From: Hannes Frederic Sowa <hannes@stressinduktion.org>
To: Christoph Lameter <cl@linux.com>, David Laight <David.Laight@ACULAB.COM>
Cc: "Jesper Dangaard Brouer" <brouer@redhat.com>,
"John Fastabend" <john.fastabend@gmail.com>,
"Mike Rapoport" <rppt@linux.vnet.ibm.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
linux-mm <linux-mm@kvack.org>,
"Willem de Bruijn" <willemdebruijn.kernel@gmail.com>,
"Björn Töpel" <bjorn.topel@intel.com>,
"Karlsson, Magnus" <magnus.karlsson@intel.com>,
"Alexander Duyck" <alexander.duyck@gmail.com>,
"Mel Gorman" <mgorman@techsingularity.net>,
"Tom Herbert" <tom@herbertland.com>,
"Brenden Blanco" <bblanco@plumgrid.com>,
"Tariq Toukan" <tariqt@mellanox.com>,
"Saeed Mahameed" <saeedm@mellanox.com>,
"Jesse Brandeburg" <jesse.brandeburg@intel.com>,
"Kalman Meth" <METH@il.ibm.com>,
"Vladislav Yasevich" <vyasevich@gmail.com>
Subject: Re: Designing a safe RX-zero-copy Memory Model for Networking
Date: Wed, 14 Dec 2016 21:37:23 +0100 [thread overview]
Message-ID: <c122d91d-9506-ac35-29e5-3d80791259ef@stressinduktion.org> (raw)
In-Reply-To: <alpine.DEB.2.20.1612141342080.23516@east.gentwo.org>
On 14.12.2016 20:43, Christoph Lameter wrote:
> On Wed, 14 Dec 2016, David Laight wrote:
>
>> If the kernel is doing ANY validation on the frames it must copy the
>> data to memory the application cannot modify before doing the validation.
>> Otherwise the application could change the data afterwards.
>
> The application is not allowed to change the data after a work request has
> been submitted to send the frame. Changes are possible after the
> completion request has been received.
>
> The kernel can enforce that by making the frame(s) readonly and thus
> getting a page fault if the app would do such a thing.
As far as I remember right now, if you gift with vmsplice the memory
over a pipe to a tcp socket, you can in fact change the user data while
the data is in transmit. So you should not touch the memory region until
you received a SOF_TIMESTAMPING_TX_ACK error message in your sockets
error queue or stuff might break horribly. I don't think we have a
proper event for UDP that fires after we know the data left the hardware.
In my opinion this is still fine within the kernel protection limits.
E.g. due to scatter gather I/O you don't get access to the TCP header
nor UDP header and thus can't e.g. spoof or modify the header or
administration policies, albeit TOCTTOU races with netfilter which
matches inside the TCP/UDP packets are very well possible on transmit.
Wouldn't changing of the pages cause expensive TLB flushes?
Bye,
Hannes
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2016-12-14 20:37 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-05 14:31 Jesper Dangaard Brouer
2016-12-12 8:38 ` Mike Rapoport
2016-12-12 9:40 ` Jesper Dangaard Brouer
2016-12-12 14:14 ` Mike Rapoport
2016-12-12 14:49 ` John Fastabend
2016-12-12 17:13 ` Jesper Dangaard Brouer
2016-12-12 18:06 ` Christoph Lameter
2016-12-13 16:10 ` Jesper Dangaard Brouer
2016-12-13 16:36 ` Christoph Lameter
2016-12-13 17:43 ` John Fastabend
2016-12-13 19:53 ` David Miller
2016-12-13 20:08 ` John Fastabend
2016-12-14 9:39 ` Jesper Dangaard Brouer
2016-12-14 16:32 ` John Fastabend
2016-12-14 16:45 ` Alexander Duyck
2016-12-14 21:29 ` Jesper Dangaard Brouer
2016-12-14 22:45 ` Alexander Duyck
2016-12-15 8:28 ` Jesper Dangaard Brouer
2016-12-15 15:59 ` Alexander Duyck
2016-12-15 16:38 ` Christoph Lameter
2016-12-14 21:04 ` Jesper Dangaard Brouer
2016-12-13 18:39 ` Hannes Frederic Sowa
2016-12-14 17:00 ` Christoph Lameter
2016-12-14 17:37 ` David Laight
2016-12-14 19:43 ` Christoph Lameter
2016-12-14 20:37 ` Hannes Frederic Sowa [this message]
2016-12-14 21:22 ` Christoph Lameter
2016-12-13 9:42 ` Mike Rapoport
2016-12-12 15:10 ` Jesper Dangaard Brouer
2016-12-13 8:43 ` Mike Rapoport
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c122d91d-9506-ac35-29e5-3d80791259ef@stressinduktion.org \
--to=hannes@stressinduktion.org \
--cc=David.Laight@ACULAB.COM \
--cc=METH@il.ibm.com \
--cc=alexander.duyck@gmail.com \
--cc=bblanco@plumgrid.com \
--cc=bjorn.topel@intel.com \
--cc=brouer@redhat.com \
--cc=cl@linux.com \
--cc=jesse.brandeburg@intel.com \
--cc=john.fastabend@gmail.com \
--cc=linux-mm@kvack.org \
--cc=magnus.karlsson@intel.com \
--cc=mgorman@techsingularity.net \
--cc=netdev@vger.kernel.org \
--cc=rppt@linux.vnet.ibm.com \
--cc=saeedm@mellanox.com \
--cc=tariqt@mellanox.com \
--cc=tom@herbertland.com \
--cc=vyasevich@gmail.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox