From 319f6ae14a05974ed6eeb7704717f2ad23be9c46 Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Mon, 1 Oct 2007 13:17:28 -0700 Subject: [PATCH] --- yaml --- r: 65237 b: refs/heads/master c: 75723957673bfa10c98b735259f891cc79cf0450 h: refs/heads/master i: 65235: 54b28c3437c93253a8a32d1c387f672e2506a8f3 v: v3 --- [refs] | 2 +- trunk/fs/splice.c | 46 ++++++++++++++++++++++++++++++++++------------ 2 files changed, 35 insertions(+), 13 deletions(-) diff --git a/[refs] b/[refs] index 968e3b2ca2f6..7e7a7efe9e96 100644 --- a/[refs] +++ b/[refs] @@ -1,2 +1,2 @@ --- -refs/heads/master: e2cd68f7cd07cc898581bd736ebdd6f2c2323c2e +refs/heads/master: 75723957673bfa10c98b735259f891cc79cf0450 diff --git a/trunk/fs/splice.c b/trunk/fs/splice.c index c010a72ca2d2..e95a36228863 100644 --- a/trunk/fs/splice.c +++ b/trunk/fs/splice.c @@ -1223,6 +1223,33 @@ static long do_splice(struct file *in, loff_t __user *off_in, return -EINVAL; } +/* + * Do a copy-from-user while holding the mmap_semaphore for reading, in a + * manner safe from deadlocking with simultaneous mmap() (grabbing mmap_sem + * for writing) and page faulting on the user memory pointed to by src. + * This assumes that we will very rarely hit the partial != 0 path, or this + * will not be a win. + */ +static int copy_from_user_mmap_sem(void *dst, const void __user *src, size_t n) +{ + int partial; + + pagefault_disable(); + partial = __copy_from_user_inatomic(dst, src, n); + pagefault_enable(); + + /* + * Didn't copy everything, drop the mmap_sem and do a faulting copy + */ + if (unlikely(partial)) { + up_read(¤t->mm->mmap_sem); + partial = copy_from_user(dst, src, n); + down_read(¤t->mm->mmap_sem); + } + + return partial; +} + /* * Map an iov into an array of pages and offset/length tupples. With the * partial_page structure, we can map several non-contiguous ranges into @@ -1236,31 +1263,26 @@ static int get_iovec_page_array(const struct iovec __user *iov, { int buffers = 0, error = 0; - /* - * It's ok to take the mmap_sem for reading, even - * across a "get_user()". - */ down_read(¤t->mm->mmap_sem); while (nr_vecs) { unsigned long off, npages; + struct iovec entry; void __user *base; size_t len; int i; - /* - * Get user address base and length for this iovec. - */ - error = get_user(base, &iov->iov_base); - if (unlikely(error)) - break; - error = get_user(len, &iov->iov_len); - if (unlikely(error)) + error = -EFAULT; + if (copy_from_user_mmap_sem(&entry, iov, sizeof(entry))) break; + base = entry.iov_base; + len = entry.iov_len; + /* * Sanity check this iovec. 0 read succeeds. */ + error = 0; if (unlikely(!len)) break; error = -EFAULT;