aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux
diff options
context:
space:
mode:
authorEric Dumazet <edumazet@google.com>2012-06-12 09:24:40 -0400
committerJens Axboe <axboe@kernel.dk>2012-06-13 15:16:42 -0400
commit047fe3605235888f3ebcda0c728cb31937eadfe6 (patch)
tree9c33ef4b076bd54f686afe924cee01e21c55f427 /include/linux
parent27e1f9d1cc87be4e53c6eb7158cafc21c4b85a14 (diff)
splice: fix racy pipe->buffers uses
Dave Jones reported a kernel BUG at mm/slub.c:3474! triggered by splice_shrink_spd() called from vmsplice_to_pipe() commit 35f3d14dbbc5 (pipe: add support for shrinking and growing pipes) added capability to adjust pipe->buffers. Problem is some paths don't hold pipe mutex and assume pipe->buffers doesn't change for their duration. Fix this by adding nr_pages_max field in struct splice_pipe_desc, and use it in place of pipe->buffers where appropriate. splice_shrink_spd() loses its struct pipe_inode_info argument. Reported-by: Dave Jones <davej@redhat.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Jens Axboe <axboe@kernel.dk> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Tom Herbert <therbert@google.com> Cc: stable <stable@vger.kernel.org> # 2.6.35 Tested-by: Dave Jones <davej@redhat.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/splice.h8
1 files changed, 4 insertions, 4 deletions
diff --git a/include/linux/splice.h b/include/linux/splice.h
index 26e5b613deda..09a545a7dfa3 100644
--- a/include/linux/splice.h
+++ b/include/linux/splice.h
@@ -51,7 +51,8 @@ struct partial_page {
51struct splice_pipe_desc { 51struct splice_pipe_desc {
52 struct page **pages; /* page map */ 52 struct page **pages; /* page map */
53 struct partial_page *partial; /* pages[] may not be contig */ 53 struct partial_page *partial; /* pages[] may not be contig */
54 int nr_pages; /* number of pages in map */ 54 int nr_pages; /* number of populated pages in map */
55 unsigned int nr_pages_max; /* pages[] & partial[] arrays size */
55 unsigned int flags; /* splice flags */ 56 unsigned int flags; /* splice flags */
56 const struct pipe_buf_operations *ops;/* ops associated with output pipe */ 57 const struct pipe_buf_operations *ops;/* ops associated with output pipe */
57 void (*spd_release)(struct splice_pipe_desc *, unsigned int); 58 void (*spd_release)(struct splice_pipe_desc *, unsigned int);
@@ -85,9 +86,8 @@ extern ssize_t splice_direct_to_actor(struct file *, struct splice_desc *,
85/* 86/*
86 * for dynamic pipe sizing 87 * for dynamic pipe sizing
87 */ 88 */
88extern int splice_grow_spd(struct pipe_inode_info *, struct splice_pipe_desc *); 89extern int splice_grow_spd(const struct pipe_inode_info *, struct splice_pipe_desc *);
89extern void splice_shrink_spd(struct pipe_inode_info *, 90extern void splice_shrink_spd(struct splice_pipe_desc *);
90 struct splice_pipe_desc *);
91extern void spd_release_page(struct splice_pipe_desc *, unsigned int); 91extern void spd_release_page(struct splice_pipe_desc *, unsigned int);
92 92
93extern const struct pipe_buf_operations page_cache_pipe_buf_ops; 93extern const struct pipe_buf_operations page_cache_pipe_buf_ops;