David Howells wrote:
> Willem de Bruijn <willemdebruijn.kernel@xxxxxxxxx> wrote:
>
> > __ip6_append_data probably needs the same.
>
> Now that's interesting.  __ip6_append_data() has a check for this and returns
> -EINVAL in this case:
>
> 	copy = datalen - transhdrlen - fraggap - pagedlen;
> 	if (copy < 0) {
> 		err = -EINVAL;
> 		goto error;
> 	}
>
> but should I bypass that check for MSG_SPLICE_PAGES?  It hits the check when
> it should be able to get past it.  The code seems to go back to prehistoric
> times, so I'm not sure why it's there.

Argh, saved by inconsistency between the two stacks.

I don't immediately understand the race that caused this code to move,
in commit 232cd35d0804 ("ipv6: fix out of bound writes in
__ip6_append_data()"). Maybe a race with a mtu update?

Technically there is no Fixes tag to apply, so this would not be a fix
for net.

If we want equivalent behavior, a patch removing this branch is probably
best sent to net-next, in a way that works from the start.