From: arnd@arndb.de (Arnd Bergmann)
To: linux-arm-kernel@lists.infradead.org
Subject: [musl] Re: [PATCHv3 00/24] ILP32 support in ARM64
Date: Mon, 16 Feb 2015 18:20:18 +0100 [thread overview]
Message-ID: <95765022.dfzNYZrNVS@wuerfel> (raw)
In-Reply-To: <20150211213758.GN23507@brightrain.aerifal.cx>
On Wednesday 11 February 2015 16:37:58 Rich Felker wrote:
> On Wed, Feb 11, 2015 at 10:02:55PM +0100, arnd at arndb.de wrote:
> > Rich Felker <dalias@libc.org> hat am 11. Februar 2015 um 21:12 geschrieben:
> > > On Wed, Feb 11, 2015 at 08:50:06PM +0100, arnd at arndb.de wrote:
> > > > > > At least for AArch64 ILP32 we are still free to change the user/kernel
> > > > > > ABI, so we could add wrappers for the affected syscalls to fix this up.
> > > > > yes, afaik on x32 the 64bit kernel expects 64bit layout,
> > > > > arm64 can fix this
> > > >
> > > > We have to fix it on all 32-bit architectures when we move to 64-bit time_t.
> > > >
> > > > I think ideally you'd want a user space definition like
> > > >
> > > > typedef long long time_t;
> > > > struct timespec {
> > > > time_t tv_sec;
> > > > long long tv_nsec;
> > > > };
> > > >
> > > > which is the only way to avoid passing uninitialized tv_nsec into the kernel
> > > > from arbitrary user space doing ioctl. This is of course against POSIX and
> > > > C99. Changing POSIX to allow it is probably easier than the C standard,
> > > > but we have a couple of years before we need to make this the default.
> > >
> > > I don't see why you want it to be long long. There is no harm in
> > > passing uninitialized padding to the kernel; the kernel just needs to
> > > do the right thing and ignore it (or avoid reading it to begin with).
> >
> > This would however mean having three different implementations
> > in the kernel rather than just two: Every driver that can pass a timespec
> > with this model needs to handle the native 64-bit case (64/64), the legacy
> > 32-bit case (32/32) and the y2038-safe case (64/32). Most code can
> > already handle the first two, and none today handles the third. If you
> > want to make the handling explicitly incompatible with native 64-bit
> > mode, you get a lot of untested code in obscure places that are never
> > tested properly, while using the normal behavior in the kernel at least
> > gives us the same bugs that we already have on native 64-bit systems.
>
> Would it really be that hard to do:
>
> if (ILP32_on_64_process) tv_nsec = (int)tv_nsec;
>
> or similar? That's all that's needed.
>
> > In some cases, there may also be a measurable performance penalty
> > in interpreting a user space data structure manually over copying
> > it (including the timespec values) in one chunk.
>
> I don't think the above would be measurable.
It depends: Copying the structure first and then doing the conversion
in kernel space on the specific members as you do in the example
should indeed have a trivial performance impact. However, it is also
the hardest for driver writers to get right, and it's better not to
trust them with corner cases like this.
To make it more readable, we would probably introduce a helper function
that copies the timespec from user space memory to kernel space and
then does all the checks and conversions as required. However, doing
separate copies can (depending on the architecture) have a noticeable
impact. An example for this would be architectures that require setting
up a page table entry for the user space page in order to access the
data and then destroy it again afterwards, with the correct TLB flushes.
We can do something like this for the old-style compat handlers that
use 32-bit time_t, but I'd prefer not to have it in the fast path for
the native 64-bit time_t on 64-bit architectures.
> > An alternative would be to change the native 64-bit case to ignore the upper
> > half of tv_nsec and always just copy the low bits. This should work
> > fine almost all of the time, but I fear that there might be corner cases
> > where existing 64-bit user space depends on passing large or negative
> > tv_nsec values into the kernel.
>
> Most functions using caller-provided timespecs are required to
> diagnose invalid forms with EINVAL when tv_nsec>=1000000000 or <0, so
> if the kernel examines only the low 32 bits on ABIs where long is
> 64-bit, userspace would need to be responsible for doing this
> checking.
Right, that would not be good, in particular because we should not
change that for existing architectures.
