In prepend_name(), *buflen < dlen + 1 comparison is buggy because dlen has unsigned data type, and we can reach this location with *buflen == -1.
The fix casts dlen to int. Bug reports: https://bugzilla.redhat.com/show_bug.cgi?id=1050964 https://bugzilla.redhat.com/show_bug.cgi?id=1060384 Signed-off-by: Denys Vlasenko <dvlas...@redhat.com> Cc: Al Viro <v...@zeniv.linux.org.uk> Cc: Oleg Nesterov <o...@redhat.com> Cc: Jan Kratochvil <jan.kratoch...@redhat.com> Cc: Amerigo Wang <amw...@redhat.com> Cc: "Jonathan M. Foote" <jmfo...@cert.org> Cc: Roland McGrath <rol...@hack.frob.com> Cc: Pedro Alves <pal...@redhat.com> Cc: Fengguang Wu <fengguang...@intel.com> Cc: Stephen Rothwell <s...@canb.auug.org.au> --- fs/dcache.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/dcache.c b/fs/dcache.c index 265e0ce..40ded0c 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -2833,7 +2833,7 @@ static int prepend_name(char **buffer, int *buflen, struct qstr *name) u32 dlen = ACCESS_ONCE(name->len); char *p; - if (*buflen < dlen + 1) + if (*buflen < (int)dlen + 1) return -ENAMETOOLONG; *buflen -= dlen + 1; p = *buffer -= dlen + 1; -- 1.8.1.4
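Review bot: The `(int)dlen` cast in `if (*buflen < (int)dlen + 1)` fixes the negative `*buflen` case but weakens the check for large lengths: a `u32 dlen` above INT_MAX converts to a negative value, so with a positive `*buflen` the test no longer returns -ENAMETOOLONG, whereas the old unsigned comparison did. Testing the sign explicitly keeps both cases covered, for example `if (*buflen < 0 || *buflen < dlen + 1)`, where the second comparison stays unsigned and is only reached with a non-negative `*buflen`. If `name->len` is guaranteed never to exceed INT_MAX, a short comment at the cast saying so would make the assumption visible. The two context lines after the check, `*buflen -= dlen + 1;` and `p = *buffer -= dlen + 1;`, still mix `int` and `u32` arithmetic and rely entirely on the check above them, so it is worth stating in the commit message which caller can arrive here with `*buflen == -1` and whether that caller should also stop earlier.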