adding-syscalls.rst (27227B)
1 2.. _addsyscalls: 3 4Adding a New System Call 5======================== 6 7This document describes what's involved in adding a new system call to the 8Linux kernel, over and above the normal submission advice in 9:ref:`Documentation/process/submitting-patches.rst <submittingpatches>`. 10 11 12System Call Alternatives 13------------------------ 14 15The first thing to consider when adding a new system call is whether one of 16the alternatives might be suitable instead. Although system calls are the 17most traditional and most obvious interaction points between userspace and the 18kernel, there are other possibilities -- choose what fits best for your 19interface. 20 21 - If the operations involved can be made to look like a filesystem-like 22 object, it may make more sense to create a new filesystem or device. This 23 also makes it easier to encapsulate the new functionality in a kernel module 24 rather than requiring it to be built into the main kernel. 25 26 - If the new functionality involves operations where the kernel notifies 27 userspace that something has happened, then returning a new file 28 descriptor for the relevant object allows userspace to use 29 ``poll``/``select``/``epoll`` to receive that notification. 30 - However, operations that don't map to 31 :manpage:`read(2)`/:manpage:`write(2)`-like operations 32 have to be implemented as :manpage:`ioctl(2)` requests, which can lead 33 to a somewhat opaque API. 34 35 - If you're just exposing runtime system information, a new node in sysfs 36 (see ``Documentation/filesystems/sysfs.rst``) or the ``/proc`` filesystem may 37 be more appropriate. However, access to these mechanisms requires that the 38 relevant filesystem is mounted, which might not always be the case (e.g. 39 in a namespaced/sandboxed/chrooted environment). Avoid adding any API to 40 debugfs, as this is not considered a 'production' interface to userspace. 41 - If the operation is specific to a particular file or file descriptor, then 42 an additional :manpage:`fcntl(2)` command option may be more appropriate. However, 43 :manpage:`fcntl(2)` is a multiplexing system call that hides a lot of complexity, so 44 this option is best for when the new function is closely analogous to 45 existing :manpage:`fcntl(2)` functionality, or the new functionality is very simple 46 (for example, getting/setting a simple flag related to a file descriptor). 47 - If the operation is specific to a particular task or process, then an 48 additional :manpage:`prctl(2)` command option may be more appropriate. As 49 with :manpage:`fcntl(2)`, this system call is a complicated multiplexor so 50 is best reserved for near-analogs of existing ``prctl()`` commands or 51 getting/setting a simple flag related to a process. 52 53 54Designing the API: Planning for Extension 55----------------------------------------- 56 57A new system call forms part of the API of the kernel, and has to be supported 58indefinitely. As such, it's a very good idea to explicitly discuss the 59interface on the kernel mailing list, and it's important to plan for future 60extensions of the interface. 61 62(The syscall table is littered with historical examples where this wasn't done, 63together with the corresponding follow-up system calls -- 64``eventfd``/``eventfd2``, ``dup2``/``dup3``, ``inotify_init``/``inotify_init1``, 65``pipe``/``pipe2``, ``renameat``/``renameat2`` -- so 66learn from the history of the kernel and plan for extensions from the start.) 67 68For simpler system calls that only take a couple of arguments, the preferred 69way to allow for future extensibility is to include a flags argument to the 70system call. To make sure that userspace programs can safely use flags 71between kernel versions, check whether the flags value holds any unknown 72flags, and reject the system call (with ``EINVAL``) if it does:: 73 74 if (flags & ~(THING_FLAG1 | THING_FLAG2 | THING_FLAG3)) 75 return -EINVAL; 76 77(If no flags values are used yet, check that the flags argument is zero.) 78 79For more sophisticated system calls that involve a larger number of arguments, 80it's preferred to encapsulate the majority of the arguments into a structure 81that is passed in by pointer. Such a structure can cope with future extension 82by including a size argument in the structure:: 83 84 struct xyzzy_params { 85 u32 size; /* userspace sets p->size = sizeof(struct xyzzy_params) */ 86 u32 param_1; 87 u64 param_2; 88 u64 param_3; 89 }; 90 91As long as any subsequently added field, say ``param_4``, is designed so that a 92zero value gives the previous behaviour, then this allows both directions of 93version mismatch: 94 95 - To cope with a later userspace program calling an older kernel, the kernel 96 code should check that any memory beyond the size of the structure that it 97 expects is zero (effectively checking that ``param_4 == 0``). 98 - To cope with an older userspace program calling a newer kernel, the kernel 99 code can zero-extend a smaller instance of the structure (effectively 100 setting ``param_4 = 0``). 101 102See :manpage:`perf_event_open(2)` and the ``perf_copy_attr()`` function (in 103``kernel/events/core.c``) for an example of this approach. 104 105 106Designing the API: Other Considerations 107--------------------------------------- 108 109If your new system call allows userspace to refer to a kernel object, it 110should use a file descriptor as the handle for that object -- don't invent a 111new type of userspace object handle when the kernel already has mechanisms and 112well-defined semantics for using file descriptors. 113 114If your new :manpage:`xyzzy(2)` system call does return a new file descriptor, 115then the flags argument should include a value that is equivalent to setting 116``O_CLOEXEC`` on the new FD. This makes it possible for userspace to close 117the timing window between ``xyzzy()`` and calling 118``fcntl(fd, F_SETFD, FD_CLOEXEC)``, where an unexpected ``fork()`` and 119``execve()`` in another thread could leak a descriptor to 120the exec'ed program. (However, resist the temptation to re-use the actual value 121of the ``O_CLOEXEC`` constant, as it is architecture-specific and is part of a 122numbering space of ``O_*`` flags that is fairly full.) 123 124If your system call returns a new file descriptor, you should also consider 125what it means to use the :manpage:`poll(2)` family of system calls on that file 126descriptor. Making a file descriptor ready for reading or writing is the 127normal way for the kernel to indicate to userspace that an event has 128occurred on the corresponding kernel object. 129 130If your new :manpage:`xyzzy(2)` system call involves a filename argument:: 131 132 int sys_xyzzy(const char __user *path, ..., unsigned int flags); 133 134you should also consider whether an :manpage:`xyzzyat(2)` version is more appropriate:: 135 136 int sys_xyzzyat(int dfd, const char __user *path, ..., unsigned int flags); 137 138This allows more flexibility for how userspace specifies the file in question; 139in particular it allows userspace to request the functionality for an 140already-opened file descriptor using the ``AT_EMPTY_PATH`` flag, effectively 141giving an :manpage:`fxyzzy(3)` operation for free:: 142 143 - xyzzyat(AT_FDCWD, path, ..., 0) is equivalent to xyzzy(path,...) 144 - xyzzyat(fd, "", ..., AT_EMPTY_PATH) is equivalent to fxyzzy(fd, ...) 145 146(For more details on the rationale of the \*at() calls, see the 147:manpage:`openat(2)` man page; for an example of AT_EMPTY_PATH, see the 148:manpage:`fstatat(2)` man page.) 149 150If your new :manpage:`xyzzy(2)` system call involves a parameter describing an 151offset within a file, make its type ``loff_t`` so that 64-bit offsets can be 152supported even on 32-bit architectures. 153 154If your new :manpage:`xyzzy(2)` system call involves privileged functionality, 155it needs to be governed by the appropriate Linux capability bit (checked with 156a call to ``capable()``), as described in the :manpage:`capabilities(7)` man 157page. Choose an existing capability bit that governs related functionality, 158but try to avoid combining lots of only vaguely related functions together 159under the same bit, as this goes against capabilities' purpose of splitting 160the power of root. In particular, avoid adding new uses of the already 161overly-general ``CAP_SYS_ADMIN`` capability. 