[mirror_qemu.git] / linux-user / safe-syscall.h

/*
 * safe-syscall.h: prototypes for linux-user signal-race-safe syscalls
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, see <http://www.gnu.org/licenses/>.
 */

#ifndef LINUX_USER_SAFE_SYSCALL_H
#define LINUX_USER_SAFE_SYSCALL_H

/**
 * safe_syscall:
 * @int number: number of system call to make
 * ...: arguments to the system call
 *
 * Call a system call if guest signal not pending.
 * This has the same API as the libc syscall() function, except that it
 * may return -1 with errno == TARGET_ERESTARTSYS if a signal was pending.
 *
 * Returns: the system call result, or -1 with an error code in errno
 * (Errnos are host errnos; we rely on TARGET_ERESTARTSYS not clashing
 * with any of the host errno values.)
 */

/*
 * A guide to using safe_syscall() to handle interactions between guest
 * syscalls and guest signals:
 *
 * Guest syscalls come in two flavours:
 *
 * (1) Non-interruptible syscalls
 *
 * These are guest syscalls that never get interrupted by signals and
 * so never return EINTR. They can be implemented straightforwardly in
 * QEMU: just make sure that if the implementation code has to make any
 * blocking calls that those calls are retried if they return EINTR.
 * It's also OK to implement these with safe_syscall, though it will be
 * a little less efficient if a signal is delivered at the 'wrong' moment.
 *
 * Some non-interruptible syscalls need to be handled using block_signals()
 * to block signals for the duration of the syscall. This mainly applies
 * to code which needs to modify the data structures used by the
 * host_signal_handler() function and the functions it calls, including
 * all syscalls which change the thread's signal mask.
 *
 * (2) Interruptible syscalls
 *
 * These are guest syscalls that can be interrupted by signals and
 * for which we need to either return EINTR or arrange for the guest
 * syscall to be restarted. This category includes both syscalls which
 * always restart (and in the kernel return -ERESTARTNOINTR), ones
 * which only restart if there is no handler (kernel returns -ERESTARTNOHAND
 * or -ERESTART_RESTARTBLOCK), and the most common kind which restart
 * if the handler was registered with SA_RESTART (kernel returns
 * -ERESTARTSYS). System calls which are only interruptible in some
 * situations (like 'open') also need to be handled this way.
 *
 * Here it is important that the host syscall is made
 * via this safe_syscall() function, and *not* via the host libc.
 * If the host libc is used then the implementation will appear to work
 * most of the time, but there will be a race condition where a
 * signal could arrive just before we make the host syscall inside libc,
 * and then then guest syscall will not correctly be interrupted.
 * Instead the implementation of the guest syscall can use the safe_syscall
 * function but otherwise just return the result or errno in the usual
 * way; the main loop code will take care of restarting the syscall
 * if appropriate.
 *
 * (If the implementation needs to make multiple host syscalls this is
 * OK; any which might really block must be via safe_syscall(); for those
 * which are only technically blocking (ie which we know in practice won't
 * stay in the host kernel indefinitely) it's OK to use libc if necessary.
 * You must be able to cope with backing out correctly if some safe_syscall
 * you make in the implementation returns either -TARGET_ERESTARTSYS or
 * EINTR though.)
 *
 * block_signals() cannot be used for interruptible syscalls.
 *
 *
 * How and why the safe_syscall implementation works:
 *
 * The basic setup is that we make the host syscall via a known
 * section of host native assembly. If a signal occurs, our signal
 * handler checks the interrupted host PC against the addresse of that
 * known section. If the PC is before or at the address of the syscall
 * instruction then we change the PC to point at a "return
 * -TARGET_ERESTARTSYS" code path instead, and then exit the signal handler
 * (causing the safe_syscall() call to immediately return that value).
 * Then in the main.c loop if we see this magic return value we adjust
 * the guest PC to wind it back to before the system call, and invoke
 * the guest signal handler as usual.
 *
 * This winding-back will happen in two cases:
 * (1) signal came in just before we took the host syscall (a race);
 *   in this case we'll take the guest signal and have another go
 *   at the syscall afterwards, and this is indistinguishable for the
 *   guest from the timing having been different such that the guest
 *   signal really did win the race
 * (2) signal came in while the host syscall was blocking, and the
 *   host kernel decided the syscall should be restarted;
 *   in this case we want to restart the guest syscall also, and so
 *   rewinding is the right thing. (Note that "restart" semantics mean
 *   "first call the signal handler, then reattempt the syscall".)
 * The other situation to consider is when a signal came in while the
 * host syscall was blocking, and the host kernel decided that the syscall
 * should not be restarted; in this case QEMU's host signal handler will
 * be invoked with the PC pointing just after the syscall instruction,
 * with registers indicating an EINTR return; the special code in the
 * handler will not kick in, and we will return EINTR to the guest as
 * we should.
 *
 * Notice that we can leave the host kernel to make the decision for
 * us about whether to do a restart of the syscall or not; we do not
 * need to check SA_RESTART flags in QEMU or distinguish the various
 * kinds of restartability.
 */
#ifdef HAVE_SAFE_SYSCALL
/* The core part of this function is implemented in assembly */
extern long safe_syscall_base(int *pending, long number, ...);

