[v3] splice: only read in as much information as there is pipe buffer space
diff mbox series

Message ID 20191014220940.GF13098@magnolia
State New
Headers show
Series
  • [v3] splice: only read in as much information as there is pipe buffer space
Related show

Commit Message

Darrick J. Wong Oct. 14, 2019, 10:09 p.m. UTC
From: Darrick J. Wong <darrick.wong@oracle.com>

Andreas Grünbacher reports that on the two filesystems that support
iomap directio, it's possible for splice() to return -EAGAIN (instead of
a short splice) if the pipe being written to has less space available in
its pipe buffers than the length supplied by the calling process.

Months ago we fixed splice_direct_to_actor to clamp the length of the
read request to the size of the splice pipe.  Do the same to do_splice.

Fixes: 17614445576b6 ("splice: don't read more than available pipe space")
Reported-by: syzbot+3c01db6025f26530cf8d@syzkaller.appspotmail.com
Reported-by: Andreas Grünbacher <andreas.gruenbacher@gmail.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
---
 fs/splice.c |   14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

Comments

Andreas Grünbacher Oct. 15, 2019, 11:31 a.m. UTC | #1
Hi Darrick,

Am Di., 15. Okt. 2019 um 07:33 Uhr schrieb Darrick J. Wong
<darrick.wong@oracle.com>:
> From: Darrick J. Wong <darrick.wong@oracle.com>
>
> Andreas Grünbacher reports that on the two filesystems that support
> iomap directio, it's possible for splice() to return -EAGAIN (instead of
> a short splice) if the pipe being written to has less space available in
> its pipe buffers than the length supplied by the calling process.
>
> Months ago we fixed splice_direct_to_actor to clamp the length of the
> read request to the size of the splice pipe.  Do the same to do_splice.
>
> Fixes: 17614445576b6 ("splice: don't read more than available pipe space")
> Reported-by: syzbot+3c01db6025f26530cf8d@syzkaller.appspotmail.com
> Reported-by: Andreas Grünbacher <andreas.gruenbacher@gmail.com>
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>

I've done some minimal testing on top of 5.4-rc3. This patch fixes the
splice issue and also passes the syzbot reproducer. I'll add it to the
set of patches I regularly run fstests on now, but we already know
fstests doesn't cover splice in the greatest depth possible, so that's
unlikely to reveal anything new.

Thanks,
Andreas

> ---
>  fs/splice.c |   14 +++++++++++---
>  1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/fs/splice.c b/fs/splice.c
> index 98412721f056..e509239d7e06 100644
> --- a/fs/splice.c
> +++ b/fs/splice.c
> @@ -945,12 +945,13 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
>         WARN_ON_ONCE(pipe->nrbufs != 0);
>
>         while (len) {
> +               unsigned int pipe_pages;
>                 size_t read_len;
>                 loff_t pos = sd->pos, prev_pos = pos;
>
>                 /* Don't try to read more the pipe has space for. */
> -               read_len = min_t(size_t, len,
> -                                (pipe->buffers - pipe->nrbufs) << PAGE_SHIFT);
> +               pipe_pages = pipe->buffers - pipe->nrbufs;
> +               read_len = min(len, (size_t)pipe_pages << PAGE_SHIFT);
>                 ret = do_splice_to(in, &pos, pipe, read_len, flags);
>                 if (unlikely(ret <= 0))
>                         goto out_release;
> @@ -1180,8 +1181,15 @@ static long do_splice(struct file *in, loff_t __user *off_in,
>
>                 pipe_lock(opipe);
>                 ret = wait_for_space(opipe, flags);
> -               if (!ret)
> +               if (!ret) {
> +                       unsigned int pipe_pages;
> +
> +                       /* Don't try to read more the pipe has space for. */
> +                       pipe_pages = opipe->buffers - opipe->nrbufs;
> +                       len = min(len, (size_t)pipe_pages << PAGE_SHIFT);
> +
>                         ret = do_splice_to(in, &offset, opipe, len, flags);
> +               }
>                 pipe_unlock(opipe);
>                 if (ret > 0)
>                         wakeup_pipe_readers(opipe);
Dave Chinner Oct. 16, 2019, 3:12 a.m. UTC | #2
On Mon, Oct 14, 2019 at 03:09:40PM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <darrick.wong@oracle.com>
> 
> Andreas Grünbacher reports that on the two filesystems that support
> iomap directio, it's possible for splice() to return -EAGAIN (instead of
> a short splice) if the pipe being written to has less space available in
> its pipe buffers than the length supplied by the calling process.
> 
> Months ago we fixed splice_direct_to_actor to clamp the length of the
> read request to the size of the splice pipe.  Do the same to do_splice.
> 
> Fixes: 17614445576b6 ("splice: don't read more than available pipe space")
> Reported-by: syzbot+3c01db6025f26530cf8d@syzkaller.appspotmail.com
> Reported-by: Andreas Grünbacher <andreas.gruenbacher@gmail.com>
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> ---
>  fs/splice.c |   14 +++++++++++---
>  1 file changed, 11 insertions(+), 3 deletions(-)
> 
> diff --git a/fs/splice.c b/fs/splice.c
> index 98412721f056..e509239d7e06 100644
> --- a/fs/splice.c
> +++ b/fs/splice.c
> @@ -945,12 +945,13 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
>  	WARN_ON_ONCE(pipe->nrbufs != 0);
>  
>  	while (len) {
> +		unsigned int pipe_pages;

