1 // SPDX-License-Identifier: GPL-2.0-only
3 * "splice": joining two ropes together by interweaving their strands.
5 * This is the "extended pipe" functionality, where a pipe is used as
6 * an arbitrary in-memory buffer. Think of a pipe as a small kernel
7 * buffer that you can use to transfer data from one end to the other.
9 * The traditional unix read/write is extended with a "splice()" operation
10 * that transfers data buffers to or from a pipe buffer.
12 * Named by Larry McVoy, original implementation from Linus, extended by
13 * Jens to support splicing to files, network, direct splicing, etc and
14 * fixing lots of bugs.
16 * Copyright (C) 2005-2006 Jens Axboe <axboe@kernel.dk>
17 * Copyright (C) 2005-2006 Linus Torvalds <torvalds@osdl.org>
18 * Copyright (C) 2006 Ingo Molnar <mingo@elte.hu>
21 #include <linux/bvec.h>
23 #include <linux/file.h>
24 #include <linux/pagemap.h>
25 #include <linux/splice.h>
26 #include <linux/memcontrol.h>
27 #include <linux/mm_inline.h>
28 #include <linux/swap.h>
29 #include <linux/writeback.h>
30 #include <linux/export.h>
31 #include <linux/syscalls.h>
32 #include <linux/uio.h>
33 #include <linux/fsnotify.h>
34 #include <linux/security.h>
35 #include <linux/gfp.h>
36 #include <linux/socket.h>
37 #include <linux/sched/signal.h>
42 * Splice doesn't support FMODE_NOWAIT. Since pipes may set this flag to
43 * indicate they support non-blocking reads or writes, we must clear it
44 * here if set to avoid blocking other users of this pipe if splice is
47 static noinline void noinline pipe_clear_nowait(struct file *file)
49 fmode_t fmode = READ_ONCE(file->f_mode);
52 if (!(fmode & FMODE_NOWAIT))
54 } while (!try_cmpxchg(&file->f_mode, &fmode, fmode & ~FMODE_NOWAIT));
58 * Attempt to steal a page from a pipe buffer. This should perhaps go into
59 * a vm helper function, it's already simplified quite a bit by the
60 * addition of remove_mapping(). If success is returned, the caller may
61 * attempt to reuse this page for another destination.
63 static bool page_cache_pipe_buf_try_steal(struct pipe_inode_info *pipe,
64 struct pipe_buffer *buf)
66 struct folio *folio = page_folio(buf->page);
67 struct address_space *mapping;
71 mapping = folio_mapping(folio);
73 WARN_ON(!folio_test_uptodate(folio));
76 * At least for ext2 with nobh option, we need to wait on
77 * writeback completing on this folio, since we'll remove it
78 * from the pagecache. Otherwise truncate wont wait on the
79 * folio, allowing the disk blocks to be reused by someone else
80 * before we actually wrote our data to them. fs corruption
83 folio_wait_writeback(folio);
85 if (folio_has_private(folio) &&
86 !filemap_release_folio(folio, GFP_KERNEL))
90 * If we succeeded in removing the mapping, set LRU flag
93 if (remove_mapping(mapping, folio)) {
94 buf->flags |= PIPE_BUF_FLAG_LRU;
100 * Raced with truncate or failed to remove folio from current
101 * address space, unlock and return failure.
108 static void page_cache_pipe_buf_release(struct pipe_inode_info *pipe,
109 struct pipe_buffer *buf)
112 buf->flags &= ~PIPE_BUF_FLAG_LRU;
116 * Check whether the contents of buf is OK to access. Since the content
117 * is a page cache page, IO may be in flight.
119 static int page_cache_pipe_buf_confirm(struct pipe_inode_info *pipe,
120 struct pipe_buffer *buf)
122 struct page *page = buf->page;
125 if (!PageUptodate(page)) {
129 * Page got truncated/unhashed. This will cause a 0-byte
130 * splice, if this is the first page.
132 if (!page->mapping) {
138 * Uh oh, read-error from disk.
140 if (!PageUptodate(page)) {
146 * Page is ok afterall, we are done.
157 const struct pipe_buf_operations page_cache_pipe_buf_ops = {
158 .confirm = page_cache_pipe_buf_confirm,
159 .release = page_cache_pipe_buf_release,
160 .try_steal = page_cache_pipe_buf_try_steal,
161 .get = generic_pipe_buf_get,
164 static bool user_page_pipe_buf_try_steal(struct pipe_inode_info *pipe,
165 struct pipe_buffer *buf)
167 if (!(buf->flags & PIPE_BUF_FLAG_GIFT))
170 buf->flags |= PIPE_BUF_FLAG_LRU;
171 return generic_pipe_buf_try_steal(pipe, buf);
174 static const struct pipe_buf_operations user_page_pipe_buf_ops = {
175 .release = page_cache_pipe_buf_release,
176 .try_steal = user_page_pipe_buf_try_steal,
177 .get = generic_pipe_buf_get,
180 static void wakeup_pipe_readers(struct pipe_inode_info *pipe)
183 if (waitqueue_active(&pipe->rd_wait))
184 wake_up_interruptible(&pipe->rd_wait);
185 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
189 * splice_to_pipe - fill passed data into a pipe
190 * @pipe: pipe to fill
194 * @spd contains a map of pages and len/offset tuples, along with
195 * the struct pipe_buf_operations associated with these pages. This
196 * function will link that data to the pipe.
199 ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
200 struct splice_pipe_desc *spd)
202 unsigned int spd_pages = spd->nr_pages;
203 unsigned int tail = pipe->tail;
204 unsigned int head = pipe->head;
205 unsigned int mask = pipe->ring_size - 1;
206 int ret = 0, page_nr = 0;
211 if (unlikely(!pipe->readers)) {
212 send_sig(SIGPIPE, current, 0);
217 while (!pipe_full(head, tail, pipe->max_usage)) {
218 struct pipe_buffer *buf = &pipe->bufs[head & mask];
220 buf->page = spd->pages[page_nr];
221 buf->offset = spd->partial[page_nr].offset;
222 buf->len = spd->partial[page_nr].len;
223 buf->private = spd->partial[page_nr].private;
232 if (!--spd->nr_pages)
240 while (page_nr < spd_pages)
241 spd->spd_release(spd, page_nr++);
245 EXPORT_SYMBOL_GPL(splice_to_pipe);
247 ssize_t add_to_pipe(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
249 unsigned int head = pipe->head;
250 unsigned int tail = pipe->tail;
251 unsigned int mask = pipe->ring_size - 1;
254 if (unlikely(!pipe->readers)) {
255 send_sig(SIGPIPE, current, 0);
257 } else if (pipe_full(head, tail, pipe->max_usage)) {
260 pipe->bufs[head & mask] = *buf;
261 pipe->head = head + 1;
264 pipe_buf_release(pipe, buf);
267 EXPORT_SYMBOL(add_to_pipe);
270 * Check if we need to grow the arrays holding pages and partial page
273 int splice_grow_spd(const struct pipe_inode_info *pipe, struct splice_pipe_desc *spd)
275 unsigned int max_usage = READ_ONCE(pipe->max_usage);
277 spd->nr_pages_max = max_usage;
278 if (max_usage <= PIPE_DEF_BUFFERS)
281 spd->pages = kmalloc_array(max_usage, sizeof(struct page *), GFP_KERNEL);
282 spd->partial = kmalloc_array(max_usage, sizeof(struct partial_page),
285 if (spd->pages && spd->partial)
293 void splice_shrink_spd(struct splice_pipe_desc *spd)
295 if (spd->nr_pages_max <= PIPE_DEF_BUFFERS)
303 * copy_splice_read - Copy data from a file and splice the copy into a pipe
304 * @in: The file to read from
305 * @ppos: Pointer to the file position to read from
306 * @pipe: The pipe to splice into
307 * @len: The amount to splice
308 * @flags: The SPLICE_F_* flags
310 * This function allocates a bunch of pages sufficient to hold the requested
311 * amount of data (but limited by the remaining pipe capacity), passes it to
312 * the file's ->read_iter() to read into and then splices the used pages into
315 * Return: On success, the number of bytes read will be returned and *@ppos
316 * will be updated if appropriate; 0 will be returned if there is no more data
317 * to be read; -EAGAIN will be returned if the pipe had no space, and some
318 * other negative error code will be returned on error. A short read may occur
319 * if the pipe has insufficient space, we reach the end of the data or we hit a
322 ssize_t copy_splice_read(struct file *in, loff_t *ppos,
323 struct pipe_inode_info *pipe,
324 size_t len, unsigned int flags)
331 size_t used, npages, chunk, remain, keep = 0;
334 /* Work out how much data we can actually add into the pipe */
335 used = pipe_occupancy(pipe->head, pipe->tail);
336 npages = max_t(ssize_t, pipe->max_usage - used, 0);
337 len = min_t(size_t, len, npages * PAGE_SIZE);
338 npages = DIV_ROUND_UP(len, PAGE_SIZE);
340 bv = kzalloc(array_size(npages, sizeof(bv[0])) +
341 array_size(npages, sizeof(struct page *)), GFP_KERNEL);
345 pages = (struct page **)(bv + npages);
346 npages = alloc_pages_bulk_array(GFP_USER, npages, pages);
352 remain = len = min_t(size_t, len, npages * PAGE_SIZE);
354 for (i = 0; i < npages; i++) {
355 chunk = min_t(size_t, PAGE_SIZE, remain);
356 bv[i].bv_page = pages[i];
358 bv[i].bv_len = chunk;
363 iov_iter_bvec(&to, ITER_DEST, bv, npages, len);
364 init_sync_kiocb(&kiocb, in);
365 kiocb.ki_pos = *ppos;
366 ret = call_read_iter(in, &kiocb, &to);
369 keep = DIV_ROUND_UP(ret, PAGE_SIZE);
370 *ppos = kiocb.ki_pos;
372 } else if (ret < 0) {
374 * callers of ->splice_read() expect -EAGAIN on
375 * "can't put anything in there", rather than -EFAULT.
381 /* Free any pages that didn't get touched at all. */
383 release_pages(pages + keep, npages - keep);
385 /* Push the remaining pages into the pipe. */
387 for (i = 0; i < keep; i++) {
388 struct pipe_buffer *buf = pipe_head_buf(pipe);
390 chunk = min_t(size_t, remain, PAGE_SIZE);
391 *buf = (struct pipe_buffer) {
392 .ops = &default_pipe_buf_ops,
393 .page = bv[i].bv_page,
404 EXPORT_SYMBOL(copy_splice_read);
406 const struct pipe_buf_operations default_pipe_buf_ops = {
407 .release = generic_pipe_buf_release,
408 .try_steal = generic_pipe_buf_try_steal,
409 .get = generic_pipe_buf_get,
412 /* Pipe buffer operations for a socket and similar. */
413 const struct pipe_buf_operations nosteal_pipe_buf_ops = {
414 .release = generic_pipe_buf_release,
415 .get = generic_pipe_buf_get,
417 EXPORT_SYMBOL(nosteal_pipe_buf_ops);
420 * Send 'sd->len' bytes to socket from 'sd->file' at position 'sd->pos'
421 * using sendpage(). Return the number of bytes sent.
423 static int pipe_to_sendpage(struct pipe_inode_info *pipe,
424 struct pipe_buffer *buf, struct splice_desc *sd)
426 struct file *file = sd->u.file;
427 loff_t pos = sd->pos;
430 if (!likely(file->f_op->sendpage))
433 more = (sd->flags & SPLICE_F_MORE) ? MSG_MORE : 0;
435 if (sd->len < sd->total_len &&
436 pipe_occupancy(pipe->head, pipe->tail) > 1)
437 more |= MSG_SENDPAGE_NOTLAST;
439 return file->f_op->sendpage(file, buf->page, buf->offset,
440 sd->len, &pos, more);
443 static void wakeup_pipe_writers(struct pipe_inode_info *pipe)
446 if (waitqueue_active(&pipe->wr_wait))
447 wake_up_interruptible(&pipe->wr_wait);
448 kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
452 * splice_from_pipe_feed - feed available data from a pipe to a file
453 * @pipe: pipe to splice from
454 * @sd: information to @actor
455 * @actor: handler that splices the data
458 * This function loops over the pipe and calls @actor to do the
459 * actual moving of a single struct pipe_buffer to the desired
460 * destination. It returns when there's no more buffers left in
461 * the pipe or if the requested number of bytes (@sd->total_len)
462 * have been copied. It returns a positive number (one) if the
463 * pipe needs to be filled with more data, zero if the required
464 * number of bytes have been copied and -errno on error.
466 * This, together with splice_from_pipe_{begin,end,next}, may be
467 * used to implement the functionality of __splice_from_pipe() when
468 * locking is required around copying the pipe buffers to the
471 static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_desc *sd,
474 unsigned int head = pipe->head;
475 unsigned int tail = pipe->tail;
476 unsigned int mask = pipe->ring_size - 1;
479 while (!pipe_empty(head, tail)) {
480 struct pipe_buffer *buf = &pipe->bufs[tail & mask];
483 if (sd->len > sd->total_len)
484 sd->len = sd->total_len;
486 ret = pipe_buf_confirm(pipe, buf);
493 ret = actor(pipe, buf, sd);
500 sd->num_spliced += ret;
503 sd->total_len -= ret;
506 pipe_buf_release(pipe, buf);
510 sd->need_wakeup = true;
520 /* We know we have a pipe buffer, but maybe it's empty? */
521 static inline bool eat_empty_buffer(struct pipe_inode_info *pipe)
523 unsigned int tail = pipe->tail;
524 unsigned int mask = pipe->ring_size - 1;
525 struct pipe_buffer *buf = &pipe->bufs[tail & mask];
527 if (unlikely(!buf->len)) {
528 pipe_buf_release(pipe, buf);
537 * splice_from_pipe_next - wait for some data to splice from
538 * @pipe: pipe to splice from
539 * @sd: information about the splice operation
542 * This function will wait for some data and return a positive
543 * value (one) if pipe buffers are available. It will return zero
544 * or -errno if no more data needs to be spliced.
546 static int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
549 * Check for signal early to make process killable when there are
550 * always buffers available
552 if (signal_pending(current))
556 while (pipe_empty(pipe->head, pipe->tail)) {
563 if (sd->flags & SPLICE_F_NONBLOCK)
566 if (signal_pending(current))
569 if (sd->need_wakeup) {
570 wakeup_pipe_writers(pipe);
571 sd->need_wakeup = false;
574 pipe_wait_readable(pipe);
577 if (eat_empty_buffer(pipe))
584 * splice_from_pipe_begin - start splicing from pipe
585 * @sd: information about the splice operation
588 * This function should be called before a loop containing
589 * splice_from_pipe_next() and splice_from_pipe_feed() to
590 * initialize the necessary fields of @sd.
592 static void splice_from_pipe_begin(struct splice_desc *sd)
595 sd->need_wakeup = false;
599 * splice_from_pipe_end - finish splicing from pipe
600 * @pipe: pipe to splice from
601 * @sd: information about the splice operation
604 * This function will wake up pipe writers if necessary. It should
605 * be called after a loop containing splice_from_pipe_next() and
606 * splice_from_pipe_feed().
