diff --git a/[refs] b/[refs]
index fe1a5df6b707..49fee6de9d45 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: f9a3879abf2f1a27c39915e6074b8ff15a24cb55
+refs/heads/master: 143f412eb4c7cc48b9eb4381f9133b7d36c68075
diff --git a/trunk/fs/nfs/direct.c b/trunk/fs/nfs/direct.c
index 04ab2fc360e7..4e9b3a1b36c5 100644
--- a/trunk/fs/nfs/direct.c
+++ b/trunk/fs/nfs/direct.c
@@ -57,6 +57,7 @@
 #define NFSDBG_FACILITY		NFSDBG_VFS
 #define MAX_DIRECTIO_SIZE	(4096UL << PAGE_SHIFT)
 
+static void nfs_free_user_pages(struct page **pages, int npages, int do_dirty);
 static kmem_cache_t *nfs_direct_cachep;
 
 /*
@@ -107,6 +108,15 @@ nfs_get_user_pages(int rw, unsigned long user_addr, size_t size,
 					page_count, (rw == READ), 0,
 					*pages, NULL);
 		up_read(&current->mm->mmap_sem);
+		/*
+		 * If we got fewer pages than expected from get_user_pages(),
+		 * the user buffer runs off the end of a mapping; return EFAULT.
+		 */
+		if (result >= 0 && result < page_count) {
+			nfs_free_user_pages(*pages, result, 0);
+			*pages = NULL;
+			result = -EFAULT;
+		}
 	}
 	return result;
 }