1 // SPDX-License-Identifier: GPL-2.0-only
3 * "splice": joining two ropes together by interweaving their strands.
5 * This is the "extended pipe" functionality, where a pipe is used as
6 * an arbitrary in-memory buffer. Think of a pipe as a small kernel
7 * buffer that you can use to transfer data from one end to the other.
9 * The traditional unix read/write is extended with a "splice()" operation
10 * that transfers data buffers to or from a pipe buffer.
12 * Named by Larry McVoy, original implementation from Linus, extended by
13 * Jens to support splicing to files, network, direct splicing, etc and
14 * fixing lots of bugs.
16 * Copyright (C) 2005-2006 Jens Axboe <axboe@kernel.dk>
17 * Copyright (C) 2005-2006 Linus Torvalds <torvalds@osdl.org>
18 * Copyright (C) 2006 Ingo Molnar <mingo@elte.hu>
21 #include <linux/bvec.h>
23 #include <linux/file.h>
24 #include <linux/pagemap.h>
25 #include <linux/splice.h>
26 #include <linux/memcontrol.h>
27 #include <linux/mm_inline.h>
28 #include <linux/swap.h>
29 #include <linux/writeback.h>
30 #include <linux/export.h>
31 #include <linux/syscalls.h>
32 #include <linux/uio.h>
33 #include <linux/fsnotify.h>
34 #include <linux/security.h>
35 #include <linux/gfp.h>
36 #include <linux/socket.h>
37 #include <linux/sched/signal.h>
42 * Attempt to steal a page from a pipe buffer. This should perhaps go into
43 * a vm helper function, it's already simplified quite a bit by the
44 * addition of remove_mapping(). If success is returned, the caller may
45 * attempt to reuse this page for another destination.
47 static bool page_cache_pipe_buf_try_steal(struct pipe_inode_info *pipe,
48 struct pipe_buffer *buf)
50 struct folio *folio = page_folio(buf->page);
51 struct address_space *mapping;
55 mapping = folio_mapping(folio);
57 WARN_ON(!folio_test_uptodate(folio));
60 * At least for ext2 with nobh option, we need to wait on
61 * writeback completing on this folio, since we'll remove it
62 * from the pagecache. Otherwise truncate wont wait on the
63 * folio, allowing the disk blocks to be reused by someone else
64 * before we actually wrote our data to them. fs corruption
67 folio_wait_writeback(folio);
69 if (folio_has_private(folio) &&
70 !filemap_release_folio(folio, GFP_KERNEL))
74 * If we succeeded in removing the mapping, set LRU flag
77 if (remove_mapping(mapping, folio)) {
78 buf->flags |= PIPE_BUF_FLAG_LRU;
84 * Raced with truncate or failed to remove folio from current
85 * address space, unlock and return failure.
92 static void page_cache_pipe_buf_release(struct pipe_inode_info *pipe,
93 struct pipe_buffer *buf)
96 buf->flags &= ~PIPE_BUF_FLAG_LRU;
100 * Check whether the contents of buf is OK to access. Since the content
101 * is a page cache page, IO may be in flight.
103 static int page_cache_pipe_buf_confirm(struct pipe_inode_info *pipe,
104 struct pipe_buffer *buf)
106 struct page *page = buf->page;
109 if (!PageUptodate(page)) {
113 * Page got truncated/unhashed. This will cause a 0-byte
114 * splice, if this is the first page.
116 if (!page->mapping) {
122 * Uh oh, read-error from disk.
124 if (!PageUptodate(page)) {
130 * Page is ok afterall, we are done.
141 const struct pipe_buf_operations page_cache_pipe_buf_ops = {
142 .confirm = page_cache_pipe_buf_confirm,
143 .release = page_cache_pipe_buf_release,
144 .try_steal = page_cache_pipe_buf_try_steal,
145 .get = generic_pipe_buf_get,
148 static bool user_page_pipe_buf_try_steal(struct pipe_inode_info *pipe,
149 struct pipe_buffer *buf)
151 if (!(buf->flags & PIPE_BUF_FLAG_GIFT))
154 buf->flags |= PIPE_BUF_FLAG_LRU;
155 return generic_pipe_buf_try_steal(pipe, buf);
158 static const struct pipe_buf_operations user_page_pipe_buf_ops = {
159 .release = page_cache_pipe_buf_release,
160 .try_steal = user_page_pipe_buf_try_steal,
161 .get = generic_pipe_buf_get,
164 static void wakeup_pipe_readers(struct pipe_inode_info *pipe)
167 if (waitqueue_active(&pipe->rd_wait))
168 wake_up_interruptible(&pipe->rd_wait);
169 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
173 * splice_to_pipe - fill passed data into a pipe
174 * @pipe: pipe to fill
178 * @spd contains a map of pages and len/offset tuples, along with
179 * the struct pipe_buf_operations associated with these pages. This
180 * function will link that data to the pipe.
