> > - pipe_buf_release(pipe, buf); > > + if (buf->ops) > > + pipe_buf_release(pipe, buf);
>
> Umm, already released pipe buf? How would it get here?

If you're talking about the pipe_buf_release before the if statement, that line is a - not a +, so I basically just added the if statement before release to check that buf->ops does not get dereferenced in pipe_buf_release while null. It's the same two lines as when pipe is released in splice_direct_to_actor.

> We have filled the
> buffers shortly before so IMHO it indicates some deeper problem. Can you
> please explain a bit more?

I just worked off of this crash log:
https://syzkaller.appspot.com/text?tag=CrashReport&x=16adfaa7980000

If the buffer is filled before, does that mean the issue would be in do_send_file or do_splice_direct?
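
Review bot: the `if (buf->ops)` check in the quoted hunk needs a comment or changelog text naming the path that can reach this release with `buf->ops` already NULL; as posted, the guard only skips `pipe_buf_release(pipe, buf)` and leaves the cause unexplained. If a NULL `ops` is a legitimate state here, say so above the check and point to the matching check in splice_direct_to_actor that the reply mentions. If the buffers are always filled just before this point, as the review says, the check would hide whatever produced the crash in the syzkaller report, so the place where `ops` is cleared should be found and fixed instead.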