aboutsummaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
Diffstat (limited to 'fs')
-rw-r--r--fs/afs/file.c2
-rw-r--r--fs/autofs/dirhash.c34
-rw-r--r--fs/autofs4/dev-ioctl.c12
-rw-r--r--fs/bio.c18
-rw-r--r--fs/btrfs/ioctl.c49
-rw-r--r--fs/btrfs/super.c13
-rw-r--r--fs/buffer.c56
-rw-r--r--fs/cifs/CHANGES3
-rw-r--r--fs/cifs/cifs_spnego.c2
-rw-r--r--fs/cifs/cifsfs.c48
-rw-r--r--fs/cifs/cifsglob.h3
-rw-r--r--fs/cifs/cifspdu.h8
-rw-r--r--fs/cifs/cifssmb.c6
-rw-r--r--fs/cifs/connect.c205
-rw-r--r--fs/cifs/dir.c145
-rw-r--r--fs/cifs/dns_resolve.c2
-rw-r--r--fs/cifs/file.c127
-rw-r--r--fs/cifs/inode.c77
-rw-r--r--fs/cifs/readdir.c6
-rw-r--r--fs/cifs/sess.c47
-rw-r--r--fs/compat.c37
-rw-r--r--fs/compat_ioctl.c7
-rw-r--r--fs/dcache.c1
-rw-r--r--fs/direct-io.c2
-rw-r--r--fs/ecryptfs/miscdev.c15
-rw-r--r--fs/ext4/extents.c2
-rw-r--r--fs/fat/Kconfig3
-rw-r--r--fs/filesystems.c2
-rw-r--r--fs/gfs2/glock.c10
-rw-r--r--fs/gfs2/glops.c6
-rw-r--r--fs/gfs2/inode.c8
-rw-r--r--fs/gfs2/inode.h14
-rw-r--r--fs/gfs2/ops_file.c12
-rw-r--r--fs/gfs2/ops_fstype.c5
-rw-r--r--fs/gfs2/ops_inode.c1
-rw-r--r--fs/gfs2/quota.c4
-rw-r--r--fs/hugetlbfs/inode.c3
-rw-r--r--fs/inode.c36
-rw-r--r--fs/namei.c2
-rw-r--r--fs/namespace.c7
-rw-r--r--fs/ncpfs/ioctl.c21
-rw-r--r--fs/nfs/nfs3xdr.c3
-rw-r--r--fs/nfsd/nfs4recover.c46
-rw-r--r--fs/nfsd/vfs.c34
-rw-r--r--fs/ocfs2/file.c94
-rw-r--r--fs/pipe.c42
-rw-r--r--fs/proc/base.c4
-rw-r--r--fs/splice.c370
-rw-r--r--fs/stat.c137
-rw-r--r--fs/sysfs/bin.c13
-rw-r--r--fs/sysfs/file.c16
-rw-r--r--fs/xattr.c10
-rw-r--r--fs/xfs/linux-2.6/xfs_ioctl.c23
-rw-r--r--fs/xfs/linux-2.6/xfs_ioctl32.c12
54 files changed, 1007 insertions, 858 deletions
diff --git a/fs/afs/file.c b/fs/afs/file.c
index 7a1d942ef68d..0149dab365e7 100644
--- a/fs/afs/file.c
+++ b/fs/afs/file.c
@@ -102,6 +102,7 @@ int afs_release(struct inode *inode, struct file *file)
102 return 0; 102 return 0;
103} 103}
104 104
105#ifdef CONFIG_AFS_FSCACHE
105/* 106/*
106 * deal with notification that a page was read from the cache 107 * deal with notification that a page was read from the cache
107 */ 108 */
@@ -117,6 +118,7 @@ static void afs_file_readpage_read_complete(struct page *page,
117 SetPageUptodate(page); 118 SetPageUptodate(page);
118 unlock_page(page); 119 unlock_page(page);
119} 120}
121#endif
120 122
121/* 123/*
122 * AFS read page from file, directory or symlink 124 * AFS read page from file, directory or symlink
diff --git a/fs/autofs/dirhash.c b/fs/autofs/dirhash.c
index bf8c8af98004..4eb4d8dfb2f1 100644
--- a/fs/autofs/dirhash.c
+++ b/fs/autofs/dirhash.c
@@ -39,10 +39,12 @@ struct autofs_dir_ent *autofs_expire(struct super_block *sb,
39{ 39{
40 struct autofs_dirhash *dh = &sbi->dirhash; 40 struct autofs_dirhash *dh = &sbi->dirhash;
41 struct autofs_dir_ent *ent; 41 struct autofs_dir_ent *ent;
42 struct dentry *dentry;
43 unsigned long timeout = sbi->exp_timeout; 42 unsigned long timeout = sbi->exp_timeout;
44 43
45 while (1) { 44 while (1) {
45 struct path path;
46 int umount_ok;
47
46 if ( list_empty(&dh->expiry_head) || sbi->catatonic ) 48 if ( list_empty(&dh->expiry_head) || sbi->catatonic )
47 return NULL; /* No entries */ 49 return NULL; /* No entries */
48 /* We keep the list sorted by last_usage and want old stuff */ 50 /* We keep the list sorted by last_usage and want old stuff */
@@ -57,17 +59,17 @@ struct autofs_dir_ent *autofs_expire(struct super_block *sb,
57 return ent; /* Symlinks are always expirable */ 59 return ent; /* Symlinks are always expirable */
58 60
59 /* Get the dentry for the autofs subdirectory */ 61 /* Get the dentry for the autofs subdirectory */
60 dentry = ent->dentry; 62 path.dentry = ent->dentry;
61 63
62 if ( !dentry ) { 64 if (!path.dentry) {
63 /* Should only happen in catatonic mode */ 65 /* Should only happen in catatonic mode */
64 printk("autofs: dentry == NULL but inode range is directory, entry %s\n", ent->name); 66 printk("autofs: dentry == NULL but inode range is directory, entry %s\n", ent->name);
65 autofs_delete_usage(ent); 67 autofs_delete_usage(ent);
66 continue; 68 continue;
67 } 69 }
68 70
69 if ( !dentry->d_inode ) { 71 if (!path.dentry->d_inode) {
70 dput(dentry); 72 dput(path.dentry);
71 printk("autofs: negative dentry on expiry queue: %s\n", 73 printk("autofs: negative dentry on expiry queue: %s\n",
72 ent->name); 74 ent->name);
73 autofs_delete_usage(ent); 75 autofs_delete_usage(ent);
@@ -76,29 +78,29 @@ struct autofs_dir_ent *autofs_expire(struct super_block *sb,
76 78
77 /* Make sure entry is mounted and unused; note that dentry will 79 /* Make sure entry is mounted and unused; note that dentry will
78 point to the mounted-on-top root. */ 80 point to the mounted-on-top root. */
79 if (!S_ISDIR(dentry->d_inode->i_mode)||!d_mountpoint(dentry)) { 81 if (!S_ISDIR(path.dentry->d_inode->i_mode) ||
82 !d_mountpoint(path.dentry)) {
80 DPRINTK(("autofs: not expirable (not a mounted directory): %s\n", ent->name)); 83 DPRINTK(("autofs: not expirable (not a mounted directory): %s\n", ent->name));
81 continue; 84 continue;
82 } 85 }
83 mntget(mnt); 86 path.mnt = mnt;
84 dget(dentry); 87 path_get(&path);
85 if (!follow_down(&mnt, &dentry)) { 88 if (!follow_down(&path.mnt, &path.dentry)) {
86 dput(dentry); 89 path_put(&path);
87 mntput(mnt);
88 DPRINTK(("autofs: not expirable (not a mounted directory): %s\n", ent->name)); 90 DPRINTK(("autofs: not expirable (not a mounted directory): %s\n", ent->name));
89 continue; 91 continue;
90 } 92 }
91 while (d_mountpoint(dentry) && follow_down(&mnt, &dentry)) 93 while (d_mountpoint(path.dentry) &&
94 follow_down(&path.mnt, &path.dentry))
92 ; 95 ;
93 dput(dentry); 96 umount_ok = may_umount(path.mnt);
97 path_put(&path);
94 98
95 if ( may_umount(mnt) ) { 99 if (umount_ok) {
96 mntput(mnt);
97 DPRINTK(("autofs: signaling expire on %s\n", ent->name)); 100 DPRINTK(("autofs: signaling expire on %s\n", ent->name));
98 return ent; /* Expirable! */ 101 return ent; /* Expirable! */
99 } 102 }
100 DPRINTK(("autofs: didn't expire due to may_umount: %s\n", ent->name)); 103 DPRINTK(("autofs: didn't expire due to may_umount: %s\n", ent->name));
101 mntput(mnt);
102 } 104 }
103 return NULL; /* No expirable entries */ 105 return NULL; /* No expirable entries */
104} 106}
diff --git a/fs/autofs4/dev-ioctl.c b/fs/autofs4/dev-ioctl.c
index 9e5ae8a4f5c8..84168c0dcc2d 100644
--- a/fs/autofs4/dev-ioctl.c
+++ b/fs/autofs4/dev-ioctl.c
@@ -54,11 +54,10 @@ static int check_name(const char *name)
54 * Check a string doesn't overrun the chunk of 54 * Check a string doesn't overrun the chunk of
55 * memory we copied from user land. 55 * memory we copied from user land.
56 */ 56 */
57static int invalid_str(char *str, void *end) 57static int invalid_str(char *str, size_t size)
58{ 58{
59 while ((void *) str <= end) 59 if (memchr(str, 0, size))
60 if (!*str++) 60 return 0;
61 return 0;
62 return -EINVAL; 61 return -EINVAL;
63} 62}
64 63
@@ -138,8 +137,7 @@ static int validate_dev_ioctl(int cmd, struct autofs_dev_ioctl *param)
138 } 137 }
139 138
140 if (param->size > sizeof(*param)) { 139 if (param->size > sizeof(*param)) {
141 err = invalid_str(param->path, 140 err = invalid_str(param->path, param->size - sizeof(*param));
142 (void *) ((size_t) param + param->size));
143 if (err) { 141 if (err) {
144 AUTOFS_WARN( 142 AUTOFS_WARN(
145 "path string terminator missing for cmd(0x%08x)", 143 "path string terminator missing for cmd(0x%08x)",
@@ -488,7 +486,7 @@ static int autofs_dev_ioctl_requester(struct file *fp,
488 } 486 }
489 487
490 path = param->path; 488 path = param->path;
491 devid = sbi->sb->s_dev; 489 devid = new_encode_dev(sbi->sb->s_dev);
492 490
493 param->requester.uid = param->requester.gid = -1; 491 param->requester.uid = param->requester.gid = -1;
494 492
diff --git a/fs/bio.c b/fs/bio.c
index e0c9e545bbfa..cd42bb882f30 100644
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -348,6 +348,24 @@ err:
348 return NULL; 348 return NULL;
349} 349}
350 350
351/**
352 * bio_alloc - allocate a bio for I/O
353 * @gfp_mask: the GFP_ mask given to the slab allocator
354 * @nr_iovecs: number of iovecs to pre-allocate
355 *
356 * Description:
357 * bio_alloc will allocate a bio and associated bio_vec array that can hold
358 * at least @nr_iovecs entries. Allocations will be done from the
359 * fs_bio_set. Also see @bio_alloc_bioset.
360 *
361 * If %__GFP_WAIT is set, then bio_alloc will always be able to allocate
362 * a bio. This is due to the mempool guarantees. To make this work, callers
363 * must never allocate more than 1 bio at the time from this pool. Callers
364 * that need to allocate more than 1 bio must always submit the previously
365 * allocate bio for IO before attempting to allocate a new one. Failure to
366 * do so can cause livelocks under memory pressure.
367 *
368 **/
351struct bio *bio_alloc(gfp_t gfp_mask, int nr_iovecs) 369struct bio *bio_alloc(gfp_t gfp_mask, int nr_iovecs)
352{ 370{
353 struct bio *bio = bio_alloc_bioset(gfp_mask, nr_iovecs, fs_bio_set); 371 struct bio *bio = bio_alloc_bioset(gfp_mask, nr_iovecs, fs_bio_set);
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index 7594bec1be10..9f135e878507 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -461,15 +461,9 @@ static int btrfs_ioctl_resize(struct btrfs_root *root, void __user *arg)
461 if (!capable(CAP_SYS_ADMIN)) 461 if (!capable(CAP_SYS_ADMIN))
462 return -EPERM; 462 return -EPERM;
463 463
464 vol_args = kmalloc(sizeof(*vol_args), GFP_NOFS); 464 vol_args = memdup_user(arg, sizeof(*vol_args));
465 465 if (IS_ERR(vol_args))
466 if (!vol_args) 466 return PTR_ERR(vol_args);
467 return -ENOMEM;
468
469 if (copy_from_user(vol_args, arg, sizeof(*vol_args))) {
470 ret = -EFAULT;
471 goto out;
472 }
473 467
474 vol_args->name[BTRFS_PATH_NAME_MAX] = '\0'; 468 vol_args->name[BTRFS_PATH_NAME_MAX] = '\0';
475 namelen = strlen(vol_args->name); 469 namelen = strlen(vol_args->name);
@@ -545,7 +539,6 @@ static int btrfs_ioctl_resize(struct btrfs_root *root, void __user *arg)
545 539
546out_unlock: 540out_unlock:
547 mutex_unlock(&root->fs_info->volume_mutex); 541 mutex_unlock(&root->fs_info->volume_mutex);
548out:
549 kfree(vol_args); 542 kfree(vol_args);
550 return ret; 543 return ret;
551} 544}
@@ -565,15 +558,9 @@ static noinline int btrfs_ioctl_snap_create(struct file *file,
565 if (root->fs_info->sb->s_flags & MS_RDONLY) 558 if (root->fs_info->sb->s_flags & MS_RDONLY)
566 return -EROFS; 559 return -EROFS;
567 560
568 vol_args = kmalloc(sizeof(*vol_args), GFP_NOFS); 561 vol_args = memdup_user(arg, sizeof(*vol_args));
569 562 if (IS_ERR(vol_args))
570 if (!vol_args) 563 return PTR_ERR(vol_args);
571 return -ENOMEM;
572
573 if (copy_from_user(vol_args, arg, sizeof(*vol_args))) {
574 ret = -EFAULT;
575 goto out;
576 }
577 564
578 vol_args->name[BTRFS_PATH_NAME_MAX] = '\0'; 565 vol_args->name[BTRFS_PATH_NAME_MAX] = '\0';
579 namelen = strlen(vol_args->name); 566 namelen = strlen(vol_args->name);
@@ -675,19 +662,13 @@ static long btrfs_ioctl_add_dev(struct btrfs_root *root, void __user *arg)
675 if (!capable(CAP_SYS_ADMIN)) 662 if (!capable(CAP_SYS_ADMIN))
676 return -EPERM; 663 return -EPERM;
677 664
678 vol_args = kmalloc(sizeof(*vol_args), GFP_NOFS); 665 vol_args = memdup_user(arg, sizeof(*vol_args));
666 if (IS_ERR(vol_args))
667 return PTR_ERR(vol_args);
679 668
680 if (!vol_args)
681 return -ENOMEM;
682
683 if (copy_from_user(vol_args, arg, sizeof(*vol_args))) {
684 ret = -EFAULT;
685 goto out;
686 }
687 vol_args->name[BTRFS_PATH_NAME_MAX] = '\0'; 669 vol_args->name[BTRFS_PATH_NAME_MAX] = '\0';
688 ret = btrfs_init_new_device(root, vol_args->name); 670 ret = btrfs_init_new_device(root, vol_args->name);
689 671
690out:
691 kfree(vol_args); 672 kfree(vol_args);
692 return ret; 673 return ret;
693} 674}
@@ -703,19 +684,13 @@ static long btrfs_ioctl_rm_dev(struct btrfs_root *root, void __user *arg)
703 if (root->fs_info->sb->s_flags & MS_RDONLY) 684 if (root->fs_info->sb->s_flags & MS_RDONLY)
704 return -EROFS; 685 return -EROFS;
705 686
706 vol_args = kmalloc(sizeof(*vol_args), GFP_NOFS); 687 vol_args = memdup_user(arg, sizeof(*vol_args));
688 if (IS_ERR(vol_args))
689 return PTR_ERR(vol_args);
707 690
708 if (!vol_args)
709 return -ENOMEM;
710
711 if (copy_from_user(vol_args, arg, sizeof(*vol_args))) {
712 ret = -EFAULT;
713 goto out;
714 }
715 vol_args->name[BTRFS_PATH_NAME_MAX] = '\0'; 691 vol_args->name[BTRFS_PATH_NAME_MAX] = '\0';
716 ret = btrfs_rm_device(root, vol_args->name); 692 ret = btrfs_rm_device(root, vol_args->name);
717 693
718out:
719 kfree(vol_args); 694 kfree(vol_args);
720 return ret; 695 return ret;
721} 696}
diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
index 9744af9d71e9..a7acfe639a44 100644
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -635,14 +635,9 @@ static long btrfs_control_ioctl(struct file *file, unsigned int cmd,
635 if (!capable(CAP_SYS_ADMIN)) 635 if (!capable(CAP_SYS_ADMIN))
636 return -EPERM; 636 return -EPERM;
637 637
638 vol = kmalloc(sizeof(*vol), GFP_KERNEL); 638 vol = memdup_user((void __user *)arg, sizeof(*vol));
639 if (!vol) 639 if (IS_ERR(vol))
640 return -ENOMEM; 640 return PTR_ERR(vol);
641
642 if (copy_from_user(vol, (void __user *)arg, sizeof(*vol))) {
643 ret = -EFAULT;
644 goto out;
645 }
646 641
647 switch (cmd) { 642 switch (cmd) {
648 case BTRFS_IOC_SCAN_DEV: 643 case BTRFS_IOC_SCAN_DEV:
@@ -650,7 +645,7 @@ static long btrfs_control_ioctl(struct file *file, unsigned int cmd,
650 &btrfs_fs_type, &fs_devices); 645 &btrfs_fs_type, &fs_devices);
651 break; 646 break;
652 } 647 }
653out: 648
654 kfree(vol); 649 kfree(vol);
655 return ret; 650 return ret;
656} 651}
diff --git a/fs/buffer.c b/fs/buffer.c
index 13edf7ad3ff1..b3e5be7514f5 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -360,7 +360,7 @@ still_busy:
360 * Completion handler for block_write_full_page() - pages which are unlocked 360 * Completion handler for block_write_full_page() - pages which are unlocked
361 * during I/O, and which have PageWriteback cleared upon I/O completion. 361 * during I/O, and which have PageWriteback cleared upon I/O completion.
362 */ 362 */
363static void end_buffer_async_write(struct buffer_head *bh, int uptodate) 363void end_buffer_async_write(struct buffer_head *bh, int uptodate)
364{ 364{
365 char b[BDEVNAME_SIZE]; 365 char b[BDEVNAME_SIZE];
366 unsigned long flags; 366 unsigned long flags;
@@ -438,11 +438,17 @@ static void mark_buffer_async_read(struct buffer_head *bh)
438 set_buffer_async_read(bh); 438 set_buffer_async_read(bh);
439} 439}
440 440
441void mark_buffer_async_write(struct buffer_head *bh) 441void mark_buffer_async_write_endio(struct buffer_head *bh,
442 bh_end_io_t *handler)
442{ 443{
443 bh->b_end_io = end_buffer_async_write; 444 bh->b_end_io = handler;
444 set_buffer_async_write(bh); 445 set_buffer_async_write(bh);
445} 446}
447
448void mark_buffer_async_write(struct buffer_head *bh)
449{
450 mark_buffer_async_write_endio(bh, end_buffer_async_write);
451}
446EXPORT_SYMBOL(mark_buffer_async_write); 452EXPORT_SYMBOL(mark_buffer_async_write);
447 453
448 454
@@ -547,7 +553,7 @@ repeat:
547 return err; 553 return err;
548} 554}
549 555
550void do_thaw_all(unsigned long unused) 556void do_thaw_all(struct work_struct *work)
551{ 557{
552 struct super_block *sb; 558 struct super_block *sb;
553 char b[BDEVNAME_SIZE]; 559 char b[BDEVNAME_SIZE];
@@ -567,6 +573,7 @@ restart:
567 goto restart; 573 goto restart;
568 } 574 }
569 spin_unlock(&sb_lock); 575 spin_unlock(&sb_lock);
576 kfree(work);
570 printk(KERN_WARNING "Emergency Thaw complete\n"); 577 printk(KERN_WARNING "Emergency Thaw complete\n");
571} 578}
572 579
@@ -577,7 +584,13 @@ restart:
577 */ 584 */
578void emergency_thaw_all(void) 585void emergency_thaw_all(void)
579{ 586{
580 pdflush_operation(do_thaw_all, 0); 587 struct work_struct *work;
588
589 work = kmalloc(sizeof(*work), GFP_ATOMIC);
590 if (work) {
591 INIT_WORK(work, do_thaw_all);
592 schedule_work(work);
593 }
581} 594}
582 595
583/** 596/**
@@ -1608,7 +1621,8 @@ EXPORT_SYMBOL(unmap_underlying_metadata);
1608 * unplugging the device queue. 1621 * unplugging the device queue.
1609 */ 1622 */
1610static int __block_write_full_page(struct inode *inode, struct page *page, 1623static int __block_write_full_page(struct inode *inode, struct page *page,
1611 get_block_t *get_block, struct writeback_control *wbc) 1624 get_block_t *get_block, struct writeback_control *wbc,
1625 bh_end_io_t *handler)
1612{ 1626{
1613 int err; 1627 int err;
1614 sector_t block; 1628 sector_t block;
@@ -1693,7 +1707,7 @@ static int __block_write_full_page(struct inode *inode, struct page *page,
1693 continue; 1707 continue;
1694 } 1708 }
1695 if (test_clear_buffer_dirty(bh)) { 1709 if (test_clear_buffer_dirty(bh)) {
1696 mark_buffer_async_write(bh); 1710 mark_buffer_async_write_endio(bh, handler);
1697 } else { 1711 } else {
1698 unlock_buffer(bh); 1712 unlock_buffer(bh);
1699 } 1713 }
@@ -1746,7 +1760,7 @@ recover:
1746 if (buffer_mapped(bh) && buffer_dirty(bh) && 1760 if (buffer_mapped(bh) && buffer_dirty(bh) &&
1747 !buffer_delay(bh)) { 1761 !buffer_delay(bh)) {
1748 lock_buffer(bh); 1762 lock_buffer(bh);
1749 mark_buffer_async_write(bh); 1763 mark_buffer_async_write_endio(bh, handler);
1750 } else { 1764 } else {
1751 /* 1765 /*
1752 * The buffer may have been set dirty during 1766 * The buffer may have been set dirty during
@@ -2672,7 +2686,8 @@ int nobh_writepage(struct page *page, get_block_t *get_block,
2672out: 2686out:
2673 ret = mpage_writepage(page, get_block, wbc); 2687 ret = mpage_writepage(page, get_block, wbc);
2674 if (ret == -EAGAIN) 2688 if (ret == -EAGAIN)
2675 ret = __block_write_full_page(inode, page, get_block, wbc); 2689 ret = __block_write_full_page(inode, page, get_block, wbc,
2690 end_buffer_async_write);
2676 return ret; 2691 return ret;
2677} 2692}
2678EXPORT_SYMBOL(nobh_writepage); 2693EXPORT_SYMBOL(nobh_writepage);
@@ -2830,9 +2845,10 @@ out:
2830 2845
2831/* 2846/*
2832 * The generic ->writepage function for buffer-backed address_spaces 2847 * The generic ->writepage function for buffer-backed address_spaces
2848 * this form passes in the end_io handler used to finish the IO.
2833 */ 2849 */
2834int block_write_full_page(struct page *page, get_block_t *get_block, 2850int block_write_full_page_endio(struct page *page, get_block_t *get_block,
2835 struct writeback_control *wbc) 2851 struct writeback_control *wbc, bh_end_io_t *handler)
2836{ 2852{
2837 struct inode * const inode = page->mapping->host; 2853 struct inode * const inode = page->mapping->host;
2838 loff_t i_size = i_size_read(inode); 2854 loff_t i_size = i_size_read(inode);
@@ -2841,7 +2857,8 @@ int block_write_full_page(struct page *page, get_block_t *get_block,
2841 2857
2842 /* Is the page fully inside i_size? */ 2858 /* Is the page fully inside i_size? */
2843 if (page->index < end_index) 2859 if (page->index < end_index)
2844 return __block_write_full_page(inode, page, get_block, wbc); 2860 return __block_write_full_page(inode, page, get_block, wbc,
2861 handler);
2845 2862
2846 /* Is the page fully outside i_size? (truncate in progress) */ 2863 /* Is the page fully outside i_size? (truncate in progress) */
2847 offset = i_size & (PAGE_CACHE_SIZE-1); 2864 offset = i_size & (PAGE_CACHE_SIZE-1);
@@ -2864,9 +2881,20 @@ int block_write_full_page(struct page *page, get_block_t *get_block,
2864 * writes to that region are not written out to the file." 2881 * writes to that region are not written out to the file."