183 ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
184 struct splice_pipe_desc *spd)
186 unsigned int spd_pages = spd->nr_pages;
187 unsigned int tail = pipe->tail;
188 unsigned int head = pipe->head;
189 unsigned int mask = pipe->ring_size - 1;
190 int ret = 0, page_nr = 0;
195 if (unlikely(!pipe->readers)) {
196 send_sig(SIGPIPE, current, 0);
201 while (!pipe_full(head, tail, pipe->max_usage)) {
202 struct pipe_buffer *buf = &pipe->bufs[head & mask];
204 buf->page = spd->pages[page_nr];
205 buf->offset = spd->partial[page_nr].offset;
206 buf->len = spd->partial[page_nr].len;
207 buf->private = spd->partial[page_nr].private;
216 if (!--spd->nr_pages)
224 while (page_nr < spd_pages)
225 spd->spd_release(spd, page_nr++);
229 EXPORT_SYMBOL_GPL(splice_to_pipe);
231 ssize_t add_to_pipe(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
233 unsigned int head = pipe->head;
234 unsigned int tail = pipe->tail;
235 unsigned int mask = pipe->ring_size - 1;
238 if (unlikely(!pipe->readers)) {
239 send_sig(SIGPIPE, current, 0);
241 } else if (pipe_full(head, tail, pipe->max_usage)) {
244 pipe->bufs[head & mask] = *buf;
245 pipe->head = head + 1;
248 pipe_buf_release(pipe, buf);
251 EXPORT_SYMBOL(add_to_pipe);
254 * Check if we need to grow the arrays holding pages and partial page
257 int splice_grow_spd(const struct pipe_inode_info *pipe, struct splice_pipe_desc *spd)
259 unsigned int max_usage = READ_ONCE(pipe->max_usage);
261 spd->nr_pages_max = max_usage;
262 if (max_usage <= PIPE_DEF_BUFFERS)
265 spd->pages = kmalloc_array(max_usage, sizeof(struct page *), GFP_KERNEL);
266 spd->partial = kmalloc_array(max_usage, sizeof(struct partial_page),
269 if (spd->pages && spd->partial)
277 void splice_shrink_spd(struct splice_pipe_desc *spd)
279 if (spd->nr_pages_max <= PIPE_DEF_BUFFERS)
287 * Splice data from an O_DIRECT file into pages and then add them to the output
290 ssize_t direct_splice_read(struct file *in, loff_t *ppos,
291 struct pipe_inode_info *pipe,
292 size_t len, unsigned int flags)
299 size_t used, npages, chunk, remain, reclaim;
302 /* Work out how much data we can actually add into the pipe */
303 used = pipe_occupancy(pipe->head, pipe->tail);
304 npages = max_t(ssize_t, pipe->max_usage - used, 0);
305 len = min_t(size_t, len, npages * PAGE_SIZE);
306 npages = DIV_ROUND_UP(len, PAGE_SIZE);
308 bv = kzalloc(array_size(npages, sizeof(bv[0])) +
309 array_size(npages, sizeof(struct page *)), GFP_KERNEL);
313 pages = (void *)(bv + npages);
314 npages = alloc_pages_bulk_array(GFP_USER, npages, pages);
320 remain = len = min_t(size_t, len, npages * PAGE_SIZE);
322 for (i = 0; i < npages; i++) {
323 chunk = min_t(size_t, PAGE_SIZE, remain);
324 bv[i].bv_page = pages[i];
326 bv[i].bv_len = chunk;
331 iov_iter_bvec(&to, ITER_DEST, bv, npages, len);
332 init_sync_kiocb(&kiocb, in);
333 kiocb.ki_pos = *ppos;
334 ret = call_read_iter(in, &kiocb, &to);
336 reclaim = npages * PAGE_SIZE;
341 *ppos = kiocb.ki_pos;
343 } else if (ret < 0) {
345 * callers of ->splice_read() expect -EAGAIN on
346 * "can't put anything in there", rather than -EFAULT.
352 /* Free any pages that didn't get touched at all. */
353 reclaim /= PAGE_SIZE;
356 release_pages(pages + npages, reclaim);
359 /* Push the remaining pages into the pipe. */
360 for (i = 0; i < npages; i++) {
361 struct pipe_buffer *buf = pipe_head_buf(pipe);
363 chunk = min_t(size_t, remain, PAGE_SIZE);
364 *buf = (struct pipe_buffer) {
365 .ops = &default_pipe_buf_ops,
366 .page = bv[i].bv_page,
377 EXPORT_SYMBOL(direct_splice_read);
380 * generic_file_splice_read - splice data from file to a pipe
381 * @in: file to splice from
382 * @ppos: position in @in
383 * @pipe: pipe to splice to
384 * @len: number of bytes to splice
385 * @flags: splice modifier flags
388 * Will read pages from given file and fill them into a pipe. Can be
389 * used as long as it has more or less sane ->read_iter().
