> The kernel should not be validating -trusted- userland inputs. Root is > allowed to scrag the disk, violate limits, and/or crash his own machine. > > A simple example is requiring userland, when submitting ATA taskfiles via > an ioctl, to specify the data phase (pio read, dma write, no-data, etc.). > If the data phase is specified incorrectly, you kill the OS driver's ATA > host wwtate machine, and the results are very unpredictable. Since this > is a trusted operation, requiring CAP_RAW_IO, it's up to userland to get the > required details right (just like following a spec). That's unfortunate for those using ATA. A command submitted from userland to the SCSI drivers I've written that causes a protocol violation will be detected, result in appropriate recovery, and a nice diagnostic that can be used to diagnose the problem. Part of this is because I cannot know if the protocol violation stems from a target defect, the input from the user or, for that matter, from the kernel. The main reason is for robustness and ease of debugging. In SCSI case, there is almost no run-time cost, and the system will stop before data corruption occurs. In the meta-data case we've been discussing in terms of EMD, there is no runtime cost, the validation has to occur somewhere anyway, and in many cases some validation is already required to avoid races with external events. If the validation is done in the kernel, then you get the benefit of nice diagnostics instead of strange crashes that are difficult to debug. -- Justin - To unsubscribe from this list: send the line "unsubscribe linux-raid" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
