From: Jamie Hill-Daniel <jamie@xxxxxxxxxxxxxxxxx> commit 722d94847de29310e8aa03fcbdb41fc92c521756 upstream. The "PAGE_SIZE - 2 - size" calculation in legacy_parse_param() is an unsigned type so a large value of "size" results in a high positive value instead of a negative value as expected. Fix this by getting rid of the subtraction. Signed-off-by: Jamie Hill-Daniel <jamie@xxxxxxxxxxxxxxxxx> Signed-off-by: William Liu <willsroot@xxxxxxxxxxxxxx> Tested-by: Salvatore Bonaccorso <carnil@xxxxxxxxxx> Tested-by: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx> Acked-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Acked-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx> Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/fs_context.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/fs_context.c +++ b/fs/fs_context.c @@ -530,7 +530,7 @@ static int legacy_parse_param(struct fs_ param->key); } - if (len > PAGE_SIZE - 2 - size) + if (size + len + 2 > PAGE_SIZE) return invalf(fc, "VFS: Legacy: Cumulative options too large"); if (strchr(param->key, ',') || (param->type == fs_value_is_string &&