1 /* 2 * "splice": joining two ropes together by interweaving their strands. 3 * 4 * This is the "extended pipe" functionality, where a pipe is used as 5 * an arbitrary in-memory buffer. Think of a pipe as a small kernel 6 * buffer that you can use to transfer data from one end to the other. 7 * 8 * The traditional unix read/write is extended with a "splice()" operation 9 * that transfers data buffers to or from a pipe buffer. 10 * 11 * Named by Larry McVoy, original implementation from Linus, extended by 12 * Jens to support splicing to files, network, direct splicing, etc and 13 * fixing lots of bugs. 14 * 15 * Copyright (C) 2005-2006 Jens Axboe <axboe@kernel.dk> 16 * Copyright (C) 2005-2006 Linus Torvalds <torvalds@osdl.org> 17 * Copyright (C) 2006 Ingo Molnar <mingo@elte.hu> 18 * 19 */ 20 #include <linux/fs.h> 21 #include <linux/file.h> 22 #include <linux/pagemap.h> 23 #include <linux/splice.h> 24 #include <linux/mm_inline.h> 25 #include <linux/swap.h> 26 #include <linux/writeback.h> 27 #include <linux/buffer_head.h> 28 #include <linux/module.h> 29 #include <linux/syscalls.h> 30 #include <linux/uio.h> 31 #include <linux/security.h> 32 33 /* 34 * Attempt to steal a page from a pipe buffer. This should perhaps go into 35 * a vm helper function, it's already simplified quite a bit by the 36 * addition of remove_mapping(). If success is returned, the caller may 37 * attempt to reuse this page for another destination. 38 */ 39 static int page_cache_pipe_buf_steal(struct pipe_inode_info *pipe, 40 struct pipe_buffer *buf) 41 { 42 struct page *page = buf->page; 43 struct address_space *mapping; 44 45 lock_page(page); 46 47 mapping = page_mapping(page); 48 if (mapping) { 49 WARN_ON(!PageUptodate(page)); 50 51 /* 52 * At least for ext2 with nobh option, we need to wait on 53 * writeback completing on this page, since we'll remove it 54 * from the pagecache. Otherwise truncate wont wait on the 55 * page, allowing the disk blocks to be reused by someone else 56 * before we actually wrote our data to them. fs corruption 57 * ensues. 58 */ 59 wait_on_page_writeback(page); 60 61 if (PagePrivate(page) && !try_to_release_page(page, GFP_KERNEL)) 62 goto out_unlock; 63 64 /* 65 * If we succeeded in removing the mapping, set LRU flag 66 * and return good. 67 */ 68 if (remove_mapping(mapping, page)) { 69 buf->flags |= PIPE_BUF_FLAG_LRU; 70 return 0; 71 } 72 } 73 74 /* 75 * Raced with truncate or failed to remove page from current 76 * address space, unlock and return failure. 77 */ 78 out_unlock: 79 unlock_page(page); 80 return 1; 81 } 82 83 static void page_cache_pipe_buf_release(struct pipe_inode_info *pipe, 84 struct pipe_buffer *buf) 85 { 86 page_cache_release(buf->page); 87 buf->flags &= ~PIPE_BUF_FLAG_LRU; 88 } 89 90 /* 91 * Check whether the contents of buf is OK to access. Since the content 92 * is a page cache page, IO may be in flight. 93 */ 94 static int page_cache_pipe_buf_confirm(struct pipe_inode_info *pipe, 95 struct pipe_buffer *buf) 96 { 97 struct page *page = buf->page; 98 int err; 99 100 if (!PageUptodate(page)) { 101 lock_page(page); 102 103 /* 104 * Page got truncated/unhashed. This will cause a 0-byte 105 * splice, if this is the first page. 106 */ 107 if (!page->mapping) { 108 err = -ENODATA; 109 goto error; 110 } 111 112 /* 113 * Uh oh, read-error from disk. 114 */ 115 if (!PageUptodate(page)) { 116 err = -EIO; 117 goto error; 118 } 119 120 /* 121 * Page is ok afterall, we are done. 122 */ 123 unlock_page(page); 124 } 125 126 return 0; 127 error: 128 unlock_page(page); 129 return err; 130 } 131 132 static const struct pipe_buf_operations page_cache_pipe_buf_ops = { 133 .can_merge = 0, 134 .map = generic_pipe_buf_map, 135 .unmap = generic_pipe_buf_unmap, 136 .confirm = page_cache_pipe_buf_confirm, 137 .release = page_cache_pipe_buf_release, 138 .steal = page_cache_pipe_buf_steal, 139 .get = generic_pipe_buf_get, 140 }; 141 142 static int user_page_pipe_buf_steal(struct pipe_inode_info *pipe, 143 struct pipe_buffer *buf) 144 { 145 if (!(buf->flags & PIPE_BUF_FLAG_GIFT)) 146 return 1; 147 148 buf->flags |= PIPE_BUF_FLAG_LRU; 149 return generic_pipe_buf_steal(pipe, buf); 150 } 151 152 static const struct pipe_buf_operations user_page_pipe_buf_ops = { 153 .can_merge = 0, 154 .map = generic_pipe_buf_map, 155 .unmap = generic_pipe_buf_unmap, 156 .confirm = generic_pipe_buf_confirm, 157 .release = page_cache_pipe_buf_release, 158 .steal = user_page_pipe_buf_steal, 159 .get = generic_pipe_buf_get, 160 }; 161 162 /** 163 * splice_to_pipe - fill passed data into a pipe 164 * @pipe: pipe to fill 165 * @spd: data to fill 166 * 167 * Description: 168 * @spd contains a map of pages and len/offset tuples, along with 169 * the struct pipe_buf_operations associated with these pages. This 170 * function will link that data to the pipe. 171 * 172 */ 173 ssize_t splice_to_pipe(struct pipe_inode_info *pipe, 174 struct splice_pipe_desc *spd) 175 { 176 unsigned int spd_pages = spd->nr_pages; 177 int ret, do_wakeup, page_nr; 178 179 ret = 0; 180 do_wakeup = 0; 181 page_nr = 0; 182 183 if (pipe->inode) 184 mutex_lock(&pipe->inode->i_mutex); 185 186 for (;;) { 187 if (!pipe->readers) { 188 send_sig(SIGPIPE, current, 0); 189 if (!ret) 190 ret = -EPIPE; 191 break; 192 } 193 194 if (pipe->nrbufs < PIPE_BUFFERS) { 195 int newbuf = (pipe->curbuf + pipe->nrbufs) & (PIPE_BUFFERS - 1); 196 struct pipe_buffer *buf = pipe->bufs + newbuf; 197 198 buf->page = spd->pages[page_nr]; 199 buf->offset = spd->partial[page_nr].offset; 200 buf->len = spd->partial[page_nr].len; 201 buf->private = spd->partial[page_nr].private; 202 buf->ops = spd->ops; 203 if (spd->flags & SPLICE_F_GIFT) 204 buf->flags |= PIPE_BUF_FLAG_GIFT; 205 206 pipe->nrbufs++; 207 page_nr++; 208 ret += buf->len; 209 210 if (pipe->inode) 211 do_wakeup = 1; 212 213 if (!