Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

pipe: fix incorrect caching of pipe state over pipe_wait()

Similarly to commit 8f868d68d335 ("pipe: Fix missing mask update after
pipe_wait()") this fixes a case where the pipe rewrite ended up caching
the pipe state incorrectly over a pipe lock drop event.

It wasn't quite as obvious, because you needed to splice data from a
pipe to a file, which is a fairly unusual operation, but it's completely
wrong.

Make sure we load the pipe head/tail/size information only after we've
waited for there to be data in the pipe.

While in that file, also make one of the splice helper functions use the
canonical argument order for pipe_empty(). That's syntactic - pipe
emptiness is just that head and tail are equal, and thus mixing up head
and tail doesn't really matter. It's still wrong, though.

Reported-by: David Sterba <dsterba@suse.cz>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

+6 -4
fs/splice.c
··· 495 495 unsigned int mask = pipe->ring_size - 1; 496 496 int ret; 497 497 498 - while (!pipe_empty(tail, head)) { 498 + while (!pipe_empty(head, tail)) { 499 499 struct pipe_buffer *buf = &pipe->bufs[tail & mask]; 500 500 501 501 sd->len = buf->len; ··· 711 711 splice_from_pipe_begin(&sd); 712 712 while (sd.total_len) { 713 713 struct iov_iter from; 714 - unsigned int head = pipe->head; 715 - unsigned int tail = pipe->tail; 716 - unsigned int mask = pipe->ring_size - 1; 714 + unsigned int head, tail, mask; 717 715 size_t left; 718 716 int n; 719 717 ··· 729 731 break; 730 732 } 731 733 } 734 + 735 + head = pipe->head; 736 + tail = pipe->tail; 737 + mask = pipe->ring_size - 1; 732 738 733 739 /* build the vector */ 734 740 left = sd.total_len;
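Review bot: the pipe_empty(head, tail) argument-order correction at line 498 of the first hunk is unrelated to the stale-state fix in the later hunks, and the commit message itself says the swap does not affect the result. I would split it into its own commit so the functional fix can be backported and bisected on its own.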
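Review bot: in the second hunk, line 714 now declares `unsigned int head, tail, mask;` without initializers, so all three are indeterminate until the assignments added at lines 735-737. The lines between 719 and 729 are not shown in this diff; please confirm nothing in that elided stretch reads head, tail or mask before they are assigned.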
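Review bot: the loads added at lines 735-737 in the third hunk have no comment explaining why they sit here rather than at the declarations. Since the bug was exactly that they were read before the wait, a one-line comment above `head = pipe->head;` saying that pipe state must be sampled only after the wait, because the pipe lock can be dropped there, would keep a later cleanup from hoisting them back up.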