define this as a size_t...

>  		size_t read_len;
>  		loff_t pos = sd->pos, prev_pos = pos;
>  
>  		/* Don't try to read more the pipe has space for. */
> -		read_len = min_t(size_t, len,
> -				 (pipe->buffers - pipe->nrbufs) << PAGE_SHIFT);
> +		pipe_pages = pipe->buffers - pipe->nrbufs;
> +		read_len = min(len, (size_t)pipe_pages << PAGE_SHIFT);

		read_len = min_t(size_t, len, pipe_pages << PAGER_SHIFT);

>  		ret = do_splice_to(in, &pos, pipe, read_len, flags);
>  		if (unlikely(ret <= 0))
>  			goto out_release;
> @@ -1180,8 +1181,15 @@ static long do_splice(struct file *in, loff_t __user *off_in,
>  
>  		pipe_lock(opipe);
>  		ret = wait_for_space(opipe, flags);
> -		if (!ret)
> +		if (!ret) {
> +			unsigned int pipe_pages;
> +
> +			/* Don't try to read more the pipe has space for. */
> +			pipe_pages = opipe->buffers - opipe->nrbufs;
> +			len = min(len, (size_t)pipe_pages << PAGE_SHIFT);

And same here...

Cheers,

Dave.
Eric Biggers Oct. 16, 2019, 6:45 p.m. UTC | #3
On Mon, Oct 14, 2019 at 03:09:40PM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <darrick.wong@oracle.com>
> 
> Andreas Grünbacher reports that on the two filesystems that support
> iomap directio, it's possible for splice() to return -EAGAIN (instead of
> a short splice) if the pipe being written to has less space available in
> its pipe buffers than the length supplied by the calling process.
> 
> Months ago we fixed splice_direct_to_actor to clamp the length of the
> read request to the size of the splice pipe.  Do the same to do_splice.
> 
> Fixes: 17614445576b6 ("splice: don't read more than available pipe space")
> Reported-by: syzbot+3c01db6025f26530cf8d@syzkaller.appspotmail.com

I already invalidated this syzbot report when the previous version of this patch
was dropped, as that was what the report appeared to be for.  So you don't need
this Reported-by line.  It's not a big deal, but including it could mislead
people into thinking that syzbot found a problem with the commit in the Fixes:
line, rather than a prior version of this patch.

- Eric
Darrick J. Wong Oct. 16, 2019, 6:52 p.m. UTC | #4
On Wed, Oct 16, 2019 at 11:45:49AM -0700, Eric Biggers wrote:
> On Mon, Oct 14, 2019 at 03:09:40PM -0700, Darrick J. Wong wrote:
> > From: Darrick J. Wong <darrick.wong@oracle.com>
> > 
> > Andreas Grünbacher reports that on the two filesystems that support
> > iomap directio, it's possible for splice() to return -EAGAIN (instead of
> > a short splice) if the pipe being written to has less space available in
> > its pipe buffers than the length supplied by the calling process.
> > 
> > Months ago we fixed splice_direct_to_actor to clamp the length of the
> > read request to the size of the splice pipe.  Do the same to do_splice.
> > 
> > Fixes: 17614445576b6 ("splice: don't read more than available pipe space")
> > Reported-by: syzbot+3c01db6025f26530cf8d@syzkaller.appspotmail.com
> 
> I already invalidated this syzbot report when the previous version of this patch
> was dropped, as that was what the report appeared to be for.  So you don't need
> this Reported-by line.  It's not a big deal, but including it could mislead
> people into thinking that syzbot found a problem with the commit in the Fixes:
> line, rather than a prior version of this patch.

Ok, will drop for v4.  Thanks for taking care of the report.

