14 files changed, 81 insertions, 34 deletions
diff --git a/fs/afs/rxrpc.c b/fs/afs/rxrpc.c
index 2c588f9bbbda..c14001b42d20 100644
--- a/fs/afs/rxrpc.c
+++ b/fs/afs/rxrpc.c
@@ -610,6 +610,7 @@ static long afs_wait_for_call_to_complete(struct afs_call *call,
        bool stalled = false;
        u64 rtt;
        u32 life, last_life;
+        bool rxrpc_complete = false;
        DECLARE_WAITQUEUE(myself, current);
@@ -621,7 +622,7 @@ static long afs_wait_for_call_to_complete(struct afs_call *call,
                rtt2 = 2;
        timeout = rtt2;
-        last_life = rxrpc_kernel_check_life(call->net->socket, call->rxcall);
+        rxrpc_kernel_check_life(call->net->socket, call->rxcall, &last_life);
        add_wait_queue(&call->waitq, &myself);
        for (;;) {
@@ -639,7 +640,12 @@ static long afs_wait_for_call_to_complete(struct afs_call *call,
                if (afs_check_call_state(call, AFS_CALL_COMPLETE))
                        break;
-                life = rxrpc_kernel_check_life(call->net->socket, call->rxcall);
+                if (!rxrpc_kernel_check_life(call->net->socket, call->rxcall, &life)) {
+                        /* rxrpc terminated the call. */
+                        rxrpc_complete = true;
+                        break;
+                }
                if (timeout == 0 &&
                    life == last_life && signal_pending(current)) {
                        if (stalled)
@@ -663,12 +669,16 @@ static long afs_wait_for_call_to_complete(struct afs_call *call,
        remove_wait_queue(&call->waitq, &myself);
        __set_current_state(TASK_RUNNING);
-        /* Kill off the call if it's still live. */
        if (!afs_check_call_state(call, AFS_CALL_COMPLETE)) {
-                _debug("call interrupted");
+                if (rxrpc_complete) {
-                if (rxrpc_kernel_abort_call(call->net->socket, call->rxcall,
+                        afs_set_call_complete(call, call->error, call->abort_code);
-                                            RX_USER_ABORT, -EINTR, "KWI"))
+                } else {
-                        afs_set_call_complete(call, -EINTR, 0);
+                        /* Kill off the call if it's still live. */
+                        _debug("call interrupted");
+                        if (rxrpc_kernel_abort_call(call->net->socket, call->rxcall,
+                                                    RX_USER_ABORT, -EINTR, "KWI"))
+                                afs_set_call_complete(call, -EINTR, 0);
+                }
        }
        spin_lock_bh(&call->state_lock);
diff --git a/fs/aio.c b/fs/aio.c
index a4cc2a1cccb7..3490d1fa0e16 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1034,7 +1034,7 @@ static inline struct aio_kiocb *aio_get_req(struct kioctx *ctx)
                return NULL;
        if (unlikely(!get_reqs_available(ctx))) {
-                kfree(req);
+                kmem_cache_free(kiocb_cachep, req);
                return NULL;
        }
@@ -1794,7 +1794,7 @@ static int __io_submit_one(struct kioctx *ctx, const struct iocb *iocb,
                 */
                eventfd = eventfd_ctx_fdget(iocb->aio_resfd);
                if (IS_ERR(eventfd))
-                        return PTR_ERR(req->ki_eventfd);
+                        return PTR_ERR(eventfd);
                req->ki_eventfd = eventfd;
        }
diff --git a/fs/block_dev.c b/fs/block_dev.c
index 78d3257435c0..24615c76c1d0 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -307,10 +307,10 @@ static void blkdev_bio_end_io(struct bio *bio)
        struct blkdev_dio *dio = bio->bi_private;
        bool should_dirty = dio->should_dirty;
-        if (dio->multi_bio && !atomic_dec_and_test(&dio->ref)) {
+        if (bio->bi_status && !dio->bio.bi_status)
-                if (bio->bi_status && !dio->bio.bi_status)
+                dio->bio.bi_status = bio->bi_status;
-                        dio->bio.bi_status = bio->bi_status;
-        } else {
+        if (!dio->multi_bio || atomic_dec_and_test(&dio->ref)) {
                if (!dio->is_sync) {
                        struct kiocb *iocb = dio->iocb;
                        ssize_t ret;
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index ec2d8919e7fb..cd4e693406a0 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -501,6 +501,16 @@ static noinline int btrfs_ioctl_fitrim(struct file *file, void __user *arg)
        if (!capable(CAP_SYS_ADMIN))
                return -EPERM;
+        /*
+         * If the fs is mounted with nologreplay, which requires it to be
+         * mounted in RO mode as well, we can not allow discard on free space
+         * inside block groups, because log trees refer to extents that are not
+         * pinned in a block group's free space cache (pinning the extents is
+         * precisely the first phase of replaying a log tree).
+         */
+        if (btrfs_test_opt(fs_info, NOLOGREPLAY))
+                return -EROFS;
        rcu_read_lock();
        list_for_each_entry_rcu(device, &fs_info->fs_devices->devices,
                                dev_list) {
diff --git a/fs/btrfs/props.c b/fs/btrfs/props.c
index dc6140013ae8..61d22a56c0ba 100644
--- a/fs/btrfs/props.c
+++ b/fs/btrfs/props.c
@@ -366,11 +366,11 @@ int btrfs_subvol_inherit_props(struct btrfs_trans_handle *trans,
 static int prop_compression_validate(const char *value, size_t len)
 {
-        if (!strncmp("lzo", value, len))
+        if (!strncmp("lzo", value, 3))
                return 0;
-        else if (!strncmp("zlib", value, len))
+        else if (!strncmp("zlib", value, 4))
                return 0;
-        else if (!strncmp("zstd", value, len))
+        else if (!strncmp("zstd", value, 4))
                return 0;
        return -EINVAL;
@@ -396,7 +396,7 @@ static int prop_compression_apply(struct inode *inode,
                btrfs_set_fs_incompat(fs_info, COMPRESS_LZO);
        } else if (!strncmp("zlib", value, 4)) {
                type = BTRFS_COMPRESS_ZLIB;
-        } else if (!strncmp("zstd", value, len)) {
+        } else if (!strncmp("zstd", value, 4)) {
                type = BTRFS_COMPRESS_ZSTD;
                btrfs_set_fs_incompat(fs_info, COMPRESS_ZSTD);
        } else {
diff --git a/fs/dax.c b/fs/dax.c
index ca0671d55aa6..e5e54da1715f 100644
--- a/fs/dax.c
+++ b/fs/dax.c
@@ -33,6 +33,7 @@
 #include <linux/sizes.h>
 #include <linux/mmu_notifier.h>
 #include <linux/iomap.h>
+#include <asm/pgalloc.h>
 #include "internal.h"
 #define CREATE_TRACE_POINTS
@@ -1407,7 +1408,9 @@ static vm_fault_t dax_pmd_load_hole(struct xa_state *xas, struct vm_fault *vmf,
 {
        struct address_space *mapping = vmf->vma->vm_file->f_mapping;
        unsigned long pmd_addr = vmf->address & PMD_MASK;
+        struct vm_area_struct *vma = vmf->vma;
        struct inode *inode = mapping->host;
+        pgtable_t pgtable = NULL;
        struct page *zero_page;
        spinlock_t *ptl;
        pmd_t pmd_entry;
@@ -1422,12 +1425,22 @@ static vm_fault_t dax_pmd_load_hole(struct xa_state *xas, struct vm_fault *vmf,
        *entry = dax_insert_entry(xas, mapping, vmf, *entry, pfn,
                        DAX_PMD | DAX_ZERO_PAGE, false);
+        if (arch_needs_pgtable_deposit()) {
+                pgtable = pte_alloc_one(vma->vm_mm);
+                if (!pgtable)
+                        return VM_FAULT_OOM;
+        }
        ptl = pmd_lock(vmf->vma->vm_mm, vmf->pmd);
        if (!pmd_none(*(vmf->pmd))) {
                spin_unlock(ptl);
                goto fallback;
        }
+        if (pgtable) {
+                pgtable_trans_huge_deposit(vma->vm_mm, vmf->pmd, pgtable);
+                mm_inc_nr_ptes(vma->vm_mm);
+        }
        pmd_entry = mk_pmd(zero_page, vmf->vma->vm_page_prot);
        pmd_entry = pmd_mkhuge(pmd_entry);
        set_pmd_at(vmf->vma->vm_mm, pmd_addr, vmf->pmd, pmd_entry);
@@ -1436,6 +1449,8 @@ static vm_fault_t dax_pmd_load_hole(struct xa_state *xas, struct vm_fault *vmf,
        return VM_FAULT_NOPAGE;
 fallback:
+        if (pgtable)
+                pte_free(vma->vm_mm, pgtable);
        trace_dax_pmd_load_hole_fallback(inode, vmf, zero_page, *entry);
        return VM_FAULT_FALLBACK;
 }
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 8a63e52785e9..9971a35cf1ef 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -2056,10 +2056,8 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
                rem += pipe->bufs[(pipe->curbuf + idx) & (pipe->buffers - 1)].len;
        ret = -EINVAL;
-        if (rem < len) {
+        if (rem < len)
-                pipe_unlock(pipe);
+                goto out_free;
-                goto out;
-        }
        rem = len;
        while (rem) {
@@ -2077,7 +2075,9 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
                        pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
                        pipe->nrbufs--;
                } else {
-                        pipe_buf_get(pipe, ibuf);
+                        if (!pipe_buf_get(pipe, ibuf))
+                                goto out_free;
                        *obuf = *ibuf;
                        obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
