Re: [RFC PATCH] fs/splice: allow for a way to block splice() with read-only files

Next message: Vjaceslavs Klimovs: "Re: [REGRESSION] block: virtio-blk + LVM raid1 spurious sector-0 read failures on libaio/threads submit since 5ff3f74e145a (&quot;block: simplify direct io validity check&quot;)"
Previous message: Hillf Danton: "Re: Academic acceptance of custom LFS &amp; kernel builds for student developers"
In reply to: Pedro Falcato: "Re: [RFC PATCH] fs/splice: allow for a way to block splice() with read-only files"
Next in thread: Mateusz Guzik: "Re: [RFC PATCH] fs/splice: allow for a way to block splice() with read-only files"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Matthew Wilcox

Date: Sun May 17 2026 - 18:30:46 EST

On Sun, May 17, 2026 at 10:01:30AM +0100, Pedro Falcato wrote:
> On Sun, May 17, 2026 at 02:17:18AM +0100, Matthew Wilcox wrote:
> > If we have a buggy user which
> > can write to read-only file pages, then it should also be prevented from
> > writing to KSM pages.
>
> Hmm, I see. Are you suggesting we unshare KSM pages here? Or just straight
> up reject them?
>
> Rejecting would be relatively sane if only we had access to the VMA here
> (in normal GUP), testing on folio_test_ksm() is less robust :/

I think we have to unshare? As I understand KSM, it's done to a task,
so it wouldn't be aware that it's done something potentially dangerous
(unlike mapping a read-only file then splicing from it). Also, it'll be
non-deterministic whether any given splice might fail.

Bleh. Maybe just declare KSM to be vulnerable.