Subject: Re: [PATCH][RFC] Lightweight user-level semaphores
To: matthew@hairy.beasts.org (Matthew Kirkwood)
Date: Tue, 8 Jan 2002 13:56:30 +0000 (GMT)
Cc: torvalds@transmeta.com (Linus Torvalds), linux-kernel@vger.kernel.org
In-Reply-To: <Pine.LNX.4.33.0201071902070.5064-101000@sphinx.mythic-beasts.com> from "Matthew Kirkwood" at Jan 07, 2002 08:05:41 PM
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <E16Nwju-0006TB-00@the-village.bc.nu>
From: Alan Cox <alan@lxorguk.ukuu.org.uk>
Sender: linux-kernel-owner@vger.kernel.org

>  * I don't do the:
> 
> 	if (kfs->user_address != fs)
> 		goto bad_sem;
> 
>    because it doesn't seem to add anything, and prevents
>    putting these locks in a non-fixed file or SysV SHM
>    map.

The security side of it is basically non existant anyway. If you can map it
you can play naughty. If I decide to do raw I/O DMA directly into that
segment you either litter the kernel with special cases or accept that
if you do stupid things it breaks. 

I'm for the latter 8)

> +static inline struct ksem *get_ksem(struct fast_sem *s)
> +{
> +	struct ksem *r = (struct ksem*)s->__opaque_ksem;
> +	if(!r) return NULL;
> +	if(r->magic != FS_SIG_MAGIC) return NULL;

Bang, dead, raw hardware access - game over. You can't dereference the
untrusted pointer to check if its valid, even to look at it. Wouldn't it
be easier and safer to create a two page map, where page 0 is the r/w
objects and page 1 is mapped r/o or kernel private and consists of identical 
sized objects ? Then its a case of offset from page start + array bias.

> +	struct ksem *s;
> +	s = kmalloc(sizeof(*s), GFP_KERNEL);

if(s==NULL) check missing
 

Alan
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/