I think the attached is probably an equivalent cleaned up reproducer. Note
that if the length given to sendfile() is less than 65536, it fails with
EINVAL before it gets into __ip6_append_data().
David
---
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/sendfile.h>
#include <sys/uio.h>
#include <netinet/ip6.h>
#include <netinet/in.h>
#define IPPROTO_L2TP 115
#define OSERROR(R, S) \
do { if ((long)(R) == -1L) { perror((S)); exit(1); } } while(0)
static char buffer[16776960];
int main()
{
struct sockaddr_in6 sin6;
int ffd, dfd, sfd;
ffd = openat(AT_FDCWD, "cgroup.controllers",
O_RDWR | O_CREAT | O_TRUNC, 0);
OSERROR(ffd, "cgroup.controllers/f");
OSERROR(write(ffd, buffer, sizeof(buffer)), "write");
dfd = openat(AT_FDCWD, "cgroup.controllers",
O_RDONLY | O_NONBLOCK | O_DIRECT);
OSERROR(dfd, "cgroup.controllers/d");
sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP);
OSERROR(dfd, "socket");
memset(&sin6, 0, sizeof(sin6));
sin6.sin6_family = AF_INET6;
sin6.sin6_port = htons(0);
sin6.sin6_addr.s6_addr32[0] = htonl(0);
sin6.sin6_addr.s6_addr32[1] = htonl(0);
sin6.sin6_addr.s6_addr32[2] = htonl(0);
sin6.sin6_addr.s6_addr32[3] = htonl(1);
OSERROR(bind(sfd, (struct sockaddr *)&sin6, 32),
"bind");
memset(&sin6, 0, sizeof(sin6));
sin6.sin6_family = AF_INET6;
sin6.sin6_port = htons(7);
sin6.sin6_addr.s6_addr32[0] = htonl(0);
sin6.sin6_addr.s6_addr32[1] = htonl(0);
sin6.sin6_addr.s6_addr32[2] = htonl(0);
sin6.sin6_addr.s6_addr32[3] = htonl(1);
OSERROR(connect(sfd, (struct sockaddr *)&sin6, 32),
"connect");
OSERROR(sendfile(sfd, dfd, NULL, 65536), "sendfile");
return 0;
}