--spd->nr_pages) 214 break; 215 if (pipe->nrbufs < PIPE_BUFFERS) 216 continue; 217 218 break; 219 } 220 221 if (spd->flags & SPLICE_F_NONBLOCK) { 222 if (!ret) 223 ret = -EAGAIN; 224 break; 225 } 226 227 if (signal_pending(current)) { 228 if (!ret) 229 ret = -ERESTARTSYS; 230 break; 231 } 232 233 if (do_wakeup) { 234 smp_mb(); 235 if (waitqueue_active(&pipe->wait)) 236 wake_up_interruptible_sync(&pipe->wait); 237 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN); 238 do_wakeup = 0; 239 } 240 241 pipe->waiting_writers++; 242 pipe_wait(pipe); 243 pipe->waiting_writers--; 244 } 245 246 if (pipe->inode) { 247 mutex_unlock(&pipe->inode->i_mutex); 248 249 if (do_wakeup) { 250 smp_mb(); 251 if (waitqueue_active(&pipe->wait)) 252 wake_up_interruptible(&pipe->wait); 253 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN); 254 } 255 } 256 257 while (page_nr < spd_pages) 258 spd->spd_release(spd, page_nr++); 259 260 return ret; 261 } 262 263 static void spd_release_page(struct splice_pipe_desc *spd, unsigned int i) 264 { 265 page_cache_release(spd->pages[i]); 266 } 267 268 static int 269 __generic_file_splice_read(struct file *in, loff_t *ppos, 270 struct pipe_inode_info *pipe, size_t len, 271 unsigned int flags) 272 { 273 struct address_space *mapping = in->f_mapping; 274 unsigned int loff, nr_pages, req_pages; 275 struct page *pages[PIPE_BUFFERS]; 276 struct partial_page partial[PIPE_BUFFERS]; 277 struct page *page; 278 pgoff_t index, end_index; 279 loff_t isize; 280 int error, page_nr; 281 struct splice_pipe_desc spd = { 282 .pages = pages, 283 .partial = partial, 284 .flags = flags, 285 .ops = &page_cache_pipe_buf_ops, 286 .spd_release = spd_release_page, 287 }; 288 289 index = *ppos >> PAGE_CACHE_SHIFT; 290 loff = *ppos & ~PAGE_CACHE_MASK; 291 req_pages = (len + loff + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; 292 nr_pages = min(req_pages, (unsigned)PIPE_BUFFERS); 293 294 /* 295 * Lookup the (hopefully) full range of pages we need. 296 */ 297 spd.nr_pages = find_get_pages_contig(mapping, index, nr_pages, pages); 298 index += spd.nr_pages; 299 300 /* 301 * If find_get_pages_contig() returned fewer pages than we needed, 302 * readahead/allocate the rest and fill in the holes. 303 */ 304 if (spd.nr_pages < nr_pages) 305 page_cache_sync_readahead(mapping, &in->f_ra, in, 306 index, req_pages - spd.nr_pages); 307 308 error = 0; 309 while (spd.nr_pages < nr_pages) { 310 /* 311 * Page could be there, find_get_pages_contig() breaks on 312 * the first hole. 313 */ 314 page = find_get_page(mapping, index); 315 if (!page) { 316 /* 317 * page didn't exist, allocate one. 318 */ 319 page = page_cache_alloc_cold(mapping); 320 if (!page) 321 break; 322 323 error = add_to_page_cache_lru(page, mapping, index, 324 mapping_gfp_mask(mapping)); 325 if (unlikely(error)) { 326 page_cache_release(page); 327 if (error == -EEXIST) 328 continue; 329 break; 330 } 331 /* 332 * add_to_page_cache() locks the page, unlock it 333 * to avoid convoluting the logic below even more. 334 */ 335 unlock_page(page); 336 } 337 338 pages[spd.nr_pages++] = page; 339 index++; 340 } 341 342 /* 343 * Now loop over the map and see if we need to start IO on any 344 * pages, fill in the partial map, etc. 345 */ 346 index = *ppos >> PAGE_CACHE_SHIFT; 347 nr_pages = spd.nr_pages; 348 spd.nr_pages = 0; 349 for (page_nr = 0; page_nr < nr_pages; page_nr++) { 350 unsigned int this_len; 351 352 if (!len) 353 break; 354 355 /* 356 * this_len is the max we'll use from this page 357 */ 358 this_len = min_t(unsigned long, len, PAGE_CACHE_SIZE - loff); 359 page = pages[page_nr]; 360 361 if (PageReadahead(page)) 362 page_cache_async_readahead(mapping, &in->f_ra, in, 363 page, index, req_pages - page_nr); 364 365 /* 366 * If the page isn't uptodate, we may need to start io on it 367 */ 368 if (!PageUptodate(page)) { 369 /* 370 * If in nonblock mode then dont block on waiting 371 * for an in-flight io page 372 */ 373 if (flags & SPLICE_F_NONBLOCK) { 374 if (TestSetPageLocked(page)) { 375 error = -EAGAIN; 376 break; 377 } 378 } else 379 lock_page(page); 380 381 /* 382 * page was truncated, stop here. if this isn't the 383 * first page, we'll just complete what we already 384 * added 385 */ 386 if (!page->mapping) { 387 unlock_page(page); 388 break; 389 } 390 /* 391 * page was already under io and is now done, great 392 */ 393 if (PageUptodate(page)) { 394 unlock_page(page); 395 goto fill_it; 396 } 397 398 /* 399 * need to read in the page 400 */ 401 error = mapping->a_ops->readpage(in, page); 402 if (unlikely(error)) { 403 /* 404 * We really should re-lookup the page here, 405 * but it complicates things a lot. Instead 406 * lets just do what we already stored, and 407 * we'll get it the next time we are called. 408 */ 409 if (error == AOP_TRUNCATED_PAGE) 410 error = 0; 411 412 break; 413 } 414 } 415 fill_it: 416 /* 417 * i_size must be checked after PageUptodate. 418 */ 419 isize = i_size_read(mapping->host); 420 end_index = (isize - 1) >> PAGE_CACHE_SHIFT; 421 if (unlikely(!isize || index > end_index)) 422 break; 423 424 /* 425 * if this is the last page, see if we need to shrink 426 * the length and stop 427 */ 428 if (end_index == index) { 429 unsigned int plen; 430 431 /* 432 * max good bytes in this page 433 */ 434 plen = ((isize - 1) & ~PAGE_CACHE_MASK) + 1; 435 if (plen <= loff) 436 break; 437 438 /* 439 * force quit after adding this page 440 */ 441 this_len = min(this_len, plen - loff); 442 len = this_len; 443 } 444 445 partial[page_nr].offset = loff; 446 partial[page_nr].len = this_len; 447 len -= this_len; 448 loff = 0; 449 spd.nr_pages++; 450 index++; 451 } 452 453 /* 454 * Release any pages at the end, if we quit early. 'page_nr' is how far 455 * we got, 'nr_pages' is how many pages are in the map. 456 */ 457 while (page_nr < nr_pages) 458 page_cache_release(pages[page_nr++]); 459 in->f_ra.prev_pos = (loff_t)index << PAGE_CACHE_SHIFT; 460 461 if (spd.nr_pages) 462 return splice_to_pipe(pipe, &spd); 463 464 return error; 465 } 466 467 /** 468 * generic_file_splice_read - splice data from file to a pipe 469 * @in: file to splice from 470 * @ppos: position in @in 471 * @pipe: pipe to splice to 472 * @len: number of bytes to splice 473 * @flags: splice modifier flags 474 * 475 * Description: 476 * Will read pages from given file and fill them into a pipe. Can be 477 * used as long as the address_space operations for the source implements 478 * a readpage() hook. 479 * 480 */ 481 ssize_t generic_file_splice_read(struct file *in, loff_t *ppos, 482 struct pipe_inode_info *pipe, size_t len, 483 unsigned int flags) 484 { 485 loff_t isize, left; 486 int ret; 487 488 isize = i_size_read(in->f_mapping->host); 489 if (unlikely(*ppos >= isize)) 490 return 0; 491 492 left = isize - *ppos; 493 if (unlikely(left < len)) 494 len = left; 495 496 ret = __generic_file_splice_read(in, ppos, pipe, len, flags); 497 if (ret > 0) 498 *ppos += ret; 499 500 return ret; 501 } 502 503 EXPORT_SYMBOL(generic_file_splice_read); 504 505 /* 506 * Send 'sd->len' bytes to socket from 'sd->file' at position 'sd->pos' 507 * using sendpage(). Return the number of bytes sent. 508 */ 509 static int pipe_to_sendpage(struct pipe_inode_info *pipe, 510 struct pipe_buffer *buf, struct splice_desc *sd) 511 { 512 struct file *file = sd->u.file; 513 loff_t pos = sd->pos; 514 int ret, more; 515 516 ret = buf->ops->confirm(pipe, buf); 517 if (!ret) { 518 more = (sd->flags & SPLICE_F_MORE) || sd->len < sd->total_len; 519 520 ret = file->f_op->sendpage(file, buf->page, buf->offset, 521 sd->len, &pos, more); 522 } 523 524 return ret; 525 } 526 527 /* 528 * This is a little more tricky than the file -> pipe splicing. There are 529 * basically three cases: 530 * 531 * - Destination page already exists in the address space and there 532 * are users of it. For that case we have no other option that 533 * copying the data. Tough luck. 534 * - Destination page already exists in the address space, but there 535 * are no users of it. Make sure it's uptodate, then drop it. Fall 536 * through to last case. 537 * - Destination page does not exist, we can add the pipe page to 538 * the page cache and avoid the copy. 539 * 540 * If asked to move pages to the output file (SPLICE_F_MOVE is set in 541 * sd->flags), we attempt to migrate pages from the pipe to the output 542 * file address space page cache. This is possible if no one else has 543 * the pipe page referenced outside of the pipe and page cache. If 544 * SPLICE_F_MOVE isn't set, or we cannot move the page, we simply create 545 * a new page in the output file page cache and fill/dirty that. 546 */ 547 static int pipe_to_file(struct pipe_inode_info *pipe, struct pipe_buffer *buf, 548 struct splice_desc *sd) 549 { 550 struct file *file = sd->u.file; 551 struct address_space *mapping = file->f_mapping; 552 unsigned int offset, this_len; 553 struct page *page; 554 void *fsdata; 555 int ret; 556 557 /* 558 * make sure the data in this buffer is uptodate 559 */ 560 ret = buf->ops->confirm(pipe, buf); 561 if (unlikely(ret)) 562 return ret; 563 564 offset = sd->pos & ~PAGE_CACHE_MASK; 565 566 this_len = sd->len; 567 if (this_len + offset > PAGE_CACHE_SIZE) 568 this_len = PAGE_CACHE_SIZE - offset; 569 570 ret = pagecache_write_begin(file, mapping, sd->pos, this_len, 571 AOP_FLAG_UNINTERRUPTIBLE, &page, &fsdata); 572 if (unlikely(ret)) 573 goto out; 574 575 if (buf->page != page) { 576 /* 577 * Careful, ->map() uses KM_USER0! 578 */ 579 char *src = buf->ops->map(pipe, buf, 1); 580 char *dst = kmap_atomic(page, KM_USER1); 581 582 memcpy(dst + offset, src + buf->offset, this_len); 583 flush_dcache_page(page); 584 kunmap_atomic(dst, KM_USER1); 585 buf->ops->unmap(pipe, buf, src); 586 } 587 ret = pagecache_write_end(file, mapping, sd->pos, this_len, this_len, 588 page, fsdata); 589 out: 590 return ret; 591 } 592 593 /** 594 * __splice_from_pipe - splice data from a pipe to given actor 595 * @pipe: pipe to splice from 596 * @sd: information to @actor 597 * @actor: handler that splices the data 598 * 599 * Description: 600 * This function does little more than loop over the pipe and call 601 * @actor to do the actual moving of a single struct pipe_buffer to 602 * the desired destination. See pipe_to_file, pipe_to_sendpage, or 603 * pipe_to_user. 604 * 605 */ 606 ssize_t __splice_from_pipe(struct pipe_inode_info *pipe, struct splice_desc *sd, 607 splice_actor *actor) 608 { 609 int ret, do_wakeup, err; 610 611 ret = 0; 612 do_wakeup = 0; 613 614 for (;;) { 615 if (pipe->nrbufs) { 616 struct pipe_buffer *buf = pipe->bufs + pipe->curbuf; 617 const struct pipe_buf_operations *ops = buf->ops; 618 619 sd->len = buf->len; 620 if (sd->len > sd->total_len) 621 sd->len = sd->total_len; 622 623 err = actor(pipe, buf, sd); 624 if (err <= 0) { 625 if (!ret && err != -ENODATA) 626 ret = err; 627 628 break; 629 } 630 631 ret += err; 632 buf->offset += err; 633 buf->len -= err; 634 635 sd->len -= err; 636 sd->pos += err; 637 sd->total_len -= err; 638 if (sd->len) 639 continue; 640 641 if (!buf->len) { 642 buf->ops = NULL; 643 ops->release(pipe, buf); 644 pipe->curbuf = (pipe->curbuf + 1) & (PIPE_BUFFERS - 1); 645 pipe->nrbufs--; 646 if (pipe->inode) 647 do_wakeup = 1; 648 } 649 650 if (!sd->total_len) 651 break; 652 } 653 654 if (pipe->nrbufs) 655 continue; 656 if (!pipe->writers) 657 break; 658 if (!pipe->waiting_writers) { 659 if (ret) 660 break; 661 } 662 663 if (sd->flags & SPLICE_F_NONBLOCK) { 664 if (!ret) 665 ret = -EAGAIN; 666 break; 667 } 668 669 if (signal_pending(current)) { 670 if (!ret) 671 ret = -ERESTARTSYS; 672 break; 673 } 674 675 if (do_wakeup) { 676 smp_mb(); 677 if (waitqueue_active(&pipe->wait)) 678 wake_up_interruptible_sync(&pipe->wait); 679 kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT); 680 do_wakeup = 0; 681 } 682 683 pipe_wait(pipe); 684 } 685 686 if (do_wakeup) { 687 smp_mb(); 688 if (waitqueue_active(&pipe->wait)) 689 wake_up_interruptible(&pipe->wait); 690 kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT); 691 } 692 693 return ret; 694 } 695 EXPORT_SYMBOL(__splice_from_pipe); 696 697 /** 698 * splice_from_pipe - splice data from a pipe to a file 699 * @pipe: pipe to splice from 700 * @out: file to splice to 701 * @ppos: position in @out 702 * @len: how many bytes to splice 703 * @flags: splice modifier flags 704 * @actor: handler that splices the data 705 * 706 * Description: 707 * See __splice_from_pipe. This function locks the input and output inodes, 708 * otherwise it's identical to __splice_from_pipe(). 709 * 710 */ 711 ssize_t splice_from_pipe(struct pipe_inode_info *pipe, struct file *out, 712 loff_t *ppos, size_t len, unsigned int flags, 713 splice_actor *actor) 714 { 715 ssize_t ret; 716 struct inode *inode = out->f_mapping->host; 717 struct splice_desc sd = { 718 .total_len = len, 719 .flags = flags, 720 .pos = *ppos, 721 .u.file = out, 722 }; 723 724 /* 725 * The actor worker might be calling ->prepare_write and 726 * ->commit_write. Most of the time, these expect i_mutex to 727 * be held. Since this may result in an ABBA deadlock with 728 * pipe->inode, we have to order lock acquiry here. 729 */ 730 inode_double_lock(inode, pipe->inode); 731 ret = __splice_from_pipe(pipe, &sd, actor); 732 inode_double_unlock(inode, pipe->inode); 733 734 return ret; 735 } 736 737 /** 738 * generic_file_splice_write_nolock - generic_file_splice_write without mutexes 739 * @pipe: pipe info 740 * @out: file to write to 741 * @ppos: position in @out 742 * @len: number of bytes to splice 743 * @flags: splice modifier flags 744 * 745 * Description: 746 * Will either move or copy pages (determined by @flags options) from 747 * the given pipe inode to the given file. The caller is responsible 748 * for acquiring i_mutex on both inodes. 749 * 750 */ 751 ssize_t 752 generic_file_splice_write_nolock(struct pipe_inode_info *pipe, struct file *out, 753 loff_t *ppos, size_t len, unsigned int flags) 754 { 755 struct address_space *mapping = out->f_mapping; 756 struct inode *inode = mapping->host; 757 struct splice_desc sd = { 758 .total_len = len, 759 .flags = flags, 760 .pos = *ppos, 761 .u.file = out, 762 }; 763 ssize_t ret; 764 int err; 765 766 err = remove_suid(out->f_path.dentry); 767 if (unlikely(err)) 768 return err; 769 770 ret = __splice_from_pipe(pipe, &sd, pipe_to_file); 771 if (ret > 0) { 772 unsigned long nr_pages; 773 774 *ppos += ret; 775 nr_pages = (ret + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; 776 777 /* 778 * If file or inode is SYNC and we actually wrote some data, 779 * sync it. 780 */ 781 if (unlikely((out->f_flags & O_SYNC) || IS_SYNC(inode))) { 782 err = generic_osync_inode(inode, mapping, 783 OSYNC_METADATA|OSYNC_DATA); 784 785 if (err) 786 ret = err; 787 } 788 balance_dirty_pages_ratelimited_nr(mapping, nr_pages); 789 } 790 791 return ret; 792 } 793 794 EXPORT_SYMBOL(generic_file_splice_write_nolock); 795 796 /** 797 * generic_file_splice_write - splice data from a pipe to a file 798 * @pipe: pipe info 799 * @out: file to write to 800 * @ppos: position in @out 801 * @len: number of bytes to splice 802 * @flags: splice modifier flags 803 * 804 * Description: 805 * Will either move or copy pages (determined by @flags options) from 806 * the given pipe inode to the given file. 807 * 808 */ 809 ssize_t 810 generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out, 811 loff_t *ppos, size_t len, unsigned int flags) 812 { 813 struct address_space *mapping = out->f_mapping; 814 struct inode *inode = mapping->host; 815 struct splice_desc sd = { 816 .total_len = len, 817 .flags = flags, 818 .pos = *ppos, 819 .u.file = out, 820 }; 821 ssize_t ret; 822 823 inode_double_lock(inode, pipe->inode); 824 ret = remove_suid(out->f_path.dentry); 825 if (likely(!ret)) 826 ret = __splice_from_pipe(pipe, &sd, pipe_to_file); 827 inode_double_unlock(inode, pipe->inode); 828 if (ret > 0) { 829 unsigned long nr_pages; 830 831 *ppos += ret; 832 nr_pages = (ret + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT; 833 834 /* 835 * If file or inode is SYNC and we actually wrote some data, 836 * sync it. 837 */ 838 if (unlikely((out->f_flags & O_SYNC) || IS_SYNC(inode))) { 839 int err; 840 841 mutex_lock(&inode->i_mutex); 842 err = generic_osync_inode(inode, mapping, 843 OSYNC_METADATA|OSYNC_DATA); 844 mutex_unlock(&inode->i_mutex); 845 846 if (err) 847 ret = err; 848 } 849 balance_dirty_pages_ratelimited_nr(mapping, nr_pages); 850 } 851 852 return ret; 853 } 854 855 EXPORT_SYMBOL(generic_file_splice_write); 856 857 /** 858 * generic_splice_sendpage - splice data from a pipe to a socket 859 * @pipe: pipe to splice from 860 * @out: socket to write to 861 * @ppos: position in @out 862 * @len: number of bytes to splice 863 * @flags: splice modifier flags 864 * 865 * Description: 866 * Will send @len bytes from the pipe to a network socket. No data copying 867 * is involved. 