The memcpy() will unconditionally copy PAGE_SIZE bytes, which far exceeds the length of the array (96 bytes) that it's copying from. You can't see the results using read() because it'll be limited by i_size (which is less than 96 bytes), but if you mmap the file, you can load the bytes from the page which are beyond i_size. We need to zero the tail of the page before marking it uptodate.
Cc: stable@vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") # actually v2.4.4.4
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
---
 fs/freevxfs/vxfs_immed.c | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/fs/freevxfs/vxfs_immed.c b/fs/freevxfs/vxfs_immed.c index 9b49ec36e667..c49612a24c18 100644 --- a/fs/freevxfs/vxfs_immed.c +++ b/fs/freevxfs/vxfs_immed.c @@ -30,15 +30,12 @@ */ static int vxfs_immed_read_folio(struct file *fp, struct folio *folio) { - struct vxfs_inode_info *vip = VXFS_INO(folio->mapping->host); - void *src = vip->vii_immed.vi_immed + folio_pos(folio); - unsigned long i; - - for (i = 0; i < folio_nr_pages(folio); i++) { - memcpy_to_page(folio_page(folio, i), 0, src, PAGE_SIZE); - src += PAGE_SIZE; - } + struct inode *inode = folio->mapping->host; + struct vxfs_inode_info *vip = VXFS_INO(inode); + loff_t isize = i_size_read(inode);
+ memcpy_to_file_folio(folio, 0, vip->vii_immed.vi_immed, isize); + folio_zero_segment(folio, isize, folio_size(folio)); folio_mark_uptodate(folio); folio_unlock(folio);
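Review bot: isize comes straight from i_size_read(inode) and is passed unclamped as the copy length to memcpy_to_file_folio(), so an on-disk inode whose i_size is larger than the vi_immed array (96 bytes per the description) would make the copy read past the array again, just from the other direction than the bug being fixed. If vi_immed is the fixed-size array the description refers to, clamping with something like `min_t(loff_t, isize, sizeof(vip->vii_immed.vi_immed))` here, or rejecting such inodes when they are read in, would close that gap; the ignored return value of memcpy_to_file_folio() could also be checked against isize. A one-line comment that the hard-coded position 0 relies on immediate files never spanning more than a single folio (the old loop over folio_nr_pages() is gone) would help the next reader.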