                        obuf->len = rem;
@@ -2100,11 +2100,11 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
        ret = fuse_dev_do_write(fud, &cs, len);
        pipe_lock(pipe);
+out_free:
        for (idx = 0; idx < nbuf; idx++)
                pipe_buf_release(pipe, &bufs[idx]);
        pipe_unlock(pipe);
-out:
        kvfree(bufs);
        return ret;
 }
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 07d6ef195d05..89aa8412b5f5 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2245,6 +2245,10 @@ static int io_sq_offload_start(struct io_ring_ctx *ctx,
                goto err;
        if (ctx->flags & IORING_SETUP_SQPOLL) {
+                ret = -EPERM;
+                if (!capable(CAP_SYS_ADMIN))
+                        goto err;
                if (p->flags & IORING_SETUP_SQ_AFF) {
                        int cpu;
diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
index ff6f85fb676b..5196bfa7894d 100644
--- a/fs/nfs/nfs42proc.c
+++ b/fs/nfs/nfs42proc.c
@@ -329,9 +329,6 @@ ssize_t nfs42_proc_copy(struct file *src, loff_t pos_src,
        };
        ssize_t err, err2;
-        if (!nfs_server_capable(file_inode(dst), NFS_CAP_COPY))
-                return -EOPNOTSUPP;
        src_lock = nfs_get_lock_context(nfs_file_open_context(src));
        if (IS_ERR(src_lock))
                return PTR_ERR(src_lock);
diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c
index 45b2322e092d..00d17198ee12 100644
--- a/fs/nfs/nfs4file.c
+++ b/fs/nfs/nfs4file.c
@@ -133,8 +133,10 @@ static ssize_t nfs4_copy_file_range(struct file *file_in, loff_t pos_in,
                                    struct file *file_out, loff_t pos_out,
                                    size_t count, unsigned int flags)
 {
+        if (!nfs_server_capable(file_inode(file_out), NFS_CAP_COPY))
+                return -EOPNOTSUPP;
        if (file_inode(file_in) == file_inode(file_out))
-                return -EINVAL;
+                return -EOPNOTSUPP;
        return nfs42_proc_copy(file_in, pos_in, file_out, pos_out, count);
 }
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index cfcabc33e24d..602446158bfb 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -2589,7 +2589,7 @@ static void nfs4_xdr_enc_getacl(struct rpc_rqst *req, struct xdr_stream *xdr,
                        ARRAY_SIZE(nfs4_acl_bitmap), &hdr);
        rpc_prepare_reply_pages(req, args->acl_pages, 0,
-                                args->acl_len, replen);
+                                args->acl_len, replen + 1);
        encode_nops(&hdr);
 }
@@ -2811,7 +2811,7 @@ static void nfs4_xdr_enc_fs_locations(struct rpc_rqst *req,
        }
        rpc_prepare_reply_pages(req, (struct page **)&args->page, 0,
-                                PAGE_SIZE, replen);
+                                PAGE_SIZE, replen + 1);
        encode_nops(&hdr);
 }
diff --git a/fs/nfs/super.c b/fs/nfs/super.c
index 23790c7b2289..c27ac96a95bd 100644
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2041,7 +2041,8 @@ static int nfs23_validate_mount_data(void *options,
                memcpy(sap, &data->addr, sizeof(data->addr));
                args->nfs_server.addrlen = sizeof(data->addr);
                args->nfs_server.port = ntohs(data->addr.sin_port);
-                if (!nfs_verify_server_address(sap))
+                if (sap->sa_family != AF_INET ||
+                    !nfs_verify_server_address(sap))
                        goto out_no_address;
                if (!(data->flags & NFS_MOUNT_TCP))
diff --git a/fs/pipe.c b/fs/pipe.c
index 070aad543382..41065901106b 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -188,9 +188,9 @@ EXPORT_SYMBOL(generic_pipe_buf_steal);
 *      in the tee() system call, when we duplicate the buffers in one
 *      pipe into another.
 */
-void generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
+bool generic_pipe_buf_get(struct pipe_inode_info *pipe, struct pipe_buffer *buf)
 {
-        get_page(buf->page);
+        return try_get_page(buf->page);
 }
 EXPORT_SYMBOL(generic_pipe_buf_get);
diff --git a/fs/splice.c b/fs/splice.c
index 3ee7e82df48f..98943d9b219c 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1593,7 +1593,11 @@ retry:
                         * Get a reference to this pipe buffer,
                         * so we can copy the contents over.
