From: Catalin Marinas <catalin.marinas@arm.com>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>,
Yury Norov <ynorov@caviumnetworks.com>,
David Miller <davem@davemloft.net>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
linux-arch@vger.kernel.org, linux-s390@vger.kernel.org,
libc-alpha@sourceware.org, schwidefsky@de.ibm.com,
pinskia@gmail.com, broonie@kernel.org, joseph@codesourcery.com,
christoph.muellner@theobroma-systems.com,
bamvor.zhangjian@huawei.com, szabolcs.nagy@arm.com,
klimov.linux@gmail.com, Nathan_Lynch@mentor.com, agraf@suse.de,
Prasun.Kapoor@caviumnetworks.com, kilobyte@angband.pl,
geert@linux-m68k.org, philipp.tomsich@theobroma-systems.com
Subject: Re: [PATCH 01/23] all: syscall wrappers: add documentation
Date: Fri, 27 May 2016 14:04:47 +0100 [thread overview]
Message-ID: <20160527130446.GD7865@e104818-lin.cambridge.arm.com> (raw)
In-Reply-To: <5422652.7gdoDlB8u0@wuerfel>
On Fri, May 27, 2016 at 12:49:11PM +0200, Arnd Bergmann wrote:
> On Friday, May 27, 2016 10:30:52 AM CEST Catalin Marinas wrote:
> > On Fri, May 27, 2016 at 10:42:59AM +0200, Arnd Bergmann wrote:
> > > On Friday, May 27, 2016 8:03:57 AM CEST Heiko Carstens wrote:
> > > > > > > > Cost wise, this seems like it all cancels out in the end, but what
> > > > > > > > do I know?
> > > > > > >
> > > > > > > I think you know something, and I also think Heiko and other s390 guys
> > > > > > > know something as well. So I'd like to listen their arguments here.
> > > >
> > > > If it comes to 64 bit arguments for compat system calls: s390 also has an
> > > > x32-like ABI extension which allows user space to use full 64 bit
> > > > registers. As far as I know hardly anybody ever made use of that.
> > > >
> > > > However even if that would be widely used, to me it wouldn't make sense to
> > > > add new compat system calls which allow 64 bit arguments, simply because
> > > > something like
> > > >
> > > > c = (u32)a | (u64)b << 32;
> > > >
> > > > can be done with a single 1-cycle instruction. It's just not worth the
> > > > extra effort to maintain additional system call variants.
> > >
> > > For reference, both tile and mips also have separate 32-bit ABIs that are
> > > only used on 64-bit kernels (aside from the normal 32-bit ABI). Tile
> > > does it like s390 and passes 64-bit arguments as pairs, while MIPS
> > > and x86 and pass them as single registers.
> >
> > AFAIK, x32 also requires that the upper half of a 64-bit reg is zeroed
> > by the user when a 32-bit value is passed. We could require the same on
> > AArch64/ILP32 but I'm a bit uneasy on trusting a multitude of C
> > libraries on this.
>
> It's not about trusting a C library, it's about ensuring malicious code
> cannot pass argumentst that the kernel code assumes will never happen.
At least for pointers and sizes, we have additional checks in place
already, like __access_ok(). Most of the syscalls should be safe since
they either go through some compat functions taking 32-bit arguments or
are routed to native functions which already need to cope with a full
random 64-bit value.
On arm64, I think the only risk comes from syscall handlers expecting
32-bit arguments but using 64-bit types. Apart from pointer types, I
don't expect this to happen but we could enforce it via a
BUILD_BUG_ON(sizeof(t) > 4 && !__TYPE_IS_PTR(t)) in __SC_DELOUSE as per
the s390 implementation. With ILP32 if we go for 64-bit off_t, those
syscalls would be routed directly to the native layer.
--
Catalin
WARNING: multiple messages have this Message-ID (diff)
From: catalin.marinas@arm.com (Catalin Marinas)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 01/23] all: syscall wrappers: add documentation
Date: Fri, 27 May 2016 14:04:47 +0100 [thread overview]
Message-ID: <20160527130446.GD7865@e104818-lin.cambridge.arm.com> (raw)
In-Reply-To: <5422652.7gdoDlB8u0@wuerfel>
On Fri, May 27, 2016 at 12:49:11PM +0200, Arnd Bergmann wrote:
> On Friday, May 27, 2016 10:30:52 AM CEST Catalin Marinas wrote:
> > On Fri, May 27, 2016 at 10:42:59AM +0200, Arnd Bergmann wrote:
> > > On Friday, May 27, 2016 8:03:57 AM CEST Heiko Carstens wrote:
> > > > > > > > Cost wise, this seems like it all cancels out in the end, but what
> > > > > > > > do I know?
