PATCH: sendfile() checks f_op.sendpage() instead of f_op.splice_write() wrongly

PATCH: sendfile() checks f_op.sendpage() instead of f_op.splice_write() wrongly

[Changli Gao]

sendfile(2) checks f_op.sendpage() instead of f_op.splice_write() wrongly.

sendfile(2) was reworked with the splice infrastructure, but it still
checks f_op.sendpage() instead of f_op.splice_write() wrongly. Although
if f_op.sendpage() exists, f_op.splice_write() always exists at the same
time currently, the assumption will be broken in future silently. This
patch also brings a side effect: sendfile(2) can work with any output
file, which supports splice_write() not only mmap(2).

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
----
fs/read_write.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -826,7 +826,7 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
 	if (!(out_file->f_mode & FMODE_WRITE))
 		goto fput_out;
 	retval = -EINVAL;
-	if (!out_file->f_op || !out_file->f_op->sendpage)
+	if (!out_file->f_op || !out_file->f_op->splice_write)
 		goto fput_out;
 	in_inode = in_file->f_path.dentry->d_inode;
 	out_inode = out_file->f_path.dentry->d_inode;

Re: PATCH: sendfile() checks f_op.sendpage() instead of f_op.splice_write() wrongly

[Jens Axboe]

On Mon, Oct 19 2009, Changli Gao wrote:
> sendfile(2) checks f_op.sendpage() instead of f_op.splice_write() wrongly.
> 
> sendfile(2) was reworked with the splice infrastructure, but it still
> checks f_op.sendpage() instead of f_op.splice_write() wrongly. Although
> if f_op.sendpage() exists, f_op.splice_write() always exists at the same
> time currently, the assumption will be broken in future silently. This
> patch also brings a side effect: sendfile(2) can work with any output
> file, which supports splice_write() not only mmap(2).

Question is, if the check should just be dropped completely, since we
use fallback default handlers if the fs doesn't have
->splice_read/->splice_write().

-- 
Jens Axboe

Re: PATCH: sendfile() checks f_op.sendpage() instead of f_op.splice_write() wrongly

[Changli Gao]

On Mon, Oct 19, 2009 at 4:25 PM, Jens Axboe <jens.axboe@oracle.com> wrote:
> On Mon, Oct 19 2009, Changli Gao wrote:
>
> Question is, if the check should just be dropped completely, since we
> use fallback default handlers if the fs doesn't have
> ->splice_read/->splice_write().

Agree with you. I think we can drop it.


-- 
Regards，
Changli Gao(xiaosuo@gmail.com)

PATCH: sendfile() checks f_op.sendpage() instead of f_op.splice_write() wrongly

[Changli Gao]

sendfile(2) checks f_op.sendpage() instead of f_op.splice_write() wrongly.

sendfile(2) was reworked with the splice infrastructure, but it still
checks f_op.sendpage() instead of f_op.splice_write() wrongly. Although
if f_op.sendpage() exists, f_op.splice_write() always exists at the same
time currently, the assumption will be broken in future silently. This
patch also brings a side effect: sendfile(2) can work with any output
file. Some security checks related to f_op are added too.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
----

read_write.c | 2 --
splice.c | 24 +++++++++++++++---------
2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/fs/read_write.c b/fs/read_write.c
index 3ac2898..b7f4a1f 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -826,8 +826,6 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
 	if (!(out_file->f_mode & FMODE_WRITE))
 		goto fput_out;
 	retval = -EINVAL;
-	if (!out_file->f_op || !out_file->f_op->sendpage)
-		goto fput_out;
 	in_inode = in_file->f_path.dentry->d_inode;
 	out_inode = out_file->f_path.dentry->d_inode;
 	retval = rw_verify_area(WRITE, out_file, &out_file->f_pos, count);
diff --git a/fs/splice.c b/fs/splice.c
index 7394e9e..5724845 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -648,9 +648,11 @@ static int pipe_to_sendpage(struct pipe_inode_info *pipe,
 	ret = buf->ops->confirm(pipe, buf);
 	if (!ret) {
 		more = (sd->flags & SPLICE_F_MORE) || sd->len < sd->total_len;
-
-		ret = file->f_op->sendpage(file, buf->page, buf->offset,
-					   sd->len, &pos, more);
+		if (file->f_op && file->f_op->sendpage)
+			ret = file->f_op->sendpage(file, buf->page, buf->offset,
+						   sd->len, &pos, more);
+		else
+			ret = -EINVAL;
 	}
 
 	return ret;
@@ -1068,8 +1070,9 @@ static long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
 	if (unlikely(ret < 0))
 		return ret;
 
-	splice_write = out->f_op->splice_write;
-	if (!splice_write)
+	if (out->f_op && out->f_op->splice_write)
+		splice_write = out->f_op->splice_write;
+	else
 		splice_write = default_file_splice_write;
 
 	return splice_write(pipe, out, ppos, len, flags);
@@ -1093,8 +1096,9 @@ static long do_splice_to(struct file *in, loff_t *ppos,
 	if (unlikely(ret < 0))
 		return ret;
 
-	splice_read = in->f_op->splice_read;
-	if (!splice_read)
+	if (in->f_op && in->f_op->splice_read)
+		splice_read = in->f_op->splice_read;
+	else
 		splice_read = default_file_splice_read;
 
 	return splice_read(in, ppos, pipe, len, flags);
@@ -1316,7 +1320,8 @@ static long do_splice(struct file *in, loff_t __user *off_in,
 		if (off_in)
 			return -ESPIPE;
 		if (off_out) {
-			if (out->f_op->llseek == no_llseek)
+			if (!out->f_op || !out->f_op->llseek ||
+			    out->f_op->llseek == no_llseek)
 				return -EINVAL;
 			if (copy_from_user(&offset, off_out, sizeof(loff_t)))
 				return -EFAULT;
@@ -1336,7 +1341,8 @@ static long do_splice(struct file *in, loff_t __user *off_in,
 		if (off_out)
 			return -ESPIPE;
 		if (off_in) {
-			if (in->f_op->llseek == no_llseek)
+			if (!in->f_op || !in->f_op->llseek ||
+			    in->f_op->llseek == no_llseek)
 				return -EINVAL;
 			if (copy_from_user(&offset, off_in, sizeof(loff_t)))
 				return -EFAULT;