#define safe_syscall(...)                                               \
    ({                                                                  \
        long ret_;                                                      \
        int *psp_ = &((TaskState *)thread_cpu->opaque)->signal_pending; \
        ret_ = safe_syscall_base(psp_, __VA_ARGS__);                    \
        if (is_error(ret_)) {                                           \
            errno = -ret_;                                              \
            ret_ = -1;                                                  \
        }                                                               \
        ret_;                                                           \
    })

#else

/*
 * Fallback for architectures which don't yet provide a safe-syscall assembly
 * fragment; note that this is racy!
 * This should go away when all host architectures have been updated.
 */
#define safe_syscall syscall

#endif

#endif
Commit	Line	Data
a57e0c36 PM	1	/*
	2	* safe-syscall.h: prototypes for linux-user signal-race-safe syscalls
	3	*
	4	* This program is free software; you can redistribute it and/or modify
	5	* it under the terms of the GNU General Public License as published by
	6	* the Free Software Foundation; either version 2 of the License, or
	7	* (at your option) any later version.
	8	*
	9	* This program is distributed in the hope that it will be useful,
	10	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	* GNU General Public License for more details.
	13	*
	14	* You should have received a copy of the GNU General Public License
	15	* along with this program; if not, see <http://www.gnu.org/licenses/>.
	16	*/
	17
	18	#ifndef LINUX_USER_SAFE_SYSCALL_H
	19	#define LINUX_USER_SAFE_SYSCALL_H
	20
	21	/**
	22	* safe_syscall:
	23	* @int number: number of system call to make
	24	* ...: arguments to the system call
	25	*
	26	* Call a system call if guest signal not pending.
	27	* This has the same API as the libc syscall() function, except that it
	28	* may return -1 with errno == TARGET_ERESTARTSYS if a signal was pending.
	29	*
	30	* Returns: the system call result, or -1 with an error code in errno
	31	* (Errnos are host errnos; we rely on TARGET_ERESTARTSYS not clashing
	32	* with any of the host errno values.)
	33	*/
	34
	35	/*
	36	* A guide to using safe_syscall() to handle interactions between guest
	37	* syscalls and guest signals:
	38	*
	39	* Guest syscalls come in two flavours:
	40	*
	41	* (1) Non-interruptible syscalls
	42	*
	43	* These are guest syscalls that never get interrupted by signals and
	44	* so never return EINTR. They can be implemented straightforwardly in
	45	* QEMU: just make sure that if the implementation code has to make any
	46	* blocking calls that those calls are retried if they return EINTR.
	47	* It's also OK to implement these with safe_syscall, though it will be
	48	* a little less efficient if a signal is delivered at the 'wrong' moment.
	49	*
	50	* Some non-interruptible syscalls need to be handled using block_signals()
	51	* to block signals for the duration of the syscall. This mainly applies
	52	* to code which needs to modify the data structures used by the
	53	* host_signal_handler() function and the functions it calls, including
	54	* all syscalls which change the thread's signal mask.
	55	*
	56	* (2) Interruptible syscalls
	57	*
	58	* These are guest syscalls that can be interrupted by signals and
	59	* for which we need to either return EINTR or arrange for the guest
	60	* syscall to be restarted. This category includes both syscalls which
	61	* always restart (and in the kernel return -ERESTARTNOINTR), ones
	62	* which only restart if there is no handler (kernel returns -ERESTARTNOHAND
	63	* or -ERESTART_RESTARTBLOCK), and the most common kind which restart
	64	* if the handler was registered with SA_RESTART (kernel returns
65	* -ERESTARTSYS). System calls which are only interruptible in some
66	* situations (like 'open') also need to be handled this way.
67	*
68	* Here it is important that the host syscall is made