                         */
-                        pipe_buf_get(ipipe, ibuf);
+                        if (!pipe_buf_get(ipipe, ibuf)) {
+                                if (ret == 0)
+                                        ret = -EFAULT;
+                                break;
+                        }
                        *obuf = *ibuf;
                        /*
@@ -1667,7 +1671,11 @@ static int link_pipe(struct pipe_inode_info *ipipe,
                 * Get a reference to this pipe buffer,
                 * so we can copy the contents over.
                 */
-                pipe_buf_get(ipipe, ibuf);
+                if (!pipe_buf_get(ipipe, ibuf)) {
+                        if (ret == 0)
+                                ret = -EFAULT;
+                        break;
+                }
                obuf = opipe->bufs + nbuf;
                *obuf = *ibuf;

diff --git a/fs/afs/rxrpc.c b/fs/afs/rxrpc.c index 2c588f9bbbda..c14001b42d20 100644 --- a/fs/afs/rxrpc.c +++ b/fs/afs/rxrpc.c
@@ -610,6 +610,7 @@ static long afs_wait_for_call_to_complete(struct afs_call *call,
610	bool stalled = false;	610	bool stalled = false;
611	u64 rtt;	611	u64 rtt;
612	u32 life, last_life;	612	u32 life, last_life;
		613	bool rxrpc_complete = false;
613		614
614	DECLARE_WAITQUEUE(myself, current);	615	DECLARE_WAITQUEUE(myself, current);
615		616
@@ -621,7 +622,7 @@ static long afs_wait_for_call_to_complete(struct afs_call *call,
621	rtt2 = 2;	622	rtt2 = 2;
622		623
623	timeout = rtt2;	624	timeout = rtt2;
624	last_life = rxrpc_kernel_check_life(call->net->socket, call->rxcall);	625	rxrpc_kernel_check_life(call->net->socket, call->rxcall, &last_life);
625		626
626	add_wait_queue(&call->waitq, &myself);	627	add_wait_queue(&call->waitq, &myself);
627	for (;;) {	628	for (;;) {
@@ -639,7 +640,12 @@ static long afs_wait_for_call_to_complete(struct afs_call *call,
639	if (afs_check_call_state(call, AFS_CALL_COMPLETE))	640	if (afs_check_call_state(call, AFS_CALL_COMPLETE))
640	break;	641	break;
641		642
642	life = rxrpc_kernel_check_life(call->net->socket, call->rxcall);	643	if (!rxrpc_kernel_check_life(call->net->socket, call->rxcall, &life)) {
		644	/* rxrpc terminated the call. */
		645	rxrpc_complete = true;
		646	break;
		647	}
		648
643	if (timeout == 0 &&	649	if (timeout == 0 &&
644	life == last_life && signal_pending(current)) {	650	life == last_life && signal_pending(current)) {
645	if (stalled)	651	if (stalled)
@@ -663,12 +669,16 @@ static long afs_wait_for_call_to_complete(struct afs_call *call,
663	remove_wait_queue(&call->waitq, &myself);	669	remove_wait_queue(&call->waitq, &myself);
664	__set_current_state(TASK_RUNNING);	670	__set_current_state(TASK_RUNNING);
665		671
666	/* Kill off the call if it's still live. */
667	if (!afs_check_call_state(call, AFS_CALL_COMPLETE)) {	672	if (!afs_check_call_state(call, AFS_CALL_COMPLETE)) {
668	_debug("call interrupted");	673	if (rxrpc_complete) {
669	if (rxrpc_kernel_abort_call(call->net->socket, call->rxcall,	674	afs_set_call_complete(call, call->error, call->abort_code);
670	RX_USER_ABORT, -EINTR, "KWI"))	675	} else {
671	afs_set_call_complete(call, -EINTR, 0);	676	/* Kill off the call if it's still live. */
		677	_debug("call interrupted");
		678	if (rxrpc_kernel_abort_call(call->net->socket, call->rxcall,
		679	RX_USER_ABORT, -EINTR, "KWI"))
		680	afs_set_call_complete(call, -EINTR, 0);
		681	}
672	}	682	}
673		683
674	spin_lock_bh(&call->state_lock);	684	spin_lock_bh(&call->state_lock);


