From da574983de9f9283ba35662c8723627096e160de Mon Sep 17 00:00:00 2001
From: Al Viro
Date: Tue, 12 Aug 2008 00:04:22 -0400
Subject: [PATCH] fix hpux_getdents()
Missing checks for -EFAULT, broken handling of overflow.
Signed-off-by: Al Viro
---
arch/parisc/hpux/fs.c | 30 +++++++++++++++++++-----------
1 file changed, 19 insertions(+), 11 deletions(-)
(limited to 'arch/parisc/hpux/fs.c')
diff --git a/arch/parisc/hpux/fs.c b/arch/parisc/hpux/fs.c
index 1263f00dc35d..69ff671498e5 100644
--- a/arch/parisc/hpux/fs.c
+++ b/arch/parisc/hpux/fs.c
@@ -84,22 +84,28 @@ static int filldir(void * __buf, const char * name, int namlen, loff_t offset,
 if (reclen > buf->count)
 return -EINVAL;
 d_ino = ino;
- if (sizeof(d_ino) < sizeof(ino) && d_ino != ino)
+ if (sizeof(d_ino) < sizeof(ino) && d_ino != ino) {
+ buf->error = -EOVERFLOW;
 return -EOVERFLOW;
+ }
 dirent = buf->previous;
 if (dirent)
- put_user(offset, &dirent->d_off);
+ if (put_user(offset, &dirent->d_off))
+ goto Efault;
 dirent = buf->current_dir;
+ if (put_user(d_ino, &dirent->d_ino) ||
+ put_user(reclen, &dirent->d_reclen) ||
+ put_user(namlen, &dirent->d_namlen) ||
+ copy_to_user(dirent->d_name, name, namlen) ||
+ put_user(0, dirent->d_name + namlen))
+ goto Efault;
 buf->previous = dirent;
- put_user(d_ino, &dirent->d_ino);
- put_user(reclen, &dirent->d_reclen);
- put_user(namlen, &dirent->d_namlen);
- copy_to_user(dirent->d_name, name, namlen);
- put_user(0, dirent->d_name + namlen);
- dirent = (void __user *)dirent + reclen;
- buf->current_dir = dirent;
+ buf->current_dir = (void __user *)dirent + reclen;
 buf->count -= reclen;
 return 0;
+Efault:
+ buffer->error = -EFAULT;
+ return -EFAULT;
 }
 #undef NAME_OFFSET
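Review bot: The unbraced `if (dirent)` followed directly by a second unbraced `if (put_user(offset, &dirent->d_off))` nests two conditionals where one would do, and an `else` added later would bind to the inner test rather than to `if (dirent)`. Folding them into `if (dirent && put_user(offset, &dirent->d_off))` with `goto Efault;` beneath it keeps the new fault check and removes the ambiguity. filldir begins above this hunk, so the declarations of `buf` and `reclen` are not visible here.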
@@ -126,8 +132,10 @@ int hpux_getdents(unsigned int fd, struct hpux_dirent __user *dirent, unsigned i
 error = buf.error;
 lastdirent = buf.previous;
 if (lastdirent) {
- put_user(file->f_pos, &lastdirent->d_off);
- error = count - buf.count;
+ if (put_user(file->f_pos, &lastdirent->d_off))
+ error = -EFAULT;
+ else
+ error = count - buf.count;
 }
 out_putf:
-- cgit v1.2.1
From 2ecbf813d5e6361eb7c7520a6f5e6afa168df39a Mon Sep 17 00:00:00 2001
From: Stephen Rothwell
Date: Tue, 2 Sep 2008 03:43:27 +1000
Subject: fix typo in arch/parisc/hpux/fs.c
A parisc allmodconfig build produces this: arch/parisc/hpux/fs.c:107: error: 'buffer' undeclared (first use in this function) Introduced by commit da574983de9f9283ba35662c8723627096e160de ("[PATCH] fix hpux_getdents()"). Helge Dille also reported this in bugzilla 11461: http://bugzilla.kernel.org/show_bug.cgi?id=11461 and he posted an identical patch.
Signed-off-by: Stephen Rothwell
Signed-off-by: Helge Deller
Signed-off-by: Linus Torvalds
---
arch/parisc/hpux/fs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'arch/parisc/hpux/fs.c')
diff --git a/arch/parisc/hpux/fs.c b/arch/parisc/hpux/fs.c
index 69ff671498e5..12c04c5e558b 100644
--- a/arch/parisc/hpux/fs.c
+++ b/arch/parisc/hpux/fs.c
@@ -104,7 +104,7 @@ static int filldir(void * __buf, const char * name, int namlen, loff_t offset,
 buf->count -= reclen;
 return 0;
 Efault:
- buffer->error = -EFAULT;
+ buf->error = -EFAULT;
 return -EFAULT;
 }
-- cgit v1.2.1
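Review bot: In the hpux_getdents hunk, the `else` branch still replaces the value just read from `buf.error` with `count - buf.count` whenever `lastdirent` is set, so an -EFAULT or -EOVERFLOW that filldir recorded after at least one complete record is not what this call returns. That looks like intended short-read behaviour, but nothing in the hunk says so, and a reader may take it for one of the lost errors the commit sets out to fix. A comment above the `else` would settle it, for example `/* at least one record was stored: return the byte count, not a later filldir error */`. The function starts above and continues below this hunk.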