23 files changed, 243 insertions, 259 deletions
diff --git a/fs/afs/mntpt.c b/fs/afs/mntpt.c
index 2f5503902c37..78db4953a800 100644
--- a/fs/afs/mntpt.c
+++ b/fs/afs/mntpt.c
@@ -232,7 +232,7 @@ static void *afs_mntpt_follow_link(struct dentry *dentry, struct nameidata *nd)
        }
        mntget(newmnt);
-        err = do_add_mount(newmnt, nd, MNT_SHRINKABLE, &afs_vfsmounts);
+        err = do_add_mount(newmnt, &nd->path, MNT_SHRINKABLE, &afs_vfsmounts);
        switch (err) {
        case 0:
                path_put(&nd->path);
diff --git a/fs/block_dev.c b/fs/block_dev.c
index dcf37cada369..aff54219e049 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -941,8 +941,10 @@ static int do_open(struct block_device *bdev, struct file *file, int for_part)
         * hooks: /n/, see "layering violations".
         */
        ret = devcgroup_inode_permission(bdev->bd_inode, perm);
-        if (ret != 0)
+        if (ret != 0) {
+                bdput(bdev);
                return ret;
+        }
        ret = -ENXIO;
        file->f_mapping = bdev->bd_inode->i_mapping;
@@ -1234,6 +1236,7 @@ fail:
        bdev = ERR_PTR(error);
        goto out;
 }
+EXPORT_SYMBOL(lookup_bdev);
 /**
 * open_bdev_excl  -  open a block device by name and set it up for use
diff --git a/fs/buffer.c b/fs/buffer.c
index ca12a6bb82b1..4dbe52948e8f 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -580,7 +580,7 @@ EXPORT_SYMBOL(mark_buffer_async_write);
 /*
 * The buffer's backing address_space's private_lock must be held
 */
-static inline void __remove_assoc_queue(struct buffer_head *bh)
+static void __remove_assoc_queue(struct buffer_head *bh)
 {
        list_del_init(&bh->b_assoc_buffers);
        WARN_ON(!bh->b_assoc_map);
diff --git a/fs/cifs/cifs_dfs_ref.c b/fs/cifs/cifs_dfs_ref.c
index d82374c9e329..d2c8eef84f3c 100644
--- a/fs/cifs/cifs_dfs_ref.c
+++ b/fs/cifs/cifs_dfs_ref.c
@@ -226,7 +226,7 @@ static int add_mount_helper(struct vfsmount *newmnt, struct nameidata *nd,
        int err;
        mntget(newmnt);
-        err = do_add_mount(newmnt, nd, nd->path.mnt->mnt_flags, mntlist);
+        err = do_add_mount(newmnt, &nd->path, nd->path.mnt->mnt_flags, mntlist);
        switch (err) {
        case 0:
                path_put(&nd->path);
diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
index 285b64a8b06e..488eb424f662 100644
--- a/fs/devpts/inode.c
+++ b/fs/devpts/inode.c
@@ -29,7 +29,7 @@
 #define DEVPTS_DEFAULT_MODE 0600
 extern int pty_limit;                   /* Config limit on Unix98 ptys */
-static DEFINE_IDR(allocated_ptys);
+static DEFINE_IDA(allocated_ptys);
 static DEFINE_MUTEX(allocated_ptys_lock);
 static struct vfsmount *devpts_mnt;
@@ -180,24 +180,24 @@ static struct dentry *get_node(int num)
 int devpts_new_index(void)
 {
        int index;
-        int idr_ret;
+        int ida_ret;
 retry:
-        if (!idr_pre_get(&allocated_ptys, GFP_KERNEL)) {
+        if (!ida_pre_get(&allocated_ptys, GFP_KERNEL)) {
                return -ENOMEM;
        }
        mutex_lock(&allocated_ptys_lock);
-        idr_ret = idr_get_new(&allocated_ptys, NULL, &index);
+        ida_ret = ida_get_new(&allocated_ptys, &index);
-        if (idr_ret < 0) {
+        if (ida_ret < 0) {
                mutex_unlock(&allocated_ptys_lock);
-                if (idr_ret == -EAGAIN)
+                if (ida_ret == -EAGAIN)
                        goto retry;
                return -EIO;
        }
        if (index >= pty_limit) {
-                idr_remove(&allocated_ptys, index);
+                ida_remove(&allocated_ptys, index);
                mutex_unlock(&allocated_ptys_lock);
                return -EIO;
        }
@@ -208,7 +208,7 @@ retry:
 void devpts_kill_index(int idx)
 {
        mutex_lock(&allocated_ptys_lock);
-        idr_remove(&allocated_ptys, idx);
+        ida_remove(&allocated_ptys, idx);
        mutex_unlock(&allocated_ptys_lock);
 }
diff --git a/fs/dquot.c b/fs/dquot.c
index 1346eebe74ce..8ec4d6cc7633 100644
--- a/fs/dquot.c
+++ b/fs/dquot.c
@@ -1793,6 +1793,21 @@ static int vfs_quota_on_remount(struct super_block *sb, int type)
        return ret;
 }
+int vfs_quota_on_path(struct super_block *sb, int type, int format_id,
+                      struct path *path)
+{
+        int error = security_quota_on(path->dentry);
+        if (error)
+                return error;
+        /* Quota file not on the same filesystem? */
+        if (path->mnt->mnt_sb != sb)
+                error = -EXDEV;
+        else
+                error = vfs_quota_on_inode(path->dentry->d_inode, type,
+                                           format_id);
+        return error;
+}
 /* Actual function called from quotactl() */
 int vfs_quota_on(struct super_block *sb, int type, int format_id, char *path,
                 int remount)
@@ -1804,19 +1819,10 @@ int vfs_quota_on(struct super_block *sb, int type, int format_id, char *path,
                return vfs_quota_on_remount(sb, type);
        error = path_lookup(path, LOOKUP_FOLLOW, &nd);
-        if (error < 0)
+        if (!error) {
-                return error;
+                error = vfs_quota_on_path(sb, type, format_id, &nd.path);
-        error = security_quota_on(nd.path.dentry);
+                path_put(&nd.path);
-        if (error)
+        }
-                goto out_path;
-        /* Quota file not on the same filesystem? */
-        if (nd.path.mnt->mnt_sb != sb)
-                error = -EXDEV;
-        else
-                error = vfs_quota_on_inode(nd.path.dentry->d_inode, type,
-                                           format_id);
-out_path:
-        path_put(&nd.path);
        return error;
 }
@@ -2185,6 +2191,7 @@ EXPORT_SYMBOL(unregister_quota_format);
 EXPORT_SYMBOL(dqstats);
 EXPORT_SYMBOL(dq_data_lock);
 EXPORT_SYMBOL(vfs_quota_on);
+EXPORT_SYMBOL(vfs_quota_on_path);
 EXPORT_SYMBOL(vfs_quota_on_mount);
 EXPORT_SYMBOL(vfs_quota_off);
 EXPORT_SYMBOL(vfs_quota_sync);
diff --git a/fs/ext3/super.c b/fs/ext3/super.c
index 8ddced384674..f38a5afc39a1 100644
--- a/fs/ext3/super.c
+++ b/fs/ext3/super.c
@@ -2810,8 +2810,9 @@ static int ext3_quota_on(struct super_block *sb, int type, int format_id,
                journal_unlock_updates(EXT3_SB(sb)->s_journal);
        }
+        err = vfs_quota_on_path(sb, type, format_id, &nd.path);
        path_put(&nd.path);
-        return vfs_quota_on(sb, type, format_id, path, remount);
+        return err;
 }
 /* Read data from quotafile - avoid pagecache and such because we cannot afford
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index b5479b1dff14..1e69f29a8c55 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3352,8 +3352,9 @@ static int ext4_quota_on(struct super_block *sb, int type, int format_id,
                jbd2_journal_unlock_updates(EXT4_SB(sb)->s_journal);
        }
+        err = vfs_quota_on_path(sb, type, format_id, &nd.path);
        path_put(&nd.path);
-        return vfs_quota_on(sb, type, format_id, path, remount);
+        return err;
 }
 /* Read data from quotafile - avoid pagecache and such because we cannot afford
diff --git a/fs/fcntl.c b/fs/fcntl.c
index 61d625136813..ac4f7db9f134 100644
--- a/fs/fcntl.c
+++ b/fs/fcntl.c
@@ -49,73 +49,6 @@ static int get_close_on_exec(unsigned int fd)
        return res;
 }
-/*
- * locate_fd finds a free file descriptor in the open_fds fdset,
- * expanding the fd arrays if necessary.  Must be called with the
- * file_lock held for write.
- */
-static int locate_fd(unsigned int orig_start, int cloexec)
-{
-        struct files_struct *files = current->files;
-        unsigned int newfd;
-        unsigned int start;
-        int error;
-        struct fdtable *fdt;
-        spin_lock(&files->file_lock);
-repeat:
-        fdt = files_fdtable(files);
-        /*
-         * Someone might have closed fd's in the range
-         * orig_start..fdt->next_fd
-         */
-        start = orig_start;
-        if (start < files->next_fd)
-                start = files->next_fd;
-        newfd = start;
-        if (start < fdt->max_fds)
-                newfd = find_next_zero_bit(fdt->open_fds->fds_bits,
-                                           fdt->max_fds, start);
-        error = expand_files(files, newfd);
-        if (error < 0)
-                goto out;
-        /*
-         * If we needed to expand the fs array we
-         * might have blocked - try again.
