1. 12 Mar, 2020 1 commit
  2. 11 Mar, 2020 7 commits
    • Linus Torvalds's avatar
      Merge tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/fscrypt · e6e6ec48
      Linus Torvalds authored
      Pull fscrypt fix from Eric Biggers:
       "Fix a bug where if userspace is writing to encrypted files while the
        FS_IOC_REMOVE_ENCRYPTION_KEY ioctl (introduced in v5.4) is running,
        dirty inodes could be evicted, causing writes could be lost or the
        filesystem to hang due to a use-after-free. This was encountered
        during real-world use, not just theoretical.
      
        Tested with the existing fscrypt xfstests, and with a new xfstest I
        wrote to reproduce this bug. This fix does expose an existing bug with
        '-o lazytime' that Ted is working on fixing, but this fix is more
        critical and needed anyway regardless of the lazytime fix"
      
      * tag 'fscrypt-for-linus' of git://git.kernel.org/pub/scm/fs/fscrypt/fscrypt:
        fscrypt: don't evict dirty inodes after removing key
      e6e6ec48
    • Linus Torvalds's avatar
      Merge tag 'for-linus-2020-03-10' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux · addcb1d0
      Linus Torvalds authored
      Pull thread fix from Christian Brauner:
       "This contains a single fix for a regression which was introduced when
        we introduced the ability to select a specific pid at process creation
        time.
      
        When this feature is requested, the error value will be set to -EPERM
        after exiting the pid allocation loop. This caused EPERM to be
        returned when e.g. the init process/child subreaper of the pid
        namespace has already died where we used to return ENOMEM before.
      
        The first patch here simply fixes the regression by unconditionally
        setting the return value back to ENOMEM again once we've successfully
        allocated the requested pid number. This should be easy to backport to
        v5.5.
      
        The second patch adds a comment explaining that we must keep returning
        ENOMEM since we've been doing it for a long time and have explicitly
        documented this behavior for userspace. This seemed worthwhile because
        we now have at least two separate example where people tried to change
        the return value to something other than ENOMEM (The first version of
        the regression fix did that too and the commit message links to an
        earlier patch that tried to do the same.).
      
        I have a simple regression test to make sure we catch this regression
        in the future but since that introduces a whole new selftest subdir
        and test files I'll keep this for v5.7"
      
      * tag 'for-linus-2020-03-10' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux:
        pid: make ENOMEM return value more obvious
        pid: Fix error return value in some cases
      addcb1d0
    • Linus Torvalds's avatar
      Merge tag 'trace-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 36feb996
      Linus Torvalds authored
      Pull ftrace fix from Steven Rostedt:
       "Have ftrace lookup_rec() return a consistent record otherwise it can
        break live patching"
      
      * tag 'trace-v5.6-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        ftrace: Return the first found result in lookup_rec()
      36feb996
    • Linus Torvalds's avatar
      Merge tag 'mips_fixes_5.6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · c7f26a0c
      Linus Torvalds authored
      Pull MIPS fixes from Thomas Bogendoerfer:
       "A few MIPS fixes:
      
         - DT fixes for CI20
      
         - Fix command line handling
      
         - Correct patchwork URL"
      
      * tag 'mips_fixes_5.6.1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MAINTAINERS: Correct MIPS patchwork URL
        MIPS: DTS: CI20: fix interrupt for pcf8563 RTC
        MIPS: DTS: CI20: fix PMU definitions for ACT8600
        MIPS: Fix CONFIG_MIPS_CMDLINE_DTB_EXTEND handling
      c7f26a0c
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v5.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · a6ff4631
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
       "Some pin control fixes for the v5.6 series.
      
        It comes down to memory leaks in the core and driver fixes. Some
        should have been sent earlier but they kept piling up and the world is
        just so full of distractions these days.
      
         - Fix some inverted pins in the Meson GLX driver.
      
         - Align the i.MX SC message structs causing warnings from KASan.
      
         - Balance the kref in pinctrl hogs so they are actually free:d when
           removing a pin control module. We haven't seen it before as people
           don't use modules for pin control that much, I think.
      
         - Add a missing call to pinctrl_unregister_mappings() another memory
           leak when using modules.
      
         - Fix the fwspec parsing in the Qualcomm driver.
      
