commit 343f981c760801e7cd4715bcdb54fb075f59335a
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Feb 6 19:43:08 2019 +0100

    Linux 4.4.173

commit 16925957b829f725e71fe4a662552a80e3d7d0ad
Author: Dave Chinner <dchinner@redhat.com>
Date:   Fri May 11 11:20:57 2018 +1000

    fs: don't scan the inode cache before SB_BORN is set
    
    commit 79f546a696bff2590169fb5684e23d65f4d9f591 upstream.
    
    We recently had an oops reported on a 4.14 kernel in
    xfs_reclaim_inodes_count() where sb->s_fs_info pointed to garbage
    and so the m_perag_tree lookup walked into lala land.  It produces
    an oops down this path during the failed mount:
    
      radix_tree_gang_lookup_tag+0xc4/0x130
      xfs_perag_get_tag+0x37/0xf0
      xfs_reclaim_inodes_count+0x32/0x40
      xfs_fs_nr_cached_objects+0x11/0x20
      super_cache_count+0x35/0xc0
      shrink_slab.part.66+0xb1/0x370
      shrink_node+0x7e/0x1a0
      try_to_free_pages+0x199/0x470
      __alloc_pages_slowpath+0x3a1/0xd20
      __alloc_pages_nodemask+0x1c3/0x200
      cache_grow_begin+0x20b/0x2e0
      fallback_alloc+0x160/0x200
      kmem_cache_alloc+0x111/0x4e0
    
    The problem is that the superblock shrinker is running before the
    filesystem structures it depends on have been fully set up. i.e.
    the shrinker is registered in sget(), before ->fill_super() has been
    called, and the shrinker can call into the filesystem before
    fill_super() does it's setup work. Essentially we are exposed to
    both use-after-free and use-before-initialisation bugs here.
    
    To fix this, add a check for the SB_BORN flag in super_cache_count.
    In general, this flag is not set until ->fs_mount() completes
    successfully, so we know that it is set after the filesystem
    setup has completed. This matches the trylock_super() behaviour
    which will not let super_cache_scan() run if SB_BORN is not set, and
    hence will not allow the superblock shrinker from entering the
    filesystem while it is being set up or after it has failed setup
    and is being torn down.
    
    Cc: stable@kernel.org
    Signed-Off-By: Dave Chinner <dchinner@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Aaron Lu <aaron.lu@linux.alibaba.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 57d813863143eb18769ac685d300487625f7e75a
Author: David Hildenbrand <david@redhat.com>
Date:   Fri Feb 1 14:21:19 2019 -0800

    mm: migrate: don't rely on __PageMovable() of newpage after unlocking it
    
    commit e0a352fabce61f730341d119fbedf71ffdb8663f upstream.
    
    We had a race in the old balloon compaction code before b1123ea6d3b3
    ("mm: balloon: use general non-lru movable page feature") refactored it
    that became visible after backporting 195a8c43e93d ("virtio-balloon:
    deflate via a page list") without the refactoring.
    
    The bug existed from commit d6d86c0a7f8d ("mm/balloon_compaction:
    redesign ballooned pages management") till b1123ea6d3b3 ("mm: balloon:
    use general non-lru movable page feature").  d6d86c0a7f8d
    ("mm/balloon_compaction: redesign ballooned pages management") was
    backported to 3.12, so the broken kernels are stable kernels [3.12 -
    4.7].
    
    There was a subtle race between dropping the page lock of the newpage in
    __unmap_and_move() and checking for __is_movable_balloon_page(newpage).
    
    Just after dropping this page lock, virtio-balloon could go ahead and
    deflate the newpage, effectively dequeueing it and clearing PageBalloon,
    in turn making __is_movable_balloon_page(newpage) fail.
    
    This resulted in dropping the reference of the newpage via
    putback_lru_page(newpage) instead of put_page(newpage), leading to
    page->lru getting modified and a !LRU page ending up in the LRU lists.
    With 195a8c43e93d ("virtio-balloon: deflate via a page list")
    backported, one would suddenly get corrupted lists in
    release_pages_balloon():
    
    - WARNING: CPU: 13 PID: 6586 at lib/list_debug.c:59 __list_del_entry+0xa1/0xd0
    - list_del corruption. prev->next should be ffffe253961090a0, but was dead000000000100
    
    Nowadays this race is no longer possible, but it is hidden behind very
    ugly handling of __ClearPageMovable() and __PageMovable().
    
    __ClearPageMovable() will not make __PageMovable() fail, only
    PageMovable().  So the new check (__PageMovable(newpage)) will still
    hold even after newpage was dequeued by virtio-balloon.
    
    If anybody would ever change that special handling, the BUG would be
    introduced again.  So instead, make it explicit and use the information
    of the original isolated page before migration.
    
    This patch can be backported fairly easy to stable kernels (in contrast
    to the refactoring).
    
    Link: http://lkml.kernel.org/r/20190129233217.10747-1-david@redhat.com
    Fixes: d6d86c0a7f8d ("mm/balloon_compaction: redesign ballooned pages management")
    Signed-off-by: David Hildenbrand <david@redhat.com>
    Reported-by: Vratislav Bendel <vbendel@redhat.com>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Acked-by: Rafael Aquini <aquini@redhat.com>
    Cc: Mel Gorman <mgorman@techsingularity.net>
    Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
    Cc: Michal Hocko <mhocko@suse.com>
    Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
    Cc: Jan Kara <jack@suse.cz>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Dominik Brodowski <linux@dominikbrodowski.net>
    Cc: Matthew Wilcox <willy@infradead.org>
    Cc: Vratislav Bendel <vbendel@redhat.com>
    Cc: Rafael Aquini <aquini@redhat.com>
    Cc: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
    Cc: Minchan Kim <minchan@kernel.org>
    Cc: <stable@vger.kernel.org>    [3.12 - 4.7]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: David Hildenbrand <david@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a51bbfef6d1e4513ab6ed7ccd44a881db7e97222
Author: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Date:   Tue Jul 10 10:29:10 2018 +1000

    drivers: core: Remove glue dirs from sysfs earlier
    
    commit 726e41097920a73e4c7c33385dcc0debb1281e18 upstream.
    
    For devices with a class, we create a "glue" directory between
    the parent device and the new device with the class name.
    
    This directory is never "explicitely" removed when empty however,
    this is left to the implicit sysfs removal done by kobject_release()
    when the object loses its last reference via kobject_put().
    
    This is problematic because as long as it's not been removed from
    sysfs, it is still present in the class kset and in sysfs directory
    structure.
    
    The presence in the class kset exposes a use after free bug fixed
    by the previous patch, but the presence in sysfs means that until
    the kobject is released, which can take a while (especially with
    kobject debugging), any attempt at re-creating such as binding a
    new device for that class/parent pair, will result in a sysfs
    duplicate file name error.
    
    This fixes it by instead doing an explicit kobject_del() when
    the glue dir is empty, by keeping track of the number of
    child devices of the gluedir.
    
    This is made easy by the fact that all glue dir operations are
    done with a global mutex, and there's already a function
    (cleanup_glue_dir) called in all the right places taking that
    mutex that can be enhanced for this. It appears that this was
    in fact the intent of the function, but the implementation was
    wrong.
    
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Zubin Mithra <zsm@chromium.org>
    Cc: Guenter Roeck <groeck@google.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8f51e79ceeb40daddeac931b2c542574f6eae231
Author: Paulo Alcantara <paulo@paulo.ac>
Date:   Tue Nov 20 15:16:36 2018 -0200

    cifs: Always resolve hostname before reconnecting
    
    commit 28eb24ff75c5ac130eb326b3b4d0dcecfc0f427d upstream.
    
    In case a hostname resolves to a different IP address (e.g. long
    running mounts), make sure to resolve it every time prior to calling
    generic_ip_connect() in reconnect.
    
    Suggested-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Paulo Alcantara <palcantara@suse.de>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c3ef8a44e758f9596f09c684c617eb197e8f0df8
Author: Shakeel Butt <shakeelb@google.com>
Date:   Fri Feb 1 14:20:54 2019 -0800

    mm, oom: fix use-after-free in oom_kill_process
    
    commit cefc7ef3c87d02fc9307835868ff721ea12cc597 upstream.
    
    Syzbot instance running on upstream kernel found a use-after-free bug in
    oom_kill_process.  On further inspection it seems like the process
    selected to be oom-killed has exited even before reaching
    read_lock(&tasklist_lock) in oom_kill_process().  More specifically the
    tsk->usage is 1 which is due to get_task_struct() in oom_evaluate_task()
    and the put_task_struct within for_each_thread() frees the tsk and
    for_each_thread() tries to access the tsk.  The easiest fix is to do
    get/put across the for_each_thread() on the selected task.
    
    Now the next question is should we continue with the oom-kill as the
    previously selected task has exited? However before adding more
    complexity and heuristics, let's answer why we even look at the children
    of oom-kill selected task? The select_bad_process() has already selected
    the worst process in the system/memcg.  Due to race, the selected
    process might not be the worst at the kill time but does that matter?
    The userspace can use the oom_score_adj interface to prefer children to
    be killed before the parent.  I looked at the history but it seems like
    this is there before git history.
    
    Link: http://lkml.kernel.org/r/20190121215850.221745-1-shakeelb@google.com
    Reported-by: syzbot+7fbbfa368521945f0e3d@syzkaller.appspotmail.com
    Fixes: 6b0c81b3be11 ("mm, oom: reduce dependency on tasklist_lock")
    Signed-off-by: Shakeel Butt <shakeelb@google.com>
    Reviewed-by: Roman Gushchin <guro@fb.com>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Cc: David Rientjes <rientjes@google.com>
    Cc: Johannes Weiner <hannes@cmpxchg.org>
    Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e790eeabc47cd4905606839fe3eb18df2bbd4d3e
Author: Andrei Vagin <avagin@gmail.com>
Date:   Fri Feb 1 14:20:24 2019 -0800

    kernel/exit.c: release ptraced tasks before zap_pid_ns_processes
    
    commit 8fb335e078378c8426fabeed1ebee1fbf915690c upstream.
    
    Currently, exit_ptrace() adds all ptraced tasks in a dead list, then
    zap_pid_ns_processes() waits on all tasks in a current pidns, and only
    then are tasks from the dead list released.
    
    zap_pid_ns_processes() can get stuck on waiting tasks from the dead
    list.  In this case, we will have one unkillable process with one or
    more dead children.
    
    Thanks to Oleg for the advice to release tasks in find_child_reaper().
    
    Link: http://lkml.kernel.org/r/20190110175200.12442-1-avagin@gmail.com
    Fixes: 7c8bd2322c7f ("exit: ptrace: shift "reap dead" code from exit_ptrace() to forget_original_parent()")
    Signed-off-by: Andrei Vagin <avagin@gmail.com>
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3027ecc100683caa1b95aa807503d4b57c9e5496
Author: Stefan Wahren <stefan.wahren@i2se.com>
Date:   Sun Dec 23 21:59:17 2018 +0100

    mmc: sdhci-iproc: handle mmc_of_parse() errors during probe
    
    commit 2bd44dadd5bfb4135162322fd0b45a174d4ad5bf upstream.
    
    We need to handle mmc_of_parse() errors during probe.
    
    This finally fixes the wifi regression on Raspberry Pi 3 series.
    In error case the wifi chip was permanently in reset because of
    the power sequence depending on the deferred probe of the GPIO expander.
    
    Fixes: b580c52d58d9 ("mmc: sdhci-iproc: add IPROC SDHCI driver")
    Cc: stable@vger.kernel.org
    Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
    Acked-by: Adrian Hunter <adrian.hunter@intel.com>
    Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 86a395c27a5d264ccecf50eaf9b5cd035c5b3a4e
Author: João Paulo Rechi Vita <jprvita@gmail.com>
Date:   Wed Oct 31 17:21:28 2018 -0700

    platform/x86: asus-nb-wmi: Drop mapping of 0x33 and 0x34 scan codes
    
    [ Upstream commit 71b12beaf12f21a53bfe100795d0797f1035b570 ]
    
    According to Asus firmware engineers, the meaning of these codes is only
    to notify the OS that the screen brightness has been turned on/off by
    the EC. This does not match the meaning of KEY_DISPLAYTOGGLE /
    KEY_DISPLAY_OFF, where userspace is expected to change the display
    brightness.
    
    Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com>
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 5d0868d8729221d0fcf7651c2e4f882138fcaf85
Author: João Paulo Rechi Vita <jprvita@gmail.com>
Date:   Wed Oct 31 17:21:27 2018 -0700

    platform/x86: asus-nb-wmi: Map 0x35 to KEY_SCREENLOCK
    
    [ Upstream commit b3f2f3799a972d3863d0fdc2ab6287aef6ca631f ]
    
    When the OS registers to handle events from the display off hotkey the
    EC will send a notification with 0x35 for every key press, independent
    of the backlight state.
    
    The behavior of this key on Windows, with the ATKACPI driver from Asus
    installed, is turning off the backlight of all connected displays with a
    fading effect, and any cursor input or key press turning the backlight
    back on. The key press or cursor input that wakes up the display is also
    passed through to the application under the cursor or under focus.
    
    The key that matches this behavior the closest is KEY_SCREENLOCK.
    
    Signed-off-by: João Paulo Rechi Vita <jprvita@endlessm.com>
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 970e5c267cf0c803058e373389b76b4b37c07eb8
Author: Andreas Gruenbacher <agruenba@redhat.com>
Date:   Wed Jan 30 21:30:36 2019 +0100

    gfs2: Revert "Fix loop in gfs2_rbm_find"
    
    commit e74c98ca2d6ae4376cc15fa2a22483430909d96b upstream.
    
    This reverts commit 2d29f6b96d8f80322ed2dd895bca590491c38d34.
    
    It turns out that the fix can lead to a ~20 percent performance regression
    in initial writes to the page cache according to iozone.  Let's revert this
    for now to have more time for a proper fix.
    
    Cc: stable@vger.kernel.org # v3.13+
    Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
    Signed-off-by: Bob Peterson <rpeterso@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7685bb0efb0c9ecec18abe9c6226243014222344
Author: James Morse <james.morse@arm.com>
Date:   Thu Jan 24 16:32:56 2019 +0000

    arm64: hyp-stub: Forbid kprobing of the hyp-stub
    
    commit 8fac5cbdfe0f01254d9d265c6aa1a95f94f58595 upstream.
    
    The hyp-stub is loaded by the kernel's early startup code at EL2
    during boot, before KVM takes ownership later. The hyp-stub's
    text is part of the regular kernel text, meaning it can be kprobed.
    
    A breakpoint in the hyp-stub causes the CPU to spin in el2_sync_invalid.
    
    Add it to the __hyp_text.
    
    Signed-off-by: James Morse <james.morse@arm.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1472585f511fc3a6e95f1be1d6acf87fbb4cde43
Author: Koen Vandeputte <koen.vandeputte@ncentric.com>
Date:   Thu Jan 31 15:00:01 2019 -0600

    ARM: cns3xxx: Fix writing to wrong PCI config registers after alignment
    
    commit 65dbb423cf28232fed1732b779249d6164c5999b upstream.
    
    Originally, cns3xxx used its own functions for mapping, reading and
    writing config registers.
    
    Commit 802b7c06adc7 ("ARM: cns3xxx: Convert PCI to use generic config
    accessors") removed the internal PCI config write function in favor of
    the generic one:
    
      cns3xxx_pci_write_config() --> pci_generic_config_write()
    
    cns3xxx_pci_write_config() expected aligned addresses, being produced by
    cns3xxx_pci_map_bus() while the generic one pci_generic_config_write()
    actually expects the real address as both the function and hardware are
    capable of byte-aligned writes.
    
    This currently leads to pci_generic_config_write() writing to the wrong
    registers.
    
    For instance, upon ath9k module loading:
    
    - driver ath9k gets loaded
    - The driver wants to write value 0xA8 to register PCI_LATENCY_TIMER,
      located at 0x0D
    - cns3xxx_pci_map_bus() aligns the address to 0x0C
    - pci_generic_config_write() effectively writes 0xA8 into register 0x0C
      (CACHE_LINE_SIZE)
    
    Fix the bug by removing the alignment in the cns3xxx mapping function.
    
    Fixes: 802b7c06adc7 ("ARM: cns3xxx: Convert PCI to use generic config accessors")
    Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
    [lorenzo.pieralisi@arm.com: updated commit log]
    Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    Acked-by: Krzysztof Halasa <khalasa@piap.pl>
    Acked-by: Tim Harvey <tharvey@gateworks.com>
    Acked-by: Arnd Bergmann <arnd@arndb.de>
    CC: stable@vger.kernel.org      # v4.0+
    CC: Bjorn Helgaas <bhelgaas@google.com>
    CC: Olof Johansson <olof@lixom.net>
    CC: Robin Leblon <robin.leblon@ncentric.com>
    CC: Rob Herring <robh@kernel.org>
    CC: Russell King <linux@armlinux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e31a6a9d27cdf8ef407cc7051a4784785caeb76b
Author: Waiman Long <longman@redhat.com>
Date:   Wed Jan 30 13:52:36 2019 -0500

    fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb()
    
    commit 1dbd449c9943e3145148cc893c2461b72ba6fef0 upstream.
    
    The nr_dentry_unused per-cpu counter tracks dentries in both the LRU
    lists and the shrink lists where the DCACHE_LRU_LIST bit is set.
    
    The shrink_dcache_sb() function moves dentries from the LRU list to a
    shrink list and subtracts the dentry count from nr_dentry_unused.  This
    is incorrect as the nr_dentry_unused count will also be decremented in
    shrink_dentry_list() via d_shrink_del().
    
    To fix this double decrement, the decrement in the shrink_dcache_sb()
    function is taken out.
    
    Fixes: 4e717f5c1083 ("list_lru: remove special case function list_lru_dispose_all."
    Cc: stable@kernel.org
    Signed-off-by: Waiman Long <longman@redhat.com>
    Reviewed-by: Dave Chinner <dchinner@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 600c4bd14dc7aee84427e01dfd5d4bbe91bbb79b
Author: Pavel Shilovsky <pshilov@microsoft.com>
Date:   Sat Jan 26 12:21:32 2019 -0800

    CIFS: Do not count -ENODATA as failure for query directory
    
    commit 8e6e72aeceaaed5aeeb1cb43d3085de7ceb14f79 upstream.
    
    Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    CC: Stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 245426dc30affbdfd0488f85014e25340e3004ee
Author: Jacob Wen <jian.w.wen@oracle.com>
Date:   Wed Jan 30 14:55:14 2019 +0800

    l2tp: fix reading optional fields of L2TPv3
    
    [ Upstream commit 4522a70db7aa5e77526a4079628578599821b193 ]
    
    Use pskb_may_pull() to make sure the optional fields are in skb linear
    parts, so we can safely read them later.
    
    It's easy to reproduce the issue with a net driver that supports paged
    skb data. Just create a L2TPv3 over IP tunnel and then generates some
    network traffic.
    Once reproduced, rx err in /sys/kernel/debug/l2tp/tunnels will increase.
    
    Changes in v4:
    1. s/l2tp_v3_pull_opt/l2tp_v3_ensure_opt_in_linear/
    2. s/tunnel->version != L2TP_HDR_VER_2/tunnel->version == L2TP_HDR_VER_3/
    3. Add 'Fixes' in commit messages.
    
    Changes in v3:
    1. To keep consistency, move the code out of l2tp_recv_common.
    2. Use "net" instead of "net-next", since this is a bug fix.
    
    Changes in v2:
    1. Only fix L2TPv3 to make code simple.
       To fix both L2TPv3 and L2TPv2, we'd better refactor l2tp_recv_common.
       It's complicated to do so.
    2. Reloading pointers after pskb_may_pull
    
    Fixes: f7faffa3ff8e ("l2tp: Add L2TPv3 protocol support")
    Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
    Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
    Signed-off-by: Jacob Wen <jian.w.wen@oracle.com>
    Acked-by: Guillaume Nault <gnault@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f5f5d316fa2959cd2bd85e61ff50d0a68cd885a8
Author: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Date:   Tue Jan 16 23:01:55 2018 +0100

    l2tp: remove l2specific_len dependency in l2tp_core
    
    commit 62e7b6a57c7b9bf3c6fd99418eeec05b08a85c38 upstream.
    
    Remove l2specific_len dependency while building l2tpv3 header or
    parsing the received frame since default L2-Specific Sublayer is
    always four bytes long and we don't need to rely on a user supplied
    value.
    Moreover in l2tp netlink code there are no sanity checks to
    enforce the relation between l2specific_len and l2specific_type,
    so sending a malformed netlink message is possible to set
    l2specific_type to L2TP_L2SPECTYPE_DEFAULT (or even
    L2TP_L2SPECTYPE_NONE) and set l2specific_len to a value greater than
    4 leaking memory on the wire and sending corrupted frames.
    
    Reviewed-by: Guillaume Nault <g.nault@alphalink.fr>
    Tested-by: Guillaume Nault <g.nault@alphalink.fr>
    Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3154a8ad0541dae3665a08b1c60f1c81ee7d5cd8
Author: Mathias Thore <mathias.thore@infinera.com>
Date:   Mon Jan 28 10:07:47 2019 +0100

    ucc_geth: Reset BQL queue when stopping device
    
    [ Upstream commit e15aa3b2b1388c399c1a2ce08550d2cc4f7e3e14 ]
    
    After a timeout event caused by for example a broadcast storm, when
    the MAC and PHY are reset, the BQL TX queue needs to be reset as
    well. Otherwise, the device will exhibit severe performance issues
    even after the storm has ended.
    
    Co-authored-by: David Gounaris <david.gounaris@infinera.com>
    Signed-off-by: Mathias Thore <mathias.thore@infinera.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8034f3610b7840f58ffbacf2db49680a81779d6d
Author: Bernard Pidoux <f6bvp@free.fr>
Date:   Fri Jan 25 11:46:40 2019 +0100

    net/rose: fix NULL ax25_cb kernel panic
    
    [ Upstream commit b0cf029234f9b18e10703ba5147f0389c382bccc ]
    
    When an internally generated frame is handled by rose_xmit(),
    rose_route_frame() is called:
    
            if (!rose_route_frame(skb, NULL)) {
                    dev_kfree_skb(skb);
                    stats->tx_errors++;
                    return NETDEV_TX_OK;
            }
    
    We have the same code sequence in Net/Rom where an internally generated
    frame is handled by nr_xmit() calling nr_route_frame(skb, NULL).
    However, in this function NULL argument is tested while it is not in
    rose_route_frame().
    Then kernel panic occurs later on when calling ax25cmp() with a NULL
    ax25_cb argument as reported many times and recently with syzbot.
    
    We need to test if ax25 is NULL before using it.
    
    Testing:
    Built kernel with CONFIG_ROSE=y.
    
    Signed-off-by: Bernard Pidoux <f6bvp@free.fr>
    Acked-by: Dmitry Vyukov <dvyukov@google.com>
    Reported-by: syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: Bernard Pidoux <f6bvp@free.fr>
    Cc: linux-hams@vger.kernel.org
    Cc: netdev@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ce29e8a259de767f7210d346ad2b031cb8ab2732
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date:   Thu Jan 24 14:18:18 2019 -0800

    netrom: switch to sock timer API
    
    [ Upstream commit 63346650c1a94a92be61a57416ac88c0a47c4327 ]
    
    sk_reset_timer() and sk_stop_timer() properly handle
    sock refcnt for timer function. Switching to them
    could fix a refcounting bug reported by syzbot.
    
    Reported-and-tested-by: syzbot+defa700d16f1bd1b9a05@syzkaller.appspotmail.com
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: linux-hams@vger.kernel.org
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 265f211a29ca2649d5102f0257128e2ea0f0d8a3
Author: Aya Levin <ayal@mellanox.com>
Date:   Tue Jan 22 15:19:44 2019 +0200

    net/mlx4_core: Add masking for a few queries on HCA caps
    
    [ Upstream commit a40ded6043658444ee4dd6ee374119e4e98b33fc ]
    
    Driver reads the query HCA capabilities without the corresponding masks.
    Without the correct masks, the base addresses of the queues are
    unaligned.  In addition some reserved bits were wrongly read.  Using the
    correct masks, ensures alignment of the base addresses and allows future
    firmware versions safe use of the reserved bits.
    
    Fixes: ab9c17a009ee ("mlx4_core: Modify driver initialization flow to accommodate SRIOV for Ethernet")
    Fixes: 0ff1fb654bec ("{NET, IB}/mlx4: Add device managed flow steering firmware API")
    Signed-off-by: Aya Levin <ayal@mellanox.com>
    Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a0d1b4af6e9a9185c20deb5c9d61f14f5f1a6380
Author: Jacob Wen <jian.w.wen@oracle.com>
Date:   Thu Jan 31 15:18:56 2019 +0800

    l2tp: copy 4 more bytes to linear part if necessary
    
    [ Upstream commit 91c524708de6207f59dd3512518d8a1c7b434ee3 ]
    
    The size of L2TPv2 header with all optional fields is 14 bytes.
    l2tp_udp_recv_core only moves 10 bytes to the linear part of a
    skb. This may lead to l2tp_recv_common read data outside of a skb.
    
    This patch make sure that there is at least 14 bytes in the linear
    part of a skb to meet the maximum need of l2tp_udp_recv_core and
    l2tp_recv_common. The minimum size of both PPP HDLC-like frame and
    Ethernet frame is larger than 14 bytes, so we are safe to do so.
    
    Also remove L2TP_HDR_SIZE_NOSEQ, it is unused now.
    
    Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
    Suggested-by: Guillaume Nault <gnault@redhat.com>
    Signed-off-by: Jacob Wen <jian.w.wen@oracle.com>
    Acked-by: Guillaume Nault <gnault@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f9b9a8ea4796767bc56a3a188dde62f31298d287
Author: David Ahern <dsahern@gmail.com>
Date:   Wed Jan 2 18:57:09 2019 -0800

    ipv6: Consider sk_bound_dev_if when binding a socket to an address
    
    [ Upstream commit c5ee066333ebc322a24a00a743ed941a0c68617e ]
    
    IPv6 does not consider if the socket is bound to a device when binding
    to an address. The result is that a socket can be bound to eth0 and then
    bound to the address of eth1. If the device is a VRF, the result is that
    a socket can only be bound to an address in the default VRF.
    
    Resolve by considering the device if sk_bound_dev_if is set.
    
    This problem exists from the beginning of git history.
    
    Signed-off-by: David Ahern <dsahern@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fb0c3321e03f14e9c7b0c8ac9e724ae3b59a14a9
Author: Jimmy Durand Wesolowski <jdw@amazon.de>
Date:   Thu Jan 31 15:19:39 2019 +0100

    fs: add the fsnotify call to vfs_iter_write
    
    A bug has been discovered when redirecting splice output to regular files
    on EXT4 and tmpfs. Other filesystems might be affected.
    This commit fixes the issue for stable series kernel, using one of the
    change introduced during the rewrite and refactoring of vfs_iter_write in
    4.13, specifically in the
    commit abbb65899aec ("fs: implement vfs_iter_write using do_iter_write").
    
    This issue affects v4.4 and v4.9 stable series of kernels.
    
    Without this fix for v4.4 and v4.9 stable, the following upstream commits
    (and their dependencies would need to be backported):
    * commit abbb65899aec ("fs: implement vfs_iter_write using do_iter_write")
    * commit 18e9710ee59c ("fs: implement vfs_iter_read using do_iter_read")
    * commit edab5fe38c2c
      ("fs: move more code into do_iter_read/do_iter_write")
    * commit 19c735868dd0 ("fs: remove __do_readv_writev")
    * commit 26c87fb7d10d ("fs: remove do_compat_readv_writev")
    * commit 251b42a1dc64 ("fs: remove do_readv_writev")
    
    as well as the following dependencies:
    * commit bb7462b6fd64
      ("vfs: use helpers for calling f_op->{read,write}_iter()")
    * commit 0f78d06ac1e9
      ("vfs: pass type instead of fn to do_{loop,iter}_readv_writev()")
    * commit 7687a7a4435f
      ("vfs: extract common parts of {compat_,}do_readv_writev()")
    
    In order to reduce the changes, this commit uses only the part of
    commit abbb65899aec ("fs: implement vfs_iter_write using do_iter_write")
    that fixes the issue.
    
    This issue and the reproducer can be found on
    https://bugzilla.kernel.org/show_bug.cgi?id=85381
    
    Reported-by: Richard Li <richardpku@gmail.com>
    Reported-by: Chad Miller <millchad@amazon.com>
    Reviewed-by: Stefan Nuernberger <snu@amazon.de>
    Reviewed-by: Frank Becker <becke@amazon.de>
    Signed-off-by: Jimmy Durand Wesolowski <jdw@amazon.de>

commit dda201759ece8134d389257b5a762b01b588b28b
Author: David Hildenbrand <david@redhat.com>
Date:   Fri Jan 11 15:18:22 2019 +0100

    s390/smp: Fix calling smp_call_ipl_cpu() from ipl CPU
    
    commit 60f1bf29c0b2519989927cae640cd1f50f59dc7f upstream.
    
    When calling smp_call_ipl_cpu() from the IPL CPU, we will try to read
    from pcpu_devices->lowcore. However, due to prefixing, that will result
    in reading from absolute address 0 on that CPU. We have to go via the
    actual lowcore instead.
    
    This means that right now, we will read lc->nodat_stack == 0 and
    therfore work on a very wrong stack.
    
    This BUG essentially broke rebooting under QEMU TCG (which will report
    a low address protection exception). And checking under KVM, it is
    also broken under KVM. With 1 VCPU it can be easily triggered.
    
    :/# echo 1 > /proc/sys/kernel/sysrq
    :/# echo b > /proc/sysrq-trigger
    [   28.476745] sysrq: SysRq : Resetting
    [   28.476793] Kernel stack overflow.
    [   28.476817] CPU: 0 PID: 424 Comm: sh Not tainted 5.0.0-rc1+ #13
    [   28.476820] Hardware name: IBM 2964 NE1 716 (KVM/Linux)
    [   28.476826] Krnl PSW : 0400c00180000000 0000000000115c0c (pcpu_delegate+0x12c/0x140)
    [   28.476861]            R:0 T:1 IO:0 EX:0 Key:0 M:0 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
    [   28.476863] Krnl GPRS: ffffffffffffffff 0000000000000000 000000000010dff8 0000000000000000
    [   28.476864]            0000000000000000 0000000000000000 0000000000ab7090 000003e0006efbf0
    [   28.476864]            000000000010dff8 0000000000000000 0000000000000000 0000000000000000
    [   28.476865]            000000007fffc000 0000000000730408 000003e0006efc58 0000000000000000
    [   28.476887] Krnl Code: 0000000000115bfe: 4170f000            la      %r7,0(%r15)
    [   28.476887]            0000000000115c02: 41f0a000            la      %r15,0(%r10)
    [   28.476887]           #0000000000115c06: e370f0980024        stg     %r7,152(%r15)
    [   28.476887]           >0000000000115c0c: c0e5fffff86e        brasl   %r14,114ce8
    [   28.476887]            0000000000115c12: 41f07000            la      %r15,0(%r7)
    [   28.476887]            0000000000115c16: a7f4ffa8            brc     15,115b66
    [   28.476887]            0000000000115c1a: 0707                bcr     0,%r7
    [   28.476887]            0000000000115c1c: 0707                bcr     0,%r7
    [   28.476901] Call Trace:
    [   28.476902] Last Breaking-Event-Address:
    [   28.476920]  [<0000000000a01c4a>] arch_call_rest_init+0x22/0x80
    [   28.476927] Kernel panic - not syncing: Corrupt kernel stack, can't continue.
    [   28.476930] CPU: 0 PID: 424 Comm: sh Not tainted 5.0.0-rc1+ #13
    [   28.476932] Hardware name: IBM 2964 NE1 716 (KVM/Linux)
    [   28.476932] Call Trace:
    
    Fixes: 2f859d0dad81 ("s390/smp: reduce size of struct pcpu")
    Cc: stable@vger.kernel.org # 4.0+
    Reported-by: Cornelia Huck <cohuck@redhat.com>
    Signed-off-by: David Hildenbrand <david@redhat.com>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e1e584bb545427d1cb754a0831c2520699444114
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Jan 30 08:35:00 2019 +0100

    Revert "loop: Fold __loop_release into loop_release"
    
    This reverts commit 4ee414c3b6021db621901f2697d35774926268f6 which is
    commit 967d1dc144b50ad005e5eecdfadfbcfb399ffff6 upstream.
    
    It is not needed in the 4.4.y tree at this time.
    
    Reported-by: Jan Kara <jack@suse.cz>
    Cc: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f1f952b305344a9d3b1b6a9021067d1d9809f5a6
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Jan 30 08:34:22 2019 +0100

    Revert "loop: Get rid of loop_index_mutex"
    
    This reverts commit 611f77199cd763e6b7c0462c2f199ddb3a089750 which is
    commit 0a42e99b58a208839626465af194cfe640ef9493 upstream.
    
    It is not needed in the 4.4.y tree at this time.
    
    Reported-by: Jan Kara <jack@suse.cz>
    Cc: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 55bbe71559ac574f4be070194a9170ca16f965fe
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed Jan 30 08:33:14 2019 +0100

    Revert "loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl()"
    
    This reverts commit 9ec298cc874d08020f45791a8396e1593c3278c1 which is
    commit 628bd85947091830a8c4872adfd5ed1d515a9cf2 upstream.
    
    It is not needed in the 4.4.y tree at this point in time.
    
    Reported-by: Jan Kara <jack@suse.cz>
    Cc: Ming Lei <ming.lei@redhat.com>
    Cc: Jan Kara <jack@suse.cz>
    Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Cc: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 896354cce3866a4b505307e940273d3109b19470
Author: Pan Bian <bianpan2016@163.com>
Date:   Thu Nov 22 18:58:46 2018 +0800

    f2fs: read page index before freeing
    
    commit 0ea295dd853e0879a9a30ab61f923c26be35b902 upstream.
    
    The function truncate_node frees the page with f2fs_put_page. However,
    the page index is read after that. So, the patch reads the index before
    freeing the page.
    
    Fixes: bf39c00a9a7f ("f2fs: drop obsolete node page when it is truncated")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Pan Bian <bianpan2016@163.com>
    Reviewed-by: Chao Yu <yuchao0@huawei.com>
    Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
    Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 029b5be50938e6f13ce76ca747b43a16fd010252
Author: Shaokun Zhang <zhangshaokun@hisilicon.com>
Date:   Tue Jun 21 15:32:57 2016 +0800

    arm64: mm: remove page_mapping check in __sync_icache_dcache
    
    commit 20c27a4270c775d7ed661491af8ac03264d60fc6 upstream.
    
    __sync_icache_dcache unconditionally skips the cache maintenance for
    anonymous pages, under the assumption that flushing is only required in
    the presence of D-side aliases [see 7249b79f6b4cc ("arm64: Do not flush
    the D-cache for anonymous pages")].
    
    Unfortunately, this breaks migration of anonymous pages holding
    self-modifying code, where userspace cannot be reasonably expected to
    reissue maintenance instructions in response to a migration.
    
    This patch fixes the problem by removing the broken page_mapping(page)
    check from the cache syncing code, otherwise we may end up fetching and
    executing stale instructions from the PoU.
    
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Will Deacon <will.deacon@arm.com>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: <stable@vger.kernel.org>
    Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
    Cc: Amanieu d'Antras <amanieu@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1b284d784624dbe747f24936b7b3e29e5eaffabc
Author: Marc Zyngier <marc.zyngier@arm.com>
Date:   Fri Jan 18 14:08:59 2019 +0000

    irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size
    
    commit 8208d1708b88b412ca97f50a6d951242c88cbbac upstream.
    
    The way we allocate events works fine in most cases, except
    when multiple PCI devices share an ITS-visible DevID, and that
    one of them is trying to use MultiMSI allocation.
    
    In that case, our allocation is not guaranteed to be zero-based
    anymore, and we have to make sure we allocate it on a boundary
    that is compatible with the PCI Multi-MSI constraints.
    
    Fix this by allocating the full region upfront instead of iterating
    over the number of MSIs. MSI-X are always allocated one by one,
    so this shouldn't change anything on that front.
    
    Fixes: b48ac83d6bbc2 ("irqchip: GICv3: ITS: MSI support")
    Cc: stable@vger.kernel.org
    Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
    [ardb: rebased onto v4.9.153, should apply cleanly onto v4.4.y as well]
    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit 2cbf0a6c9a6267aeb9d5ddf95a2e2222c41a1343
Author: Milian Wolff <milian.wolff@kdab.com>
Date:   Mon Oct 29 15:16:44 2018 +0100

    perf unwind: Take pgoff into account when reporting elf to libdwfl
    
    [ Upstream commit 1fe627da30331024f453faef04d500079b901107 ]
    
    libdwfl parses an ELF file itself and creates mappings for the
    individual sections. perf on the other hand sees raw mmap events which
    represent individual sections. When we encounter an address pointing
    into a mapping with pgoff != 0, we must take that into account and
    report the file at the non-offset base address.
    
    This fixes unwinding with libdwfl in some cases. E.g. for a file like:
    
    ```
    
    using namespace std;
    
    mutex g_mutex;
    
    double worker()
    {
        lock_guard<mutex> guard(g_mutex);
        uniform_real_distribution<double> uniform(-1E5, 1E5);
        default_random_engine engine;
        double s = 0;
        for (int i = 0; i < 1000; ++i) {
            s += norm(complex<double>(uniform(engine), uniform(engine)));
        }
        cout << s << endl;
        return s;
    }
    
    int main()
    {
        vector<std::future<double>> results;
        for (int i = 0; i < 10000; ++i) {
            results.push_back(async(launch::async, worker));
        }
        return 0;
    }
    ```
    
    Compile it with `g++ -g -O2 -lpthread cpp-locking.cpp  -o cpp-locking`,
    then record it with `perf record --call-graph dwarf -e
    sched:sched_switch`.
    
    When you analyze it with `perf script` and libunwind, you should see:
    
    ```
    cpp-locking 20038 [005] 54830.236589: sched:sched_switch: prev_comm=cpp-locking prev_pid=20038 prev_prio=120 prev_state=T ==> next_comm=swapper/5 next_pid=0 next_prio=120
            ffffffffb166fec5 __sched_text_start+0x545 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb166fec5 __sched_text_start+0x545 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb1670208 schedule+0x28 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb16737cc rwsem_down_read_failed+0xec (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb1665e04 call_rwsem_down_read_failed+0x14 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb1672a03 down_read+0x13 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb106bd85 __do_page_fault+0x445 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb18015f5 page_fault+0x45 (/lib/modules/4.14.78-1-lts/build/vmlinux)
                7f38e4252591 new_heap+0x101 (/usr/lib/libc-2.28.so)
                7f38e4252d0b arena_get2.part.4+0x2fb (/usr/lib/libc-2.28.so)
                7f38e4255b1c tcache_init.part.6+0xec (/usr/lib/libc-2.28.so)
                7f38e42569e5 __GI___libc_malloc+0x115 (inlined)
                7f38e4241790 __GI__IO_file_doallocate+0x90 (inlined)
                7f38e424fbbf __GI__IO_doallocbuf+0x4f (inlined)
                7f38e424ee47 __GI__IO_file_overflow+0x197 (inlined)
                7f38e424df36 _IO_new_file_xsputn+0x116 (inlined)
                7f38e4242bfb __GI__IO_fwrite+0xdb (inlined)
                7f38e463fa6d std::basic_streambuf<char, std::char_traits<char> >::sputn(char const*, long)+0x1cd (inlined)
                7f38e463fa6d std::ostreambuf_iterator<char, std::char_traits<char> >::_M_put(char const*, long)+0x1cd (inlined)
                7f38e463fa6d std::ostreambuf_iterator<char, std::char_traits<char> > std::__write<char>(std::ostreambuf_iterator<char, std::char_traits<char> >, char const*, int)+0x1cd (inlined)
                7f38e463fa6d std::ostreambuf_iterator<char, std::char_traits<char> > std::num_put<char, std::ostreambuf_iterator<char, std::char_traits<char> > >::_M_insert_float<double>(std::ostreambuf_iterator<c>
                7f38e464bd70 std::num_put<char, std::ostreambuf_iterator<char, std::char_traits<char> > >::put(std::ostreambuf_iterator<char, std::char_traits<char> >, std::ios_base&, char, double) const+0x90 (inl>
                7f38e464bd70 std::ostream& std::ostream::_M_insert<double>(double)+0x90 (/usr/lib/libstdc++.so.6.0.25)
                563b9cb502f7 std::ostream::operator<<(double)+0xb7 (inlined)
                563b9cb502f7 worker()+0xb7 (/ssd/milian/projects/kdab/rnd/hotspot/build/tests/test-clients/cpp-locking/cpp-locking)
                563b9cb506fb double std::__invoke_impl<double, double (*)()>(std::__invoke_other, double (*&&)())+0x2b (inlined)
                563b9cb506fb std::__invoke_result<double (*)()>::type std::__invoke<double (*)()>(double (*&&)())+0x2b (inlined)
                563b9cb506fb decltype (__invoke((_S_declval<0ul>)())) std::thread::_Invoker<std::tuple<double (*)()> >::_M_invoke<0ul>(std::_Index_tuple<0ul>)+0x2b (inlined)
                563b9cb506fb std::thread::_Invoker<std::tuple<double (*)()> >::operator()()+0x2b (inlined)
                563b9cb506fb std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<double>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<double (*)()> >, dou>
                563b9cb506fb std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_>
                563b9cb507e8 std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>::operator()() const+0x28 (inlined)
                563b9cb507e8 std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)+0x28 (/ssd/milian/>
                7f38e46d24fe __pthread_once_slow+0xbe (/usr/lib/libpthread-2.28.so)
                563b9cb51149 __gthread_once+0xe9 (inlined)
                563b9cb51149 void std::call_once<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*)>
                563b9cb51149 std::__future_base::_State_baseV2::_M_set_result(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>, bool)+0xe9 (inlined)
                563b9cb51149 std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<double (*)()> >, double>::_Async_state_impl(std::thread::_Invoker<std::tuple<double (*)()> >&&)::{lambda()#1}::op>
                563b9cb51149 void std::__invoke_impl<void, std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<double (*)()> >, double>::_Async_state_impl(std::thread::_Invoker<std::tuple<double>
                563b9cb51149 std::__invoke_result<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<double (*)()> >, double>::_Async_state_impl(std::thread::_Invoker<std::tuple<double (*)()> >>
                563b9cb51149 decltype (__invoke((_S_declval<0ul>)())) std::thread::_Invoker<std::tuple<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<double (*)()> >, double>::_Async_state_>
                563b9cb51149 std::thread::_Invoker<std::tuple<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<double (*)()> >, double>::_Async_state_impl(std::thread::_Invoker<std::tuple<dou>
                563b9cb51149 std::thread::_State_impl<std::thread::_Invoker<std::tuple<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<double (*)()> >, double>::_Async_state_impl(std::thread>
                7f38e45f0062 execute_native_thread_routine+0x12 (/usr/lib/libstdc++.so.6.0.25)
                7f38e46caa9c start_thread+0xfc (/usr/lib/libpthread-2.28.so)
                7f38e42ccb22 __GI___clone+0x42 (inlined)
    ```
    
    Before this patch, using libdwfl, you would see:
    
    ```
    cpp-locking 20038 [005] 54830.236589: sched:sched_switch: prev_comm=cpp-locking prev_pid=20038 prev_prio=120 prev_state=T ==> next_comm=swapper/5 next_pid=0 next_prio=120
            ffffffffb166fec5 __sched_text_start+0x545 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb166fec5 __sched_text_start+0x545 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb1670208 schedule+0x28 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb16737cc rwsem_down_read_failed+0xec (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb1665e04 call_rwsem_down_read_failed+0x14 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb1672a03 down_read+0x13 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb106bd85 __do_page_fault+0x445 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb18015f5 page_fault+0x45 (/lib/modules/4.14.78-1-lts/build/vmlinux)
                7f38e4252591 new_heap+0x101 (/usr/lib/libc-2.28.so)
            a041161e77950c5c [unknown] ([unknown])
    ```
    
    With this patch applied, we get a bit further in unwinding:
    
