Commit feebea75 authored by Amir Goldstein's avatar Amir Goldstein Committed by Christian Brauner
Browse files

splice: move permission hook out of splice_direct_to_actor() 



vfs_splice_read() has a permission hook inside rw_verify_area() and
it is called from do_splice_direct() -> splice_direct_to_actor().

The callers of do_splice_direct() (e.g. vfs_copy_file_range()) already
call rw_verify_area() for the entire range, but the other caller of
splice_direct_to_actor() (nfsd) does not.

Add the rw_verify_area() checks in nfsd_splice_read() and use a
variant of vfs_splice_read() without rw_verify_area() check in
splice_direct_to_actor() to avoid the redundant rw_verify_area() checks.

This is needed for fanotify "pre content" events.

Acked-by: default avatarChuck Lever <chuck.lever@oracle.com>
Reviewed-by: default avatarJosef Bacik <josef@toxicpanda.com>
Signed-off-by: default avatarAmir Goldstein <amir73il@gmail.com>
Link: https://lore.kernel.org/r/20231122122715.2561213-4-amir73il@gmail.com


Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
Reviewed-by: default avatarJan Kara <jack@suse.cz>
Signed-off-by: default avatarChristian Brauner <brauner@kernel.org>
parent 2a33e2dd

fs/nfsd/vfs.c

+4 −1
Original line number Diff line number Diff line
@@ -1046,7 +1046,10 @@ __be32 nfsd_splice_read(struct svc_rqst *rqstp, struct svc_fh *fhp, 
	ssize_t host_err;



	trace_nfsd_read_splice(rqstp, fhp, offset, *count);

	host_err = splice_direct_to_actor(file, &sd, nfsd_direct_splice_actor);

	host_err = rw_verify_area(READ, file, &offset, *count);

	if (!host_err)

		host_err = splice_direct_to_actor(file, &sd,

						  nfsd_direct_splice_actor);

	return nfsd_finish_read(rqstp, fhp, file, offset, count, eof, host_err);

}

fs/splice.c

+35 −23
Original line number Diff line number Diff line
@@ -944,27 +944,15 @@ static void do_splice_eof(struct splice_desc *sd) 
		sd->splice_eof(sd);

}



/**

 * vfs_splice_read - Read data from a file and splice it into a pipe

 * @in:		File to splice from

 * @ppos:	Input file offset

 * @pipe:	Pipe to splice to

 * @len:	Number of bytes to splice

 * @flags:	Splice modifier flags (SPLICE_F_*)

 *

 * Splice the requested amount of data from the input file to the pipe.  This

 * is synchronous as the caller must hold the pipe lock across the entire

 * operation.

 *

 * If successful, it returns the amount of data spliced, 0 if it hit the EOF or

 * a hole and a negative error code otherwise.

/*

 * Callers already called rw_verify_area() on the entire range.

 * No need to call it for sub ranges.

 */

long vfs_splice_read(struct file *in, loff_t *ppos,

static long do_splice_read(struct file *in, loff_t *ppos,

			   struct pipe_inode_info *pipe, size_t len,

			   unsigned int flags)

{

	unsigned int p_space;

	int ret;



	if (unlikely(!(in->f_mode & FMODE_READ)))

		return -EBADF;
@@ -975,10 +963,6 @@ long vfs_splice_read(struct file *in, loff_t *ppos, 
	p_space = pipe->max_usage - pipe_occupancy(pipe->head, pipe->tail);

	len = min_t(size_t, len, p_space << PAGE_SHIFT);



	ret = rw_verify_area(READ, in, ppos, len);

	if (unlikely(ret < 0))

		return ret;



	if (unlikely(len > MAX_RW_COUNT))

		len = MAX_RW_COUNT;
@@ -992,6 +976,34 @@ long vfs_splice_read(struct file *in, loff_t *ppos, 
		return copy_splice_read(in, ppos, pipe, len, flags);

	return in->f_op->splice_read(in, ppos, pipe, len, flags);

}



/**

 * vfs_splice_read - Read data from a file and splice it into a pipe

 * @in:		File to splice from

 * @ppos:	Input file offset

 * @pipe:	Pipe to splice to

 * @len:	Number of bytes to splice

 * @flags:	Splice modifier flags (SPLICE_F_*)

 *

 * Splice the requested amount of data from the input file to the pipe.  This

 * is synchronous as the caller must hold the pipe lock across the entire

 * operation.

 *

 * If successful, it returns the amount of data spliced, 0 if it hit the EOF or

 * a hole and a negative error code otherwise.

 */

long vfs_splice_read(struct file *in, loff_t *ppos,

		     struct pipe_inode_info *pipe, size_t len,

		     unsigned int flags)

{

	int ret;



	ret = rw_verify_area(READ, in, ppos, len);

	if (unlikely(ret < 0))

		return ret;



	return do_splice_read(in, ppos, pipe, len, flags);

}

EXPORT_SYMBOL_GPL(vfs_splice_read);



/**
@@ -1066,7 +1078,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, 
		size_t read_len;

		loff_t pos = sd->pos, prev_pos = pos;



		ret = vfs_splice_read(in, &pos, pipe, len, flags);

		ret = do_splice_read(in, &pos, pipe, len, flags);

		if (unlikely(ret <= 0))

			goto read_failure;