[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
[dm-devel] Re: "Enhanced" MD code avaible for review
- From: Bartlomiej Zolnierkiewicz <B Zolnierkiewicz elka pw edu pl>
- To: "Justin T. Gibbs" <gibbs scsiguy com>, Jeff Garzik <jgarzik pobox com>
- Cc: linux-raid vger kernel org, dm-devel redhat com, Kevin Corry <kevcorry us ibm com>, Neil Brown <neilb cse unsw edu au>, linux-kernel vger kernel org
- Subject: [dm-devel] Re: "Enhanced" MD code avaible for review
- Date: Tue, 30 Mar 2004 20:11:18 +0200
On Tuesday 30 of March 2004 19:35, Justin T. Gibbs wrote:
> > The kernel should not be validating -trusted- userland inputs. Root is
> > allowed to scrag the disk, violate limits, and/or crash his own machine.
> >
> > A simple example is requiring userland, when submitting ATA taskfiles via
> > an ioctl, to specify the data phase (pio read, dma write, no-data, etc.).
> > If the data phase is specified incorrectly, you kill the OS driver's ATA
> > host wwtate machine, and the results are very unpredictable. Since this
> > is a trusted operation, requiring CAP_RAW_IO, it's up to userland to get
> > the required details right (just like following a spec).
>
> That's unfortunate for those using ATA. A command submitted from userland
> to the SCSI drivers I've written that causes a protocol violation will
> be detected, result in appropriate recovery, and a nice diagnostic that
> can be used to diagnose the problem. Part of this is because I cannot know
> if the protocol violation stems from a target defect, the input from the
> user or, for that matter, from the kernel. The main reason is for
> robustness and ease of debugging. In SCSI case, there is almost no
> run-time cost, and the system will stop before data corruption occurs. In
In ATA case detection of protocol violation is not possible w/o checking every
possible command opcode. Even if implemented (notice that checking commands
coming from kernel is out of question - for performance reasons) this breaks
for future and vendor specific commands.
> the meta-data case we've been discussing in terms of EMD, there is no
> runtime cost, the validation has to occur somewhere anyway, and in many
> cases some validation is already required to avoid races with external
> events. If the validation is done in the kernel, then you get the benefit
> of nice diagnostics instead of strange crashes that are difficult to debug.
Unless code that crashes is the one doing validation. ;-)
Bartlomiej
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]