Industrial device driver uio/uio_*

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This passed me by while I was away so I only saw it to review in mm6. It
looks like it has a few problems...


uio_lseek locking ?

uio_read uses f->f_pos which it should never do
ditto uio_write ...

The uio_read/write functions can race seek or other read/write

The uio_read/write functions do signed maths checks on unsigned types
(size_t) so the count check fails.

Partially completed I/O returns -EFAULT, should return the length
transferred OK

The *ppos adjustment means you can get f_pos to interestingly unsafe
values. Generally speaking do

	loff_t pos = *ppos;

	do stuff with pos

	pos += movement;
	*ppos = pos;


If idev->virtaddr is an mmio object you can't use copy_from/to_user on
it

uio_event is based on sizeof(int) so makes 32bit compat code insanely
hard

event_poll is wrong - poll methods shouldn't error just return "ready"

idev->event_listener appears to have no locking versus the irq handler
and the like.

Anyone appears to be able to select any process as the task to signal or
out of range or negative values

I've not begun to look at uio_base.c in detail but it seems a lot of
code to do very little. That said I can see the problem it is trying to
solve, I'm just not sure it helps as is.

Alan

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux