[PATCH] compat_sys_vmsplice: one-off in UIO_MAXIOV check
[linux-2.6] / fs / splice.c
1 /*
2  * "splice": joining two ropes together by interweaving their strands.
3  *
4  * This is the "extended pipe" functionality, where a pipe is used as
5  * an arbitrary in-memory buffer. Think of a pipe as a small kernel
6  * buffer that you can use to transfer data from one end to the other.
7  *
8  * The traditional unix read/write is extended with a "splice()" operation
9  * that transfers data buffers to or from a pipe buffer.
10  *
11  * Named by Larry McVoy, original implementation from Linus, extended by
12  * Jens to support splicing to files, network, direct splicing, etc and
13  * fixing lots of bugs.
14  *
15  * Copyright (C) 2005-2006 Jens Axboe <axboe@suse.de>
16  * Copyright (C) 2005-2006 Linus Torvalds <torvalds@osdl.org>
17  * Copyright (C) 2006 Ingo Molnar <mingo@elte.hu>
18  *
19  */
20 #include <linux/fs.h>
21 #include <linux/file.h>
22 #include <linux/pagemap.h>
23 #include <linux/pipe_fs_i.h>
24 #include <linux/mm_inline.h>
25 #include <linux/swap.h>
26 #include <linux/writeback.h>
27 #include <linux/buffer_head.h>
28 #include <linux/module.h>
29 #include <linux/syscalls.h>
30 #include <linux/uio.h>
31
32 struct partial_page {
33         unsigned int offset;
34         unsigned int len;
35 };
36
37 /*
38  * Passed to splice_to_pipe
39  */
40 struct splice_pipe_desc {
41         struct page **pages;            /* page map */
42         struct partial_page *partial;   /* pages[] may not be contig */
43         int nr_pages;                   /* number of pages in map */
44         unsigned int flags;             /* splice flags */
45         struct pipe_buf_operations *ops;/* ops associated with output pipe */
46 };
47
48 /*
49  * Attempt to steal a page from a pipe buffer. This should perhaps go into
50  * a vm helper function, it's already simplified quite a bit by the
51  * addition of remove_mapping(). If success is returned, the caller may
52  * attempt to reuse this page for another destination.
53  */
54 static int page_cache_pipe_buf_steal(struct pipe_inode_info *pipe,
55                                      struct pipe_buffer *buf)
56 {
57         struct page *page = buf->page;
58         struct address_space *mapping = page_mapping(page);
59
60         lock_page(page);
61
62         WARN_ON(!PageUptodate(page));
63
64         /*
65          * At least for ext2 with nobh option, we need to wait on writeback
66          * completing on this page, since we'll remove it from the pagecache.
67          * Otherwise truncate wont wait on the page, allowing the disk
68          * blocks to be reused by someone else before we actually wrote our
69          * data to them. fs corruption ensues.
70          */
71         wait_on_page_writeback(page);
72
73         if (PagePrivate(page))
74                 try_to_release_page(page, mapping_gfp_mask(mapping));
75
76         if (!remove_mapping(mapping, page)) {
77                 unlock_page(page);
78                 return 1;
79         }
80
81         buf->flags |= PIPE_BUF_FLAG_LRU;
82         return 0;
83 }
84
85 static void page_cache_pipe_buf_release(struct pipe_inode_info *pipe,
86                                         struct pipe_buffer *buf)
87 {
88         page_cache_release(buf->page);
89         buf->flags &= ~PIPE_BUF_FLAG_LRU;
90 }
91
92 static int page_cache_pipe_buf_pin(struct pipe_inode_info *pipe,
93                                    struct pipe_buffer *buf)
94 {
95         struct page *page = buf->page;
96         int err;
97
98         if (!PageUptodate(page)) {
99                 lock_page(page);
100
101                 /*
102                  * Page got truncated/unhashed. This will cause a 0-byte
103                  * splice, if this is the first page.
104                  */
105                 if (!page->mapping) {
106                         err = -ENODATA;
107                         goto error;
108                 }
109
110                 /*
111                  * Uh oh, read-error from disk.
112                  */
113                 if (!PageUptodate(page)) {
114                         err = -EIO;
115                         goto error;
116                 }
117
118                 /*
119                  * Page is ok afterall, we are done.
120                  */
121                 unlock_page(page);
122         }
123
124         return 0;
125 error:
126         unlock_page(page);
127         return err;
128 }
129
130 static struct pipe_buf_operations page_cache_pipe_buf_ops = {
131         .can_merge = 0,
132         .map = generic_pipe_buf_map,
133         .unmap = generic_pipe_buf_unmap,
134         .pin = page_cache_pipe_buf_pin,
135         .release = page_cache_pipe_buf_release,
136         .steal = page_cache_pipe_buf_steal,
137         .get = generic_pipe_buf_get,
138 };
139
140 static int user_page_pipe_buf_steal(struct pipe_inode_info *pipe,
141                                     struct pipe_buffer *buf)
142 {
143         if (!(buf->flags & PIPE_BUF_FLAG_GIFT))
144                 return 1;
145
146         buf->flags |= PIPE_BUF_FLAG_LRU;
147         return generic_pipe_buf_steal(pipe, buf);
148 }
149
150 static struct pipe_buf_operations user_page_pipe_buf_ops = {
151         .can_merge = 0,
152         .map = generic_pipe_buf_map,
153         .unmap = generic_pipe_buf_unmap,
154         .pin = generic_pipe_buf_pin,
155         .release = page_cache_pipe_buf_release,
156         .steal = user_page_pipe_buf_steal,
157         .get = generic_pipe_buf_get,
158 };
159
160 /*
161  * Pipe output worker. This sets up our pipe format with the page cache
162  * pipe buffer operations. Otherwise very similar to the regular pipe_writev().
163  */
164 static ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
165                               struct splice_pipe_desc *spd)
166 {
167         int ret, do_wakeup, page_nr;
168
169         ret = 0;
170         do_wakeup = 0;
171         page_nr = 0;
172
173         if (pipe->inode)
174                 mutex_lock(&pipe->inode->i_mutex);
175
176         for (;;) {
177                 if (!pipe->readers) {
178                         send_sig(SIGPIPE, current, 0);
179                         if (!ret)
180                                 ret = -EPIPE;
181                         break;
182                 }
183
184                 if (pipe->nrbufs < PIPE_BUFFERS) {
185                         int newbuf = (pipe->curbuf + pipe->nrbufs) & (PIPE_BUFFERS - 1);
186                         struct pipe_buffer *buf = pipe->bufs + newbuf;
187
188                         buf->page = spd->pages[page_nr];
189                         buf->offset = spd->partial[page_nr].offset;
190                         buf->len = spd->partial[page_nr].len;
191                         buf->ops = spd->ops;
192                         if (spd->flags & SPLICE_F_GIFT)
193                                 buf->flags |= PIPE_BUF_FLAG_GIFT;
194
195                         pipe->nrbufs++;
196                         page_nr++;
197                         ret += buf->len;
198
199                         if (pipe->inode)
200                                 do_wakeup = 1;
201
202                         if (!--spd->nr_pages)
203                                 break;
204                         if (pipe->nrbufs < PIPE_BUFFERS)
205                                 continue;
206
207                         break;
208                 }
209
210                 if (spd->flags & SPLICE_F_NONBLOCK) {
211                         if (!ret)
212                                 ret = -EAGAIN;
213                         break;
214                 }
215
216                 if (signal_pending(current)) {
217                         if (!ret)
218                                 ret = -ERESTARTSYS;
219                         break;
220                 }
221
222                 if (do_wakeup) {
223                         smp_mb();
224                         if (waitqueue_active(&pipe->wait))
225                                 wake_up_interruptible_sync(&pipe->wait);
226                         kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
227                         do_wakeup = 0;
228                 }
229
230                 pipe->waiting_writers++;
231                 pipe_wait(pipe);
232                 pipe->waiting_writers--;
233         }
234
235         if (pipe->inode)
236                 mutex_unlock(&pipe->inode->i_mutex);
237
238         if (do_wakeup) {
239                 smp_mb();
240                 if (waitqueue_active(&pipe->wait))
241                         wake_up_interruptible(&pipe->wait);
242                 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
243         }
244
245         while (page_nr < spd->nr_pages)
246                 page_cache_release(spd->pages[page_nr++]);
247
248         return ret;
249 }
250
251 static int
252 __generic_file_splice_read(struct file *in, loff_t *ppos,
253                            struct pipe_inode_info *pipe, size_t len,
254                            unsigned int flags)
255 {
256         struct address_space *mapping = in->f_mapping;
257         unsigned int loff, nr_pages;
258         struct page *pages[PIPE_BUFFERS];
259         struct partial_page partial[PIPE_BUFFERS];
260         struct page *page;
261         pgoff_t index, end_index;
262         loff_t isize;
263         size_t total_len;
264         int error, page_nr;
265         struct splice_pipe_desc spd = {
266                 .pages = pages,
267                 .partial = partial,
268                 .flags = flags,
269                 .ops = &page_cache_pipe_buf_ops,
270         };
271
272         index = *ppos >> PAGE_CACHE_SHIFT;
273         loff = *ppos & ~PAGE_CACHE_MASK;
274         nr_pages = (len + loff + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
275
276         if (nr_pages > PIPE_BUFFERS)
277                 nr_pages = PIPE_BUFFERS;
278
279         /*
280          * Initiate read-ahead on this page range. however, don't call into
281          * read-ahead if this is a non-zero offset (we are likely doing small
282          * chunk splice and the page is already there) for a single page.
283          */
284         if (!loff || nr_pages > 1)
285                 page_cache_readahead(mapping, &in->f_ra, in, index, nr_pages);
286
287         /*
288          * Now fill in the holes:
289          */
290         error = 0;
291         total_len = 0;
292
293         /*
294          * Lookup the (hopefully) full range of pages we need.
295          */
296         spd.nr_pages = find_get_pages_contig(mapping, index, nr_pages, pages);
297
298         /*
299          * If find_get_pages_contig() returned fewer pages than we needed,
300          * allocate the rest.
301          */
302         index += spd.nr_pages;
303         while (spd.nr_pages < nr_pages) {
304                 /*
305                  * Page could be there, find_get_pages_contig() breaks on
306                  * the first hole.
307                  */
308                 page = find_get_page(mapping, index);
309                 if (!page) {
310                         /*
311                          * Make sure the read-ahead engine is notified
312                          * about this failure.
313                          */
314                         handle_ra_miss(mapping, &in->f_ra, index);
315
316                         /*
317                          * page didn't exist, allocate one.
318                          */
319                         page = page_cache_alloc_cold(mapping);
320                         if (!page)
321                                 break;
322
323                         error = add_to_page_cache_lru(page, mapping, index,
324                                               mapping_gfp_mask(mapping));
325                         if (unlikely(error)) {
326                                 page_cache_release(page);
327                                 if (error == -EEXIST)
328                                         continue;
329                                 break;
330                         }
331                         /*
332                          * add_to_page_cache() locks the page, unlock it
333                          * to avoid convoluting the logic below even more.
334                          */
335                         unlock_page(page);
336                 }
337
338                 pages[spd.nr_pages++] = page;
339                 index++;
340         }
341
342         /*
343          * Now loop over the map and see if we need to start IO on any
344          * pages, fill in the partial map, etc.
