On Sun, Mar 23, 2014 at 09:36:28AM -0700, Linus Torvalds wrote:
> On Sun, Mar 23, 2014 at 12:16 AM, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
> > Several fixes; first 4 commits are obvious fixes (a couple
> > of fdget_pos()-related ones from Eric Biggers, prepend_name() fix, missing
> > checks for false negatives from __lookup_mnt() in fs/namei.c)
>
> I'm not seeing the obvious fix in the prepend_name() thing, and I
> think it's horrible to *update* the name-len to negative like it now
> does.
>
> Why is anybody calling it with a negative buffer length in the first
> place? *That* is the bug. Making the buflen become negative just makes
> the bug worse, imnsho.

It's easier to skip checking the overflow on prepend() of "\0" in the beginning
of the whole thing and just let the next operation fail. That's where
the corner case comes from.
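
The corner case described in the reply, modeled in user-space C as an added example (not code from the kernel or from this thread): the result of prepending the terminator is ignored, the signed length goes negative, and the next operation reports the failure. `prepend_component()` and `build_path()` are hypothetical names, and the body of `prepend()` is an assumption about its shape.

```c
#include <errno.h>
#include <string.h>

/* User-space model of the pattern in the thread; not the kernel's code.
 * Strings are written backwards from the end of the buffer. */
static int prepend(char **buffer, int *buflen, const char *str, int len)
{
    *buflen -= len;                 /* signed: may go (and stay) negative */
    if (*buflen < 0)
        return -ENAMETOOLONG;       /* nothing is written on failure */
    *buffer -= len;
    memcpy(*buffer, str, (size_t)len);
    return 0;
}

/* Hypothetical helper: prepend "/" followed by one name. */
static int prepend_component(char **buffer, int *buflen, const char *name)
{
    int len = (int)strlen(name);

    *buflen -= len + 1;
    if (*buflen < 0)                /* also true when buflen arrived negative */
        return -ENAMETOOLONG;
    *buffer -= len + 1;
    (*buffer)[0] = '/';
    memcpy(*buffer + 1, name, (size_t)len);
    return 0;
}

/* Build a path into buf[0..size), names given leaf first.
 * Returns 0 and sets *out to the start of the string, or -ENAMETOOLONG. */
int build_path(char *buf, int size, const char *const *names, int n, char **out)
{
    char *end = buf + size;
    int buflen = size, err = 0, i;

    /* The corner case: the terminator's result is ignored, so with
     * size == 0 buflen is -1 here and the next operation must reject it. */
    (void)prepend(&end, &buflen, "", 1);
    if (n == 0)
        err = prepend(&end, &buflen, "/", 1);
    for (i = 0; i < n && !err; i++)
        err = prepend_component(&end, &buflen, names[i]);
    *out = err ? NULL : end;
    return err;
}
```

The design only holds if every operation after the unchecked one tests the signed remaining length before writing, which is why `build_path()` still performs a checked prepend when there are no components.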