diff options
author | Darrick J. Wong <darrick.wong@oracle.com> | 2018-11-30 10:37:49 -0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-12-13 08:52:55 +0100 |
commit | 019b63253f8651ed305683368d3ddfe56082dcac (patch) | |
tree | 6be6653750c38f05552c00527efa6c01b2edb163 /fs/splice.c | |
parent | 484c4d9a9cce1fc457ed45b597672c822857b037 (diff) | |
download | linux-stable-019b63253f8651ed305683368d3ddfe56082dcac.tar.gz linux-stable-019b63253f8651ed305683368d3ddfe56082dcac.tar.bz2 linux-stable-019b63253f8651ed305683368d3ddfe56082dcac.zip |
splice: don't read more than available pipe space
[ Upstream commit 17614445576b6af24e9cf36607c6448164719c96 ]
In commit 4721a601099, we tried to fix a problem wherein directio reads
into a splice pipe will bounce EFAULT/EAGAIN all the way out to
userspace by simulating a zero-byte short read. This happens because
some directio read implementations (xfs) will call
bio_iov_iter_get_pages to grab pipe buffer pages and issue asynchronous
reads, but as soon as we run out of pipe buffers that _get_pages call
returns EFAULT, which the splice code translates to EAGAIN and bounces
out to userspace.
In that commit, the iomap code catches the EFAULT and simulates a
zero-byte read, but that causes assertion errors on regular splice reads
because xfs doesn't allow short directio reads.
The brokenness is compounded by splice_direct_to_actor immediately
bailing on do_splice_to returning <= 0 without ever calling ->actor
(which empties out the pipe), so if userspace calls back we'll EFAULT
again on the full pipe, and nothing ever gets copied.
Therefore, teach splice_direct_to_actor to clamp its requests to the
amount of free space in the pipe and remove the simulated short read
from the iomap directio code.
Fixes: 4721a601099 ("iomap: dio data corruption and spurious errors when pipes fill")
Reported-by: Murphy Zhou <jencce.kernel@gmail.com>
Ranted-by: Amir Goldstein <amir73il@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'fs/splice.c')
-rw-r--r-- | fs/splice.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/fs/splice.c b/fs/splice.c index 485e409ef841..8af8c318afd6 100644 --- a/fs/splice.c +++ b/fs/splice.c @@ -946,11 +946,16 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, sd->flags &= ~SPLICE_F_NONBLOCK; more = sd->flags & SPLICE_F_MORE; + WARN_ON_ONCE(pipe->nrbufs != 0); + while (len) { size_t read_len; loff_t pos = sd->pos, prev_pos = pos; - ret = do_splice_to(in, &pos, pipe, len, flags); + /* Don't try to read more the pipe has space for. */ + read_len = min_t(size_t, len, + (pipe->buffers - pipe->nrbufs) << PAGE_SHIFT); + ret = do_splice_to(in, &pos, pipe, read_len, flags); if (unlikely(ret <= 0)) goto out_release; |