splice: don't read more than available pipe space

commit 17614445576b6af24e9cf36607c6448164719c96 upstream. In commit 4721a601099, we tried to fix a problem wherein directio reads into a splice pipe will bounce EFAULT/EAGAIN all the way out to userspace by simulating a zero-byte short read. This happens because some directio read implementations (xfs) will call bio_iov_iter_get_pages to grab pipe buffer pages and issue asynchronous reads, but as soon as we run out of pipe buffers that _get_pages call returns EFAULT, which the splice code translates to EAGAIN and bounces out to userspace. In that commit, the iomap code catches the EFAULT and simulates a zero-byte read, but that causes assertion errors on regular splice reads because xfs doesn't allow short directio reads. The brokenness is compounded by splice_direct_to_actor immediately bailing on do_splice_to returning <= 0 without ever calling ->actor (which empties out the pipe), so if userspace calls back we'll EFAULT again on the full pipe, and nothing ever gets copied. Therefore, teach splice_direct_to_actor to clamp its requests to the amount of free space in the pipe and remove the simulated short read from the iomap directio code. Fixes: 4721a601099 ("iomap: dio data corruption and spurious errors when pipes fill") Reported-by: N Murphy Zhou <jencce.kernel@gmail.com> Ranted-by: N Amir Goldstein <amir73il@gmail.com> Reviewed-by: N Christoph Hellwig <hch@lst.de> Signed-off-by: N Darrick J. Wong <darrick.wong@oracle.com> Signed-off-by: N Jeffle Xu <jefflexu@linux.alibaba.com> Acked-by: N Caspar Zhang <caspar@linux.alibaba.com>

splice: don't read more than available pipe space
commit 17614445576b6af24e9cf36607c6448164719c96 upstream. In commit 4721a601099, we tried to fix a problem wherein directio reads into a splice pipe will bounce EFAULT/EAGAIN all the way out to userspace by simulating a zero-byte short read. This happens because some directio read implementations (xfs) will call bio_iov_iter_get_pages to grab pipe buffer pages and issue asynchronous reads, but as soon as we run out of pipe buffers that _get_pages call returns EFAULT, which the splice code translates to EAGAIN and bounces out to userspace. In that commit, the iomap code catches the EFAULT and simulates a zero-byte read, but that causes assertion errors on regular splice reads because xfs doesn't allow short directio reads. The brokenness is compounded by splice_direct_to_actor immediately bailing on do_splice_to returning <= 0 without ever calling ->actor (which empties out the pipe), so if userspace calls back we'll EFAULT again on the full pipe, and nothing ever gets copied. Therefore, teach splice_direct_to_actor to clamp its requests to the amount of free space in the pipe and remove the simulated short read from the iomap directio code. Fixes: 4721a601099 ("iomap: dio data corruption and spurious errors when pipes fill") Reported-by: N Murphy Zhou <jencce.kernel@gmail.com> Ranted-by: N Amir Goldstein <amir73il@gmail.com> Reviewed-by: N Christoph Hellwig <hch@lst.de> Signed-off-by: N Darrick J. Wong <darrick.wong@oracle.com> Signed-off-by: N Jeffle Xu <jefflexu@linux.alibaba.com> Acked-by: N Caspar Zhang <caspar@linux.alibaba.com>
67c14e68 · Darrick J. Wong · Caspar Zhang · e8dbd741 · 67c14e68
显示空白变更内容
内联并排

Showing with 6 addition and 1 deletion

fs/splice.c fs/splice.c +6 -1

未找到文件。
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -946,11 +946,16 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
 	sd->flags &= ~SPLICE_F_NONBLOCK;
 	more = sd->flags & SPLICE_F_MORE;

+	WARN_ON_ONCE(pipe->nrbufs != 0);
+
 	while (len) {
 		size_t read_len;
 		loff_t pos = sd->pos, prev_pos = pos;

-		ret = do_splice_to(in, &pos, pipe, len, flags);
+		/* Don't try to read more the pipe has space for. */
+		read_len = min_t(size_t, len,
+				 (pipe->buffers - pipe->nrbufs) << PAGE_SHIFT);
+		ret = do_splice_to(in, &pos, pipe, read_len, flags);
 		if (unlikely(ret <= 0))
 			goto out_release;