From: Al Viro
Date: Sun, 23 Mar 2014 04:28:40 +0000 (-0400)
Subject: make prepend_name() work correctly when called with negative *buflen
X-Git-Tag: submit/tizen_common/20140905.094502~228
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a41fd7536d9cbc81cf02033c3efa4078431fa4d0;p=sdk%2Femulator%2Femulator-kernel.git

make prepend_name() work correctly when called with negative *buflen

commit e825196d48d2b89a6ec3a8eff280098d2a78207e upstream.

In all callchains leading to prepend_name(), the value left in *buflen is eventually discarded unused if prepend_name() has returned a negative. So we are free to do what prepend() does, and subtract from *buflen *before* checking for underflow (which turns into checking the sign of subtraction result, of course).

Signed-off-by: Al Viro
Signed-off-by: Jiri Slaby
---
diff --git a/fs/dcache.c b/fs/dcache.c index 4021e0172602..30b38e23caa7 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -2846,9 +2846,9 @@ static int prepend_name(char **buffer, int *buflen, struct qstr *name) u32 dlen = ACCESS_ONCE(name->len); char *p; - if (*buflen < dlen + 1) - return -ENAMETOOLONG; *buflen -= dlen + 1; + if (*buflen < 0) + return -ENAMETOOLONG; p = *buffer -= dlen + 1; *p++ = '/'; while (dlen--) {
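Review bot: The new error path at `if (*buflen < 0)` returns -ENAMETOOLONG after `*buflen -= dlen + 1` has already changed the caller's counter, and nothing in the function records that this is intentional. The commit message explains that every call chain discards *buflen after a negative return; a short comment above the subtraction stating that contract would keep a future caller from reusing the value after a failure. Separately, `dlen` is declared u32 while `*buflen` is int, so the subtraction is evaluated in unsigned arithmetic and converted back to int. The sign test is a reliable underflow check only while `dlen + 1` stays well below INT_MAX, so the assumed bound on name->len deserves a mention in that comment, or an explicit cast to int on `dlen + 1` would make the intent visible. It is good that `*buffer` is still adjusted only after the check, so the output pointer is untouched on failure.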