[RFC PATCH] splice: don't read more than available pipe space

[RFC PATCH] splice: don't read more than available pipe space

[Darrick J. Wong]

From: Darrick J. Wong <darrick.wong@oracle.com>

In commit 4721a601099, we tried to fix a problem wherein directio reads
into a splice pipe will bounce EFAULT/EAGAIN all the way out to
userspace by simulating a zero-byte short read.  This happens because
some directio read implementations (xfs) will call
bio_iov_iter_get_pages to grab pipe buffer pages and issue asynchronous
reads, but as soon as we run out of pipe buffers that _get_pages call
returns EFAULT, which the splice code translates to EAGAIN and bounces
out to userspace.

In that commit, the iomap code catches the EFAULT and simulates a
zero-byte read, but that causes assertion errors on regular splice reads
because xfs doesn't allow short directio reads.

The brokenness is compounded by splice_direct_to_actor immediately
bailing on do_splice_to returning <= 0 without ever calling ->actor
(which empties out the pipe), so if userspace calls back we'll EFAULT
again on the full pipe, and nothing ever gets copied.

Therefore, teach splice_direct_to_actor to clamp its requests to the
amount of free space in the pipe and remove the simulated short read
from the iomap directio code.

Fixes: 4721a601099 ("iomap: dio data corruption and spurious errors when pipes fill")
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
---
 fs/iomap.c  |    9 ---------
 fs/splice.c |    5 ++++-
 2 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/fs/iomap.c b/fs/iomap.c
index 3ffb776fbebe..d6bc98ae8d35 100644
--- a/fs/iomap.c
+++ b/fs/iomap.c
@@ -1877,15 +1877,6 @@ iomap_dio_rw(struct kiocb *iocb, struct iov_iter *iter,
 				dio->wait_for_completion = true;
 				ret = 0;
 			}
-
-			/*
-			 * Splicing to pipes can fail on a full pipe. We have to
-			 * swallow this to make it look like a short IO
-			 * otherwise the higher splice layers will completely
-			 * mishandle the error and stop moving data.
-			 */
-			if (ret == -EFAULT)
-				ret = 0;
 			break;
 		}
 		pos += ret;
diff --git a/fs/splice.c b/fs/splice.c
index 3553f1956508..4bd9d9590199 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -949,7 +949,10 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
 		size_t read_len;
 		loff_t pos = sd->pos, prev_pos = pos;
 
-		ret = do_splice_to(in, &pos, pipe, len, flags);
+		/* Don't try to read more the pipe has space for. */
+		read_len = min_t(size_t, len,
+				 (pipe->buffers - pipe->nrbufs) << PAGE_SHIFT);
+		ret = do_splice_to(in, &pos, pipe, read_len, flags);
 		if (unlikely(ret <= 0))
 			goto out_release;
 

Re: [RFC PATCH] splice: don't read more than available pipe space

[Amir Goldstein]

On Fri, Nov 30, 2018 at 9:20 PM Darrick J. Wong <darrick.wong@oracle.com> wrote:
>
> From: Darrick J. Wong <darrick.wong@oracle.com>
>
> In commit 4721a601099, we tried to fix a problem wherein directio reads
> into a splice pipe will bounce EFAULT/EAGAIN all the way out to
> userspace by simulating a zero-byte short read.  This happens because
> some directio read implementations (xfs) will call
> bio_iov_iter_get_pages to grab pipe buffer pages and issue asynchronous
> reads, but as soon as we run out of pipe buffers that _get_pages call
> returns EFAULT, which the splice code translates to EAGAIN and bounces
> out to userspace.
>
> In that commit, the iomap code catches the EFAULT and simulates a
> zero-byte read, but that causes assertion errors on regular splice reads
> because xfs doesn't allow short directio reads.
>
> The brokenness is compounded by splice_direct_to_actor immediately
> bailing on do_splice_to returning <= 0 without ever calling ->actor
> (which empties out the pipe), so if userspace calls back we'll EFAULT
> again on the full pipe, and nothing ever gets copied.
>
> Therefore, teach splice_direct_to_actor to clamp its requests to the
> amount of free space in the pipe and remove the simulated short read
> from the iomap directio code.
>
> Fixes: 4721a601099 ("iomap: dio data corruption and spurious errors when pipes fill")
> Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> ---

Problem is the regressing commit does two things and you here revert one
of them and re-fix the bug.

IMO, it would be nicer to:
- Revert the regression commit
- Attribute Reported-by and specify regression details in revert commit
- Re-apply Dave's zero_tail fix with its own commit instead of a
  "To make matters worse..." clause.
- Apply your re-fix with description of original problem and without the
  story about the regression

Your call.

Miklos,

Can you please review the suggested re-fix?

Thanks,
Amir.

Re: [RFC PATCH] splice: don't read more than available pipe space

[Christoph Hellwig]

On Fri, Nov 30, 2018 at 11:20:47AM -0800, Darrick J. Wong wrote:
> Therefore, teach splice_direct_to_actor to clamp its requests to the
> amount of free space in the pipe and remove the simulated short read
> from the iomap directio code.

Seems like this should be two different commits?  E.g. fix the splice
code first, remove the hack from XFS next?  (and yes, I know we already
have a similar but slightly different suggestion from Amir, but I
don't think explicit reverts buy us anything).

Otherwise this looks good to me:

Reviewed-by: Christoph Hellwig <hch@lst.de>