Re: compat_sys_times() bogus until jiffies >= 0.

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Denys Vlasenko <vda.linux@googlemail.com>
To: David Miller <davem@davemloft.net>
Cc: paulus@samba.org, akpm@linux-foundation.org, lkml@davidb.org,
	linux-kernel@vger.kernel.org, drepper@redhat.com,
	mtk-manpages@gmx.net
Subject: Re: compat_sys_times() bogus until jiffies >= 0.
Date: Thu, 8 Nov 2007 19:25:52 +0000	[thread overview]
Message-ID: <200711081925.52747.vda.linux@googlemail.com> (raw)
In-Reply-To: <20071107.180918.263752219.davem@davemloft.net>

On Thursday 08 November 2007 02:09, David Miller wrote:
> > I think the best thing would be to ignore any error from copy_to_user
> > and always return the number of clock ticks.  We should call
> > force_successful_syscall_return, and glibc on x86 should be taught not
> > to interpret negative values as an error.
> > 
> > POSIX doesn't require us to return an EFAULT error if the buf argument
> > is bogus.  If userspace does supply a bogus buf pointer, then either
> > it will dereference it itself and get a segfault, or it won't
> > dereference it, in which case it obviously didn't care about the
> > values we tried to put there.
> > 
> > If we try to return an error under some circumstances, then there is
> > at least one 32-bit value for the number of ticks that will cause
> > confusion.  We can either change that value (or values) to some other
> > value, which seems pretty bogus, or we can just decide not to return
> > any errors.  The latter seems to me to have no significant downside
> > and to be the simplest solution to the problem.
> 
> I agree with this analysis.
> 
> The Linux man page for times() explicitly lists (clock_t) -1 as a
> return value meaning error.
> 
> So even if we did make some effort to return errors "properly" (via
> force_successful_syscall_return() et al.) userspace would still be
> screwed because (clock_t) -1 would be interpreted as an error.
> 
> Actually I think this basically proves we cannot return (clock_t) -1
> ever because all existing userland (I'm not talking about inside
> glibc, I'm talking about inside of applications) will see this as an
> error.

What error? I'd argue it's perfectly sane for application to
assume that times() never fails.

        struct tms t;
        clock_t start = times(&t);
        ...
        clock_t end = times(&t);
        clock_t delta = end - start;

The only error form kernel POV is that passed pointer can be
invalid. But from application POV in the above example it
cannot be true and

        if (start == -1)
                 error("error in times!");

would be and exercise in wasting CPU cycles, producing dead code
and feeding one's paranoia.

> User applications have no other way to check for error.

And in all realistic scenarios it doesn't need to.

In this particular case, it makes sense to ignore standards and
never return an error. If user indeed passed invalid pointer,
just don't store anything there, but still return valid value.
--
vda

next prev parent reply	other threads:[~2007-11-08 19:26 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-11-07 22:47 compat_sys_times() bogus until jiffies >= 0 David Brown
2007-11-07 23:28 ` Andrew Morton
2007-11-08  0:18   ` Andrew Morton
2007-11-08  0:54     ` Andreas Schwab
2007-11-08  1:17       ` Andrew Morton
2007-11-08  1:53     ` Paul Mackerras
2007-11-08  2:09       ` David Miller
2007-11-08 10:20         ` Andreas Schwab
2007-11-08 14:42           ` Chris Friesen
2007-11-09 18:20             ` Ulrich Drepper
2007-12-20 11:36               ` Michael Kerrisk
2007-12-20 11:51                 ` David Miller
2007-12-22  0:42                   ` Andi Kleen
2007-12-22  1:41                     ` David Miller
2007-12-22  1:45                       ` David Miller
2007-12-22  1:53                         ` Andi Kleen
2007-12-22  4:36                           ` David Miller
2007-12-22 12:47                             ` Andi Kleen
2007-12-22  1:49                       ` Andi Kleen
2007-11-08 19:25         ` Denys Vlasenko [this message]
2007-11-08  3:07       ` Andrew Morton
2007-11-08  3:13         ` David Miller
2007-11-08  5:15           ` Paul Mackerras
2007-11-08  6:24             ` David Miller
2007-11-08  4:59         ` Paul Mackerras
2007-11-08  5:20           ` Andrew Morton
2007-11-08  5:36             ` Paul Mackerras
2007-11-08  6:12               ` Andrew Morton
2007-11-08  6:25             ` David Miller
2007-11-08  7:09               ` Andrew Morton
2007-11-08  7:14                 ` David Miller
2007-11-08  8:53               ` Paul Mackerras
2007-11-08  6:22           ` David Miller
2007-11-08 19:27         ` Denys Vlasenko
2007-11-08  0:50   ` David Miller
2007-11-08  1:13     ` Andrew Morton
2007-11-08  6:00   ` David Brown

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200711081925.52747.vda.linux@googlemail.com \
    --to=vda.linux@googlemail.com \
    --cc=akpm@linux-foundation.org \
    --cc=davem@davemloft.net \
    --cc=drepper@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lkml@davidb.org \
    --cc=mtk-manpages@gmx.net \
    --cc=paulus@samba.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox