Commit 326ba910 authored by Darrick J. Wong's avatar Darrick J. Wong Committed by Greg Kroah-Hartman

splice: only read in as much information as there is pipe buffer space

commit 3253d9d0 upstream.

Andreas Grünbacher reports that on the two filesystems that support
iomap directio, it's possible for splice() to return -EAGAIN (instead of
a short splice) if the pipe being written to has less space available in
its pipe buffers than the length supplied by the calling process.

Months ago we fixed splice_direct_to_actor to clamp the length of the
read request to the size of the splice pipe.  Do the same to do_splice.

Fixes: 17614445 ("splice: don't read more than available pipe space")
Reported-by: syzbot+3c01db6025f26530cf8d@syzkaller.appspotmail.com
Reported-by: default avatarAndreas Grünbacher <andreas.gruenbacher@gmail.com>
Reviewed-by: default avatarAndreas Grünbacher <andreas.gruenbacher@gmail.com>
Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 42a929ed
......@@ -949,12 +949,13 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
WARN_ON_ONCE(pipe->nrbufs != 0);
while (len) {
unsigned int pipe_pages;
size_t read_len;
loff_t pos = sd->pos, prev_pos = pos;
/* Don't try to read more the pipe has space for. */
read_len = min_t(size_t, len,
(pipe->buffers - pipe->nrbufs) << PAGE_SHIFT);
pipe_pages = pipe->buffers - pipe->nrbufs;
read_len = min(len, (size_t)pipe_pages << PAGE_SHIFT);
ret = do_splice_to(in, &pos, pipe, read_len, flags);
if (unlikely(ret <= 0))
goto out_release;
......@@ -1175,8 +1176,15 @@ static long do_splice(struct file *in, loff_t __user *off_in,
pipe_lock(opipe);
ret = wait_for_space(opipe, flags);
if (!ret)
if (!ret) {
unsigned int pipe_pages;
/* Don't try to read more the pipe has space for. */
pipe_pages = opipe->buffers - opipe->nrbufs;
len = min(len, (size_t)pipe_pages << PAGE_SHIFT);
ret = do_splice_to(in, &offset, opipe, len, flags);
}
pipe_unlock(opipe);
if (ret > 0)
wakeup_pipe_readers(opipe);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment