leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

vfs: fix vmplice_to_user()

Browse Source 
Commit 6130f5315e "switch vmsplice_to_user() to copy_page_to_iter()" in
v3.15-rc1 broke vmsplice(2).

This patch fixes two bugs:

 - count is not initialized to a proper value, which resulted in no data
   being copied

 - if rw_copy_check_uvector() returns negative then the iov might be leaked.

Tested OK.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
Miklos Szeredi 2014-05-27 16:41:16 +02:00 committed by Al Viro
parent c7208164e6
commit b6dd6f4738
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
fs/splice.c
View File

@ -1537,7 +1537,7 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *uiov,
struct iovec iovstack[UIO_FASTIOV]; struct iovec iovstack[UIO_FASTIOV];
struct iovec *iov = iovstack; struct iovec *iov = iovstack;
struct iov_iter iter; struct iov_iter iter;
ssize_t count = 0; ssize_t count;
pipe = get_pipe_info(file); pipe = get_pipe_info(file);
if (!pipe) if (!pipe)
@ -1546,8 +1546,9 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *uiov,
ret = rw_copy_check_uvector(READ, uiov, nr_segs, ret = rw_copy_check_uvector(READ, uiov, nr_segs,
ARRAY_SIZE(iovstack), iovstack, &iov); ARRAY_SIZE(iovstack), iovstack, &iov);
if (ret <= 0) if (ret <= 0)
return ret; goto out;
count = ret;
iov_iter_init(&iter, iov, nr_segs, count, 0); iov_iter_init(&iter, iov, nr_segs, count, 0);
sd.len = 0; sd.len = 0;
@ -1560,6 +1561,7 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *uiov,
ret = __splice_from_pipe(pipe, &sd, pipe_to_user); ret = __splice_from_pipe(pipe, &sd, pipe_to_user);
pipe_unlock(pipe); pipe_unlock(pipe);
out:
if (iov != iovstack) if (iov != iovstack)
kfree(iov); kfree(iov);