From: Ingo Molnar <mingo@kernel.org>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Peter Zijlstra <a.p.zijlstra@chello.nl>,
Ingo Molnar <mingo@redhat.com>,
linux-kernel@vger.kernel.org, adrian.hunter@intel.com,
Arnaldo Carvalho de Melo <acme@infradead.org>,
Vince Weaver <vince@deater.net>,
Stephane Eranian <eranian@google.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
Borislav Petkov <bp@alien8.de>, "H. Peter Anvin" <hpa@zytor.com>
Subject: Re: [PATCH v2 0/6] perf: Introduce extended syscall error reporting
Date: Wed, 26 Aug 2015 06:49:48 +0200 [thread overview]
Message-ID: <20150826044948.GC14584@gmail.com> (raw)
In-Reply-To: <1440497981.2192.39.camel@sipsolutions.net>
* Johannes Berg <johannes@sipsolutions.net> wrote:
> On Tue, 2015-08-25 at 12:07 +0200, Ingo Molnar wrote:
> > Having a separate syscall has two (big!) appeals:
> >
> > - we wouldn't have to touch existing system calls at all.
> >
> > - extended error reporting would be available for any system call that opts to
> > use it. (The current scheme as submitted is only available to system calls
> > using the perf-style flexible attribute ABI.)
>
> Yeah, I agree this is nice. However, more generally, I think we need to
> actually think more about the module problem then since while syscalls
> can't be implemented in modules (I think) they can still end up calling
> into modules.
>
> Of course a first iteration could be exactly like what Alexander
> posted.
>
> The other issue with this is namespacing - can all syscalls, and
> everything that eventually gets called, really use a single error code
> namespace with its 3k limit? [...]
No, the current MAX_ERRNO is probably not big enough if this scheme is successful,
and I don't see any reason why it wouldn't be successful: I think this feature
would be the biggest usability feature added to Linux system calls and to Linux
system tooling in the last 10 years or so.
> [...] On the one hand I'm thinking "3k strings are so big ... we don't want
> more", but on the other hand all kinds of drivers etc. might start getting
> annotations?
We could extend it with some arch work. The per arch work involves making sure
there's no valid kernel address at [-MAX_ERRNO...-1].
So I wouldn't worry about it too much, let's agree on a good ABI and let's just
start using it, and if we grow out of -4K we can extend things step by step.
> > Ok. So assuming we can make a 1:1 mapping between the 'extended error code'
> > integer space and the message:owner strings, it would be enough for netlink to
> > pass along the integer code itself, not the full strings?
>
> Considering that this would likely have to be opt-in at the netlink level (e.g.
> through a flag in the request message), perhaps. I'd say it'd still be easier
> for the message to carry the intended error code (e.g. -EINVAL) and the actual
> message in the ACK message [where requested]. That way, applications that
> actually behave depending on the error code can far more easily be extended.
Ok. I think we should include the extended error code as well, in case an app
wants to pass it to some more generic library.
> > That would simplify things and make the scheme more robust from a security POV
> > I suspect.
>
> You could also argue the other way around, in that being able to look up (from
> userspace) arbitrary extended error IDs, even those that haven't ever been used,
> could be an information leak of sorts.
The fact is that kernel<->tooling error reporting sucks big time here and today,
in large part due to errno limitations, and arguing that it's somehow helping
security is the Stockholm Syndrome at its best.
> > So my hope would be that we can represent this all with a single 'large' error
> > code integer space. That integer would be constant and translateable (as long
> > as the module is loaded).
>
> Ok, I wasn't really what I was assuming. As I said above, on the one
> hand I agree, but on the other I'm looking at the reality of a few
> hundred (!) -EINVAL callsites in net/wireless/nl80211.c alone, so
> having an overall 3k limit seems somewhat low.
Agreed - but it's not a hard limit really.
> > That way the error passing mechanism wouldn't have to be specifically
> > module-aware - during build we generate the integer space, with all possible
> > modules considered.
>
> That would be no improvement for me as I work heavily with (upstream) modules
> that are compiled out-of-tree, so I'm not all inclined to spend much time on it
> if that ends up being the solution ;)
Perhaps, as long as the number allocation is dynamic and non-ABI there's no reason
why this couldn't be added later on.
Thanks,
Ingo
next prev parent reply other threads:[~2015-08-26 4:49 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-08-24 14:32 [PATCH v2 0/6] perf: Introduce extended syscall error reporting Alexander Shishkin
2015-08-24 14:32 ` [PATCH v2 1/6] " Alexander Shishkin
2015-08-31 18:47 ` Andy Shevchenko
2015-09-01 6:38 ` Alexander Shishkin
2015-08-24 14:32 ` [PATCH v2 2/6] perf: Add file name and line number to perf extended error reports Alexander Shishkin
2015-08-24 14:32 ` [PATCH v2 3/6] perf: Annotate some of the error codes with perf_err() Alexander Shishkin
2015-08-24 14:32 ` [PATCH v2 4/6] perf/x86: " Alexander Shishkin
2015-08-24 14:32 ` [PATCH v2 5/6] perf/x86/intel/pt: Use extended error reporting in event initialization Alexander Shishkin
2015-08-24 14:33 ` [PATCH v2 6/6] perf/x86/intel/bts: " Alexander Shishkin
2015-08-25 8:22 ` [PATCH v2 0/6] perf: Introduce extended syscall error reporting Ingo Molnar
2015-08-25 8:52 ` Johannes Berg
2015-08-25 9:02 ` Ingo Molnar
2015-08-25 9:17 ` Ingo Molnar
2015-08-25 9:34 ` Johannes Berg
2015-08-25 10:07 ` Ingo Molnar
2015-08-25 10:19 ` Johannes Berg
2015-08-26 4:49 ` Ingo Molnar [this message]
[not found] ` <CA+55aFw--OFczoY=v17+e2-Q3O0GXnMKRuwzpYpB2qKBpZo=fw@mail.gmail.com>
2015-08-26 7:02 ` Ingo Molnar
2015-08-26 7:06 ` Johannes Berg
2015-08-26 7:20 ` Ingo Molnar
2015-08-26 7:26 ` Ingo Molnar
2015-08-26 16:56 ` Alexander Shishkin
2015-08-26 20:58 ` Arnaldo Carvalho de Melo
2015-09-11 16:11 ` Alexander Shishkin
2015-08-26 18:41 ` Andrew Morton
2015-08-26 20:05 ` Peter Zijlstra
2015-08-26 20:22 ` Andrew Morton
2015-08-26 20:50 ` Vince Weaver
2015-08-26 20:56 ` Andrew Morton
2015-08-26 21:14 ` Vince Weaver
2015-08-28 10:07 ` Ingo Molnar
2015-08-26 21:04 ` Arnaldo Carvalho de Melo
2015-08-26 7:36 ` Johannes Berg
2015-08-26 11:37 ` Alexander Shishkin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150826044948.GC14584@gmail.com \
--to=mingo@kernel.org \
--cc=a.p.zijlstra@chello.nl \
--cc=acme@infradead.org \
--cc=adrian.hunter@intel.com \
--cc=akpm@linux-foundation.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=bp@alien8.de \
--cc=eranian@google.com \
--cc=hpa@zytor.com \
--cc=johannes@sipsolutions.net \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=vince@deater.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.