From: Avi Kivity <avi@redhat.com>
To: Arjan van de Ven <arjan@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
viro@ZenIV.linux.org.uk, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/3][RFC] ioctl dispatcher
Date: Sat, 27 Sep 2008 20:40:38 +0300 [thread overview]
Message-ID: <48DE7016.5040209@redhat.com> (raw)
In-Reply-To: <20080927091304.12b8c4c3@infradead.org>
Arjan van de Ven wrote:
>
>> While ioctls are officially ugly, they are the best choice for some
>> use cases, not to mention compatibility issues. Currently ioctl
>> writers face the following hurdles:
>>
>> - if the ioctl uses a data buffer, the ioctl handler must allocate
>> kernel memory for this buffer
>> - the memory may be allocated on the heap or on the stack,
>> depending on the buffer size
>> - handle any errors from the operation
>> - copy the data from userspace, if necessary
>> - handle any errors from the operation
>> - actually perform the operation
>> - copy the data back to userspace, if necessary
>> - handle any errors from the operation
>> - free the buffer, if allocated from the heap
>>
>> The first patch automates these operations, only requiring the caller
>> to supply the ioctl number and a callback in a table.
>>
>>
> this doesn't seem to be much different from the way the DRM code deals
> with ioctls. Or the V4L code.
> Personally I hate that code though.....
>
> There is a fine balance here; between driver writers screwing something
> up they shouldn't be doing in the first place and us being able to
> clearly see what the code is doing; your patch kinda hides some key
> elements of the ioctl path...
Which key elements?
It hides the big switch (ioctl), memory allocation, and error handling,
and exposes the actual ioctl-specific code, which I thought was the key
element.
Why are we interested in boilerplate?
> I'm afraid it gives a false sense of
> security though. Not having to deal with one aspect of security just to
> have to deal with the rest....
>
It reduces the number of potential mistakes a driver author can make.
> Lets put it this way: if the driver author has to type "copy_from_user"
> there's a chance that he'll remember that the data comes from the user
> and isn't to be trusted on face value.
>
I'll rename the argp variable to argp_user_supplied.
I can't believe you think writing the copy code from scratch (or worse,
copy/paste) each time helps security.
--
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.
prev parent reply other threads:[~2008-09-27 17:51 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-09-27 15:43 [PATCH 0/3][RFC] ioctl dispatcher Avi Kivity
2008-09-27 15:44 ` [PATCH 1/3] ioctl: generic " Avi Kivity
2008-09-29 17:16 ` Andi Kleen
2008-09-30 9:08 ` Avi Kivity
2008-09-27 15:44 ` [PATCH 2/3] ioctl: extensible ioctl dispatch Avi Kivity
2008-09-27 15:44 ` [PATCH 3/3] KVM: Convert x86 vcpu ioctls to use dispatch_ioctl_extensible() Avi Kivity
2008-09-27 16:13 ` [PATCH 0/3][RFC] ioctl dispatcher Arjan van de Ven
2008-09-27 17:40 ` Avi Kivity [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48DE7016.5040209@redhat.com \
--to=avi@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=arjan@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.