On Tuesday, 23 January 2024 19:14:17 CST Greg Kroah-Hartman wrote:
> On Tue, Jan 23, 2024 at 06:40:22PM -0600, Elizabeth Figura wrote:
> > +static int ntsync_create_sem(struct ntsync_device *dev, void __user
> > *argp)
> > +{
> > +	struct ntsync_sem_args __user *user_args = argp;
> > +	struct ntsync_sem_args args;
> > +	struct ntsync_obj *sem;
> > +	__u32 id;
> > +	int ret;
> > +
> > +	if (copy_from_user(&args, argp, sizeof(args)))
> > +		return -EFAULT;
> > +
> > +	if (args.count > args.max)
> > +		return -EINVAL;
>
> No bounds checking on count or max?
>
> What's the relationship between count and max?

Indeed, no bounds checking. The counter is just the semaphore's internal value and has no meaning other than that. It's basically like an EFD_SEMAPHORE, except that the maximum is configurable rather than always being 2**64-2.

> Some sort of real documentation is needed here, the changelog needs to
> explain this. Or somewhere, but as-is, this patch series is pretty
> unreviewable as I can't figure out how to review it because I don't know
> what it wants to do.

There is some comprehensive documentation in the series, but for ease of review I will try to write a basic description of the API in each relevant patch in v2.
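Review bot: the only validation of the user-supplied values in the quoted hunk is `if (args.count > args.max) return -EINVAL;`, and nothing in the hunk itself says what `count` and `max` mean or that `max` is intentionally left unbounded, which is exactly what the reviewer asked; a kernel-doc comment on `struct ntsync_sem_args` (count is the initial value, max the configurable ceiling) or a one-line comment above that check would make the intent reviewable without reading the rest of the series. Also, `user_args` is introduced as the typed alias of `argp` but `copy_from_user(&args, argp, sizeof(args))` reads through `argp` directly; pick one and use it consistently so a reader does not wonder whether the two pointers are meant to differ.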