--- fs/splice.c.orig	2008-02-13 00:33:26.000000000 +1100
+++ fs/splice.c	2008-02-13 01:13:46.000000000 +1100
@@ -1123,8 +1123,18 @@ static int get_iovec_page_array(const st
 		int i;
 
 		/*
+		 * Make sure that the iovec is in accessible space.
+		 */
+
+		if (unlikely(!access_ok(VERIFY_READ, iov, (sizeof *iov)))) {
+			error = -EFAULT;
+			break;
+		}
+
+		/*
 		 * Get user address base and length for this iovec.
 		 */
+
 		error = get_user(base, &iov->iov_base);
 		if (unlikely(error))
 			break;
@@ -1138,7 +1148,7 @@ static int get_iovec_page_array(const st
 		if (unlikely(!len))
 			break;
 		error = -EFAULT;
-		if (unlikely(!base))
+		if (!access_ok(VERIFY_READ, base, len))
 			break;
 
 		/*
@@ -1241,6 +1251,14 @@ static long do_vmsplice(struct file *fil
 		.ops = &user_page_pipe_buf_ops,
 	};
 
+	/*
+	 * Make sure that the iovec is in accessible space.
+	 */
+
+	if (unlikely(!access_ok(VERIFY_READ, iov, (sizeof *iov)))) {
+		return -EFAULT;
+	}
+
 	if (unlikely(!pipe))
 		return -EBADF;
 	if (unlikely(nr_segs > UIO_MAXIOV))