splice: fix infinite loop in generic_file_splice_read()

[linux-2.6-omap-h63xx.git] / fs / splice.c
diff --git a/fs/splice.c b/fs/splice.c

index 1577a7391d23fa47cd74fb5089278dba81daee55..eeb1a86a701467fcc90882f803ff7b39585003fc 100644 (file)
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -320,7 +320,7 @@ __generic_file_splice_read(struct file *in, loff_t *ppos,
                                 break;
  
                         error = add_to_page_cache_lru(page, mapping, index,
-                                             GFP_KERNEL);
+                                               mapping_gfp_mask(mapping));
                         if (unlikely(error)) {
                                 page_cache_release(page);
                                 if (error == -EEXIST)
@@ -370,8 +370,10 @@ __generic_file_splice_read(struct file *in, loff_t *ppos,
                          * for an in-flight io page
                          */
                         if (flags & SPLICE_F_NONBLOCK) {
-                               if (TestSetPageLocked(page))
+                               if (TestSetPageLocked(page)) {
+                                       error = -EAGAIN;
                                         break;
+                               }
                         } else
                                 lock_page(page);
  
@@ -479,9 +481,8 @@ ssize_t generic_file_splice_read(struct file *in, loff_t *ppos,
                                  struct pipe_inode_info *pipe, size_t len,
                                  unsigned int flags)
  {
-       ssize_t spliced;
-       int ret;
         loff_t isize, left;
+       int ret;
  
         isize = i_size_read(in->f_mapping->host);
         if (unlikely(*ppos >= isize))
@@ -491,29 +492,9 @@ ssize_t generic_file_splice_read(struct file *in, loff_t *ppos,
         if (unlikely(left < len))
                 len = left;
  
-       ret = 0;
-       spliced = 0;
-       while (len && !spliced) {
-               ret = __generic_file_splice_read(in, ppos, pipe, len, flags);
-
-               if (ret < 0)
-                       break;
-               else if (!ret) {
-                       if (spliced)
-                               break;
-                       if (flags & SPLICE_F_NONBLOCK) {
-                               ret = -EAGAIN;
-                               break;
-                       }
-               }
-
+       ret = __generic_file_splice_read(in, ppos, pipe, len, flags);
+       if (ret > 0)
                 *ppos += ret;
-               len -= ret;
-               spliced += ret;
-       }
-
-       if (spliced)
-               return spliced;
  
         return ret;
  }
@@ -1033,9 +1014,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
  
  done:
         pipe->nrbufs = pipe->curbuf = 0;
-       if (bytes > 0)
-               file_accessed(in);
-
+       file_accessed(in);
         return bytes;
  
  out_release:
@@ -1181,6 +1160,9 @@ static int copy_from_user_mmap_sem(void *dst, const void __user *src, size_t n)
  {
         int partial;
  
+       if (!access_ok(VERIFY_READ, src, n))
+               return -EFAULT;
+
         pagefault_disable();
         partial = __copy_from_user_inatomic(dst, src, n);
         pagefault_enable();
@@ -1233,7 +1215,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
                 if (unlikely(!len))
                         break;
                 error = -EFAULT;
-               if (unlikely(!base))
+               if (!access_ok(VERIFY_READ, base, len))
                         break;
  
                 /*
@@ -1389,6 +1371,11 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *iov,
                         break;
                 }
  
+               if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+                       error = -EFAULT;
+                       break;
+               }
+
                 sd.len = 0;
                 sd.total_len = len;
                 sd.flags = flags;
@@ -1663,6 +1650,13 @@ static int link_pipe(struct pipe_inode_info *ipipe,
                 i++;
         } while (len);
  
+       /*
+        * return EAGAIN if we have the potential of some data in the
+        * future, otherwise just return 0
+        */
+       if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
+               ret = -EAGAIN;
+
         inode_double_unlock(ipipe->inode, opipe->inode);
  
         /*
@@ -1703,11 +1697,8 @@ static long do_tee(struct file *in, struct file *out, size_t len,
                 ret = link_ipipe_prep(ipipe, flags);
                 if (!ret) {
                         ret = link_opipe_prep(opipe, flags);
-                       if (!ret) {
+                       if (!ret)
                                 ret = link_pipe(ipipe, opipe, len, flags);
-                               if (!ret && (flags & SPLICE_F_NONBLOCK))
-                                       ret = -EAGAIN;
-                       }
                 }
         }