From mboxrd@z Thu Jan  1 00:00:00 1970
From: Al Viro <viro@ZenIV.linux.org.uk>
Subject: Re: [PATCH]QNX6 filesystem (RO) driver
Date: Tue, 21 Feb 2012 22:04:55 +0000
Message-ID: <20120221220455.GT23916@ZenIV.linux.org.uk>
References: <20120215071119.GF23916@ZenIV.linux.org.uk>
 <20120215075750.GG23916@ZenIV.linux.org.uk>
 <20120215144037.GH23916@ZenIV.linux.org.uk>
 <20120216100043.GJ23916@ZenIV.linux.org.uk>
 <2977b399b903a3b7bff1ffe93e8d3dd9.squirrel@www.ontika.net>
 <20120217162006.GO23916@ZenIV.linux.org.uk>
 <def86ad9f4b3bd6be39b1c8ebb95864b.squirrel@www.ontika.net>
 <20120217183548.GQ23916@ZenIV.linux.org.uk>
 <20120217185335.GR23916@ZenIV.linux.org.uk>
 <4F3EC8C4.3050707@ontika.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: linux-fsdevel@vger.kernel.org
To: Kai Bankett <chaosman@ontika.net>
Return-path: <linux-fsdevel-owner@vger.kernel.org>
Received: from zeniv.linux.org.uk ([195.92.253.2]:34198 "EHLO
	ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1755757Ab2BUWE5 (ORCPT
	<rfc822;linux-fsdevel@vger.kernel.org>);
	Tue, 21 Feb 2012 17:04:57 -0500
Content-Disposition: inline
In-Reply-To: <4F3EC8C4.3050707@ontika.net>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID: <linux-fsdevel.vger.kernel.org>

On Fri, Feb 17, 2012 at 10:38:12PM +0100, Kai Bankett wrote:
> At least code was robust enough to deal with it ;)
> I guess ino was set to 0 anyways by compiler? At least it does not
> seem to have been sort of random.

Nope.  Uninitialized is uninitialized - in reality it's "whatever happens
to be in that word on stack", in theory it's "compiler has every right
to do _anything_ to reads from it".  Nasal daemon country...

> Otherwise testing would have shown strange effects - right?

Depends.

> http://a6.ontika.net/patches/0001-fs-initial-qnx6fs-addition.patch.gz

Still a problem with memcmp() use in qnx6_long_match() - suppose you've
got lf_size (on corrupt fs) set to 3Kb.  With 2Kb blocks and odd
->de_long_inode.  You are doing a lookup for 3Kb name.  What we get is
qnx6_longname() returning a pointer 2Kb into 4Kb page.  And qnx6_long_match()
proceeding to do memcmp() on 3Kb starting from that point.  Oops - literally.

What we need to do is either
	* silently return 0 on thislen > QNX6_LONG_NAME_MAX, or
	* return 0 and yell about corrupt /longfiles, or
	* have qnx6_lookup() check that len <= QNX6_LONG_NAME_MAX and
return ERR_PTR(-ENAMETOOLONG) if it isn't.  And lose the thislen check
completely.

I'd probably go for the last variant; it's consistent with what other
filesystems are doing and it would avoid mess if we ever try to do
r/w variant.  BTW, thislen check in qnx6_match() is also pointless -
we'd already checked that in caller.  Otherwise it would be wrong in
the same way as for long ones...