I keep trying to leave this bug report but I keep getting dragged in. It's worse than Twitter.
"As I suspected, you're in this not to contribute something to the community, but as a destructive influence. You will not be missed."
You seriously think I came to this thread to start a fight with you? What about the several *hundred* other security bugs I've fixed in open source software on my own free time?
"Every time I was convinced of the existence of an actual exploit, I have attempted to fix it."
Except for the part where I posted a working exploit and you completely ignored me.
"Maybe my fixes were naive, but don't forget that it's a lot easier to find holes in something, than to build something without holes in the first place."
I disagree, I think it's more like "it's easier to do something properly from the beginning than to patch a broken implementation one exploit at a time."
Your code is still broken: you can mount a legitimate block device on top of another directory in /dev by exploiting the mountpoint race that still exists, and then use that now-writable directory in /dev to mount an arbitrary filesystem on top of wherever. I suggest you accept Jason's patch and stop trying to fix this code.