14 files changed, 47 insertions, 63 deletions

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index 60f0c76a27d3..859abdaac1ea 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -349,8 +349,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
         unsigned int state;
         struct file_perms perms = {};
         struct path_cond cond = {
-                bprm->file->f_path.dentry->d_inode->i_uid,
-                bprm->file->f_path.dentry->d_inode->i_mode
+                file_inode(bprm->file)->i_uid,
+                file_inode(bprm->file)->i_mode
         };
         const char *name = NULL, *target = NULL, *info = NULL;
         int error = cap_bprm_set_creds(bprm);
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index cd21ec5b90af..fdaa50cb1876 100644
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -449,8 +449,8 @@ int aa_file_perm(int op, struct aa_profile *profile, struct file *file,
                  u32 request)
 {
         struct path_cond cond = {
-                .uid = file->f_path.dentry->d_inode->i_uid,
-                .mode = file->f_path.dentry->d_inode->i_mode
+                .uid = file_inode(file)->i_uid,
+                .mode = file_inode(file)->i_mode
         };
 
         return aa_path_perm(op, profile, &file->f_path, PATH_DELEGATE_DELETED,
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 8c2a7f6b35e2..b21830eced41 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -379,7 +379,7 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
         struct aa_profile *profile;
         int error = 0;
 
-        if (!mediated_filesystem(file->f_path.dentry->d_inode))
+        if (!mediated_filesystem(file_inode(file)))
                 return 0;
 
         /* If in exec, permission is handled by bprm hooks.
@@ -394,7 +394,7 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
 
         profile = aa_cred_profile(cred);
         if (!unconfined(profile)) {
-                struct inode *inode = file->f_path.dentry->d_inode;
+                struct inode *inode = file_inode(file);
                 struct path_cond cond = { inode->i_uid, inode->i_mode };
 
                 error = aa_path_perm(OP_OPEN, profile, &file->f_path, 0,
@@ -432,7 +432,7 @@ static int common_file_perm(int op, struct file *file, u32 mask)
         BUG_ON(!fprofile);
 
         if (!file->f_path.mnt ||
-            !mediated_filesystem(file->f_path.dentry->d_inode))
+            !mediated_filesystem(file_inode(file)))
                 return 0;
 
         profile = __aa_current_profile();
diff --git a/security/commoncap.c b/security/commoncap.c
index 7ee08c756d6b..c44b6fe6648e 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -440,7 +440,7 @@ static int get_file_caps(struct linux_binprm *bprm, bool *effective, bool *has_c
         if (!file_caps_enabled)
                 return 0;
 
-        if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
+        if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
                 return 0;
 
         dentry = dget(bprm->file->f_dentry);
diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
index d9030b29d84d..1c03e8f1e0e1 100644
--- a/security/integrity/ima/ima_api.c
+++ b/security/integrity/ima/ima_api.c
@@ -140,12 +140,12 @@ int ima_must_measure(struct inode *inode, int mask, int function)
 int ima_collect_measurement(struct integrity_iint_cache *iint,
                             struct file *file)
 {
-        struct inode *inode = file->f_dentry->d_inode;
+        struct inode *inode = file_inode(file);
         const char *filename = file->f_dentry->d_name.name;
         int result = 0;
 
         if (!(iint->flags & IMA_COLLECTED)) {
-                u64 i_version = file->f_dentry->d_inode->i_version;
+                u64 i_version = file_inode(file)->i_version;
 
                 iint->ima_xattr.type = IMA_XATTR_DIGEST;
                 result = ima_calc_file_hash(file, iint->ima_xattr.digest);
@@ -182,7 +182,7 @@ void ima_store_measurement(struct integrity_iint_cache *iint,
         const char *op = "add_template_measure";
         const char *audit_cause = "ENOMEM";
         int result = -ENOMEM;
-        struct inode *inode = file->f_dentry->d_inode;
+        struct inode *inode = file_inode(file);
         struct ima_template_entry *entry;
         int violation = 0;
 
