Commit 12a22960 authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'splice-2.6.23' of git://git.kernel.dk/data/git/linux-2.6-block

* 'splice-2.6.23' of git://git.kernel.dk/data/git/linux-2.6-block:
  splice: fix offset mangling with direct splicing (sendfile)
  security: revalidate rw permissions for sys_splice and sys_vmsplice
  relay: fixup kerneldoc comment
  relay: fix bogus cast in subbuf_splice_actor()
parents 31c4ab43 51a92c0f
...@@ -28,6 +28,7 @@ ...@@ -28,6 +28,7 @@
#include <linux/module.h> #include <linux/module.h>
#include <linux/syscalls.h> #include <linux/syscalls.h>
#include <linux/uio.h> #include <linux/uio.h>
#include <linux/security.h>
/* /*
* Attempt to steal a page from a pipe buffer. This should perhaps go into * Attempt to steal a page from a pipe buffer. This should perhaps go into
...@@ -491,7 +492,7 @@ ssize_t generic_file_splice_read(struct file *in, loff_t *ppos, ...@@ -491,7 +492,7 @@ ssize_t generic_file_splice_read(struct file *in, loff_t *ppos,
ret = 0; ret = 0;
spliced = 0; spliced = 0;
while (len) { while (len && !spliced) {
ret = __generic_file_splice_read(in, ppos, pipe, len, flags); ret = __generic_file_splice_read(in, ppos, pipe, len, flags);
if (ret < 0) if (ret < 0)
...@@ -961,6 +962,10 @@ static long do_splice_from(struct pipe_inode_info *pipe, struct file *out, ...@@ -961,6 +962,10 @@ static long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
if (unlikely(ret < 0)) if (unlikely(ret < 0))
return ret; return ret;
ret = security_file_permission(out, MAY_WRITE);
if (unlikely(ret < 0))
return ret;
return out->f_op->splice_write(pipe, out, ppos, len, flags); return out->f_op->splice_write(pipe, out, ppos, len, flags);
} }
...@@ -983,6 +988,10 @@ static long do_splice_to(struct file *in, loff_t *ppos, ...@@ -983,6 +988,10 @@ static long do_splice_to(struct file *in, loff_t *ppos,
if (unlikely(ret < 0)) if (unlikely(ret < 0))
return ret; return ret;
ret = security_file_permission(in, MAY_READ);
if (unlikely(ret < 0))
return ret;
return in->f_op->splice_read(in, ppos, pipe, len, flags); return in->f_op->splice_read(in, ppos, pipe, len, flags);
} }
...@@ -1051,15 +1060,10 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, ...@@ -1051,15 +1060,10 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
sd->flags &= ~SPLICE_F_NONBLOCK; sd->flags &= ~SPLICE_F_NONBLOCK;
while (len) { while (len) {
size_t read_len, max_read_len; size_t read_len;
/* ret = do_splice_to(in, &sd->pos, pipe, len, flags);
* Do at most PIPE_BUFFERS pages worth of transfer: if (unlikely(ret <= 0))
*/
max_read_len = min(len, (size_t)(PIPE_BUFFERS*PAGE_SIZE));
ret = do_splice_to(in, &sd->pos, pipe, max_read_len, flags);
if (unlikely(ret < 0))
goto out_release; goto out_release;
read_len = ret; read_len = ret;
...@@ -1071,26 +1075,17 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, ...@@ -1071,26 +1075,17 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
* could get stuck data in the internal pipe: * could get stuck data in the internal pipe:
*/ */
ret = actor(pipe, sd); ret = actor(pipe, sd);
if (unlikely(ret < 0)) if (unlikely(ret <= 0))
goto out_release; goto out_release;
bytes += ret; bytes += ret;
len -= ret; len -= ret;
/* if (ret < read_len)
* In nonblocking mode, if we got back a short read then goto out_release;
* that was due to either an IO error or due to the
* pagecache entry not being there. In the IO error case
* the _next_ splice attempt will produce a clean IO error
* return value (not a short read), so in both cases it's
* correct to break out of the loop here:
*/
if ((flags & SPLICE_F_NONBLOCK) && (read_len < max_read_len))
break;
} }
pipe->nrbufs = pipe->curbuf = 0; pipe->nrbufs = pipe->curbuf = 0;
return bytes; return bytes;
out_release: out_release:
...@@ -1152,10 +1147,12 @@ long do_splice_direct(struct file *in, loff_t *ppos, struct file *out, ...@@ -1152,10 +1147,12 @@ long do_splice_direct(struct file *in, loff_t *ppos, struct file *out,
.pos = *ppos, .pos = *ppos,
.u.file = out, .u.file = out,
}; };
size_t ret; long ret;
ret = splice_direct_to_actor(in, &sd, direct_splice_actor); ret = splice_direct_to_actor(in, &sd, direct_splice_actor);
*ppos = sd.pos; if (ret > 0)
*ppos += ret;
return ret; return ret;
} }
......
...@@ -1061,7 +1061,7 @@ static struct pipe_buf_operations relay_pipe_buf_ops = { ...@@ -1061,7 +1061,7 @@ static struct pipe_buf_operations relay_pipe_buf_ops = {
.get = generic_pipe_buf_get, .get = generic_pipe_buf_get,
}; };
/** /*
* subbuf_splice_actor - splice up to one subbuf's worth of data * subbuf_splice_actor - splice up to one subbuf's worth of data
*/ */
static int subbuf_splice_actor(struct file *in, static int subbuf_splice_actor(struct file *in,
...@@ -1074,7 +1074,9 @@ static int subbuf_splice_actor(struct file *in, ...@@ -1074,7 +1074,9 @@ static int subbuf_splice_actor(struct file *in,
unsigned int pidx, poff, total_len, subbuf_pages, ret; unsigned int pidx, poff, total_len, subbuf_pages, ret;
struct rchan_buf *rbuf = in->private_data; struct rchan_buf *rbuf = in->private_data;
unsigned int subbuf_size = rbuf->chan->subbuf_size; unsigned int subbuf_size = rbuf->chan->subbuf_size;
size_t read_start = ((size_t)*ppos) % rbuf->chan->alloc_size; uint64_t pos = (uint64_t) *ppos;
uint32_t alloc_size = (uint32_t) rbuf->chan->alloc_size;
size_t read_start = (size_t) do_div(pos, alloc_size);
size_t read_subbuf = read_start / subbuf_size; size_t read_subbuf = read_start / subbuf_size;
size_t padding = rbuf->padding[read_subbuf]; size_t padding = rbuf->padding[read_subbuf];
size_t nonpad_end = read_subbuf * subbuf_size + subbuf_size - padding; size_t nonpad_end = read_subbuf * subbuf_size + subbuf_size - padding;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment