It is possible for the len argument to afs_write_end() to overrun the end of the page (len is used to key the size of the page in afs_write_start() when compound pages become a regular thing). Fix afs_write_end() to correctly trim the write length so that it doesn't exceed the end of the page. Fixes: 3003bbd0697b ("afs: Use the netfs_write_begin() helper") Reported-by: Jeff Layton <jlayton@xxxxxxxxxx> Signed-off-by: David Howells <dhowells@xxxxxxxxxx> Acked-by: Jeff Layton <jlayton@xxxxxxxxxx> cc: Marc Dionne <marc.dionne@xxxxxxxxxxxx> cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx> cc: Matthew Wilcox <willy@xxxxxxxxxxxxx> cc: linux-afs@xxxxxxxxxxxxxxxxxxx Link: https://lore.kernel.org/r/162367682522.460125.5652091227576721609.stgit@xxxxxxxxxxxxxxxxxxxxxx/ # v1 Link: https://lore.kernel.org/r/163819660464.215744.4576104569408497052.stgit@xxxxxxxxxxxxxxxxxxxxxx/ # v1 --- fs/afs/write.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/afs/write.c b/fs/afs/write.c index 8e4e87d66855..9db3ddb1c45b 100644 --- a/fs/afs/write.c +++ b/fs/afs/write.c @@ -120,6 +120,7 @@ int afs_write_end(struct file *file, struct address_space *mapping, _enter("{%llx:%llu},{%lx}", vnode->fid.vid, vnode->fid.vnode, folio_index(folio)); + len = min_t(size_t, len, folio_size(folio) - from); if (!folio_test_uptodate(folio)) { if (copied < len) { copied = 0;