Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cc56f7de authored by Changli Gao's avatar Changli Gao Committed by Jens Axboe
Browse files

sendfile(): check f_op.splice_write() rather than f_op.sendpage() 



sendfile(2) was reworked with the splice infrastructure, but it still
checks f_op.sendpage() instead of f_op.splice_write() wrongly.  Although
if f_op.sendpage() exists, f_op.splice_write() always exists at the same
time currently, the assumption will be broken in future silently.  This
patch also brings a side effect: sendfile(2) can work with any output
file.  Some security checks related to f_op are added too.

Signed-off-by: default avatarChangli Gao <xiaosuo@gmail.com>
Signed-off-by: default avatarJens Axboe <jens.axboe@oracle.com>
parent f21121cd

fs/read_write.c

+0 −2
Original line number Diff line number Diff line
@@ -826,8 +826,6 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos, 
	if (!(out_file->f_mode & FMODE_WRITE))

		goto fput_out;

	retval = -EINVAL;

	if (!out_file->f_op || !out_file->f_op->sendpage)

		goto fput_out;

	in_inode = in_file->f_path.dentry->d_inode;

	out_inode = out_file->f_path.dentry->d_inode;

	retval = rw_verify_area(WRITE, out_file, &out_file->f_pos, count);

fs/splice.c

+15 −9
Original line number Diff line number Diff line
@@ -648,9 +648,11 @@ static int pipe_to_sendpage(struct pipe_inode_info *pipe, 
	ret = buf->ops->confirm(pipe, buf);

	if (!ret) {

		more = (sd->flags & SPLICE_F_MORE) || sd->len < sd->total_len;



		if (file->f_op && file->f_op->sendpage)

			ret = file->f_op->sendpage(file, buf->page, buf->offset,

						   sd->len, &pos, more);

		else

			ret = -EINVAL;

	}



	return ret;
@@ -1068,8 +1070,9 @@ static long do_splice_from(struct pipe_inode_info *pipe, struct file *out, 
	if (unlikely(ret < 0))

		return ret;



	if (out->f_op && out->f_op->splice_write)

		splice_write = out->f_op->splice_write;

	if (!splice_write)

	else

		splice_write = default_file_splice_write;



	return splice_write(pipe, out, ppos, len, flags);
@@ -1093,8 +1096,9 @@ static long do_splice_to(struct file *in, loff_t *ppos, 
	if (unlikely(ret < 0))

		return ret;



	if (in->f_op && in->f_op->splice_read)

		splice_read = in->f_op->splice_read;

	if (!splice_read)

	else

		splice_read = default_file_splice_read;



	return splice_read(in, ppos, pipe, len, flags);
@@ -1316,7 +1320,8 @@ static long do_splice(struct file *in, loff_t __user *off_in, 
		if (off_in)

			return -ESPIPE;

		if (off_out) {

			if (out->f_op->llseek == no_llseek)

			if (!out->f_op || !out->f_op->llseek ||

			    out->f_op->llseek == no_llseek)

				return -EINVAL;

			if (copy_from_user(&offset, off_out, sizeof(loff_t)))

				return -EFAULT;
@@ -1336,7 +1341,8 @@ static long do_splice(struct file *in, loff_t __user *off_in, 
		if (off_out)

			return -ESPIPE;

		if (off_in) {

			if (in->f_op->llseek == no_llseek)

			if (!in->f_op || !in->f_op->llseek ||

			    in->f_op->llseek == no_llseek)

				return -EINVAL;

			if (copy_from_user(&offset, off_in, sizeof(loff_t)))

				return -EFAULT;