diff options
| author | Eric Dumazet <edumazet@google.com> | 2012-06-12 09:24:40 -0400 |
|---|---|---|
| committer | Jens Axboe <axboe@kernel.dk> | 2012-06-13 15:16:42 -0400 |
| commit | 047fe3605235888f3ebcda0c728cb31937eadfe6 (patch) | |
| tree | 9c33ef4b076bd54f686afe924cee01e21c55f427 | |
| parent | 27e1f9d1cc87be4e53c6eb7158cafc21c4b85a14 (diff) | |
splice: fix racy pipe->buffers uses
Dave Jones reported a kernel BUG at mm/slub.c:3474! triggered
by splice_shrink_spd() called from vmsplice_to_pipe()
commit 35f3d14dbbc5 (pipe: add support for shrinking and growing pipes)
added capability to adjust pipe->buffers.
Problem is some paths don't hold pipe mutex and assume pipe->buffers
doesn't change for their duration.
Fix this by adding nr_pages_max field in struct splice_pipe_desc, and
use it in place of pipe->buffers where appropriate.
splice_shrink_spd() loses its struct pipe_inode_info argument.
Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Tom Herbert <therbert@google.com>
Cc: stable <stable@vger.kernel.org> # 2.6.35
Tested-by: Dave Jones <davej@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
| -rw-r--r-- | fs/splice.c | 35 | ||||
| -rw-r--r-- | include/linux/splice.h | 8 | ||||
| -rw-r--r-- | kernel/relay.c | 5 | ||||
| -rw-r--r-- | kernel/trace/trace.c | 6 | ||||
| -rw-r--r-- | mm/shmem.c | 3 | ||||
| -rw-r--r-- | net/core/skbuff.c | 1 |
6 files changed, 34 insertions, 24 deletions
diff --git a/fs/splice.c b/fs/splice.c index c9f1318a3b82..7bf08fa22ec9 100644 --- a/fs/splice.c +++ b/fs/splice.c | |||
| @@ -273,13 +273,16 @@ void spd_release_page(struct splice_pipe_desc *spd, unsigned int i) | |||
| 273 | * Check if we need to grow the arrays holding pages and partial page | 273 | * Check if we need to grow the arrays holding pages and partial page |
| 274 | * descriptions. | 274 | * descriptions. |
| 275 | */ | 275 | */ |
| 276 | int splice_grow_spd(struct pipe_inode_info *pipe, struct splice_pipe_desc *spd) | 276 | int splice_grow_spd(const struct pipe_inode_info *pipe, struct splice_pipe_desc *spd) |
| 277 | { | 277 | { |
| 278 | if (pipe->buffers <= PIPE_DEF_BUFFERS) | 278 | unsigned int buffers = ACCESS_ONCE(pipe->buffers); |
| 279 | |||
| 280 | spd->nr_pages_max = buffers; | ||
| 281 | if (buffers <= PIPE_DEF_BUFFERS) | ||
| 279 | return 0; | 282 | return 0; |
| 280 | 283 | ||
| 281 | spd->pages = kmalloc(pipe->buffers * sizeof(struct page *), GFP_KERNEL); | 284 | spd->pages = kmalloc(buffers * sizeof(struct page *), GFP_KERNEL); |
| 282 | spd->partial = kmalloc(pipe->buffers * sizeof(struct partial_page), GFP_KERNEL); | 285 | spd->partial = kmalloc(buffers * sizeof(struct partial_page), GFP_KERNEL); |
| 283 | 286 | ||
| 284 | if (spd->pages && spd->partial) | 287 | if (spd->pages && spd->partial) |
| 285 | return 0; | 288 | return 0; |
| @@ -289,10 +292,9 @@ int splice_grow_spd(struct pipe_inode_info *pipe, struct splice_pipe_desc *spd) | |||
| 289 | return -ENOMEM; | 292 | return -ENOMEM; |
| 290 | } | 293 | } |
| 291 | 294 | ||
| 292 | void splice_shrink_spd(struct pipe_inode_info *pipe, | 295 | void splice_shrink_spd(struct splice_pipe_desc *spd) |
