Currently ext4_mb_good_group() only returns 0 or 1 depending on whether
the allocation group is suitable for use or not. However we might get
various errors and fail while initializing new group including -EIO
which would never get propagated up the call chain. This might lead to
an endless loop at writeback when we're trying to find a good group to
allocate from and we fail to initialize new group (read error for
example).

Fix this by returning proper error code from ext4_mb_good_group() and
using it in ext4_mb_regular_allocator(). In ext4_mb_regular_allocator()
we will always return only the first occurred error from
ext4_mb_good_group() and we only propagate it back  to the caller if we
do not get any other errors and we fail to allocate any blocks.

Note that with other modes than errors=continue, we will fail
immediately in ext4_mb_good_group() in case of error, however with
errors=continue we should try to continue using the file system, that's
why we're not going to fail immediately when we see an error from
ext4_mb_good_group(), but rather when we fail to find a suitable block
group to allocate from due to an problem in group initialization.
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>

Currently on the machines with page size > block size when initializing
block group buddy cache we initialize it for all the block group bitmaps
in the page. However in the case of read error, checksum error, or if
a single bitmap is in any way corrupted we would fail to initialize all
of the bitmaps. This is problematic because we will not have access to
the other allocation groups even though those might be perfectly fine
and usable.

Fix this by reading all the bitmaps instead of error out on the first
problem and simply skip the bitmaps which were either not read properly,
or are not valid.
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

If we want to rely on the buffer_verified() flag of the block bitmap
buffer, we have to set it consistently. However currently if we're
initializing uninitialized block bitmap in
ext4_read_block_bitmap_nowait() we're not going to set buffer verified
at all.

We can do this by simply setting the flag on the buffer, but I think
it's actually better to run ext4_validate_block_bitmap() to make sure
that what we did in the ext4_init_block_bitmap() is right.

So run ext4_validate_block_bitmap() even after the block bitmap
initialization. Also bail out early from ext4_validate_block_bitmap() if
we see corrupt bitmap, since we already know it's corrupt and we do not
need to verify that.
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

This basically reverts 47def826 (jbd2: Remove __GFP_NOFAIL from jbd2
layer). The deprecation of __GFP_NOFAIL was a bad choice because it led
to open coding the endless loop around the allocator rather than
removing the dependency on the non failing allocation. So the
deprecation was a clear failure and the reality tells us that
__GFP_NOFAIL is not even close to go away.

It is still true that __GFP_NOFAIL allocations are generally discouraged
and new uses should be evaluated and an alternative (pre-allocations or
reservations) should be considered but it doesn't make any sense to lie
the allocator about the requirements. Allocator can take steps to help
making a progress if it knows the requirements.
Signed-off-by: Michal Hocko <mhocko@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Acked-by: David Rientjes <rientjes@google.com>

Previously we allocated bounce pages using a combination of
alloc_page() and mempool_alloc() with the __GFP_WAIT bit set.
Instead, use mempool_alloc() with GFP_NOWAIT.  The mempool_alloc()
function will try using alloc_pages() initially, and then only use the
mempool reserve of pages if alloc_pages() is unable to fulfill the
request.

This minimizes the the impact on the mm layer when we need to do a
large amount of writeback of encrypted files, as Jaeguk Kim had
reported that under a heavy fio workload on a system with restricted
amounts memory (which unfortunately, includes many mobile handsets),
he had observed the the OOM killer getting triggered several times.
Using GFP_NOWAIT

If the mempool_alloc() function fails, we will retry the page
writeback at a later time; the function of the mempool is to ensure
that we can writeback at least 32 pages at a time, so we can more
efficiently dispatch I/O under high memory pressure situations.  In
the future we should make this be a tunable so we can determine the
best tradeoff between permanently sequestering memory and the ability
to quickly launder pages so we can free up memory quickly when
necessary.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Crypto resource should be released when ext4 module exits, otherwise
it will cause memory leak.
Signed-off-by: Chao Yu <chao2.yu@samsung.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Fix up attempts by users to try to write to a file when they don't
have access to the encryption key.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Previously we were taking the required padding when allocating space
for the on-disk symlink.  This caused a buffer overrun which could
trigger a krenel crash when running fsstress.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Fix a potential memory leak where fname->crypto_buf.name wouldn't get
freed in some error paths, and also make the error handling easier to
understand/audit.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Thanks to Chao Yu <chao2.yu@samsung.com> for pointing out we were
missing this check.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Thanks to Chao Yu <chao2.yu@samsung.com> for pointing out the need for
this check.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Factor out calls to ext4_inherit_context() and move them to
__ext4_new_inode(); this fixes a problem where ext4_tmpfile() wasn't
calling calling ext4_inherit_context(), so the temporary file wasn't
getting protected.  Since the blocks for the tmpfile could end up on
disk, they really should be protected if the tmpfile is created within
the context of an encrypted directory.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Set up the encryption information for newly created inodes immediately
after they inherit their encryption context from their parent
directories.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

ext4_encrypted_zeroout() could end up leaking a bio and bounce page.
Fortunately it's not used much.  While we're fixing things up,
refactor out common code into the static function alloc_bounce_page()
and fix up error handling if mempool_alloc() fails.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

As suggested by Herbert Xu, we shouldn't allocate a new tfm each time
we read or write a page.  Instead we can use a single tfm hanging off
the inode's crypt_info structure for all of our encryption needs for
that inode, since the tfm can be used by multiple crypto requests in
parallel.

Also use cmpxchg() to avoid races that could result in crypt_info
structure getting doubly allocated or doubly freed.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

On arm64 this is apparently needed for CTS mode to function correctly.
Otherwise attempts to use CTS return ENOENT.

Change-Id: I732ea9a5157acc76de5b89edec195d0365f4ca63
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Some fields are only used when the crypto_ctx is being used on the
read path, some are only used on the write path, and some are only
used when the structure is on free list.  Optimize memory use by using
a union.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

The ci_mode field was superfluous, and getting rid of it gets rid of
an unused hole in the structure.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Use slab caches the ext4_crypto_ctx and ext4_crypt_info structures for
slighly better memory efficiency and debuggability.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

The superblock fields s_file_encryption_mode and s_dir_encryption_mode
are vestigal, so remove them as a cleanup.  While we're at it, allow
file systems with both encryption and inline_data enabled at the same
time to work correctly.  We can't have encrypted inodes with inline
data, but there's no reason to prohibit unencrypted inodes from using
the inline data feature.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

This is a pretty massive patch which does a number of different things:

1) The per-inode encryption information is now stored in an allocated
   data structure, ext4_crypt_info, instead of directly in the node.
   This reduces the size usage of an in-memory inode when it is not
   using encryption.

2) We drop the ext4_fname_crypto_ctx entirely, and use the per-inode
   encryption structure instead.  This remove an unnecessary memory
   allocation and free for the fname_crypto_ctx as well as allowing us
   to reuse the ctfm in a directory for multiple lookups and file
   creations.

3) We also cache the inode's policy information in the ext4_crypt_info
   structure so we don't have to continually read it out of the
   extended attributes.

4) We now keep the keyring key in the inode's encryption structure
   instead of releasing it after we are done using it to derive the
   per-inode key.  This allows us to test to see if the key has been
   revoked; if it has, we prevent the use of the derived key and free
   it.

5) When an inode is released (or when the derived key is freed), we
   will use memset_explicit() to zero out the derived key, so it's not
   left hanging around in memory.  This implies that when a user logs
   out, it is important to first revoke the key, and then unlink it,
   and then finally, to use "echo 3 > /proc/sys/vm/drop_caches" to
   release any decrypted pages and dcache entries from the system
   caches.

6) All this, and we also shrink the number of lines of code by around
   100.  :-)
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Use struct ext4_encryption_key only for the master key passed via the
kernel keyring.

For internal kernel space users, we now use struct ext4_crypt_info.
This will allow us to put information from the policy structure so we
can cache it and avoid needing to constantly looking up the extended
attribute.  We will do this in a spearate patch.  This patch is mostly
mechnical to make it easier for patch review.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Encrypt the filename as soon it is passed in by the user.  This avoids
our needing to encrypt the filename 2 or 3 times while in the process
of creating a filename.

Similarly, when looking up a directory entry, encrypt the filename
early, or if the encryption key is not available, base-64 decode the
file syystem so that the hash value and the last 16 bytes of the
encrypted filename is available in the new struct ext4_filename data
structure.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

Two watchdog changes that came through different trees had a non
conflicting conflict, that is, one changed the semantics of a variable
but no actual code conflict happened. So the merge appeared fine, but
the resulting code did not behave as expected.

Commit 195daf66 ("watchdog: enable the new user interface of the
watchdog mechanism") changes the semantics of watchdog_user_enabled,
which thereafter is only used by the functions introduced by
b3738d29 ("watchdog: Add watchdog enable/disable all functions").

There further appears to be a distinct lack of serialization between
setting and using watchdog_enabled, so perhaps we should wrap the
{en,dis}able_all() things in watchdog_proc_mutex.

This patch fixes a s2r failure reported by Michal; which I cannot
readily explain. But this does make the code internally consistent
again.
Reported-and-tested-by: Michal Hocko <mhocko@suse.cz>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Pull MTD fixes from Brian Norris:
 "Two MTD fixes for 4.1:

   - readtest: the signal-handling code was clobbering the error codes
     we should be handling/reporting in this test, rendering it useless.
     Noticed by Coverity.

   - the common SPI NOR flash DT binding (merged for 4.1-rc1) is being
     revised, so let's change that before 4.1 is minted"

* tag 'for-linus-20150516' of git://git.infradead.org/linux-mtd:
  Documentation: dt: mtd: replace "nor-jedec" binding with "jedec, spi-nor"
  mtd: readtest: don't clobber error reports

Pull USB fixes from Greg KH:
 "Here are some USB fixes and new device ids for 4.1-rc4.

  All are pretty minor, and have been in linux-next successfully"

* tag 'usb-4.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  usb-storage: Add NO_WP_DETECT quirk for Lacie 059f:0651 devices
  Added another USB product ID for ELAN touchscreen quirks.
  xhci: gracefully handle xhci_irq dead device
  xhci: Solve full event ring by increasing TRBS_PER_SEGMENT to 256
  xhci: fix isoc endpoint dequeue from advancing too far on transaction error
  usb: chipidea: debug: avoid out of bound read
  USB: visor: Match I330 phone more precisely
  USB: pl2303: Remove support for Samsung I330
  USB: cp210x: add ID for KCF Technologies PRN device
  usb: gadget: remove incorrect __init/__exit annotations
  usb: phy: isp1301: work around tps65010 dependency
  usb: gadget: serial: fix re-ordering of tx data
  usb: gadget: hid: Fix static variable usage
  usb: gadget: configfs: Fix interfaces array NULL-termination
  usb: gadget: xilinx: fix devm_ioremap_resource() check
  usb: dwc3: dwc3-omap: correct the register macros

Pull tty/serial fixes from Greg KH:
 "Here's some TTY and serial driver fixes for reported issues.

  All of these have been in linux-next successfully"

* tag 'tty-4.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
  pty: Fix input race when closing
  tty/n_gsm.c: fix a memory leak when gsmtty is removed
  Revert "serial/amba-pl011: Leave the TX IRQ alone when the UART is not open"
  serial: omap: Fix error handling in probe
  earlycon: Revert log warnings

Pull staging / IIO driver fixes from Greg KH:
 "Here's some staging and iio driver fixes to resolve a number of
  reported issues.