608 static void splice_from_pipe_end(struct pipe_inode_info *pipe, struct splice_desc *sd)
611 wakeup_pipe_writers(pipe);
615 * __splice_from_pipe - splice data from a pipe to given actor
616 * @pipe: pipe to splice from
617 * @sd: information to @actor
618 * @actor: handler that splices the data
621 * This function does little more than loop over the pipe and call
622 * @actor to do the actual moving of a single struct pipe_buffer to
623 * the desired destination. See pipe_to_file, pipe_to_sendpage, or
627 ssize_t __splice_from_pipe(struct pipe_inode_info *pipe, struct splice_desc *sd,
632 splice_from_pipe_begin(sd);
635 ret = splice_from_pipe_next(pipe, sd);
637 ret = splice_from_pipe_feed(pipe, sd, actor);
639 splice_from_pipe_end(pipe, sd);
641 return sd->num_spliced ? sd->num_spliced : ret;
643 EXPORT_SYMBOL(__splice_from_pipe);
646 * splice_from_pipe - splice data from a pipe to a file
647 * @pipe: pipe to splice from
648 * @out: file to splice to
649 * @ppos: position in @out
650 * @len: how many bytes to splice
651 * @flags: splice modifier flags
652 * @actor: handler that splices the data
655 * See __splice_from_pipe. This function locks the pipe inode,
656 * otherwise it's identical to __splice_from_pipe().
659 ssize_t splice_from_pipe(struct pipe_inode_info *pipe, struct file *out,
660 loff_t *ppos, size_t len, unsigned int flags,
664 struct splice_desc sd = {
672 ret = __splice_from_pipe(pipe, &sd, actor);
679 * iter_file_splice_write - splice data from a pipe to a file
681 * @out: file to write to
682 * @ppos: position in @out
683 * @len: number of bytes to splice
684 * @flags: splice modifier flags
687 * Will either move or copy pages (determined by @flags options) from
688 * the given pipe inode to the given file.
689 * This one is ->write_iter-based.
693 iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
694 loff_t *ppos, size_t len, unsigned int flags)
696 struct splice_desc sd = {
702 int nbufs = pipe->max_usage;
703 struct bio_vec *array = kcalloc(nbufs, sizeof(struct bio_vec),
707 if (unlikely(!array))
712 splice_from_pipe_begin(&sd);
713 while (sd.total_len) {
714 struct iov_iter from;
715 unsigned int head, tail, mask;
719 ret = splice_from_pipe_next(pipe, &sd);
723 if (unlikely(nbufs < pipe->max_usage)) {
725 nbufs = pipe->max_usage;
726 array = kcalloc(nbufs, sizeof(struct bio_vec),
736 mask = pipe->ring_size - 1;
738 /* build the vector */
740 for (n = 0; !pipe_empty(head, tail) && left && n < nbufs; tail++) {
741 struct pipe_buffer *buf = &pipe->bufs[tail & mask];
742 size_t this_len = buf->len;
744 /* zero-length bvecs are not supported, skip them */
747 this_len = min(this_len, left);
749 ret = pipe_buf_confirm(pipe, buf);
756 bvec_set_page(&array[n], buf->page, this_len,
762 iov_iter_bvec(&from, ITER_SOURCE, array, n, sd.total_len - left);
763 ret = vfs_iter_write(out, &from, &sd.pos, 0);
767 sd.num_spliced += ret;
771 /* dismiss the fully eaten buffers, adjust the partial one */
774 struct pipe_buffer *buf = &pipe->bufs[tail & mask];
775 if (ret >= buf->len) {
778 pipe_buf_release(pipe, buf);
782 sd.need_wakeup = true;
792 splice_from_pipe_end(pipe, &sd);
797 ret = sd.num_spliced;
802 EXPORT_SYMBOL(iter_file_splice_write);
805 * generic_splice_sendpage - splice data from a pipe to a socket
806 * @pipe: pipe to splice from
807 * @out: socket to write to
808 * @ppos: position in @out
809 * @len: number of bytes to splice
810 * @flags: splice modifier flags
813 * Will send @len bytes from the pipe to a network socket. No data copying
817 ssize_t generic_splice_sendpage(struct pipe_inode_info *pipe, struct file *out,
818 loff_t *ppos, size_t len, unsigned int flags)
820 return splice_from_pipe(pipe, out, ppos, len, flags, pipe_to_sendpage);
823 EXPORT_SYMBOL(generic_splice_sendpage);
825 static int warn_unsupported(struct file *file, const char *op)
827 pr_debug_ratelimited(
828 "splice %s not supported for file %pD4 (pid: %d comm: %.20s)\n",
829 op, file, current->pid, current->comm);
834 * Attempt to initiate a splice from pipe to file.
836 static long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
837 loff_t *ppos, size_t len, unsigned int flags)
839 if (unlikely(!out->f_op->splice_write))
840 return warn_unsupported(out, "write");
841 return out->f_op->splice_write(pipe, out, ppos, len, flags);
845 * vfs_splice_read - Read data from a file and splice it into a pipe
846 * @in: File to splice from
847 * @ppos: Input file offset
848 * @pipe: Pipe to splice to
849 * @len: Number of bytes to splice
850 * @flags: Splice modifier flags (SPLICE_F_*)
852 * Splice the requested amount of data from the input file to the pipe. This
853 * is synchronous as the caller must hold the pipe lock across the entire
856 * If successful, it returns the amount of data spliced, 0 if it hit the EOF or
857 * a hole and a negative error code otherwise.
