1. 20 Jun, 2018 3 commits
  2. 16 Jun, 2018 37 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.14.50 · cda6fd4d
      Greg Kroah-Hartman authored
      cda6fd4d
    • Bin Liu's avatar
      crypto: omap-sham - fix memleak · 87883c89
      Bin Liu authored
      commit 9dbc8a03 upstream.
      
      Fixes: 8043bb1a ("crypto: omap-sham - convert driver logic to use sgs for data xmit")
      
      The memory pages freed in omap_sham_finish_req() were less than those
      allocated in omap_sham_copy_sgs().
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarBin Liu <b-liu@ti.com>
      Acked-by: default avatarTero Kristo <t-kristo@ti.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      87883c89
    • Michael Ellerman's avatar
      crypto: vmx - Remove overly verbose printk from AES XTS init · efc67e74
      Michael Ellerman authored
      commit 730f23b6 upstream.
      
      In p8_aes_xts_init() we do a printk(KERN_INFO ...) to report the
      fallback implementation we're using. However with a slow console this
      can significantly affect the speed of crypto operations. So remove it.
      
      Fixes: c07f5d3d ("crypto: vmx - Adding support for XTS")
      Cc: stable@vger.kernel.org # v4.8+
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      efc67e74
    • Michael Ellerman's avatar
      crypto: vmx - Remove overly verbose printk from AES init routines · 1bc36d12
      Michael Ellerman authored
      commit 1411b521 upstream.
      
      In the vmx AES init routines we do a printk(KERN_INFO ...) to report
      the fallback implementation we're using.
      
      However with a slow console this can significantly affect the speed of
      crypto operations. Using 'cryptsetup benchmark' the removal of the
      printk() leads to a ~5x speedup for aes-cbc decryption.
      
      So remove them.
      
      Fixes: 8676590a ("crypto: vmx - Adding AES routines for VMX module")
      Fixes: 8c755ace ("crypto: vmx - Adding CBC routines for VMX module")
      Fixes: 4f7f60d3 ("crypto: vmx - Adding CTR routines for VMX module")
      Fixes: cc333cd6 ("crypto: vmx - Adding GHASH routines for VMX module")
      Cc: stable@vger.kernel.org # v4.1+
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1bc36d12
    • Jan Glauber's avatar
      crypto: cavium - Limit result reading attempts · b9705796
      Jan Glauber authored
      commit c782a8c4 upstream.
      
      After issuing a request an endless loop was used to read the
      completion state from memory which is asynchronously updated
      by the ZIP coprocessor.
      
      Add an upper bound to the retry attempts to prevent a CPU getting stuck
      forever in case of an error. Additionally, add a read memory barrier
      and a small delay between the reading attempts.
      Signed-off-by: default avatarJan Glauber <jglauber@cavium.com>
      Reviewed-by: default avatarRobert Richter <rrichter@cavium.com>
      Cc: stable <stable@vger.kernel.org> # 4.14
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b9705796
    • Jan Glauber's avatar
      crypto: cavium - Fix fallout from CONFIG_VMAP_STACK · 072e8b1f
      Jan Glauber authored
      commit 37ff02ac upstream.
      
      Enabling virtual mapped kernel stacks breaks the thunderx_zip
      driver. On compression or decompression the executing CPU hangs
      in an endless loop. The reason for this is the usage of __pa
      by the driver which does no longer work for an address that is
      not part of the 1:1 mapping.
      
      The zip driver allocates a result struct on the stack and needs
      to tell the hardware the physical address within this struct
      that is used to signal the completion of the request.
      
      As the hardware gets the wrong address after the broken __pa
      conversion it writes to an arbitrary address. The zip driver then
      waits forever for the completion byte to contain a non-zero value.
      
      Allocating the result struct from 1:1 mapped memory resolves this
      bug.
      Signed-off-by: default avatarJan Glauber <jglauber@cavium.com>
      Reviewed-by: default avatarRobert Richter <rrichter@cavium.com>
      Cc: stable <stable@vger.kernel.org> # 4.14
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      072e8b1f
    • Horia Geantă's avatar
      crypto: caam - fix size of RSA prime factor q · 4854c879
      Horia Geantă authored
      commit 4bffaab3 upstream.
      
      Fix a typo where size of RSA prime factor q is using the size of
      prime factor p.
      
      Cc: <stable@vger.kernel.org> # 4.13+
      Fixes: 52e26d77 ("crypto: caam - add support for RSA key form 2")
      Fixes: 4a651b12 ("crypto: caam - add support for RSA key form 3")
      Reported-by: default avatarDavid Binderman <dcb314@hotmail.com>
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4854c879
    • Horia Geantă's avatar
      crypto: caam/qi - fix IV DMA mapping and updating · f535e1c3
      Horia Geantă authored
      commit 3a488aae upstream.
      
      There are two IV-related issues:
      (1) crypto API does not guarantee to provide an IV buffer that is DMAable,
      thus it's incorrect to DMA map it
      (2) for in-place decryption, since ciphertext is overwritten with
      plaintext, updated IV (req->info) will contain the last block of plaintext
      (instead of the last block of ciphertext)
      
      While these two issues could be fixed separately, it's straightforward
      to fix both in the same time - by using the {ablkcipher,aead}_edesc
      extended descriptor to store the IV that will be fed to the crypto engine;
      this allows for fixing (2) by saving req->src[last_block] in req->info
      directly, i.e. without allocating yet another temporary buffer.
      
      A side effect of the fix is that it's no longer possible to have the IV
      contiguous with req->src or req->dst.
      Code checking for this case is removed.
      