868 * 869 */ 870 ssize_t generic_splice_sendpage(struct pipe_inode_info *pipe, struct file *out, 871 loff_t *ppos, size_t len, unsigned int flags) 872 { 873 return splice_from_pipe(pipe, out, ppos, len, flags, pipe_to_sendpage); 874 } 875 876 EXPORT_SYMBOL(generic_splice_sendpage); 877 878 /* 879 * Attempt to initiate a splice from pipe to file. 880 */ 881 static long do_splice_from(struct pipe_inode_info *pipe, struct file *out, 882 loff_t *ppos, size_t len, unsigned int flags) 883 { 884 int ret; 885 886 if (unlikely(!out->f_op || !out->f_op->splice_write)) 887 return -EINVAL; 888 889 if (unlikely(!(out->f_mode & FMODE_WRITE))) 890 return -EBADF; 891 892 ret = rw_verify_area(WRITE, out, ppos, len); 893 if (unlikely(ret < 0)) 894 return ret; 895 896 return out->f_op->splice_write(pipe, out, ppos, len, flags); 897 } 898 899 /* 900 * Attempt to initiate a splice from a file to a pipe. 901 */ 902 static long do_splice_to(struct file *in, loff_t *ppos, 903 struct pipe_inode_info *pipe, size_t len, 904 unsigned int flags) 905 { 906 int ret; 907 908 if (unlikely(!in->f_op || !in->f_op->splice_read)) 909 return -EINVAL; 910 911 if (unlikely(!(in->f_mode & FMODE_READ))) 912 return -EBADF; 913 914 ret = rw_verify_area(READ, in, ppos, len); 915 if (unlikely(ret < 0)) 916 return ret; 917 918 return in->f_op->splice_read(in, ppos, pipe, len, flags); 919 } 920 921 /** 922 * splice_direct_to_actor - splices data directly between two non-pipes 923 * @in: file to splice from 924 * @sd: actor information on where to splice to 925 * @actor: handles the data splicing 926 * 927 * Description: 928 * This is a special case helper to splice directly between two 929 * points, without requiring an explicit pipe. Internally an allocated 930 * pipe is cached in the process, and reused during the lifetime of 931 * that process. 932 * 933 */ 934 ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, 935 splice_direct_actor *actor) 936 { 937 struct pipe_inode_info *pipe; 938 long ret, bytes; 939 umode_t i_mode; 940 size_t len; 941 int i, flags; 942 943 /* 944 * We require the input being a regular file, as we don't want to 945 * randomly drop data for eg socket -> socket splicing. Use the 946 * piped splicing for that! 947 */ 948 i_mode = in->f_path.dentry->d_inode->i_mode; 949 if (unlikely(!S_ISREG(i_mode) && !S_ISBLK(i_mode))) 950 return -EINVAL; 951 952 /* 953 * neither in nor out is a pipe, setup an internal pipe attached to 954 * 'out' and transfer the wanted data from 'in' to 'out' through that 955 */ 956 pipe = current->splice_pipe; 957 if (unlikely(!pipe)) { 958 pipe = alloc_pipe_info(NULL); 959 if (!pipe) 960 return -ENOMEM; 961 962 /* 963 * We don't have an immediate reader, but we'll read the stuff 964 * out of the pipe right after the splice_to_pipe(). So set 965 * PIPE_READERS appropriately. 966 */ 967 pipe->readers = 1; 968 969 current->splice_pipe = pipe; 970 } 971 972 /* 973 * Do the splice. 974 */ 975 ret = 0; 976 bytes = 0; 977 len = sd->total_len; 978 flags = sd->flags; 979 980 /* 981 * Don't block on output, we have to drain the direct pipe. 982 */ 983 sd->flags &= ~SPLICE_F_NONBLOCK; 984 985 while (len) { 986 size_t read_len; 987 loff_t pos = sd->pos, prev_pos = pos; 988 989 ret = do_splice_to(in, &pos, pipe, len, flags); 990 if (unlikely(ret <= 0)) 991 goto out_release; 992 993 read_len = ret; 994 sd->total_len = read_len; 995 996 /* 997 * NOTE: nonblocking mode only applies to the input. We 998 * must not do the output in nonblocking mode as then we 999 * could get stuck data in the internal pipe: 1000 */ 1001 ret = actor(pipe, sd); 1002 if (unlikely(ret <= 0)) { 1003 sd->pos = prev_pos; 1004 goto out_release; 1005 } 1006 1007 bytes += ret; 1008 len -= ret; 1009 sd->pos = pos; 1010 1011 if (ret < read_len) { 1012 sd->pos = prev_pos + ret; 1013 goto out_release; 1014 } 1015 } 1016 1017 done: 1018 pipe->nrbufs = pipe->curbuf = 0; 1019 file_accessed(in); 1020 return bytes; 1021 1022 out_release: 1023 /* 1024 * If we did an incomplete transfer we must release 1025 * the pipe buffers in question: 1026 */ 1027 for (i = 0; i < PIPE_BUFFERS; i++) { 1028 struct pipe_buffer *buf = pipe->bufs + i; 1029 1030 if (buf->ops) { 1031 buf->ops->release(pipe, buf); 1032 buf->ops = NULL; 1033 } 1034 } 1035 1036 if (!bytes) 1037 bytes = ret; 1038 1039 goto done; 1040 } 1041 EXPORT_SYMBOL(splice_direct_to_actor); 1042 1043 static int direct_splice_actor(struct pipe_inode_info *pipe, 1044 struct splice_desc *sd) 1045 { 1046 struct file *file = sd->u.file; 1047 1048 return do_splice_from(pipe, file, &sd->pos, sd->total_len, sd->flags); 1049 } 1050 1051 /** 1052 * do_splice_direct - splices data directly between two files 1053 * @in: file to splice from 1054 * @ppos: input file offset 1055 * @out: file to splice to 1056 * @len: number of bytes to splice 1057 * @flags: splice modifier flags 1058 * 1059 * Description: 1060 * For use by do_sendfile(). splice can easily emulate sendfile, but 1061 * doing it in the application would incur an extra system call 1062 * (splice in + splice out, as compared to just sendfile()). So this helper 1063 * can splice directly through a process-private pipe. 1064 * 1065 */ 1066 long do_splice_direct(struct file *in, loff_t *ppos, struct file *out, 1067 size_t len, unsigned int flags) 1068 { 1069 struct splice_desc sd = { 1070 .len = len, 1071 .total_len = len, 1072 .flags = flags, 1073 .pos = *ppos, 1074 .u.file = out, 1075 }; 1076 long ret; 1077 1078 ret = splice_direct_to_actor(in, &sd, direct_splice_actor); 1079 if (ret > 0) 1080 *ppos = sd.pos; 1081 1082 return ret; 1083 } 1084 1085 /* 1086 * After the inode slimming patch, i_pipe/i_bdev/i_cdev share the same 1087 * location, so checking ->i_pipe is not enough to verify that this is a 1088 * pipe. 1089 */ 1090 static inline struct pipe_inode_info *pipe_info(struct inode *inode) 1091 { 1092 if (S_ISFIFO(inode->i_mode)) 1093 return inode->i_pipe; 1094 1095 return NULL; 1096 } 1097 1098 /* 1099 * Determine where to splice to/from. 1100 */ 1101 static long do_splice(struct file *in, loff_t __user *off_in, 1102 struct file *out, loff_t __user *off_out, 1103 size_t len, unsigned int flags) 1104 { 1105 struct pipe_inode_info *pipe; 1106 loff_t offset, *off; 1107 long ret; 1108 1109 pipe = pipe_info(in->f_path.dentry->d_inode); 1110 if (pipe) { 1111 if (off_in) 1112 return -ESPIPE; 1113 if (off_out) { 1114 if (out->f_op->llseek == no_llseek) 1115 return -EINVAL; 1116 if (copy_from_user(&offset, off_out, sizeof(loff_t))) 1117 return -EFAULT; 1118 off = &offset; 1119 } else 1120 off = &out->f_pos; 1121 1122 ret = do_splice_from(pipe, out, off, len, flags); 1123 1124 if (off_out && copy_to_user(off_out, off, sizeof(loff_t))) 1125 ret = -EFAULT; 1126 1127 return ret; 1128 } 1129 1130 pipe = pipe_info(out->f_path.dentry->d_inode); 1131 if (pipe) { 1132 if (off_out) 1133 return -ESPIPE; 1134 if (off_in) { 1135 if (in->f_op->llseek == no_llseek) 1136 return -EINVAL; 1137 if (copy_from_user(&offset, off_in, sizeof(loff_t))) 1138 return -EFAULT; 1139 off = &offset; 1140 } else 1141 off = &in->f_pos; 1142 1143 ret = do_splice_to(in, off, pipe, len, flags); 1144 1145 if (off_in && copy_to_user(off_in, off, sizeof(loff_t))) 1146 ret = -EFAULT; 1147 1148 return ret; 1149 } 1150 1151 return -EINVAL; 1152 } 1153 1154 /* 1155 * Do a copy-from-user while holding the mmap_semaphore for reading, in a 1156 * manner safe from deadlocking with simultaneous mmap() (grabbing mmap_sem 1157 * for writing) and page faulting on the user memory pointed to by src. 1158 * This assumes that we will very rarely hit the partial != 0 path, or this 1159 * will not be a win. 1160 */ 1161 static int copy_from_user_mmap_sem(void *dst, const void __user *src, size_t n) 1162 { 1163 int partial; 1164 1165 if (!access_ok(VERIFY_READ, src, n)) 1166 return -EFAULT; 1167 1168 pagefault_disable(); 1169 partial = __copy_from_user_inatomic(dst, src, n); 1170 pagefault_enable(); 1171 1172 /* 1173 * Didn't copy everything, drop the mmap_sem and do a faulting copy 1174 */ 1175 if (unlikely(partial)) { 1176 up_read(¤t->mm->mmap_sem); 1177 partial = copy_from_user(dst, src, n); 1178 down_read(¤t->mm->mmap_sem); 1179 } 1180 1181 return partial; 1182 } 1183 1184 /* 1185 * Map an iov into an array of pages and offset/length tupples. With the 1186 * partial_page structure, we can map several non-contiguous ranges into 1187 * our ones pages[] map instead of splitting that operation into pieces. 1188 * Could easily be exported as a generic helper for other users, in which 1189 * case one would probably want to add a 'max_nr_pages' parameter as well. 1190 */ 1191 static int get_iovec_page_array(const struct iovec __user *iov, 1192 unsigned int nr_vecs, struct page **pages, 1193 struct partial_page *partial, int aligned) 1194 { 1195 int buffers = 0, error = 0; 1196 1197 down_read(¤t->mm->mmap_sem); 1198 1199 while (nr_vecs) { 1200 unsigned long off, npages; 1201 struct iovec entry; 1202 void __user *base; 1203 size_t len; 1204 int i; 1205 1206 error = -EFAULT; 1207 if (copy_from_user_mmap_sem(&entry, iov, sizeof(entry))) 1208 break; 1209 1210 base = entry.iov_base; 1211 len = entry.iov_len; 1212 1213 /* 1214 * Sanity check this iovec. 0 read succeeds. 1215 */ 1216 error = 0; 1217 if (unlikely(!len)) 1218 break; 1219 error = -EFAULT; 1220 if (!access_ok(VERIFY_READ, base, len)) 1221 break; 1222 1223 /* 1224 * Get this base offset and number of pages, then map 1225 * in the user pages. 1226 */ 1227 off = (unsigned long) base & ~PAGE_MASK; 1228 1229 /* 1230 * If asked for alignment, the offset must be zero and the 1231 * length a multiple of the PAGE_SIZE. 1232 */ 1233 error = -EINVAL; 1234 if (aligned && (off || len & ~PAGE_MASK)) 1235 break; 1236 1237 npages = (off + len + PAGE_SIZE - 1) >> PAGE_SHIFT; 1238 if (npages > PIPE_BUFFERS - buffers) 1239 npages = PIPE_BUFFERS - buffers; 1240 1241 error = get_user_pages(current, current->mm, 1242 (unsigned long) base, npages, 0, 0, 1243 &pages[buffers], NULL); 1244 1245 if (unlikely(error <= 0)) 1246 break; 1247 1248 /* 1249 * Fill this contiguous range into the partial page map. 1250 */ 1251 for (i = 0; i < error; i++) { 1252 const int plen = min_t(size_t, len, PAGE_SIZE - off); 1253 1254 partial[buffers].offset = off; 1255 partial[buffers].len = plen; 1256 1257 off = 0; 1258 len -= plen; 1259 buffers++; 1260 } 1261 1262 /* 1263 * We didn't complete this iov, stop here since it probably 1264 * means we have to move some of this into a pipe to 1265 * be able to continue. 