From 0adcf014734f6769515a4c55c82f1518bf71a75b Mon Sep 17 00:00:00 2001
From: Wu Fengguang
Date: Wed, 10 Mar 2010 15:21:51 -0800
Subject: [PATCH] --- yaml --- r: 187192 b: refs/heads/master c: dcefafb6ac90ece8d68a6c203105f3d313e52da4 h: refs/heads/master v: v3
---
 [refs] | 2 +-
 trunk/drivers/char/mem.c | 19 +++++++++++++------
 2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/[refs] b/[refs]
index 72923d4f7e6a..66794c675992 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 2cb9a75d13676d75bcc6fbc6f885403795581913
+refs/heads/master: dcefafb6ac90ece8d68a6c203105f3d313e52da4
diff --git a/trunk/drivers/char/mem.c b/trunk/drivers/char/mem.c
index 48788db4e280..e3f5577cbce3 100644
--- a/trunk/drivers/char/mem.c
+++ b/trunk/drivers/char/mem.c
@@ -708,16 +708,23 @@ static loff_t memory_lseek(struct file * file, loff_t offset, int orig)
 mutex_lock(&file->f_path.dentry->d_inode->i_mutex);
 switch (orig) {
- case 0:
+ case SEEK_CUR:
+ offset += file->f_pos;
+ if ((unsigned long long)offset <
+ (unsigned long long)file->f_pos) {
+ ret = -EOVERFLOW;
+ break;
+ }
+ case SEEK_SET:
+ /* to avoid userland mistaking f_pos=-9 as -EBADF=-9 */
+ if ((unsigned long long)offset >= ~0xFFFULL) {
+ ret = -EOVERFLOW;
+ break;
+ }
 file->f_pos = offset;
 ret = file->f_pos;
 force_successful_syscall_return();
 break;
- case 1:
- file->f_pos += offset;
- ret = file->f_pos;
- force_successful_syscall_return();
- break;
 default:
 ret = -EINVAL;
 }
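Review bot: In the `SEEK_CUR` case of memory_lseek, the wrap test `(unsigned long long)offset < (unsigned long long)file->f_pos` runs after `offset += file->f_pos`, so a negative relative offset (a backward seek, which the removed `file->f_pos += offset` accepted) also compares as smaller and returns -EOVERFLOW. If backward seeks are meant to keep working, test before the addition and only for forward moves, e.g. `if (offset > 0 && (unsigned long long)file->f_pos + offset < (unsigned long long)file->f_pos)`. The drop from `SEEK_CUR` into `SEEK_SET` looks intentional, since the errno-range check must also cover the combined position, but it is unmarked; add `/* fall through */` before `case SEEK_SET:` so it is not later mistaken for a missing `break`. The start of the function and everything after the switch are outside the hunk.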