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index b691e0f3830c..a02e0791cf15 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -66,7 +66,7 @@ int ima_calc_file_hash(struct file *file, char *digest)
                 file->f_mode |= FMODE_READ;
                 read = 1;
         }
-        i_size = i_size_read(file->f_dentry->d_inode);
+        i_size = i_size_read(file_inode(file));
         while (offset < i_size) {
                 int rbuf_len;
 
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 5127afcc4b89..3b3b7e6bf8da 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -126,7 +126,7 @@ static void ima_check_last_writer(struct integrity_iint_cache *iint,
  */
 void ima_file_free(struct file *file)
 {
-        struct inode *inode = file->f_dentry->d_inode;
+        struct inode *inode = file_inode(file);
         struct integrity_iint_cache *iint;
 
         if (!iint_initialized || !S_ISREG(inode->i_mode))
@@ -142,7 +142,7 @@ void ima_file_free(struct file *file)
 static int process_measurement(struct file *file, const char *filename,
                                int mask, int function)
 {
-        struct inode *inode = file->f_dentry->d_inode;
+        struct inode *inode = file_inode(file);
         struct integrity_iint_cache *iint;
         char *pathbuf = NULL;
         const char *pathname = NULL;
@@ -284,7 +284,8 @@ int ima_module_check(struct file *file)
 {
         if (!file) {
 #ifndef CONFIG_MODULE_SIG_FORCE
-                if (ima_appraise & IMA_APPRAISE_MODULES)
+                if ((ima_appraise & IMA_APPRAISE_MODULES) &&
+                    (ima_appraise & IMA_APPRAISE_ENFORCE))
                         return -EACCES; /* INTEGRITY_UNKNOWN */
 #endif
                 return 0;       /* We rely on module signature checking */
diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c
index b27535a13a79..399433ad614e 100644
--- a/security/integrity/ima/ima_policy.c
+++ b/security/integrity/ima/ima_policy.c
@@ -176,7 +176,7 @@ static bool ima_match_rules(struct ima_rule_entry *rule,
             && rule->fsmagic != inode->i_sb->s_magic)
                 return false;
         if ((rule->flags & IMA_FSUUID) &&
-                memcmp(rule->fsuuid, inode->i_sb->s_uuid, sizeof(rule->fsuuid)))
+            memcmp(rule->fsuuid, inode->i_sb->s_uuid, sizeof(rule->fsuuid)))
                 return false;
         if ((rule->flags & IMA_UID) && !uid_eq(rule->uid, cred->uid))
                 return false;
@@ -530,14 +530,15 @@ static int ima_parse_rule(char *rule, struct ima_rule_entry *entry)
                         ima_log_string(ab, "fsuuid", args[0].from);
 
                         if (memchr_inv(entry->fsuuid, 0x00,
-                            sizeof(entry->fsuuid))) {
+                                       sizeof(entry->fsuuid))) {
                                 result = -EINVAL;
                                 break;
                         }
 
-                        part_pack_uuid(args[0].from, entry->fsuuid);
-                        entry->flags |= IMA_FSUUID;
-                        result = 0;
+                        result = blk_part_pack_uuid(args[0].from,
+                                                    entry->fsuuid);
+                        if (!result)
+                                entry->flags |= IMA_FSUUID;
                         break;
                 case Opt_uid:
                         ima_log_string(ab, "uid", args[0].from);
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
index 55a6271bce7a..ff63fe00c195 100644
--- a/security/integrity/ima/ima_queue.c
+++ b/security/integrity/ima/ima_queue.c
@@ -45,12 +45,11 @@ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value)
 {
         struct ima_queue_entry *qe, *ret = NULL;
         unsigned int key;
-        struct hlist_node *pos;
         int rc;
 