2865 */ 2882 */
2866 zero_user_segment(page, offset, PAGE_CACHE_SIZE); 2883 zero_user_segment(page, offset, PAGE_CACHE_SIZE);
2867 return __block_write_full_page(inode, page, get_block, wbc); 2884 return __block_write_full_page(inode, page, get_block, wbc, handler);
2868} 2885}
2869 2886
2887/*
2888 * The generic ->writepage function for buffer-backed address_spaces
2889 */
2890int block_write_full_page(struct page *page, get_block_t *get_block,
2891 struct writeback_control *wbc)
2892{
2893 return block_write_full_page_endio(page, get_block, wbc,
2894 end_buffer_async_write);
2895}
2896
2897
2870sector_t generic_block_bmap(struct address_space *mapping, sector_t block, 2898sector_t generic_block_bmap(struct address_space *mapping, sector_t block,
2871 get_block_t *get_block) 2899 get_block_t *get_block)
2872{ 2900{
@@ -3335,9 +3363,11 @@ EXPORT_SYMBOL(block_read_full_page);
3335EXPORT_SYMBOL(block_sync_page); 3363EXPORT_SYMBOL(block_sync_page);
3336EXPORT_SYMBOL(block_truncate_page); 3364EXPORT_SYMBOL(block_truncate_page);
3337EXPORT_SYMBOL(block_write_full_page); 3365EXPORT_SYMBOL(block_write_full_page);
3366EXPORT_SYMBOL(block_write_full_page_endio);
3338EXPORT_SYMBOL(cont_write_begin); 3367EXPORT_SYMBOL(cont_write_begin);
3339EXPORT_SYMBOL(end_buffer_read_sync); 3368EXPORT_SYMBOL(end_buffer_read_sync);
3340EXPORT_SYMBOL(end_buffer_write_sync); 3369EXPORT_SYMBOL(end_buffer_write_sync);
3370EXPORT_SYMBOL(end_buffer_async_write);
3341EXPORT_SYMBOL(file_fsync); 3371EXPORT_SYMBOL(file_fsync);
3342EXPORT_SYMBOL(generic_block_bmap); 3372EXPORT_SYMBOL(generic_block_bmap);
3343EXPORT_SYMBOL(generic_cont_expand_simple); 3373EXPORT_SYMBOL(generic_cont_expand_simple);
diff --git a/fs/cifs/CHANGES b/fs/cifs/CHANGES
index 65984006192c..9d1fb6ec8a5a 100644
--- a/fs/cifs/CHANGES
+++ b/fs/cifs/CHANGES
@@ -15,7 +15,8 @@ Posix file open support added (turned off after one attempt if server
15fails to support it properly, as with Samba server versions prior to 3.3.2) 15fails to support it properly, as with Samba server versions prior to 3.3.2)
16Fix "redzone overwritten" bug in cifs_put_tcon (CIFSTcon may allocate too 16Fix "redzone overwritten" bug in cifs_put_tcon (CIFSTcon may allocate too
17little memory for the "nativeFileSystem" field returned by the server 17little memory for the "nativeFileSystem" field returned by the server
18during mount). 18during mount). Endian convert inode numbers if necessary (makes it easier
19to compare inode numbers on network files from big endian systems).
19 20
20Version 1.56 21Version 1.56
21------------ 22------------
diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c
index 3fd3a9df043a..67bf93a40d2e 100644
--- a/fs/cifs/cifs_spnego.c
+++ b/fs/cifs/cifs_spnego.c
@@ -41,7 +41,7 @@ cifs_spnego_key_instantiate(struct key *key, const void *data, size_t datalen)
41 41
42 /* attach the data */ 42 /* attach the data */
43 memcpy(payload, data, datalen); 43 memcpy(payload, data, datalen);
44 rcu_assign_pointer(key->payload.data, payload); 44 key->payload.data = payload;
45 ret = 0; 45 ret = 0;
46 46
47error: 47error:
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 38491fd3871d..0d6d8b573652 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -66,9 +66,6 @@ unsigned int sign_CIFS_PDUs = 1;
66extern struct task_struct *oplockThread; /* remove sparse warning */ 66extern struct task_struct *oplockThread; /* remove sparse warning */
67struct task_struct *oplockThread = NULL; 67struct task_struct *oplockThread = NULL;
68/* extern struct task_struct * dnotifyThread; remove sparse warning */ 68/* extern struct task_struct * dnotifyThread; remove sparse warning */
69#ifdef CONFIG_CIFS_EXPERIMENTAL
70static struct task_struct *dnotifyThread = NULL;
71#endif
72static const struct super_operations cifs_super_ops; 69static const struct super_operations cifs_super_ops;
73unsigned int CIFSMaxBufSize = CIFS_MAX_MSGSIZE; 70unsigned int CIFSMaxBufSize = CIFS_MAX_MSGSIZE;
74module_param(CIFSMaxBufSize, int, 0); 71module_param(CIFSMaxBufSize, int, 0);
@@ -316,6 +313,7 @@ cifs_alloc_inode(struct super_block *sb)
316 cifs_inode->clientCanCacheAll = false; 313 cifs_inode->clientCanCacheAll = false;
317 cifs_inode->delete_pending = false; 314 cifs_inode->delete_pending = false;
318 cifs_inode->vfs_inode.i_blkbits = 14; /* 2**14 = CIFS_MAX_MSGSIZE */ 315 cifs_inode->vfs_inode.i_blkbits = 14; /* 2**14 = CIFS_MAX_MSGSIZE */
316 cifs_inode->server_eof = 0;
319 317
320 /* Can not set i_flags here - they get immediately overwritten 318 /* Can not set i_flags here - they get immediately overwritten
321 to zero by the VFS */ 319 to zero by the VFS */
@@ -1040,34 +1038,6 @@ static int cifs_oplock_thread(void *dummyarg)
1040 return 0; 1038 return 0;
1041} 1039}
1042 1040
1043#ifdef CONFIG_CIFS_EXPERIMENTAL
1044static int cifs_dnotify_thread(void *dummyarg)
1045{
1046 struct list_head *tmp;
1047 struct TCP_Server_Info *server;
1048
1049 do {
1050 if (try_to_freeze())
1051 continue;
1052 set_current_state(TASK_INTERRUPTIBLE);
1053 schedule_timeout(15*HZ);
1054 /* check if any stuck requests that need
1055 to be woken up and wakeq so the
1056 thread can wake up and error out */
1057 read_lock(&cifs_tcp_ses_lock);
1058 list_for_each(tmp, &cifs_tcp_ses_list) {
1059 server = list_entry(tmp, struct TCP_Server_Info,
1060 tcp_ses_list);
1061 if (atomic_read(&server->inFlight))
1062 wake_up_all(&server->response_q);
1063 }
1064 read_unlock(&cifs_tcp_ses_lock);
1065 } while (!kthread_should_stop());
1066
1067 return 0;
1068}
1069#endif
1070
1071static int __init 1041static int __init
1072init_cifs(void) 1042init_cifs(void)
1073{ 1043{
@@ -1144,21 +1114,8 @@ init_cifs(void)
1144 goto out_unregister_dfs_key_type; 1114 goto out_unregister_dfs_key_type;
1145 } 1115 }
1146 1116
1147#ifdef CONFIG_CIFS_EXPERIMENTAL
1148 dnotifyThread = kthread_run(cifs_dnotify_thread, NULL, "cifsdnotifyd");
1149 if (IS_ERR(dnotifyThread)) {
1150 rc = PTR_ERR(dnotifyThread);
1151 cERROR(1, ("error %d create dnotify thread", rc));
1152 goto out_stop_oplock_thread;
1153 }
1154#endif
1155
1156 return 0; 1117 return 0;
1157 1118
1158#ifdef CONFIG_CIFS_EXPERIMENTAL
1159 out_stop_oplock_thread:
1160#endif
1161 kthread_stop(oplockThread);
1162 out_unregister_dfs_key_type: 1119 out_unregister_dfs_key_type:
1163#ifdef CONFIG_CIFS_DFS_UPCALL 1120#ifdef CONFIG_CIFS_DFS_UPCALL
1164 unregister_key_type(&key_type_dns_resolver); 1121 unregister_key_type(&key_type_dns_resolver);
@@ -1196,9 +1153,6 @@ exit_cifs(void)
1196 cifs_destroy_inodecache(); 1153 cifs_destroy_inodecache();
1197 cifs_destroy_mids(); 1154 cifs_destroy_mids();
1198 cifs_destroy_request_bufs(); 1155 cifs_destroy_request_bufs();
1199#ifdef CONFIG_CIFS_EXPERIMENTAL
1200 kthread_stop(dnotifyThread);
1201#endif
1202 kthread_stop(oplockThread); 1156 kthread_stop(oplockThread);
1203} 1157}
1204 1158
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 9fbf4dff5da6..df40ab64cd95 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -350,7 +350,7 @@ struct cifsFileInfo {
350 bool invalidHandle:1; /* file closed via session abend */ 350 bool invalidHandle:1; /* file closed via session abend */
351 bool messageMode:1; /* for pipes: message vs byte mode */ 351 bool messageMode:1; /* for pipes: message vs byte mode */
352 atomic_t wrtPending; /* handle in use - defer close */ 352 atomic_t wrtPending; /* handle in use - defer close */
353 struct semaphore fh_sem; /* prevents reopen race after dead ses*/ 353 struct mutex fh_mutex; /* prevents reopen race after dead ses*/
354 struct cifs_search_info srch_inf; 354 struct cifs_search_info srch_inf;
355}; 355};
356 356
@@ -370,6 +370,7 @@ struct cifsInodeInfo {
370 bool clientCanCacheAll:1; /* read and writebehind oplock */ 370 bool clientCanCacheAll:1; /* read and writebehind oplock */
371 bool oplockPending:1; 371 bool oplockPending:1;
372 bool delete_pending:1; /* DELETE_ON_CLOSE is set */ 372 bool delete_pending:1; /* DELETE_ON_CLOSE is set */
373 u64 server_eof; /* current file size on server */
373 struct inode vfs_inode; 374 struct inode vfs_inode;
374}; 375};
375 376
diff --git a/fs/cifs/cifspdu.h b/fs/cifs/cifspdu.h
index b370489c8da5..a785f69dbc9f 100644
--- a/fs/cifs/cifspdu.h
+++ b/fs/cifs/cifspdu.h
@@ -2163,7 +2163,7 @@ typedef struct {
2163 __le32 Type; 2163 __le32 Type;
2164 __le64 DevMajor; 2164 __le64 DevMajor;
2165 __le64 DevMinor; 2165 __le64 DevMinor;
2166 __u64 UniqueId; 2166 __le64 UniqueId;
2167 __le64 Permissions; 2167 __le64 Permissions;
2168 __le64 Nlinks; 2168 __le64 Nlinks;
2169} __attribute__((packed)) FILE_UNIX_BASIC_INFO; /* level 0x200 QPathInfo */ 2169} __attribute__((packed)) FILE_UNIX_BASIC_INFO; /* level 0x200 QPathInfo */
@@ -2308,7 +2308,7 @@ struct unlink_psx_rq { /* level 0x20a SetPathInfo */
2308} __attribute__((packed)); 2308} __attribute__((packed));
2309 2309
2310struct file_internal_info { 2310struct file_internal_info {
2311 __u64 UniqueId; /* inode number */ 2311 __le64 UniqueId; /* inode number */
2312} __attribute__((packed)); /* level 0x3ee */ 2312} __attribute__((packed)); /* level 0x3ee */
2313 2313
2314struct file_mode_info { 2314struct file_mode_info {
@@ -2338,7 +2338,7 @@ typedef struct {
2338 __le32 Type; 2338 __le32 Type;
2339 __le64 DevMajor; 2339 __le64 DevMajor;
2340 __le64 DevMinor; 2340 __le64 DevMinor;
2341 __u64 UniqueId; 2341 __le64 UniqueId;
2342 __le64 Permissions; 2342 __le64 Permissions;
2343 __le64 Nlinks; 2343 __le64 Nlinks;
2344 char FileName[1]; 2344 char FileName[1];
@@ -2386,7 +2386,7 @@ typedef struct {
2386 __le32 FileNameLength; 2386 __le32 FileNameLength;
2387 __le32 EaSize; /* EA size */ 2387 __le32 EaSize; /* EA size */
2388 __le32 Reserved; 2388 __le32 Reserved;
2389 __u64 UniqueId; /* inode num - le since Samba puts ino in low 32 bit*/ 2389 __le64 UniqueId; /* inode num - le since Samba puts ino in low 32 bit*/
2390 char FileName[1]; 2390 char FileName[1];
2391} __attribute__((packed)) SEARCH_ID_FULL_DIR_INFO; /* level 0x105 FF rsp data */ 2391} __attribute__((packed)) SEARCH_ID_FULL_DIR_INFO; /* level 0x105 FF rsp data */
2392 2392
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index bc09c998631f..a0845dc7b8a9 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -1626,6 +1626,8 @@ CIFSSMBWrite2(const int xid, struct cifsTconInfo *tcon,
1626 int smb_hdr_len; 1626 int smb_hdr_len;
1627 int resp_buf_type = 0; 1627 int resp_buf_type = 0;
1628 1628
1629 *nbytes = 0;
1630
1629 cFYI(1, ("write2 at %lld %d bytes", (long long)offset, count)); 1631 cFYI(1, ("write2 at %lld %d bytes", (long long)offset, count));
1630 1632
1631 if (tcon->ses->capabilities & CAP_LARGE_FILES) { 1633 if (tcon->ses->capabilities & CAP_LARGE_FILES) {
@@ -1682,11 +1684,9 @@ CIFSSMBWrite2(const int xid, struct cifsTconInfo *tcon,
1682 cifs_stats_inc(&tcon->num_writes); 1684 cifs_stats_inc(&tcon->num_writes);
1683 if (rc) { 1685 if (rc) {
1684 cFYI(1, ("Send error Write2 = %d", rc)); 1686 cFYI(1, ("Send error Write2 = %d", rc));
1685 *nbytes = 0;
1686 } else if (resp_buf_type == 0) { 1687 } else if (resp_buf_type == 0) {
1687 /* presumably this can not happen, but best to be safe */ 1688 /* presumably this can not happen, but best to be safe */
1688 rc = -EIO; 1689 rc = -EIO;
1689 *nbytes = 0;
1690 } else { 1690 } else {
1691 WRITE_RSP *pSMBr = (WRITE_RSP *)iov[0].iov_base; 1691 WRITE_RSP *pSMBr = (WRITE_RSP *)iov[0].iov_base;
1692 *nbytes = le16_to_cpu(pSMBr->CountHigh); 1692 *nbytes = le16_to_cpu(pSMBr->CountHigh);
@@ -3918,7 +3918,7 @@ GetInodeNumberRetry:
3918 } 3918 }
3919 pfinfo = (struct file_internal_info *) 3919 pfinfo = (struct file_internal_info *)
3920 (data_offset + (char *) &pSMBr->hdr.Protocol); 3920 (data_offset + (char *) &pSMBr->hdr.Protocol);
3921 *inode_number = pfinfo->UniqueId; 3921 *inode_number = le64_to_cpu(pfinfo->UniqueId);
3922 } 3922 }
3923 } 3923 }
3924GetInodeNumOut: 3924GetInodeNumOut:
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 0de3b5615a22..bacdef1546b7 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -2214,9 +2214,58 @@ is_path_accessible(int xid, struct cifsTconInfo *tcon,
2214 return rc; 2214 return rc;
2215} 2215}
2216 2216
2217static void
2218cleanup_volume_info(struct smb_vol **pvolume_info)
2219{
2220 struct smb_vol *volume_info;
2221
2222 if (!pvolume_info && !*pvolume_info)
2223 return;
2224
2225 volume_info = *pvolume_info;
2226 kzfree(volume_info->password);
2227 kfree(volume_info->UNC);
2228 kfree(volume_info->prepath);
2229 kfree(volume_info);
2230 *pvolume_info = NULL;
2231 return;
2232}
2233
2234#ifdef CONFIG_CIFS_DFS_UPCALL
2235/* build_path_to_root returns full path to root when
2236 * we do not have an exiting connection (tcon) */
2237static char *
2238build_unc_path_to_root(const struct smb_vol *volume_info,
2239 const struct cifs_sb_info *cifs_sb)
2240{
2241 char *full_path;
2242
2243 int unc_len = strnlen(volume_info->UNC, MAX_TREE_SIZE + 1);
2244 full_path = kmalloc(unc_len + cifs_sb->prepathlen + 1, GFP_KERNEL);
2245 if (full_path == NULL)
2246 return ERR_PTR(-ENOMEM);
2247
2248 strncpy(full_path, volume_info->UNC, unc_len);
2249 if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) {
2250 int i;
2251 for (i = 0; i < unc_len; i++) {
2252 if (full_path[i] == '\\')
2253 full_path[i] = '/';
2254 }
2255 }
2256
2257 if (cifs_sb->prepathlen)
2258 strncpy(full_path + unc_len, cifs_sb->prepath,
2259 cifs_sb->prepathlen);
2260
2261 full_path[unc_len + cifs_sb->prepathlen] = 0; /* add trailing null */
2262 return full_path;
2263}
2264#endif
2265
2217int 2266int
2218cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb, 2267cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
2219 char *mount_data, const char *devname) 2268 char *mount_data_global, const char *devname)
2220{ 2269{
2221 int rc = 0; 2270 int rc = 0;
2222 int xid; 2271 int xid;
@@ -2225,6 +2274,13 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
2225 struct cifsTconInfo *tcon = NULL; 2274 struct cifsTconInfo *tcon = NULL;
2226 struct TCP_Server_Info *srvTcp = NULL; 2275 struct TCP_Server_Info *srvTcp = NULL;
2227 char *full_path; 2276 char *full_path;
2277 char *mount_data = mount_data_global;
2278#ifdef CONFIG_CIFS_DFS_UPCALL
2279 struct dfs_info3_param *referrals = NULL;
2280 unsigned int num_referrals = 0;
2281try_mount_again:
2282#endif
2283 full_path = NULL;
2228 2284
2229 xid = GetXid(); 2285 xid = GetXid();
2230 2286
@@ -2371,11 +2427,9 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
2371 } 2427 }
2372 } 2428 }
2373 2429
2374 /* check for null share name ie connect to dfs root */
2375 if ((strchr(volume_info->UNC + 3, '\\') == NULL) 2430 if ((strchr(volume_info->UNC + 3, '\\') == NULL)
2376 && (strchr(volume_info->UNC + 3, '/') == NULL)) { 2431 && (strchr(volume_info->UNC + 3, '/') == NULL)) {
2377 /* rc = connect_to_dfs_path(...) */ 2432 cERROR(1, ("Missing share name"));
2378 cFYI(1, ("DFS root not supported"));
2379 rc = -ENODEV; 2433 rc = -ENODEV;
2380 goto mount_fail_check; 2434 goto mount_fail_check;
2381 } else { 2435 } else {
@@ -2392,7 +2446,7 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
2392 } 2446 }
2393 } 2447 }
2394 if (rc) 2448 if (rc)
2395 goto mount_fail_check; 2449 goto remote_path_check;
2396 tcon->seal = volume_info->seal; 2450 tcon->seal = volume_info->seal;
2397 write_lock(&cifs_tcp_ses_lock); 2451 write_lock(&cifs_tcp_ses_lock);
2398 list_add(&tcon->tcon_list, &pSesInfo->tcon_list); 2452 list_add(&tcon->tcon_list, &pSesInfo->tcon_list);
@@ -2417,19 +2471,9 @@ cifs_mount(struct super_block *sb, struct cifs_sb_info *cifs_sb,
2417 /* BB FIXME fix time_gran to be larger for LANMAN sessions */ 2471 /* BB FIXME fix time_gran to be larger for LANMAN sessions */
2418 sb->s_time_gran = 100; 2472 sb->s_time_gran = 100;
2419 2473
2420mount_fail_check: 2474 if (rc)
2421 /* on error free sesinfo and tcon struct if needed */ 2475 goto remote_path_check;
2422 if (rc) { 2476
2423 /* If find_unc succeeded then rc == 0 so we can not end */
2424 /* up accidently freeing someone elses tcon struct */
2425 if (tcon)
2426 cifs_put_tcon(tcon);
2427 else if (pSesInfo)
2428 cifs_put_smb_ses(pSesInfo);
2429 else
2430 cifs_put_tcp_session(srvTcp);
2431 goto out;
2432 }
2433 cifs_sb->tcon = tcon; 2477 cifs_sb->tcon = tcon;
2434 2478
2435 /* do not care if following two calls succeed - informational */ 2479 /* do not care if following two calls succeed - informational */
@@ -2461,7 +2505,9 @@ mount_fail_check:
2461 cifs_sb->rsize = min(cifs_sb->rsize, 2505 cifs_sb->rsize = min(cifs_sb->rsize,
2462 (tcon->ses->server->maxBuf - MAX_CIFS_HDR_SIZE)); 2506 (tcon->ses->server->maxBuf - MAX_CIFS_HDR_SIZE));
2463 2507
2464 if (!rc && cifs_sb->prepathlen) { 2508remote_path_check:
2509 /* check if a whole path (including prepath) is not remote */
2510 if (!rc && cifs_sb->prepathlen && tcon) {
2465 /* build_path_to_root works only when we have a valid tcon */ 2511 /* build_path_to_root works only when we have a valid tcon */
2466 full_path = cifs_build_path_to_root(cifs_sb); 2512 full_path = cifs_build_path_to_root(cifs_sb);
2467 if (full_path == NULL) { 2513 if (full_path == NULL) {
@@ -2469,31 +2515,79 @@ mount_fail_check:
2469 goto mount_fail_check; 2515 goto mount_fail_check;
2470 } 2516 }
2471 rc = is_path_accessible(xid, tcon, cifs_sb, full_path); 2517 rc = is_path_accessible(xid, tcon, cifs_sb, full_path);
2472 if (rc) { 2518 if (rc != -EREMOTE) {
2473 cERROR(1, ("Path %s in not accessible: %d",
2474 full_path, rc));
2475 kfree(full_path); 2519 kfree(full_path);
2476 goto mount_fail_check; 2520 goto mount_fail_check;
2477 } 2521 }
2478 kfree(full_path); 2522 kfree(full_path);
2479 } 2523 }
2480 2524
2525 /* get referral if needed */
2526 if (rc == -EREMOTE) {
2527#ifdef CONFIG_CIFS_DFS_UPCALL
2528 /* convert forward to back slashes in prepath here if needed */
2529 if ((cifs_sb->mnt_cifs_flags & CIFS_MOUNT_POSIX_PATHS) == 0)
2530 convert_delimiter(cifs_sb->prepath,
2531 CIFS_DIR_SEP(cifs_sb));
2532 full_path = build_unc_path_to_root(volume_info, cifs_sb);
2533 if (IS_ERR(full_path)) {
2534 rc = PTR_ERR(full_path);
2535 goto mount_fail_check;
2536 }
2537
2538 cFYI(1, ("Getting referral for: %s", full_path));
2539 rc = get_dfs_path(xid, pSesInfo , full_path + 1,
2540 cifs_sb->local_nls, &num_referrals, &referrals,
2541 cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MAP_SPECIAL_CHR);
2542 if (!rc && num_referrals > 0) {
2543 char *fake_devname = NULL;