    ```
    cpp-locking 20038 [005] 54830.236589: sched:sched_switch: prev_comm=cpp-locking prev_pid=20038 prev_prio=120 prev_state=T ==> next_comm=swapper/5 next_pid=0 next_prio=120
            ffffffffb166fec5 __sched_text_start+0x545 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb166fec5 __sched_text_start+0x545 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb1670208 schedule+0x28 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb16737cc rwsem_down_read_failed+0xec (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb1665e04 call_rwsem_down_read_failed+0x14 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb1672a03 down_read+0x13 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb106bd85 __do_page_fault+0x445 (/lib/modules/4.14.78-1-lts/build/vmlinux)
            ffffffffb18015f5 page_fault+0x45 (/lib/modules/4.14.78-1-lts/build/vmlinux)
                7f38e4252591 new_heap+0x101 (/usr/lib/libc-2.28.so)
                7f38e4252d0b arena_get2.part.4+0x2fb (/usr/lib/libc-2.28.so)
                7f38e4255b1c tcache_init.part.6+0xec (/usr/lib/libc-2.28.so)
                7f38e42569e5 __GI___libc_malloc+0x115 (inlined)
                7f38e4241790 __GI__IO_file_doallocate+0x90 (inlined)
                7f38e424fbbf __GI__IO_doallocbuf+0x4f (inlined)
                7f38e424ee47 __GI__IO_file_overflow+0x197 (inlined)
                7f38e424df36 _IO_new_file_xsputn+0x116 (inlined)
                7f38e4242bfb __GI__IO_fwrite+0xdb (inlined)
                7f38e463fa6d std::basic_streambuf<char, std::char_traits<char> >::sputn(char const*, long)+0x1cd (inlined)
                7f38e463fa6d std::ostreambuf_iterator<char, std::char_traits<char> >::_M_put(char const*, long)+0x1cd (inlined)
                7f38e463fa6d std::ostreambuf_iterator<char, std::char_traits<char> > std::__write<char>(std::ostreambuf_iterator<char, std::char_traits<char> >, char const*, int)+0x1cd (inlined)
                7f38e463fa6d std::ostreambuf_iterator<char, std::char_traits<char> > std::num_put<char, std::ostreambuf_iterator<char, std::char_traits<char> > >::_M_insert_float<double>(std::ostreambuf_iterator<c>
                7f38e464bd70 std::num_put<char, std::ostreambuf_iterator<char, std::char_traits<char> > >::put(std::ostreambuf_iterator<char, std::char_traits<char> >, std::ios_base&, char, double) const+0x90 (inl>
                7f38e464bd70 std::ostream& std::ostream::_M_insert<double>(double)+0x90 (/usr/lib/libstdc++.so.6.0.25)
                563b9cb502f7 std::ostream::operator<<(double)+0xb7 (inlined)
                563b9cb502f7 worker()+0xb7 (/ssd/milian/projects/kdab/rnd/hotspot/build/tests/test-clients/cpp-locking/cpp-locking)
            6eab825c1ee3e4ff [unknown] ([unknown])
    ```
    
    Note that the backtrace is still stopping too early, when compared to
    the nice results obtained via libunwind. It's unclear so far what the
    reason for that is.
    
    Committer note:
    
    Further comment by Milian on the thread started on the Link: tag below:
    
     ---
    The remaining issue is due to a bug in elfutils:
    
    https://sourceware.org/ml/elfutils-devel/2018-q4/msg00089.html
    
    With both patches applied, libunwind and elfutils produce the same output for
    the above scenario.
     ---
    
    Signed-off-by: Milian Wolff <milian.wolff@kdab.com>
    Acked-by: Jiri Olsa <jolsa@kernel.org>
    Link: http://lkml.kernel.org/r/20181029141644.3907-1-milian.wolff@kdab.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 38155e1044c86c91ee18ca62d1aca3a15021d39d
Author: Martin Vuille <jpmv27@aim.com>
Date:   Sun Feb 11 16:24:20 2018 -0500

    perf unwind: Unwind with libdw doesn't take symfs into account
    
    [ Upstream commit 3d20c6246690219881786de10d2dda93f616d0ac ]
    
    Path passed to libdw for unwinding doesn't include symfs path
    if specified, so unwinding fails because ELF file is not found.
    
    Similar to unwinding with libunwind, pass symsrc_filename instead
    of long_name. If there is no symsrc_filename, fallback to long_name.
    
    Signed-off-by: Martin Vuille <jpmv27@aim.com>
    Cc: Adrian Hunter <adrian.hunter@intel.com>
    Cc: David Ahern <dsahern@gmail.com>
    Cc: Jiri Olsa <jolsa@kernel.org>
    Cc: Namhyung Kim <namhyung@kernel.org>
    Cc: Wang Nan <wangnan0@huawei.com>
    Link: http://lkml.kernel.org/r/20180211212420.18388-1-jpmv27@aim.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <sashal@kernel.org>

commit 6a923fc6fe1e887e3f260d060144f01f85b1f081
Author: Nicolas Pitre <nicolas.pitre@linaro.org>
Date:   Tue Jan 8 22:55:01 2019 -0500

    vt: invoke notifier on screen size change
    
    commit 0c9b1965faddad7534b6974b5b36c4ad37998f8e upstream.
    
    User space using poll() on /dev/vcs devices are not awaken when a
    screen size change occurs. Let's fix that.
    
    Signed-off-by: Nicolas Pitre <nico@linaro.org>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8781bfdf733ec4c078454535f1354fc915a13786
Author: Oliver Hartkopp <socketcan@hartkopp.net>
Date:   Sun Jan 13 19:31:43 2019 +0100

    can: bcm: check timer values before ktime conversion
    
    commit 93171ba6f1deffd82f381d36cb13177872d023f6 upstream.
    
    Kyungtae Kim detected a potential integer overflow in bcm_[rx|tx]_setup()
    when the conversion into ktime multiplies the given value with NSEC_PER_USEC
    (1000).
    
    Reference: https://marc.info/?l=linux-can&m=154732118819828&w=2
    
    Add a check for the given tv_usec, so that the value stays below one second.
    Additionally limit the tv_sec value to a reasonable value for CAN related
    use-cases of 400 days and ensure all values to be positive.
    
    Reported-by: Kyungtae Kim <kt0755@gmail.com>
    Tested-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Cc: linux-stable <stable@vger.kernel.org> # versions 2.6.26 to 4.7
    Tested-by: Kyungtae Kim <kt0755@gmail.com>
    Acked-by: Andre Naujoks <nautsch2@gmail.com>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 17cb93920405fe8d7105191cc1733cc8a4e2d19e
Author: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
Date:   Wed Dec 19 19:39:58 2018 +0100

    can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it
    
    commit 7b12c8189a3dc50638e7d53714c88007268d47ef upstream.
    
    This patch revert commit 7da11ba5c506
    ("can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb")
    
    After introduction of this change we encountered following new error
    message on various i.MX plattforms (flexcan):
    
    | flexcan 53fc8000.can can0: __can_get_echo_skb: BUG! Trying to echo non
    | existing skb: can_priv::echo_skb[0]
    
    The introduction of the message was a mistake because
    priv->echo_skb[idx] = NULL is a perfectly valid in following case: If
    CAN_RAW_LOOPBACK is disabled (setsockopt) in applications, the pkt_type
    of the tx skb's given to can_put_echo_skb is set to PACKET_LOOPBACK. In
    this case can_put_echo_skb will not set priv->echo_skb[idx]. It is
    therefore kept NULL.
    
    As additional argument for revert: The order of check and usage of idx
    was changed. idx is used to access an array element before checking it's
    boundaries.
    
    Signed-off-by: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
    Fixes: 7da11ba5c506 ("can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb")
    Cc: linux-stable <stable@vger.kernel.org>
    Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5efadf3b3e7f7387e48527e8581976968dc2d11c
Author: Daniel Drake <drake@endlessm.com>
Date:   Mon Jan 7 11:40:24 2019 +0800

    x86/kaslr: Fix incorrect i8254 outb() parameters
    
    commit 7e6fc2f50a3197d0e82d1c0e86282976c9e6c8a4 upstream.
    
    The outb() function takes parameters value and port, in that order.  Fix
    the parameters used in the kalsr i8254 fallback code.
    
    Fixes: 5bfce5ef55cb ("x86, kaslr: Provide randomness functions")
    Signed-off-by: Daniel Drake <drake@endlessm.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: bp@alien8.de
    Cc: hpa@zytor.com
    Cc: linux@endlessm.com
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/20190107034024.15005-1-drake@endlessm.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 43473a6f6734e83ff5d458bedfe2e88b51d161e9
Author: Alexander Popov <alex.popov@linux.com>
Date:   Mon Jan 21 15:48:40 2019 +0300

    KVM: x86: Fix single-step debugging
    
    commit 5cc244a20b86090c087073c124284381cdf47234 upstream.
    
    The single-step debugging of KVM guests on x86 is broken: if we run
    gdb 'stepi' command at the breakpoint when the guest interrupts are
    enabled, RIP always jumps to native_apic_mem_write(). Then other
    nasty effects follow.
    
    Long investigation showed that on Jun 7, 2017 the
    commit c8401dda2f0a00cd25c0 ("KVM: x86: fix singlestepping over syscall")
    introduced the kvm_run.debug corruption: kvm_vcpu_do_singlestep() can
    be called without X86_EFLAGS_TF set.
    
    Let's fix it. Please consider that for -stable.
    
