From woods@tap.zeus.leitch.com  Tue Jul 14 12:44:51 1998
Received: from gateman.zeus.leitch.com (gateman.zeus.leitch.com [204.187.61.193])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA01816
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 14 Jul 1998 12:44:38 -0700 (PDT)
          (envelope-from woods@tap.zeus.leitch.com)
Received: from zeus.leitch.com (tap.zeus.leitch.com [204.187.61.10]) by gateman.zeus.leitch.com (8.8.5/8.7.3/1.0) with ESMTP id PAA26952; Tue, 14 Jul 1998 15:42:38 -0400 (EDT)
Received: from brain.zeus.leitch.com (brain.zeus.leitch.com [204.187.61.32]) by zeus.leitch.com (8.7.5/8.7.3/1.0) with ESMTP id PAA03063; Tue, 14 Jul 1998 15:42:37 -0400 (EDT)
Received: (from woods@localhost)
	by brain.zeus.leitch.com (8.8.8/8.8.8) id PAA03527;
	Tue, 14 Jul 1998 15:42:37 -0400 (EDT)
	(envelope-from woods@tap.zeus.leitch.com)
Message-Id: <199807141942.PAA03527@brain.zeus.leitch.com>
Date: Tue, 14 Jul 1998 15:42:37 -0400 (EDT)
From: woods@zeus.leitch.com
Reply-To: woods@zeus.leitch.com
To: FreeBSD-gnats-submit@freebsd.org
Cc: erich@rrnet.com
Subject: some old and rarely used drivers have apparently become broken
X-Send-Pr-Version: 3.2

>Number:         7282
>Category:       kern
>Synopsis:       some old and rarely used drivers have apparently become broken
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jul 14 12:50:02 PDT 1998
>Closed-Date:    Sat Jan 5 16:27:53 PST 2002
>Last-Modified:  Sat Jan 05 16:28:39 PST 2002
>Originator:     Greg A. Woods
>Release:        FreeBSD 2.2.6-STABLE i386
>Organization:
Planix, Inc.; Toronto, Ontario; Canada
>Environment:

>Description:

	It would seem as though all drivers were not converted to use
	the new driver ioctl() interface, i.e. the one where driver
	ioctl() routines should not use copyin()/copyout() because this
	is done for them one level up.

>How-To-Repeat:

	Write a driver the old-fashioned (and still documented) way that
	uses copyin()/copyout() in its ioctl() routine and then spend
	days wondering why attempts to use the new driver's ioctl() fail
	with EFAULT.

>Fix:
	
	Finish hacking all the drivers to the new kernel interface.
	This probably only means sys/i386/isa/labpc.c, but I've not
	checked thoroughly.

	Document more thoroughly the driver/kernel interface.

	Update the available copy of "FreeBSD Device Driver Writer's
	Guide" (Eric L. Hernes, May 29, 1996).

	Possibly even mention in copyin.9 et al that these routines
	should not be used in driver ioctl() routines.

>Release-Note:
>Audit-Trail:

From: Bruce Evans <bde@zeta.org.au>
To: FreeBSD-gnats-submit@FreeBSD.ORG, woods@zeus.leitch.com
Cc: erich@rrnet.com
Subject: Re: kern/7282: some old and rarely used drivers have apparently become broken
Date: Wed, 15 Jul 1998 09:57:27 +1000

 >	It would seem as though all drivers were not converted to use
 >	the new driver ioctl() interface, i.e. the one where driver
 >	ioctl() routines should not use copyin()/copyout() because this
 >	is done for them one level up.
 
 It's not new.  It's (much?) older than Net/3, much older than any
 FreeBSD driver.
 
 >	Possibly even mention in copyin.9 et al that these routines
 >	should not be used in driver ioctl() routines.
 
 But they should be used if the data is larger than will fit in the
 ioctl data.  labpc uses them to copy rather small data that probably
 should have been put in the ioctl data.  If DSI_SOFT_MODEM is
 configured, then sio uses copyin() to copy arbitrarly large data
 (large enough to use all of kernel memory :-().
 
 Bruce

From: woods@zeus.leitch.com (Greg A. Woods)
To: Bruce Evans <bde@zeta.org.au>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, erich@rrnet.com
Subject: Re: kern/7282: some old and rarely used drivers have apparently become broken
Date: Wed, 15 Jul 1998 11:41:59 -0400 (EDT)

 [ On Wed, July 15, 1998 at 09:57:27 (+1000), Bruce Evans wrote: ]
 > Subject: Re: kern/7282: some old and rarely used drivers have apparently become broken
 >
 > >	It would seem as though all drivers were not converted to use
 > >	the new driver ioctl() interface, i.e. the the one where driver
 > >	ioctl() routines should not use copyin()/copyout() because this
 > >	is done for them one level up.
 > 
 > It's not new.  It's (much?) older than Net/3, much older than any
 > FreeBSD driver.
 
 I guess I should have run "cvs annotate" on sys/kern/sys_generic.c once
 I'd found out that the ioctl() driver wrapper in there actually does the
 copyin() already.  Then I would have noticed that the copyin() and
 copyout() calls in that wrapper have been there since the file was added
 to the FreeBSD repository.  Yes, this same code is also in my archive of
 Net/2 (i.e. 4.3Tahoe).
 
 However given the way other Unix variants implement driver ioctl()
 routines, and according to the document written by Eric, and all of my
 past experience writing drivers for other Unix variants, I fully
 expected I would have to use copyin()/copyout() in the driver ioctl()
 routine.  Now that I think I understand how BSD truely implements the
 ioctl() system call I don't see how use of copyin()/copyout() in a
 driver ioctl() routine could ever work.
 
 The other clue that on hindsight is quite obvious is that the macros
 used to "create" ioctl command descriptors know the size of the data
 structure to be copied.  (I've been rather annoyed at this change in the
 kernel/driver interface for some time though because it totally prevents
 any chance of backwards compatability with userland should one need to
 add a new field to a data structure passed through ioctl().  Perhaps my
 annoyance clouded my ability to see this as a clue to the problem I was
 seeing.)
 
 > >	Possibly even mention in copyin.9 et al that these routines
 > >	should not be used in driver ioctl() routines.
 > 
 > But they should be used if the data is larger than will fit in the
 > ioctl data.  labpc uses them to copy rather small data that probably
 > should have been put in the ioctl data.  If DSI_SOFT_MODEM is
 > configured, then sio uses copyin() to copy arbitrarly large data
 > (large enough to use all of kernel memory :-().
 
 Given my experimentation, and subsequent code walkthrough to find out
 how the driver *_ioctl() routines get called, I can't see how any driver
 can ever successfully use copyin() or copyout() in the driver *_ioctl()
 routines themselves.  Any time I tried, no matter how small or large the
 data segment being copied, all I ever got back from thouse routines was
 EFAULT.  I.e. the labpc driver *must* be broken (though it may be lucky
 enough not to fail if the copyin()/copyout() calls it makes never cause
 a page fault in practice).
 
 -- 
 							Greg A. Woods
 
 +1 416 443-1734      VE3TCP      <gwoods@acm.org>      <robohack!woods>
 Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
State-Changed-From-To: open->closed 
State-Changed-By: silby 
State-Changed-When: Sat Jan 5 16:27:53 PST 2002 
State-Changed-Why:  
2.2.6 is now obsolete, this PR can be retired. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=7282 
>Unformatted:
