This could maybe just be a single call to copy_to_user here which would avoid the need for the dummy_pos.

Possibly we shouldn't call next if this was a short read (i.e. if (rc < sbuf_len(sbuf)))

Thanks for fixing also that one. I still had in my tree from the debug session but I had caused too much confusion already.

There is data left in the sbuf not copied to ubuf in that case.
If that understanding is correct, I believe we should error and break as I cannot see how the current code could recover from that.
But that leaves the question below then.

If you experience an error in a second or later iteration, rc is negative but we still return a success value.
Does that match the callers expectations to recover/continue/abort?
I think leaving a comment about this (why one takes precedence over the other) would be helpful

This is not right; we come in with a 4k ubuf and a 4k size; we will iterate n times (printing the same thing possibly) until the page is full.
Then we return with a partial read (currently no effect) out of the function with nread=4k.

Then the entire function is called again and again and again and again... I hit ^c when *ppos was 1190.

I believe if sbuf_len < size, we should just break somewhere below before ->next ?

This works because we won't update *ppos when we break here, so the next read() call on the file will start at the item whose description was truncated.

Is there a reason to use the FreeBSD native copyout and not copy_to_user/linux_copyout here?

Because the error handling sucks less in that you get the error back (e.g. for CHERI copyout can return EPROT not just EFAULT). We already use malloc(9) in this file instead of kmalloc().

I originally did use copy_from_user here and had written it as

rc = copy_to_user(ubuf, sbut_data(sbuf), todo);
if (rc != todo)
     return (-EFAULT)

I was asking because linux_copyout has that linux_remap_address() magic before it tries copyout; I don't know why that is there but a direct copyout circumvents it. If that is fine, I am fine. [Y/n]

Hummm, I suspect this will never be used as part of an ioctl request, but perhaps it is better to use copy_to_user after all. Blech.

If you find the time to do this the next days I can still test it again.

Belatedly done.

Sorry for asking, are we going to Blech change this to copy_to_user in the end or not or did you mark them done and forgot to update the review?
If we are not going to do it, this is fine to go in as-is I believe.

I had changed it, but apparently failed to upload it. Hopefully now updated.

Oh, I believe I want to check against zero. IIRC, copy_to_user in Linux returns the number of bytes _not_ read (here I had misremembered it as the number of bytes _read_). I think I prefer rc != 0 as even a theoretical partial transfer should still be treated as a fault.

ACK.