Re: + drivers-acpi-apei-erst-dbgc-get_useru64-doesnt-work-on-i386.patch added to -mm tree

Re: + drivers-acpi-apei-erst-dbgc-get_useru64-doesnt-work-on-i386.patch added to -mm tree

[H. Peter Anvin]

[Adding Linux and linux-arch.  The context is that get_user/put_user
don't work on 64 bit values on i386.]

On 08/11/2010 05:33 PM, Andrew Morton wrote:
> 
> Anyway, this should be fixed in x86 core, I suspect.

After looking at it -- and suffering a bad case of déjà vu -- I'm
reluctant to change it, as get/put_user are specified to work only on
locally atomic data:

 * This macro copies a single simple variable from user space to kernel
 * space.  It supports simple types like char and int, but not larger
 * data types like structures or arrays.

Given that u64 is not a simple type on 32 bits, it would appear that the
behavior is intentional.

A user might very well find that supporting u64 and/or structure types
would be beneficial, but it would a) be a semantic change, and b) would
introduce the possibility of a partially completed transfer.  That is a
semantic change to the interface.  However, it may very well be nicer to
have a generally available get_user()/put_user() for the cases which
would just kick an EFAULT up the stack when they fail anyway.

If there is consensus for making get_user/put_user a general interface,
I'm more than willing to do the x86 changes, but I don't want to do them
a) unilaterally and b) for 2.6.36.  This seems like .37 material at this
point.

	-hpa

-- 
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel.  I don't speak on their behalf.

Re: + drivers-acpi-apei-erst-dbgc-get_useru64-doesnt-work-on-i386.patch added to -mm tree

[H. Peter Anvin]

[Adding Linux and linux-arch.  The context is that get_user/put_user
don't work on 64 bit values on i386.]

On 08/11/2010 05:33 PM, Andrew Morton wrote:
> 
> Anyway, this should be fixed in x86 core, I suspect.

After looking at it -- and suffering a bad case of déjà vu -- I'm
reluctant to change it, as get/put_user are specified to work only on
locally atomic data:

 * This macro copies a single simple variable from user space to kernel
 * space.  It supports simple types like char and int, but not larger
 * data types like structures or arrays.

Given that u64 is not a simple type on 32 bits, it would appear that the
behavior is intentional.

A user might very well find that supporting u64 and/or structure types
would be beneficial, but it would a) be a semantic change, and b) would
introduce the possibility of a partially completed transfer.  That is a
semantic change to the interface.  However, it may very well be nicer to
have a generally available get_user()/put_user() for the cases which
would just kick an EFAULT up the stack when they fail anyway.

If there is consensus for making get_user/put_user a general interface,
I'm more than willing to do the x86 changes, but I don't want to do them
a) unilaterally and b) for 2.6.36.  This seems like .37 material at this
point.

	-hpa

-- 
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel.  I don't speak on their behalf.

Re: + drivers-acpi-apei-erst-dbgc-get_useru64-doesnt-work-on-i386.patch added to -mm tree

[Andrew Morton]

On Wed, 11 Aug 2010 21:22:51 -0700 "H. Peter Anvin" <hpa@zytor.com> wrote:

> [Adding Linux and linux-arch.  The context is that get_user/put_user
> don't work on 64 bit values on i386.]
> 
> On 08/11/2010 05:33 PM, Andrew Morton wrote:
> > 
> > Anyway, this should be fixed in x86 core, I suspect.
> 
> After looking at it -- and suffering a bad case of d__j__ vu -- I'm
> reluctant to change it, as get/put_user are specified to work only on
> locally atomic data:
> 
>  * This macro copies a single simple variable from user space to kernel
>  * space.  It supports simple types like char and int, but not larger
>  * data types like structures or arrays.
> 
> Given that u64 is not a simple type on 32 bits, it would appear that the
> behavior is intentional.
> 
> A user might very well find that supporting u64 and/or structure types
> would be beneficial, but it would a) be a semantic change, and b) would
> introduce the possibility of a partially completed transfer.  That is a
> semantic change to the interface.  However, it may very well be nicer to
> have a generally available get_user()/put_user() for the cases which
> would just kick an EFAULT up the stack when they fail anyway.
> 
> If there is consensus for making get_user/put_user a general interface,
> I'm more than willing to do the x86 changes, but I don't want to do them
> a) unilaterally and b) for 2.6.36.  This seems like .37 material at this
> point.

It occurs so rarely that it's probably not worth bothering about, IMO.

However we should arrange for it to fail at compile time rather than
at link time, please.

