Received: by 10.213.65.68 with SMTP id h4csp1708646imn; Mon, 26 Mar 2018 13:03:02 -0700 (PDT) X-Google-Smtp-Source: AG47ELvbvxisg4mzWP7y6qIG/aPyjXi5OTPVl4d0jEXvKT55ZSG86zmZkUp6hxFwTPXqFIVD1xSr X-Received: by 2002:a17:902:b414:: with SMTP id x20-v6mr15714730plr.165.1522094582233; Mon, 26 Mar 2018 13:03:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522094582; cv=none; d=google.com; s=arc-20160816; b=A5D3K1vtNWLZksrK0fe5eC7nYYLNDl1BJ4c/gflmpo0vjkMno3Tdo2SdUKzccTeYP6 S+4Ipu76QKfCjhkCYCFlMxiGxXCm5M1g9GtOJBRm/M58XJ6fAHEIL502nZ/qlMsk1xKT 6P0v/E3UDMulq1dOZurN9Qd1YybpPZIVsAOoemJdAPYODfUZvHttva32DY1oiNKcdA/I MCw7tWK/RaNHWSzlRxZK5b7J9Sb450/XhmVpvoujO5JMzOFbRhfmm8FSzZEhkjopWL80 2/H4MQfHfzaEARhcMRsAH0wbaVPvCYUoqq+iyFqiW4IRpJ9Y2/zlIDPzpspCJRZXBI+m fQ2g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=5ZFUVDI6TJH5uF1iYk//C87kEpROnKQuYR1RLiZ8+h4=; b=h71Ig7rMMqzDKENH1SThJT8m6reKZHrqTpUnXYSTD8zAYE8ZRDJ+uLPBRai0v51Yo3 jouJcN+XrapkdZjPw6Yee8fspSoL3IHS0k3KEMunsLwhrNZiGoNypcnvTA6u3xqTr+Ig PjZ4SVfRl8TglOdsJ55zRU9WTQPsQyg4iMREnHLCznu8uKY8pPAtBELasHrI7WzTlmUM E+ZvOZXLodgr/zwpV5ipqbtZ7aLQ4dyUSSqyPkIlhv19OgOWQAr7/hd7xDsHH83lfWpK 1nogJ+cA+j4tmBzkd4uvG/mEL2F3UV1yOva6OSBiSUAXW3qErDs4OrkyU74AoA/AIrO1 YIow== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=MLkb99F4; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l6si10425298pgq.562.2018.03.26.13.02.47; Mon, 26 Mar 2018 13:03:02 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=MLkb99F4; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751912AbeCZUBe (ORCPT + 99 others); Mon, 26 Mar 2018 16:01:34 -0400 Received: from mail-qt0-f195.google.com ([209.85.216.195]:38202 "EHLO mail-qt0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751107AbeCZUBc (ORCPT ); Mon, 26 Mar 2018 16:01:32 -0400 Received: by mail-qt0-f195.google.com with SMTP id c23so2334615qtj.5; Mon, 26 Mar 2018 13:01:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=5ZFUVDI6TJH5uF1iYk//C87kEpROnKQuYR1RLiZ8+h4=; b=MLkb99F4kpQar9F6Uma5PDFp38sUu2+s1iomYXRYAgiKvkkXQK6/7ZaI0u5PtORfaX zvfyY0bWJpqfwb1Ryhbf9rxerDgPNXWO5BMOXbc+I8tcl7ClNiV5NSMACxktUjgbS9WW sFOwwET22+kTWKhGgijjzawL521Q1owxIBas4eyxvJ5jypQsjjx3B5zNHkKn0R/kLB6S OpUjhps0ZMIAAEF4O0sgh/yCLKaO/y3iZeVjfuW9vqjaIBcaf9InA9y204bPEI2+OTxJ /JG4uYMmH66V7zZJtoTvu2uwtsHSy2tiQinwKjJcJjCVqPp94rJ6dR2eMcTpExrtxIho okOQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=5ZFUVDI6TJH5uF1iYk//C87kEpROnKQuYR1RLiZ8+h4=; b=meghlvcWQVmVo+JEF788W3Hsnvf9C52vZ9uoYWXrtN46bHmf3jOEHts9jywUvbiW5s E6NVN7+fJLOYqWlMkbFzMWRBPiXX9Y75snd6pg5uZeUWZCLTlV8YtS8mHC+9bMj47TB9 sw1N9eB6v6zKx/bJf0EhzWpZDPvC9yTrvMR/u/s0MIO5vYW8y3jV1eeyS4HxmJ29qL5S 9vjMAAvjdONZTROQEEjYNYLMh9s2H0WvhsfErZVrQBNPWCUtFT2tnkekCRoOfW9c5i7M k2gLvxhK+WycvfTqJ3XH/NdCVgNx9WihNfCKsBTD7otUYitYhySG26EGqChIP/sdaQD6 au2w== X-Gm-Message-State: AElRT7ET673eSCUKT5dKZhULRGt4K84f3bwP4Gsj1jzONEQlEDFEM+ka iBpdLrgFoLIzjFQMkNzw3zelHch30oT+CXBHNS0= X-Received: by 10.200.47.26 with SMTP id j26mr58123690qta.185.1522094491445; Mon, 26 Mar 2018 13:01:31 -0700 (PDT) MIME-Version: 1.0 Received: by 10.12.185.25 with HTTP; Mon, 26 Mar 2018 13:01:30 -0700 (PDT) In-Reply-To: References: <1513172572-16724-1-git-send-email-thunder.leizhen@huawei.com> <20171213141112.GA11217@bombadil.infradead.org> <20171213193100.GA19700@bombadil.infradead.org> <5A31ED86.5000800@huawei.com> <20180102145155.GD8222@bombadil.infradead.org> From: Arnd Bergmann Date: Mon, 26 Mar 2018 22:01:30 +0200 X-Google-Sender-Auth: NQv3E5eP9DAs8CGmglaH_oeOg-4 Message-ID: Subject: Re: [PATCH 1/1] aio: make sure the input "timeout" value is valid To: Jeff Moyer Cc: Matthew Wilcox , "Leizhen (ThunderTown)" , Alexander Viro , Benjamin LaHaise , linux-fsdevel , linux-aio , linux-kernel , Tianhong Ding , Hanjun Guo , Libin , Kefeng Wang , Deepa Dinamani Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jan 12, 2018 at 8:49 PM, Jeff Moyer wrote: > Matthew Wilcox writes: > >> On Thu, Dec 14, 2017 at 11:18:30AM +0800, Leizhen (ThunderTown) wrote: >>> On 2017/12/14 3:31, Matthew Wilcox wrote: >>> > On Wed, Dec 13, 2017 at 11:27:00AM -0500, Jeff Moyer wrote: >>> >> Matthew Wilcox writes: >>> >> >>> >>> On Wed, Dec 13, 2017 at 09:42:52PM +0800, Zhen Lei wrote: >>> >>>> Below information is reported by a lower kernel version, and I saw the >>> >>>> problem still exist in current version. >>> >>> >>> >>> I think you're right, but what an awful interface we have here! >>> >>> The user must not only fetch it, they must validate it separately? >>> >>> And if they forget, then userspace is provoking undefined behaviour? Ugh. >>> >>> Why not this: >>> >> >>> >> Why not go a step further and have get_timespec64 check for validity? >>> >> I wonder what caller doesn't want that to happen... >>> I tried this before. But I found some places call get_timespec64 in the following function. >>> If we do the check in get_timespec64, the check will be duplicated. >>> >>> For example: >>> static long do_pselect(int n, fd_set __user *inp, fd_set __user *outp, >>> .... >>> if (get_timespec64(&ts, tsp)) >>> return -EFAULT; >>> >>> to = &end_time; >>> if (poll_select_set_timeout(to, ts.tv_sec, ts.tv_nsec)) >>> >>> int poll_select_set_timeout(struct timespec64 *to, time64_t sec, long nsec) >>> { >>> struct timespec64 ts = {.tv_sec = sec, .tv_nsec = nsec}; >>> >>> if (!timespec64_valid(&ts)) >>> return -EINVAL; >> >> The check is only two comparisons! Why do we have an interface that can >> cause bugs for the sake of saving *two comparisons*?! Can we talk about >> the cost of a cache miss versus the cost of executing these comparisons? > > Any update on this? Willy, I'd be okay with your get_valid_timespec64 > patch if you wanted to formally submit that. I had suggested a more complete helper function at some point, to take care of all combinations of checking/non-checking, 32/64 bit, microsecond/nanosecond, and zeroing/checking the upper 32 bits of nanoseconds before comparing against 1 billion, but Deepa thought that was overkill, so I didn't continue that. For all I can tell, the get_timespec64() helper should almost always include the check, the one exception I know is utimensat() and related functions that may encode the special UTIME_NOW and UTIME_OMIT constants in the nanoseconds. Arnd