-         */
-        if (error)
-                goto repeat;
-        if (start <= files->next_fd)
-                files->next_fd = newfd + 1;
-        FD_SET(newfd, fdt->open_fds);
-        if (cloexec)
-                FD_SET(newfd, fdt->close_on_exec);
-        else
-                FD_CLR(newfd, fdt->close_on_exec);
-        error = newfd;
-out:
-        spin_unlock(&files->file_lock);
-        return error;
-}
-static int dupfd(struct file *file, unsigned int start, int cloexec)
-{
-        int fd = locate_fd(start, cloexec);
-        if (fd >= 0)
-                fd_install(fd, file);
-        else
-                fput(file);
-        return fd;
-}
 asmlinkage long sys_dup3(unsigned int oldfd, unsigned int newfd, int flags)
 {
        int err = -EBADF;
@@ -130,31 +63,35 @@ asmlinkage long sys_dup3(unsigned int oldfd, unsigned int newfd, int flags)
                return -EINVAL;
        spin_lock(&files->file_lock);
-        if (!(file = fcheck(oldfd)))
-                goto out_unlock;
-        get_file(file);                 /* We are now finished with oldfd */
        err = expand_files(files, newfd);
+        file = fcheck(oldfd);
+        if (unlikely(!file))
+                goto Ebadf;
        if (unlikely(err < 0)) {
                if (err == -EMFILE)
-                        err = -EBADF;
+                        goto Ebadf;
-                goto out_fput;
+                goto out_unlock;
        }
+        /*
-        /* To avoid races with open() and dup(), we will mark the fd as
+         * We need to detect attempts to do dup2() over allocated but still
-         * in-use in the open-file bitmap throughout the entire dup2()
+         * not finished descriptor.  NB: OpenBSD avoids that at the price of
-         * process.  This is quite safe: do_close() uses the fd array
+         * extra work in their equivalent of fget() - they insert struct
-         * entry, not the bitmap, to decide what work needs to be
+         * file immediately after grabbing descriptor, mark it larval if
-         * done.  --sct */
+         * more work (e.g. actual opening) is needed and make sure that
-        /* Doesn't work. open() might be there first. --AV */
+         * fget() treats larval files as absent.  Potentially interesting,
+         * but while extra work in fget() is trivial, locking implications
-        /* Yes. It's a race. In user space. Nothing sane to do */
+         * and amount of surgery on open()-related paths in VFS are not.
+         * FreeBSD fails with -EBADF in the same situation, NetBSD "solution"
+         * deadlocks in rather amusing ways, AFAICS.  All of that is out of
+         * scope of POSIX or SUS, since neither considers shared descriptor
+         * tables and this condition does not arise without those.
+         */
        err = -EBUSY;
        fdt = files_fdtable(files);
        tofree = fdt->fd[newfd];
        if (!tofree && FD_ISSET(newfd, fdt->open_fds))
-                goto out_fput;
+                goto out_unlock;
+        get_file(file);
        rcu_assign_pointer(fdt->fd[newfd], file);
        FD_SET(newfd, fdt->open_fds);
        if (flags & O_CLOEXEC)
@@ -165,17 +102,14 @@ asmlinkage long sys_dup3(unsigned int oldfd, unsigned int newfd, int flags)
        if (tofree)
                filp_close(tofree, files);
-        err = newfd;
-out:
-        return err;
-out_unlock:
-        spin_unlock(&files->file_lock);
-        goto out;
-out_fput:
+        return newfd;
+Ebadf:
+        err = -EBADF;
+out_unlock:
        spin_unlock(&files->file_lock);
-        fput(file);
+        return err;
-        goto out;
 }
 asmlinkage long sys_dup2(unsigned int oldfd, unsigned int newfd)
@@ -194,10 +128,15 @@ asmlinkage long sys_dup2(unsigned int oldfd, unsigned int newfd)
 asmlinkage long sys_dup(unsigned int fildes)
 {
        int ret = -EBADF;
-        struct file * file = fget(fildes);
+        struct file *file = fget(fildes);
-        if (file)
+        if (file) {
-                ret = dupfd(file, 0, 0);
+                ret = get_unused_fd();
+                if (ret >= 0)
+                        fd_install(ret, file);
+                else
+                        fput(file);
+        }
        return ret;
 }
@@ -322,8 +261,11 @@ static long do_fcntl(int fd, unsigned int cmd, unsigned long arg,
        case F_DUPFD_CLOEXEC:
                if (arg >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
                        break;
-                get_file(filp);
+                err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
-                err = dupfd(filp, arg, cmd == F_DUPFD_CLOEXEC);
+                if (err >= 0) {
+                        get_file(filp);
+                        fd_install(err, filp);
+                }
                break;
        case F_GETFD:
                err = get_close_on_exec(fd) ? FD_CLOEXEC : 0;
diff --git a/fs/file.c b/fs/file.c
index d8773b19fe47..f313314f996f 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -6,6 +6,7 @@
 *  Manage the dynamic fd arrays in the process files_struct.
 */
+#include <linux/module.h>
 #include <linux/fs.h>
 #include <linux/mm.h>
 #include <linux/time.h>
@@ -432,3 +433,63 @@ struct files_struct init_files = {
        },
        .file_lock      = __SPIN_LOCK_UNLOCKED(init_task.file_lock),
 };
+/*
+ * allocate a file descriptor, mark it busy.
+ */
+int alloc_fd(unsigned start, unsigned flags)
+{
+        struct files_struct *files = current->files;
+        unsigned int fd;
+        int error;
+        struct fdtable *fdt;
+        spin_lock(&files->file_lock);
+repeat:
+        fdt = files_fdtable(files);
+        fd = start;
+        if (fd < files->next_fd)
+                fd = files->next_fd;
+        if (fd < fdt->max_fds)
+                fd = find_next_zero_bit(fdt->open_fds->fds_bits,
+                                           fdt->max_fds, fd);
+        error = expand_files(files, fd);
+        if (error < 0)
+                goto out;
+        /*
+         * If we needed to expand the fs array we
+         * might have blocked - try again.
+         */
+        if (error)
+                goto repeat;
+        if (start <= files->next_fd)
+                files->next_fd = fd + 1;
+        FD_SET(fd, fdt->open_fds);
+        if (flags & O_CLOEXEC)
+                FD_SET(fd, fdt->close_on_exec);
+        else
+                FD_CLR(fd, fdt->close_on_exec);
+        error = fd;
+#if 1
+        /* Sanity check */
+        if (rcu_dereference(fdt->fd[fd]) != NULL) {
+                printk(KERN_WARNING "alloc_fd: slot %d not NULL!\n", fd);
+                rcu_assign_pointer(fdt->fd[fd], NULL);
+        }
+#endif
+out:
+        spin_unlock(&files->file_lock);
+        return error;
+}
+int get_unused_fd(void)
+{
+        return alloc_fd(0, 0);
+}
+EXPORT_SYMBOL(get_unused_fd);
diff --git a/fs/jffs2/summary.c b/fs/jffs2/summary.c
index 629af01e5ade..6caf1e1ee26d 100644
--- a/fs/jffs2/summary.c
+++ b/fs/jffs2/summary.c
@@ -23,6 +23,8 @@
 int jffs2_sum_init(struct jffs2_sb_info *c)
 {
+        uint32_t sum_size = max_t(uint32_t, c->sector_size, MAX_SUMMARY_SIZE);
        c->summary = kzalloc(sizeof(struct jffs2_summary), GFP_KERNEL);
        if (!c->summary) {
@@ -30,7 +32,7 @@ int jffs2_sum_init(struct jffs2_sb_info *c)
                return -ENOMEM;
        }
-        c->summary->sum_buf = vmalloc(c->sector_size);
+        c->summary->sum_buf = kmalloc(sum_size, GFP_KERNEL);
        if (!c->summary->sum_buf) {
                JFFS2_WARNING("Can't allocate buffer for writing out summary information!\n");
@@ -49,7 +51,7 @@ void jffs2_sum_exit(struct jffs2_sb_info *c)
        jffs2_sum_disable_collecting(c->summary);
-        vfree(c->summary->sum_buf);
+        kfree(c->summary->sum_buf);
        c->summary->sum_buf = NULL;
        kfree(c->summary);
@@ -665,7 +667,7 @@ crc_err:
 /* Write summary data to flash - helper function for jffs2_sum_write_sumnode() */
 static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock *jeb,
-                                        uint32_t infosize, uint32_t datasize, int padsize)
+                                uint32_t infosize, uint32_t datasize, int padsize)
 {
        struct jffs2_raw_summary isum;
        union jffs2_sum_mem *temp;
@@ -676,6 +678,26 @@ static int jffs2_sum_write_data(struct jffs2_sb_info *c, struct jffs2_eraseblock
        int ret;
        size_t retlen;
+        if (padsize + datasize > MAX_SUMMARY_SIZE) {
+                /* It won't fit in the buffer. Abort summary for this jeb */
+                jffs2_sum_disable_collecting(c->summary);
+                JFFS2_WARNING("Summary too big (%d data, %d pad) in eraseblock at %08x\n",
+                              datasize, padsize, jeb->offset);
+                /* Non-fatal */
+                return 0;
+        }
+        /* Is there enough space for summary? */
+        if (padsize < 0) {
+                /* don't try to write out summary for this jeb */
+                jffs2_sum_disable_collecting(c->summary);
+                JFFS2_WARNING("Not enough space for summary, padsize = %d\n",
+                              padsize);
+                /* Non-fatal */
+                return 0;
+        }
        memset(c->summary->sum_buf, 0xff, datasize);