392 ssize_t generic_file_splice_read(struct file *in, loff_t *ppos,
393 struct pipe_inode_info *pipe, size_t len,
400 iov_iter_pipe(&to, ITER_DEST, pipe, len);
401 init_sync_kiocb(&kiocb, in);
402 kiocb.ki_pos = *ppos;
403 ret = call_read_iter(in, &kiocb, &to);
405 *ppos = kiocb.ki_pos;
407 } else if (ret < 0) {
408 /* free what was emitted */
409 pipe_discard_from(pipe, to.start_head);
411 * callers of ->splice_read() expect -EAGAIN on
412 * "can't put anything in there", rather than -EFAULT.
420 EXPORT_SYMBOL(generic_file_splice_read);
422 const struct pipe_buf_operations default_pipe_buf_ops = {
423 .release = generic_pipe_buf_release,
424 .try_steal = generic_pipe_buf_try_steal,
425 .get = generic_pipe_buf_get,
428 /* Pipe buffer operations for a socket and similar. */
429 const struct pipe_buf_operations nosteal_pipe_buf_ops = {
430 .release = generic_pipe_buf_release,
431 .get = generic_pipe_buf_get,
433 EXPORT_SYMBOL(nosteal_pipe_buf_ops);
436 * Send 'sd->len' bytes to socket from 'sd->file' at position 'sd->pos'
437 * using sendpage(). Return the number of bytes sent.
439 static int pipe_to_sendpage(struct pipe_inode_info *pipe,
440 struct pipe_buffer *buf, struct splice_desc *sd)
442 struct file *file = sd->u.file;
443 loff_t pos = sd->pos;
446 if (!likely(file->f_op->sendpage))
449 more = (sd->flags & SPLICE_F_MORE) ? MSG_MORE : 0;
451 if (sd->len < sd->total_len &&
452 pipe_occupancy(pipe->head, pipe->tail) > 1)
453 more |= MSG_SENDPAGE_NOTLAST;
455 return file->f_op->sendpage(file, buf->page, buf->offset,
456 sd->len, &pos, more);
459 static void wakeup_pipe_writers(struct pipe_inode_info *pipe)
462 if (waitqueue_active(&pipe->wr_wait))
463 wake_up_interruptible(&pipe->wr_wait);
464 kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
468 * splice_from_pipe_feed - feed available data from a pipe to a file
469 * @pipe: pipe to splice from
470 * @sd: information to @actor
471 * @actor: handler that splices the data
474 * This function loops over the pipe and calls @actor to do the
475 * actual moving of a single struct pipe_buffer to the desired
476 * destination. It returns when there's no more buffers left in
477 * the pipe or if the requested number of bytes (@sd->total_len)
478 * have been copied. It returns a positive number (one) if the
479 * pipe needs to be filled with more data, zero if the required
480 * number of bytes have been copied and -errno on error.
482 * This, together with splice_from_pipe_{begin,end,next}, may be
483 * used to implement the functionality of __splice_from_pipe() when
484 * locking is required around copying the pipe buffers to the
487 static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_desc *sd,
490 unsigned int head = pipe->head;
491 unsigned int tail = pipe->tail;
492 unsigned int mask = pipe->ring_size - 1;
495 while (!pipe_empty(head, tail)) {
496 struct pipe_buffer *buf = &pipe->bufs[tail & mask];
499 if (sd->len > sd->total_len)
500 sd->len = sd->total_len;
502 ret = pipe_buf_confirm(pipe, buf);
509 ret = actor(pipe, buf, sd);
516 sd->num_spliced += ret;
519 sd->total_len -= ret;
522 pipe_buf_release(pipe, buf);
526 sd->need_wakeup = true;
536 /* We know we have a pipe buffer, but maybe it's empty? */
537 static inline bool eat_empty_buffer(struct pipe_inode_info *pipe)
539 unsigned int tail = pipe->tail;
540 unsigned int mask = pipe->ring_size - 1;
541 struct pipe_buffer *buf = &pipe->bufs[tail & mask];
543 if (unlikely(!buf->len)) {
544 pipe_buf_release(pipe, buf);
553 * splice_from_pipe_next - wait for some data to splice from
554 * @pipe: pipe to splice from
555 * @sd: information about the splice operation
558 * This function will wait for some data and return a positive
559 * value (one) if pipe buffers are available. It will return zero
560 * or -errno if no more data needs to be spliced.
562 static int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
565 * Check for signal early to make process killable when there are
566 * always buffers available
568 if (signal_pending(current))
572 while (pipe_empty(pipe->head, pipe->tail)) {
579 if (sd->flags & SPLICE_F_NONBLOCK)
582 if (signal_pending(current))
585 if (sd->need_wakeup) {
586 wakeup_pipe_writers(pipe);
587 sd->need_wakeup = false;
590 pipe_wait_readable(pipe);
593 if (eat_empty_buffer(pipe))
600 * splice_from_pipe_begin - start splicing from pipe
601 * @sd: information about the splice operation
604 * This function should be called before a loop containing
605 * splice_from_pipe_next() and splice_from_pipe_feed() to
606 * initialize the necessary fields of @sd.
608 static void splice_from_pipe_begin(struct splice_desc *sd)
611 sd->need_wakeup = false;
615 * splice_from_pipe_end - finish splicing from pipe
616 * @pipe: pipe to splice from
617 * @sd: information about the splice operation
620 * This function will wake up pipe writers if necessary. It should
621 * be called after a loop containing splice_from_pipe_next() and
622 * splice_from_pipe_feed().
