Hi Chao, On 2019/2/18 9:39, Chao Yu wrote: > If the image is corrupted, qn->name[i] may be anything, as you commented > above DBG_BUGON(), we really don't need to go through any later codes, it > can avoid potentially encoutnering wrong condition. > > * otherwise, it will return 1 to just skip the invalid name > Just I commented in the following source code, qn is actually the user requested name allocated in __d_alloc, which can be guaranteed with the trailing '\0' and it is a valid string. Thanks, Gao Xiang >>>> + >>>> + /* qd could not have trailing '\0' */ >>>> + /* However it is absolutely safe if < qd->end */ >>>> + while (qd->name + i < qd->end && qd->name[i] != '\0') { >>>> + if (qn->name[i] != qd->name[i]) { >>>> + *matched = i; >>>> + return qn->name[i] > qd->name[i] ? 1 : -1; >>>> } >>>> - return (qn->len > qd->len); >>>> + ++i; >>>> } >>>> - >>>> - if (qn->name[i] != qd->name[i]) { >>>> - *matched = i; >>>> - return qn->name[i] > qd->name[i] ? 1 : -1; >>>> - } >>>> - >>>> - ++i; >>>> - goto loop; >>>> + *matched = i; >>>> + /* See comments in __d_alloc on the terminating NUL character */ >>>> + return qn->name[i] == '\0' ? 0 : 1; >>>> }