diff --git a/fs/aio.c b/fs/aio.c index a4cc2a1cccb7..3490d1fa0e16 100644 --- a/fs/aio.c +++ b/fs/aio.c
@@ -1034,7 +1034,7 @@ static inline struct aio_kiocb aio_get_req(struct kioctx ctx)
1034	return NULL;	1034	return NULL;
1035		1035
1036	if (unlikely(!get_reqs_available(ctx))) {	1036	if (unlikely(!get_reqs_available(ctx))) {
1037	kfree(req);	1037	kmem_cache_free(kiocb_cachep, req);
1038	return NULL;	1038	return NULL;
1039	}	1039	}
1040		1040
@@ -1794,7 +1794,7 @@ static int __io_submit_one(struct kioctx ctx, const struct iocb iocb,
1794	*/	1794	*/
1795	eventfd = eventfd_ctx_fdget(iocb->aio_resfd);	1795	eventfd = eventfd_ctx_fdget(iocb->aio_resfd);
1796	if (IS_ERR(eventfd))	1796	if (IS_ERR(eventfd))
1797	return PTR_ERR(req->ki_eventfd);	1797	return PTR_ERR(eventfd);
1798		1798
1799	req->ki_eventfd = eventfd;	1799	req->ki_eventfd = eventfd;
1800	}	1800	}


diff --git a/fs/block_dev.c b/fs/block_dev.c index 78d3257435c0..24615c76c1d0 100644 --- a/fs/block_dev.c +++ b/fs/block_dev.c
@@ -307,10 +307,10 @@ static void blkdev_bio_end_io(struct bio *bio)
307	struct blkdev_dio *dio = bio->bi_private;	307	struct blkdev_dio *dio = bio->bi_private;
308	bool should_dirty = dio->should_dirty;	308	bool should_dirty = dio->should_dirty;
309		309
310	if (dio->multi_bio && !atomic_dec_and_test(&dio->ref)) {	310	if (bio->bi_status && !dio->bio.bi_status)
311	if (bio->bi_status && !dio->bio.bi_status)	311	dio->bio.bi_status = bio->bi_status;
312	dio->bio.bi_status = bio->bi_status;	312
313	} else {	313	if (!dio->multi_bio \|\| atomic_dec_and_test(&dio->ref)) {
314	if (!dio->is_sync) {	314	if (!dio->is_sync) {
315	struct kiocb *iocb = dio->iocb;	315	struct kiocb *iocb = dio->iocb;
316	ssize_t ret;	316	ssize_t ret;


diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index ec2d8919e7fb..cd4e693406a0 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c
@@ -501,6 +501,16 @@ static noinline int btrfs_ioctl_fitrim(struct file file, void __user arg)
501	if (!capable(CAP_SYS_ADMIN))	501	if (!capable(CAP_SYS_ADMIN))
502	return -EPERM;	502	return -EPERM;
503		503
		504	/*
		505	* If the fs is mounted with nologreplay, which requires it to be
		506	* mounted in RO mode as well, we can not allow discard on free space
		507	* inside block groups, because log trees refer to extents that are not
		508	* pinned in a block group's free space cache (pinning the extents is
		509	* precisely the first phase of replaying a log tree).
		510	*/
		511	if (btrfs_test_opt(fs_info, NOLOGREPLAY))
		512	return -EROFS;
		513
504	rcu_read_lock();	514	rcu_read_lock();
505	list_for_each_entry_rcu(device, &fs_info->fs_devices->devices,	515	list_for_each_entry_rcu(device, &fs_info->fs_devices->devices,
506	dev_list) {	516	dev_list) {


diff --git a/fs/btrfs/props.c b/fs/btrfs/props.c index dc6140013ae8..61d22a56c0ba 100644 --- a/fs/btrfs/props.c +++ b/fs/btrfs/props.c
@@ -366,11 +366,11 @@ int btrfs_subvol_inherit_props(struct btrfs_trans_handle *trans,
366		366
367	static int prop_compression_validate(const char *value, size_t len)	367	static int prop_compression_validate(const char *value, size_t len)
368	{	368	{
369	if (!strncmp("lzo", value, len))	369	if (!strncmp("lzo", value, 3))
370	return 0;	370	return 0;
371	else if (!strncmp("zlib", value, len))	371	else if (!strncmp("zlib", value, 4))
372	return 0;	372	return 0;
373	else if (!strncmp("zstd", value, len))	373	else if (!strncmp("zstd", value, 4))
374	return 0;	374	return 0;
375		375
376	return -EINVAL;	376	return -EINVAL;