2544
2545 if (mount_data != mount_data_global)
2546 kfree(mount_data);
2547 mount_data = cifs_compose_mount_options(
2548 cifs_sb->mountdata, full_path + 1,
2549 referrals, &fake_devname);
2550 kfree(fake_devname);
2551 free_dfs_info_array(referrals, num_referrals);
2552
2553 if (tcon)
2554 cifs_put_tcon(tcon);
2555 else if (pSesInfo)
2556 cifs_put_smb_ses(pSesInfo);
2557
2558 cleanup_volume_info(&volume_info);
2559 FreeXid(xid);
2560 kfree(full_path);
2561 goto try_mount_again;
2562 }
2563#else /* No DFS support, return error on mount */
2564 rc = -EOPNOTSUPP;
2565#endif
2566 }
2567
2568mount_fail_check:
2569 /* on error free sesinfo and tcon struct if needed */
2570 if (rc) {
2571 if (mount_data != mount_data_global)
2572 kfree(mount_data);
2573 /* If find_unc succeeded then rc == 0 so we can not end */
2574 /* up accidently freeing someone elses tcon struct */
2575 if (tcon)
2576 cifs_put_tcon(tcon);
2577 else if (pSesInfo)
2578 cifs_put_smb_ses(pSesInfo);
2579 else
2580 cifs_put_tcp_session(srvTcp);
2581 goto out;
2582 }
2583
2481 /* volume_info->password is freed above when existing session found 2584 /* volume_info->password is freed above when existing session found
2482 (in which case it is not needed anymore) but when new sesion is created 2585 (in which case it is not needed anymore) but when new sesion is created
2483 the password ptr is put in the new session structure (in which case the 2586 the password ptr is put in the new session structure (in which case the
2484 password will be freed at unmount time) */ 2587 password will be freed at unmount time) */
2485out: 2588out:
2486 /* zero out password before freeing */ 2589 /* zero out password before freeing */
2487 if (volume_info) { 2590 cleanup_volume_info(&volume_info);
2488 if (volume_info->password != NULL) {
2489 memset(volume_info->password, 0,
2490 strlen(volume_info->password));
2491 kfree(volume_info->password);
2492 }
2493 kfree(volume_info->UNC);
2494 kfree(volume_info->prepath);
2495 kfree(volume_info);
2496 }
2497 FreeXid(xid); 2591 FreeXid(xid);
2498 return rc; 2592 return rc;
2499} 2593}
@@ -2673,8 +2767,7 @@ CIFSSessSetup(unsigned int xid, struct cifsSesInfo *ses,
2673/* We look for obvious messed up bcc or strings in response so we do not go off 2767/* We look for obvious messed up bcc or strings in response so we do not go off
2674 the end since (at least) WIN2K and Windows XP have a major bug in not null 2768 the end since (at least) WIN2K and Windows XP have a major bug in not null
2675 terminating last Unicode string in response */ 2769 terminating last Unicode string in response */
2676 if (ses->serverOS) 2770 kfree(ses->serverOS);
2677 kfree(ses->serverOS);
2678 ses->serverOS = kzalloc(2 * (len + 1), 2771 ses->serverOS = kzalloc(2 * (len + 1),
2679 GFP_KERNEL); 2772 GFP_KERNEL);
2680 if (ses->serverOS == NULL) 2773 if (ses->serverOS == NULL)
@@ -2710,8 +2803,7 @@ CIFSSessSetup(unsigned int xid, struct cifsSesInfo *ses,
2710 len = UniStrnlen((wchar_t *) bcc_ptr, remaining_words); 2803 len = UniStrnlen((wchar_t *) bcc_ptr, remaining_words);
2711 /* last string is not always null terminated 2804 /* last string is not always null terminated
2712 (for e.g. for Windows XP & 2000) */ 2805 (for e.g. for Windows XP & 2000) */
2713 if (ses->serverDomain) 2806 kfree(ses->serverDomain);
2714 kfree(ses->serverDomain);
2715 ses->serverDomain = 2807 ses->serverDomain =
2716 kzalloc(2*(len+1), 2808 kzalloc(2*(len+1),
2717 GFP_KERNEL); 2809 GFP_KERNEL);
@@ -2725,8 +2817,7 @@ CIFSSessSetup(unsigned int xid, struct cifsSesInfo *ses,
2725 ses->serverDomain[1+(2*len)] = 0; 2817 ses->serverDomain[1+(2*len)] = 0;
2726 } else { /* else no more room so create 2818 } else { /* else no more room so create
2727 dummy domain string */ 2819 dummy domain string */
2728 if (ses->serverDomain) 2820 kfree(ses->serverDomain);
2729 kfree(ses->serverDomain);
2730 ses->serverDomain = 2821 ses->serverDomain =
2731 kzalloc(2, GFP_KERNEL); 2822 kzalloc(2, GFP_KERNEL);
2732 } 2823 }
@@ -2772,8 +2863,7 @@ CIFSSessSetup(unsigned int xid, struct cifsSesInfo *ses,
2772 bcc_ptr++; 2863 bcc_ptr++;
2773 2864
2774 len = strnlen(bcc_ptr, 1024); 2865 len = strnlen(bcc_ptr, 1024);
2775 if (ses->serverDomain) 2866 kfree(ses->serverDomain);
2776 kfree(ses->serverDomain);
2777 ses->serverDomain = kzalloc(len + 1, 2867 ses->serverDomain = kzalloc(len + 1,
2778 GFP_KERNEL); 2868 GFP_KERNEL);
2779 if (ses->serverDomain == NULL) 2869 if (ses->serverDomain == NULL)
@@ -3013,8 +3103,7 @@ CIFSNTLMSSPNegotiateSessSetup(unsigned int xid,
3013/* We look for obvious messed up bcc or strings in response so we do not go off 3103/* We look for obvious messed up bcc or strings in response so we do not go off
3014 the end since (at least) WIN2K and Windows XP have a major bug in not null 3104 the end since (at least) WIN2K and Windows XP have a major bug in not null
3015 terminating last Unicode string in response */ 3105 terminating last Unicode string in response */
3016 if (ses->serverOS) 3106 kfree(ses->serverOS);
3017 kfree(ses->serverOS);
3018 ses->serverOS = 3107 ses->serverOS =
3019 kzalloc(2 * (len + 1), GFP_KERNEL); 3108 kzalloc(2 * (len + 1), GFP_KERNEL);
3020 cifs_strfromUCS_le(ses->serverOS, 3109 cifs_strfromUCS_le(ses->serverOS,
@@ -3086,8 +3175,7 @@ CIFSNTLMSSPNegotiateSessSetup(unsigned int xid,
3086 if (((long) bcc_ptr + len) - (long) 3175 if (((long) bcc_ptr + len) - (long)
3087 pByteArea(smb_buffer_response) 3176 pByteArea(smb_buffer_response)
3088 <= BCC(smb_buffer_response)) { 3177 <= BCC(smb_buffer_response)) {
3089 if (ses->serverOS) 3178 kfree(ses->serverOS);
3090 kfree(ses->serverOS);
3091 ses->serverOS = 3179 ses->serverOS =
3092 kzalloc(len + 1, 3180 kzalloc(len + 1,
3093 GFP_KERNEL); 3181 GFP_KERNEL);
@@ -3414,8 +3502,7 @@ CIFSNTLMSSPAuthSessSetup(unsigned int xid, struct cifsSesInfo *ses,
3414/* We look for obvious messed up bcc or strings in response so we do not go off 3502/* We look for obvious messed up bcc or strings in response so we do not go off
3415 the end since (at least) WIN2K and Windows XP have a major bug in not null 3503 the end since (at least) WIN2K and Windows XP have a major bug in not null
3416 terminating last Unicode string in response */ 3504 terminating last Unicode string in response */
3417 if (ses->serverOS) 3505 kfree(ses->serverOS);
3418 kfree(ses->serverOS);
3419 ses->serverOS = 3506 ses->serverOS =
3420 kzalloc(2 * (len + 1), GFP_KERNEL); 3507 kzalloc(2 * (len + 1), GFP_KERNEL);
3421 cifs_strfromUCS_le(ses->serverOS, 3508 cifs_strfromUCS_le(ses->serverOS,
@@ -3448,8 +3535,7 @@ CIFSNTLMSSPAuthSessSetup(unsigned int xid, struct cifsSesInfo *ses,
3448 if (remaining_words > 0) { 3535 if (remaining_words > 0) {
3449 len = UniStrnlen((wchar_t *) bcc_ptr, remaining_words); 3536 len = UniStrnlen((wchar_t *) bcc_ptr, remaining_words);
3450 /* last string not always null terminated (e.g. for Windows XP & 2000) */ 3537 /* last string not always null terminated (e.g. for Windows XP & 2000) */
3451 if (ses->serverDomain) 3538 kfree(ses->serverDomain);
3452 kfree(ses->serverDomain);
3453 ses->serverDomain = 3539 ses->serverDomain =
3454 kzalloc(2 * 3540 kzalloc(2 *
3455 (len + 3541 (len +
@@ -3476,13 +3562,11 @@ CIFSNTLMSSPAuthSessSetup(unsigned int xid, struct cifsSesInfo *ses,
3476 = 0; 3562 = 0;
3477 } /* else no more room so create dummy domain string */ 3563 } /* else no more room so create dummy domain string */
3478 else { 3564 else {
3479 if (ses->serverDomain) 3565 kfree(ses->serverDomain);
3480 kfree(ses->serverDomain);
3481 ses->serverDomain = kzalloc(2,GFP_KERNEL); 3566 ses->serverDomain = kzalloc(2,GFP_KERNEL);
3482 } 3567 }
3483 } else { /* no room so create dummy domain and NOS string */ 3568 } else { /* no room so create dummy domain and NOS string */
3484 if (ses->serverDomain) 3569 kfree(ses->serverDomain);
3485 kfree(ses->serverDomain);
3486 ses->serverDomain = kzalloc(2, GFP_KERNEL); 3570 ses->serverDomain = kzalloc(2, GFP_KERNEL);
3487 kfree(ses->serverNOS); 3571 kfree(ses->serverNOS);
3488 ses->serverNOS = kzalloc(2, GFP_KERNEL); 3572 ses->serverNOS = kzalloc(2, GFP_KERNEL);
@@ -3492,8 +3576,7 @@ CIFSNTLMSSPAuthSessSetup(unsigned int xid, struct cifsSesInfo *ses,
3492 if (((long) bcc_ptr + len) - 3576 if (((long) bcc_ptr + len) -
3493 (long) pByteArea(smb_buffer_response) 3577 (long) pByteArea(smb_buffer_response)
3494 <= BCC(smb_buffer_response)) { 3578 <= BCC(smb_buffer_response)) {
3495 if (ses->serverOS) 3579 kfree(ses->serverOS);
3496 kfree(ses->serverOS);
3497 ses->serverOS = kzalloc(len + 1, GFP_KERNEL); 3580 ses->serverOS = kzalloc(len + 1, GFP_KERNEL);
3498 strncpy(ses->serverOS,bcc_ptr, len); 3581 strncpy(ses->serverOS,bcc_ptr, len);
3499 3582
@@ -3512,8 +3595,7 @@ CIFSNTLMSSPAuthSessSetup(unsigned int xid, struct cifsSesInfo *ses,
3512 bcc_ptr++; 3595 bcc_ptr++;
3513 3596
3514 len = strnlen(bcc_ptr, 1024); 3597 len = strnlen(bcc_ptr, 1024);
3515 if (ses->serverDomain) 3598 kfree(ses->serverDomain);
3516 kfree(ses->serverDomain);
3517 ses->serverDomain = 3599 ses->serverDomain =
3518 kzalloc(len+1, 3600 kzalloc(len+1,
3519 GFP_KERNEL); 3601 GFP_KERNEL);
@@ -3674,16 +3756,15 @@ CIFSTCon(unsigned int xid, struct cifsSesInfo *ses,
3674 BCC(smb_buffer_response)) { 3756 BCC(smb_buffer_response)) {
3675 kfree(tcon->nativeFileSystem); 3757 kfree(tcon->nativeFileSystem);
3676 tcon->nativeFileSystem = 3758 tcon->nativeFileSystem =
3677 kzalloc(2*(length + 1), GFP_KERNEL); 3759 kzalloc((4 * length) + 2, GFP_KERNEL);
3678 if (tcon->nativeFileSystem) 3760 if (tcon->nativeFileSystem) {
3679 cifs_strfromUCS_le( 3761 cifs_strfromUCS_le(
3680 tcon->nativeFileSystem, 3762 tcon->nativeFileSystem,
3681 (__le16 *) bcc_ptr, 3763 (__le16 *) bcc_ptr,
3682 length, nls_codepage); 3764 length, nls_codepage);
3683 bcc_ptr += 2 * length; 3765 cFYI(1, ("nativeFileSystem=%s",
3684 bcc_ptr[0] = 0; /* null terminate the string */ 3766 tcon->nativeFileSystem));
3685 bcc_ptr[1] = 0; 3767 }
3686 bcc_ptr += 2;
3687 } 3768 }
3688 /* else do not bother copying these information fields*/ 3769 /* else do not bother copying these information fields*/
3689 } else { 3770 } else {
diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
index 54dce78fbb73..461750e01364 100644
--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -129,12 +129,62 @@ cifs_bp_rename_retry:
129 return full_path; 129 return full_path;
130} 130}
131 131
132static void
133cifs_fill_fileinfo(struct inode *newinode, __u16 fileHandle,
134 struct cifsTconInfo *tcon, bool write_only)
135{
136 int oplock = 0;
137 struct cifsFileInfo *pCifsFile;
138 struct cifsInodeInfo *pCifsInode;
139
140 pCifsFile = kzalloc(sizeof(struct cifsFileInfo), GFP_KERNEL);
141
142 if (pCifsFile == NULL)
143 return;
144
145 if (oplockEnabled)
146 oplock = REQ_OPLOCK;
147
148 pCifsFile->netfid = fileHandle;
149 pCifsFile->pid = current->tgid;
150 pCifsFile->pInode = newinode;
151 pCifsFile->invalidHandle = false;
152 pCifsFile->closePend = false;
153 mutex_init(&pCifsFile->fh_mutex);
154 mutex_init(&pCifsFile->lock_mutex);
155 INIT_LIST_HEAD(&pCifsFile->llist);
156 atomic_set(&pCifsFile->wrtPending, 0);
157
158 /* set the following in open now
159 pCifsFile->pfile = file; */
160 write_lock(&GlobalSMBSeslock);
161 list_add(&pCifsFile->tlist, &tcon->openFileList);
162 pCifsInode = CIFS_I(newinode);
163 if (pCifsInode) {
164 /* if readable file instance put first in list*/
165 if (write_only)
166 list_add_tail(&pCifsFile->flist,
167 &pCifsInode->openFileList);
168 else
169 list_add(&pCifsFile->flist, &pCifsInode->openFileList);
170
171 if ((oplock & 0xF) == OPLOCK_EXCLUSIVE) {
172 pCifsInode->clientCanCacheAll = true;
173 pCifsInode->clientCanCacheRead = true;
174 cFYI(1, ("Exclusive Oplock inode %p", newinode));
175 } else if ((oplock & 0xF) == OPLOCK_READ)
176 pCifsInode->clientCanCacheRead = true;
177 }
178 write_unlock(&GlobalSMBSeslock);
179}
180
132int cifs_posix_open(char *full_path, struct inode **pinode, 181int cifs_posix_open(char *full_path, struct inode **pinode,
133 struct super_block *sb, int mode, int oflags, 182 struct super_block *sb, int mode, int oflags,
134 int *poplock, __u16 *pnetfid, int xid) 183 int *poplock, __u16 *pnetfid, int xid)
135{ 184{
136 int rc; 185 int rc;
137 __u32 oplock; 186 __u32 oplock;
187 bool write_only = false;
138 FILE_UNIX_BASIC_INFO *presp_data; 188 FILE_UNIX_BASIC_INFO *presp_data;
139 __u32 posix_flags = 0; 189 __u32 posix_flags = 0;
140 struct cifs_sb_info *cifs_sb = CIFS_SB(sb); 190 struct cifs_sb_info *cifs_sb = CIFS_SB(sb);
@@ -172,6 +222,8 @@ int cifs_posix_open(char *full_path, struct inode **pinode,
172 if (oflags & O_DIRECT) 222 if (oflags & O_DIRECT)
173 posix_flags |= SMB_O_DIRECT; 223 posix_flags |= SMB_O_DIRECT;
174 224
225 if (!(oflags & FMODE_READ))
226 write_only = true;
175 227
176 rc = CIFSPOSIXCreate(xid, cifs_sb->tcon, posix_flags, mode, 228 rc = CIFSPOSIXCreate(xid, cifs_sb->tcon, posix_flags, mode,
177 pnetfid, presp_data, &oplock, full_path, 229 pnetfid, presp_data, &oplock, full_path,
@@ -187,8 +239,10 @@ int cifs_posix_open(char *full_path, struct inode **pinode,
187 if (!pinode) 239 if (!pinode)
188 goto posix_open_ret; /* caller does not need info */ 240 goto posix_open_ret; /* caller does not need info */
189 241
190 if (*pinode == NULL) 242 if (*pinode == NULL) {
191 *pinode = cifs_new_inode(sb, &presp_data->UniqueId); 243 __u64 unique_id = le64_to_cpu(presp_data->UniqueId);
244 *pinode = cifs_new_inode(sb, &unique_id);
245 }
192 /* else an inode was passed in. Update its info, don't create one */ 246 /* else an inode was passed in. Update its info, don't create one */
193 247
194 /* We do not need to close the file if new_inode fails since 248 /* We do not need to close the file if new_inode fails since
@@ -198,6 +252,8 @@ int cifs_posix_open(char *full_path, struct inode **pinode,
198 252
199 posix_fill_in_inode(*pinode, presp_data, 1); 253 posix_fill_in_inode(*pinode, presp_data, 1);
200 254
255 cifs_fill_fileinfo(*pinode, *pnetfid, cifs_sb->tcon, write_only);
256
201posix_open_ret: 257posix_open_ret:
202 kfree(presp_data); 258 kfree(presp_data);
203 return rc; 259 return rc;
@@ -239,7 +295,6 @@ cifs_create(struct inode *inode, struct dentry *direntry, int mode,
239 char *full_path = NULL; 295 char *full_path = NULL;
240 FILE_ALL_INFO *buf = NULL; 296 FILE_ALL_INFO *buf = NULL;
241 struct inode *newinode = NULL; 297 struct inode *newinode = NULL;
242 struct cifsInodeInfo *pCifsInode;
243 int disposition = FILE_OVERWRITE_IF; 298 int disposition = FILE_OVERWRITE_IF;
244 bool write_only = false; 299 bool write_only = false;
245 300
@@ -410,44 +465,8 @@ cifs_create_set_dentry:
410 /* mknod case - do not leave file open */ 465 /* mknod case - do not leave file open */
411 CIFSSMBClose(xid, tcon, fileHandle); 466 CIFSSMBClose(xid, tcon, fileHandle);
412 } else if (newinode) { 467 } else if (newinode) {
413 struct cifsFileInfo *pCifsFile = 468 cifs_fill_fileinfo(newinode, fileHandle,
414 kzalloc(sizeof(struct cifsFileInfo), GFP_KERNEL); 469 cifs_sb->tcon, write_only);
415
416 if (pCifsFile == NULL)
417 goto cifs_create_out;
418 pCifsFile->netfid = fileHandle;
419 pCifsFile->pid = current->tgid;
420 pCifsFile->pInode = newinode;
421 pCifsFile->invalidHandle = false;
422 pCifsFile->closePend = false;
423 init_MUTEX(&pCifsFile->fh_sem);
424 mutex_init(&pCifsFile->lock_mutex);
425 INIT_LIST_HEAD(&pCifsFile->llist);
426 atomic_set(&pCifsFile->wrtPending, 0);
427
428 /* set the following in open now
429 pCifsFile->pfile = file; */
430 write_lock(&GlobalSMBSeslock);
431 list_add(&pCifsFile->tlist, &tcon->openFileList);
432 pCifsInode = CIFS_I(newinode);
433 if (pCifsInode) {
434 /* if readable file instance put first in list*/
435 if (write_only) {
436 list_add_tail(&pCifsFile->flist,
437 &pCifsInode->openFileList);
438 } else {
439 list_add(&pCifsFile->flist,
440 &pCifsInode->openFileList);
441 }
442 if ((oplock & 0xF) == OPLOCK_EXCLUSIVE) {
443 pCifsInode->clientCanCacheAll = true;
444 pCifsInode->clientCanCacheRead = true;
445 cFYI(1, ("Exclusive Oplock inode %p",
446 newinode));
447 } else if ((oplock & 0xF) == OPLOCK_READ)
448 pCifsInode->clientCanCacheRead = true;
449 }
450 write_unlock(&GlobalSMBSeslock);
451 } 470 }
452cifs_create_out: 471cifs_create_out:
453 kfree(buf); 472 kfree(buf);
@@ -580,17 +599,21 @@ int cifs_mknod(struct inode *inode, struct dentry *direntry, int mode,
580 return rc; 599 return rc;
581} 600}
582 601
583
584struct dentry * 602struct dentry *
585cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry, 603cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
586 struct nameidata *nd) 604 struct nameidata *nd)
587{ 605{
588 int xid; 606 int xid;
589 int rc = 0; /* to get around spurious gcc warning, set to zero here */ 607 int rc = 0; /* to get around spurious gcc warning, set to zero here */
608 int oplock = 0;
609 int mode;
610 __u16 fileHandle = 0;
611 bool posix_open = false;
590 struct cifs_sb_info *cifs_sb; 612 struct cifs_sb_info *cifs_sb;
591 struct cifsTconInfo *pTcon; 613 struct cifsTconInfo *pTcon;
592 struct inode *newInode = NULL; 614 struct inode *newInode = NULL;
593 char *full_path = NULL; 615 char *full_path = NULL;
616 struct file *filp;
594 617
595 xid = GetXid(); 618 xid = GetXid();
596 619
@@ -632,12 +655,37 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
632 } 655 }
633 cFYI(1, ("Full path: %s inode = 0x%p", full_path, direntry->d_inode)); 656 cFYI(1, ("Full path: %s inode = 0x%p", full_path, direntry->d_inode));
634 657
635 if (pTcon->unix_ext) 658 if (pTcon->unix_ext) {
636 rc = cifs_get_inode_info_unix(&newInode, full_path, 659 if (!(nd->flags & (LOOKUP_PARENT | LOOKUP_DIRECTORY)) &&
637 parent_dir_inode->i_sb, xid); 660 (nd->flags & LOOKUP_OPEN)) {
638 else 661 if (!((nd->intent.open.flags & O_CREAT) &&
662 (nd->intent.open.flags & O_EXCL))) {
663 mode = nd->intent.open.create_mode &
664 ~current_umask();
665 rc = cifs_posix_open(full_path, &newInode,
666 parent_dir_inode->i_sb, mode,
667 nd->intent.open.flags, &oplock,
668 &fileHandle, xid);
669 /*
670 * This code works around a bug in
671 * samba posix open in samba versions 3.3.1
672 * and earlier where create works
673 * but open fails with invalid parameter.
674 * If either of these error codes are
675 * returned, follow the normal lookup.
676 * Otherwise, the error during posix open
677 * is handled.
