All of lore.kernel.org
 help / color / mirror / Atom feed
From: Sven Schnelle <svens@linux.ibm.com>
To: "H. Peter Anvin" <hpa@zytor.com>
Cc: "Michal Suchánek" <msuchanek@suse.de>,
	"Peter Zijlstra" <peterz@infradead.org>,
	"Thomas Gleixner" <tglx@kernel.org>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Shuah Khan" <skhan@linuxfoundation.org>,
	"Huacai Chen" <chenhuacai@kernel.org>,
	"WANG Xuerui" <kernel@xen0n.name>,
	"Madhavan Srinivasan" <maddy@linux.ibm.com>,
	"Michael Ellerman" <mpe@ellerman.id.au>,
	"Nicholas Piggin" <npiggin@gmail.com>,
	"Christophe Leroy (CS GROUP)" <chleroy@kernel.org>,
	"Paul Walmsley" <pjw@kernel.org>,
	"Palmer Dabbelt" <palmer@dabbelt.com>,
	"Albert Ou" <aou@eecs.berkeley.edu>,
	"Alexandre Ghiti" <alex@ghiti.fr>,
	"Heiko Carstens" <hca@linux.ibm.com>,
	"Vasily Gorbik" <gor@linux.ibm.com>,
	"Alexander Gordeev" <agordeev@linux.ibm.com>,
	"Christian Borntraeger" <borntraeger@linux.ibm.com>,
	"Andy Lutomirski" <luto@kernel.org>,
	"Ingo Molnar" <mingo@redhat.com>,
	"Borislav Petkov" <bp@alien8.de>,
	"Dave Hansen" <dave.hansen@linux.intel.com>,
	x86@kernel.org,
	"Andrew Donnellan" <andrew+kernel@donnellan.id.au>,
	"Mark Rutland" <mark.rutland@arm.com>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Jiaxun Yang" <jiaxun.yang@flygoat.com>,
	"Ryan Roberts" <ryan.roberts@arm.com>,
	"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	"Mukesh Kumar Chaurasiya" <mkchauras@linux.ibm.com>,
	"Shrikanth Hegde" <sshegde@linux.ibm.com>,
	"Zong Li" <zong.li@sifive.com>, "Nam Cao" <namcao@linutronix.de>,
	"Deepak Gupta" <debug@rivosinc.com>,
	"Lukas Gerlach" <lukas.gerlach@cispa.de>,
	"Rui Qi" <qirui.001@bytedance.com>, "Kees Cook" <kees@kernel.org>,
	linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
	loongarch@lists.linux.dev, linuxppc-dev@lists.ozlabs.org,
	linux-riscv@lists.infradead.org, linux-s390@vger.kernel.org
Subject: Re: [RFC] entry: Untangle the return value of syscall_enter_from_user_mode from syscall NR
Date: Mon, 06 Jul 2026 07:27:17 +0200	[thread overview]
Message-ID: <yt9dwlv8adsa.fsf@linux.ibm.com> (raw)
In-Reply-To: <69ACC6A7-7845-41B4-B0D0-2E6FCDA7443D@zytor.com>

"H. Peter Anvin" <hpa@zytor.com> writes:

> On July 3, 2026 4:39:18 AM PDT, Sven Schnelle <svens@linux.ibm.com>
> wrote:
>>Michal Suchánek <msuchanek@suse.de> writes:
>>
>>> The same could be asked of syscall_enter_from_user_mode. I find it
> very
>>> odd. Why does it conflate the syscall number with its return value?
>>>
>>> It never uses the syscall number passed in except when returning it
>>> unchanged. When it pokes the registers it reads the syscall number
> from
>>> them.
>>>
>>> If the caller of syscall_enter_from_user_mode only read the syscall
>>> number from the registers when syscall_enter_from_user_mode returns
> and
>>> indicates the syscall should be still executed this whole shenigan
> would
>>
>>I agree. The fact that if (nr < NR_syscall) just works because -1
> gets
>>casted to 0xffffffff and is therefore out of bounds is very odd.
>>
>
> Not at all strange. It is an *extremely* common construct in C,
> especially for range checking values into [0, n).

