On Mon, May 18, 2026 at 08:59:13PM +0200, Jann Horn wrote:
> I feel like a sysctl for "disable all the splice-like interfaces and
> zerocopy TX" would be reasonable to have? Either by blocking such
> operations, or better, silently downgrading all such operations to
> normal copies.

Yes.

> FWIW, vmsplice() and splice() are also weird in how much memory they
> can implicitly pin - if you call vmsplice() on a single byte in a 2M
> THP page, I believe you'll implicitly pin 2M of memory...

vmsplice is the worst, as it is one of the few remaining places that can incorrectly dirty file-backed pages without telling the file system and cause the other problems fixed by a FOLL_PIN conversion, but it is the only one where we do not have any idea yet how we could convert it to FOLL_PIN due to the unbounded pin time.

Note that we sometimes use splice underneath other operations that do not have these issues. The most important one is sendfile, which has very clearly defined semantics that avoid all these pinning problems, but there also are similar in-kernel users as in nfsd.

