Merge branch 'akpm' (patches from Andrew)

Merge yet more updates from Andrew Morton:

 - the rest of MM

 - various misc fixes and tweaks

* emailed patches from Andrew Morton <akpm@linux-foundation.org>: (22 commits)
  mm: Change return type int to vm_fault_t for fault handlers
  lib/fonts: convert comments to utf-8
  s390: ebcdic: convert comments to UTF-8
  treewide: convert ISO_8859-1 text comments to utf-8
  drivers/gpu/drm/gma500/: change return type to vm_fault_t
  docs/core-api: mm-api: add section about GFP flags
  docs/mm: make GFP flags descriptions usable as kernel-doc
  docs/core-api: split memory management API to a separate file
  docs/core-api: move *{str,mem}dup* to "String Manipulation"
  docs/core-api: kill trailing whitespace in kernel-api.rst
  mm/util: add kernel-doc for kvfree
  mm/util: make strndup_user description a kernel-doc comment
  fs/proc/vmcore.c: hide vmcoredd_mmap_dumps() for nommu builds
  treewide: correct "differenciate" and "instanciate" typos
  fs/afs: use new return type vm_fault_t
  drivers/hwtracing/intel_th/msu.c: change return type to vm_fault_t
  mm: soft-offline: close the race against page allocation
  mm: fix race on soft-offlining free huge pages
  namei: allow restricted O_CREAT of FIFOs and regular files
  hfs: prevent crash on exit from failed search
  ...

8 files changed, 67 insertions, 17 deletions

diff --git a/fs/afs/internal.h b/fs/afs/internal.h
index 9778df135717..871a228d7f37 100644
--- a/fs/afs/internal.h
+++ b/fs/afs/internal.h
@@ -21,6 +21,7 @@
 #include <linux/fscache.h>
 #include <linux/backing-dev.h>
 #include <linux/uuid.h>
+#include <linux/mm_types.h>
 #include <net/net_namespace.h>
 #include <net/netns/generic.h>
 #include <net/sock.h>
@@ -1076,7 +1077,7 @@ extern int afs_writepages(struct address_space *, struct writeback_control *);
 extern void afs_pages_written_back(struct afs_vnode *, struct afs_call *);
 extern ssize_t afs_file_write(struct kiocb *, struct iov_iter *);
 extern int afs_fsync(struct file *, loff_t, loff_t, int);
-extern int afs_page_mkwrite(struct vm_fault *);
+extern vm_fault_t afs_page_mkwrite(struct vm_fault *vmf);
 extern void afs_prune_wb_keys(struct afs_vnode *);
 extern int afs_launder_page(struct page *);
 
diff --git a/fs/afs/write.c b/fs/afs/write.c
index 8b39e6ebb40b..19c04caf3c01 100644
--- a/fs/afs/write.c
+++ b/fs/afs/write.c
@@ -753,7 +753,7 @@ int afs_fsync(struct file *file, loff_t start, loff_t end, int datasync)
  * notification that a previously read-only page is about to become writable
  * - if it returns an error, the caller will deliver a bus error signal
  */
-int afs_page_mkwrite(struct vm_fault *vmf)
+vm_fault_t afs_page_mkwrite(struct vm_fault *vmf)
 {
         struct file *file = vmf->vma->vm_file;
         struct inode *inode = file_inode(file);
diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c
index ad04a5741016..9a8772465a90 100644
--- a/fs/hfs/brec.c
+++ b/fs/hfs/brec.c
@@ -75,9 +75,10 @@ int hfs_brec_insert(struct hfs_find_data *fd, void *entry, int entry_len)
         if (!fd->bnode) {
                 if (!tree->root)
                         hfs_btree_inc_height(tree);
-                fd->bnode = hfs_bnode_find(tree, tree->leaf_head);
-                if (IS_ERR(fd->bnode))
-                        return PTR_ERR(fd->bnode);
+                node = hfs_bnode_find(tree, tree->leaf_head);
+                if (IS_ERR(node))
+                        return PTR_ERR(node);
+                fd->bnode = node;
                 fd->record = -1;
         }
         new_node = NULL;
diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c
index 808f4d8c859c..ed8eacb34452 100644
--- a/fs/hfsplus/brec.c
+++ b/fs/hfsplus/brec.c
@@ -73,9 +73,10 @@ int hfs_brec_insert(struct hfs_find_data *fd, void *entry, int entry_len)
         if (!fd->bnode) {
                 if (!tree->root)
                         hfs_btree_inc_height(tree);
-                fd->bnode = hfs_bnode_find(tree, tree->leaf_head);
-                if (IS_ERR(fd->bnode))
-                        return PTR_ERR(fd->bnode);
+                node = hfs_bnode_find(tree, tree->leaf_head);
+                if (IS_ERR(node))
+                        return PTR_ERR(node);
+                fd->bnode = node;
                 fd->record = -1;
         }
         new_node = NULL;
diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
index c5a70f83dbe7..f37662675c3a 100644
--- a/fs/hfsplus/dir.c
+++ b/fs/hfsplus/dir.c
@@ -77,13 +77,13 @@ again:
                                 cpu_to_be32(HFSP_HARDLINK_TYPE) &&
                                 entry.file.user_info.fdCreator ==
                                 cpu_to_be32(HFSP_HFSPLUS_CREATOR) &&
+                                HFSPLUS_SB(sb)->hidden_dir &&
                                 (entry.file.create_date ==
                                         HFSPLUS_I(HFSPLUS_SB(sb)->hidden_dir)->
                                                 create_date ||
                                 entry.file.create_date ==
                                         HFSPLUS_I(d_inode(sb->s_root))->
-                                                create_date) &&
-                                HFSPLUS_SB(sb)->hidden_dir) {
+                                                create_date)) {
                         struct qstr str;
                         char name[32];
 
diff --git a/fs/namei.c b/fs/namei.c
index ae6aa9ae757c..0cab6494978c 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -887,6 +887,8 @@ static inline void put_link(struct nameidata *nd)
 
 int sysctl_protected_symlinks __read_mostly = 0;
 int sysctl_protected_hardlinks __read_mostly = 0;
+int sysctl_protected_fifos __read_mostly;
+int sysctl_protected_regular __read_mostly;
 
 /**
  * may_follow_link - Check symlink following for unsafe situations
@@ -1003,6 +1005,45 @@ static int may_linkat(struct path *link)
         return -EPERM;
 }
 
+/**
+ * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory
+ *                        should be allowed, or not, on files that already
+ *                        exist.
+ * @dir: the sticky parent directory
+ * @inode: the inode of the file to open
+ *
+ * Block an O_CREAT open of a FIFO (or a regular file) when:
+ *   - sysctl_protected_fifos (or sysctl_protected_regular) is enabled
+ *   - the file already exists
+ *   - we are in a sticky directory
+ *   - we don't own the file
+ *   - the owner of the directory doesn't own the file
+ *   - the directory is world writable
+ * If the sysctl_protected_fifos (or sysctl_protected_regular) is set to 2
+ * the directory doesn't have to be world writable: being group writable will
+ * be enough.
+ *
+ * Returns 0 if the open is allowed, -ve on error.
+ */
+static int may_create_in_sticky(struct dentry * const dir,
+                                struct inode * const inode)
+{
+        if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) ||
+            (!sysctl_protected_regular && S_ISREG(inode->i_mode)) ||
+            likely(!(dir->d_inode->i_mode & S_ISVTX)) ||
+            uid_eq(inode->i_uid, dir->d_inode->i_uid) ||
+            uid_eq(current_fsuid(), inode->i_uid))
+                return 0;
+
+        if (likely(dir->d_inode->i_mode & 0002) ||
+            (dir->d_inode->i_mode & 0020 &&
+             ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) ||
+              (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) {
+                return -EACCES;
+        }
+        return 0;
+}
+
 static __always_inline
 const char *get_link(struct nameidata *nd)
 {
@@ -3348,9 +3389,15 @@ finish_open:
         if (error)
                 return error;
         audit_inode(nd->name, nd->path.dentry, 0);
-        error = -EISDIR;
-        if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
-                goto out;
+        if (open_flag & O_CREAT) {
+                error = -EISDIR;
+                if (d_is_dir(nd->path.dentry))
+                        goto out;
+                error = may_create_in_sticky(dir,
+                                             d_backing_inode(nd->path.dentry));
+                if (unlikely(error))
+                        goto out;
+        }
         error = -ENOTDIR;
         if ((nd->flags & LOOKUP_DIRECTORY) && !d_can_lookup(nd->path.dentry))
                 goto out;
diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c
index 6c1c2607e9e4..cbde728f8ac6 100644
--- a/fs/proc/vmcore.c
+++ b/fs/proc/vmcore.c
@@ -225,6 +225,7 @@ out_unlock:
         return ret;
 }
 
+#ifdef CONFIG_MMU
 static int vmcoredd_mmap_dumps(struct vm_area_struct *vma, unsigned long dst,
                                u64 start, size_t size)
 {
@@ -259,6 +260,7 @@ out_unlock:
         mutex_unlock(&vmcoredd_mutex);
         return ret;
 }
+#endif /* CONFIG_MMU */
 #endif /* CONFIG_PROC_VMCORE_DEVICE_DUMP */
 
 /* Read from the ELF header and then the crash dump. On error, negative value is
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index f649023b19b5..bfa0ec69f924 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -340,17 +340,15 @@ out:
  * fatal_signal_pending()s, and the mmap_sem must be released before
  * returning it.
  */
-int handle_userfault(struct vm_fault *vmf, unsigned long reason)
+vm_fault_t handle_userfault(struct vm_fault *vmf, unsigned long reason)
 {
         struct mm_struct *mm = vmf->vma->vm_mm;
         struct userfaultfd_ctx *ctx;
         struct userfaultfd_wait_queue uwq;
-        int ret;
+        vm_fault_t ret = VM_FAULT_SIGBUS;
         bool must_wait, return_to_userland;
         long blocking_state;
 
-        ret = VM_FAULT_SIGBUS;
-
         /*
          * We don't do userfault handling for the final child pid update.
          *