162 163If your new :manpage:`xyzzy(2)` system call manipulates a process other than 164the calling process, it should be restricted (using a call to 165``ptrace_may_access()``) so that only a calling process with the same 166permissions as the target process, or with the necessary capabilities, can 167manipulate the target process. 168 169Finally, be aware that some non-x86 architectures have an easier time if 170system call parameters that are explicitly 64-bit fall on odd-numbered 171arguments (i.e. parameter 1, 3, 5), to allow use of contiguous pairs of 32-bit 172registers. (This concern does not apply if the arguments are part of a 173structure that's passed in by pointer.) 174 175 176Proposing the API 177----------------- 178 179To make new system calls easy to review, it's best to divide up the patchset 180into separate chunks. These should include at least the following items as 181distinct commits (each of which is described further below): 182 183 - The core implementation of the system call, together with prototypes, 184 generic numbering, Kconfig changes and fallback stub implementation. 185 - Wiring up of the new system call for one particular architecture, usually 186 x86 (including all of x86_64, x86_32 and x32). 187 - A demonstration of the use of the new system call in userspace via a 188 selftest in ``tools/testing/selftests/``. 189 - A draft man-page for the new system call, either as plain text in the 190 cover letter, or as a patch to the (separate) man-pages repository. 191 192New system call proposals, like any change to the kernel's API, should always 193be cc'ed to linux-api@vger.kernel.org. 194 195 196Generic System Call Implementation 197---------------------------------- 198 199The main entry point for your new :manpage:`xyzzy(2)` system call will be called 200``sys_xyzzy()``, but you add this entry point with the appropriate 201``SYSCALL_DEFINEn()`` macro rather than explicitly. The 'n' indicates the 202number of arguments to the system call, and the macro takes the system call name 203followed by the (type, name) pairs for the parameters as arguments. Using 204this macro allows metadata about the new system call to be made available for 205other tools. 206 207The new entry point also needs a corresponding function prototype, in 208``include/linux/syscalls.h``, marked as asmlinkage to match the way that system 209calls are invoked:: 210 211 asmlinkage long sys_xyzzy(...); 212 213Some architectures (e.g. x86) have their own architecture-specific syscall 214tables, but several other architectures share a generic syscall table. Add your 215new system call to the generic list by adding an entry to the list in 216``include/uapi/asm-generic/unistd.h``:: 217 218 #define __NR_xyzzy 292 219 __SYSCALL(__NR_xyzzy, sys_xyzzy) 220 221Also update the __NR_syscalls count to reflect the additional system call, and 222note that if multiple new system calls are added in the same merge window, 223your new syscall number may get adjusted to resolve conflicts. 224 225The file ``kernel/sys_ni.c`` provides a fallback stub implementation of each 226system call, returning ``-ENOSYS``. Add your new system call here too:: 227 228 COND_SYSCALL(xyzzy); 229 230Your new kernel functionality, and the system call that controls it, should 231normally be optional, so add a ``CONFIG`` option (typically to 232``init/Kconfig``) for it. As usual for new ``CONFIG`` options: 233 234 - Include a description of the new functionality and system call controlled 235 by the option. 236 - Make the option depend on EXPERT if it should be hidden from normal users. 237 - Make any new source files implementing the function dependent on the CONFIG 238 option in the Makefile (e.g. ``obj-$(CONFIG_XYZZY_SYSCALL) += xyzzy.o``). 