> > > > > > >
> > > > > > > I think you know something, and I also think Heiko and other s390 guys
> > > > > > > know something as well. So I'd like to listen their arguments here.
> > > >
> > > > If it comes to 64 bit arguments for compat system calls: s390 also has an
> > > > x32-like ABI extension which allows user space to use full 64 bit
> > > > registers. As far as I know hardly anybody ever made use of that.
> > > >
> > > > However even if that would be widely used, to me it wouldn't make sense to
> > > > add new compat system calls which allow 64 bit arguments, simply because
> > > > something like
> > > >
> > > > c = (u32)a | (u64)b << 32;
> > > >
> > > > can be done with a single 1-cycle instruction. It's just not worth the
> > > > extra effort to maintain additional system call variants.
> > >
> > > For reference, both tile and mips also have separate 32-bit ABIs that are
> > > only used on 64-bit kernels (aside from the normal 32-bit ABI). Tile
> > > does it like s390 and passes 64-bit arguments as pairs, while MIPS
> > > and x86 and pass them as single registers.
> >
> > AFAIK, x32 also requires that the upper half of a 64-bit reg is zeroed
> > by the user when a 32-bit value is passed. We could require the same on
> > AArch64/ILP32 but I'm a bit uneasy on trusting a multitude of C
> > libraries on this.
>
> It's not about trusting a C library, it's about ensuring malicious code
> cannot pass argumentst that the kernel code assumes will never happen.
At least for pointers and sizes, we have additional checks in place
already, like __access_ok(). Most of the syscalls should be safe since
they either go through some compat functions taking 32-bit arguments or
are routed to native functions which already need to cope with a full
random 64-bit value.
On arm64, I think the only risk comes from syscall handlers expecting
32-bit arguments but using 64-bit types. Apart from pointer types, I
don't expect this to happen but we could enforce it via a
BUILD_BUG_ON(sizeof(t) > 4 && !__TYPE_IS_PTR(t)) in __SC_DELOUSE as per
the s390 implementation. With ILP32 if we go for 64-bit off_t, those
syscalls would be routed directly to the native layer.
--
Catalin
next prev parent reply other threads:[~2016-05-27 13:04 UTC|newest]
Thread overview: 207+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-24 0:04 [PATCH v6 00/21] ILP32 for ARM64 Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` [PATCH 01/23] all: syscall wrappers: add documentation Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-25 19:30 ` David Miller
2016-05-25 19:30 ` David Miller
2016-05-25 20:03 ` Yury Norov
2016-05-25 20:03 ` Yury Norov
2016-05-25 20:03 ` Yury Norov
2016-05-25 20:21 ` David Miller
2016-05-25 20:21 ` David Miller
2016-05-25 20:47 ` Arnd Bergmann
2016-05-25 20:47 ` Arnd Bergmann
2016-05-25 20:50 ` David Miller
2016-05-25 20:50 ` David Miller
2016-05-25 21:01 ` Arnd Bergmann
2016-05-25 21:01 ` Arnd Bergmann
2016-05-25 21:28 ` David Miller
2016-05-25 21:28 ` David Miller
2016-05-26 14:20 ` Catalin Marinas
2016-05-26 14:20 ` Catalin Marinas
2016-05-26 14:50 ` Szabolcs Nagy
2016-05-26 14:50 ` Szabolcs Nagy
2016-05-26 14:50 ` Szabolcs Nagy
2016-05-26 15:19 ` Catalin Marinas
2016-05-26 15:19 ` Catalin Marinas
2016-05-26 19:43 ` David Miller
2016-05-26 19:43 ` David Miller
2016-05-27 10:10 ` Catalin Marinas
2016-05-27 10:10 ` Catalin Marinas
2016-05-26 20:48 ` Yury Norov
2016-05-26 20:48 ` Yury Norov
2016-05-26 20:48 ` Yury Norov
2016-05-26 22:29 ` Catalin Marinas
2016-05-26 22:29 ` Catalin Marinas
