iomap: Fix overflow in iomap_page_mkwrite
authorAndreas Gruenbacher <agruenba@redhat.com>
Thu, 7 Nov 2019 15:28:18 +0000 (07:28 -0800)
committerStefan Bader <stefan.bader@canonical.com>
Mon, 9 Nov 2020 13:47:20 +0000 (14:47 +0100)
BugLink: https://bugs.launchpad.net/bugs/1900624
[ Upstream commit add66fcbd3fbe5aa0dd4dddfa23e119c12989a27 ]

On architectures where loff_t is wider than pgoff_t, the expression
((page->index + 1) << PAGE_SHIFT) can overflow.  Rewrite to use the page
offset, which we already compute here anyway.

Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Ian May <ian.may@canonical.com>
fs/iomap/buffered-io.c

index e25901ae3ff447712ec6d5635bb7d9ddfd180d3e..a30ea7ecb790a242ebf1ce221c5fb5fe19682df0 100644 (file)
@@ -1040,20 +1040,19 @@ vm_fault_t iomap_page_mkwrite(struct vm_fault *vmf, const struct iomap_ops *ops)
 
        lock_page(page);
        size = i_size_read(inode);
-       if ((page->mapping != inode->i_mapping) ||
-           (page_offset(page) > size)) {
+       offset = page_offset(page);
+       if (page->mapping != inode->i_mapping || offset > size) {
                /* We overload EFAULT to mean page got truncated */
                ret = -EFAULT;
                goto out_unlock;
        }
 
        /* page is wholly or partially inside EOF */
-       if (((page->index + 1) << PAGE_SHIFT) > size)
+       if (offset > size - PAGE_SIZE)
                length = offset_in_page(size);
        else
                length = PAGE_SIZE;
 
-       offset = page_offset(page);
        while (length > 0) {
                ret = iomap_apply(inode, offset, length,
                                IOMAP_WRITE | IOMAP_FAULT, ops, page,
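Review bot: The new test `if (offset > size - PAGE_SIZE)` can itself wrap when the file is shorter than one page. The declarations are outside the hunk, but if `size` is a signed 64-bit loff_t and PAGE_SIZE is an unsigned long, as is usual in the kernel, then on 64-bit builds the subtraction is done in unsigned arithmetic and yields a huge value for `size < PAGE_SIZE`. The comparison is then false and the branch picks `length = PAGE_SIZE` instead of `offset_in_page(size)`, so the range passed to iomap_apply() would extend past EOF. The preceding truncation check already guarantees `offset <= size` here, so `if (size - offset < PAGE_SIZE)` states the same condition with no operand that can go negative or overflow. The body of iomap_page_mkwrite starts and ends outside this hunk, so the types should be confirmed against the full function.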