      Cc: <stable@vger.kernel.org> # 4.14+
      Fixes: a68a1938 ("crypto: caam/qi - properly set IV after {en,de}crypt")
      Link: http://lkml.kernel.org/r/20170113084620.GF22022@gondor.apana.org.auReported-by: default avatarGilad Ben-Yossef <gilad@benyossef.com>
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f535e1c3
    • Horia Geantă's avatar
      crypto: caam - fix IV DMA mapping and updating · 9ed3135c
      Horia Geantă authored
      commit 115957bb upstream.
      
      There are two IV-related issues:
      (1) crypto API does not guarantee to provide an IV buffer that is DMAable,
      thus it's incorrect to DMA map it
      (2) for in-place decryption, since ciphertext is overwritten with
      plaintext, updated req->info will contain the last block of plaintext
      (instead of the last block of ciphertext)
      
      While these two issues could be fixed separately, it's straightforward
      to fix both in the same time - by allocating extra space in the
      ablkcipher_edesc for the IV that will be fed to the crypto engine;
      this allows for fixing (2) by saving req->src[last_block] in req->info
      directly, i.e. without allocating another temporary buffer.
      
      A side effect of the fix is that it's no longer possible to have the IV
      and req->src contiguous. Code checking for this case is removed.
      
      Cc: <stable@vger.kernel.org> # 4.13+
      Fixes: 854b06f7 ("crypto: caam - properly set IV after {en,de}crypt")
      Link: http://lkml.kernel.org/r/20170113084620.GF22022@gondor.apana.org.auReported-by: default avatarGilad Ben-Yossef <gilad@benyossef.com>
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ed3135c
    • Horia Geantă's avatar
      crypto: caam - fix DMA mapping dir for generated IV · 635ac89e
      Horia Geantă authored
      commit a38acd23 upstream.
      
      In case of GIVCIPHER, IV is generated by the device.
      Fix the DMA mapping direction.
      
      Cc: <stable@vger.kernel.org> # 3.19+
      Fixes: 7222d1a3 ("crypto: caam - add support for givencrypt cbc(aes) and rfc3686(ctr(aes))")
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      635ac89e
    • Horia Geantă's avatar
      crypto: caam - strip input zeros from RSA input buffer · ed0a7956
      Horia Geantă authored
      commit 8a2a0dd3 upstream.
      
      Sometimes the provided RSA input buffer provided is not stripped
      of leading zeros. This could cause its size to be bigger than that
      of the modulus, making the HW complain:
      
      caam_jr 2142000.jr1: 40000789: DECO: desc idx 7:
      Protocol Size Error - A protocol has seen an error in size. When
      running RSA, pdb size N < (size of F) when no formatting is used; or
      pdb size N < (F + 11) when formatting is used.
      
      Fix the problem by stripping off the leading zero from input data
      before feeding it to the CAAM accelerator.
      
      Fixes: 8c419778 ("crypto: caam - add support for RSA algorithm")
      Cc: <stable@vger.kernel.org> # 4.8+
      Reported-by: default avatarMartin Townsend <mtownsend1973@gmail.com>
      Link: https://lkml.kernel.org/r/CABatt_ytYORYKtApcB4izhNanEKkGFi9XAQMjHi_n-8YWoCRiw@mail.gmail.comSigned-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Tested-by: default avatarFabio Estevam <fabio.estevam@nxp.com>
      Reviewed-by: default avatarTudor Ambarus <tudor.ambarus@microchip.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ed0a7956
    • Johannes Wienke's avatar
      Input: elan_i2c - add ELAN0612 (Lenovo v330 14IKB) ACPI ID · 3c42aa03
      Johannes Wienke authored
      commit e6e7e9cd upstream.
      
      Add ELAN0612 to the list of supported touchpads; this ID is used in Lenovo
      v330 14IKB devices.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199253Signed-off-by: default avatarJohannes Wienke <languitar@semipol.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3c42aa03
    • Ethan Lee's avatar
      Input: goodix - add new ACPI id for GPD Win 2 touch screen · c4168f19
      Ethan Lee authored
      commit 5ca4d1ae upstream.
      
      GPD Win 2 Website: http://www.gpd.hk/gpdwin2.asp
      
      Tested on a unit from the first production run sent to Indiegogo backers
      Signed-off-by: default avatarEthan Lee <flibitijibibo@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c4168f19
    • Paolo Bonzini's avatar
      kvm: x86: use correct privilege level for sgdt/sidt/fxsave/fxrstor access · 53e4b19f
      Paolo Bonzini authored
      commit 3c9fa24c upstream.
      
      The functions that were used in the emulation of fxrstor, fxsave, sgdt and
      sidt were originally meant for task switching, and as such they did not
      check privilege levels.  This is very bad when the same functions are used
      in the emulation of unprivileged instructions.  This is CVE-2018-10853.
      
      The obvious fix is to add a new argument to ops->read_std and ops->write_std,
      which decides whether the access is a "system" access or should use the
      processor's CPL.
      
      Fixes: 129a72a0 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      53e4b19f
    • Dave Martin's avatar
      tty: pl011: Avoid spuriously stuck-off interrupts · 739ac8f4
      Dave Martin authored
      commit 4a7e625c upstream.
      
      Commit 9b96fbac ("serial: PL011: clear pending interrupts")
      clears the RX and receive timeout interrupts on pl011 startup, to
      avoid a screaming-interrupt scenario that can occur when the
      firmware or bootloader leaves these interrupts asserted.
      
      This has been noted as an issue when running Linux on qemu [1].
      
      Unfortunately, the above fix seems to lead to potential
      misbehaviour if the RX FIFO interrupt is asserted _non_ spuriously
      on driver startup, if the RX FIFO is also already full to the
      trigger level.
      
      Clearing the RX FIFO interrupt does not change the FIFO fill level.
      In this scenario, because the interrupt is now clear and because
      the FIFO is already full to the trigger level, no new assertion of
      the RX FIFO interrupt can occur unless the FIFO is drained back
      below the trigger level.  This never occurs because the pl011
      driver is waiting for an RX FIFO interrupt to tell it that there is
      something to read, and does not read the FIFO at all until that
      interrupt occurs.
      
      Thus, simply clearing "spurious" interrupts on startup may be
      misguided, since there is no way to be sure that the interrupts are
      truly spurious, and things can go wrong if they are not.
      
      This patch instead clears the interrupt condition by draining the
      RX FIFO during UART startup, after clearing any potentially
      spurious interrupt.  This should ensure that an interrupt will
      definitely be asserted if the RX FIFO subsequently becomes
      sufficiently full.
      
      The drain is done at the point of enabling interrupts only.  This
      means that it will occur any time the UART is newly opened through
      the tty layer.  It will not apply to polled-mode use of the UART by
      kgdboc: since that scenario cannot use interrupts by design, this
      should not matter.  kgdboc will interact badly with "normal" use of
      the UART in any case: this patch makes no attempt to paper over
      such issues.
      
      This patch does not attempt to address the case where the RX FIFO
      fills faster than it can be drained: that is a pathological
      hardware design problem that is beyond the scope of the driver to
      work around.  As a failsafe, the number of poll iterations for
      draining the FIFO is limited to twice the FIFO size.  This will
      ensure that the kernel at least boots even if it is impossible to
      drain the FIFO for some reason.
      
      [1] [Qemu-devel] [Qemu-arm] [PATCH] pl011: do not put into fifo
      before enabled the interruption
      https://lists.gnu.org/archive/html/qemu-devel/2018-01/msg06446.htmlReported-by: default avatarWei Xu <xuwei5@hisilicon.com>
      Cc: Russell King <linux@armlinux.org.uk>
      Cc: Linus Walleij <linus.walleij@linaro.org>
      Cc: Peter Maydell <peter.maydell@linaro.org>
      Fixes: 9b96fbac ("serial: PL011: clear pending interrupts")
      Signed-off-by: default avatarDave Martin <Dave.Martin@arm.com>
      Cc: stable <stable@vger.kernel.org>
      Tested-by: default avatarWei Xu <xuwei5@hisilicon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      739ac8f4
    • Gil Kupfer's avatar
      vmw_balloon: fixing double free when batching mode is off · 5ee296fd
      Gil Kupfer authored
      commit b23220fe upstream.
      
      The balloon.page field is used for two different purposes if batching is
      on or off. If batching is on, the field point to the page which is used
      to communicate with with the hypervisor. If it is off, balloon.page
      points to the page that is about to be (un)locked.
      
      Unfortunately, this dual-purpose of the field introduced a bug: when the
      balloon is popped (e.g., when the machine is reset or the balloon driver
      is explicitly removed), the balloon driver frees, unconditionally, the
      page that is held in balloon.page.  As a result, if batching is
      disabled, this leads to double freeing the last page that is sent to the
      hypervisor.
      
      The following error occurs during rmmod when kernel checkers are on, and
      the balloon is not empty:
      
      [   42.307653] ------------[ cut here ]------------
      [   42.307657] Kernel BUG at ffffffffba1e4b28 [verbose debug info unavailable]
      [   42.307720] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
      [   42.312512] Modules linked in: vmw_vsock_vmci_transport vsock ppdev joydev vmw_balloon(-) input_leds serio_raw vmw_vmci parport_pc shpchp parport i2c_piix4 nfit mac_hid autofs4 vmwgfx drm_kms_helper hid_generic syscopyarea sysfillrect usbhid sysimgblt fb_sys_fops hid ttm mptspi scsi_transport_spi ahci mptscsih drm psmouse vmxnet3 libahci mptbase pata_acpi
      [   42.312766] CPU: 10 PID: 1527 Comm: rmmod Not tainted 4.12.0+ #5
      [   42.312803] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 09/30/2016
      [   42.313042] task: ffff9bf9680f8000 task.stack: ffffbfefc1638000
      [   42.313290] RIP: 0010:__free_pages+0x38/0x40
      [   42.313510] RSP: 0018:ffffbfefc163be98 EFLAGS: 00010246
      [   42.313731] RAX: 000000000000003e RBX: ffffffffc02b9720 RCX: 0000000000000006
      [   42.313972] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9bf97e08e0a0
      [   42.314201] RBP: ffffbfefc163be98 R08: 0000000000000000 R09: 0000000000000000
      [   42.314435] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffc02b97e4
      [   42.314505] R13: ffffffffc02b9748 R14: ffffffffc02b9728 R15: 0000000000000200
      [   42.314550] FS:  00007f3af5fec700(0000) GS:ffff9bf97e080000(0000) knlGS:0000000000000000
      [   42.314599] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   42.314635] CR2: 00007f44f6f4ab24 CR3: 00000003a7d12000 CR4: 00000000000006e0
      [   42.314864] Call Trace:
      [   42.315774]  vmballoon_pop+0x102/0x130 [vmw_balloon]
      [   42.315816]  vmballoon_exit+0x42/0xd64 [vmw_balloon]
      [   42.315853]  SyS_delete_module+0x1e2/0x250
      [   42.315891]  entry_SYSCALL_64_fastpath+0x23/0xc2
      [   42.315924] RIP: 0033:0x7f3af5b0e8e7
      [   42.315949] RSP: 002b:00007fffe6ce0148 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      [   42.315996] RAX: ffffffffffffffda RBX: 000055be676401e0 RCX: 00007f3af5b0e8e7
      [   42.316951] RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055be67640248
      [   42.317887] RBP: 0000000000000003 R08: 0000000000000000 R09: 1999999999999999
      [   42.318845] R10: 0000000000000883 R11: 0000000000000206 R12: 00007fffe6cdf130
      [   42.319755] R13: 0000000000000000 R14: 0000000000000000 R15: 000055be676401e0
      [   42.320606] Code: c0 74 1c f0 ff 4f 1c 74 02 5d c3 85 f6 74 07 e8 0f d8 ff ff 5d c3 31 f6 e8 c6 fb ff ff 5d c3 48 c7 c6 c8 0f c5 ba e8 58 be 02 00 <0f> 0b 66 0f 1f 44 00 00 66 66 66 66 90 48 85 ff 75 01 c3 55 48
      [   42.323462] RIP: __free_pages+0x38/0x40 RSP: ffffbfefc163be98
      [   42.325735] ---[ end trace 872e008e33f81508 ]---
      
