Re: [PATCH net-next v10 08/16] tls: Inline do_tcp_sendpages()
From: David Howells
Date: Thu Aug 10 2023 - 09:08:43 EST
Tariq Toukan <ttoukan.linux@xxxxxxxxx> wrote:
> We are collecting more info on how the repro is affected by the different
> parameters.
I'm wondering if userspace is feeding the unspliceable page in somehow. Could
you try running with the attached changes? It might help catch the point at
which the offending page is first spliced into the pipe and any backtrace
might help localise the driver that's producing it.
Thanks,
David
---
diff --git a/fs/splice.c b/fs/splice.c
index 3e2a31e1ce6a..877df1de3863 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -218,6 +218,8 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
while (!pipe_full(head, tail, pipe->max_usage)) {
struct pipe_buffer *buf = &pipe->bufs[head & mask];
+ WARN_ON_ONCE(!sendpage_ok(spd->pages[page_nr]));
+
buf->page = spd->pages[page_nr];
buf->offset = spd->partial[page_nr].offset;
buf->len = spd->partial[page_nr].len;
@@ -252,6 +254,8 @@ ssize_t add_to_pipe(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
unsigned int mask = pipe->ring_size - 1;
int ret;
+ WARN_ON_ONCE(!sendpage_ok(buf->page));
+
if (unlikely(!pipe->readers)) {
send_sig(SIGPIPE, current, 0);
ret = -EPIPE;
@@ -861,6 +865,8 @@ ssize_t splice_to_socket(struct pipe_inode_info *pipe, struct file *out,
break;
}
+ WARN_ON_ONCE(!sendpage_ok(buf->page));
+
bvec_set_page(&bvec[bc++], buf->page, seg, buf->offset);
remain -= seg;
if (remain == 0 || bc >= ARRAY_SIZE(bvec))
@@ -1411,6 +1417,8 @@ static int iter_to_pipe(struct iov_iter *from,
for (i = 0; i < n; i++) {
int size = min_t(int, left, PAGE_SIZE - start);
+ WARN_ON_ONCE(!sendpage_ok(pages[i]));
+
buf.page = pages[i];
buf.offset = start;
buf.len = size;