1266 */ 1267 if (len) 1268 break; 1269 1270 /* 1271 * Don't continue if we mapped fewer pages than we asked for, 1272 * or if we mapped the max number of pages that we have 1273 * room for. 1274 */ 1275 if (error < npages || buffers == PIPE_BUFFERS) 1276 break; 1277 1278 nr_vecs--; 1279 iov++; 1280 } 1281 1282 up_read(¤t->mm->mmap_sem); 1283 1284 if (buffers) 1285 return buffers; 1286 1287 return error; 1288 } 1289 1290 static int pipe_to_user(struct pipe_inode_info *pipe, struct pipe_buffer *buf, 1291 struct splice_desc *sd) 1292 { 1293 char *src; 1294 int ret; 1295 1296 ret = buf->ops->confirm(pipe, buf); 1297 if (unlikely(ret)) 1298 return ret; 1299 1300 /* 1301 * See if we can use the atomic maps, by prefaulting in the 1302 * pages and doing an atomic copy 1303 */ 1304 if (!fault_in_pages_writeable(sd->u.userptr, sd->len)) { 1305 src = buf->ops->map(pipe, buf, 1); 1306 ret = __copy_to_user_inatomic(sd->u.userptr, src + buf->offset, 1307 sd->len); 1308 buf->ops->unmap(pipe, buf, src); 1309 if (!ret) { 1310 ret = sd->len; 1311 goto out; 1312 } 1313 } 1314 1315 /* 1316 * No dice, use slow non-atomic map and copy 1317 */ 1318 src = buf->ops->map(pipe, buf, 0); 1319 1320 ret = sd->len; 1321 if (copy_to_user(sd->u.userptr, src + buf->offset, sd->len)) 1322 ret = -EFAULT; 1323 1324 buf->ops->unmap(pipe, buf, src); 1325 out: 1326 if (ret > 0) 1327 sd->u.userptr += ret; 1328 return ret; 1329 } 1330 1331 /* 1332 * For lack of a better implementation, implement vmsplice() to userspace 1333 * as a simple copy of the pipes pages to the user iov. 1334 */ 1335 static long vmsplice_to_user(struct file *file, const struct iovec __user *iov, 1336 unsigned long nr_segs, unsigned int flags) 1337 { 1338 struct pipe_inode_info *pipe; 1339 struct splice_desc sd; 1340 ssize_t size; 1341 int error; 1342 long ret; 1343 1344 pipe = pipe_info(file->f_path.dentry->d_inode); 1345 if (!pipe) 1346 return -EBADF; 1347 1348 if (pipe->inode) 1349 mutex_lock(&pipe->inode->i_mutex); 1350 1351 error = ret = 0; 1352 while (nr_segs) { 1353 void __user *base; 1354 size_t len; 1355 1356 /* 1357 * Get user address base and length for this iovec. 1358 */ 1359 error = get_user(base, &iov->iov_base); 1360 if (unlikely(error)) 1361 break; 1362 error = get_user(len, &iov->iov_len); 1363 if (unlikely(error)) 1364 break; 1365 1366 /* 1367 * Sanity check this iovec. 0 read succeeds. 1368 */ 1369 if (unlikely(!len)) 1370 break; 1371 if (unlikely(!base)) { 1372 error = -EFAULT; 1373 break; 1374 } 1375 1376 if (unlikely(!access_ok(VERIFY_WRITE, base, len))) { 1377 error = -EFAULT; 1378 break; 1379 } 1380 1381 sd.len = 0; 1382 sd.total_len = len; 1383 sd.flags = flags; 1384 sd.u.userptr = base; 1385 sd.pos = 0; 1386 1387 size = __splice_from_pipe(pipe, &sd, pipe_to_user); 1388 if (size < 0) { 1389 if (!ret) 1390 ret = size; 1391 1392 break; 1393 } 1394 1395 ret += size; 1396 1397 if (size < len) 1398 break; 1399 1400 nr_segs--; 1401 iov++; 1402 } 1403 1404 if (pipe->inode) 1405 mutex_unlock(&pipe->inode->i_mutex); 1406 1407 if (!ret) 1408 ret = error; 1409 1410 return ret; 1411 } 1412 1413 /* 1414 * vmsplice splices a user address range into a pipe. It can be thought of 1415 * as splice-from-memory, where the regular splice is splice-from-file (or 1416 * to file). In both cases the output is a pipe, naturally. 1417 */ 1418 static long vmsplice_to_pipe(struct file *file, const struct iovec __user *iov, 1419 unsigned long nr_segs, unsigned int flags) 1420 { 1421 struct pipe_inode_info *pipe; 1422 struct page *pages[PIPE_BUFFERS]; 1423 struct partial_page partial[PIPE_BUFFERS]; 1424 struct splice_pipe_desc spd = { 1425 .pages = pages, 1426 .partial = partial, 1427 .flags = flags, 1428 .ops = &user_page_pipe_buf_ops, 1429 .spd_release = spd_release_page, 1430 }; 1431 1432 pipe = pipe_info(file->f_path.dentry->d_inode); 1433 if (!pipe) 1434 return -EBADF; 1435 1436 spd.nr_pages = get_iovec_page_array(iov, nr_segs, pages, partial, 1437 flags & SPLICE_F_GIFT); 1438 if (spd.nr_pages <= 0) 1439 return spd.nr_pages; 1440 1441 return splice_to_pipe(pipe, &spd); 1442 } 1443 1444 /* 1445 * Note that vmsplice only really supports true splicing _from_ user memory 1446 * to a pipe, not the other way around. Splicing from user memory is a simple 1447 * operation that can be supported without any funky alignment restrictions 1448 * or nasty vm tricks. We simply map in the user memory and fill them into 1449 * a pipe. The reverse isn't quite as easy, though. There are two possible 1450 * solutions for that: 1451 * 1452 * - memcpy() the data internally, at which point we might as well just 1453 * do a regular read() on the buffer anyway. 1454 * - Lots of nasty vm tricks, that are neither fast nor flexible (it 1455 * has restriction limitations on both ends of the pipe). 1456 * 1457 * Currently we punt and implement it as a normal copy, see pipe_to_user(). 1458 * 1459 */ 1460 asmlinkage long sys_vmsplice(int fd, const struct iovec __user *iov, 1461 unsigned long nr_segs, unsigned int flags) 1462 { 1463 struct file *file; 1464 long error; 1465 int fput; 1466 1467 if (unlikely(nr_segs > UIO_MAXIOV)) 1468 return -EINVAL; 1469 else if (unlikely(!nr_segs)) 1470 return 0; 1471 1472 error = -EBADF; 1473 file = fget_light(fd, &fput); 1474 if (file) { 1475 if (file->f_mode & FMODE_WRITE) 1476 error = vmsplice_to_pipe(file, iov, nr_segs, flags); 1477 else if (file->f_mode & FMODE_READ) 1478 error = vmsplice_to_user(file, iov, nr_segs, flags); 1479 1480 fput_light(file, fput); 1481 } 1482 1483 return error; 1484 } 1485 1486 asmlinkage long sys_splice(int fd_in, loff_t __user *off_in, 1487 int fd_out, loff_t __user *off_out, 1488 size_t len, unsigned int flags) 1489 { 1490 long error; 1491 struct file *in, *out; 1492 int fput_in, fput_out; 1493 1494 if (unlikely(!len)) 1495 return 0; 1496 1497 error = -EBADF; 1498 in = fget_light(fd_in, &fput_in); 1499 if (in) { 1500 if (in->f_mode & FMODE_READ) { 1501 out = fget_light(fd_out, &fput_out); 1502 if (out) { 1503 if (out->f_mode & FMODE_WRITE) 1504 error = do_splice(in, off_in, 1505 out, off_out, 1506 len, flags); 1507 fput_light(out, fput_out); 1508 } 1509 } 1510 1511 fput_light(in, fput_in); 1512 } 1513 1514 return error; 1515 } 1516 1517 /* 1518 * Make sure there's data to read. Wait for input if we can, otherwise 1519 * return an appropriate error. 