A clear indication that this is not as common as you think is that
there's an extra comment in arch/x86/entry/syscall_64.c:

       /*
	* Convert negative numbers to very high and thus out of range
	* numbers for comparisons.
	*/

If everyone knows what this is the comment wouldn't be necessary. But
that cast is not the thing i'm really interested in - if it stays
that way, fine with me. But I would like to see the change from Michal
going in which untangles the secure_computing() return value from the
syscall number. Because this behaviour is very subtle and removing that
would make things easier. (And also easier to read/audit, which is
always importand with security related code, which seccomp/syscall
clearly is).

> In addition to being idiomatic, keep in mind that this is one of the
> absolutely most performance critical paths in the entire kernel. One
> of the fundamental cornerstones behind Unix is to keep system calls
> cheap so that they can be simple building blocks for more complex
> operations. It is not the only possible design philosophy, but it is
> the one we chose to adopt, quite successfully.
>
> The downside? Squeezing every possible cycle out of the system call
> path becomes one of the most essential tuning tasks. The good part is
> that keeping the system call path clean also makes it maintainable,
> even when there are quirks.

I haven't measured it, but I doubt that the unsigned vs signed syscall
bounds check makes a difference in real world scenarios. Even for
ni_syscall cases it would be small. With the C entry code we have
nowadays such optimizations should be left to the compiler. I wouldn't
be surprised if the generated code is even the same.

But as written above, I don't really care about this.


WARNING: multiple messages have this Message-ID (diff)
From: Sven Schnelle <svens@linux.ibm.com>
To: "H. Peter Anvin" <hpa@zytor.com>
Cc: "Michal Suchánek" <msuchanek@suse.de>,
	"Peter Zijlstra" <peterz@infradead.org>,
	"Thomas Gleixner" <tglx@kernel.org>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Shuah Khan" <skhan@linuxfoundation.org>,
	"Huacai Chen" <chenhuacai@kernel.org>,
	"WANG Xuerui" <kernel@xen0n.name>,
	"Madhavan Srinivasan" <maddy@linux.ibm.com>,
	"Michael Ellerman" <mpe@ellerman.id.au>,
	"Nicholas Piggin" <npiggin@gmail.com>,
	"Christophe Leroy (CS GROUP)" <chleroy@kernel.org>,
	"Paul Walmsley" <pjw@kernel.org>,
	"Palmer Dabbelt" <palmer@dabbelt.com>,
	"Albert Ou" <aou@eecs.berkeley.edu>,
	"Alexandre Ghiti" <alex@ghiti.fr>,
	"Heiko Carstens" <hca@linux.ibm.com>,
	"Vasily Gorbik" <gor@linux.ibm.com>,
	"Alexander Gordeev" <agordeev@linux.ibm.com>,
	"Christian Borntraeger" <borntraeger@linux.ibm.com>,
	"Andy Lutomirski" <luto@kernel.org>,
	"Ingo Molnar" <mingo@redhat.com>,
	"Borislav Petkov" <bp@alien8.de>,
	"Dave Hansen" <dave.hansen@linux.intel.com>,
	x86@kernel.org,
	"Andrew Donnellan" <andrew+kernel@donnellan.id.au>,
	"Mark Rutland" <mark.rutland@arm.com>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Jiaxun Yang" <jiaxun.yang@flygoat.com>,
	"Ryan Roberts" <ryan.roberts@arm.com>,
	"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	"Mukesh Kumar Chaurasiya" <mkchauras@linux.ibm.com>,
	"Shrikanth Hegde" <sshegde@linux.ibm.com>,
	"Zong Li" <zong.li@sifive.com>, "Nam Cao" <namcao@linutronix.de>,
	"Deepak Gupta" <debug@rivosinc.com>,
	"Lukas Gerlach" <lukas.gerlach@cispa.de>,
	"Rui Qi" <qirui.001@bytedance.com>, "Kees Cook" <kees@kernel.org>,
	linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
	loongarch@lists.linux.dev, linuxppc-dev@lists.ozlabs.org,
	linux-riscv@lists.infradead.org, linux-s390@vger.kernel.org
Subject: Re: [RFC] entry: Untangle the return value of syscall_enter_from_user_mode from syscall NR
Date: Mon, 06 Jul 2026 07:27:17 +0200	[thread overview]
Message-ID: <yt9dwlv8adsa.fsf@linux.ibm.com> (raw)
In-Reply-To: <69ACC6A7-7845-41B4-B0D0-2E6FCDA7443D@zytor.com>

"H. Peter Anvin" <hpa@zytor.com> writes:

> On July 3, 2026 4:39:18 AM PDT, Sven Schnelle <svens@linux.ibm.com>
> wrote:
>>Michal Suchánek <msuchanek@suse.de> writes:
>>
>>> The same could be asked of syscall_enter_from_user_mode. I find it
> very
>>> odd. Why does it conflate the syscall number with its return value?
>>>
>>> It never uses the syscall number passed in except when returning it
>>> unchanged. When it pokes the registers it reads the syscall number
> from
>>> them.
>>>
>>> If the caller of syscall_enter_from_user_mode only read the syscall
>>> number from the registers when syscall_enter_from_user_mode returns
> and
>>> indicates the syscall should be still executed this whole shenigan
> would
>>
>>I agree. The fact that if (nr < NR_syscall) just works because -1
> gets
>>casted to 0xffffffff and is therefore out of bounds is very odd.
>>
>
> Not at all strange. It is an *extremely* common construct in C,
> especially for range checking values into [0, n).

A clear indication that this is not as common as you think is that
there's an extra comment in arch/x86/entry/syscall_64.c:

       /*
	* Convert negative numbers to very high and thus out of range
	* numbers for comparisons.
	*/

If everyone knows what this is the comment wouldn't be necessary. But
that cast is not the thing i'm really interested in - if it stays
that way, fine with me. But I would like to see the change from Michal
going in which untangles the secure_computing() return value from the
syscall number. Because this behaviour is very subtle and removing that
would make things easier. (And also easier to read/audit, which is
always importand with security related code, which seccomp/syscall
clearly is).

> In addition to being idiomatic, keep in mind that this is one of the
> absolutely most performance critical paths in the entire kernel. One
> of the fundamental cornerstones behind Unix is to keep system calls
> cheap so that they can be simple building blocks for more complex
> operations. It is not the only possible design philosophy, but it is
> the one we chose to adopt, quite successfully.
>
> The downside? Squeezing every possible cycle out of the system call
> path becomes one of the most essential tuning tasks. The good part is
> that keeping the system call path clean also makes it maintainable,
> even when there are quirks.

I haven't measured it, but I doubt that the unsigned vs signed syscall
bounds check makes a difference in real world scenarios. Even for
ni_syscall cases it would be small. With the C entry code we have
nowadays such optimizations should be left to the compiler. I wouldn't
be surprised if the generated code is even the same.

But as written above, I don't really care about this.

_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv

  reply	other threads:[~2026-07-06  5:28 UTC|newest]

Thread overview: 50+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01 17:42 [RFC] entry: Untangle the return value of syscall_enter_from_user_mode from syscall NR Michal Suchánek
2026-07-01 17:42 ` Michal Suchánek
2026-07-01 17:58 ` sashiko-bot
2026-07-01 18:29 ` H. Peter Anvin
2026-07-01 18:29   ` H. Peter Anvin
2026-07-02  9:30   ` Michal Suchánek
2026-07-02  9:30     ` Michal Suchánek
2026-07-02 21:49   ` Thomas Gleixner
2026-07-02 21:49     ` Thomas Gleixner
2026-07-03  6:26     ` Sven Schnelle
2026-07-03  6:26       ` Sven Schnelle
2026-07-03  9:25       ` Peter Zijlstra
2026-07-03  9:25         ` Peter Zijlstra
2026-07-03  9:27       ` Thomas Gleixner
2026-07-03  9:27         ` Thomas Gleixner
2026-07-03  9:59         ` Sven Schnelle
2026-07-03  9:59           ` Sven Schnelle
2026-07-03 10:57           ` Peter Zijlstra
2026-07-03 10:57             ` Peter Zijlstra
2026-07-03 11:17             ` Sven Schnelle
2026-07-03 11:17               ` Sven Schnelle
2026-07-03 11:25             ` Michal Suchánek
2026-07-03 11:25               ` Michal Suchánek
2026-07-03 11:39               ` Sven Schnelle
2026-07-03 11:39                 ` Sven Schnelle
2026-07-04 17:18                 ` H. Peter Anvin
2026-07-04 17:18                   ` H. Peter Anvin
2026-07-06  5:27                   ` Sven Schnelle [this message]
2026-07-06  5:27                     ` Sven Schnelle
2026-07-04 17:23     ` H. Peter Anvin
2026-07-04 17:23       ` H. Peter Anvin
2026-07-02  8:12 ` Sven Schnelle
2026-07-02  8:12   ` Sven Schnelle
2026-07-02  9:12   ` Michal Suchánek
2026-07-02 12:01     ` Sven Schnelle
2026-07-02 12:01       ` Sven Schnelle
2026-07-02 12:13       ` Michal Suchánek
2026-07-03  6:16         ` Sven Schnelle
2026-07-03  6:16           ` Sven Schnelle
2026-07-02 11:24 ` Thomas Gleixner
2026-07-02 11:24   ` Thomas Gleixner
2026-07-02 11:45   ` Michal Suchánek
2026-07-02 11:45     ` Michal Suchánek
2026-07-02 20:45     ` Thomas Gleixner
2026-07-02 20:45       ` Thomas Gleixner
2026-07-03  7:53       ` Michal Suchánek
2026-07-03  9:34         ` Thomas Gleixner
2026-07-03  9:34           ` Thomas Gleixner
2026-07-06  8:16 ` Thomas Gleixner
2026-07-06  8:16   ` Thomas Gleixner

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=yt9dwlv8adsa.fsf@linux.ibm.com \
    --to=svens@linux.ibm.com \
    --cc=agordeev@linux.ibm.com \
    --cc=alex@ghiti.fr \
    --cc=andrew+kernel@donnellan.id.au \
    --cc=aou@eecs.berkeley.edu \
    --cc=arnd@arndb.de \
    --cc=borntraeger@linux.ibm.com \
    --cc=bp@alien8.de \
    --cc=chenhuacai@kernel.org \
    --cc=chleroy@kernel.org \
    --cc=corbet@lwn.net \
    --cc=dave.hansen@linux.intel.com \
    --cc=debug@rivosinc.com \
    --cc=gor@linux.ibm.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=hca@linux.ibm.com \
    --cc=hpa@zytor.com \
    --cc=jiaxun.yang@flygoat.com \
    --cc=kees@kernel.org \
    --cc=kernel@xen0n.name \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-riscv@lists.infradead.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=linuxppc-dev@lists.ozlabs.org \
    --cc=loongarch@lists.linux.dev \
    --cc=lukas.gerlach@cispa.de \
    --cc=luto@kernel.org \
    --cc=maddy@linux.ibm.com \
    --cc=mark.rutland@arm.com \
    --cc=mingo@redhat.com \
    --cc=mkchauras@linux.ibm.com \
    --cc=mpe@ellerman.id.au \
    --cc=msuchanek@suse.de \
    --cc=namcao@linutronix.de \
    --cc=npiggin@gmail.com \
    --cc=palmer@dabbelt.com \
    --cc=peterz@infradead.org \
    --cc=pjw@kernel.org \
    --cc=qirui.001@bytedance.com \
    --cc=ryan.roberts@arm.com \
    --cc=skhan@linuxfoundation.org \
    --cc=sshegde@linux.ibm.com \
    --cc=tglx@kernel.org \
    --cc=x86@kernel.org \
    --cc=zong.li@sifive.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.