Revert "pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic"
* This commit was pulled during the CAF merge, but it breaks RIL for us
This reverts commit 91ec8cc248
.
This commit is contained in:
parent
95bf835906
commit
fc6e011da2
57
fs/pipe.c
57
fs/pipe.c
|
@ -110,27 +110,25 @@ void pipe_wait(struct pipe_inode_info *pipe)
|
|||
}
|
||||
|
||||
static int
|
||||
pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov,
|
||||
size_t *remaining, int atomic)
|
||||
pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
|
||||
int atomic)
|
||||
{
|
||||
unsigned long copy;
|
||||
|
||||
while (*remaining > 0) {
|
||||
while (len > 0) {
|
||||
while (!iov->iov_len)
|
||||
iov++;
|
||||
copy = min_t(unsigned long, *remaining, iov->iov_len);
|
||||
copy = min_t(unsigned long, len, iov->iov_len);
|
||||
|
||||
if (atomic) {
|
||||
if (__copy_from_user_inatomic(addr + *offset,
|
||||
iov->iov_base, copy))
|
||||
if (__copy_from_user_inatomic(to, iov->iov_base, copy))
|
||||
return -EFAULT;
|
||||
} else {
|
||||
if (copy_from_user(addr + *offset,
|
||||
iov->iov_base, copy))
|
||||
if (copy_from_user(to, iov->iov_base, copy))
|
||||
return -EFAULT;
|
||||
}
|
||||
*offset += copy;
|
||||
*remaining -= copy;
|
||||
to += copy;
|
||||
len -= copy;
|
||||
iov->iov_base += copy;
|
||||
iov->iov_len -= copy;
|
||||
}
|
||||
|
@ -138,27 +136,25 @@ pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov,
|
|||
}
|
||||
|
||||
static int
|
||||
pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset,
|
||||
size_t *remaining, int atomic)
|
||||
pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
|
||||
int atomic)
|
||||
{
|
||||
unsigned long copy;
|
||||
|
||||
while (*remaining > 0) {
|
||||
while (len > 0) {
|
||||
while (!iov->iov_len)
|
||||
iov++;
|
||||
copy = min_t(unsigned long, *remaining, iov->iov_len);
|
||||
copy = min_t(unsigned long, len, iov->iov_len);
|
||||
|
||||
if (atomic) {
|
||||
if (__copy_to_user_inatomic(iov->iov_base,
|
||||
addr + *offset, copy))
|
||||
if (__copy_to_user_inatomic(iov->iov_base, from, copy))
|
||||
return -EFAULT;
|
||||
} else {
|
||||
if (copy_to_user(iov->iov_base,
|
||||
addr + *offset, copy))
|
||||
if (copy_to_user(iov->iov_base, from, copy))
|
||||
return -EFAULT;
|
||||
}
|
||||
*offset += copy;
|
||||
*remaining -= copy;
|
||||
from += copy;
|
||||
len -= copy;
|
||||
iov->iov_base += copy;
|
||||
iov->iov_len -= copy;
|
||||
}
|
||||
|
@ -394,7 +390,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
|
|||
struct pipe_buffer *buf = pipe->bufs + curbuf;
|
||||
const struct pipe_buf_operations *ops = buf->ops;
|
||||
void *addr;
|
||||
size_t chars = buf->len, remaining;
|
||||
size_t chars = buf->len;
|
||||
int error, atomic;
|
||||
int offset;
|
||||
|
||||
|
@ -409,12 +405,10 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
|
|||
}
|
||||
|
||||
atomic = !iov_fault_in_pages_write(iov, chars);
|
||||
remaining = chars;
|
||||
offset = buf->offset;
|
||||
|
||||
redo:
|
||||
addr = ops->map(pipe, buf, atomic);
|
||||
error = pipe_iov_copy_to_user(iov, addr, &offset,
|
||||
&remaining, atomic);
|
||||
error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic);
|
||||
ops->unmap(pipe, buf, addr);
|
||||
if (unlikely(error)) {
|
||||
/*
|
||||
|
@ -429,6 +423,7 @@ redo:
|
|||
break;
|
||||
}
|
||||
ret += chars;
|
||||
buf->offset += chars;
|
||||
buf->len -= chars;
|
||||
|
||||
/* Was it a packet buffer? Clean up and exit */
|
||||
|
@ -535,7 +530,6 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
|
|||
if (ops->can_merge && offset + chars <= PAGE_SIZE) {
|
||||
int error, atomic = 1;
|
||||
void *addr;
|
||||
size_t remaining = chars;
|
||||
|
||||
error = ops->confirm(pipe, buf);
|
||||
if (error)
|
||||
|
@ -544,8 +538,8 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
|
|||
iov_fault_in_pages_read(iov, chars);
|
||||
redo1:
|
||||
addr = ops->map(pipe, buf, atomic);
|
||||
error = pipe_iov_copy_from_user(addr, &offset, iov,
|
||||
&remaining, atomic);
|
||||
error = pipe_iov_copy_from_user(offset + addr, iov,
|
||||
chars, atomic);
|
||||
ops->unmap(pipe, buf, addr);
|
||||
ret = error;
|
||||
do_wakeup = 1;
|
||||
|
@ -580,8 +574,6 @@ redo1:
|
|||
struct page *page = pipe->tmp_page;
|
||||
char *src;
|
||||
int error, atomic = 1;
|
||||
int offset = 0;
|
||||
size_t remaining;
|
||||
|
||||
if (!page) {
|
||||
page = alloc_page(GFP_HIGHUSER);
|
||||
|
@ -602,15 +594,14 @@ redo1:
|
|||
chars = total_len;
|
||||
|
||||
iov_fault_in_pages_read(iov, chars);
|
||||
remaining = chars;
|
||||
redo2:
|
||||
if (atomic)
|
||||
src = kmap_atomic(page);
|
||||
else
|
||||
src = kmap(page);
|
||||
|
||||
error = pipe_iov_copy_from_user(src, &offset, iov,
|
||||
&remaining, atomic);
|
||||
error = pipe_iov_copy_from_user(src, iov, chars,
|
||||
atomic);
|
||||
if (atomic)
|
||||
kunmap_atomic(src);
|
||||
else
|
||||
|
|
Loading…
Reference in New Issue