345          */
346         index = *ppos >> PAGE_CACHE_SHIFT;
347         nr_pages = spd.nr_pages;
348         spd.nr_pages = 0;
349         for (page_nr = 0; page_nr < nr_pages; page_nr++) {
350                 unsigned int this_len;
351
352                 if (!len)
353                         break;
354
355                 /*
356                  * this_len is the max we'll use from this page
357                  */
358                 this_len = min_t(unsigned long, len, PAGE_CACHE_SIZE - loff);
359                 page = pages[page_nr];
360
361                 /*
362                  * If the page isn't uptodate, we may need to start io on it
363                  */
364                 if (!PageUptodate(page)) {
365                         /*
366                          * If in nonblock mode then dont block on waiting
367                          * for an in-flight io page
368                          */
369                         if (flags & SPLICE_F_NONBLOCK)
370                                 break;
371
372                         lock_page(page);
373
374                         /*
375                          * page was truncated, stop here. if this isn't the
376                          * first page, we'll just complete what we already
377                          * added
378                          */
379                         if (!page->mapping) {
380                                 unlock_page(page);
381                                 break;
382                         }
383                         /*
384                          * page was already under io and is now done, great
385                          */
386                         if (PageUptodate(page)) {
387                                 unlock_page(page);
388                                 goto fill_it;
389                         }
390
391                         /*
392                          * need to read in the page
393                          */
394                         error = mapping->a_ops->readpage(in, page);
395                         if (unlikely(error)) {
396                                 /*
397                                  * We really should re-lookup the page here,
398                                  * but it complicates things a lot. Instead
399                                  * lets just do what we already stored, and
400                                  * we'll get it the next time we are called.
401                                  */
402                                 if (error == AOP_TRUNCATED_PAGE)
403                                         error = 0;
404
405                                 break;
406                         }
407
408                         /*
409                          * i_size must be checked after ->readpage().
410                          */
411                         isize = i_size_read(mapping->host);
412                         end_index = (isize - 1) >> PAGE_CACHE_SHIFT;
413                         if (unlikely(!isize || index > end_index))
414                                 break;
415
416                         /*
417                          * if this is the last page, see if we need to shrink
418                          * the length and stop
419                          */
420                         if (end_index == index) {
421                                 loff = PAGE_CACHE_SIZE - (isize & ~PAGE_CACHE_MASK);
422                                 if (total_len + loff > isize)
423                                         break;
424                                 /*
425                                  * force quit after adding this page
426                                  */
427                                 len = this_len;
428                                 this_len = min(this_len, loff);
429                                 loff = 0;
430                         }
431                 }
432 fill_it:
433                 partial[page_nr].offset = loff;
434                 partial[page_nr].len = this_len;
435                 len -= this_len;
436                 total_len += this_len;
437                 loff = 0;
438                 spd.nr_pages++;
439                 index++;
440         }
441
442         /*
443          * Release any pages at the end, if we quit early. 'i' is how far
444          * we got, 'nr_pages' is how many pages are in the map.
445          */
446         while (page_nr < nr_pages)
447                 page_cache_release(pages[page_nr++]);
448
449         if (spd.nr_pages)
450                 return splice_to_pipe(pipe, &spd);
451
452         return error;
453 }
454
455 /**
456  * generic_file_splice_read - splice data from file to a pipe
457  * @in:         file to splice from
458  * @pipe:       pipe to splice to
459  * @len:        number of bytes to splice
460  * @flags:      splice modifier flags
461  *
462  * Will read pages from given file and fill them into a pipe.
463  */
464 ssize_t generic_file_splice_read(struct file *in, loff_t *ppos,
465                                  struct pipe_inode_info *pipe, size_t len,
466                                  unsigned int flags)
467 {
468         ssize_t spliced;
469         int ret;
470
471         ret = 0;
472         spliced = 0;
473
474         while (len) {
475                 ret = __generic_file_splice_read(in, ppos, pipe, len, flags);
476
477                 if (ret < 0)
478                         break;
479                 else if (!ret) {
480                         if (spliced)
481                                 break;
482                         if (flags & SPLICE_F_NONBLOCK) {
483                                 ret = -EAGAIN;
484                                 break;
485                         }
486                 }
487
488                 *ppos += ret;
489                 len -= ret;
490                 spliced += ret;
491         }
492
493         if (spliced)
494                 return spliced;
495
496         return ret;
497 }
498
499 EXPORT_SYMBOL(generic_file_splice_read);
500
501 /*
502  * Send 'sd->len' bytes to socket from 'sd->file' at position 'sd->pos'
503  * using sendpage(). Return the number of bytes sent.
504  */
505 static int pipe_to_sendpage(struct pipe_inode_info *pipe,
506                             struct pipe_buffer *buf, struct splice_desc *sd)
507 {
508         struct file *file = sd->file;
509         loff_t pos = sd->pos;
510         int ret, more;
511
512         ret = buf->ops->pin(pipe, buf);
513         if (!ret) {
514                 more = (sd->flags & SPLICE_F_MORE) || sd->len < sd->total_len;
515
516                 ret = file->f_op->sendpage(file, buf->page, buf->offset,
517                                            sd->len, &pos, more);
518         }
519
520         return ret;
521 }
522
523 /*
524  * This is a little more tricky than the file -> pipe splicing. There are
525  * basically three cases:
526  *
527  *      - Destination page already exists in the address space and there
528  *        are users of it. For that case we have no other option that
529  *        copying the data. Tough luck.
530  *      - Destination page already exists in the address space, but there
531  *        are no users of it. Make sure it's uptodate, then drop it. Fall
532  *        through to last case.
533  *      - Destination page does not exist, we can add the pipe page to
534  *        the page cache and avoid the copy.
535  *
536  * If asked to move pages to the output file (SPLICE_F_MOVE is set in
537  * sd->flags), we attempt to migrate pages from the pipe to the output
538  * file address space page cache. This is possible if no one else has
539  * the pipe page referenced outside of the pipe and page cache. If
540  * SPLICE_F_MOVE isn't set, or we cannot move the page, we simply create
541  * a new page in the output file page cache and fill/dirty that.
542  */
543 static int pipe_to_file(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
544                         struct splice_desc *sd)
545 {
546         struct file *file = sd->file;
547         struct address_space *mapping = file->f_mapping;
548         gfp_t gfp_mask = mapping_gfp_mask(mapping);
549         unsigned int offset, this_len;
550         struct page *page;
551         pgoff_t index;
552         int ret;
553
554         /*
555          * make sure the data in this buffer is uptodate
556          */
557         ret = buf->ops->pin(pipe, buf);
558         if (unlikely(ret))
559                 return ret;
560
561         index = sd->pos >> PAGE_CACHE_SHIFT;
562         offset = sd->pos & ~PAGE_CACHE_MASK;
563
564         this_len = sd->len;
565         if (this_len + offset > PAGE_CACHE_SIZE)
566                 this_len = PAGE_CACHE_SIZE - offset;
567
568         /*
569          * Reuse buf page, if SPLICE_F_MOVE is set and we are doing a full
570          * page.
