Re: [PATCH 0/3][RFC] ioctl dispatcher

From: Arjan van de Ven
Date: Sat Sep 27 2008 - 12:13:17 EST

Next message: Ingo Molnar: "Re: [PATCH 0/4] futex: get_user_pages_fast() for shared futexes"
Previous message: Ingo Molnar: "Re: [PATCH 2/4] x86: Add UV bios call infrastructure v2"
In reply to: Avi Kivity: "[PATCH 3/3] KVM: Convert x86 vcpu ioctls to use dispatch_ioctl_extensible()"
Next in thread: Avi Kivity: "Re: [PATCH 0/3][RFC] ioctl dispatcher"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, 27 Sep 2008 18:43:59 +0300
Avi Kivity <avi@xxxxxxxxxx> wrote:

> While ioctls are officially ugly, they are the best choice for some
> use cases, not to mention compatibility issues. Currently ioctl
> writers face the following hurdles:
>
> - if the ioctl uses a data buffer, the ioctl handler must allocate
> kernel memory for this buffer
> - the memory may be allocated on the heap or on the stack,
> depending on the buffer size
> - handle any errors from the operation
> - copy the data from userspace, if necessary
> - handle any errors from the operation
> - actually perform the operation
> - copy the data back to userspace, if necessary
> - handle any errors from the operation
> - free the buffer, if allocated from the heap
>
> The first patch automates these operations, only requiring the caller
> to supply the ioctl number and a callback in a table.
>
> The second patch addresses another problem with ioctls: they are
> brittle. Once written, an ioctl cannot be extended, since the buffer
> sizes used for transferring data are encoded in the ioctl number.
> This is addressed by allowing the user-supplied size and the
> kernel-visible size of the data buffer to be different; the kernel
> will zero fill or truncate appropriately. With the new mechanism, it
> is easy to write forward- and backward- compatible ioctl handlers.
>
> The third patch demonstrates the effectiveness of the first patch; it
> converts some of kvm's ioctl handlers to the new mechanism, removing
> around 90 lines in the process.
>

this doesn't seem to be much different from the way the DRM code deals
with ioctls. Or the V4L code.
Personally I hate that code though.....

There is a fine balance here; between driver writers screwing something
up they shouldn't be doing in the first place and us being able to
clearly see what the code is doing; your patch kinda hides some key
elements of the ioctl path... I'm afraid it gives a false sense of
security though. Not having to deal with one aspect of security just to
have to deal with the rest....
Lets put it this way: if the driver author has to type "copy_from_user"
there's a chance that he'll remember that the data comes from the user
and isn't to be trusted on face value.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ingo Molnar: "Re: [PATCH 0/4] futex: get_user_pages_fast() for shared futexes"
Previous message: Ingo Molnar: "Re: [PATCH 2/4] x86: Add UV bios call infrastructure v2"
In reply to: Avi Kivity: "[PATCH 3/3] KVM: Convert x86 vcpu ioctls to use dispatch_ioctl_extensible()"
Next in thread: Avi Kivity: "Re: [PATCH 0/3][RFC] ioctl dispatcher"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]