        memset(&isum, 0, sizeof(isum));
@@ -821,7 +843,7 @@ int jffs2_sum_write_sumnode(struct jffs2_sb_info *c)
 {
        int datasize, infosize, padsize;
        struct jffs2_eraseblock *jeb;
-        int ret;
+        int ret = 0;
        dbg_summary("called\n");
@@ -841,16 +863,6 @@ int jffs2_sum_write_sumnode(struct jffs2_sb_info *c)
        infosize += padsize;
        datasize += padsize;
-        /* Is there enough space for summary? */
-        if (padsize < 0) {
-                /* don't try to write out summary for this jeb */
-                jffs2_sum_disable_collecting(c->summary);
-                JFFS2_WARNING("Not enough space for summary, padsize = %d\n", padsize);
-                spin_lock(&c->erase_completion_lock);
-                return 0;
-        }
        ret = jffs2_sum_write_data(c, jeb, infosize, datasize, padsize);
        spin_lock(&c->erase_completion_lock);
        return ret;
diff --git a/fs/jffs2/summary.h b/fs/jffs2/summary.h
index 8bf34f2fa5ce..60207a2ae952 100644
--- a/fs/jffs2/summary.h
+++ b/fs/jffs2/summary.h
@@ -13,6 +13,12 @@
 #ifndef JFFS2_SUMMARY_H
 #define JFFS2_SUMMARY_H
+/* Limit summary size to 64KiB so that we can kmalloc it. If the summary
+   is larger than that, we have to just ditch it and avoid using summary
+   for the eraseblock in question... and it probably doesn't hurt us much
+   anyway. */
+#define MAX_SUMMARY_SIZE 65536
 #include <linux/uio.h>
 #include <linux/jffs2.h>
diff --git a/fs/libfs.c b/fs/libfs.c
index baeb71ee1cde..1add676a19df 100644
--- a/fs/libfs.c
+++ b/fs/libfs.c
@@ -216,8 +216,8 @@ int get_sb_pseudo(struct file_system_type *fs_type, char *name,
        s->s_flags = MS_NOUSER;
        s->s_maxbytes = ~0ULL;
-        s->s_blocksize = 1024;
+        s->s_blocksize = PAGE_SIZE;
-        s->s_blocksize_bits = 10;
+        s->s_blocksize_bits = PAGE_SHIFT;
        s->s_magic = magic;
        s->s_op = ops ? ops : &simple_super_operations;
        s->s_time_gran = 1;
diff --git a/fs/namei.c b/fs/namei.c
index a7b0a0b80128..4ea63ed5e791 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -274,7 +274,7 @@ int inode_permission(struct inode *inode, int mask)
                return retval;
        return security_inode_permission(inode,
-                        mask & (MAY_READ|MAY_WRITE|MAY_EXEC));
+                        mask & (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND));
 }
 /**
@@ -1431,8 +1431,7 @@ static int may_delete(struct inode *dir,struct dentry *victim,int isdir)
 *  3. We should have write and exec permissions on dir
 *  4. We can't do it if dir is immutable (done in permission())
 */
-static inline int may_create(struct inode *dir, struct dentry *child,
+static inline int may_create(struct inode *dir, struct dentry *child)
-                             struct nameidata *nd)
 {
        if (child->d_inode)
                return -EEXIST;
@@ -1504,7 +1503,7 @@ void unlock_rename(struct dentry *p1, struct dentry *p2)
 int vfs_create(struct inode *dir, struct dentry *dentry, int mode,
                struct nameidata *nd)
 {
-        int error = may_create(dir, dentry, nd);
+        int error = may_create(dir, dentry);
        if (error)
                return error;
@@ -1948,7 +1947,7 @@ EXPORT_SYMBOL_GPL(lookup_create);
 int vfs_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
 {
-        int error = may_create(dir, dentry, NULL);
+        int error = may_create(dir, dentry);
        if (error)
                return error;
@@ -2049,7 +2048,7 @@ asmlinkage long sys_mknod(const char __user *filename, int mode, unsigned dev)
 int vfs_mkdir(struct inode *dir, struct dentry *dentry, int mode)
 {
-        int error = may_create(dir, dentry, NULL);
+        int error = may_create(dir, dentry);
        if (error)
                return error;
@@ -2316,7 +2315,7 @@ asmlinkage long sys_unlink(const char __user *pathname)
 int vfs_symlink(struct inode *dir, struct dentry *dentry, const char *oldname)
 {
-        int error = may_create(dir, dentry, NULL);
+        int error = may_create(dir, dentry);
        if (error)
                return error;
@@ -2386,7 +2385,7 @@ int vfs_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_de
