Commit 00de00bd authored by Jens Axboe's avatar Jens Axboe

splice: fix leak of pages on short splice to pipe

If the destination pipe is full and we already transferred
data, we break out instead of waiting for more pipe room.
The exit logic looks at spd->nr_pages to see if we moved
everything inside the spd container, but we decrement that
variable in the loop to decide when spd has emptied.

Instead we want to compare to the original page count in
the spd, so cache that in a local variable.
Signed-off-by: default avatarJens Axboe <jens.axboe@oracle.com>
parent 17ee4f49
...@@ -176,6 +176,7 @@ static const struct pipe_buf_operations user_page_pipe_buf_ops = { ...@@ -176,6 +176,7 @@ static const struct pipe_buf_operations user_page_pipe_buf_ops = {
static ssize_t splice_to_pipe(struct pipe_inode_info *pipe, static ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
struct splice_pipe_desc *spd) struct splice_pipe_desc *spd)
{ {
unsigned int spd_pages = spd->nr_pages;
int ret, do_wakeup, page_nr; int ret, do_wakeup, page_nr;
ret = 0; ret = 0;
...@@ -254,7 +255,7 @@ static ssize_t splice_to_pipe(struct pipe_inode_info *pipe, ...@@ -254,7 +255,7 @@ static ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN); kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
} }
while (page_nr < spd->nr_pages) while (page_nr < spd_pages)
page_cache_release(spd->pages[page_nr++]); page_cache_release(spd->pages[page_nr++]);
return ret; return ret;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment