fuse: Block access to folio overlimit

syz reported a slab-out-of-bounds Write in fuse_dev_do_write.

When the number of bytes to be retrieved is truncated to the upper limit
by fc->max_pages and there is an offset, the oob is triggered.

Add a loop termination condition to prevent overruns.

Fixes: 3568a95 ("fuse: support large folios for retrieves")
Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=2d215d165f9354b9c4ea
Tested-by: [email protected]
Signed-off-by: Edward Adam Davis <[email protected]>
Reviewed-by: Joanne Koong <[email protected]>
Signed-off-by: Miklos Szeredi <[email protected]>

Author: ea1davis

fs/fuse/dev.c

@@ -1893,7 +1893,7 @@ static int fuse_retrieve(struct fuse_mount *fm, struct inode *inode,
 
 	index = outarg->offset >> PAGE_SHIFT;
 
-	while (num) {
+	while (num && ap->num_folios < num_pages) {
 		struct folio *folio;
 		unsigned int folio_offset;
 		unsigned int nr_bytes;