| 293 | struct splice_pipe_desc *spd) | ||
| 294 | { | 296 | { |
| 295 | if (pipe->buffers <= PIPE_DEF_BUFFERS) | 297 | if (spd->nr_pages_max <= PIPE_DEF_BUFFERS) |
| 296 | return; | 298 | return; |
| 297 | 299 | ||
| 298 | kfree(spd->pages); | 300 | kfree(spd->pages); |
| @@ -315,6 +317,7 @@ __generic_file_splice_read(struct file *in, loff_t *ppos, | |||
| 315 | struct splice_pipe_desc spd = { | 317 | struct splice_pipe_desc spd = { |
| 316 | .pages = pages, | 318 | .pages = pages, |
| 317 | .partial = partial, | 319 | .partial = partial, |
| 320 | .nr_pages_max = PIPE_DEF_BUFFERS, | ||
| 318 | .flags = flags, | 321 | .flags = flags, |
| 319 | .ops = &page_cache_pipe_buf_ops, | 322 | .ops = &page_cache_pipe_buf_ops, |
| 320 | .spd_release = spd_release_page, | 323 | .spd_release = spd_release_page, |
| @@ -326,7 +329,7 @@ __generic_file_splice_read(struct file *in, loff_t *ppos, | |||
| 326 | index = *ppos >> PAGE_CACHE_SHIFT; | 329 | index = *ppos >> PAGE_CACHE_SHIFT; |
| 327 | loff = *ppos & ~PAGE_CACHE_MASK; | 330 | loff = *ppos & ~PAGE_CACHE_MASK; |
| 328 | req_pages = (len + loff + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; | 331 | req_pages = (len + loff + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; |
| 329 | nr_pages = min(req_pages, pipe->buffers); | 332 | nr_pages = min(req_pages, spd.nr_pages_max); |
| 330 | 333 | ||
| 331 | /* | 334 | /* |
| 332 | * Lookup the (hopefully) full range of pages we need. | 335 | * Lookup the (hopefully) full range of pages we need. |
| @@ -497,7 +500,7 @@ fill_it: | |||
| 497 | if (spd.nr_pages) | 500 | if (spd.nr_pages) |
| 498 | error = splice_to_pipe(pipe, &spd); | 501 | error = splice_to_pipe(pipe, &spd); |
| 499 | 502 | ||
| 500 | splice_shrink_spd(pipe, &spd); | 503 | splice_shrink_spd(&spd); |
| 501 | return error; | 504 | return error; |
| 502 | } | 505 | } |
| 503 | 506 | ||
| @@ -598,6 +601,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos, | |||
| 598 | struct splice_pipe_desc spd = { | 601 | struct splice_pipe_desc spd = { |
| 599 | .pages = pages, | 602 | .pages = pages, |
| 600 | .partial = partial, | 603 | .partial = partial, |
| 604 | .nr_pages_max = PIPE_DEF_BUFFERS, | ||
| 601 | .flags = flags, | 605 | .flags = flags, |
| 602 | .ops = &default_pipe_buf_ops, | 606 | .ops = &default_pipe_buf_ops, |
| 603 | .spd_release = spd_release_page, | 607 | .spd_release = spd_release_page, |
| @@ -608,8 +612,8 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos, | |||
| 608 | 612 | ||
| 609 | res = -ENOMEM; | 613 | res = -ENOMEM; |
| 610 | vec = __vec; | 614 | vec = __vec; |
| 611 | if (pipe->buffers > PIPE_DEF_BUFFERS) { | 615 | if (spd.nr_pages_max > PIPE_DEF_BUFFERS) { |
| 612 | vec = kmalloc(pipe->buffers * sizeof(struct iovec), GFP_KERNEL); | 616 | vec = kmalloc(spd.nr_pages_max * sizeof(struct iovec), GFP_KERNEL); |
| 613 | if (!vec) | 617 | if (!vec) |
| 614 | goto shrink_ret; | 618 | goto shrink_ret; |
| 615 | } | 619 | } |
| @@ -617,7 +621,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos, | |||
| 617 | offset = *ppos & ~PAGE_CACHE_MASK; | 621 | offset = *ppos & ~PAGE_CACHE_MASK; |
