return fallback; > > > > > + } > > > > > + > > > > > + return value; > > > > > +} > > > > > + > > > > > #ifdef __ia64__ > > > > > /* Needed by do_clone() below: glibc doesn't export the prototyp= e of __clone2(), > > > > > * use the description from clone(2). > > > > > diff --git a/util.h b/util.h > > > > > index 22eaac5..887d795 100644 > > > > > --- a/util.h > > > > > +++ b/util.h > > > > > @@ -222,6 +222,8 @@ void pidfile_write(int fd, pid_t pid); > > > > > int __daemon(int pidfile_fd, int devnull_fd); > > > > > int fls(unsigned long x); > > > > > int write_file(const char *path, const char *buf); > > > > > +int read_file(const char *path, char *buf, size_t buf_size); > > > > > +intmax_t read_file_integer(const char *path, intmax_t fallback); > > > > > int write_all_buf(int fd, const void *buf, size_t len); > > > > > int write_remainder(int fd, const struct iovec *iov, size_t iovc= nt, size_t skip); > > > > > int read_all_buf(int fd, void *buf, size_t len); 
> > > > > @@ -249,6 +251,7 @@ static inline const char *af_name(sa_family_t= af) > > > > > } > > > > > > > > > > #define UINT16_STRLEN (sizeof("65535")) > > > > > +#define INTMAX_STRLEN (sizeof("-92233720368547758= 08")) > > > > > > > > It's correct for now, and probably for any systems we're likely to = run > > > > on, but I dislike hard-assuming the size of intmax_t here. I feel > > > > like there must be a better way to derive the correct string length= , > > > > but I haven't figured out what it is yet :(. > > > > > > How about this: > > > > > > #define INTMAX_STRLEN (sizeof(intmax_t) * 3 + 2) > > > > > > Each byte can represent about 2.4 decimal digits as below, > > > sizeof(intmax_t) * 3 gives us a safe upper bound, +2 for sign and nul= l > > > terminator. > > > > > > 1 bit =3D log=E2=82=81=E2=82=80(2) =E2=89=88 0.30103 decimal digits > > > 1 byte =3D 8 bits =3D 8 =C3=97 0.30103 =E2=89=88 2.408 decimal digi= ts > > Works for me. > > > If it's sourced from https://stackoverflow.com/a/10536254 and comment, > > don't forget to mention that in whatever implementation / commit > > message. Actually, it's a suggestion from Claude and I double checked the logic and = math. Maybe I should mention Claude and the logic in the commit message instead? > > Good point. > > > But I was thinking... what if we keep it much simpler, use BUFSIZ, and > > error out if the buffer is too small? It would be good to be robust > > against any potential kernel issue anyway, so I think we need a > > mechanism like that in any case. > > It already handles the case where the buffer isn't big enough (in > read_file()). We could use BUFSIZ, but it's massive overkill for > reading a single integer: 8192 versus ~21 bytes (or ~42 bytes if > intmax_t were 128-bit). > > > It's not a security matter, because if the kernel was compromised, > > we're compromised too, simply a matter of robustness. 
> >
> > --
> > Stefano
> >
>
> --
> David Gibson (he or they)      | I'll have my music baroque, and my code
> david AT gibson.dropbear.id.au | minimalist, thank you, not the other way
>                                | around.
> http://www.ozlabs.org/~dgibson

--
Thanks,

Yumei Huang
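
Review bot: the truncation branch at the end of read_file() (`if (total_read == buf_size)`) reports through warn_perror(), but no call has failed at that point, so any errno text attached to "File %s truncated, buffer too small" is unrelated to the truncation. A plain warning without the errno suffix would be less misleading here. If the return type moves to ssize_t as discussed, the `(int)total_read` cast, the prototype in util.h and `int bytes_read` in read_file_integer() need to change together.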
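
Review bot: in read_file_integer(), the check after strtoimax() (`if (*end && *end != '\n')`) never tests whether any digits were consumed, so a file holding only a newline leaves end equal to buf, passes the check and returns 0 instead of fallback. Suggest returning fallback when `end == buf`, and also rejecting anything that follows the first '\n', since content such as "12\nabc" is currently accepted as 12.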
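
Review bot: INTMAX_STRLEN in util.h, defined as sizeof("-9223372036854775808"), leaves no room for a trailing newline. With a 64-bit intmax_t, a file holding the most negative value followed by '\n' is 21 bytes, which fills the 21-byte buf in read_file_integer() and takes the `total_read == buf_size` truncation path in read_file(), so a valid value yields fallback. Suggest sizing the buffer for sign, digits, newline and NUL, and stating that breakdown in a comment next to the define.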
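
The bound proposed in the thread, sizeof(intmax_t) * 3 + 2, checked against exact string lengths. This is an added example, not code from the patch or from passt; bound_strlen(), exact_strlen() and intmax_min_strlen() are hypothetical helper names. It goes beyond the 64-bit case by computing the exact buffer size for two's complement integers of 1 to 16 bytes.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bound proposed in the thread, for an integer type of 'bytes' bytes */
static size_t bound_strlen(size_t bytes)
{
	return bytes * 3 + 2;	/* 3 digits per byte, plus sign and NUL */
}

/* Exact buffer size (sign, digits, NUL) for -2^(8 * bytes - 1), the most
 * negative two's complement value; the power of two is built by doubling
 * a little-endian array of decimal digits. Returns 0 if out of range. */
static size_t exact_strlen(size_t bytes)
{
	unsigned char digits[64] = { 1 };	/* starts at value 1 */
	size_t ndigits = 1, bit, i;

	if (bytes == 0 || bytes > 16)		/* array sized for 16 bytes */
		return 0;
	for (bit = 0; bit < 8 * bytes - 1; bit++) {
		unsigned carry = 0;

		for (i = 0; i < ndigits; i++) {
			unsigned d = digits[i] * 2u + carry;

			digits[i] = d % 10;
			carry = d / 10;
		}
		if (carry)
			digits[ndigits++] = carry;
	}
	return 1 + ndigits + 1;
}

/* Same figure for the real intmax_t, taken from the C library */
static size_t intmax_min_strlen(void)
{
	return (size_t)snprintf(NULL, 0, "%" PRIdMAX, INTMAX_MIN) + 1;
}

int main(void)
{
	size_t bytes;

	for (bytes = 1; bytes <= 16; bytes *= 2)
		printf("%2zu bytes: exact %2zu, bound %2zu\n", bytes,
		       exact_strlen(bytes), bound_strlen(bytes));
	printf("intmax_t needs %zu bytes\n", intmax_min_strlen());
	return 0;
}
```

At one byte the bound is exact (5 bytes for "-128"), so it has no spare room for the trailing newline that read_file_integer() tolerates; at 8 bytes it leaves 5 bytes of slack.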