| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20241028.095030.2023085589483262207.fujita.tomonori@gmail.com>
Date: Mon, 28 Oct 2024 09:50:30 +0900 (JST)
From: FUJITA Tomonori <fujita.tomonori@...il.com>
To: boqun.feng@...il.com
Cc: fujita.tomonori@...il.com, anna-maria@...utronix.de,
frederic@...nel.org, tglx@...utronix.de, jstultz@...gle.com,
sboyd@...nel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
rust-for-linux@...r.kernel.org, andrew@...n.ch, hkallweit1@...il.com,
tmgross@...ch.edu, ojeda@...nel.org, alex.gaynor@...il.com,
gary@...yguo.net, bjorn3_gh@...tonmail.com, benno.lossin@...ton.me,
a.hindborg@...sung.com, aliceryhl@...gle.com, arnd@...db.de
Subject: Re: [PATCH v4 4/7] rust: time: Add wrapper for fsleep function
On Fri, 25 Oct 2024 15:03:37 -0700
Boqun Feng <boqun.feng@...il.com> wrote:
>> +/// Sleeps for a given duration at least.
>> +///
>> +/// Equivalent to the kernel's [`fsleep`], flexible sleep function,
>> +/// which automatically chooses the best sleep method based on a duration.
>> +///
>> +/// The function sleeps infinitely (MAX_JIFFY_OFFSET) if `Delta` is negative
>> +/// or exceedes i32::MAX milliseconds.
>> +///
>
> I know Miguel has made his suggestion:
>
> https://lore.kernel.org/rust-for-linux/CANiq72kWqSCSkUk1efZyAi+0ScNTtfALn+wiJY_aoQefu2TNvg@mail.gmail.com/
>
> , but I think what we should really do here is just panic if `Delta` is
> negative or exceedes i32::MAX milliseconds, and document clearly that
> this function expects `Delta` to be in a certain range, i.e. it's the
> user's responsibility to check. Because:
>
> * You can simply call schedule() with task state set properly to
> "sleep infinitely".
>
> * Most of the users of fsleep() don't need this "sleep infinitely"
> functionality. Instead, they want to sleep with a reasonable
> short time.
I agree with the above reasons but I'm not sure about just panic with
a driver's invalid argument.
Can we just return an error instead?
>> +/// This function can only be used in a nonatomic context.
>> +pub fn fsleep(delta: time::Delta) {
>> + // SAFETY: FFI call.
>> + unsafe {
>> + // Convert the duration to microseconds and round up to preserve
>> + // the guarantee; fsleep sleeps for at least the provided duration,
>> + // but that it may sleep for longer under some circumstances.
>> + bindings::fsleep(delta.as_micros_ceil() as c_ulong)
>
> If delta is 0x10000_0000i64 * 1000_000 (=0xf424000000000i64), which
> exceeds i32::MAX milliseconds, the result of `delta.as_micros_ceil() as
> c_ulong` is:
>
> * 0 on 32bit
> * 0x3e800000000 on 64bit
>
> , if I got my math right. The first is obviously not "sleeps
> infinitely".
>
> Continue on 64bit case, in C's fsleep(), 0x3e800000000 will be cast to
> "int" (to call msleep()), which results as 0, still not "sleep
> infinitely"?
You mean "unsigned int" (to call msleep())?
You are correct that we can't say "the function sleeps infinitely
(MAX_JIFFY_OFFSET) if `Delta` is negative or exceeds i32::MAX
milliseconds.". There are some exceptional ranges.
Considering that Rust-for-Linux might eventually support 32-bit
systems, fsleep's arguments must be less than u32::MAX (usecs).
Additionally, Because of DIV_ROUND_UP (to call msleep()), it must be
less than u32::MAX - 1000. To simplify the expression, the maximum
Delta is u32::MAX / 2 (usecs)? I think that it's long enough for
the users of fsleep().
Powered by blists - more mailing lists