[PATCH v2 01/10] VFS generic copy_file_range() support

[Olga Kornievskaia <olga.kornievskaia@gmail.com>]

Relax the condition that input files must be from the same
file systems.

Add checks that input parameters adhere semantics.

If no copy_file_range() support is found, then do generic
checks for the unsupported page cache ranges, LFS, limits,
and clear setuid/setgid if not running as root before calling
do_splice_direct(). Update atime,ctime,mtime afterwards.

Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
---
 fs/read_write.c    | 66 ++++++++++++++++++++++++++++++++++++++++++------------
 include/linux/fs.h |  7 ++++++
 mm/filemap.c       |  6 ++---
 3 files changed, 61 insertions(+), 18 deletions(-)

diff --git a/fs/read_write.c b/fs/read_write.c
index 7b9e59d..2d309b0 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -1540,6 +1540,44 @@ static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
 }
 #endif
 
+ssize_t generic_copy_file_range(struct file *file_in, loff_t pos_in,
+				struct file *file_out, loff_t pos_out,
+				loff_t len, unsigned int flags)
+{
+	ssize_t ret;
+	loff_t size_in = i_size_read(file_inode(file_in)), count;
+
+	/* preform generic checks for unsupported page cache ranges, LFS
+	 * limits. If pos exceeds the limit, returns EFBIG
+	 */
+	count = min(len, size_in - pos_in);
+	ret = generic_access_check_limits(file_in, pos_in, &count);
+	if (ret)
+		goto done;
+	ret = generic_write_check_limits(file_out, pos_out, &count);
+	if (ret)
+		goto done;
+	/* If not running as root, clear setuid/setgid bits. This keeps
+	 * people from modifying setuid and setgid binaries.
+	 */
+	if (!IS_NOSEC(file_inode(file_out))) {
+		ret = file_remove_privs(file_out);
+		if (ret)
+			goto done;
+	}
+
+	ret = do_splice_direct(file_in, &pos_in, file_out, &pos_out,
+			count > MAX_RW_COUNT ? MAX_RW_COUNT : count, 0);
+
+	file_accessed(file_in);
+	if (!(file_out->f_mode & FMODE_NOCMTIME))
+		file_update_time(file_out);
+
+done:
+	return ret;
+}
+EXPORT_SYMBOL(generic_copy_file_range);
+
 /*
  * copy_file_range() differs from regular file read and write in that it
  * specifically allows return partial success.  When it does so is up to
@@ -1552,6 +1590,7 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
 	struct inode *inode_in = file_inode(file_in);
 	struct inode *inode_out = file_inode(file_out);
 	ssize_t ret;
+	loff_t size_in;
 
 	if (flags != 0)
 		return -EINVAL;
@@ -1577,6 +1616,15 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
 	if (len == 0)
 		return 0;
 
+	/* Ensure offsets don't wrap. */
+	if (pos_in + len < pos_in || pos_out + len < pos_out)
+		return -EINVAL;
+
+	size_in = i_size_read(inode_in);
+	/* Ensure that source range is within EOF. */
+	if (pos_in >= size_in || pos_in + len > size_in)
+		return -EINVAL;
+
 	file_start_write(file_out);
 
 	/*
@@ -1597,22 +1645,12 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
 		}
 	}
 
-	if (file_out->f_op->copy_file_range) {
+	if (file_out->f_op->copy_file_range)
 		ret = file_out->f_op->copy_file_range(file_in, pos_in, file_out,
 						      pos_out, len, flags);
-		if (ret != -EOPNOTSUPP)
-			goto done;
-	}
-
-	/* this could be relaxed once generic cross fs support is added */
-	if (inode_in->i_sb != inode_out->i_sb) {
-		ret = -EXDEV;
-		goto done;
-	}
-
-	ret = do_splice_direct(file_in, &pos_in, file_out, &pos_out,
-			len > MAX_RW_COUNT ? MAX_RW_COUNT : len, 0);
-
+	else
+		ret = generic_copy_file_range(file_in, pos_in, file_out,
+					      pos_out, len, flags);
 done:
 	if (ret > 0) {
 		fsnotify_access(file_in);
diff --git a/include/linux/fs.h b/include/linux/fs.h
index c95c080..c88ad09 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1874,6 +1874,9 @@ extern ssize_t vfs_readv(struct file *, const struct iovec __user *,
 		unsigned long, loff_t *, rwf_t);
 extern ssize_t vfs_copy_file_range(struct file *, loff_t , struct file *,
 				   loff_t, size_t, unsigned int);
+extern ssize_t generic_copy_file_range(struct file *file_int, loff_t pos_in,
+				       struct file *file_out, loff_t pos_out,
+				       loff_t len, unsigned int flags);
 extern int generic_remap_file_range_prep(struct file *file_in, loff_t pos_in,
 					 struct file *file_out, loff_t pos_out,
 					 loff_t *count,
@@ -3016,6 +3019,10 @@ static inline void remove_inode_hash(struct inode *inode)
 extern int generic_file_mmap(struct file *, struct vm_area_struct *);
 extern int generic_file_readonly_mmap(struct file *, struct vm_area_struct *);
 extern ssize_t generic_write_checks(struct kiocb *, struct iov_iter *);
+extern int generic_access_check_limits(struct file *file, loff_t pos,
+				       loff_t *count);
+extern int generic_write_check_limits(struct file *file, loff_t pos,
+				      loff_t *count);
 extern int generic_remap_checks(struct file *file_in, loff_t pos_in,
 				struct file *file_out, loff_t pos_out,
 				loff_t *count, unsigned int remap_flags);
diff --git a/mm/filemap.c b/mm/filemap.c
index 81adec8..894f3ae 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2829,8 +2829,7 @@ struct page *read_cache_page_gfp(struct address_space *mapping,
  * LFS limits.  If pos is under the limit it becomes a short access.  If it
  * exceeds the limit we return -EFBIG.
  */
-static int generic_access_check_limits(struct file *file, loff_t pos,
-				       loff_t *count)
+int generic_access_check_limits(struct file *file, loff_t pos, loff_t *count)
 {
 	struct inode *inode = file->f_mapping->host;
 	loff_t max_size = inode->i_sb->s_maxbytes;
@@ -2844,8 +2843,7 @@ static int generic_access_check_limits(struct file *file, loff_t pos,
 	return 0;
 }
 
-static int generic_write_check_limits(struct file *file, loff_t pos,
-				      loff_t *count)
+int generic_write_check_limits(struct file *file, loff_t pos, loff_t *count)
 {
 	loff_t limit = rlimit(RLIMIT_FSIZE);
 
-- 
1.8.3.1