Re: [PATCH v1 9/9] staging: android: binder: Add binder compat layer

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 4 Dec 2013 10:35:54 -0800
Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:

> On Wed, Dec 04, 2013 at 06:09:41PM +0000, Serban Constantinescu wrote:
> > +#define size_helper(x) ({						    \
> > +	size_t __size;							    \
> > +	if (!is_compat_task())						    \
> > +		__size = sizeof(x);					    \
> > +	else if (sizeof(x) == sizeof(struct flat_binder_object))	    \
> > +		__size = sizeof(struct compat_flat_binder_object);	    \
> > +	else if (sizeof(x) == sizeof(struct binder_transaction_data))	    \
> > +		__size = sizeof(struct compat_binder_transaction_data);	    \
> > +	else if (sizeof(x) == sizeof(size_t))				    \
> > +		__size = sizeof(compat_size_t);				    \
> > +	else								    \
> > +		 BUG();							    \
> > +	__size;								    \
> > +	})
> 
> Ick.
> 
> First off, no driver should ever be able to crash the kernel, which you
> just did.

And which would appear to mean that this code hasn't actually been
tested - at least not properly with error cases ?

You talk about type safety too but your code is already full of
"put_user(node->ptr, (void * __user *)ptr))"

The binder_copy_to_user thing is pretty confusingly named - it sounds
like a wrapper but is in fact a whole set of operations with two
different values and extra cookie structures and the like

Would something like

binder_put_userptr(mode->ptr, &ptr)

perhaps be a shade easier to follow as a set of changes, and less clunky ?


And 3/9 you could have done a clean up .. instead of replacing endless
repeats of 

-			cmd == BC_INCREFS_DONE ?
-			"BC_INCREFS_DONE" :
-			"BC_ACQUIRE_DONE",
+			acquire ?
+			"BC_ACQUIRE_DONE" :
+			"BC_INCREFS_DONE",

couldn't you do that bit in just one place ?

Ditto


-			cmd == BC_REQUEST_DEATH_NOTIFICATION ?
+			request ?
 			"BC_REQUEST_DEATH_NOTIFICATION" :
 			"BC_CLEAR_DEATH_NOTIFICATION",


The "_helper" stuff with type and size magic also really obfuscates the
code horribly


+static inline struct flat_binder_object *copy_flat_binder_object(void
__user *ptr) +{
+	return (struct flat_binder_object *)ptr;
+}


What were you arguing about type safety again ?


While I'm tempted to answer "and that children is what happens when you
don't take your interfaces mainstream and peer review them in the first
place" I appreciate it won't help ;-)

I think I'd rather see the structures fixed up to be correct and properly
type stable for 64bit on a 64bit box including u64 user pointers.

For 32bit then yes you probably have to do something icky like


struct binder_foo64 {
}

struct binder_foo_compat {
}

#if 32bit
#define binder_foo binder_foo_compat
#else
#define binder_foo binder_foo64
#endif

but I do think it would make the rest of the code look less like a lesson
on pointer and GNU extension obfuscation and when 32bit finally gets
buried the uglies can be removed.

Alan
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel




[Index of Archives]     [Linux Driver Backports]     [DMA Engine]     [Linux GPIO]     [Linux SPI]     [Video for Linux]     [Linux USB Devel]     [Linux Coverity]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Yosemite Backpacking]
  Powered by Linux