From: Russell King - ARM Linux <linux@armlinux.org.uk>
To: Julia Lawall <julia.lawall@lip6.fr>
Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>,
Kees Cook <keescook@chromium.org>,
andrew@lunn.ch, Jason Cooper <jason@lakedaemon.net>,
rtc-linux@googlegroups.com, a.zummo@towertech.it,
LKML <linux-kernel@vger.kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
gregory.clement@free-electrons.com,
Bhumika Goyal <bhumirks@gmail.com>,
sebastian.hesselbarth@gmail.com
Subject: Re: [PATCH] rtc: armada38x: add __ro_after_init to armada38x_rtc_ops
Date: Wed, 4 Jan 2017 12:14:25 +0000 [thread overview]
Message-ID: <20170104121425.GP14217@n2100.armlinux.org.uk> (raw)
In-Reply-To: <alpine.DEB.2.20.1701041242080.3073@hadrien>
On Wed, Jan 04, 2017 at 12:43:32PM +0100, Julia Lawall wrote:
> > The question was whether the point to the rtc_class_ops could be made
> > __ro_after_init. And Russell is right, it is pointed to by the ops
> > pointer in a struct rtc_device and that struct is dynamically allocated
> > in rtc_device_register().
>
> OK, I think it's a terminology issue. You mean the structure that
> contains the pointer, and not the pointer itself, which is already const.
That statement is really ambiguous, and really doesn't help the cause -
we have several structures here which contain pointers and it's far from
clear which you're talking about:
- The armada38x_rtc_ops and armada38x_rtc_ops_noirq structures contain
pointers to functions.
- The dynamically allocated struct rtc_device contains an ops pointer,
which will point at one or other of these two structures.
Now, as soon as we make armada38x_rtc_ops and armada38x_rtc_ops_noirq
const, if the pointer is passed through any function call where the
argument is not also marked const, or is assigned to a pointer that is
not marked const (without an explicit cast), the compiler will complain.
Remember that a const pointer (iow, const void *ptr) is just a hint to
the compiler that "ptr" _may_ point at read-only data, and dereferences
of the pointer are not allowed to write - it's just syntactic checking.
Given that this is stuff we should all know, I'm not quite sure what
people are getting in a tiz over... I'm finding it worrying that I'm
even writing this mail, reviewing this stuff! _Really_ worried that
Kees even brought it up in the first place - I suspect that came from
a misunderstanding of my suggestion which is why I later provided the
suggestion in patch form.
What I suggested, and what my patch does is:
1. It places both the armada38x_rtc_ops and armada38x_rtc_ops_noirq
structures into the .rodata section, which will be protected from
writes by hardware when appropriate kernel options are enabled.
2. The driver does _not_ store a local pointer to this memory at a
static address which could be subsequently modified (*).
3. The only pointer to this memory is during driver initialisation
(which may well reside in a CPU register only) before being passed
to the RTC subsystem.
4. The RTC subsystem dynamically allocates a struct rtc_device
structure (in rtc_device_register()) where it eventually stores
this pointer. This pointer is already marked const. This structure
contains read/write data, and can't be marked read-only, just in the
same way as "struct file" can't be.
The whole __ro_after_init thing is completely irrelevant and a total
distraction at this point - there is nothing that you could add a
__ro_after_init annotation to after my patch in regard of these ops
structures.
* - however, a compiler may decide to store the addresses of these
structures as a literal constant near the function, but with RONX
protection for the .text section, this memory is also read-only, and
so can't be modified.
--
RMK's Patch system: http://www.armlinux.org.uk/developer/patches/
FTTC broadband for 0.8mile line: currently at 9.6Mbps down 400kbps up
according to speedtest.net.
WARNING: multiple messages have this Message-ID (diff)
From: Russell King - ARM Linux <linux@armlinux.org.uk>
To: Julia Lawall <julia.lawall@lip6.fr>
Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>,
Kees Cook <keescook@chromium.org>,
andrew@lunn.ch, Jason Cooper <jason@lakedaemon.net>,
rtc-linux@googlegroups.com, a.zummo@towertech.it,
LKML <linux-kernel@vger.kernel.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
gregory.clement@free-electrons.com,
Bhumika Goyal <bhumirks@gmail.com>,
sebastian.hesselbarth@gmail.com
Subject: [rtc-linux] Re: [PATCH] rtc: armada38x: add __ro_after_init to armada38x_rtc_ops
Date: Wed, 4 Jan 2017 12:14:25 +0000 [thread overview]
Message-ID: <20170104121425.GP14217@n2100.armlinux.org.uk> (raw)
In-Reply-To: <alpine.DEB.2.20.1701041242080.3073@hadrien>
On Wed, Jan 04, 2017 at 12:43:32PM +0100, Julia Lawall wrote:
> > The question was whether the point to the rtc_class_ops could be made
> > __ro_after_init. And Russell is right, it is pointed to by the ops
> > pointer in a struct rtc_device and that struct is dynamically allocated
> > in rtc_device_register().
