* Re: a question regarding sys_poll() on x86_64 via tha ia32 layer
@ 2011-09-15 11:40 Thomas Meyer
2011-09-15 12:23 ` Eric Dumazet
0 siblings, 1 reply; 6+ messages in thread
From: Thomas Meyer @ 2011-09-15 11:40 UTC (permalink / raw)
To: Linux Kernel Mailing List; +Cc: viro, mingo
cc'ed some people on this assumed bug.
Am Dienstag, den 13.09.2011, 14:04 +0200 schrieb Thomas Meyer:
> Hello,
>
> the ia32 poll system call is routed through the "standard" function
> sys_poll().
>
> This function is defined as:
>
> SYSCALL_DEFINE3(poll, struct pollfd __user *, ufds, unsigned int, nfds,
> long, timeout_msecs)
>
> in fs/select.c
>
> timeout_msecs is of type long which is AFAIK is 4 bytes on x86 and 8
> bytes on x86_64.
>
> the test for sign (i.e. < 0) in the objdump is done against the 64 bit
> register (here %rbx):
>
> ffffffff811313e0 <sys_poll>:
> ffffffff811313e0: 55 push %rbp
> ffffffff811313e1: 48 89 e5 mov %rsp,%rbp
> ffffffff811313e4: 48 83 ec 30 sub $0x30,%rsp
> ffffffff811313e8: 48 89 5d e8 mov %rbx,-0x18(%rbp)
> ffffffff811313ec: 48 89 d3 mov %rdx,%rbx
> ffffffff811313ef: 31 d2 xor %edx,%edx
> ffffffff811313f1: 48 85 db test %rbx,%rbx
> ffffffff811313f4: 4c 89 65 f0 mov %r12,-0x10(%rbp)
> ffffffff811313f8: 4c 89 6d f8 mov %r13,-0x8(%rbp)
> ffffffff811313fc: 41 89 f4 mov %esi,%r12d
> ffffffff811313ff: 49 89 fd mov %rdi,%r13
> ffffffff81131402: 78 42 js ffffffff81131446 <sys_poll+0x66>
>
> on an x86 kernel the test is done against %ebx
>
> so when the system call is called with %rbx = 00000000ffffffff (i.e. -1
> from %ebx) on an x86_64 kernel via the ia32 layer the test for sign will
> fail and the timer will be set.
>
> btw. <sys/poll.h> seems to define the function as
>
> extern int poll (struct pollfd *__fds, nfds_t __nfds, int __timeout);
>
> what am I overloking?
>
> mfg
> thomas
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: a question regarding sys_poll() on x86_64 via tha ia32 layer
2011-09-15 11:40 a question regarding sys_poll() on x86_64 via tha ia32 layer Thomas Meyer
@ 2011-09-15 12:23 ` Eric Dumazet
2011-09-15 13:00 ` Thomas Meyer
2011-09-15 17:44 ` Andi Kleen
0 siblings, 2 replies; 6+ messages in thread
From: Eric Dumazet @ 2011-09-15 12:23 UTC (permalink / raw)
To: Thomas Meyer; +Cc: Linux Kernel Mailing List, viro, mingo
Le jeudi 15 septembre 2011 à 13:40 +0200, Thomas Meyer a écrit :
> cc'ed some people on this assumed bug.
>
> Am Dienstag, den 13.09.2011, 14:04 +0200 schrieb Thomas Meyer:
> > Hello,
> >
> > the ia32 poll system call is routed through the "standard" function
> > sys_poll().
> >
> > This function is defined as:
> >
> > SYSCALL_DEFINE3(poll, struct pollfd __user *, ufds, unsigned int, nfds,
> > long, timeout_msecs)
> >
> > in fs/select.c
> >
> > timeout_msecs is of type long which is AFAIK is 4 bytes on x86 and 8
> > bytes on x86_64.
