On (02/21/18 19:39), Willem de Bruijn wrote:
> >> By the way, the put_cmsg is unconditional even if the caller did
> >> not supply msg_control. So it is basically no longer safe to ever
> >> call read, recv or recvfrom on a socket if zerocopy notifications
> >> are outstanding.
> >
> > Wait, I thought put_cmsg already checks for these things.
>
> It does, and sets MSG_CTRUNC to signal that it was unable to
> write all control data. But by then the notifications have already
> been dequeued.

Putting hyperbole about "no longer safe to ever call read etc" aside, put_cmsg can also return EFAULT if uspace provides a bogus cmsghdr (i.e., copy_to_user fails). So the only thing you can do to really protect against every possible thing is to requeue the notification if put_cmsg fails.
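
The dequeue-then-deliver ordering discussed in this thread, as an added user-space model in C (not kernel code and not part of the original message). All names here (`notif_queue`, `user_msg`, `model_put_cmsg`, `deliver_one`, `MSG_CTRUNC_FLAG`) are hypothetical; the model also requeues on truncation, which goes one step beyond the requeue-on-failure case named above.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define MSG_CTRUNC_FLAG 0x8          /* hypothetical stand-in for MSG_CTRUNC */
#define QLEN 8

struct notif_queue { unsigned cookies[QLEN]; int head, count; };
/* bad_ptr simulates a user pointer on which copy_to_user would fail */
struct user_msg { void *control; size_t controllen; int bad_ptr; int flags; };

static void enqueue_tail(struct notif_queue *q, unsigned c) {
    q->cookies[(q->head + q->count++) % QLEN] = c;
}
static void requeue_head(struct notif_queue *q, unsigned c) {
    q->head = (q->head + QLEN - 1) % QLEN;   /* restore original order */
    q->cookies[q->head] = c;
    q->count++;
}
static unsigned dequeue(struct notif_queue *q) {
    unsigned c = q->cookies[q->head];
    q->head = (q->head + 1) % QLEN;
    q->count--;
    return c;
}

/* Models the two put_cmsg outcomes from the thread: truncation is
 * reported only through the flag (return 0); a bad pointer is -EFAULT. */
static int model_put_cmsg(struct user_msg *m, const void *data, size_t len) {
    if (!m->control || m->controllen < len) {
        m->flags |= MSG_CTRUNC_FLAG;
        return 0;
    }
    if (m->bad_ptr)
        return -EFAULT;
    memcpy(m->control, data, len);
    return 0;
}

/* Returns 1 if the notification reached the caller, 0 if not, <0 on error.
 * With requeue set, an undelivered notification goes back on the queue. */
static int deliver_one(struct notif_queue *q, struct user_msg *m, int requeue) {
    if (q->count == 0)
        return 0;
    unsigned c = dequeue(q);
    int err = model_put_cmsg(m, &c, sizeof(c));
    int lost = err < 0 || (m->flags & MSG_CTRUNC_FLAG);
    if (lost && requeue)
        requeue_head(q, c);
    return err < 0 ? err : !lost;
}
```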