2016-05-27 0:37 ` Yury Norov
2016-05-27 0:37 ` Yury Norov
2016-05-27 0:37 ` Yury Norov
2016-05-27 6:03 ` Heiko Carstens
2016-05-27 6:03 ` Heiko Carstens
2016-05-27 8:42 ` Arnd Bergmann
2016-05-27 8:42 ` Arnd Bergmann
2016-05-27 9:30 ` Catalin Marinas
2016-05-27 9:30 ` Catalin Marinas
2016-05-27 10:49 ` Arnd Bergmann
2016-05-27 10:49 ` Arnd Bergmann
2016-05-27 13:04 ` Catalin Marinas [this message]
2016-05-27 13:04 ` Catalin Marinas
2016-05-27 16:58 ` Yury Norov
2016-05-27 16:58 ` Yury Norov
2016-05-27 16:58 ` Yury Norov
2016-05-27 17:36 ` Catalin Marinas
2016-05-27 17:36 ` Catalin Marinas
2016-05-27 9:01 ` Catalin Marinas
2016-05-27 9:01 ` Catalin Marinas
2016-06-14 23:08 ` Yury Norov
2016-06-14 23:08 ` Yury Norov
2016-06-14 23:08 ` Yury Norov
2016-05-27 5:52 ` Heiko Carstens
2016-05-27 5:52 ` Heiko Carstens
2016-05-24 0:04 ` [PATCH 02/23] all: introduce COMPAT_WRAPPER option and enable it for s390 Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` [PATCH 03/23] all: s390: move wrapper infrastructure to generic headers Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` [PATCH 04/23] all: s390: move compat_wrappers.c from arch/s390/kernel to kernel/ Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` [PATCH 05/23] all: wrap needed syscalls in generic unistd Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` [PATCH 06/23] compat ABI: use non-compat openat and open_by_handle_at variants Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` [PATCH 07/23] 32-bit ABI: introduce ARCH_32BIT_OFF_T config option Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` [PATCH 08/23] arm64: ilp32: add documentation on the ILP32 ABI for ARM64 Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` [PATCH 09/23] arm64: ensure the kernel is compiled for LP64 Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` [PATCH 10/23] arm64: rename COMPAT to AARCH32_EL0 in Kconfig Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` [PATCH 11/23] arm64:uapi: set __BITS_PER_LONG correctly for ILP32 and LP64 Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` [PATCH 12/23] thread: move thread bits accessors to separated file Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` [PATCH 13/23] arm64: introduce is_a32_task and is_a32_thread (for AArch32 compat) Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-06-12 12:21 ` Zhangjian (Bamvor)
2016-06-12 12:21 ` Zhangjian (Bamvor)
2016-06-12 12:21 ` Zhangjian (Bamvor)
2016-06-12 13:08 ` Zhangjian (Bamvor)
2016-06-12 13:08 ` Zhangjian (Bamvor)
2016-06-12 13:08 ` Zhangjian (Bamvor)
2016-06-12 17:56 ` Yury Norov
2016-06-12 17:56 ` Yury Norov
2016-06-12 17:56 ` Yury Norov
2016-05-24 0:04 ` [PATCH 14/23] arm64: ilp32: add is_ilp32_compat_{task,thread} and TIF_32BIT_AARCH64 Yury Norov
2016-05-24 0:04 ` [PATCH 14/23] arm64: ilp32: add is_ilp32_compat_{task, thread} " Yury Norov
2016-05-24 0:04 ` [PATCH 14/23] arm64: ilp32: add is_ilp32_compat_{task,thread} " Yury Norov
2016-05-24 0:04 ` [PATCH 15/23] arm64: introduce binfmt_elf32.c Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` [PATCH 16/23] arm64: ilp32: introduce binfmt_ilp32.c Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-26 13:49 ` Zhangjian (Bamvor)
2016-05-26 13:49 ` Zhangjian (Bamvor)
2016-05-26 13:49 ` Zhangjian (Bamvor)
2016-05-26 21:08 ` Yury Norov
2016-05-26 21:08 ` Yury Norov
2016-05-26 21:08 ` Yury Norov
2016-06-15 0:40 ` Yury Norov
2016-06-15 0:40 ` Yury Norov
2016-06-15 0:40 ` Yury Norov
2016-06-13 3:05 ` Zhangjian (Bamvor)
2016-06-13 3:05 ` Zhangjian (Bamvor)
