From: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
To: Paul Eggert <eggert@cs.ucla.edu>, Arjun Shankar <arjun@redhat.com>
Cc: Aleksa Sarai <cyphar@cyphar.com>,
libc-alpha@sourceware.org, linux-api@vger.kernel.org
Subject: Re: [PATCH v4] linux: Add openat2 (BZ 31664)
Date: Tue, 2 Sep 2025 14:11:14 -0300 [thread overview]
Message-ID: <2a979a5e-a78d-4ee1-ac96-7176a8c45fb4@linaro.org> (raw)
In-Reply-To: <d88d7228-fabe-41d1-9a09-298fcb313647@cs.ucla.edu>
On 02/09/25 13:34, Paul Eggert wrote:
> On 2025-09-01 19:41, Arjun Shankar wrote:
>> While it is true that openat cannot be extended in this way, for
>> openat2 (whether or not it eventually materializes in Linux) there
>> already is the RFC patch series proposing CHECK_FIELDS that Aleksa
>> referred to earlier.
>
> Is this the RFC Aleksa proposed last October <https://lkml.org/lkml/2024/10/10/25>? If so, I don't exactly see a rousing endorsement there.
>
> If not, where is the later RFC? I'd like to send the critical comments I've already sent on this thread. These comments have not been responded to adequately.
>
>
>> Unless the kernel marks open_how as const
>
> ? The kernel doesn't mark anything as const. It merely copies in or copies out. And for openat2, it copies only one way.
I think in this case we can refer to the SYSCALL_DEFINE4 at the kernel
source kernel, since there is no explicit contract w.r.t to argument
point-to-const in the kernel header. But I am not sure which is the
Linux policy for changing the implementation, or if Linus or other
maintainer will chime in if someone tries to do it.
>
>
>> future if the kernel starts modifying open_how, glibc's openat2
>> wrapper will no longer align with the kernel's behavior. At that
>> point, glibc will either need to discard the const (which will cause
>> any existing users of the wrapper to fail to recompile),
>
> There are multiple easy ways out there. For example, glibc could document the argument as being pointer-to-const now, but warn that this may change to unrestricted pointer later, if the misguided change is made to the kernel. This would be similar to the already-existing warning in the proposed glibc patch, which warns that you can't assume sizeof (struct open_how) is a constant and so you can't expose it in library APIs. Of course people can ignore the documentation warnings but that's on them.
Yes, we could proper document it but changing it later is always troublesome
and may force users to start to resort to hacks like bypassing the libc with
assemble hacks, and/or redefine the function prototype, or just using syscall()
instead (all far from ideal) to support multiple glibc version.
So I would *really* like to avoid going forward with this path.
>
> Better, though, would be to keep the API pointer-to-const. That's much cleaner. We can extend it later for a "give me the supported flags" flag, wwithout changing it the API away from pointer-to-const.
>
>> Earlier on in this thread, Aleksa mentioned sched_setattr as
>> establishing precedent for the kernel modifying non-const objects. It
>> looks like glibc actually does provide a sched_setattr wrapper since
>> 2.41.
>
> Although it may be too late to change that misfeature, it's not too late to change this one. And even if it was a good idea for sched_setattr, that doesn't mean it's a good a good idea for openat2.
>
The main problem I see is if we set for point-to-const, the kernel eventually
adds some API that changes the input, and the users will start to deploy the
aforementioned hacks to overcome possible issues using the glibc interface.
So I think if kernel developers are planing to make the argument in/out I think
glibc should just follow the kernel.
next prev parent reply other threads:[~2025-09-02 17:11 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <5d4eaca9-930c-4fca-bdbd-5174733642ee@cs.ucla.edu>
[not found] ` <b34176ff-883b-4a3d-b48a-8c6421f53ec7@cs.ucla.edu>
[not found] ` <2c5ae756-c624-4855-9afb-7b8e8ce91011@linaro.org>
[not found] ` <828f6dfb-7402-45e1-a9ed-9e17b6356c5c@linaro.org>
[not found] ` <2025-08-25.1756160579-pudgy-swank-chard-regalia-j3jdtD@cyphar.com>
[not found] ` <5c3b9baf-76b4-40d7-87fb-9b8dd5afd1ee@cs.ucla.edu>
[not found] ` <2025-08-26.1756212515-wealthy-molten-melody-nobody-a5HmWg@cyphar.com>
[not found] ` <6432a34d-fba9-414e-ad38-d3354fa0d775@cs.ucla.edu>
[not found] ` <2025-08-27.1756273344-decaf-ominous-thrift-twinge-h1gGBI@cyphar.com>
[not found] ` <5c9fa556-da00-4b76-8a70-8e2d1dddd92d@cs.ucla.edu>
2025-08-27 22:48 ` [PATCH v4] linux: Add openat2 (BZ 31664) Aleksa Sarai
2025-08-27 23:19 ` Paul Eggert
2025-08-28 8:42 ` Aleksa Sarai
2025-08-28 13:43 ` Paul Eggert
2025-08-28 17:06 ` Adhemerval Zanella Netto
2025-09-02 2:41 ` Arjun Shankar
2025-09-02 16:23 ` enh
2025-09-03 12:09 ` Arjun Shankar
2025-09-03 14:33 ` enh
2025-09-02 16:34 ` Paul Eggert
2025-09-02 17:11 ` Adhemerval Zanella Netto [this message]
2025-09-02 18:17 ` Paul Eggert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2a979a5e-a78d-4ee1-ac96-7176a8c45fb4@linaro.org \
--to=adhemerval.zanella@linaro.org \
--cc=arjun@redhat.com \
--cc=cyphar@cyphar.com \
--cc=eggert@cs.ucla.edu \
--cc=libc-alpha@sourceware.org \
--cc=linux-api@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).