]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blame - fs/splice.c
projects / mirror_ubuntu-zesty-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
bcm2835-v4l2: Fix buffer overflow problem
[mirror_ubuntu-zesty-kernel.git] / fs / splice.c
CommitLineData
5274f052
JA		 1/*
2 * "splice": joining two ropes together by interweaving their strands.
3 *
4 * This is the "extended pipe" functionality, where a pipe is used as
5 * an arbitrary in-memory buffer. Think of a pipe as a small kernel
6 * buffer that you can use to transfer data from one end to the other.
7 *
8 * The traditional unix read/write is extended with a "splice()" operation
9 * that transfers data buffers to or from a pipe buffer.
10 *
11 * Named by Larry McVoy, original implementation from Linus, extended by
c2058e06
JA		 12 * Jens to support splicing to files, network, direct splicing, etc and
13 * fixing lots of bugs.
5274f052 14 *
0fe23479 15 * Copyright (C) 2005-2006 Jens Axboe <axboe@kernel.dk>
c2058e06
JA		 16 * Copyright (C) 2005-2006 Linus Torvalds <torvalds@osdl.org>
17 * Copyright (C) 2006 Ingo Molnar <mingo@elte.hu>
5274f052
JA		 18 *
19 */
be297968 20#include <linux/bvec.h>
5274f052
JA		 21#include <linux/fs.h>
22#include <linux/file.h>
23#include <linux/pagemap.h>
d6b29d7c 24#include <linux/splice.h>
08e552c6 25#include <linux/memcontrol.h>
5274f052 26#include <linux/mm_inline.h>
5abc97aa 27#include <linux/swap.h>
4f6f0bd2 28#include <linux/writeback.h>
630d9c47 29#include <linux/export.h>
4f6f0bd2 30#include <linux/syscalls.h>
912d35f8 31#include <linux/uio.h>
29ce2058 32#include <linux/security.h>
5a0e3ad6 33#include <linux/gfp.h>
35f9c09f 34#include <linux/socket.h>
76b021d0 35#include <linux/compat.h>
06ae43f3 36#include "internal.h"
5274f052 37
83f9135b
JA		 38/*
39 * Attempt to steal a page from a pipe buffer. This should perhaps go into
40 * a vm helper function, it's already simplified quite a bit by the
41 * addition of remove_mapping(). If success is returned, the caller may
42 * attempt to reuse this page for another destination.
43 */
76ad4d11 44static int page_cache_pipe_buf_steal(struct pipe_inode_info *pipe,
5abc97aa
JA		 45 struct pipe_buffer *buf)
46{
47 struct page *page = buf->page;
9e94cd4f 48 struct address_space *mapping;
5abc97aa 49
9e0267c2
JA		 50 lock_page(page);
51
9e94cd4f
JA		 52 mapping = page_mapping(page);
53 if (mapping) {
54 WARN_ON(!PageUptodate(page));
5abc97aa 55
9e94cd4f
JA		 56 /*
57 * At least for ext2 with nobh option, we need to wait on
58 * writeback completing on this page, since we'll remove it
59 * from the pagecache. Otherwise truncate wont wait on the
60 * page, allowing the disk blocks to be reused by someone else
61 * before we actually wrote our data to them. fs corruption
62 * ensues.
63 */
64 wait_on_page_writeback(page);
ad8d6f0a 65
266cf658
DH		 66 if (page_has_private(page) &&
67 !try_to_release_page(page, GFP_KERNEL))
ca39d651 68 goto out_unlock;
4f6f0bd2 69
9e94cd4f
JA		 70 /*
71 * If we succeeded in removing the mapping, set LRU flag
72 * and return good.
73 */
74 if (remove_mapping(mapping, page)) {
75 buf->flags |= PIPE_BUF_FLAG_LRU;
76 return 0;
77 }
9e0267c2 78 }
5abc97aa 79
9e94cd4f
JA		 80 /*
81 * Raced with truncate or failed to remove page from current
82 * address space, unlock and return failure.
83 */
ca39d651 84out_unlock:
9e94cd4f
JA		 85 unlock_page(page);
86 return 1;
5abc97aa
JA		 87}
88
76ad4d11 89static void page_cache_pipe_buf_release(struct pipe_inode_info *pipe,
5274f052
JA		 90 struct pipe_buffer *buf)
91{
09cbfeaf 92 put_page(buf->page);
1432873a 93 buf->flags &= ~PIPE_BUF_FLAG_LRU;
5274f052
JA		 94}
95
0845718d
JA		 96/*
97 * Check whether the contents of buf is OK to access. Since the content
98 * is a page cache page, IO may be in flight.
99 */
cac36bb0
JA		 100static int page_cache_pipe_buf_confirm(struct pipe_inode_info *pipe,
101 struct pipe_buffer *buf)
5274f052
JA		 102{
103 struct page *page = buf->page;
49d0b21b 104 int err;
5274f052
JA		 105
106 if (!PageUptodate(page)) {
49d0b21b
JA		 107 lock_page(page);
108
109 /*
110 * Page got truncated/unhashed. This will cause a 0-byte
73d62d83 111 * splice, if this is the first page.
49d0b21b
JA		 112 */
113 if (!page->mapping) {
114 err = -ENODATA;
115 goto error;
116 }
5274f052 117
49d0b21b 118 /*
73d62d83 119 * Uh oh, read-error from disk.
49d0b21b
JA		 120 */
121 if (!PageUptodate(page)) {
122 err = -EIO;
123 goto error;
124 }
125
126 /*
f84d7519 127 * Page is ok afterall, we are done.
49d0b21b 128 */
5274f052 129 unlock_page(page);
5274f052
JA		 130 }
131
f84d7519 132 return 0;
49d0b21b
JA		 133error:
134 unlock_page(page);
f84d7519 135 return err;
70524490
JA		 136}
137
708e3508 138const struct pipe_buf_operations page_cache_pipe_buf_ops = {
5274f052 139 .can_merge = 0,
cac36bb0 140 .confirm = page_cache_pipe_buf_confirm,
5274f052 141 .release = page_cache_pipe_buf_release,
5abc97aa 142 .steal = page_cache_pipe_buf_steal,
f84d7519 143 .get = generic_pipe_buf_get,
5274f052
JA		 144};
145
912d35f8
JA		 146static int user_page_pipe_buf_steal(struct pipe_inode_info *pipe,
147 struct pipe_buffer *buf)
148{
7afa6fd0
JA		 149 if (!(buf->flags & PIPE_BUF_FLAG_GIFT))
150 return 1;
151
1432873a 152 buf->flags |= PIPE_BUF_FLAG_LRU;
330ab716 153 return generic_pipe_buf_steal(pipe, buf);
912d35f8
JA		 154}
155
d4c3cca9 156static const struct pipe_buf_operations user_page_pipe_buf_ops = {
912d35f8 157 .can_merge = 0,
cac36bb0 158 .confirm = generic_pipe_buf_confirm,
912d35f8
JA		 159 .release = page_cache_pipe_buf_release,
160 .steal = user_page_pipe_buf_steal,
f84d7519 161 .get = generic_pipe_buf_get,
912d35f8
JA		 162};
163
825cdcb1
NK		 164static void wakeup_pipe_readers(struct pipe_inode_info *pipe)
165{
166 smp_mb();
167 if (waitqueue_active(&pipe->wait))
168 wake_up_interruptible(&pipe->wait);
169 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
170}
171
932cc6d4
JA		 172/**
173 * splice_to_pipe - fill passed data into a pipe
174 * @pipe: pipe to fill
175 * @spd: data to fill
176 *
177 * Description:
79685b8d 178 * @spd contains a map of pages and len/offset tuples, along with
932cc6d4
JA		 179 * the struct pipe_buf_operations associated with these pages. This
180 * function will link that data to the pipe.