624 static void splice_from_pipe_end(struct pipe_inode_info *pipe, struct splice_desc *sd)
627 wakeup_pipe_writers(pipe);
631 * __splice_from_pipe - splice data from a pipe to given actor
632 * @pipe: pipe to splice from
633 * @sd: information to @actor
634 * @actor: handler that splices the data
637 * This function does little more than loop over the pipe and call
638 * @actor to do the actual moving of a single struct pipe_buffer to
639 * the desired destination. See pipe_to_file, pipe_to_sendpage, or
643 ssize_t __splice_from_pipe(struct pipe_inode_info *pipe, struct splice_desc *sd,
648 splice_from_pipe_begin(sd);
651 ret = splice_from_pipe_next(pipe, sd);
653 ret = splice_from_pipe_feed(pipe, sd, actor);
655 splice_from_pipe_end(pipe, sd);
657 return sd->num_spliced ? sd->num_spliced : ret;
659 EXPORT_SYMBOL(__splice_from_pipe);
662 * splice_from_pipe - splice data from a pipe to a file
663 * @pipe: pipe to splice from
664 * @out: file to splice to
665 * @ppos: position in @out
666 * @len: how many bytes to splice
667 * @flags: splice modifier flags
668 * @actor: handler that splices the data
671 * See __splice_from_pipe. This function locks the pipe inode,
672 * otherwise it's identical to __splice_from_pipe().
675 ssize_t splice_from_pipe(struct pipe_inode_info *pipe, struct file *out,
676 loff_t *ppos, size_t len, unsigned int flags,
680 struct splice_desc sd = {
688 ret = __splice_from_pipe(pipe, &sd, actor);
695 * iter_file_splice_write - splice data from a pipe to a file
697 * @out: file to write to
698 * @ppos: position in @out
699 * @len: number of bytes to splice
700 * @flags: splice modifier flags
703 * Will either move or copy pages (determined by @flags options) from
704 * the given pipe inode to the given file.
705 * This one is ->write_iter-based.
709 iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
710 loff_t *ppos, size_t len, unsigned int flags)
712 struct splice_desc sd = {
718 int nbufs = pipe->max_usage;
719 struct bio_vec *array = kcalloc(nbufs, sizeof(struct bio_vec),
723 if (unlikely(!array))
728 splice_from_pipe_begin(&sd);
729 while (sd.total_len) {
730 struct iov_iter from;
731 unsigned int head, tail, mask;
735 ret = splice_from_pipe_next(pipe, &sd);
739 if (unlikely(nbufs < pipe->max_usage)) {
741 nbufs = pipe->max_usage;
742 array = kcalloc(nbufs, sizeof(struct bio_vec),
752 mask = pipe->ring_size - 1;
754 /* build the vector */
756 for (n = 0; !pipe_empty(head, tail) && left && n < nbufs; tail++) {
757 struct pipe_buffer *buf = &pipe->bufs[tail & mask];
758 size_t this_len = buf->len;
760 /* zero-length bvecs are not supported, skip them */
763 this_len = min(this_len, left);
765 ret = pipe_buf_confirm(pipe, buf);
772 bvec_set_page(&array[n], buf->page, this_len,
778 iov_iter_bvec(&from, ITER_SOURCE, array, n, sd.total_len - left);
779 ret = vfs_iter_write(out, &from, &sd.pos, 0);
783 sd.num_spliced += ret;
787 /* dismiss the fully eaten buffers, adjust the partial one */
790 struct pipe_buffer *buf = &pipe->bufs[tail & mask];
791 if (ret >= buf->len) {
794 pipe_buf_release(pipe, buf);
798 sd.need_wakeup = true;
808 splice_from_pipe_end(pipe, &sd);
813 ret = sd.num_spliced;
818 EXPORT_SYMBOL(iter_file_splice_write);
821 * generic_splice_sendpage - splice data from a pipe to a socket
822 * @pipe: pipe to splice from
823 * @out: socket to write to
824 * @ppos: position in @out
825 * @len: number of bytes to splice
826 * @flags: splice modifier flags
829 * Will send @len bytes from the pipe to a network socket. No data copying
833 ssize_t generic_splice_sendpage(struct pipe_inode_info *pipe, struct file *out,
834 loff_t *ppos, size_t len, unsigned int flags)
836 return splice_from_pipe(pipe, out, ppos, len, flags, pipe_to_sendpage);
839 EXPORT_SYMBOL(generic_splice_sendpage);
841 static int warn_unsupported(struct file *file, const char *op)
843 pr_debug_ratelimited(
844 "splice %s not supported for file %pD4 (pid: %d comm: %.20s)\n",
845 op, file, current->pid, current->comm);
850 * Attempt to initiate a splice from pipe to file.
852 static long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
853 loff_t *ppos, size_t len, unsigned int flags)
855 if (unlikely(!out->f_op->splice_write))
856 return warn_unsupported(out, "write");
857 return out->f_op->splice_write(pipe, out, ppos, len, flags);
861 * Attempt to initiate a splice from a file to a pipe.
863 static long do_splice_to(struct file *in, loff_t *ppos,
864 struct pipe_inode_info *pipe, size_t len,
867 unsigned int p_space;
870 if (unlikely(!(in->f_mode & FMODE_READ)))
873 /* Don't try to read more the pipe has space for. */
874 p_space = pipe->max_usage - pipe_occupancy(pipe->head, pipe->tail);
875 len = min_t(size_t, len, p_space << PAGE_SHIFT);
877 ret = rw_verify_area(READ, in, ppos, len);
878 if (unlikely(ret < 0))
881 if (unlikely(len > MAX_RW_COUNT))
884 if (unlikely(!in->f_op->splice_read))
885 return warn_unsupported(in, "read");
886 return in->f_op->splice_read(in, ppos, pipe, len, flags);
890 * splice_direct_to_actor - splices data directly between two non-pipes
891 * @in: file to splice from
892 * @sd: actor information on where to splice to
893 * @actor: handles the data splicing
896 * This is a special case helper to splice directly between two
897 * points, without requiring an explicit pipe. Internally an allocated
898 * pipe is cached in the process, and reused during the lifetime of
902 ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
903 splice_direct_actor *actor)
905 struct pipe_inode_info *pipe;
911 * We require the input to be seekable, as we don't want to randomly
912 * drop data for eg socket -> socket splicing. Use the piped splicing
915 if (unlikely(!(in->f_mode & FMODE_LSEEK)))
919 * neither in nor out is a pipe, setup an internal pipe attached to
920 * 'out' and transfer the wanted data from 'in' to 'out' through that
922 pipe = current->splice_pipe;
923 if (unlikely(!pipe)) {
924 pipe = alloc_pipe_info();
929 * We don't have an immediate reader, but we'll read the stuff
930 * out of the pipe right after the splice_to_pipe(). So set
931 * PIPE_READERS appropriately.
935 current->splice_pipe = pipe;
946 * Don't block on output, we have to drain the direct pipe.
948 sd->flags &= ~SPLICE_F_NONBLOCK;
949 more = sd->flags & SPLICE_F_MORE;
951 WARN_ON_ONCE(!pipe_empty(pipe->head, pipe->tail));
955 loff_t pos = sd->pos, prev_pos = pos;
957 ret = do_splice_to(in, &pos, pipe, len, flags);
958 if (unlikely(ret <= 0))
962 sd->total_len = read_len;
965 * If more data is pending, set SPLICE_F_MORE
966 * If this is the last data and SPLICE_F_MORE was not set
967 * initially, clears it.
970 sd->flags |= SPLICE_F_MORE;
972 sd->flags &= ~SPLICE_F_MORE;
974 * NOTE: nonblocking mode only applies to the input. We
975 * must not do the output in nonblocking mode as then we
976 * could get stuck data in the internal pipe:
978 ret = actor(pipe, sd);
979 if (unlikely(ret <= 0)) {
988 if (ret < read_len) {
989 sd->pos = prev_pos + ret;
995 pipe->tail = pipe->head = 0;
1001 * If we did an incomplete transfer we must release
1002 * the pipe buffers in question:
1004 for (i = 0; i < pipe->ring_size; i++) {
1005 struct pipe_buffer *buf = &pipe->bufs[i];
1008 pipe_buf_release(pipe, buf);
1016 EXPORT_SYMBOL(splice_direct_to_actor);
1018 static int direct_splice_actor(struct pipe_inode_info *pipe,
1019 struct splice_desc *sd)
1021 struct file *file = sd->u.file;
1023 return do_splice_from(pipe, file, sd->opos, sd->total_len,
1028 * do_splice_direct - splices data directly between two files
1029 * @in: file to splice from
1030 * @ppos: input file offset
1031 * @out: file to splice to
1032 * @opos: output file offset
1033 * @len: number of bytes to splice
1034 * @flags: splice modifier flags
1037 * For use by do_sendfile(). splice can easily emulate sendfile, but
1038 * doing it in the application would incur an extra system call
1039 * (splice in + splice out, as compared to just sendfile()). So this helper
1040 * can splice directly through a process-private pipe.