         - Fix a syntax error in the Falcon driver.
      
         - Assign .irq_eoi conditionally in the Qualcomm driver, fixing a bug
           affecting elder Qualcomm platforms"
      
      * tag 'pinctrl-v5.6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: qcom: Assign irq_eoi conditionally
        pinctrl: falcon: fix syntax error
        pinctrl: qcom: ssbi-gpio: Fix fwspec parsing bug
        pinctrl: madera: Add missing call to pinctrl_unregister_mappings
        pinctrl: core: Remove extra kref_get which blocks hogs being freed
        pinctrl: imx: scu: Align imx sc msg structs to 4
        pinctrl: meson-gxl: fix GPIOX sdio pins
      a6ff4631
    • Christoph Hellwig's avatar
      driver code: clarify and fix platform device DMA mask allocation · e3a36eb6
      Christoph Hellwig authored
      This does three inter-related things to clarify the usage of the
      platform device dma_mask field. In the process, fix the bug introduced
      by cdfee562 ("driver core: initialize a default DMA mask for
      platform device") that caused Artem Tashkinov's laptop to not boot with
      newer Fedora kernels.
      
      This does:
      
       - First off, rename the field to "platform_dma_mask" to make it
         greppable.
      
         We have way too many different random fields called "dma_mask" in
         various data structures, where some of them are actual masks, and
         some of them are just pointers to the mask. And the structures all
         have pointers to each other, or embed each other inside themselves,
         and "pdev" sometimes means "platform device" and sometimes it means
         "PCI device".
      
         So to make it clear in the code when you actually use this new field,
         give it a unique name (it really should be something even more unique
         like "platform_device_dma_mask", since it's per platform device, not
         per platform, but that gets old really fast, and this is unique
         enough in context).
      
         To further clarify when the field gets used, initialize it when we
         actually start using it with the default value.
      
       - Then, use this field instead of the random one-off allocation in
         platform_device_register_full() that is now unnecessary since we now
         already have a perfectly fine allocation for it in the platform
         device structure.
      
       - The above then allows us to fix the actual bug, where the error path
         of platform_device_register_full() would unconditionally free the
         platform device DMA allocation with 'kfree()'.
      
         That kfree() was dont regardless of whether the allocation had been
         done earlier with the (now removed) kmalloc, or whether
         setup_pdev_dma_masks() had already been used and the dma_mask pointer
         pointed to the mask that was part of the platform device.
      
      It seems most people never triggered the error path, or only triggered
      it from a call chain that set an explicit pdevinfo->dma_mask value (and
      thus caused the unnecessary allocation that was "cleaned up" in the
      error path) before calling platform_device_register_full().
      
      Robin Murphy points out that in Artem's case the wdat_wdt driver failed
      in platform_device_add(), and that was the one that had called
      platform_device_register_full() with pdevinfo.dma_mask = 0, and would
      have caused that kfree() of pdev.dma_mask corrupting the heap.
      
      A later unrelated kmalloc() then oopsed due to the heap corruption.
      
      Fixes: cdfee562 ("driver core: initialize a default DMA mask for platform device")
      Reported-bisected-and-tested-by: default avatarArtem S. Tashkinov <aros@gmx.com>
      Reviewed-by: default avatarRobin Murphy <robin.murphy@arm.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e3a36eb6
    • Artem Savkov's avatar
      ftrace: Return the first found result in lookup_rec() · d9815bff
      Artem Savkov authored
      It appears that ip ranges can overlap so. In that case lookup_rec()
      returns whatever results it got last even if it found nothing in last
      searched page.
      
      This breaks an obscure livepatch late module patching usecase:
        - load livepatch
        - load the patched module
        - unload livepatch
        - try to load livepatch again
      
      To fix this return from lookup_rec() as soon as it found the record
      containing searched-for ip. This used to be this way prior lookup_rec()
      introduction.
      
      Link: http://lkml.kernel.org/r/20200306174317.21699-1-asavkov@redhat.com
      
      Cc: stable@vger.kernel.org
      Fixes: 7e16f581 ("ftrace: Separate out functionality from ftrace_location_range()")
      Signed-off-by: default avatarArtem Savkov <asavkov@redhat.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      d9815bff
  3. 10 Mar, 2020 5 commits
    • Linus Torvalds's avatar
      Merge tag 'clang-format-for-linus-v5.6-rc6' of git://github.com/ojeda/linux · f35111a9
      Linus Torvalds authored
      Pull clang-format update from Miguel Ojeda:
       "Another update for the .clang-format macro list
      
        It has been a while since the last time I sent one!"
      