@@ -396,7 +396,7 @@ static int prop_compression_apply(struct inode *inode,
396	btrfs_set_fs_incompat(fs_info, COMPRESS_LZO);	396	btrfs_set_fs_incompat(fs_info, COMPRESS_LZO);
397	} else if (!strncmp("zlib", value, 4)) {	397	} else if (!strncmp("zlib", value, 4)) {
398	type = BTRFS_COMPRESS_ZLIB;	398	type = BTRFS_COMPRESS_ZLIB;
399	} else if (!strncmp("zstd", value, len)) {	399	} else if (!strncmp("zstd", value, 4)) {
400	type = BTRFS_COMPRESS_ZSTD;	400	type = BTRFS_COMPRESS_ZSTD;
401	btrfs_set_fs_incompat(fs_info, COMPRESS_ZSTD);	401	btrfs_set_fs_incompat(fs_info, COMPRESS_ZSTD);
402	} else {	402	} else {


diff --git a/fs/dax.c b/fs/dax.c index ca0671d55aa6..e5e54da1715f 100644 --- a/fs/dax.c +++ b/fs/dax.c
@@ -33,6 +33,7 @@
33	#include <linux/sizes.h>	33	#include <linux/sizes.h>
34	#include <linux/mmu_notifier.h>	34	#include <linux/mmu_notifier.h>
35	#include <linux/iomap.h>	35	#include <linux/iomap.h>
		36	#include <asm/pgalloc.h>
36	#include "internal.h"	37	#include "internal.h"
37		38
38	#define CREATE_TRACE_POINTS	39	#define CREATE_TRACE_POINTS
@@ -1407,7 +1408,9 @@ static vm_fault_t dax_pmd_load_hole(struct xa_state xas, struct vm_fault vmf,
1407	{	1408	{
1408	struct address_space *mapping = vmf->vma->vm_file->f_mapping;	1409	struct address_space *mapping = vmf->vma->vm_file->f_mapping;
1409	unsigned long pmd_addr = vmf->address & PMD_MASK;	1410	unsigned long pmd_addr = vmf->address & PMD_MASK;
		1411	struct vm_area_struct *vma = vmf->vma;
1410	struct inode *inode = mapping->host;	1412	struct inode *inode = mapping->host;
		1413	pgtable_t pgtable = NULL;
1411	struct page *zero_page;	1414	struct page *zero_page;
1412	spinlock_t *ptl;	1415	spinlock_t *ptl;
1413	pmd_t pmd_entry;	1416	pmd_t pmd_entry;
@@ -1422,12 +1425,22 @@ static vm_fault_t dax_pmd_load_hole(struct xa_state xas, struct vm_fault vmf,
1422	entry = dax_insert_entry(xas, mapping, vmf, entry, pfn,	1425	entry = dax_insert_entry(xas, mapping, vmf, entry, pfn,
1423	DAX_PMD \| DAX_ZERO_PAGE, false);	1426	DAX_PMD \| DAX_ZERO_PAGE, false);
1424		1427
		1428	if (arch_needs_pgtable_deposit()) {
		1429	pgtable = pte_alloc_one(vma->vm_mm);
		1430	if (!pgtable)
		1431	return VM_FAULT_OOM;
		1432	}
		1433
1425	ptl = pmd_lock(vmf->vma->vm_mm, vmf->pmd);	1434	ptl = pmd_lock(vmf->vma->vm_mm, vmf->pmd);
1426	if (!pmd_none(*(vmf->pmd))) {	1435	if (!pmd_none(*(vmf->pmd))) {
1427	spin_unlock(ptl);	1436	spin_unlock(ptl);
1428	goto fallback;	1437	goto fallback;
1429	}	1438	}
1430		1439
		1440	if (pgtable) {
		1441	pgtable_trans_huge_deposit(vma->vm_mm, vmf->pmd, pgtable);
		1442	mm_inc_nr_ptes(vma->vm_mm);
		1443	}
1431	pmd_entry = mk_pmd(zero_page, vmf->vma->vm_page_prot);	1444	pmd_entry = mk_pmd(zero_page, vmf->vma->vm_page_prot);
1432	pmd_entry = pmd_mkhuge(pmd_entry);	1445	pmd_entry = pmd_mkhuge(pmd_entry);
1433	set_pmd_at(vmf->vma->vm_mm, pmd_addr, vmf->pmd, pmd_entry);	1446	set_pmd_at(vmf->vma->vm_mm, pmd_addr, vmf->pmd, pmd_entry);
@@ -1436,6 +1449,8 @@ static vm_fault_t dax_pmd_load_hole(struct xa_state xas, struct vm_fault vmf,
1436	return VM_FAULT_NOPAGE;	1449	return VM_FAULT_NOPAGE;
1437		1450
1438	fallback:	1451	fallback:
		1452	if (pgtable)
		1453	pte_free(vma->vm_mm, pgtable);
1439	trace_dax_pmd_load_hole_fallback(inode, vmf, zero_page, *entry);	1454	trace_dax_pmd_load_hole_fallback(inode, vmf, zero_page, *entry);
1440	return VM_FAULT_FALLBACK;	1455	return VM_FAULT_FALLBACK;
1441	}	1456	}


diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index 8a63e52785e9..9971a35cf1ef 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c