181 *
83f9135b 182 */
d6b29d7c
JA		 183ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
184 struct splice_pipe_desc *spd)
5274f052 185{
00de00bd 186 unsigned int spd_pages = spd->nr_pages;
8924feff 187 int ret = 0, page_nr = 0;
5274f052 188
d6785d91
RV		 189 if (!spd_pages)
190 return 0;
191
8924feff
AV		 192 if (unlikely(!pipe->readers)) {
193 send_sig(SIGPIPE, current, 0);
194 ret = -EPIPE;
195 goto out;
196 }
5274f052 197
8924feff
AV		 198 while (pipe->nrbufs < pipe->buffers) {
199 int newbuf = (pipe->curbuf + pipe->nrbufs) & (pipe->buffers - 1);
200 struct pipe_buffer *buf = pipe->bufs + newbuf;
5274f052 201
8924feff
AV		 202 buf->page = spd->pages[page_nr];
203 buf->offset = spd->partial[page_nr].offset;
204 buf->len = spd->partial[page_nr].len;
205 buf->private = spd->partial[page_nr].private;
206 buf->ops = spd->ops;
5a81e6a1 207 buf->flags = 0;
5274f052 208
8924feff
AV		 209 pipe->nrbufs++;
210 page_nr++;
211 ret += buf->len;
29e35094 212
8924feff 213 if (!--spd->nr_pages)
5274f052 214 break;
5274f052
JA		 215 }
216
8924feff
AV		 217 if (!ret)
218 ret = -EAGAIN;
5274f052 219
8924feff 220out:
00de00bd 221 while (page_nr < spd_pages)
bbdfc2f7 222 spd->spd_release(spd, page_nr++);
5274f052
JA		 223
224 return ret;
225}
2b514574 226EXPORT_SYMBOL_GPL(splice_to_pipe);
5274f052 227
79fddc4e
AV		 228ssize_t add_to_pipe(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
229{
230 int ret;
231
232 if (unlikely(!pipe->readers)) {
233 send_sig(SIGPIPE, current, 0);
234 ret = -EPIPE;
235 } else if (pipe->nrbufs == pipe->buffers) {
236 ret = -EAGAIN;
237 } else {
238 int newbuf = (pipe->curbuf + pipe->nrbufs) & (pipe->buffers - 1);
239 pipe->bufs[newbuf] = *buf;
240 pipe->nrbufs++;
241 return buf->len;
242 }
a779638c 243 pipe_buf_release(pipe, buf);
79fddc4e
AV		 244 return ret;
245}
246EXPORT_SYMBOL(add_to_pipe);
247
708e3508 248void spd_release_page(struct splice_pipe_desc *spd, unsigned int i)
bbdfc2f7 249{
09cbfeaf 250 put_page(spd->pages[i]);
bbdfc2f7
JA		 251}
252
35f3d14d
JA		 253/*
254 * Check if we need to grow the arrays holding pages and partial page
255 * descriptions.
256 */
047fe360 257int splice_grow_spd(const struct pipe_inode_info *pipe, struct splice_pipe_desc *spd)
35f3d14d 258{
047fe360
ED		 259 unsigned int buffers = ACCESS_ONCE(pipe->buffers);
260
261 spd->nr_pages_max = buffers;
262 if (buffers <= PIPE_DEF_BUFFERS)
35f3d14d
JA		 263 return 0;
264
047fe360
ED		 265 spd->pages = kmalloc(buffers * sizeof(struct page *), GFP_KERNEL);
266 spd->partial = kmalloc(buffers * sizeof(struct partial_page), GFP_KERNEL);
35f3d14d
JA		 267
268 if (spd->pages && spd->partial)
269 return 0;
270
271 kfree(spd->pages);
272 kfree(spd->partial);
273 return -ENOMEM;
274}
275
047fe360 276void splice_shrink_spd(struct splice_pipe_desc *spd)
35f3d14d 277{
047fe360 278 if (spd->nr_pages_max <= PIPE_DEF_BUFFERS)
35f3d14d
JA		 279 return;
280
281 kfree(spd->pages);
282 kfree(spd->partial);
283}
284
83f9135b
JA		 285/**
286 * generic_file_splice_read - splice data from file to a pipe
287 * @in: file to splice from
932cc6d4 288 * @ppos: position in @in
83f9135b
JA		 289 * @pipe: pipe to splice to
290 * @len: number of bytes to splice
291 * @flags: splice modifier flags
292 *
932cc6d4
JA		 293 * Description:
294 * Will read pages from given file and fill them into a pipe. Can be
82c156f8 295 * used as long as it has more or less sane ->read_iter().
932cc6d4 296 *
83f9135b 297 */
cbb7e577
JA		 298ssize_t generic_file_splice_read(struct file *in, loff_t *ppos,
299 struct pipe_inode_info *pipe, size_t len,
300 unsigned int flags)
5274f052 301{
82c156f8
AV		 302 struct iov_iter to;
303 struct kiocb kiocb;
82c156f8 304 int idx, ret;
be64f884 305
82c156f8
AV		 306 iov_iter_pipe(&to, ITER_PIPE | READ, pipe, len);
307 idx = to.idx;
308 init_sync_kiocb(&kiocb, in);
309 kiocb.ki_pos = *ppos;
310 ret = in->f_op->read_iter(&kiocb, &to);
723590ed 311 if (ret > 0) {
82c156f8 312 *ppos = kiocb.ki_pos;
723590ed 313 file_accessed(in);
82c156f8 314 } else if (ret < 0) {
c3a69024
AV		 315 to.idx = idx;
316 to.iov_offset = 0;
317 iov_iter_advance(&to, 0); /* to free what was emitted */
82c156f8
AV		 318 /*
319 * callers of ->splice_read() expect -EAGAIN on
320 * "can't put anything in there", rather than -EFAULT.
321 */
322 if (ret == -EFAULT)
323 ret = -EAGAIN;
723590ed 324 }
5274f052
JA		 325
326 return ret;
327}
059a8f37
JA		 328EXPORT_SYMBOL(generic_file_splice_read);
329
241699cd 330const struct pipe_buf_operations default_pipe_buf_ops = {
6818173b 331 .can_merge = 0,
6818173b
MS		 332 .confirm = generic_pipe_buf_confirm,
333 .release = generic_pipe_buf_release,
334 .steal = generic_pipe_buf_steal,
335 .get = generic_pipe_buf_get,
336};
337
28a625cb
MS		 338static int generic_pipe_buf_nosteal(struct pipe_inode_info *pipe,
339 struct pipe_buffer *buf)
340{
341 return 1;
342}
343
344/* Pipe buffer operations for a socket and similar. */
345const struct pipe_buf_operations nosteal_pipe_buf_ops = {
346 .can_merge = 0,
28a625cb
MS		 347 .confirm = generic_pipe_buf_confirm,
348 .release = generic_pipe_buf_release,
349 .steal = generic_pipe_buf_nosteal,
350 .get = generic_pipe_buf_get,
351};
352EXPORT_SYMBOL(nosteal_pipe_buf_ops);
353
523ac9af 354static ssize_t kernel_readv(struct file *file, const struct kvec *vec,
6818173b
MS		 355 unsigned long vlen, loff_t offset)
356{
357 mm_segment_t old_fs;
358 loff_t pos = offset;
359 ssize_t res;
360
361 old_fs = get_fs();
362 set_fs(get_ds());
363 /* The cast to a user pointer is valid due to the set_fs() */
793b80ef 364 res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos, 0);
6818173b
MS		 365 set_fs(old_fs);
366
367 return res;
368}
369
7bb307e8 370ssize_t kernel_write(struct file *file, const char *buf, size_t count,
b2858d7d 371 loff_t pos)
0b0a47f5
MS		 372{
373 mm_segment_t old_fs;
374 ssize_t res;
375
376 old_fs = get_fs();
377 set_fs(get_ds());
378 /* The cast to a user pointer is valid due to the set_fs() */
7bb307e8 379 res = vfs_write(file, (__force const char __user *)buf, count, &pos);
0b0a47f5
MS		 380 set_fs(old_fs);
381
382 return res;
383}
7bb307e8 384EXPORT_SYMBOL(kernel_write);
0b0a47f5 385
82c156f8 386static ssize_t default_file_splice_read(struct file *in, loff_t *ppos,
6818173b
MS		 387 struct pipe_inode_info *pipe, size_t len,
388 unsigned int flags)
389{
523ac9af
AV		 390 struct kvec *vec, __vec[PIPE_DEF_BUFFERS];
391 struct iov_iter to;
392 struct page **pages;
6818173b 393 unsigned int nr_pages;
523ac9af 394 size_t offset, dummy, copied = 0;
6818173b 395 ssize_t res;
6818173b 396 int i;
35f3d14d 397
523ac9af
AV		 398 if (pipe->nrbufs == pipe->buffers)
399 return -EAGAIN;
35f3d14d 400
523ac9af
AV		 401 /*
402 * Try to keep page boundaries matching to source pagecache ones -
403 * it probably won't be much help, but...
404 */
09cbfeaf 405 offset = *ppos & ~PAGE_MASK;
6818173b 406
523ac9af 407 iov_iter_pipe(&to, ITER_PIPE | READ, pipe, len + offset);
6818173b 408
523ac9af
AV		 409 res = iov_iter_get_pages_alloc(&to, &pages, len + offset, &dummy);
410 if (res <= 0)
411 return -ENOMEM;
6818173b 412
8e54cada
AV		 413 BUG_ON(dummy);
414 nr_pages = DIV_ROUND_UP(res, PAGE_SIZE);
6818173b 415
523ac9af
AV		 416 vec = __vec;
417 if (nr_pages > PIPE_DEF_BUFFERS) {
418 vec = kmalloc(nr_pages * sizeof(struct kvec), GFP_KERNEL);
419 if (unlikely(!vec)) {
420 res = -ENOMEM;
421 goto out;
422 }
77f6bf57 423 }
6818173b 424
523ac9af
AV		 425 pipe->bufs[to.idx].offset = offset;
426 pipe->bufs[to.idx].len -= offset;
427
428 for (i = 0; i < nr_pages; i++) {
429 size_t this_len = min_t(size_t, len, PAGE_SIZE - offset);
430 vec[i].iov_base = page_address(pages[i]) + offset;
431 vec[i].iov_len = this_len;
432 len -= this_len;
433 offset = 0;
6818173b 434 }
6818173b 435
523ac9af
AV		 436 res = kernel_readv(in, vec, nr_pages, *ppos);
437 if (res > 0) {
438 copied = res;
6818173b 439 *ppos += res;
523ac9af 440 }
6818173b 441
35f3d14d
JA		 442 if (vec != __vec)
443 kfree(vec);
523ac9af
AV		 444out:
445 for (i = 0; i < nr_pages; i++)
446 put_page(pages[i]);
447 kvfree(pages);
448 iov_iter_advance(&to, copied); /* truncates and discards */
6818173b 449 return res;
6818173b 450}
6818173b 451
5274f052 452/*
4f6f0bd2 453 * Send 'sd->len' bytes to socket from 'sd->file' at position 'sd->pos'
016b661e 454 * using sendpage(). Return the number of bytes sent.
5274f052 455 */
76ad4d11 456static int pipe_to_sendpage(struct pipe_inode_info *pipe,
5274f052
JA		 457 struct pipe_buffer *buf, struct splice_desc *sd)
458{
6a14b90b 459 struct file *file = sd->u.file;
5274f052 460 loff_t pos = sd->pos;
a8adbe37 461 int more;
5274f052 462
72c2d531 463 if (!likely(file->f_op->sendpage))
a8adbe37
MM		 464 return -EINVAL;
465
35f9c09f 466 more = (sd->flags & SPLICE_F_MORE) ? MSG_MORE : 0;
ae62ca7b
ED		 467
468 if (sd->len < sd->total_len && pipe->nrbufs > 1)
35f9c09f 469 more |= MSG_SENDPAGE_NOTLAST;
ae62ca7b 470
a8adbe37
MM		 471 return file->f_op->sendpage(file, buf->page, buf->offset,
472 sd->len, &pos, more);
5274f052
JA		 473}
474
b3c2d2dd
MS		 475static void wakeup_pipe_writers(struct pipe_inode_info *pipe)
476{
477 smp_mb();
478 if (waitqueue_active(&pipe->wait))
479 wake_up_interruptible(&pipe->wait);
480 kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
481}
482
932cc6d4 483/**
b3c2d2dd 484 * splice_from_pipe_feed - feed available data from a pipe to a file
932cc6d4
JA		 485 * @pipe: pipe to splice from
486 * @sd: information to @actor
487 * @actor: handler that splices the data
488 *
489 * Description:
b3c2d2dd
MS		 490 * This function loops over the pipe and calls @actor to do the
491 * actual moving of a single struct pipe_buffer to the desired
492 * destination. It returns when there's no more buffers left in
493 * the pipe or if the requested number of bytes (@sd->total_len)
494 * have been copied. It returns a positive number (one) if the
495 * pipe needs to be filled with more data, zero if the required
496 * number of bytes have been copied and -errno on error.
932cc6d4 497 *
b3c2d2dd
MS		 498 * This, together with splice_from_pipe_{begin,end,next}, may be
499 * used to implement the functionality of __splice_from_pipe() when
500 * locking is required around copying the pipe buffers to the
501 * destination.
83f9135b 502 */
96f9bc8f 503static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_desc *sd,
b3c2d2dd 504 splice_actor *actor)
5274f052 505{
b3c2d2dd 506 int ret;
5274f052 507
b3c2d2dd
MS		 508 while (pipe->nrbufs) {
509 struct pipe_buffer *buf = pipe->bufs + pipe->curbuf;
5274f052 510
b3c2d2dd
MS		 511 sd->len = buf->len;
512 if (sd->len > sd->total_len)
513 sd->len = sd->total_len;
5274f052 514
fba597db 515 ret = pipe_buf_confirm(pipe, buf);
a8adbe37 516 if (unlikely(ret)) {
b3c2d2dd
MS		 517 if (ret == -ENODATA)
518 ret = 0;
519 return ret;
520 }
a8adbe37
MM		 521
522 ret = actor(pipe, buf, sd);
523 if (ret <= 0)
524 return ret;
525
b3c2d2dd
MS		 526 buf->offset += ret;
527 buf->len -= ret;
528
529 sd->num_spliced += ret;
530 sd->len -= ret;
531 sd->pos += ret;
532 sd->total_len -= ret;
533
534 if (!buf->len) {
a779638c 535 pipe_buf_release(pipe, buf);
35f3d14d 536 pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
b3c2d2dd 537 pipe->nrbufs--;
6447a3cf 538 if (pipe->files)
b3c2d2dd
MS		 539 sd->need_wakeup = true;
540 }
5274f052 541
b3c2d2dd
MS		 542 if (!sd->total_len)
543 return 0;
544 }
5274f052 545
b3c2d2dd
MS		 546 return 1;
547}
5274f052 548
b3c2d2dd
MS		 549/**
550 * splice_from_pipe_next - wait for some data to splice from
551 * @pipe: pipe to splice from
552 * @sd: information about the splice operation
553 *
554 * Description:
555 * This function will wait for some data and return a positive
556 * value (one) if pipe buffers are available. It will return zero
557 * or -errno if no more data needs to be spliced.
558 */
96f9bc8f 559static int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
b3c2d2dd 560{
c725bfce
JK		 561 /*
562 * Check for signal early to make process killable when there are
563 * always buffers available
564 */
565 if (signal_pending(current))
566 return -ERESTARTSYS;
567
b3c2d2dd
MS		 568 while (!pipe->nrbufs) {
569 if (!pipe->writers)
570 return 0;
016b661e 571
b3c2d2dd
MS		 572 if (!pipe->waiting_writers && sd->num_spliced)
573 return 0;
73d62d83 574
b3c2d2dd
MS		 575 if (sd->flags & SPLICE_F_NONBLOCK)
576 return -EAGAIN;
5274f052 577
b3c2d2dd
MS		 578 if (signal_pending(current))
579 return -ERESTARTSYS;
5274f052 580
b3c2d2dd
MS		 581 if (sd->need_wakeup) {
582 wakeup_pipe_writers(pipe);
583 sd->need_wakeup = false;
5274f052
JA		 584 }
585
b3c2d2dd
MS		 586 pipe_wait(pipe);
587 }
29e35094 588
b3c2d2dd
MS		 589 return 1;
590}
5274f052 591
b3c2d2dd
MS		 592/**
593 * splice_from_pipe_begin - start splicing from pipe
b80901bb 594 * @sd: information about the splice operation
b3c2d2dd
MS		 595 *
596 * Description:
597 * This function should be called before a loop containing
598 * splice_from_pipe_next() and splice_from_pipe_feed() to
599 * initialize the necessary fields of @sd.
600 */
96f9bc8f 601static void splice_from_pipe_begin(struct splice_desc *sd)
b3c2d2dd
MS		 602{
603 sd->num_spliced = 0;
604 sd->need_wakeup = false;
605}
5274f052 606
b3c2d2dd
MS		 607/**
608 * splice_from_pipe_end - finish splicing from pipe
609 * @pipe: pipe to splice from
610 * @sd: information about the splice operation
611 *
612 * Description:
613 * This function will wake up pipe writers if necessary. It should
614 * be called after a loop containing splice_from_pipe_next() and
615 * splice_from_pipe_feed().
616 */
96f9bc8f 617static void splice_from_pipe_end(struct pipe_inode_info *pipe, struct splice_desc *sd)
b3c2d2dd
MS		 618{
619 if (sd->need_wakeup)
620 wakeup_pipe_writers(pipe);
621}
5274f052 622
b3c2d2dd
MS		 623/**
624 * __splice_from_pipe - splice data from a pipe to given actor
625 * @pipe: pipe to splice from
626 * @sd: information to @actor
627 * @actor: handler that splices the data
628 *
629 * Description:
630 * This function does little more than loop over the pipe and call
631 * @actor to do the actual moving of a single struct pipe_buffer to
632 * the desired destination. See pipe_to_file, pipe_to_sendpage, or
633 * pipe_to_user.
