Date:	Fri, 18 Jul 2008 21:16:43 +0300
From:	Octavian Purdila <>
To:	Evgeniy Polyakov <>
Subject: Re: [PATCH] tcp: do not promote SPLICE_F_NONBLOCK to socket O_NONBLOCK

On Friday 18 July 2008, Evgeniy Polyakov wrote:
> Hi.
> On Fri, Jul 18, 2008 at 08:04:44PM +0300, Octavian Purdila wrote:
> > Suppose we have 20 packets in the socket queue and the pipe is empty and
> > the application calls splice(sock, pipe, 17, flags=0).
> >
> > Then, tcp_splice_read will be called, which in turn calls tcp_read_sock.
> >
> > tcp_read_sock will loop until all the 17 bytes will be read from the
> > socket. tcp_read_sock calls skb_splice_bits which calls splice_to_pipe.
> How come?
> spd_fill_page() should fail when it will be called for the 17'th skb and
> all reading from the socket will return, and thus can be sent to the
> file.

spd_fill_page works with the splice_pipe_descriptor declared in 
skb_splice_bits, thus spd_fill_page does not have visibility across multiple 
skb_splice_bits calls.

> > Now while skb_splice_bits is careful to only put a maximum of
> > PIPE_BUFFERS during its iteration, due to the looping in tcp_read_sock,
> > we will end up with 17 calls to splice_to_pipe. Thus on the 17th call,
> > splice_to_pipe will block.
> Where exactly?
> Why
> tcp_splice_data_recv()->skb_splice_bits()->__skb_splice_bits()->spd_fill_page()
> callchain does not return error and that pipe is full?

Ok, let me try to move through the function calls:

 ... -> skb_splice_bits -> spd_fill_page; 
  on return (spd->nr_page is 1 and pipe->nrbufs is 1)
 ... -> skb_splice_bits -> spd_fill_page; 
  on return (spd->nr_page is 1 and pipe->nrbufs is 2)
 ... -> skb_splice_bits -> spd_fill_page; 
  on return (spd->nr_page is 1 and pipe->nrbufs is 3)

and so on until pipe->nrbufs is 16. At that point, we will block in pipe_wait, 
inside splice_to_pipe.
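
A user-space model of the call sequence traced above, added here as an illustration; it is not part of the original message and is not kernel code. The `*_model` names and `first_blocking_call` are hypothetical, and the model assumes each skb contributes exactly one page and that nothing drains the pipe.

```c
#include <stdio.h>

#define PIPE_BUFFERS 16   /* pipe capacity named in the thread */

struct pipe_model { int nrbufs; };    /* state that persists across calls */
struct spd_model  { int nr_pages; };  /* descriptor rebuilt on every call */

/* Models spd_fill_page: it can only see the per-call descriptor. */
static int spd_fill_page_model(struct spd_model *spd)
{
    if (spd->nr_pages == PIPE_BUFFERS)
        return 1;                     /* descriptor full, caller stops */
    spd->nr_pages++;
    return 0;
}

/* Models splice_to_pipe: returns -1 where a blocking caller would sleep. */
static int splice_to_pipe_model(struct pipe_model *pipe,
                                const struct spd_model *spd)
{
    if (pipe->nrbufs + spd->nr_pages > PIPE_BUFFERS)
        return -1;                    /* the pipe_wait case */
    pipe->nrbufs += spd->nr_pages;
    return spd->nr_pages;
}

/* Models the tcp_read_sock loop: one skb_splice_bits call per skb.
 * Returns the 1-based call that would block, or 0 if none does, and
 * reports the largest nr_pages any single descriptor ever reached. */
int first_blocking_call(int nr_skbs, int *max_spd_pages)
{
    struct pipe_model pipe = { 0 };
    *max_spd_pages = 0;
    for (int call = 1; call <= nr_skbs; call++) {
        struct spd_model spd = { 0 }; /* fresh: no memory of earlier calls */
        spd_fill_page_model(&spd);    /* always succeeds on an empty spd */
        if (spd.nr_pages > *max_spd_pages)
            *max_spd_pages = spd.nr_pages;
        if (splice_to_pipe_model(&pipe, &spd) < 0)
            return call;
    }
    return 0;
}

int main(void)
{
    int max_pages;
    int call = first_blocking_call(17, &max_pages);
    printf("blocks on call %d, max spd nr_pages %d\n", call, max_pages);
    return 0;
}
```
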