Re: + drivers-acpi-apei-erst-dbgc-get_useru64-doesnt-work-on-i386.patch added to -mm tree

[Andrew Morton]

On Wed, 11 Aug 2010 21:22:51 -0700 "H. Peter Anvin" <hpa@zytor.com> wrote:

> [Adding Linux and linux-arch.  The context is that get_user/put_user
> don't work on 64 bit values on i386.]
> 
> On 08/11/2010 05:33 PM, Andrew Morton wrote:
> > 
> > Anyway, this should be fixed in x86 core, I suspect.
> 
> After looking at it -- and suffering a bad case of d__j__ vu -- I'm
> reluctant to change it, as get/put_user are specified to work only on
> locally atomic data:
> 
>  * This macro copies a single simple variable from user space to kernel
>  * space.  It supports simple types like char and int, but not larger
>  * data types like structures or arrays.
> 
> Given that u64 is not a simple type on 32 bits, it would appear that the
> behavior is intentional.
> 
> A user might very well find that supporting u64 and/or structure types
> would be beneficial, but it would a) be a semantic change, and b) would
> introduce the possibility of a partially completed transfer.  That is a
> semantic change to the interface.  However, it may very well be nicer to
> have a generally available get_user()/put_user() for the cases which
> would just kick an EFAULT up the stack when they fail anyway.
> 
> If there is consensus for making get_user/put_user a general interface,
> I'm more than willing to do the x86 changes, but I don't want to do them
> a) unilaterally and b) for 2.6.36.  This seems like .37 material at this
> point.

It occurs so rarely that it's probably not worth bothering about, IMO.

However we should arrange for it to fail at compile time rather than
at link time, please.

Re: + drivers-acpi-apei-erst-dbgc-get_useru64-doesnt-work-on-i386.patch added to -mm tree

[H. Peter Anvin]

On 08/11/2010 09:30 PM, Andrew Morton wrote:
> 
> However we should arrange for it to fail at compile time rather than
> at link time, please.
> 

That is easy to do, of course.

	-hpa

-- 
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel.  I don't speak on their behalf.

Re: + drivers-acpi-apei-erst-dbgc-get_useru64-doesnt-work-on-i386.patch added to -mm tree

[H. Peter Anvin]

On 08/11/2010 09:30 PM, Andrew Morton wrote:
> 
> It occurs so rarely that it's probably not worth bothering about, IMO.
> 

I think the real question is if we want people to convert:

	if (copy_from_user(foo, bar, sizeof *foo))
		return -EFAULT;

... into ...

	if (get_user(*foo, bar))
		return -EFAULT;

... or ...

	rv = get_user(*foo, bar);
	if (rv)
		return rv;

... where *foo is a structure type.  It does have the advantage that a
single API does everything, simple or not, but has the disadvantage that
the partial-access semantics are now less explicit.

	-hpa

-- 
H. Peter Anvin, Intel Open Source Technology Center
I work for Intel.  I don't speak on their behalf.

Re: + drivers-acpi-apei-erst-dbgc-get_useru64-doesnt-work-on-i386.patch added to -mm tree

[Andrew Morton]

On Wed, 11 Aug 2010 22:06:08 -0700 "H. Peter Anvin" <hpa@zytor.com> wrote:

> On 08/11/2010 09:30 PM, Andrew Morton wrote:
> > 
> > It occurs so rarely that it's probably not worth bothering about, IMO.
> > 
> 
> I think the real question is if we want people to convert:
> 
> 	if (copy_from_user(foo, bar, sizeof *foo))
> 		return -EFAULT;
> 
> ... into ...
> 
> 	if (get_user(*foo, bar))
> 		return -EFAULT;
> 
> ... or ...
> 
> 	rv = get_user(*foo, bar);
> 	if (rv)
> 		return rv;
> 
> ... where *foo is a structure type.  It does have the advantage that a
> single API does everything, simple or not, but has the disadvantage that
> the partial-access semantics are now less explicit.
> 

Well, anyone who does get_user() on a struct while expecting it to be
atomic gets to own both pieces.  I think the problem here is
specifically u64/s64.  These work on 64-bit but don't work on 32-bit.

Is the atomicity really a problem?  If userspace updates the 64-bit
number while the kernel is copying it, the kernel gets a garbage
number.  But so what?  Userspace can feed the kernel garbage numbers in
lots of ways, and the kernel must be able to cope with it
appropriately.


<I suspect you can do get_user() on a 4-byte or 8-byte struct right now
and it'll work>

Re: + drivers-acpi-apei-erst-dbgc-get_useru64-doesnt-work-on-i386.patch added to -mm tree

[H. Peter Anvin]

[-- Attachment #1: Type: text/plain, Size: 268 bytes --]

On 08/11/2010 11:03 PM, Andrew Morton wrote:
> <I suspect you can do get_user() on a 4-byte or 8-byte struct right now
> and it'll work>

Not so:

/home/hpa/kernel/linux-2.6-tip.urgent/arch/x86/lib/testuser.c:12: error: 
conversion to non-scalar type requested

	-hpa

[-- Attachment #2: testuser.c --]
[-- Type: text/x-csrc, Size: 194 bytes --]

#include <linux/types.h>
#include <linux/uaccess.h>

struct foo {
	u16 a, b;
};

int bluttan(struct foo *foo)
{
	struct foo bar;

	if (get_user(bar, foo))
		return -1;

	return bar.a + bar.b;
}