splice: only read in as much information as there is pipe buffer space

Andreas Grünbacher reports that on the two filesystems that support
iomap directio, it's possible for splice() to return -EAGAIN (instead of
a short splice) if the pipe being written to has less space available in
its pipe buffers than the length supplied by the calling process.

Months ago we fixed splice_direct_to_actor to clamp the length of the
read request to the size of the splice pipe.  Do the same to do_splice.

Fixes: 17614445576b6 ("splice: don't read more than available pipe space")
Reported-by: syzbot+3c01db6025f26530cf8d@syzkaller.appspotmail.com
Reported-by: Andreas Grünbacher <andreas.gruenbacher@gmail.com>
Reviewed-by: Andreas Grünbacher <andreas.gruenbacher@gmail.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>

diff --git a/fs/splice.c b/fs/splice.c
index 98412721f0562c3e2f20332e28f756df6eddc7a1..e509239d7e06ad53c7c8e3be4e9a3aec21ab2935 100644 (file)
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -945,12 +945,13 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
        WARN_ON_ONCE(pipe->nrbufs != 0);
 
        while (len) {
+               unsigned int pipe_pages;
                size_t read_len;
                loff_t pos = sd->pos, prev_pos = pos;
 
                /* Don't try to read more the pipe has space for. */
-               read_len = min_t(size_t, len,
-                                (pipe->buffers - pipe->nrbufs) << PAGE_SHIFT);
+               pipe_pages = pipe->buffers - pipe->nrbufs;
+               read_len = min(len, (size_t)pipe_pages << PAGE_SHIFT);
                ret = do_splice_to(in, &pos, pipe, read_len, flags);
                if (unlikely(ret <= 0))
                        goto out_release;
@@ -1180,8 +1181,15 @@ static long do_splice(struct file *in, loff_t __user *off_in,
 
                pipe_lock(opipe);
                ret = wait_for_space(opipe, flags);
-               if (!ret)
+               if (!ret) {
+                       unsigned int pipe_pages;
+
+                       /* Don't try to read more the pipe has space for. */
+                       pipe_pages = opipe->buffers - opipe->nrbufs;
+                       len = min(len, (size_t)pipe_pages << PAGE_SHIFT);
+
                        ret = do_splice_to(in, &offset, opipe, len, flags);
+               }
                pipe_unlock(opipe);
                if (ret > 0)
                        wakeup_pipe_readers(opipe);