This is a note to let you know that I've just added the patch titled make prepend_name() work correctly when called with negative *buflen to the 3.13-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: make-prepend_name-work-correctly-when-called-with-negative-buflen.patch and it can be found in the queue-3.13 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From e825196d48d2b89a6ec3a8eff280098d2a78207e Mon Sep 17 00:00:00 2001 From: Al Viro <viro@xxxxxxxxxxxxxxxxxx> Date: Sun, 23 Mar 2014 00:28:40 -0400 Subject: make prepend_name() work correctly when called with negative *buflen From: Al Viro <viro@xxxxxxxxxxxxxxxxxx> commit e825196d48d2b89a6ec3a8eff280098d2a78207e upstream. In all callchains leading to prepend_name(), the value left in *buflen is eventually discarded unused if prepend_name() has returned a negative. So we are free to do what prepend() does, and subtract from *buflen *before* checking for underflow (which turns into checking the sign of subtraction result, of course). Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/dcache.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/fs/dcache.c +++ b/fs/dcache.c @@ -2833,9 +2833,9 @@ static int prepend_name(char **buffer, i u32 dlen = ACCESS_ONCE(name->len); char *p; - if (*buflen < dlen + 1) - return -ENAMETOOLONG; *buflen -= dlen + 1; + if (*buflen < 0) + return -ENAMETOOLONG; p = *buffer -= dlen + 1; *p++ = '/'; while (dlen--) { Patches currently in stable-queue which might be from viro@xxxxxxxxxxxxxxxxxx are queue-3.13/rcuwalk-recheck-mount_lock-after-mountpoint-crossing-attempts.patch queue-3.13/make-prepend_name-work-correctly-when-called-with-negative-buflen.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html