678 */
679 if ((rc != -EINVAL) && (rc != -EOPNOTSUPP))
680 posix_open = true;
681 }
682 }
683 if (!posix_open)
684 rc = cifs_get_inode_info_unix(&newInode, full_path,
685 parent_dir_inode->i_sb, xid);
686 } else
639 rc = cifs_get_inode_info(&newInode, full_path, NULL, 687 rc = cifs_get_inode_info(&newInode, full_path, NULL,
640 parent_dir_inode->i_sb, xid, NULL); 688 parent_dir_inode->i_sb, xid, NULL);
641 689
642 if ((rc == 0) && (newInode != NULL)) { 690 if ((rc == 0) && (newInode != NULL)) {
643 if (pTcon->nocase) 691 if (pTcon->nocase)
@@ -645,7 +693,8 @@ cifs_lookup(struct inode *parent_dir_inode, struct dentry *direntry,
645 else 693 else
646 direntry->d_op = &cifs_dentry_ops; 694 direntry->d_op = &cifs_dentry_ops;
647 d_add(direntry, newInode); 695 d_add(direntry, newInode);
648 696 if (posix_open)
697 filp = lookup_instantiate_filp(nd, direntry, NULL);
649 /* since paths are not looked up by component - the parent 698 /* since paths are not looked up by component - the parent
650 directories are presumed to be good here */ 699 directories are presumed to be good here */
651 renew_parental_timestamps(direntry); 700 renew_parental_timestamps(direntry);
diff --git a/fs/cifs/dns_resolve.c b/fs/cifs/dns_resolve.c
index 1e0c1bd8f2e4..df4a306f697e 100644
--- a/fs/cifs/dns_resolve.c
+++ b/fs/cifs/dns_resolve.c
@@ -78,7 +78,7 @@ dns_resolver_instantiate(struct key *key, const void *data,
78 } 78 }
79 79
80 key->type_data.x[0] = datalen; 80 key->type_data.x[0] = datalen;
81 rcu_assign_pointer(key->payload.data, ip); 81 key->payload.data = ip;
82 82
83 return rc; 83 return rc;
84} 84}
diff --git a/fs/cifs/file.c b/fs/cifs/file.c
index 81747acca4c4..50ca088d8860 100644
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -46,7 +46,7 @@ static inline struct cifsFileInfo *cifs_init_private(
46 memset(private_data, 0, sizeof(struct cifsFileInfo)); 46 memset(private_data, 0, sizeof(struct cifsFileInfo));
47 private_data->netfid = netfid; 47 private_data->netfid = netfid;
48 private_data->pid = current->tgid; 48 private_data->pid = current->tgid;
49 init_MUTEX(&private_data->fh_sem); 49 mutex_init(&private_data->fh_mutex);
50 mutex_init(&private_data->lock_mutex); 50 mutex_init(&private_data->lock_mutex);
51 INIT_LIST_HEAD(&private_data->llist); 51 INIT_LIST_HEAD(&private_data->llist);
52 private_data->pfile = file; /* needed for writepage */ 52 private_data->pfile = file; /* needed for writepage */
@@ -284,35 +284,32 @@ int cifs_open(struct inode *inode, struct file *file)
284 cifs_sb = CIFS_SB(inode->i_sb); 284 cifs_sb = CIFS_SB(inode->i_sb);
285 tcon = cifs_sb->tcon; 285 tcon = cifs_sb->tcon;
286 286
287 if (file->f_flags & O_CREAT) { 287 /* search inode for this file and fill in file->private_data */
288 /* search inode for this file and fill in file->private_data */ 288 pCifsInode = CIFS_I(file->f_path.dentry->d_inode);
289 pCifsInode = CIFS_I(file->f_path.dentry->d_inode); 289 read_lock(&GlobalSMBSeslock);
290 read_lock(&GlobalSMBSeslock); 290 list_for_each(tmp, &pCifsInode->openFileList) {
291 list_for_each(tmp, &pCifsInode->openFileList) { 291 pCifsFile = list_entry(tmp, struct cifsFileInfo,
292 pCifsFile = list_entry(tmp, struct cifsFileInfo, 292 flist);
293 flist); 293 if ((pCifsFile->pfile == NULL) &&
294 if ((pCifsFile->pfile == NULL) && 294 (pCifsFile->pid == current->tgid)) {
295 (pCifsFile->pid == current->tgid)) { 295 /* mode set in cifs_create */
296 /* mode set in cifs_create */ 296
297 297 /* needed for writepage */
298 /* needed for writepage */ 298 pCifsFile->pfile = file;
299 pCifsFile->pfile = file; 299
300 300 file->private_data = pCifsFile;
301 file->private_data = pCifsFile; 301 break;
302 break;
303 }
304 }
305 read_unlock(&GlobalSMBSeslock);
306 if (file->private_data != NULL) {
307 rc = 0;
308 FreeXid(xid);
309 return rc;
310 } else {
311 if (file->f_flags & O_EXCL)
312 cERROR(1, ("could not find file instance for "
313 "new file %p", file));
314 } 302 }
315 } 303 }
304 read_unlock(&GlobalSMBSeslock);
305
306 if (file->private_data != NULL) {
307 rc = 0;
308 FreeXid(xid);
309 return rc;
310 } else if ((file->f_flags & O_CREAT) && (file->f_flags & O_EXCL))
311 cERROR(1, ("could not find file instance for "
312 "new file %p", file));
316 313
317 full_path = build_path_from_dentry(file->f_path.dentry); 314 full_path = build_path_from_dentry(file->f_path.dentry);
318 if (full_path == NULL) { 315 if (full_path == NULL) {
@@ -500,9 +497,9 @@ static int cifs_reopen_file(struct file *file, bool can_flush)
500 return -EBADF; 497 return -EBADF;
501 498
502 xid = GetXid(); 499 xid = GetXid();
503 down(&pCifsFile->fh_sem); 500 mutex_unlock(&pCifsFile->fh_mutex);
504 if (!pCifsFile->invalidHandle) { 501 if (!pCifsFile->invalidHandle) {
505 up(&pCifsFile->fh_sem); 502 mutex_lock(&pCifsFile->fh_mutex);
506 FreeXid(xid); 503 FreeXid(xid);
507 return 0; 504 return 0;
508 } 505 }
@@ -533,7 +530,7 @@ static int cifs_reopen_file(struct file *file, bool can_flush)
533 if (full_path == NULL) { 530 if (full_path == NULL) {
534 rc = -ENOMEM; 531 rc = -ENOMEM;
535reopen_error_exit: 532reopen_error_exit:
536 up(&pCifsFile->fh_sem); 533 mutex_lock(&pCifsFile->fh_mutex);
537 FreeXid(xid); 534 FreeXid(xid);
538 return rc; 535 return rc;
539 } 536 }
@@ -575,14 +572,14 @@ reopen_error_exit:
575 cifs_sb->local_nls, cifs_sb->mnt_cifs_flags & 572 cifs_sb->local_nls, cifs_sb->mnt_cifs_flags &
576 CIFS_MOUNT_MAP_SPECIAL_CHR); 573 CIFS_MOUNT_MAP_SPECIAL_CHR);
577 if (rc) { 574 if (rc) {
578 up(&pCifsFile->fh_sem); 575 mutex_lock(&pCifsFile->fh_mutex);
579 cFYI(1, ("cifs_open returned 0x%x", rc)); 576 cFYI(1, ("cifs_open returned 0x%x", rc));
580 cFYI(1, ("oplock: %d", oplock)); 577 cFYI(1, ("oplock: %d", oplock));
581 } else { 578 } else {
582reopen_success: 579reopen_success:
583 pCifsFile->netfid = netfid; 580 pCifsFile->netfid = netfid;
584 pCifsFile->invalidHandle = false; 581 pCifsFile->invalidHandle = false;
585 up(&pCifsFile->fh_sem); 582 mutex_lock(&pCifsFile->fh_mutex);
586 pCifsInode = CIFS_I(inode); 583 pCifsInode = CIFS_I(inode);
587 if (pCifsInode) { 584 if (pCifsInode) {
588 if (can_flush) { 585 if (can_flush) {
@@ -971,6 +968,40 @@ int cifs_lock(struct file *file, int cmd, struct file_lock *pfLock)
971 return rc; 968 return rc;
972} 969}
973 970
971/*
972 * Set the timeout on write requests past EOF. For some servers (Windows)
973 * these calls can be very long.
974 *
975 * If we're writing >10M past the EOF we give a 180s timeout. Anything less
976 * than that gets a 45s timeout. Writes not past EOF get 15s timeouts.
977 * The 10M cutoff is totally arbitrary. A better scheme for this would be
978 * welcome if someone wants to suggest one.
979 *
980 * We may be able to do a better job with this if there were some way to
981 * declare that a file should be sparse.
982 */
983static int
984cifs_write_timeout(struct cifsInodeInfo *cifsi, loff_t offset)
985{
986 if (offset <= cifsi->server_eof)
987 return CIFS_STD_OP;
988 else if (offset > (cifsi->server_eof + (10 * 1024 * 1024)))
989 return CIFS_VLONG_OP;
990 else
991 return CIFS_LONG_OP;
992}
993
994/* update the file size (if needed) after a write */
995static void
996cifs_update_eof(struct cifsInodeInfo *cifsi, loff_t offset,
997 unsigned int bytes_written)
998{
999 loff_t end_of_write = offset + bytes_written;
1000
1001 if (end_of_write > cifsi->server_eof)
1002 cifsi->server_eof = end_of_write;
1003}
1004
974ssize_t cifs_user_write(struct file *file, const char __user *write_data, 1005ssize_t cifs_user_write(struct file *file, const char __user *write_data,
975 size_t write_size, loff_t *poffset) 1006 size_t write_size, loff_t *poffset)
976{ 1007{
@@ -981,6 +1012,7 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
981 struct cifsTconInfo *pTcon; 1012 struct cifsTconInfo *pTcon;
982 int xid, long_op; 1013 int xid, long_op;
983 struct cifsFileInfo *open_file; 1014 struct cifsFileInfo *open_file;
1015 struct cifsInodeInfo *cifsi = CIFS_I(file->f_path.dentry->d_inode);
984 1016
985 cifs_sb = CIFS_SB(file->f_path.dentry->d_sb); 1017 cifs_sb = CIFS_SB(file->f_path.dentry->d_sb);
986 1018
@@ -1000,11 +1032,7 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
1000 1032
1001 xid = GetXid(); 1033 xid = GetXid();
1002 1034
1003 if (*poffset > file->f_path.dentry->d_inode->i_size) 1035 long_op = cifs_write_timeout(cifsi, *poffset);
1004 long_op = CIFS_VLONG_OP; /* writes past EOF take long time */
1005 else
1006 long_op = CIFS_LONG_OP;
1007
1008 for (total_written = 0; write_size > total_written; 1036 for (total_written = 0; write_size > total_written;
1009 total_written += bytes_written) { 1037 total_written += bytes_written) {
1010 rc = -EAGAIN; 1038 rc = -EAGAIN;
@@ -1048,8 +1076,10 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
1048 FreeXid(xid); 1076 FreeXid(xid);
1049 return rc; 1077 return rc;
1050 } 1078 }
1051 } else 1079 } else {
1080 cifs_update_eof(cifsi, *poffset, bytes_written);
1052 *poffset += bytes_written; 1081 *poffset += bytes_written;
1082 }
1053 long_op = CIFS_STD_OP; /* subsequent writes fast - 1083 long_op = CIFS_STD_OP; /* subsequent writes fast -
1054 15 seconds is plenty */ 1084 15 seconds is plenty */
1055 } 1085 }
@@ -1085,6 +1115,7 @@ static ssize_t cifs_write(struct file *file, const char *write_data,
1085 struct cifsTconInfo *pTcon; 1115 struct cifsTconInfo *pTcon;
1086 int xid, long_op; 1116 int xid, long_op;
1087 struct cifsFileInfo *open_file; 1117 struct cifsFileInfo *open_file;
1118 struct cifsInodeInfo *cifsi = CIFS_I(file->f_path.dentry->d_inode);
1088 1119
1089 cifs_sb = CIFS_SB(file->f_path.dentry->d_sb); 1120 cifs_sb = CIFS_SB(file->f_path.dentry->d_sb);
1090 1121
@@ -1099,11 +1130,7 @@ static ssize_t cifs_write(struct file *file, const char *write_data,
1099 1130
1100 xid = GetXid(); 1131 xid = GetXid();
1101 1132
1102 if (*poffset > file->f_path.dentry->d_inode->i_size) 1133 long_op = cifs_write_timeout(cifsi, *poffset);
1103 long_op = CIFS_VLONG_OP; /* writes past EOF can be slow */
1104 else
1105 long_op = CIFS_LONG_OP;
1106
1107 for (total_written = 0; write_size > total_written; 1134 for (total_written = 0; write_size > total_written;
1108 total_written += bytes_written) { 1135 total_written += bytes_written) {
1109 rc = -EAGAIN; 1136 rc = -EAGAIN;
@@ -1166,8 +1193,10 @@ static ssize_t cifs_write(struct file *file, const char *write_data,
1166 FreeXid(xid); 1193 FreeXid(xid);
1167 return rc; 1194 return rc;
1168 } 1195 }
1169 } else 1196 } else {
1197 cifs_update_eof(cifsi, *poffset, bytes_written);
1170 *poffset += bytes_written; 1198 *poffset += bytes_written;
1199 }
1171 long_op = CIFS_STD_OP; /* subsequent writes fast - 1200 long_op = CIFS_STD_OP; /* subsequent writes fast -
1172 15 seconds is plenty */ 1201 15 seconds is plenty */
1173 } 1202 }
@@ -1380,11 +1409,12 @@ static int cifs_writepages(struct address_space *mapping,
1380 int nr_pages; 1409 int nr_pages;
1381 __u64 offset = 0; 1410 __u64 offset = 0;
1382 struct cifsFileInfo *open_file; 1411 struct cifsFileInfo *open_file;
1412 struct cifsInodeInfo *cifsi = CIFS_I(mapping->host);
1383 struct page *page; 1413 struct page *page;
1384 struct pagevec pvec; 1414 struct pagevec pvec;
1385 int rc = 0; 1415 int rc = 0;
1386 int scanned = 0; 1416 int scanned = 0;
1387 int xid; 1417 int xid, long_op;
1388 1418
1389 cifs_sb = CIFS_SB(mapping->host->i_sb); 1419 cifs_sb = CIFS_SB(mapping->host->i_sb);
1390 1420
@@ -1528,12 +1558,15 @@ retry:
1528 cERROR(1, ("No writable handles for inode")); 1558 cERROR(1, ("No writable handles for inode"));
1529 rc = -EBADF; 1559 rc = -EBADF;
1530 } else { 1560 } else {
1561 long_op = cifs_write_timeout(cifsi, offset);
1531 rc = CIFSSMBWrite2(xid, cifs_sb->tcon, 1562 rc = CIFSSMBWrite2(xid, cifs_sb->tcon,
1532 open_file->netfid, 1563 open_file->netfid,
1533 bytes_to_write, offset, 1564 bytes_to_write, offset,
1534 &bytes_written, iov, n_iov, 1565 &bytes_written, iov, n_iov,
1535 CIFS_LONG_OP); 1566 long_op);
1536 atomic_dec(&open_file->wrtPending); 1567 atomic_dec(&open_file->wrtPending);
1568 cifs_update_eof(cifsi, offset, bytes_written);
1569
1537 if (rc || bytes_written < bytes_to_write) { 1570 if (rc || bytes_written < bytes_to_write) {
1538 cERROR(1, ("Write2 ret %d, wrote %d", 1571 cERROR(1, ("Write2 ret %d, wrote %d",
1539 rc, bytes_written)); 1572 rc, bytes_written));
diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
index f121a80fdd6f..f36b4e40e443 100644
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -143,6 +143,7 @@ static void cifs_unix_info_to_inode(struct inode *inode,
143 143
144 inode->i_nlink = le64_to_cpu(info->Nlinks); 144 inode->i_nlink = le64_to_cpu(info->Nlinks);
145 145
146 cifsInfo->server_eof = end_of_file;
146 spin_lock(&inode->i_lock); 147 spin_lock(&inode->i_lock);
147 if (is_size_safe_to_change(cifsInfo, end_of_file)) { 148 if (is_size_safe_to_change(cifsInfo, end_of_file)) {
148 /* 149 /*
@@ -276,7 +277,8 @@ int cifs_get_inode_info_unix(struct inode **pinode,
276 277
277 /* get new inode */ 278 /* get new inode */
278 if (*pinode == NULL) { 279 if (*pinode == NULL) {
279 *pinode = cifs_new_inode(sb, &find_data.UniqueId); 280 __u64 unique_id = le64_to_cpu(find_data.UniqueId);
281 *pinode = cifs_new_inode(sb, &unique_id);
280 if (*pinode == NULL) { 282 if (*pinode == NULL) {
281 rc = -ENOMEM; 283 rc = -ENOMEM;
282 goto cgiiu_exit; 284 goto cgiiu_exit;
@@ -605,12 +607,12 @@ int cifs_get_inode_info(struct inode **pinode,
605 inode->i_mode |= S_IFREG; 607 inode->i_mode |= S_IFREG;
606 } 608 }
607 609
610 cifsInfo->server_eof = le64_to_cpu(pfindData->EndOfFile);
608 spin_lock(&inode->i_lock); 611 spin_lock(&inode->i_lock);
609 if (is_size_safe_to_change(cifsInfo, 612 if (is_size_safe_to_change(cifsInfo, cifsInfo->server_eof)) {
610 le64_to_cpu(pfindData->EndOfFile))) {
611 /* can not safely shrink the file size here if the 613 /* can not safely shrink the file size here if the
612 client is writing to it due to potential races */ 614 client is writing to it due to potential races */
613 i_size_write(inode, le64_to_cpu(pfindData->EndOfFile)); 615 i_size_write(inode, cifsInfo->server_eof);
614 616
615 /* 512 bytes (2**9) is the fake blocksize that must be 617 /* 512 bytes (2**9) is the fake blocksize that must be
616 used for this calculation */ 618 used for this calculation */
@@ -1138,6 +1140,7 @@ int cifs_mkdir(struct inode *inode, struct dentry *direntry, int mode)
1138 cFYI(1, ("posix mkdir returned 0x%x", rc)); 1140 cFYI(1, ("posix mkdir returned 0x%x", rc));
1139 d_drop(direntry); 1141 d_drop(direntry);
1140 } else { 1142 } else {
1143 __u64 unique_id;
1141 if (pInfo->Type == cpu_to_le32(-1)) { 1144 if (pInfo->Type == cpu_to_le32(-1)) {
1142 /* no return info, go query for it */ 1145 /* no return info, go query for it */
1143 kfree(pInfo); 1146 kfree(pInfo);
@@ -1151,8 +1154,8 @@ int cifs_mkdir(struct inode *inode, struct dentry *direntry, int mode)
1151 else 1154 else
1152 direntry->d_op = &cifs_dentry_ops; 1155 direntry->d_op = &cifs_dentry_ops;
1153 1156
1154 newinode = cifs_new_inode(inode->i_sb, 1157 unique_id = le64_to_cpu(pInfo->UniqueId);
1155 &pInfo->UniqueId); 1158 newinode = cifs_new_inode(inode->i_sb, &unique_id);
1156 if (newinode == NULL) { 1159 if (newinode == NULL) {
1157 kfree(pInfo); 1160 kfree(pInfo);
1158 goto mkdir_get_info; 1161 goto mkdir_get_info;
@@ -1450,7 +1453,8 @@ int cifs_rename(struct inode *source_dir, struct dentry *source_dentry,
1450 checking the UniqueId via FILE_INTERNAL_INFO */ 1453 checking the UniqueId via FILE_INTERNAL_INFO */
1451 1454
1452unlink_target: 1455unlink_target:
1453 if ((rc == -EACCES) || (rc == -EEXIST)) { 1456 /* Try unlinking the target dentry if it's not negative */
1457 if (target_dentry->d_inode && (rc == -EACCES || rc == -EEXIST)) {
1454 tmprc = cifs_unlink(target_dir, target_dentry); 1458 tmprc = cifs_unlink(target_dir, target_dentry);
1455 if (tmprc) 1459 if (tmprc)
1456 goto cifs_rename_exit; 1460 goto cifs_rename_exit;
@@ -1753,6 +1757,7 @@ cifs_set_file_size(struct inode *inode, struct iattr *attrs,
1753 } 1757 }
1754 1758
1755 if (rc == 0) { 1759 if (rc == 0) {
1760 cifsInode->server_eof = attrs->ia_size;
1756 rc = cifs_vmtruncate(inode, attrs->ia_size); 1761 rc = cifs_vmtruncate(inode, attrs->ia_size);
1757 cifs_truncate_page(inode->i_mapping, inode->i_size); 1762 cifs_truncate_page(inode->i_mapping, inode->i_size);
1758 } 1763 }
@@ -1792,20 +1797,21 @@ cifs_setattr_unix(struct dentry *direntry, struct iattr *attrs)
1792 goto out; 1797 goto out;
1793 } 1798 }
1794 1799
1795 if ((attrs->ia_valid & ATTR_MTIME) || (attrs->ia_valid & ATTR_SIZE)) { 1800 /*
1796 /* 1801 * Attempt to flush data before changing attributes. We need to do
1797 Flush data before changing file size or changing the last 1802 * this for ATTR_SIZE and ATTR_MTIME for sure, and if we change the
1798 write time of the file on the server. If the 1803 * ownership or mode then we may also need to do this. Here, we take
1799 flush returns error, store it to report later and continue. 1804 * the safe way out and just do the flush on all setattr requests. If
1800 BB: This should be smarter. Why bother flushing pages that 1805 * the flush returns error, store it to report later and continue.
1801 will be truncated anyway? Also, should we error out here if 1806 *
1802 the flush returns error? 1807 * BB: This should be smarter. Why bother flushing pages that
1803 */ 1808 * will be truncated anyway? Also, should we error out here if
1804 rc = filemap_write_and_wait(inode->i_mapping); 1809 * the flush returns error?
1805 if (rc != 0) { 1810 */
1806 cifsInode->write_behind_rc = rc; 1811 rc = filemap_write_and_wait(inode->i_mapping);
1807 rc = 0; 1812 if (rc != 0) {
1808 } 1813 cifsInode->write_behind_rc = rc;
1814 rc = 0;
1809 } 1815 }
1810 1816
1811 if (attrs->ia_valid & ATTR_SIZE) { 1817 if (attrs->ia_valid & ATTR_SIZE) {
@@ -1903,20 +1909,21 @@ cifs_setattr_nounix(struct dentry *direntry, struct iattr *attrs)
1903 return -ENOMEM; 1909 return -ENOMEM;
1904 } 1910 }
1905 1911
1906 if ((attrs->ia_valid & ATTR_MTIME) || (attrs->ia_valid & ATTR_SIZE)) { 1912 /*
1907 /* 1913 * Attempt to flush data before changing attributes. We need to do
1908 Flush data before changing file size or changing the last 1914 * this for ATTR_SIZE and ATTR_MTIME for sure, and if we change the
1909 write time of the file on the server. If the 1915 * ownership or mode then we may also need to do this. Here, we take
1910 flush returns error, store it to report later and continue. 1916 * the safe way out and just do the flush on all setattr requests. If
1911 BB: This should be smarter. Why bother flushing pages that 1917 * the flush returns error, store it to report later and continue.
1912 will be truncated anyway? Also, should we error out here if 1918 *
1913 the flush returns error? 1919 * BB: This should be smarter. Why bother flushing pages that
1914 */ 1920 * will be truncated anyway? Also, should we error out here if
1915 rc = filemap_write_and_wait(inode->i_mapping); 1921 * the flush returns error?