634 *
635 */
636ssize_t __splice_from_pipe(struct pipe_inode_info *pipe, struct splice_desc *sd,
637 splice_actor *actor)
638{
639 int ret;
5274f052 640
b3c2d2dd
MS		 641 splice_from_pipe_begin(sd);
642 do {
c2489e07 643 cond_resched();
b3c2d2dd
MS		 644 ret = splice_from_pipe_next(pipe, sd);
645 if (ret > 0)
646 ret = splice_from_pipe_feed(pipe, sd, actor);
647 } while (ret > 0);
648 splice_from_pipe_end(pipe, sd);
649
650 return sd->num_spliced ? sd->num_spliced : ret;
5274f052 651}
40bee44e 652EXPORT_SYMBOL(__splice_from_pipe);
5274f052 653
932cc6d4
JA		 654/**
655 * splice_from_pipe - splice data from a pipe to a file
656 * @pipe: pipe to splice from
657 * @out: file to splice to
658 * @ppos: position in @out
659 * @len: how many bytes to splice
660 * @flags: splice modifier flags
661 * @actor: handler that splices the data
662 *
663 * Description:
2933970b 664 * See __splice_from_pipe. This function locks the pipe inode,
932cc6d4
JA		 665 * otherwise it's identical to __splice_from_pipe().
666 *
667 */
6da61809
MF		 668ssize_t splice_from_pipe(struct pipe_inode_info *pipe, struct file *out,
669 loff_t *ppos, size_t len, unsigned int flags,
670 splice_actor *actor)
671{
672 ssize_t ret;
c66ab6fa
JA		 673 struct splice_desc sd = {
674 .total_len = len,
675 .flags = flags,
676 .pos = *ppos,
6a14b90b 677 .u.file = out,
c66ab6fa 678 };
6da61809 679
61e0d47c 680 pipe_lock(pipe);
c66ab6fa 681 ret = __splice_from_pipe(pipe, &sd, actor);
61e0d47c 682 pipe_unlock(pipe);
6da61809
MF		 683
684 return ret;
685}
686
8d020765
AV		 687/**
688 * iter_file_splice_write - splice data from a pipe to a file
689 * @pipe: pipe info
690 * @out: file to write to
691 * @ppos: position in @out
692 * @len: number of bytes to splice
693 * @flags: splice modifier flags
694 *
695 * Description:
696 * Will either move or copy pages (determined by @flags options) from
697 * the given pipe inode to the given file.
698 * This one is ->write_iter-based.
699 *
700 */
701ssize_t
702iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
703 loff_t *ppos, size_t len, unsigned int flags)
704{
705 struct splice_desc sd = {
706 .total_len = len,
707 .flags = flags,
708 .pos = *ppos,
709 .u.file = out,
710 };
711 int nbufs = pipe->buffers;
712 struct bio_vec *array = kcalloc(nbufs, sizeof(struct bio_vec),
713 GFP_KERNEL);
714 ssize_t ret;
715
716 if (unlikely(!array))
717 return -ENOMEM;
718
719 pipe_lock(pipe);
720
721 splice_from_pipe_begin(&sd);
722 while (sd.total_len) {
723 struct iov_iter from;
8d020765
AV		 724 size_t left;
725 int n, idx;
726
727 ret = splice_from_pipe_next(pipe, &sd);
728 if (ret <= 0)
729 break;
730
731 if (unlikely(nbufs < pipe->buffers)) {
732 kfree(array);
733 nbufs = pipe->buffers;
734 array = kcalloc(nbufs, sizeof(struct bio_vec),
735 GFP_KERNEL);
736 if (!array) {
737 ret = -ENOMEM;
738 break;
739 }
740 }
741
742 /* build the vector */
743 left = sd.total_len;
744 for (n = 0, idx = pipe->curbuf; left && n < pipe->nrbufs; n++, idx++) {
745 struct pipe_buffer *buf = pipe->bufs + idx;
746 size_t this_len = buf->len;
747
748 if (this_len > left)
749 this_len = left;
750
751 if (idx == pipe->buffers - 1)
752 idx = -1;
753
fba597db 754 ret = pipe_buf_confirm(pipe, buf);
8d020765
AV		 755 if (unlikely(ret)) {
756 if (ret == -ENODATA)
757 ret = 0;
758 goto done;
759 }
760
761 array[n].bv_page = buf->page;
762 array[n].bv_len = this_len;
763 array[n].bv_offset = buf->offset;
764 left -= this_len;
765 }
766
05afcb77
AV		 767 iov_iter_bvec(&from, ITER_BVEC | WRITE, array, n,
768 sd.total_len - left);
dbe4e192 769 ret = vfs_iter_write(out, &from, &sd.pos);
8d020765
AV		 770 if (ret <= 0)
771 break;
772
773 sd.num_spliced += ret;
774 sd.total_len -= ret;
dbe4e192 775 *ppos = sd.pos;
8d020765
AV		 776
777 /* dismiss the fully eaten buffers, adjust the partial one */
778 while (ret) {
779 struct pipe_buffer *buf = pipe->bufs + pipe->curbuf;
780 if (ret >= buf->len) {
8d020765
AV		 781 ret -= buf->len;
782 buf->len = 0;
a779638c 783 pipe_buf_release(pipe, buf);
8d020765
AV		 784 pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
785 pipe->nrbufs--;
786 if (pipe->files)
787 sd.need_wakeup = true;
788 } else {
789 buf->offset += ret;
790 buf->len -= ret;
791 ret = 0;
792 }
793 }
794 }
795done:
796 kfree(array);
797 splice_from_pipe_end(pipe, &sd);
798
799 pipe_unlock(pipe);
800
801 if (sd.num_spliced)
802 ret = sd.num_spliced;
803
804 return ret;
805}
806
807EXPORT_SYMBOL(iter_file_splice_write);
808
b2858d7d
MS		 809static int write_pipe_buf(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
810 struct splice_desc *sd)
0b0a47f5 811{
b2858d7d
MS		 812 int ret;
813 void *data;
06ae43f3 814 loff_t tmp = sd->pos;
b2858d7d 815
fbb32750 816 data = kmap(buf->page);
06ae43f3 817 ret = __kernel_write(sd->u.file, data + buf->offset, sd->len, &tmp);
fbb32750 818 kunmap(buf->page);
b2858d7d
MS		 819
820 return ret;
0b0a47f5
MS		 821}
822
823static ssize_t default_file_splice_write(struct pipe_inode_info *pipe,
824 struct file *out, loff_t *ppos,
825 size_t len, unsigned int flags)
826{
b2858d7d 827 ssize_t ret;
0b0a47f5 828
b2858d7d
MS		 829 ret = splice_from_pipe(pipe, out, ppos, len, flags, write_pipe_buf);
830 if (ret > 0)
831 *ppos += ret;
0b0a47f5 832
b2858d7d 833 return ret;
0b0a47f5
MS		 834}
835
83f9135b
JA		 836/**
837 * generic_splice_sendpage - splice data from a pipe to a socket
932cc6d4 838 * @pipe: pipe to splice from
83f9135b 839 * @out: socket to write to
932cc6d4 840 * @ppos: position in @out
83f9135b
JA		 841 * @len: number of bytes to splice
842 * @flags: splice modifier flags
843 *
932cc6d4
JA		 844 * Description:
845 * Will send @len bytes from the pipe to a network socket. No data copying
846 * is involved.
83f9135b
JA		 847 *
848 */
3a326a2c 849ssize_t generic_splice_sendpage(struct pipe_inode_info *pipe, struct file *out,
cbb7e577 850 loff_t *ppos, size_t len, unsigned int flags)
5274f052 851{
00522fb4 852 return splice_from_pipe(pipe, out, ppos, len, flags, pipe_to_sendpage);
5274f052
JA		 853}
854
059a8f37 855EXPORT_SYMBOL(generic_splice_sendpage);
a0f06780 856
83f9135b
JA		 857/*
858 * Attempt to initiate a splice from pipe to file.
859 */
e14748e8
SF		 860long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
861 loff_t *ppos, size_t len, unsigned int flags)
5274f052 862{
0b0a47f5
MS		 863 ssize_t (*splice_write)(struct pipe_inode_info *, struct file *,
864 loff_t *, size_t, unsigned int);
5274f052 865
72c2d531 866 if (out->f_op->splice_write)
cc56f7de
CG		 867 splice_write = out->f_op->splice_write;
868 else
0b0a47f5
MS		 869 splice_write = default_file_splice_write;
870
500368f7 871 return splice_write(pipe, out, ppos, len, flags);
5274f052 872}
e14748e8 873EXPORT_SYMBOL_GPL(do_splice_from);
5274f052 874
83f9135b
JA		 875/*
876 * Attempt to initiate a splice from a file to a pipe.
