It is possible for the len argument to afs_write_end() to overrun the end of the page (len is used to key the size of the page in afs_write_start() when compound pages become a regular thing). Fix afs_write_end() to correctly trim the write length so that it doesn't exceed the end of the page. Fixes: 3003bbd0697b ("afs: Use the netfs_write_begin() helper") Reported-by: Jeff Layton <jlayton@xxxxxxxxxx> Signed-off-by: David Howells <dhowells@xxxxxxxxxx> Acked-by: Jeff Layton <jlayton@xxxxxxxxxx> cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx> cc: Matthew Wilcox <willy@xxxxxxxxxxxxx> cc: linux-afs@xxxxxxxxxxxxxxxxxxx Link: https://lore.kernel.org/r/162367682522.460125.5652091227576721609.stgit@xxxxxxxxxxxxxxxxxxxxxx/ # v1 --- fs/afs/write.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/afs/write.c b/fs/afs/write.c index c09830c9dc43..e1cb19cb6314 100644 --- a/fs/afs/write.c +++ b/fs/afs/write.c @@ -119,6 +119,7 @@ int afs_write_end(struct file *file, struct address_space *mapping, _enter("{%llx:%llu},{%lx}", vnode->fid.vid, vnode->fid.vnode, page->index); + len = min_t(size_t, len, thp_size(page) - from); if (!PageUptodate(page)) { if (copied < len) { copied = 0;