* [sigh] binder shite is back ;-/
@ 2011-12-22 19:58 Al Viro
2011-12-22 20:51 ` Christoph Hellwig
0 siblings, 1 reply; 3+ messages in thread
From: Al Viro @ 2011-12-22 19:58 UTC (permalink / raw)
To: linux-kernel; +Cc: linux-fsdevel
Thesis: binder is a true example of what "Enterprise Quality" means.
Nothing good, that is.
Exhibit 1:
in their ->mmap() they have
if (proc->buffer) {
ret = -EBUSY;
failure_string = "already mapped";
goto err_already_mapped;
}
area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP);
if (area == NULL) {
ret = -ENOMEM;
failure_string = "get_vm_area";
goto err_get_vm_area_failed;
}
proc->buffer = area->addr;
Note that there's nothing stopping two processes from doing mmap() on the
same file at the same time.
Exhibit 2: while proc->files is set to the ->files of whoever does mmap(),
proc->tsk is set to task_struct of whoever does open(). Then
task_get_unused_fd_flags() does expand ->files after having checked
rlimit on ->tsk.
Exhibit 3:
if (vma)
mm = NULL;
else
mm = get_task_mm(proc->tsk);
if (mm) {
down_write(&mm->mmap_sem);
vma = proc->vma;
}
Note that proc->vma is created by whoever had done mmap(), _not_ whoever
had done open(). Not to mention that there's no reason why either task would
still have the original ->mm...
Exhibit 4: mmap that thing and then fork(). Leaving aside the joy of
getting stack dumps in your face, it will succeed. And then when you
unmap that thing in child (or child exits, for that matter) you'll get
proc->vma = NULL. On a live one.
Exhibit 5: while we are at it, mmap one and then munmap its middle.
As far as I can see, the basic attitude in that code is "surely, nobody
will do anything unexpected to poor li'l me". As far as I can tell,
manipulations of descriptor tables suffer the same kind of braindamage,
etc.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [sigh] binder shite is back ;-/
2011-12-22 19:58 [sigh] binder shite is back ;-/ Al Viro
@ 2011-12-22 20:51 ` Christoph Hellwig
2011-12-22 21:00 ` Al Viro
0 siblings, 1 reply; 3+ messages in thread
From: Christoph Hellwig @ 2011-12-22 20:51 UTC (permalink / raw)
To: Al Viro; +Cc: linux-kernel, linux-fsdevel
On Thu, Dec 22, 2011 at 07:58:07PM +0000, Al Viro wrote:
> Thesis: binder is a true example of what "Enterprise Quality" means.
> Nothing good, that is.
We already knew that it is a massive piece of junk, but why is it back?
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [sigh] binder shite is back ;-/
2011-12-22 20:51 ` Christoph Hellwig
@ 2011-12-22 21:00 ` Al Viro
0 siblings, 0 replies; 3+ messages in thread
From: Al Viro @ 2011-12-22 21:00 UTC (permalink / raw)
To: Christoph Hellwig; +Cc: linux-kernel, linux-fsdevel
On Thu, Dec 22, 2011 at 03:51:48PM -0500, Christoph Hellwig wrote:
> On Thu, Dec 22, 2011 at 07:58:07PM +0000, Al Viro wrote:
> > Thesis: binder is a true example of what "Enterprise Quality" means.
> > Nothing good, that is.
>
> We already knew that it is a massive piece of junk, but why is it back?
Can't keep a good turd down, I guess. It'll always float back and land
in drivers/staging...
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2011-12-22 21:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-12-22 19:58 [sigh] binder shite is back ;-/ Al Viro
2011-12-22 20:51 ` Christoph Hellwig
2011-12-22 21:00 ` Al Viro
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.