2 * "splice": joining two ropes together by interweaving their strands.
4 * This is the "extended pipe" functionality, where a pipe is used as
5 * an arbitrary in-memory buffer. Think of a pipe as a small kernel
6 * buffer that you can use to transfer data from one end to the other.
8 * The traditional unix read/write is extended with a "splice()" operation
9 * that transfers data buffers to or from a pipe buffer.
11 * Named by Larry McVoy, original implementation from Linus, extended by
12 * Jens to support splicing to files, network, direct splicing, etc and
13 * fixing lots of bugs.
15 * Copyright (C) 2005-2006 Jens Axboe <axboe@kernel.dk>
16 * Copyright (C) 2005-2006 Linus Torvalds <torvalds@osdl.org>
17 * Copyright (C) 2006 Ingo Molnar <mingo@elte.hu>
21 #include <linux/file.h>
22 #include <linux/pagemap.h>
23 #include <linux/splice.h>
24 #include <linux/memcontrol.h>
25 #include <linux/mm_inline.h>
26 #include <linux/swap.h>
27 #include <linux/writeback.h>
28 #include <linux/export.h>
29 #include <linux/syscalls.h>
30 #include <linux/uio.h>
31 #include <linux/security.h>
32 #include <linux/gfp.h>
33 #include <linux/socket.h>
34 #include <linux/compat.h>
38 * Attempt to steal a page from a pipe buffer. This should perhaps go into
39 * a vm helper function, it's already simplified quite a bit by the
40 * addition of remove_mapping(). If success is returned, the caller may
41 * attempt to reuse this page for another destination.
43 static int page_cache_pipe_buf_steal(struct pipe_inode_info *pipe,
44 struct pipe_buffer *buf)
46 struct page *page = buf->page;
47 struct address_space *mapping;
51 mapping = page_mapping(page);
53 WARN_ON(!PageUptodate(page));
56 * At least for ext2 with nobh option, we need to wait on
57 * writeback completing on this page, since we'll remove it
58 * from the pagecache. Otherwise truncate wont wait on the
59 * page, allowing the disk blocks to be reused by someone else
60 * before we actually wrote our data to them. fs corruption
63 wait_on_page_writeback(page);
65 if (page_has_private(page) &&
66 !try_to_release_page(page, GFP_KERNEL))
70 * If we succeeded in removing the mapping, set LRU flag
73 if (remove_mapping(mapping, page)) {
74 buf->flags |= PIPE_BUF_FLAG_LRU;
80 * Raced with truncate or failed to remove page from current
81 * address space, unlock and return failure.
88 static void page_cache_pipe_buf_release(struct pipe_inode_info *pipe,
89 struct pipe_buffer *buf)
92 buf->flags &= ~PIPE_BUF_FLAG_LRU;
96 * Check whether the contents of buf is OK to access. Since the content
97 * is a page cache page, IO may be in flight.
99 static int page_cache_pipe_buf_confirm(struct pipe_inode_info *pipe,
100 struct pipe_buffer *buf)
102 struct page *page = buf->page;
105 if (!PageUptodate(page)) {
109 * Page got truncated/unhashed. This will cause a 0-byte
110 * splice, if this is the first page.
112 if (!page->mapping) {
118 * Uh oh, read-error from disk.
120 if (!PageUptodate(page)) {
126 * Page is ok afterall, we are done.
137 const struct pipe_buf_operations page_cache_pipe_buf_ops = {
139 .confirm = page_cache_pipe_buf_confirm,
140 .release = page_cache_pipe_buf_release,
141 .steal = page_cache_pipe_buf_steal,
142 .get = generic_pipe_buf_get,
145 static int user_page_pipe_buf_steal(struct pipe_inode_info *pipe,
146 struct pipe_buffer *buf)
148 if (!(buf->flags & PIPE_BUF_FLAG_GIFT))
151 buf->flags |= PIPE_BUF_FLAG_LRU;
152 return generic_pipe_buf_steal(pipe, buf);
155 static const struct pipe_buf_operations user_page_pipe_buf_ops = {
157 .confirm = generic_pipe_buf_confirm,
158 .release = page_cache_pipe_buf_release,
159 .steal = user_page_pipe_buf_steal,
160 .get = generic_pipe_buf_get,
163 static void wakeup_pipe_readers(struct pipe_inode_info *pipe)
166 if (waitqueue_active(&pipe->wait))
167 wake_up_interruptible(&pipe->wait);
168 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
172 * splice_to_pipe - fill passed data into a pipe
173 * @pipe: pipe to fill
177 * @spd contains a map of pages and len/offset tuples, along with
178 * the struct pipe_buf_operations associated with these pages. This
179 * function will link that data to the pipe.
