On Tue, Nov 26, 2019 at 12:43 PM Hans Verkuil <hverkuil@xxxxxxxxx> wrote:
> On 11/26/19 12:34 PM, Arnd Bergmann wrote:
> > On Mon, Nov 25, 2019 at 4:52 PM Hans Verkuil <hverkuil@xxxxxxxxx> wrote:
> >>>
> >>> +static inline u64 v4l2_buffer_get_timestamp(const struct v4l2_buffer *buf)
> >>> +{
> >>> + return buf->timestamp.tv_sec * NSEC_PER_SEC +
> >>> + (u32)buf->timestamp.tv_usec * NSEC_PER_USEC;
> >>
> >> Why the (u32) cast?
> >
> > Simple question, long answer:
> >
> > on 32-bit architectures, the tv_usec member may be 32-bit wide plus
> > padding in user space when interpreted as a regular 'struct timeval',
> > but the kernel implementation now sees it as a 64-bit member,
> > with half of it being possibly uninitialized user space data.
> >
> > The 32-bit cast avoids that uninitialized data and ensures user space
> > passing garbage in the upper half gets ignored, as it has to be on 32-bit
> > user space.
>
> But that's only valid for little endian 32 bit systems, right?
> Is this only an issue for x86 platforms?

Uninitialized data is an issue on all 32-bit architectures. The layout
of the new timeval is such that the low 32 bits of tv_sec are in the
same place on both 32-bit and 64-bit architectures of the same
endianness, but if an application initializes the fields individually
without a memset before it, it may still pass invalid data.

> > On 64-bit native user space, the tv_usec field is always 64 bit wide,
> > so this is a change in behavior for denormalized timeval data
> > with tv_usec > U32_MAX, but the current behavior does not appear
> > worth preserving either.
> >
> > The correct way would probably be to return an error for
> > tv_usec >USEC_PER_SEC, but as the code never did that, this
> > would risk a regression for user space that relies on passing
> > invalid timestamps without getting an error.
>
> This long answer needs to be added to a comment to that function.
> Because otherwise someone will come along later and remove that
> seemingly unnecessary cast.
>
> It's OK if it is a long comment, it's a non-trivial reason.

Added this comment now:

/*
 * When the timestamp comes from 32-bit user space, there may be
 * uninitialized data in tv_usec, so cast it to u32.
 * Otherwise allow invalid input for backwards compatibility.
 */

Let me know if you prefer a more elaborate version.

> >> so media/v4l2-common.h would be a good place.
> >
> > Ok, sounds good. I wasn't sure where to put it, and ended up
> > with include/linux/videodev2.h as the best replacement for
> > include/uapi/linux/videodev2.h, changed it to
> > include/media/v4l2-common.h now.
>
> Never use include/linux/videodev2.h. It's just a wrapper around
> the uapi header and should not contain any 'real' code.
>
> It's also why I missed that you modified that header since we never
> touch it.

Ok, got it. I now tried to remove this file completely, hoping that
the include <linux/time.h> is no longer needed after my series, but
it seems we still need it.

     Arnd
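
Review bot: The (u32) cast on buf->timestamp.tv_usec in the second line of the return expression carries no explanation, and nothing in the quoted helper says that dropping the upper half of tv_usec is deliberate. A comment above v4l2_buffer_get_timestamp() should state why only the low 32 bits are used and that an out-of-range tv_usec is accepted rather than rejected, so the cast is not later removed as redundant.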
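
The effect of the cast discussed in this thread, as an added user-space example that is not part of the original message or of the kernel patch. The struct and function names (ts64, from_user32, ns_nocast, ns_cast, ns_strict) are hypothetical, the inputs are constructed, and applying the strict check after truncation is an assumption of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#define NSEC_PER_SEC  1000000000ULL
#define NSEC_PER_USEC 1000ULL
#define USEC_PER_SEC  1000000LL

/* Constructed stand-in for the kernel's view: both members 64-bit. */
struct ts64 { int64_t tv_sec; int64_t tv_usec; };

/* Value the kernel reads when 32-bit user space wrote only 32 bits of
 * tv_usec and left the other half holding stale data. */
static struct ts64 from_user32(int64_t sec, uint32_t usec, uint32_t stale)
{
    struct ts64 t = { sec, (int64_t)(((uint64_t)stale << 32) | usec) };
    return t;
}

/* Without the cast, the stale upper half is scaled into the result. */
static uint64_t ns_nocast(const struct ts64 *t)
{
    return (uint64_t)t->tv_sec * NSEC_PER_SEC +
           (uint64_t)t->tv_usec * NSEC_PER_USEC;
}

/* With the cast, as in the quoted helper: only the low 32 bits count. */
static uint64_t ns_cast(const struct ts64 *t)
{
    return (uint64_t)t->tv_sec * NSEC_PER_SEC +
           (uint32_t)t->tv_usec * NSEC_PER_USEC;
}

/* Hypothetical strict variant: 0 on success, -1 if tv_usec > USEC_PER_SEC. */
static int ns_strict(const struct ts64 *t, uint64_t *out)
{
    if ((uint32_t)t->tv_usec > USEC_PER_SEC)
        return -1;
    *out = ns_cast(t);
    return 0;
}

int main(void)
{
    struct ts64 t = from_user32(5, 250000, 0xdeadbeefu); /* constructed input */
    struct ts64 d = { 1, 4294967296LL + 7 }; /* 64-bit caller, tv_usec > U32_MAX */
    uint64_t ns = 0;
    printf("32-bit: cast=%llu nocast=%llu\n", (unsigned long long)ns_cast(&t), (unsigned long long)ns_nocast(&t));
    printf("denorm: cast=%llu nocast=%llu\n", (unsigned long long)ns_cast(&d), (unsigned long long)ns_nocast(&d));
    printf("strict on 32-bit input: %d\n", ns_strict(&t, &ns));
    return 0;
}
```

The second input shows the behavior change for 64-bit callers that the thread accepts: a denormalized tv_usec above U32_MAX is truncated instead of being scaled into the result.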