      * tag 'clang-format-for-linus-v5.6-rc6' of git://github.com/ojeda/linux:
        clang-format: Update with the latest for_each macro list
      f35111a9
    • Linus Torvalds's avatar
      Merge tag 'auxdisplay-for-linus-v5.6-rc6' of git://github.com/ojeda/linux · 2a48b379
      Linus Torvalds authored
      Pull auxdisplay updates from Miguel Ojeda:
       "A few minor auxdisplay improvements:
      
         - charlcd: replace zero-length array with flexible-array member
           (kernel-wide cleanup by Gustavo A. R. Silva)
      
         - img-ascii-lcd: convert to devm_platform_ioremap_resource (Yangtao
           Li)
      
         - Fix Kconfig indentation (Krzysztof Kozlowski)
      
      * tag 'auxdisplay-for-linus-v5.6-rc6' of git://github.com/ojeda/linux:
        auxdisplay: charlcd: replace zero-length array with flexible-array member
        auxdisplay: img-ascii-lcd: convert to devm_platform_ioremap_resource
        auxdisplay: Fix Kconfig indentation
      2a48b379
    • Linus Torvalds's avatar
      Merge branch 'for-5.6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · e9414845
      Linus Torvalds authored
      Pull cgroup fixes from Tejun Heo:
      
       - cgroup.procs listing related fixes.
      
         It didn't interlock properly with exiting tasks leaving a short
         window where a cgroup has empty cgroup.procs but still can't be
         removed and misbehaved on short reads.
      
       - psi_show() crash fix on 32bit ino archs
      
       - Empty release_agent handling fix
      
      * 'for-5.6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        cgroup1: don't call release_agent when it is ""
        cgroup: fix psi_show() crash on 32bit ino archs
        cgroup: Iterate tasks that did not finish do_exit()
        cgroup: cgroup_procs_next should increase position index
        cgroup-v1: cgroup_pidlist_next should update position index
      e9414845
    • Linus Torvalds's avatar
      Merge branch 'for-5.6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq · 2c1aca4b
      Linus Torvalds authored
      Pull workqueue fixes from Tejun Heo:
       "Workqueue has been incorrectly round-robining per-cpu work items.
        Hillf's patch fixes that.
      
        The other patch documents memory-ordering properties of workqueue
        operations"
      
      * 'for-5.6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
        workqueue: don't use wq_select_unbound_cpu() for bound works
        workqueue: Document (some) memory-ordering properties of {queue,schedule}_work()
      2c1aca4b
    • Hillf Danton's avatar
      workqueue: don't use wq_select_unbound_cpu() for bound works · aa202f1f
      Hillf Danton authored
      wq_select_unbound_cpu() is designed for unbound workqueues only, but
      it's wrongly called when using a bound workqueue too.
      
      Fixing this ensures work queued to a bound workqueue with
      cpu=WORK_CPU_UNBOUND always runs on the local CPU.
      
      Before, that would happen only if wq_unbound_cpumask happened to include
      it (likely almost always the case), or was empty, or we got lucky with
      forced round-robin placement.  So restricting
      /sys/devices/virtual/workqueue/cpumask to a small subset of a machine's
      CPUs would cause some bound work items to run unexpectedly there.
      
      Fixes: ef557180 ("workqueue: schedule WORK_CPU_UNBOUND work on wq_unbound_cpumask CPUs")
      Cc: stable@vger.kernel.org # v4.5+
      Signed-off-by: default avatarHillf Danton <hdanton@sina.com>
      [dj: massage changelog]
      Signed-off-by: default avatarDaniel Jordan <daniel.m.jordan@oracle.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Lai Jiangshan <jiangshanlai@gmail.com>
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      aa202f1f
  4. 09 Mar, 2020 15 commits
  5. 08 Mar, 2020 11 commits
    • Linus Torvalds's avatar
      Merge tag 'char-misc-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 378fee2e
      Linus Torvalds authored
      Pull char/misc fixes from Greg KH:
       "Here are four small char/misc driver fixes for reported issues for
        5.6-rc5.
      
