Commits on Dec 14, 2018
Commits on Dec 13, 2018
  1. media: atmel-isc: Add safety checks for NULL isc->raw_fmt struct

    ksloat authored and ehristev committed Nov 20, 2018
    In some usages isc->raw_fmt will not be initialized. If this
    is the case, it is very possible that a NULL struct dereference
    will occur, as this member is referenced many times.
    
    To prevent this, add safety checks for this member and handle
    situations accordingly.
    
    Signed-off-by: Ken Sloat <ksloat@aampglobal.com>
  2. Linux 4.14.88

    gregkh committed Dec 13, 2018
  3. mac80211: ignore NullFunc frames in the duplicate detection

    Emmanuel Grumbach authored and gregkh committed Dec 3, 2018
    commit 990d718 upstream.
    
    NullFunc packets should never be considered duplicates, just like
    QoS-NullFunc packets.
    
    We saw a client that enters / exits power save with
    NullFunc frames (and not with QoS-NullFunc) despite the
    fact that the association supports HT.
    This specific client also re-uses a non-zero sequence number
    for different NullFunc frames.
    At some point, the client had to send a retransmission of
    the NullFunc frame and we dropped it, leading to a
    misalignment in the power save state.
    Fix this by never considering a NullFunc frame as a duplicate,
    just like we do for QoS-NullFunc frames.
    
    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201449
    
    CC: <stable@vger.kernel.org>
    Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
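    The duplicate check described in this commit, as an added example that is not mac80211's own code: a per-station sequence-control comparison with the old exemption (QoS-NullFunc only) beside the corrected one (any NullFunc). The frame-control bit values follow IEEE 802.11 (the same constants as linux/ieee80211.h); the station state, slot layout and the sample sequence numbers are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IEEE 802.11 frame-control fields, same values as linux/ieee80211.h. */
#define FCTL_FTYPE          0x000c
#define FCTL_STYPE          0x00f0
#define FCTL_RETRY          0x0800
#define FTYPE_CTL           0x0004
#define FTYPE_DATA          0x0008
#define STYPE_NULLFUNC      0x0040
#define STYPE_QOS_NULLFUNC  0x00c0

/* Per-station receive state: last seen sequence control per TID (0..15) plus
 * one slot for non-QoS frames, mirroring mac80211's last_seq_ctrl[] array. */
#define NUM_SEQ_SLOTS 17
#define NONQOS_SLOT   (NUM_SEQ_SLOTS - 1)
struct sta_rx_state {
    uint16_t last_seq_ctrl[NUM_SEQ_SLOTS];
    bool     seen[NUM_SEQ_SLOTS];
};

static bool is_ctl(uint16_t fc)    { return (fc & FCTL_FTYPE) == FTYPE_CTL; }
static bool is_data(uint16_t fc)   { return (fc & FCTL_FTYPE) == FTYPE_DATA; }
static bool has_retry(uint16_t fc) { return (fc & FCTL_RETRY) != 0; }
static bool is_nullfunc(uint16_t fc)
{
    return is_data(fc) && (fc & FCTL_STYPE) == STYPE_NULLFUNC;
}
static bool is_qos_nullfunc(uint16_t fc)
{
    return is_data(fc) && (fc & FCTL_STYPE) == STYPE_QOS_NULLFUNC;
}
/* What the fix introduces: both NullFunc flavours are exempt from the check. */
static bool is_any_nullfunc(uint16_t fc)
{
    return is_nullfunc(fc) || is_qos_nullfunc(fc);
}

/* Duplicate check for one received unicast frame. Returns true when the frame
 * is a retransmission of the last frame seen in this slot and should be
 * dropped. `fixed` selects the old exemption (QoS-NullFunc only) or the
 * corrected one (any NullFunc). Multicast frames are not modelled here. */
bool rx_check_dup(struct sta_rx_state *sta, uint16_t fc, uint16_t seq_ctrl,
                  size_t slot, bool fixed)
{
    bool exempt = fixed ? is_any_nullfunc(fc) : is_qos_nullfunc(fc);
    bool candidate = has_retry(fc) && !is_ctl(fc) && !exempt;

    if (candidate && sta->seen[slot] && sta->last_seq_ctrl[slot] == seq_ctrl)
        return true;   /* same sequence control as the previous frame: drop */

    sta->last_seq_ctrl[slot] = seq_ctrl;   /* remember it for the next frame */
    sta->seen[slot] = true;
    return false;
}

/* The scenario from the report: a client enters power save with a NullFunc
 * frame, then retransmits it (retry bit set) with the same, non-zero sequence
 * number. Returns 1 if the retransmission is dropped. Constructed values. */
int nullfunc_retry_dropped(bool fixed)
{
    struct sta_rx_state sta;
    uint16_t fc = FTYPE_DATA | STYPE_NULLFUNC;       /* 0x0048 */
    uint16_t seq = 0x01a0;                           /* seq 26, fragment 0 */

    memset(&sta, 0, sizeof(sta));
    rx_check_dup(&sta, fc, seq, NONQOS_SLOT, fixed);
    return rx_check_dup(&sta, fc | FCTL_RETRY, seq, NONQOS_SLOT, fixed);
}

/* Control case: a retried ordinary data frame must still be dropped after the fix. */
int data_retry_dropped(void)
{
    struct sta_rx_state sta;
    uint16_t fc = FTYPE_DATA;                        /* subtype 0: Data */

    memset(&sta, 0, sizeof(sta));
    rx_check_dup(&sta, fc, 0x01b0, NONQOS_SLOT, true);
    return rx_check_dup(&sta, fc | FCTL_RETRY, 0x01b0, NONQOS_SLOT, true);
}

int main(void)
{
    printf("NullFunc retry dropped before fix: %d\n", nullfunc_retry_dropped(false));
    printf("NullFunc retry dropped after fix:  %d\n", nullfunc_retry_dropped(true));
    printf("data retry dropped after fix:      %d\n", data_retry_dropped());
    return 0;
}
```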
  4. mac80211: fix reordering of buffered broadcast packets

    nbd168 authored and gregkh committed Nov 28, 2018
    commit 9ec1190 upstream.
    
    If the buffered broadcast queue contains packets, letting new packets bypass
    that queue can lead to heavy reordering, since the driver is probably throttling
    transmission of buffered multicast packets after beacons.
    
    Keep buffering packets until the buffer has been cleared (and no client
    is in powersave mode).
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  5. mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext

    nbd168 authored and gregkh committed Nov 13, 2018
    commit a317e65 upstream.
    
    Make it behave like regular ieee80211_tx_status calls, except for the lack of
    filtered frame processing.
    This fixes spurious low-ack triggered disconnections with powersave clients
    connected to an AP.
    
    Fixes: f027c2a ("mac80211: add ieee80211_tx_status_noskb")
    Cc: stable@vger.kernel.org
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  6. mac80211: Clear beacon_int in ieee80211_do_stop

    greearb authored and gregkh committed Oct 23, 2018
    commit 5c21e81 upstream.
    
    This fixes stale beacon-int values that would keep a netdev
    from going up.
    
    To reproduce:
    
    Create two VAP on one radio.
    vap1 has beacon-int 100, start it.
    vap2 has beacon-int 240, start it (and it will fail
      because beacon-int mismatch).
    reconfigure vap2 to have beacon-int 100 and start it.
      It will fail because the stale beacon-int 240 will be used
      in the ifup path and hostapd never gets a chance to set the
      new beacon interval.
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Ben Greear <greearb@candelatech.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  7. mac80211_hwsim: Timer should be initialized before device registered

    Vasyl Vavrychuk authored and gregkh committed Oct 17, 2018
    commit a1881c9 upstream.
    
    Otherwise, if the network manager starts configuring the Wi-Fi interface
    immediately after getting notification of its creation, we will get a
    NULL pointer dereference:
    
      BUG: unable to handle kernel NULL pointer dereference at           (null)
      IP: [<ffffffff95ae94c8>] hrtimer_active+0x28/0x50
      ...
      Call Trace:
       [<ffffffff95ae9997>] ? hrtimer_try_to_cancel+0x27/0x110
       [<ffffffff95ae9a95>] ? hrtimer_cancel+0x15/0x20
       [<ffffffffc0803bf0>] ? mac80211_hwsim_config+0x140/0x1c0 [mac80211_hwsim]
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  8. libnvdimm, pfn: Pad pfn namespaces relative to other regions

    djbw authored and gregkh committed Nov 24, 2018
    commit ae86cbf upstream.
    
    Commit cfe30b8 "libnvdimm, pmem: adjust for section collisions with
    'System RAM'" enabled Linux to work around occasions where platform
    firmware arranges for "System RAM" and "Persistent Memory" to collide
    within a single section boundary. Unfortunately, as reported in this
    issue [1], platform firmware can inflict the same collision between
    persistent memory regions.
    
    The approach of interrogating iomem_resource does not work in this
    case because platform firmware may merge multiple regions into a single
    iomem_resource range. Instead provide a method to interrogate regions
    that share the same parent bus.
    
    This is a stop-gap until the core-MM can grow support for hotplug on
    sub-section boundaries.
    
    [1]: pmem/ndctl#76
    
    Fixes: cfe30b8 ("libnvdimm, pmem: adjust for section collisions with...")
    Cc: <stable@vger.kernel.org>
    Reported-by: Patrick Geary <patrickg@supermicro.com>
    Tested-by: Patrick Geary <patrickg@supermicro.com>
    Reviewed-by: Vishal Verma <vishal.l.verma@intel.com>
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  9. kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()

    macpaul authored and gregkh committed Oct 17, 2018
    commit dada6a4 upstream.
    
    This patch is trying to fix a KE issue due to
    "BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
    reported by a Syzkaller scan.
    
    [26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198
    [26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364
    [26364:syz-executor0][name:report&]
    [26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
    [26364:syz-executor0]Call trace:
    [26364:syz-executor0][<ffffff9008095cf8>] dump_bacIctrace+Ox0/0x470
    [26364:syz-executor0][<ffffff9008096de0>] show_stack+0x20/0x30
    [26364:syz-executor0][<ffffff90089cc9c8>] dump_stack+Oxd8/0x128
    [26364:syz-executor0][<ffffff90084edb38>] print_address_description +0x80/0x4a8
    [26364:syz-executor0][<ffffff90084ee270>] kasan_report+Ox178/0x390
    [26364:syz-executor0][<ffffff90084ee4a0>] _asan_report_loadi_noabort+Ox18/0x20
    [26364:syz-executor0][<ffffff9008b092ac>] param_set_kgdboc_var+Ox194/0x198
    [26364:syz-executor0][<ffffff900813af64>] param_attr_store+Ox14c/0x270
    [26364:syz-executor0][<ffffff90081394c8>] module_attr_store+0x60/0x90
    [26364:syz-executor0][<ffffff90086690c0>] sysfs_kl_write+Ox100/0x158
    [26364:syz-executor0][<ffffff9008666d84>] kernfs_fop_write+0x27c/0x3a8
    [26364:syz-executor0][<ffffff9008508264>] do_loop_readv_writev+0x114/0x1b0
    [26364:syz-executor0][<ffffff9008509ac8>] do_readv_writev+0x4f8/0x5e0
    [26364:syz-executor0][<ffffff9008509ce4>] vfs_writev+0x7c/Oxb8
    [26364:syz-executor0][<ffffff900850ba64>] SyS_writev+Oxcc/0x208
    [26364:syz-executor0][<ffffff90080883f0>] elO_svc_naked +0x24/0x28
    [26364:syz-executor0][name:report&]
    [26364:syz-executor0][name:report&]The buggy address belongs to the variable:
    [26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40
    [26364:syz-executor0][name:report&]
    [26364:syz-executor0][name:report&]Memory state around the buggy address:
    [26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa
    [26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
    [26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
    [26364:syz-executor0][name:report&]                                       ^
    [26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
    [26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
    [26364:syz-executor0][name:report&]
    [26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint
    [26364:syz-executor0]------------[cut here]------------
    
    After checking the source code, we've found there might be an out-of-bounds
    access to "config[len - 1]" array when the variable "len" is zero.
    
    Signed-off-by: Macpaul Lin <macpaul@gmail.com>
    Acked-by: Daniel Thompson <daniel.thompson@linaro.org>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
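    The `config[len - 1]` access with `len == 0` from the report, as an added example that is not the kernel's kgdboc code: a module-parameter style setter that strips the trailing newline `echo` appends, in its unguarded shape beside the guarded one. MAX_CONFIG_LEN, the function names and the sample inputs are assumptions made for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONFIG_LEN 16          /* assumed; stands in for kgdboc's limit */

static char config[MAX_CONFIG_LEN];

/* Read-only view of the stored configuration, for callers and tests. */
const char *kgdboc_config(void)
{
    return config;
}

/* Vulnerable shape: the trailing-newline chop assumes len >= 1. For an empty
 * write, len is 0 and len - 1 wraps to SIZE_MAX, so config[len - 1] reads the
 * byte before the array: the global-out-of-bounds access KASAN reported.
 * Kept only for comparison; never call it with an empty string. */
int set_var_unguarded(const char *kmessage)
{
    size_t len = strlen(kmessage);

    if (len >= MAX_CONFIG_LEN)
        return -ENOSPC;
    strcpy(config, kmessage);
    if (config[len - 1] == '\n')   /* out of bounds when len == 0 */
        config[len - 1] = '\0';
    return 0;
}

/* Fixed shape: test the length before indexing relative to it. An empty
 * message now stores an empty config instead of touching memory outside it. */
int set_var_guarded(const char *kmessage)
{
    size_t len = strlen(kmessage);

    if (len >= MAX_CONFIG_LEN)
        return -ENOSPC;
    strcpy(config, kmessage);
    if (len && config[len - 1] == '\n')
        config[len - 1] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs modelled on `echo ttyS0,115200 > .../kgdboc` and on
     * the zero-length write the fuzzer produced. */
    set_var_guarded("ttyS0,115200\n");
    printf("guarded: \"%s\"\n", kgdboc_config());
    set_var_guarded("");
    printf("guarded, empty write: \"%s\"\n", kgdboc_config());
    return 0;
}
```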
  10. tty: do not set TTY_IO_ERROR flag if console port

    cometzero authored and gregkh committed Nov 22, 2018
    commit 2a48602 upstream.
    
    Since Commit 761ed4a ('tty: serial_core: convert uart_close to use
    tty_port_close') and Commit 4dda864 ('tty: serial_core: Fix serial
    console crash on port shutdown'), a serial port which is used as a
    console can get stuck when logging out if there is a remaining process.
    After logging out, agetty will try to grab the serial port but it will
    fail because the previous process did not release the port
    correctly. To fix this, the TTY_IO_ERROR bit should not be set in
    tty_port_close if the port is a console port.
    
    Reproduce step:
    - Run background processes from serial console
    $ while true; do sleep 10; done &
    
    - Log out
    $ logout
    -> Stuck
    
    - Read journal log by journalctl | tail
    Jan 28 16:07:01 ubuntu systemd[1]: Stopped Serial Getty on ttyAMA0.
    Jan 28 16:07:01 ubuntu systemd[1]: Started Serial Getty on ttyAMA0.
    Jan 28 16:07:02 ubuntu agetty[1643]: /dev/ttyAMA0: not a tty
    
    Fixes: 761ed4a ("tty: serial_core: convert uart_close to use tty_port_close")
    Cc: Geert Uytterhoeven <geert+renesas@glider.be>
    Cc: Rob Herring <robh@kernel.org>
    Cc: Jiri Slaby <jslaby@suse.com>
    Signed-off-by: Chanho Park <parkch98@gmail.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  11. tty: serial: 8250_mtk: always resume the device in probe.

    Peter Shih authored and gregkh committed Nov 27, 2018
    commit 100bc3e upstream.
    
    serial8250_register_8250_port calls uart_config_port, which calls
    config_port on the port before it tries to power on the port. So we need
    the port to be on before calling serial8250_register_8250_port. Change
    the code to always do a runtime resume in probe before registering port,
    and always do a runtime suspend in remove.
    
    This basically reverts the change in commit 68e5fc4 ("tty: serial:
    8250_mtk: use pm_runtime callbacks for enabling"), but still uses
    pm_runtime callbacks.
    
    Fixes: 68e5fc4 ("tty: serial: 8250_mtk: use pm_runtime callbacks for enabling")
    Signed-off-by: Peter Shih <pihsun@chromium.org>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  12. Drivers: hv: vmbus: Offload the handling of channels to two workqueues

    dcui authored and gregkh committed Dec 3, 2018
    commit 37c2578 upstream.
    
    vmbus_process_offer() mustn't call channel->sc_creation_callback()
    directly for sub-channels, because sc_creation_callback() ->
    vmbus_open() may never get the host's response to the
    OPEN_CHANNEL message (the host may rescind a channel at any time,
    e.g. in the case of hot removing a NIC), and vmbus_onoffer_rescind()
    may not wake up the vmbus_open() as it's blocked due to a non-zero
    vmbus_connection.offer_in_progress, and finally we have a deadlock.
    
    The above is also true for primary channels, if the related device
    drivers use sync probing mode by default.
    
    And, usually the handling of primary channels and sub-channels can
    depend on each other, so we should offload them to different
    workqueues to avoid a possible deadlock, e.g. in sync-probing mode,
    NIC1's netvsc_subchan_work() can race with NIC2's netvsc_probe() ->
    rtnl_lock(), and cause a deadlock: the former gets the rtnl_lock
    and waits for all the sub-channels to appear, but the latter
    can't get the rtnl_lock and this blocks the handling of sub-channels.
    
    The patch can fix the multiple-NIC deadlock described above for
    v3.x kernels (e.g. RHEL 7.x) which don't support async-probing
    of devices, and v4.4, v4.9, v4.14 and v4.18 which support async-probing
    but don't enable async-probing for Hyper-V drivers (yet).
    
    The patch can also fix the hang issue in sub-channel's handling described
    above for all versions of kernels, including v4.19 and v4.20-rc4.
    
    So actually the patch should be applied to all the existing kernels,
    not only the kernels that have 8195b13.
    
    Fixes: 8195b13 ("hv_netvsc: fix deadlock on hotplug")
    Cc: stable@vger.kernel.org
    Cc: Stephen Hemminger <sthemmin@microsoft.com>
    Cc: K. Y. Srinivasan <kys@microsoft.com>
    Cc: Haiyang Zhang <haiyangz@microsoft.com>
    Signed-off-by: Dexuan Cui <decui@microsoft.com>
    Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  13. drm/amdgpu/gmc8: update MC firmware for polaris

    Alex Deucher authored and gregkh committed Nov 29, 2018
    commit a81a7c9 upstream.
    
    Some variants require different MC firmware images.
    
    Acked-by: Christian König <christian.koenig@amd.com>
    Reviewed-by: Junwei Zhang <Jerry.Zhang@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  14. drm/amdgpu: update mc firmware image for polaris12 variants

    Junwei Zhang authored and gregkh committed Nov 22, 2018
    commit d7fd676 upstream.
    
    Some new variants require updated firmware.
    
    Signed-off-by: Junwei Zhang <Jerry.Zhang@amd.com>
    Reviewed-by: Evan Quan <evan.quan@amd.com>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  15. Revert commit ef9209b "staging: rtl8723bs: Fix indenting errors and an off-by-one mistake in core/rtw_mlme_ext.c"

    Young Xiao authored and gregkh committed Nov 27, 2018
    
    commit 87e4a54 upstream.
    
    pstapriv->max_num_sta is always <= NUM_STA, since max_num_sta is either
    set in _rtw_init_sta_priv() or rtw_set_beacon().
    
    Fixes: ef9209b ("staging: rtl8723bs: Fix indenting errors and an off-by-one mistake in core/rtw_mlme_ext.c")
    Signed-off-by: Young Xiao <YangX92@hotmail.com>
    Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  16. staging: rtl8712: Fix possible buffer overrun

    Young Xiao authored and gregkh committed Nov 28, 2018
    commit 300cd66 upstream.
    
    In commit 8b7a13c ("staging: r8712u: Fix possible buffer
    overrun") we fix a potential off by one by making the limit smaller.
    The better fix is to make the buffer larger.  This makes it match up
    with the similar code in other drivers.
    
    Fixes: 8b7a13c ("staging: r8712u: Fix possible buffer overrun")
    Signed-off-by: Young Xiao <YangX92@hotmail.com>
    Cc: stable <stable@vger.kernel.org>
    Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  17. cifs: Fix separator when building path from dentry

    Paulo Alcantara authored and gregkh committed Nov 15, 2018
    commit c988de2 upstream.
    
    Make sure to use the CIFS_DIR_SEP(cifs_sb) as path separator for
    prefixpath too. Fixes a bug with smb1 UNIX extensions.
    
    Fixes: a6b5058 ("fs/cifs: make share unaccessible at root level mountable")
    Signed-off-by: Paulo Alcantara <palcantara@suse.com>
    Reviewed-by: Aurelien Aptel <aaptel@suse.com>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    CC: Stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  18. staging: atomisp: remove "fun" strncpy warning

    gregkh committed Dec 11, 2018
    [for older kernels only, atomisp has been removed from upstream]
    
    gcc-8 rightfully warns that this instance of strncpy is just copying
    from the source, to the same source, for a few bytes.  Meaning this call
    does nothing.  As the author of the code obviously meant it to do
    something, but this code must be working properly, just replace the call
    with the kernel-internal strscpy(), which gcc doesn't know about, so the
    warning goes away.
    
    As this driver was deleted from newer kernel versions, none of this
    really matters but now at least we do not have to worry about a build
    warning in the stable trees.
    
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  19. Staging: lustre: remove two build warnings

    gregkh committed Dec 11, 2018
    [for older kernels only, lustre has been removed from upstream]
    
    When someone writes:
    	strncpy(dest, source, sizeof(source));
    they really are just doing the same thing as:
    	strcpy(dest, source);
    but somehow they feel better because they are now using the "safe"
    version of the string functions.  Cargo-cult programming at its
    finest...
    
    gcc-8 rightfully warns you about doing foolish things like this.  Now
    that the stable kernels are all starting to be built using gcc-8, let's
    get rid of this warning so that we do not have to gaze at this horror.
    
    To drop the warning, just convert the code to using strcpy() so that if
    someone really wants to audit this code and find all of the obvious
    problems, it will be easier to do so.
    
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
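    The two strncpy commits above (the atomisp switch to strscpy() and the lustre `strncpy(dest, source, sizeof(source))` pattern), as an added example that is not the kernel's or either driver's code: a userspace copy with the strscpy() contract (bounded by the destination, always NUL-terminated, truncation reported) beside a check showing why even a destination-bounded strncpy() can leave the buffer unterminated. The 8-byte `name` field and the sample strings are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel strscpy() contract: copies at most
 * size - 1 bytes of src into dest, always NUL-terminates when size > 0, and
 * returns the number of bytes copied (excluding the NUL) or -E2BIG when src
 * had to be truncated. The bound is the DESTINATION size, which is exactly
 * what strncpy(dest, src, sizeof(src)) never checks: that call writes
 * sizeof(src) bytes whatever the size of dest, the same as strcpy(). */
long my_strscpy(char *dest, const char *src, size_t size)
{
    size_t i;

    if (size == 0)
        return -E2BIG;
    for (i = 0; i < size - 1 && src[i] != '\0'; i++)
        dest[i] = src[i];
    dest[i] = '\0';
    return src[i] == '\0' ? (long)i : -E2BIG;
}

/* strncpy() bounded by the destination has a second trap: when src is
 * dest_size bytes or longer it fills dest without a terminating NUL. This
 * helper performs that copy and reports whether dest is NUL-terminated
 * (checked with memchr, so the unterminated case is still well-defined). */
int strncpy_leaves_terminated(char *dest, size_t dest_size, const char *src)
{
    strncpy(dest, src, dest_size);
    return memchr(dest, '\0', dest_size) != NULL;
}

/* A small fixed-size field, as a driver struct would carry. */
#define NAME_LEN 8
static char name[NAME_LEN];

long set_name(const char *src)
{
    return my_strscpy(name, src, sizeof(name));
}

const char *get_name(void)
{
    return name;
}

int set_name_strncpy_terminated(const char *src)
{
    return strncpy_leaves_terminated(name, sizeof(name), src);
}

int main(void)
{
    /* Constructed 15-character source; it does not fit in an 8-byte field. */
    long n = set_name("0123456789abcde");
    printf("strscpy: ret=%ld truncated=%d name=\"%s\"\n",
           n, n == -E2BIG, get_name());
    printf("strncpy terminated (short src): %d\n", set_name_strncpy_terminated("abc"));
    printf("strncpy terminated (8-byte src): %d\n", set_name_strncpy_terminated("01234567"));
    return 0;
}
```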
  20. swiotlb: clean up reporting

    kees authored and gregkh committed Dec 10, 2018
    commit 7d63fb3 upstream.
    
    This removes needless use of '%p', and refactors the printk calls to
    use pr_*() helpers instead.
    
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    [bwh: Backported to 4.14:
     - Adjust filename
     - Remove "swiotlb: " prefix from an additional log message]
    Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
  21. f2fs: fix to do sanity check with block address in main area v2

    chaseyu authored and gregkh committed Dec 10, 2018
    commit 91291e9 upstream.
    
    This patch adds f2fs_is_valid_blkaddr() in the functions below to do a sanity
    check on the block address to avoid a potential panic:
    - f2fs_grab_read_bio()
    - __written_first_block()
    
    https://bugzilla.kernel.org/show_bug.cgi?id=200465
    
    - Reproduce
    
    - POC (poc.c)
        #define _GNU_SOURCE
        #include <sys/types.h>
        #include <sys/mount.h>
        #include <sys/mman.h>
        #include <sys/stat.h>
        #include <sys/xattr.h>

        #include <dirent.h>
        #include <errno.h>
        #include <error.h>
        #include <fcntl.h>
        #include <stdio.h>
        #include <stdlib.h>
        #include <string.h>
        #include <unistd.h>

        #include <linux/falloc.h>
        #include <linux/loop.h>

        /* List xattrs on a path below the mounted image; the path walk is
         * what reaches the invalid block address. */
        static void activity(char *mpoint) {

          char *xattr;
          int err;

          err = asprintf(&xattr, "%s/foo/bar/xattr", mpoint);
          if (err < 0)
            return;  /* asprintf failed; nothing to look up */

          char buf2[113];
          memset(buf2, 0, sizeof(buf2));
          listxattr(xattr, buf2, sizeof(buf2));
          free(xattr);

        }

        int main(int argc, char *argv[]) {
          if (argc < 2) {
            fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]);
            return 1;
          }
          activity(argv[1]);
          return 0;
        }
    
    - kernel message
    [  844.718738] F2FS-fs (loop0): Mounted with checkpoint version = 2
    [  846.430929] F2FS-fs (loop0): access invalid blkaddr:1024
    [  846.431058] WARNING: CPU: 1 PID: 1249 at fs/f2fs/checkpoint.c:154 f2fs_is_valid_blkaddr+0x10f/0x160
    [  846.431059] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd input_leds joydev soundcore serio_raw i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor xor async_tx raid6_pq raid1 raid0 multipath linear qxl ttm crct10dif_pclmul crc32_pclmul drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops pcbc drm 8139too aesni_intel 8139cp floppy psmouse mii aes_x86_64 crypto_simd pata_acpi cryptd glue_helper
    [  846.431310] CPU: 1 PID: 1249 Comm: a.out Not tainted 4.18.0-rc3+ #1
    [  846.431312] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
    [  846.431315] RIP: 0010:f2fs_is_valid_blkaddr+0x10f/0x160
    [  846.431316] Code: 00 eb ed 31 c0 83 fa 05 75 ae 48 83 ec 08 48 8b 3f 89 f1 48 c7 c2 fc 0b 0f 8b 48 c7 c6 8b d7 09 8b 88 44 24 07 e8 61 8b ff ff <0f> 0b 0f b6 44 24 07 48 83 c4 08 eb 81 4c 8b 47 10 8b 8f 38 04 00
    [  846.431347] RSP: 0018:ffff961c414a7bc0 EFLAGS: 00010282
    [  846.431349] RAX: 0000000000000000 RBX: ffffc5f787b8ea80 RCX: 0000000000000000
    [  846.431350] RDX: 0000000000000000 RSI: ffff89dfffd165d8 RDI: ffff89dfffd165d8
    [  846.431351] RBP: ffff961c414a7c20 R08: 0000000000000001 R09: 0000000000000248
    [  846.431353] R10: 0000000000000000 R11: 0000000000000248 R12: 0000000000000007
    [  846.431369] R13: ffff89dff5492800 R14: ffff89dfae3aa000 R15: ffff89dff4ff88d0
    [  846.431372] FS:  00007f882e2fb700(0000) GS:ffff89dfffd00000(0000) knlGS:0000000000000000
    [  846.431373] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  846.431374] CR2: 0000000001a88008 CR3: 00000001eb572000 CR4: 00000000000006e0
    [  846.431384] Call Trace:
    [  846.431426]  f2fs_iget+0x6f4/0xe70
    [  846.431430]  ? f2fs_find_entry+0x71/0x90
    [  846.431432]  f2fs_lookup+0x1aa/0x390
    [  846.431452]  __lookup_slow+0x97/0x150
    [  846.431459]  lookup_slow+0x35/0x50
    [  846.431462]  walk_component+0x1c6/0x470
    [  846.431479]  ? memcg_kmem_charge_memcg+0x70/0x90
    [  846.431488]  ? page_add_file_rmap+0x13/0x200
    [  846.431491]  path_lookupat+0x76/0x230
    [  846.431501]  ? __alloc_pages_nodemask+0xfc/0x280
    [  846.431504]  filename_lookup+0xb8/0x1a0
    [  846.431534]  ? _cond_resched+0x16/0x40
    [  846.431541]  ? kmem_cache_alloc+0x160/0x1d0
    [  846.431549]  ? path_listxattr+0x41/0xa0
    [  846.431551]  path_listxattr+0x41/0xa0
    [  846.431570]  do_syscall_64+0x55/0x100
    [  846.431583]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [  846.431607] RIP: 0033:0x7f882de1c0d7
    [  846.431607] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48
    [  846.431639] RSP: 002b:00007ffe8e66c238 EFLAGS: 00000202 ORIG_RAX: 00000000000000c2
    [  846.431641] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f882de1c0d7
    [  846.431642] RDX: 0000000000000071 RSI: 00007ffe8e66c280 RDI: 0000000001a880c0
    [  846.431643] RBP: 00007ffe8e66c300 R08: 0000000001a88010 R09: 0000000000000000
    [  846.431645] R10: 00000000000001ab R11: 0000000000000202 R12: 0000000000400550
    [  846.431646] R13: 00007ffe8e66c400 R14: 0000000000000000 R15: 0000000000000000
    [  846.431648] ---[ end trace abca54df39d14f5c ]---
    [  846.431651] F2FS-fs (loop0): invalid blkaddr: 1024, type: 5, run fsck to fix.
    [  846.431762] WARNING: CPU: 1 PID: 1249 at fs/f2fs/f2fs.h:2697 f2fs_iget+0xd17/0xe70
    [  846.431763] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd input_leds joydev soundcore serio_raw i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor xor async_tx raid6_pq raid1 raid0 multipath linear qxl ttm crct10dif_pclmul crc32_pclmul drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops pcbc drm 8139too aesni_intel 8139cp floppy psmouse mii aes_x86_64 crypto_simd pata_acpi cryptd glue_helper
    [  846.431797] CPU: 1 PID: 1249 Comm: a.out Tainted: G        W         4.18.0-rc3+ #1
    [  846.431798] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
    [  846.431800] RIP: 0010:f2fs_iget+0xd17/0xe70
    [  846.431801] Code: ff ff 48 63 d8 e9 e1 f6 ff ff 48 8b 45 c8 41 b8 05 00 00 00 48 c7 c2 d8 e8 0e 8b 48 c7 c6 1d b0 0a 8b 48 8b 38 e8 f9 b4 00 00 <0f> 0b 48 8b 45 c8 f0 80 48 48 04 e9 d8 f9 ff ff 0f 0b 48 8b 43 18
    [  846.431832] RSP: 0018:ffff961c414a7bd0 EFLAGS: 00010282
    [  846.431834] RAX: 0000000000000000 RBX: ffffc5f787b8ea80 RCX: 0000000000000006
    [  846.431835] RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff89dfffd165d0
    [  846.431836] RBP: ffff961c414a7c20 R08: 0000000000000000 R09: 0000000000000273
    [  846.431837] R10: 0000000000000000 R11: ffff89dfad50ca60 R12: 0000000000000007
    [  846.431838] R13: ffff89dff5492800 R14: ffff89dfae3aa000 R15: ffff89dff4ff88d0
    [  846.431840] FS:  00007f882e2fb700(0000) GS:ffff89dfffd00000(0000) knlGS:0000000000000000
    [  846.431841] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  846.431842] CR2: 0000000001a88008 CR3: 00000001eb572000 CR4: 00000000000006e0
    [  846.431846] Call Trace:
    [  846.431850]  ? f2fs_find_entry+0x71/0x90
    [  846.431853]  f2fs_lookup+0x1aa/0x390
    [  846.431856]  __lookup_slow+0x97/0x150
    [  846.431858]  lookup_slow+0x35/0x50
    [  846.431874]  walk_component+0x1c6/0x470
    [  846.431878]  ? memcg_kmem_charge_memcg+0x70/0x90
    [  846.431880]  ? page_add_file_rmap+0x13/0x200
    [  846.431882]  path_lookupat+0x76/0x230
    [  846.431884]  ? __alloc_pages_nodemask+0xfc/0x280
    [  846.431886]  filename_lookup+0xb8/0x1a0
    [  846.431890]  ? _cond_resched+0x16/0x40
    [  846.431891]  ? kmem_cache_alloc+0x160/0x1d0
    [  846.431894]  ? path_listxattr+0x41/0xa0
    [  846.431896]  path_listxattr+0x41/0xa0
    [  846.431898]  do_syscall_64+0x55/0x100
    [  846.431901]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [  846.431902] RIP: 0033:0x7f882de1c0d7
    [  846.431903] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48
    [  846.431934] RSP: 002b:00007ffe8e66c238 EFLAGS: 00000202 ORIG_RAX: 00000000000000c2
    [  846.431936] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f882de1c0d7
    [  846.431937] RDX: 0000000000000071 RSI: 00007ffe8e66c280 RDI: 0000000001a880c0
    [  846.431939] RBP: 00007ffe8e66c300 R08: 0000000001a88010 R09: 0000000000000000
    [  846.431940] R10: 00000000000001ab R11: 0000000000000202 R12: 0000000000400550
    [  846.431941] R13: 00007ffe8e66c400 R14: 0000000000000000 R15: 0000000000000000
    [  846.431943] ---[ end trace abca54df39d14f5d ]---
    [  846.432033] F2FS-fs (loop0): access invalid blkaddr:1024
    [  846.432051] WARNING: CPU: 1 PID: 1249 at fs/f2fs/checkpoint.c:154 f2fs_is_valid_blkaddr+0x10f/0x160
    [  846.432051] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd input_leds joydev soundcore serio_raw i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor xor async_tx raid6_pq raid1 raid0 multipath linear qxl ttm crct10dif_pclmul crc32_pclmul drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops pcbc drm 8139too aesni_intel 8139cp floppy psmouse mii aes_x86_64 crypto_simd pata_acpi cryptd glue_helper
    [  846.432085] CPU: 1 PID: 1249 Comm: a.out Tainted: G        W         4.18.0-rc3+ #1
    [  846.432086] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
    [  846.432089] RIP: 0010:f2fs_is_valid_blkaddr+0x10f/0x160
    [  846.432089] Code: 00 eb ed 31 c0 83 fa 05 75 ae 48 83 ec 08 48 8b 3f 89 f1 48 c7 c2 fc 0b 0f 8b 48 c7 c6 8b d7 09 8b 88 44 24 07 e8 61 8b ff ff <0f> 0b 0f b6 44 24 07 48 83 c4 08 eb 81 4c 8b 47 10 8b 8f 38 04 00
    [  846.432120] RSP: 0018:ffff961c414a7900 EFLAGS: 00010286
    [  846.432122] RAX: 0000000000000000 RBX: 0000000000000400 RCX: 0000000000000006
    [  846.432123] RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff89dfffd165d0
    [  846.432124] RBP: ffff89dff5492800 R08: 0000000000000001 R09: 000000000000029d
    [  846.432125] R10: ffff961c414a7820 R11: 000000000000029d R12: 0000000000000400
    [  846.432126] R13: 0000000000000000 R14: ffff89dff4ff88d0 R15: 0000000000000000
    [  846.432128] FS:  00007f882e2fb700(0000) GS:ffff89dfffd00000(0000) knlGS:0000000000000000
    [  846.432130] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  846.432131] CR2: 0000000001a88008 CR3: 00000001eb572000 CR4: 00000000000006e0
    [  846.432135] Call Trace:
    [  846.432151]  f2fs_wait_on_block_writeback+0x20/0x110
    [  846.432158]  f2fs_grab_read_bio+0xbc/0xe0
    [  846.432161]  f2fs_submit_page_read+0x21/0x280
    [  846.432163]  f2fs_get_read_data_page+0xb7/0x3c0
    [  846.432165]  f2fs_get_lock_data_page+0x29/0x1e0
    [  846.432167]  f2fs_get_new_data_page+0x148/0x550
    [  846.432170]  f2fs_add_regular_entry+0x1d2/0x550
    [  846.432178]  ? __switch_to+0x12f/0x460
    [  846.432181]  f2fs_add_dentry+0x6a/0xd0
    [  846.432184]  f2fs_do_add_link+0xe9/0x140
    [  846.432186]  __recover_dot_dentries+0x260/0x280
    [  846.432189]  f2fs_lookup+0x343/0x390
    [  846.432193]  __lookup_slow+0x97/0x150
    [  846.432195]  lookup_slow+0x35/0x50
    [  846.432208]  walk_component+0x1c6/0x470
    [  846.432212]  ? memcg_kmem_charge_memcg+0x70/0x90
    [  846.432215]  ? page_add_file_rmap+0x13/0x200
    [  846.432217]  path_lookupat+0x76/0x230
    [  846.432219]  ? __alloc_pages_nodemask+0xfc/0x280
    [  846.432221]  filename_lookup+0xb8/0x1a0
    [  846.432224]  ? _cond_resched+0x16/0x40
    [  846.432226]  ? kmem_cache_alloc+0x160/0x1d0
    [  846.432228]  ? path_listxattr+0x41/0xa0
    [  846.432230]  path_listxattr+0x41/0xa0
    [  846.432233]  do_syscall_64+0x55/0x100
    [  846.432235]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [  846.432237] RIP: 0033:0x7f882de1c0d7
    [  846.432237] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48
    [  846.432269] RSP: 002b:00007ffe8e66c238 EFLAGS: 00000202 ORIG_RAX: 00000000000000c2
    [  846.432271] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f882de1c0d7
    [  846.432272] RDX: 0000000000000071 RSI: 00007ffe8e66c280 RDI: 0000000001a880c0
    [  846.432273] RBP: 00007ffe8e66c300 R08: 0000000001a88010 R09: 0000000000000000
    [  846.432274] R10: 00000000000001ab R11: 0000000000000202 R12: 0000000000400550
    [  846.432275] R13: 00007ffe8e66c400 R14: 0000000000000000 R15: 0000000000000000
    [  846.432277] ---[ end trace abca54df39d14f5e ]---
    [  846.432279] F2FS-fs (loop0): invalid blkaddr: 1024, type: 5, run fsck to fix.
    [  846.432376] WARNING: CPU: 1 PID: 1249 at fs/f2fs/f2fs.h:2697 f2fs_wait_on_block_writeback+0xb1/0x110
    [  846.432376] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd input_leds joydev soundcore serio_raw i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor xor async_tx raid6_pq raid1 raid0 multipath linear qxl ttm crct10dif_pclmul crc32_pclmul drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops pcbc drm 8139too aesni_intel 8139cp floppy psmouse mii aes_x86_64 crypto_simd pata_acpi cryptd glue_helper
    [  846.432410] CPU: 1 PID: 1249 Comm: a.out Tainted: G        W         4.18.0-rc3+ #1
    [  846.432411] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
    [  846.432413] RIP: 0010:f2fs_wait_on_block_writeback+0xb1/0x110
    [  846.432414] Code: 66 90 f0 ff 4b 34 74 59 5b 5d c3 48 8b 7d 00 41 b8 05 00 00 00 89 d9 48 c7 c2 d8 e8 0e 8b 48 c7 c6 1d b0 0a 8b e8 df bc fd ff <0f> 0b f0 80 4d 48 04 e9 67 ff ff ff 48 8b 03 48 c1 e8 37 83 e0 07
    [  846.432445] RSP: 0018:ffff961c414a7910 EFLAGS: 00010286
    [  846.432447] RAX: 0000000000000000 RBX: 0000000000000400 RCX: 0000000000000006
    [  846.432448] RDX: 0000000000000000 RSI: 0000000000000092 RDI: ffff89dfffd165d0
    [  846.432449] RBP: ffff89dff5492800 R08: 0000000000000000 R09: 00000000000002d1
    [  846.432450] R10: ffff961c414a7820 R11: ffff89dfad50cf80 R12: 0000000000000400
    [  846.432451] R13: 0000000000000000 R14: ffff89dff4ff88d0 R15: 0000000000000000
    [  846.432453] FS:  00007f882e2fb700(0000) GS:ffff89dfffd00000(0000) knlGS:0000000000000000
    [  846.432454] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  846.432455] CR2: 0000000001a88008 CR3: 00000001eb572000 CR4: 00000000000006e0
    [  846.432459] Call Trace:
    [  846.432463]  f2fs_grab_read_bio+0xbc/0xe0
    [  846.432464]  f2fs_submit_page_read+0x21/0x280
    [  846.432466]  f2fs_get_read_data_page+0xb7/0x3c0
    [  846.432468]  f2fs_get_lock_data_page+0x29/0x1e0
    [  846.432470]  f2fs_get_new_data_page+0x148/0x550
    [  846.432473]  f2fs_add_regular_entry+0x1d2/0x550
    [  846.432475]  ? __switch_to+0x12f/0x460
    [  846.432477]  f2fs_add_dentry+0x6a/0xd0
    [  846.432480]  f2fs_do_add_link+0xe9/0x140
    [  846.432483]  __recover_dot_dentries+0x260/0x280
    [  846.432485]  f2fs_lookup+0x343/0x390
    [  846.432488]  __lookup_slow+0x97/0x150
    [  846.432490]  lookup_slow+0x35/0x50
    [  846.432505]  walk_component+0x1c6/0x470
    [  846.432509]  ? memcg_kmem_charge_memcg+0x70/0x90
    [  846.432511]  ? page_add_file_rmap+0x13/0x200
    [  846.432513]  path_lookupat+0x76/0x230
    [  846.432515]  ? __alloc_pages_nodemask+0xfc/0x280
    [  846.432517]  filename_lookup+0xb8/0x1a0
    [  846.432520]  ? _cond_resched+0x16/0x40
    [  846.432522]  ? kmem_cache_alloc+0x160/0x1d0
    [  846.432525]  ? path_listxattr+0x41/0xa0
    [  846.432526]  path_listxattr+0x41/0xa0
    [  846.432529]  do_syscall_64+0x55/0x100
    [  846.432531]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [  846.432533] RIP: 0033:0x7f882de1c0d7
    [  846.432533] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48
    [  846.432565] RSP: 002b:00007ffe8e66c238 EFLAGS: 00000202 ORIG_RAX: 00000000000000c2
    [  846.432567] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f882de1c0d7
    [  846.432568] RDX: 0000000000000071 RSI: 00007ffe8e66c280 RDI: 0000000001a880c0
    [  846.432569] RBP: 00007ffe8e66c300 R08: 0000000001a88010 R09: 0000000000000000
    [  846.432570] R10: 00000000000001ab R11: 0000000000000202 R12: 0000000000400550
    [  846.432571] R13: 00007ffe8e66c400 R14: 0000000000000000 R15: 0000000000000000
    [  846.432573] ---[ end trace abca54df39d14f5f ]---
    [  846.434280] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
    [  846.434424] PGD 80000001ebd3a067 P4D 80000001ebd3a067 PUD 1eb1ae067 PMD 0
    [  846.434551] Oops: 0000 [#1] SMP PTI
    [  846.434697] CPU: 0 PID: 44 Comm: kworker/u5:0 Tainted: G        W         4.18.0-rc3+ #1
    [  846.434805] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
    [  846.435000] Workqueue: fscrypt_read_queue decrypt_work
    [  846.435174] RIP: 0010:fscrypt_do_page_crypto+0x6e/0x2d0
    [  846.435351] Code: 00 65 48 8b 04 25 28 00 00 00 48 89 84 24 88 00 00 00 31 c0 e8 43 c2 e0 ff 49 8b 86 48 02 00 00 85 ed c7 44 24 70 00 00 00 00 <48> 8b 58 08 0f 84 14 02 00 00 48 8b 78 10 48 8b 0c 24 48 c7 84 24
    [  846.435696] RSP: 0018:ffff961c40f9bd60 EFLAGS: 00010206
    [  846.435870] RAX: 0000000000000000 RBX: ffffc5f787719b80 RCX: ffffc5f787719b80
    [  846.436051] RDX: ffffffff8b9f4b88 RSI: ffffffff8b0ae622 RDI: ffff961c40f9bdb8
    [  846.436261] RBP: 0000000000001000 R08: ffffc5f787719b80 R09: 0000000000001000
    [  846.436433] R10: 0000000000000018 R11: fefefefefefefeff R12: ffffc5f787719b80
    [  846.436562] R13: ffffc5f787719b80 R14: ffff89dff4ff88d0 R15: 0ffff89dfaddee60
    [  846.436658] FS:  0000000000000000(0000) GS:ffff89dfffc00000(0000) knlGS:0000000000000000
    [  846.436758] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  846.436898] CR2: 0000000000000008 CR3: 00000001eddd0000 CR4: 00000000000006f0
    [  846.437001] Call Trace:
    [  846.437181]  ? check_preempt_wakeup+0xf2/0x230
    [  846.437276]  ? check_preempt_curr+0x7c/0x90
    [  846.437370]  fscrypt_decrypt_page+0x48/0x4d
    [  846.437466]  __fscrypt_decrypt_bio+0x5b/0x90
    [  846.437542]  decrypt_work+0x12/0x20
    [  846.437651]  process_one_work+0x15e/0x3d0
    [  846.437740]  worker_thread+0x4c/0x440
    [  846.437848]  kthread+0xf8/0x130
    [  846.437938]  ? rescuer_thread+0x350/0x350
    [  846.438022]  ? kthread_associate_blkcg+0x90/0x90
    [  846.438117]  ret_from_fork+0x35/0x40
    [  846.438201] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd input_leds joydev soundcore serio_raw i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor xor async_tx raid6_pq raid1 raid0 multipath linear qxl ttm crct10dif_pclmul crc32_pclmul drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops pcbc drm 8139too aesni_intel 8139cp floppy psmouse mii aes_x86_64 crypto_simd pata_acpi cryptd glue_helper
    [  846.438653] CR2: 0000000000000008
    [  846.438713] ---[ end trace abca54df39d14f60 ]---
    [  846.438796] RIP: 0010:fscrypt_do_page_crypto+0x6e/0x2d0
    [  846.438844] Code: 00 65 48 8b 04 25 28 00 00 00 48 89 84 24 88 00 00 00 31 c0 e8 43 c2 e0 ff 49 8b 86 48 02 00 00 85 ed c7 44 24 70 00 00 00 00 <48> 8b 58 08 0f 84 14 02 00 00 48 8b 78 10 48 8b 0c 24 48 c7 84 24
    [  846.439084] RSP: 0018:ffff961c40f9bd60 EFLAGS: 00010206
    [  846.439176] RAX: 0000000000000000 RBX: ffffc5f787719b80 RCX: ffffc5f787719b80
    [  846.440927] RDX: ffffffff8b9f4b88 RSI: ffffffff8b0ae622 RDI: ffff961c40f9bdb8
    [  846.442083] RBP: 0000000000001000 R08: ffffc5f787719b80 R09: 0000000000001000
    [  846.443284] R10: 0000000000000018 R11: fefefefefefefeff R12: ffffc5f787719b80
    [  846.444448] R13: ffffc5f787719b80 R14: ffff89dff4ff88d0 R15: 0ffff89dfaddee60
    [  846.445558] FS:  0000000000000000(0000) GS:ffff89dfffc00000(0000) knlGS:0000000000000000
    [  846.446687] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  846.447796] CR2: 0000000000000008 CR3: 00000001eddd0000 CR4: 00000000000006f0
    
    - Location
    https://elixir.bootlin.com/linux/v4.18-rc4/source/fs/crypto/crypto.c#L149
    	struct crypto_skcipher *tfm = ci->ci_ctfm;
    Here ci can be NULL.
    
    Note that this issue may require CONFIG_F2FS_FS_ENCRYPTION=y to reproduce.
    
    Reported-by: Wen Xu <wen.xu@gatech.edu>
    Signed-off-by: Chao Yu <yuchao0@huawei.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    [bwh: Backported to 4.14: adjust context]
    Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
  22. xhci: Prevent U1/U2 link pm states if exit latency is too long

    matnyman authored and gregkh committed Dec 5, 2018
    commit 0472bf0 upstream.
    
    Don't allow USB3 U1 or U2 if the latency to wake up from the U-state
    reaches the service interval for a periodic endpoint.
    
    This is according to xhci 1.1 specification section 4.23.5.2 extra note:
    
    "Software shall ensure that a device is prevented from entering a U-state
     where its worst case exit latency approaches the ESIT."
    
    Allowing too long exit latencies for periodic endpoints confuses the xHC's
    internal scheduling, and new devices may fail to enumerate with a
    "Not enough bandwidth for new device state" error from the host.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  23. xhci: workaround CSS timeout on AMD SNPS 3.0 xHC

    Sandeep Singh authored and gregkh committed Dec 5, 2018
    commit a7d57ab upstream.
    
    Occasionally the AMD SNPS 3.0 xHC does not respond to
    CSS when set; also, it does not flag anything on SRE and HCE
    to point to internal xHC errors in the USBSTS register. This stalls
    the entire system-wide suspend, and there is no point in stalling
    just because the xHC CSS is not responding.
    
    To work around this problem, if the xHC does not flag
    anything on SRE and HCE, we can skip the CSS
    timeout and allow the system to continue the suspend. Once the
    system resume happens we can internally reset the controller
    using the XHCI_RESET_ON_RESUME quirk.
    
    Signed-off-by: Shyam Sundar S K <Shyam-sundar.S-k@amd.com>
    Signed-off-by: Sandeep Singh <Sandeep.Singh@amd.com>
    cc: Nehal Shah <Nehal-bakulchandra.Shah@amd.com>
    Cc: <stable@vger.kernel.org>
    Tested-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
    Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  24. ARM: 8806/1: kprobes: Fix false positive with FORTIFY_SOURCE

    kees authored and gregkh committed Oct 30, 2018
    commit e46daee upstream.
    
    The arm compiler internally interprets an inline assembly label
    as an unsigned long value, not a pointer. As a result, under
    CONFIG_FORTIFY_SOURCE, the address of a label has a size of 4 bytes,
    which was tripping the runtime checks. Instead, we can just cast the label
    (as done with the size calculations earlier).
    
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1639397
    
    Reported-by: William Cohen <wcohen@redhat.com>
    Fixes: 6974f0c ("include/linux/string.h: add the option of fortified string.h functions")
    Cc: stable@vger.kernel.org
    Acked-by: Laura Abbott <labbott@redhat.com>
    Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
    Tested-by: William Cohen <wcohen@redhat.com>
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  25. dmaengine: cppi41: delete channel from pending list when stop channel

    Bin Liu authored and gregkh committed Nov 12, 2018
    commit 5986154 upstream.
    
    The driver defines three states for a cppi channel.
    - idle: .chan_busy == 0 && not in .pending list
    - pending: .chan_busy == 0 && in .pending list
    - busy: .chan_busy == 1 && not in .pending list
    
    There are cases in which the cppi channel could be in the pending state
    when cppi41_dma_issue_pending() is called after cppi41_runtime_suspend()
    is called.
    
    cppi41_stop_chan() has a bug in these cases when setting channels to the idle state.
    It only checks the .chan_busy flag, but not the .pending list, so later,
    when cppi41_runtime_resume() is called, the channels in the .pending list will
    be transitioned to the busy state.
    
    Removing channels from the .pending list solves the problem.
    
    Fixes: 975faae ("dma: cppi41: start tear down only if channel is busy")
    Cc: stable@vger.kernel.org # v3.15+
    Signed-off-by: Bin Liu <b-liu@ti.com>
    Reviewed-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
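The idle/pending/busy model described in the message above, as an added user-space illustration that is not the cppi41 driver's code: a small model carries the three states and both versions of the stop routine, and shows that clearing only .chan_busy leaves a channel queued, so a later resume promotes it to busy instead of leaving it idle. The controller struct, the bounded pending array and the function names are constructed for this demonstration.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_PENDING 8

/* One DMA channel; only the field the driver's state model uses. */
struct chan {
    int chan_busy;     /* 1 while a transfer is in flight */
};

/* Controller-wide bookkeeping (constructed): the .pending list and the
 * runtime-PM state. */
struct ctrl {
    struct chan *pending[MAX_PENDING];
    int npending;
    bool suspended;
};

enum chan_state { CH_IDLE, CH_PENDING, CH_BUSY, CH_INVALID };

static bool in_pending(const struct ctrl *c, const struct chan *ch)
{
    for (int i = 0; i < c->npending; i++)
        if (c->pending[i] == ch)
            return true;
    return false;
}

static void pending_del(struct ctrl *c, const struct chan *ch)
{
    int j = 0;
    for (int i = 0; i < c->npending; i++)
        if (c->pending[i] != ch)
            c->pending[j++] = c->pending[i];
    c->npending = j;
}

/* The three states from the commit message, derived from the two facts. */
enum chan_state chan_state(const struct ctrl *c, const struct chan *ch)
{
    bool queued = in_pending(c, ch);
    if (!ch->chan_busy && !queued) return CH_IDLE;
    if (!ch->chan_busy && queued)  return CH_PENDING;
    if (ch->chan_busy && !queued)  return CH_BUSY;
    return CH_INVALID;             /* busy and queued: should never happen */
}

/* issue_pending: start now, or queue until the controller resumes. */
void issue_pending(struct ctrl *c, struct chan *ch)
{
    if (!c->suspended) {
        ch->chan_busy = 1;
    } else if (!in_pending(c, ch) && c->npending < MAX_PENDING) {
        c->pending[c->npending++] = ch;
    }
}

/* runtime_resume: everything queued while suspended is started. */
void runtime_resume(struct ctrl *c)
{
    c->suspended = false;
    for (int i = 0; i < c->npending; i++)
        c->pending[i]->chan_busy = 1;
    c->npending = 0;
}

/* Old behaviour: only the busy flag is considered; the queue is forgotten. */
void stop_chan_buggy(struct ctrl *c, struct chan *ch)
{
    (void)c;
    ch->chan_busy = 0;
}

/* Fixed behaviour: a stopped channel is also removed from .pending. */
void stop_chan_fixed(struct ctrl *c, struct chan *ch)
{
    pending_del(c, ch);
    ch->chan_busy = 0;
}

/* The sequence from the commit: suspend, issue_pending, stop, resume.
 * Returns the channel's state after resume (CH_IDLE is the correct answer). */
enum chan_state scenario(bool use_fix)
{
    struct ctrl c = { .npending = 0, .suspended = true };  /* runtime_suspend() */
    struct chan ch = { .chan_busy = 0 };

    issue_pending(&c, &ch);                       /* channel is now pending */
    if (use_fix)
        stop_chan_fixed(&c, &ch);
    else
        stop_chan_buggy(&c, &ch);
    runtime_resume(&c);                           /* promotes leftovers to busy */
    return chan_state(&c, &ch);
}

int main(void)
{
    printf("buggy stop -> %s\n", scenario(false) == CH_BUSY ? "busy (wrong)" : "idle");
    printf("fixed stop -> %s\n", scenario(true) == CH_IDLE ? "idle" : "busy (wrong)");
    return 0;
}
```

The point the model makes is that "stopped" is not a flag of its own: a channel is idle only when both facts hold, so a stop routine has to clear both the busy flag and the queue membership, otherwise the next resume acts on stale state.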
  26. dmaengine: dw: Fix FIFO size for Intel Merrifield

    andy-shev authored and gregkh committed Dec 5, 2018
    commit ffe843b upstream.
    
    Intel Merrifield has a reduced FIFO size in the iDMA 32-bit controller,
    i.e. 512 bytes instead of 1024.
    
    Fix this by partitioning it as 64 bytes per channel.
    
    Note, in the future we might switch to the 'fifo-size' property instead of
    the hard-coded value.
    
    Fixes: 199244d ("dmaengine: dw: add support of iDMA 32-bit hardware")
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Vinod Koul <vkoul@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  27. SUNRPC: Fix leak of krb5p encode pages

    chucklever authored and gregkh committed Nov 30, 2018
    commit 8dae539 upstream.
    
    call_encode can be invoked more than once per RPC call. Ensure that
    each call to gss_wrap_req_priv does not overwrite pointers to
    previously allocated memory.
    
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Cc: stable@kernel.org
    Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  28. vhost/vsock: fix use-after-free in network stack callers

    Stefan Hajnoczi authored and gregkh committed Nov 5, 2018
    commit 834e772 upstream.
    
    If the network stack calls .send_pkt()/.cancel_pkt() during .release(),
    a struct vhost_vsock use-after-free is possible.  This occurs because
    .release() does not wait for other CPUs to stop using struct
    vhost_vsock.
    
    Switch to an RCU-enabled hashtable (indexed by guest CID) so that
    .release() can wait for other CPUs by calling synchronize_rcu().  This
    also eliminates vhost_vsock_lock acquisition in the data path so it
    could have a positive effect on performance.
    
    This is CVE-2018-14625 "kernel: use-after-free Read in vhost_transport_send_pkt".
    
    Cc: stable@vger.kernel.org
    Reported-and-tested-by: syzbot+bd391451452fb0b93039@syzkaller.appspotmail.com
    Reported-by: syzbot+e3e074963495f92a89ed@syzkaller.appspotmail.com
    Reported-by: syzbot+d5a0a170c5069658b141@syzkaller.appspotmail.com
    Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Acked-by: Jason Wang <jasowang@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  29. virtio/s390: fix race in ccw_io_helper()

    halil-pasic authored and gregkh committed Sep 26, 2018
    commit 78b1a52 upstream.
    
    While ccw_io_helper() seems to be intended to be exclusive, in the sense that
    it is supposed to facilitate I/O for at most one thread at any given
    time, there is actually nothing ensuring that threads won't pile up at
    vcdev->wait_q. If they do, all threads get woken up and see the status
    that belongs to some other request than their own. This can lead to bugs.
    For an example, see:
    https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1788432
    
    This race normally does not cause any problems. The operations provided
    by struct virtio_config_ops are usually invoked in a well defined
    sequence, normally don't fail, and are normally used quite infrequently
    too.
    
    Yet, if some of these operations are directly triggered via sysfs
    attributes, like in the case described by the referenced bug, userspace
    is given an opportunity to force races by increasing the frequency of the
    given operations.
    
    Let us fix the problem by ensuring that for each device, we finish
    processing the previous request before starting with a new one.
    
    Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
    Reported-by: Colin Ian King <colin.king@canonical.com>
    Cc: stable@vger.kernel.org
    Message-Id: <20180925121309.58524-3-pasic@linux.ibm.com>
    Signed-off-by: Cornelia Huck <cohuck@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  30. virtio/s390: avoid race on vcdev->config

    halil-pasic authored and gregkh committed Sep 26, 2018
    commit 2448a29 upstream.
    
    Currently we have a race on vcdev->config in virtio_ccw_get_config() and
    in virtio_ccw_set_config().
    
    This normally does not cause problems, as these are usually infrequent
    operations. However, for some devices writing to/reading from the config
    space can be triggered through sysfs attributes. For these, userspace can
    force the race by increasing the frequency.
    
    Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
    Cc: stable@vger.kernel.org
    Message-Id: <20180925121309.58524-2-pasic@linux.ibm.com>
    Signed-off-by: Cornelia Huck <cohuck@redhat.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  31. ALSA: hda/realtek - Fix speaker output regression on Thinkpad T570

    tiwai authored and gregkh committed Dec 3, 2018
    commit 54947cd upstream.
    
    We've got a regression report for some Thinkpad models (at least
    T570s) which show too low a speaker output volume.  The bisection
    led to the commit 61fcf8e ("ALSA: hda/realtek - Enable Thinkpad
    Dock device for ALC298 platform"), and it's basically adding the two
    pin configurations for the dock, and looks harmless.
    
    The real culprit seems to be, though, that the DAC assignment for the
    speaker pin is implicitly assumed on these devices, i.e. pin NID 0x14
    to be coupled with DAC NID 0x03.  When more pins are configured by the
    commit above, the auto-parser changes the DAC assignment, and this
    resulted in the regression.
    
    As a workaround, just provide the fixed pin / DAC mapping table for
    this Thinkpad fixup function.  It's no generic solution, but the
    problem itself is pretty much device-specific, so it must be good
    enough.
    
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1554304
    Fixes: 61fcf8e ("ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform")
    Cc: <stable@vger.kernel.org>
    Reported-and-tested-by: Jeremy Cline <jcline@redhat.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  32. ALSA: pcm: Fix interval evaluation with openmin/max

    tiwai authored and gregkh committed Nov 29, 2018
    commit 5363857 upstream.
    
    As addressed in alsa-lib (commit b420056604f0), we need to fix the
    case where the evaluation of the PCM interval "(x x+1]" leads to
    -EINVAL.  After applying rules, such an interval may be translated as
    "(x x+1)".
    
    Fixes: ff2d6ac ("ALSA: pcm: Fix snd_interval_refine first/last with open min/max")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
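An added illustration, not the kernel's or alsa-lib's code, of why an integer interval with open bounds needs care: "(x x+1]" admits exactly x+1 while "(x x+1)" admits nothing, so an evaluator that treats both the same either rejects a valid constraint or accepts an empty one. The struct below borrows the ALSA field names min/max/openmin/openmax but is a constructed stand-in; the normalisation step, the refine function and the 44100/44101 rate values are likewise constructed for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Integer interval with optionally open end points (constructed stand-in;
 * field names follow the ALSA snd_interval fields of the same names). */
struct ival {
    unsigned int min, max;
    bool openmin, openmax;    /* true: the bound itself is excluded */
};

/* Rewrite an integer interval so that both bounds are closed:
 * (x, y] becomes [x+1, y] and [x, y) becomes [x, y-1]. Returns false when
 * no integer satisfies the interval, e.g. (x, x+1), (x, x] or [x, x). */
bool ival_normalize(struct ival *i)
{
    if (i->openmin) {
        if (i->min >= i->max)                   /* (x, x] and (x, x) are empty */
            return false;
        i->min++;
        i->openmin = false;
    }
    if (i->openmax) {
        if (i->max == 0 || i->max - 1 < i->min) /* [x, x) is empty */
            return false;
        i->max--;
        i->openmax = false;
    }
    return i->min <= i->max;
}

/* Intersect *i with the constraint *v, keeping the tighter bound and its
 * openness, then normalise. Returns 0, or -EINVAL when nothing is left. */
int ival_refine(struct ival *i, const struct ival *v)
{
    if (v->min > i->min || (v->min == i->min && v->openmin)) {
        i->min = v->min;
        i->openmin = v->openmin;
    }
    if (v->max < i->max || (v->max == i->max && v->openmax)) {
        i->max = v->max;
        i->openmax = v->openmax;
    }
    return ival_normalize(i) ? 0 : -EINVAL;
}

/* Worked case: a closed rate range [44100, 48000] (constructed) refined
 * against (44100, 44101] when openmax is false, or (44100, 44101) when it
 * is true. The result and the error code are returned separately. */
static struct ival refined(bool openmax, int *err)
{
    struct ival i = { 44100, 48000, false, false };
    struct ival v = { 44100, 44101, true, openmax };

    *err = ival_refine(&i, &v);
    return i;
}

int refine_err(bool openmax)
{
    int err;
    refined(openmax, &err);
    return err;
}

/* The single admissible value on success, 0 on error. */
unsigned int refine_min(bool openmax)
{
    int err;
    struct ival r = refined(openmax, &err);
    return err ? 0 : r.min;
}

int main(void)
{
    printf("(x, x+1]: %s, value %u\n",
           refine_err(false) ? "rejected" : "ok", refine_min(false));
    printf("(x, x+1): %s\n",
           refine_err(true) ? "rejected (no integer fits)" : "ok");
    return 0;
}
```

Normalising open bounds into closed ones before the emptiness check is what keeps the two cases apart: the half-open interval collapses to the single value x+1, and only the fully open one is reported as empty.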
  33. ALSA: pcm: Call snd_pcm_unlink() conditionally at closing

    tiwai authored and gregkh committed Nov 29, 2018
    commit b51abed upstream.
    
    Currently the PCM core always calls snd_pcm_unlink() unconditionally
    at closing a stream.  However, since snd_pcm_unlink() invokes the
    global rwsem down, the lock can be easily contended.  Worse, when
    a thread runs in a high priority RT-FIFO, it may stall at spinning.
    
    Basically the call of snd_pcm_unlink() is required only for the linked
    streams, which are already a rare occasion.  For normal use cases, this
    code path is fairly superfluous.
    
    As an optimization (and also as a workaround for the RT problem
    above in normal situations without linked streams), this patch adds a
    check before calling snd_pcm_unlink() and calls it only when needed.
    
    Reported-by: Chanho Min <chanho.min@lge.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>