  All of these have been in linux-next for a while"

* tag 'staging-4.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (31 commits)
  iio: light: hid-sensor-prox: Fix memory leak in probe()
  iio: adc: cc10001: Add delay before setting START bit
  iio: adc: cc10001: Fix regulator_get_voltage() return value check
  iio: adc: cc10001: Fix incorrect use of power-up/power-down register
  staging: gdm724x: Correction of variable usage after applying ALIGN()
  iio: adc: cc10001: Fix the channel number mapping
  staging: vt6655: lock MACvWriteBSSIDAddress.
  staging: vt6655: CARDbUpdateTSF bss timestamp correct tsf counter value.
  staging: vt6655: vnt_tx_packet Correct TX order of OWNED_BY_NIC
  staging: vt6655: Fix 80211 control and management status reporting.
  staging: vt6655: implement IEEE80211_TX_STAT_NOACK_TRANSMITTED
  staging: vt6655: device_free_tx_buf use only ieee80211_tx_status_irqsafe
  staging: vt6656: use ieee80211_tx_info to select packet type.
  staging: rtl8712: freeing an ERR_PTR
  staging: sm750: remove incorrect __exit annotation
  iio: kfifo: Set update_needed to false only if a buffer was allocated
  iio: mcp320x: Fix occasional incorrect readings
  iio: accel: mma9553: check input value for activity period
  iio: accel: mma9553: add enable channel for activity
  iio: accel: mma9551_core: prevent buffer overrun
  ...

Pull char/misc fix from Greg KH:
 "Here is one fix, in the extcon subsystem, that resolves a reported
  issue.

  It's been in linux-next for a number of weeks now, sorry for not
  getting it to you sooner"

* tag 'char-misc-4.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
  extcon: usb-gpio: register extcon device before IRQ registration

Pull UML hostfs fix from Richard Weinberger:
 "This contains a single fix for a regression introduced in 4.1-rc1"

* 'for-linus-4.1-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml:
  hostfs: Use correct mask for file mode

Pull UBI bufix from Richard Weinberger:
 "This contains a single bug fix for the UBI block driver"

* tag 'upstream-4.1-rc4' of git://git.infradead.org/linux-ubifs:
  UBI: block: Add missing cache flushes

Pull ext4 fixes from Ted Ts'o:
 "Fix a number of ext4 bugs; the most serious of which is a bug in the
  lazytime mount optimization code where we could end up updating the
  timestamps to the wrong inode"

* tag 'for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
  ext4: fix an ext3 collapse range regression in xfstests
  jbd2: fix r_count overflows leading to buffer overflow in journal recovery
  ext4: check for zero length extent explicitly
  ext4: fix NULL pointer dereference when journal restart fails
  ext4: remove unused function prototype from ext4.h
  ext4: don't save the error information if the block device is read-only
  ext4: fix lazytime optimization

Pull btrfs fixes from Chris Mason:
 "The first commit is a fix from Filipe for a very old extent buffer
  reuse race that triggered a BUG_ON.  It hasn't come up often, I looked
  through old logs at FB and we hit it a handful of times over the last
  year.

  The rest are other corners he hit during testing"

* 'for-linus-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
  Btrfs: fix race when reusing stale extent buffers that leads to BUG_ON
  Btrfs: fix race between block group creation and their cache writeout
  Btrfs: fix panic when starting bg cache writeout after IO error
  Btrfs: fix crash after inode cache writeback failure

Pull MIPS fixes from Ralf Baechle:
 "Seven small fixes.  The shortlog below is a good description so no
  need to elaborate.

  It has sat in linux-next and survived the usual automated testing by
  Imagination's test farm"

* 'master' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
  MIPS: tlb-r4k: Fix PG_ELPA comment
  MIPS: Fix up obsolete cpu_set usage
  MIPS: IP32: Fix build errors in reset code in DS1685 platform hook.
  MIPS: KVM: Fix unused variable build warning
  MIPS: traps: remove extra Tainted: line from __show_regs() output
  MIPS: Fix wrong CHECKFLAGS (sparse builds) with GCC 5.1
  MIPS: Fix a preemption issue with thread's FPU defaults

Pull ARC fixes from Vineet Gupta.

