Things like that are decent initial step but as programmer with kernel background, not picking a fight here, type systems can be abused by inexperienced programmers. Sometimes type systems aren't the most direct or sustainable way of writing that type of code
Conversation
Linux kernel driver layers can have rather complicated nested structures. Some are a hybrid of of two subsystems like USB and ALSA (audio). Both have smaller structures inside them per each subsystems. In the case of a class compliant USB audio driver, both subsystems 1/
2
This is just a bad driver model. There's no reason for a driver to have any complex data structures or structure lifetimes. Hardware is highly finite and static.
2
This Tweet was deleted by the Tweet author. Learn more
What do you claim a driver needs dynamic object relationships for?
This Tweet was deleted by the Tweet author. Learn more
Sharing actual list (including access to pointers) with hardware is unsafe, bogus to do. Sharing the data buffer space does not require any complex data structures. Storage for that should be allocated and managed by OS infrastructure outside of the driver.
1
1
The driver can read and sanity check that kind of data. The Linux kernel has a lot of drivers that are insane enough to even put function pointers inside areas where the hardware has DMA access. Linux screws up IOMMU isolation quite a bit even without taking bugs into account.
1
1
As in never directly use that kind of data without first copying it out and sanity checking the copy. It's a common anti-pattern in the drivers to trust the hardware completely or to do racy checks where they sanity check it but then use the memory the driver can write to.
3
1
3
Hard to say. It really depends on the scenario and what kind of driver it might be. Copying potentially stale data and validating before use isn't a convention typically done in Linux kernel
2
It's not stale data unless the device is evil but that does matter. Lots of the drivers definitely put their data structures into memory that the driver writes to with DMA (even including function pointers in some cases, but that's not required for it to be a code execution bug).
The convention there is to use MP traversal safe data structures and a spin-lock to control access to the data. Copying it is an expensive operation and not typically done without good cause. There's a performance aspect to kernel programming that's critical and implicit
1
Drivers are a bit different but the safety guarantees typically don't involve a copy unless you're actually moving data for read/write userspace operations