splice: fix leak of pages on short splice to pipe

If the destination pipe is full and we already transferred
data, we break out instead of waiting for more pipe room.
The exit logic looks at spd->nr_pages to see if we moved
everything inside the spd container, but we decrement that
variable in the loop to decide when spd has emptied.

Instead we want to compare to the original page count in
the spd, so cache that in a local variable.

Signed-off-by: Jens Axboe <jens.axboe@oracle.com>

diff --git a/fs/splice.c b/fs/splice.c
index 12d247f6ece5aa540b45a9d19d8f757028add613..186fad463c4379280dcfbbd2c5422f5188f46c69 100644 (file)
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -176,6 +176,7 @@ static const struct pipe_buf_operations user_page_pipe_buf_ops = {
 static ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
                              struct splice_pipe_desc *spd)
 {
+       unsigned int spd_pages = spd->nr_pages;
        int ret, do_wakeup, page_nr;
 
        ret = 0;
@@ -254,7 +255,7 @@ static ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
                kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
        }
 
-       while (page_nr < spd->nr_pages)
+       while (page_nr < spd_pages)
                page_cache_release(spd->pages[page_nr++]);
 
        return ret;