859 long vfs_splice_read(struct file *in, loff_t *ppos,
860 struct pipe_inode_info *pipe, size_t len,
863 unsigned int p_space;
866 if (unlikely(!(in->f_mode & FMODE_READ)))
871 /* Don't try to read more the pipe has space for. */
872 p_space = pipe->max_usage - pipe_occupancy(pipe->head, pipe->tail);
873 len = min_t(size_t, len, p_space << PAGE_SHIFT);
875 ret = rw_verify_area(READ, in, ppos, len);
876 if (unlikely(ret < 0))
879 if (unlikely(len > MAX_RW_COUNT))
882 if (unlikely(!in->f_op->splice_read))
883 return warn_unsupported(in, "read");
885 * O_DIRECT and DAX don't deal with the pagecache, so we allocate a
886 * buffer, copy into it and splice that into the pipe.
888 if ((in->f_flags & O_DIRECT) || IS_DAX(in->f_mapping->host))
889 return copy_splice_read(in, ppos, pipe, len, flags);
890 return in->f_op->splice_read(in, ppos, pipe, len, flags);
892 EXPORT_SYMBOL_GPL(vfs_splice_read);
895 * splice_direct_to_actor - splices data directly between two non-pipes
896 * @in: file to splice from
897 * @sd: actor information on where to splice to
898 * @actor: handles the data splicing
901 * This is a special case helper to splice directly between two
902 * points, without requiring an explicit pipe. Internally an allocated
903 * pipe is cached in the process, and reused during the lifetime of
907 ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
908 splice_direct_actor *actor)
910 struct pipe_inode_info *pipe;
916 * We require the input to be seekable, as we don't want to randomly
917 * drop data for eg socket -> socket splicing. Use the piped splicing
920 if (unlikely(!(in->f_mode & FMODE_LSEEK)))
924 * neither in nor out is a pipe, setup an internal pipe attached to
925 * 'out' and transfer the wanted data from 'in' to 'out' through that
927 pipe = current->splice_pipe;
928 if (unlikely(!pipe)) {
929 pipe = alloc_pipe_info();
934 * We don't have an immediate reader, but we'll read the stuff
935 * out of the pipe right after the splice_to_pipe(). So set
936 * PIPE_READERS appropriately.
940 current->splice_pipe = pipe;
951 * Don't block on output, we have to drain the direct pipe.
953 sd->flags &= ~SPLICE_F_NONBLOCK;
954 more = sd->flags & SPLICE_F_MORE;
956 WARN_ON_ONCE(!pipe_empty(pipe->head, pipe->tail));
960 loff_t pos = sd->pos, prev_pos = pos;
962 ret = vfs_splice_read(in, &pos, pipe, len, flags);
963 if (unlikely(ret <= 0))
967 sd->total_len = read_len;
970 * If more data is pending, set SPLICE_F_MORE
971 * If this is the last data and SPLICE_F_MORE was not set
972 * initially, clears it.
975 sd->flags |= SPLICE_F_MORE;
977 sd->flags &= ~SPLICE_F_MORE;
979 * NOTE: nonblocking mode only applies to the input. We
980 * must not do the output in nonblocking mode as then we
981 * could get stuck data in the internal pipe:
983 ret = actor(pipe, sd);
984 if (unlikely(ret <= 0)) {
993 if (ret < read_len) {
994 sd->pos = prev_pos + ret;
1000 pipe->tail = pipe->head = 0;
1006 * If we did an incomplete transfer we must release
1007 * the pipe buffers in question:
1009 for (i = 0; i < pipe->ring_size; i++) {
1010 struct pipe_buffer *buf = &pipe->bufs[i];
1013 pipe_buf_release(pipe, buf);
1021 EXPORT_SYMBOL(splice_direct_to_actor);
1023 static int direct_splice_actor(struct pipe_inode_info *pipe,
1024 struct splice_desc *sd)
1026 struct file *file = sd->u.file;
1028 return do_splice_from(pipe, file, sd->opos, sd->total_len,
1033 * do_splice_direct - splices data directly between two files
1034 * @in: file to splice from
1035 * @ppos: input file offset
1036 * @out: file to splice to
1037 * @opos: output file offset
1038 * @len: number of bytes to splice
1039 * @flags: splice modifier flags
1042 * For use by do_sendfile(). splice can easily emulate sendfile, but
1043 * doing it in the application would incur an extra system call
1044 * (splice in + splice out, as compared to just sendfile()). So this helper
1045 * can splice directly through a process-private pipe.