        if (!inode)
                return -ENOENT;
-        error = may_create(dir, new_dentry, NULL);
+        error = may_create(dir, new_dentry);
        if (error)
                return error;
@@ -2595,7 +2594,7 @@ int vfs_rename(struct inode *old_dir, struct dentry *old_dentry,
                return error;
        if (!new_dentry->d_inode)
-                error = may_create(new_dir, new_dentry, NULL);
+                error = may_create(new_dir, new_dentry);
        else
                error = may_delete(new_dir, new_dentry, is_dir);
        if (error)
diff --git a/fs/namespace.c b/fs/namespace.c
index 411728c0c8bb..6e283c93b50d 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1667,31 +1667,31 @@ static noinline int do_new_mount(struct nameidata *nd, char *type, int flags,
        if (IS_ERR(mnt))
                return PTR_ERR(mnt);
-        return do_add_mount(mnt, nd, mnt_flags, NULL);
+        return do_add_mount(mnt, &nd->path, mnt_flags, NULL);
 }
 /*
 * add a mount into a namespace's mount tree
 * - provide the option of adding the new mount to an expiration list
 */
-int do_add_mount(struct vfsmount *newmnt, struct nameidata *nd,
+int do_add_mount(struct vfsmount *newmnt, struct path *path,
                 int mnt_flags, struct list_head *fslist)
 {
        int err;
        down_write(&namespace_sem);
        /* Something was mounted here while we slept */
-        while (d_mountpoint(nd->path.dentry) &&
+        while (d_mountpoint(path->dentry) &&
-               follow_down(&nd->path.mnt, &nd->path.dentry))
+               follow_down(&path->mnt, &path->dentry))
                ;
        err = -EINVAL;
-        if (!check_mnt(nd->path.mnt))
+        if (!check_mnt(path->mnt))
                goto unlock;
        /* Refuse the same filesystem on the same mount point */
        err = -EBUSY;
-        if (nd->path.mnt->mnt_sb == newmnt->mnt_sb &&
+        if (path->mnt->mnt_sb == newmnt->mnt_sb &&
-            nd->path.mnt->mnt_root == nd->path.dentry)
+            path->mnt->mnt_root == path->dentry)
                goto unlock;
        err = -EINVAL;
@@ -1699,7 +1699,7 @@ int do_add_mount(struct vfsmount *newmnt, struct nameidata *nd,
                goto unlock;
        newmnt->mnt_flags = mnt_flags;
-        if ((err = graft_tree(newmnt, &nd->path)))
+        if ((err = graft_tree(newmnt, path)))
                goto unlock;
        if (fslist) /* add to the specified expiration list */
diff --git a/fs/nfs/namespace.c b/fs/nfs/namespace.c
index 2f285ef76399..66df08dd1caf 100644
--- a/fs/nfs/namespace.c
+++ b/fs/nfs/namespace.c
@@ -129,7 +129,7 @@ static void * nfs_follow_mountpoint(struct dentry *dentry, struct nameidata *nd)
                goto out_err;
        mntget(mnt);
-        err = do_add_mount(mnt, nd, nd->path.mnt->mnt_flags|MNT_SHRINKABLE,
+        err = do_add_mount(mnt, &nd->path, nd->path.mnt->mnt_flags|MNT_SHRINKABLE,
                           &nfs_automount_list);
        if (err < 0) {
                mntput(mnt);
diff --git a/fs/omfs/bitmap.c b/fs/omfs/bitmap.c
index dc75f22be3f2..697663b01bae 100644
--- a/fs/omfs/bitmap.c
+++ b/fs/omfs/bitmap.c
@@ -71,10 +71,10 @@ static int set_run(struct super_block *sb, int map,
                }
                if (set) {
                        set_bit(bit, sbi->s_imap[map]);
-                        set_bit(bit, (long *) bh->b_data);
+                        set_bit(bit, (unsigned long *)bh->b_data);
                } else {
                        clear_bit(bit, sbi->s_imap[map]);
-                        clear_bit(bit, (long *) bh->b_data);
+                        clear_bit(bit, (unsigned long *)bh->b_data);
                }
        }
        mark_buffer_dirty(bh);
@@ -109,7 +109,7 @@ int omfs_allocate_block(struct super_block *sb, u64 block)
                if (!bh)
                        goto out;
-                set_bit(bit, (long *) bh->b_data);
+                set_bit(bit, (unsigned long *)bh->b_data);
                mark_buffer_dirty(bh);
                brelse(bh);
        }
diff --git a/fs/omfs/dir.c b/fs/omfs/dir.c
index 05a5bc31e4bd..c0757e998876 100644
--- a/fs/omfs/dir.c
+++ b/fs/omfs/dir.c
