svn commit: r274017 - head/sys/kern

Bruce Evans brde at optusnet.com.au
Mon Nov 3 17:51:42 UTC 2014


On Mon, 3 Nov 2014, Julian Elischer wrote:

> On 11/3/14, 3:46 PM, Mateusz Guzik wrote:
>> Author: mjg
>> Date: Mon Nov  3 07:46:51 2014
>> New Revision: 274017
>> URL: https://svnweb.freebsd.org/changeset/base/274017
>> 
>> Log:
>>    Provide an on-stack temporary buffer for small ioctl requests.
> I'm not sure I like this. We don't know how many more levels
> of stack may be needed.

128 bytes is nothing.  select() always used a 512-byte array of 2048
bits for similar purposes.  poll() uses an array of 32 struct pollfd's
similarly.  (The names of these seem to have rotted.  I think select()
used to use the name smallbits, and this was a good name for an array
of bits.  Now select() uses the name s_selbits for its small array of
bits, and poll() uses the name smallbits for its small array of non-bits).
The struct is subject to uncontrolled bloat, unlike the bit array which
is limited by its hard-coded 2048.  struct pollfd actually has size just
8 on all arches, so 32 of it is small.

> I know that machines are getting faster with more memory,
> but the current move towards bloating out the
> worries me.  we started out with a single page of stack (SHARED
> with the U-area!). I think we are now at several pages.. I forget, is it 8?

It is still only 2 plus 1 guard page on i386.  KSTACK_PAGES is a bogus
option (any use of the option to change it breaks it when the options
header is not included).  KSTACK_GUARD_PAGES isn't a bogus option, so
it can only be changed by editing the source code; then changing it only
breaks things previously compiled with the old value.

On amd64, it is 4 plus 1.

The depth of syscalls is indeed horrifying.  Similar techniques were
used in Slowaris to blow out its register windows on Sparc many years
ago.

> I'm open to being persuaded but I think we need to have a discussion
> about stack usage. We used to say that anything greater that, say
> 64 bytes should probably be allocated.

The top level of a syscall should be allowed to use more like a full
page (leaving 1 page for everything else).  Only the top level can
resonably control its usage.

>> Modified:
>>    head/sys/kern/sys_generic.c

Excessive quoting not deleted.  I will complain about style bugs here instead
of in a reply to the original mail.

>> Modified: head/sys/kern/sys_generic.c
>> ==============================================================================
>> --- head/sys/kern/sys_generic.c	Mon Nov  3 07:18:42 2014 
>> (r274016)
>> +++ head/sys/kern/sys_generic.c	Mon Nov  3 07:46:51 2014 
>> (r274017)
>> @@ -649,6 +649,7 @@ sys_ioctl(struct thread *td, struct ioct
>>   	u_long com;
>>   	int arg, error;
>>   	u_int size;
>> +	u_char smalldata[128];
>>   	caddr_t data;

The bogus type caddr_t is still used.

>>     	if (uap->com > 0xffffffff) {
>> @@ -680,17 +681,18 @@ sys_ioctl(struct thread *td, struct ioct
>>   			arg = (intptr_t)uap->data;

Bogus cast.  intptr_t is only valid on void *, but uap->data has the
bogus opaque type caddr_t.

>>   			data = (void *)&arg;

The cast is correct.  Then it is assumed that the opaque type caddr_t is
a pointer.  If 'data; had type void *, then no assumptions would be needed
here (assumptions and conversions would be needed later, since the KPI has
some caddr_t mistakes built in).

>>   			size = 0;
>> -		} else
>> -			data = malloc((u_long)size, M_IOCTLOPS, M_WAITOK);
>> +		} else {
>> +			if (size <= sizeof(smalldata))
>> +				data = smalldata;
>> +			else
>> +				data = malloc((u_long)size, M_IOCTLOPS, 
>> M_WAITOK);

Style bugs:
- old: unnecessary cast to u_long.  It was to support unprototyped code.
- new: line too long, by blind re-indentation.

>> +		}
>>   	} else
>>   		data = (void *)&uap->data;

Many more bogus casts like this.

>>   	if (com & IOC_IN) {
>>   		error = copyin(uap->data, data, (u_int)size);

A more bogus cast to u_int.  It was to support unprotyped code, but has
been wrong for that for more than 20 years, since copyin()'s KPI was
changed to take a size_t.

>> -		if (error) {
>> -			if (size > 0)
>> -				free(data, M_IOCTLOPS);
>> -			return (error);
>> -		}
>> +		if (error != 0)
>> +			goto out;
>>   	} else if (com & IOC_OUT) {
>>   		/*
>>   		 * Zero the buffer so the user always
>> @@ -704,7 +706,8 @@ sys_ioctl(struct thread *td, struct ioct
>>   	if (error == 0 && (com & IOC_OUT))
>>   		error = copyout(data, uap->data, (u_int)size);

Another bogus cast for the copyin() family.

>>   -	if (size > 0)
>> +out:
>> +	if (size > 0 && data != (caddr_t)&smalldata)
>>   		free(data, M_IOCTLOPS);

'size' is unsigned, so (size > 0) should be written as (size != 0).
Using caddr_t requires another bogus cast here.  &smalldata should
be written as &smalldata[0] or simply smalldata.  The address of
the array is subtly different and not wanted here, but reduces to
the same in the explicit conversion to caddr_t, assuming that caddr_t
is char * like it is, or void *; otherwise, the subtle difference
might have an effect.

>>   	return (error);
>>   }

Bruce


More information about the svn-src-all mailing list