fuse: fix pipe_buf_operations
Having this struct in module memory could Oops when if the module is unloaded while the buffer still persists in a pipe. Since sock_pipe_buf_ops is essentially the same as fuse_dev_pipe_buf_steal merge them into nosteal_pipe_buf_ops (this is the same as default_pipe_buf_ops except stealing the page from the buffer is not allowed). Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Cc: stable@vger.kernel.org
This commit is contained in:
parent
d8ec26d7f8
commit
28a625cbc2
|
@ -1296,22 +1296,6 @@ static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
|
||||||
return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
|
return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
|
||||||
}
|
}
|
||||||
|
|
||||||
static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
|
|
||||||
struct pipe_buffer *buf)
|
|
||||||
{
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
static const struct pipe_buf_operations fuse_dev_pipe_buf_ops = {
|
|
||||||
.can_merge = 0,
|
|
||||||
.map = generic_pipe_buf_map,
|
|
||||||
.unmap = generic_pipe_buf_unmap,
|
|
||||||
.confirm = generic_pipe_buf_confirm,
|
|
||||||
.release = generic_pipe_buf_release,
|
|
||||||
.steal = fuse_dev_pipe_buf_steal,
|
|
||||||
.get = generic_pipe_buf_get,
|
|
||||||
};
|
|
||||||
|
|
||||||
static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
|
static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
|
||||||
struct pipe_inode_info *pipe,
|
struct pipe_inode_info *pipe,
|
||||||
size_t len, unsigned int flags)
|
size_t len, unsigned int flags)
|
||||||
|
@ -1358,7 +1342,11 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
|
||||||
buf->page = bufs[page_nr].page;
|
buf->page = bufs[page_nr].page;
|
||||||
buf->offset = bufs[page_nr].offset;
|
buf->offset = bufs[page_nr].offset;
|
||||||
buf->len = bufs[page_nr].len;
|
buf->len = bufs[page_nr].len;
|
||||||
buf->ops = &fuse_dev_pipe_buf_ops;
|
/*
|
||||||
|
* Need to be careful about this. Having buf->ops in module
|
||||||
|
* code can Oops if the buffer persists after module unload.
|
||||||
|
*/
|
||||||
|
buf->ops = &nosteal_pipe_buf_ops;
|
||||||
|
|
||||||
pipe->nrbufs++;
|
pipe->nrbufs++;
|
||||||
page_nr++;
|
page_nr++;
|
||||||
|
|
18
fs/splice.c
18
fs/splice.c
|
@ -555,6 +555,24 @@ static const struct pipe_buf_operations default_pipe_buf_ops = {
|
||||||
.get = generic_pipe_buf_get,
|
.get = generic_pipe_buf_get,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
static int generic_pipe_buf_nosteal(struct pipe_inode_info *pipe,
|
||||||
|
struct pipe_buffer *buf)
|
||||||
|
{
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Pipe buffer operations for a socket and similar. */
|
||||||
|
const struct pipe_buf_operations nosteal_pipe_buf_ops = {
|
||||||
|
.can_merge = 0,
|
||||||
|
.map = generic_pipe_buf_map,
|
||||||
|
.unmap = generic_pipe_buf_unmap,
|
||||||
|
.confirm = generic_pipe_buf_confirm,
|
||||||
|
.release = generic_pipe_buf_release,
|
||||||
|
.steal = generic_pipe_buf_nosteal,
|
||||||
|
.get = generic_pipe_buf_get,
|
||||||
|
};
|
||||||
|
EXPORT_SYMBOL(nosteal_pipe_buf_ops);
|
||||||
|
|
||||||
static ssize_t kernel_readv(struct file *file, const struct iovec *vec,
|
static ssize_t kernel_readv(struct file *file, const struct iovec *vec,
|
||||||
unsigned long vlen, loff_t offset)
|
unsigned long vlen, loff_t offset)
|
||||||
{
|
{
|
||||||
|
|
|
@ -157,6 +157,8 @@ int generic_pipe_buf_confirm(struct pipe_inode_info *, struct pipe_buffer *);
|
||||||
int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *);
|
int generic_pipe_buf_steal(struct pipe_inode_info *, struct pipe_buffer *);
|
||||||
void generic_pipe_buf_release(struct pipe_inode_info *, struct pipe_buffer *);
|
void generic_pipe_buf_release(struct pipe_inode_info *, struct pipe_buffer *);
|
||||||
|
|
||||||
|
extern const struct pipe_buf_operations nosteal_pipe_buf_ops;
|
||||||
|
|
||||||
/* for F_SETPIPE_SZ and F_GETPIPE_SZ */
|
/* for F_SETPIPE_SZ and F_GETPIPE_SZ */
|
||||||
long pipe_fcntl(struct file *, unsigned int, unsigned long arg);
|
long pipe_fcntl(struct file *, unsigned int, unsigned long arg);
|
||||||
struct pipe_inode_info *get_pipe_info(struct file *file);
|
struct pipe_inode_info *get_pipe_info(struct file *file);
|
||||||
|
|
|
@ -74,36 +74,6 @@
|
||||||
struct kmem_cache *skbuff_head_cache __read_mostly;
|
struct kmem_cache *skbuff_head_cache __read_mostly;
|
||||||
static struct kmem_cache *skbuff_fclone_cache __read_mostly;
|
static struct kmem_cache *skbuff_fclone_cache __read_mostly;
|
||||||
|
|
||||||
static void sock_pipe_buf_release(struct pipe_inode_info *pipe,
|
|
||||||
struct pipe_buffer *buf)
|
|
||||||
{
|
|
||||||
put_page(buf->page);
|
|
||||||
}
|
|
||||||
|
|
||||||
static void sock_pipe_buf_get(struct pipe_inode_info *pipe,
|
|
||||||
struct pipe_buffer *buf)
|
|
||||||
{
|
|
||||||
get_page(buf->page);
|
|
||||||
}
|
|
||||||
|
|
||||||
static int sock_pipe_buf_steal(struct pipe_inode_info *pipe,
|
|
||||||
struct pipe_buffer *buf)
|
|
||||||
{
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
/* Pipe buffer operations for a socket. */
|
|
||||||
static const struct pipe_buf_operations sock_pipe_buf_ops = {
|
|
||||||
.can_merge = 0,
|
|
||||||
.map = generic_pipe_buf_map,
|
|
||||||
.unmap = generic_pipe_buf_unmap,
|
|
||||||
.confirm = generic_pipe_buf_confirm,
|
|
||||||
.release = sock_pipe_buf_release,
|
|
||||||
.steal = sock_pipe_buf_steal,
|
|
||||||
.get = sock_pipe_buf_get,
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* skb_panic - private function for out-of-line support
|
* skb_panic - private function for out-of-line support
|
||||||
* @skb: buffer
|
* @skb: buffer
|
||||||
|
@ -1830,7 +1800,7 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset,
|
||||||
.partial = partial,
|
.partial = partial,
|
||||||
.nr_pages_max = MAX_SKB_FRAGS,
|
.nr_pages_max = MAX_SKB_FRAGS,
|
||||||
.flags = flags,
|
.flags = flags,
|
||||||
.ops = &sock_pipe_buf_ops,
|
.ops = &nosteal_pipe_buf_ops,
|
||||||
.spd_release = sock_spd_release,
|
.spd_release = sock_spd_release,
|
||||||
};
|
};
|
||||||
struct sk_buff *frag_iter;
|
struct sk_buff *frag_iter;
|
||||||
|
|
Loading…
Reference in New Issue