         key = ima_hash_key(digest_value);
         rcu_read_lock();
-        hlist_for_each_entry_rcu(qe, pos, &ima_htable.queue[key], hnext) {
+        hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) {
                 rc = memcmp(qe->entry->digest, digest_value, IMA_DIGEST_SIZE);
                 if (rc == 0) {
                         ret = qe;
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 4d3fab47e643..dad36a6ab45f 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -188,11 +188,9 @@ int avc_get_hash_stats(char *page)
         for (i = 0; i < AVC_CACHE_SLOTS; i++) {
                 head = &avc_cache.slots[i];
                 if (!hlist_empty(head)) {
-                        struct hlist_node *next;
-
                         slots_used++;
                         chain_len = 0;
-                        hlist_for_each_entry_rcu(node, next, head, list)
+                        hlist_for_each_entry_rcu(node, head, list)
                                 chain_len++;
                         if (chain_len > max_chain_len)
                                 max_chain_len = chain_len;
@@ -241,7 +239,6 @@ static inline int avc_reclaim_node(void)
         int hvalue, try, ecx;
         unsigned long flags;
         struct hlist_head *head;
-        struct hlist_node *next;
         spinlock_t *lock;
 
         for (try = 0, ecx = 0; try < AVC_CACHE_SLOTS; try++) {
@@ -253,7 +250,7 @@ static inline int avc_reclaim_node(void)
                         continue;
 
                 rcu_read_lock();
-                hlist_for_each_entry(node, next, head, list) {
+                hlist_for_each_entry(node, head, list) {
                         avc_node_delete(node);
                         avc_cache_stats_incr(reclaims);
                         ecx++;
@@ -301,11 +298,10 @@ static inline struct avc_node *avc_search_node(u32 ssid, u32 tsid, u16 tclass)
         struct avc_node *node, *ret = NULL;
         int hvalue;
         struct hlist_head *head;
-        struct hlist_node *next;
 
         hvalue = avc_hash(ssid, tsid, tclass);
         head = &avc_cache.slots[hvalue];
-        hlist_for_each_entry_rcu(node, next, head, list) {
+        hlist_for_each_entry_rcu(node, head, list) {
                 if (ssid == node->ae.ssid &&
                     tclass == node->ae.tclass &&
                     tsid == node->ae.tsid) {
@@ -394,7 +390,6 @@ static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct av_dec
         node = avc_alloc_node();
         if (node) {
                 struct hlist_head *head;
-                struct hlist_node *next;
                 spinlock_t *lock;
 
                 hvalue = avc_hash(ssid, tsid, tclass);
@@ -404,7 +399,7 @@ static struct avc_node *avc_insert(u32 ssid, u32 tsid, u16 tclass, struct av_dec
                 lock = &avc_cache.slots_lock[hvalue];
 
                 spin_lock_irqsave(lock, flag);
-                hlist_for_each_entry(pos, next, head, list) {
+                hlist_for_each_entry(pos, head, list) {
                         if (pos->ae.ssid == ssid &&
                             pos->ae.tsid == tsid &&
                             pos->ae.tclass == tclass) {
@@ -541,7 +536,6 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass,
         unsigned long flag;
         struct avc_node *pos, *node, *orig = NULL;
         struct hlist_head *head;
-        struct hlist_node *next;
         spinlock_t *lock;
 
         node = avc_alloc_node();
@@ -558,7 +552,7 @@ static int avc_update_node(u32 event, u32 perms, u32 ssid, u32 tsid, u16 tclass,
 
         spin_lock_irqsave(lock, flag);
 
-        hlist_for_each_entry(pos, next, head, list) {
+        hlist_for_each_entry(pos, head, list) {
                 if (ssid == pos->ae.ssid &&
                     tsid == pos->ae.tsid &&
                     tclass == pos->ae.tclass &&
@@ -614,7 +608,6 @@ out:
 static void avc_flush(void)
 {
         struct hlist_head *head;
-        struct hlist_node *next;
         struct avc_node *node;
         spinlock_t *lock;
         unsigned long flag;
@@ -630,7 +623,7 @@ static void avc_flush(void)
                  * prevent RCU grace periods from ending.
                  */
                 rcu_read_lock();
-                hlist_for_each_entry(node, next, head, list)
+                hlist_for_each_entry(node, head, list)
                         avc_node_delete(node);
                 rcu_read_unlock();
                 spin_unlock_irqrestore(lock, flag);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ef26e9611ffb..84b591711eec 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1528,7 +1528,7 @@ static int file_has_perm(const struct cred *cred,
                          u32 av)
 {
         struct file_security_struct *fsec = file->f_security;
-        struct inode *inode = file->f_path.dentry->d_inode;
+        struct inode *inode = file_inode(file);
         struct common_audit_data ad;
         u32 sid = cred_sid(cred);
         int rc;
@@ -1957,7 +1957,7 @@ static int selinux_bprm_set_creds(struct linux_binprm *bprm)
         struct task_security_struct *new_tsec;
         struct inode_security_struct *isec;
         struct common_audit_data ad;
-        struct inode *inode = bprm->file->f_path.dentry->d_inode;
+        struct inode *inode = file_inode(bprm->file);
         int rc;
 
