Commit b6dd6f47 authored by Miklos Szeredi's avatar Miklos Szeredi Committed by Al Viro

vfs: fix vmplice_to_user()

Commit 6130f531 "switch vmsplice_to_user() to copy_page_to_iter()" in
v3.15-rc1 broke vmsplice(2).

This patch fixes two bugs:

 - count is not initialized to a proper value, which resulted in no data
   being copied

 - if rw_copy_check_uvector() returns negative then the iov might be leaked.

Tested OK.
Signed-off-by: default avatarMiklos Szeredi <mszeredi@suse.cz>
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent c7208164
...@@ -1537,7 +1537,7 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *uiov, ...@@ -1537,7 +1537,7 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *uiov,
struct iovec iovstack[UIO_FASTIOV]; struct iovec iovstack[UIO_FASTIOV];
struct iovec *iov = iovstack; struct iovec *iov = iovstack;
struct iov_iter iter; struct iov_iter iter;
ssize_t count = 0; ssize_t count;
pipe = get_pipe_info(file); pipe = get_pipe_info(file);
if (!pipe) if (!pipe)
...@@ -1546,8 +1546,9 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *uiov, ...@@ -1546,8 +1546,9 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *uiov,
ret = rw_copy_check_uvector(READ, uiov, nr_segs, ret = rw_copy_check_uvector(READ, uiov, nr_segs,
ARRAY_SIZE(iovstack), iovstack, &iov); ARRAY_SIZE(iovstack), iovstack, &iov);
if (ret <= 0) if (ret <= 0)
return ret; goto out;
count = ret;
iov_iter_init(&iter, iov, nr_segs, count, 0); iov_iter_init(&iter, iov, nr_segs, count, 0);
sd.len = 0; sd.len = 0;
...@@ -1560,6 +1561,7 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *uiov, ...@@ -1560,6 +1561,7 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *uiov,
ret = __splice_from_pipe(pipe, &sd, pipe_to_user); ret = __splice_from_pipe(pipe, &sd, pipe_to_user);
pipe_unlock(pipe); pipe_unlock(pipe);
out:
if (iov != iovstack) if (iov != iovstack)
kfree(iov); kfree(iov);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment