commit 927556eb3a72306db1ba5ab8b9bb9914433302ba
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Sat Sep 15 09:43:07 2018 +0200

    Linux 4.9.127

commit 67badb25211c374d5c5bbac5f72678c9410dcfd1
Author: Suzuki K Poulose <suzuki.poulose@arm.com>
Date:   Wed Jul 4 23:07:46 2018 +0100

    arm64: Handle mismatched cache type
    
    commit 314d53d297980676011e6fd83dac60db4a01dc70 upstream.
    
    Track mismatches in the cache type register (CTR_EL0), other
    than the D/I min line sizes and trap user accesses if there are any.
    
    Fixes: be68a8aaf925 ("arm64: cpufeature: Fix CTR_EL0 field definitions")
    Cc: <stable@vger.kernel.org>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Will Deacon <will.deacon@arm.com>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a6830095680b0161a0dc47c67d14160f79479ed3
Author: Suzuki K Poulose <suzuki.poulose@arm.com>
Date:   Wed Jul 4 23:07:45 2018 +0100

    arm64: Fix mismatched cache line size detection
    
    commit 4c4a39dd5fe2d13e2d2fa5fceb8ef95d19fc389a upstream.
    
    If there is a mismatch in the I/D min line size, we must
    always use the system wide safe value both in applications
    and in the kernel, while performing cache operations. However,
    we have been checking more bits than just the min line sizes,
    which triggers false negatives. We may need to trap the user
    accesses in such cases, but not necessarily patch the kernel.
    
    This patch fixes the check to do the right thing as advertised.
    A new capability will be added to check mismatches in other
    fields and ensure we trap the CTR accesses.
    
    Fixes: be68a8aaf925 ("arm64: cpufeature: Fix CTR_EL0 field definitions")
    Cc: <stable@vger.kernel.org>
    Cc: Mark Rutland <mark.rutland@arm.com>
    Cc: Catalin Marinas <catalin.marinas@arm.com>
    Reported-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
    Signed-off-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d92fa5e18a42ef9d88473ff7fd99dce68b808a6c
Author: Ethan Lien <ethanlien@synology.com>
Date:   Mon Jul 2 15:44:58 2018 +0800

    btrfs: use correct compare function of dirty_metadata_bytes
    
    commit d814a49198eafa6163698bdd93961302f3a877a4 upstream.
    
    We use customized, nodesize batch value to update dirty_metadata_bytes.
    We should also use batch version of compare function or we will easily
    goto fast path and get false result from percpu_counter_compare().
    
    Fixes: e2d845211eda ("Btrfs: use percpu counter for dirty metadata count")
    CC: stable@vger.kernel.org # 4.4+
    Signed-off-by: Ethan Lien <ethanlien@synology.com>
    Reviewed-by: Nikolay Borisov <nborisov@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    nb: Rebased on 4.4.y ]
    Signed-off-by: Nikolay Borisov <nborisov@suse.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d1f7cdc0db808f16e5ac43a454affc8e6a5ebc2e
Author: Gustavo A. R. Silva <gustavo@embeddedor.com>
Date:   Mon Aug 6 07:14:51 2018 -0500

    ASoC: wm8994: Fix missing break in switch
    
    commit ad0eaee6195db1db1749dd46b9e6f4466793d178 upstream.
    
    Add missing break statement in order to prevent the code from falling
    through to the default case.
    
    Addresses-Coverity-ID: 115050 ("Missing break in switch")
    Reported-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
    Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
    Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
    Signed-off-by: Mark Brown <broonie@kernel.org>
    Cc: stable@vger.kernel.org
    [Gustavo: Backported to 3.16..4.18 - Remove code comment removal]
    Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9e9792d3ffc813a6aef88a06891fbc13c96b979a
Author: Martin Schwidefsky <schwidefsky@de.ibm.com>
Date:   Mon Aug 6 13:49:47 2018 +0200

    s390/lib: use expoline for all bcr instructions
    
    commit 5eda25b10297684c1f46a14199ec00210f3c346e upstream.
    
    The memove, memset, memcpy, __memset16, __memset32 and __memset64
    function have an additional indirect return branch in form of a
    "bzr" instruction. These need to use expolines as well.
    
    Cc: <stable@vger.kernel.org> # v4.17+
    Fixes: 97489e0663 ("s390/lib: use expoline for indirect branches")
    Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c0b809985a7a418fcc3361c239ae79250245282d
Author: Tomas Winkler <tomas.winkler@intel.com>
Date:   Tue Jan 2 12:01:41 2018 +0200

    mei: me: allow runtime pm for platform with D0i3
    
    commit cc365dcf0e56271bedf3de95f88922abe248e951 upstream.
    
    >From the pci power documentation:
    "The driver itself should not call pm_runtime_allow(), though. Instead,
    it should let user space or some platform-specific code do that (user space
    can do it via sysfs as stated above)..."
    
    However, the S0ix residency cannot be reached without MEI device getting
    into low power state. Hence, for mei devices that support D0i3, it's better
    to make runtime power management mandatory and not rely on the system
    integration such as udev rules.
    This policy cannot be applied globally as some older platforms
    were found to have broken power management.
    
    Cc: <stable@vger.kernel.org> v4.13+
    Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
    Reviewed-by: Alexander Usyskin <alexander.usyskin@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 3d343258091119b53792beed2082bc87340ab5de
Author: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Date:   Wed Aug 30 12:49:05 2017 +0300

    sch_tbf: fix two null pointer dereferences on init failure
    
    commit c2d6511e6a4f1f3673d711569c00c3849549e9b0 upstream.
    
    sch_tbf calls qdisc_watchdog_cancel() in both its ->reset and ->destroy
    callbacks but it may fail before the timer is initialized due to missing
    options (either not supplied by user-space or set as a default qdisc),
    also q->qdisc is used by ->reset and ->destroy so we need it initialized.
    
    Reproduce:
    $ sysctl net.core.default_qdisc=tbf
    $ ip l set ethX up
    
    Crash log:
    [  959.160172] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
    [  959.160323] IP: qdisc_reset+0xa/0x5c
    [  959.160400] PGD 59cdb067
    [  959.160401] P4D 59cdb067
    [  959.160466] PUD 59ccb067
    [  959.160532] PMD 0
    [  959.160597]
    [  959.160706] Oops: 0000 [#1] SMP
    [  959.160778] Modules linked in: sch_tbf sch_sfb sch_prio sch_netem
    [  959.160891] CPU: 2 PID: 1562 Comm: ip Not tainted 4.13.0-rc6+ #62
    [  959.160998] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
    [  959.161157] task: ffff880059c9a700 task.stack: ffff8800376d0000
    [  959.161263] RIP: 0010:qdisc_reset+0xa/0x5c
    [  959.161347] RSP: 0018:ffff8800376d3610 EFLAGS: 00010286
    [  959.161531] RAX: ffffffffa001b1dd RBX: ffff8800373a2800 RCX: 0000000000000000
    [  959.161733] RDX: ffffffff8215f160 RSI: ffffffff8215f160 RDI: 0000000000000000
    [  959.161939] RBP: ffff8800376d3618 R08: 00000000014080c0 R09: 00000000ffffffff
    [  959.162141] R10: ffff8800376d3578 R11: 0000000000000020 R12: ffffffffa001d2c0
    [  959.162343] R13: ffff880037538000 R14: 00000000ffffffff R15: 0000000000000001
    [  959.162546] FS:  00007fcc5126b740(0000) GS:ffff88005d900000(0000) knlGS:0000000000000000
    [  959.162844] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  959.163030] CR2: 0000000000000018 CR3: 000000005abc4000 CR4: 00000000000406e0
    [  959.163233] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [  959.163436] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    [  959.163638] Call Trace:
    [  959.163788]  tbf_reset+0x19/0x64 [sch_tbf]
    [  959.163957]  qdisc_destroy+0x8b/0xe5
    [  959.164119]  qdisc_create_dflt+0x86/0x94
    [  959.164284]  ? dev_activate+0x129/0x129
    [  959.164449]  attach_one_default_qdisc+0x36/0x63
    [  959.164623]  netdev_for_each_tx_queue+0x3d/0x48
    [  959.164795]  dev_activate+0x4b/0x129
    [  959.164957]  __dev_open+0xe7/0x104
    [  959.165118]  __dev_change_flags+0xc6/0x15c
    [  959.165287]  dev_change_flags+0x25/0x59
    [  959.165451]  do_setlink+0x30c/0xb3f
    [  959.165613]  ? check_chain_key+0xb0/0xfd
    [  959.165782]  rtnl_newlink+0x3a4/0x729
    [  959.165947]  ? rtnl_newlink+0x117/0x729
    [  959.166121]  ? ns_capable_common+0xd/0xb1
    [  959.166288]  ? ns_capable+0x13/0x15
    [  959.166450]  rtnetlink_rcv_msg+0x188/0x197
    [  959.166617]  ? rcu_read_unlock+0x3e/0x5f
    [  959.166783]  ? rtnl_newlink+0x729/0x729
    [  959.166948]  netlink_rcv_skb+0x6c/0xce
    [  959.167113]  rtnetlink_rcv+0x23/0x2a
    [  959.167273]  netlink_unicast+0x103/0x181
    [  959.167439]  netlink_sendmsg+0x326/0x337
    [  959.167607]  sock_sendmsg_nosec+0x14/0x3f
    [  959.167772]  sock_sendmsg+0x29/0x2e
    [  959.167932]  ___sys_sendmsg+0x209/0x28b
    [  959.168098]  ? do_raw_spin_unlock+0xcd/0xf8
    [  959.168267]  ? _raw_spin_unlock+0x27/0x31
    [  959.168432]  ? __handle_mm_fault+0x651/0xdb1
    [  959.168602]  ? check_chain_key+0xb0/0xfd
    [  959.168773]  __sys_sendmsg+0x45/0x63
    [  959.168934]  ? __sys_sendmsg+0x45/0x63
    [  959.169100]  SyS_sendmsg+0x19/0x1b
    [  959.169260]  entry_SYSCALL_64_fastpath+0x23/0xc2
    [  959.169432] RIP: 0033:0x7fcc5097e690
    [  959.169592] RSP: 002b:00007ffd0d5c7b48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
    [  959.169887] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007fcc5097e690
    [  959.170089] RDX: 0000000000000000 RSI: 00007ffd0d5c7b90 RDI: 0000000000000003
    [  959.170292] RBP: ffff8800376d3f98 R08: 0000000000000001 R09: 0000000000000003
    [  959.170494] R10: 00007ffd0d5c7910 R11: 0000000000000246 R12: 0000000000000006
    [  959.170697] R13: 000000000066f1a0 R14: 00007ffd0d5cfc40 R15: 0000000000000000
    [  959.170900]  ? trace_hardirqs_off_caller+0xa7/0xcf
    [  959.171076] Code: 00 41 c7 84 24 14 01 00 00 00 00 00 00 41 c7 84 24
    98 00 00 00 00 00 00 00 41 5c 41 5d 41 5e 5d c3 66 66 66 66 90 55 48 89
    e5 53 <48> 8b 47 18 48 89 fb 48 8b 40 48 48 85 c0 74 02 ff d0 48 8b bb
    [  959.171637] RIP: qdisc_reset+0xa/0x5c RSP: ffff8800376d3610
    [  959.171821] CR2: 0000000000000018
    
    Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
    Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
    Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 977f75d5c361cce54b42c5e60c5ec4dc8bf034f3
Author: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Date:   Wed Aug 30 12:49:03 2017 +0300

    sch_netem: avoid null pointer deref on init failure
    
    commit 634576a1844dba15bc5e6fc61d72f37e13a21615 upstream.
    
    netem can fail in ->init due to missing options (either not supplied by
    user-space or used as a default qdisc) causing a timer->base null
    pointer deref in its ->destroy() and ->reset() callbacks.
    
    Reproduce:
    $ sysctl net.core.default_qdisc=netem
    $ ip l set ethX up
    
    Crash log:
    [ 1814.846943] BUG: unable to handle kernel NULL pointer dereference at (null)
    [ 1814.847181] IP: hrtimer_active+0x17/0x8a
    [ 1814.847270] PGD 59c34067
    [ 1814.847271] P4D 59c34067
    [ 1814.847337] PUD 37374067
    [ 1814.847403] PMD 0
    [ 1814.847468]
    [ 1814.847582] Oops: 0000 [#1] SMP
    [ 1814.847655] Modules linked in: sch_netem(O) sch_fq_codel(O)
    [ 1814.847761] CPU: 3 PID: 1573 Comm: ip Tainted: G           O 4.13.0-rc6+ #62
    [ 1814.847884] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
    [ 1814.848043] task: ffff88003723a700 task.stack: ffff88005adc8000
    [ 1814.848235] RIP: 0010:hrtimer_active+0x17/0x8a
    [ 1814.848407] RSP: 0018:ffff88005adcb590 EFLAGS: 00010246
    [ 1814.848590] RAX: 0000000000000000 RBX: ffff880058e359d8 RCX: 0000000000000000
    [ 1814.848793] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880058e359d8
    [ 1814.848998] RBP: ffff88005adcb5b0 R08: 00000000014080c0 R09: 00000000ffffffff
    [ 1814.849204] R10: ffff88005adcb660 R11: 0000000000000020 R12: 0000000000000000
    [ 1814.849410] R13: ffff880058e359d8 R14: 00000000ffffffff R15: 0000000000000001
    [ 1814.849616] FS:  00007f733bbca740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
    [ 1814.849919] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 1814.850107] CR2: 0000000000000000 CR3: 0000000059f0d000 CR4: 00000000000406e0
    [ 1814.850313] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [ 1814.850518] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    [ 1814.850723] Call Trace:
    [ 1814.850875]  hrtimer_try_to_cancel+0x1a/0x93
    [ 1814.851047]  hrtimer_cancel+0x15/0x20
    [ 1814.851211]  qdisc_watchdog_cancel+0x12/0x14
    [ 1814.851383]  netem_reset+0xe6/0xed [sch_netem]
    [ 1814.851561]  qdisc_destroy+0x8b/0xe5
    [ 1814.851723]  qdisc_create_dflt+0x86/0x94
    [ 1814.851890]  ? dev_activate+0x129/0x129
    [ 1814.852057]  attach_one_default_qdisc+0x36/0x63
    [ 1814.852232]  netdev_for_each_tx_queue+0x3d/0x48
    [ 1814.852406]  dev_activate+0x4b/0x129
    [ 1814.852569]  __dev_open+0xe7/0x104
    [ 1814.852730]  __dev_change_flags+0xc6/0x15c
    [ 1814.852899]  dev_change_flags+0x25/0x59
    [ 1814.853064]  do_setlink+0x30c/0xb3f
    [ 1814.853228]  ? check_chain_key+0xb0/0xfd
    [ 1814.853396]  ? check_chain_key+0xb0/0xfd
    [ 1814.853565]  rtnl_newlink+0x3a4/0x729
    [ 1814.853728]  ? rtnl_newlink+0x117/0x729
    [ 1814.853905]  ? ns_capable_common+0xd/0xb1
    [ 1814.854072]  ? ns_capable+0x13/0x15
    [ 1814.854234]  rtnetlink_rcv_msg+0x188/0x197
    [ 1814.854404]  ? rcu_read_unlock+0x3e/0x5f
    [ 1814.854572]  ? rtnl_newlink+0x729/0x729
    [ 1814.854737]  netlink_rcv_skb+0x6c/0xce
    [ 1814.854902]  rtnetlink_rcv+0x23/0x2a
    [ 1814.855064]  netlink_unicast+0x103/0x181
    [ 1814.855230]  netlink_sendmsg+0x326/0x337
    [ 1814.855398]  sock_sendmsg_nosec+0x14/0x3f
    [ 1814.855584]  sock_sendmsg+0x29/0x2e
    [ 1814.855747]  ___sys_sendmsg+0x209/0x28b
    [ 1814.855912]  ? do_raw_spin_unlock+0xcd/0xf8
    [ 1814.856082]  ? _raw_spin_unlock+0x27/0x31
    [ 1814.856251]  ? __handle_mm_fault+0x651/0xdb1
    [ 1814.856421]  ? check_chain_key+0xb0/0xfd
    [ 1814.856592]  __sys_sendmsg+0x45/0x63
    [ 1814.856755]  ? __sys_sendmsg+0x45/0x63
    [ 1814.856923]  SyS_sendmsg+0x19/0x1b
    [ 1814.857083]  entry_SYSCALL_64_fastpath+0x23/0xc2
    [ 1814.857256] RIP: 0033:0x7f733b2dd690
    [ 1814.857419] RSP: 002b:00007ffe1d3387d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
    [ 1814.858238] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f733b2dd690
    [ 1814.858445] RDX: 0000000000000000 RSI: 00007ffe1d338820 RDI: 0000000000000003
    [ 1814.858651] RBP: ffff88005adcbf98 R08: 0000000000000001 R09: 0000000000000003
    [ 1814.858856] R10: 00007ffe1d3385a0 R11: 0000000000000246 R12: 0000000000000002
    [ 1814.859060] R13: 000000000066f1a0 R14: 00007ffe1d3408d0 R15: 0000000000000000
    [ 1814.859267]  ? trace_hardirqs_off_caller+0xa7/0xcf
    [ 1814.859446] Code: 10 55 48 89 c7 48 89 e5 e8 45 a1 fb ff 31 c0 5d c3
    31 c0 c3 66 66 66 66 90 55 48 89 e5 41 56 41 55 41 54 53 49 89 fd 49 8b
    45 30 <4c> 8b 20 41 8b 5c 24 38 31 c9 31 d2 48 c7 c7 50 8e 1d 82 41 89
    [ 1814.860022] RIP: hrtimer_active+0x17/0x8a RSP: ffff88005adcb590
    [ 1814.860214] CR2: 0000000000000000
    
    Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
    Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
    Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bafe019d5ff66db88a7547b5a41592146966bb1d
Author: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Date:   Wed Aug 30 12:48:59 2017 +0300

    sch_hhf: fix null pointer dereference on init failure
    
    commit 32db864d33c21fd70a217ba53cb7224889354ffb upstream.
    
    If sch_hhf fails in its ->init() function (either due to wrong
    user-space arguments as below or memory alloc failure of hh_flows) it
    will do a null pointer deref of q->hh_flows in its ->destroy() function.
    
    To reproduce the crash:
    $ tc qdisc add dev eth0 root hhf quantum 2000000 non_hh_weight 10000000
    
    Crash log:
    [  690.654882] BUG: unable to handle kernel NULL pointer dereference at (null)
    [  690.655565] IP: hhf_destroy+0x48/0xbc
    [  690.655944] PGD 37345067
    [  690.655948] P4D 37345067
    [  690.656252] PUD 58402067
    [  690.656554] PMD 0
    [  690.656857]
    [  690.657362] Oops: 0000 [#1] SMP
    [  690.657696] Modules linked in:
    [  690.658032] CPU: 3 PID: 920 Comm: tc Not tainted 4.13.0-rc6+ #57
    [  690.658525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
    [  690.659255] task: ffff880058578000 task.stack: ffff88005acbc000
    [  690.659747] RIP: 0010:hhf_destroy+0x48/0xbc
    [  690.660146] RSP: 0018:ffff88005acbf9e0 EFLAGS: 00010246
    [  690.660601] RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000000
    [  690.661155] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff821f63f0
    [  690.661710] RBP: ffff88005acbfa08 R08: ffffffff81b10a90 R09: 0000000000000000
    [  690.662267] R10: 00000000f42b7019 R11: ffff880058578000 R12: 00000000ffffffea
    [  690.662820] R13: ffff8800372f6400 R14: 0000000000000000 R15: 0000000000000000
    [  690.663769] FS:  00007f8ae5e8b740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
    [  690.667069] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  690.667965] CR2: 0000000000000000 CR3: 0000000058523000 CR4: 00000000000406e0
    [  690.668918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [  690.669945] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    [  690.671003] Call Trace:
    [  690.671743]  qdisc_create+0x377/0x3fd
    [  690.672534]  tc_modify_qdisc+0x4d2/0x4fd
    [  690.673324]  rtnetlink_rcv_msg+0x188/0x197
    [  690.674204]  ? rcu_read_unlock+0x3e/0x5f
    [  690.675091]  ? rtnl_newlink+0x729/0x729
    [  690.675877]  netlink_rcv_skb+0x6c/0xce
    [  690.676648]  rtnetlink_rcv+0x23/0x2a
    [  690.677405]  netlink_unicast+0x103/0x181
    [  690.678179]  netlink_sendmsg+0x326/0x337
    [  690.678958]  sock_sendmsg_nosec+0x14/0x3f
    [  690.679743]  sock_sendmsg+0x29/0x2e
    [  690.680506]  ___sys_sendmsg+0x209/0x28b
    [  690.681283]  ? __handle_mm_fault+0xc7d/0xdb1
    [  690.681915]  ? check_chain_key+0xb0/0xfd
    [  690.682449]  __sys_sendmsg+0x45/0x63
    [  690.682954]  ? __sys_sendmsg+0x45/0x63
    [  690.683471]  SyS_sendmsg+0x19/0x1b
    [  690.683974]  entry_SYSCALL_64_fastpath+0x23/0xc2
    [  690.684516] RIP: 0033:0x7f8ae529d690
    [  690.685016] RSP: 002b:00007fff26d2d6b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
    [  690.685931] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f8ae529d690
    [  690.686573] RDX: 0000000000000000 RSI: 00007fff26d2d700 RDI: 0000000000000003
    [  690.687047] RBP: ffff88005acbff98 R08: 0000000000000001 R09: 0000000000000000
    [  690.687519] R10: 00007fff26d2d480 R11: 0000000000000246 R12: 0000000000000002
    [  690.687996] R13: 0000000001258070 R14: 0000000000000001 R15: 0000000000000000
    [  690.688475]  ? trace_hardirqs_off_caller+0xa7/0xcf
    [  690.688887] Code: 00 00 e8 2a 02 ae ff 49 8b bc 1d 60 02 00 00 48 83
    c3 08 e8 19 02 ae ff 48 83 fb 20 75 dc 45 31 f6 4d 89 f7 4d 03 bd 20 02
    00 00 <49> 8b 07 49 39 c7 75 24 49 83 c6 10 49 81 fe 00 40 00 00 75 e1
    [  690.690200] RIP: hhf_destroy+0x48/0xbc RSP: ffff88005acbf9e0
    [  690.690636] CR2: 0000000000000000
    
    Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
    Fixes: 10239edf86f1 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc")
    Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9db519dc793994d702876c815f1d903c29280ab5
Author: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Date:   Wed Aug 30 12:48:58 2017 +0300

    sch_multiq: fix double free on init failure
    
    commit e89d469e3be3ed3d7124a803211a463ff83d0964 upstream.
    
    The below commit added a call to ->destroy() on init failure, but multiq
    still frees ->queues on error in init, but ->queues is also freed by
    ->destroy() thus we get double free and corrupted memory.
    
    Very easy to reproduce (eth0 not multiqueue):
    $ tc qdisc add dev eth0 root multiq
    RTNETLINK answers: Operation not supported
    $ ip l add dumdum type dummy
    (crash)
    
    Trace log:
    [ 3929.467747] general protection fault: 0000 [#1] SMP
    [ 3929.468083] Modules linked in:
    [ 3929.468302] CPU: 3 PID: 967 Comm: ip Not tainted 4.13.0-rc6+ #56
    [ 3929.468625] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
    [ 3929.469124] task: ffff88003716a700 task.stack: ffff88005872c000
    [ 3929.469449] RIP: 0010:__kmalloc_track_caller+0x117/0x1be
    [ 3929.469746] RSP: 0018:ffff88005872f6a0 EFLAGS: 00010246
    [ 3929.470042] RAX: 00000000000002de RBX: 0000000058a59000 RCX: 00000000000002df
    [ 3929.470406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff821f7020
    [ 3929.470770] RBP: ffff88005872f6e8 R08: 000000000001f010 R09: 0000000000000000
    [ 3929.471133] R10: ffff88005872f730 R11: 0000000000008cdd R12: ff006d75646d7564
    [ 3929.471496] R13: 00000000014000c0 R14: ffff88005b403c00 R15: ffff88005b403c00
    [ 3929.471869] FS:  00007f0b70480740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
    [ 3929.472286] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 3929.472677] CR2: 00007ffcee4f3000 CR3: 0000000059d45000 CR4: 00000000000406e0
    [ 3929.473209] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [ 3929.474109] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    [ 3929.474873] Call Trace:
    [ 3929.475337]  ? kstrdup_const+0x23/0x25
    [ 3929.475863]  kstrdup+0x2e/0x4b
    [ 3929.476338]  kstrdup_const+0x23/0x25
    [ 3929.478084]  __kernfs_new_node+0x28/0xbc
    [ 3929.478478]  kernfs_new_node+0x35/0x55
    [ 3929.478929]  kernfs_create_link+0x23/0x76
    [ 3929.479478]  sysfs_do_create_link_sd.isra.2+0x85/0xd7
    [ 3929.480096]  sysfs_create_link+0x33/0x35
    [ 3929.480649]  device_add+0x200/0x589
    [ 3929.481184]  netdev_register_kobject+0x7c/0x12f
    [ 3929.481711]  register_netdevice+0x373/0x471
    [ 3929.482174]  rtnl_newlink+0x614/0x729
    [ 3929.482610]  ? rtnl_newlink+0x17f/0x729
    [ 3929.483080]  rtnetlink_rcv_msg+0x188/0x197
    [ 3929.483533]  ? rcu_read_unlock+0x3e/0x5f
    [ 3929.483984]  ? rtnl_newlink+0x729/0x729
    [ 3929.484420]  netlink_rcv_skb+0x6c/0xce
    [ 3929.484858]  rtnetlink_rcv+0x23/0x2a
    [ 3929.485291]  netlink_unicast+0x103/0x181
    [ 3929.485735]  netlink_sendmsg+0x326/0x337
    [ 3929.486181]  sock_sendmsg_nosec+0x14/0x3f
    [ 3929.486614]  sock_sendmsg+0x29/0x2e
    [ 3929.486973]  ___sys_sendmsg+0x209/0x28b
    [ 3929.487340]  ? do_raw_spin_unlock+0xcd/0xf8
    [ 3929.487719]  ? _raw_spin_unlock+0x27/0x31
    [ 3929.488092]  ? __handle_mm_fault+0x651/0xdb1
    [ 3929.488471]  ? check_chain_key+0xb0/0xfd
    [ 3929.488847]  __sys_sendmsg+0x45/0x63
    [ 3929.489206]  ? __sys_sendmsg+0x45/0x63
    [ 3929.489576]  SyS_sendmsg+0x19/0x1b
    [ 3929.489901]  entry_SYSCALL_64_fastpath+0x23/0xc2
    [ 3929.490172] RIP: 0033:0x7f0b6fb93690
    [ 3929.490423] RSP: 002b:00007ffcee4ed588 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
    [ 3929.490881] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f0b6fb93690
    [ 3929.491198] RDX: 0000000000000000 RSI: 00007ffcee4ed5d0 RDI: 0000000000000003
    [ 3929.491521] RBP: ffff88005872ff98 R08: 0000000000000001 R09: 0000000000000000
    [ 3929.491801] R10: 00007ffcee4ed350 R11: 0000000000000246 R12: 0000000000000002
    [ 3929.492075] R13: 000000000066f1a0 R14: 00007ffcee4f5680 R15: 0000000000000000
    [ 3929.492352]  ? trace_hardirqs_off_caller+0xa7/0xcf
    [ 3929.492590] Code: 8b 45 c0 48 8b 45 b8 74 17 48 8b 4d c8 83 ca ff 44
    89 ee 4c 89 f7 e8 83 ca ff ff 49 89 c4 eb 49 49 63 56 20 48 8d 48 01 4d
    8b 06 <49> 8b 1c 14 48 89 c2 4c 89 e0 65 49 0f c7 08 0f 94 c0 83 f0 01
    [ 3929.493335] RIP: __kmalloc_track_caller+0x117/0x1be RSP: ffff88005872f6a0
    
    Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
    Fixes: f07d1501292b ("multiq: Further multiqueue cleanup")
    Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [AmitP: Removed unused variable 'err' in multiq_init()]
    Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 951104e4805f9eeb236edf02f31096c43d68f6b8
Author: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Date:   Wed Aug 30 12:48:57 2017 +0300

    sch_htb: fix crash on init failure
    
    commit 88c2ace69dbef696edba77712882af03879abc9c upstream.
    