@@ -2056,10 +2056,8 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
2056	rem += pipe->bufs[(pipe->curbuf + idx) & (pipe->buffers - 1)].len;	2056	rem += pipe->bufs[(pipe->curbuf + idx) & (pipe->buffers - 1)].len;
2057		2057
2058	ret = -EINVAL;	2058	ret = -EINVAL;
2059	if (rem < len) {	2059	if (rem < len)
2060	pipe_unlock(pipe);	2060	goto out_free;
2061	goto out;
2062	}
2063		2061
2064	rem = len;	2062	rem = len;
2065	while (rem) {	2063	while (rem) {
@@ -2077,7 +2075,9 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
2077	pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);	2075	pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
2078	pipe->nrbufs--;	2076	pipe->nrbufs--;
2079	} else {	2077	} else {
2080	pipe_buf_get(pipe, ibuf);	2078	if (!pipe_buf_get(pipe, ibuf))
		2079	goto out_free;
		2080
2081	obuf = ibuf;	2081	obuf = ibuf;
2082	obuf->flags &= ~PIPE_BUF_FLAG_GIFT;	2082	obuf->flags &= ~PIPE_BUF_FLAG_GIFT;
2083	obuf->len = rem;	2083	obuf->len = rem;
@@ -2100,11 +2100,11 @@ static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
2100	ret = fuse_dev_do_write(fud, &cs, len);	2100	ret = fuse_dev_do_write(fud, &cs, len);
2101		2101
2102	pipe_lock(pipe);	2102	pipe_lock(pipe);
		2103	out_free:
2103	for (idx = 0; idx < nbuf; idx++)	2104	for (idx = 0; idx < nbuf; idx++)
2104	pipe_buf_release(pipe, &bufs[idx]);	2105	pipe_buf_release(pipe, &bufs[idx]);
2105	pipe_unlock(pipe);	2106	pipe_unlock(pipe);
2106		2107
2107	out:
2108	kvfree(bufs);	2108	kvfree(bufs);
2109	return ret;	2109	return ret;
2110	}	2110	}


diff --git a/fs/io_uring.c b/fs/io_uring.c index 07d6ef195d05..89aa8412b5f5 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c
@@ -2245,6 +2245,10 @@ static int io_sq_offload_start(struct io_ring_ctx *ctx,
2245	goto err;	2245	goto err;
2246		2246
2247	if (ctx->flags & IORING_SETUP_SQPOLL) {	2247	if (ctx->flags & IORING_SETUP_SQPOLL) {
		2248	ret = -EPERM;
		2249	if (!capable(CAP_SYS_ADMIN))
		2250	goto err;
		2251
2248	if (p->flags & IORING_SETUP_SQ_AFF) {	2252	if (p->flags & IORING_SETUP_SQ_AFF) {
2249	int cpu;	2253	int cpu;
2250		2254


diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c index ff6f85fb676b..5196bfa7894d 100644 --- a/fs/nfs/nfs42proc.c +++ b/fs/nfs/nfs42proc.c
@@ -329,9 +329,6 @@ ssize_t nfs42_proc_copy(struct file *src, loff_t pos_src,
329	};	329	};
330	ssize_t err, err2;	330	ssize_t err, err2;
331		331
332	if (!nfs_server_capable(file_inode(dst), NFS_CAP_COPY))
333	return -EOPNOTSUPP;
334
335	src_lock = nfs_get_lock_context(nfs_file_open_context(src));	332	src_lock = nfs_get_lock_context(nfs_file_open_context(src));
336	if (IS_ERR(src_lock))	333	if (IS_ERR(src_lock))
337	return PTR_ERR(src_lock);	334	return PTR_ERR(src_lock);


diff --git a/fs/nfs/nfs4file.c b/fs/nfs/nfs4file.c index 45b2322e092d..00d17198ee12 100644 --- a/fs/nfs/nfs4file.c +++ b/fs/nfs/nfs4file.c
@@ -133,8 +133,10 @@ static ssize_t nfs4_copy_file_range(struct file *file_in, loff_t pos_in,
133	struct file *file_out, loff_t pos_out,	133	struct file *file_out, loff_t pos_out,
134	size_t count, unsigned int flags)	134	size_t count, unsigned int flags)
135	{	135	{
		136	if (!nfs_server_capable(file_inode(file_out), NFS_CAP_COPY))
		137	return -EOPNOTSUPP;
136	if (file_inode(file_in) == file_inode(file_out))	138	if (file_inode(file_in) == file_inode(file_out))
137	return -EINVAL;	139	return -EOPNOTSUPP;
138	return nfs42_proc_copy(file_in, pos_in, file_out, pos_out, count);	140	return nfs42_proc_copy(file_in, pos_in, file_out, pos_out, count);