2016-06-13 3:05 ` Zhangjian (Bamvor)
2016-06-13 13:22 ` Zhangjian (Bamvor)
2016-06-13 13:22 ` Zhangjian (Bamvor)
2016-06-13 13:22 ` Zhangjian (Bamvor)
2016-05-24 0:04 ` [PATCH 17/23] arm64: ptrace: handle ptrace_request differently for aarch32 and ilp32 Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-06-08 1:34 ` zhouchengming
2016-06-08 1:34 ` zhouchengming
2016-06-08 1:34 ` zhouchengming
2016-06-08 17:00 ` Yury Norov
2016-06-08 17:00 ` Yury Norov
2016-06-08 17:00 ` Yury Norov
2016-06-25 9:36 ` zhouchengming
2016-06-25 9:36 ` zhouchengming
2016-06-25 9:36 ` zhouchengming
2016-06-25 14:15 ` Bamvor Zhang
2016-06-25 14:15 ` Bamvor Zhang
2016-06-27 2:09 ` zhouchengming
2016-06-27 2:09 ` zhouchengming
2016-06-27 2:09 ` zhouchengming
2016-05-24 0:04 ` [PATCH 18/23] arm64: ilp32: add sys_ilp32.c and a separate table (in entry.S) to use it Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-25 20:26 ` Arnd Bergmann
2016-05-25 20:26 ` Arnd Bergmann
2016-05-24 0:04 ` [PATCH 19/23] arm64: signal: share lp64 signal routines to ilp32 Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` [PATCH 20/23] arm64: signal32: move ilp32 and aarch32 common code to separated file Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` [PATCH 21/23] arm64: ilp32: introduce ilp32-specific handlers for sigframe and ucontext Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-06-04 11:34 ` Zhangjian (Bamvor)
2016-06-04 11:34 ` Zhangjian (Bamvor)
2016-06-04 11:34 ` Zhangjian (Bamvor)
2016-06-12 12:34 ` Zhangjian (Bamvor)
2016-06-12 12:34 ` Zhangjian (Bamvor)
2016-06-12 12:34 ` Zhangjian (Bamvor)
2016-06-12 13:12 ` Zhangjian (Bamvor)
2016-06-12 13:12 ` Zhangjian (Bamvor)
2016-06-12 13:12 ` Zhangjian (Bamvor)
2016-06-12 17:44 ` Yury Norov
2016-06-12 17:44 ` Yury Norov
2016-06-12 17:44 ` Yury Norov
2016-06-16 11:21 ` Zhangjian (Bamvor)
2016-06-16 11:21 ` Zhangjian (Bamvor)
2016-06-16 11:21 ` Zhangjian (Bamvor)
2016-06-12 12:39 ` Zhangjian (Bamvor)
2016-06-12 12:39 ` Zhangjian (Bamvor)
2016-06-12 12:39 ` Zhangjian (Bamvor)
2016-05-24 0:04 ` [PATCH 22/23] arm64:ilp32: add vdso-ilp32 and use for signal return Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` [PATCH 23/23] arm64:ilp32: add ARM64_ILP32 to Kconfig Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-24 0:04 ` Yury Norov
2016-05-25 10:42 ` [PATCH v6 00/21] ILP32 for ARM64 Szabolcs Nagy
2016-05-25 10:42 ` Szabolcs Nagy
2016-05-25 10:42 ` Szabolcs Nagy
2016-05-25 16:41 ` Yury Norov
2016-05-25 16:41 ` Yury Norov
2016-05-25 16:41 ` Yury Norov
2016-06-02 19:03 ` Yury Norov
2016-06-02 19:03 ` Yury Norov
2016-06-02 19:03 ` Yury Norov
2016-06-02 19:03 ` Yury Norov
2016-06-03 11:02 ` Szabolcs Nagy
2016-06-03 11:02 ` Szabolcs Nagy
2016-06-03 11:02 ` Szabolcs Nagy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160527130446.GD7865@e104818-lin.cambridge.arm.com \
--to=catalin.marinas@arm.com \
--cc=Nathan_Lynch@mentor.com \
--cc=Prasun.Kapoor@caviumnetworks.com \
--cc=agraf@suse.de \
--cc=arnd@arndb.de \
--cc=bamvor.zhangjian@huawei.com \
--cc=broonie@kernel.org \
--cc=christoph.muellner@theobroma-systems.com \
--cc=davem@davemloft.net \
--cc=geert@linux-m68k.org \
--cc=heiko.carstens@de.ibm.com \
--cc=joseph@codesourcery.com \
--cc=kilobyte@angband.pl \
--cc=klimov.linux@gmail.com \
--cc=libc-alpha@sourceware.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=philipp.tomsich@theobroma-systems.com \
--cc=pinskia@gmail.com \
--cc=schwidefsky@de.ibm.com \
--cc=szabolcs.nagy@arm.com \
--cc=ynorov@caviumnetworks.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.