> > > > In the kernel headers, the current plan is to provide interfaces taking
> > > > structures
> > > >
> > > > typedef long long __kernel_time64_t;
> > > > struct __kernel_timespec64_t {
> > > > __kernel_time64_t tv_sec;
> > > > long long tv_nsec;
> > > > };
> > > >
> > > > at least for ioctls, to avoid the ambiguity with libc headers specifying
> > > > something else.
> > >
> > > This seems hideous from an application standpoint. Application
> > > programmers don't want to know, and shouldn't need to know, these
> > > silly implementation details that make no sense except as historical
> > > baggage. They should just be able to use "struct timespec" everywhere
> > > and have it work.
> >
> > The kernel does not even know how timespec is defined by libc, and we have
> > to at least be able to handle the common cases of timespec being 32/32
> > and 64/64 (or 64/32 plus explicit padding). For system calls, we can rely
> > on libc calling the syscalls that match the definition (or convert the
> > structure as necessary), while for ioctl the command number is chosen
> > by the application and has to match the structure definition provided in
> > the same header.
>
> Generally I would think the kernel knows the model the process is
> using, but if not, all you need is separate ioctl numbers for
> userspace to use depending on which definition it's using.
I've checked now, and indeed the kernel knows for ilp32 x86 and arm, since
it uses a different ELF interpreter. I thought it might be running the
ilp32 binaries as ELF64, but it does not.
I would like to avoid separate ioctl command numbers, but we have to
do it for 64-bit time_t on the original 32-bit architectures in the
cases where the size is not already encoded in the command number.
Arnd
next prev parent reply other threads:[~2015-02-16 17:20 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-03 21:18 [PATCHv3 00/24] ILP32 support in ARM64 Andrew Pinski
2014-09-03 21:18 ` [PATCH 01/24] ARM64: Force LP64 to compile the kernel Andrew Pinski
2014-09-03 21:18 ` [PATCH 02/24] ARM64: Rename COMPAT to AARCH32_EL0 in Kconfig Andrew Pinski
2014-09-03 21:18 ` [PATCH 03/24] ARM64: Change some CONFIG_COMPAT over to use CONFIG_AARCH32_EL0 instead Andrew Pinski
2014-09-03 21:18 ` [PATCH 04/24] ARM64:ILP32: Set kernel_long to long long so we can reuse most of the same syscalls as LP64 Andrew Pinski
2014-09-03 21:18 ` [PATCH 05/24] ARM64:UAPI: Set the correct __BITS_PER_LONG for ILP32 Andrew Pinski
2014-09-03 21:19 ` [PATCH 06/24] Allow for some signal structures to be the same between a 32bit ABI and the 64bit ABI Andrew Pinski
2014-09-03 21:19 ` [PATCH 07/24] ARM64:ILP32: Use the same size and layout of the signal structures for ILP32 as for LP64 Andrew Pinski
2014-09-18 3:41 ` zhangjian
2014-09-03 21:19 ` [PATCH 08/24] Allow a 32bit ABI to use the naming of the 64bit ABI syscalls to avoid confusion of not splitting the registers Andrew Pinski
2014-09-04 10:11 ` Arnd Bergmann
2014-10-01 12:42 ` Catalin Marinas
2014-10-01 14:00 ` Arnd Bergmann
2014-10-02 11:19 ` Catalin Marinas
2014-09-03 21:19 ` [PATCH 09/24] ARM64:ILP32: Use the same syscall names as LP64 Andrew Pinski
2014-10-01 12:48 ` Catalin Marinas
2014-09-03 21:19 ` [PATCH 10/24] ARM64: Introduce is_a32_task/is_a32_thread and TIF_AARCH32 and use them in the correct locations Andrew Pinski
