8 files changed, 80 insertions, 39 deletions
diff --git a/fs/exec.c b/fs/exec.c
index 8344ba73a2a6..f7aabfeca033 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -486,8 +486,6 @@ struct file *open_exec(const char *name)
                if (!(nd.mnt->mnt_flags & MNT_NOEXEC) &&
                    S_ISREG(inode->i_mode)) {
                        int err = vfs_permission(&nd, MAY_EXEC);
-                        if (!err && !(inode->i_mode & 0111))
-                                err = -EACCES;
                        file = ERR_PTR(err);
                        if (!err) {
                                file = nameidata_to_filp(&nd, O_RDONLY);
@@ -922,12 +920,6 @@ int prepare_binprm(struct linux_binprm *bprm)
        int retval;
        mode = inode->i_mode;
-        /*
-         * Check execute perms again - if the caller has CAP_DAC_OVERRIDE,
-         * generic_permission lets a non-executable through
-         */
-        if (!(mode & 0111))     /* with at least _one_ execute bit set */
-                return -EACCES;
        if (bprm->file->f_op == NULL)
                return -EACCES;
diff --git a/fs/lockd/svcsubs.c b/fs/lockd/svcsubs.c
index 2a4df9b3779a..01b4db9e5466 100644
--- a/fs/lockd/svcsubs.c
+++ b/fs/lockd/svcsubs.c
@@ -237,19 +237,22 @@ static int
 nlm_traverse_files(struct nlm_host *host, int action)
 {
        struct nlm_file *file, **fp;
-        int             i;
+        int i, ret = 0;
        mutex_lock(&nlm_file_mutex);
        for (i = 0; i < FILE_NRHASH; i++) {
                fp = nlm_files + i;
                while ((file = *fp) != NULL) {
+                        file->f_count++;
+                        mutex_unlock(&nlm_file_mutex);
                        /* Traverse locks, blocks and shares of this file
                         * and update file->f_locks count */
-                        if (nlm_inspect_file(host, file, action)) {
+                        if (nlm_inspect_file(host, file, action))
-                                mutex_unlock(&nlm_file_mutex);
+                                ret = 1;
-                                return 1;
-                        }
+                        mutex_lock(&nlm_file_mutex);
+                        file->f_count--;
                        /* No more references to this file. Let go of it. */
                        if (!file->f_blocks && !file->f_locks
                         && !file->f_shares && !file->f_count) {
@@ -262,7 +265,7 @@ nlm_traverse_files(struct nlm_host *host, int action)
                }
        }
        mutex_unlock(&nlm_file_mutex);
-        return 0;
+        return ret;
 }
 /*
diff --git a/fs/namei.c b/fs/namei.c
index 55a131230f94..432d6bc6fab0 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -227,10 +227,10 @@ int generic_permission(struct inode *inode, int mask,
 int permission(struct inode *inode, int mask, struct nameidata *nd)
 {
+        umode_t mode = inode->i_mode;
        int retval, submask;
        if (mask & MAY_WRITE) {
-                umode_t mode = inode->i_mode;
                /*
                 * Nobody gets write access to a read-only fs.
@@ -247,6 +247,13 @@ int permission(struct inode *inode, int mask, struct nameidata *nd)
        }
+        /*
+         * MAY_EXEC on regular files requires special handling: We override
+         * filesystem execute permissions if the mode bits aren't set.
+         */
+        if ((mask & MAY_EXEC) && S_ISREG(mode) && !(mode & S_IXUGO))
+                return -EACCES;
        /* Ordinary permission routines do not understand MAY_APPEND. */
        submask = mask & ~MAY_APPEND;
        if (inode->i_op && inode->i_op->permission)
@@ -1767,6 +1774,8 @@ struct dentry *lookup_create(struct nameidata *nd, int is_dir)
        if (nd->last_type != LAST_NORM)
                goto fail;
        nd->flags &= ~LOOKUP_PARENT;
+        nd->flags |= LOOKUP_CREATE;
+        nd->intent.open.flags = O_EXCL;
        /*
         * Do the final lookup.