| 618 | nr_pages = (len + offset + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; | 622 | nr_pages = (len + offset + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; |
| 619 | 623 | ||
| 620 | for (i = 0; i < nr_pages && i < pipe->buffers && len; i++) { | 624 | for (i = 0; i < nr_pages && i < spd.nr_pages_max && len; i++) { |
| 621 | struct page *page; | 625 | struct page *page; |
| 622 | 626 | ||
| 623 | page = alloc_page(GFP_USER); | 627 | page = alloc_page(GFP_USER); |
| @@ -665,7 +669,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos, | |||
| 665 | shrink_ret: | 669 | shrink_ret: |
| 666 | if (vec != __vec) | 670 | if (vec != __vec) |
| 667 | kfree(vec); | 671 | kfree(vec); |
| 668 | splice_shrink_spd(pipe, &spd); | 672 | splice_shrink_spd(&spd); |
| 669 | return res; | 673 | return res; |
| 670 | 674 | ||
| 671 | err: | 675 | err: |
| @@ -1614,6 +1618,7 @@ static long vmsplice_to_pipe(struct file *file, const struct iovec __user *iov, | |||
| 1614 | struct splice_pipe_desc spd = { | 1618 | struct splice_pipe_desc spd = { |
| 1615 | .pages = pages, | 1619 | .pages = pages, |
| 1616 | .partial = partial, | 1620 | .partial = partial, |
| 1621 | .nr_pages_max = PIPE_DEF_BUFFERS, | ||
| 1617 | .flags = flags, | 1622 | .flags = flags, |
| 1618 | .ops = &user_page_pipe_buf_ops, | 1623 | .ops = &user_page_pipe_buf_ops, |
| 1619 | .spd_release = spd_release_page, | 1624 | .spd_release = spd_release_page, |
| @@ -1629,13 +1634,13 @@ static long vmsplice_to_pipe(struct file *file, const struct iovec __user *iov, | |||
| 1629 | 1634 | ||
| 1630 | spd.nr_pages = get_iovec_page_array(iov, nr_segs, spd.pages, | 1635 | spd.nr_pages = get_iovec_page_array(iov, nr_segs, spd.pages, |
| 1631 | spd.partial, false, | 1636 | spd.partial, false, |
| 1632 | pipe->buffers); | 1637 | spd.nr_pages_max); |
| 1633 | if (spd.nr_pages <= 0) | 1638 | if (spd.nr_pages <= 0) |
| 1634 | ret = spd.nr_pages; | 1639 | ret = spd.nr_pages; |
| 1635 | else | 1640 | else |
| 1636 | ret = splice_to_pipe(pipe, &spd); | 1641 | ret = splice_to_pipe(pipe, &spd); |
| 1637 | 1642 | ||
| 1638 | splice_shrink_spd(pipe, &spd); | 1643 | splice_shrink_spd(&spd); |
| 1639 | return ret; | 1644 | return ret; |
| 1640 | } | 1645 | } |
| 1641 | 1646 | ||
diff --git a/include/linux/splice.h b/include/linux/splice.h index 26e5b613deda..09a545a7dfa3 100644 --- a/include/linux/splice.h +++ b/include/linux/splice.h | |||
| @@ -51,7 +51,8 @@ struct partial_page { | |||
| 51 | struct splice_pipe_desc { | 51 | struct splice_pipe_desc { |
| 52 | struct page **pages; /* page map */ | 52 | struct page **pages; /* page map */ |
| 53 | struct partial_page *partial; /* pages[] may not be contig */ | 53 | struct partial_page *partial; /* pages[] may not be contig */ |
| 54 | int nr_pages; /* number of pages in map */ | 54 | int nr_pages; /* number of populated pages in map */ |
| 55 | unsigned int nr_pages_max; /* pages[] & partial[] arrays size */ | ||
| 55 | unsigned int flags; /* splice flags */ | 56 | unsigned int flags; /* splice flags */ |