        These fixes are:
      
         - binder fix for a potential use-after-free problem found (took two
           tries to get it right)
      
         - interconnect core fix
      
         - altera-stapl driver fix
      
        All four of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'char-misc-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        binder: prevent UAF for binderfs devices II
        interconnect: Handle memory allocation errors
        altera-stapl: altera_get_note: prevent write beyond end of 'key'
        binder: prevent UAF for binderfs devices
      378fee2e
    • Linus Torvalds's avatar
      Merge tag 'driver-core-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core · b34e5c13
      Linus Torvalds authored
      Pull driver core and debugfs fixes from Greg KH:
       "Here are four small driver core / debugfs patches for 5.6-rc3:
      
         - debugfs api cleanup now that all debugfs_create_regset32() callers
           have been fixed up. This was waiting until after the -rc1 merge as
           these fixes came in through different trees
      
         - driver core sync state fixes based on reports of minor issues found
           in the feature
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'driver-core-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        driver core: Skip unnecessary work when device doesn't have sync_state()
        driver core: Add dev_has_sync_state()
        driver core: Call sync_state() even if supplier has no consumers
        debugfs: remove return value of debugfs_create_regset32()
      b34e5c13
    • Linus Torvalds's avatar
      Merge tag 'tty-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · cc432aee
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here are some small tty/serial fixes for 5.6-rc5
      
        Just some small serial driver fixes, and a vt core fixup, full details
        are:
      
         - vt fixes for issues found by syzbot
      
         - serdev fix for Apple boxes
      
         - fsl_lpuart serial driver fixes
      
         - MAINTAINER update for incorrect serial files
      
         - new device ids for 8250_exar driver
      
         - mvebu-uart fix
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'tty-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        tty: serial: fsl_lpuart: free IDs allocated by IDA
        Revert "tty: serial: fsl_lpuart: drop EARLYCON_DECLARE"
        serdev: Fix detection of UART devices on Apple machines.
        MAINTAINERS: Add missed files related to Synopsys DesignWare UART
        serial: 8250_exar: add support for ACCES cards
        tty:serial:mvebu-uart:fix a wrong return
        vt: selection, push sel_lock up
        vt: selection, push console lock down
      cc432aee
    • Linus Torvalds's avatar
      Merge tag 'usb-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · fd3f6cc9
      Linus Torvalds authored
      Pull USB/PHY fixes from Greg KH:
       "Here are some small USB and PHY driver fixes for reported issues for
        5.6-rc5.
      
        Included in here are:
      
         - phy driver fixes
      
         - new USB quirks
      
         - USB cdns3 gadget driver fixes
      
         - USB hub core fixes
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'usb-5.6-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: dwc3: gadget: Update chain bit correctly when using sg list
        usb: core: port: do error out if usb_autopm_get_interface() fails
        usb: core: hub: do error out if usb_autopm_get_interface() fails
        usb: core: hub: fix unhandled return by employing a void function
        usb: storage: Add quirk for Samsung Fit flash
        usb: quirks: add NO_LPM quirk for Logitech Screen Share
        usb: usb251xb: fix regulator probe and error handling
        phy: allwinner: Fix GENMASK misuse
        usb: cdns3: gadget: toggle cycle bit before reset endpoint
        usb: cdns3: gadget: link trb should point to next request
        phy: mapphone-mdm6600: Fix timeouts by adding wake-up handling
        phy: brcm-sata: Correct MDIO operations for 40nm platforms
        phy: ti: gmii-sel: do not fail in case of gmii
        phy: ti: gmii-sel: fix set of copy-paste errors
        phy: core: Fix phy_get() to not return error on link creation failure
        phy: mapphone-mdm6600: Fix write timeouts with shorter GPIO toggle interval
      fd3f6cc9
    • Corey Minyard's avatar
      pid: Fix error return value in some cases · b26ebfe1
      Corey Minyard authored
      Recent changes to alloc_pid() allow the pid number to be specified on
      the command line.  If set_tid_size is set, then the code scanning the
      levels will hard-set retval to -EPERM, overriding it's previous -ENOMEM
      value.
      
      After the code scanning the levels, there are error returns that do not
      set retval, assuming it is still set to -ENOMEM.
      