diff --git a/fs/nfs/file.c b/fs/nfs/file.c
index cc2b874ad5a4..48e892880d5b 100644
--- a/fs/nfs/file.c
+++ b/fs/nfs/file.c
@@ -312,7 +312,13 @@ static void nfs_invalidate_page(struct page *page, unsigned long offset)
 static int nfs_release_page(struct page *page, gfp_t gfp)
 {
-        return !nfs_wb_page(page->mapping->host, page);
+        if (gfp & __GFP_FS)
+                return !nfs_wb_page(page->mapping->host, page);
+        else
+                /*
+                 * Avoid deadlock on nfs_wait_on_request().
+                 */
+                return 0;
 }
 const struct address_space_operations nfs_file_aops = {
diff --git a/fs/nfs/idmap.c b/fs/nfs/idmap.c
index b81e7ed3c902..07a5dd57646e 100644
--- a/fs/nfs/idmap.c
+++ b/fs/nfs/idmap.c
@@ -130,9 +130,7 @@ nfs_idmap_delete(struct nfs4_client *clp)
        if (!idmap)
                return;
-        dput(idmap->idmap_dentry);
+        rpc_unlink(idmap->idmap_dentry);
-        idmap->idmap_dentry = NULL;
-        rpc_unlink(idmap->idmap_path);
        clp->cl_idmap = NULL;
        kfree(idmap);
 }
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index e6ee97f19d81..153898e1331f 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -2668,7 +2668,7 @@ out:
        nfs4_set_cached_acl(inode, acl);
 }
-static inline ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
+static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
 {
        struct page *pages[NFS4ACL_MAXPAGES];
        struct nfs_getaclargs args = {
@@ -2721,6 +2721,19 @@ out_free:
        return ret;
 }
+static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
+{
+        struct nfs4_exception exception = { };
+        ssize_t ret;
+        do {
+                ret = __nfs4_get_acl_uncached(inode, buf, buflen);
+                if (ret >= 0)
+                        break;
+                ret = nfs4_handle_exception(NFS_SERVER(inode), ret, &exception);
+        } while (exception.retry);
+        return ret;
+}
 static ssize_t nfs4_proc_get_acl(struct inode *inode, void *buf, size_t buflen)
 {
        struct nfs_server *server = NFS_SERVER(inode);
@@ -2737,7 +2750,7 @@ static ssize_t nfs4_proc_get_acl(struct inode *inode, void *buf, size_t buflen)
        return nfs4_get_acl_uncached(inode, buf, buflen);
 }
-static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
+static int __nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
 {
        struct nfs_server *server = NFS_SERVER(inode);
        struct page *pages[NFS4ACL_MAXPAGES];
@@ -2763,6 +2776,18 @@ static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen
        return ret;
 }
+static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
+{
+        struct nfs4_exception exception = { };
+        int err;
+        do {
+                err = nfs4_handle_exception(NFS_SERVER(inode),
+                                __nfs4_proc_set_acl(inode, buf, buflen),
+                                &exception);
+        } while (exception.retry);
+        return err;
+}
 static int
 nfs4_async_handle_error(struct rpc_task *task, const struct nfs_server *server)
 {
diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
index 1750d996f49f..730ec8fb31c6 100644
--- a/fs/nfs/nfs4xdr.c
+++ b/fs/nfs/nfs4xdr.c
@@ -3355,7 +3355,7 @@ static int decode_readdir(struct xdr_stream *xdr, struct rpc_rqst *req, struct n
        struct kvec     *iov = rcvbuf->head;
        unsigned int    nr, pglen = rcvbuf->page_len;
        uint32_t        *end, *entry, *p, *kaddr;
-        uint32_t        len, attrlen;
+        uint32_t        len, attrlen, xlen;
        int             hdrlen, recvd, status;
        status = decode_op_hdr(xdr, OP_READDIR);
@@ -3377,10 +3377,10 @@ static int decode_readdir(struct xdr_stream *xdr, struct rpc_rqst *req, struct n
        BUG_ON(pglen + readdir->pgbase > PAGE_CACHE_SIZE);
        kaddr = p = (uint32_t *) kmap_atomic(page, KM_USER0);
-        end = (uint32_t *) ((char *)p + pglen + readdir->pgbase);
+        end = p + ((pglen + readdir->pgbase) >> 2);
        entry = p;
        for (nr = 0; *p++; nr++) {
-                if (p + 3 > end)
+                if (end - p < 3)
                        goto short_pkt;
                dprintk("cookie = %Lu, ", *((unsigned long long *)p));
                p += 2;                 /* cookie */
@@ -3389,18 +3389,19 @@ static int decode_readdir(struct xdr_stream *xdr, struct rpc_rqst *req, struct n
                        printk(KERN_WARNING "NFS: giant filename in readdir (len 0x%x)\n", len);
                        goto err_unmap;
                }
-                dprintk("filename = %*s\n", len, (char *)p);
+                xlen = XDR_QUADLEN(len);
-                p += XDR_QUADLEN(len);
+                if (end - p < xlen + 1)
-                if (p + 1 > end)
                        goto short_pkt;
+                dprintk("filename = %*s\n", len, (char *)p);
+                p += xlen;
                len = ntohl(*p++);      /* bitmap length */
-                p += len;
+                if (end - p < len + 1)
-                if (p + 1 > end)
                        goto short_pkt;
+                p += len;
                attrlen = XDR_QUADLEN(ntohl(*p++));
-                p += attrlen;           /* attributes */
+                if (end - p < attrlen + 2)
-                if (p + 2 > end)
                        goto short_pkt;
+                p += attrlen;           /* attributes */
                entry = p;
        }
        if (!nr && (entry[0] != 0 || entry[1] == 0))
diff --git a/fs/nfs/read.c b/fs/nfs/read.c
index 65c0c5b32351..da9cf11c326f 100644
--- a/fs/nfs/read.c
+++ b/fs/nfs/read.c
@@ -116,10 +116,17 @@ static void nfs_readpage_truncate_uninitialised_page(struct nfs_read_data *data)
        pages = &data->args.pages[base >> PAGE_CACHE_SHIFT];
        base &= ~PAGE_CACHE_MASK;
        pglen = PAGE_CACHE_SIZE - base;
-        if (pglen < remainder)
+        for (;;) {
+                if (remainder <= pglen) {
+                        memclear_highpage_flush(*pages, base, remainder);
+                        break;
+                }
                memclear_highpage_flush(*pages, base, pglen);
-        else
+                pages++;
-                memclear_highpage_flush(*pages, base, remainder);
+                remainder -= pglen;
+                pglen = PAGE_CACHE_SIZE;
+                base = 0;
+        }
 }
 /*
@@ -476,6 +483,8 @@ static void nfs_readpage_set_pages_uptodate(struct nfs_read_data *data)
        unsigned int base = data->args.pgbase;
        struct page **pages;
+        if (data->res.eof)
+                count = data->args.count;
        if (unlikely(count == 0))
                return;
        pages = &data->args.pages[base >> PAGE_CACHE_SHIFT];
@@ -483,11 +492,7 @@ static void nfs_readpage_set_pages_uptodate(struct nfs_read_data *data)
        count += base;
        for (;count >= PAGE_CACHE_SIZE; count -= PAGE_CACHE_SIZE, pages++)
                SetPageUptodate(*pages);
-        /*
+        if (count != 0)
-         * Was this an eof or a short read? If the latter, don't mark the page
-         * as uptodate yet.
-         */
-        if (count > 0 && (data->res.eof || data->args.count == data->res.count))
                SetPageUptodate(*pages);
 }
@@ -502,6 +507,8 @@ static void nfs_readpage_set_pages_error(struct nfs_read_data *data)
        count += base;
        for (;count >= PAGE_CACHE_SIZE; count -= PAGE_CACHE_SIZE, pages++)
                SetPageError(*pages);
+        if (count != 0)
+                SetPageError(*pages);
 }
 /*