Re: [RFC PATCH 3/9] ntsync: Introduce NTSYNC_IOC_CREATE_SEM and NTSYNC_IOC_DELETE.

[Elizabeth Figura]

On Tuesday, 23 January 2024 19:14:17 CST Greg Kroah-Hartman wrote:
> On Tue, Jan 23, 2024 at 06:40:22PM -0600, Elizabeth Figura wrote:
> > +static int ntsync_create_sem(struct ntsync_device *dev, void __user
> > *argp)
> > +{
> > +	struct ntsync_sem_args __user *user_args = argp;
> > +	struct ntsync_sem_args args;
> > +	struct ntsync_obj *sem;
> > +	__u32 id;
> > +	int ret;
> > +
> > +	if (copy_from_user(&args, argp, sizeof(args)))
> > +		return -EFAULT;
> > +
> > +	if (args.count > args.max)
> > +		return -EINVAL;
> 
> No bounds checking on count or max?
> 
> What's the relationship between count and max?  

Indeed, no bounds checking. The counter is just the semaphore's internal value 
and has no meaning other than that.

It's basically like an EFD_SEMAPHORE, except that the maximum is configurable 
rather than always being 2**64-2.

> Some sort of real
> documentation is needed here, the changelog needs to explain this.  Or
> somewhere, but as-is, this patch series is pretty unreviewable as I
> can't figure out how to review it because I don't know what it wants to
> do.

There is some comprehensive documentation in the series, but for ease of 
review I will try to write a basic description of the API in each relevant 
patch in v2.