Re: Interface for the new fallocate() system call

From: Linus Torvalds
Date: Thu Mar 29 2007 - 14:41:19 EST

Next message: linux: "Re: Why is NCQ enabled by default by libata? (2.6.20)"
Previous message: Matt Mackall: "Re: 2.6.21-rc5-mm1"
In reply to: Jan Engelhardt: "Re: Interface for the new fallocate() system call"
Next in thread: Heiko Carstens: "Re: Interface for the new fallocate() system call"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 29 Mar 2007, Jan Engelhardt wrote:
>
> I have to disagree, since wrapping it into a struct and copying the struct
> in kernelspace from userspace requires more code.

Not just more code, but more security issues too.

Passing system call arguments by value means that there are no subtle
security issues - the value you use is the value you got. But once you
pass-by-reference, you have to make damn sure that you do the proper user
space accesses and verify the pointer correctly.

User-space (aka "user-supplied") pointers are just more dangerous. We
obviously can't avoid them, but they need much more care than just a
random value directly passed in a register.

Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: linux: "Re: Why is NCQ enabled by default by libata? (2.6.20)"
Previous message: Matt Mackall: "Re: 2.6.21-rc5-mm1"
In reply to: Jan Engelhardt: "Re: Interface for the new fallocate() system call"
Next in thread: Heiko Carstens: "Re: Interface for the new fallocate() system call"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]