139	}	141	}
140		142


diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c index cfcabc33e24d..602446158bfb 100644 --- a/fs/nfs/nfs4xdr.c +++ b/fs/nfs/nfs4xdr.c
@@ -2589,7 +2589,7 @@ static void nfs4_xdr_enc_getacl(struct rpc_rqst req, struct xdr_stream xdr,
2589	ARRAY_SIZE(nfs4_acl_bitmap), &hdr);	2589	ARRAY_SIZE(nfs4_acl_bitmap), &hdr);
2590		2590
2591	rpc_prepare_reply_pages(req, args->acl_pages, 0,	2591	rpc_prepare_reply_pages(req, args->acl_pages, 0,
2592	args->acl_len, replen);	2592	args->acl_len, replen + 1);
2593	encode_nops(&hdr);	2593	encode_nops(&hdr);
2594	}	2594	}
2595		2595
@@ -2811,7 +2811,7 @@ static void nfs4_xdr_enc_fs_locations(struct rpc_rqst *req,
2811	}	2811	}
2812		2812
2813	rpc_prepare_reply_pages(req, (struct page **)&args->page, 0,	2813	rpc_prepare_reply_pages(req, (struct page **)&args->page, 0,
2814	PAGE_SIZE, replen);	2814	PAGE_SIZE, replen + 1);
2815	encode_nops(&hdr);	2815	encode_nops(&hdr);
2816	}	2816	}
2817		2817


diff --git a/fs/nfs/super.c b/fs/nfs/super.c index 23790c7b2289..c27ac96a95bd 100644 --- a/fs/nfs/super.c +++ b/fs/nfs/super.c
@@ -2041,7 +2041,8 @@ static int nfs23_validate_mount_data(void *options,
2041	memcpy(sap, &data->addr, sizeof(data->addr));	2041	memcpy(sap, &data->addr, sizeof(data->addr));
2042	args->nfs_server.addrlen = sizeof(data->addr);	2042	args->nfs_server.addrlen = sizeof(data->addr);
2043	args->nfs_server.port = ntohs(data->addr.sin_port);	2043	args->nfs_server.port = ntohs(data->addr.sin_port);
2044	if (!nfs_verify_server_address(sap))	2044	if (sap->sa_family != AF_INET \|\|
		2045	!nfs_verify_server_address(sap))
2045	goto out_no_address;	2046	goto out_no_address;
2046		2047
2047	if (!(data->flags & NFS_MOUNT_TCP))	2048	if (!(data->flags & NFS_MOUNT_TCP))


diff --git a/fs/pipe.c b/fs/pipe.c index 070aad543382..41065901106b 100644 --- a/fs/pipe.c +++ b/fs/pipe.c
@@ -188,9 +188,9 @@ EXPORT_SYMBOL(generic_pipe_buf_steal);
188	* in the tee() system call, when we duplicate the buffers in one	188	* in the tee() system call, when we duplicate the buffers in one
189	* pipe into another.	189	* pipe into another.
190	*/	190	*/
191	void generic_pipe_buf_get(struct pipe_inode_info pipe, struct pipe_buffer buf)	191	bool generic_pipe_buf_get(struct pipe_inode_info pipe, struct pipe_buffer buf)
192	{	192	{
193	get_page(buf->page);	193	return try_get_page(buf->page);
194	}	194	}
195	EXPORT_SYMBOL(generic_pipe_buf_get);	195	EXPORT_SYMBOL(generic_pipe_buf_get);
196		196


diff --git a/fs/splice.c b/fs/splice.c index 3ee7e82df48f..98943d9b219c 100644 --- a/fs/splice.c +++ b/fs/splice.c
@@ -1593,7 +1593,11 @@ retry:
1593	* Get a reference to this pipe buffer,	1593	* Get a reference to this pipe buffer,
1594	* so we can copy the contents over.	1594	* so we can copy the contents over.
1595	*/	1595	*/
1596	pipe_buf_get(ipipe, ibuf);	1596	if (!pipe_buf_get(ipipe, ibuf)) {
		1597	if (ret == 0)
		1598	ret = -EFAULT;
		1599	break;
		1600	}
1597	obuf = ibuf;	1601	obuf = ibuf;
1598		1602
1599	/*	1603	/*
@@ -1667,7 +1671,11 @@ static int link_pipe(struct pipe_inode_info *ipipe,
1667	* Get a reference to this pipe buffer,	1671	* Get a reference to this pipe buffer,
1668	* so we can copy the contents over.	1672	* so we can copy the contents over.
1669	*/	1673	*/
1670	pipe_buf_get(ipipe, ibuf);	1674	if (!pipe_buf_get(ipipe, ibuf)) {
		1675	if (ret == 0)
		1676	ret = -EFAULT;
		1677	break;
		1678	}
1671		1679
1672	obuf = opipe->bufs + nbuf;	1680	obuf = opipe->bufs + nbuf;
1673	obuf = ibuf;	1681	obuf = ibuf;