>
> OK, I think it's a terminology issue. You mean the structure that
> contains the pointer, and not the pointer itself, which is already const.
That statement is really ambiguous, and really doesn't help the cause -
we have several structures here which contain pointers and it's far from
clear which you're talking about:
- The armada38x_rtc_ops and armada38x_rtc_ops_noirq structures contain
pointers to functions.
- The dynamically allocated struct rtc_device contains an ops pointer,
which will point at one or other of these two structures.
Now, as soon as we make armada38x_rtc_ops and armada38x_rtc_ops_noirq
const, if the pointer is passed through any function call where the
argument is not also marked const, or is assigned to a pointer that is
not marked const (without an explicit cast), the compiler will complain.
Remember that a const pointer (iow, const void *ptr) is just a hint to
the compiler that "ptr" _may_ point at read-only data, and dereferences
of the pointer are not allowed to write - it's just syntactic checking.
Given that this is stuff we should all know, I'm not quite sure what
people are getting in a tiz over... I'm finding it worrying that I'm
even writing this mail, reviewing this stuff! _Really_ worried that
Kees even brought it up in the first place - I suspect that came from
a misunderstanding of my suggestion which is why I later provided the
suggestion in patch form.
What I suggested, and what my patch does is:
1. It places both the armada38x_rtc_ops and armada38x_rtc_ops_noirq
structures into the .rodata section, which will be protected from
writes by hardware when appropriate kernel options are enabled.
2. The driver does _not_ store a local pointer to this memory at a
static address which could be subsequently modified (*).
3. The only pointer to this memory is during driver initialisation
(which may well reside in a CPU register only) before being passed
to the RTC subsystem.
4. The RTC subsystem dynamically allocates a struct rtc_device
structure (in rtc_device_register()) where it eventually stores
this pointer. This pointer is already marked const. This structure
contains read/write data, and can't be marked read-only, just in the
same way as "struct file" can't be.
The whole __ro_after_init thing is completely irrelevant and a total
distraction at this point - there is nothing that you could add a
__ro_after_init annotation to after my patch in regard of these ops
structures.
* - however, a compiler may decide to store the addresses of these
structures as a literal constant near the function, but with RONX
protection for the .text section, this memory is also read-only, and
so can't be modified.
--
RMK's Patch system: http://www.armlinux.org.uk/developer/patches/
FTTC broadband for 0.8mile line: currently at 9.6Mbps down 400kbps up
according to speedtest.net.
--
You received this message because you are subscribed to "rtc-linux".
Membership options at http://groups.google.com/group/rtc-linux .
Please read http://groups.google.com/group/rtc-linux/web/checklist
before submitting a driver.
---
You received this message because you are subscribed to the Google Groups "rtc-linux" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rtc-linux+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
WARNING: multiple messages have this Message-ID (diff)
From: linux@armlinux.org.uk (Russell King - ARM Linux)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH] rtc: armada38x: add __ro_after_init to armada38x_rtc_ops
Date: Wed, 4 Jan 2017 12:14:25 +0000 [thread overview]
Message-ID: <20170104121425.GP14217@n2100.armlinux.org.uk> (raw)
In-Reply-To: <alpine.DEB.2.20.1701041242080.3073@hadrien>
On Wed, Jan 04, 2017 at 12:43:32PM +0100, Julia Lawall wrote:
> > The question was whether the point to the rtc_class_ops could be made
> > __ro_after_init. And Russell is right, it is pointed to by the ops
> > pointer in a struct rtc_device and that struct is dynamically allocated
> > in rtc_device_register().
>
> OK, I think it's a terminology issue. You mean the structure that
> contains the pointer, and not the pointer itself, which is already const.
That statement is really ambiguous, and really doesn't help the cause -
we have several structures here which contain pointers and it's far from
clear which you're talking about:
- The armada38x_rtc_ops and armada38x_rtc_ops_noirq structures contain
pointers to functions.
- The dynamically allocated struct rtc_device contains an ops pointer,
which will point at one or other of these two structures.
Now, as soon as we make armada38x_rtc_ops and armada38x_rtc_ops_noirq
const, if the pointer is passed through any function call where the
argument is not also marked const, or is assigned to a pointer that is
not marked const (without an explicit cast), the compiler will complain.
Remember that a const pointer (iow, const void *ptr) is just a hint to
the compiler that "ptr" _may_ point at read-only data, and dereferences
of the pointer are not allowed to write - it's just syntactic checking.