877 */
e14748e8
SF		 878long do_splice_to(struct file *in, loff_t *ppos,
879 struct pipe_inode_info *pipe, size_t len,
880 unsigned int flags)
5274f052 881{
6818173b
MS		 882 ssize_t (*splice_read)(struct file *, loff_t *,
883 struct pipe_inode_info *, size_t, unsigned int);
5274f052
JA		 884 int ret;
885
49570e9b 886 if (unlikely(!(in->f_mode & FMODE_READ)))
5274f052
JA		 887 return -EBADF;
888
cbb7e577 889 ret = rw_verify_area(READ, in, ppos, len);
5274f052
JA		 890 if (unlikely(ret < 0))
891 return ret;
892
03cc0789
AV		 893 if (unlikely(len > MAX_RW_COUNT))
894 len = MAX_RW_COUNT;
895
72c2d531 896 if (in->f_op->splice_read)
cc56f7de
CG		 897 splice_read = in->f_op->splice_read;
898 else
6818173b
MS		 899 splice_read = default_file_splice_read;
900
901 return splice_read(in, ppos, pipe, len, flags);
5274f052 902}
e14748e8 903EXPORT_SYMBOL_GPL(do_splice_to);
5274f052 904
932cc6d4
JA		 905/**
906 * splice_direct_to_actor - splices data directly between two non-pipes
907 * @in: file to splice from
908 * @sd: actor information on where to splice to
909 * @actor: handles the data splicing
910 *
911 * Description:
912 * This is a special case helper to splice directly between two
913 * points, without requiring an explicit pipe. Internally an allocated
79685b8d 914 * pipe is cached in the process, and reused during the lifetime of
932cc6d4
JA		 915 * that process.
916 *
c66ab6fa
JA		 917 */
918ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
919 splice_direct_actor *actor)
b92ce558
JA		 920{
921 struct pipe_inode_info *pipe;
922 long ret, bytes;
923 umode_t i_mode;
c66ab6fa 924 size_t len;
0ff28d9f 925 int i, flags, more;
b92ce558
JA		 926
927 /*
928 * We require the input being a regular file, as we don't want to
929 * randomly drop data for eg socket -> socket splicing. Use the
930 * piped splicing for that!
931 */
496ad9aa 932 i_mode = file_inode(in)->i_mode;
b92ce558
JA		 933 if (unlikely(!S_ISREG(i_mode) && !S_ISBLK(i_mode)))
934 return -EINVAL;
935
936 /*
937 * neither in nor out is a pipe, setup an internal pipe attached to
938 * 'out' and transfer the wanted data from 'in' to 'out' through that
939 */
940 pipe = current->splice_pipe;
49570e9b 941 if (unlikely(!pipe)) {
7bee130e 942 pipe = alloc_pipe_info();
b92ce558
JA		 943 if (!pipe)
944 return -ENOMEM;
945
946 /*
947 * We don't have an immediate reader, but we'll read the stuff
00522fb4 948 * out of the pipe right after the splice_to_pipe(). So set
b92ce558
JA		 949 * PIPE_READERS appropriately.
950 */
951 pipe->readers = 1;
952
953 current->splice_pipe = pipe;
954 }
955
956 /*
73d62d83 957 * Do the splice.
b92ce558
JA		 958 */
959 ret = 0;
960 bytes = 0;
c66ab6fa
JA		 961 len = sd->total_len;
962 flags = sd->flags;
963
964 /*
965 * Don't block on output, we have to drain the direct pipe.
966 */
967 sd->flags &= ~SPLICE_F_NONBLOCK;
0ff28d9f 968 more = sd->flags & SPLICE_F_MORE;
b92ce558
JA		 969
970 while (len) {
51a92c0f 971 size_t read_len;
a82c53a0 972 loff_t pos = sd->pos, prev_pos = pos;
b92ce558 973
bcd4f3ac 974 ret = do_splice_to(in, &pos, pipe, len, flags);
51a92c0f 975 if (unlikely(ret <= 0))
b92ce558
JA		 976 goto out_release;
977
978 read_len = ret;
c66ab6fa 979 sd->total_len = read_len;
b92ce558 980
0ff28d9f
CL		 981 /*
982 * If more data is pending, set SPLICE_F_MORE
983 * If this is the last data and SPLICE_F_MORE was not set
984 * initially, clears it.
985 */
986 if (read_len < len)
987 sd->flags |= SPLICE_F_MORE;
988 else if (!more)
989 sd->flags &= ~SPLICE_F_MORE;
b92ce558
JA		 990 /*
991 * NOTE: nonblocking mode only applies to the input. We
992 * must not do the output in nonblocking mode as then we
993 * could get stuck data in the internal pipe:
994 */
c66ab6fa 995 ret = actor(pipe, sd);
a82c53a0
TZ		 996 if (unlikely(ret <= 0)) {
997 sd->pos = prev_pos;
b92ce558 998 goto out_release;
a82c53a0 999 }
b92ce558
JA		 1000
1001 bytes += ret;
1002 len -= ret;
bcd4f3ac 1003 sd->pos = pos;
b92ce558 1004
a82c53a0
TZ		 1005 if (ret < read_len) {
1006 sd->pos = prev_pos + ret;
51a92c0f 1007 goto out_release;
a82c53a0 1008 }
b92ce558
JA		 1009 }
1010
9e97198d 1011done:
b92ce558 1012 pipe->nrbufs = pipe->curbuf = 0;
80848708 1013 file_accessed(in);
b92ce558
JA		 1014 return bytes;
1015
1016out_release:
1017 /*
1018 * If we did an incomplete transfer we must release
1019 * the pipe buffers in question:
1020 */
35f3d14d 1021 for (i = 0; i < pipe->buffers; i++) {
b92ce558
JA		 1022 struct pipe_buffer *buf = pipe->bufs + i;
1023
a779638c
MS		 1024 if (buf->ops)
1025 pipe_buf_release(pipe, buf);
b92ce558 1026 }
b92ce558 1027
9e97198d
JA		 1028 if (!bytes)
1029 bytes = ret;
c66ab6fa 1030
9e97198d 1031 goto done;
c66ab6fa
JA		 1032}
1033EXPORT_SYMBOL(splice_direct_to_actor);
1034
1035static int direct_splice_actor(struct pipe_inode_info *pipe,
1036 struct splice_desc *sd)
1037{
6a14b90b 1038 struct file *file = sd->u.file;
c66ab6fa 1039
7995bd28 1040 return do_splice_from(pipe, file, sd->opos, sd->total_len,
2cb4b05e 1041 sd->flags);
c66ab6fa
JA		 1042}
1043
932cc6d4
JA		 1044/**
1045 * do_splice_direct - splices data directly between two files
1046 * @in: file to splice from
1047 * @ppos: input file offset
1048 * @out: file to splice to
acdb37c3 1049 * @opos: output file offset
932cc6d4
JA		 1050 * @len: number of bytes to splice
1051 * @flags: splice modifier flags
1052 *
1053 * Description:
1054 * For use by do_sendfile(). splice can easily emulate sendfile, but
1055 * doing it in the application would incur an extra system call
1056 * (splice in + splice out, as compared to just sendfile()). So this helper
1057 * can splice directly through a process-private pipe.
1058 *
1059 */
c66ab6fa 1060long do_splice_direct(struct file *in, loff_t *ppos, struct file *out,
7995bd28 1061 loff_t *opos, size_t len, unsigned int flags)
c66ab6fa
JA		 1062{
1063 struct splice_desc sd = {
1064 .len = len,
1065 .total_len = len,
1066 .flags = flags,
1067 .pos = *ppos,
6a14b90b 1068 .u.file = out,
7995bd28 1069 .opos = opos,
c66ab6fa 1070 };
51a92c0f 1071 long ret;
c66ab6fa 1072
18c67cb9
AV		 1073 if (unlikely(!(out->f_mode & FMODE_WRITE)))
1074 return -EBADF;
1075
1076 if (unlikely(out->f_flags & O_APPEND))
1077 return -EINVAL;
1078
1079 ret = rw_verify_area(WRITE, out, opos, len);
1080 if (unlikely(ret < 0))
1081 return ret;
1082
c66ab6fa 1083 ret = splice_direct_to_actor(in, &sd, direct_splice_actor);
51a92c0f 1084 if (ret > 0)
a82c53a0 1085 *ppos = sd.pos;
51a92c0f 1086
c66ab6fa 1087 return ret;
b92ce558 1088}
1c118596 1089EXPORT_SYMBOL(do_splice_direct);
b92ce558 1090
8924feff
AV		 1091static int wait_for_space(struct pipe_inode_info *pipe, unsigned flags)
1092{
52bce911
LT		 1093 for (;;) {
1094 if (unlikely(!pipe->readers)) {
1095 send_sig(SIGPIPE, current, 0);
1096 return -EPIPE;
1097 }
1098 if (pipe->nrbufs != pipe->buffers)
1099 return 0;
8924feff
AV		 1100 if (flags & SPLICE_F_NONBLOCK)
1101 return -EAGAIN;
1102 if (signal_pending(current))
1103 return -ERESTARTSYS;
1104 pipe->waiting_writers++;
1105 pipe_wait(pipe);
1106 pipe->waiting_writers--;
1107 }
8924feff
AV		 1108}
1109
7c77f0b3
MS		 1110static int splice_pipe_to_pipe(struct pipe_inode_info *ipipe,
1111 struct pipe_inode_info *opipe,
1112 size_t len, unsigned int flags);
ddac0d39 1113
83f9135b
JA		 1114/*
1115 * Determine where to splice to/from.