    Signed-off-by: Alexander Popov <alex.popov@linux.com>
    Cc: stable@vger.kernel.org
    Fixes: c8401dda2f0a00cd25c0 ("KVM: x86: fix singlestepping over syscall")
    Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 74d609f091fee1af788f5e47f9e761364b1fad54
Author: Tom Panfil <tom@steelseries.com>
Date:   Fri Jan 11 17:49:40 2019 -0800

    Input: xpad - add support for SteelSeries Stratus Duo
    
    commit fe2bfd0d40c935763812973ce15f5764f1c12833 upstream.
    
    Add support for the SteelSeries Stratus Duo, a wireless Xbox 360
    controller. The Stratus Duo ships with a USB dongle to enable wireless
    connectivity, but it can also function as a wired controller by connecting
    it directly to a PC via USB, hence the need for two USD PIDs. 0x1430 is the
    dongle, and 0x1431 is the controller.
    
    Signed-off-by: Tom Panfil <tom@steelseries.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 278541ac0534bc199cf228d945653c04cbbd06a5
Author: Pavel Shilovsky <pshilov@microsoft.com>
Date:   Thu Jan 17 08:21:24 2019 -0800

    CIFS: Fix possible hang during async MTU reads and writes
    
    commit acc58d0bab55a50e02c25f00bd6a210ee121595f upstream.
    
    When doing MTU i/o we need to leave some credits for
    possible reopen requests and other operations happening
    in parallel. Currently we leave 1 credit which is not
    enough even for reopen only: we need at least 2 credits
    if durable handle reconnect fails. Also there may be
    other operations at the same time including compounding
    ones which require 3 credits at a time each. Fix this
    by leaving 8 credits which is big enough to cover most
    scenarios.
    
    Was able to reproduce this when server was configured
    to give out fewer credits than usual.
    
    The proper fix would be to reconnect a file handle first
    and then obtain credits for an MTU request but this leads
    to bigger code changes and should happen in other patches.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8db4fe27f2a6ae978bd231d71853308b41e2d609
Author: Paul Fulghum <paulkf@microgate.com>
Date:   Tue Jan 1 12:28:53 2019 -0800

    tty/n_hdlc: fix __might_sleep warning
    
    commit fc01d8c61ce02c034e67378cd3e645734bc18c8c upstream.
    
    Fix __might_sleep warning[1] in tty/n_hdlc.c read due to copy_to_user
    call while current is TASK_INTERRUPTIBLE.  This is a false positive
    since the code path does not depend on current state remaining
    TASK_INTERRUPTIBLE.  The loop breaks out and sets TASK_RUNNING after
    calling copy_to_user.
    
    This patch supresses the warning by setting TASK_RUNNING before calling
    copy_to_user.
    
    [1] https://syzkaller.appspot.com/bug?id=17d5de7f1fcab794cb8c40032f893f52de899324
    
    Signed-off-by: Paul Fulghum <paulkf@microgate.com>
    Reported-by: syzbot <syzbot+c244af085a0159d22879@syzkaller.appspotmail.com>
    Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
    Cc: stable <stable@vger.kernel.org>
    Acked-by: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fe881381874a2dd2b790ffe5399aaa2b1ed51bc9
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Sun Jan 20 10:46:58 2019 +0100

    tty: Handle problem if line discipline does not have receive_buf
    
    commit 27cfb3a53be46a54ec5e0bd04e51995b74c90343 upstream.
    
    Some tty line disciplines do not have a receive buf callback, so
    properly check for that before calling it.  If they do not have this
    callback, just eat the character quietly, as we can't fail this call.
    
    Reported-by: Jann Horn <jannh@google.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b6a23bda233ae5dce88f48108016d545c7e84e01
Author: Michael Straube <straube.linux@gmail.com>
Date:   Mon Jan 7 18:28:58 2019 +0100

    staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1
    
    commit 5f74a8cbb38d10615ed46bc3e37d9a4c9af8045a upstream.
    
    This device was added to the stand-alone driver on github.
    Add it to the staging driver as well.
    
    Link: https://github.com/lwfinger/rtl8188eu/commit/a0619a07cd1e
    Signed-off-by: Michael Straube <straube.linux@gmail.com>
    Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 29f7c747a57ee9f38d5b91bc42b20f125a43bb1e
Author: Gustavo A. R. Silva <gustavo@embeddedor.com>
Date:   Wed Jan 9 13:02:36 2019 -0600

    char/mwave: fix potential Spectre v1 vulnerability
    
    commit 701956d4018e5d5438570e39e8bda47edd32c489 upstream.
    
    ipcnum is indirectly controlled by user-space, hence leading to
    a potential exploitation of the Spectre variant 1 vulnerability.
    
    This issue was detected with the help of Smatch:
    
    drivers/char/mwave/mwavedd.c:299 mwave_ioctl() warn: potential spectre issue 'pDrvData->IPCs' [w] (local cap)
    
    Fix this by sanitizing ipcnum before using it to index pDrvData->IPCs.
    
    Notice that given that speculation windows are large, the policy is
    to kill the speculation on the first load and not worry if it can be
    completed with a dependent load/store [1].
    
    [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
    
    Cc: stable@vger.kernel.org
    Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 86dd006cffecc263f8dc2cf2a787e0c53bb03b80
Author: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Date:   Wed Jan 9 13:00:03 2019 +0100

    s390/smp: fix CPU hotplug deadlock with CPU rescan
    
    commit b7cb707c373094ce4008d4a6ac9b6b366ec52da5 upstream.
    
    smp_rescan_cpus() is called without the device_hotplug_lock, which can lead
    to a dedlock when a new CPU is found and immediately set online by a udev
    rule.
    
    This was observed on an older kernel version, where the cpu_hotplug_begin()
    loop was still present, and it resulted in hanging chcpu and systemd-udev
    processes. This specific deadlock will not show on current kernels. However,
    there may be other possible deadlocks, and since smp_rescan_cpus() can still
    trigger a CPU hotplug operation, the device_hotplug_lock should be held.
    
    For reference, this was the deadlock with the old cpu_hotplug_begin() loop:
    
            chcpu (rescan)                       systemd-udevd
    
     echo 1 > /sys/../rescan
     -> smp_rescan_cpus()
     -> (*) get_online_cpus()
        (increases refcount)
     -> smp_add_present_cpu()
        (new CPU found)
     -> register_cpu()
     -> device_add()
     -> udev "add" event triggered -----------> udev rule sets CPU online
                                             -> echo 1 > /sys/.../online
                                             -> lock_device_hotplug_sysfs()
                                                (this is missing in rescan path)
                                             -> device_online()
                                             -> (**) device_lock(new CPU dev)
                                             -> cpu_up()
                                             -> cpu_hotplug_begin()
                                                (loops until refcount == 0)
                                                -> deadlock with (*)
     -> bus_probe_device()
     -> device_attach()
     -> device_lock(new CPU dev)
        -> deadlock with (**)
    
    Fix this by taking the device_hotplug_lock in the CPU rescan path.
    
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 74be2fcda651e596fe4e96c3c1ae4d76aa683655
Author: Christian Borntraeger <borntraeger@de.ibm.com>
Date:   Fri Nov 9 09:21:47 2018 +0100

    s390/early: improve machine detection
    
    commit 03aa047ef2db4985e444af6ee1c1dd084ad9fb4c upstream.
    
    Right now the early machine detection code check stsi 3.2.2 for "KVM"
    and set MACHINE_IS_VM if this is different. As the console detection
    uses diagnose 8 if MACHINE_IS_VM returns true this will crash Linux
    early for any non z/VM system that sets a different value than KVM.
    So instead of assuming z/VM, do not set any of MACHINE_IS_LPAR,
    MACHINE_IS_VM, or MACHINE_IS_KVM.
    
    CC: stable@vger.kernel.org
    Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c25a126d1a651a07dcdddc8f8eb3ef8c01fec932
Author: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
Date:   Mon Dec 17 12:54:23 2018 +0300

    ARC: perf: map generic branches to correct hardware condition
    
    commit 3affbf0e154ee351add6fcc254c59c3f3947fa8f upstream.
    
    So far we've mapped branches to "ijmp" which also counts conditional
    branches NOT taken. This makes us different from other architectures
    such as ARM which seem to be counting only taken branches.
    
    So use "ijmptak" hardware condition which only counts (all jump
    instructions that are taken)
    
    'ijmptak' event is available on both ARCompact and ARCv2 ISA based
    cores.
    
    Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
    [vgupta: reworked changelog]
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d9084840d00a91e9820f074b9d3e1988f6431f82
Author: Kangjie Lu <kjlu@umn.edu>
Date:   Tue Dec 25 20:29:48 2018 -0600

    ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages
    
    commit 44fabd8cdaaa3acb80ad2bb3b5c61ae2136af661 upstream.
    
    snd_pcm_lib_malloc_pages() may fail, so let's check its status and
    return its error code upstream.
    
    Signed-off-by: Kangjie Lu <kjlu@umn.edu>
    Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 437f0e444ddfc098294f7c60ef25fbb9c2f180d9
Author: Charles Yeh <charlesyeh522@gmail.com>
Date:   Tue Jan 15 23:13:56 2019 +0800

    USB: serial: pl2303: add new PID to support PL2303TB
    
    commit 4dcf9ddc9ad5ab649abafa98c5a4d54b1a33dabb upstream.
    
