

Fix http://bugme.osdl.org/show_bug.cgi?id=2710.

When the user passes madvise a length of -1 through -4095, madvise blindly
rounds this up to 0 and then "succeeds".


---

 25-akpm/mm/madvise.c |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

diff -puN mm/madvise.c~madvise-len-check mm/madvise.c
--- 25/mm/madvise.c~madvise-len-check	2004-05-18 18:32:00.201704672 -0700
+++ 25-akpm/mm/madvise.c	2004-05-18 18:32:00.205704064 -0700
@@ -169,18 +169,24 @@ static long madvise_vma(struct vm_area_s
  *  -EBADF  - map exists, but area maps something that isn't a file.
  *  -EAGAIN - a kernel resource was temporarily unavailable.
  */
-asmlinkage long sys_madvise(unsigned long start, size_t len, int behavior)
+asmlinkage long sys_madvise(unsigned long start, size_t len_in, int behavior)
 {
 	unsigned long end;
 	struct vm_area_struct * vma;
 	int unmapped_error = 0;
 	int error = -EINVAL;
+	size_t len;
 
 	down_write(&current->mm->mmap_sem);
 
 	if (start & ~PAGE_MASK)
 		goto out;
-	len = (len + ~PAGE_MASK) & PAGE_MASK;
+	len = (len_in + ~PAGE_MASK) & PAGE_MASK;
+
+	/* Check to see whether len was rounded up from small -ve to zero */
+	if (len_in && !len)
+		goto out;
+
 	end = start + len;
 	if (end < start)
 		goto out;
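Review bot: The comment added above `if (len_in && !len)` calls the input "small -ve", but `len_in` is a `size_t`, so what the check catches is the unsigned wrap of `len_in + ~PAGE_MASK` for values within a page of the type's maximum. I would word it as `/* len_in within PAGE_SIZE - 1 of the size_t maximum wraps to 0 when page-rounded; reject it */`. The rejection yields -EINVAL only because `error` still holds its initial value at this point, which is worth noting if code is ever inserted above the check. The -EINVAL entry of the header comment lies outside the hunk, so I cannot tell whether it covers this case; if it does not, it should. The body of sys_madvise continues past the end of the hunk.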

_
