After reviewing the TCP splice receive code, I found that instead of increasing the page reference counter, the pipe buffer holds the socket buffer by calling skb_get(skb). When you splice this pipe buffer to another socket, such as a TCP socket, though the function sendpage returns, the page buffer will still be in use; then you drop the reference to the skb, so the buffer is free to another process. At this time, the buffer is shared between the socket and another part of the Linux kernel silently. It is possible that the data sent out is corrupted.
The reason is that the splice send process knows nothing but the page, so before submitting the buffer to sendpage, we must ensure that the page is an actual page, not a fake one. A solution is adding a member function get_page, which is used to get an actual page, to structure pipe_buffer_operations. If the page in structure pipe_buffer isn't an actual page, a page will be allocated, filled with the corresponding data and returned. Before calling sendpage, get_page should be called to get the actual page, and after calling sendpage, the page will be freed by calling put_page. Besides the splice send process, other code paths may have the same problem.

--
Regards,
Changli Gao([EMAIL PROTECTED])
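A user-space C model of the lifetime problem and of the get_page idea described in the message above, added here as an illustration; it is not code from the original post or from the kernel. The simplified structs, `buf_get_page`, `splice_send_model` and the overwrite that stands in for buffer reuse are assumptions of the model.

```c
#include <stdlib.h>
#include <string.h>
#define PAGE_SZ 32

/* User-space model only; these types are simplified stand-ins, not kernel structs. */
struct page { int refs; char data[PAGE_SZ]; };
struct skb { int users; struct page area; };   /* data lifetime follows users */
struct pipe_buf { struct page *page; struct skb *skb; /* skb == NULL: real page */ };

static struct page *txq;   /* page still queued after sendpage() has returned */
static void put_page(struct page *p) { if (--p->refs == 0) free(p); }
/* sendpage model: takes a page reference and queues the page; knows nothing of skbs */
static void sendpage(struct page *p) { p->refs++; txq = p; }
/* last skb user gone: the data area is reused (modelled by overwriting it) */
static void kfree_skb(struct skb *s) { if (--s->users == 0) memset(s->area.data, 'X', PAGE_SZ - 1); }

/* Hypothetical get_page op: copy skb-backed data into a page of its own */
static struct page *buf_get_page(struct pipe_buf *b)
{
    struct page *p;
    if (!b->skb) { b->page->refs++; return b->page; }
    if (!(p = calloc(1, sizeof(*p)))) return NULL;
    p->refs = 1;
    memcpy(p->data, b->page->data, PAGE_SZ);
    return p;
}

/* Returns 1 if the queued data is intact at transmit time, 0 if corrupted, -1 on OOM */
int splice_send_model(int use_get_page)
{
    struct skb s = { .users = 1 };
    struct pipe_buf b = { &s.area, &s };
    struct page *p;
    int ok;
    strcpy(s.area.data, "payload");
    s.area.refs = 1;                 /* this count does not protect the skb data */
    if (!(p = use_get_page ? buf_get_page(&b) : b.page)) return -1;
    sendpage(p);                     /* returns while the page is still queued */
    if (use_get_page) put_page(p);   /* drop our reference; the queue keeps its own */
    kfree_skb(&s);                   /* pipe buffer released, skb data reused */
    ok = strcmp(txq->data, "payload") == 0;   /* deferred transmit reads the page */
    if (use_get_page) put_page(txq); /* queue's reference: frees the copy */
    txq = NULL;
    return ok;
}

int main(void) { return !(splice_send_model(0) == 0 && splice_send_model(1) == 1); }
```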