571          */
572         if ((sd->flags & SPLICE_F_MOVE) && this_len == PAGE_CACHE_SIZE) {
573                 /*
574                  * If steal succeeds, buf->page is now pruned from the
575                  * pagecache and we can reuse it. The page will also be
576                  * locked on successful return.
577                  */
578                 if (buf->ops->steal(pipe, buf))
579                         goto find_page;
580
581                 page = buf->page;
582                 if (add_to_page_cache(page, mapping, index, gfp_mask)) {
583                         unlock_page(page);
584                         goto find_page;
585                 }
586
587                 page_cache_get(page);
588
589                 if (!(buf->flags & PIPE_BUF_FLAG_LRU))
590                         lru_cache_add(page);
591         } else {
592 find_page:
593                 page = find_lock_page(mapping, index);
594                 if (!page) {
595                         ret = -ENOMEM;
596                         page = page_cache_alloc_cold(mapping);
597                         if (unlikely(!page))
598                                 goto out_nomem;
599
600                         /*
601                          * This will also lock the page
602                          */
603                         ret = add_to_page_cache_lru(page, mapping, index,
604                                                     gfp_mask);
605                         if (unlikely(ret))
606                                 goto out;
607                 }
608
609                 /*
610                  * We get here with the page locked. If the page is also
611                  * uptodate, we don't need to do more. If it isn't, we
612                  * may need to bring it in if we are not going to overwrite
613                  * the full page.
614                  */
615                 if (!PageUptodate(page)) {
616                         if (this_len < PAGE_CACHE_SIZE) {
617                                 ret = mapping->a_ops->readpage(file, page);
618                                 if (unlikely(ret))
619                                         goto out;
620
621                                 lock_page(page);
622
623                                 if (!PageUptodate(page)) {
624                                         /*
625                                          * Page got invalidated, repeat.
626                                          */
627                                         if (!page->mapping) {
628                                                 unlock_page(page);
629                                                 page_cache_release(page);
630                                                 goto find_page;
631                                         }
632                                         ret = -EIO;
633                                         goto out;
634                                 }
635                         } else
636                                 SetPageUptodate(page);
637                 }
638         }
639
640         ret = mapping->a_ops->prepare_write(file, page, offset, offset+this_len);
641         if (unlikely(ret)) {
642                 loff_t isize = i_size_read(mapping->host);
643
644                 if (ret != AOP_TRUNCATED_PAGE)
645                         unlock_page(page);
646                 page_cache_release(page);
647                 if (ret == AOP_TRUNCATED_PAGE)
648                         goto find_page;
649
650                 /*
651                  * prepare_write() may have instantiated a few blocks
652                  * outside i_size.  Trim these off again.
653                  */
654                 if (sd->pos + this_len > isize)
655                         vmtruncate(mapping->host, isize);
656
657                 goto out;
658         }
659
660         if (buf->page != page) {
661                 /*
662                  * Careful, ->map() uses KM_USER0!
663                  */
664                 char *src = buf->ops->map(pipe, buf, 1);
665                 char *dst = kmap_atomic(page, KM_USER1);
666
667                 memcpy(dst + offset, src + buf->offset, this_len);
668                 flush_dcache_page(page);
669                 kunmap_atomic(dst, KM_USER1);
670                 buf->ops->unmap(pipe, buf, src);
671         }
672
673         ret = mapping->a_ops->commit_write(file, page, offset, offset+this_len);
674         if (!ret) {
675                 /*
676                  * Return the number of bytes written and mark page as
677                  * accessed, we are now done!
678                  */
679                 ret = this_len;
680                 mark_page_accessed(page);
681                 balance_dirty_pages_ratelimited(mapping);
682         } else if (ret == AOP_TRUNCATED_PAGE) {
683                 page_cache_release(page);
684                 goto find_page;
685         }
686 out:
687         page_cache_release(page);
688         unlock_page(page);
689 out_nomem:
690         return ret;
691 }
692
693 /*
694  * Pipe input worker. Most of this logic works like a regular pipe, the
695  * key here is the 'actor' worker passed in that actually moves the data
696  * to the wanted destination. See pipe_to_file/pipe_to_sendpage above.
697  */
698 ssize_t splice_from_pipe(struct pipe_inode_info *pipe, struct file *out,
699                          loff_t *ppos, size_t len, unsigned int flags,
700                          splice_actor *actor)
701 {
702         int ret, do_wakeup, err;
703         struct splice_desc sd;
704
705         ret = 0;
706         do_wakeup = 0;
707
708         sd.total_len = len;
709         sd.flags = flags;
710         sd.file = out;
711         sd.pos = *ppos;
712
713         if (pipe->inode)
714                 mutex_lock(&pipe->inode->i_mutex);
715
716         for (;;) {
717                 if (pipe->nrbufs) {
718                         struct pipe_buffer *buf = pipe->bufs + pipe->curbuf;
719                         struct pipe_buf_operations *ops = buf->ops;
720
721                         sd.len = buf->len;
722                         if (sd.len > sd.total_len)
723                                 sd.len = sd.total_len;
724
725                         err = actor(pipe, buf, &sd);
726                         if (err <= 0) {
727                                 if (!ret && err != -ENODATA)
728                                         ret = err;
729
730                                 break;
731                         }
732
733                         ret += err;
734                         buf->offset += err;
735                         buf->len -= err;
736
737                         sd.len -= err;
738                         sd.pos += err;
739                         sd.total_len -= err;
740                         if (sd.len)
741                                 continue;
742
743                         if (!buf->len) {
744                                 buf->ops = NULL;
745                                 ops->release(pipe, buf);
746                                 pipe->curbuf = (pipe->curbuf + 1) & (PIPE_BUFFERS - 1);
747                                 pipe->nrbufs--;
748                                 if (pipe->inode)
749                                         do_wakeup = 1;
750                         }
751
752                         if (!sd.total_len)
753                                 break;
754                 }
755
756                 if (pipe->nrbufs)
757                         continue;
758                 if (!pipe->writers)
759                         break;
760                 if (!pipe->waiting_writers) {
761                         if (ret)
762                                 break;
763                 }
764
765                 if (flags & SPLICE_F_NONBLOCK) {
766                         if (!ret)
767                                 ret = -EAGAIN;
768                         break;
769                 }
770
771                 if (signal_pending(current)) {
772                         if (!ret)
773                                 ret = -ERESTARTSYS;
774                         break;
775                 }
776
777                 if (do_wakeup) {
778                         smp_mb();
779                         if (waitqueue_active(&pipe->wait))
780                                 wake_up_interruptible_sync(&pipe->wait);
781                         kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
782                         do_wakeup = 0;
783                 }
784
785                 pipe_wait(pipe);
786         }
787
788         if (pipe->inode)
789                 mutex_unlock(&pipe->inode->i_mutex);
790
791         if (do_wakeup) {
792                 smp_mb();
793                 if (waitqueue_active(&pipe->wait))
794                         wake_up_interruptible(&pipe->wait);
795                 kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
796         }
797
798         return ret;
799 }
800
801 /**
802  * generic_file_splice_write - splice data from a pipe to a file
803  * @pipe:       pipe info
804  * @out:        file to write to
805  * @len:        number of bytes to splice
806  * @flags:      splice modifier flags
807  *
808  * Will either move or copy pages (determined by @flags options) from
809  * the given pipe inode to the given file.
810  *
811  */
812 ssize_t
813 generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
814                           loff_t *ppos, size_t len, unsigned int flags)
815 {
816         struct address_space *mapping = out->f_mapping;
817         ssize_t ret;
818
819         ret = splice_from_pipe(pipe, out, ppos, len, flags, pipe_to_file);
820         if (ret > 0) {
821                 struct inode *inode = mapping->host;
822
823                 *ppos += ret;
824
825                 /*
826                  * If file or inode is SYNC and we actually wrote some data,
827                  * sync it.
828                  */
829                 if (unlikely((out->f_flags & O_SYNC) || IS_SYNC(inode))) {
830                         int err;
831
832                         mutex_lock(&inode->i_mutex);
833                         err = generic_osync_inode(inode, mapping,
834                                                   OSYNC_METADATA|OSYNC_DATA);
835                         mutex_unlock(&inode->i_mutex);
836
837                         if (err)
838                                 ret = err;
839                 }
840         }
841
842         return ret;
843 }
844
845 EXPORT_SYMBOL(generic_file_splice_write);
846
847 /**
848  * generic_splice_sendpage - splice data from a pipe to a socket
849  * @inode:      pipe inode
850  * @out:        socket to write to
851  * @len:        number of bytes to splice
852  * @flags:      splice modifier flags
853  *
854  * Will send @len bytes from the pipe to a network socket. No data copying
855  * is involved.
856  *
857  */
858 ssize_t generic_splice_sendpage(struct pipe_inode_info *pipe, struct file *out,
859                                 loff_t *ppos, size_t len, unsigned int flags)
860 {
861         return splice_from_pipe(pipe, out, ppos, len, flags, pipe_to_sendpage);
862 }
863
864 EXPORT_SYMBOL(generic_splice_sendpage);
865
866 /*
867  * Attempt to initiate a splice from pipe to file.
868  */
869 static long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
870                            loff_t *ppos, size_t len, unsigned int flags)
871 {
872         int ret;
873
874         if (unlikely(!out->f_op || !out->f_op->splice_write))
875                 return -EINVAL;
876
877         if (unlikely(!(out->f_mode & FMODE_WRITE)))
878                 return -EBADF;
879
880         ret = rw_verify_area(WRITE, out, ppos, len);
881         if (unlikely(ret < 0))
882                 return ret;
883
884         return out->f_op->splice_write(pipe, out, ppos, len, flags);
885 }
886
887 /*
888  * Attempt to initiate a splice from a file to a pipe.
889  */
890 static long do_splice_to(struct file *in, loff_t *ppos,
891                          struct pipe_inode_info *pipe, size_t len,
892                          unsigned int flags)
893 {
894         loff_t isize, left;
895         int ret;
896
897         if (unlikely(!in->f_op || !in->f_op->splice_read))
898                 return -EINVAL;
899
900         if (unlikely(!(in->f_mode & FMODE_READ)))
901                 return -EBADF;
902
903         ret = rw_verify_area(READ, in, ppos, len);
904         if (unlikely(ret < 0))
905                 return ret;
906
907         isize = i_size_read(in->f_mapping->host);
908         if (unlikely(*ppos >= isize))
909                 return 0;
910         
911         left = isize - *ppos;
912         if (unlikely(left < len))
913                 len = left;
914
915         return in->f_op->splice_read(in, ppos, pipe, len, flags);
916 }
917
918 long do_splice_direct(struct file *in, loff_t *ppos, struct file *out,
919                       size_t len, unsigned int flags)
920 {
921         struct pipe_inode_info *pipe;
922         long ret, bytes;
923         loff_t out_off;
924         umode_t i_mode;
925         int i;
926
927         /*
928          * We require the input being a regular file, as we don't want to
929          * randomly drop data for eg socket -> socket splicing. Use the
930          * piped splicing for that!
931          */
932         i_mode = in->f_dentry->d_inode->i_mode;
933         if (unlikely(!S_ISREG(i_mode) && !S_ISBLK(i_mode)))
934                 return -EINVAL;
935
936         /*
937          * neither in nor out is a pipe, setup an internal pipe attached to
938          * 'out' and transfer the wanted data from 'in' to 'out' through that
939          */
940         pipe = current->splice_pipe;
941         if (unlikely(!pipe)) {
942                 pipe = alloc_pipe_info(NULL);
943                 if (!pipe)
944                         return -ENOMEM;
945
946                 /*
947                  * We don't have an immediate reader, but we'll read the stuff
948                  * out of the pipe right after the splice_to_pipe(). So set
949                  * PIPE_READERS appropriately.
950                  */
951                 pipe->readers = 1;
952
953                 current->splice_pipe = pipe;
954         }
955
956         /*
957          * Do the splice.
958          */
959         ret = 0;
960         bytes = 0;
961         out_off = 0;
962
963         while (len) {
964                 size_t read_len, max_read_len;
965
966                 /*
967                  * Do at most PIPE_BUFFERS pages worth of transfer:
968                  */
969                 max_read_len = min(len, (size_t)(PIPE_BUFFERS*PAGE_SIZE));
970
971                 ret = do_splice_to(in, ppos, pipe, max_read_len, flags);
972                 if (unlikely(ret < 0))
973                         goto out_release;
974
975                 read_len = ret;
976
977                 /*
978                  * NOTE: nonblocking mode only applies to the input. We
979                  * must not do the output in nonblocking mode as then we
980                  * could get stuck data in the internal pipe:
981                  */
982                 ret = do_splice_from(pipe, out, &out_off, read_len,
983                                      flags & ~SPLICE_F_NONBLOCK);
984                 if (unlikely(ret < 0))
985                         goto out_release;
986
987                 bytes += ret;
988                 len -= ret;
989
990                 /*
991                  * In nonblocking mode, if we got back a short read then
992                  * that was due to either an IO error or due to the
993                  * pagecache entry not being there. In the IO error case
994                  * the _next_ splice attempt will produce a clean IO error
995                  * return value (not a short read), so in both cases it's
996                  * correct to break out of the loop here:
997                  */
998                 if ((flags & SPLICE_F_NONBLOCK) && (read_len < max_read_len))
999                         break;
1000         }
1001
1002         pipe->nrbufs = pipe->curbuf = 0;
1003
1004         return bytes;
1005
1006 out_release:
1007         /*
1008          * If we did an incomplete transfer we must release
1009          * the pipe buffers in question:
1010          */
1011         for (i = 0; i < PIPE_BUFFERS; i++) {
1012                 struct pipe_buffer *buf = pipe->bufs + i;
1013
1014                 if (buf->ops) {
1015                         buf->ops->release(pipe, buf);
1016                         buf->ops = NULL;
1017                 }
1018         }
1019         pipe->nrbufs = pipe->curbuf = 0;
1020
1021         /*
1022          * If we transferred some data, return the number of bytes:
1023          */
1024         if (bytes > 0)
1025                 return bytes;
1026
1027         return ret;
1028 }
1029
1030 EXPORT_SYMBOL(do_splice_direct);
1031
1032 /*
1033  * Determine where to splice to/from.
1034  */
1035 static long do_splice(struct file *in, loff_t __user *off_in,
1036                       struct file *out, loff_t __user *off_out,
1037                       size_t len, unsigned int flags)
1038 {
1039         struct pipe_inode_info *pipe;
1040         loff_t offset, *off;
1041         long ret;
1042
1043         pipe = in->f_dentry->d_inode->i_pipe;
1044         if (pipe) {
1045                 if (off_in)
1046                         return -ESPIPE;
1047                 if (off_out) {
1048                         if (out->f_op->llseek == no_llseek)
1049                                 return -EINVAL;
1050                         if (copy_from_user(&offset, off_out, sizeof(loff_t)))
1051                                 return -EFAULT;
1052                         off = &offset;
1053                 } else
1054                         off = &out->f_pos;
1055
1056                 ret = do_splice_from(pipe, out, off, len, flags);
1057
1058                 if (off_out && copy_to_user(off_out, off, sizeof(loff_t)))
1059                         ret = -EFAULT;
1060
1061                 return ret;
1062         }
1063
1064         pipe = out->f_dentry->d_inode->i_pipe;
1065         if (pipe) {
1066                 if (off_out)
1067                         return -ESPIPE;
1068                 if (off_in) {
1069                         if (in->f_op->llseek == no_llseek)
1070                                 return -EINVAL;
1071                         if (copy_from_user(&offset, off_in, sizeof(loff_t)))
1072                                 return -EFAULT;
1073                         off = &offset;
1074                 } else
1075                         off = &in->f_pos;
1076
1077                 ret = do_splice_to(in, off, pipe, len, flags);
1078
1079                 if (off_in && copy_to_user(off_in, off, sizeof(loff_t)))
1080                         ret = -EFAULT;
1081
1082                 return ret;
1083         }
1084
1085         return -EINVAL;
1086 }
1087
1088 /*
1089  * Map an iov into an array of pages and offset/length tupples. With the
1090  * partial_page structure, we can map several non-contiguous ranges into
1091  * our ones pages[] map instead of splitting that operation into pieces.
1092  * Could easily be exported as a generic helper for other users, in which
1093  * case one would probably want to add a 'max_nr_pages' parameter as well.
1094  */
1095 static int get_iovec_page_array(const struct iovec __user *iov,
1096                                 unsigned int nr_vecs, struct page **pages,
1097                                 struct partial_page *partial, int aligned)
1098 {
1099         int buffers = 0, error = 0;
1100
1101         /*
1102          * It's ok to take the mmap_sem for reading, even
1103          * across a "get_user()".
1104          */
1105         down_read(&current->mm->mmap_sem);
1106
1107         while (nr_vecs) {
1108                 unsigned long off, npages;
1109                 void __user *base;
1110                 size_t len;
1111                 int i;
1112
1113                 /*
1114                  * Get user address base and length for this iovec.
1115                  */
1116                 error = get_user(base, &iov->iov_base);
1117                 if (unlikely(error))
1118                         break;
1119                 error = get_user(len, &iov->iov_len);
1120                 if (unlikely(error))
1121                         break;
1122
1123                 /*
1124                  * Sanity check this iovec. 0 read succeeds.
1125                  */
1126                 if (unlikely(!len))
1127                         break;
1128                 error = -EFAULT;
1129                 if (unlikely(!base))
1130                         break;
1131
1132                 /*
1133                  * Get this base offset and number of pages, then map
1134                  * in the user pages.
1135                  */
1136                 off = (unsigned long) base & ~PAGE_MASK;
1137
1138                 /*
1139                  * If asked for alignment, the offset must be zero and the
1140                  * length a multiple of the PAGE_SIZE.