    The commit below added a call to the ->destroy() callback for all qdiscs
    which failed in their ->init(), but some were not prepared for such
    change and can't handle partially initialized qdisc. HTB is one of them
    and if any error occurs before the qdisc watchdog timer and qdisc work are
    initialized then we can hit either a null ptr deref (timer->base) when
    canceling in ->destroy or lockdep error info about trying to register
    a non-static key and a stack dump. So to fix these two move the watchdog
    timer and workqueue init before anything that can err out.
    To reproduce userspace needs to send broken htb qdisc create request,
    tested with a modified tc (q_htb.c).
    
    Trace log:
    [ 2710.897602] BUG: unable to handle kernel NULL pointer dereference at (null)
    [ 2710.897977] IP: hrtimer_active+0x17/0x8a
    [ 2710.898174] PGD 58fab067
    [ 2710.898175] P4D 58fab067
    [ 2710.898353] PUD 586c0067
    [ 2710.898531] PMD 0
    [ 2710.898710]
    [ 2710.899045] Oops: 0000 [#1] SMP
    [ 2710.899232] Modules linked in:
    [ 2710.899419] CPU: 1 PID: 950 Comm: tc Not tainted 4.13.0-rc6+ #54
    [ 2710.899646] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
    [ 2710.900035] task: ffff880059ed2700 task.stack: ffff88005ad4c000
    [ 2710.900262] RIP: 0010:hrtimer_active+0x17/0x8a
    [ 2710.900467] RSP: 0018:ffff88005ad4f960 EFLAGS: 00010246
    [ 2710.900684] RAX: 0000000000000000 RBX: ffff88003701e298 RCX: 0000000000000000
    [ 2710.900933] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003701e298
    [ 2710.901177] RBP: ffff88005ad4f980 R08: 0000000000000001 R09: 0000000000000001
    [ 2710.901419] R10: ffff88005ad4f800 R11: 0000000000000400 R12: 0000000000000000
    [ 2710.901663] R13: ffff88003701e298 R14: ffffffff822a4540 R15: ffff88005ad4fac0
    [ 2710.901907] FS:  00007f2f5e90f740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000
    [ 2710.902277] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 2710.902500] CR2: 0000000000000000 CR3: 0000000058ca3000 CR4: 00000000000406e0
    [ 2710.902744] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [ 2710.902977] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    [ 2710.903180] Call Trace:
    [ 2710.903332]  hrtimer_try_to_cancel+0x1a/0x93
    [ 2710.903504]  hrtimer_cancel+0x15/0x20
    [ 2710.903667]  qdisc_watchdog_cancel+0x12/0x14
    [ 2710.903866]  htb_destroy+0x2e/0xf7
    [ 2710.904097]  qdisc_create+0x377/0x3fd
    [ 2710.904330]  tc_modify_qdisc+0x4d2/0x4fd
    [ 2710.904511]  rtnetlink_rcv_msg+0x188/0x197
    [ 2710.904682]  ? rcu_read_unlock+0x3e/0x5f
    [ 2710.904849]  ? rtnl_newlink+0x729/0x729
    [ 2710.905017]  netlink_rcv_skb+0x6c/0xce
    [ 2710.905183]  rtnetlink_rcv+0x23/0x2a
    [ 2710.905345]  netlink_unicast+0x103/0x181
    [ 2710.905511]  netlink_sendmsg+0x326/0x337
    [ 2710.905679]  sock_sendmsg_nosec+0x14/0x3f
    [ 2710.905847]  sock_sendmsg+0x29/0x2e
    [ 2710.906010]  ___sys_sendmsg+0x209/0x28b
    [ 2710.906176]  ? do_raw_spin_unlock+0xcd/0xf8
    [ 2710.906346]  ? _raw_spin_unlock+0x27/0x31
    [ 2710.906514]  ? __handle_mm_fault+0x651/0xdb1
    [ 2710.906685]  ? check_chain_key+0xb0/0xfd
    [ 2710.906855]  __sys_sendmsg+0x45/0x63
    [ 2710.907018]  ? __sys_sendmsg+0x45/0x63
    [ 2710.907185]  SyS_sendmsg+0x19/0x1b
    [ 2710.907344]  entry_SYSCALL_64_fastpath+0x23/0xc2
    
    Note that probably this bug goes further back because the default qdisc
    handling always calls ->destroy on init failure too.
    
    Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
    Fixes: 0fbbeb1ba43b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
    Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 77d1a435f8c635038198ff0b962bfde83dd88764
Author: Chas Williams <chas3@att.com>
Date:   Thu Sep 6 11:09:10 2018 -0400

    Fixes: Commit 2aa6d036b716 ("mm: numa: avoid waiting on freed migrated pages")
    
    Commit 2aa6d036b716 ("mm: numa: avoid waiting on freed migrated pages")
    was an incomplete backport of the upstream commit.  It is necessary to
    always reset page_nid before attempting any early exit.
    
    The original commit conflicted due to lack of commit 82b0f8c39a38
    ("mm: join struct fault_env and vm_fault") in 4.9 so it wasn't a clean
    application, and the change must have just gotten lost in the noise.
    
    Signed-off-by: Chas Williams <chas3@att.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4438e9db9574040e583574fd69da1ce0ff99cb86
Author: Govindarajulu Varadarajan <gvaradar@cisco.com>
Date:   Mon Jul 30 09:56:54 2018 -0700

    enic: do not call enic_change_mtu in enic_probe
    
    commit cb5c6568867325f9905e80c96531d963bec8e5ea upstream.
    
    In commit ab123fe071c9 ("enic: handle mtu change for vf properly")
    ASSERT_RTNL() is added to _enic_change_mtu() to prevent it from being
    called without rtnl held. enic_probe() calls enic_change_mtu()
    without rtnl held. At this point netdev is not registered yet.
    Remove call to enic_change_mtu and assign the mtu to netdev->mtu.
    
    Fixes: ab123fe071c9 ("enic: handle mtu change for vf properly")
    Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 55c6de19ec2369dfb8b1c04471e4247666b97b1c
Author: Fabio Estevam <fabio.estevam@nxp.com>
Date:   Mon Sep 3 10:39:34 2018 -0300

    Revert "ARM: imx_v6_v7_defconfig: Select ULPI support"
    
    This reverts commit 721476147fd2571309b6aa6daa695b39170602ef.
    
    This commit causes reboot to fail on imx6 wandboard, so let's
    revert it.
    
    Cc: <stable@vger.kernel.org> #4.9
    Reported-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
    Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 18d94895f505d6eef2da8868e87a403cde1d9ef0
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Tue Sep 4 15:24:05 2018 +0000

    irda: Only insert new objects into the global database via setsockopt
    
    The irda_setsockopt() function conditionally allocates memory for a new
    self->ias_object or, in some cases, reuses the existing
    self->ias_object. Existing objects were incorrectly reinserted into the
    LM_IAS database which corrupted the doubly linked list used for the
    hashbin implementation of the LM_IAS database. When combined with a
    memory leak in irda_bind(), this issue could be leveraged to create a
    use-after-free vulnerability in the hashbin list. This patch fixes the
    issue by only inserting newly allocated objects into the database.
    
    CVE-2018-6555
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
    Reviewed-by: Stefan Bader <stefan.bader@canonical.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ce54bf4aec595c479b462180d682783b3776fb80
Author: Tyler Hicks <tyhicks@canonical.com>
Date:   Tue Sep 4 15:24:04 2018 +0000

    irda: Fix memory leak caused by repeated binds of irda socket
    
    The irda_bind() function allocates memory for self->ias_obj without
    checking to see if the socket is already bound. A userspace process
    could repeatedly bind the socket, have each new object added into the
    LM-IAS database, and lose the reference to the old object assigned to
    the socket to exhaust memory resources. This patch errors out of the
    bind operation when self->ias_obj is already assigned.
    
    CVE-2018-6554
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
    Reviewed-by: Stefan Bader <stefan.bader@canonical.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a75228044ef6f99b057784d46b98df0cd0dd8a5b
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Tue Aug 28 12:59:10 2018 -0700

    kbuild: make missing $DEPMOD a Warning instead of an Error
    
    commit 914b087ff9e0e9a399a4927fa30793064afc0178 upstream.
    
    When $DEPMOD is not found, only print a warning instead of exiting
    with an error message and error status:
    
    Warning: 'make modules_install' requires /sbin/depmod. Please install it.
    This is probably in the kmod package.
    
    Change the Error to a Warning because "not all build hosts for cross
    compiling Linux are Linux systems and are able to provide a working
    port of depmod, especially at the file patch /sbin/depmod."
    
    I.e., "make modules_install" may be used to copy/install the
    loadable modules files to a target directory on a build system and
    then transferred to an embedded device where /sbin/depmod is run
    instead of it being run on the build system.
    
    Fixes: 934193a654c1 ("kbuild: verify that $DEPMOD is installed")
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Reported-by: H. Nikolaus Schaller <hns@goldelico.com>
    Cc: stable@vger.kernel.org
    Cc: Lucas De Marchi <lucas.demarchi@profusion.mobi>
    Cc: Lucas De Marchi <lucas.de.marchi@gmail.com>
    Cc: Michal Marek <michal.lkml@markovi.net>
    Cc: Jessica Yu <jeyu@kernel.org>
    Cc: Chih-Wei Huang <cwhuang@linux.org.tw>
    Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
    Signed-off-by: Maxim Zhukov <mussitantesmortem@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f3913ee267da0722c3731997545a6c4747323779
Author: Juergen Gross <jgross@suse.com>
Date:   Tue Aug 21 17:37:55 2018 +0200

    x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear
    
    commit b2d7a075a1ccef2fb321d595802190c8e9b39004 upstream.
    
    Using only 32-bit writes for the pte will result in an intermediate
    L1TF vulnerable PTE. When running as a Xen PV guest this will at once
    switch the guest to shadow mode resulting in a loss of performance.
    
    Use arch_atomic64_xchg() instead which will perform the requested
    operation atomically with all 64 bits.
    
    Some performance considerations according to:
    
    https://software.intel.com/sites/default/files/managed/ad/dc/Intel-Xeon-Scalable-Processor-throughput-latency.pdf
    
    The main number should be the latency, as there is no tight loop around
    native_ptep_get_and_clear().
    
    "lock cmpxchg8b" has a latency of 20 cycles, while "lock xchg" (with a
    memory operand) isn't mentioned in that document. "lock xadd" (with xadd
    having 3 cycles less latency than xchg) has a latency of 11, so we can
    assume a latency of 14 for "lock xchg".
    
    Signed-off-by: Juergen Gross <jgross@suse.com>
    Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Jan Beulich <jbeulich@suse.com>
    Tested-by: Jason Andryuk <jandryuk@gmail.com>
    Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
    [ Atomic operations gained an arch_ prefix in 8bf705d13039
    ("locking/atomic/x86: Switch atomic.h to use atomic-instrumented.h") so
    s/arch_atomic64_xchg/atomic64_xchg/ for backport.]
    Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 414bd73f37bd3306506ad53f94be6dbdef327a01
Author: Joel Fernandes (Google) <joel@joelfernandes.org>
Date:   Mon Jul 23 14:25:31 2018 -0700

    debugobjects: Make stack check warning more informative
    
    commit fc91a3c4c27acdca0bc13af6fbb68c35cfd519f2 upstream.
    
    While debugging an issue debugobject tracking warned about an annotation
    issue of an object on stack. It turned out that the issue was due to the
    object in concern being on a different stack which was due to another
    issue.
    
    Thomas suggested to print the pointers and the location of the stack for
    the currently running task. This helped to figure out that the object was
    on the wrong stack.
    
    As this is general useful information for debugging similar issues, make
    the error message more informative by printing the pointers.
    
    [ tglx: Massaged changelog ]
    
    Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Waiman Long <longman@redhat.com>
    Acked-by: Yang Shi <yang.shi@linux.alibaba.com>
    Cc: kernel-team@android.com
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: astrachan@google.com
    Link: https://lkml.kernel.org/r/20180723212531.202328-1-joel@joelfernandes.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 33d2811df75e94d34a098907ca9cfb138b85cd31
Author: Eric Dumazet <edumazet@google.com>
Date:   Tue Feb 21 06:21:47 2017 -0800

    tcp: Revert "tcp: tcp_probe: use spin_lock_bh()"
    
    commit 29869d66870a715177bfb505f66a7e0e8bcc89c3 upstream.
    
    This reverts commit e70ac171658679ecf6bea4bbd9e9325cd6079d2b.
    
    jtcp_rcv_established() is in fact called with hard irq being disabled.
    
    Initial bug report from Ricardo Nabinger Sanchez [1] still needs
    to be investigated, but does not look like a TCP bug.
    
    [1] https://www.spinics.net/lists/netdev/msg420960.html
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: kernel test robot <xiaolong.ye@intel.com>
    Cc: Ricardo Nabinger Sanchez <rnsanchez@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ee45a6792b26134b9b31f0048db3f5b99dc229d3
Author: Kai-Heng Feng <kai.heng.feng@canonical.com>
Date:   Thu Aug 23 05:53:32 2018 +0000

    drm/edid: Add 6 bpc quirk for SDC panel in Lenovo B50-80
    
    commit 25da75043f8690fd083878447c91f289dfb63b87 upstream.
    
    Another panel that reports "DFP 1.x compliant TMDS" but it supports 6bpc
    instead of 8 bpc.
    
    Apply 6 bpc quirk for the panel to fix it.
    
    BugLink: https://bugs.launchpad.net/bugs/1788308
    Cc: <stable@vger.kernel.org> # v4.8+
    Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
    Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Link: https://patchwork.freedesktop.org/patch/msgid/20180823055332.7723-1-kai.heng.feng@canonical.com
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 36a7f0ad9405853a862c139638f93e5a6370e3d2
Author: Marc Zyngier <marc.zyngier@arm.com>
Date:   Fri Aug 24 16:06:34 2018 +0100

    ARM: rockchip: Force CONFIG_PM on Rockchip systems
    
    [ Upstream commit d1558dfd9f22c99a5b8e1354ad881ee40749da89 ]
    
    A number of the Rockchip-specific drivers (IOMMU, display controllers)
    are now assuming that CONFIG_PM is set, and may completely misbehave
    if that's not the case.
    
    Since there is hardly any reason for this configuration option not
    to be selected anyway, let's require it (in the same way Tegra already
    does).
    
    Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
    Signed-off-by: Olof Johansson <olof@lixom.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 04a24a7d6a8af5e607f69b0c384700624fffeaf0
Author: Marc Zyngier <marc.zyngier@arm.com>
Date:   Fri Aug 24 16:06:35 2018 +0100

    arm64: rockchip: Force CONFIG_PM on Rockchip systems
    
    [ Upstream commit 7db7a8f5638a2ffe0c0c0d55b5186b6191fd6af7 ]
    
    A number of the Rockchip-specific drivers (IOMMU, display controllers)
    are now assuming that CONFIG_PM is set, and may completely misbehave
    if that's not the case.
    
    Since there is hardly any reason for this configuration option not
    to be selected anyway, let's require it (in the same way Tegra already
    does).
    
    Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
    Signed-off-by: Olof Johansson <olof@lixom.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1249b611523658f12f0fbb72e324f56e4bb51a69
Author: Qu Wenruo <wqu@suse.com>
Date:   Fri Jun 22 12:35:00 2018 +0800

    btrfs: Don't remove block group that still has pinned down bytes
    
    [ Upstream commit 43794446548730ac8461be30bbe47d5d027d1d16 ]
    
    [BUG]
    Under certain KVM load and LTP tests, it is possible to hit the
    following calltrace if quota is enabled:
    
    BTRFS critical (device vda2): unable to find logical 8820195328 length 4096
    BTRFS critical (device vda2): unable to find logical 8820195328 length 4096
    
    WARNING: CPU: 0 PID: 49 at ../block/blk-core.c:172 blk_status_to_errno+0x1a/0x30
    CPU: 0 PID: 49 Comm: kworker/u2:1 Not tainted 4.12.14-15-default #1 SLE15 (unreleased)
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
    Workqueue: btrfs-endio-write btrfs_endio_write_helper [btrfs]
    task: ffff9f827b340bc0 task.stack: ffffb4f8c0304000
    RIP: 0010:blk_status_to_errno+0x1a/0x30
    Call Trace:
     submit_extent_page+0x191/0x270 [btrfs]
     ? btrfs_create_repair_bio+0x130/0x130 [btrfs]
     __do_readpage+0x2d2/0x810 [btrfs]
     ? btrfs_create_repair_bio+0x130/0x130 [btrfs]
     ? run_one_async_done+0xc0/0xc0 [btrfs]
     __extent_read_full_page+0xe7/0x100 [btrfs]
     ? run_one_async_done+0xc0/0xc0 [btrfs]
     read_extent_buffer_pages+0x1ab/0x2d0 [btrfs]
     ? run_one_async_done+0xc0/0xc0 [btrfs]
     btree_read_extent_buffer_pages+0x94/0xf0 [btrfs]
     read_tree_block+0x31/0x60 [btrfs]
     read_block_for_search.isra.35+0xf0/0x2e0 [btrfs]
     btrfs_search_slot+0x46b/0xa00 [btrfs]
     ? kmem_cache_alloc+0x1a8/0x510
     ? btrfs_get_token_32+0x5b/0x120 [btrfs]
     find_parent_nodes+0x11d/0xeb0 [btrfs]
     ? leaf_space_used+0xb8/0xd0 [btrfs]
     ? btrfs_leaf_free_space+0x49/0x90 [btrfs]
     ? btrfs_find_all_roots_safe+0x93/0x100 [btrfs]
     btrfs_find_all_roots_safe+0x93/0x100 [btrfs]
     btrfs_find_all_roots+0x45/0x60 [btrfs]
     btrfs_qgroup_trace_extent_post+0x20/0x40 [btrfs]
     btrfs_add_delayed_data_ref+0x1a3/0x1d0 [btrfs]
     btrfs_alloc_reserved_file_extent+0x38/0x40 [btrfs]
     insert_reserved_file_extent.constprop.71+0x289/0x2e0 [btrfs]
     btrfs_finish_ordered_io+0x2f4/0x7f0 [btrfs]
     ? pick_next_task_fair+0x2cd/0x530
     ? __switch_to+0x92/0x4b0
     btrfs_worker_helper+0x81/0x300 [btrfs]
     process_one_work+0x1da/0x3f0
     worker_thread+0x2b/0x3f0
     ? process_one_work+0x3f0/0x3f0
     kthread+0x11a/0x130
     ? kthread_create_on_node+0x40/0x40
     ret_from_fork+0x35/0x40
    
    BTRFS critical (device vda2): unable to find logical 8820195328 length 16384
    BTRFS: error (device vda2) in btrfs_finish_ordered_io:3023: errno=-5 IO failure
    BTRFS info (device vda2): forced readonly
    BTRFS error (device vda2): pending csums is 2887680
    
    [CAUSE]
    It's caused by race with block group auto removal:
    
    - There is a meta block group X, which has only one tree block
      The tree block belongs to fs tree 257.
    - In current transaction, some operation modified fs tree 257
      The tree block gets COWed, so the block group X is empty, and marked
      as unused, queued to be deleted.
    - Some workload (like fsync) wakes up cleaner_kthread()
      Which will call btrfs_delete_unused_bgs() to remove unused block
      groups.
      So block group X along its chunk map get removed.
    - Some delalloc work finished for fs tree 257
      Quota needs to get the original reference of the extent, which will
      read tree blocks of commit root of 257.
      Then since the chunk map gets removed, the above warning gets
      triggered.
    
    [FIX]
    Just let btrfs_delete_unused_bgs() skip block group which still has
    pinned bytes.
    
    However there is a minor side effect: currently we only queue empty
    blocks at update_block_group(), and such empty block group with pinned
    bytes won't go through update_block_group() again, such block group
    won't be removed, until it gets new extent allocated and removed.
    
    Signed-off-by: Qu Wenruo <wqu@suse.com>
    Reviewed-by: Filipe Manana <fdmanana@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 93d960de56cef4582088dfc0ba9494143351772f
Author: Qu Wenruo <wqu@suse.com>
Date:   Tue Jul 3 17:10:07 2018 +0800

    btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized
    
    [ Upstream commit 389305b2aa68723c754f88d9dbd268a400e10664 ]
    
    Invalid reloc tree can cause kernel NULL pointer dereference when btrfs
    does some cleanup of the reloc roots.
    
    It turns out that fs_info::reloc_ctl can be NULL in
    btrfs_recover_relocation() as we allocate relocation control after all
    reloc roots have been verified.
    So when we hit: note, we haven't called set_reloc_control() thus
    fs_info::reloc_ctl is still NULL.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=199833
    Reported-by: Xu Wen <wen.xu@gatech.edu>
    Signed-off-by: Qu Wenruo <wqu@suse.com>
    Tested-by: Gu Jinxiang <gujx@cn.fujitsu.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e22b36a336fa637efb8f2d52fe1a8ebbd2cb1f57
Author: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
Date:   Tue Jul 31 16:20:21 2018 +0900

    btrfs: replace: Reset on-disk dev stats value after replace
    
    [ Upstream commit 1e7e1f9e3aba00c9b9c323bfeeddafe69ff21ff6 ]
    
    on-disk devs stats value is updated in btrfs_run_dev_stats(),
    which is called during commit transaction, if device->dev_stats_ccnt
    is not zero.
    
    Since current replace operation does not touch dev_stats_ccnt,
    on-disk dev stats value is not updated. Therefore "btrfs device stats"
    may return old device's value after umount/mount
    (Example: See "btrfs ins dump-t -t DEV $DEV" after btrfs/100 finish).
    
    Fix this by just incrementing dev_stats_ccnt in
    btrfs_dev_replace_finishing() when replace is succeeded and this will
    update the values.
    
    Signed-off-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
    Reviewed-by: David Sterba <dsterba@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4678c00e9dd5f246ea1078912e9564b9e938400a
Author: Levin Du <djw@t-chip.com.cn>
Date:   Sat Aug 4 15:31:02 2018 +0800

    clk: rockchip: Add pclk_rkpwm_pmu to PMU critical clocks in rk3399
    
    [ Upstream commit 640332d1a089909df08bc9f3e42888a2019c66e2 ]
    
    PWM2 is commonly used to control voltage of PWM regulator of VDD_LOG in
    RK3399. On the Firefly-RK3399 board, PWM2 outputs 40 KHz square wave
    from power on and the VDD_LOG is about 0.9V. When the kernel boots
    normally into the system, the PWM2 keeps outputing PWM signal.
    
    But the kernel hangs randomly after "Starting kernel ..." line on that
    board. When it happens, PWM2 outputs high level which causes VDD_LOG
    drops to 0.4V below the normal operating voltage.
    
    By adding "pclk_rkpwm_pmu" to the rk3399_pmucru_critical_clocks array,
    PWM clock is ensured to be prepared at startup and the PWM2 output is
    normal. After repeated tests, the early boot hang is gone.
    
    This patch works on both Firefly-RK3399 and ROC-RK3399-PC boards.
    
    Signed-off-by: Levin Du <djw@t-chip.com.cn>
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 5cb808572c23db828f2ac35c0c1e7088aef5ec03
Author: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Date:   Wed Jul 4 23:27:02 2018 +0530

    powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX.
    
    [ Upstream commit 74e96bf44f430cf7a01de19ba6cf49b361cdfd6e ]
    
    The global mce data buffer that used to copy rtas error log is of 2048
    (RTAS_ERROR_LOG_MAX) bytes in size. Before the copy we read
    extended_log_length from rtas error log header, then use max of
    extended_log_length and RTAS_ERROR_LOG_MAX as a size of data to be copied.
    Ideally the platform (phyp) will never send extended error log with
    size > 2048. But if that happens, then we have a risk of buffer overrun
    and corruption. Fix this by using min_t instead.
    
    Fixes: d368514c3097 ("powerpc: Fix corruption when grabbing FWNMI data")
    Reported-by: Michal Suchanek <msuchanek@suse.com>
    Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 7aed5a52b85f345370501b95ec44ebab5b40f043
Author: Steve French <stfrench@microsoft.com>
Date:   Mon Jul 23 09:15:18 2018 -0500

    SMB3: Number of requests sent should be displayed for SMB3 not just CIFS
    
    [ Upstream commit 289131e1f1e6ad8c661ec05e176b8f0915672059 ]
    
    For SMB2/SMB3 the number of requests sent was not displayed
    in /proc/fs/cifs/Stats unless CONFIG_CIFS_STATS2 was
    enabled (only number of failed requests displayed). As
    with earlier dialects, we should be displaying these
    counters if CONFIG_CIFS_STATS is enabled. They
    are important for debugging.
    
    e.g. when you cat /proc/fs/cifs/Stats (before the patch)
    Resources in use
    CIFS Session: 1
    Share (unique mount targets): 2
    SMB Request/Response Buffer: 1 Pool size: 5
    SMB Small Req/Resp Buffer: 1 Pool size: 30
    Operations (MIDs): 0
    
    0 session 0 share reconnects
    Total vfs operations: 690 maximum at one time: 2
    
    1) \\localhost\test
    SMBs: 975
    Negotiates: 0 sent 0 failed
    SessionSetups: 0 sent 0 failed
    Logoffs: 0 sent 0 failed
    TreeConnects: 0 sent 0 failed
    TreeDisconnects: 0 sent 0 failed
    Creates: 0 sent 2 failed
    Closes: 0 sent 0 failed
    Flushes: 0 sent 0 failed
    Reads: 0 sent 0 failed
    Writes: 0 sent 0 failed
    Locks: 0 sent 0 failed
    IOCTLs: 0 sent 1 failed
    Cancels: 0 sent 0 failed
    Echos: 0 sent 0 failed
    QueryDirectories: 0 sent 63 failed
    
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Reviewed-by: Aurelien Aptel <aaptel@suse.com>
    Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0da6c7d59a6ff8bbc4843ac2eb2d671efd8376ac
Author: Steve French <stfrench@microsoft.com>
Date:   Wed Aug 1 00:56:12 2018 -0500

    smb3: fix reset of bytes read and written stats
    
    [ Upstream commit c281bc0c7412308c7ec0888904f7c99353da4796 ]
    
    echo 0 > /proc/fs/cifs/Stats is supposed to reset the stats
    but there were four (see example below) that were not reset
    (bytes read and witten, total vfs ops and max ops
    at one time).
    
    ...
    0 session 0 share reconnects
    Total vfs operations: 100 maximum at one time: 2
    
    1) \\localhost\test
    SMBs: 0
    Bytes read: 502092  Bytes written: 31457286
    TreeConnects: 0 total 0 failed
    TreeDisconnects: 0 total 0 failed
    ...
    
    This patch fixes cifs_stats_proc_write to properly reset
    those four.
    
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Reviewed-by: Aurelien Aptel <aaptel@suse.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fdb52b4f48f12565e8985b13d88a0dce16adccd4
Author: YueHaibing <yuehaibing@huawei.com>
Date:   Tue Aug 7 19:34:16 2018 +0800

    RDS: IB: fix 'passing zero to ERR_PTR()' warning
    
    [ Upstream commit 5941923da29e84bc9e2a1abb2c14fffaf8d71e2f ]
    
    Fix a static code checker warning:
     net/rds/ib_frmr.c:82 rds_ib_alloc_frmr() warn: passing zero to 'ERR_PTR'
    
    The error path for ib_alloc_mr failure should set err to PTR_ERR.
    
    Fixes: 1659185fb4d0 ("RDS: IB: Support Fastreg MR (FRMR) memory registration mode")
    Signed-off-by: YueHaibing <yuehaibing@huawei.com>
    Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 82e1e872273b584a6850365f4eaa0e3a72b4880d
Author: Breno Leitao <leitao@debian.org>
Date:   Tue Aug 7 11:15:39 2018 -0300

    selftests/powerpc: Kill child processes on SIGINT
    
    [ Upstream commit 7c27a26e1ed5a7dd709aa19685d2c98f64e1cf0c ]
    
    There are some powerpc selftests, as tm/tm-unavailable, that run for a long
    period (>120 seconds), and if it is interrupted, as pressing CRTL-C
    (SIGINT), the foreground process (harness) dies but the child process and
    threads continue to execute (with PPID = 1 now) in background.
    
    In this case, you'd think the whole test exited, but there are remaining
    threads and processes being executed in background. Sometimes these
    zombies processes are doing annoying things, as consuming the whole CPU or
    dumping things to STDOUT.
    
    This patch fixes this problem by attaching an empty signal handler to
    SIGINT in the harness process. This handler will interrupt (EINTR) the
    parent process waitpid() call, letting the code to follow through the
    normal flow, which will kill all the processes in the child process group.
    
    This patch also fixes a typo.
    
