From: Martin Peschke <mp3@de.ibm.com>

Make sure strsep() in statistic_release_def() finds a terminanal '\0' and
doesn't attempt to access bytes outside the given buffer.

(Patch fixes
statistics-infrastructure-simplify-statistics-debugfs-write-function.patch)

Signed-off-by: Martin Peschke <mp3@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 lib/statistic.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletion(-)

diff -puN lib/statistic.c~statistics-infrastructure-fix-string-termination lib/statistic.c
--- a/lib/statistic.c~statistics-infrastructure-fix-string-termination
+++ a/lib/statistic.c
@@ -627,9 +627,10 @@ static ssize_t statistic_write_def(struc
 		return -EPIPE;
 	if (*offset + len > 16 * PAGE_SIZE)
 		return -ENOMEM;
-	larger = kmalloc(*offset + len, GFP_KERNEL);
+	larger = kmalloc(*offset + len + 1, GFP_KERNEL);
 	if (!larger)
 		return -ENOMEM;
+	larger[*offset + len] = '\0';
 	memcpy(larger, seq_priv->w_buf, *offset);
 	if (copy_from_user(larger + *offset, buf, len))
 		return -EFAULT;
_