      So set retval back to -ENOMEM after scanning the levels.
      
      Fixes: 49cb2fc4 ("fork: extend clone3() to support setting a PID")
      Signed-off-by: default avatarCorey Minyard <cminyard@mvista.com>
      Acked-by: default avatarChristian Brauner <christian.brauner@ubuntu.com>
      Cc: Andrei Vagin <avagin@gmail.com>
      Cc: Dmitry Safonov <0x7f454c46@gmail.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Adrian Reber <areber@redhat.com>
      Cc: <stable@vger.kernel.org> # 5.5
      Link: https://lore.kernel.org/r/20200306172314.12232-1-minyard@acm.org
      [christian.brauner@ubuntu.com: fixup commit message]
      Signed-off-by: default avatarChristian Brauner <christian.brauner@ubuntu.com>
      b26ebfe1
    • Nathan Chancellor's avatar
      virtio_balloon: Adjust label in virtballoon_probe · 6ae4edab
      Nathan Chancellor authored
      Clang warns when CONFIG_BALLOON_COMPACTION is unset:
      
      ../drivers/virtio/virtio_balloon.c:963:1: warning: unused label
      'out_del_vqs' [-Wunused-label]
      out_del_vqs:
      ^~~~~~~~~~~~
      1 warning generated.
      
      Move the label within the preprocessor block since it is only used when
      CONFIG_BALLOON_COMPACTION is set.
      
      Fixes: 1ad6f58e ("virtio_balloon: Fix memory leaks on errors in virtballoon_probe()")
      Link: https://github.com/ClangBuiltLinux/linux/issues/886Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Link: https://lore.kernel.org/r/20200216004039.23464-1-natechancellor@gmail.comSigned-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Reviewed-by: default avatarDavid Hildenbrand <david@redhat.com>
      6ae4edab
    • Halil Pasic's avatar
      virtio-blk: improve virtqueue error to BLK_STS · 3d973b2e
      Halil Pasic authored
      Let's change the mapping between virtqueue_add errors to BLK_STS
      statuses, so that -ENOSPC, which indicates virtqueue full is still
      mapped to BLK_STS_DEV_RESOURCE, but -ENOMEM which indicates non-device
      specific resource outage is mapped to BLK_STS_RESOURCE.
      Signed-off-by: default avatarHalil Pasic <pasic@linux.ibm.com>
      Link: https://lore.kernel.org/r/20200213123728.61216-3-pasic@linux.ibm.comSigned-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Reviewed-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
      3d973b2e
    • Halil Pasic's avatar
      virtio-blk: fix hw_queue stopped on arbitrary error · f5f6b95c
      Halil Pasic authored
      Since nobody else is going to restart our hw_queue for us, the
      blk_mq_start_stopped_hw_queues() is in virtblk_done() is not sufficient
      necessarily sufficient to ensure that the queue will get started again.
      In case of global resource outage (-ENOMEM because mapping failure,
      because of swiotlb full) our virtqueue may be empty and we can get
      stuck with a stopped hw_queue.
      
      Let us not stop the queue on arbitrary errors, but only on -EONSPC which
      indicates a full virtqueue, where the hw_queue is guaranteed to get
      started by virtblk_done() before when it makes sense to carry on
      submitting requests. Let us also remove a stale comment.
      Signed-off-by: default avatarHalil Pasic <pasic@linux.ibm.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Fixes: f7728002 ("virtio_ring: fix return code on DMA mapping fails")
      Link: https://lore.kernel.org/r/20200213123728.61216-2-pasic@linux.ibm.comSigned-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Reviewed-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
      f5f6b95c
    • Suman Anna's avatar
      virtio_ring: Fix mem leak with vring_new_virtqueue() · f13f09a1
      Suman Anna authored
      The functions vring_new_virtqueue() and __vring_new_virtqueue() are used
      with split rings, and any allocations within these functions are managed
      outside of the .we_own_ring flag. The commit cbeedb72 ("virtio_ring:
      allocate desc state for split ring separately") allocates the desc state
      within the __vring_new_virtqueue() but frees it only when the .we_own_ring
      flag is set. This leads to a memory leak when freeing such allocated
      virtqueues with the vring_del_virtqueue() function.
      
      Fix this by moving the desc_state free code outside the flag and only
      for split rings. Issue was discovered during testing with remoteproc
      and virtio_rpmsg.
      