1141                  */
1142                 error = -EINVAL;
1143                 if (aligned && (off || len & ~PAGE_MASK))
1144                         break;
1145
1146                 npages = (off + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
1147                 if (npages > PIPE_BUFFERS - buffers)
1148                         npages = PIPE_BUFFERS - buffers;
1149
1150                 error = get_user_pages(current, current->mm,
1151                                        (unsigned long) base, npages, 0, 0,
1152                                        &pages[buffers], NULL);
1153
1154                 if (unlikely(error <= 0))
1155                         break;
1156
1157                 /*
1158                  * Fill this contiguous range into the partial page map.
1159                  */
1160                 for (i = 0; i < error; i++) {
1161                         const int plen = min_t(size_t, len, PAGE_SIZE - off);
1162
1163                         partial[buffers].offset = off;
1164                         partial[buffers].len = plen;
1165
1166                         off = 0;
1167                         len -= plen;
1168                         buffers++;
1169                 }
1170
1171                 /*
1172                  * We didn't complete this iov, stop here since it probably
1173                  * means we have to move some of this into a pipe to
1174                  * be able to continue.
1175                  */
1176                 if (len)
1177                         break;
1178
1179                 /*
1180                  * Don't continue if we mapped fewer pages than we asked for,
1181                  * or if we mapped the max number of pages that we have
1182                  * room for.
1183                  */
1184                 if (error < npages || buffers == PIPE_BUFFERS)
1185                         break;
1186
1187                 nr_vecs--;
1188                 iov++;
1189         }
1190
1191         up_read(&current->mm->mmap_sem);
1192
1193         if (buffers)
1194                 return buffers;
1195
1196         return error;
1197 }
1198
1199 /*
1200  * vmsplice splices a user address range into a pipe. It can be thought of
1201  * as splice-from-memory, where the regular splice is splice-from-file (or
1202  * to file). In both cases the output is a pipe, naturally.
1203  *
1204  * Note that vmsplice only supports splicing _from_ user memory to a pipe,
1205  * not the other way around. Splicing from user memory is a simple operation
1206  * that can be supported without any funky alignment restrictions or nasty
1207  * vm tricks. We simply map in the user memory and fill them into a pipe.
1208  * The reverse isn't quite as easy, though. There are two possible solutions
1209  * for that:
1210  *
1211  *      - memcpy() the data internally, at which point we might as well just
1212  *        do a regular read() on the buffer anyway.
1213  *      - Lots of nasty vm tricks, that are neither fast nor flexible (it
1214  *        has restriction limitations on both ends of the pipe).
1215  *
1216  * Alas, it isn't here.
1217  *
1218  */
1219 static long do_vmsplice(struct file *file, const struct iovec __user *iov,
1220                         unsigned long nr_segs, unsigned int flags)
1221 {
1222         struct pipe_inode_info *pipe = file->f_dentry->d_inode->i_pipe;
1223         struct page *pages[PIPE_BUFFERS];
1224         struct partial_page partial[PIPE_BUFFERS];
1225         struct splice_pipe_desc spd = {
1226                 .pages = pages,
1227                 .partial = partial,
1228                 .flags = flags,
1229                 .ops = &user_page_pipe_buf_ops,
1230         };
1231
1232         if (unlikely(!pipe))
1233                 return -EBADF;
1234         if (unlikely(nr_segs > UIO_MAXIOV))
1235                 return -EINVAL;
1236         else if (unlikely(!nr_segs))
1237                 return 0;
1238
1239         spd.nr_pages = get_iovec_page_array(iov, nr_segs, pages, partial,
1240                                             flags & SPLICE_F_GIFT);
1241         if (spd.nr_pages <= 0)
1242                 return spd.nr_pages;
1243
1244         return splice_to_pipe(pipe, &spd);
1245 }
1246
1247 asmlinkage long sys_vmsplice(int fd, const struct iovec __user *iov,
1248                              unsigned long nr_segs, unsigned int flags)
1249 {
1250         struct file *file;
1251         long error;
1252         int fput;
1253
1254         error = -EBADF;
1255         file = fget_light(fd, &fput);
1256         if (file) {
1257                 if (file->f_mode & FMODE_WRITE)
1258                         error = do_vmsplice(file, iov, nr_segs, flags);
1259
1260                 fput_light(file, fput);
1261         }
1262
1263         return error;
1264 }
1265
1266 asmlinkage long sys_splice(int fd_in, loff_t __user *off_in,
1267                            int fd_out, loff_t __user *off_out,
1268                            size_t len, unsigned int flags)
1269 {
1270         long error;
1271         struct file *in, *out;
1272         int fput_in, fput_out;
1273
1274         if (unlikely(!len))
1275                 return 0;
1276
1277         error = -EBADF;
1278         in = fget_light(fd_in, &fput_in);
1279         if (in) {
1280                 if (in->f_mode & FMODE_READ) {
1281                         out = fget_light(fd_out, &fput_out);
1282                         if (out) {
1283                                 if (out->f_mode & FMODE_WRITE)
1284                                         error = do_splice(in, off_in,
1285                                                           out, off_out,
1286                                                           len, flags);
1287                                 fput_light(out, fput_out);
1288                         }
1289                 }
1290
1291                 fput_light(in, fput_in);
1292         }
1293
1294         return error;
1295 }
1296
1297 /*
1298  * Link contents of ipipe to opipe.
1299  */
1300 static int link_pipe(struct pipe_inode_info *ipipe,
1301                      struct pipe_inode_info *opipe,
1302                      size_t len, unsigned int flags)
1303 {
1304         struct pipe_buffer *ibuf, *obuf;
1305         int ret, do_wakeup, i, ipipe_first;
1306
1307         ret = do_wakeup = ipipe_first = 0;
1308
1309         /*
1310          * Potential ABBA deadlock, work around it by ordering lock
1311          * grabbing by inode address. Otherwise two different processes
1312          * could deadlock (one doing tee from A -> B, the other from B -> A).