1916 if (rc != 0) { 1922 */
1917 cifsInode->write_behind_rc = rc; 1923 rc = filemap_write_and_wait(inode->i_mapping);
1918 rc = 0; 1924 if (rc != 0) {
1919 } 1925 cifsInode->write_behind_rc = rc;
1926 rc = 0;
1920 } 1927 }
1921 1928
1922 if (attrs->ia_valid & ATTR_SIZE) { 1929 if (attrs->ia_valid & ATTR_SIZE) {
diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c
index c2c01ff4c32c..1a8be6228333 100644
--- a/fs/cifs/readdir.c
+++ b/fs/cifs/readdir.c
@@ -239,6 +239,7 @@ static void fill_in_inode(struct inode *tmp_inode, int new_buf_type,
239 if (atomic_read(&cifsInfo->inUse) == 0) 239 if (atomic_read(&cifsInfo->inUse) == 0)
240 atomic_set(&cifsInfo->inUse, 1); 240 atomic_set(&cifsInfo->inUse, 1);
241 241
242 cifsInfo->server_eof = end_of_file;
242 spin_lock(&tmp_inode->i_lock); 243 spin_lock(&tmp_inode->i_lock);
243 if (is_size_safe_to_change(cifsInfo, end_of_file)) { 244 if (is_size_safe_to_change(cifsInfo, end_of_file)) {
244 /* can not safely change the file size here if the 245 /* can not safely change the file size here if the
@@ -375,6 +376,7 @@ static void unix_fill_in_inode(struct inode *tmp_inode,
375 tmp_inode->i_gid = le64_to_cpu(pfindData->Gid); 376 tmp_inode->i_gid = le64_to_cpu(pfindData->Gid);
376 tmp_inode->i_nlink = le64_to_cpu(pfindData->Nlinks); 377 tmp_inode->i_nlink = le64_to_cpu(pfindData->Nlinks);
377 378
379 cifsInfo->server_eof = end_of_file;
378 spin_lock(&tmp_inode->i_lock); 380 spin_lock(&tmp_inode->i_lock);
379 if (is_size_safe_to_change(cifsInfo, end_of_file)) { 381 if (is_size_safe_to_change(cifsInfo, end_of_file)) {
380 /* can not safely change the file size here if the 382 /* can not safely change the file size here if the
@@ -840,7 +842,7 @@ static int cifs_get_name_from_search_buf(struct qstr *pqst,
840 len = strnlen(filename, PATH_MAX); 842 len = strnlen(filename, PATH_MAX);
841 } 843 }
842 844
843 *pinum = pFindData->UniqueId; 845 *pinum = le64_to_cpu(pFindData->UniqueId);
844 } else if (level == SMB_FIND_FILE_DIRECTORY_INFO) { 846 } else if (level == SMB_FIND_FILE_DIRECTORY_INFO) {
845 FILE_DIRECTORY_INFO *pFindData = 847 FILE_DIRECTORY_INFO *pFindData =
846 (FILE_DIRECTORY_INFO *)current_entry; 848 (FILE_DIRECTORY_INFO *)current_entry;
@@ -856,7 +858,7 @@ static int cifs_get_name_from_search_buf(struct qstr *pqst,
856 (SEARCH_ID_FULL_DIR_INFO *)current_entry; 858 (SEARCH_ID_FULL_DIR_INFO *)current_entry;
857 filename = &pFindData->FileName[0]; 859 filename = &pFindData->FileName[0];
858 len = le32_to_cpu(pFindData->FileNameLength); 860 len = le32_to_cpu(pFindData->FileNameLength);
859 *pinum = pFindData->UniqueId; 861 *pinum = le64_to_cpu(pFindData->UniqueId);
860 } else if (level == SMB_FIND_FILE_BOTH_DIRECTORY_INFO) { 862 } else if (level == SMB_FIND_FILE_BOTH_DIRECTORY_INFO) {
861 FILE_BOTH_DIRECTORY_INFO *pFindData = 863 FILE_BOTH_DIRECTORY_INFO *pFindData =
862 (FILE_BOTH_DIRECTORY_INFO *)current_entry; 864 (FILE_BOTH_DIRECTORY_INFO *)current_entry;
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 5c68b4282be9..c652c73760dd 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -285,35 +285,36 @@ static int decode_unicode_ssetup(char **pbcc_area, int bleft,
285 int words_left, len; 285 int words_left, len;
286 char *data = *pbcc_area; 286 char *data = *pbcc_area;
287 287
288
289
290 cFYI(1, ("bleft %d", bleft)); 288 cFYI(1, ("bleft %d", bleft));
291 289
292 290 /*
293 /* SMB header is unaligned, so cifs servers word align start of 291 * Windows servers do not always double null terminate their final
294 Unicode strings */ 292 * Unicode string. Check to see if there are an uneven number of bytes
295 data++; 293 * left. If so, then add an extra NULL pad byte to the end of the
296 bleft--; /* Windows servers do not always double null terminate 294 * response.
297 their final Unicode string - in which case we 295 *
298 now will not attempt to decode the byte of junk 296 * See section 2.7.2 in "Implementing CIFS" for details
299 which follows it */ 297 */
298 if (bleft % 2) {
299 data[bleft] = 0;
300 ++bleft;
301 }
300 302
301 words_left = bleft / 2; 303 words_left = bleft / 2;
302 304
303 /* save off server operating system */ 305 /* save off server operating system */
304 len = UniStrnlen((wchar_t *) data, words_left); 306 len = UniStrnlen((wchar_t *) data, words_left);
305 307
306/* We look for obvious messed up bcc or strings in response so we do not go off
307 the end since (at least) WIN2K and Windows XP have a major bug in not null
308 terminating last Unicode string in response */
309 if (len >= words_left) 308 if (len >= words_left)
310 return rc; 309 return rc;
311 310
312 kfree(ses->serverOS); 311 kfree(ses->serverOS);
313 /* UTF-8 string will not grow more than four times as big as UCS-16 */ 312 /* UTF-8 string will not grow more than four times as big as UCS-16 */
314 ses->serverOS = kzalloc((4 * len) + 2 /* trailing null */, GFP_KERNEL); 313 ses->serverOS = kzalloc((4 * len) + 2 /* trailing null */, GFP_KERNEL);
315 if (ses->serverOS != NULL) 314 if (ses->serverOS != NULL) {
316 cifs_strfromUCS_le(ses->serverOS, (__le16 *)data, len, nls_cp); 315 cifs_strfromUCS_le(ses->serverOS, (__le16 *)data, len, nls_cp);
316 cFYI(1, ("serverOS=%s", ses->serverOS));
317 }
317 data += 2 * (len + 1); 318 data += 2 * (len + 1);
318 words_left -= len + 1; 319 words_left -= len + 1;
319 320
@@ -328,6 +329,7 @@ static int decode_unicode_ssetup(char **pbcc_area, int bleft,
328 if (ses->serverNOS != NULL) { 329 if (ses->serverNOS != NULL) {
329 cifs_strfromUCS_le(ses->serverNOS, (__le16 *)data, len, 330 cifs_strfromUCS_le(ses->serverNOS, (__le16 *)data, len,
330 nls_cp); 331 nls_cp);
332 cFYI(1, ("serverNOS=%s", ses->serverNOS));
331 if (strncmp(ses->serverNOS, "NT LAN Manager 4", 16) == 0) { 333 if (strncmp(ses->serverNOS, "NT LAN Manager 4", 16) == 0) {
332 cFYI(1, ("NT4 server")); 334 cFYI(1, ("NT4 server"));
333 ses->flags |= CIFS_SES_NT4; 335 ses->flags |= CIFS_SES_NT4;
@@ -343,12 +345,11 @@ static int decode_unicode_ssetup(char **pbcc_area, int bleft,
343 return rc; 345 return rc;
344 346
345 kfree(ses->serverDomain); 347 kfree(ses->serverDomain);
346 ses->serverDomain = kzalloc(2 * (len + 1), GFP_KERNEL); /* BB FIXME wrong length */ 348 ses->serverDomain = kzalloc((4 * len) + 2, GFP_KERNEL);
347 if (ses->serverDomain != NULL) { 349 if (ses->serverDomain != NULL) {
348 cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len, 350 cifs_strfromUCS_le(ses->serverDomain, (__le16 *)data, len,
349 nls_cp); 351 nls_cp);
350 ses->serverDomain[2*len] = 0; 352 cFYI(1, ("serverDomain=%s", ses->serverDomain));
351 ses->serverDomain[(2*len) + 1] = 0;
352 } 353 }
353 data += 2 * (len + 1); 354 data += 2 * (len + 1);
354 words_left -= len + 1; 355 words_left -= len + 1;
@@ -702,12 +703,18 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
702 } 703 }
703 704
704 /* BB check if Unicode and decode strings */ 705 /* BB check if Unicode and decode strings */
705 if (smb_buf->Flags2 & SMBFLG2_UNICODE) 706 if (smb_buf->Flags2 & SMBFLG2_UNICODE) {
707 /* unicode string area must be word-aligned */
708 if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) {
709 ++bcc_ptr;
710 --bytes_remaining;
711 }
706 rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining, 712 rc = decode_unicode_ssetup(&bcc_ptr, bytes_remaining,
707 ses, nls_cp); 713 ses, nls_cp);
708 else 714 } else {
709 rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining, 715 rc = decode_ascii_ssetup(&bcc_ptr, bytes_remaining,
710 ses, nls_cp); 716 ses, nls_cp);
717 }
711 718
712ssetup_exit: 719ssetup_exit:
713 if (spnego_key) { 720 if (spnego_key) {
diff --git a/fs/compat.c b/fs/compat.c
index 3f84d5f15889..379a399bf5c3 100644
--- a/fs/compat.c
+++ b/fs/compat.c
@@ -181,22 +181,24 @@ asmlinkage long compat_sys_newstat(char __user * filename,
181 struct compat_stat __user *statbuf) 181 struct compat_stat __user *statbuf)
182{ 182{
183 struct kstat stat; 183 struct kstat stat;
184 int error = vfs_stat_fd(AT_FDCWD, filename, &stat); 184 int error;
185 185
186 if (!error) 186 error = vfs_stat(filename, &stat);
187 error = cp_compat_stat(&stat, statbuf); 187 if (error)
188 return error; 188 return error;
189 return cp_compat_stat(&stat, statbuf);
189} 190}
190 191
191asmlinkage long compat_sys_newlstat(char __user * filename, 192asmlinkage long compat_sys_newlstat(char __user * filename,
192 struct compat_stat __user *statbuf) 193 struct compat_stat __user *statbuf)
193{ 194{
194 struct kstat stat; 195 struct kstat stat;
195 int error = vfs_lstat_fd(AT_FDCWD, filename, &stat); 196 int error;
196 197
197 if (!error) 198 error = vfs_lstat(filename, &stat);
198 error = cp_compat_stat(&stat, statbuf); 199 if (error)
199 return error; 200 return error;
201 return cp_compat_stat(&stat, statbuf);
200} 202}
201 203
202#ifndef __ARCH_WANT_STAT64 204#ifndef __ARCH_WANT_STAT64
@@ -204,21 +206,12 @@ asmlinkage long compat_sys_newfstatat(unsigned int dfd, char __user *filename,
204 struct compat_stat __user *statbuf, int flag) 206 struct compat_stat __user *statbuf, int flag)
205{ 207{
206 struct kstat stat; 208 struct kstat stat;
207 int error = -EINVAL; 209 int error;
208
209 if ((flag & ~AT_SYMLINK_NOFOLLOW) != 0)
210 goto out;
211
212 if (flag & AT_SYMLINK_NOFOLLOW)
213 error = vfs_lstat_fd(dfd, filename, &stat);
214 else
215 error = vfs_stat_fd(dfd, filename, &stat);
216
217 if (!error)
218 error = cp_compat_stat(&stat, statbuf);
219 210
220out: 211 error = vfs_fstatat(dfd, filename, &stat, flag);
221 return error; 212 if (error)
213 return error;
214 return cp_compat_stat(&stat, statbuf);
222} 215}
223#endif 216#endif
224 217
diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
index 3e87ce443ea2..b83f6bcfa51a 100644
--- a/fs/compat_ioctl.c
+++ b/fs/compat_ioctl.c
@@ -58,7 +58,6 @@
58#include <linux/i2c.h> 58#include <linux/i2c.h>
59#include <linux/i2c-dev.h> 59#include <linux/i2c-dev.h>
60#include <linux/atalk.h> 60#include <linux/atalk.h>
61#include <linux/loop.h>
62 61
63#include <net/bluetooth/bluetooth.h> 62#include <net/bluetooth/bluetooth.h>
64#include <net/bluetooth/hci.h> 63#include <net/bluetooth/hci.h>
@@ -68,6 +67,7 @@
68#include <linux/gigaset_dev.h> 67#include <linux/gigaset_dev.h>
69 68
70#ifdef CONFIG_BLOCK 69#ifdef CONFIG_BLOCK
70#include <linux/loop.h>
71#include <scsi/scsi.h> 71#include <scsi/scsi.h>
72#include <scsi/scsi_ioctl.h> 72#include <scsi/scsi_ioctl.h>
73#include <scsi/sg.h> 73#include <scsi/sg.h>
@@ -2660,6 +2660,8 @@ HANDLE_IOCTL(SONET_GETFRAMING, do_atm_ioctl)
2660HANDLE_IOCTL(SONET_GETFRSENSE, do_atm_ioctl) 2660HANDLE_IOCTL(SONET_GETFRSENSE, do_atm_ioctl)
2661/* block stuff */ 2661/* block stuff */
2662#ifdef CONFIG_BLOCK 2662#ifdef CONFIG_BLOCK
2663/* loop */
2664IGNORE_IOCTL(LOOP_CLR_FD)
2663/* Raw devices */ 2665/* Raw devices */
2664HANDLE_IOCTL(RAW_SETBIND, raw_ioctl) 2666HANDLE_IOCTL(RAW_SETBIND, raw_ioctl)
2665HANDLE_IOCTL(RAW_GETBIND, raw_ioctl) 2667HANDLE_IOCTL(RAW_GETBIND, raw_ioctl)
@@ -2728,9 +2730,6 @@ HANDLE_IOCTL(LPSETTIMEOUT, lp_timeout_trans)
2728IGNORE_IOCTL(VFAT_IOCTL_READDIR_BOTH32) 2730IGNORE_IOCTL(VFAT_IOCTL_READDIR_BOTH32)
2729IGNORE_IOCTL(VFAT_IOCTL_READDIR_SHORT32) 2731IGNORE_IOCTL(VFAT_IOCTL_READDIR_SHORT32)
2730 2732
2731/* loop */
2732IGNORE_IOCTL(LOOP_CLR_FD)
2733
2734#ifdef CONFIG_SPARC 2733#ifdef CONFIG_SPARC
2735/* Sparc framebuffers, handled in sbusfb_compat_ioctl() */ 2734/* Sparc framebuffers, handled in sbusfb_compat_ioctl() */
2736IGNORE_IOCTL(FBIOGTYPE) 2735IGNORE_IOCTL(FBIOGTYPE)
diff --git a/fs/dcache.c b/fs/dcache.c
index 761d30be2683..1fcffebfb44f 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -2149,7 +2149,6 @@ int is_subdir(struct dentry *new_dentry, struct dentry *old_dentry)
2149 int result; 2149 int result;
2150 unsigned long seq; 2150 unsigned long seq;
2151 2151
2152 /* FIXME: This is old behavior, needed? Please check callers. */
2153 if (new_dentry == old_dentry) 2152 if (new_dentry == old_dentry)
2154 return 1; 2153 return 1;
2155 2154
diff --git a/fs/direct-io.c b/fs/direct-io.c
index da258e7249cc..05763bbc2050 100644
--- a/fs/direct-io.c
+++ b/fs/direct-io.c
@@ -307,8 +307,6 @@ dio_bio_alloc(struct dio *dio, struct block_device *bdev,
307 struct bio *bio; 307 struct bio *bio;
308 308
309 bio = bio_alloc(GFP_KERNEL, nr_vecs); 309 bio = bio_alloc(GFP_KERNEL, nr_vecs);
310 if (bio == NULL)
311 return -ENOMEM;
312 310
313 bio->bi_bdev = bdev; 311 bio->bi_bdev = bdev;
314 bio->bi_sector = first_sector; 312 bio->bi_sector = first_sector;
diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
index a67fea655f49..dda3c58eefc0 100644
--- a/fs/ecryptfs/miscdev.c
+++ b/fs/ecryptfs/miscdev.c
@@ -418,18 +418,13 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf,
418 418
419 if (count == 0) 419 if (count == 0)
420 goto out; 420 goto out;
421 data = kmalloc(count, GFP_KERNEL); 421
422 if (!data) { 422 data = memdup_user(buf, count);
423 printk(KERN_ERR "%s: Out of memory whilst attempting to " 423 if (IS_ERR(data)) {
424 "kmalloc([%zd], GFP_KERNEL)\n", __func__, count); 424 printk(KERN_ERR "%s: memdup_user returned error [%ld]\n",
425 __func__, PTR_ERR(data));
425 goto out; 426 goto out;
426 } 427 }
427 rc = copy_from_user(data, buf, count);
428 if (rc) {
429 printk(KERN_ERR "%s: copy_from_user returned error [%d]\n",
430 __func__, rc);
431 goto out_free;
432 }
433 sz = count; 428 sz = count;
434 i = 0; 429 i = 0;
435 switch (data[i++]) { 430 switch (data[i++]) {
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 6132353dcf62..2a1cb0979768 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -2416,8 +2416,6 @@ static int ext4_ext_zeroout(struct inode *inode, struct ext4_extent *ex)
2416 len = ee_len; 2416 len = ee_len;
2417 2417
2418 bio = bio_alloc(GFP_NOIO, len); 2418 bio = bio_alloc(GFP_NOIO, len);
2419 if (!bio)
2420 return -ENOMEM;
2421 bio->bi_sector = ee_pblock; 2419 bio->bi_sector = ee_pblock;
2422 bio->bi_bdev = inode->i_sb->s_bdev; 2420 bio->bi_bdev = inode->i_sb->s_bdev;
2423 2421
diff --git a/fs/fat/Kconfig b/fs/fat/Kconfig
index d0a69ff25375..182f9ffe2b51 100644
--- a/fs/fat/Kconfig
+++ b/fs/fat/Kconfig
@@ -95,3 +95,6 @@ config FAT_DEFAULT_IOCHARSET
95 Note that "utf8" is not recommended for FAT filesystems. 95 Note that "utf8" is not recommended for FAT filesystems.
96 If unsure, you shouldn't set "utf8" here. 96 If unsure, you shouldn't set "utf8" here.
97 See <file:Documentation/filesystems/vfat.txt> for more information. 97 See <file:Documentation/filesystems/vfat.txt> for more information.
98
99 Enable any character sets you need in File Systems/Native Language
100 Support.
diff --git a/fs/filesystems.c b/fs/filesystems.c
index 1aa70260e6d1..a24c58e181db 100644
--- a/fs/filesystems.c
+++ b/fs/filesystems.c
@@ -199,7 +199,7 @@ SYSCALL_DEFINE3(sysfs, int, option, unsigned long, arg1, unsigned long, arg2)
199 return retval; 199 return retval;
200} 200}
201 201
202int get_filesystem_list(char * buf) 202int __init get_filesystem_list(char *buf)
203{ 203{
204 int len = 0; 204 int len = 0;
205 struct file_system_type * tmp; 205 struct file_system_type * tmp;
diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
index 3984e47d1d33..1afd9f26bcb1 100644
--- a/fs/gfs2/glock.c
+++ b/fs/gfs2/glock.c
@@ -597,7 +597,6 @@ __acquires(&gl->gl_spin)
597 597
598 GLOCK_BUG_ON(gl, test_bit(GLF_DEMOTE_IN_PROGRESS, &gl->gl_flags)); 598 GLOCK_BUG_ON(gl, test_bit(GLF_DEMOTE_IN_PROGRESS, &gl->gl_flags));
599 599
600 down_read(&gfs2_umount_flush_sem);
601 if (test_bit(GLF_DEMOTE, &gl->gl_flags) && 600 if (test_bit(GLF_DEMOTE, &gl->gl_flags) &&
602 gl->gl_demote_state != gl->gl_state) { 601 gl->gl_demote_state != gl->gl_state) {
603 if (find_first_holder(gl)) 602 if (find_first_holder(gl))
@@ -614,15 +613,14 @@ __acquires(&gl->gl_spin)
614 if (ret == 0) 613 if (ret == 0)
615 goto out_unlock; 614 goto out_unlock;
616 if (ret == 2) 615 if (ret == 2)
617 goto out_sem; 616 goto out;
618 gh = find_first_waiter(gl); 617 gh = find_first_waiter(gl);
619 gl->gl_target = gh->gh_state; 618 gl->gl_target = gh->gh_state;
620 if (!(gh->gh_flags & (LM_FLAG_TRY | LM_FLAG_TRY_1CB))) 619 if (!(gh->gh_flags & (LM_FLAG_TRY | LM_FLAG_TRY_1CB)))
621 do_error(gl, 0); /* Fail queued try locks */ 620 do_error(gl, 0); /* Fail queued try locks */
622 } 621 }
623 do_xmote(gl, gh, gl->gl_target); 622 do_xmote(gl, gh, gl->gl_target);
624out_sem: 623out:
625 up_read(&gfs2_umount_flush_sem);
626 return; 624 return;
627 625
628out_sched: 626out_sched:
@@ -631,7 +629,7 @@ out_sched:
631 gfs2_glock_put(gl); 629 gfs2_glock_put(gl);
632out_unlock: 630out_unlock:
633 clear_bit(GLF_LOCK, &gl->gl_flags); 631 clear_bit(GLF_LOCK, &gl->gl_flags);
634 goto out_sem; 632 goto out;
635} 633}
636 634
637static void glock_work_func(struct work_struct *work) 635static void glock_work_func(struct work_struct *work)
@@ -641,6 +639,7 @@ static void glock_work_func(struct work_struct *work)
641 639
642 if (test_and_clear_bit(GLF_REPLY_PENDING, &gl->gl_flags)) 640 if (test_and_clear_bit(GLF_REPLY_PENDING, &gl->gl_flags))
643 finish_xmote(gl, gl->gl_reply); 641 finish_xmote(gl, gl->gl_reply);
642 down_read(&gfs2_umount_flush_sem);
644 spin_lock(&gl->gl_spin); 643 spin_lock(&gl->gl_spin);
645 if (test_and_clear_bit(GLF_PENDING_DEMOTE, &gl->gl_flags) && 644 if (test_and_clear_bit(GLF_PENDING_DEMOTE, &gl->gl_flags) &&
646 gl->gl_state != LM_ST_UNLOCKED && 645 gl->gl_state != LM_ST_UNLOCKED &&
@@ -653,6 +652,7 @@ static void glock_work_func(struct work_struct *work)
653 } 652 }
654 run_queue(gl, 0); 653 run_queue(gl, 0);
655 spin_unlock(&gl->gl_spin); 654 spin_unlock(&gl->gl_spin);
655 up_read(&gfs2_umount_flush_sem);
656 if (!delay || 656 if (!delay ||
657 queue_delayed_work(glock_workqueue, &gl->gl_work, delay) == 0) 657 queue_delayed_work(glock_workqueue, &gl->gl_work, delay) == 0)
658 gfs2_glock_put(gl); 658 gfs2_glock_put(gl);
diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c
index bf23a62aa925..70f87f43afa2 100644
--- a/fs/gfs2/glops.c
+++ b/fs/gfs2/glops.c
@@ -156,6 +156,12 @@ static void inode_go_sync(struct gfs2_glock *gl)
156 error = filemap_fdatawait(metamapping); 156 error = filemap_fdatawait(metamapping);
157 mapping_set_error(metamapping, error); 157 mapping_set_error(metamapping, error);
158 gfs2_ail_empty_gl(gl); 158 gfs2_ail_empty_gl(gl);
159 /*
160 * Writeback of the data mapping may cause the dirty flag to be set
161 * so we have to clear it again here.
