aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJens Axboe <axboe@suse.de>2006-05-01 13:50:48 -0400
committerJens Axboe <axboe@suse.de>2006-05-01 13:50:48 -0400
commit0568b409c74f7a125d92a09a3f386785700ef688 (patch)
tree79125b2f4755e98949f0d941a0092e5d3367bbff
parent46e678c96bbd775abd05d3ddbe2fd334794f9157 (diff)
[PATCH] splice: fix bugs in pipe_to_file()
Found by Oleg Nesterov <oleg@tv-sign.ru>, fixed by me. - Only allow full pages to go to the page cache. - Check page != buf->page instead of using PIPE_BUF_FLAG_STOLEN. - Remember to clear 'stolen' if add_to_page_cache() fails. And as a cleanup on that: - Make the bottom fall-through logic a little less convoluted. Also make the steal path hold an extra reference to the page, so we don't have to differentiate between stolen and non-stolen at the end. Signed-off-by: Jens Axboe <axboe@suse.de>
Diffstat
-rw-r--r--fs/pipe.c3
-rw-r--r--fs/splice.c37
-rw-r--r--include/linux/pipe_fs_i.h3
3 files changed, 20 insertions, 23 deletions
diff --git a/fs/pipe.c b/fs/pipe.c
index 5a369273c51b..888f265011bf 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -99,8 +99,6 @@ static void anon_pipe_buf_release(struct pipe_inode_info *pipe,
99{ 99{
100 struct page *page = buf->page; 100 struct page *page = buf->page;
101 101
102 buf->flags &= ~PIPE_BUF_FLAG_STOLEN;
103
104 /* 102 /*
105 * If nobody else uses this page, and we don't already have a 103 * If nobody else uses this page, and we don't already have a
106 * temporary page, let's keep track of it as a one-deep 104 * temporary page, let's keep track of it as a one-deep
@@ -130,7 +128,6 @@ static int anon_pipe_buf_steal(struct pipe_inode_info *pipe,
130 struct page *page = buf->page; 128 struct page *page = buf->page;
131 129
132 if (page_count(page) == 1) { 130 if (page_count(page) == 1) {
133 buf->flags |= PIPE_BUF_FLAG_STOLEN;
134 lock_page(page); 131 lock_page(page);
135 return 0; 132 return 0;
136 } 133 }
diff --git a/fs/splice.c b/fs/splice.c
index 9df28d30efa0..1633778f3652 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -78,7 +78,7 @@ static int page_cache_pipe_buf_steal(struct pipe_inode_info *info,
78 return 1; 78 return 1;
79 } 79 }
80 80
81 buf->flags |= PIPE_BUF_FLAG_STOLEN | PIPE_BUF_FLAG_LRU; 81 buf->flags |= PIPE_BUF_FLAG_LRU;
82 return 0; 82 return 0;
83} 83}
84 84
@@ -87,7 +87,7 @@ static void page_cache_pipe_buf_release(struct pipe_inode_info *info,
87{ 87{
88 page_cache_release(buf->page); 88 page_cache_release(buf->page);
89 buf->page = NULL; 89 buf->page = NULL;
90 buf->flags &= ~(PIPE_BUF_FLAG_STOLEN | PIPE_BUF_FLAG_LRU); 90 buf->flags &= ~PIPE_BUF_FLAG_LRU;
91} 91}
92 92
93static void *page_cache_pipe_buf_map(struct file *file, 93static void *page_cache_pipe_buf_map(struct file *file,
@@ -587,9 +587,10 @@ static int pipe_to_file(struct pipe_inode_info *info, struct pipe_buffer *buf,
587 this_len = PAGE_CACHE_SIZE - offset; 587 this_len = PAGE_CACHE_SIZE - offset;
588 588
589 /* 589 /*
590 * Reuse buf page, if SPLICE_F_MOVE is set. 590 * Reuse buf page, if SPLICE_F_MOVE is set and we are doing a full
591 * page.
591 */ 592 */
592 if (sd->flags & SPLICE_F_MOVE) { 593 if ((sd->flags & SPLICE_F_MOVE) && this_len == PAGE_CACHE_SIZE) {
593 /* 594 /*
594 * If steal succeeds, buf->page is now pruned from the vm 595 * If steal succeeds, buf->page is now pruned from the vm
595 * side (LRU and page cache) and we can reuse it. The page 596 * side (LRU and page cache) and we can reuse it. The page
@@ -604,6 +605,8 @@ static int pipe_to_file(struct pipe_inode_info *info, struct pipe_buffer *buf,
604 goto find_page; 605 goto find_page;
605 } 606 }
606 607
608 page_cache_get(page);
609
607 if (!(buf->flags & PIPE_BUF_FLAG_LRU)) 610 if (!(buf->flags & PIPE_BUF_FLAG_LRU))
608 lru_cache_add(page); 611 lru_cache_add(page);
609 } else { 612 } else {
@@ -662,7 +665,7 @@ find_page:
662 } else if (ret) 665 } else if (ret)
663 goto out; 666 goto out;
664 667
665 if (!(buf->flags & PIPE_BUF_FLAG_STOLEN)) { 668 if (buf->page != page) {
666 char *dst = kmap_atomic(page, KM_USER0); 669 char *dst = kmap_atomic(page, KM_USER0);
667 670
668 memcpy(dst + offset, src + buf->offset, this_len); 671 memcpy(dst + offset, src + buf->offset, this_len);
@@ -671,22 +674,20 @@ find_page:
671 } 674 }
672 675
673 ret = mapping->a_ops->commit_write(file, page, offset, offset+this_len); 676 ret = mapping->a_ops->commit_write(file, page, offset, offset+this_len);
674 if (ret == AOP_TRUNCATED_PAGE) { 677 if (!ret) {
678 /*
679 * Return the number of bytes written and mark page as
680 * accessed, we are now done!
681 */
682 ret = this_len;
683 mark_page_accessed(page);
684 balance_dirty_pages_ratelimited(mapping);
685 } else if (ret == AOP_TRUNCATED_PAGE) {
675 page_cache_release(page); 686 page_cache_release(page);
676 goto find_page; 687 goto find_page;
677 } else if (ret) 688 }
678 goto out;
679
680 /*
681 * Return the number of bytes written.
682 */
683 ret = this_len;
684 mark_page_accessed(page);
685 balance_dirty_pages_ratelimited(mapping);
686out: 689out:
687 if (!(buf->flags & PIPE_BUF_FLAG_STOLEN)) 690 page_cache_release(page);
688 page_cache_release(page);
689
690 unlock_page(page); 691 unlock_page(page);
691out_nomem: 692out_nomem:
692 buf->ops->unmap(info, buf); 693 buf->ops->unmap(info, buf);
diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
index 0008d4bd4059..3130977fc6ab 100644
--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
@@ -5,8 +5,7 @@
5 5
6#define PIPE_BUFFERS (16) 6#define PIPE_BUFFERS (16)
7 7
8#define PIPE_BUF_FLAG_STOLEN 0x01 8#define PIPE_BUF_FLAG_LRU 0x01
9#define PIPE_BUF_FLAG_LRU 0x02
10 9
11struct pipe_buffer { 10struct pipe_buffer {
12 struct page *page; 11 struct page *page;
generated by cgit v1.2.2 (git 2.25.0) at 2024-09-30 18:16:52 -0400