> From: Willem de Bruijn
> Sent: 19 May 2023 16:09
...
> Since that is a limited, well-understood list, I'm not in favor of the
> suggestion to add an explicit length argument that then needs to be
> checked in each callee.

While calls from userspace and direct calls from drivers can be reasonably
expected to have the required length buffer, I'm not sure that is guaranteed
for indirect calls via io_uring and bpf.

In those cases the associated length is likely to come from userspace and a
suitably sized kernel buffer allocated.
So something needs to ensure the buffer is long enough (and, indeed, not
stupidly long).

Now you could require that the caller always supply a buffer of at least
(say) 64 bytes as well as the actual length.
Then only callee functions that have a long buffer need check.

An alternate option is to define a union of all the valid argument types and
require that any code making 'unknown' requests supply a kernel buffer of
that length.
(With due care taken to avoid overlong copies of uninitialised kernel memory
back to userspace.)

The same union would be useful as an upper bound for the kernel buffer size -
even if it is too large to always allocate on stack.

	David
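The union-bound scheme described in the reply, modelled in userspace C as an added example (it is not code from this thread or from the kernel): the option names, the two argument structs and the dispatch functions are constructed assumptions. It shows the callee skipping the length check because the buffer is guaranteed to be sizeof(union), the indirect caller validating a user-supplied length, and the copy back being limited to the bytes actually written.

```c
#include <string.h>

/* Argument types of the well-understood options; constructed for this example. */
struct opt_linger  { int onoff; int seconds; };
struct opt_timeval { long sec;  long usec;   };

/* Union of every valid argument type: a caller making an "unknown" request must
 * supply this many bytes, and it bounds the kernel buffer size. */
union opt_arg {
    int                ival;
    struct opt_linger  linger;
    struct opt_timeval tv;
};
#define OPT_ARG_MAX sizeof(union opt_arg)

enum { OPT_INT = 1, OPT_LINGER = 2, OPT_TIMEVAL = 3 };

/* Bytes each option really uses; 0 for an option nobody handles. */
static size_t opt_arg_size(int opt)
{
    switch (opt) {
    case OPT_INT:     return sizeof(int);
    case OPT_LINGER:  return sizeof(struct opt_linger);
    case OPT_TIMEVAL: return sizeof(struct opt_timeval);
    default:          return 0;
    }
}

/* Callee: buf holds at least OPT_ARG_MAX bytes, so no length check is needed. */
static size_t opt_get(int opt, const union opt_arg *state, void *buf)
{
    size_t need = opt_arg_size(opt);
    memcpy(buf, state, need);
    return need;
}

/* Indirect caller (io_uring/bpf style): user_len came from userspace and the
 * option is not known in advance.  Returns the byte count that may be copied
 * back to user_out, or -1 for an unknown option or a too-short buffer. */
static int opt_get_indirect(int opt, size_t user_len,
                            const union opt_arg *state, unsigned char *user_out)
{
    union opt_arg kbuf;                 /* fixed OPT_ARG_MAX bytes, never user_len */
    size_t need = opt_arg_size(opt);
    if (need == 0 || user_len < need)
        return -1;
    memset(&kbuf, 0, sizeof(kbuf));     /* no stale kernel bytes can reach userspace */
    need = opt_get(opt, state, &kbuf);
    memcpy(user_out, &kbuf, need);      /* copy what was written, not user_len */
    return (int)need;
}
```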