      Fixes: cbeedb72 ("virtio_ring: allocate desc state for split ring separately")
      Signed-off-by: default avatarSuman Anna <s-anna@ti.com>
      Link: https://lore.kernel.org/r/20200224212643.30672-1-s-anna@ti.comSigned-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      f13f09a1
    • Eric Biggers's avatar
      fscrypt: don't evict dirty inodes after removing key · 2b4eae95
      Eric Biggers authored
      After FS_IOC_REMOVE_ENCRYPTION_KEY removes a key, it syncs the
      filesystem and tries to get and put all inodes that were unlocked by the
      key so that unused inodes get evicted via fscrypt_drop_inode().
      Normally, the inodes are all clean due to the sync.
      
      However, after the filesystem is sync'ed, userspace can modify and close
      one of the files.  (Userspace is *supposed* to close the files before
      removing the key.  But it doesn't always happen, and the kernel can't
      assume it.)  This causes the inode to be dirtied and have i_count == 0.
      Then, fscrypt_drop_inode() failed to consider this case and indicated
      that the inode can be dropped, causing the write to be lost.
      
      On f2fs, other problems such as a filesystem freeze could occur due to
      the inode being freed while still on f2fs's dirty inode list.
      
      Fix this bug by making fscrypt_drop_inode() only drop clean inodes.
      
      I've written an xfstest which detects this bug on ext4, f2fs, and ubifs.
      
      Fixes: b1c0ec35 ("fscrypt: add FS_IOC_REMOVE_ENCRYPTION_KEY ioctl")
      Cc: <stable@vger.kernel.org> # v5.4+
      Link: https://lore.kernel.org/r/20200305084138.653498-1-ebiggers@kernel.orgSigned-off-by: default avatarEric Biggers <ebiggers@google.com>
      2b4eae95
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 61a09258
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "Nothing particularly exciting, some small ODP regressions from the mmu
        notifier rework, another bunch of syzkaller fixes, and a bug fix for a
        botched syzkaller fix in the first rc pull request.
      
         - Fix busted syzkaller fix in 'get_new_pps' - this turned out to
           crash on certain HW configurations
      
         - Bug fixes for various missed things in error unwinds
      
         - Add a missing rcu_read_lock annotation in hfi/qib
      
         - Fix two ODP related regressions from the recent mmu notifier
           changes
      
         - Several more syzkaller bugs in siw, RDMA netlink, verbs and iwcm
      
         - Revert an old patch in CMA as it is now shown to not be allocating
           port numbers properly"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/iwcm: Fix iwcm work deallocation
        RDMA/siw: Fix failure handling during device creation
        RDMA/nldev: Fix crash when set a QP to a new counter but QPN is missing
        RDMA/odp: Ensure the mm is still alive before creating an implicit child
        RDMA/core: Fix protection fault in ib_mr_pool_destroy
        IB/mlx5: Fix implicit ODP race
        IB/hfi1, qib: Ensure RCU is locked when accessing list
        RDMA/core: Fix pkey and port assignment in get_new_pps
        RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
        RDMA/rw: Fix error flow during RDMA context initialization
        RDMA/core: Fix use of logical OR in get_new_pps
        Revert "RDMA/cma: Simplify rdma_resolve_addr() error flow"
      61a09258
  6. 07 Mar, 2020 1 commit
    • Linus Torvalds's avatar
      Merge tag 'io_uring-5.6-2020-03-07' of git://git.kernel.dk/linux-block · c2003765
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
       "Here are a few io_uring fixes that should go into this release. This
        contains:
      
         - Removal of (now) unused io_wq_flush() and associated flag (Pavel)
      
         - Fix cancelation lockup with linked timeouts (Pavel)
      
         - Fix for potential use-after-free when freeing percpu ref for fixed
           file sets
      
         - io-wq cancelation fixups (Pavel)"
      
      * tag 'io_uring-5.6-2020-03-07' of git://git.kernel.dk/linux-block:
        io_uring: fix lockup with timeouts
        io_uring: free fixed_file_data after RCU grace period
        io-wq: remove io_wq_flush and IO_WQ_WORK_INTERNAL
        io-wq: fix IO_WQ_WORK_NO_CANCEL cancellation
      c2003765