2014-09-03 21:19 ` [PATCH 11/24] ARM64: Add is_ilp32_compat_task and is_ilp32_compat_thread Andrew Pinski
2014-09-03 21:19 ` [PATCH 12/24] ARM64:ILP32: COMPAT_USE_64BIT_TIME is true for ILP32 tasks Andrew Pinski
2014-09-03 21:19 ` [PATCH 13/24] ARM64:ILP32: Use the non compat HWCAP for ILP32 Andrew Pinski
2014-10-01 13:12 ` Catalin Marinas
2014-09-03 21:19 ` [PATCH 14/24] ARM64:ILP32 use the standard start_thread for ILP32 so the processor state is not AARCH32 Andrew Pinski
2014-09-03 21:19 ` [PATCH 15/24] compat_binfmt_elf: coredump: Allow some core dump macros be overridden for compat Andrew Pinski
2014-09-03 21:19 ` [PATCH 16/24] ARM64:ILP32: Support core dump for ILP32 Andrew Pinski
2014-10-01 13:22 ` Catalin Marinas
2014-09-03 21:19 ` [PATCH 17/24] ARM64: Add loading of ILP32 binaries Andrew Pinski
2014-09-03 21:19 ` [PATCH 18/24] ARM64: Add vdso for ILP32 and use it for the signal return Andrew Pinski
2014-09-10 14:31 ` Christopher Covington
2014-10-01 13:59 ` Catalin Marinas
2014-10-02 13:38 ` Catalin Marinas
2014-09-03 21:19 ` [PATCH 19/24] ptrace: Allow compat to use the native siginfo Andrew Pinski
2014-10-02 14:13 ` Catalin Marinas
2014-09-03 21:19 ` [PATCH 20/24] ARM64:ILP32: The native siginfo is used instead of the compat siginfo Andrew Pinski
2014-09-03 21:19 ` [PATCH 21/24] ARM64:ILP32: Use a seperate syscall table as a few syscalls need to be using the compat syscalls Andrew Pinski
2014-10-02 15:23 ` Catalin Marinas
2014-10-02 15:46 ` Catalin Marinas
2014-09-03 21:19 ` [PATCH 22/24] ARM64:ILP32: Fix signal return for ILP32 when the user modified the signal stack Andrew Pinski
2014-09-03 21:19 ` [PATCH 23/24] ARM64: Add ARM64_ILP32 to Kconfig Andrew Pinski
2014-09-03 21:19 ` [PATCH 24/24] Add documentation about ARM64 ILP32 ABI Andrew Pinski
2014-09-04 10:01 ` Arnd Bergmann
2014-10-02 15:52 ` [PATCHv3 00/24] ILP32 support in ARM64 Catalin Marinas
2015-02-10 18:13 ` Rich Felker
2015-02-11 17:39 ` Catalin Marinas
2015-02-11 19:05 ` [musl] " Szabolcs Nagy
2015-02-11 19:22 ` H.J. Lu
2015-02-11 19:50 ` arnd at arndb.de
2015-02-11 20:12 ` Rich Felker
[not found] ` <1383502854.512344.1423688575473.JavaMail.open-xchange@oxbaltgw09.schlund.de>
2015-02-11 21:09 ` arnd at arndb.de
2015-02-11 21:37 ` Rich Felker
2015-02-16 17:20 ` Arnd Bergmann [this message]
2015-02-16 17:51 ` Rich Felker
2015-02-16 19:38 ` Arnd Bergmann
2015-02-12 8:12 ` Szabolcs Nagy
2015-02-12 17:07 ` Catalin Marinas
2015-02-11 19:21 ` Rich Felker
2015-02-12 18:17 ` Catalin Marinas
2015-02-12 18:59 ` arnd at arndb.de
2015-02-13 13:33 ` Catalin Marinas
2015-02-13 16:30 ` Rich Felker
2015-02-13 17:33 ` Catalin Marinas
2015-02-13 18:37 ` Rich Felker
2015-02-16 14:40 ` Arnd Bergmann
2015-02-16 15:38 ` Rich Felker
2015-02-16 16:54 ` Arnd Bergmann
2015-02-11 18:33 ` H.J. Lu
2015-02-11 19:02 ` Rich Felker
2015-02-11 19:16 ` H.J. Lu
2015-02-11 19:25 ` Rich Felker
2015-02-11 19:34 ` H.J. Lu
2015-02-11 19:47 ` Rich Felker
2015-02-11 19:57 ` H.J. Lu
2015-02-11 20:15 ` Andy Lutomirski
2015-02-12 15:50 ` Catalin Marinas
2015-02-12 16:13 ` Rich Felker
2015-02-12 16:30 ` H.J. Lu
2015-02-12 17:00 ` Rich Felker
2015-02-11 21:41 ` Joseph Myers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=95765022.dfzNYZrNVS@wuerfel \
--to=arnd@arndb.de \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox