[PATCH] splice: fix bugs in pipe_to_file()
Found by Oleg Nesterov <oleg@tv-sign.ru>, fixed by me.

- Only allow full pages to go to the page cache.
- Check page != buf->page instead of using PIPE_BUF_FLAG_STOLEN.
- Remember to clear 'stolen' if add_to_page_cache() fails.

And as a cleanup on that:

- Make the bottom fall-through logic a little less convoluted.

Also make the steal path hold an extra reference to the page, so we don't have to differentiate between stolen and non-stolen at the end.

Signed-off-by: Jens Axboe <axboe@suse.de>
@@ -99,8 +99,6 @@ static void anon_pipe_buf_release(struct pipe_inode_info *pipe,
|
||||
{
|
||||
struct page *page = buf->page;
|
||||
|
||||
buf->flags &= ~PIPE_BUF_FLAG_STOLEN;
|
||||
|
||||
/*
|
||||
* If nobody else uses this page, and we don't already have a
|
||||
* temporary page, let's keep track of it as a one-deep
|
||||
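Review bot: With the PIPE_BUF_FLAG_STOLEN clear at the top of anon_pipe_buf_release() apparently going away (the header counts drop from 8 lines to 6, and that statement plus a blank line are the only candidates), please confirm that nothing still reads the flag. A leftover test of buf->flags & PIPE_BUF_FLAG_STOLEN elsewhere would keep compiling and silently never fire. If the flag has no remaining users after this patch, drop its definition in the same change so the dead name cannot be picked up again. It would also help to say in the comment below how release now treats a page that was stolen, since the message says the distinction is no longer made at the end.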
@@ -130,7 +128,6 @@ static int anon_pipe_buf_steal(struct pipe_inode_info *pipe,
|
||||
struct page *page = buf->page;
|
||||
|
||||
if (page_count(page) == 1) {
|
||||
buf->flags |= PIPE_BUF_FLAG_STOLEN;
|
||||
lock_page(page);
|
||||
return 0;
|
||||
}
|
||||
|
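Review bot: The commit message says the steal path now holds an extra reference to the page, but this hunk in anon_pipe_buf_steal() nets one line fewer (7 to 6) and shows no reference being taken next to lock_page(page), so the reference must be acquired somewhere that is not visible here. Please add a short comment above the page_count(page) == 1 branch stating the contract after this change: a return of 0 means the page is locked and handed to the caller, and which side takes and later drops the extra reference. With the buf->flags |= PIPE_BUF_FLAG_STOLEN marker gone, the return value is the only signal of a successful steal, so the ownership rule should be written down where the steal happens.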