* tag 'arc-4.1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
  ARC: inline cache flush toggle helpers
  ARC: With earlycon in use, retire EARLY_PRINTK
  ARC: unbork !LLSC build

Pull ARM SoC fixes from Arnd Bergmann:
 "Nothing frightening this time, just smaller fixes in a number of
  places.

  The other changes contained here are:

   MAINTAINERS file updates:

   - The mach-gemini maintainer is back in action and has a new git tree

   - Krzysztof Kozlowski has volunteered to be a new co-maintainer for
     the samsung platforms

   - updates to the files that belong to Marvell mvebu

  Bug fixes:

   - The largest changes are on omap2, but are only to avoid some
     harmless warnings and to fix reset on omap4

   - a small regression fix on tegra

   - multiple fixes for incorrect IRQ affinity on vexpress

   - the missing system controller on arm64 juno is added

   - one revert of a patch that was accidentally applied twice for
     mach-rockchip

   - two clock related DT fixes for mvebu

   - a workaround for suspend with old DT binaries on new exynos kernels

   - Another fix for suspend on exynos, needs to be backported"

* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (21 commits)
  MAINTAINERS: Add dts entries for some of the Marvell SoCs
  MAINTAINERS: ARM: EXYNOS: Add Krzysztof Kozlowski as co-maintainer
  ARM: EXYNOS: Use of_machine_is_compatible instead of soc_is_exynos4
  ARM: EXYNOS: Fix failed second suspend on Exynos4
  Revert "ARM: rockchip: fix undefined instruction of reset_ctrl_regs"
  ARM: EXYNOS: Fix dereference of ERR_PTR returned by of_genpd_get_from_provider
  ARM: EXYNOS: Don't try to initialize suspend on old DT
  ARM: dts: Add keep-power-in-suspend to WiFi SDIO node for Peach Boards
  ARM: gemini: fix compiler warning due wrong data type
  ARM: vexpress/tc2: Add interrupt-affinity to the PMU node
  ARM: vexpress/ca9: Add interrupt-affinity to the PMU node
  ARM: vexpress/ca9: Add unified-cache property to l2 cache node
  ARM64: juno: add sp810 support and fix sp804 clock frequency
  ARM: Gemini: Maintainers update
  ARM: OMAP2+: Remove bogus struct clk comparison for timer clock
  ARM: dove: Add clock-names to CuBox Si5351 clk generator
  ARM: AM33xx+: hwmod: re-use omap4 implementations for reset functionality
  ARM: OMAP4+: PRM: add support for passing status register/bit info to reset
  ARM: AM43xx: hwmod: add VPFE hwmod entries
  ARM: mvebu: Fix the main PLL frequency on Armada 375, 38x and 39x SoCs
  ...

Pull thermal fixes from Zhang Rui:
 "Specifics:

   - fix an issue in intel_powerclamp driver that idle injection target
     is not accurately maintained on newer Intel CPUs.  Package C8 to
     C10 states are introduced on these CPUs but they were not included
     in the package c-state residency calculation.  From Jacob Pan.

   - fix a problem that package c-state idle injection was missing on
     Broadwell server, by adding its id to intel_powerclamp driver.
     From Jacob Pan.

   - a couple of small fixes and cleanups from Joe Perches, Mathias
     Krause, Dan Carpenter and Anand Moon"

* 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux:
  tools/thermal: tmon: fixed the 'make install' command
  thermal: rockchip: fix an error code
  thermal/powerclamp: fix missing newer package c-states
  thermal/intel_powerclamp: add id for broadwell server
  thermal/intel_powerclamp: add __init / __exit annotations
  thermal: Use bool function return values of true/false not 1/0