Re: [RFC PATCH] fs/splice: allow for a way to block splice() with read-only files

Next message: kenner azevedi: "Re: [PATCH] Fix kernel-doc for amdgpu_display_manager"
Previous message: kernel test robot: "Re: [PATCH] staging: sm750fb: add const to g_fbmode array"
In reply to: Jann Horn: "Re: [RFC PATCH] fs/splice: allow for a way to block splice() with read-only files"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Askar Safin

Date: Sat May 23 2026 - 16:42:03 EST

Christian Brauner <brauner@xxxxxxxxxx>:
> Let's discuss the other aggressive alternative: Can we try and
> unconditionally degrade to copy. This would affect sendfile(), splice(),
> and vmsplice(). Worst-case we would have to introduce the sysctl
> retroactively.
>
> Thoughts?

I think as a first step we should make vmsplice unconditionally equivalent
to readv/writev.

vmsplice already was problematic from security point of view long time
ago. I mean CVE-2020-29374 (see https://lwn.net/Articles/849638/ ).

David Howells also doesn't like vmsplice:
https://lore.kernel.org/all/1763225.1769180226@xxxxxxxxxxxxxxxxxxxxxx/

Linus said in 2023:
> So I'd personally be perfectly ok with just making vmsplice() be
> exactly the same as write, and turn all of vmsplice() into just "it's
> a read() if the pipe is open for read, and a write if it's open for
> writing".
https://lore.kernel.org/all/CAHk-=wgG_2cmHgZwKjydi7=iimyHyN8aessnbM9XQ9ufbaUz9g@xxxxxxxxxxxxxx/

Even experts get vmsplice wrong, as can be seen in this thread:
https://lore.kernel.org/all/CAAUqJDvFuvms55Td1c=XKv6epfRnnP78438nZQ-JKyuCptGBiQ@xxxxxxxxxxxxxx/T/#u
As you can see in that thread, it is very hard to understand what vmsplice
man page supposed to mean. And you can also see that vmsplice is very
fragile.

--
Askar Safin