From mboxrd@z Thu Jan 1 00:00:00 1970
From: Al Viro
Subject: Re: [git pull] vfs fixes
Date: Sun, 23 Mar 2014 16:45:26 +0000
Message-ID: <20140323164526.GJ18016@ZenIV.linux.org.uk>
References: <20140323071601.GH18016@ZenIV.linux.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Linux Kernel Mailing List , linux-fsdevel
To: Linus Torvalds
Return-path:
Content-Disposition: inline
In-Reply-To:
Sender: linux-kernel-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

On Sun, Mar 23, 2014 at 09:36:28AM -0700, Linus Torvalds wrote:
> On Sun, Mar 23, 2014 at 12:16 AM, Al Viro wrote:
> > Several fixes; first 4 commits are obvious fixes (a couple
> > of fdget_pos()-related ones from Eric Biggers, prepend_name() fix, missing
> > checks for false negatives from __lookup_mnt() in fs/namei.c)
>
> I'm not seeing the obvious fix in the prepend_name() thing, and I
> think it's horrible to *update* the name-len to negative like it now
> does.
>
> Why is anybody calling it with a negative buffer length in the first
> place? *That* is the bug. Making the buflen become negative just makes
> the bug worse, imnsho.

It's easier to skip checking the overflow on prepend() of "\0" in the
beginning of the whole thing and just let the next operation fail.
That's where the corner case comes from.
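The prepend()/prepend_name() pattern under discussion, as an added C example (not the fs/dcache.c code): it assumes a signed int buflen and an unsigned name length, and shows why "subtract, then test the signed result" is what lets the next operation fail cleanly after the unchecked prepend of "\0" has driven buflen negative; the unsigned-comparison pitfall it contrasts with is a general C property, not something the mail states.

```c
#include <errno.h>
#include <string.h>

/* Right-to-left buffer filler of the shape the thread discusses (added
 * example, not fs/dcache.c).  Subtract first, then test the signed result,
 * so a call that starts with a negative *buflen fails without writing. */
static int prepend(char **buffer, int *buflen, const char *str, int namelen)
{
	*buflen -= namelen;
	if (*buflen < 0)
		return -ENAMETOOLONG;
	*buffer -= namelen;
	memcpy(*buffer, str, namelen);
	return 0;
}

/* Prepend "/" + name.  dlen is unsigned (assumed, typical for such code),
 * so order matters: check-before-subtract, `if (*buflen < dlen + 1)`, is
 * evaluated in unsigned arithmetic once *buflen is negative (-1 < 6u is 0). */
static int prepend_name(char **buffer, int *buflen, const char *dname,
			unsigned int dlen)
{
	int need = (int)dlen + 1;
	*buflen -= need;
	if (*buflen < 0)
		return -ENAMETOOLONG;
	*buffer -= need;
	**buffer = '/';
	memcpy(*buffer + 1, dname, dlen);
	return 0;
}

/* Nonzero when the check-before-subtract form would let the write proceed;
 * the cast spells out C's usual arithmetic conversion. */
int check_first_accepts(int buflen, unsigned int dlen)
{
	return !((unsigned int)buflen < dlen + 1);
}

/* Build "/name\0" at the tail of buf as the d_path() family does; the first
 * "\0" prepend is left unchecked (the mail's corner case), so buflen 0 leaves
 * -1 and prepend_name() must be the call that fails.  NULL on overflow. */
const char *build_path(char *buf, int buflen, const char *name)
{
	char *end = buf + buflen;
	prepend(&end, &buflen, "\0", 1);	/* return value ignored on purpose */
	if (prepend_name(&end, &buflen, name, strlen(name)))
		return NULL;
	return end;
}
```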