> >
> > the test for sign (i.e. < 0) in the objdump is done against the 64 bit
> > register (here %rbx):
> >
> > ffffffff811313e0 <sys_poll>:
> > ffffffff811313e0: 55 push %rbp
> > ffffffff811313e1: 48 89 e5 mov %rsp,%rbp
> > ffffffff811313e4: 48 83 ec 30 sub $0x30,%rsp
> > ffffffff811313e8: 48 89 5d e8 mov %rbx,-0x18(%rbp)
> > ffffffff811313ec: 48 89 d3 mov %rdx,%rbx
> > ffffffff811313ef: 31 d2 xor %edx,%edx
> > ffffffff811313f1: 48 85 db test %rbx,%rbx
> > ffffffff811313f4: 4c 89 65 f0 mov %r12,-0x10(%rbp)
> > ffffffff811313f8: 4c 89 6d f8 mov %r13,-0x8(%rbp)
> > ffffffff811313fc: 41 89 f4 mov %esi,%r12d
> > ffffffff811313ff: 49 89 fd mov %rdi,%r13
> > ffffffff81131402: 78 42 js ffffffff81131446 <sys_poll+0x66>
> >
> > on an x86 kernel the test is done against %ebx
> >
> > so when the system call is called with %rbx = 00000000ffffffff (i.e. -1
> > from %ebx) on an x86_64 kernel via the ia32 layer the test for sign will
> > fail and the timer will be set.
> >
> > btw. <sys/poll.h> seems to define the function as
> >
> > extern int poll (struct pollfd *__fds, nfds_t __nfds, int __timeout);
> >
> > what am I overloking?
> >
> > mfg
> > thomas
>
Its a plain bug, please submit a formal patch.
Probably not noticed because timer is set to more than 24 days.
diff --git a/fs/select.c b/fs/select.c
index d33418f..e782258 100644
--- a/fs/select.c
+++ b/fs/select.c
@@ -912,7 +912,7 @@ static long do_restart_poll(struct restart_block *restart_block)
}
SYSCALL_DEFINE3(poll, struct pollfd __user *, ufds, unsigned int, nfds,
- long, timeout_msecs)
+ int, timeout_msecs)
{
struct timespec end_time, *to = NULL;
int ret;
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: a question regarding sys_poll() on x86_64 via tha ia32 layer
2011-09-15 12:23 ` Eric Dumazet
@ 2011-09-15 13:00 ` Thomas Meyer
2011-09-15 14:37 ` Eric Dumazet
2011-09-15 17:44 ` Andi Kleen
1 sibling, 1 reply; 6+ messages in thread
From: Thomas Meyer @ 2011-09-15 13:00 UTC (permalink / raw)
To: Eric Dumazet; +Cc: Linux Kernel Mailing List, viro, mingo
[-- Attachment #1: Type: text/plain, Size: 648 bytes --]
Am Donnerstag, den 15.09.2011, 14:23 +0200 schrieb Eric Dumazet:
> Its a plain bug, please submit a formal patch.
>
> Probably not noticed because timer is set to more than 24 days.
>
okay. I think a similar problem exists for sys_truncate() in ia32 layer
on x86_64:
the ia32 syscall is directly wired to sys_truncate(char *, long).
signed long will use %rbx on x86_64 and %ebx on x86.
call sys_truncate on x86_64 from x86 userspace will handle length
0xffffffff not as -1.
maybe an easy fix would be to change long to unsigned long for
sys_truncate(), like sys_ftruncate(). what do you think?
with kind regards
thomas
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 490 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: a question regarding sys_poll() on x86_64 via tha ia32 layer
2011-09-15 13:00 ` Thomas Meyer
@ 2011-09-15 14:37 ` Eric Dumazet
0 siblings, 0 replies; 6+ messages in thread
From: Eric Dumazet @ 2011-09-15 14:37 UTC (permalink / raw)
To: Thomas Meyer; +Cc: Linux Kernel Mailing List, viro, mingo
Le jeudi 15 septembre 2011 à 15:00 +0200, Thomas Meyer a écrit :
> Am Donnerstag, den 15.09.2011, 14:23 +0200 schrieb Eric Dumazet:
> > Its a plain bug, please submit a formal patch.
> >
> > Probably not noticed because timer is set to more than 24 days.
