Flaws with "UIO: Add the User IO core code"

From: Alan Cox
Date: Fri Apr 27 2007 - 19:16:31 EST

> +static ssize_t uio_read(struct file *filep, char __user *buf,
> + size_t count, loff_t *ppos)
> +{
> + struct uio_listener *listener = filep->private_data;
> + struct uio_device *idev = listener->dev;
> + DECLARE_WAITQUEUE(wait, current);
> + ssize_t retval;
> + int event_count;
> +
> + if (idev->info->irq == UIO_IRQ_NONE)
> + return -EIO;
> +
> + if (count != sizeof(int))
> + return -EINVAL;

AFAIK we don't currently have any platform that runs binaries with
different sizes of "int" but this is a) an unsigned value anyway, and b)
should be a fixed type (eg u32)

Otherwise it looks ok at the moment, although there is a real nasty
waiting for anyone who tries to use it. At the point open is possible or
IRQs can be enabled you are safe in the core merged as idev->info is
always valid, but any driver module trying to go back via info->uio_dev
has a NULL pointer for an early IRQ or open event.

This means that the fasync support in the current code is basically
unusable until this is fixed.
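The ordering hazard described above, as an added user-space model rather than kernel or UIO code: the struct names, the `uio_dev` back-pointer and the two registration sequences are hypothetical stand-ins, and an interrupt is modelled as firing the moment it is enabled.

```c
/* Added example, not the UIO patch's code: models why a driver going back
 * via info->uio_dev sees NULL when the IRQ can fire before the core has
 * filled in the back-pointer. Names are hypothetical stand-ins. */
#include <stddef.h>

struct uio_device;

struct uio_info {
    struct uio_device *uio_dev;              /* back-pointer drivers follow */
    /* driver IRQ handler: returns 1 if it reached the device, 0 on NULL */
    int (*handler)(struct uio_info *info);
};

struct uio_device {
    struct uio_info *info;                   /* always valid on the core side */
    unsigned int event;
};

/* A driver handler that goes back via info->uio_dev, as the reply warns. */
int driver_handler(struct uio_info *info)
{
    struct uio_device *idev = info->uio_dev;
    if (!idev)
        return 0;   /* a real driver would dereference NULL here */
    idev->event++;
    return 1;
}

/* Models enabling the IRQ with an interrupt arriving immediately. */
static int enable_irq_and_fire(struct uio_info *info)
{
    return info->handler(info);
}

/* Flawed order: core state (idev->info) is valid, but the IRQ is live
 * before info->uio_dev is set, so the driver sees a NULL back-pointer. */
int register_backpointer_late(struct uio_info *info, struct uio_device *idev)
{
    idev->info = info;
    int ok = enable_irq_and_fire(info);
    info->uio_dev = idev;                    /* too late for that event */
    return ok;
}

/* Corrected order: the back-pointer is set before any IRQ or open event. */
int register_backpointer_early(struct uio_info *info, struct uio_device *idev)
{
    idev->info = info;
    info->uio_dev = idev;
    return enable_irq_and_fire(info);
}
```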
