On 14.12.2016 20:43, Christoph Lameter wrote: > On Wed, 14 Dec 2016, David Laight wrote: > >> If the kernel is doing ANY validation on the frames it must copy the >> data to memory the application cannot modify before doing the validation. >> Otherwise the application could change the data afterwards. > > The application is not allowed to change the data after a work request has > been submitted to send the frame. Changes are possible after the > completion request has been received. > > The kernel can enforce that by making the frame(s) readonly and thus > getting a page fault if the app would do such a thing. As far as I remember right now, if you gift with vmsplice the memory over a pipe to a tcp socket, you can in fact change the user data while the data is in transmit. So you should not touch the memory region until you received a SOF_TIMESTAMPING_TX_ACK error message in your sockets error queue or stuff might break horribly. I don't think we have a proper event for UDP that fires after we know the data left the hardware. In my opinion this is still fine within the kernel protection limits. E.g. due to scatter gather I/O you don't get access to the TCP header nor UDP header and thus can't e.g. spoof or modify the header or administration policies, albeit TOCTTOU races with netfilter which matches inside the TCP/UDP packets are very well possible on transmit. Wouldn't changing of the pages cause expensive TLB flushes? Bye, Hannes -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>