1116 */
529565dc
IM		 1117static long do_splice(struct file *in, loff_t __user *off_in,
1118 struct file *out, loff_t __user *off_out,
1119 size_t len, unsigned int flags)
5274f052 1120{
7c77f0b3
MS		 1121 struct pipe_inode_info *ipipe;
1122 struct pipe_inode_info *opipe;
7995bd28 1123 loff_t offset;
a4514ebd 1124 long ret;
5274f052 1125
71993e62
LT		 1126 ipipe = get_pipe_info(in);
1127 opipe = get_pipe_info(out);
7c77f0b3
MS		 1128
1129 if (ipipe && opipe) {
1130 if (off_in || off_out)
1131 return -ESPIPE;
1132
1133 if (!(in->f_mode & FMODE_READ))
1134 return -EBADF;
1135
1136 if (!(out->f_mode & FMODE_WRITE))
1137 return -EBADF;
1138
1139 /* Splicing to self would be fun, but... */
1140 if (ipipe == opipe)
1141 return -EINVAL;
1142
1143 return splice_pipe_to_pipe(ipipe, opipe, len, flags);
1144 }
1145
1146 if (ipipe) {
529565dc
IM		 1147 if (off_in)
1148 return -ESPIPE;
b92ce558 1149 if (off_out) {
19c9a49b 1150 if (!(out->f_mode & FMODE_PWRITE))
b92ce558 1151 return -EINVAL;
cbb7e577 1152 if (copy_from_user(&offset, off_out, sizeof(loff_t)))
b92ce558 1153 return -EFAULT;
7995bd28
AV		 1154 } else {
1155 offset = out->f_pos;
1156 }
529565dc 1157
18c67cb9
AV		 1158 if (unlikely(!(out->f_mode & FMODE_WRITE)))
1159 return -EBADF;
1160
1161 if (unlikely(out->f_flags & O_APPEND))
1162 return -EINVAL;
1163
1164 ret = rw_verify_area(WRITE, out, &offset, len);
1165 if (unlikely(ret < 0))
1166 return ret;
1167
500368f7 1168 file_start_write(out);
7995bd28 1169 ret = do_splice_from(ipipe, out, &offset, len, flags);
500368f7 1170 file_end_write(out);
a4514ebd 1171
7995bd28
AV		 1172 if (!off_out)
1173 out->f_pos = offset;
1174 else if (copy_to_user(off_out, &offset, sizeof(loff_t)))
a4514ebd
JA		 1175 ret = -EFAULT;
1176
1177 return ret;
529565dc 1178 }
5274f052 1179
7c77f0b3 1180 if (opipe) {
529565dc
IM		 1181 if (off_out)
1182 return -ESPIPE;
b92ce558 1183 if (off_in) {
19c9a49b 1184 if (!(in->f_mode & FMODE_PREAD))
b92ce558 1185 return -EINVAL;
cbb7e577 1186 if (copy_from_user(&offset, off_in, sizeof(loff_t)))
b92ce558 1187 return -EFAULT;
7995bd28
AV		 1188 } else {
1189 offset = in->f_pos;
1190 }
529565dc 1191
8924feff
AV		 1192 pipe_lock(opipe);
1193 ret = wait_for_space(opipe, flags);
1194 if (!ret)
1195 ret = do_splice_to(in, &offset, opipe, len, flags);
1196 pipe_unlock(opipe);
1197 if (ret > 0)
1198 wakeup_pipe_readers(opipe);
7995bd28
AV		 1199 if (!off_in)
1200 in->f_pos = offset;
1201 else if (copy_to_user(off_in, &offset, sizeof(loff_t)))
a4514ebd
JA		 1202 ret = -EFAULT;
1203
1204 return ret;
529565dc 1205 }
5274f052
JA		 1206
1207 return -EINVAL;
1208}
1209
79fddc4e
AV		 1210static int iter_to_pipe(struct iov_iter *from,
1211 struct pipe_inode_info *pipe,
1212 unsigned flags)
912d35f8 1213{
79fddc4e
AV		 1214 struct pipe_buffer buf = {
1215 .ops = &user_page_pipe_buf_ops,
1216 .flags = flags
1217 };
1218 size_t total = 0;
1219 int ret = 0;
1220 bool failed = false;
1221
1222 while (iov_iter_count(from) && !failed) {
1223 struct page *pages[16];
db85a9eb
AV		 1224 ssize_t copied;
1225 size_t start;
79fddc4e 1226 int n;
db85a9eb 1227
79fddc4e
AV		 1228 copied = iov_iter_get_pages(from, pages, ~0UL, 16, &start);
1229 if (copied <= 0) {
1230 ret = copied;
1231 break;
1232 }
db85a9eb 1233
79fddc4e 1234 for (n = 0; copied; n++, start = 0) {
db85a9eb 1235 int size = min_t(int, copied, PAGE_SIZE - start);
79fddc4e
AV		 1236 if (!failed) {
1237 buf.page = pages[n];
1238 buf.offset = start;
1239 buf.len = size;
1240 ret = add_to_pipe(pipe, &buf);
1241 if (unlikely(ret < 0)) {
1242 failed = true;
1243 } else {
1244 iov_iter_advance(from, ret);
1245 total += ret;
1246 }
1247 } else {
1248 put_page(pages[n]);
1249 }
db85a9eb 1250 copied -= size;
912d35f8 1251 }
912d35f8 1252 }
79fddc4e 1253 return total ? total : ret;
912d35f8
JA		 1254}
1255
6a14b90b
JA		 1256static int pipe_to_user(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
1257 struct splice_desc *sd)
1258{
6130f531
AV		 1259 int n = copy_page_to_iter(buf->page, buf->offset, sd->len, sd->u.data);
1260 return n == sd->len ? n : -EFAULT;
6a14b90b
JA		 1261}
1262
1263/*
1264 * For lack of a better implementation, implement vmsplice() to userspace
1265 * as a simple copy of the pipes pages to the user iov.
1266 */
6130f531 1267static long vmsplice_to_user(struct file *file, const struct iovec __user *uiov,
6a14b90b
JA		 1268 unsigned long nr_segs, unsigned int flags)
1269{
1270 struct pipe_inode_info *pipe;
1271 struct splice_desc sd;
6a14b90b 1272 long ret;
6130f531
AV		 1273 struct iovec iovstack[UIO_FASTIOV];
1274 struct iovec *iov = iovstack;
1275 struct iov_iter iter;
6a14b90b 1276
71993e62 1277 pipe = get_pipe_info(file);
6a14b90b
JA		 1278 if (!pipe)
1279 return -EBADF;
1280
345995fa
AV		 1281 ret = import_iovec(READ, uiov, nr_segs,
1282 ARRAY_SIZE(iovstack), &iov, &iter);
1283 if (ret < 0)
1284 return ret;
6a14b90b 1285
345995fa 1286 sd.total_len = iov_iter_count(&iter);
6130f531 1287 sd.len = 0;
6130f531
AV		 1288 sd.flags = flags;
1289 sd.u.data = &iter;
1290 sd.pos = 0;
6a14b90b 1291
345995fa
AV		 1292 if (sd.total_len) {
1293 pipe_lock(pipe);
1294 ret = __splice_from_pipe(pipe, &sd, pipe_to_user);
1295 pipe_unlock(pipe);
1296 }
6a14b90b 1297
345995fa 1298 kfree(iov);
6a14b90b
JA		 1299 return ret;
1300}
1301
912d35f8
JA		 1302/*
1303 * vmsplice splices a user address range into a pipe. It can be thought of
1304 * as splice-from-memory, where the regular splice is splice-from-file (or
1305 * to file). In both cases the output is a pipe, naturally.