| 56 | const struct pipe_buf_operations *ops;/* ops associated with output pipe */ | 57 | const struct pipe_buf_operations *ops;/* ops associated with output pipe */ |
| 57 | void (*spd_release)(struct splice_pipe_desc *, unsigned int); | 58 | void (*spd_release)(struct splice_pipe_desc *, unsigned int); |
| @@ -85,9 +86,8 @@ extern ssize_t splice_direct_to_actor(struct file *, struct splice_desc *, | |||
| 85 | /* | 86 | /* |
| 86 | * for dynamic pipe sizing | 87 | * for dynamic pipe sizing |
| 87 | */ | 88 | */ |
| 88 | extern int splice_grow_spd(struct pipe_inode_info *, struct splice_pipe_desc *); | 89 | extern int splice_grow_spd(const struct pipe_inode_info *, struct splice_pipe_desc *); |
| 89 | extern void splice_shrink_spd(struct pipe_inode_info *, | 90 | extern void splice_shrink_spd(struct splice_pipe_desc *); |
| 90 | struct splice_pipe_desc *); | ||
| 91 | extern void spd_release_page(struct splice_pipe_desc *, unsigned int); | 91 | extern void spd_release_page(struct splice_pipe_desc *, unsigned int); |
| 92 | 92 | ||
| 93 | extern const struct pipe_buf_operations page_cache_pipe_buf_ops; | 93 | extern const struct pipe_buf_operations page_cache_pipe_buf_ops; |
diff --git a/kernel/relay.c b/kernel/relay.c index ab56a1764d4d..e8cd2027abbd 100644 --- a/kernel/relay.c +++ b/kernel/relay.c | |||
| @@ -1235,6 +1235,7 @@ static ssize_t subbuf_splice_actor(struct file *in, | |||
| 1235 | struct splice_pipe_desc spd = { | 1235 | struct splice_pipe_desc spd = { |
| 1236 | .pages = pages, | 1236 | .pages = pages, |
| 1237 | .nr_pages = 0, | 1237 | .nr_pages = 0, |
| 1238 | .nr_pages_max = PIPE_DEF_BUFFERS, | ||
| 1238 | .partial = partial, | 1239 | .partial = partial, |
| 1239 | .flags = flags, | 1240 | .flags = flags, |
| 1240 | .ops = &relay_pipe_buf_ops, | 1241 | .ops = &relay_pipe_buf_ops, |
| @@ -1302,8 +1303,8 @@ static ssize_t subbuf_splice_actor(struct file *in, | |||
| 1302 | ret += padding; | 1303 | ret += padding; |
| 1303 | 1304 | ||
| 1304 | out: | 1305 | out: |
| 1305 | splice_shrink_spd(pipe, &spd); | 1306 | splice_shrink_spd(&spd); |
| 1306 | return ret; | 1307 | return ret; |
| 1307 | } | 1308 | } |
| 1308 | 1309 | ||
| 1309 | static ssize_t relay_file_splice_read(struct file *in, | 1310 | static ssize_t relay_file_splice_read(struct file *in, |
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index 68032c6177db..288488082224 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c | |||
| @@ -3609,6 +3609,7 @@ static ssize_t tracing_splice_read_pipe(struct file *filp, | |||
| 3609 | .pages = pages_def, | 3609 | .pages = pages_def, |
| 3610 | .partial = partial_def, | 3610 | .partial = partial_def, |
| 3611 | .nr_pages = 0, /* This gets updated below. */ | 3611 | .nr_pages = 0, /* This gets updated below. */ |
| 3612 | .nr_pages_max = PIPE_DEF_BUFFERS, | ||
| 3612 | .flags = flags, | 3613 | .flags = flags, |
| 3613 | .ops = &tracing_pipe_buf_ops, | 3614 | .ops = &tracing_pipe_buf_ops, |
| 3614 | .spd_release = tracing_spd_release_pipe, | 3615 | .spd_release = tracing_spd_release_pipe, |
| @@ -3680,7 +3681,7 @@ static ssize_t tracing_splice_read_pipe(struct file *filp, | |||
