From 0039840dabdb856805b4dd5c9a38341fb97662bf Mon Sep 17 00:00:00 2001
From: Bob Liu <lliubbo@gmail.com>
Date: Mon, 27 Jun 2011 16:18:06 -0700
Subject: [PATCH] --- yaml --- r: 254103 b: refs/heads/master c:
 2b4b2482e70eba10dd98653a3a5ac68126565e24 h: refs/heads/master i:   254101:
 07ebf6140c1d4bff06512630105e231eb773d38e   254099:
 00fe0425ae5ff08d7082125749a3bb2341a934ed   254095:
 9b5c704f33e710a8348f15b374d742ad75487740 v: v3

---
 [refs]                      | 2 +-
 trunk/fs/romfs/mmap-nommu.c | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/[refs] b/[refs]
index 4c355513d698..1f41f9409e51 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 8c95aa60d2ae3c4e63705ee0f18e155898b09662
+refs/heads/master: 2b4b2482e70eba10dd98653a3a5ac68126565e24
diff --git a/trunk/fs/romfs/mmap-nommu.c b/trunk/fs/romfs/mmap-nommu.c
index f0511e816967..eed99428f104 100644
--- a/trunk/fs/romfs/mmap-nommu.c
+++ b/trunk/fs/romfs/mmap-nommu.c
@@ -27,14 +27,18 @@ static unsigned long romfs_get_unmapped_area(struct file *file,
 {
 	struct inode *inode = file->f_mapping->host;
 	struct mtd_info *mtd = inode->i_sb->s_mtd;
-	unsigned long isize, offset;
+	unsigned long isize, offset, maxpages, lpages;
 
 	if (!mtd)
 		goto cant_map_directly;
 
+	/* the mapping mustn't extend beyond the EOF */
+	lpages = (len + PAGE_SIZE - 1) >> PAGE_SHIFT;
 	isize = i_size_read(inode);
 	offset = pgoff << PAGE_SHIFT;
-	if (offset > isize || len > isize || offset > isize - len)
+
+	maxpages = (isize + PAGE_SIZE - 1) >> PAGE_SHIFT;
+	if ((pgoff >= maxpages) || (maxpages - pgoff < lpages))
 		return (unsigned long) -EINVAL;
 
 	/* we need to call down to the MTD layer to do the actual mapping */