      To solve the bug, we eliminate the dual purpose of balloon.page.
      
      Fixes: f220a80f ("VMware balloon: add batching to the vmw_balloon.")
      Cc: stable@vger.kernel.org
      Reported-by: default avatarOleksandr Natalenko <onatalen@redhat.com>
      Signed-off-by: default avatarGil Kupfer <gilkup@gmail.com>
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Reviewed-by: default avatarXavier Deguillard <xdeguillard@vmware.com>
      Tested-by: default avatarOleksandr Natalenko <oleksandr@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5ee296fd
    • Tony Lindgren's avatar
      serial: 8250: omap: Fix idling of clocks for unused uarts · a64ff0be
      Tony Lindgren authored
      commit 13dc04d0 upstream.
      
      I noticed that unused UARTs won't necessarily idle properly always
      unless at least one byte tx transfer is done first.
      
      After some debugging I narrowed down the problem to the scr register
      dma configuration bits that need to be set before softreset for the
      clocks to idle. Unless we do this, the module clkctrl idlest bits
      may be set to 1 instead of 3 meaning the clock will never idle and
      is blocking deeper idle states for the whole domain.
      
      This might be related to the configuration done by the bootloader
      or kexec booting where certain configurations cause the 8250 or
      the clkctrl clock to jam in a way where setting of the scr bits
      and reset is needed to clear it. I've tried diffing the 8250
      registers for the various modes, but did not see anything specific.
      So far I've only seen this on omap4 but I'm suspecting this might
      also happen on the other clkctrl using SoCs considering they
      already have a quirk enabled for UART_ERRATA_CLOCK_DISABLE.
      
      Let's fix the issue by configuring scr before reset for basic dma
      even if we don't use it. The scr register will be reset when we do
      softreset few lines after, and we restore scr on resume. We should
      do this for all the SoCs with UART_ERRATA_CLOCK_DISABLE quirk flag
      set since the ones with UART_ERRATA_CLOCK_DISABLE are all based
      using clkctrl similar to omap4.
      
      Looks like both OMAP_UART_SCR_DMAMODE_1 | OMAP_UART_SCR_DMAMODE_CTL
      bits are needed for the clkctrl to idle after a softreset.
      
      And we need to add omap4 to also use the UART_ERRATA_CLOCK_DISABLE
      for the related workaround to be enabled. This same compatible
      value will also be used for omap5.
      
      Fixes: cdb929e4 ("serial: 8250_omap: workaround errata around idling UART after using DMA")
      Cc: Keerthy <j-keerthy@ti.com>
      Cc: Matthijs van Duin <matthijsvanduin@gmail.com>
      Cc: Sekhar Nori <nsekhar@ti.com>
      Cc: Tero Kristo <t-kristo@ti.com>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a64ff0be
    • Marek Szyprowski's avatar
      serial: samsung: fix maxburst parameter for DMA transactions · 804f0901
      Marek Szyprowski authored
      commit aa2f80e7 upstream.
      
      The best granularity of residue that DMA engine can report is in the BURST
      units, so the serial driver must use MAXBURST = 1 and DMA_SLAVE_BUSWIDTH_1_BYTE
      if it relies on exact number of bytes transferred by DMA engine.
      
      Fixes: 62c37eed ("serial: samsung: add dma reqest/release functions")
      Signed-off-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Acked-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      804f0901
    • Sebastian Andrzej Siewior's avatar
      tty/serial: atmel: use port->name as name in request_irq() · db30b8eb
      Sebastian Andrzej Siewior authored
      commit 9594b5be upstream.
      
      I was puzzled while looking at /proc/interrupts and random things showed
      up between reboots. This occurred more often but I realised it later. The
      "correct" output should be:
      |38:      11861  atmel-aic5   2 Level     ttyS0
      
      but I saw sometimes
      |38:       6426  atmel-aic5   2 Level     tty1
      
      and accounted it wrongly as correct. This is use after free and the
      former example randomly got the "old" pointer which pointed to the same
      content. With SLAB_FREELIST_RANDOM and HARDENED I even got
      |38:       7067  atmel-aic5   2 Level     E=Started User Manager for UID 0
      
      or other nonsense.
      As it turns out the tty, pointer that is accessed in atmel_startup(), is
      freed() before atmel_shutdown(). It seems to happen quite often that the
      tty for ttyS0 is allocated and freed while ->shutdown is not invoked. I
      don't do anything special - just a systemd boot :)
      
      Use dev_name(&pdev->dev) as the IRQ name for request_irq(). This exists
      as long as the driver is loaded so no use-after-free here.
      
