diff options
| author | Darrick J. Wong <darrick.wong@oracle.com> | 2019-10-15 08:44:32 -0700 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-12-17 20:35:43 +0100 |
| commit | 326ba910fa716dfcc721d7fd30889e4b1f85b1e0 (patch) | |
| tree | d160a52ae927f153e4d3a87754f302bf3cb84e47 /fs | |
| parent | 42a929edf5674aa5c9e2883dafca7eff2013729e (diff) | |
| download | linux-stable-326ba910fa716dfcc721d7fd30889e4b1f85b1e0.tar.gz linux-stable-326ba910fa716dfcc721d7fd30889e4b1f85b1e0.tar.bz2 linux-stable-326ba910fa716dfcc721d7fd30889e4b1f85b1e0.zip | |
splice: only read in as much information as there is pipe buffer space
commit 3253d9d093376d62b4a56e609f15d2ec5085ac73 upstream.
Andreas Grünbacher reports that on the two filesystems that support
iomap directio, it's possible for splice() to return -EAGAIN (instead of
a short splice) if the pipe being written to has less space available in
its pipe buffers than the length supplied by the calling process.
Months ago we fixed splice_direct_to_actor to clamp the length of the
read request to the size of the splice pipe. Do the same to do_splice.
Fixes: 17614445576b6 ("splice: don't read more than available pipe space")
Reported-by: syzbot+3c01db6025f26530cf8d@syzkaller.appspotmail.com
Reported-by: Andreas Grünbacher <andreas.gruenbacher@gmail.com>
Reviewed-by: Andreas Grünbacher <andreas.gruenbacher@gmail.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/splice.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/fs/splice.c b/fs/splice.c index 8af8c318afd6..fd28c7da3c83 100644 --- a/fs/splice.c +++ b/fs/splice.c @@ -949,12 +949,13 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, WARN_ON_ONCE(pipe->nrbufs != 0); while (len) { + unsigned int pipe_pages; size_t read_len; loff_t pos = sd->pos, prev_pos = pos; /* Don't try to read more the pipe has space for. */ - read_len = min_t(size_t, len, - (pipe->buffers - pipe->nrbufs) << PAGE_SHIFT); + pipe_pages = pipe->buffers - pipe->nrbufs; + read_len = min(len, (size_t)pipe_pages << PAGE_SHIFT); ret = do_splice_to(in, &pos, pipe, read_len, flags); if (unlikely(ret <= 0)) goto out_release; @@ -1175,8 +1176,15 @@ static long do_splice(struct file *in, loff_t __user *off_in, pipe_lock(opipe); ret = wait_for_space(opipe, flags); - if (!ret) + if (!ret) { + unsigned int pipe_pages; + + /* Don't try to read more the pipe has space for. */ + pipe_pages = opipe->buffers - opipe->nrbufs; + len = min(len, (size_t)pipe_pages << PAGE_SHIFT); + ret = do_splice_to(in, &offset, opipe, len, flags); + } pipe_unlock(opipe); if (ret > 0) wakeup_pipe_readers(opipe); |