In prepend_name(), the *buflen < dlen + 1 comparison is buggy because dlen has an unsigned data type, and we can reach this location with *buflen == -1.
The fix casts dlen to int. Bug reports: https://bugzilla.redhat.com/show_bug.cgi?id=1050964 https://bugzilla.redhat.com/show_bug.cgi?id=1060384 Signed-off-by: Denys Vlasenko <[email protected]> Cc: Al Viro <[email protected]> Cc: Oleg Nesterov <[email protected]> Cc: Jan Kratochvil <[email protected]> Cc: Amerigo Wang <[email protected]> Cc: "Jonathan M. Foote" <[email protected]> Cc: Roland McGrath <[email protected]> Cc: Pedro Alves <[email protected]> Cc: Fengguang Wu <[email protected]> Cc: Stephen Rothwell <[email protected]> --- fs/dcache.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/dcache.c b/fs/dcache.c index 265e0ce..40ded0c 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -2833,7 +2833,7 @@ static int prepend_name(char **buffer, int *buflen, struct qstr *name) u32 dlen = ACCESS_ONCE(name->len); char *p; - if (*buflen < dlen + 1) + if (*buflen < (int)dlen + 1) return -ENAMETOOLONG; *buflen -= dlen + 1; p = *buffer -= dlen + 1; -- 1.8.1.4
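Review bot: The new condition `if (*buflen < (int)dlen + 1)` is only correct while dlen fits in an int. dlen is a u32 read with ACCESS_ONCE, and for a value above INT_MAX the expression `(int)dlen + 1` becomes zero or negative, so a negative *buflen can still pass the check and the following `*buflen -= dlen + 1;` and `p = *buffer -= dlen + 1;` would step the pointer back past the start of the buffer. Checking the sign explicitly and comparing without the `+ 1`, for example `if (*buflen < 0 || (u32)*buflen <= dlen)`, avoids relying on the cast and on `dlen + 1` not wrapping. A one-line comment above the check saying that callers can arrive here with *buflen == -1 would also keep the signedness requirement from being lost in a later cleanup, since nothing in the hunk itself explains why the cast is there.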