      Cc: stable@vger.kernel.org
      Fixes: 761ed4a9 ("tty: serial_core: convert uart_close to use tty_port_close")
      Acked-by: default avatarRichard Genoud <richard.genoud@gmail.com>
      Acked-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      db30b8eb
    • Geert Uytterhoeven's avatar
      serial: sh-sci: Stop using printk format %pCr · 95b8204b
      Geert Uytterhoeven authored
      commit d63c16f8 upstream.
      
      Printk format "%pCr" will be removed soon, as clk_get_rate() must not be
      called in atomic context.
      
      Replace it by open-coding the operation.  This is safe here, as the code
      runs in task context.
      
      Link: http://lkml.kernel.org/r/1527845302-12159-4-git-send-email-geert+renesas@glider.be
      To: Jia-Ju Bai <baijiaju1990@gmail.com>
      To: Jonathan Corbet <corbet@lwn.net>
      To: Michael Turquette <mturquette@baylibre.com>
      To: Stephen Boyd <sboyd@kernel.org>
      To: Zhang Rui <rui.zhang@intel.com>
      To: Eduardo Valentin <edubezval@gmail.com>
      To: Eric Anholt <eric@anholt.net>
      To: Stefan Wahren <stefan.wahren@i2se.com>
      To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
      Cc: Petr Mladek <pmladek@suse.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: linux-doc@vger.kernel.org
      Cc: linux-clk@vger.kernel.org
      Cc: linux-pm@vger.kernel.org
      Cc: linux-serial@vger.kernel.org
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: linux-renesas-soc@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: Geert Uytterhoeven <geert+renesas@glider.be>
      Cc: stable@vger.kernel.org # 4.5+
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarPetr Mladek <pmladek@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      95b8204b
    • Yoshihiro Shimoda's avatar
      usb: gadget: udc: renesas_usb3: disable the controller's irqs for reconnecting · d6a9e699
      Yoshihiro Shimoda authored
      commit bd6bce00 upstream.
      
      This patch fixes an issue that reconnection is possible to fail
      because unexpected state handling happens by the irqs. To fix the issue,
      the driver disables the controller's irqs when disconnected.
      
      Fixes: 746bfe63 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
      Cc: <stable@vger.kernel.org> # v4.5+
      Reviewed-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d6a9e699
    • Yoshihiro Shimoda's avatar
      usb: gadget: function: printer: avoid wrong list handling in printer_write() · 262af4fe
      Yoshihiro Shimoda authored
      commit 4a014a73 upstream.
      
      When printer_write() calls usb_ep_queue(), a udc driver (e.g.
      renesas_usbhs driver) may call usb_gadget_giveback_request() in
      the udc .queue ops immediately. Then, printer_write() calls
      list_add(&req->list, &dev->tx_reqs_active) wrongly. After that,
      if we do unbind the printer driver, WARN_ON() happens in
      printer_func_unbind() because the list entry is not removed.
      
      So, this patch moves list_add(&req->list, &dev->tx_reqs_active)
      calling before usb_ep_queue().
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Acked-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      262af4fe
    • Manu Gautam's avatar
      phy: qcom-qusb2: Fix crash if nvmem cell not specified · 874cb201
      Manu Gautam authored
      commit 0b4555e7 upstream.
      
      Driver currently crashes due to NULL pointer deference
      while updating PHY tune register if nvmem cell is NULL.
      Since, fused value for Tune1/2 register is optional,
      we'd rather bail out.
      
      Fixes: ca04d9d3 ("phy: qcom-qusb2: New driver for QUSB2 PHY on Qcom chips")
      Reviewed-by: default avatarVivek Gautam <vivek.gautam@codeaurora.org>
      Reviewed-by: default avatarEvan Green <evgreen@chromium.org>
      Cc: stable <stable@vger.kernel.org> # 4.14+
      Signed-off-by: default avatarManu Gautam <mgautam@codeaurora.org>
      Signed-off-by: default avatarKishon Vijay Abraham I <kishon@ti.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      874cb201
    • Ethan Lee's avatar
      Input: xpad - add GPD Win 2 Controller USB IDs · cb6b5869
      Ethan Lee authored
      commit c1ba0839 upstream.
      
      GPD Win 2 Website: http://www.gpd.hk/gpdwin2.asp
      
      Tested on a unit from the first production run sent to Indiegogo backers
      Signed-off-by: default avatarEthan Lee <flibitijibibo@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cb6b5869
    • Alexander Kappner's avatar
      usb-storage: Add compatibility quirk flags for G-Technologies G-Drive · 5c2e9e9b
      Alexander Kappner authored
      commit ca7d9515 upstream.
      
      The "G-Drive" (sold by G-Technology) external USB 3.0 drive
       hangs on write access under UAS and usb-storage:
      
      [  136.079121] sd 15:0:0:0: [sdi] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
      [  136.079144] sd 15:0:0:0: [sdi] tag#0 Sense Key : Illegal Request [current]
      [  136.079152] sd 15:0:0:0: [sdi] tag#0 Add. Sense: Invalid field in cdb
      [  136.079176] sd 15:0:0:0: [sdi] tag#0 CDB: Write(16) 8a 08 00 00 00 00 00 00 00 00 00 00 00 08 00 00
      [  136.079180] print_req_error: critical target error, dev sdi, sector 0
      [  136.079183] Buffer I/O error on dev sdi, logical block 0, lost sync page write
      [  136.173148] EXT4-fs (sdi): mounted filesystem with ordered data mode. Opts: (null)
      [  140.583998] sd 15:0:0:0: [sdi] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
      [  140.584010] sd 15:0:0:0: [sdi] tag#0 Sense Key : Illegal Request [current]
      [  140.584016] sd 15:0:0:0: [sdi] tag#0 Add. Sense: Invalid field in cdb
      [  140.584022] sd 15:0:0:0: [sdi] tag#0 CDB: Write(16) 8a 08 00 00 00 00 e8 c4 00 18 00 00 00 08 00 00
      [  140.584025] print_req_error: critical target error, dev sdi, sector 3905159192
      [  140.584044] print_req_error: critical target error, dev sdi, sector 3905159192
      [  140.584052] Aborting journal on device sdi-8.
      
