or should this be fixed, with

        if (!buf || len > x)

if so, what should x be?

This patch wasn't tested in any way.
------------------------------>8-------------8<---------------------------------
len is unsigned, so the '< 0' test won't work.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c
index 25524d4..0b9d63f 100644
--- a/net/ipv4/tcp_probe.c
+++ b/net/ipv4/tcp_probe.c
@@ -167,7 +167,7 @@ static ssize_t tcpprobe_read(struct file *file, char __user *buf,
 {
 	int error = 0, cnt = 0;
 
-	if (!buf || len < 0)
+	if (!buf || (ssize_t)len < 0)
 		return -EINVAL;
 
 	while (cnt < len) {
--

[ message continues ]

Either cnt needs to be promoted, or you need to limit len to INT_MAX.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--

[ message continues ]

From: Herbert Xu <herbert@gondor.apana.org.au>

Right, since the positive range of 'size_t' can exceed that of 'int'
--

[ message continues ]

like this then?
------------------------------>8-------------8<---------------------------------
promote 'cnt' to size_t, to match 'len'.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c
index 25524d4..59f5b5e 100644
--- a/net/ipv4/tcp_probe.c
+++ b/net/ipv4/tcp_probe.c
@@ -165,9 +165,10 @@ static int tcpprobe_sprint(char *tbuf, int n)
 static ssize_t tcpprobe_read(struct file *file, char __user *buf,
 			     size_t len, loff_t *ppos)
 {
-	int error = 0, cnt = 0;
+	int error = 0;
+	size_t cnt = 0;
 
-	if (!buf || len < 0)
+	if (!buf)
 		return -EINVAL;
 
 	while (cnt < len) {
--

[ message continues ]

From: Roel Kluin <roel.kluin@gmail.com>

Applied, thanks.
--

[ message continues ]