    Add new PID to support PL2303TB (TYPE_HX)
    
    Signed-off-by: Charles Yeh <charlesyeh522@gmail.com>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1d8dfede3f718d9edbab9fd3c5ece9b044c1baeb
Author: Max Schulze <max.schulze@posteo.de>
Date:   Mon Jan 7 08:31:49 2019 +0100

    USB: serial: simple: add Motorola Tetra TPG2200 device id
    
    commit b81c2c33eab79dfd3650293b2227ee5c6036585c upstream.
    
    Add new Motorola Tetra device id for Motorola Solutions TETRA PEI device
    
    T:  Bus=02 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
    D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
    P:  Vendor=0cad ProdID=9016 Rev=24.16
    S:  Manufacturer=Motorola Solutions, Inc.
    S:  Product=TETRA PEI interface
    C:  #Ifs= 2 Cfg#= 1 Atr=80 MxPwr=500mA
    I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=usb_serial_simple
    I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=usb_serial_simple
    
    Signed-off-by: Max Schulze <max.schulze@posteo.de>
    Cc: stable <stable@vger.kernel.org>
    Signed-off-by: Johan Hovold <johan@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e98f787a9975c3fe268f87ac611ac26697df7a20
Author: Yunjian Wang <wangyunjian@huawei.com>
Date:   Thu Jan 17 09:46:41 2019 +0800

    net: bridge: Fix ethernet header pointer before check skb forwardable
    
    [ Upstream commit 28c1382fa28f2e2d9d0d6f25ae879b5af2ecbd03 ]
    
    The skb header should be set to ethernet header before using
    is_skb_forwardable. Because the ethernet header length has been
    considered in is_skb_forwardable(including dev->hard_header_len
    length).
    
    To reproduce the issue:
    1, add 2 ports on linux bridge br using following commands:
    $ brctl addbr br
    $ brctl addif br eth0
    $ brctl addif br eth1
    2, the MTU of eth0 and eth1 is 1500
    3, send a packet(Data 1480, UDP 8, IP 20, Ethernet 14, VLAN 4)
    from eth0 to eth1
    
    So the expect result is packet larger than 1500 cannot pass through
    eth0 and eth1. But currently, the packet passes through success, it
    means eth1's MTU limit doesn't take effect.
    
    Fixes: f6367b4660dd ("bridge: use is_skb_forwardable in forward path")
    Cc: bridge@lists.linux-foundation.org
    Cc: Nkolay Aleksandrov <nikolay@cumulusnetworks.com>
    Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
    Cc: Stephen Hemminger <stephen@networkplumber.org>
    Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 749cbfc0ad60f21a759950c782338d74dfac873b
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date:   Fri Jan 11 18:55:42 2019 -0800

    net_sched: refetch skb protocol for each filter
    
    [ Upstream commit cd0c4e70fc0ccfa705cdf55efb27519ce9337a26 ]
    
    Martin reported a set of filters don't work after changing
    from reclassify to continue. Looking into the code, it
    looks like skb protocol is not always fetched for each
    iteration of the filters. But, as demonstrated by Martin,
    TC actions could modify skb->protocol, for example act_vlan,
    this means we have to refetch skb protocol in each iteration,
    rather than using the one we fetch in the beginning of the loop.
    
    This bug is _not_ introduced by commit 3b3ae880266d
    ("net: sched: consolidate tc_classify{,_compat}"), technically,
    if act_vlan is the only action that modifies skb protocol, then
    it is commit c7e2b9689ef8 ("sched: introduce vlan action") which
    introduced this bug.
    
    Reported-by: Martin Olsson <martin.olsson+netdev@sentorsecurity.com>
    Cc: Jamal Hadi Salim <jhs@mojatatu.com>
    Cc: Jiri Pirko <jiri@resnulli.us>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 289992eb6c1af89f8e9265276788e99cacd601b2
Author: Ido Schimmel <idosch@mellanox.com>
Date:   Wed Jan 9 09:57:39 2019 +0000

    net: ipv4: Fix memory leak in network namespace dismantle
    
    [ Upstream commit f97f4dd8b3bb9d0993d2491e0f22024c68109184 ]
    
    IPv4 routing tables are flushed in two cases:
    
    1. In response to events in the netdev and inetaddr notification chains
    2. When a network namespace is being dismantled
    
    In both cases only routes associated with a dead nexthop group are
    flushed. However, a nexthop group will only be marked as dead in case it
    is populated with actual nexthops using a nexthop device. This is not
    the case when the route in question is an error route (e.g.,
    'blackhole', 'unreachable').
    
    Therefore, when a network namespace is being dismantled such routes are
    not flushed and leaked [1].
    
    To reproduce:
    # ip netns add blue
    # ip -n blue route add unreachable 192.0.2.0/24
    # ip netns del blue
    
    Fix this by not skipping error routes that are not marked with
    RTNH_F_DEAD when flushing the routing tables.
    
    To prevent the flushing of such routes in case #1, add a parameter to
    fib_table_flush() that indicates if the table is flushed as part of
    namespace dismantle or not.
    
    Note that this problem does not exist in IPv6 since error routes are
    associated with the loopback device.
    
    [1]
    unreferenced object 0xffff888066650338 (size 56):
      comm "ip", pid 1206, jiffies 4294786063 (age 26.235s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 b0 1c 62 61 80 88 ff ff  ..........ba....
        e8 8b a1 64 80 88 ff ff 00 07 00 08 fe 00 00 00  ...d............
      backtrace:
        [<00000000856ed27d>] inet_rtm_newroute+0x129/0x220
        [<00000000fcdfc00a>] rtnetlink_rcv_msg+0x397/0xa20
        [<00000000cb85801a>] netlink_rcv_skb+0x132/0x380
        [<00000000ebc991d2>] netlink_unicast+0x4c0/0x690
        [<0000000014f62875>] netlink_sendmsg+0x929/0xe10
        [<00000000bac9d967>] sock_sendmsg+0xc8/0x110
        [<00000000223e6485>] ___sys_sendmsg+0x77a/0x8f0
        [<000000002e94f880>] __sys_sendmsg+0xf7/0x250
        [<00000000ccb1fa72>] do_syscall_64+0x14d/0x610
        [<00000000ffbe3dae>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
        [<000000003a8b605b>] 0xffffffffffffffff
    unreferenced object 0xffff888061621c88 (size 48):
      comm "ip", pid 1206, jiffies 4294786063 (age 26.235s)
      hex dump (first 32 bytes):
        6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
        6b 6b 6b 6b 6b 6b 6b 6b d8 8e 26 5f 80 88 ff ff  kkkkkkkk..&_....
      backtrace:
        [<00000000733609e3>] fib_table_insert+0x978/0x1500
        [<00000000856ed27d>] inet_rtm_newroute+0x129/0x220
        [<00000000fcdfc00a>] rtnetlink_rcv_msg+0x397/0xa20
        [<00000000cb85801a>] netlink_rcv_skb+0x132/0x380
        [<00000000ebc991d2>] netlink_unicast+0x4c0/0x690
        [<0000000014f62875>] netlink_sendmsg+0x929/0xe10
        [<00000000bac9d967>] sock_sendmsg+0xc8/0x110
        [<00000000223e6485>] ___sys_sendmsg+0x77a/0x8f0
        [<000000002e94f880>] __sys_sendmsg+0xf7/0x250
        [<00000000ccb1fa72>] do_syscall_64+0x14d/0x610
        [<00000000ffbe3dae>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
        [<000000003a8b605b>] 0xffffffffffffffff
    
    Fixes: 8cced9eff1d4 ("[NETNS]: Enable routing configuration in non-initial namespace.")
    Signed-off-by: Ido Schimmel <idosch@mellanox.com>
    Reviewed-by: David Ahern <dsahern@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e5c13a9c75ea5db2290c06efd2a83e658b406bdd
Author: Ross Lagerwall <ross.lagerwall@citrix.com>
Date:   Mon Jan 14 09:16:56 2019 +0000

    openvswitch: Avoid OOB read when parsing flow nlattrs
    
    [ Upstream commit 04a4af334b971814eedf4e4a413343ad3287d9a9 ]
    
    For nested and variable attributes, the expected length of an attribute
    is not known and marked by a negative number.  This results in an OOB
    read when the expected length is later used to check if the attribute is
    all zeros. Fix this by using the actual length of the attribute rather
    than the expected length.
    
    Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
    Acked-by: Pravin B Shelar <pshelar@ovn.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 52a30a6e141a103601e3039fb9cabb3babf9b2c2
Author: Ross Lagerwall <ross.lagerwall@citrix.com>
Date:   Thu Jan 17 15:34:38 2019 +0000

    net: Fix usage of pskb_trim_rcsum
    
    [ Upstream commit 6c57f0458022298e4da1729c67bd33ce41c14e7a ]
    
    In certain cases, pskb_trim_rcsum() may change skb pointers.
    Reinitialize header pointers afterwards to avoid potential
    use-after-frees. Add a note in the documentation of
    pskb_trim_rcsum(). Found by KASAN.
    
    Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>