      The proposed patch adds compatibility quirks. Because the drive requires two
      quirks (one to work with UAS, and another to work with usb-storage), adding this
      under unusual_devs.h and not just unusual_uas.h so kernels compiled without UAS
      receive the quirk. With the patch, the drive works reliably on UAS and usb-
      storage.
      (tested on NEC Corporation uPD720200 USB 3.0 host controller).
      Signed-off-by: default avatarAlexander Kappner <agk@godking.net>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5c2e9e9b
    • Alexander Kappner's avatar
      usb-storage: Add support for FL_ALWAYS_SYNC flag in the UAS driver · c839680e
      Alexander Kappner authored
      commit 8c4e97dd upstream.
      
      The ALWAYS_SYNC flag is currently honored by the usb-storage driver but not UAS
      and is required to work around devices that become unstable upon being
      queried for cache. This code is taken straight from:
      drivers/usb/storage/scsiglue.c:284
      Signed-off-by: default avatarAlexander Kappner <agk@godking.net>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Cc: stable <stable@vger.kernel.org>
      Acked-by: default avatarOliver Neukum <oneukum@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c839680e
    • Gustavo A. R. Silva's avatar
      usbip: vhci_sysfs: fix potential Spectre v1 · f31eb729
      Gustavo A. R. Silva authored
      commit a0d6ec88 upstream.
      
      pdev_nr and rhport can be controlled by user-space, hence leading to
      a potential exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      drivers/usb/usbip/vhci_sysfs.c:238 detach_store() warn: potential spectre issue 'vhcis'
      drivers/usb/usbip/vhci_sysfs.c:328 attach_store() warn: potential spectre issue 'vhcis'
      drivers/usb/usbip/vhci_sysfs.c:338 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_ss->vdev'
      drivers/usb/usbip/vhci_sysfs.c:340 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_hs->vdev'
      
      Fix this by sanitizing pdev_nr and rhport before using them to index
      vhcis and vhci->vhci_hcd_ss->vdev respectively.
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Acked-by: default avatarShuah Khan (Samsung OSG) <shuah@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f31eb729
    • Greg Kroah-Hartman's avatar
      NFC: pn533: don't send USB data off of the stack · 1caeb502
      Greg Kroah-Hartman authored
      commit dbafc289 upstream.
      
      It's amazing that this driver ever worked, but now that x86 doesn't
      allow USB data to be sent off of the stack, it really does not work at
      all.  Fix this up by properly allocating the data for the small
      "commands" that get sent to the device off of the stack.
      
      We do this for one command by having a whole urb just for ack messages,
      as they can be submitted in interrupt context, so we can not use
      usb_bulk_msg().  But the poweron command can sleep (and does), so use
      usb_bulk_msg() for that transfer.
      Reported-by: default avatarCarlos Manuel Santos <cmmpsantos@gmail.com>
      Cc: Samuel Ortiz <sameo@linux.intel.com>
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1caeb502
    • Laura Abbott's avatar
      staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy · f1769a9b
      Laura Abbott authored
      commit 45ad559a upstream.
      
      Syzbot reported yet another warning with Ion:
      
      WARNING: CPU: 0 PID: 1467 at drivers/staging/android/ion/ion.c:122
      ion_buffer_destroy+0xd4/0x190 drivers/staging/android/ion/ion.c:122
      Kernel panic - not syncing: panic_on_warn set ...
      
      This is catching that a buffer was freed with an existing kernel mapping
      still present. This can be easily be triggered from userspace by calling
      DMA_BUF_SYNC_START without calling DMA_BUF_SYNC_END. Switch to a single
      pr_warn_once to indicate the error without being disruptive.
      
      Reported-by: syzbot+cd8bcd40cb049efa2770@syzkaller.appspotmail.com
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarLaura Abbott <labbott@redhat.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f1769a9b
    • Paolo Bonzini's avatar
      KVM: x86: pass kvm_vcpu to kvm_read_guest_virt and kvm_write_guest_virt_system · bd2742e8
      Paolo Bonzini authored
      commit ce14e868 upstream.
      
      Int the next patch the emulator's .read_std and .write_std callbacks will
      grow another argument, which is not needed in kvm_read_guest_virt and
      kvm_write_guest_virt_system's callers.  Since we have to make separate
      functions, let's give the currently existing names a nicer interface, too.
      
      Fixes: 129a72a0 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bd2742e8
    • Felix Wilhelm's avatar
      kvm: nVMX: Enforce cpl=0 for VMX instructions · b1bd9caf
      Felix Wilhelm authored
      commit 727ba748 upstream.
      
      VMX instructions executed inside a L1 VM will always trigger a VM exit
      even when executed with cpl 3. This means we must perform the
      privilege check in software.
      
      Fixes: 70f3aac9("kvm: nVMX: Remove superfluous VMX instruction fault checks")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarFelix Wilhelm <fwilhelm@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b1bd9caf
    • Paolo Bonzini's avatar
      KVM: x86: introduce linear_{read,write}_system · 3d2f0339
      Paolo Bonzini authored
      commit 79367a65 upstream.
      
      Wrap the common invocation of ctxt->ops->read_std and ctxt->ops->write_std, so
      as to have a smaller patch when the functions grow another argument.
      
