pstore: Fix buffer overflow while write offset equal to buffer size
authorLiu ShuoX <shuox.liu@intel.com>
Wed, 12 Mar 2014 13:24:44 +0000 (21:24 +0800)
committerTony Luck <tony.luck@intel.com>
Mon, 17 Mar 2014 21:14:03 +0000 (14:14 -0700)
If the new offset is equal to prz->buffer_size, it does not wrap this time, and the old (overflowing) value is returned on the next call.

Signed-off-by: Liu ShuoX <shuox.liu@intel.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Tony Luck <tony.luck@intel.com>
fs/pstore/ram_core.c

index de272d4267634f220e61a436c9fc5a7d9f5d3083..ff7e3d4df5a15a4673b630812985d6164c5dfd21 100644 (file)
@@ -54,7 +54,7 @@ static size_t buffer_start_add_atomic(struct persistent_ram_zone *prz, size_t a)
        do {
                old = atomic_read(&prz->buffer->start);
                new = old + a;
-               while (unlikely(new > prz->buffer_size))
+               while (unlikely(new >= prz->buffer_size))
                        new -= prz->buffer_size;
        } while (atomic_cmpxchg(&prz->buffer->start, old, new) != old);
 
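Review bot: The corrected bound at the `while` line deserves a comment, because `>` versus `>=` is exactly the kind of off-by-one that gets "fixed" back later: `/* start is a write index and must stay in [0, buffer_size); a value equal to buffer_size points one past the end */`. The same change is made in buffer_start_add_locked in the second hunk, so the comment belongs in both places, or the wrap could move into one small shared helper so the two copies cannot drift apart again. The subtraction loop also relies on prz->buffer_size being non-zero, which nothing in the hunk shows being checked; presumably the zone setup enforces that, but it is worth confirming. buffer_start_add_atomic's body continues past the end of the hunk.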
@@ -91,7 +91,7 @@ static size_t buffer_start_add_locked(struct persistent_ram_zone *prz, size_t a)
 
        old = atomic_read(&prz->buffer->start);
        new = old + a;
-       while (unlikely(new > prz->buffer_size))
+       while (unlikely(new >= prz->buffer_size))
                new -= prz->buffer_size;
        atomic_set(&prz->buffer->start, new);