239 - Double check that the kernel still builds with the new CONFIG option turned 240 off. 241 242To summarize, you need a commit that includes: 243 244 - ``CONFIG`` option for the new function, normally in ``init/Kconfig`` 245 - ``SYSCALL_DEFINEn(xyzzy, ...)`` for the entry point 246 - corresponding prototype in ``include/linux/syscalls.h`` 247 - generic table entry in ``include/uapi/asm-generic/unistd.h`` 248 - fallback stub in ``kernel/sys_ni.c`` 249 250 251x86 System Call Implementation 252------------------------------ 253 254To wire up your new system call for x86 platforms, you need to update the 255master syscall tables. Assuming your new system call isn't special in some 256way (see below), this involves a "common" entry (for x86_64 and x32) in 257arch/x86/entry/syscalls/syscall_64.tbl:: 258 259 333 common xyzzy sys_xyzzy 260 261and an "i386" entry in ``arch/x86/entry/syscalls/syscall_32.tbl``:: 262 263 380 i386 xyzzy sys_xyzzy 264 265Again, these numbers are liable to be changed if there are conflicts in the 266relevant merge window. 267 268 269Compatibility System Calls (Generic) 270------------------------------------ 271 272For most system calls the same 64-bit implementation can be invoked even when 273the userspace program is itself 32-bit; even if the system call's parameters 274include an explicit pointer, this is handled transparently. 275 276However, there are a couple of situations where a compatibility layer is 277needed to cope with size differences between 32-bit and 64-bit. 278 279The first is if the 64-bit kernel also supports 32-bit userspace programs, and 280so needs to parse areas of (``__user``) memory that could hold either 32-bit or 28164-bit values. In particular, this is needed whenever a system call argument 282is: 283 284 - a pointer to a pointer 285 - a pointer to a struct containing a pointer (e.g. ``struct iovec __user *``) 286 - a pointer to a varying sized integral type (``time_t``, ``off_t``, 287 ``long``, ...) 288 - a pointer to a struct containing a varying sized integral type. 289 290The second situation that requires a compatibility layer is if one of the 291system call's arguments has a type that is explicitly 64-bit even on a 32-bit 292architecture, for example ``loff_t`` or ``__u64``. In this case, a value that 293arrives at a 64-bit kernel from a 32-bit application will be split into two 29432-bit values, which then need to be re-assembled in the compatibility layer. 295 296(Note that a system call argument that's a pointer to an explicit 64-bit type 297does **not** need a compatibility layer; for example, :manpage:`splice(2)`'s arguments of 298type ``loff_t __user *`` do not trigger the need for a ``compat_`` system call.) 299 300The compatibility version of the system call is called ``compat_sys_xyzzy()``, 301and is added with the ``COMPAT_SYSCALL_DEFINEn()`` macro, analogously to 302SYSCALL_DEFINEn. This version of the implementation runs as part of a 64-bit 303kernel, but expects to receive 32-bit parameter values and does whatever is 304needed to deal with them. (Typically, the ``compat_sys_`` version converts the 305values to 64-bit versions and either calls on to the ``sys_`` version, or both of 306them call a common inner implementation function.) 307 308The compat entry point also needs a corresponding function prototype, in 309``include/linux/compat.h``, marked as asmlinkage to match the way that system 310calls are invoked:: 311 312 asmlinkage long compat_sys_xyzzy(...); 313 314If the system call involves a structure that is laid out differently on 32-bit 315and 64-bit systems, say ``struct xyzzy_args``, then the include/linux/compat.h 316header file should also include a compat version of the structure (``struct 317compat_xyzzy_args``) where each variable-size field has the appropriate 318``compat_`` type that corresponds to the type in ``struct xyzzy_args``. The 319``compat_sys_xyzzy()`` routine can then use this ``compat_`` structure to 320parse the arguments from a 32-bit invocation. 321 322For example, if there are fields:: 323 324 struct xyzzy_args { 325 const char __user *ptr; 326 __kernel_long_t varying_val; 327 u64 fixed_val; 328 /* ... */ 329 }; 330 331in struct xyzzy_args, then struct compat_xyzzy_args would have:: 332 333 struct compat_xyzzy_args { 334 compat_uptr_t ptr; 335 compat_long_t varying_val; 336 u64 fixed_val; 337 /* ... */ 338 }; 339 340The generic system call list also needs adjusting to allow for the compat 341version; the entry in ``include/uapi/asm-generic/unistd.h`` should use 342``__SC_COMP`` rather than ``__SYSCALL``:: 343 344 #define __NR_xyzzy 292 345 __SC_COMP(__NR_xyzzy, sys_xyzzy, compat_sys_xyzzy) 346 347To summarize, you need: 348 349 - a ``COMPAT_SYSCALL_DEFINEn(xyzzy, ...)`` for the compat entry point 350 - corresponding prototype in ``include/linux/compat.h`` 351 - (if needed) 32-bit mapping struct in ``include/linux/compat.h`` 352 - instance of ``__SC_COMP`` not ``__SYSCALL`` in 353 ``include/uapi/asm-generic/unistd.h`` 354 355 356Compatibility System Calls (x86) 357-------------------------------- 358 359To wire up the x86 architecture of a system call with a compatibility version, 360the entries in the syscall tables need to be adjusted. 361 362First, the entry in ``arch/x86/entry/syscalls/syscall_32.tbl`` gets an extra 363column to indicate that a 32-bit userspace program running on a 64-bit kernel 364should hit the compat entry point:: 365 366 380 i386 xyzzy sys_xyzzy __ia32_compat_sys_xyzzy 367 368Second, you need to figure out what should happen for the x32 ABI version of 369the new system call. There's a choice here: the layout of the arguments 370should either match the 64-bit version or the 32-bit version. 371 372If there's a pointer-to-a-pointer involved, the decision is easy: x32 is 373ILP32, so the layout should match the 32-bit version, and the entry in 374``arch/x86/entry/syscalls/syscall_64.tbl`` is split so that x32 programs hit 375the compatibility wrapper:: 376 377 333 64 xyzzy sys_xyzzy 378 ... 379 555 x32 xyzzy __x32_compat_sys_xyzzy 380 381If no pointers are involved, then it is preferable to re-use the 64-bit system 382call for the x32 ABI (and consequently the entry in 383arch/x86/entry/syscalls/syscall_64.tbl is unchanged). 384 385In either case, you should check that the types involved in your argument 386layout do indeed map exactly from x32 (-mx32) to either the 32-bit (-m32) or 38764-bit (-m64) equivalents. 388 389 390System Calls Returning Elsewhere 391-------------------------------- 392 393For most system calls, once the system call is complete the user program 394continues exactly where it left off -- at the next instruction, with the 395stack the same and most of the registers the same as before the system call, 396and with the same virtual memory space. 397 398However, a few system calls do things differently. They might return to a 399different location (``rt_sigreturn``) or change the memory space 400(``fork``/``vfork``/``clone``) or even architecture (``execve``/``execveat``) 401of the program. 402 403To allow for this, the kernel implementation of the system call may need to 404save and restore additional registers to the kernel stack, allowing complete 405control of where and how execution continues after the system call. 406 407This is arch-specific, but typically involves defining assembly entry points 408that save/restore additional registers and invoke the real system call entry 409point. 410 411For x86_64, this is implemented as a ``stub_xyzzy`` entry point in 412``arch/x86/entry/entry_64.S``, and the entry in the syscall table 413(``arch/x86/entry/syscalls/syscall_64.tbl``) is adjusted to match:: 414 415 333 common xyzzy stub_xyzzy 416 417The equivalent for 32-bit programs running on a 64-bit kernel is normally 418called ``stub32_xyzzy`` and implemented in ``arch/x86/entry/entry_64_compat.S``, 419with the corresponding syscall table adjustment in 420``arch/x86/entry/syscalls/syscall_32.tbl``:: 421 422 380 i386 xyzzy sys_xyzzy stub32_xyzzy 423 424If the system call needs a compatibility layer (as in the previous section) 425then the ``stub32_`` version needs to call on to the ``compat_sys_`` version 426of the system call rather than the native 64-bit version. Also, if the x32 ABI 427implementation is not common with the x86_64 version, then its syscall 428table will also need to invoke a stub that calls on to the ``compat_sys_`` 429version. 