Re: [PATCH v3 01/17] y2038: asm-generic: Extend sysvipc data structures

2018-04-20 Thread Arnd Bergmann
On Fri, Apr 20, 2018 at 12:12 AM, Eric W. Biederman wrote:
> Arnd Bergmann writes:
>
>> On Thu, Apr 19, 2018 at 5:20 PM, Arnd Bergmann wrote:
>>> On Thu, Apr 19, 2018 at 4:59 PM, Eric W. Biederman wrote:
>>>> I suspect you want to use __kernel_ulong_t here instead of a raw
>>>> unsigned long.  If nothing else it seems inconsistent to use typedefs
>>>> in one half of the structure and no typedefs in the other half.
>>>
>>> Good catch, there is definitely something wrong here, but I think using
>>> __kernel_ulong_t for all members would also be wrong, as that
>>> still changes the layout on x32, which effectively is
>>>
>>> struct msqid64_ds {
>>>  ipc64_perm msg_perm;
>>>  u64 msg_stime;
>>>  u32 __unused1;
>>>  /* 32 bit implicit padding */
>>>  u64 msg_rtime;
>>>  u32 __unused2;
>>>  /* 32 bit implicit padding */
>>>  u64 msg_ctime;
>>>  u32 __unused3;
>>>  /* 32 bit implicit padding */
>>>  __kernel_pid_t  shm_cpid;   /* pid of creator */
>>>  __kernel_pid_t  shm_lpid;   /* pid of last operator */
>>>  
>>> };
>>>
>>> The choices here would be to either use a mix of
>>> __kernel_ulong_t and unsigned long, or taking the x32
>>> version back into arch/x86/include/uapi/asm/ so the
>>> generic version at least makes some sense.
>>>
>>> I can't use __kernel_time_t for the lower half on 32-bit
>>> since it really should be unsigned.
>>
>> After thinking about it some more, I conclude that the structure is simply
>> incorrect on x32: The __kernel_ulong_t usage was introduced in 2013
>> in commit b9cd5ca22d67 ("uapi: Use __kernel_ulong_t in struct
>> msqid64_ds") and apparently was correct initially as __BITS_PER_LONG
>> evaluated to 64, but it broke with commit f4b4aae18288 ("x86/headers/uapi:
>> Fix __BITS_PER_LONG value for x32 builds") that changed the value
>> of __BITS_PER_LONG and introduced the extra padding in 2015.
>>
>> The same change apparently also broke a lot of other definitions, e.g.
>>
>> $ echo "#include " | gcc -mx32 -E -xc - | grep -A3 __kernel_size_t
>> typedef unsigned int __kernel_size_t;
>> typedef int __kernel_ssize_t;
>> typedef int __kernel_ptrdiff_t;
>>
>> Those used to be defined as 'unsigned long long' and 'long long'
>> respectively, so now all kernel interfaces using those on x32
>> became incompatible!
>
> Is this just for the uapi header as seen by userspace?  I expect we are
> using a normal kernel interface with 64bit longs and 64bit pointers
> when we build the kernel.

Yes, that patch shouldn't have changed anything in the kernel, which
continues to be built with __BITS_PER_LONG=64. I haven't
checked the vdso, which is the only bit of the kernel that gets built
with -mx32, but I assume it's fine as well.

> If this is just a header as seen from userspace mess it seems
> unfortunate but fixable.

Right. I'll fix the IPC stuff for this series to make it work with
any value of __BITS_PER_LONG on x32, but I don't plan to
do anything about the rest of x32. The patch that caused the
problem was intended as a bugfix, so we can't just revert it
without first understanding how to properly fix the original bug,
and which other interfaces have now come to rely on
__BITS_PER_LONG=32 for x32.

Adding a few other folks that have been involved in the x32
kernel support or the Debian port in the past. Maybe one of
them is motivated to figure out how to fix this properly.

   Arnd


Re: [PATCH v3 01/17] y2038: asm-generic: Extend sysvipc data structures

2018-04-19 Thread Eric W. Biederman
Arnd Bergmann writes:

> On Thu, Apr 19, 2018 at 5:20 PM, Arnd Bergmann wrote:
>> On Thu, Apr 19, 2018 at 4:59 PM, Eric W. Biederman wrote:
>>> I suspect you want to use __kernel_ulong_t here instead of a raw
>>> unsigned long.  If nothing else it seems inconsistent to use typedefs
>>> in one half of the structure and no typedefs in the other half.
>>
>> Good catch, there is definitely something wrong here, but I think using
>> __kernel_ulong_t for all members would also be wrong, as that
>> still changes the layout on x32, which effectively is
>>
>> struct msqid64_ds {
>>  ipc64_perm msg_perm;
>>  u64 msg_stime;
>>  u32 __unused1;
>>  /* 32 bit implicit padding */
>>  u64 msg_rtime;
>>  u32 __unused2;
>>  /* 32 bit implicit padding */
>>  u64 msg_ctime;
>>  u32 __unused3;
>>  /* 32 bit implicit padding */
>>  __kernel_pid_t  shm_cpid;   /* pid of creator */
>>  __kernel_pid_t  shm_lpid;   /* pid of last operator */
>>  
>> };
>>
>> The choices here would be to either use a mix of
>> __kernel_ulong_t and unsigned long, or taking the x32
>> version back into arch/x86/include/uapi/asm/ so the
>> generic version at least makes some sense.
>>
>> I can't use __kernel_time_t for the lower half on 32-bit
>> since it really should be unsigned.
>
> After thinking about it some more, I conclude that the structure is simply
> incorrect on x32: The __kernel_ulong_t usage was introduced in 2013
> in commit b9cd5ca22d67 ("uapi: Use __kernel_ulong_t in struct
> msqid64_ds") and apparently was correct initially as __BITS_PER_LONG
> evaluated to 64, but it broke with commit f4b4aae18288 ("x86/headers/uapi:
> Fix __BITS_PER_LONG value for x32 builds") that changed the value
> of __BITS_PER_LONG and introduced the extra padding in 2015.
>
> The same change apparently also broke a lot of other definitions, e.g.
>
> $ echo "#include " | gcc -mx32 -E -xc - | grep -A3 __kernel_size_t
> typedef unsigned int __kernel_size_t;
> typedef int __kernel_ssize_t;
> typedef int __kernel_ptrdiff_t;
>
> Those used to be defined as 'unsigned long long' and 'long long'
> respectively, so now all kernel interfaces using those on x32
> became incompatible!

That seems like a real mess.

Is this just for the uapi header as seen by userspace?  I expect we are
using a normal kernel interface with 64bit longs and 64bit pointers
when we build the kernel.

If this is just a header as seen from userspace mess it seems
unfortunate but fixable.

Eric


Re: [PATCH v3 01/17] y2038: asm-generic: Extend sysvipc data structures

2018-04-19 Thread Arnd Bergmann
On Thu, Apr 19, 2018 at 5:20 PM, Arnd Bergmann wrote:
> On Thu, Apr 19, 2018 at 4:59 PM, Eric W. Biederman wrote:
>> I suspect you want to use __kernel_ulong_t here instead of a raw
>> unsigned long.  If nothing else it seems inconsistent to use typedefs
>> in one half of the structure and no typedefs in the other half.
>
> Good catch, there is definitely something wrong here, but I think using
> __kernel_ulong_t for all members would also be wrong, as that
> still changes the layout on x32, which effectively is
>
> struct msqid64_ds {
>  ipc64_perm msg_perm;
>  u64 msg_stime;
>  u32 __unused1;
>  /* 32 bit implicit padding */
>  u64 msg_rtime;
>  u32 __unused2;
>  /* 32 bit implicit padding */
>  u64 msg_ctime;
>  u32 __unused3;
>  /* 32 bit implicit padding */
>  __kernel_pid_t  shm_cpid;   /* pid of creator */
>  __kernel_pid_t  shm_lpid;   /* pid of last operator */
>  
> };
>
> The choices here would be to either use a mix of
> __kernel_ulong_t and unsigned long, or taking the x32
> version back into arch/x86/include/uapi/asm/ so the
> generic version at least makes some sense.
>
> I can't use __kernel_time_t for the lower half on 32-bit
> since it really should be unsigned.

After thinking about it some more, I conclude that the structure is simply
incorrect on x32: The __kernel_ulong_t usage was introduced in 2013
in commit b9cd5ca22d67 ("uapi: Use __kernel_ulong_t in struct
msqid64_ds") and apparently was correct initially as __BITS_PER_LONG
evaluated to 64, but it broke with commit f4b4aae18288 ("x86/headers/uapi:
Fix __BITS_PER_LONG value for x32 builds") that changed the value
of __BITS_PER_LONG and introduced the extra padding in 2015.

The same change apparently also broke a lot of other definitions, e.g.

$ echo "#include " | gcc -mx32 -E -xc - | grep -A3 __kernel_size_t
typedef unsigned int __kernel_size_t;
typedef int __kernel_ssize_t;
typedef int __kernel_ptrdiff_t;

Those used to be defined as 'unsigned long long' and 'long long'
respectively, so now all kernel interfaces using those on x32
became incompatible!

   Arnd


Re: [PATCH v3 01/17] y2038: asm-generic: Extend sysvipc data structures

2018-04-19 Thread Arnd Bergmann
On Thu, Apr 19, 2018 at 4:59 PM, Eric W. Biederman wrote:
> Arnd Bergmann writes:
>>
>>  struct msqid64_ds {
>>   struct ipc64_perm msg_perm;
>> +#if __BITS_PER_LONG == 64
>>   __kernel_time_t msg_stime;  /* last msgsnd time */
>> -#if __BITS_PER_LONG != 64
>> - unsigned long   __unused1;
>> -#endif
>>   __kernel_time_t msg_rtime;  /* last msgrcv time */
>> -#if __BITS_PER_LONG != 64
>> - unsigned long   __unused2;
>> -#endif
>>   __kernel_time_t msg_ctime;  /* last change time */
>> -#if __BITS_PER_LONG != 64
>> - unsigned long   __unused3;
>> +#else
>> + unsigned long   msg_stime;  /* last msgsnd time */
>> + unsigned long   msg_stime_high;
>> + unsigned long   msg_rtime;  /* last msgrcv time */
>> + unsigned long   msg_rtime_high;
>> + unsigned long   msg_ctime;  /* last change time */
>> + unsigned long   msg_ctime_high;
>>  #endif
>
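Review bot: the three new members in the `#else` branch, `msg_stime_high`, `msg_rtime_high` and `msg_ctime_high`, carry no trailing comment, while each low word next to them keeps one. A short comment on each, for example `/* upper 32 bits of msg_stime */`, would tell a reader of the header that these are halves of one value and not independent fields.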
> I suspect you want to use __kernel_ulong_t here instead of a raw
> unsigned long.  If nothing else it seems inconsistent to use typedefs
> in one half of the structure and no typedefs in the other half.

Good catch, there is definitely something wrong here, but I think using
__kernel_ulong_t for all members would also be wrong, as that
still changes the layout on x32, which effectively is

struct msqid64_ds {
 ipc64_perm msg_perm;
 u64 msg_stime;
 u32 __unused1;
 /* 32 bit implicit padding */
 u64 msg_rtime;
 u32 __unused2;
 /* 32 bit implicit padding */
 u64 msg_ctime;
 u32 __unused3;
 /* 32 bit implicit padding */
 __kernel_pid_t  shm_cpid;   /* pid of creator */
 __kernel_pid_t  shm_lpid;   /* pid of last operator */
 
};

The choices here would be to either use a mix of
__kernel_ulong_t and unsigned long, or taking the x32
version back into arch/x86/include/uapi/asm/ so the
generic version at least makes some sense.

I can't use __kernel_time_t for the lower half on 32-bit
since it really should be unsigned.

Arnd
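
An added illustration, not code from this thread or from the kernel: the x32 layout mismatch described in the message above, together with the low/high reconstruction implied by the `*_high` members in the quoted hunk. The struct and function names are hypothetical, fixed-width types stand in for the kernel typedefs, and `msg_perm` is left out so that offsets are relative to the first time member.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Time members as a 64-bit kernel lays them out (__BITS_PER_LONG == 64). */
struct times_kernel64 {
    int64_t stime, rtime, ctime;
};

/* Time members as x32 user space ends up seeing them per the message above:
 * 64-bit time, 32-bit __unusedN, then 4 bytes of implicit padding.
 * _Alignas(8) pins that alignment rule on any build host. */
struct times_x32_view {
    _Alignas(8) uint64_t stime; uint32_t unused1;
    _Alignas(8) uint64_t rtime; uint32_t unused2;
    _Alignas(8) uint64_t ctime; uint32_t unused3;
};

/* The patch's 32-bit branch: a low word followed by a *_high word. */
struct times_split32 {
    uint32_t stime, stime_high, rtime, rtime_high, ctime, ctime_high;
};

/* Compile-time guard: the split form must stay the size of the 64-bit form. */
_Static_assert(sizeof(struct times_split32) == sizeof(struct times_kernel64),
               "split32 and kernel64 time blocks must have equal size");

size_t rtime_offset_kernel64(void) { return offsetof(struct times_kernel64, rtime); }
size_t rtime_offset_x32_view(void) { return offsetof(struct times_x32_view, rtime); }

/* Copy what the kernel wrote into the x32 view and return the value
 * user space would then read as rtime. */
int64_t rtime_seen_through_x32_view(int64_t stime, int64_t rtime, int64_t ctime)
{
    struct times_kernel64 k = { stime, rtime, ctime };
    struct times_x32_view u;

    memset(&u, 0, sizeof(u));
    memcpy(&u, &k, sizeof(k));  /* the kernel fills only its own, smaller layout */
    return (int64_t)u.rtime;
}

/* Rebuild a signed 64-bit time from the low/high words. The shift is done
 * on an unsigned type so a negative time (high word 0xffffffff) does not
 * shift into the sign bit of a signed value. */
int64_t join_time(uint32_t low, uint32_t high)
{
    return (int64_t)(((uint64_t)high << 32) | low);
}

int main(void)
{
    /* Exit status 0 means the two layouts disagree about where rtime lives. */
    return rtime_offset_kernel64() == rtime_offset_x32_view();
}
```

With the sample values 1, 2, 3 the x32 view reports the kernel's ctime as rtime, which is the kind of silent field shift a `_Static_assert` on `offsetof` in the uapi consumer would catch at build time.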


Re: [PATCH v3 01/17] y2038: asm-generic: Extend sysvipc data structures

2018-04-19 Thread Eric W. Biederman
Arnd Bergmann writes:

> Most architectures now use the asm-generic copy of the sysvipc data
> structures (msqid64_ds, semid64_ds, shmid64_ds), which use 32-bit
> __kernel_time_t on 32-bit architectures but have padding behind them to
> allow extending the type to 64-bit.
>
> Unfortunately, that fails on all big-endian architectures, which have the
> padding on the wrong side. As so many of them get it wrong, we decided to
> not bother even trying to fix it up when we introduced the asm-generic
> copy. Instead we always use the padding word now to provide the upper
> 32 bits of the seconds value, regardless of the endianness.
>
> A libc implementation on a typical big-endian system can deal with
> this by providing its own copy of the structure definition to user
> space, and swapping the two 32-bit words before returning from the
> semctl/shmctl/msgctl system calls.
>
> ARM64 and s/390 are architectures that use these generic headers and
> also provide support for compat mode on 64-bit kernels, so we adapt
> their copies here as well.
>
> Signed-off-by: Arnd Bergmann 
> ---
>  include/uapi/asm-generic/msgbuf.h | 17 -
>  include/uapi/asm-generic/sembuf.h | 26 --
>  include/uapi/asm-generic/shmbuf.h | 17 -
>  3 files changed, 32 insertions(+), 28 deletions(-)
>
> diff --git a/include/uapi/asm-generic/msgbuf.h 
> b/include/uapi/asm-generic/msgbuf.h
> index fb306ebdb36f..d2169cae93b8 100644
> --- a/include/uapi/asm-generic/msgbuf.h
> +++ b/include/uapi/asm-generic/msgbuf.h
> @@ -18,23 +18,22 @@
>   * On big-endian systems, the padding is in the wrong place.
>   *
>   * Pad space is left for:
> - * - 64-bit time_t to solve y2038 problem
>   * - 2 miscellaneous 32-bit values
>   */
>  
>  struct msqid64_ds {
>   struct ipc64_perm msg_perm;
> +#if __BITS_PER_LONG == 64
>   __kernel_time_t msg_stime;  /* last msgsnd time */
> -#if __BITS_PER_LONG != 64
> - unsigned long   __unused1;
> -#endif
>   __kernel_time_t msg_rtime;  /* last msgrcv time */
> -#if __BITS_PER_LONG != 64
> - unsigned long   __unused2;
> -#endif
>   __kernel_time_t msg_ctime;  /* last change time */
> -#if __BITS_PER_LONG != 64
> - unsigned long   __unused3;
> +#else
> + unsigned long   msg_stime;  /* last msgsnd time */
> + unsigned long   msg_stime_high;
> + unsigned long   msg_rtime;  /* last msgrcv time */
> + unsigned long   msg_rtime_high;
> + unsigned long   msg_ctime;  /* last change time */
> + unsigned long   msg_ctime_high;
>  #endif

I suspect you want to use __kernel_ulong_t here instead of a raw
unsigned long.  If nothing else it seems inconsistent to use typedefs
in one half of the structure and no typedefs in the other half.

>   __kernel_ulong_t msg_cbytes;/* current number of bytes on queue */
>   __kernel_ulong_t msg_qnum;  /* number of messages in queue */
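Review bot: in the `#else` branch `msg_stime`, `msg_rtime` and `msg_ctime` keep their names but change type from `__kernel_time_t` to `unsigned long`, so on a 32-bit build the same member name now holds only the low word of the time, and nothing in the header says so. If the low word is meant to be unsigned, state that next to the `#else`, and say that each one has to be combined with its `*_high` partner before it is used as a time.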
> diff --git a/include/uapi/asm-generic/sembuf.h 
> b/include/uapi/asm-generic/sembuf.h
> index cbf9cfe977d6..0bae010f1b64 100644
> --- a/include/uapi/asm-generic/sembuf.h
> +++ b/include/uapi/asm-generic/sembuf.h
> @@ -13,23 +13,29 @@
>   * everyone just ended up making identical copies without specific
>   * optimizations, so we may just as well all use the same one.
>   *
> - * 64 bit architectures typically define a 64 bit __kernel_time_t,
> + * 64 bit architectures use a 64-bit __kernel_time_t here, while
> + * 32 bit architectures have a pair of unsigned long values.
>   * so they do not need the first two padding words.
> - * On big-endian systems, the padding is in the wrong place.
>   *
> - * Pad space is left for:
> - * - 64-bit time_t to solve y2038 problem
> - * - 2 miscellaneous 32-bit values
> + * On big-endian systems, the padding is in the wrong place for
> + * historic reasons, so user space has to reconstruct a time_t
> + * value using
> + *
> + * user_semid_ds.sem_otime = kernel_semid64_ds.sem_otime +
> + *   ((long long)kernel_semid64_ds.sem_otime_high << 32)
> + *
> + * Pad space is left for 2 miscellaneous 32-bit values
>   */
>  struct semid64_ds {
>   struct ipc64_perm sem_perm; /* permissions .. see ipc.h */
> +#if __BITS_PER_LONG == 64
>   __kernel_time_t sem_otime;  /* last semop time */
> -#if __BITS_PER_LONG != 64
> - unsigned long   __unused1;
> -#endif
>   __kernel_time_t sem_ctime;  /* last change time */
> -#if __BITS_PER_LONG != 64
> - unsigned long   __unused2;
> +#else
> + unsigned long   sem_otime;  /* last semop time */
> + unsigned long   sem_otime_high;
> + unsigned long   sem_ctime;  /* last change time */
> + unsigned long   sem_ctime_high;
>  #endif
>   unsigned long   sem_nsems;  /* no. of semaphores in array */
>   unsigned long   __unused3;
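Review bot: the reconstruction formula added to the comment casts `sem_otime_high` to `long long` before `<< 32`, which shifts into the sign bit of a signed type whenever the top bit of the high word is set, as it is for any negative 64-bit time. User space is likely to copy this expression, so write it with an unsigned 64-bit intermediate and convert to the signed type last. The sentence introducing it also ties the reconstruction to big-endian systems, although the `#else` branch below applies to every configuration where `__BITS_PER_LONG` is not 64.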
> diff --git a/include/uapi/asm-generic/shmbuf.h 
> b/include/uapi/asm-generic/shmbuf.h
> index 2b6c3bb97f97..602f1b5b462b 100644
> --- a/include/uapi/asm-generic/shmbuf

[PATCH v3 01/17] y2038: asm-generic: Extend sysvipc data structures

2018-04-19 Thread Arnd Bergmann
Most architectures now use the asm-generic copy of the sysvipc data
structures (msqid64_ds, semid64_ds, shmid64_ds), which use 32-bit
__kernel_time_t on 32-bit architectures but have padding behind them to
allow extending the type to 64-bit.

Unfortunately, that fails on all big-endian architectures, which have the
padding on the wrong side. As so many of them get it wrong, we decided to
not bother even trying to fix it up when we introduced the asm-generic
copy. Instead we always use the padding word now to provide the upper
32 bits of the seconds value, regardless of the endianness.

A libc implementation on a typical big-endian system can deal with
this by providing its own copy of the structure definition to user
space, and swapping the two 32-bit words before returning from the
semctl/shmctl/msgctl system calls.

ARM64 and s/390 are architectures that use these generic headers and
also provide support for compat mode on 64-bit kernels, so we adapt
their copies here as well.

Signed-off-by: Arnd Bergmann 
---
 include/uapi/asm-generic/msgbuf.h | 17 -
 include/uapi/asm-generic/sembuf.h | 26 --
 include/uapi/asm-generic/shmbuf.h | 17 -
 3 files changed, 32 insertions(+), 28 deletions(-)

diff --git a/include/uapi/asm-generic/msgbuf.h 
b/include/uapi/asm-generic/msgbuf.h
index fb306ebdb36f..d2169cae93b8 100644
--- a/include/uapi/asm-generic/msgbuf.h
+++ b/include/uapi/asm-generic/msgbuf.h
@@ -18,23 +18,22 @@
  * On big-endian systems, the padding is in the wrong place.
  *
  * Pad space is left for:
- * - 64-bit time_t to solve y2038 problem
  * - 2 miscellaneous 32-bit values
  */
 
 struct msqid64_ds {
struct ipc64_perm msg_perm;
+#if __BITS_PER_LONG == 64
__kernel_time_t msg_stime;  /* last msgsnd time */
-#if __BITS_PER_LONG != 64
-   unsigned long   __unused1;
-#endif
__kernel_time_t msg_rtime;  /* last msgrcv time */
-#if __BITS_PER_LONG != 64
-   unsigned long   __unused2;
-#endif
__kernel_time_t msg_ctime;  /* last change time */
-#if __BITS_PER_LONG != 64
-   unsigned long   __unused3;
+#else
+   unsigned long   msg_stime;  /* last msgsnd time */
+   unsigned long   msg_stime_high;
+   unsigned long   msg_rtime;  /* last msgrcv time */
+   unsigned long   msg_rtime_high;
+   unsigned long   msg_ctime;  /* last change time */
+   unsigned long   msg_ctime_high;
 #endif
__kernel_ulong_t msg_cbytes;/* current number of bytes on queue */
__kernel_ulong_t msg_qnum;  /* number of messages in queue */
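Review bot: the comment block above `struct msqid64_ds` loses the y2038 bullet but gains nothing about the `msg_*_high` words, and still says only that the padding is in the wrong place on big-endian systems. The sembuf.h hunk in this same patch documents how user space rebuilds the 64-bit value from the two words; the same paragraph, with the `msg_` names, belongs here so that the three headers stay consistent.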
diff --git a/include/uapi/asm-generic/sembuf.h 
b/include/uapi/asm-generic/sembuf.h
index cbf9cfe977d6..0bae010f1b64 100644
--- a/include/uapi/asm-generic/sembuf.h
+++ b/include/uapi/asm-generic/sembuf.h
@@ -13,23 +13,29 @@
  * everyone just ended up making identical copies without specific
  * optimizations, so we may just as well all use the same one.
  *
- * 64 bit architectures typically define a 64 bit __kernel_time_t,
+ * 64 bit architectures use a 64-bit __kernel_time_t here, while
+ * 32 bit architectures have a pair of unsigned long values.
  * so they do not need the first two padding words.
- * On big-endian systems, the padding is in the wrong place.
  *
- * Pad space is left for:
- * - 64-bit time_t to solve y2038 problem
- * - 2 miscellaneous 32-bit values
+ * On big-endian systems, the padding is in the wrong place for
+ * historic reasons, so user space has to reconstruct a time_t
+ * value using
+ *
+ * user_semid_ds.sem_otime = kernel_semid64_ds.sem_otime +
+ * ((long long)kernel_semid64_ds.sem_otime_high << 32)
+ *
+ * Pad space is left for 2 miscellaneous 32-bit values
  */
 struct semid64_ds {
struct ipc64_perm sem_perm; /* permissions .. see ipc.h */
+#if __BITS_PER_LONG == 64
__kernel_time_t sem_otime;  /* last semop time */
-#if __BITS_PER_LONG != 64
-   unsigned long   __unused1;
-#endif
__kernel_time_t sem_ctime;  /* last change time */
-#if __BITS_PER_LONG != 64
-   unsigned long   __unused2;
+#else
+   unsigned long   sem_otime;  /* last semop time */
+   unsigned long   sem_otime_high;
+   unsigned long   sem_ctime;  /* last change time */
+   unsigned long   sem_ctime_high;
 #endif
unsigned long   sem_nsems;  /* no. of semaphores in array */
unsigned long   __unused3;
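Review bot: the unchanged comment line ` * so they do not need the first two padding words.` now follows the new sentence that ends in "a pair of unsigned long values.", so the paragraph no longer parses, and it refers to padding words that the `#else` branch has turned into `sem_otime_high` and `sem_ctime_high`. Drop that line or fold it into the new sentence about 64-bit architectures.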
diff --git a/include/uapi/asm-generic/shmbuf.h 
b/include/uapi/asm-generic/shmbuf.h
index 2b6c3bb97f97..602f1b5b462b 100644
--- a/include/uapi/asm-generic/shmbuf.h
+++ b/include/uapi/asm-generic/shmbuf.h
@@ -19,24 +19,23 @@
  *
  *
  * Pad space is left for:
- * - 64-bit time_t to solve y2038 problem
  * - 2 miscellaneous 32-bit values
  */
 
 struct shmid64_ds {
struct ipc64_perm   shm_perm;   /* operation perms */
size_t  shm_segsz;  /* size of segment (bytes) */
+#if __BITS_PER_LONG == 64
__ke