Tariq Toukan <ttoukan.linux@xxxxxxxxx> wrote: > We are collecting more info on how the repro is affected by the different > parameters. I'm wondering if userspace is feeding the unspliceable page in somehow. Could you try running with the attached changes? It might help catch the point at which the offending page is first spliced into the pipe and any backtrace might help localise the driver that's producing it. Thanks, David --- diff --git a/fs/splice.c b/fs/splice.c index 3e2a31e1ce6a..877df1de3863 100644 --- a/fs/splice.c +++ b/fs/splice.c @@ -218,6 +218,8 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe, while (!pipe_full(head, tail, pipe->max_usage)) { struct pipe_buffer *buf = &pipe->bufs[head & mask]; + WARN_ON_ONCE(!sendpage_ok(spd->pages[page_nr])); + buf->page = spd->pages[page_nr]; buf->offset = spd->partial[page_nr].offset; buf->len = spd->partial[page_nr].len; @@ -252,6 +254,8 @@ ssize_t add_to_pipe(struct pipe_inode_info *pipe, struct pipe_buffer *buf) unsigned int mask = pipe->ring_size - 1; int ret; + WARN_ON_ONCE(!sendpage_ok(buf->page)); + if (unlikely(!pipe->readers)) { send_sig(SIGPIPE, current, 0); ret = -EPIPE; @@ -861,6 +865,8 @@ ssize_t splice_to_socket(struct pipe_inode_info *pipe, struct file *out, break; } + WARN_ON_ONCE(!sendpage_ok(buf->page)); + bvec_set_page(&bvec[bc++], buf->page, seg, buf->offset); remain -= seg; if (remain == 0 || bc >= ARRAY_SIZE(bvec)) @@ -1411,6 +1417,8 @@ static int iter_to_pipe(struct iov_iter *from, for (i = 0; i < n; i++) { int size = min_t(int, left, PAGE_SIZE - start); + WARN_ON_ONCE(!sendpage_ok(pages[i])); + buf.page = pages[i]; buf.offset = start; buf.len = size;