430 431For completeness, it's also nice to set up a mapping so that user-mode Linux 432still works -- its syscall table will reference stub_xyzzy, but the UML build 433doesn't include ``arch/x86/entry/entry_64.S`` implementation (because UML 434simulates registers etc). Fixing this is as simple as adding a #define to 435``arch/x86/um/sys_call_table_64.c``:: 436 437 #define stub_xyzzy sys_xyzzy 438 439 440Other Details 441------------- 442 443Most of the kernel treats system calls in a generic way, but there is the 444occasional exception that may need updating for your particular system call. 445 446The audit subsystem is one such special case; it includes (arch-specific) 447functions that classify some special types of system call -- specifically 448file open (``open``/``openat``), program execution (``execve``/``exeveat``) or 449socket multiplexor (``socketcall``) operations. If your new system call is 450analogous to one of these, then the audit system should be updated. 451 452More generally, if there is an existing system call that is analogous to your 453new system call, it's worth doing a kernel-wide grep for the existing system 454call to check there are no other special cases. 455 456 457Testing 458------- 459 460A new system call should obviously be tested; it is also useful to provide 461reviewers with a demonstration of how user space programs will use the system 462call. A good way to combine these aims is to include a simple self-test 463program in a new directory under ``tools/testing/selftests/``. 464 465For a new system call, there will obviously be no libc wrapper function and so 466the test will need to invoke it using ``syscall()``; also, if the system call 467involves a new userspace-visible structure, the corresponding header will need 468to be installed to compile the test. 469 470Make sure the selftest runs successfully on all supported architectures. For 471example, check that it works when compiled as an x86_64 (-m64), x86_32 (-m32) 472and x32 (-mx32) ABI program. 473 474For more extensive and thorough testing of new functionality, you should also 475consider adding tests to the Linux Test Project, or to the xfstests project 476for filesystem-related changes. 477 478 - https://linux-test-project.github.io/ 479 - git://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git 480 481 482Man Page 483-------- 484 485All new system calls should come with a complete man page, ideally using groff 486markup, but plain text will do. If groff is used, it's helpful to include a 487pre-rendered ASCII version of the man page in the cover email for the 488patchset, for the convenience of reviewers. 489 490The man page should be cc'ed to linux-man@vger.kernel.org 491For more details, see https://www.kernel.org/doc/man-pages/patches.html 492 493 494Do not call System Calls in the Kernel 495-------------------------------------- 496 497System calls are, as stated above, interaction points between userspace and 498the kernel. Therefore, system call functions such as ``sys_xyzzy()`` or 499``compat_sys_xyzzy()`` should only be called from userspace via the syscall 500table, but not from elsewhere in the kernel. If the syscall functionality is 501useful to be used within the kernel, needs to be shared between an old and a 502new syscall, or needs to be shared between a syscall and its compatibility 503variant, it should be implemented by means of a "helper" function (such as 504``ksys_xyzzy()``). This kernel function may then be called within the 505syscall stub (``sys_xyzzy()``), the compatibility syscall stub 506(``compat_sys_xyzzy()``), and/or other kernel code. 507 508At least on 64-bit x86, it will be a hard requirement from v4.17 onwards to not 509call system call functions in the kernel. It uses a different calling 510convention for system calls where ``struct pt_regs`` is decoded on-the-fly in a 511syscall wrapper which then hands processing over to the actual syscall function. 512This means that only those parameters which are actually needed for a specific 513syscall are passed on during syscall entry, instead of filling in six CPU 514registers with random user space content all the time (which may cause serious 515trouble down the call chain). 516 517Moreover, rules on how data may be accessed may differ between kernel data and 518user data. This is another reason why calling ``sys_xyzzy()`` is generally a 519bad idea. 520 521Exceptions to this rule are only allowed in architecture-specific overrides, 522architecture-specific compatibility wrappers, or other code in arch/. 523 524 525References and Sources 526---------------------- 527 528 - LWN article from Michael Kerrisk on use of flags argument in system calls: 529 https://lwn.net/Articles/585415/ 530 - LWN article from Michael Kerrisk on how to handle unknown flags in a system 531 call: https://lwn.net/Articles/588444/ 532 - LWN article from Jake Edge describing constraints on 64-bit system call 533 arguments: https://lwn.net/Articles/311630/ 534 - Pair of LWN articles from David Drysdale that describe the system call 535 implementation paths in detail for v3.14: 536 537 - https://lwn.net/Articles/604287/ 538 - https://lwn.net/Articles/604515/ 539 540 - Architecture-specific requirements for system calls are discussed in the 541 :manpage:`syscall(2)` man-page: 542 http://man7.org/linux/man-pages/man2/syscall.2.html#NOTES 543 - Collated emails from Linus Torvalds discussing the problems with ``ioctl()``: 544 https://yarchive.net/comp/linux/ioctl.html 545 - "How to not invent kernel interfaces", Arnd Bergmann, 546 https://www.ukuug.org/events/linux2007/2007/papers/Bergmann.pdf 547 - LWN article from Michael Kerrisk on avoiding new uses of CAP_SYS_ADMIN: 548 https://lwn.net/Articles/486306/ 549 - Recommendation from Andrew Morton that all related information for a new 550 system call should come in the same email thread: 551 https://lore.kernel.org/r/20140724144747.3041b208832bbdf9fbce5d96@linux-foundation.org 552 - Recommendation from Michael Kerrisk that a new system call should come with 553 a man page: https://lore.kernel.org/r/CAKgNAkgMA39AfoSoA5Pe1r9N+ZzfYQNvNPvcRN7tOvRb8+v06Q@mail.gmail.com 554 - Suggestion from Thomas Gleixner that x86 wire-up should be in a separate 555 commit: https://lore.kernel.org/r/alpine.DEB.2.11.1411191249560.3909@nanos 556 - Suggestion from Greg Kroah-Hartman that it's good for new system calls to 557 come with a man-page & selftest: https://lore.kernel.org/r/20140320025530.GA25469@kroah.com 558 - Discussion from Michael Kerrisk of new system call vs. :manpage:`prctl(2)` extension: 559 https://lore.kernel.org/r/CAHO5Pa3F2MjfTtfNxa8LbnkeeU8=YJ+9tDqxZpw7Gz59E-4AUg@mail.gmail.com 560 - Suggestion from Ingo Molnar that system calls that involve multiple 561 arguments should encapsulate those arguments in a struct, which includes a 562 size field for future extensibility: https://lore.kernel.org/r/20150730083831.GA22182@gmail.com 563 - Numbering oddities arising from (re-)use of O_* numbering space flags: 564 565 - commit 75069f2b5bfb ("vfs: renumber FMODE_NONOTIFY and add to uniqueness 566 check") 567 - commit 12ed2e36c98a ("fanotify: FMODE_NONOTIFY and __O_SYNC in sparc 568 conflict") 569 - commit bb458c644a59 ("Safer ABI for O_TMPFILE") 570 571 - Discussion from Matthew Wilcox about restrictions on 64-bit arguments: 572 https://lore.kernel.org/r/20081212152929.GM26095@parisc-linux.org 573 - Recommendation from Greg Kroah-Hartman that unknown flags should be 574 policed: https://lore.kernel.org/r/20140717193330.GB4703@kroah.com 575 - Recommendation from Linus Torvalds that x32 system calls should prefer 576 compatibility with 64-bit versions rather than 32-bit versions: 577 https://lore.kernel.org/r/CA+55aFxfmwfB7jbbrXxa=K7VBYPfAvmu3XOkGrLbB1UFjX1+Ew@mail.gmail.com