69	* via this safe_syscall() function, and not via the host libc.
70	* If the host libc is used then the implementation will appear to work
71	* most of the time, but there will be a race condition where a
72	* signal could arrive just before we make the host syscall inside libc,
73	* and then then guest syscall will not correctly be interrupted.
74	* Instead the implementation of the guest syscall can use the safe_syscall
75	* function but otherwise just return the result or errno in the usual
76	* way; the main loop code will take care of restarting the syscall
77	* if appropriate.
78	*
79	* (If the implementation needs to make multiple host syscalls this is
80	* OK; any which might really block must be via safe_syscall(); for those
81	* which are only technically blocking (ie which we know in practice won't
82	* stay in the host kernel indefinitely) it's OK to use libc if necessary.
83	* You must be able to cope with backing out correctly if some safe_syscall
84	* you make in the implementation returns either -TARGET_ERESTARTSYS or
85	* EINTR though.)
86	*
87	* block_signals() cannot be used for interruptible syscalls.
88	*
89	*
90	* How and why the safe_syscall implementation works:
91	*
92	* The basic setup is that we make the host syscall via a known
93	* section of host native assembly. If a signal occurs, our signal
94	* handler checks the interrupted host PC against the addresse of that
95	* known section. If the PC is before or at the address of the syscall
96	* instruction then we change the PC to point at a "return
97	* -TARGET_ERESTARTSYS" code path instead, and then exit the signal handler
98	* (causing the safe_syscall() call to immediately return that value).
99	* Then in the main.c loop if we see this magic return value we adjust
100	* the guest PC to wind it back to before the system call, and invoke
101	* the guest signal handler as usual.
102	*
103	* This winding-back will happen in two cases:
104	* (1) signal came in just before we took the host syscall (a race);
105	* in this case we'll take the guest signal and have another go
106	* at the syscall afterwards, and this is indistinguishable for the
107	* guest from the timing having been different such that the guest
108	* signal really did win the race
109	* (2) signal came in while the host syscall was blocking, and the
110	* host kernel decided the syscall should be restarted;
111	* in this case we want to restart the guest syscall also, and so
112	* rewinding is the right thing. (Note that "restart" semantics mean
113	* "first call the signal handler, then reattempt the syscall".)
114	* The other situation to consider is when a signal came in while the
115	* host syscall was blocking, and the host kernel decided that the syscall
116	* should not be restarted; in this case QEMU's host signal handler will
117	* be invoked with the PC pointing just after the syscall instruction,
118	* with registers indicating an EINTR return; the special code in the
119	* handler will not kick in, and we will return EINTR to the guest as
120	* we should.
121	*
122	* Notice that we can leave the host kernel to make the decision for
123	* us about whether to do a restart of the syscall or not; we do not
124	* need to check SA_RESTART flags in QEMU or distinguish the various
125	* kinds of restartability.
126	*/
127	#ifdef HAVE_SAFE_SYSCALL
128	/* The core part of this function is implemented in assembly */
129	extern long safe_syscall_base(int *pending, long number, ...);
130
131	#define safe_syscall(...) \
132	({ \
133	long ret_; \
134	int psp_ = &((TaskState )thread_cpu->opaque)->signal_pending; \
135	ret_ = safe_syscall_base(psp_, __VA_ARGS__); \
136	if (is_error(ret_)) { \
137	errno = -ret_; \
138	ret_ = -1; \
139	} \
140	ret_; \
141	})
142
143	#else
144
145	/*
146	* Fallback for architectures which don't yet provide a safe-syscall assembly
147	* fragment; note that this is racy!
148	* This should go away when all host architectures have been updated.
149	*/
150	#define safe_syscall syscall
151
152	#endif
153
154	#endif