182 ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
183 struct splice_pipe_desc *spd)
185 unsigned int spd_pages = spd->nr_pages;
186 int ret = 0, page_nr = 0;
191 if (unlikely(!pipe->readers)) {
192 send_sig(SIGPIPE, current, 0);
197 while (pipe->nrbufs < pipe->buffers) {
198 int newbuf = (pipe->curbuf + pipe->nrbufs) & (pipe->buffers - 1);
199 struct pipe_buffer *buf = pipe->bufs + newbuf;
201 buf->page = spd->pages[page_nr];
202 buf->offset = spd->partial[page_nr].offset;
203 buf->len = spd->partial[page_nr].len;
204 buf->private = spd->partial[page_nr].private;
211 if (!--spd->nr_pages)
219 while (page_nr < spd_pages)
220 spd->spd_release(spd, page_nr++);
224 EXPORT_SYMBOL_GPL(splice_to_pipe);
226 ssize_t add_to_pipe(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
230 if (unlikely(!pipe->readers)) {
231 send_sig(SIGPIPE, current, 0);
233 } else if (pipe->nrbufs == pipe->buffers) {
236 int newbuf = (pipe->curbuf + pipe->nrbufs) & (pipe->buffers - 1);
237 pipe->bufs[newbuf] = *buf;
241 buf->ops->release(pipe, buf);
245 EXPORT_SYMBOL(add_to_pipe);
247 void spd_release_page(struct splice_pipe_desc *spd, unsigned int i)
249 put_page(spd->pages[i]);
253 * Check if we need to grow the arrays holding pages and partial page
256 int splice_grow_spd(const struct pipe_inode_info *pipe, struct splice_pipe_desc *spd)
258 unsigned int buffers = ACCESS_ONCE(pipe->buffers);
260 spd->nr_pages_max = buffers;
261 if (buffers <= PIPE_DEF_BUFFERS)
264 spd->pages = kmalloc(buffers * sizeof(struct page *), GFP_KERNEL);
265 spd->partial = kmalloc(buffers * sizeof(struct partial_page), GFP_KERNEL);
267 if (spd->pages && spd->partial)
275 void splice_shrink_spd(struct splice_pipe_desc *spd)
277 if (spd->nr_pages_max <= PIPE_DEF_BUFFERS)
285 * generic_file_splice_read - splice data from file to a pipe
286 * @in: file to splice from
287 * @ppos: position in @in
288 * @pipe: pipe to splice to
289 * @len: number of bytes to splice
290 * @flags: splice modifier flags
293 * Will read pages from given file and fill them into a pipe. Can be
294 * used as long as it has more or less sane ->read_iter().
297 ssize_t generic_file_splice_read(struct file *in, loff_t *ppos,
298 struct pipe_inode_info *pipe, size_t len,
306 isize = i_size_read(in->f_mapping->host);
307 if (unlikely(*ppos >= isize))
310 iov_iter_pipe(&to, ITER_PIPE | READ, pipe, len);
312 init_sync_kiocb(&kiocb, in);
313 kiocb.ki_pos = *ppos;
314 ret = in->f_op->read_iter(&kiocb, &to);
316 *ppos = kiocb.ki_pos;
318 } else if (ret < 0) {
319 if (WARN_ON(to.idx != idx || to.iov_offset)) {
321 * a bogus ->read_iter() has copied something and still
322 * returned an error instead of a short read.
326 iov_iter_advance(&to, 0); /* to free what was emitted */
329 * callers of ->splice_read() expect -EAGAIN on
330 * "can't put anything in there", rather than -EFAULT.
338 EXPORT_SYMBOL(generic_file_splice_read);
340 const struct pipe_buf_operations default_pipe_buf_ops = {
342 .confirm = generic_pipe_buf_confirm,
343 .release = generic_pipe_buf_release,
344 .steal = generic_pipe_buf_steal,
345 .get = generic_pipe_buf_get,
348 static int generic_pipe_buf_nosteal(struct pipe_inode_info *pipe,
349 struct pipe_buffer *buf)
354 /* Pipe buffer operations for a socket and similar. */
355 const struct pipe_buf_operations nosteal_pipe_buf_ops = {
357 .confirm = generic_pipe_buf_confirm,
358 .release = generic_pipe_buf_release,
359 .steal = generic_pipe_buf_nosteal,
360 .get = generic_pipe_buf_get,
362 EXPORT_SYMBOL(nosteal_pipe_buf_ops);
364 static ssize_t kernel_readv(struct file *file, const struct iovec *vec,
365 unsigned long vlen, loff_t offset)
373 /* The cast to a user pointer is valid due to the set_fs() */
374 res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos, 0);
380 ssize_t kernel_write(struct file *file, const char *buf, size_t count,
388 /* The cast to a user pointer is valid due to the set_fs() */
389 res = vfs_write(file, (__force const char __user *)buf, count, &pos);
394 EXPORT_SYMBOL(kernel_write);
396 static ssize_t default_file_splice_read(struct file *in, loff_t *ppos,
397 struct pipe_inode_info *pipe, size_t len,
400 unsigned int nr_pages;
401 unsigned int nr_freed;
403 struct page *pages[PIPE_DEF_BUFFERS];
404 struct partial_page partial[PIPE_DEF_BUFFERS];
405 struct iovec *vec, __vec[PIPE_DEF_BUFFERS];
410 struct splice_pipe_desc spd = {
413 .nr_pages_max = PIPE_DEF_BUFFERS,
415 .ops = &default_pipe_buf_ops,
416 .spd_release = spd_release_page,
419 if (splice_grow_spd(pipe, &spd))
424 if (spd.nr_pages_max > PIPE_DEF_BUFFERS) {
425 vec = kmalloc(spd.nr_pages_max * sizeof(struct iovec), GFP_KERNEL);
430 offset = *ppos & ~PAGE_MASK;
431 nr_pages = (len + offset + PAGE_SIZE - 1) >> PAGE_SHIFT;
433 for (i = 0; i < nr_pages && i < spd.nr_pages_max && len; i++) {
436 page = alloc_page(GFP_USER);
441 this_len = min_t(size_t, len, PAGE_SIZE - offset);
442 vec[i].iov_base = (void __user *) page_address(page);
443 vec[i].iov_len = this_len;
450 res = kernel_readv(in, vec, spd.nr_pages, *ppos);
461 for (i = 0; i < spd.nr_pages; i++) {
462 this_len = min_t(size_t, vec[i].iov_len, res);
463 spd.partial[i].offset = 0;
464 spd.partial[i].len = this_len;
466 __free_page(spd.pages[i]);
472 spd.nr_pages -= nr_freed;
474 res = splice_to_pipe(pipe, &spd);
481 splice_shrink_spd(&spd);
485 for (i = 0; i < spd.nr_pages; i++)
486 __free_page(spd.pages[i]);
493 * Send 'sd->len' bytes to socket from 'sd->file' at position 'sd->pos'
494 * using sendpage(). Return the number of bytes sent.
496 static int pipe_to_sendpage(struct pipe_inode_info *pipe,
497 struct pipe_buffer *buf, struct splice_desc *sd)
499 struct file *file = sd->u.file;
500 loff_t pos = sd->pos;
503 if (!likely(file->f_op->sendpage))
506 more = (sd->flags & SPLICE_F_MORE) ? MSG_MORE : 0;
508 if (sd->len < sd->total_len && pipe->nrbufs > 1)
509 more |= MSG_SENDPAGE_NOTLAST;
511 return file->f_op->sendpage(file, buf->page, buf->offset,
512 sd->len, &pos, more);
515 static void wakeup_pipe_writers(struct pipe_inode_info *pipe)
518 if (waitqueue_active(&pipe->wait))
519 wake_up_interruptible(&pipe->wait);
520 kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
524 * splice_from_pipe_feed - feed available data from a pipe to a file
525 * @pipe: pipe to splice from
526 * @sd: information to @actor
527 * @actor: handler that splices the data
530 * This function loops over the pipe and calls @actor to do the
531 * actual moving of a single struct pipe_buffer to the desired
532 * destination. It returns when there's no more buffers left in
533 * the pipe or if the requested number of bytes (@sd->total_len)
534 * have been copied. It returns a positive number (one) if the
535 * pipe needs to be filled with more data, zero if the required
536 * number of bytes have been copied and -errno on error.
538 * This, together with splice_from_pipe_{begin,end,next}, may be
539 * used to implement the functionality of __splice_from_pipe() when
540 * locking is required around copying the pipe buffers to the
543 static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_desc *sd,
548 while (pipe->nrbufs) {
549 struct pipe_buffer *buf = pipe->bufs + pipe->curbuf;
550 const struct pipe_buf_operations *ops = buf->ops;
553 if (sd->len > sd->total_len)
554 sd->len = sd->total_len;
556 ret = buf->ops->confirm(pipe, buf);
563 ret = actor(pipe, buf, sd);
570 sd->num_spliced += ret;
573 sd->total_len -= ret;
577 ops->release(pipe, buf);
578 pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
581 sd->need_wakeup = true;
592 * splice_from_pipe_next - wait for some data to splice from
593 * @pipe: pipe to splice from
594 * @sd: information about the splice operation
597 * This function will wait for some data and return a positive
598 * value (one) if pipe buffers are available. It will return zero
599 * or -errno if no more data needs to be spliced.
601 static int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
604 * Check for signal early to make process killable when there are
605 * always buffers available
607 if (signal_pending(current))
610 while (!pipe->nrbufs) {
614 if (!pipe->waiting_writers && sd->num_spliced)
617 if (sd->flags & SPLICE_F_NONBLOCK)
620 if (signal_pending(current))
623 if (sd->need_wakeup) {
624 wakeup_pipe_writers(pipe);
625 sd->need_wakeup = false;
635 * splice_from_pipe_begin - start splicing from pipe
636 * @sd: information about the splice operation
639 * This function should be called before a loop containing
640 * splice_from_pipe_next() and splice_from_pipe_feed() to
641 * initialize the necessary fields of @sd.
643 static void splice_from_pipe_begin(struct splice_desc *sd)
646 sd->need_wakeup = false;
650 * splice_from_pipe_end - finish splicing from pipe
651 * @pipe: pipe to splice from
652 * @sd: information about the splice operation
655 * This function will wake up pipe writers if necessary. It should
656 * be called after a loop containing splice_from_pipe_next() and
657 * splice_from_pipe_feed().
659 static void splice_from_pipe_end(struct pipe_inode_info *pipe, struct splice_desc *sd)
662 wakeup_pipe_writers(pipe);
666 * __splice_from_pipe - splice data from a pipe to given actor
667 * @pipe: pipe to splice from
668 * @sd: information to @actor
669 * @actor: handler that splices the data
672 * This function does little more than loop over the pipe and call
673 * @actor to do the actual moving of a single struct pipe_buffer to
674 * the desired destination. See pipe_to_file, pipe_to_sendpage, or
678 ssize_t __splice_from_pipe(struct pipe_inode_info *pipe, struct splice_desc *sd,
683 splice_from_pipe_begin(sd);
686 ret = splice_from_pipe_next(pipe, sd);
688 ret = splice_from_pipe_feed(pipe, sd, actor);
690 splice_from_pipe_end(pipe, sd);
692 return sd->num_spliced ? sd->num_spliced : ret;
694 EXPORT_SYMBOL(__splice_from_pipe);
697 * splice_from_pipe - splice data from a pipe to a file
698 * @pipe: pipe to splice from
699 * @out: file to splice to
700 * @ppos: position in @out
701 * @len: how many bytes to splice
702 * @flags: splice modifier flags
703 * @actor: handler that splices the data
706 * See __splice_from_pipe. This function locks the pipe inode,
707 * otherwise it's identical to __splice_from_pipe().
710 ssize_t splice_from_pipe(struct pipe_inode_info *pipe, struct file *out,
711 loff_t *ppos, size_t len, unsigned int flags,
715 struct splice_desc sd = {
723 ret = __splice_from_pipe(pipe, &sd, actor);
730 * iter_file_splice_write - splice data from a pipe to a file
732 * @out: file to write to
733 * @ppos: position in @out
734 * @len: number of bytes to splice
735 * @flags: splice modifier flags
738 * Will either move or copy pages (determined by @flags options) from
739 * the given pipe inode to the given file.
740 * This one is ->write_iter-based.
744 iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
745 loff_t *ppos, size_t len, unsigned int flags)
747 struct splice_desc sd = {
753 int nbufs = pipe->buffers;
754 struct bio_vec *array = kcalloc(nbufs, sizeof(struct bio_vec),
758 if (unlikely(!array))
763 splice_from_pipe_begin(&sd);
764 while (sd.total_len) {
765 struct iov_iter from;
769 ret = splice_from_pipe_next(pipe, &sd);
773 if (unlikely(nbufs < pipe->buffers)) {
775 nbufs = pipe->buffers;
776 array = kcalloc(nbufs, sizeof(struct bio_vec),
784 /* build the vector */
786 for (n = 0, idx = pipe->curbuf; left && n < pipe->nrbufs; n++, idx++) {
787 struct pipe_buffer *buf = pipe->bufs + idx;
788 size_t this_len = buf->len;
793 if (idx == pipe->buffers - 1)
796 ret = buf->ops->confirm(pipe, buf);
803 array[n].bv_page = buf->page;
804 array[n].bv_len = this_len;
805 array[n].bv_offset = buf->offset;
809 iov_iter_bvec(&from, ITER_BVEC | WRITE, array, n,
810 sd.total_len - left);
811 ret = vfs_iter_write(out, &from, &sd.pos);
815 sd.num_spliced += ret;
819 /* dismiss the fully eaten buffers, adjust the partial one */
821 struct pipe_buffer *buf = pipe->bufs + pipe->curbuf;
822 if (ret >= buf->len) {
823 const struct pipe_buf_operations *ops = buf->ops;
827 ops->release(pipe, buf);
828 pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
831 sd.need_wakeup = true;
841 splice_from_pipe_end(pipe, &sd);
846 ret = sd.num_spliced;
851 EXPORT_SYMBOL(iter_file_splice_write);
853 static int write_pipe_buf(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
854 struct splice_desc *sd)
858 loff_t tmp = sd->pos;
860 data = kmap(buf->page);
861 ret = __kernel_write(sd->u.file, data + buf->offset, sd->len, &tmp);
867 static ssize_t default_file_splice_write(struct pipe_inode_info *pipe,
868 struct file *out, loff_t *ppos,
869 size_t len, unsigned int flags)
873 ret = splice_from_pipe(pipe, out, ppos, len, flags, write_pipe_buf);
881 * generic_splice_sendpage - splice data from a pipe to a socket
882 * @pipe: pipe to splice from
883 * @out: socket to write to
884 * @ppos: position in @out
885 * @len: number of bytes to splice
886 * @flags: splice modifier flags
889 * Will send @len bytes from the pipe to a network socket. No data copying
893 ssize_t generic_splice_sendpage(struct pipe_inode_info *pipe, struct file *out,
894 loff_t *ppos, size_t len, unsigned int flags)
896 return splice_from_pipe(pipe, out, ppos, len, flags, pipe_to_sendpage);
899 EXPORT_SYMBOL(generic_splice_sendpage);
902 * Attempt to initiate a splice from pipe to file.
904 static long do_splice_from(struct pipe_inode_info *pipe, struct file *out,
905 loff_t *ppos, size_t len, unsigned int flags)
907 ssize_t (*splice_write)(struct pipe_inode_info *, struct file *,
908 loff_t *, size_t, unsigned int);
910 if (out->f_op->splice_write)
911 splice_write = out->f_op->splice_write;
913 splice_write = default_file_splice_write;
915 return splice_write(pipe, out, ppos, len, flags);
919 * Attempt to initiate a splice from a file to a pipe.
921 static long do_splice_to(struct file *in, loff_t *ppos,
922 struct pipe_inode_info *pipe, size_t len,
925 ssize_t (*splice_read)(struct file *, loff_t *,
926 struct pipe_inode_info *, size_t, unsigned int);
929 if (unlikely(!(in->f_mode & FMODE_READ)))
932 ret = rw_verify_area(READ, in, ppos, len);
933 if (unlikely(ret < 0))
936 if (unlikely(len > MAX_RW_COUNT))
939 if (in->f_op->splice_read)
940 splice_read = in->f_op->splice_read;
942 splice_read = default_file_splice_read;
944 return splice_read(in, ppos, pipe, len, flags);
948 * splice_direct_to_actor - splices data directly between two non-pipes
949 * @in: file to splice from
950 * @sd: actor information on where to splice to
951 * @actor: handles the data splicing
954 * This is a special case helper to splice directly between two
955 * points, without requiring an explicit pipe. Internally an allocated
956 * pipe is cached in the process, and reused during the lifetime of
960 ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
961 splice_direct_actor *actor)
963 struct pipe_inode_info *pipe;
970 * We require the input being a regular file, as we don't want to
971 * randomly drop data for eg socket -> socket splicing. Use the
972 * piped splicing for that!
974 i_mode = file_inode(in)->i_mode;
975 if (unlikely(!S_ISREG(i_mode) && !S_ISBLK(i_mode)))
979 * neither in nor out is a pipe, setup an internal pipe attached to
980 * 'out' and transfer the wanted data from 'in' to 'out' through that
982 pipe = current->splice_pipe;
983 if (unlikely(!pipe)) {
984 pipe = alloc_pipe_info();
989 * We don't have an immediate reader, but we'll read the stuff
990 * out of the pipe right after the splice_to_pipe(). So set
991 * PIPE_READERS appropriately.
995 current->splice_pipe = pipe;
1003 len = sd->total_len;
1007 * Don't block on output, we have to drain the direct pipe.
1009 sd->flags &= ~SPLICE_F_NONBLOCK;
1010 more = sd->flags & SPLICE_F_MORE;
1014 loff_t pos = sd->pos, prev_pos = pos;
1016 ret = do_splice_to(in, &pos, pipe, len, flags);
1017 if (unlikely(ret <= 0))
1021 sd->total_len = read_len;
1024 * If more data is pending, set SPLICE_F_MORE
1025 * If this is the last data and SPLICE_F_MORE was not set
1026 * initially, clears it.
1029 sd->flags |= SPLICE_F_MORE;
1031 sd->flags &= ~SPLICE_F_MORE;
1033 * NOTE: nonblocking mode only applies to the input. We
1034 * must not do the output in nonblocking mode as then we
1035 * could get stuck data in the internal pipe:
1037 ret = actor(pipe, sd);
1038 if (unlikely(ret <= 0)) {
1047 if (ret < read_len) {
1048 sd->pos = prev_pos + ret;
1054 pipe->nrbufs = pipe->curbuf = 0;
1060 * If we did an incomplete transfer we must release
1061 * the pipe buffers in question:
1063 for (i = 0; i < pipe->buffers; i++) {
1064 struct pipe_buffer *buf = pipe->bufs + i;
1067 buf->ops->release(pipe, buf);
1077 EXPORT_SYMBOL(splice_direct_to_actor);
1079 static int direct_splice_actor(struct pipe_inode_info *pipe,
1080 struct splice_desc *sd)
1082 struct file *file = sd->u.file;
1084 return do_splice_from(pipe, file, sd->opos, sd->total_len,
1089 * do_splice_direct - splices data directly between two files
1090 * @in: file to splice from
1091 * @ppos: input file offset
1092 * @out: file to splice to
1093 * @opos: output file offset
1094 * @len: number of bytes to splice
1095 * @flags: splice modifier flags
1098 * For use by do_sendfile(). splice can easily emulate sendfile, but
1099 * doing it in the application would incur an extra system call
1100 * (splice in + splice out, as compared to just sendfile()). So this helper
1101 * can splice directly through a process-private pipe.
1104 long do_splice_direct(struct file *in, loff_t *ppos, struct file *out,
1105 loff_t *opos, size_t len, unsigned int flags)
1107 struct splice_desc sd = {
1117 if (unlikely(!(out->f_mode & FMODE_WRITE)))
1120 if (unlikely(out->f_flags & O_APPEND))
1123 ret = rw_verify_area(WRITE, out, opos, len);
1124 if (unlikely(ret < 0))
1127 ret = splice_direct_to_actor(in, &sd, direct_splice_actor);
1133 EXPORT_SYMBOL(do_splice_direct);
1135 static int wait_for_space(struct pipe_inode_info *pipe, unsigned flags)
1137 while (pipe->nrbufs == pipe->buffers) {
1138 if (flags & SPLICE_F_NONBLOCK)
1140 if (signal_pending(current))
1141 return -ERESTARTSYS;
1142 pipe->waiting_writers++;
1144 pipe->waiting_writers--;
1149 static int splice_pipe_to_pipe(struct pipe_inode_info *ipipe,
1150 struct pipe_inode_info *opipe,
1151 size_t len, unsigned int flags);
1154 * Determine where to splice to/from.
1156 static long do_splice(struct file *in, loff_t __user *off_in,
1157 struct file *out, loff_t __user *off_out,
1158 size_t len, unsigned int flags)
1160 struct pipe_inode_info *ipipe;
1161 struct pipe_inode_info *opipe;
1165 ipipe = get_pipe_info(in);
1166 opipe = get_pipe_info(out);
1168 if (ipipe && opipe) {
1169 if (off_in || off_out)
1172 if (!(in->f_mode & FMODE_READ))
1175 if (!(out->f_mode & FMODE_WRITE))
1178 /* Splicing to self would be fun, but... */
1182 return splice_pipe_to_pipe(ipipe, opipe, len, flags);
1189 if (!(out->f_mode & FMODE_PWRITE))
1191 if (copy_from_user(&offset, off_out, sizeof(loff_t)))
1194 offset = out->f_pos;
1197 if (unlikely(!(out->f_mode & FMODE_WRITE)))
1200 if (unlikely(out->f_flags & O_APPEND))
1203 ret = rw_verify_area(WRITE, out, &offset, len);
1204 if (unlikely(ret < 0))
1207 file_start_write(out);
1208 ret = do_splice_from(ipipe, out, &offset, len, flags);
1209 file_end_write(out);
1212 out->f_pos = offset;
1213 else if (copy_to_user(off_out, &offset, sizeof(loff_t)))
1223 if (!(in->f_mode & FMODE_PREAD))
1225 if (copy_from_user(&offset, off_in, sizeof(loff_t)))
1232 ret = wait_for_space(opipe, flags);
1234 ret = do_splice_to(in, &offset, opipe, len, flags);
1237 wakeup_pipe_readers(opipe);
1240 else if (copy_to_user(off_in, &offset, sizeof(loff_t)))
1249 static int iter_to_pipe(struct iov_iter *from,
1250 struct pipe_inode_info *pipe,
1253 struct pipe_buffer buf = {
1254 .ops = &user_page_pipe_buf_ops,
1259 bool failed = false;
1261 while (iov_iter_count(from) && !failed) {
1262 struct page *pages[16];
1267 copied = iov_iter_get_pages(from, pages, ~0UL, 16, &start);
1273 for (n = 0; copied; n++, start = 0) {
1274 int size = min_t(int, copied, PAGE_SIZE - start);
1276 buf.page = pages[n];
1279 ret = add_to_pipe(pipe, &buf);
1280 if (unlikely(ret < 0)) {
1283 iov_iter_advance(from, ret);
1292 return total ? total : ret;
1295 static int pipe_to_user(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
1296 struct splice_desc *sd)
1298 int n = copy_page_to_iter(buf->page, buf->offset, sd->len, sd->u.data);
1299 return n == sd->len ? n : -EFAULT;
1303 * For lack of a better implementation, implement vmsplice() to userspace
1304 * as a simple copy of the pipes pages to the user iov.
1306 static long vmsplice_to_user(struct file *file, const struct iovec __user *uiov,
1307 unsigned long nr_segs, unsigned int flags)
1309 struct pipe_inode_info *pipe;
1310 struct splice_desc sd;
1312 struct iovec iovstack[UIO_FASTIOV];
1313 struct iovec *iov = iovstack;
1314 struct iov_iter iter;
1316 pipe = get_pipe_info(file);
1320 ret = import_iovec(READ, uiov, nr_segs,
1321 ARRAY_SIZE(iovstack), &iov, &iter);
1325 sd.total_len = iov_iter_count(&iter);
1333 ret = __splice_from_pipe(pipe, &sd, pipe_to_user);
1342 * vmsplice splices a user address range into a pipe. It can be thought of
1343 * as splice-from-memory, where the regular splice is splice-from-file (or
1344 * to file). In both cases the output is a pipe, naturally.
1346 static long vmsplice_to_pipe(struct file *file, const struct iovec __user *uiov,
1347 unsigned long nr_segs, unsigned int flags)
1349 struct pipe_inode_info *pipe;
1350 struct iovec iovstack[UIO_FASTIOV];
1351 struct iovec *iov = iovstack;
1352 struct iov_iter from;
1354 unsigned buf_flag = 0;
1356 if (flags & SPLICE_F_GIFT)
1357 buf_flag = PIPE_BUF_FLAG_GIFT;
1359 pipe = get_pipe_info(file);
1363 ret = import_iovec(WRITE, uiov, nr_segs,
1364 ARRAY_SIZE(iovstack), &iov, &from);
1369 ret = wait_for_space(pipe, flags);
1371 ret = iter_to_pipe(&from, pipe, buf_flag);
1374 wakeup_pipe_readers(pipe);
1380 * Note that vmsplice only really supports true splicing _from_ user memory
1381 * to a pipe, not the other way around. Splicing from user memory is a simple
1382 * operation that can be supported without any funky alignment restrictions
1383 * or nasty vm tricks. We simply map in the user memory and fill them into
1384 * a pipe. The reverse isn't quite as easy, though. There are two possible
1385 * solutions for that:
1387 * - memcpy() the data internally, at which point we might as well just
1388 * do a regular read() on the buffer anyway.
1389 * - Lots of nasty vm tricks, that are neither fast nor flexible (it
1390 * has restriction limitations on both ends of the pipe).
1392 * Currently we punt and implement it as a normal copy, see pipe_to_user().
1395 SYSCALL_DEFINE4(vmsplice, int, fd, const struct iovec __user *, iov,
1396 unsigned long, nr_segs, unsigned int, flags)
1401 if (unlikely(nr_segs > UIO_MAXIOV))
1403 else if (unlikely(!nr_segs))
1409 if (f.file->f_mode & FMODE_WRITE)
1410 error = vmsplice_to_pipe(f.file, iov, nr_segs, flags);
1411 else if (f.file->f_mode & FMODE_READ)
1412 error = vmsplice_to_user(f.file, iov, nr_segs, flags);
1420 #ifdef CONFIG_COMPAT
1421 COMPAT_SYSCALL_DEFINE4(vmsplice, int, fd, const struct compat_iovec __user *, iov32,
1422 unsigned int, nr_segs, unsigned int, flags)
1425 struct iovec __user *iov;
1426 if (nr_segs > UIO_MAXIOV)
1428 iov = compat_alloc_user_space(nr_segs * sizeof(struct iovec));
1429 for (i = 0; i < nr_segs; i++) {
1430 struct compat_iovec v;
1431 if (get_user(v.iov_base, &iov32[i].iov_base) ||
1432 get_user(v.iov_len, &iov32[i].iov_len) ||
1433 put_user(compat_ptr(v.iov_base), &iov[i].iov_base) ||
1434 put_user(v.iov_len, &iov[i].iov_len))
1437 return sys_vmsplice(fd, iov, nr_segs, flags);
1441 SYSCALL_DEFINE6(splice, int, fd_in, loff_t __user *, off_in,
1442 int, fd_out, loff_t __user *, off_out,
1443 size_t, len, unsigned int, flags)
1454 if (in.file->f_mode & FMODE_READ) {
1455 out = fdget(fd_out);
1457 if (out.file->f_mode & FMODE_WRITE)
1458 error = do_splice(in.file, off_in,
1470 * Make sure there's data to read. Wait for input if we can, otherwise
1471 * return an appropriate error.
1473 static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
1478 * Check ->nrbufs without the inode lock first. This function
1479 * is speculative anyways, so missing one is ok.
1487 while (!pipe->nrbufs) {
1488 if (signal_pending(current)) {
1494 if (!pipe->waiting_writers) {
1495 if (flags & SPLICE_F_NONBLOCK) {
1508 * Make sure there's writeable room. Wait for room if we can, otherwise
1509 * return an appropriate error.
1511 static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
1516 * Check ->nrbufs without the inode lock first. This function
1517 * is speculative anyways, so missing one is ok.
1519 if (pipe->nrbufs < pipe->buffers)
1525 while (pipe->nrbufs >= pipe->buffers) {
1526 if (!pipe->readers) {
1527 send_sig(SIGPIPE, current, 0);
1531 if (flags & SPLICE_F_NONBLOCK) {
1535 if (signal_pending(current)) {
1539 pipe->waiting_writers++;
1541 pipe->waiting_writers--;
1549 * Splice contents of ipipe to opipe.
1551 static int splice_pipe_to_pipe(struct pipe_inode_info *ipipe,
1552 struct pipe_inode_info *opipe,
1553 size_t len, unsigned int flags)
1555 struct pipe_buffer *ibuf, *obuf;
1557 bool input_wakeup = false;
1561 ret = ipipe_prep(ipipe, flags);
1565 ret = opipe_prep(opipe, flags);
1570 * Potential ABBA deadlock, work around it by ordering lock
1571 * grabbing by pipe info address. Otherwise two different processes
1572 * could deadlock (one doing tee from A -> B, the other from B -> A).
1574 pipe_double_lock(ipipe, opipe);
1577 if (!opipe->readers) {
1578 send_sig(SIGPIPE, current, 0);
1584 if (!ipipe->nrbufs && !ipipe->writers)
1588 * Cannot make any progress, because either the input
1589 * pipe is empty or the output pipe is full.
1591 if (!ipipe->nrbufs || opipe->nrbufs >= opipe->buffers) {
1592 /* Already processed some buffers, break */
1596 if (flags & SPLICE_F_NONBLOCK) {
1602 * We raced with another reader/writer and haven't
1603 * managed to process any buffers. A zero return
1604 * value means EOF, so retry instead.
1611 ibuf = ipipe->bufs + ipipe->curbuf;
1612 nbuf = (opipe->curbuf + opipe->nrbufs) & (opipe->buffers - 1);
1613 obuf = opipe->bufs + nbuf;
1615 if (len >= ibuf->len) {
1617 * Simply move the whole buffer from ipipe to opipe
1622 ipipe->curbuf = (ipipe->curbuf + 1) & (ipipe->buffers - 1);
1624 input_wakeup = true;
1627 * Get a reference to this pipe buffer,
1628 * so we can copy the contents over.
1630 ibuf->ops->get(ipipe, ibuf);
1634 * Don't inherit the gift flag, we need to
1635 * prevent multiple steals of this page.
1637 obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
1641 ibuf->offset += obuf->len;
1642 ibuf->len -= obuf->len;
1652 * If we put data in the output pipe, wakeup any potential readers.
1655 wakeup_pipe_readers(opipe);
1658 wakeup_pipe_writers(ipipe);
1664 * Link contents of ipipe to opipe.
1666 static int link_pipe(struct pipe_inode_info *ipipe,
1667 struct pipe_inode_info *opipe,
1668 size_t len, unsigned int flags)
1670 struct pipe_buffer *ibuf, *obuf;
1671 int ret = 0, i = 0, nbuf;
1674 * Potential ABBA deadlock, work around it by ordering lock
1675 * grabbing by pipe info address. Otherwise two different processes
1676 * could deadlock (one doing tee from A -> B, the other from B -> A).
1678 pipe_double_lock(ipipe, opipe);
1681 if (!opipe->readers) {
1682 send_sig(SIGPIPE, current, 0);
1689 * If we have iterated all input buffers or ran out of
1690 * output room, break.
1692 if (i >= ipipe->nrbufs || opipe->nrbufs >= opipe->buffers)
1695 ibuf = ipipe->bufs + ((ipipe->curbuf + i) & (ipipe->buffers-1));
1696 nbuf = (opipe->curbuf + opipe->nrbufs) & (opipe->buffers - 1);
1699 * Get a reference to this pipe buffer,
1700 * so we can copy the contents over.
1702 ibuf->ops->get(ipipe, ibuf);
1704 obuf = opipe->bufs + nbuf;
1708 * Don't inherit the gift flag, we need to
1709 * prevent multiple steals of this page.
1711 obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
1713 if (obuf->len > len)
1723 * return EAGAIN if we have the potential of some data in the
1724 * future, otherwise just return 0
1726 if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
1733 * If we put data in the output pipe, wakeup any potential readers.
1736 wakeup_pipe_readers(opipe);
1742 * This is a tee(1) implementation that works on pipes. It doesn't copy
1743 * any data, it simply references the 'in' pages on the 'out' pipe.
1744 * The 'flags' used are the SPLICE_F_* variants, currently the only
1745 * applicable one is SPLICE_F_NONBLOCK.
1747 static long do_tee(struct file *in, struct file *out, size_t len,
1750 struct pipe_inode_info *ipipe = get_pipe_info(in);
1751 struct pipe_inode_info *opipe = get_pipe_info(out);
1755 * Duplicate the contents of ipipe to opipe without actually
1758 if (ipipe && opipe && ipipe != opipe) {
1760 * Keep going, unless we encounter an error. The ipipe/opipe
1761 * ordering doesn't really matter.
1763 ret = ipipe_prep(ipipe, flags);
1765 ret = opipe_prep(opipe, flags);
1767 ret = link_pipe(ipipe, opipe, len, flags);
1774 SYSCALL_DEFINE4(tee, int, fdin, int, fdout, size_t, len, unsigned int, flags)
1785 if (in.file->f_mode & FMODE_READ) {
1786 struct fd out = fdget(fdout);
1788 if (out.file->f_mode & FMODE_WRITE)
1789 error = do_tee(in.file, out.file,