On 09/14/2010 05:17 AM, David Miller wrote:

From: Shirley Ma<redacted>
Date: Mon, 13 Sep 2010 13:48:03 -0700

quoted

+		base = (unsigned long)from->iov_base + offset1;
+		size = ((base&  ~PAGE_MASK) + len + ~PAGE_MASK)>>  PAGE_SHIFT;
+		num_pages = get_user_pages_fast(base, size, 0,&page[i]);
+		if ((num_pages != size) ||
+		    (num_pages>  MAX_SKB_FRAGS - skb_shinfo(skb)->nr_frags))
+			/* put_page is in skb free */
+			return -EFAULT;

What keeps the user from writing to these pages in it's address space
after the write call returns?

A write() return of success means:

	"I wrote what you gave to me"

not

	"I wrote what you gave to me, oh and BTW don't touch these
          pages for a while."

In fact "a while" isn't even defined in any way, as there is no way
for the write() invoker to know when the networking card is done with
those pages.

That's what io_submit() is for.  Then io_getevents() tells you what "a 
while" actually was.

-- 
error compiling committee.c: too many arguments to function