| 3680 | 3681 | ||
| 3681 | ret = splice_to_pipe(pipe, &spd); | 3682 | ret = splice_to_pipe(pipe, &spd); |
| 3682 | out: | 3683 | out: |
| 3683 | splice_shrink_spd(pipe, &spd); | 3684 | splice_shrink_spd(&spd); |
| 3684 | return ret; | 3685 | return ret; |
| 3685 | 3686 | ||
| 3686 | out_err: | 3687 | out_err: |
| @@ -4231,6 +4232,7 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, | |||
| 4231 | struct splice_pipe_desc spd = { | 4232 | struct splice_pipe_desc spd = { |
| 4232 | .pages = pages_def, | 4233 | .pages = pages_def, |
| 4233 | .partial = partial_def, | 4234 | .partial = partial_def, |
| 4235 | .nr_pages_max = PIPE_DEF_BUFFERS, | ||
| 4234 | .flags = flags, | 4236 | .flags = flags, |
| 4235 | .ops = &buffer_pipe_buf_ops, | 4237 | .ops = &buffer_pipe_buf_ops, |
| 4236 | .spd_release = buffer_spd_release, | 4238 | .spd_release = buffer_spd_release, |
| @@ -4318,7 +4320,7 @@ tracing_buffers_splice_read(struct file *file, loff_t *ppos, | |||
| 4318 | } | 4320 | } |
| 4319 | 4321 | ||
| 4320 | ret = splice_to_pipe(pipe, &spd); | 4322 | ret = splice_to_pipe(pipe, &spd); |
| 4321 | splice_shrink_spd(pipe, &spd); | 4323 | splice_shrink_spd(&spd); |
| 4322 | out: | 4324 | out: |
| 4323 | return ret; | 4325 | return ret; |
| 4324 | } | 4326 | } |
diff --git a/mm/shmem.c b/mm/shmem.c index 585bd220a21e..c244e93a70fa 100644 --- a/mm/shmem.c +++ b/mm/shmem.c | |||
| @@ -1577,6 +1577,7 @@ static ssize_t shmem_file_splice_read(struct file *in, loff_t *ppos, | |||
| 1577 | struct splice_pipe_desc spd = { | 1577 | struct splice_pipe_desc spd = { |
| 1578 | .pages = pages, | 1578 | .pages = pages, |
| 1579 | .partial = partial, | 1579 | .partial = partial, |
| 1580 | .nr_pages_max = PIPE_DEF_BUFFERS, | ||
| 1580 | .flags = flags, | 1581 | .flags = flags, |
| 1581 | .ops = &page_cache_pipe_buf_ops, | 1582 | .ops = &page_cache_pipe_buf_ops, |
| 1582 | .spd_release = spd_release_page, | 1583 | .spd_release = spd_release_page, |
| @@ -1665,7 +1666,7 @@ static ssize_t shmem_file_splice_read(struct file *in, loff_t *ppos, | |||
| 1665 | if (spd.nr_pages) | 1666 | if (spd.nr_pages) |
| 1666 | error = splice_to_pipe(pipe, &spd); | 1667 | error = splice_to_pipe(pipe, &spd); |
| 1667 | 1668 | ||
| 1668 | splice_shrink_spd(pipe, &spd); | 1669 | splice_shrink_spd(&spd); |
| 1669 | 1670 | ||
| 1670 | if (error > 0) { | 1671 | if (error > 0) { |
| 1671 | *ppos += error; | 1672 | *ppos += error; |
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 016694d62484..bac3c5756d63 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c | |||
| @@ -1755,6 +1755,7 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset, | |||
| 1755 | struct splice_pipe_desc spd = { | 1755 | struct splice_pipe_desc spd = { |
| 1756 | .pages = pages, | 1756 | .pages = pages, |
| 1757 | .partial = partial, | 1757 | .partial = partial, |
| 1758 | .nr_pages_max = MAX_SKB_FRAGS, | ||
| 1758 | .flags = flags, | 1759 | .flags = flags, |
| 1759 | .ops = &sock_pipe_buf_ops, | 1760 | .ops = &sock_pipe_buf_ops, |
| 1760 | .spd_release = sock_spd_release, | 1761 | .spd_release = sock_spd_release, |