    Signed-off-by: Breno Leitao <leitao@debian.org>
    Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 50f8c8e401f027ac650bd9441603cb51c3388801
Author: Ian Abbott <abbotti@mev.co.uk>
Date:   Mon Aug 6 11:05:13 2018 +0100

    staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice
    
    [ Upstream commit e083926b3e269d4064825dcf2ad50c636fddf8cf ]
    
    The PFI subdevice flags indicate that the subdevice is readable and
    writeable, but that is only true for the supported "M-series" boards,
    not the older "E-series" boards.  Only set the SDF_READABLE and
    SDF_WRITABLE subdevice flags for the M-series boards.  These two flags
    are mainly for informational purposes.
    
    Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c2910ee6e72ff5075326146b8727cb2c54741aa7
Author: John Pittman <jpittman@redhat.com>
Date:   Mon Aug 6 15:53:12 2018 -0400

    dm kcopyd: avoid softlockup in run_complete_job
    
    [ Upstream commit 784c9a29e99eb40b842c29ecf1cc3a79e00fb629 ]
    
    It was reported that softlockups occur when using dm-snapshot ontop of
    slow (rbd) storage.  E.g.:
    
    [ 4047.990647] watchdog: BUG: soft lockup - CPU#10 stuck for 22s! [kworker/10:23:26177]
    ...
    [ 4048.034151] Workqueue: kcopyd do_work [dm_mod]
    [ 4048.034156] RIP: 0010:copy_callback+0x41/0x160 [dm_snapshot]
    ...
    [ 4048.034190] Call Trace:
    [ 4048.034196]  ? __chunk_is_tracked+0x70/0x70 [dm_snapshot]
    [ 4048.034200]  run_complete_job+0x5f/0xb0 [dm_mod]
    [ 4048.034205]  process_jobs+0x91/0x220 [dm_mod]
    [ 4048.034210]  ? kcopyd_put_pages+0x40/0x40 [dm_mod]
    [ 4048.034214]  do_work+0x46/0xa0 [dm_mod]
    [ 4048.034219]  process_one_work+0x171/0x370
    [ 4048.034221]  worker_thread+0x1fc/0x3f0
    [ 4048.034224]  kthread+0xf8/0x130
    [ 4048.034226]  ? max_active_store+0x80/0x80
    [ 4048.034227]  ? kthread_bind+0x10/0x10
    [ 4048.034231]  ret_from_fork+0x35/0x40
    [ 4048.034233] Kernel panic - not syncing: softlockup: hung tasks
    
    Fix this by calling cond_resched() after run_complete_job()'s callout to
    the dm_kcopyd_notify_fn (which is dm-snap.c:copy_callback in the above
    trace).
    
    Signed-off-by: John Pittman <jpittman@redhat.com>
    Signed-off-by: Mike Snitzer <snitzer@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e93d8210c7769e4cac59f2430ba81589a76ca5e5
Author: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Date:   Fri Aug 3 16:38:44 2018 +0200

    PCI: mvebu: Fix I/O space end address calculation
    
    [ Upstream commit dfd0309fd7b30a5baffaf47b2fccb88b46d64d69 ]
    
    pcie->realio.end should be the address of last byte of the area,
    therefore using resource_size() of another resource is not correct, we
    must substract 1 to get the address of the last byte.
    
    Fixes: 11be65472a427 ("PCI: mvebu: Adapt to the new device tree layout")
    Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c2842d10e7d274a67d12c3f2f19ce062467d4d62
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Aug 8 17:29:09 2018 +0300

    scsi: aic94xx: fix an error code in aic94xx_init()
    
    [ Upstream commit 0756c57bce3d26da2592d834d8910b6887021701 ]
    
    We accidentally return success instead of -ENOMEM on this error path.
    
    Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
    Reviewed-by: John Garry <john.garry@huawei.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 51c849246ff75469fd3e3f82a6ecbd39100869a5
Author: Hans de Goede <hdegoede@redhat.com>
Date:   Wed Aug 8 10:30:03 2018 +0200

    ACPI / scan: Initialize status to ACPI_STA_DEFAULT
    
    [ Upstream commit 5971b0c1594d6c34e257101ed5fdffec65205c50 ]
    
    Since commit 63347db0affa "ACPI / scan: Use acpi_bus_get_status() to
    initialize ACPI_TYPE_DEVICE devs" the status field of normal acpi_devices
    gets set to 0 by acpi_bus_type_and_status() and filled with its actual
    value later when acpi_add_single_object() calls acpi_bus_get_status().
    
    This means that any acpi_match_device_ids() calls in between will always
    fail with -ENOENT.
    
    We already have a workaround for this, which temporary forces status to
    ACPI_STA_DEFAULT in drivers/acpi/x86/utils.c: acpi_device_always_present()
    and the next commit in this series adds another acpi_match_device_ids()
    call between status being initialized as 0 and the acpi_bus_get_status()
    call.
    
    Rather then adding another workaround, this commit makes
    acpi_bus_type_and_status() initialize status to ACPI_STA_DEFAULT, this is
    safe to do as the only code looking at status between the initialization
    and the acpi_bus_get_status() call is those acpi_match_device_ids() calls.
    
    Note this does mean that we need to (re)set status to 0 in case the
    acpi_bus_get_status() call fails.
    
    Signed-off-by: Hans de Goede <hdegoede@redhat.com>
    Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b84452f38e79b76e423598eaf6a297c92be5bb09
Author: Stefan Haberland <sth@linux.ibm.com>
Date:   Wed Jul 25 13:27:10 2018 +0200

    s390/dasd: fix panic for failed online processing
    
    [ Upstream commit 7c6553d4db03350dad0110c3224194c19df76a8f ]
    
    Fix a panic that occurs for a device that got an error in
    dasd_eckd_check_characteristics() during online processing.
    For example the read configuration data command may have failed.
    
    If this error occurs the device is not being set online and the earlier
    invoked steps during online processing are rolled back. Therefore
    dasd_eckd_uncheck_device() is called which needs a valid private
    structure. But this pointer is not valid if
    dasd_eckd_check_characteristics() has failed.
    
    Check for a valid device->private pointer to prevent a panic.
    
    Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
    Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 0eee05ce4372de16952bfcacca77d64783c6374f
Author: Stefan Haberland <sth@linux.ibm.com>
Date:   Wed Jul 25 14:00:47 2018 +0200

    s390/dasd: fix hanging offline processing due to canceled worker
    
    [ Upstream commit 669f3765b755fd8739ab46ce3a9c6292ce8b3d2a ]
    
    During offline processing two worker threads are canceled without
    freeing the device reference which leads to a hanging offline process.
    
    Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
    Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
    Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bbab86e8918c7211d32f18de7e0bcb0c52403621
Author: Greg Edwards <gedwards@ddn.com>
Date:   Wed Aug 8 13:27:53 2018 -0600

    block: bvec_nr_vecs() returns value for wrong slab
    
    [ Upstream commit d6c02a9beb67f13d5f14f23e72fa9981e8b84477 ]
    
    In commit ed996a52c868 ("block: simplify and cleanup bvec pool
    handling"), the value of the slab index is incremented by one in
    bvec_alloc() after the allocation is done to indicate an index value of
    0 does not need to be later freed.
    
    bvec_nr_vecs() was not updated accordingly, and thus returns the wrong
    value.  Decrement idx before performing the lookup.
    
    Fixes: ed996a52c868 ("block: simplify and cleanup bvec pool handling")
    Signed-off-by: Greg Edwards <gedwards@ddn.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 6841830ae6e924a66bbe24d0e3c01a21ba4757d8
Author: Sandipan Das <sandipan@linux.ibm.com>
Date:   Thu Aug 9 21:49:29 2018 +0530

    perf probe powerpc: Fix trace event post-processing
    
    [ Upstream commit 354b064b8ebc1e1ede58550ca9e08bfa81e6af43 ]
    
    In some cases, a symbol may have multiple aliases. Attempting to add an
    entry probe for such symbols results in a probe being added at an
    incorrect location while it fails altogether for return probes. This is
    only applicable for binaries with debug information.
    
    During the arch-dependent post-processing, the offset from the start of
    the symbol at which the probe is to be attached is determined and added
    to the start address of the symbol to get the probe's location.  In case
    there are multiple aliases, this offset gets added multiple times for
    each alias of the symbol and we end up with an incorrect probe location.
    
    This can be verified on a powerpc64le system as shown below.
    
      $ nm /lib/modules/$(uname -r)/build/vmlinux | grep "sys_open$"
      ...
      c000000000414290 T __se_sys_open
      c000000000414290 T sys_open
    
      $ objdump -d /lib/modules/$(uname -r)/build/vmlinux | grep -A 10 "<__se_sys_open>:"
    
      c000000000414290 <__se_sys_open>:
      c000000000414290:       19 01 4c 3c     addis   r2,r12,281
      c000000000414294:       70 c4 42 38     addi    r2,r2,-15248
      c000000000414298:       a6 02 08 7c     mflr    r0
      c00000000041429c:       e8 ff a1 fb     std     r29,-24(r1)
      c0000000004142a0:       f0 ff c1 fb     std     r30,-16(r1)
      c0000000004142a4:       f8 ff e1 fb     std     r31,-8(r1)
      c0000000004142a8:       10 00 01 f8     std     r0,16(r1)
      c0000000004142ac:       c1 ff 21 f8     stdu    r1,-64(r1)
      c0000000004142b0:       78 23 9f 7c     mr      r31,r4
      c0000000004142b4:       78 1b 7e 7c     mr      r30,r3
    
      For both the entry probe and the return probe, the probe location
      should be _text+4276888 (0xc000000000414298). Since another alias
      exists for 'sys_open', the post-processing code will end up adding
      the offset (8 for powerpc64le) twice and perf will attempt to add
      the probe at _text+4276896 (0xc0000000004142a0) instead.
    
    Before:
    
      # perf probe -v -a sys_open
    
      probe-definition(0): sys_open
      symbol:sys_open file:(null) line:0 offset:0 return:0 lazy:(null)
      0 arguments
      Looking at the vmlinux_path (8 entries long)
      Using /lib/modules/4.18.0-rc8+/build/vmlinux for symbols
      Open Debuginfo file: /lib/modules/4.18.0-rc8+/build/vmlinux
      Try to find probe point from debuginfo.
      Symbol sys_open address found : c000000000414290
      Matched function: __se_sys_open [2ad03a0]
      Probe point found: __se_sys_open+0
      Found 1 probe_trace_events.
      Opening /sys/kernel/debug/tracing/kprobe_events write=1
      Writing event: p:probe/sys_open _text+4276896
      Added new event:
        probe:sys_open       (on sys_open)
      ...
    
      # perf probe -v -a sys_open%return $retval
    
      probe-definition(0): sys_open%return
      symbol:sys_open file:(null) line:0 offset:0 return:1 lazy:(null)
      0 arguments
      Looking at the vmlinux_path (8 entries long)
      Using /lib/modules/4.18.0-rc8+/build/vmlinux for symbols
      Open Debuginfo file: /lib/modules/4.18.0-rc8+/build/vmlinux
      Try to find probe point from debuginfo.
      Symbol sys_open address found : c000000000414290
      Matched function: __se_sys_open [2ad03a0]
      Probe point found: __se_sys_open+0
      Found 1 probe_trace_events.
      Opening /sys/kernel/debug/tracing/README write=0
      Opening /sys/kernel/debug/tracing/kprobe_events write=1
      Parsing probe_events: p:probe/sys_open _text+4276896
      Group:probe Event:sys_open probe:p
      Writing event: r:probe/sys_open__return _text+4276896
      Failed to write event: Invalid argument
        Error: Failed to add events. Reason: Invalid argument (Code: -22)
    
    After:
    
      # perf probe -v -a sys_open
    
      probe-definition(0): sys_open
      symbol:sys_open file:(null) line:0 offset:0 return:0 lazy:(null)
      0 arguments
      Looking at the vmlinux_path (8 entries long)
      Using /lib/modules/4.18.0-rc8+/build/vmlinux for symbols
      Open Debuginfo file: /lib/modules/4.18.0-rc8+/build/vmlinux
      Try to find probe point from debuginfo.
      Symbol sys_open address found : c000000000414290
      Matched function: __se_sys_open [2ad03a0]
      Probe point found: __se_sys_open+0
      Found 1 probe_trace_events.
      Opening /sys/kernel/debug/tracing/kprobe_events write=1
      Writing event: p:probe/sys_open _text+4276888
      Added new event:
        probe:sys_open       (on sys_open)
      ...
    
      # perf probe -v -a sys_open%return $retval
    
      probe-definition(0): sys_open%return
      symbol:sys_open file:(null) line:0 offset:0 return:1 lazy:(null)
      0 arguments
      Looking at the vmlinux_path (8 entries long)
      Using /lib/modules/4.18.0-rc8+/build/vmlinux for symbols
      Open Debuginfo file: /lib/modules/4.18.0-rc8+/build/vmlinux
      Try to find probe point from debuginfo.
      Symbol sys_open address found : c000000000414290
      Matched function: __se_sys_open [2ad03a0]
      Probe point found: __se_sys_open+0
      Found 1 probe_trace_events.
      Opening /sys/kernel/debug/tracing/README write=0
      Opening /sys/kernel/debug/tracing/kprobe_events write=1
      Parsing probe_events: p:probe/sys_open _text+4276888
      Group:probe Event:sys_open probe:p
      Writing event: r:probe/sys_open__return _text+4276888
      Added new event:
        probe:sys_open__return (on sys_open%return)
      ...
    
    Reported-by: Aneesh Kumar <aneesh.kumar@linux.vnet.ibm.com>
    Signed-off-by: Sandipan Das <sandipan@linux.ibm.com>
    Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
    Cc: Aneesh Kumar <aneesh.kumar@linux.vnet.ibm.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
    Fixes: 99e608b5954c ("perf probe ppc64le: Fix probe location when using DWARF")
    Link: http://lkml.kernel.org/r/20180809161929.35058-1-sandipan@linux.ibm.com
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c80c4c93e47ede426bd4ba6ba6ee242862dbdc49
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Wed Aug 8 14:57:24 2018 +0300

    powerpc: Fix size calculation using resource_size()
    
    [ Upstream commit c42d3be0c06f0c1c416054022aa535c08a1f9b39 ]
    
    The problem is the the calculation should be "end - start + 1" but the
    plus one is missing in this calculation.
    
    Fixes: 8626816e905e ("powerpc: add support for MPIC message register API")
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
    Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 45b7e1d5f20692864a073fae23bb03cec626edfa
Author: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
Date:   Tue Jul 17 19:14:45 2018 -0700

    net/9p: fix error path of p9_virtio_probe
    
    [ Upstream commit 92aef4675d5b1b55404e1532379e343bed0e5cf2 ]
    
    Currently when virtio_find_single_vq fails, we go through del_vqs which
    throws a warning (Trying to free already-free IRQ).  Skip del_vqs if vq
    allocation failed.
    
    Link: http://lkml.kernel.org/r/20180524101021.49880-1-jean-philippe.brucker@arm.com
    Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
    Reviewed-by: Greg Kurz <groug@kaod.org>
    Cc: Eric Van Hensbergen <ericvh@gmail.com>
    Cc: Ron Minnich <rminnich@sandia.gov>
    Cc: Latchesar Ionkov <lucho@ionkov.net>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit eb1ca07f4343b4e58b97e792a85d5ba1ba103f5d
Author: Tomas Bortoli <tomasbortoli@gmail.com>
Date:   Mon Jul 23 20:42:53 2018 +0200

    net/9p/trans_fd.c: fix race by holding the lock
    
    [ Upstream commit 9f476d7c540cb57556d3cc7e78704e6cd5100f5f ]
    
    It may be possible to run p9_fd_cancel() with a deleted req->req_list
    and incur in a double del. To fix hold the client->lock while changing
    the status, so the other threads will be synchronized.
    
    Link: http://lkml.kernel.org/r/20180723184253.6682-1-tomasbortoli@gmail.com
    Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
    Reported-by: syzbot+735d926e9d1317c3310c@syzkaller.appspotmail.com
    To: Eric Van Hensbergen <ericvh@gmail.com>
    To: Ron Minnich <rminnich@sandia.gov>
    To: Latchesar Ionkov <lucho@ionkov.net>
    Cc: Yiwen Jiang <jiangyiwen@huwei.com>
    Cc: David S. Miller <davem@davemloft.net>
    Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a8e5ec201e3ab74a8afda07338e9fd8d0fccb5bb
Author: Jonas Gorski <jonas.gorski@gmail.com>
Date:   Thu Aug 9 10:59:01 2018 +0200

    irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP
    
    [ Upstream commit 0702bc4d2fe793018ad9aa0eb14bff7f526c4095 ]
    
    When compiling bmips with SMP disabled, the build fails with:
    
    drivers/irqchip/irq-bcm7038-l1.o: In function `bcm7038_l1_cpu_offline':
    drivers/irqchip/irq-bcm7038-l1.c:242: undefined reference to `irq_set_affinity_locked'
    make[5]: *** [vmlinux] Error 1
    
    Fix this by adding and setting bcm7038_l1_cpu_offline only when actually
    compiling for SMP. It wouldn't have been used anyway, as it requires
    CPU_HOTPLUG, which in turn requires SMP.
    
    Fixes: 34c535793bcb ("irqchip/bcm7038-l1: Implement irq_cpu_offline() callback")
    Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
    Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 070492dd2053be06709b42ba42cb0aebf4bf556e
Author: Gal Pressman <pressmangal@gmail.com>
Date:   Thu Aug 9 22:00:47 2018 +0300

    RDMA/hns: Fix usage of bitmap allocation functions return values
    
    [ Upstream commit a1ceeca679dccc492235f0f629d9e9f7b3d51ca8 ]
    
    hns bitmap allocation functions return 0 on success and -1 on failure.
    Callers of these functions wrongly used their return value as an errno,
    fix that by making a proper conversion.
    
    Fixes: a598c6f4c5a8 ("IB/hns: Simplify function of pd alloc and qp alloc")
    Signed-off-by: Gal Pressman <pressmangal@gmail.com>
    Acked-by: Lijun Ou <oulijun@huawei.com>
    Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 345afadf16eb84f71f7678a7fb2ceec715fea998
Author: Aleh Filipovich <aleh@vaolix.com>
Date:   Fri Aug 10 22:07:25 2018 +0200

    platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360
    
    [ Upstream commit 880b29ac107d15644bf4da228376ba3cd6af6d71 ]
    
    Add entry to WMI keymap for lid flip event on Asus UX360.
    
    On Asus Zenbook ux360 flipping lid from/to tablet mode triggers
    keyscan code 0xfa which cannot be handled and results in kernel
    log message "Unknown key fa pressed".
    
    Signed-off-by: Aleh Filipovich<aleh@appnexus.com>
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e11e70c5089205ce3468e1d4423b8946ecaa34b8
Author: Guenter Roeck <linux@roeck-us.net>
Date:   Fri Aug 3 20:59:51 2018 -0700

    mfd: sm501: Set coherent_dma_mask when creating subdevices
    
    [ Upstream commit 2f606da78230f09cf1a71fde6ee91d0c710fa2b2 ]
    
    Instantiating the sm501 OHCI subdevice results in a kernel warning.
    
    sm501-usb sm501-usb: SM501 OHCI
    sm501-usb sm501-usb: new USB bus registered, assigned bus number 1
    WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516
    ohci_init+0x194/0x2d8
    Modules linked in:
    
    CPU: 0 PID: 1 Comm: swapper Tainted: G        W
    4.18.0-rc7-00178-g0b5b1f9a78b5 #1
    PC is at ohci_init+0x194/0x2d8
    PR is at ohci_init+0x168/0x2d8
    PC  : 8c27844c SP  : 8f81dd94 SR  : 40008001
    TEA : 29613060
    R0  : 00000000 R1  : 00000000 R2  : 00000000 R3  : 00000202
    R4  : 8fa98b88 R5  : 8c277e68 R6  : 00000000 R7  : 00000000
    R8  : 8f965814 R9  : 8c388100 R10 : 8fa98800 R11 : 8fa98928
    R12 : 8c48302c R13 : 8fa98920 R14 : 8c48302c
    MACH: 00000096 MACL: 0000017c GBR : 00000000 PR  : 8c278420
    
    Call trace:
     [<(ptrval)>] usb_add_hcd+0x1e8/0x6ec
     [<(ptrval)>] _dev_info+0x0/0x54
     [<(ptrval)>] arch_local_save_flags+0x0/0x8
     [<(ptrval)>] arch_local_irq_restore+0x0/0x24
     [<(ptrval)>] ohci_hcd_sm501_drv_probe+0x114/0x2d8
    ...
    
    Initialize coherent_dma_mask when creating SM501 subdevices to fix
    the problem.
    
    Fixes: b6d6454fdb66f ("mfd: SM501 core driver")
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Lee Jones <lee.jones@linaro.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a3db0342deb9eec25623a46fd4bdc5808479e692
Author: Tan Hu <tan.hu@zte.com.cn>
Date:   Wed Jul 25 15:23:07 2018 +0800

    ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()
    
    [ Upstream commit a53b42c11815d2357e31a9403ae3950517525894 ]
    
    We came across infinite loop in ipvs when using ipvs in docker
    env.
    
    When ipvs receives new packets and cannot find an ipvs connection,
    it will create a new connection, then if the dest is unavailable
    (i.e. IP_VS_DEST_F_AVAILABLE), the packet will be dropped sliently.
    
    But if the dropped packet is the first packet of this connection,
    the connection control timer never has a chance to start and the
    ipvs connection cannot be released. This will lead to memory leak, or
    infinite loop in cleanup_net() when net namespace is released like
    this:
    
        ip_vs_conn_net_cleanup at ffffffffa0a9f31a [ip_vs]
        __ip_vs_cleanup at ffffffffa0a9f60a [ip_vs]
        ops_exit_list at ffffffff81567a49
        cleanup_net at ffffffff81568b40
        process_one_work at ffffffff810a851b
        worker_thread at ffffffff810a9356
        kthread at ffffffff810b0b6f
        ret_from_fork at ffffffff81697a18
    
    race condition:
        CPU1                           CPU2
        ip_vs_in()
          ip_vs_conn_new()
                                       ip_vs_del_dest()
                                         __ip_vs_unlink_dest()
                                           ~IP_VS_DEST_F_AVAILABLE
          cp->dest && !IP_VS_DEST_F_AVAILABLE
          __ip_vs_conn_put
        ...
        cleanup_net  ---> infinite looping
    
    Fix this by checking whether the timer already started.
    
    Signed-off-by: Tan Hu <tan.hu@zte.com.cn>
    Reviewed-by: Jiang Biao <jiang.biao2@zte.com.cn>
    Acked-by: Julian Anastasov <ja@ssi.bg>
    Acked-by: Simon Horman <horms@verge.net.au>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 74bc618db41cb5344c86870e26830df5eb91889c
Author: Philipp Rudo <prudo@linux.ibm.com>
Date:   Mon Aug 13 11:16:57 2018 +0200

    s390/kdump: Fix memleak in nt_vmcoreinfo
    
    [ Upstream commit 2d2e7075b87181ed0c675e4936e20bdadba02e1f ]
    
    The vmcoreinfo of a crashed system is potentially fragmented. Thus the
    crash kernel has an intermediate step where the vmcoreinfo is copied into a
    temporary, continuous buffer in the crash kernel memory. This temporary
    buffer is never freed. Free it now to prevent the memleak.
    
    While at it replace all occurrences of "VMCOREINFO" by its corresponding
    macro to prevent potential renaming issues.
    
    Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
    Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 2efb5989dd72b8e4348876ee6ab9d7422f5de530
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Wed Aug 15 09:12:07 2018 -0700

    platform/x86: intel_punit_ipc: fix build errors
    
    [ Upstream commit 340fd4cff43f18bace9358d4decdc9b6ed0715be ]
    
    Fix build errors by #including <linux/io.h>.
    
    ../drivers/platform/x86/intel_punit_ipc.c: In function 'ipc_read_status':
    ../drivers/platform/x86/intel_punit_ipc.c:55:2: error: implicit declaration of function 'readl' [-Werror=implicit-function-declaration]
      return readl(ipcdev->base[type][BASE_IFACE]);
    ../drivers/platform/x86/intel_punit_ipc.c: In function 'ipc_write_cmd':
    ../drivers/platform/x86/intel_punit_ipc.c:60:2: error: implicit declaration of function 'writel' [-Werror=implicit-function-declaration]
      writel(cmd, ipcdev->base[type][BASE_IFACE]);
    
    Fixes: 447ae3166702 ("x86: Don't include linux/irq.h from asm/hardirq.h")
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Cc: Zha Qipeng <qipeng.zha@intel.com>
    Cc: platform-driver-x86@vger.kernel.org
    Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fc2afa8065098d4a691c6d7684156dcd4f650dc1
Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date:   Fri Aug 17 15:44:34 2018 -0700

    fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot()
    
    [ Upstream commit 6cd00a01f0c1ae6a852b09c59b8dd55cc6c35d1d ]
    
    Since only dentry->d_name.len + 1 bytes out of DNAME_INLINE_LEN bytes
    are initialized at __d_alloc(), we can't copy the whole size
    unconditionally.
    
     WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff8fa27465ac50)
     636f6e66696766732e746d70000000000010000000000000020000000188ffff
      i i i i i i i i i i i i i u u u u u u u u u u i i i i i u u u u
                                      ^
     RIP: 0010:take_dentry_name_snapshot+0x28/0x50
     RSP: 0018:ffffa83000f5bdf8 EFLAGS: 00010246
     RAX: 0000000000000020 RBX: ffff8fa274b20550 RCX: 0000000000000002
     RDX: ffffa83000f5be40 RSI: ffff8fa27465ac50 RDI: ffffa83000f5be60
     RBP: ffffa83000f5bdf8 R08: ffffa83000f5be48 R09: 0000000000000001
     R10: ffff8fa27465ac00 R11: ffff8fa27465acc0 R12: ffff8fa27465ac00
     R13: ffff8fa27465acc0 R14: 0000000000000000 R15: 0000000000000000
     FS:  00007f79737ac8c0(0000) GS:ffffffff8fc30000(0000) knlGS:0000000000000000
     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     CR2: ffff8fa274c0b000 CR3: 0000000134aa7002 CR4: 00000000000606f0
      take_dentry_name_snapshot+0x28/0x50
      vfs_rename+0x128/0x870
      SyS_rename+0x3b2/0x3d0
      entry_SYSCALL_64_fastpath+0x1a/0xa4
      0xffffffffffffffff
    
    Link: http://lkml.kernel.org/r/201709131912.GBG39012.QMJLOVFSFFOOtH@I-love.SAKURA.ne.jp
    Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Cc: Vegard Nossum <vegard.nossum@gmail.com>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c5804ddfc3d3b08b2d3f616b245312f694123f88
Author: Andrey Ryabinin <aryabinin@virtuozzo.com>
Date:   Fri Aug 17 15:46:57 2018 -0700

    mm/fadvise.c: fix signed overflow UBSAN complaint
    
    [ Upstream commit a718e28f538441a3b6612da9ff226973376cdf0f ]
    
    Signed integer overflow is undefined according to the C standard.  The
    overflow in ksys_fadvise64_64() is deliberate, but since it is signed
    overflow, UBSAN complains:
    
            UBSAN: Undefined behaviour in mm/fadvise.c:76:10
            signed integer overflow:
            4 + 9223372036854775805 cannot be represented in type 'long long int'
    
    Use unsigned types to do math.  Unsigned overflow is defined so UBSAN
    will not complain about it.  This patch doesn't change generated code.
    
    [akpm@linux-foundation.org: add comment explaining the casts]
    Link: http://lkml.kernel.org/r/20180629184453.7614-1-aryabinin@virtuozzo.com
    Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
    Reported-by: <icytxw@gmail.com>
    Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
    Cc: Alexander Potapenko <glider@google.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 904728d7601ed5586461e6fe15601704e6d1bb90
Author: Suzuki K Poulose <suzuki.poulose@arm.com>
Date:   Wed Jul 18 10:18:45 2018 +0100

    virtio: pci-legacy: Validate queue pfn
    
    [ Upstream commit 69599206ea9a3f8f2e94d46580579cbf9d08ad6c ]
    
    Legacy PCI over virtio uses a 32bit PFN for the queue. If the
    queue pfn is too large to fit in 32bits, which we could hit on
    arm64 systems with 52bit physical addresses (even with 64K page
    size), we simply miss out a proper link to the other side of
    the queue.
    
    Add a check to validate the PFN, rather than silently breaking
    the devices.
    
    Cc: "Michael S. Tsirkin" <mst@redhat.com>
    Cc: Jason Wang <jasowang@redhat.com>
    Cc: Marc Zyngier <marc.zyngier@arm.com>
    Cc: Christoffer Dall <cdall@kernel.org>
    Cc: Peter Maydel <peter.maydell@linaro.org>
    Cc: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
    Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
    Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 94279fa683e9984261701b5a42160c258b61d3e9
Author: Randy Dunlap <rdunlap@infradead.org>
Date:   Wed Aug 15 12:30:38 2018 -0700

    scripts: modpost: check memory allocation results
    
    [ Upstream commit 1f3aa9002dc6a0d59a4b599b4fc8f01cf43ef014 ]
    
    Fix missing error check for memory allocation functions in
    scripts/mod/modpost.c.
    
    Fixes kernel bugzilla #200319:
    https://bugzilla.kernel.org/show_bug.cgi?id=200319
    
    Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
    Cc: Yuexing Wang <wangyxlandq@gmail.com>
    Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b6e77fa4a741e56256510621f4821a6337298cd5
Author: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Date:   Tue Aug 21 21:59:44 2018 -0700

    fat: validate ->i_start before using
    
    [ Upstream commit 0afa9626667c3659ef8bd82d42a11e39fedf235c ]
    
    On corrupted FATfs may have invalid ->i_start.  To handle it, this checks
    ->i_start before using, and return proper error code.
    
    Link: http://lkml.kernel.org/r/87o9f8y1t5.fsf_-_@mail.parknet.co.jp
    Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
    Tested-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
    Cc: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1cedd72d0f688b9c169836649ac9ec07a3c601d6
Author: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Date:   Thu Aug 23 17:00:25 2018 -0700

    hfsplus: fix NULL dereference in hfsplus_lookup()
    
    [ Upstream commit a7ec7a4193a2eb3b5341243fc0b621c1ac9e4ec4 ]
    
    An HFS+ filesystem can be mounted read-only without having a metadata
    directory, which is needed to support hardlinks.  But if the catalog
    data is corrupted, a directory lookup may still find dentries claiming
    to be hardlinks.
    
    hfsplus_lookup() does check that ->hidden_dir is not NULL in such a
    situation, but mistakenly does so after dereferencing it for the first
    time.  Reorder this check to prevent a crash.
    
    This happens when looking up corrupted catalog data (dentry) on a
    filesystem with no metadata directory (this could only ever happen on a
    read-only mount).  Wen Xu sent the replication steps in detail to the
    fsdevel list: https://bugzilla.kernel.org/show_bug.cgi?id=200297
    
    Link: http://lkml.kernel.org/r/20180712215344.q44dyrhymm4ajkao@eaf
    Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
    Reported-by: Wen Xu <wen.xu@gatech.edu>
    Cc: Viacheslav Dubeyko <slava@dubeyko.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b631562275be9dab2d80e50e311b6dd3a36d59ec
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Tue Aug 21 21:59:34 2018 -0700

    reiserfs: change j_timestamp type to time64_t
    
    [ Upstream commit 8b73ce6a4bae4fe12bcb2c361c0da4183c2e1b6f ]
    
    This uses the deprecated time_t type but is write-only, and could be
    removed, but as Jeff explains, having a timestamp can be usefule for
    post-mortem analysis in crash dumps.
    
    In order to remove one of the last instances of time_t, this changes the
    type to time64_t, same as j_trans_start_time.
    
    Link: http://lkml.kernel.org/r/20180622133315.221210-1-arnd@arndb.de
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>
    Cc: Jan Kara <jack@suse.cz>
    Cc: Jeff Mahoney <jeffm@suse.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 015fd7e0a66f615ade1ec8cf789a79a29b3ffde1
Author: Jann Horn <jannh@google.com>
Date:   Tue Aug 21 22:00:58 2018 -0700

    fork: don't copy inconsistent signal handler state to child
    
    [ Upstream commit 06e62a46bbba20aa5286102016a04214bb446141 ]
    
    Before this change, if a multithreaded process forks while one of its
    threads is changing a signal handler using sigaction(), the memcpy() in
    copy_sighand() can race with the struct assignment in do_sigaction().  It
    isn't clear whether this can cause corruption of the userspace signal
    handler pointer, but it definitely can cause inconsistency between
    different fields of struct sigaction.
    
    Take the appropriate spinlock to avoid this.
    
    I have tested that this patch prevents inconsistency between sa_sigaction
    and sa_flags, which is possible before this patch.
    
    Link: http://lkml.kernel.org/r/20180702145108.73189-1-jannh@google.com
    Signed-off-by: Jann Horn <jannh@google.com>
    Acked-by: Michal Hocko <mhocko@suse.com>
    Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
    Cc: Rik van Riel <riel@redhat.com>
    Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e9ec9111582ccef7c51c0e6c966a44bcd0293ac9
Author: Laura Abbott <labbott@redhat.com>
Date:   Fri Aug 17 14:43:54 2018 -0700

    sunrpc: Don't use stack buffer with scatterlist
    
    [ Upstream commit 44090cc876926277329e1608bafc01b9f6da627f ]
    
    Fedora got a bug report from NFS:
    
    kernel BUG at include/linux/scatterlist.h:143!
    ...
    RIP: 0010:sg_init_one+0x7d/0x90
    ..
      make_checksum+0x4e7/0x760 [rpcsec_gss_krb5]
      gss_get_mic_kerberos+0x26e/0x310 [rpcsec_gss_krb5]
      gss_marshal+0x126/0x1a0 [auth_rpcgss]
      ? __local_bh_enable_ip+0x80/0xe0
      ? call_transmit_status+0x1d0/0x1d0 [sunrpc]
      call_transmit+0x137/0x230 [sunrpc]
      __rpc_execute+0x9b/0x490 [sunrpc]
      rpc_run_task+0x119/0x150 [sunrpc]
      nfs4_run_exchange_id+0x1bd/0x250 [nfsv4]
      _nfs4_proc_exchange_id+0x2d/0x490 [nfsv4]
      nfs41_discover_server_trunking+0x1c/0xa0 [nfsv4]
      nfs4_discover_server_trunking+0x80/0x270 [nfsv4]
      nfs4_init_client+0x16e/0x240 [nfsv4]
      ? nfs_get_client+0x4c9/0x5d0 [nfs]
      ? _raw_spin_unlock+0x24/0x30
      ? nfs_get_client+0x4c9/0x5d0 [nfs]
      nfs4_set_client+0xb2/0x100 [nfsv4]
      nfs4_create_server+0xff/0x290 [nfsv4]
      nfs4_remote_mount+0x28/0x50 [nfsv4]
      mount_fs+0x3b/0x16a
      vfs_kern_mount.part.35+0x54/0x160
      nfs_do_root_mount+0x7f/0xc0 [nfsv4]
      nfs4_try_mount+0x43/0x70 [nfsv4]
      ? get_nfs_version+0x21/0x80 [nfs]
      nfs_fs_mount+0x789/0xbf0 [nfs]
      ? pcpu_alloc+0x6ca/0x7e0
      ? nfs_clone_super+0x70/0x70 [nfs]
      ? nfs_parse_mount_options+0xb40/0xb40 [nfs]
      mount_fs+0x3b/0x16a
      vfs_kern_mount.part.35+0x54/0x160
      do_mount+0x1fd/0xd50
      ksys_mount+0xba/0xd0
      __x64_sys_mount+0x21/0x30
      do_syscall_64+0x60/0x1f0
      entry_SYSCALL_64_after_hwframe+0x49/0xbe
    
    This is BUG_ON(!virt_addr_valid(buf)) triggered by using a stack
    allocated buffer with a scatterlist. Convert the buffer for
    rc4salt to be dynamically allocated instead.
    
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1615258
    Signed-off-by: Laura Abbott <labbott@redhat.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a9d3f38e1da185a21cc8c998514be51b9725a32f
Author: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Date:   Thu Aug 23 17:00:31 2018 -0700

    hfs: prevent crash on exit from failed search
    
    [ Upstream commit dc2572791d3a41bab94400af2b6bca9d71ccd303 ]
    
    hfs_find_exit() expects fd->bnode to be NULL after a search has failed.
    hfs_brec_insert() may instead set it to an error-valued pointer.  Fix
    this to prevent a crash.
    
    Link: http://lkml.kernel.org/r/53d9749a029c41b4016c495fc5838c9dba3afc52.1530294815.git.ernesto.mnd.fernandez@gmail.com
    Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
    Cc: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
    Cc: Viacheslav Dubeyko <slava@dubeyko.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b570baff463ab7a358757b4a572ee1fd258ebfcd
Author: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date:   Tue Aug 21 21:59:12 2018 -0700

    hfsplus: don't return 0 when fill_super() failed
    
    [ Upstream commit 7464726cb5998846306ed0a7d6714afb2e37b25d ]
    
    syzbot is reporting NULL pointer dereference at mount_fs() [1].  This is
    because hfsplus_fill_super() is by error returning 0 when
    hfsplus_fill_super() detected invalid filesystem image, and mount_bdev()
    is returning NULL because dget(s->s_root) == NULL if s->s_root == NULL,
    and mount_fs() is accessing root->d_sb because IS_ERR(root) == false if
    root == NULL.  Fix this by returning -EINVAL when hfsplus_fill_super()
    detected invalid filesystem image.
    
    [1] https://syzkaller.appspot.com/bug?id=21acb6850cecbc960c927229e597158cf35f33d0
    
    Link: http://lkml.kernel.org/r/d83ce31a-874c-dd5b-f790-41405983a5be@I-love.SAKURA.ne.jp
    Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Reported-by: syzbot <syzbot+01ffaf5d9568dd1609f7@syzkaller.appspotmail.com>
    Reviewed-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
    Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f440ea422c263d788001dfa9a2890909fe60b63d
Author: Ronnie Sahlberg <lsahlber@redhat.com>
Date:   Wed Aug 22 12:19:24 2018 +1000

    cifs: check if SMB2 PDU size has been padded and suppress the warning
    
    [ Upstream commit e6c47dd0da1e3a484e778046fc10da0b20606a86 ]
    
    Some SMB2/3 servers, Win2016 but possibly others too, adds padding
    not only between PDUs in a compound but also to the final PDU.
    This padding extends the PDU to a multiple of 8 bytes.
    
    Check if the unexpected length looks like this might be the case
    and avoid triggering the log messages for :
    
      "SMB2 server sent bad RFC1001 len %d not %d\n"
    
    Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
    Signed-off-by: Steve French <stfrench@microsoft.com>
    Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 947c262a14951b9c99abe72499fda2331f542f2b
Author: Vlad Buslov <vladbu@mellanox.com>
Date:   Tue Sep 4 00:44:42 2018 +0300

    net: sched: action_ife: take reference to meta module
    
    [ Upstream commit 84cb8eb26cb9ce3c79928094962a475a9d850a53 ]
    
    Recent refactoring of add_metainfo() caused use_all_metadata() to add
    metainfo to ife action metalist without taking reference to module. This
    causes warning in module_put called from ife action cleanup function.
    
    Implement add_metainfo_and_get_ops() function that returns with reference
    to module taken if metainfo was added successfully, and call it from
    use_all_metadata(), instead of calling __add_metainfo() directly.
    
    Example warning:
    