1520 */ 1521 static int link_ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags) 1522 { 1523 int ret; 1524 1525 /* 1526 * Check ->nrbufs without the inode lock first. This function 1527 * is speculative anyways, so missing one is ok. 1528 */ 1529 if (pipe->nrbufs) 1530 return 0; 1531 1532 ret = 0; 1533 mutex_lock(&pipe->inode->i_mutex); 1534 1535 while (!pipe->nrbufs) { 1536 if (signal_pending(current)) { 1537 ret = -ERESTARTSYS; 1538 break; 1539 } 1540 if (!pipe->writers) 1541 break; 1542 if (!pipe->waiting_writers) { 1543 if (flags & SPLICE_F_NONBLOCK) { 1544 ret = -EAGAIN; 1545 break; 1546 } 1547 } 1548 pipe_wait(pipe); 1549 } 1550 1551 mutex_unlock(&pipe->inode->i_mutex); 1552 return ret; 1553 } 1554 1555 /* 1556 * Make sure there's writeable room. Wait for room if we can, otherwise 1557 * return an appropriate error. 1558 */ 1559 static int link_opipe_prep(struct pipe_inode_info *pipe, unsigned int flags) 1560 { 1561 int ret; 1562 1563 /* 1564 * Check ->nrbufs without the inode lock first. This function 1565 * is speculative anyways, so missing one is ok. 1566 */ 1567 if (pipe->nrbufs < PIPE_BUFFERS) 1568 return 0; 1569 1570 ret = 0; 1571 mutex_lock(&pipe->inode->i_mutex); 1572 1573 while (pipe->nrbufs >= PIPE_BUFFERS) { 1574 if (!pipe->readers) { 1575 send_sig(SIGPIPE, current, 0); 1576 ret = -EPIPE; 1577 break; 1578 } 1579 if (flags & SPLICE_F_NONBLOCK) { 1580 ret = -EAGAIN; 1581 break; 1582 } 1583 if (signal_pending(current)) { 1584 ret = -ERESTARTSYS; 1585 break; 1586 } 1587 pipe->waiting_writers++; 1588 pipe_wait(pipe); 1589 pipe->waiting_writers--; 1590 } 1591 1592 mutex_unlock(&pipe->inode->i_mutex); 1593 return ret; 1594 } 1595 1596 /* 1597 * Link contents of ipipe to opipe. 1598 */ 1599 static int link_pipe(struct pipe_inode_info *ipipe, 1600 struct pipe_inode_info *opipe, 1601 size_t len, unsigned int flags) 1602 { 1603 struct pipe_buffer *ibuf, *obuf; 1604 int ret = 0, i = 0, nbuf; 1605 1606 /* 1607 * Potential ABBA deadlock, work around it by ordering lock 1608 * grabbing by inode address. Otherwise two different processes 1609 * could deadlock (one doing tee from A -> B, the other from B -> A). 1610 */ 1611 inode_double_lock(ipipe->inode, opipe->inode); 1612 1613 do { 1614 if (!opipe->readers) { 1615 send_sig(SIGPIPE, current, 0); 1616 if (!ret) 1617 ret = -EPIPE; 1618 break; 1619 } 1620 1621 /* 1622 * If we have iterated all input buffers or ran out of 1623 * output room, break. 1624 */ 1625 if (i >= ipipe->nrbufs || opipe->nrbufs >= PIPE_BUFFERS) 1626 break; 1627 1628 ibuf = ipipe->bufs + ((ipipe->curbuf + i) & (PIPE_BUFFERS - 1)); 1629 nbuf = (opipe->curbuf + opipe->nrbufs) & (PIPE_BUFFERS - 1); 1630 1631 /* 1632 * Get a reference to this pipe buffer, 1633 * so we can copy the contents over. 1634 */ 1635 ibuf->ops->get(ipipe, ibuf); 1636 1637 obuf = opipe->bufs + nbuf; 1638 *obuf = *ibuf; 1639 1640 /* 1641 * Don't inherit the gift flag, we need to 1642 * prevent multiple steals of this page. 1643 */ 1644 obuf->flags &= ~PIPE_BUF_FLAG_GIFT; 1645 1646 if (obuf->len > len) 1647 obuf->len = len; 1648 1649 opipe->nrbufs++; 1650 ret += obuf->len; 1651 len -= obuf->len; 1652 i++; 1653 } while (len); 1654 1655 /* 1656 * return EAGAIN if we have the potential of some data in the 1657 * future, otherwise just return 0 1658 */ 1659 if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK)) 1660 ret = -EAGAIN; 1661 1662 inode_double_unlock(ipipe->inode, opipe->inode); 1663 1664 /* 1665 * If we put data in the output pipe, wakeup any potential readers. 1666 */ 1667 if (ret > 0) { 1668 smp_mb(); 1669 if (waitqueue_active(&opipe->wait)) 1670 wake_up_interruptible(&opipe->wait); 1671 kill_fasync(&opipe->fasync_readers, SIGIO, POLL_IN); 1672 } 1673 1674 return ret; 1675 } 1676 1677 /* 1678 * This is a tee(1) implementation that works on pipes. It doesn't copy 1679 * any data, it simply references the 'in' pages on the 'out' pipe. 1680 * The 'flags' used are the SPLICE_F_* variants, currently the only 1681 * applicable one is SPLICE_F_NONBLOCK. 1682 */ 1683 static long do_tee(struct file *in, struct file *out, size_t len, 1684 unsigned int flags) 1685 { 1686 struct pipe_inode_info *ipipe = pipe_info(in->f_path.dentry->d_inode); 1687 struct pipe_inode_info *opipe = pipe_info(out->f_path.dentry->d_inode); 1688 int ret = -EINVAL; 1689 1690 /* 1691 * Duplicate the contents of ipipe to opipe without actually 1692 * copying the data. 1693 */ 1694 if (ipipe && opipe && ipipe != opipe) { 1695 /* 1696 * Keep going, unless we encounter an error. The ipipe/opipe 1697 * ordering doesn't really matter. 1698 */ 1699 ret = link_ipipe_prep(ipipe, flags); 1700 if (!ret) { 1701 ret = link_opipe_prep(opipe, flags); 1702 if (!ret) 1703 ret = link_pipe(ipipe, opipe, len, flags); 1704 } 1705 } 1706 1707 return ret; 1708 } 1709 1710 asmlinkage long sys_tee(int fdin, int fdout, size_t len, unsigned int flags) 1711 { 1712 struct file *in; 1713 int error, fput_in; 1714 1715 if (unlikely(!len)) 1716 return 0; 1717 1718 error = -EBADF; 1719 in = fget_light(fdin, &fput_in); 1720 if (in) { 1721 if (in->f_mode & FMODE_READ) { 1722 int fput_out; 1723 struct file *out = fget_light(fdout, &fput_out); 1724 1725 if (out) { 1726 if (out->f_mode & FMODE_WRITE) 1727 error = do_tee(in, out, len, flags); 1728 fput_light(out, fput_out); 1729 } 1730 } 1731 fput_light(in, fput_in); 1732 } 1733 1734 return error; 1735 } 1736