On Wed 22-11-23 14:27:03, Amir Goldstein wrote: > vfs_splice_read() has a permission hook inside rw_verify_area() and > it is called from splice_file_to_pipe(), which is called from > do_splice() and do_sendfile(). > > do_sendfile() already has a rw_verify_area() check for the entire range. > do_splice() has a rw_verify_check() for the splice to file case, not for > the splice from file case. > > Add the rw_verify_area() check for splice from file case in do_splice() > and use a variant of vfs_splice_read() without rw_verify_area() check > in splice_file_to_pipe() to avoid the redundant rw_verify_area() checks. > > This is needed for fanotify "pre content" events. > > Reviewed-by: Josef Bacik <josef@xxxxxxxxxxxxxx> > Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx> Looks good. Feel free to add: Reviewed-by: Jan Kara <jack@xxxxxxx> Honza > --- > fs/splice.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/fs/splice.c b/fs/splice.c > index 6fc2c27e9520..d4fdd44c0b32 100644 > --- a/fs/splice.c > +++ b/fs/splice.c > @@ -1239,7 +1239,7 @@ long splice_file_to_pipe(struct file *in, > pipe_lock(opipe); > ret = wait_for_space(opipe, flags); > if (!ret) > - ret = vfs_splice_read(in, offset, opipe, len, flags); > + ret = do_splice_read(in, offset, opipe, len, flags); > pipe_unlock(opipe); > if (ret > 0) > wakeup_pipe_readers(opipe); > @@ -1316,6 +1316,10 @@ long do_splice(struct file *in, loff_t *off_in, struct file *out, > offset = in->f_pos; > } > > + ret = rw_verify_area(READ, in, &offset, len); > + if (unlikely(ret < 0)) > + return ret; > + > if (out->f_flags & O_NONBLOCK) > flags |= SPLICE_F_NONBLOCK; > > -- > 2.34.1 > -- Jan Kara <jack@xxxxxxxx> SUSE Labs, CR