         rc = cap_bprm_set_creds(bprm);
@@ -2929,7 +2929,7 @@ static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
 static int selinux_revalidate_file_permission(struct file *file, int mask)
 {
         const struct cred *cred = current_cred();
-        struct inode *inode = file->f_path.dentry->d_inode;
+        struct inode *inode = file_inode(file);
 
         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
@@ -2941,7 +2941,7 @@ static int selinux_revalidate_file_permission(struct file *file, int mask)
 
 static int selinux_file_permission(struct file *file, int mask)
 {
-        struct inode *inode = file->f_path.dentry->d_inode;
+        struct inode *inode = file_inode(file);
         struct file_security_struct *fsec = file->f_security;
         struct inode_security_struct *isec = inode->i_security;
         u32 sid = current_sid();
@@ -3218,7 +3218,7 @@ static int selinux_file_open(struct file *file, const struct cred *cred)
         struct inode_security_struct *isec;
 
         fsec = file->f_security;
-        isec = file->f_path.dentry->d_inode->i_security;
+        isec = file_inode(file)->i_security;
         /*
          * Save inode label and policy sequence number
          * at open-time so that selinux_file_permission
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 3a6e8731646c..ff427733c290 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -202,7 +202,7 @@ static ssize_t sel_read_handle_unknown(struct file *filp, char __user *buf,
 {
         char tmpbuf[TMPBUFLEN];
         ssize_t length;
-        ino_t ino = filp->f_path.dentry->d_inode->i_ino;
+        ino_t ino = file_inode(filp)->i_ino;
         int handle_unknown = (ino == SEL_REJECT_UNKNOWN) ?
                 security_get_reject_unknown() : !security_get_allow_unknown();
 
@@ -671,7 +671,7 @@ static ssize_t (*write_op[])(struct file *, char *, size_t) = {
 
 static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos)
 {
-        ino_t ino = file->f_path.dentry->d_inode->i_ino;
+        ino_t ino = file_inode(file)->i_ino;
         char *data;
         ssize_t rv;
 
@@ -1042,8 +1042,7 @@ static ssize_t sel_read_bool(struct file *filep, char __user *buf,
         ssize_t length;
         ssize_t ret;
         int cur_enforcing;
-        struct inode *inode = filep->f_path.dentry->d_inode;
-        unsigned index = inode->i_ino & SEL_INO_MASK;
+        unsigned index = file_inode(filep)->i_ino & SEL_INO_MASK;
         const char *name = filep->f_path.dentry->d_name.name;
 
         mutex_lock(&sel_mutex);
@@ -1077,8 +1076,7 @@ static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
         char *page = NULL;
         ssize_t length;
         int new_value;
-        struct inode *inode = filep->f_path.dentry->d_inode;
-        unsigned index = inode->i_ino & SEL_INO_MASK;
+        unsigned index = file_inode(filep)->i_ino & SEL_INO_MASK;
         const char *name = filep->f_path.dentry->d_name.name;
 
         mutex_lock(&sel_mutex);
@@ -1486,13 +1484,11 @@ static int sel_make_avc_files(struct dentry *dir)
 static ssize_t sel_read_initcon(struct file *file, char __user *buf,
                                 size_t count, loff_t *ppos)
 {
-        struct inode *inode;
         char *con;
         u32 sid, len;
         ssize_t ret;
 
-        inode = file->f_path.dentry->d_inode;
-        sid = inode->i_ino&SEL_INO_MASK;
+        sid = file_inode(file)->i_ino&SEL_INO_MASK;
         ret = security_sid_to_context(sid, &con, &len);
         if (ret)
                 return ret;
@@ -1553,7 +1549,7 @@ static inline u32 sel_ino_to_perm(unsigned long ino)
 static ssize_t sel_read_class(struct file *file, char __user *buf,
                                 size_t count, loff_t *ppos)
 {
-        unsigned long ino = file->f_path.dentry->d_inode->i_ino;
+        unsigned long ino = file_inode(file)->i_ino;
         char res[TMPBUFLEN];
         ssize_t len = snprintf(res, sizeof(res), "%d", sel_ino_to_class(ino));
         return simple_read_from_buffer(buf, count, ppos, res, len);
@@ -1567,7 +1563,7 @@ static const struct file_operations sel_class_ops = {
 static ssize_t sel_read_perm(struct file *file, char __user *buf,
                                 size_t count, loff_t *ppos)
 {
-        unsigned long ino = file->f_path.dentry->d_inode->i_ino;
+        unsigned long ino = file_inode(file)->i_ino;
         char res[TMPBUFLEN];
         ssize_t len = snprintf(res, sizeof(res), "%d", sel_ino_to_perm(ino));
         return simple_read_from_buffer(buf, count, ppos, res, len);
@@ -1584,7 +1580,7 @@ static ssize_t sel_read_policycap(struct file *file, char __user *buf,
         int value;
         char tmpbuf[TMPBUFLEN];
         ssize_t length;
-        unsigned long i_ino = file->f_path.dentry->d_inode->i_ino;
+        unsigned long i_ino = file_inode(file)->i_ino;
 
         value = security_policycap_supported(i_ino & SEL_INO_MASK);
         length = scnprintf(tmpbuf, TMPBUFLEN, "%d", value);
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 38be92ce901e..fa64740abb59 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -456,7 +456,7 @@ static int smack_sb_umount(struct vfsmount *mnt, int flags)
  */
 static int smack_bprm_set_creds(struct linux_binprm *bprm)
 {
-        struct inode *inode = bprm->file->f_path.dentry->d_inode;
+        struct inode *inode = file_inode(bprm->file);
         struct task_smack *bsp = bprm->cred->security;
         struct inode_smack *isp;
         int rc;
@@ -1187,21 +1187,15 @@ static int smack_mmap_file(struct file *file,
         char *msmack;
         char *osmack;
         struct inode_smack *isp;
-        struct dentry *dp;
         int may;
         int mmay;
         int tmay;
         int rc;
 
-        if (file == NULL || file->f_dentry == NULL)
-                return 0;
-
-        dp = file->f_dentry;
-
-        if (dp->d_inode == NULL)
+        if (file == NULL)
                 return 0;
 
-        isp = dp->d_inode->i_security;
+        isp = file_inode(file)->i_security;
         if (isp->smk_mmap == NULL)
                 return 0;
         msmack = isp->smk_mmap;
@@ -1359,7 +1353,7 @@ static int smack_file_receive(struct file *file)
  */
 static int smack_file_open(struct file *file, const struct cred *cred)
 {
-        struct inode_smack *isp = file->f_path.dentry->d_inode->i_security;
+        struct inode_smack *isp = file_inode(file)->i_security;
 
         file->f_security = isp->smk_inode;
 
diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c
index 8592f2fc6ebb..fcf32783b66b 100644
--- a/security/tomoyo/securityfs_if.c
+++ b/security/tomoyo/securityfs_if.c
@@ -135,7 +135,7 @@ static const struct file_operations tomoyo_self_operations = {
  */
 static int tomoyo_open(struct inode *inode, struct file *file)
 {
-        const int key = ((u8 *) file->f_path.dentry->d_inode->i_private)
+        const int key = ((u8 *) file_inode(file)->i_private)
                 - ((u8 *) NULL);
         return tomoyo_open_control(key, file);
 }