162 */
163 smp_mb__before_clear_bit();
164 clear_bit(GLF_DIRTY, &gl->gl_flags);
159} 165}
160 166
161/** 167/**
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 7b277d449155..5a31d426116f 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -137,15 +137,15 @@ void gfs2_set_iop(struct inode *inode)
137 if (S_ISREG(mode)) { 137 if (S_ISREG(mode)) {
138 inode->i_op = &gfs2_file_iops; 138 inode->i_op = &gfs2_file_iops;
139 if (gfs2_localflocks(sdp)) 139 if (gfs2_localflocks(sdp))
140 inode->i_fop = gfs2_file_fops_nolock; 140 inode->i_fop = &gfs2_file_fops_nolock;
141 else 141 else
142 inode->i_fop = gfs2_file_fops; 142 inode->i_fop = &gfs2_file_fops;
143 } else if (S_ISDIR(mode)) { 143 } else if (S_ISDIR(mode)) {
144 inode->i_op = &gfs2_dir_iops; 144 inode->i_op = &gfs2_dir_iops;
145 if (gfs2_localflocks(sdp)) 145 if (gfs2_localflocks(sdp))
146 inode->i_fop = gfs2_dir_fops_nolock; 146 inode->i_fop = &gfs2_dir_fops_nolock;
147 else 147 else
148 inode->i_fop = gfs2_dir_fops; 148 inode->i_fop = &gfs2_dir_fops;
149 } else if (S_ISLNK(mode)) { 149 } else if (S_ISLNK(mode)) {
150 inode->i_op = &gfs2_symlink_iops; 150 inode->i_op = &gfs2_symlink_iops;
151 } else { 151 } else {
diff --git a/fs/gfs2/inode.h b/fs/gfs2/inode.h
index dca4fee3078b..c30be2b66580 100644
--- a/fs/gfs2/inode.h
+++ b/fs/gfs2/inode.h
@@ -101,21 +101,23 @@ void gfs2_dinode_print(const struct gfs2_inode *ip);
101extern const struct inode_operations gfs2_file_iops; 101extern const struct inode_operations gfs2_file_iops;
102extern const struct inode_operations gfs2_dir_iops; 102extern const struct inode_operations gfs2_dir_iops;
103extern const struct inode_operations gfs2_symlink_iops; 103extern const struct inode_operations gfs2_symlink_iops;
104extern const struct file_operations *gfs2_file_fops_nolock; 104extern const struct file_operations gfs2_file_fops_nolock;
105extern const struct file_operations *gfs2_dir_fops_nolock; 105extern const struct file_operations gfs2_dir_fops_nolock;
106 106
107extern void gfs2_set_inode_flags(struct inode *inode); 107extern void gfs2_set_inode_flags(struct inode *inode);
108 108
109#ifdef CONFIG_GFS2_FS_LOCKING_DLM 109#ifdef CONFIG_GFS2_FS_LOCKING_DLM
110extern const struct file_operations *gfs2_file_fops; 110extern const struct file_operations gfs2_file_fops;
111extern const struct file_operations *gfs2_dir_fops; 111extern const struct file_operations gfs2_dir_fops;
112
112static inline int gfs2_localflocks(const struct gfs2_sbd *sdp) 113static inline int gfs2_localflocks(const struct gfs2_sbd *sdp)
113{ 114{
114 return sdp->sd_args.ar_localflocks; 115 return sdp->sd_args.ar_localflocks;
115} 116}
116#else /* Single node only */ 117#else /* Single node only */
117#define gfs2_file_fops NULL 118#define gfs2_file_fops gfs2_file_fops_nolock
118#define gfs2_dir_fops NULL 119#define gfs2_dir_fops gfs2_dir_fops_nolock
120
119static inline int gfs2_localflocks(const struct gfs2_sbd *sdp) 121static inline int gfs2_localflocks(const struct gfs2_sbd *sdp)
120{ 122{
121 return 1; 123 return 1;
diff --git a/fs/gfs2/ops_file.c b/fs/gfs2/ops_file.c
index 70b9b8548945..5d82e91887e3 100644
--- a/fs/gfs2/ops_file.c
+++ b/fs/gfs2/ops_file.c
@@ -413,7 +413,9 @@ out_unlock:
413 gfs2_glock_dq(&gh); 413 gfs2_glock_dq(&gh);
414out: 414out:
415 gfs2_holder_uninit(&gh); 415 gfs2_holder_uninit(&gh);
416 if (ret) 416 if (ret == -ENOMEM)
417 ret = VM_FAULT_OOM;
418 else if (ret)
417 ret = VM_FAULT_SIGBUS; 419 ret = VM_FAULT_SIGBUS;
418 return ret; 420 return ret;
419} 421}
@@ -705,7 +707,7 @@ static int gfs2_flock(struct file *file, int cmd, struct file_lock *fl)
705 } 707 }
706} 708}
707 709
708const struct file_operations *gfs2_file_fops = &(const struct file_operations){ 710const struct file_operations gfs2_file_fops = {
709 .llseek = gfs2_llseek, 711 .llseek = gfs2_llseek,
710 .read = do_sync_read, 712 .read = do_sync_read,
711 .aio_read = generic_file_aio_read, 713 .aio_read = generic_file_aio_read,
@@ -723,7 +725,7 @@ const struct file_operations *gfs2_file_fops = &(const struct file_operations){
723 .setlease = gfs2_setlease, 725 .setlease = gfs2_setlease,
724}; 726};
725 727
726const struct file_operations *gfs2_dir_fops = &(const struct file_operations){ 728const struct file_operations gfs2_dir_fops = {
727 .readdir = gfs2_readdir, 729 .readdir = gfs2_readdir,
728 .unlocked_ioctl = gfs2_ioctl, 730 .unlocked_ioctl = gfs2_ioctl,
729 .open = gfs2_open, 731 .open = gfs2_open,
@@ -735,7 +737,7 @@ const struct file_operations *gfs2_dir_fops = &(const struct file_operations){
735 737
736#endif /* CONFIG_GFS2_FS_LOCKING_DLM */ 738#endif /* CONFIG_GFS2_FS_LOCKING_DLM */
737 739
738const struct file_operations *gfs2_file_fops_nolock = &(const struct file_operations){ 740const struct file_operations gfs2_file_fops_nolock = {
739 .llseek = gfs2_llseek, 741 .llseek = gfs2_llseek,
740 .read = do_sync_read, 742 .read = do_sync_read,
741 .aio_read = generic_file_aio_read, 743 .aio_read = generic_file_aio_read,
@@ -751,7 +753,7 @@ const struct file_operations *gfs2_file_fops_nolock = &(const struct file_operat
751 .setlease = generic_setlease, 753 .setlease = generic_setlease,
752}; 754};
753 755
754const struct file_operations *gfs2_dir_fops_nolock = &(const struct file_operations){ 756const struct file_operations gfs2_dir_fops_nolock = {
755 .readdir = gfs2_readdir, 757 .readdir = gfs2_readdir,
756 .unlocked_ioctl = gfs2_ioctl, 758 .unlocked_ioctl = gfs2_ioctl,
757 .open = gfs2_open, 759 .open = gfs2_open,
diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 51883b3ad89c..650a730707b7 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -272,11 +272,6 @@ static int gfs2_read_super(struct gfs2_sbd *sdp, sector_t sector)
272 lock_page(page); 272 lock_page(page);
273 273
274 bio = bio_alloc(GFP_NOFS, 1); 274 bio = bio_alloc(GFP_NOFS, 1);
275 if (unlikely(!bio)) {
276 __free_page(page);
277 return -ENOBUFS;
278 }
279
280 bio->bi_sector = sector * (sb->s_blocksize >> 9); 275 bio->bi_sector = sector * (sb->s_blocksize >> 9);
281 bio->bi_bdev = sb->s_bdev; 276 bio->bi_bdev = sb->s_bdev;
282 bio_add_page(bio, page, PAGE_SIZE, 0); 277 bio_add_page(bio, page, PAGE_SIZE, 0);
diff --git a/fs/gfs2/ops_inode.c b/fs/gfs2/ops_inode.c
index abd5429ae285..1c70fa5168d6 100644
--- a/fs/gfs2/ops_inode.c
+++ b/fs/gfs2/ops_inode.c
@@ -371,6 +371,7 @@ static int gfs2_symlink(struct inode *dir, struct dentry *dentry,
371 ip = ghs[1].gh_gl->gl_object; 371 ip = ghs[1].gh_gl->gl_object;
372 372
373 ip->i_disksize = size; 373 ip->i_disksize = size;
374 i_size_write(inode, size);
374 375
375 error = gfs2_meta_inode_buffer(ip, &dibh); 376 error = gfs2_meta_inode_buffer(ip, &dibh);
376 377
diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
index 8d53f66b5bcc..152e6c4a0dca 100644
--- a/fs/gfs2/quota.c
+++ b/fs/gfs2/quota.c
@@ -81,7 +81,7 @@ struct gfs2_quota_change_host {
81 81
82static LIST_HEAD(qd_lru_list); 82static LIST_HEAD(qd_lru_list);
83static atomic_t qd_lru_count = ATOMIC_INIT(0); 83static atomic_t qd_lru_count = ATOMIC_INIT(0);
84static spinlock_t qd_lru_lock = SPIN_LOCK_UNLOCKED; 84static DEFINE_SPINLOCK(qd_lru_lock);
85 85
86int gfs2_shrink_qd_memory(int nr, gfp_t gfp_mask) 86int gfs2_shrink_qd_memory(int nr, gfp_t gfp_mask)
87{ 87{
@@ -1364,7 +1364,7 @@ int gfs2_quotad(void *data)
1364 refrigerator(); 1364 refrigerator();
1365 t = min(quotad_timeo, statfs_timeo); 1365 t = min(quotad_timeo, statfs_timeo);
1366 1366
1367 prepare_to_wait(&sdp->sd_quota_wait, &wait, TASK_UNINTERRUPTIBLE); 1367 prepare_to_wait(&sdp->sd_quota_wait, &wait, TASK_INTERRUPTIBLE);
1368 spin_lock(&sdp->sd_trunc_lock); 1368 spin_lock(&sdp->sd_trunc_lock);
1369 empty = list_empty(&sdp->sd_trunc_list); 1369 empty = list_empty(&sdp->sd_trunc_list);
1370 spin_unlock(&sdp->sd_trunc_lock); 1370 spin_unlock(&sdp->sd_trunc_lock);
diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index 23a3c76711e0..153d9681192b 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -26,7 +26,6 @@
26#include <linux/pagevec.h> 26#include <linux/pagevec.h>
27#include <linux/parser.h> 27#include <linux/parser.h>
28#include <linux/mman.h> 28#include <linux/mman.h>
29#include <linux/quotaops.h>
30#include <linux/slab.h> 29#include <linux/slab.h>
31#include <linux/dnotify.h> 30#include <linux/dnotify.h>
32#include <linux/statfs.h> 31#include <linux/statfs.h>
@@ -842,7 +841,7 @@ hugetlbfs_parse_options(char *options, struct hugetlbfs_config *pconfig)
842bad_val: 841bad_val:
843 printk(KERN_ERR "hugetlbfs: Bad value '%s' for mount option '%s'\n", 842 printk(KERN_ERR "hugetlbfs: Bad value '%s' for mount option '%s'\n",
844 args[0].from, p); 843 args[0].from, p);
845 return 1; 844 return -EINVAL;
846} 845}
847 846
848static int 847static int
diff --git a/fs/inode.c b/fs/inode.c
index d06d6d268de9..6ad14a1cd8c9 100644
--- a/fs/inode.c
+++ b/fs/inode.c
@@ -1470,42 +1470,6 @@ static void __wait_on_freeing_inode(struct inode *inode)
1470 spin_lock(&inode_lock); 1470 spin_lock(&inode_lock);
1471} 1471}
1472 1472
1473/*
1474 * We rarely want to lock two inodes that do not have a parent/child
1475 * relationship (such as directory, child inode) simultaneously. The
1476 * vast majority of file systems should be able to get along fine
1477 * without this. Do not use these functions except as a last resort.
1478 */
1479void inode_double_lock(struct inode *inode1, struct inode *inode2)
1480{
1481 if (inode1 == NULL || inode2 == NULL || inode1 == inode2) {
1482 if (inode1)
1483 mutex_lock(&inode1->i_mutex);
1484 else if (inode2)
1485 mutex_lock(&inode2->i_mutex);
1486 return;
1487 }
1488
1489 if (inode1 < inode2) {
1490 mutex_lock_nested(&inode1->i_mutex, I_MUTEX_PARENT);
1491 mutex_lock_nested(&inode2->i_mutex, I_MUTEX_CHILD);
1492 } else {
1493 mutex_lock_nested(&inode2->i_mutex, I_MUTEX_PARENT);
1494 mutex_lock_nested(&inode1->i_mutex, I_MUTEX_CHILD);
1495 }
1496}
1497EXPORT_SYMBOL(inode_double_lock);
1498
1499void inode_double_unlock(struct inode *inode1, struct inode *inode2)
1500{
1501 if (inode1)
1502 mutex_unlock(&inode1->i_mutex);
1503
1504 if (inode2 && inode2 != inode1)
1505 mutex_unlock(&inode2->i_mutex);
1506}
1507EXPORT_SYMBOL(inode_double_unlock);
1508
1509static __initdata unsigned long ihash_entries; 1473static __initdata unsigned long ihash_entries;
1510static int __init set_ihash_entries(char *str) 1474static int __init set_ihash_entries(char *str)
1511{ 1475{
diff --git a/fs/namei.c b/fs/namei.c
index b8433ebfae05..78f253cd2d4f 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1248,6 +1248,8 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len)
1248 int err; 1248 int err;
1249 struct qstr this; 1249 struct qstr this;
1250 1250
1251 WARN_ON_ONCE(!mutex_is_locked(&base->d_inode->i_mutex));
1252
1251 err = __lookup_one_len(name, &this, base, len); 1253 err = __lookup_one_len(name, &this, base, len);
1252 if (err) 1254 if (err)
1253 return ERR_PTR(err); 1255 return ERR_PTR(err);
diff --git a/fs/namespace.c b/fs/namespace.c
index c6f54e4c4290..41196209a906 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1377,7 +1377,7 @@ static int attach_recursive_mnt(struct vfsmount *source_mnt,
1377 if (parent_path) { 1377 if (parent_path) {
1378 detach_mnt(source_mnt, parent_path); 1378 detach_mnt(source_mnt, parent_path);
1379 attach_mnt(source_mnt, path); 1379 attach_mnt(source_mnt, path);
1380 touch_mnt_namespace(current->nsproxy->mnt_ns); 1380 touch_mnt_namespace(parent_path->mnt->mnt_ns);
1381 } else { 1381 } else {
1382 mnt_set_mountpoint(dest_mnt, dest_dentry, source_mnt); 1382 mnt_set_mountpoint(dest_mnt, dest_dentry, source_mnt);
1383 commit_tree(source_mnt); 1383 commit_tree(source_mnt);
@@ -1920,8 +1920,9 @@ long do_mount(char *dev_name, char *dir_name, char *type_page,
1920 if (data_page) 1920 if (data_page)
1921 ((char *)data_page)[PAGE_SIZE - 1] = 0; 1921 ((char *)data_page)[PAGE_SIZE - 1] = 0;
1922 1922
1923 /* Default to relatime */ 1923 /* Default to relatime unless overriden */
1924 mnt_flags |= MNT_RELATIME; 1924 if (!(flags & MS_NOATIME))
1925 mnt_flags |= MNT_RELATIME;
1925 1926
1926 /* Separate the per-mountpoint flags */ 1927 /* Separate the per-mountpoint flags */
1927 if (flags & MS_NOSUID) 1928 if (flags & MS_NOSUID)
diff --git a/fs/ncpfs/ioctl.c b/fs/ncpfs/ioctl.c
index f54360f50a9c..fa038df63ac8 100644
--- a/fs/ncpfs/ioctl.c
+++ b/fs/ncpfs/ioctl.c
@@ -660,13 +660,10 @@ outrel:
660 if (user.object_name_len > NCP_OBJECT_NAME_MAX_LEN) 660 if (user.object_name_len > NCP_OBJECT_NAME_MAX_LEN)
661 return -ENOMEM; 661 return -ENOMEM;
662 if (user.object_name_len) { 662 if (user.object_name_len) {
663 newname = kmalloc(user.object_name_len, GFP_USER); 663 newname = memdup_user(user.object_name,
664 if (!newname) 664 user.object_name_len);
665 return -ENOMEM; 665 if (IS_ERR(newname))
666 if (copy_from_user(newname, user.object_name, user.object_name_len)) { 666 return PTR_ERR(newname);
667 kfree(newname);
668 return -EFAULT;
669 }
670 } else { 667 } else {
671 newname = NULL; 668 newname = NULL;
672 } 669 }
@@ -760,13 +757,9 @@ outrel:
760 if (user.len > NCP_PRIVATE_DATA_MAX_LEN) 757 if (user.len > NCP_PRIVATE_DATA_MAX_LEN)
761 return -ENOMEM; 758 return -ENOMEM;
762 if (user.len) { 759 if (user.len) {
763 new = kmalloc(user.len, GFP_USER); 760 new = memdup_user(user.data, user.len);
764 if (!new) 761 if (IS_ERR(new))
765 return -ENOMEM; 762 return PTR_ERR(new);
766 if (copy_from_user(new, user.data, user.len)) {
767 kfree(new);
768 return -EFAULT;
769 }
770 } else { 763 } else {
771 new = NULL; 764 new = NULL;
772 } 765 }
diff --git a/fs/nfs/nfs3xdr.c b/fs/nfs/nfs3xdr.c
index e6a1932c7110..35869a4921f1 100644
--- a/fs/nfs/nfs3xdr.c
+++ b/fs/nfs/nfs3xdr.c
@@ -713,7 +713,8 @@ nfs3_xdr_setaclargs(struct rpc_rqst *req, __be32 *p,
713 if (args->npages != 0) 713 if (args->npages != 0)
714 xdr_encode_pages(buf, args->pages, 0, args->len); 714 xdr_encode_pages(buf, args->pages, 0, args->len);
715 else 715 else
716 req->rq_slen += args->len; 716 req->rq_slen = xdr_adjust_iovec(req->rq_svec,
717 p + XDR_QUADLEN(args->len));
717 718
718 err = nfsacl_encode(buf, base, args->inode, 719 err = nfsacl_encode(buf, base, args->inode,
719 (args->mask & NFS_ACL) ? 720 (args->mask & NFS_ACL) ?
diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
index 3444c0052a87..5275097a7565 100644
--- a/fs/nfsd/nfs4recover.c
+++ b/fs/nfsd/nfs4recover.c
@@ -229,21 +229,23 @@ nfsd4_list_rec_dir(struct dentry *dir, recdir_func *f)
229 goto out; 229 goto out;
230 status = vfs_readdir(filp, nfsd4_build_namelist, &names); 230 status = vfs_readdir(filp, nfsd4_build_namelist, &names);
231 fput(filp); 231 fput(filp);
232 mutex_lock(&dir->d_inode->i_mutex);
232 while (!list_empty(&names)) { 233 while (!list_empty(&names)) {
233 entry = list_entry(names.next, struct name_list, list); 234 entry = list_entry(names.next, struct name_list, list);
234 235
235 dentry = lookup_one_len(entry->name, dir, HEXDIR_LEN-1); 236 dentry = lookup_one_len(entry->name, dir, HEXDIR_LEN-1);
236 if (IS_ERR(dentry)) { 237 if (IS_ERR(dentry)) {
237 status = PTR_ERR(dentry); 238 status = PTR_ERR(dentry);
238 goto out; 239 break;
239 } 240 }
240 status = f(dir, dentry); 241 status = f(dir, dentry);
241 dput(dentry); 242 dput(dentry);
242 if (status) 243 if (status)
243 goto out; 244 break;
244 list_del(&entry->list); 245 list_del(&entry->list);
245 kfree(entry); 246 kfree(entry);
246 } 247 }
248 mutex_unlock(&dir->d_inode->i_mutex);
247out: 249out:
248 while (!list_empty(&names)) { 250 while (!list_empty(&names)) {
249 entry = list_entry(names.next, struct name_list, list); 251 entry = list_entry(names.next, struct name_list, list);
@@ -255,36 +257,6 @@ out:
255} 257}
256 258
257static int 259static int
258nfsd4_remove_clid_file(struct dentry *dir, struct dentry *dentry)
259{
260 int status;
261
262 if (!S_ISREG(dir->d_inode->i_mode)) {
263 printk("nfsd4: non-file found in client recovery directory\n");
264 return -EINVAL;
265 }
266 mutex_lock_nested(&dir->d_inode->i_mutex, I_MUTEX_PARENT);
267 status = vfs_unlink(dir->d_inode, dentry);
268 mutex_unlock(&dir->d_inode->i_mutex);
269 return status;
270}
271
272static int
273nfsd4_clear_clid_dir(struct dentry *dir, struct dentry *dentry)
274{
275 int status;
276
277 /* For now this directory should already be empty, but we empty it of
278 * any regular files anyway, just in case the directory was created by
279 * a kernel from the future.... */
280 nfsd4_list_rec_dir(dentry, nfsd4_remove_clid_file);
281 mutex_lock_nested(&dir->d_inode->i_mutex, I_MUTEX_PARENT);
282 status = vfs_rmdir(dir->d_inode, dentry);
283 mutex_unlock(&dir->d_inode->i_mutex);
284 return status;
285}
286
287static int
288nfsd4_unlink_clid_dir(char *name, int namlen) 260nfsd4_unlink_clid_dir(char *name, int namlen)
289{ 261{
290 struct dentry *dentry; 262 struct dentry *dentry;
@@ -294,18 +266,18 @@ nfsd4_unlink_clid_dir(char *name, int namlen)
294 266
295 mutex_lock(&rec_dir.dentry->d_inode->i_mutex); 267 mutex_lock(&rec_dir.dentry->d_inode->i_mutex);
296 dentry = lookup_one_len(name, rec_dir.dentry, namlen); 268 dentry = lookup_one_len(name, rec_dir.dentry, namlen);
297 mutex_unlock(&rec_dir.dentry->d_inode->i_mutex);
298 if (IS_ERR(dentry)) { 269 if (IS_ERR(dentry)) {
299 status = PTR_ERR(dentry); 270 status = PTR_ERR(dentry);
300 return status; 271 goto out_unlock;
301 } 272 }
302 status = -ENOENT; 273 status = -ENOENT;
303 if (!dentry->d_inode) 274 if (!dentry->d_inode)
304 goto out; 275 goto out;
305 276 status = vfs_rmdir(rec_dir.dentry->d_inode, dentry);
306 status = nfsd4_clear_clid_dir(rec_dir.dentry, dentry);
307out: 277out:
308 dput(dentry); 278 dput(dentry);
279out_unlock:
280 mutex_unlock(&rec_dir.dentry->d_inode->i_mutex);
309 return status; 281 return status;
310} 282}
311 283
@@ -348,7 +320,7 @@ purge_old(struct dentry *parent, struct dentry *child)
348 if (nfs4_has_reclaimed_state(child->d_name.name, false)) 320 if (nfs4_has_reclaimed_state(child->d_name.name, false))
349 return 0; 321 return 0;
350 322
351 status = nfsd4_clear_clid_dir(parent, child); 323 status = vfs_rmdir(parent->d_inode, child);
352 if (status) 324 if (status)
353 printk("failed to remove client recovery directory %s\n", 325 printk("failed to remove client recovery directory %s\n",
354 child->d_name.name); 326 child->d_name.name);
diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
index ab93fcfef254..6c68ffd6b4bb 100644
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -116,10 +116,15 @@ nfsd_cross_mnt(struct svc_rqst *rqstp, struct dentry **dpp,
116 } 116 }
117 if ((exp->ex_flags & NFSEXP_CROSSMOUNT) || EX_NOHIDE(exp2)) { 117 if ((exp->ex_flags & NFSEXP_CROSSMOUNT) || EX_NOHIDE(exp2)) {
118 /* successfully crossed mount point */ 118 /* successfully crossed mount point */
119 exp_put(exp); 119 /*
120 *expp = exp2; 120 * This is subtle: dentry is *not* under mnt at this point.
121 * The only reason we are safe is that original mnt is pinned
122 * down by exp, so we should dput before putting exp.
123 */
121 dput(dentry); 124 dput(dentry);
122 *dpp = mounts; 125 *dpp = mounts;
126 exp_put(exp);
127 *expp = exp2;
123 } else { 128 } else {
124 exp_put(exp2); 129 exp_put(exp2);
125 dput(mounts); 130 dput(mounts);
@@ -1885,8 +1890,8 @@ static int nfsd_buffered_filldir(void *__buf, const char *name, int namlen,
1885 return 0; 1890 return 0;
1886} 1891}
1887 1892
1888static int nfsd_buffered_readdir(struct file *file, filldir_t func, 1893static __be32 nfsd_buffered_readdir(struct file *file, filldir_t func,
1889 struct readdir_cd *cdp, loff_t *offsetp) 1894 struct readdir_cd *cdp, loff_t *offsetp)
1890{ 1895{
1891 struct readdir_data buf; 1896 struct readdir_data buf;
1892 struct buffered_dirent *de; 1897 struct buffered_dirent *de;
@@ -1896,11 +1901,12 @@ static int nfsd_buffered_readdir(struct file *file, filldir_t func,
1896 1901
1897 buf.dirent = (void *)__get_free_page(GFP_KERNEL); 1902 buf.dirent = (void *)__get_free_page(GFP_KERNEL);
1898 if (!buf.dirent) 1903 if (!buf.dirent)
1899 return -ENOMEM; 1904 return nfserrno(-ENOMEM);
1900 1905
1901 offset = *offsetp; 1906 offset = *offsetp;
1902 1907
1903 while (1) { 1908 while (1) {
1909 struct inode *dir_inode = file->f_path.dentry->d_inode;
1904 unsigned int reclen; 1910 unsigned int reclen;
1905 1911
1906 cdp->err = nfserr_eof; /* will be cleared on successful read */ 1912 cdp->err = nfserr_eof; /* will be cleared on successful read */
@@ -1919,26 +1925,38 @@ static int nfsd_buffered_readdir(struct file *file, filldir_t func,
1919 if (!size) 1925 if (!size)
1920 break; 1926 break;
1921 1927
1928 /*
1929 * Various filldir functions may end up calling back into
1930 * lookup_one_len() and the file system's ->lookup() method.
1931 * These expect i_mutex to be held, as it would within readdir.
