[RFC,1/4] io_uring/splice: support do_splice_direct

Commit Message

Ming Lei Nov. 3, 2022, 8:50 a.m. UTC

do_splice_direct() has at least two advantages:

1) the extra pipe isn't required from user viewpoint, so userspace
code can be simplified, meantime easy to relax current pipe
limit since curret->splice_pipe is used for direct splice

2) in some situation, it isn't good to expose file data via
->splice_read() to userspace, such as the coming ublk driver's
zero copy support, request pages will be spliced to pipe for
supporting zero copy, and if it is READ, userspace may read
data of kernel pages, and direct splice can avoid this kind
of info leaks

Signed-off-by: Ming Lei <ming.lei@redhat.com>
---
 fs/read_write.c        |  5 +++--
 include/linux/splice.h |  3 +++
 io_uring/splice.c      | 13 ++++++++++---
 3 files changed, 16 insertions(+), 5 deletions(-)

Comments

Christoph Hellwig Nov. 8, 2022, 7:42 a.m. UTC | #1

On Thu, Nov 03, 2022 at 04:50:01PM +0800, Ming Lei wrote:
> do_splice_direct() has at least two advantages:
> 
> 1) the extra pipe isn't required from user viewpoint, so userspace
> code can be simplified, meantime easy to relax current pipe
> limit since curret->splice_pipe is used for direct splice
> 
> 2) in some situation, it isn't good to expose file data via
> ->splice_read() to userspace, such as the coming ublk driver's
> zero copy support, request pages will be spliced to pipe for
> supporting zero copy, and if it is READ, userspace may read
> data of kernel pages, and direct splice can avoid this kind
> of info leaks

Please make this a separate opcode instead of overloading the splice
op with a flag that causes very different behavior and isn't supported
for the regular splice syscall.

Patch

diff --git a/fs/read_write.c b/fs/read_write.c
index 328ce8cf9a85..98869d15e884 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -1253,7 +1253,7 @@  static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
 			goto fput_out;
 		file_start_write(out.file);
 		retval = do_splice_direct(in.file, &pos, out.file, &out_pos,
-					  count, fl);
+					  count, fl | SPLICE_F_DIRECT);
 		file_end_write(out.file);
 	} else {
 		if (out.file->f_flags & O_NONBLOCK)
@@ -1389,7 +1389,8 @@  ssize_t generic_copy_file_range(struct file *file_in, loff_t pos_in,
 				size_t len, unsigned int flags)
 {
 	return do_splice_direct(file_in, &pos_in, file_out, &pos_out,
-				len > MAX_RW_COUNT ? MAX_RW_COUNT : len, 0);
+				len > MAX_RW_COUNT ? MAX_RW_COUNT : len,
+				SPLICE_F_DIRECT);
 }
 EXPORT_SYMBOL(generic_copy_file_range);
 
diff --git a/include/linux/splice.h b/include/linux/splice.h
index a55179fd60fc..9121624ad198 100644
--- a/include/linux/splice.h
+++ b/include/linux/splice.h
@@ -23,6 +23,9 @@ 
 
 #define SPLICE_F_ALL (SPLICE_F_MOVE|SPLICE_F_NONBLOCK|SPLICE_F_MORE|SPLICE_F_GIFT)
 
+/* used for io_uring interface only */
+#define SPLICE_F_DIRECT	(0x10)	/* direct splice and user needn't provide pipe */
+
 /*
  * Passed to the actors
  */
diff --git a/io_uring/splice.c b/io_uring/splice.c
index 53e4232d0866..c11ea4cd1c7e 100644
--- a/io_uring/splice.c
+++ b/io_uring/splice.c
@@ -27,7 +27,8 @@  static int __io_splice_prep(struct io_kiocb *req,
 			    const struct io_uring_sqe *sqe)
 {
 	struct io_splice *sp = io_kiocb_to_cmd(req, struct io_splice);
-	unsigned int valid_flags = SPLICE_F_FD_IN_FIXED | SPLICE_F_ALL;
+	unsigned int valid_flags = SPLICE_F_FD_IN_FIXED | SPLICE_F_ALL |
+		SPLICE_F_DIRECT;
 
 	sp->len = READ_ONCE(sqe->len);
 	sp->flags = READ_ONCE(sqe->splice_flags);
@@ -109,8 +110,14 @@  int io_splice(struct io_kiocb *req, unsigned int issue_flags)
 	poff_in = (sp->off_in == -1) ? NULL : &sp->off_in;
 	poff_out = (sp->off_out == -1) ? NULL : &sp->off_out;
 
-	if (sp->len)
-		ret = do_splice(in, poff_in, out, poff_out, sp->len, flags);
+	if (sp->len) {
+		if (flags & SPLICE_F_DIRECT)
+			ret = do_splice_direct(in, poff_in, out, poff_out,
+					sp->len, flags);
+		else
+			ret = do_splice(in, poff_in, out, poff_out, sp->len,
+					flags);
+	}
 
 	if (!(sp->flags & SPLICE_F_FD_IN_FIXED))
 		io_put_file(in);