The NR_OPEN check in F_DUPFD is unneeded. viro says: "We check the limits in locate_fd() (called by dupfd()). Check for NR_OPEN can (and should) be dropped - locate_fd() will never go beyond that (expand_fd() will check it and refuse to go). "IOW, simply lose the check. We _might_ want to check signedness, but that's it (IOW, check that arg will fit into 0..MAX_INT; second argument of dupfd() is an int). OTOH, we might actually make dupfd() et.al. take unsigned long and kill that crap completely." And indeed, the signedness is suspicious, so make various things in there unsigned too.

fs/fcntl.c | 12 +++++-------
1 files changed, 5 insertions(+), 7 deletions(-)

diff -puN fs/fcntl.c~remove-fcntl-check fs/fcntl.c
--- 25/fs/fcntl.c~remove-fcntl-check 2003-05-26 23:16:55.000000000 -0700
+++ 25-akpm/fs/fcntl.c 2003-05-26 23:16:55.000000000 -0700
@@ -80,11 +80,11 @@ static int expand_files(struct files_str
 */
 static int locate_fd(struct files_struct *files,
- struct file *file, int orig_start)
+ struct file *file, unsigned int orig_start)
 {
 unsigned int newfd;
+ unsigned int start;
 int error;
- int start;
 
 error = -EINVAL;
 if (orig_start >= current->rlim[RLIMIT_NOFILE].rlim_cur)
@@ -129,7 +129,7 @@ out:
 return error;
 }
 
-static int dupfd(struct file *file, int start)
+static int dupfd(struct file *file, unsigned int start)
 {
 struct files_struct * files = current->files;
 int fd;
@@ -286,10 +286,8 @@ static long do_fcntl(unsigned int fd, un
 
 switch (cmd) {
 case F_DUPFD:
- if (arg < NR_OPEN) {
- get_file(filp);
- err = dupfd(filp, arg);
- }
+ get_file(filp);
+ err = dupfd(filp, arg);
 break;
 case F_GETFD:
 err = get_close_on_exec(fd);
_
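Review bot: Narrowing `orig_start` to `unsigned int` here (and `start` in the dupfd hunk, fed by `err = dupfd(filp, arg);` in the do_fcntl hunk) silently truncates the caller's argument before the `orig_start >= current->rlim[RLIMIT_NOFILE].rlim_cur` bound is applied; the do_fcntl header context suggests `arg` is an `unsigned long`, so on a 64-bit build a constructed value such as 1UL<<32 would arrive as 0 and pass that check. The removed `if (arg < NR_OPEN)` test was the only comparison made at full width, so after this commit nothing inspects the untruncated value. The commit message already names the cleaner fix viro suggested: take `unsigned long` in both signatures, e.g. `struct file *file, unsigned long orig_start)` and `static int dupfd(struct file *file, unsigned long start)`, so the rlim_cur comparison sees the original value; otherwise keep an explicit range check in do_fcntl before the narrowing call. locate_fd's body continues past the hunk, so how `newfd` and `start` are used afterwards cannot be confirmed from this view.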