From: Russell King - ARM Linux <linux@arm.linux.org.uk>
To: Rob Clark <rob.clark@linaro.org>
Cc: linux-arm-kernel@lists.infradead.org, patches@linaro.org,
linux-kernel@vger.kernel.org, linux-omap@vger.kernel.org,
dri-devel@lists.freedesktop.org, Arnd Bergmann <arnd@arndb.de>
Subject: Re: [PATCH] ARM: add get_user() support for 8 byte types
Date: Mon, 12 Nov 2012 23:53:48 +0000 [thread overview]
Message-ID: <20121112235348.GD28341@n2100.arm.linux.org.uk> (raw)
In-Reply-To: <CAF6AEGtLKjJ=BfBnOq+oE6cgneF5YqsbYqNnCPrz4sTFRzdibg@mail.gmail.com>
On Mon, Nov 12, 2012 at 05:33:41PM -0600, Rob Clark wrote:
> I'm sort of thinking maybe we want to change 'switch (sizeof(*(__p)))'
> with 'switch (sizeof(typeof(x)))' in case someone ignores the compiler
> warning when they try something like:
Definitely not. Ttype of access is controlled by the pointer, not by the
size of what it's being assigned to. Switching that around is likely to
break stuff hugely. Consider this:
unsigned char __user *p;
int val;
get_user(val, p);
If the pointer type is used to determine the access size, a char will be
accessed. This is legal - because we end up assigning an unsigned character
to an int.
If the size of the destination was used, we'd access an int instead, which
is larger than the pointer, and probably the wrong thing to do anyway.
Think of get_user(a, b) as being a special accessor having the ultimate
semantics of: "a = *b;" but done in a safe way with error checking.
> uint32_t x;
> uint64_t *p = ...;
> get_user(x, p);
>
> that was my one concern about 'register typeof(x) __r2 ...', but I
> think just changing the switch condition is enough. But maybe good to
> have some eyes on in case there is something else I'm not thinking of.
And what should happen in the above is exactly the same as what happens
if you do:
x = *p;
with those types. For ARM, that would be a 64-bit access (if the
compiler decides not to optimize away the upper 32-bit access) followed
by a narrowing cast down to 32-bit. With get_user() of course, there's
no option not to optimize it away.
However, this _does_ reveal a bug with your approach. With sizeof(*p)
being 8, and the type of __r2 being a 32-bit quantity, the compiler will
choose the 64-bit accessor, which will corrupt r3 - and the compiler
won't know that r3 has been corrupted.
That's too unsafe.
I just tried a variant of your approach, but got lots of warnings again:
register unsigned long long __r2 asm("r2");
__get_user_x(__r2, __p, __e, 8, "lr");
x = (typeof(*(__p))) ((typeof(x))__r2);
because typeof(x) in the test_ptr() case ends up being a pointer itself.
So, back to the drawing board, and I think back to the original position
of "we don't support this".
next prev parent reply other threads:[~2012-11-12 23:53 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-09 21:17 [PATCH] ARM: add get_user() support for 8 byte types Rob Clark
2012-11-12 10:46 ` Will Deacon
2012-11-12 13:46 ` Rob Clark
2012-11-12 14:38 ` Will Deacon
2012-11-12 15:09 ` Rob Clark
2012-11-12 19:27 ` Russell King - ARM Linux
2012-11-12 19:58 ` Rob Clark
2012-11-12 23:08 ` Russell King - ARM Linux
2012-11-12 23:33 ` Rob Clark
2012-11-12 23:53 ` Russell King - ARM Linux [this message]
2012-11-13 0:31 ` Rob Clark
2012-11-13 9:11 ` Arnd Bergmann
2012-11-13 11:24 ` Russell King - ARM Linux
2012-11-15 9:19 ` Arnd Bergmann
2012-11-15 13:04 ` Rob Clark
2012-11-15 13:39 ` Arnd Bergmann
2012-11-15 13:46 ` Rob Clark
2012-11-15 14:39 ` Arnd Bergmann
2012-11-19 14:32 ` Ville Syrjälä
2012-11-19 14:48 ` Russell King - ARM Linux
2012-11-19 15:18 ` Ville Syrjälä
2012-11-13 11:04 ` Russell King - ARM Linux
-- strict thread matches above, loose matches on Subject: below --
2012-11-13 15:00 Rob Clark
2012-11-15 22:01 Rob Clark
2012-11-15 22:22 ` Nicolas Pitre
2012-11-16 8:18 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121112235348.GD28341@n2100.arm.linux.org.uk \
--to=linux@arm.linux.org.uk \
--cc=arnd@arndb.de \
--cc=dri-devel@lists.freedesktop.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-omap@vger.kernel.org \
--cc=patches@linaro.org \
--cc=rob.clark@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).