5 files changed, 13 insertions, 12 deletions

diff --git a/fs/proc/array.c b/fs/proc/array.c
index 64db2bceac59..3e1290b0492e 100644
--- a/fs/proc/array.c
+++ b/fs/proc/array.c
@@ -297,15 +297,11 @@ static void render_cap_t(struct seq_file *m, const char *header,
         seq_puts(m, header);
         CAP_FOR_EACH_U32(__capi) {
                 seq_printf(m, "%08x",
-                           a->cap[(_KERNEL_CAPABILITY_U32S-1) - __capi]);
+                           a->cap[CAP_LAST_U32 - __capi]);
         }
         seq_putc(m, '\n');
 }
 
-/* Remove non-existent capabilities */
-#define NORM_CAPS(v) (v.cap[CAP_TO_INDEX(CAP_LAST_CAP)] &= \
-                                CAP_TO_MASK(CAP_LAST_CAP + 1) - 1)
-
 static inline void task_cap(struct seq_file *m, struct task_struct *p)
 {
         const struct cred *cred;
@@ -319,11 +315,6 @@ static inline void task_cap(struct seq_file *m, struct task_struct *p)
         cap_bset        = cred->cap_bset;
         rcu_read_unlock();
 
-        NORM_CAPS(cap_inheritable);
-        NORM_CAPS(cap_permitted);
-        NORM_CAPS(cap_effective);
-        NORM_CAPS(cap_bset);
-
         render_cap_t(m, "CapInh:\t", &cap_inheritable);
         render_cap_t(m, "CapPrm:\t", &cap_permitted);
         render_cap_t(m, "CapEff:\t", &cap_effective);
diff --git a/include/linux/capability.h b/include/linux/capability.h
index 84b13ad67c1c..aa93e5ef594c 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -78,8 +78,11 @@ extern const kernel_cap_t __cap_init_eff_set;
 # error Fix up hand-coded capability macro initializers
 #else /* HAND-CODED capability initializers */
 
+#define CAP_LAST_U32                    ((_KERNEL_CAPABILITY_U32S) - 1)
+#define CAP_LAST_U32_VALID_MASK         (CAP_TO_MASK(CAP_LAST_CAP + 1) -1)
+
 # define CAP_EMPTY_SET    ((kernel_cap_t){{ 0, 0 }})
-# define CAP_FULL_SET     ((kernel_cap_t){{ ~0, ~0 }})
+# define CAP_FULL_SET     ((kernel_cap_t){{ ~0, CAP_LAST_U32_VALID_MASK }})
 # define CAP_FS_SET       ((kernel_cap_t){{ CAP_FS_MASK_B0 \
                                     | CAP_TO_MASK(CAP_LINUX_IMMUTABLE), \
                                     CAP_FS_MASK_B1 } })
diff --git a/kernel/audit.c b/kernel/audit.c
index 3ef2e0e797e8..ba2ff5a5c600 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1677,7 +1677,7 @@ void audit_log_cap(struct audit_buffer *ab, char *prefix, kernel_cap_t *cap)
         audit_log_format(ab, " %s=", prefix);
         CAP_FOR_EACH_U32(i) {
                 audit_log_format(ab, "%08x",
-                                 cap->cap[(_KERNEL_CAPABILITY_U32S-1) - i]);
+                                 cap->cap[CAP_LAST_U32 - i]);
         }
 }
 
diff --git a/kernel/capability.c b/kernel/capability.c
index a5cf13c018ce..989f5bfc57dc 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -258,6 +258,10 @@ SYSCALL_DEFINE2(capset, cap_user_header_t, header, const cap_user_data_t, data)
                 i++;
         }
 
+        effective.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
+        permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
+        inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
+
         new = prepare_creds();
         if (!new)
                 return -ENOMEM;
diff --git a/security/commoncap.c b/security/commoncap.c
index 9fe46e22c7f2..bab0611afc1e 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -421,6 +421,9 @@ int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data
                 cpu_caps->inheritable.cap[i] = le32_to_cpu(caps.data[i].inheritable);
         }
 
+        cpu_caps->permitted.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
+        cpu_caps->inheritable.cap[CAP_LAST_U32] &= CAP_LAST_U32_VALID_MASK;
+
         return 0;
 }