[PATCH] freevxfs: Fix kernel memory exposure with inline files

The memcpy() will unconditionally copy PAGE_SIZE bytes, which far exceeds
the length of the array (96 bytes) that it's copying from.  You can't
see the results using read() because it'll be limited by i_size (which
is less than 96 bytes), but if you mmap the file, you can load the bytes
from the page which are beyond i_size.  We need to zero the tail of the
page before marking it uptodate.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") # actually v2.4.4.4
Signed-off-by: Matthew Wilcox (Oracle) <willy@xxxxxxxxxxxxx>
---
 fs/freevxfs/vxfs_immed.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/fs/freevxfs/vxfs_immed.c b/fs/freevxfs/vxfs_immed.c
index 9b49ec36e667..c49612a24c18 100644
--- a/fs/freevxfs/vxfs_immed.c
+++ b/fs/freevxfs/vxfs_immed.c
@@ -30,15 +30,12 @@
  */
 static int vxfs_immed_read_folio(struct file *fp, struct folio *folio)
 {
-	struct vxfs_inode_info *vip = VXFS_INO(folio->mapping->host);
-	void *src = vip->vii_immed.vi_immed + folio_pos(folio);
-	unsigned long i;
-
-	for (i = 0; i < folio_nr_pages(folio); i++) {
-		memcpy_to_page(folio_page(folio, i), 0, src, PAGE_SIZE);
-		src += PAGE_SIZE;
-	}
+	struct inode *inode = folio->mapping->host;
+	struct vxfs_inode_info *vip = VXFS_INO(inode);
+	loff_t isize = i_size_read(inode);
 
+	memcpy_to_file_folio(folio, 0, vip->vii_immed.vi_immed, isize);
+	folio_zero_segment(folio, isize, folio_size(folio));
 	folio_mark_uptodate(folio);
 	folio_unlock(folio);
 
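Review bot: the new memcpy_to_file_folio() call takes its length from `isize` rather than from the inline array, so the copy is now bounded by i_size alone; if a corrupted or crafted image can carry an i_size larger than the 96-byte `vi_immed` array the commit message describes, this is an over-read in the other direction, and either clamping the length to `sizeof(vip->vii_immed.vi_immed)` or a comment pointing at where i_size is validated at inode load would make the bound explicit. Separately, dropping `folio_pos(folio)` in favour of a literal 0 assumes the whole inline file lands in the first folio; that holds for a sub-96-byte file, but a one-line comment above the call stating that invariant would help later readers of `vxfs_immed_read_folio()`.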
-- 
2.39.1
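To make the exposure the commit message describes concrete, here is an added userspace model of the bug and of the fixed fill pattern. It is not kernel code and not part of this patch: `struct model_inode`, `fill_page_buggy()`, `fill_page_fixed()` and `leaked_bytes()` are constructed names, the 96-byte inline array size is taken from the commit message, and the "neighbour" field stands in for whatever kernel memory follows the inline array. The check counts how many non-zero bytes past i_size an mmap() reader would see after each fill.

```c
/* Added illustration of the freevxfs inline-file page fill (model, not kernel code). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE   4096
#define VXFS_NIMMED 96   /* size of the inline-data array, per the commit message */

/* Constructed stand-in for the in-memory inode: the inline array is followed
 * by other data, so a PAGE_SIZE memcpy starting at vi_immed reads those
 * neighbours into the page cache instead of stopping at the file's end. */
struct model_inode {
    uint8_t vi_immed[VXFS_NIMMED];
    uint8_t neighbour[PAGE_SIZE - VXFS_NIMMED]; /* simulates unrelated kernel memory */
    size_t  i_size;
};

/* Old behaviour: copy a whole page regardless of i_size. The copy starts at
 * the struct (vi_immed is its first member) so the over-read stays inside
 * one object and the model itself is well defined. */
static void fill_page_buggy(uint8_t *page, const struct model_inode *ip)
{
    memcpy(page, ip, PAGE_SIZE);
}

/* Fixed behaviour, as in the patch: copy exactly i_size bytes, then zero the
 * tail of the page before it would be marked uptodate. The clamp against the
 * array size is an extra guard this model adds for a corrupt i_size. */
static void fill_page_fixed(uint8_t *page, const struct model_inode *ip)
{
    size_t n = ip->i_size < VXFS_NIMMED ? ip->i_size : VXFS_NIMMED;
    memcpy(page, ip->vi_immed, n);
    memset(page + n, 0, PAGE_SIZE - n);
}

/* What an mmap() reader could see: count non-zero bytes beyond i_size. */
static size_t leaked_bytes(const uint8_t *page, size_t isize)
{
    size_t leaked = 0;
    for (size_t i = isize; i < PAGE_SIZE; i++)
        if (page[i] != 0)
            leaked++;
    return leaked;
}

/* Constructed sample: a 17-byte file, stale bytes after it inside the inline
 * array, and a distinct pattern in the neighbouring memory. */
static void build_sample(struct model_inode *ip)
{
    memset(ip, 0, sizeof *ip);
    memcpy(ip->vi_immed, "hello inline file", 17);
    ip->i_size = 17;
    memset(ip->vi_immed + 17, 0x55, VXFS_NIMMED - 17);
    memset(ip->neighbour, 0xAA, sizeof ip->neighbour);
}

size_t run_buggy(void)
{
    struct model_inode ip;
    uint8_t page[PAGE_SIZE];
    build_sample(&ip);
    fill_page_buggy(page, &ip);
    return leaked_bytes(page, ip.i_size);   /* 79 stale array bytes + 4000 neighbour bytes */
}

size_t run_fixed(void)
{
    struct model_inode ip;
    uint8_t page[PAGE_SIZE];
    build_sample(&ip);
    fill_page_fixed(page, &ip);
    return leaked_bytes(page, ip.i_size);   /* tail zeroed: nothing beyond i_size */
}

int main(void)
{
    printf("bytes exposed past i_size, old fill: %zu\n", run_buggy());
    printf("bytes exposed past i_size, new fill: %zu\n", run_fixed());
    return 0;
}
```

The model reproduces the commit message's point that read() hides the problem (it stops at i_size) while a page-granular reader does not: with the old fill every byte from offset 17 to the end of the page is non-zero, with the fixed fill none is.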