1043 long do_splice_direct(struct file *in, loff_t *ppos, struct file *out,
1044 loff_t *opos, size_t len, unsigned int flags)
1046 struct splice_desc sd = {
1056 if (unlikely(!(out->f_mode & FMODE_WRITE)))
1059 if (unlikely(out->f_flags & O_APPEND))
1062 ret = rw_verify_area(WRITE, out, opos, len);
1063 if (unlikely(ret < 0))
1066 ret = splice_direct_to_actor(in, &sd, direct_splice_actor);
1072 EXPORT_SYMBOL(do_splice_direct);
1074 static int wait_for_space(struct pipe_inode_info *pipe, unsigned flags)
1077 if (unlikely(!pipe->readers)) {
1078 send_sig(SIGPIPE, current, 0);
1081 if (!pipe_full(pipe->head, pipe->tail, pipe->max_usage))
1083 if (flags & SPLICE_F_NONBLOCK)
1085 if (signal_pending(current))
1086 return -ERESTARTSYS;
1087 pipe_wait_writable(pipe);
1091 static int splice_pipe_to_pipe(struct pipe_inode_info *ipipe,
1092 struct pipe_inode_info *opipe,
1093 size_t len, unsigned int flags);
1095 long splice_file_to_pipe(struct file *in,
1096 struct pipe_inode_info *opipe,
1098 size_t len, unsigned int flags)
1103 ret = wait_for_space(opipe, flags);
1105 ret = do_splice_to(in, offset, opipe, len, flags);
1108 wakeup_pipe_readers(opipe);
1113 * Determine where to splice to/from.
1115 long do_splice(struct file *in, loff_t *off_in, struct file *out,
1116 loff_t *off_out, size_t len, unsigned int flags)
1118 struct pipe_inode_info *ipipe;
1119 struct pipe_inode_info *opipe;
1123 if (unlikely(!(in->f_mode & FMODE_READ) ||
1124 !(out->f_mode & FMODE_WRITE)))
1127 ipipe = get_pipe_info(in, true);
1128 opipe = get_pipe_info(out, true);
1130 if (ipipe && opipe) {
1131 if (off_in || off_out)
1134 /* Splicing to self would be fun, but... */
1138 if ((in->f_flags | out->f_flags) & O_NONBLOCK)
1139 flags |= SPLICE_F_NONBLOCK;
1141 return splice_pipe_to_pipe(ipipe, opipe, len, flags);
1148 if (!(out->f_mode & FMODE_PWRITE))
1152 offset = out->f_pos;
1155 if (unlikely(out->f_flags & O_APPEND))
1158 ret = rw_verify_area(WRITE, out, &offset, len);
1159 if (unlikely(ret < 0))
1162 if (in->f_flags & O_NONBLOCK)
1163 flags |= SPLICE_F_NONBLOCK;
1165 file_start_write(out);
1166 ret = do_splice_from(ipipe, out, &offset, len, flags);
1167 file_end_write(out);
1170 fsnotify_modify(out);
1173 out->f_pos = offset;
1184 if (!(in->f_mode & FMODE_PREAD))
1191 if (out->f_flags & O_NONBLOCK)
1192 flags |= SPLICE_F_NONBLOCK;
1194 ret = splice_file_to_pipe(in, opipe, &offset, len, flags);
1197 fsnotify_access(in);
1210 static long __do_splice(struct file *in, loff_t __user *off_in,
1211 struct file *out, loff_t __user *off_out,
1212 size_t len, unsigned int flags)
1214 struct pipe_inode_info *ipipe;
1215 struct pipe_inode_info *opipe;
1216 loff_t offset, *__off_in = NULL, *__off_out = NULL;
1219 ipipe = get_pipe_info(in, true);
1220 opipe = get_pipe_info(out, true);
1222 if (ipipe && off_in)
1224 if (opipe && off_out)
1228 if (copy_from_user(&offset, off_out, sizeof(loff_t)))
1230 __off_out = &offset;
1233 if (copy_from_user(&offset, off_in, sizeof(loff_t)))
1238 ret = do_splice(in, __off_in, out, __off_out, len, flags);
1242 if (__off_out && copy_to_user(off_out, __off_out, sizeof(loff_t)))
1244 if (__off_in && copy_to_user(off_in, __off_in, sizeof(loff_t)))
1250 static int iter_to_pipe(struct iov_iter *from,
1251 struct pipe_inode_info *pipe,
1254 struct pipe_buffer buf = {
1255 .ops = &user_page_pipe_buf_ops,
1261 while (iov_iter_count(from)) {
1262 struct page *pages[16];
1267 left = iov_iter_get_pages2(from, pages, ~0UL, 16, &start);
1273 n = DIV_ROUND_UP(left + start, PAGE_SIZE);
1274 for (i = 0; i < n; i++) {
1275 int size = min_t(int, left, PAGE_SIZE - start);
1277 buf.page = pages[i];
1280 ret = add_to_pipe(pipe, &buf);
1281 if (unlikely(ret < 0)) {
1282 iov_iter_revert(from, left);
1283 // this one got dropped by add_to_pipe()
1294 return total ? total : ret;
1297 static int pipe_to_user(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
1298 struct splice_desc *sd)
1300 int n = copy_page_to_iter(buf->page, buf->offset, sd->len, sd->u.data);
1301 return n == sd->len ? n : -EFAULT;
1305 * For lack of a better implementation, implement vmsplice() to userspace
1306 * as a simple copy of the pipes pages to the user iov.
1308 static long vmsplice_to_user(struct file *file, struct iov_iter *iter,
1311 struct pipe_inode_info *pipe = get_pipe_info(file, true);
1312 struct splice_desc sd = {
1313 .total_len = iov_iter_count(iter),
1324 ret = __splice_from_pipe(pipe, &sd, pipe_to_user);
1332 * vmsplice splices a user address range into a pipe. It can be thought of
1333 * as splice-from-memory, where the regular splice is splice-from-file (or
1334 * to file). In both cases the output is a pipe, naturally.