@@ -104,7 +104,7 @@ int omfs_make_empty(struct inode *inode, struct super_block *sb)
        oi = (struct omfs_inode *) bh->b_data;
        oi->i_head.h_self = cpu_to_be64(inode->i_ino);
-        oi->i_sibling = ~0ULL;
+        oi->i_sibling = ~cpu_to_be64(0ULL);
        mark_buffer_dirty(bh);
        brelse(bh);
diff --git a/fs/omfs/file.c b/fs/omfs/file.c
index 66e01fae4384..7e2499053e4d 100644
--- a/fs/omfs/file.c
+++ b/fs/omfs/file.c
@@ -30,11 +30,11 @@ void omfs_make_empty_table(struct buffer_head *bh, int offset)
 {
        struct omfs_extent *oe = (struct omfs_extent *) &bh->b_data[offset];
-        oe->e_next = ~0ULL;
+        oe->e_next = ~cpu_to_be64(0ULL);
        oe->e_extent_count = cpu_to_be32(1),
        oe->e_fill = cpu_to_be32(0x22),
-        oe->e_entry.e_cluster = ~0ULL;
+        oe->e_entry.e_cluster = ~cpu_to_be64(0ULL);
-        oe->e_entry.e_blocks = ~0ULL;
+        oe->e_entry.e_blocks = ~cpu_to_be64(0ULL);
 }
 int omfs_shrink_inode(struct inode *inode)
diff --git a/fs/open.c b/fs/open.c
index 52647be277a2..07da9359481c 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -963,62 +963,6 @@ struct file *dentry_open(struct dentry *dentry, struct vfsmount *mnt, int flags)
 }
 EXPORT_SYMBOL(dentry_open);
-/*
- * Find an empty file descriptor entry, and mark it busy.
- */
-int get_unused_fd_flags(int flags)
-{
-        struct files_struct * files = current->files;
-        int fd, error;
-        struct fdtable *fdt;
-        spin_lock(&files->file_lock);
-repeat:
-        fdt = files_fdtable(files);
-        fd = find_next_zero_bit(fdt->open_fds->fds_bits, fdt->max_fds,
-                                files->next_fd);
-        /* Do we need to expand the fd array or fd set?  */
-        error = expand_files(files, fd);
-        if (error < 0)
-                goto out;
-        if (error) {
-                /*
-                 * If we needed to expand the fs array we
-                 * might have blocked - try again.
-                 */
-                goto repeat;
-        }
-        FD_SET(fd, fdt->open_fds);
-        if (flags & O_CLOEXEC)
-                FD_SET(fd, fdt->close_on_exec);
-        else
-                FD_CLR(fd, fdt->close_on_exec);
-        files->next_fd = fd + 1;
-#if 1
-        /* Sanity check */
-        if (fdt->fd[fd] != NULL) {
-                printk(KERN_WARNING "get_unused_fd: slot %d not NULL!\n", fd);
-                fdt->fd[fd] = NULL;
-        }
-#endif
-        error = fd;
-out:
-        spin_unlock(&files->file_lock);
-        return error;
-}
-int get_unused_fd(void)
-{
-        return get_unused_fd_flags(0);
-}
-EXPORT_SYMBOL(get_unused_fd);
 static void __put_unused_fd(struct files_struct *files, unsigned int fd)
 {
        struct fdtable *fdt = files_fdtable(files);
diff --git a/fs/proc/generic.c b/fs/proc/generic.c
index cb4096cc3fb7..4fb81e9c94e3 100644
--- a/fs/proc/generic.c
+++ b/fs/proc/generic.c
@@ -300,10 +300,10 @@ out:
        return rtn;
 }
-static DEFINE_IDR(proc_inum_idr);
+static DEFINE_IDA(proc_inum_ida);
 static DEFINE_SPINLOCK(proc_inum_lock); /* protects the above */
-#define PROC_DYNAMIC_FIRST 0xF0000000UL
+#define PROC_DYNAMIC_FIRST 0xF0000000U
 /*
 * Return an inode number between PROC_DYNAMIC_FIRST and
@@ -311,36 +311,33 @@ static DEFINE_SPINLOCK(proc_inum_lock); /* protects the above */
 */
 static unsigned int get_inode_number(void)
 {
-        int i, inum = 0;
+        unsigned int i;
        int error;
 retry:
-        if (idr_pre_get(&proc_inum_idr, GFP_KERNEL) == 0)
+        if (ida_pre_get(&proc_inum_ida, GFP_KERNEL) == 0)
                return 0;
        spin_lock(&proc_inum_lock);
-        error = idr_get_new(&proc_inum_idr, NULL, &i);
+        error = ida_get_new(&proc_inum_ida, &i);
        spin_unlock(&proc_inum_lock);
        if (error == -EAGAIN)
                goto retry;
        else if (error)
                return 0;
-        inum = (i & MAX_ID_MASK) + PROC_DYNAMIC_FIRST;
+        if (i > UINT_MAX - PROC_DYNAMIC_FIRST) {
+                spin_lock(&proc_inum_lock);
-        /* inum will never be more than 0xf0ffffff, so no check
+                ida_remove(&proc_inum_ida, i);
-         * for overflow.
