linux/fs, branch v2.6.34

Merge git://git.kernel.org/pub/scm/linux/kernel/git/mason/btrfs-unstable

2010-05-15T19:55:31Z

* git://git.kernel.org/pub/scm/linux/kernel/git/mason/btrfs-unstable: Btrfs: check for read permission on src file in the clone ioctl

Btrfs: check for read permission on src file in the clone ioctl

2010-05-15T16:05:50Z

The existing code would have allowed you to clone a file that was only open for writing Signed-off-by: Chris Mason

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6

2010-05-15T16:03:15Z

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6: JFS: Free sbi memory in error path fs/sysv: dereferencing ERR_PTR() Fix double-free in logfs Fix the regression created by "set S_DEAD on unlink()..." commit

JFS: Free sbi memory in error path

2010-05-15T11:16:34Z

I spotted the missing kfree() while removing the BKL. [akpm@linux-foundation.org: avoid multiple returns so it doesn't happen again] Signed-off-by: Jan Blunck Cc: Dave Kleikamp Signed-off-by: Andrew Morton Signed-off-by: Al Viro

fs/sysv: dereferencing ERR_PTR()

2010-05-15T11:16:33Z

I moved the dir_put_page() inside the if condition so we don't dereference "page", if it's an ERR_PTR(). Signed-off-by: Dan Carpenter Signed-off-by: Al Viro

Fix double-free in logfs

2010-05-15T11:16:33Z

iput() is needed *until* we'd done successful d_alloc_root() Signed-off-by: Al Viro

Fix the regression created by "set S_DEAD on unlink()..." commit

2010-05-15T11:16:33Z

1) i_flags simply doesn't work for mount/unlink race prevention; we may have many links to file and rm on one of those obviously shouldn't prevent bind on top of another later on. To fix it right way we need to mark _dentry_ as unsuitable for mounting upon; new flag (DCACHE_CANT_MOUNT) is protected by d_flags and i_mutex on the inode in question. Set it (with dont_mount(dentry)) in unlink/rmdir/etc., check (with cant_mount(dentry)) in places in namespace.c that used to check for S_DEAD. Setting S_DEAD is still needed in places where we used to set it (for directories getting killed), since we rely on it for readdir/rmdir race prevention. 2) rename()/mount() protection has another bogosity - we unhash the target before we'd checked that it's not a mountpoint. Fixed. 3) ancient bogosity in pivot_root() - we locked i_mutex on the right directory, but checked S_DEAD on the different (and wrong) one. Noticed and fixed. Signed-off-by: Al Viro

Merge branch 'for-linus' of git://git.infradead.org/users/eparis/notify

2010-05-14T18:49:42Z

* 'for-linus' of git://git.infradead.org/users/eparis/notify: inotify: don't leak user struct on inotify release inotify: race use after free/double free in inotify inode marks inotify: clean up the inotify_add_watch out path Inotify: undefined reference to `anon_inode_getfd' Manual merge to remove duplicate "select ANON_INODES" from Kconfig file

inotify: don't leak user struct on inotify release

2010-05-14T15:53:36Z

inotify_new_group() receives a get_uid-ed user_struct and saves the reference on group->inotify_data.user. The problem is that free_uid() is never called on it. Issue seem to be introduced by 63c882a0 (inotify: reimplement inotify using fsnotify) after 2.6.30. Signed-off-by: Pavel Emelyanov Eric Paris Cc: Signed-off-by: Andrew Morton Signed-off-by: Eric Paris

inotify: race use after free/double free in inotify inode marks

2010-05-14T15:52:57Z

There is a race in the inotify add/rm watch code. A task can find and remove a mark which doesn't have all of it's references. This can result in a use after free/double free situation. Task A Task B ------------ ----------- inotify_new_watch() allocate a mark (refcnt == 1) add it to the idr inotify_rm_watch() inotify_remove_from_idr() fsnotify_put_mark() refcnt hits 0, free take reference because we are on idr [at this point it is a use after free] [time goes on] refcnt may hit 0 again, double free The fix is to take the reference BEFORE the object can be found in the idr. Signed-off-by: Eric Paris Cc: