missing bits of "splice: fix racy pipe->buffers uses" that commit has fixed only the parts of that mess in fs/splice.c itself; there had been more in several other ->splice_read() instances... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit: a786c06d9f2719203c00b3d97b21f9a96980d0b5 [log] [tgz]
author: Al Viro <viro@zeniv.linux.org.uk> Fri Apr 11 12:01:03 2014 -0400
committer: Al Viro <viro@zeniv.linux.org.uk> Sat Apr 12 07:04:19 2014 -0400
tree: 29a5e2ea710084cc115ec496e667658704ab72c2
parent: 19dfc1f5f2ef03a52aa30c8257c5745edef23f55 [diff] [blame]
diff --git a/kernel/relay.c b/kernel/relay.c
index 98833f6..7d38607 100644
--- a/kernel/relay.c
+++ b/kernel/relay.c

@@ -1251,7 +1251,7 @@
 	subbuf_pages = rbuf->chan->alloc_size >> PAGE_SHIFT;
 	pidx = (read_start / PAGE_SIZE) % subbuf_pages;
 	poff = read_start & ~PAGE_MASK;
-	nr_pages = min_t(unsigned int, subbuf_pages, pipe->buffers);
+	nr_pages = min_t(unsigned int, subbuf_pages, spd.nr_pages_max);
 
 	for (total_len = 0; spd.nr_pages < nr_pages; spd.nr_pages++) {
 		unsigned int this_len, this_end, private;
commit	a786c06d9f2719203c00b3d97b21f9a96980d0b5	[log] [tgz]
author	Al Viro <viro@zeniv.linux.org.uk>	Fri Apr 11 12:01:03 2014 -0400
committer	Al Viro <viro@zeniv.linux.org.uk>	Sat Apr 12 07:04:19 2014 -0400
tree	29a5e2ea710084cc115ec496e667658704ab72c2
parent	19dfc1f5f2ef03a52aa30c8257c5745edef23f55 [diff] [blame]