1048 long do_splice_direct(struct file *in, loff_t *ppos, struct file *out,
1049 loff_t *opos, size_t len, unsigned int flags)
1051 struct splice_desc sd = {
1061 if (unlikely(!(out->f_mode & FMODE_WRITE)))
1064 if (unlikely(out->f_flags & O_APPEND))
1067 ret = rw_verify_area(WRITE, out, opos, len);
1068 if (unlikely(ret < 0))
1071 ret = splice_direct_to_actor(in, &sd, direct_splice_actor);
1077 EXPORT_SYMBOL(do_splice_direct);
1079 static int wait_for_space(struct pipe_inode_info *pipe, unsigned flags)
1082 if (unlikely(!pipe->readers)) {
1083 send_sig(SIGPIPE, current, 0);
1086 if (!pipe_full(pipe->head, pipe->tail, pipe->max_usage))
1088 if (flags & SPLICE_F_NONBLOCK)
1090 if (signal_pending(current))
1091 return -ERESTARTSYS;
1092 pipe_wait_writable(pipe);
1096 static int splice_pipe_to_pipe(struct pipe_inode_info *ipipe,
1097 struct pipe_inode_info *opipe,
1098 size_t len, unsigned int flags);
1100 long splice_file_to_pipe(struct file *in,
1101 struct pipe_inode_info *opipe,
1103 size_t len, unsigned int flags)
1108 ret = wait_for_space(opipe, flags);
1110 ret = vfs_splice_read(in, offset, opipe, len, flags);
1113 wakeup_pipe_readers(opipe);
1118 * Determine where to splice to/from.
1120 long do_splice(struct file *in, loff_t *off_in, struct file *out,
1121 loff_t *off_out, size_t len, unsigned int flags)
1123 struct pipe_inode_info *ipipe;
1124 struct pipe_inode_info *opipe;
1128 if (unlikely(!(in->f_mode & FMODE_READ) ||
1129 !(out->f_mode & FMODE_WRITE)))
1132 ipipe = get_pipe_info(in, true);
1133 opipe = get_pipe_info(out, true);
1135 if (ipipe && opipe) {
1136 if (off_in || off_out)
1139 /* Splicing to self would be fun, but... */
1143 if ((in->f_flags | out->f_flags) & O_NONBLOCK)
1144 flags |= SPLICE_F_NONBLOCK;
1146 return splice_pipe_to_pipe(ipipe, opipe, len, flags);
1153 if (!(out->f_mode & FMODE_PWRITE))
1157 offset = out->f_pos;
1160 if (unlikely(out->f_flags & O_APPEND))
1163 ret = rw_verify_area(WRITE, out, &offset, len);
1164 if (unlikely(ret < 0))
1167 if (in->f_flags & O_NONBLOCK)
1168 flags |= SPLICE_F_NONBLOCK;
1170 file_start_write(out);
1171 ret = do_splice_from(ipipe, out, &offset, len, flags);
1172 file_end_write(out);
1175 fsnotify_modify(out);
1178 out->f_pos = offset;
1189 if (!(in->f_mode & FMODE_PREAD))
1196 if (out->f_flags & O_NONBLOCK)
1197 flags |= SPLICE_F_NONBLOCK;
1199 ret = splice_file_to_pipe(in, opipe, &offset, len, flags);
1202 fsnotify_access(in);
1215 static long __do_splice(struct file *in, loff_t __user *off_in,
1216 struct file *out, loff_t __user *off_out,
1217 size_t len, unsigned int flags)
1219 struct pipe_inode_info *ipipe;
1220 struct pipe_inode_info *opipe;
1221 loff_t offset, *__off_in = NULL, *__off_out = NULL;
1224 ipipe = get_pipe_info(in, true);
1225 opipe = get_pipe_info(out, true);
1230 pipe_clear_nowait(in);
1235 pipe_clear_nowait(out);
1239 if (copy_from_user(&offset, off_out, sizeof(loff_t)))
1241 __off_out = &offset;
1244 if (copy_from_user(&offset, off_in, sizeof(loff_t)))
1249 ret = do_splice(in, __off_in, out, __off_out, len, flags);
1253 if (__off_out && copy_to_user(off_out, __off_out, sizeof(loff_t)))
1255 if (__off_in && copy_to_user(off_in, __off_in, sizeof(loff_t)))
1261 static int iter_to_pipe(struct iov_iter *from,
1262 struct pipe_inode_info *pipe,
1265 struct pipe_buffer buf = {
1266 .ops = &user_page_pipe_buf_ops,
1272 while (iov_iter_count(from)) {
1273 struct page *pages[16];
1278 left = iov_iter_get_pages2(from, pages, ~0UL, 16, &start);
1284 n = DIV_ROUND_UP(left + start, PAGE_SIZE);
1285 for (i = 0; i < n; i++) {
1286 int size = min_t(int, left, PAGE_SIZE - start);
1288 buf.page = pages[i];
1291 ret = add_to_pipe(pipe, &buf);
1292 if (unlikely(ret < 0)) {
1293 iov_iter_revert(from, left);
1294 // this one got dropped by add_to_pipe()
1305 return total ? total : ret;
1308 static int pipe_to_user(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
1309 struct splice_desc *sd)
1311 int n = copy_page_to_iter(buf->page, buf->offset, sd->len, sd->u.data);
1312 return n == sd->len ? n : -EFAULT;
1316 * For lack of a better implementation, implement vmsplice() to userspace
1317 * as a simple copy of the pipes pages to the user iov.
1319 static long vmsplice_to_user(struct file *file, struct iov_iter *iter,
1322 struct pipe_inode_info *pipe = get_pipe_info(file, true);
1323 struct splice_desc sd = {
1324 .total_len = iov_iter_count(iter),
1333 pipe_clear_nowait(file);
1337 ret = __splice_from_pipe(pipe, &sd, pipe_to_user);
1345 * vmsplice splices a user address range into a pipe. It can be thought of
1346 * as splice-from-memory, where the regular splice is splice-from-file (or
1347 * to file). In both cases the output is a pipe, naturally.
1349 static long vmsplice_to_pipe(struct file *file, struct iov_iter *iter,
1352 struct pipe_inode_info *pipe;
1354 unsigned buf_flag = 0;
1356 if (flags & SPLICE_F_GIFT)
1357 buf_flag = PIPE_BUF_FLAG_GIFT;
1359 pipe = get_pipe_info(file, true);
1363 pipe_clear_nowait(file);
1366 ret = wait_for_space(pipe, flags);
1368 ret = iter_to_pipe(iter, pipe, buf_flag);
1371 wakeup_pipe_readers(pipe);
1375 static int vmsplice_type(struct fd f, int *type)
1379 if (f.file->f_mode & FMODE_WRITE) {
1380 *type = ITER_SOURCE;
1381 } else if (f.file->f_mode & FMODE_READ) {
1391 * Note that vmsplice only really supports true splicing _from_ user memory
1392 * to a pipe, not the other way around. Splicing from user memory is a simple
1393 * operation that can be supported without any funky alignment restrictions
1394 * or nasty vm tricks. We simply map in the user memory and fill them into
1395 * a pipe. The reverse isn't quite as easy, though. There are two possible
1396 * solutions for that:
1398 * - memcpy() the data internally, at which point we might as well just
1399 * do a regular read() on the buffer anyway.
1400 * - Lots of nasty vm tricks, that are neither fast nor flexible (it
1401 * has restriction limitations on both ends of the pipe).
1403 * Currently we punt and implement it as a normal copy, see pipe_to_user().
1406 SYSCALL_DEFINE4(vmsplice, int, fd, const struct iovec __user *, uiov,
1407 unsigned long, nr_segs, unsigned int, flags)
1409 struct iovec iovstack[UIO_FASTIOV];
1410 struct iovec *iov = iovstack;
1411 struct iov_iter iter;
1416 if (unlikely(flags & ~SPLICE_F_ALL))
1420 error = vmsplice_type(f, &type);
1424 error = import_iovec(type, uiov, nr_segs,
1425 ARRAY_SIZE(iovstack), &iov, &iter);
1429 if (!iov_iter_count(&iter))
1431 else if (type == ITER_SOURCE)
1432 error = vmsplice_to_pipe(f.file, &iter, flags);
1434 error = vmsplice_to_user(f.file, &iter, flags);
1442 SYSCALL_DEFINE6(splice, int, fd_in, loff_t __user *, off_in,
1443 int, fd_out, loff_t __user *, off_out,
1444 size_t, len, unsigned int, flags)
1452 if (unlikely(flags & ~SPLICE_F_ALL))
1458 out = fdget(fd_out);
1460 error = __do_splice(in.file, off_in, out.file, off_out,
1470 * Make sure there's data to read. Wait for input if we can, otherwise
1471 * return an appropriate error.
1473 static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
1478 * Check the pipe occupancy without the inode lock first. This function
1479 * is speculative anyways, so missing one is ok.
1481 if (!pipe_empty(pipe->head, pipe->tail))
1487 while (pipe_empty(pipe->head, pipe->tail)) {
1488 if (signal_pending(current)) {
1494 if (flags & SPLICE_F_NONBLOCK) {
1498 pipe_wait_readable(pipe);
1506 * Make sure there's writeable room. Wait for room if we can, otherwise
1507 * return an appropriate error.
1509 static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
1514 * Check pipe occupancy without the inode lock first. This function
1515 * is speculative anyways, so missing one is ok.
1517 if (!pipe_full(pipe->head, pipe->tail, pipe->max_usage))
1523 while (pipe_full(pipe->head, pipe->tail, pipe->max_usage)) {
1524 if (!pipe->readers) {
1525 send_sig(SIGPIPE, current, 0);
1529 if (flags & SPLICE_F_NONBLOCK) {
1533 if (signal_pending(current)) {
1537 pipe_wait_writable(pipe);
1545 * Splice contents of ipipe to opipe.
1547 static int splice_pipe_to_pipe(struct pipe_inode_info *ipipe,
1548 struct pipe_inode_info *opipe,
1549 size_t len, unsigned int flags)
1551 struct pipe_buffer *ibuf, *obuf;
1552 unsigned int i_head, o_head;
1553 unsigned int i_tail, o_tail;
1554 unsigned int i_mask, o_mask;
1556 bool input_wakeup = false;
1560 ret = ipipe_prep(ipipe, flags);
1564 ret = opipe_prep(opipe, flags);
1569 * Potential ABBA deadlock, work around it by ordering lock
1570 * grabbing by pipe info address. Otherwise two different processes
1571 * could deadlock (one doing tee from A -> B, the other from B -> A).
1573 pipe_double_lock(ipipe, opipe);
1575 i_tail = ipipe->tail;
1576 i_mask = ipipe->ring_size - 1;
1577 o_head = opipe->head;
1578 o_mask = opipe->ring_size - 1;
1583 if (!opipe->readers) {
1584 send_sig(SIGPIPE, current, 0);
1590 i_head = ipipe->head;
1591 o_tail = opipe->tail;
1593 if (pipe_empty(i_head, i_tail) && !ipipe->writers)
1597 * Cannot make any progress, because either the input
1598 * pipe is empty or the output pipe is full.
1600 if (pipe_empty(i_head, i_tail) ||
1601 pipe_full(o_head, o_tail, opipe->max_usage)) {
1602 /* Already processed some buffers, break */
1606 if (flags & SPLICE_F_NONBLOCK) {
1612 * We raced with another reader/writer and haven't
1613 * managed to process any buffers. A zero return
1614 * value means EOF, so retry instead.
1621 ibuf = &ipipe->bufs[i_tail & i_mask];
1622 obuf = &opipe->bufs[o_head & o_mask];
1624 if (len >= ibuf->len) {
1626 * Simply move the whole buffer from ipipe to opipe
1631 ipipe->tail = i_tail;
1632 input_wakeup = true;
1635 opipe->head = o_head;
1638 * Get a reference to this pipe buffer,
1639 * so we can copy the contents over.
1641 if (!pipe_buf_get(ipipe, ibuf)) {
1649 * Don't inherit the gift and merge flags, we need to
1650 * prevent multiple steals of this page.
1652 obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
1653 obuf->flags &= ~PIPE_BUF_FLAG_CAN_MERGE;
1656 ibuf->offset += len;
1660 opipe->head = o_head;
1670 * If we put data in the output pipe, wakeup any potential readers.
1673 wakeup_pipe_readers(opipe);
1676 wakeup_pipe_writers(ipipe);
1682 * Link contents of ipipe to opipe.
1684 static int link_pipe(struct pipe_inode_info *ipipe,
1685 struct pipe_inode_info *opipe,
1686 size_t len, unsigned int flags)
1688 struct pipe_buffer *ibuf, *obuf;
1689 unsigned int i_head, o_head;
1690 unsigned int i_tail, o_tail;
1691 unsigned int i_mask, o_mask;
1695 * Potential ABBA deadlock, work around it by ordering lock
1696 * grabbing by pipe info address. Otherwise two different processes
1697 * could deadlock (one doing tee from A -> B, the other from B -> A).
1699 pipe_double_lock(ipipe, opipe);
1701 i_tail = ipipe->tail;
1702 i_mask = ipipe->ring_size - 1;
1703 o_head = opipe->head;
1704 o_mask = opipe->ring_size - 1;
1707 if (!opipe->readers) {
1708 send_sig(SIGPIPE, current, 0);
1714 i_head = ipipe->head;
1715 o_tail = opipe->tail;
1718 * If we have iterated all input buffers or run out of
1719 * output room, break.
1721 if (pipe_empty(i_head, i_tail) ||
1722 pipe_full(o_head, o_tail, opipe->max_usage))
1725 ibuf = &ipipe->bufs[i_tail & i_mask];
1726 obuf = &opipe->bufs[o_head & o_mask];
1729 * Get a reference to this pipe buffer,
1730 * so we can copy the contents over.
1732 if (!pipe_buf_get(ipipe, ibuf)) {
1741 * Don't inherit the gift and merge flag, we need to prevent
1742 * multiple steals of this page.
1744 obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
1745 obuf->flags &= ~PIPE_BUF_FLAG_CAN_MERGE;
1747 if (obuf->len > len)
1753 opipe->head = o_head;
1761 * If we put data in the output pipe, wakeup any potential readers.
1764 wakeup_pipe_readers(opipe);
1770 * This is a tee(1) implementation that works on pipes. It doesn't copy
1771 * any data, it simply references the 'in' pages on the 'out' pipe.
1772 * The 'flags' used are the SPLICE_F_* variants, currently the only
1773 * applicable one is SPLICE_F_NONBLOCK.
1775 long do_tee(struct file *in, struct file *out, size_t len, unsigned int flags)
1777 struct pipe_inode_info *ipipe = get_pipe_info(in, true);
1778 struct pipe_inode_info *opipe = get_pipe_info(out, true);
1781 if (unlikely(!(in->f_mode & FMODE_READ) ||
1782 !(out->f_mode & FMODE_WRITE)))
1786 * Duplicate the contents of ipipe to opipe without actually
1789 if (ipipe && opipe && ipipe != opipe) {
1790 if ((in->f_flags | out->f_flags) & O_NONBLOCK)
1791 flags |= SPLICE_F_NONBLOCK;
1794 * Keep going, unless we encounter an error. The ipipe/opipe
1795 * ordering doesn't really matter.
1797 ret = ipipe_prep(ipipe, flags);
1799 ret = opipe_prep(opipe, flags);
1801 ret = link_pipe(ipipe, opipe, len, flags);
1808 SYSCALL_DEFINE4(tee, int, fdin, int, fdout, size_t, len, unsigned int, flags)
1813 if (unlikely(flags & ~SPLICE_F_ALL))
1824 error = do_tee(in.file, out.file, len, flags);