> >
>
> okay. I think a similar problem exists for sys_truncate() in ia32 layer
> on x86_64:
>
> the ia32 syscall is directly wired to sys_truncate(char *, long).
>
> signed long will use %rbx on x86_64 and %ebx on x86.
>
> call sys_truncate on x86_64 from x86 userspace will handle length
> 0xffffffff not as -1.
>
> maybe an easy fix would be to change long to unsigned long for
> sys_truncate(), like sys_ftruncate(). what do you think?
I think you should take a look at fs/compat.c
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: a question regarding sys_poll() on x86_64 via tha ia32 layer
2011-09-15 12:23 ` Eric Dumazet
2011-09-15 13:00 ` Thomas Meyer
@ 2011-09-15 17:44 ` Andi Kleen
1 sibling, 0 replies; 6+ messages in thread
From: Andi Kleen @ 2011-09-15 17:44 UTC (permalink / raw)
To: Eric Dumazet; +Cc: Thomas Meyer, Linux Kernel Mailing List, viro, mingo
Eric Dumazet <eric.dumazet@gmail.com> writes:
>
> SYSCALL_DEFINE3(poll, struct pollfd __user *, ufds, unsigned int, nfds,
> - long, timeout_msecs)
> + int, timeout_msecs)
The preferred fix is normally to write a compat wrapper that sign
extends.
Maybe someone on 64bit really wants to wait for a long time, but
not forever.
-Andi
--
ak@linux.intel.com -- Speaking for myself only
^ permalink raw reply [flat|nested] 6+ messages in thread
* a question regarding sys_poll() on x86_64 via tha ia32 layer
@ 2011-09-13 12:04 Thomas Meyer
0 siblings, 0 replies; 6+ messages in thread
From: Thomas Meyer @ 2011-09-13 12:04 UTC (permalink / raw)
To: Linux Kernel Mailing List
Hello,
the ia32 poll system call is routed through the "standard" function
sys_poll().
This function is defined as:
SYSCALL_DEFINE3(poll, struct pollfd __user *, ufds, unsigned int, nfds,
long, timeout_msecs)
in fs/select.c
timeout_msecs is of type long which is AFAIK is 4 bytes on x86 and 8
bytes on x86_64.
the test for sign (i.e. < 0) in the objdump is done against the 64 bit
register (here %rbx):
ffffffff811313e0 <sys_poll>:
ffffffff811313e0: 55 push %rbp
ffffffff811313e1: 48 89 e5 mov %rsp,%rbp
ffffffff811313e4: 48 83 ec 30 sub $0x30,%rsp
ffffffff811313e8: 48 89 5d e8 mov %rbx,-0x18(%rbp)
ffffffff811313ec: 48 89 d3 mov %rdx,%rbx
ffffffff811313ef: 31 d2 xor %edx,%edx
ffffffff811313f1: 48 85 db test %rbx,%rbx
ffffffff811313f4: 4c 89 65 f0 mov %r12,-0x10(%rbp)
ffffffff811313f8: 4c 89 6d f8 mov %r13,-0x8(%rbp)
ffffffff811313fc: 41 89 f4 mov %esi,%r12d
ffffffff811313ff: 49 89 fd mov %rdi,%r13
ffffffff81131402: 78 42 js ffffffff81131446 <sys_poll+0x66>
on an x86 kernel the test is done against %ebx
so when the system call is called with %rbx = 00000000ffffffff (i.e. -1
from %ebx) on an x86_64 kernel via the ia32 layer the test for sign will
fail and the timer will be set.
btw. <sys/poll.h> seems to define the function as
extern int poll (struct pollfd *__fds, nfds_t __nfds, int __timeout);
what am I overloking?
mfg
thomas
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2011-09-15 17:44 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-09-15 11:40 a question regarding sys_poll() on x86_64 via tha ia32 layer Thomas Meyer
2011-09-15 12:23 ` Eric Dumazet
2011-09-15 13:00 ` Thomas Meyer
2011-09-15 14:37 ` Eric Dumazet
2011-09-15 17:44 ` Andi Kleen
-- strict thread matches above, loose matches on Subject: below --
2011-09-13 12:04 Thomas Meyer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox