On Fri, Jan 18, 2019 at 03:53:39PM +0100, Christian Brauner wrote:
> Hey everyone,
>
> Al gave me a really helpful review of binderfs and pointed out a range
> of bugs. The most obvious and serious ones have fortunately already been
> taken care of by patches sitting in Greg's char-misc-linus tree. The
> others are hopefully all covered in this patchset.

BTW, binderfs_binder_device_create() looks rather odd - it would be easier
to do this:

	inode_lock(d_inode(root));

	/* look it up */
	dentry = lookup_one_len(name, root, strlen(name));
	if (IS_ERR(dentry)) {
		/* some kind of error (ENOMEM, permissions) - report */
		inode_unlock(d_inode(root));
		ret = PTR_ERR(dentry);
		goto err;
	}
	if (d_really_is_positive(dentry)) {
		/* already exists */
		dput(dentry);
		inode_unlock(d_inode(root));
		ret = -EEXIST;
		goto err;
	}
	inode->i_private = device;
	...

and from that point on - as in your variant.

Another thing in there:

	name = kmalloc(name_len, GFP_KERNEL);
	if (!name)
		goto err;
	strscpy(name, req->name, name_len);

is an odd way to go; more straightforward would be

	req->name[BINDERFS_MAX_NAME] = '\0';	/* NUL-terminate */
	name = kmemdup(req->name, sizeof(req->name), GFP_KERNEL);
	if (!name)
		....
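The second point above is about a fixed-size name buffer that arrives from userspace and may carry no NUL terminator at all. The following is an added userspace model of the suggested pattern, not code from the message or from the binderfs driver: the request layout (struct name_req, BINDERFS_MAX_NAME of 255) and the helper names are assumptions of this example, and malloc()/memcpy() stand in for kmemdup(). The constructed input deliberately fills every byte of the name with no terminator, which is the case a kmalloc()+strscpy() path sized from strlen() would have to worry about.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sizes mirroring the shape of the binderfs request; this is a
 * userspace model, not the kernel's uapi header. */
#define BINDERFS_MAX_NAME 255

struct name_req {
	char name[BINDERFS_MAX_NAME + 1];	/* may arrive without a NUL */
};

/*
 * Force a terminator into the last byte, then duplicate the whole buffer.
 * Because the copy is sizeof(req->name) bytes and the final byte is now
 * always '\0', the result is NUL-terminated no matter what the caller
 * supplied. malloc()/memcpy() model kmemdup(); the caller frees the result.
 */
char *dup_request_name(struct name_req *req)
{
	char *name;

	req->name[BINDERFS_MAX_NAME] = '\0';
	name = malloc(sizeof(req->name));
	if (!name)
		return NULL;
	memcpy(name, req->name, sizeof(req->name));
	return name;
}

/*
 * Constructed input: every byte of the name is 'A' and there is no
 * terminator anywhere in the buffer, as a careless or hostile caller
 * could submit.
 */
struct name_req make_unterminated_request(void)
{
	struct name_req req;

	memset(req.name, 'A', sizeof(req.name));
	return req;
}

/* Constructed input: an ordinary, properly terminated short name. */
struct name_req make_request(const char *s)
{
	struct name_req req;

	memset(req.name, 0, sizeof(req.name));
	strncpy(req.name, s, BINDERFS_MAX_NAME);
	return req;
}

int main(void)
{
	struct name_req req = make_unterminated_request();
	char *name = dup_request_name(&req);

	if (!name)
		return 1;
	printf("unterminated input copied as %zu characters\n", strlen(name));
	free(name);

	req = make_request("binder-control");
	name = dup_request_name(&req);
	if (!name)
		return 1;
	printf("short input copied as \"%s\"\n", name);
	free(name);
	return 0;
}
```

The behaviour to note is that the hostile input is silently truncated to BINDERFS_MAX_NAME characters rather than read past the end of the buffer; the kmalloc()+strscpy() variant only reaches the same result if the caller has already guaranteed a terminator before name_len is computed.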