Re: "Enhanced" MD code avaible for review

From: Jeff Garzik
Date: Tue Mar 30 2004 - 17:38:39 EST

Justin T. Gibbs wrote:
So you are saying that this presents an unrecoverable situation?

No, I'm saying that the data phase need not have a bunch of in-kernel
checks, it should be generated correctly from the source.

The SCSI drivers validate the controller's data phase based on the
expected phase presented to them from an upper layer. I never talked
about adding checks that make little sense or are overly expensive. You
seem to equate validation with huge expense. That is just not the
general case.

Hmm. I've never had someone tell me that my SCSI drivers are slow.

This would be noticed in the CPU utilization area. Your drivers are
probably a long way from being CPU-bound.

I very much doubt that. There are perhaps four or five tests in the
I/O path where some value already in a cache line that has to be accessed
anyway is compared against a constant. We're talking about something
down in the noise of any type of profiling you could perform. As I said,
validation makes sense where there is basically no-cost to do it.

I don't think that your statement is true in the general case. My
belief is that validation should occur where it is cheap and efficient
to do so. More expensive checks should be pushed into diagnostic code
that is disabled by default, but the code *should be there*. In any event,
for RAID meta-data, we're talking about code that is *not* in the common
or time critical path of the kernel. A few dozen lines of validation code
there has almost no impact on the size of the kernel and yields huge
benefits for debugging and maintaining the code. This is even more
the case in Linux the end user is often your test lab.

It doesn't scale terribly well, because the checks themselves become a
source of bugs.

So now the complaint is that validation code is somehow harder to write
and maintain than the rest of the code?

Actually, yes. Validation of random user input has always been a source of bugs (usually in edge cases), in Linux and in other operating systems. It is often the area where security bugs are found.

Basically you want to avoid add checks for conditions that don't occur in properly written software, and make sure that the kernel always generates correct requests. Obviously that excludes anything on the target side, but other than that... in userland, a priveleged user is free to do anything they wish, including violate protocols, cook their disk, etc.


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at