912d35f8 1306 */
db85a9eb 1307static long vmsplice_to_pipe(struct file *file, const struct iovec __user *uiov,
6a14b90b 1308 unsigned long nr_segs, unsigned int flags)
912d35f8 1309{
ddac0d39 1310 struct pipe_inode_info *pipe;
db85a9eb
AV		 1311 struct iovec iovstack[UIO_FASTIOV];
1312 struct iovec *iov = iovstack;
1313 struct iov_iter from;
35f3d14d 1314 long ret;
79fddc4e
AV		 1315 unsigned buf_flag = 0;
1316
1317 if (flags & SPLICE_F_GIFT)
1318 buf_flag = PIPE_BUF_FLAG_GIFT;
912d35f8 1319
71993e62 1320 pipe = get_pipe_info(file);
ddac0d39 1321 if (!pipe)
912d35f8 1322 return -EBADF;
912d35f8 1323
db85a9eb
AV		 1324 ret = import_iovec(WRITE, uiov, nr_segs,
1325 ARRAY_SIZE(iovstack), &iov, &from);
1326 if (ret < 0)
1327 return ret;
1328
8924feff
AV		 1329 pipe_lock(pipe);
1330 ret = wait_for_space(pipe, flags);
79fddc4e
AV		 1331 if (!ret)
1332 ret = iter_to_pipe(&from, pipe, buf_flag);
8924feff
AV		 1333 pipe_unlock(pipe);
1334 if (ret > 0)
1335 wakeup_pipe_readers(pipe);
db85a9eb 1336 kfree(iov);
35f3d14d 1337 return ret;
912d35f8
JA		 1338}
1339
6a14b90b
JA		 1340/*
1341 * Note that vmsplice only really supports true splicing _from_ user memory
1342 * to a pipe, not the other way around. Splicing from user memory is a simple
1343 * operation that can be supported without any funky alignment restrictions
1344 * or nasty vm tricks. We simply map in the user memory and fill them into
1345 * a pipe. The reverse isn't quite as easy, though. There are two possible
1346 * solutions for that:
1347 *
1348 * - memcpy() the data internally, at which point we might as well just
1349 * do a regular read() on the buffer anyway.
1350 * - Lots of nasty vm tricks, that are neither fast nor flexible (it
1351 * has restriction limitations on both ends of the pipe).
1352 *
1353 * Currently we punt and implement it as a normal copy, see pipe_to_user().
1354 *
1355 */
836f92ad
HC		 1356SYSCALL_DEFINE4(vmsplice, int, fd, const struct iovec __user *, iov,
1357 unsigned long, nr_segs, unsigned int, flags)
912d35f8 1358{
2903ff01 1359 struct fd f;
912d35f8 1360 long error;
912d35f8 1361
6a14b90b
JA		 1362 if (unlikely(nr_segs > UIO_MAXIOV))
1363 return -EINVAL;
1364 else if (unlikely(!nr_segs))
1365 return 0;
1366
912d35f8 1367 error = -EBADF;
2903ff01
AV		 1368 f = fdget(fd);
1369 if (f.file) {
1370 if (f.file->f_mode & FMODE_WRITE)
1371 error = vmsplice_to_pipe(f.file, iov, nr_segs, flags);
1372 else if (f.file->f_mode & FMODE_READ)
1373 error = vmsplice_to_user(f.file, iov, nr_segs, flags);
1374
1375 fdput(f);
912d35f8
JA		 1376 }
1377
1378 return error;
1379}
1380
76b021d0
AV		 1381#ifdef CONFIG_COMPAT
1382COMPAT_SYSCALL_DEFINE4(vmsplice, int, fd, const struct compat_iovec __user *, iov32,
1383 unsigned int, nr_segs, unsigned int, flags)
1384{
1385 unsigned i;
1386 struct iovec __user *iov;
1387 if (nr_segs > UIO_MAXIOV)
1388 return -EINVAL;
1389 iov = compat_alloc_user_space(nr_segs * sizeof(struct iovec));
1390 for (i = 0; i < nr_segs; i++) {
1391 struct compat_iovec v;
1392 if (get_user(v.iov_base, &iov32[i].iov_base) ||
1393 get_user(v.iov_len, &iov32[i].iov_len) ||
1394 put_user(compat_ptr(v.iov_base), &iov[i].iov_base) ||
1395 put_user(v.iov_len, &iov[i].iov_len))
1396 return -EFAULT;
1397 }
1398 return sys_vmsplice(fd, iov, nr_segs, flags);
1399}
1400#endif
1401
836f92ad
HC		 1402SYSCALL_DEFINE6(splice, int, fd_in, loff_t __user *, off_in,
1403 int, fd_out, loff_t __user *, off_out,
1404 size_t, len, unsigned int, flags)
5274f052 1405{
2903ff01 1406 struct fd in, out;
5274f052 1407 long error;
5274f052
JA		 1408
1409 if (unlikely(!len))
1410 return 0;
1411
1412 error = -EBADF;
2903ff01
AV		 1413 in = fdget(fd_in);
1414 if (in.file) {
1415 if (in.file->f_mode & FMODE_READ) {
1416 out = fdget(fd_out);
1417 if (out.file) {
1418 if (out.file->f_mode & FMODE_WRITE)
1419 error = do_splice(in.file, off_in,
1420 out.file, off_out,
529565dc 1421 len, flags);
2903ff01 1422 fdput(out);
5274f052
JA		 1423 }
1424 }
2903ff01 1425 fdput(in);
5274f052 1426 }
5274f052
JA		 1427 return error;
1428}
70524490 1429
aadd06e5
JA		 1430/*
1431 * Make sure there's data to read. Wait for input if we can, otherwise
1432 * return an appropriate error.
1433 */
7c77f0b3 1434static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
aadd06e5
JA		 1435{
1436 int ret;
1437
1438 /*
1439 * Check ->nrbufs without the inode lock first. This function
1440 * is speculative anyways, so missing one is ok.
1441 */
1442 if (pipe->nrbufs)
1443 return 0;
1444
1445 ret = 0;
61e0d47c 1446 pipe_lock(pipe);
aadd06e5
JA		 1447
1448 while (!pipe->nrbufs) {
1449 if (signal_pending(current)) {
1450 ret = -ERESTARTSYS;
1451 break;
1452 }
1453 if (!pipe->writers)
1454 break;
1455 if (!pipe->waiting_writers) {
1456 if (flags & SPLICE_F_NONBLOCK) {
1457 ret = -EAGAIN;
1458 break;
1459 }
1460 }
1461 pipe_wait(pipe);
1462 }
1463
61e0d47c 1464 pipe_unlock(pipe);
aadd06e5
JA		 1465 return ret;
1466}
1467
1468/*
1469 * Make sure there's writeable room. Wait for room if we can, otherwise
1470 * return an appropriate error.
1471 */
7c77f0b3 1472static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
aadd06e5
JA		 1473{
1474 int ret;
1475
1476 /*
1477 * Check ->nrbufs without the inode lock first. This function
1478 * is speculative anyways, so missing one is ok.
1479 */
35f3d14d 1480 if (pipe->nrbufs < pipe->buffers)
aadd06e5
JA		 1481 return 0;
1482
1483 ret = 0;
61e0d47c 1484 pipe_lock(pipe);
aadd06e5 1485
35f3d14d 1486 while (pipe->nrbufs >= pipe->buffers) {
aadd06e5
JA		 1487 if (!pipe->readers) {
1488 send_sig(SIGPIPE, current, 0);
1489 ret = -EPIPE;
1490 break;
1491 }
1492 if (flags & SPLICE_F_NONBLOCK) {
1493 ret = -EAGAIN;
1494 break;
1495 }
1496 if (signal_pending(current)) {
1497 ret = -ERESTARTSYS;
1498 break;
1499 }
1500 pipe->waiting_writers++;
1501 pipe_wait(pipe);
1502 pipe->waiting_writers--;
1503 }
1504
61e0d47c 1505 pipe_unlock(pipe);
aadd06e5
JA		 1506 return ret;
1507}
1508
7c77f0b3
MS		 1509/*
1510 * Splice contents of ipipe to opipe.
1511 */
1512static int splice_pipe_to_pipe(struct pipe_inode_info *ipipe,
1513 struct pipe_inode_info *opipe,
1514 size_t len, unsigned int flags)
1515{
1516 struct pipe_buffer *ibuf, *obuf;
1517 int ret = 0, nbuf;
1518 bool input_wakeup = false;
1519
1520
1521retry:
1522 ret = ipipe_prep(ipipe, flags);
1523 if (ret)
1524 return ret;
1525
1526 ret = opipe_prep(opipe, flags);
1527 if (ret)
1528 return ret;
1529
1530 /*
1531 * Potential ABBA deadlock, work around it by ordering lock
1532 * grabbing by pipe info address. Otherwise two different processes
1533 * could deadlock (one doing tee from A -> B, the other from B -> A).
