[PATCH 0/3] vmsplice: make vmsplice a trivial wrapper for preadv2/pwritev2
From: Askar Safin <hidden>
Date: 2026-05-31 01:01:50
Also in:
linux-api, linux-fsdevel, linux-mm, linux-patches, lkml
This patchset is for VFS.

Recently we got a lot of vulnerabilities in splice/vmsplice. Also vmsplice was already a source of vulnerabilities in the past: CVE-2020-29374 (see https://lwn.net/Articles/849638/ ).

Also vmsplice is problematic for other reasons. Here is what other developers say:

Linus Torvalds in 2023:
> So I'd personally be perfectly ok with just making vmsplice() be exactly the same as write, and turn all of vmsplice() into just "it's a read() if the pipe is open for read, and a write if it's open for writing".
https://lore.kernel.org/all/CAHk-=wgG_2cmHgZwKjydi7=iimyHyN8aessnbM9XQ9ufbaUz9g@mail.gmail.com/

Christoph Hellwig in May 2026:
> vmsplice is the worst, as it is one of the few remaining places that can incorrectly dirty file backed pages without telling the file system and cause the other problems fixed by a FOLL_PIN conversion, but it is the only one where we do not have any idea yet how we could convert it to FOLL_PIN due to the unbounded pin time.
https://lore.kernel.org/all/agwFlBKvKytjURDO@infradead.org/

See recent discussion here: https://lore.kernel.org/all/20260516182126.530498-1-pfalcato@suse.de/T/#u

For all these reasons I propose to make vmsplice a simple wrapper for preadv2/pwritev2.

vmsplice(fd, vec, vlen, vmsplice_flags) will be equivalent to preadv2(fd, vec, vlen, -1, rw_flags) if you have a readable pipe and to pwritev2(fd, vec, vlen, -1, rw_flags) if you have a writable pipe.

SPLICE_F_NONBLOCK is translated to RWF_NOWAIT, all other SPLICE_F_* flags are ignored.

There is a small change to handling of NONBLOCK-related flags, see commit messages for details.

I tested this patch in QEMU.

This patchset was written by me, not by LLMs.

Askar Safin (3):
  tee: fs/splice.c: remove unused parameter "flags" from "link_pipe"
  vmsplice: make vmsplice a trivial wrapper for preadv2/pwritev2
  splice: remove PIPE_BUF_FLAG_GIFT

 fs/fuse/dev.c             |   1 -
 fs/read_write.c           |  23 +++++
 fs/splice.c               | 202 +-------------------------------------
 include/linux/pipe_fs_i.h |   1 -
 include/linux/skbuff.h    |   4 +-
 include/linux/splice.h    |   2 +-
 include/linux/syscalls.h  |   4 +-
 7 files changed, 33 insertions(+), 204 deletions(-)

base-commit: e7ae89a0c97ce2b68b0983cd01eda67cf373517d (7.1-rc5)
-- 
2.47.3
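Added example, not part of the patchset or of the message above: a userspace C model of the mapping the cover letter describes, useful for checking how a caller of vmsplice() would behave once the call only copies data. The name vmsplice_model is hypothetical; rejecting non-pipe descriptors with EBADF follows today's vmsplice(2), rejecting O_RDWR FIFOs is an assumption, and the NONBLOCK handling change mentioned in the commit messages is not modelled.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <unistd.h>

/* Fallbacks so the block still builds if libc headers were pulled in
 * before _GNU_SOURCE was defined; values are the Linux UAPI ones. */
#ifndef SPLICE_F_NONBLOCK
#define SPLICE_F_NONBLOCK 0x02
#endif
#ifndef RWF_NOWAIT
#define RWF_NOWAIT 0x00000008
#endif
ssize_t preadv2(int, const struct iovec *, int, off_t, int);
ssize_t pwritev2(int, const struct iovec *, int, off_t, int);

/* vmsplice_model() is a hypothetical name: a userspace model of the
 * semantics proposed in the cover letter, not the kernel patch. */
ssize_t vmsplice_model(int fd, const struct iovec *vec, int vlen,
                       unsigned int splice_flags)
{
    struct stat st;
    int fl, rw_flags;
    /* Assumption: as with today's vmsplice(), only pipes are accepted. */
    if (fstat(fd, &st) < 0 || (fl = fcntl(fd, F_GETFL)) < 0)
        return -1;
    if (!S_ISFIFO(st.st_mode)) { errno = EBADF; return -1; }
    /* Only SPLICE_F_NONBLOCK survives; other SPLICE_F_* bits are ignored. */
    rw_flags = (splice_flags & SPLICE_F_NONBLOCK) ? RWF_NOWAIT : 0;
    switch (fl & O_ACCMODE) {
    case O_RDONLY: return preadv2(fd, vec, vlen, -1, rw_flags);  /* copy in */
    case O_WRONLY: return pwritev2(fd, vec, vlen, -1, rw_flags); /* copy out */
    default:       /* O_RDWR FIFO: the cover letter does not say */
        errno = EBADF; return -1;
    }
}

int main(void)
{
    int p[2]; char msg[] = "ping", buf[8] = {0}; /* constructed sample data */
    struct iovec w = { msg, 4 }, r = { buf, sizeof buf };
    if (pipe(p) < 0) return 1;
    printf("wrote %zd, ", vmsplice_model(p[1], &w, 1, 0));
    printf("read %zd: %s\n", vmsplice_model(p[0], &r, 1, 0), buf);
    return 0;
}
```

Because the write side is a plain copy in this model, changing the user buffer after the call cannot alter what the reader later sees, which is the property that removes the page-pinning problems quoted above.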