1336 static long vmsplice_to_pipe(struct file *file, struct iov_iter *iter,
1339 struct pipe_inode_info *pipe;
1341 unsigned buf_flag = 0;
1343 if (flags & SPLICE_F_GIFT)
1344 buf_flag = PIPE_BUF_FLAG_GIFT;
1346 pipe = get_pipe_info(file, true);
1351 ret = wait_for_space(pipe, flags);
1353 ret = iter_to_pipe(iter, pipe, buf_flag);
1356 wakeup_pipe_readers(pipe);
1360 static int vmsplice_type(struct fd f, int *type)
1364 if (f.file->f_mode & FMODE_WRITE) {
1365 *type = ITER_SOURCE;
1366 } else if (f.file->f_mode & FMODE_READ) {
1376 * Note that vmsplice only really supports true splicing _from_ user memory
1377 * to a pipe, not the other way around. Splicing from user memory is a simple
1378 * operation that can be supported without any funky alignment restrictions
1379 * or nasty vm tricks. We simply map in the user memory and fill them into
1380 * a pipe. The reverse isn't quite as easy, though. There are two possible
1381 * solutions for that:
1383 * - memcpy() the data internally, at which point we might as well just
1384 * do a regular read() on the buffer anyway.
1385 * - Lots of nasty vm tricks, that are neither fast nor flexible (it
1386 * has restriction limitations on both ends of the pipe).
1388 * Currently we punt and implement it as a normal copy, see pipe_to_user().
1391 SYSCALL_DEFINE4(vmsplice, int, fd, const struct iovec __user *, uiov,
1392 unsigned long, nr_segs, unsigned int, flags)
1394 struct iovec iovstack[UIO_FASTIOV];
1395 struct iovec *iov = iovstack;
1396 struct iov_iter iter;
1401 if (unlikely(flags & ~SPLICE_F_ALL))
1405 error = vmsplice_type(f, &type);
1409 error = import_iovec(type, uiov, nr_segs,
1410 ARRAY_SIZE(iovstack), &iov, &iter);
1414 if (!iov_iter_count(&iter))
1416 else if (type == ITER_SOURCE)
1417 error = vmsplice_to_pipe(f.file, &iter, flags);
1419 error = vmsplice_to_user(f.file, &iter, flags);
1427 SYSCALL_DEFINE6(splice, int, fd_in, loff_t __user *, off_in,
1428 int, fd_out, loff_t __user *, off_out,
1429 size_t, len, unsigned int, flags)
1437 if (unlikely(flags & ~SPLICE_F_ALL))
1443 out = fdget(fd_out);
1445 error = __do_splice(in.file, off_in, out.file, off_out,
1455 * Make sure there's data to read. Wait for input if we can, otherwise
1456 * return an appropriate error.
1458 static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
1463 * Check the pipe occupancy without the inode lock first. This function
1464 * is speculative anyways, so missing one is ok.
1466 if (!pipe_empty(pipe->head, pipe->tail))
1472 while (pipe_empty(pipe->head, pipe->tail)) {
1473 if (signal_pending(current)) {
1479 if (flags & SPLICE_F_NONBLOCK) {
1483 pipe_wait_readable(pipe);
1491 * Make sure there's writeable room. Wait for room if we can, otherwise
1492 * return an appropriate error.
1494 static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
1499 * Check pipe occupancy without the inode lock first. This function
1500 * is speculative anyways, so missing one is ok.
1502 if (!pipe_full(pipe->head, pipe->tail, pipe->max_usage))
1508 while (pipe_full(pipe->head, pipe->tail, pipe->max_usage)) {
1509 if (!pipe->readers) {
1510 send_sig(SIGPIPE, current, 0);
1514 if (flags & SPLICE_F_NONBLOCK) {
1518 if (signal_pending(current)) {
1522 pipe_wait_writable(pipe);
1530 * Splice contents of ipipe to opipe.
1532 static int splice_pipe_to_pipe(struct pipe_inode_info *ipipe,
1533 struct pipe_inode_info *opipe,
1534 size_t len, unsigned int flags)
1536 struct pipe_buffer *ibuf, *obuf;
1537 unsigned int i_head, o_head;
1538 unsigned int i_tail, o_tail;
1539 unsigned int i_mask, o_mask;
1541 bool input_wakeup = false;
1545 ret = ipipe_prep(ipipe, flags);
1549 ret = opipe_prep(opipe, flags);
1554 * Potential ABBA deadlock, work around it by ordering lock
1555 * grabbing by pipe info address. Otherwise two different processes
1556 * could deadlock (one doing tee from A -> B, the other from B -> A).