+                spin_unlock(&proc_inum_lock);
-         */
+        }
+        return PROC_DYNAMIC_FIRST + i;
-        return inum;
 }
 static void release_inode_number(unsigned int inum)
 {
-        int id = (inum - PROC_DYNAMIC_FIRST) | ~MAX_ID_MASK;
        spin_lock(&proc_inum_lock);
-        idr_remove(&proc_inum_idr, id);
+        ida_remove(&proc_inum_ida, inum - PROC_DYNAMIC_FIRST);
        spin_unlock(&proc_inum_lock);
 }
diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
index 879e54d35c2d..282a13596c70 100644
--- a/fs/reiserfs/super.c
+++ b/fs/reiserfs/super.c
@@ -2076,8 +2076,8 @@ static int reiserfs_quota_on(struct super_block *sb, int type, int format_id,
                return err;
        /* Quotafile not on the same filesystem? */
        if (nd.path.mnt->mnt_sb != sb) {
-                path_put(&nd.path);
+                err = -EXDEV;
-                return -EXDEV;
+                goto out;
        }
        inode = nd.path.dentry->d_inode;
        /* We must not pack tails for quota files on reiserfs for quota IO to work */
@@ -2087,8 +2087,8 @@ static int reiserfs_quota_on(struct super_block *sb, int type, int format_id,
                        reiserfs_warning(sb,
                                "reiserfs: Unpacking tail of quota file failed"
                                " (%d). Cannot turn on quotas.", err);
-                        path_put(&nd.path);
+                        err = -EINVAL;
-                        return -EINVAL;
+                        goto out;
                }
                mark_inode_dirty(inode);
        }
@@ -2109,13 +2109,15 @@ static int reiserfs_quota_on(struct super_block *sb, int type, int format_id,
                /* Just start temporary transaction and finish it */
                err = journal_begin(&th, sb, 1);
                if (err)
-                        return err;
+                        goto out;
                err = journal_end_sync(&th, sb, 1);
                if (err)
-                        return err;
+                        goto out;
        }
+        err = vfs_quota_on_path(sb, type, format_id, &nd.path);
+out:
        path_put(&nd.path);
-        return vfs_quota_on(sb, type, format_id, path, 0);
+        return err;
 }
 /* Read data from quotafile - avoid pagecache and such because we cannot afford
diff --git a/fs/romfs/inode.c b/fs/romfs/inode.c
index 8e51a2aaa977..60d2f822e87b 100644
--- a/fs/romfs/inode.c
+++ b/fs/romfs/inode.c
@@ -418,7 +418,8 @@ static int
 romfs_readpage(struct file *file, struct page * page)
 {
        struct inode *inode = page->mapping->host;
-        loff_t offset, avail, readlen;
+        loff_t offset, size;
+        unsigned long filled;
        void *buf;
        int result = -EIO;
@@ -430,21 +431,29 @@ romfs_readpage(struct file *file, struct page * page)
        /* 32 bit warning -- but not for us :) */
        offset = page_offset(page);
-        if (offset < i_size_read(inode)) {
+        size = i_size_read(inode);
-                avail = inode->i_size-offset;
+        filled = 0;
-                readlen = min_t(unsigned long, avail, PAGE_SIZE);
+        result = 0;
-                if (romfs_copyfrom(inode, buf, ROMFS_I(inode)->i_dataoffset+offset, readlen) == readlen) {
+        if (offset < size) {
-                        if (readlen < PAGE_SIZE) {
+                unsigned long readlen;
-                                memset(buf + readlen,0,PAGE_SIZE-readlen);
-                        }
+                size -= offset;
-                        SetPageUptodate(page);
+                readlen = size > PAGE_SIZE ? PAGE_SIZE : size;
-                        result = 0;
+                filled = romfs_copyfrom(inode, buf, ROMFS_I(inode)->i_dataoffset+offset, readlen);
+                if (filled != readlen) {
+                        SetPageError(page);
+                        filled = 0;
+                        result = -EIO;
                }
        }
-        if (result) {
-                memset(buf, 0, PAGE_SIZE);
+        if (filled < PAGE_SIZE)
-                SetPageError(page);
+                memset(buf + filled, 0, PAGE_SIZE-filled);
-        }
+        if (!result)
+                SetPageUptodate(page);
        flush_dcache_page(page);
        unlock_page(page);