Re: [PATCH 3/6] string: Introduce strtostr() for safe and performance string copies
From: André Almeida
Date: Mon May 18 2026 - 10:52:35 EST
Hi David, thanks for the feedback!
Em 17/05/2026 18:34, David Laight escreveu:
On Sun, 17 May 2026 15:36:13 -0300[...]>> +/**
André Almeida <andrealmeid@xxxxxxxxxx> wrote:
Some parts of the kernel uses memcpy() instead of strscpy() because they
are performance sensitive and doesn't care about the return value of
strscpy(). One such common case is to copy current->comm to a different
buffer.
As the command name is guaranteed to be NUL-terminated in the range of
TASK_COMM_LEN, this is safe enough and doesn't create unterminated
strings. However, in order to expand the size of current->comm, this
expectation will be broken and those memcpy() could create such strings
without trailing NUL byte.
In order to support a fast and safe string copy, create strtostr(), to copy
a NUL-terminated string to a new string buffer. If the destination buffer
is bigger than the source, no pad is applied, but the string is
NUL-terminated. If the destination buffer is smaller, the string is
truncated. The last byte of the destination is always set to NUL for safety.
Signed-off-by: André Almeida <andrealmeid@xxxxxxxxxx>
---
+ * strtostr - Copy NUL-terminanted string to NUL-terminate string
+ *
+ * @dest: Pointer of destination string
+ * @src: Pointer to NUL-terminates string
+ *
+ * This is a replacement for strcpy() where the caller doesn't care about the
+ * return value and if the string is going to be truncated, albeit it needs
+ * to mark sure that it will be NUL-terminated. Intended for performance
+ * sensitive cases, such as tracing.
If you care about performance, and the destination isn't smaller (especially
if the sizes are the same) then just use memcpy().
The problem is that as I'm expanding current->comm, the source buffer might be bigger than destination, and when we truncate the string, it won't have the termination NUL byte. So we need an extra dest[len-1] = \0 after the memcpy.
+ *
+ * If the destination is bigger than the source, no padding happens. It it's
+ * smaller the strings gets truncated.
+ *
+ * Both arguments needs to be arrays with lengths discoverable by the compiler.
+ */
+#define strtostr(dest, src) do { \
+ const size_t _dest_len = __must_be_cstr(dest) + \
+ ARRAY_SIZE(dest); \
+ const size_t _src_len = __must_be_cstr(src) + \
+ __builtin_object_size(src, 1); \
+ \
+ BUILD_BUG_ON(!__builtin_constant_p(_dest_len) || \
+ _dest_len == (size_t)-1); \
+ memcpy(dest, src, strnlen(src, min(_src_len, _dest_len))); \
+ dest[_dest_len - 1] = '\0'; \
+} while (0)
That doesn't work (for all sorts of reasons).
_dest_len can be the size of a pointer - no array check.
You need to use __is_array() and sizeof () for both dest and src.
You might have meant to check that _src_len is constant, not _dest_len.
You must not leave the destination unterminated.
__builtin_object_size(x->y,1) is also entirely useless!
If you have a pointer to a structure that ends in an array then the
object size of that array is SIZE_MAX (as if the array continues past
the end of the structure).
See https://godbolt.org/z/csenjfvxe (which I happened to prepare earlier today).
__builtin_object_size(x->y,0) also seems to always return SIZE_MAX.
You do get a sane answer for (x->y,3) on recent clang - but nowhere else.
Oops, you are right, thanks for pointing that out. This is how it would look like checking that both args are arrays and using sizeof to get their length, if it sounds good I can apply for the v2:
#define strtostr(dest, src) do { \
const size_t _dest_len = __must_be_array(dest) + \
sizeof(dest); \
const size_t _src_len = __must_be_array(src) + \
sizeof(src); \
\
BUILD_BUG_ON(!__builtin_constant_p(_dest_len) || \
_dest_len == (size_t)-1); \
memcpy(dest, src, min(_src_len, _dest_len))); \
dest[_dest_len - 1] = '\0'; \
} while (0)
-- David