1558 pipe_double_lock(ipipe, opipe);
1560 i_tail = ipipe->tail;
1561 i_mask = ipipe->ring_size - 1;
1562 o_head = opipe->head;
1563 o_mask = opipe->ring_size - 1;
1568 if (!opipe->readers) {
1569 send_sig(SIGPIPE, current, 0);
1575 i_head = ipipe->head;
1576 o_tail = opipe->tail;
1578 if (pipe_empty(i_head, i_tail) && !ipipe->writers)
1582 * Cannot make any progress, because either the input
1583 * pipe is empty or the output pipe is full.
1585 if (pipe_empty(i_head, i_tail) ||
1586 pipe_full(o_head, o_tail, opipe->max_usage)) {
1587 /* Already processed some buffers, break */
1591 if (flags & SPLICE_F_NONBLOCK) {
1597 * We raced with another reader/writer and haven't
1598 * managed to process any buffers. A zero return
1599 * value means EOF, so retry instead.
1606 ibuf = &ipipe->bufs[i_tail & i_mask];
1607 obuf = &opipe->bufs[o_head & o_mask];
1609 if (len >= ibuf->len) {
1611 * Simply move the whole buffer from ipipe to opipe
1616 ipipe->tail = i_tail;
1617 input_wakeup = true;
1620 opipe->head = o_head;
1623 * Get a reference to this pipe buffer,
1624 * so we can copy the contents over.
1626 if (!pipe_buf_get(ipipe, ibuf)) {
1634 * Don't inherit the gift and merge flags, we need to
1635 * prevent multiple steals of this page.
1637 obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
1638 obuf->flags &= ~PIPE_BUF_FLAG_CAN_MERGE;
1641 ibuf->offset += len;
1645 opipe->head = o_head;
1655 * If we put data in the output pipe, wakeup any potential readers.
1658 wakeup_pipe_readers(opipe);
1661 wakeup_pipe_writers(ipipe);
1667 * Link contents of ipipe to opipe.
1669 static int link_pipe(struct pipe_inode_info *ipipe,
1670 struct pipe_inode_info *opipe,
1671 size_t len, unsigned int flags)
1673 struct pipe_buffer *ibuf, *obuf;
1674 unsigned int i_head, o_head;
1675 unsigned int i_tail, o_tail;
1676 unsigned int i_mask, o_mask;
1680 * Potential ABBA deadlock, work around it by ordering lock
1681 * grabbing by pipe info address. Otherwise two different processes
1682 * could deadlock (one doing tee from A -> B, the other from B -> A).
1684 pipe_double_lock(ipipe, opipe);
1686 i_tail = ipipe->tail;
1687 i_mask = ipipe->ring_size - 1;
1688 o_head = opipe->head;
1689 o_mask = opipe->ring_size - 1;
1692 if (!opipe->readers) {
1693 send_sig(SIGPIPE, current, 0);
1699 i_head = ipipe->head;
1700 o_tail = opipe->tail;
1703 * If we have iterated all input buffers or run out of
1704 * output room, break.
1706 if (pipe_empty(i_head, i_tail) ||
1707 pipe_full(o_head, o_tail, opipe->max_usage))
1710 ibuf = &ipipe->bufs[i_tail & i_mask];
1711 obuf = &opipe->bufs[o_head & o_mask];
1714 * Get a reference to this pipe buffer,
1715 * so we can copy the contents over.
1717 if (!pipe_buf_get(ipipe, ibuf)) {
1726 * Don't inherit the gift and merge flag, we need to prevent
1727 * multiple steals of this page.
1729 obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
1730 obuf->flags &= ~PIPE_BUF_FLAG_CAN_MERGE;
1732 if (obuf->len > len)
1738 opipe->head = o_head;
1746 * If we put data in the output pipe, wakeup any potential readers.
1749 wakeup_pipe_readers(opipe);
1755 * This is a tee(1) implementation that works on pipes. It doesn't copy
1756 * any data, it simply references the 'in' pages on the 'out' pipe.
1757 * The 'flags' used are the SPLICE_F_* variants, currently the only
1758 * applicable one is SPLICE_F_NONBLOCK.
1760 long do_tee(struct file *in, struct file *out, size_t len, unsigned int flags)
1762 struct pipe_inode_info *ipipe = get_pipe_info(in, true);
1763 struct pipe_inode_info *opipe = get_pipe_info(out, true);
1766 if (unlikely(!(in->f_mode & FMODE_READ) ||
1767 !(out->f_mode & FMODE_WRITE)))
1771 * Duplicate the contents of ipipe to opipe without actually
1774 if (ipipe && opipe && ipipe != opipe) {
1775 if ((in->f_flags | out->f_flags) & O_NONBLOCK)
1776 flags |= SPLICE_F_NONBLOCK;
1779 * Keep going, unless we encounter an error. The ipipe/opipe
1780 * ordering doesn't really matter.
1782 ret = ipipe_prep(ipipe, flags);
1784 ret = opipe_prep(opipe, flags);
1786 ret = link_pipe(ipipe, opipe, len, flags);
1793 SYSCALL_DEFINE4(tee, int, fdin, int, fdout, size_t, len, unsigned int, flags)
1798 if (unlikely(flags & ~SPLICE_F_ALL))
1809 error = do_tee(in.file, out.file, len, flags);