Given that this is stuff we should all know, I'm not quite sure what
people are getting in a tiz over... I'm finding it worrying that I'm
even writing this mail, reviewing this stuff! _Really_ worried that
Kees even brought it up in the first place - I suspect that came from
a misunderstanding of my suggestion which is why I later provided the
suggestion in patch form.
What I suggested, and what my patch does is:
1. It places both the armada38x_rtc_ops and armada38x_rtc_ops_noirq
structures into the .rodata section, which will be protected from
writes by hardware when appropriate kernel options are enabled.
2. The driver does _not_ store a local pointer to this memory at a
static address which could be subsequently modified (*).
3. The only pointer to this memory is during driver initialisation
(which may well reside in a CPU register only) before being passed
to the RTC subsystem.
4. The RTC subsystem dynamically allocates a struct rtc_device
structure (in rtc_device_register()) where it eventually stores
this pointer. This pointer is already marked const. This structure
contains read/write data, and can't be marked read-only, just in the
same way as "struct file" can't be.
The whole __ro_after_init thing is completely irrelevant and a total
distraction at this point - there is nothing that you could add a
__ro_after_init annotation to after my patch in regard of these ops
structures.
* - however, a compiler may decide to store the addresses of these
structures as a literal constant near the function, but with RONX
protection for the .text section, this memory is also read-only, and
so can't be modified.
--
RMK's Patch system: http://www.armlinux.org.uk/developer/patches/
FTTC broadband for 0.8mile line: currently at 9.6Mbps down 400kbps up
according to speedtest.net.
next prev parent reply other threads:[~2017-01-04 12:15 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-26 11:31 [PATCH] rtc: armada38x: add __ro_after_init to armada38x_rtc_ops Bhumika Goyal
2016-12-26 11:31 ` Bhumika Goyal
2016-12-26 11:31 ` [rtc-linux] " Bhumika Goyal
2017-01-02 14:06 ` Russell King - ARM Linux
2017-01-02 14:06 ` Russell King - ARM Linux
2017-01-02 14:06 ` [rtc-linux] " Russell King - ARM Linux
2017-01-03 21:18 ` Kees Cook
2017-01-03 21:18 ` Kees Cook
2017-01-03 21:18 ` [rtc-linux] " Kees Cook
2017-01-03 21:31 ` Russell King - ARM Linux
2017-01-03 21:31 ` Russell King - ARM Linux
2017-01-03 21:31 ` [rtc-linux] " Russell King - ARM Linux
2017-01-03 21:54 ` Russell King - ARM Linux
2017-01-03 21:54 ` Russell King - ARM Linux
2017-01-03 21:54 ` [rtc-linux] " Russell King - ARM Linux
2017-01-04 10:57 ` Julia Lawall
2017-01-04 10:57 ` Julia Lawall
2017-01-04 10:57 ` [rtc-linux] " Julia Lawall
2017-01-04 11:07 ` Alexandre Belloni
2017-01-04 11:07 ` Alexandre Belloni
2017-01-04 11:07 ` [rtc-linux] " Alexandre Belloni
2017-01-04 11:43 ` Julia Lawall
2017-01-04 11:43 ` Julia Lawall
2017-01-04 11:43 ` [rtc-linux] " Julia Lawall
2017-01-04 12:14 ` Russell King - ARM Linux [this message]
2017-01-04 12:14 ` Russell King - ARM Linux
2017-01-04 12:14 ` [rtc-linux] " Russell King - ARM Linux
2017-01-04 12:23 ` Julia Lawall
2017-01-04 12:23 ` Julia Lawall
2017-01-04 12:23 ` [rtc-linux] " Julia Lawall
2017-01-04 13:06 ` Russell King - ARM Linux
2017-01-04 13:06 ` Russell King - ARM Linux
2017-01-04 13:06 ` [rtc-linux] " Russell King - ARM Linux
2017-01-04 13:41 ` Julia Lawall
2017-01-04 13:41 ` Julia Lawall
2017-01-04 13:41 ` [rtc-linux] " Julia Lawall
2017-01-04 21:53 ` Kees Cook
2017-01-04 21:53 ` Kees Cook
2017-01-04 21:53 ` [rtc-linux] " Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170104121425.GP14217@n2100.armlinux.org.uk \
--to=linux@armlinux.org.uk \
--cc=a.zummo@towertech.it \
--cc=alexandre.belloni@free-electrons.com \
--cc=andrew@lunn.ch \
--cc=bhumirks@gmail.com \
--cc=gregory.clement@free-electrons.com \
--cc=jason@lakedaemon.net \
--cc=julia.lawall@lip6.fr \
--cc=keescook@chromium.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rtc-linux@googlegroups.com \
--cc=sebastian.hesselbarth@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.