From: "J. Bruce Fields" <bfields@xxxxxxxxxx> We shouldn't be returning success from this function without also filling in the return values ctx and ctxlen. Note currently this doesn't appear to cause bugs since the only inode_getsecctx caller I can find is fs/sysfs/inode.c, which only calls this if security_inode_setsecurity succeeds. Assuming security_inode_setsecurity is set to cap_inode_setsecurity whenever inode_getsecctx is set to cap_inode_getsecctx, this function can never actually be called. So I noticed this only because the server labeled NFS patches add a real caller. Signed-off-by: J. Bruce Fields <bfields@xxxxxxxxxx> --- security/capability.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Also, assuming this is correct, would you be willing to apply it for 3.10? If you'd prefer it wait till the next merge window: could you ACK it, and let me merge it through the nfsd tree? (It's a prerequisite for the labeled NFS patches that I hope to merge for 3.11.) diff --git a/security/capability.c b/security/capability.c index d32e16e..32b5157 100644 --- a/security/capability.c +++ b/security/capability.c @@ -858,7 +858,7 @@ static int cap_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) static int cap_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) { - return 0; + return -EOPNOTSUPP; } #ifdef CONFIG_KEYS static int cap_key_alloc(struct key *key, const struct cred *cred, -- 1.7.9.5
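Review bot: In cap_inode_getsecctx, the new `return -EOPNOTSUPP;` still leaves *ctx and *ctxlen unwritten, so the stub is only safe for callers that check the return value before touching either output. Consider setting `*ctx = NULL; *ctxlen = 0;` ahead of the return, or adding a one-line comment on the stub stating that the outputs are valid only when 0 is returned. The commit message names fs/sysfs/inode.c as the only caller found; since the return value changes from 0 to an error, it would help to state there how that caller handles a failure from this hook, rather than relying only on the assumption that the stub is never reached.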