1313          */
1314         if (ipipe->inode < opipe->inode) {
1315                 ipipe_first = 1;
1316                 mutex_lock(&ipipe->inode->i_mutex);
1317                 mutex_lock(&opipe->inode->i_mutex);
1318         } else {
1319                 mutex_lock(&opipe->inode->i_mutex);
1320                 mutex_lock(&ipipe->inode->i_mutex);
1321         }
1322
1323         for (i = 0;; i++) {
1324                 if (!opipe->readers) {
1325                         send_sig(SIGPIPE, current, 0);
1326                         if (!ret)
1327                                 ret = -EPIPE;
1328                         break;
1329                 }
1330                 if (ipipe->nrbufs - i) {
1331                         ibuf = ipipe->bufs + ((ipipe->curbuf + i) & (PIPE_BUFFERS - 1));
1332
1333                         /*
1334                          * If we have room, fill this buffer
1335                          */
1336                         if (opipe->nrbufs < PIPE_BUFFERS) {
1337                                 int nbuf = (opipe->curbuf + opipe->nrbufs) & (PIPE_BUFFERS - 1);
1338
1339                                 /*
1340                                  * Get a reference to this pipe buffer,
1341                                  * so we can copy the contents over.
1342                                  */
1343                                 ibuf->ops->get(ipipe, ibuf);
1344
1345                                 obuf = opipe->bufs + nbuf;
1346                                 *obuf = *ibuf;
1347
1348                                 /*
1349                                  * Don't inherit the gift flag, we need to
1350                                  * prevent multiple steals of this page.
1351                                  */
1352                                 obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
1353
1354                                 if (obuf->len > len)
1355                                         obuf->len = len;
1356
1357                                 opipe->nrbufs++;
1358                                 do_wakeup = 1;
1359                                 ret += obuf->len;
1360                                 len -= obuf->len;
1361
1362                                 if (!len)
1363                                         break;
1364                                 if (opipe->nrbufs < PIPE_BUFFERS)
1365                                         continue;
1366                         }
1367
1368                         /*
1369                          * We have input available, but no output room.
1370                          * If we already copied data, return that. If we
1371                          * need to drop the opipe lock, it must be ordered
1372                          * last to avoid deadlocks.
1373                          */
1374                         if ((flags & SPLICE_F_NONBLOCK) || !ipipe_first) {
1375                                 if (!ret)
1376                                         ret = -EAGAIN;
1377                                 break;
1378                         }
1379                         if (signal_pending(current)) {
1380                                 if (!ret)
1381                                         ret = -ERESTARTSYS;
1382                                 break;
1383                         }
1384                         if (do_wakeup) {
1385                                 smp_mb();
1386                                 if (waitqueue_active(&opipe->wait))
1387                                         wake_up_interruptible(&opipe->wait);
1388                                 kill_fasync(&opipe->fasync_readers, SIGIO, POLL_IN);
1389                                 do_wakeup = 0;
1390                         }
1391
1392                         opipe->waiting_writers++;
1393                         pipe_wait(opipe);
1394                         opipe->waiting_writers--;
1395                         continue;
1396                 }
1397
1398                 /*
1399                  * No input buffers, do the usual checks for available
1400                  * writers and blocking and wait if necessary
1401                  */
1402                 if (!ipipe->writers)
1403                         break;
1404                 if (!ipipe->waiting_writers) {
1405                         if (ret)
1406                                 break;
1407                 }
1408                 /*
1409                  * pipe_wait() drops the ipipe mutex. To avoid deadlocks
1410                  * with another process, we can only safely do that if
1411                  * the ipipe lock is ordered last.
1412                  */
1413                 if ((flags & SPLICE_F_NONBLOCK) || ipipe_first) {
1414                         if (!ret)
1415                                 ret = -EAGAIN;
1416                         break;
1417                 }
1418                 if (signal_pending(current)) {
1419                         if (!ret)
1420                                 ret = -ERESTARTSYS;
1421                         break;
1422                 }
1423
1424                 if (waitqueue_active(&ipipe->wait))
1425                         wake_up_interruptible_sync(&ipipe->wait);
1426                 kill_fasync(&ipipe->fasync_writers, SIGIO, POLL_OUT);
1427
1428                 pipe_wait(ipipe);
1429         }
1430
1431         mutex_unlock(&ipipe->inode->i_mutex);
1432         mutex_unlock(&opipe->inode->i_mutex);
1433
1434         if (do_wakeup) {
1435                 smp_mb();
1436                 if (waitqueue_active(&opipe->wait))
1437                         wake_up_interruptible(&opipe->wait);
1438                 kill_fasync(&opipe->fasync_readers, SIGIO, POLL_IN);
1439         }
1440
1441         return ret;
1442 }
1443
1444 /*
1445  * This is a tee(1) implementation that works on pipes. It doesn't copy
1446  * any data, it simply references the 'in' pages on the 'out' pipe.
1447  * The 'flags' used are the SPLICE_F_* variants, currently the only
1448  * applicable one is SPLICE_F_NONBLOCK.
1449  */
1450 static long do_tee(struct file *in, struct file *out, size_t len,
1451                    unsigned int flags)
1452 {
1453         struct pipe_inode_info *ipipe = in->f_dentry->d_inode->i_pipe;
1454         struct pipe_inode_info *opipe = out->f_dentry->d_inode->i_pipe;
1455
1456         /*
1457          * Link ipipe to the two output pipes, consuming as we go along.
1458          */
1459         if (ipipe && opipe)
1460                 return link_pipe(ipipe, opipe, len, flags);
1461
1462         return -EINVAL;
1463 }
1464
1465 asmlinkage long sys_tee(int fdin, int fdout, size_t len, unsigned int flags)
1466 {
1467         struct file *in;
1468         int error, fput_in;
1469
1470         if (unlikely(!len))
1471                 return 0;
1472
1473         error = -EBADF;
1474         in = fget_light(fdin, &fput_in);
1475         if (in) {
1476                 if (in->f_mode & FMODE_READ) {
1477                         int fput_out;
1478                         struct file *out = fget_light(fdout, &fput_out);
1479
1480                         if (out) {
1481                                 if (out->f_mode & FMODE_WRITE)
1482                                         error = do_tee(in, out, len, flags);
1483                                 fput_light(out, fput_out);
1484                         }
1485                 }
1486                 fput_light(in, fput_in);
1487         }
1488
1489         return error;
1490 }