1534 */
1535 pipe_double_lock(ipipe, opipe);
1536
1537 do {
1538 if (!opipe->readers) {
1539 send_sig(SIGPIPE, current, 0);
1540 if (!ret)
1541 ret = -EPIPE;
1542 break;
1543 }
1544
1545 if (!ipipe->nrbufs && !ipipe->writers)
1546 break;
1547
1548 /*
1549 * Cannot make any progress, because either the input
1550 * pipe is empty or the output pipe is full.
1551 */
35f3d14d 1552 if (!ipipe->nrbufs || opipe->nrbufs >= opipe->buffers) {
7c77f0b3
MS		 1553 /* Already processed some buffers, break */
1554 if (ret)
1555 break;
1556
1557 if (flags & SPLICE_F_NONBLOCK) {
1558 ret = -EAGAIN;
1559 break;
1560 }
1561
1562 /*
1563 * We raced with another reader/writer and haven't
1564 * managed to process any buffers. A zero return
1565 * value means EOF, so retry instead.
1566 */
1567 pipe_unlock(ipipe);
1568 pipe_unlock(opipe);
1569 goto retry;
1570 }
1571
1572 ibuf = ipipe->bufs + ipipe->curbuf;
35f3d14d 1573 nbuf = (opipe->curbuf + opipe->nrbufs) & (opipe->buffers - 1);
7c77f0b3
MS		 1574 obuf = opipe->bufs + nbuf;
1575
1576 if (len >= ibuf->len) {
1577 /*
1578 * Simply move the whole buffer from ipipe to opipe
1579 */
1580 *obuf = *ibuf;
1581 ibuf->ops = NULL;
1582 opipe->nrbufs++;
35f3d14d 1583 ipipe->curbuf = (ipipe->curbuf + 1) & (ipipe->buffers - 1);
7c77f0b3
MS		 1584 ipipe->nrbufs--;
1585 input_wakeup = true;
1586 } else {
1587 /*
1588 * Get a reference to this pipe buffer,
1589 * so we can copy the contents over.
1590 */
7bf2d1df 1591 pipe_buf_get(ipipe, ibuf);
7c77f0b3
MS		 1592 *obuf = *ibuf;
1593
1594 /*
1595 * Don't inherit the gift flag, we need to
1596 * prevent multiple steals of this page.
1597 */
1598 obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
1599
1600 obuf->len = len;
1601 opipe->nrbufs++;
1602 ibuf->offset += obuf->len;
1603 ibuf->len -= obuf->len;
1604 }
1605 ret += obuf->len;
1606 len -= obuf->len;
1607 } while (len);
1608
1609 pipe_unlock(ipipe);
1610 pipe_unlock(opipe);
1611
1612 /*
1613 * If we put data in the output pipe, wakeup any potential readers.
1614 */
825cdcb1
NK		 1615 if (ret > 0)
1616 wakeup_pipe_readers(opipe);
1617
7c77f0b3
MS		 1618 if (input_wakeup)
1619 wakeup_pipe_writers(ipipe);
1620
1621 return ret;
1622}
1623
70524490
JA		 1624/*
1625 * Link contents of ipipe to opipe.
1626 */
1627static int link_pipe(struct pipe_inode_info *ipipe,
1628 struct pipe_inode_info *opipe,
1629 size_t len, unsigned int flags)
1630{
1631 struct pipe_buffer *ibuf, *obuf;
aadd06e5 1632 int ret = 0, i = 0, nbuf;
70524490
JA		 1633
1634 /*
1635 * Potential ABBA deadlock, work around it by ordering lock
61e0d47c 1636 * grabbing by pipe info address. Otherwise two different processes
70524490
JA		 1637 * could deadlock (one doing tee from A -> B, the other from B -> A).
1638 */
61e0d47c 1639 pipe_double_lock(ipipe, opipe);
70524490 1640
aadd06e5 1641 do {
70524490
JA		 1642 if (!opipe->readers) {
1643 send_sig(SIGPIPE, current, 0);
1644 if (!ret)
1645 ret = -EPIPE;
1646 break;
1647 }
70524490 1648
aadd06e5
JA		 1649 /*
1650 * If we have iterated all input buffers or ran out of
1651 * output room, break.
1652 */
35f3d14d 1653 if (i >= ipipe->nrbufs || opipe->nrbufs >= opipe->buffers)
aadd06e5 1654 break;
70524490 1655
35f3d14d
JA		 1656 ibuf = ipipe->bufs + ((ipipe->curbuf + i) & (ipipe->buffers-1));
1657 nbuf = (opipe->curbuf + opipe->nrbufs) & (opipe->buffers - 1);
70524490
JA		 1658
1659 /*
aadd06e5
JA		 1660 * Get a reference to this pipe buffer,
1661 * so we can copy the contents over.
70524490 1662 */
7bf2d1df 1663 pipe_buf_get(ipipe, ibuf);
aadd06e5
JA		 1664
1665 obuf = opipe->bufs + nbuf;
1666 *obuf = *ibuf;
1667
2a27250e 1668 /*
aadd06e5
JA		 1669 * Don't inherit the gift flag, we need to
1670 * prevent multiple steals of this page.
2a27250e 1671 */
aadd06e5 1672 obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
70524490 1673
aadd06e5
JA		 1674 if (obuf->len > len)
1675 obuf->len = len;
70524490 1676
aadd06e5
JA		 1677 opipe->nrbufs++;
1678 ret += obuf->len;
1679 len -= obuf->len;
1680 i++;
1681 } while (len);
70524490 1682
02cf01ae
JA		 1683 /*
1684 * return EAGAIN if we have the potential of some data in the
1685 * future, otherwise just return 0
1686 */
1687 if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
1688 ret = -EAGAIN;
1689
61e0d47c
MS		 1690 pipe_unlock(ipipe);
1691 pipe_unlock(opipe);
70524490 1692
aadd06e5
JA		 1693 /*
1694 * If we put data in the output pipe, wakeup any potential readers.
1695 */
825cdcb1
NK		 1696 if (ret > 0)
1697 wakeup_pipe_readers(opipe);
70524490
JA		 1698
1699 return ret;
1700}
1701
1702/*
1703 * This is a tee(1) implementation that works on pipes. It doesn't copy
1704 * any data, it simply references the 'in' pages on the 'out' pipe.
1705 * The 'flags' used are the SPLICE_F_* variants, currently the only
1706 * applicable one is SPLICE_F_NONBLOCK.
1707 */
1708static long do_tee(struct file *in, struct file *out, size_t len,
1709 unsigned int flags)
1710{
71993e62
LT		 1711 struct pipe_inode_info *ipipe = get_pipe_info(in);
1712 struct pipe_inode_info *opipe = get_pipe_info(out);
aadd06e5 1713 int ret = -EINVAL;
70524490
JA		 1714
1715 /*
aadd06e5
JA		 1716 * Duplicate the contents of ipipe to opipe without actually
1717 * copying the data.
70524490 1718 */
aadd06e5
JA		 1719 if (ipipe && opipe && ipipe != opipe) {
1720 /*
1721 * Keep going, unless we encounter an error. The ipipe/opipe
1722 * ordering doesn't really matter.
1723 */
7c77f0b3 1724 ret = ipipe_prep(ipipe, flags);
aadd06e5 1725 if (!ret) {
7c77f0b3 1726 ret = opipe_prep(opipe, flags);
02cf01ae 1727 if (!ret)
aadd06e5 1728 ret = link_pipe(ipipe, opipe, len, flags);
aadd06e5
JA		 1729 }
1730 }
70524490 1731
aadd06e5 1732 return ret;
70524490
JA		 1733}
1734
836f92ad 1735SYSCALL_DEFINE4(tee, int, fdin, int, fdout, size_t, len, unsigned int, flags)
70524490 1736{
2903ff01
AV		 1737 struct fd in;
1738 int error;
70524490
JA		 1739
1740 if (unlikely(!len))
1741 return 0;
1742
1743 error = -EBADF;
2903ff01
AV		 1744 in = fdget(fdin);
1745 if (in.file) {
1746 if (in.file->f_mode & FMODE_READ) {
1747 struct fd out = fdget(fdout);
1748 if (out.file) {
1749 if (out.file->f_mode & FMODE_WRITE)
1750 error = do_tee(in.file, out.file,
1751 len, flags);
1752 fdput(out);
70524490
JA		 1753 }
1754 }
2903ff01 1755 fdput(in);
70524490
JA		 1756 }
1757
1758 return error;
1759}
ubuntu-zesty-kernel mirror