Re: [PATCH 0/3][RFC] ioctl dispatcher

From: Avi Kivity
Date: Sat Sep 27 2008 - 13:51:15 EST

Next message: Ingo Molnar: "Re: [PATCH] - UV fix for size of hub mappings"
Previous message: Ingo Molnar: "Re: [RFC PATCH 1/3] Unified trace buffer"
In reply to: Arjan van de Ven: "Re: [PATCH 0/3][RFC] ioctl dispatcher"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Arjan van de Ven wrote:

While ioctls are officially ugly, they are the best choice for some
use cases, not to mention compatibility issues. Currently ioctl
writers face the following hurdles:

- if the ioctl uses a data buffer, the ioctl handler must allocate
kernel memory for this buffer
- the memory may be allocated on the heap or on the stack,
depending on the buffer size
- handle any errors from the operation
- copy the data from userspace, if necessary
- handle any errors from the operation
- actually perform the operation
- copy the data back to userspace, if necessary
- handle any errors from the operation
- free the buffer, if allocated from the heap

The first patch automates these operations, only requiring the caller
to supply the ioctl number and a callback in a table.

this doesn't seem to be much different from the way the DRM code deals
with ioctls. Or the V4L code.
Personally I hate that code though.....

There is a fine balance here; between driver writers screwing something
up they shouldn't be doing in the first place and us being able to
clearly see what the code is doing; your patch kinda hides some key
elements of the ioctl path...

Which key elements?

It hides the big switch (ioctl), memory allocation, and error handling, and exposes the actual ioctl-specific code, which I thought was the key element.

Why are we interested in boilerplate?

I'm afraid it gives a false sense of
security though. Not having to deal with one aspect of security just to
have to deal with the rest....

It reduces the number of potential mistakes a driver author can make.

Lets put it this way: if the driver author has to type "copy_from_user"
there's a chance that he'll remember that the data comes from the user
and isn't to be trusted on face value.

I'll rename the argp variable to argp_user_supplied.

I can't believe you think writing the copy code from scratch (or worse, copy/paste) each time helps security.

--
I have a truly marvellous patch that fixes the bug which this
signature is too narrow to contain.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ingo Molnar: "Re: [PATCH] - UV fix for size of hub mappings"
Previous message: Ingo Molnar: "Re: [RFC PATCH 1/3] Unified trace buffer"
In reply to: Arjan van de Ven: "Re: [PATCH 0/3][RFC] ioctl dispatcher"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]