On Wed, 4 Dec 2013 10:35:54 -0800 Greg KH <gre...@linuxfoundation.org> wrote:
> On Wed, Dec 04, 2013 at 06:09:41PM +0000, Serban Constantinescu wrote: > > +#define size_helper(x) ({ \ > > + size_t __size; \ > > + if (!is_compat_task()) \ > > + __size = sizeof(x); \ > > + else if (sizeof(x) == sizeof(struct flat_binder_object)) \ > > + __size = sizeof(struct compat_flat_binder_object); \ > > + else if (sizeof(x) == sizeof(struct binder_transaction_data)) \ > > + __size = sizeof(struct compat_binder_transaction_data); \ > > + else if (sizeof(x) == sizeof(size_t)) \ > > + __size = sizeof(compat_size_t); \ > > + else \ > > + BUG(); \ > > + __size; \ > > + }) > > Ick. > > First off, no driver should ever be able to crash the kernel, which you > just did. And which would appear to mean that this code hasn't actually been tested - at least not properly with error cases ? You talk about type safety too but your code is already full of "put_user(node->ptr, (void * __user *)ptr))" The binder_copy_to_user thing is pretty confusingly named - it sounds like a wrapper but is in fact a whole set of operations with two different values and extra cookie structures and the like Would something like binder_put_userptr(mode->ptr, &ptr) perhaps be a shade easier to follow as a set of changes, and less clunky ? And 3/9 you could have done a clean up .. instead of replacing endless repeats of - cmd == BC_INCREFS_DONE ? - "BC_INCREFS_DONE" : - "BC_ACQUIRE_DONE", + acquire ? + "BC_ACQUIRE_DONE" : + "BC_INCREFS_DONE", couldn't you do that bit in just one place ? Ditto - cmd == BC_REQUEST_DEATH_NOTIFICATION ? + request ? "BC_REQUEST_DEATH_NOTIFICATION" : "BC_CLEAR_DEATH_NOTIFICATION", The "_helper" stuff with type and size magic also really obfuscates the code horribly +static inline struct flat_binder_object *copy_flat_binder_object(void __user *ptr) +{ + return (struct flat_binder_object *)ptr; +} What were you arguing about type safety again ? While I'm tempted to answer "and that children is what happens when you don't take your interfaces mainstream and peer review them in the first place" I appreciate it won't help ;-) I think I'd rather see the structures fixed up to be correct and properly type stable for 64bit on a 64bit box including u64 user pointers. For 32bit then yes you probably have to do something icky like struct binder_foo64 { } struct binder_foo_compat { } #if 32bit #define binder_foo binder_foo_compat #else #define binder_foo binder_foo64 #endif but I do think it would make the rest of the code look less like a lesson on pointer and GNU extension obfuscation and when 32bit finally gets buried the uglies can be removed. Alan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/