--D

> - Eric
Darrick J. Wong Oct. 16, 2019, 6:54 p.m. UTC | #5
On Wed, Oct 16, 2019 at 02:12:59PM +1100, Dave Chinner wrote:
> On Mon, Oct 14, 2019 at 03:09:40PM -0700, Darrick J. Wong wrote:
> > From: Darrick J. Wong <darrick.wong@oracle.com>
> > 
> > Andreas Grünbacher reports that on the two filesystems that support
> > iomap directio, it's possible for splice() to return -EAGAIN (instead of
> > a short splice) if the pipe being written to has less space available in
> > its pipe buffers than the length supplied by the calling process.
> > 
> > Months ago we fixed splice_direct_to_actor to clamp the length of the
> > read request to the size of the splice pipe.  Do the same to do_splice.
> > 
> > Fixes: 17614445576b6 ("splice: don't read more than available pipe space")
> > Reported-by: syzbot+3c01db6025f26530cf8d@syzkaller.appspotmail.com
> > Reported-by: Andreas Grünbacher <andreas.gruenbacher@gmail.com>
> > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> > ---
> >  fs/splice.c |   14 +++++++++++---
> >  1 file changed, 11 insertions(+), 3 deletions(-)
> > 
> > diff --git a/fs/splice.c b/fs/splice.c
> > index 98412721f056..e509239d7e06 100644
> > --- a/fs/splice.c
> > +++ b/fs/splice.c
> > @@ -945,12 +945,13 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
> >  	WARN_ON_ONCE(pipe->nrbufs != 0);
> >  
> >  	while (len) {
> > +		unsigned int pipe_pages;
> 
> define this as a size_t...
> 
> >  		size_t read_len;
> >  		loff_t pos = sd->pos, prev_pos = pos;
> >  
> >  		/* Don't try to read more the pipe has space for. */
> > -		read_len = min_t(size_t, len,
> > -				 (pipe->buffers - pipe->nrbufs) << PAGE_SHIFT);
> > +		pipe_pages = pipe->buffers - pipe->nrbufs;
> > +		read_len = min(len, (size_t)pipe_pages << PAGE_SHIFT);
> 
> 		read_len = min_t(size_t, len, pipe_pages << PAGER_SHIFT);

If we make pipe_pages have type size_t then we don't need min_t here,
right?  Since len and read_len are already size_t.

--D

> >  		ret = do_splice_to(in, &pos, pipe, read_len, flags);
> >  		if (unlikely(ret <= 0))
> >  			goto out_release;
> > @@ -1180,8 +1181,15 @@ static long do_splice(struct file *in, loff_t __user *off_in,
> >  
> >  		pipe_lock(opipe);
> >  		ret = wait_for_space(opipe, flags);
> > -		if (!ret)
> > +		if (!ret) {
> > +			unsigned int pipe_pages;
> > +
> > +			/* Don't try to read more the pipe has space for. */
> > +			pipe_pages = opipe->buffers - opipe->nrbufs;
> > +			len = min(len, (size_t)pipe_pages << PAGE_SHIFT);
> 
> And same here...
> 
> Cheers,
> 
> Dave.
> 
> -- 
> Dave Chinner
> david@fromorbit.com

Patch
diff mbox series

diff --git a/fs/splice.c b/fs/splice.c
index 98412721f056..e509239d7e06 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -945,12 +945,13 @@  ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
 	WARN_ON_ONCE(pipe->nrbufs != 0);
 
 	while (len) {
+		unsigned int pipe_pages;
 		size_t read_len;
 		loff_t pos = sd->pos, prev_pos = pos;
 
 		/* Don't try to read more the pipe has space for. */
-		read_len = min_t(size_t, len,
-				 (pipe->buffers - pipe->nrbufs) << PAGE_SHIFT);
+		pipe_pages = pipe->buffers - pipe->nrbufs;
+		read_len = min(len, (size_t)pipe_pages << PAGE_SHIFT);
 		ret = do_splice_to(in, &pos, pipe, read_len, flags);
 		if (unlikely(ret <= 0))
 			goto out_release;
@@ -1180,8 +1181,15 @@  static long do_splice(struct file *in, loff_t __user *off_in,
 
 		pipe_lock(opipe);
 		ret = wait_for_space(opipe, flags);
-		if (!ret)
+		if (!ret) {
+			unsigned int pipe_pages;
+
+			/* Don't try to read more the pipe has space for. */
+			pipe_pages = opipe->buffers - opipe->nrbufs;
+			len = min(len, (size_t)pipe_pages << PAGE_SHIFT);
+
 			ret = do_splice_to(in, &offset, opipe, len, flags);
+		}
 		pipe_unlock(opipe);
 		if (ret > 0)
 			wakeup_pipe_readers(opipe);