1 files changed, 18 insertions, 10 deletions

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4bf4807f2d44..d39b59cf8a08 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -180,7 +180,7 @@ static int inode_alloc_security(struct inode *inode)
         struct task_security_struct *tsec = current->security;
         struct inode_security_struct *isec;
 
-        isec = kmem_cache_zalloc(sel_inode_cache, GFP_KERNEL);
+        isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
         if (!isec)
                 return -ENOMEM;
 
@@ -760,13 +760,13 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
          * this early in the boot process. */
         BUG_ON(!ss_initialized);
 
-        /* this might go away sometime down the line if there is a new user
-         * of clone, but for now, nfs better not get here... */
-        BUG_ON(newsbsec->initialized);
-
         /* how can we clone if the old one wasn't set up?? */
         BUG_ON(!oldsbsec->initialized);
 
+        /* if fs is reusing a sb, just let its options stand... */
+        if (newsbsec->initialized)
+                return;
+
         mutex_lock(&newsbsec->lock);
 
         newsbsec->flags = oldsbsec->flags;
@@ -800,7 +800,8 @@ static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
         mutex_unlock(&newsbsec->lock);
 }
 
-int selinux_parse_opts_str(char *options, struct security_mnt_opts *opts)
+static int selinux_parse_opts_str(char *options,
+                                  struct security_mnt_opts *opts)
 {
         char *p;
         char *context = NULL, *defcontext = NULL;
@@ -1142,7 +1143,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                 }
 
                 len = INITCONTEXTLEN;
-                context = kmalloc(len, GFP_KERNEL);
+                context = kmalloc(len, GFP_NOFS);
                 if (!context) {
                         rc = -ENOMEM;
                         dput(dentry);
@@ -1160,7 +1161,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                         }
                         kfree(context);
                         len = rc;
-                        context = kmalloc(len, GFP_KERNEL);
+                        context = kmalloc(len, GFP_NOFS);
                         if (!context) {
                                 rc = -ENOMEM;
                                 dput(dentry);
@@ -1184,7 +1185,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
                         rc = 0;
                 } else {
                         rc = security_context_to_sid_default(context, rc, &sid,
-                                                             sbsec->def_sid);
+                                                             sbsec->def_sid,
+                                                             GFP_NOFS);
                         if (rc) {
                                 printk(KERN_WARNING "%s:  context_to_sid(%s) "
                                        "returned %d for dev=%s ino=%ld\n",
@@ -1629,6 +1631,12 @@ static inline u32 file_to_av(struct file *file)
                 else
                         av |= FILE__WRITE;
         }
+        if (!av) {
+                /*
+                 * Special file opened with flags 3 for ioctl-only use.
+                 */
+                av = FILE__IOCTL;
+        }
 
         return av;
 }
@@ -2422,7 +2430,7 @@ static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
                 return -EOPNOTSUPP;
 
         if (name) {
-                namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_KERNEL);
+                namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
                 if (!namep)
                         return -ENOMEM;
                 *name = namep;