The patch titled splice: must fully check for fifos has been added to the -mm tree. Its filename is splice-must-fully-check-for-fifo.patch See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find out what to do about this
------------------------------------------------------
Subject: splice: must fully check for fifos
From: Eric Dumazet <dada1@xxxxxxxxxxxxx>
It appears that i_pipe, i_cdev and i_bdev share the same memory location (anonymous union in struct inode) since commits 577c4eb09d1034d0739e3135fd2cff50588024be eaf796e7ef6014f208c409b2b14fddcfaafe7e3a Because of that, testing i_pipe being NULL is not anymore sufficient to tell if an inode is a FIFO or not. Therefore, we must use the S_ISFIFO(inode->i_mode) test before assuming i_pipe pointer is pointing to a struct pipe_inode_info.
Signed-off-by: Eric Dumazet <dada1@xxxxxxxxxxxxx>
Cc: Jens Axboe <axboe@xxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---
fs/splice.c | 30 ++++++++++++++++++++++--------
1 files changed, 22 insertions(+), 8 deletions(-)
diff -puN fs/splice.c~splice-must-fully-check-for-fifo fs/splice.c
--- a/fs/splice.c~splice-must-fully-check-for-fifo
+++ a/fs/splice.c
@@ -1115,12 +1115,14 @@ static long do_splice(struct file *in, l
 struct file *out, loff_t __user *off_out, size_t len, unsigned int flags)
 {
+ struct inode *inode;
 struct pipe_inode_info *pipe;
 loff_t offset, *off;
 long ret;
- pipe = in->f_dentry->d_inode->i_pipe;
- if (pipe) {
+ inode = in->f_dentry->d_inode;
+ pipe = inode->i_pipe;
+ if (pipe && S_ISFIFO(inode->i_mode)) {
 if (off_in)
 return -ESPIPE;
 if (off_out) {
@@ -1140,8 +1142,9 @@ static long do_splice(struct file *in, l
 return ret;
 }
- pipe = out->f_dentry->d_inode->i_pipe;
- if (pipe) {
+ inode = out->f_dentry->d_inode;
+ pipe = inode->i_pipe;
+ if (pipe && S_ISFIFO(inode->i_mode)) {
 if (off_out)
 return -ESPIPE;
 if (off_in) {
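Review bot: The FIFO test in do_splice() is written out by hand at each i_pipe read: `pipe && S_ISFIFO(inode->i_mode)` for the input file in this hunk, the same for the output file in the next hunk, and in negated form in do_vmsplice(). A later caller that reads i_pipe can omit it and again treat a device inode's i_bdev/i_cdev pointer as a pipe. A small accessor that returns i_pipe only for a FIFO inode and NULL otherwise would keep the type check in one place, let each caller keep its plain `if (pipe)` test, and make the extra `inode` local unnecessary. do_splice()'s body continues outside both hunks.

```c
/*
 * i_pipe shares storage with i_bdev/i_cdev, so the pointer is only
 * meaningful when the inode really is a FIFO.
 */
static inline struct pipe_inode_info *pipe_info(struct inode *inode)
{
	if (S_ISFIFO(inode->i_mode))
		return inode->i_pipe;

	return NULL;
}

	/* in do_splice(), input side; the output side follows the same shape */
	pipe = pipe_info(in->f_dentry->d_inode);
	if (pipe) {
		/* … unchanged: off_in/off_out handling … */
```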
@@ -1298,7 +1301,8 @@ static int get_iovec_page_array(const st
 static long do_vmsplice(struct file *file, const struct iovec __user *iov, unsigned long nr_segs, unsigned int flags)
 {
- struct pipe_inode_info *pipe = file->f_dentry->d_inode->i_pipe;
+ struct inode *inode = file->f_dentry->d_inode;
+ struct pipe_inode_info *pipe = inode->i_pipe;
 struct page *pages[PIPE_BUFFERS];
 struct partial_page partial[PIPE_BUFFERS];
 struct splice_pipe_desc spd = {
@@ -1308,7 +1312,7 @@ static long do_vmsplice(struct file *fil
 .ops = &user_page_pipe_buf_ops,
 };
- if (unlikely(!pipe))
+ if (unlikely(!pipe || !S_ISFIFO(inode->i_mode)))
 return -EBADF;
 if (unlikely(nr_segs > UIO_MAXIOV))
 return -EINVAL;
@@ -1535,11 +1539,21 @@ static int link_pipe(struct pipe_inode_i
 static long do_tee(struct file *in, struct file *out, size_t len, unsigned int flags)
 {
- struct pipe_inode_info *ipipe = in->f_dentry->d_inode->i_pipe;
- struct pipe_inode_info *opipe = out->f_dentry->d_inode->i_pipe;
+ struct inode *in_inode = in->f_dentry->d_inode;
+ struct inode *out_inode = out->f_dentry->d_inode;
+ struct pipe_inode_info *ipipe;
+ struct pipe_inode_info *opipe;
 int ret = -EINVAL;
 /*
+ * CAUTION : As i_pipe/i_bdev/i_cdev share the same location,
+ * we must check we deal with fifos/pipes, not cdev or bdev.
+ */
+ if (!S_ISFIFO(in_inode->i_mode) || !S_ISFIFO(out_inode->i_mode))
+ return ret;
+ ipipe = in_inode->i_pipe;
+ opipe = out_inode->i_pipe;
+ /*
 * Duplicate the contents of ipipe to opipe without actually
 * copying the data.
 */
_
Patches currently in -mm which might be from dada1@xxxxxxxxxxxxx are splice-must-fully-check-for-fifo.patch vmalloc-optimization-cleanup-bugfixes.patch vmalloc-optimization-cleanup-bugfixes-tweak.patch - To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
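Review bot: The widened test in do_vmsplice(), `if (unlikely(!pipe || !S_ISFIFO(inode->i_mode)))`, carries no comment, while do_tee() gets a CAUTION block for the same reason. A reader who sees a non-NULL test followed by a mode test cannot tell that the second half is a type guard on the shared union rather than a redundant sanity check, and may later simplify it away. I would add `/* i_pipe aliases i_bdev/i_cdev: non-NULL alone does not mean this is a pipe */` directly above the test. The function body continues outside the hunk.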
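Review bot: The new early exit in do_tee(), `return ret;`, depends on the `int ret = -EINVAL;` initializer a few lines above it; `return -EINVAL;` states the error at the point of rejection and survives a later change to the initializer. The guard is also shaped differently from do_splice() and do_vmsplice(): here the mode is tested first and i_pipe is loaded afterwards, whereas the other two load the pointer and test both conditions together. Whether ipipe and opipe are still tested for NULL before use is decided by code outside this hunk, and is worth confirming since this hunk no longer initializes them at declaration.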