1932 */
1933 host_err = mutex_lock_killable(&dir_inode->i_mutex);
1934 if (host_err)
1935 break;
1936
1922 de = (struct buffered_dirent *)buf.dirent; 1937 de = (struct buffered_dirent *)buf.dirent;
1923 while (size > 0) { 1938 while (size > 0) {
1924 offset = de->offset; 1939 offset = de->offset;
1925 1940
1926 if (func(cdp, de->name, de->namlen, de->offset, 1941 if (func(cdp, de->name, de->namlen, de->offset,
1927 de->ino, de->d_type)) 1942 de->ino, de->d_type))
1928 goto done; 1943 break;
1929 1944
1930 if (cdp->err != nfs_ok) 1945 if (cdp->err != nfs_ok)
1931 goto done; 1946 break;
1932 1947
1933 reclen = ALIGN(sizeof(*de) + de->namlen, 1948 reclen = ALIGN(sizeof(*de) + de->namlen,
1934 sizeof(u64)); 1949 sizeof(u64));
1935 size -= reclen; 1950 size -= reclen;
1936 de = (struct buffered_dirent *)((char *)de + reclen); 1951 de = (struct buffered_dirent *)((char *)de + reclen);
1937 } 1952 }
1953 mutex_unlock(&dir_inode->i_mutex);
1954 if (size > 0) /* We bailed out early */
1955 break;
1956
1938 offset = vfs_llseek(file, 0, SEEK_CUR); 1957 offset = vfs_llseek(file, 0, SEEK_CUR);
1939 } 1958 }
1940 1959
1941 done:
1942 free_page((unsigned long)(buf.dirent)); 1960 free_page((unsigned long)(buf.dirent));
1943 1961
1944 if (host_err) 1962 if (host_err)
diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
index 8672b9536039..c2a87c885b73 100644
--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -1912,6 +1912,22 @@ out_sems:
1912 return written ? written : ret; 1912 return written ? written : ret;
1913} 1913}
1914 1914
1915static int ocfs2_splice_to_file(struct pipe_inode_info *pipe,
1916 struct file *out,
1917 struct splice_desc *sd)
1918{
1919 int ret;
1920
1921 ret = ocfs2_prepare_inode_for_write(out->f_path.dentry, &sd->pos,
1922 sd->total_len, 0, NULL);
1923 if (ret < 0) {
1924 mlog_errno(ret);
1925 return ret;
1926 }
1927
1928 return splice_from_pipe_feed(pipe, sd, pipe_to_file);
1929}
1930
1915static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe, 1931static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
1916 struct file *out, 1932 struct file *out,
1917 loff_t *ppos, 1933 loff_t *ppos,
@@ -1919,38 +1935,76 @@ static ssize_t ocfs2_file_splice_write(struct pipe_inode_info *pipe,
1919 unsigned int flags) 1935 unsigned int flags)
1920{ 1936{
1921 int ret; 1937 int ret;
1922 struct inode *inode = out->f_path.dentry->d_inode; 1938 struct address_space *mapping = out->f_mapping;
1939 struct inode *inode = mapping->host;
1940 struct splice_desc sd = {
1941 .total_len = len,
1942 .flags = flags,
1943 .pos = *ppos,
1944 .u.file = out,
1945 };
1923 1946
1924 mlog_entry("(0x%p, 0x%p, %u, '%.*s')\n", out, pipe, 1947 mlog_entry("(0x%p, 0x%p, %u, '%.*s')\n", out, pipe,
1925 (unsigned int)len, 1948 (unsigned int)len,
1926 out->f_path.dentry->d_name.len, 1949 out->f_path.dentry->d_name.len,
1927 out->f_path.dentry->d_name.name); 1950 out->f_path.dentry->d_name.name);
1928 1951
1929 mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT); 1952 if (pipe->inode)
1953 mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_PARENT);
1930 1954
1931 ret = ocfs2_rw_lock(inode, 1); 1955 splice_from_pipe_begin(&sd);
1932 if (ret < 0) { 1956 do {
1933 mlog_errno(ret); 1957 ret = splice_from_pipe_next(pipe, &sd);
1934 goto out; 1958 if (ret <= 0)
1935 } 1959 break;
1936 1960
1937 ret = ocfs2_prepare_inode_for_write(out->f_path.dentry, ppos, len, 0, 1961 mutex_lock_nested(&inode->i_mutex, I_MUTEX_CHILD);
1938 NULL); 1962 ret = ocfs2_rw_lock(inode, 1);
1939 if (ret < 0) { 1963 if (ret < 0)
1940 mlog_errno(ret); 1964 mlog_errno(ret);
1941 goto out_unlock; 1965 else {
1942 } 1966 ret = ocfs2_splice_to_file(pipe, out, &sd);
1967 ocfs2_rw_unlock(inode, 1);
1968 }
1969 mutex_unlock(&inode->i_mutex);
1970 } while (ret > 0);
1971 splice_from_pipe_end(pipe, &sd);
1943 1972
1944 if (pipe->inode) 1973 if (pipe->inode)
1945 mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
1946 ret = generic_file_splice_write_nolock(pipe, out, ppos, len, flags);
1947 if (pipe->inode)
1948 mutex_unlock(&pipe->inode->i_mutex); 1974 mutex_unlock(&pipe->inode->i_mutex);
1949 1975
1950out_unlock: 1976 if (sd.num_spliced)
1951 ocfs2_rw_unlock(inode, 1); 1977 ret = sd.num_spliced;
1952out: 1978
1953 mutex_unlock(&inode->i_mutex); 1979 if (ret > 0) {
1980 unsigned long nr_pages;
1981
1982 *ppos += ret;
1983 nr_pages = (ret + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
1984
1985 /*
1986 * If file or inode is SYNC and we actually wrote some data,
1987 * sync it.
1988 */
1989 if (unlikely((out->f_flags & O_SYNC) || IS_SYNC(inode))) {
1990 int err;
1991
1992 mutex_lock(&inode->i_mutex);
1993 err = ocfs2_rw_lock(inode, 1);
1994 if (err < 0) {
1995 mlog_errno(err);
1996 } else {
1997 err = generic_osync_inode(inode, mapping,
1998 OSYNC_METADATA|OSYNC_DATA);
1999 ocfs2_rw_unlock(inode, 1);
2000 }
2001 mutex_unlock(&inode->i_mutex);
2002
2003 if (err)
2004 ret = err;
2005 }
2006 balance_dirty_pages_ratelimited_nr(mapping, nr_pages);
2007 }
1954 2008
1955 mlog_exit(ret); 2009 mlog_exit(ret);
1956 return ret; 2010 return ret;
diff --git a/fs/pipe.c b/fs/pipe.c
index 4af7aa521813..13414ec45b8d 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -37,6 +37,42 @@
37 * -- Manfred Spraul <manfred@colorfullife.com> 2002-05-09 37 * -- Manfred Spraul <manfred@colorfullife.com> 2002-05-09
38 */ 38 */
39 39
40static void pipe_lock_nested(struct pipe_inode_info *pipe, int subclass)
41{
42 if (pipe->inode)
43 mutex_lock_nested(&pipe->inode->i_mutex, subclass);
44}
45
46void pipe_lock(struct pipe_inode_info *pipe)
47{
48 /*
49 * pipe_lock() nests non-pipe inode locks (for writing to a file)
50 */
51 pipe_lock_nested(pipe, I_MUTEX_PARENT);
52}
53EXPORT_SYMBOL(pipe_lock);
54
55void pipe_unlock(struct pipe_inode_info *pipe)
56{
57 if (pipe->inode)
58 mutex_unlock(&pipe->inode->i_mutex);
59}
60EXPORT_SYMBOL(pipe_unlock);
61
62void pipe_double_lock(struct pipe_inode_info *pipe1,
63 struct pipe_inode_info *pipe2)
64{
65 BUG_ON(pipe1 == pipe2);
66
67 if (pipe1 < pipe2) {
68 pipe_lock_nested(pipe1, I_MUTEX_PARENT);
69 pipe_lock_nested(pipe2, I_MUTEX_CHILD);
70 } else {
71 pipe_lock_nested(pipe2, I_MUTEX_CHILD);
72 pipe_lock_nested(pipe1, I_MUTEX_PARENT);
73 }
74}
75
40/* Drop the inode semaphore and wait for a pipe event, atomically */ 76/* Drop the inode semaphore and wait for a pipe event, atomically */
41void pipe_wait(struct pipe_inode_info *pipe) 77void pipe_wait(struct pipe_inode_info *pipe)
42{ 78{
@@ -47,12 +83,10 @@ void pipe_wait(struct pipe_inode_info *pipe)
47 * is considered a noninteractive wait: 83 * is considered a noninteractive wait:
48 */ 84 */
49 prepare_to_wait(&pipe->wait, &wait, TASK_INTERRUPTIBLE); 85 prepare_to_wait(&pipe->wait, &wait, TASK_INTERRUPTIBLE);
50 if (pipe->inode) 86 pipe_unlock(pipe);
51 mutex_unlock(&pipe->inode->i_mutex);
52 schedule(); 87 schedule();
53 finish_wait(&pipe->wait, &wait); 88 finish_wait(&pipe->wait, &wait);
54 if (pipe->inode) 89 pipe_lock(pipe);
55 mutex_lock(&pipe->inode->i_mutex);
56} 90}
57 91
58static int 92static int
diff --git a/fs/proc/base.c b/fs/proc/base.c
index f71559784bfb..aa763ab00777 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -648,14 +648,14 @@ static unsigned mounts_poll(struct file *file, poll_table *wait)
648{ 648{
649 struct proc_mounts *p = file->private_data; 649 struct proc_mounts *p = file->private_data;
650 struct mnt_namespace *ns = p->ns; 650 struct mnt_namespace *ns = p->ns;
651 unsigned res = 0; 651 unsigned res = POLLIN | POLLRDNORM;
652 652
653 poll_wait(file, &ns->poll, wait); 653 poll_wait(file, &ns->poll, wait);
654 654
655 spin_lock(&vfsmount_lock); 655 spin_lock(&vfsmount_lock);
656 if (p->event != ns->event) { 656 if (p->event != ns->event) {
657 p->event = ns->event; 657 p->event = ns->event;
658 res = POLLERR; 658 res |= POLLERR | POLLPRI;
659 } 659 }
660 spin_unlock(&vfsmount_lock); 660 spin_unlock(&vfsmount_lock);
661 661
diff --git a/fs/splice.c b/fs/splice.c
index c18aa7e03e2b..666953d59a35 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -182,8 +182,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
182 do_wakeup = 0; 182 do_wakeup = 0;
183 page_nr = 0; 183 page_nr = 0;
184 184
185 if (pipe->inode) 185 pipe_lock(pipe);
186 mutex_lock(&pipe->inode->i_mutex);
187 186
188 for (;;) { 187 for (;;) {
189 if (!pipe->readers) { 188 if (!pipe->readers) {
@@ -245,15 +244,13 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
245 pipe->waiting_writers--; 244 pipe->waiting_writers--;
246 } 245 }
247 246
248 if (pipe->inode) { 247 pipe_unlock(pipe);
249 mutex_unlock(&pipe->inode->i_mutex);
250 248
251 if (do_wakeup) { 249 if (do_wakeup) {
252 smp_mb(); 250 smp_mb();
253 if (waitqueue_active(&pipe->wait)) 251 if (waitqueue_active(&pipe->wait))
254 wake_up_interruptible(&pipe->wait); 252 wake_up_interruptible(&pipe->wait);
255 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN); 253 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
256 }
257 } 254 }
258 255
259 while (page_nr < spd_pages) 256 while (page_nr < spd_pages)
@@ -555,8 +552,8 @@ static int pipe_to_sendpage(struct pipe_inode_info *pipe,
555 * SPLICE_F_MOVE isn't set, or we cannot move the page, we simply create 552 * SPLICE_F_MOVE isn't set, or we cannot move the page, we simply create
556 * a new page in the output file page cache and fill/dirty that. 553 * a new page in the output file page cache and fill/dirty that.
557 */ 554 */
558static int pipe_to_file(struct pipe_inode_info *pipe, struct pipe_buffer *buf, 555int pipe_to_file(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
559 struct splice_desc *sd) 556 struct splice_desc *sd)
560{ 557{
561 struct file *file = sd->u.file; 558 struct file *file = sd->u.file;
562 struct address_space *mapping = file->f_mapping; 559 struct address_space *mapping = file->f_mapping;
@@ -600,108 +597,177 @@ static int pipe_to_file(struct pipe_inode_info *pipe, struct pipe_buffer *buf,
600out: 597out:
601 return ret; 598 return ret;
602} 599}
600EXPORT_SYMBOL(pipe_to_file);
601
602static void wakeup_pipe_writers(struct pipe_inode_info *pipe)
603{
604 smp_mb();
605 if (waitqueue_active(&pipe->wait))
606 wake_up_interruptible(&pipe->wait);
607 kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
608}
603 609
604/** 610/**
605 * __splice_from_pipe - splice data from a pipe to given actor 611 * splice_from_pipe_feed - feed available data from a pipe to a file
606 * @pipe: pipe to splice from 612 * @pipe: pipe to splice from
607 * @sd: information to @actor 613 * @sd: information to @actor
608 * @actor: handler that splices the data 614 * @actor: handler that splices the data
609 * 615 *
610 * Description: 616 * Description:
611 * This function does little more than loop over the pipe and call 617 * This function loops over the pipe and calls @actor to do the
612 * @actor to do the actual moving of a single struct pipe_buffer to 618 * actual moving of a single struct pipe_buffer to the desired
613 * the desired destination. See pipe_to_file, pipe_to_sendpage, or 619 * destination. It returns when there's no more buffers left in
614 * pipe_to_user. 620 * the pipe or if the requested number of bytes (@sd->total_len)
621 * have been copied. It returns a positive number (one) if the
622 * pipe needs to be filled with more data, zero if the required
623 * number of bytes have been copied and -errno on error.
615 * 624 *
625 * This, together with splice_from_pipe_{begin,end,next}, may be
626 * used to implement the functionality of __splice_from_pipe() when
627 * locking is required around copying the pipe buffers to the
628 * destination.
616 */ 629 */
617ssize_t __splice_from_pipe(struct pipe_inode_info *pipe, struct splice_desc *sd, 630int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_desc *sd,
618 splice_actor *actor) 631 splice_actor *actor)
619{ 632{
620 int ret, do_wakeup, err; 633 int ret;
621
622 ret = 0;
623 do_wakeup = 0;
624
625 for (;;) {
626 if (pipe->nrbufs) {
627 struct pipe_buffer *buf = pipe->bufs + pipe->curbuf;
628 const struct pipe_buf_operations *ops = buf->ops;
629 634
630 sd->len = buf->len; 635 while (pipe->nrbufs) {
631 if (sd->len > sd->total_len) 636 struct pipe_buffer *buf = pipe->bufs + pipe->curbuf;
632 sd->len = sd->total_len; 637 const struct pipe_buf_operations *ops = buf->ops;
633 638
634 err = actor(pipe, buf, sd); 639 sd->len = buf->len;
635 if (err <= 0) { 640 if (sd->len > sd->total_len)
636 if (!ret && err != -ENODATA) 641 sd->len = sd->total_len;
637 ret = err;
638 642
639 break; 643 ret = actor(pipe, buf, sd);
640 } 644 if (ret <= 0) {
645 if (ret == -ENODATA)
646 ret = 0;
647 return ret;
648 }
649 buf->offset += ret;
650 buf->len -= ret;
641 651
642 ret += err; 652 sd->num_spliced += ret;
643 buf->offset += err; 653 sd->len -= ret;
644 buf->len -= err; 654 sd->pos += ret;
655 sd->total_len -= ret;
645 656
646 sd->len -= err; 657 if (!buf->len) {
647 sd->pos += err; 658 buf->ops = NULL;
648 sd->total_len -= err; 659 ops->release(pipe, buf);
649 if (sd->len) 660 pipe->curbuf = (pipe->curbuf + 1) & (PIPE_BUFFERS - 1);
650 continue; 661 pipe->nrbufs--;
662 if (pipe->inode)
663 sd->need_wakeup = true;
664 }
651 665
652 if (!buf->len) { 666 if (!sd->total_len)
653 buf->ops = NULL; 667 return 0;
654 ops->release(pipe, buf); 668 }
655 pipe->curbuf = (pipe->curbuf + 1) & (PIPE_BUFFERS - 1);
656 pipe->nrbufs--;
657 if (pipe->inode)
658 do_wakeup = 1;
659 }
660 669
661 if (!sd->total_len) 670 return 1;
662 break; 671}
663 } 672EXPORT_SYMBOL(splice_from_pipe_feed);
664 673
665 if (pipe->nrbufs) 674/**
666 continue; 675 * splice_from_pipe_next - wait for some data to splice from
676 * @pipe: pipe to splice from
677 * @sd: information about the splice operation
678 *
679 * Description:
680 * This function will wait for some data and return a positive
681 * value (one) if pipe buffers are available. It will return zero
682 * or -errno if no more data needs to be spliced.
683 */
684int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
685{
686 while (!pipe->nrbufs) {
667 if (!pipe->writers) 687 if (!pipe->writers)
668 break; 688 return 0;
669 if (!pipe->waiting_writers) {
670 if (ret)
671 break;
672 }
673 689
674 if (sd->flags & SPLICE_F_NONBLOCK) { 690 if (!pipe->waiting_writers && sd->num_spliced)
675 if (!ret) 691 return 0;
676 ret = -EAGAIN;
677 break;
678 }
679 692
680 if (signal_pending(current)) { 693 if (sd->flags & SPLICE_F_NONBLOCK)
681 if (!ret) 694 return -EAGAIN;
682 ret = -ERESTARTSYS;
683 break;
684 }
685 695
686 if (do_wakeup) { 696 if (signal_pending(current))
687 smp_mb(); 697 return -ERESTARTSYS;
688 if (waitqueue_active(&pipe->wait)) 698
689 wake_up_interruptible_sync(&pipe->wait); 699 if (sd->need_wakeup) {
690 kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT); 700 wakeup_pipe_writers(pipe);
691 do_wakeup = 0; 701 sd->need_wakeup = false;
692 } 702 }
693 703
694 pipe_wait(pipe); 704 pipe_wait(pipe);
695 } 705 }
696 706
697 if (do_wakeup) { 707 return 1;
698 smp_mb(); 708}
699 if (waitqueue_active(&pipe->wait)) 709EXPORT_SYMBOL(splice_from_pipe_next);
700 wake_up_interruptible(&pipe->wait);
701 kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
702 }
703 710
704 return ret; 711/**
712 * splice_from_pipe_begin - start splicing from pipe
713 * @sd: information about the splice operation
714 *
715 * Description:
716 * This function should be called before a loop containing
717 * splice_from_pipe_next() and splice_from_pipe_feed() to
718 * initialize the necessary fields of @sd.
719 */
720void splice_from_pipe_begin(struct splice_desc *sd)
721{
722 sd->num_spliced = 0;
723 sd->need_wakeup = false;
724}
725EXPORT_SYMBOL(splice_from_pipe_begin);
726
727/**
728 * splice_from_pipe_end - finish splicing from pipe
729 * @pipe: pipe to splice from
730 * @sd: information about the splice operation
731 *
732 * Description:
733 * This function will wake up pipe writers if necessary. It should
734 * be called after a loop containing splice_from_pipe_next() and
735 * splice_from_pipe_feed().
736 */
737void splice_from_pipe_end(struct pipe_inode_info *pipe, struct splice_desc *sd)
738{
739 if (sd->need_wakeup)
740 wakeup_pipe_writers(pipe);
741}
742EXPORT_SYMBOL(splice_from_pipe_end);
743
744/**
745 * __splice_from_pipe - splice data from a pipe to given actor
746 * @pipe: pipe to splice from
747 * @sd: information to @actor
748 * @actor: handler that splices the data
749 *
750 * Description:
751 * This function does little more than loop over the pipe and call
752 * @actor to do the actual moving of a single struct pipe_buffer to
753 * the desired destination. See pipe_to_file, pipe_to_sendpage, or
754 * pipe_to_user.
755 *
756 */
757ssize_t __splice_from_pipe(struct pipe_inode_info *pipe, struct splice_desc *sd,
758 splice_actor *actor)
759{
760 int ret;
761
762 splice_from_pipe_begin(sd);
763 do {
764 ret = splice_from_pipe_next(pipe, sd);
765 if (ret > 0)
766 ret = splice_from_pipe_feed(pipe, sd, actor);
767 } while (ret > 0);
768 splice_from_pipe_end(pipe, sd);
769
770 return sd->num_spliced ? sd->num_spliced : ret;
705} 771}
706EXPORT_SYMBOL(__splice_from_pipe); 772EXPORT_SYMBOL(__splice_from_pipe);
707 773
@@ -715,7 +781,7 @@ EXPORT_SYMBOL(__splice_from_pipe);
715 * @actor: handler that splices the data 781 * @actor: handler that splices the data
716 * 782 *
717 * Description: 783 * Description:
718 * See __splice_from_pipe. This function locks the input and output inodes, 784 * See __splice_from_pipe. This function locks the pipe inode,
719 * otherwise it's identical to __splice_from_pipe(). 785 * otherwise it's identical to __splice_from_pipe().
720 * 786 *
721 */ 787 */
@@ -724,7 +790,6 @@ ssize_t splice_from_pipe(struct pipe_inode_info *pipe, struct file *out,
724 splice_actor *actor) 790 splice_actor *actor)
725{ 791{
726 ssize_t ret; 792 ssize_t ret;
727 struct inode *inode = out->f_mapping->host;
728 struct splice_desc sd = { 793 struct splice_desc sd = {
729 .total_len = len, 794 .total_len = len,
730 .flags = flags, 795 .flags = flags,
@@ -732,30 +797,15 @@ ssize_t splice_from_pipe(struct pipe_inode_info *pipe, struct file *out,
732 .u.file = out, 797 .u.file = out,
733 }; 798 };
734 799
735 /* 800 pipe_lock(pipe);
736 * The actor worker might be calling ->write_begin and
737 * ->write_end. Most of the time, these expect i_mutex to
738 * be held. Since this may result in an ABBA deadlock with
739 * pipe->inode, we have to order lock acquiry here.
740 *
741 * Outer lock must be inode->i_mutex, as pipe_wait() will
742 * release and reacquire pipe->inode->i_mutex, AND inode must
743 * never be a pipe.
744 */
745 WARN_ON(S_ISFIFO(inode->i_mode));
746 mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
747 if (pipe->inode)
748 mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
749 ret = __splice_from_pipe(pipe, &sd, actor); 801 ret = __splice_from_pipe(pipe, &sd, actor);
750 if (pipe->inode) 802 pipe_unlock(pipe);
751 mutex_unlock(&pipe->inode->i_mutex);
752 mutex_unlock(&inode->i_mutex);
753 803
754 return ret; 804 return ret;
755} 805}
756 806
757/** 807/**
758 * generic_file_splice_write_nolock - generic_file_splice_write without mutexes 808 * generic_file_splice_write - splice data from a pipe to a file
759 * @pipe: pipe info 809 * @pipe: pipe info
760 * @out: file to write to 810 * @out: file to write to
761 * @ppos: position in @out 811 * @ppos: position in @out
@@ -764,13 +814,12 @@ ssize_t splice_from_pipe(struct pipe_inode_info *pipe, struct file *out,
764 * 814 *
765 * Description: 815 * Description:
766 * Will either move or copy pages (determined by @flags options) from 816 * Will either move or copy pages (determined by @flags options) from
767 * the given pipe inode to the given file. The caller is responsible 817 * the given pipe inode to the given file.
768 * for acquiring i_mutex on both inodes.
769 * 818 *
770 */ 819 */
771ssize_t 820ssize_t
772generic_file_splice_write_nolock(struct pipe_inode_info *pipe, struct file *out, 821generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
773 loff_t *ppos, size_t len, unsigned int flags) 822 loff_t *ppos, size_t len, unsigned int flags)
774{ 823{
775 struct address_space *mapping = out->f_mapping; 824 struct address_space *mapping = out->f_mapping;
776 struct inode *inode = mapping->host; 825 struct inode *inode = mapping->host;
@@ -781,76 +830,28 @@ generic_file_splice_write_nolock(struct pipe_inode_info *pipe, struct file *out,
781 .u.file = out, 830 .u.file = out,
782 }; 831 };
783 ssize_t ret; 832 ssize_t ret;
784 int err;
785
786 err = file_remove_suid(out);
787 if (unlikely(err))
788 return err;
789
790 ret = __splice_from_pipe(pipe, &sd, pipe_to_file);
791 if (ret > 0) {
792 unsigned long nr_pages;
793 833
794 *ppos += ret; 834 pipe_lock(pipe);
795 nr_pages = (ret + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
796
797 /*
798 * If file or inode is SYNC and we actually wrote some data,
799 * sync it.
800 */
801 if (unlikely((out->f_flags & O_SYNC) || IS_SYNC(inode))) {
802 err = generic_osync_inode(inode, mapping,
803 OSYNC_METADATA|OSYNC_DATA);
804 835
805 if (err) 836 splice_from_pipe_begin(&sd);
806 ret = err; 837 do {
807 } 838 ret = splice_from_pipe_next(pipe, &sd);
808 balance_dirty_pages_ratelimited_nr(mapping, nr_pages); 839 if (ret <= 0)
809 } 840 break;
810 841
811 return ret; 842 mutex_lock_nested(&inode->i_mutex, I_MUTEX_CHILD);
812} 843 ret = file_remove_suid(out);
844 if (!ret)
845 ret = splice_from_pipe_feed(pipe, &sd, pipe_to_file);
846 mutex_unlock(&inode->i_mutex);
847 } while (ret > 0);
848 splice_from_pipe_end(pipe, &sd);
813 849
814EXPORT_SYMBOL(generic_file_splice_write_nolock); 850 pipe_unlock(pipe);
815 851
816/** 852 if (sd.num_spliced)
817 * generic_file_splice_write - splice data from a pipe to a file 853 ret = sd.num_spliced;
818 * @pipe: pipe info
819 * @out: file to write to
820 * @ppos: position in @out
821 * @len: number of bytes to splice
822 * @flags: splice modifier flags
823 *
824 * Description:
825 * Will either move or copy pages (determined by @flags options) from
826 * the given pipe inode to the given file.
827 *
828 */
829ssize_t
830generic_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
831 loff_t *ppos, size_t len, unsigned int flags)
832{
833 struct address_space *mapping = out->f_mapping;
834 struct inode *inode = mapping->host;
835 struct splice_desc sd = {
836 .total_len = len,
837 .flags = flags,
838 .pos = *ppos,
839 .u.file = out,
840 };
841 ssize_t ret;
842 854
843 WARN_ON(S_ISFIFO(inode->i_mode));
844 mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
845 ret = file_remove_suid(out);
846 if (likely(!ret)) {
847 if (pipe->inode)
848 mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
849 ret = __splice_from_pipe(pipe, &sd, pipe_to_file);
850 if (pipe->inode)
851 mutex_unlock(&pipe->inode->i_mutex);
852 }
853 mutex_unlock(&inode->i_mutex);
854 if (ret > 0) { 855 if (ret > 0) {
855 unsigned long nr_pages; 856 unsigned long nr_pages;
856 857
@@ -1339,8 +1340,7 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *iov,
1339 if (!pipe) 1340 if (!pipe)
1340 return -EBADF; 1341 return -EBADF;
1341 1342
1342 if (pipe->inode) 1343 pipe_lock(pipe);
1343 mutex_lock(&pipe->inode->i_mutex);
1344 1344
1345 error = ret = 0; 1345 error = ret = 0;
1346 while (nr_segs) { 1346 while (nr_segs) {
@@ -1395,8 +1395,7 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *iov,
1395 iov++; 1395 iov++;
1396 } 1396 }
1397 1397
1398 if (pipe->inode) 1398 pipe_unlock(pipe);
1399 mutex_unlock(&pipe->inode->i_mutex);
1400 1399
1401 if (!ret) 1400 if (!ret)
1402 ret = error; 1401 ret = error;
@@ -1524,7 +1523,7 @@ static int link_ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
1524 return 0; 1523 return 0;
1525 1524
1526 ret = 0; 1525 ret = 0;
1527 mutex_lock(&pipe->inode->i_mutex); 1526 pipe_lock(pipe);
1528 1527
1529 while (!pipe->nrbufs) { 1528 while (!pipe->nrbufs) {
1530 if (signal_pending(current)) { 1529 if (signal_pending(current)) {
@@ -1542,7 +1541,7 @@ static int link_ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
1542 pipe_wait(pipe); 1541 pipe_wait(pipe);
1543 } 1542 }
1544 1543
1545 mutex_unlock(&pipe->inode->i_mutex); 1544 pipe_unlock(pipe);
1546 return ret; 1545 return ret;
1547} 1546}
1548 1547
@@ -1562,7 +1561,7 @@ static int link_opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
1562 return 0; 1561 return 0;
1563 1562
1564 ret = 0; 1563 ret = 0;
1565 mutex_lock(&pipe->inode->i_mutex); 1564 pipe_lock(pipe);
1566 1565
1567 while (pipe->nrbufs >= PIPE_BUFFERS) { 1566 while (pipe->nrbufs >= PIPE_BUFFERS) {
1568 if (!pipe->readers) { 1567 if (!pipe->readers) {
@@ -1583,7 +1582,7 @@ static int link_opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
1583 pipe->waiting_writers--; 1582 pipe->waiting_writers--;
1584 } 1583 }
1585 1584
1586 mutex_unlock(&pipe->inode->i_mutex); 1585 pipe_unlock(pipe);
1587 return ret; 1586 return ret;
1588} 1587}
1589 1588
@@ -1599,10 +1598,10 @@ static int link_pipe(struct pipe_inode_info *ipipe,
1599 1598
1600 /* 1599 /*
1601 * Potential ABBA deadlock, work around it by ordering lock 1600 * Potential ABBA deadlock, work around it by ordering lock
1602 * grabbing by inode address. Otherwise two different processes 1601 * grabbing by pipe info address. Otherwise two different processes
1603 * could deadlock (one doing tee from A -> B, the other from B -> A). 1602 * could deadlock (one doing tee from A -> B, the other from B -> A).
1604 */ 1603 */
1605 inode_double_lock(ipipe->inode, opipe->inode); 1604 pipe_double_lock(ipipe, opipe);
1606 1605
1607 do { 1606 do {
1608 if (!opipe->readers) { 1607 if (!opipe->readers) {
@@ -1653,7 +1652,8 @@ static int link_pipe(struct pipe_inode_info *ipipe,
1653 if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK)) 1652 if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
1654 ret = -EAGAIN; 1653 ret = -EAGAIN;
1655 1654
1656 inode_double_unlock(ipipe->inode, opipe->inode); 1655 pipe_unlock(ipipe);
1656 pipe_unlock(opipe);
1657 1657
1658 /* 1658 /*
1659 * If we put data in the output pipe, wakeup any potential readers. 1659 * If we put data in the output pipe, wakeup any potential readers.
diff --git a/fs/stat.c b/fs/stat.c
index 2db740a0cfb5..075694e31d8b 100644
--- a/fs/stat.c
+++ b/fs/stat.c
@@ -55,59 +55,54 @@ int vfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
55 55
56EXPORT_SYMBOL(vfs_getattr); 56EXPORT_SYMBOL(vfs_getattr);
57 57
58int vfs_stat_fd(int dfd, char __user *name, struct kstat *stat) 58int vfs_fstat(unsigned int fd, struct kstat *stat)
59{ 59{
60 struct path path; 60 struct file *f = fget(fd);
61 int error; 61 int error = -EBADF;
62 62
63 error = user_path_at(dfd, name, LOOKUP_FOLLOW, &path); 63 if (f) {
64 if (!error) { 64 error = vfs_getattr(f->f_path.mnt, f->f_path.dentry, stat);
65 error = vfs_getattr(path.mnt, path.dentry, stat); 65 fput(f);
66 path_put(&path);
67 } 66 }
68 return error; 67 return error;
69} 68}
69EXPORT_SYMBOL(vfs_fstat);
70 70
71int vfs_stat(char __user *name, struct kstat *stat) 71int vfs_fstatat(int dfd, char __user *filename, struct kstat *stat, int flag)
72{ 72{
73 return vfs_stat_fd(AT_FDCWD, name, stat); 73 struct path path;
74} 74 int error = -EINVAL;
75 int lookup_flags = 0;
75 76
76EXPORT_SYMBOL(vfs_stat); 77 if ((flag & ~AT_SYMLINK_NOFOLLOW) != 0)
78 goto out;
77 79
78int vfs_lstat_fd(int dfd, char __user *name, struct kstat *stat) 80 if (!(flag & AT_SYMLINK_NOFOLLOW))
79{ 81 lookup_flags |= LOOKUP_FOLLOW;
80 struct path path;
81 int error;
82 82
83 error = user_path_at(dfd, name, 0, &path); 83 error = user_path_at(dfd, filename, lookup_flags, &path);
84 if (!error) { 84 if (error)
85 error = vfs_getattr(path.mnt, path.dentry, stat); 85 goto out;
86 path_put(&path); 86
87 } 87 error = vfs_getattr(path.mnt, path.dentry, stat);
88 path_put(&path);
89out:
88 return error; 90 return error;
89} 91}
92EXPORT_SYMBOL(vfs_fstatat);
90 93
91int vfs_lstat(char __user *name, struct kstat *stat) 94int vfs_stat(char __user *name, struct kstat *stat)
92{ 95{
93 return vfs_lstat_fd(AT_FDCWD, name, stat); 96 return vfs_fstatat(AT_FDCWD, name, stat, 0);
94} 97}
98EXPORT_SYMBOL(vfs_stat);
95 99
96EXPORT_SYMBOL(vfs_lstat); 100int vfs_lstat(char __user *name, struct kstat *stat)
97
98int vfs_fstat(unsigned int fd, struct kstat *stat)
99{ 101{
100 struct file *f = fget(fd); 102 return vfs_fstatat(AT_FDCWD, name, stat, AT_SYMLINK_NOFOLLOW);
101 int error = -EBADF;
102
103 if (f) {
104 error = vfs_getattr(f->f_path.mnt, f->f_path.dentry, stat);
105 fput(f);
106 }
107 return error;
108} 103}
104EXPORT_SYMBOL(vfs_lstat);
109 105
110EXPORT_SYMBOL(vfs_fstat);
111 106
112#ifdef __ARCH_WANT_OLD_STAT 107#ifdef __ARCH_WANT_OLD_STAT
113 108
@@ -155,23 +150,25 @@ static int cp_old_stat(struct kstat *stat, struct __old_kernel_stat __user * sta
155SYSCALL_DEFINE2(stat, char __user *, filename, struct __old_kernel_stat __user *, statbuf) 150SYSCALL_DEFINE2(stat, char __user *, filename, struct __old_kernel_stat __user *, statbuf)
156{ 151{
157 struct kstat stat; 152 struct kstat stat;
158 int error = vfs_stat_fd(AT_FDCWD, filename, &stat); 153 int error;
159 154
160 if (!error) 155 error = vfs_stat(filename, &stat);
161 error = cp_old_stat(&stat, statbuf); 156 if (error)
157 return error;
162 158
163 return error; 159 return cp_old_stat(&stat, statbuf);
164} 160}
165 161
166SYSCALL_DEFINE2(lstat, char __user *, filename, struct __old_kernel_stat __user *, statbuf) 162SYSCALL_DEFINE2(lstat, char __user *, filename, struct __old_kernel_stat __user *, statbuf)
167{ 163{
168 struct kstat stat; 164 struct kstat stat;
169 int error = vfs_lstat_fd(AT_FDCWD, filename, &stat); 165 int error;
170 166
171 if (!error) 167 error = vfs_lstat(filename, &stat);
172 error = cp_old_stat(&stat, statbuf); 168 if (error)
169 return error;
173 170
174 return error; 171 return cp_old_stat(&stat, statbuf);
175} 172}
176 173
177SYSCALL_DEFINE2(fstat, unsigned int, fd, struct __old_kernel_stat __user *, statbuf) 174SYSCALL_DEFINE2(fstat, unsigned int, fd, struct __old_kernel_stat __user *, statbuf)
@@ -240,23 +237,23 @@ static int cp_new_stat(struct kstat *stat, struct stat __user *statbuf)
240SYSCALL_DEFINE2(newstat, char __user *, filename, struct stat __user *, statbuf) 237SYSCALL_DEFINE2(newstat, char __user *, filename, struct stat __user *, statbuf)
241{ 238{
242 struct kstat stat; 239 struct kstat stat;
243 int error = vfs_stat_fd(AT_FDCWD, filename, &stat); 240 int error = vfs_stat(filename, &stat);
244
245 if (!error)
246 error = cp_new_stat(&stat, statbuf);
247 241
248 return error; 242 if (error)
243 return error;
244 return cp_new_stat(&stat, statbuf);
249} 245}
250 246
251SYSCALL_DEFINE2(newlstat, char __user *, filename, struct stat __user *, statbuf) 247SYSCALL_DEFINE2(newlstat, char __user *, filename, struct stat __user *, statbuf)
252{ 248{
253 struct kstat stat; 249 struct kstat stat;
254 int error = vfs_lstat_fd(AT_FDCWD, filename, &stat); 250 int error;
255 251
256 if (!error) 252 error = vfs_lstat(filename, &stat);
257 error = cp_new_stat(&stat, statbuf); 253 if (error)
254 return error;
258 255
259 return error; 256 return cp_new_stat(&stat, statbuf);
260} 257}
261 258
262#if !defined(__ARCH_WANT_STAT64) || defined(__ARCH_WANT_SYS_NEWFSTATAT) 259#if !defined(__ARCH_WANT_STAT64) || defined(__ARCH_WANT_SYS_NEWFSTATAT)
@@ -264,21 +261,12 @@ SYSCALL_DEFINE4(newfstatat, int, dfd, char __user *, filename,
264 struct stat __user *, statbuf, int, flag) 261 struct stat __user *, statbuf, int, flag)
265{ 262{
266 struct kstat stat; 263 struct kstat stat;
267 int error = -EINVAL; 264 int error;
268
269 if ((flag & ~AT_SYMLINK_NOFOLLOW) != 0)
270 goto out;
271
272 if (flag & AT_SYMLINK_NOFOLLOW)
273 error = vfs_lstat_fd(dfd, filename, &stat);
274 else
275 error = vfs_stat_fd(dfd, filename, &stat);
276
277 if (!error)
278 error = cp_new_stat(&stat, statbuf);
279 265
280out: 266 error = vfs_fstatat(dfd, filename, &stat, flag);
281 return error; 267 if (error)
268 return error;
269 return cp_new_stat(&stat, statbuf);
282} 270}
283#endif 271#endif
284 272
@@ -404,21 +392,12 @@ SYSCALL_DEFINE4(fstatat64, int, dfd, char __user *, filename,
404 struct stat64 __user *, statbuf, int, flag) 392 struct stat64 __user *, statbuf, int, flag)
405{ 393{
406 struct kstat stat; 394 struct kstat stat;
407 int error = -EINVAL; 395 int error;
408
409 if ((flag & ~AT_SYMLINK_NOFOLLOW) != 0)
410 goto out;
411
412 if (flag & AT_SYMLINK_NOFOLLOW)
413 error = vfs_lstat_fd(dfd, filename, &stat);
414 else
415 error = vfs_stat_fd(dfd, filename, &stat);
416
417 if (!error)
418 error = cp_new_stat64(&stat, statbuf);
419 396
420out: 397 error = vfs_fstatat(dfd, filename, &stat, flag);
421 return error; 398 if (error)
399 return error;
400 return cp_new_stat64(&stat, statbuf);
422} 401}
423#endif /* __ARCH_WANT_STAT64 */ 402#endif /* __ARCH_WANT_STAT64 */
424 403
diff --git a/fs/sysfs/bin.c b/fs/sysfs/bin.c
index 93e0c0281d45..9345806c8853 100644
--- a/fs/sysfs/bin.c
+++ b/fs/sysfs/bin.c
@@ -157,14 +157,9 @@ static ssize_t write(struct file *file, const char __user *userbuf,
157 count = size - offs; 157 count = size - offs;
158 } 158 }
159 159
160 temp = kmalloc(count, GFP_KERNEL); 160 temp = memdup_user(userbuf, count);
161 if (!temp) 161 if (IS_ERR(temp))
162 return -ENOMEM; 162 return PTR_ERR(temp);
163
164 if (copy_from_user(temp, userbuf, count)) {
165 count = -EFAULT;
166 goto out_free;
167 }
168 163
169 mutex_lock(&bb->mutex); 164 mutex_lock(&bb->mutex);
170 165
@@ -176,8 +171,6 @@ static ssize_t write(struct file *file, const char __user *userbuf,
176 if (count > 0) 171 if (count > 0)
177 *off = offs + count; 172 *off = offs + count;
178 173
179out_free:
180 kfree(temp);
181 return count; 174 return count;
182} 175}
183 176
diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c
index 289c43a47263..b1606e07b7a3 100644
--- a/fs/sysfs/file.c
+++ b/fs/sysfs/file.c
@@ -446,11 +446,11 @@ static unsigned int sysfs_poll(struct file *filp, poll_table *wait)
446 if (buffer->event != atomic_read(&od->event)) 446 if (buffer->event != atomic_read(&od->event))
447 goto trigger; 447 goto trigger;
448 448
449 return 0; 449 return DEFAULT_POLLMASK;
450 450
451 trigger: 451 trigger:
452 buffer->needs_read_fill = 1; 452 buffer->needs_read_fill = 1;
453 return POLLERR|POLLPRI; 453 return DEFAULT_POLLMASK|POLLERR|POLLPRI;
454} 454}
455 455
456void sysfs_notify_dirent(struct sysfs_dirent *sd) 456void sysfs_notify_dirent(struct sysfs_dirent *sd)
@@ -667,6 +667,7 @@ struct sysfs_schedule_callback_struct {
667 struct work_struct work; 667 struct work_struct work;
668}; 668};
669 669
670static struct workqueue_struct *sysfs_workqueue;
670static DEFINE_MUTEX(sysfs_workq_mutex); 671static DEFINE_MUTEX(sysfs_workq_mutex);
671static LIST_HEAD(sysfs_workq); 672static LIST_HEAD(sysfs_workq);
672static void sysfs_schedule_callback_work(struct work_struct *work) 673static void sysfs_schedule_callback_work(struct work_struct *work)
@@ -715,11 +716,20 @@ int sysfs_schedule_callback(struct kobject *kobj, void (*func)(void *),
715 mutex_lock(&sysfs_workq_mutex); 716 mutex_lock(&sysfs_workq_mutex);
716 list_for_each_entry_safe(ss, tmp, &sysfs_workq, workq_list) 717 list_for_each_entry_safe(ss, tmp, &sysfs_workq, workq_list)
717 if (ss->kobj == kobj) { 718 if (ss->kobj == kobj) {
719 module_put(owner);
718 mutex_unlock(&sysfs_workq_mutex); 720 mutex_unlock(&sysfs_workq_mutex);
719 return -EAGAIN; 721 return -EAGAIN;
720 } 722 }
721 mutex_unlock(&sysfs_workq_mutex); 723 mutex_unlock(&sysfs_workq_mutex);
722 724
725 if (sysfs_workqueue == NULL) {
726 sysfs_workqueue = create_workqueue("sysfsd");
727 if (sysfs_workqueue == NULL) {
728 module_put(owner);
729 return -ENOMEM;
730 }
731 }
732
723 ss = kmalloc(sizeof(*ss), GFP_KERNEL); 733 ss = kmalloc(sizeof(*ss), GFP_KERNEL);
724 if (!ss) { 734 if (!ss) {
725 module_put(owner); 735 module_put(owner);
@@ -735,7 +745,7 @@ int sysfs_schedule_callback(struct kobject *kobj, void (*func)(void *),
735 mutex_lock(&sysfs_workq_mutex); 745 mutex_lock(&sysfs_workq_mutex);
736 list_add_tail(&ss->workq_list, &sysfs_workq); 746 list_add_tail(&ss->workq_list, &sysfs_workq);
737 mutex_unlock(&sysfs_workq_mutex); 747 mutex_unlock(&sysfs_workq_mutex);
738 schedule_work(&ss->work); 748 queue_work(sysfs_workqueue, &ss->work);
739 return 0; 749 return 0;
740} 750}
741EXPORT_SYMBOL_GPL(sysfs_schedule_callback); 751EXPORT_SYMBOL_GPL(sysfs_schedule_callback);
diff --git a/fs/xattr.c b/fs/xattr.c
index 197c4fcac032..d51b8f9db921 100644
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -237,13 +237,9 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value,
237 if (size) { 237 if (size) {
238 if (size > XATTR_SIZE_MAX) 238 if (size > XATTR_SIZE_MAX)
239 return -E2BIG; 239 return -E2BIG;
240 kvalue = kmalloc(size, GFP_KERNEL); 240 kvalue = memdup_user(value, size);
241 if (!kvalue) 241 if (IS_ERR(kvalue))
242 return -ENOMEM; 242 return PTR_ERR(kvalue);
243 if (copy_from_user(kvalue, value, size)) {
244 kfree(kvalue);
245 return -EFAULT;
246 }
247 } 243 }
248 244
249 error = vfs_setxattr(d, kname, kvalue, size, flags); 245 error = vfs_setxattr(d, kname, kvalue, size, flags);
diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c
index d0b499418a7d..34eaab608e6e 100644
--- a/fs/xfs/linux-2.6/xfs_ioctl.c
+++ b/fs/xfs/linux-2.6/xfs_ioctl.c
@@ -489,17 +489,12 @@ xfs_attrmulti_attr_set(
489 if (len > XATTR_SIZE_MAX) 489 if (len > XATTR_SIZE_MAX)
490 return EINVAL; 490 return EINVAL;
491 491
492 kbuf = kmalloc(len, GFP_KERNEL); 492 kbuf = memdup_user(ubuf, len);
493 if (!kbuf) 493 if (IS_ERR(kbuf))
494 return ENOMEM; 494 return PTR_ERR(kbuf);
495
496 if (copy_from_user(kbuf, ubuf, len))
497 goto out_kfree;
498 495
499 error = xfs_attr_set(XFS_I(inode), name, kbuf, len, flags); 496 error = xfs_attr_set(XFS_I(inode), name, kbuf, len, flags);
500 497
501 out_kfree:
502 kfree(kbuf);
503 return error; 498 return error;
504} 499}
505 500
@@ -540,20 +535,16 @@ xfs_attrmulti_by_handle(
540 if (!size || size > 16 * PAGE_SIZE) 535 if (!size || size > 16 * PAGE_SIZE)
541 goto out_dput; 536 goto out_dput;
542 537
543 error = ENOMEM; 538 ops = memdup_user(am_hreq.ops, size);
544 ops = kmalloc(size, GFP_KERNEL); 539 if (IS_ERR(ops)) {
545 if (!ops) 540 error = PTR_ERR(ops);
546 goto out_dput; 541 goto out_dput;
547 542 }
548 error = EFAULT;
549 if (copy_from_user(ops, am_hreq.ops, size))
550 goto out_kfree_ops;
551 543
552 attr_name = kmalloc(MAXNAMELEN, GFP_KERNEL); 544 attr_name = kmalloc(MAXNAMELEN, GFP_KERNEL);
553 if (!attr_name) 545 if (!attr_name)
554 goto out_kfree_ops; 546 goto out_kfree_ops;
555 547
556
557 error = 0; 548 error = 0;
558 for (i = 0; i < am_hreq.opcount; i++) { 549 for (i = 0; i < am_hreq.opcount; i++) {
559 ops[i].am_error = strncpy_from_user(attr_name, 550 ops[i].am_error = strncpy_from_user(attr_name,
diff --git a/fs/xfs/linux-2.6/xfs_ioctl32.c b/fs/xfs/linux-2.6/xfs_ioctl32.c
index c70c4e3db790..0882d166239a 100644
--- a/fs/xfs/linux-2.6/xfs_ioctl32.c
+++ b/fs/xfs/linux-2.6/xfs_ioctl32.c
@@ -427,20 +427,16 @@ xfs_compat_attrmulti_by_handle(
427 if (!size || size > 16 * PAGE_SIZE) 427 if (!size || size > 16 * PAGE_SIZE)
428 goto out_dput; 428 goto out_dput;
429 429
430 error = ENOMEM; 430 ops = memdup_user(compat_ptr(am_hreq.ops), size);
431 ops = kmalloc(size, GFP_KERNEL); 431 if (IS_ERR(ops)) {
432 if (!ops) 432 error = PTR_ERR(ops);
433 goto out_dput; 433 goto out_dput;
434 434 }
435 error = EFAULT;
436 if (copy_from_user(ops, compat_ptr(am_hreq.ops), size))
437 goto out_kfree_ops;
438 435
439 attr_name = kmalloc(MAXNAMELEN, GFP_KERNEL); 436 attr_name = kmalloc(MAXNAMELEN, GFP_KERNEL);
440 if (!attr_name) 437 if (!attr_name)
441 goto out_kfree_ops; 438 goto out_kfree_ops;
442 439
443
444 error = 0; 440 error = 0;
445 for (i = 0; i < am_hreq.opcount; i++) { 441 for (i = 0; i < am_hreq.opcount; i++) {
446 ops[i].am_error = strncpy_from_user(attr_name, 442 ops[i].am_error = strncpy_from_user(attr_name,