      Fixes: 129a72a0 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3d2f0339
    • Wanpeng Li's avatar
      KVM: X86: Fix reserved bits check for MOV to CR3 · 9791d9d7
      Wanpeng Li authored
      commit a780a3ea upstream.
      
      MSB of CR3 is a reserved bit if the PCIDE bit is not set in CR4.
      It should be checked when PCIDE bit is not set, however commit
      'd1cd3ce9 ("KVM: MMU: check guest CR3 reserved bits based on
      its physical address width")' removes the bit 63 checking
      unconditionally. This patch fixes it by checking bit 63 of CR3
      when PCIDE bit is not set in CR4.
      
      Fixes: d1cd3ce9 (KVM: MMU: check guest CR3 reserved bits based on its physical address width)
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Liran Alon <liran.alon@oracle.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarJunaid Shahid <junaids@google.com>
      Signed-off-by: default avatarWanpeng Li <wanpengli@tencent.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9791d9d7
    • Linus Walleij's avatar
      gpio: No NULL owner · c7a372dd
      Linus Walleij authored
      commit 7d18f0a1 upstream.
      
      Sometimes a GPIO is fetched with NULL as parent device, and
      that is just fine. So under these circumstances, avoid using
      dev_name() to provide a name for the GPIO line.
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Cc: Daniel Rosenberg <drosen@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c7a372dd
    • Kevin Easton's avatar
      af_key: Always verify length of provided sadb_key · 7d970250
      Kevin Easton authored
      commit 4b66af2d upstream.
      
      Key extensions (struct sadb_key) include a user-specified number of key
      bits.  The kernel uses that number to determine how much key data to copy
      out of the message in pfkey_msg2xfrm_state().
      
      The length of the sadb_key message must be verified to be long enough,
      even in the case of SADB_X_AALG_NULL.  Furthermore, the sadb_key_len value
      must be long enough to include both the key data and the struct sadb_key
      itself.
      
      Introduce a helper function verify_key_len(), and call it from
      parse_exthdrs() where other exthdr types are similarly checked for
      correctness.
      Signed-off-by: default avatarKevin Easton <kevin@guarana.org>
      Reported-by: syzbot+5022a34ca5a3d49b84223653fab632dfb7b4cf37@syzkaller.appspotmail.com
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Cc: Zubin Mithra <zsm@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7d970250
    • Bart Van Assche's avatar
      blkdev_report_zones_ioctl(): Use vmalloc() to allocate large buffers · 1cbd5ece
      Bart Van Assche authored
      commit 327ea4ad upstream.
      
      Avoid that complaints similar to the following appear in the kernel log
      if the number of zones is sufficiently large:
      
        fio: page allocation failure: order:9, mode:0x140c0c0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), nodemask=(null)
        Call Trace:
        dump_stack+0x63/0x88
        warn_alloc+0xf5/0x190
        __alloc_pages_slowpath+0x8f0/0xb0d
        __alloc_pages_nodemask+0x242/0x260
        alloc_pages_current+0x6a/0xb0
        kmalloc_order+0x18/0x50
        kmalloc_order_trace+0x26/0xb0
        __kmalloc+0x20e/0x220
        blkdev_report_zones_ioctl+0xa5/0x1a0
        blkdev_ioctl+0x1ba/0x930
        block_ioctl+0x41/0x50
        do_vfs_ioctl+0xaa/0x610
        SyS_ioctl+0x79/0x90
        do_syscall_64+0x79/0x1b0
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      Fixes: 3ed05a98 ("blk-zoned: implement ioctls")
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@wdc.com>
      Cc: Shaun Tancheff <shaun.tancheff@seagate.com>
      Cc: Damien Le Moal <damien.lemoal@hgst.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Martin K. Petersen <martin.petersen@oracle.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1cbd5ece
    • Taehee Yoo's avatar
      netfilter: nf_tables: fix NULL pointer dereference on nft_ct_helper_obj_dump() · d02ae00a
      Taehee Yoo authored
      commit b7153458 upstream.
      
      In the nft_ct_helper_obj_dump(), always priv->helper4 is dereferenced.
      But if family is ipv6, priv->helper6 should be dereferenced.
      
      Steps to reproduces:
      
         #test.nft
         table ip6 filter {
      	   ct helper ftp {
      		   type "ftp" protocol tcp
      	   }
      	   chain input {
      		   type filter hook input priority 4;
      		   ct helper set "ftp"
      	   }
         }
      
         %nft -f test.nft
         %nft list ruleset
      
      we can see the below messages:
      
      [  916.286233] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [  916.294777] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [  916.302613] Modules linked in: nft_objref nf_conntrack_sip nf_conntrack_snmp nf_conntrack_broadcast nf_conntrack_ftp nft_ct nf_conntrack nf_tables nfnetlink [last unloaded: nfnetlink]
      [  916.318758] CPU: 1 PID: 2093 Comm: nft Not tainted 4.17.0-rc4+ #181
      [  916.326772] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
      [  916.338773] RIP: 0010:strlen+0x1a/0x90
      [  916.342781] RSP: 0018:ffff88010ff0f2f8 EFLAGS: 00010292
      [  916.346773] RAX: dffffc0000000000 RBX: ffff880119b26ee8 RCX: ffff88010c150038
      [  916.354777] RDX: 0000000000000002 RSI: ffff880119b26ee8 RDI: 0000000000000010
      [  916.362773] RBP: 0000000000000010 R08: 0000000000007e88 R09: ffff88010c15003c
      [  916.370773] R10: ffff88010c150037 R11: ffffed002182a007 R12: ffff88010ff04040
      [  916.378779] R13: 0000000000000010 R14: ffff880119b26f30 R15: ffff88010ff04110
      [  916.387265] FS:  00007f57a1997700(0000) GS:ffff88011b800000(0000) knlGS:0000000000000000
      [  916.394785] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  916.402778] CR2: 00007f57a0ac80f0 CR3: 000000010ff02000 CR4: 00000000001006e0
      [  916.410772] Call Trace:
      [  916.414787]  nft_ct_helper_obj_dump+0x94/0x200 [nft_ct]
      [  916.418779]  ? nft_ct_set_eval+0x560/0x560 [nft_ct]
      [  916.426771]  ? memset+0x1f/0x40
      [  916.426771]  ? __nla_reserve+0x92/0xb0
      [  916.434774]  ? memcpy+0x34/0x50
      [  916.434774]  nf_tables_fill_obj_info+0x484/0x860 [nf_tables]
      [  916.442773]  ? __nft_release_basechain+0x600/0x600 [nf_tables]
      [  916.450779]  ? lock_acquire+0x193/0x380
      [  916.454771]  ? lock_acquire+0x193/0x380
      [  916.458789]  ? nf_tables_dump_obj+0x148/0xcb0 [nf_tables]
      [  916.462777]  nf_tables_dump_obj+0x5f0/0xcb0 [nf_tables]
      [  916.470769]  ? __alloc_skb+0x30b/0x500
      [  916.474779]  netlink_dump+0x752/0xb50
      [  916.478775]  __netlink_dump_start+0x4d3/0x750
      [  916.482784]  nf_tables_getobj+0x27a/0x930 [nf_tables]
      [  916.490774]  ? nft_obj_notify+0x100/0x100 [nf_tables]
      [  916.494772]  ? nf_tables_getobj+0x930/0x930 [nf_tables]
      [  916.502579]  ? nf_tables_dump_flowtable_done+0x70/0x70 [nf_tables]
      [  916.506774]  ? nft_obj_notify+0x100/0x100 [nf_tables]
      [  916.514808]  nfnetlink_rcv_msg+0x8ab/0xa86 [nfnetlink]
      [  916.518771]  ? nfnetlink_rcv_msg+0x550/0xa86 [nfnetlink]
      [  916.526782]  netlink_rcv_skb+0x23e/0x360
      [  916.530773]  ? nfnetlink_bind+0x200/0x200 [nfnetlink]
      [  916.534778]  ? debug_check_no_locks_freed+0x280/0x280
      [  916.542770]  ? netlink_ack+0x870/0x870
      [  916.546786]  ? ns_capable_common+0xf4/0x130
      [  916.550765]  nfnetlink_rcv+0x172/0x16c0 [nfnetlink]
      [  916.554771]  ? sched_clock_local+0xe2/0x150
      [  916.558774]  ? sched_clock_cpu+0x144/0x180
      [  916.566575]  ? lock_acquire+0x380/0x380
      [  916.570775]  ? sched_clock_local+0xe2/0x150
      [  916.574765]  ? nfnetlink_net_init+0x130/0x130 [nfnetlink]
      [  916.578763]  ? sched_clock_cpu+0x144/0x180
      [  916.582770]  ? lock_acquire+0x193/0x380
      [  916.590771]  ? lock_acquire+0x193/0x380
      [  916.594766]  ? lock_acquire+0x380/0x380
      [  916.598760]  ? netlink_deliver_tap+0x262/0xa60
      [  916.602766]  ? lock_acquire+0x193/0x380
      [  916.606766]  netlink_unicast+0x3ef/0x5a0
      [  916.610771]  ? netlink_attachskb+0x630/0x630
      [  916.614763]  netlink_sendmsg+0x72a/0xb00
      [  916.618769]  ? netlink_unicast+0x5a0/0x5a0
      [  916.626766]  ? _copy_from_user+0x92/0xc0
      [  916.630773]  __sys_sendto+0x202/0x300
      [  916.634772]  ? __ia32_sys_getpeername+0xb0/0xb0
      [  916.638759]  ? lock_acquire+0x380/0x380
      [  916.642769]  ? lock_acquire+0x193/0x380
      [  916.646761]  ? finish_task_switch+0xf4/0x560
      [  916.650763]  ? __schedule+0x582/0x19a0
      [  916.655301]  ? __sched_text_start+0x8/0x8
      [  916.655301]  ? up_read+0x1c/0x110
      [  916.655301]  ? __do_page_fault+0x48b/0xaa0
      [  916.655301]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
      [  916.655301]  __x64_sys_sendto+0xdd/0x1b0
      [  916.655301]  do_syscall_64+0x96/0x3d0
      [  916.655301]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  916.655301] RIP: 0033:0x7f57a0ff5e03
      [  916.655301] RSP: 002b:00007fff6367e0a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      [  916.655301] RAX: ffffffffffffffda RBX: 00007fff6367f1e0 RCX: 00007f57a0ff5e03
      [  916.655301] RDX: 0000000000000020 RSI: 00007fff6367e110 RDI: 0000000000000003
      [  916.655301] RBP: 00007fff6367e100 R08: 00007f57a0ce9160 R09: 000000000000000c
      [  916.655301] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff6367e110
      [  916.655301] R13: 0000000000000020 R14: 00007f57a153c610 R15: 0000562417258de0
      [  916.655301] Code: ff ff ff 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 fa 53 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df 48 89 fd 48 83 ec 08 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f
      [  916.655301] RIP: strlen+0x1a/0x90 RSP: ffff88010ff0f2f8
      [  916.771929] ---[ end trace 1065e048e72479fe ]---
      [  916.777204] Kernel panic - not syncing: Fatal exception
      [  916.778158] Kernel Offset: 0x14000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d02ae00a