    [  646.344393] WARNING: CPU: 1 PID: 2278 at kernel/module.c:1139 module_put+0x1cb/0x230
    [  646.352437] Modules linked in: act_meta_skbtcindex act_meta_mark act_meta_skbprio act_ife ife veth nfsv3 nfs fscache xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c tun ebtable_filter ebtables ip6table_filter ip6_tables bridge stp llc mlx5_ib ib_uverbs ib_core intel_rapl sb_edac x86_pkg_temp_thermal mlx5_core coretemp kvm_intel kvm nfsd igb irqbypass crct10dif_pclmul devlink crc32_pclmul mei_me joydev ses crc32c_intel enclosure auth_rpcgss i2c_algo_bit ioatdma ptp mei pps_core ghash_clmulni_intel iTCO_wdt iTCO_vendor_support pcspkr dca ipmi_ssif lpc_ich target_core_mod i2c_i801 ipmi_si ipmi_devintf pcc_cpufreq wmi ipmi_msghandler nfs_acl lockd acpi_pad acpi_power_meter grace sunrpc mpt3sas raid_class scsi_transport_sas
    [  646.425631] CPU: 1 PID: 2278 Comm: tc Not tainted 4.19.0-rc1+ #799
    [  646.432187] Hardware name: Supermicro SYS-2028TP-DECR/X10DRT-P, BIOS 2.0b 03/30/2017
    [  646.440595] RIP: 0010:module_put+0x1cb/0x230
    [  646.445238] Code: f3 66 94 02 e8 26 ff fa ff 85 c0 74 11 0f b6 1d 51 30 94 02 80 fb 01 77 60 83 e3 01 74 13 65 ff 0d 3a 83 db 73 e9 2b ff ff ff <0f> 0b e9 00 ff ff ff e8 59 01 fb ff 85 c0 75 e4 48 c7 c2 20 62 6b
    [  646.464997] RSP: 0018:ffff880354d37068 EFLAGS: 00010286
    [  646.470599] RAX: 0000000000000000 RBX: ffffffffc0a52518 RCX: ffffffff8c2668db
    [  646.478118] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffffffffc0a52518
    [  646.485641] RBP: ffffffffc0a52180 R08: fffffbfff814a4a4 R09: fffffbfff814a4a3
    [  646.493164] R10: ffffffffc0a5251b R11: fffffbfff814a4a4 R12: 1ffff1006a9a6e0d
    [  646.500687] R13: 00000000ffffffff R14: ffff880362bab890 R15: dead000000000100
    [  646.508213] FS:  00007f4164c99800(0000) GS:ffff88036fe40000(0000) knlGS:0000000000000000
    [  646.516961] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  646.523080] CR2: 00007f41638b8420 CR3: 0000000351df0004 CR4: 00000000001606e0
    [  646.530595] Call Trace:
    [  646.533408]  ? find_symbol_in_section+0x260/0x260
    [  646.538509]  tcf_ife_cleanup+0x11b/0x200 [act_ife]
    [  646.543695]  tcf_action_cleanup+0x29/0xa0
    [  646.548078]  __tcf_action_put+0x5a/0xb0
    [  646.552289]  ? nla_put+0x65/0xe0
    [  646.555889]  __tcf_idr_release+0x48/0x60
    [  646.560187]  tcf_generic_walker+0x448/0x6b0
    [  646.564764]  ? tcf_action_dump_1+0x450/0x450
    [  646.569411]  ? __lock_is_held+0x84/0x110
    [  646.573720]  ? tcf_ife_walker+0x10c/0x20f [act_ife]
    [  646.578982]  tca_action_gd+0x972/0xc40
    [  646.583129]  ? tca_get_fill.constprop.17+0x250/0x250
    [  646.588471]  ? mark_lock+0xcf/0x980
    [  646.592324]  ? check_chain_key+0x140/0x1f0
    [  646.596832]  ? debug_show_all_locks+0x240/0x240
    [  646.601839]  ? memset+0x1f/0x40
    [  646.605350]  ? nla_parse+0xca/0x1a0
    [  646.609217]  tc_ctl_action+0x215/0x230
    [  646.613339]  ? tcf_action_add+0x220/0x220
    [  646.617748]  rtnetlink_rcv_msg+0x56a/0x6d0
    [  646.622227]  ? rtnl_fdb_del+0x3f0/0x3f0
    [  646.626466]  netlink_rcv_skb+0x18d/0x200
    [  646.630752]  ? rtnl_fdb_del+0x3f0/0x3f0
    [  646.634959]  ? netlink_ack+0x500/0x500
    [  646.639106]  netlink_unicast+0x2d0/0x370
    [  646.643409]  ? netlink_attachskb+0x340/0x340
    [  646.648050]  ? _copy_from_iter_full+0xe9/0x3e0
    [  646.652870]  ? import_iovec+0x11e/0x1c0
    [  646.657083]  netlink_sendmsg+0x3b9/0x6a0
    [  646.661388]  ? netlink_unicast+0x370/0x370
    [  646.665877]  ? netlink_unicast+0x370/0x370
    [  646.670351]  sock_sendmsg+0x6b/0x80
    [  646.674212]  ___sys_sendmsg+0x4a1/0x520
    [  646.678443]  ? copy_msghdr_from_user+0x210/0x210
    [  646.683463]  ? lock_downgrade+0x320/0x320
    [  646.687849]  ? debug_show_all_locks+0x240/0x240
    [  646.692760]  ? do_raw_spin_unlock+0xa2/0x130
    [  646.697418]  ? _raw_spin_unlock+0x24/0x30
    [  646.701798]  ? __handle_mm_fault+0x1819/0x1c10
    [  646.706619]  ? __pmd_alloc+0x320/0x320
    [  646.710738]  ? debug_show_all_locks+0x240/0x240
    [  646.715649]  ? restore_nameidata+0x7b/0xa0
    [  646.720117]  ? check_chain_key+0x140/0x1f0
    [  646.724590]  ? check_chain_key+0x140/0x1f0
    [  646.729070]  ? __fget_light+0xbc/0xd0
    [  646.733121]  ? __sys_sendmsg+0xd7/0x150
    [  646.737329]  __sys_sendmsg+0xd7/0x150
    [  646.741359]  ? __ia32_sys_shutdown+0x30/0x30
    [  646.746003]  ? up_read+0x53/0x90
    [  646.749601]  ? __do_page_fault+0x484/0x780
    [  646.754105]  ? do_syscall_64+0x1e/0x2c0
    [  646.758320]  do_syscall_64+0x72/0x2c0
    [  646.762353]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
    [  646.767776] RIP: 0033:0x7f4163872150
    [  646.771713] Code: 8b 15 3c 7d 2b 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb cd 66 0f 1f 44 00 00 83 3d b9 d5 2b 00 00 75 10 b8 2e 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 be cd 00 00 48 89 04 24
    [  646.791474] RSP: 002b:00007ffdef7d6b58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
    [  646.799721] RAX: ffffffffffffffda RBX: 0000000000000024 RCX: 00007f4163872150
    [  646.807240] RDX: 0000000000000000 RSI: 00007ffdef7d6bd0 RDI: 0000000000000003
    [  646.814760] RBP: 000000005b8b9482 R08: 0000000000000001 R09: 0000000000000000
    [  646.822286] R10: 00000000000005e7 R11: 0000000000000246 R12: 00007ffdef7dad20
    [  646.829807] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000679bc0
    [  646.837360] irq event stamp: 6083
    [  646.841043] hardirqs last  enabled at (6081): [<ffffffff8c220a7d>] __call_rcu+0x17d/0x500
    [  646.849882] hardirqs last disabled at (6083): [<ffffffff8c004f06>] trace_hardirqs_off_thunk+0x1a/0x1c
    [  646.859775] softirqs last  enabled at (5968): [<ffffffff8d4004a1>] __do_softirq+0x4a1/0x6ee
    [  646.868784] softirqs last disabled at (6082): [<ffffffffc0a78759>] tcf_ife_cleanup+0x39/0x200 [act_ife]
    [  646.878845] ---[ end trace b1b8c12ffe51e657 ]---
    
    Fixes: 5ffe57da29b3 ("act_ife: fix a potential deadlock")
    Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
    Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a93288c512cd92e2452f585e551279c776ff16af
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date:   Sun Aug 19 12:22:13 2018 -0700

    act_ife: fix a potential deadlock
    
    [ Upstream commit 5ffe57da29b3802baeddaa40909682bbb4cb4d48 ]
    
    use_all_metadata() acquires read_lock(&ife_mod_lock), then calls
    add_metainfo() which calls find_ife_oplist() which acquires the same
    lock again. Deadlock!
    
    Introduce __add_metainfo() which accepts struct tcf_meta_ops *ops
    as an additional parameter and let its callers to decide how
    to find it. For use_all_metadata(), it already has ops, no
    need to find it again, just call __add_metainfo() directly.
    
    And, as ife_mod_lock is only needed for find_ife_oplist(),
    this means we can make non-atomic allocation for populate_metalist()
    now.
    
    Fixes: 817e9f2c5c26 ("act_ife: acquire ife_mod_lock before reading ifeoplist")
    Cc: Jamal Hadi Salim <jhs@mojatatu.com>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c892575c97268007a56c2b94df8651e9d08c650b
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date:   Sun Aug 19 12:22:12 2018 -0700

    act_ife: move tcfa_lock down to where necessary
    
    [ Upstream commit 4e407ff5cd67ec76eeeea1deec227b7982dc7f66 ]
    
    The only time we need to take tcfa_lock is when adding
    a new metainfo to an existing ife->metalist. We don't need
    to take tcfa_lock so early and so broadly in tcf_ife_init().
    
    This means we can always take ife_mod_lock first, avoid the
    reverse locking ordering warning as reported by Vlad.
    
    Reported-by: Vlad Buslov <vladbu@mellanox.com>
    Tested-by: Vlad Buslov <vladbu@mellanox.com>
    Cc: Vlad Buslov <vladbu@mellanox.com>
    Cc: Jamal Hadi Salim <jhs@mojatatu.com>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dfb2b5b8ed4ffdc23c473e44c6e154297c7bc552
Author: Stephen Hemminger <stephen@networkplumber.org>
Date:   Tue Aug 21 10:40:38 2018 -0700

    hv_netvsc: ignore devices that are not PCI
    
    [ Upstream commit b93c1b5ac8643cc08bb74fa8ae21d6c63dfcb23d ]
    
    Registering another device with same MAC address (such as TAP, VPN or
    DPDK KNI) will confuse the VF autobinding logic.  Restrict the search
    to only run if the device is known to be a PCI attached VF.
    
    Fixes: e8ff40d4bff1 ("hv_netvsc: improve VF device matching")
    Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a21a39a9c37b8f629633d22a29cab69bbce38261
Author: Jason Wang <jasowang@redhat.com>
Date:   Fri Aug 24 16:53:13 2018 +0800

    vhost: correctly check the iova range when waking virtqueue
    
    [ Upstream commit 2d66f997f0545c8f7fc5cf0b49af1decb35170e7 ]
    
    We don't wakeup the virtqueue if the first byte of pending iova range
    is the last byte of the range we just got updated. This will lead a
    virtqueue to wait for IOTLB updating forever. Fixing by correct the
    check and wake up the virtqueue in this case.
    
    Fixes: 6b1e6cc7855b ("vhost: new device IOTLB API")
    Reported-by: Peter Xu <peterx@redhat.com>
    Signed-off-by: Jason Wang <jasowang@redhat.com>
    Reviewed-by: Peter Xu <peterx@redhat.com>
    Tested-by: Peter Xu <peterx@redhat.com>
    Acked-by: Michael S. Tsirkin <mst@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 36bf8bc54a59c14ce9b27283ff9f2225908fce1f
Author: Xin Long <lucien.xin@gmail.com>
Date:   Mon Aug 27 18:38:31 2018 +0800

    sctp: hold transport before accessing its asoc in sctp_transport_get_next
    
    [ Upstream commit bab1be79a5169ac748d8292b20c86d874022d7ba ]
    
    As Marcelo noticed, in sctp_transport_get_next, it is iterating over
    transports but then also accessing the association directly, without
    checking any refcnts before that, which can cause an use-after-free
    Read.
    
    So fix it by holding transport before accessing the association. With
    that, sctp_transport_hold calls can be removed in the later places.
    
    Fixes: 626d16f50f39 ("sctp: export some apis or variables for sctp_diag and reuse some for proc")
    Reported-by: syzbot+fe62a0c9aa6a85c6de16@syzkaller.appspotmail.com
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Acked-by: Neil Horman <nhorman@tuxdriver.com>
    Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d669bd62756ff89c3d49fc9e23973087ea27dfdd
Author: Alexey Kodanev <alexey.kodanev@oracle.com>
Date:   Thu Aug 23 19:49:54 2018 +0300

    vti6: remove !skb->ignore_df check from vti6_xmit()
    
    [ Upstream commit 9f2895461439fda2801a7906fb4c5fb3dbb37a0a ]
    
    Before the commit d6990976af7c ("vti6: fix PMTU caching and reporting
    on xmit") '!skb->ignore_df' check was always true because the function
    skb_scrub_packet() was called before it, resetting ignore_df to zero.
    
    In the commit, skb_scrub_packet() was moved below, and now this check
    can be false for the packet, e.g. when sending it in the two fragments,
    this prevents successful PMTU updates in such case. The next attempts
    to send the packet lead to the same tx error. Moreover, vti6 initial
    MTU value relies on PMTU adjustments.
    
    This issue can be reproduced with the following LTP test script:
        udp_ipsec_vti.sh -6 -p ah -m tunnel -s 2000
    
    Fixes: ccd740cbc6e0 ("vti6: Add pmtu handling to vti6_xmit.")
    Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
    Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit fe55bef40cd7652cfd665167c745bc9127cd2a66
Author: Florian Westphal <fw@strlen.de>
Date:   Thu Aug 30 14:24:29 2018 +0200

    tcp: do not restart timewait timer on rst reception
    
    [ Upstream commit 63cc357f7bba6729869565a12df08441a5995d9a ]
    
    RFC 1337 says:
     ''Ignore RST segments in TIME-WAIT state.
       If the 2 minute MSL is enforced, this fix avoids all three hazards.''
    
    So with net.ipv4.tcp_rfc1337=1, expected behaviour is to have TIME-WAIT sk
    expire rather than removing it instantly when a reset is received.
    
    However, Linux will also re-start the TIME-WAIT timer.
    
    This causes connect to fail when tying to re-use ports or very long
    delays (until syn retry interval exceeds MSL).
    
    packetdrill test case:
    // Demonstrate bogus rearming of TIME-WAIT timer in rfc1337 mode.
    `sysctl net.ipv4.tcp_rfc1337=1`
    
    0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
    0.000 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
    0.000 bind(3, ..., ...) = 0
    0.000 listen(3, 1) = 0
    
    0.100 < S 0:0(0) win 29200 <mss 1460,nop,nop,sackOK,nop,wscale 7>
    0.100 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 7>
    0.200 < . 1:1(0) ack 1 win 257
    0.200 accept(3, ..., ...) = 4
    
    // Receive first segment
    0.310 < P. 1:1001(1000) ack 1 win 46
    
    // Send one ACK
    0.310 > . 1:1(0) ack 1001
    
    // read 1000 byte
    0.310 read(4, ..., 1000) = 1000
    
    // Application writes 100 bytes
    0.350 write(4, ..., 100) = 100
    0.350 > P. 1:101(100) ack 1001
    
    // ACK
    0.500 < . 1001:1001(0) ack 101 win 257
    
    // close the connection
    0.600 close(4) = 0
    0.600 > F. 101:101(0) ack 1001 win 244
    
    // Our side is in FIN_WAIT_1 & waits for ack to fin
    0.7 < . 1001:1001(0) ack 102 win 244
    
    // Our side is in FIN_WAIT_2 with no outstanding data.
    0.8 < F. 1001:1001(0) ack 102 win 244
    0.8 > . 102:102(0) ack 1002 win 244
    
    // Our side is now in TIME_WAIT state, send ack for fin.
    0.9 < F. 1002:1002(0) ack 102 win 244
    0.9 > . 102:102(0) ack 1002 win 244
    
    // Peer reopens with in-window SYN:
    1.000 < S 1000:1000(0) win 9200 <mss 1460,nop,nop,sackOK,nop,wscale 7>
    
    // Therefore, reply with ACK.
    1.000 > . 102:102(0) ack 1002 win 244
    
    // Peer sends RST for this ACK.  Normally this RST results
    // in tw socket removal, but rfc1337=1 setting prevents this.
    1.100 < R 1002:1002(0) win 244
    
    // second syn. Due to rfc1337=1 expect another pure ACK.
    31.0 < S 1000:1000(0) win 9200 <mss 1460,nop,nop,sackOK,nop,wscale 7>
    31.0 > . 102:102(0) ack 1002 win 244
    
    // .. and another RST from peer.
    31.1 < R 1002:1002(0) win 244
    31.2 `echo no timer restart;ss -m -e -a -i -n -t -o state TIME-WAIT`
    
    // third syn after one minute.  Time-Wait socket should have expired by now.
    63.0 < S 1000:1000(0) win 9200 <mss 1460,nop,nop,sackOK,nop,wscale 7>
    
    // so we expect a syn-ack & 3whs to proceed from here on.
    63.0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 7>
    
    Without this patch, 'ss' shows restarts of tw timer and last packet is
    thus just another pure ack, more than one minute later.
    
    This restores the original code from commit 283fd6cf0be690a83
    ("Merge in ANK networking jumbo patch") in netdev-vger-cvs.git .
    
    For some reason the else branch was removed/lost in 1f28b683339f7
    ("Merge in TCP/UDP optimizations and [..]") and timer restart became
    unconditional.
    
    Reported-by: Michal Tesar <mtesar@redhat.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 35a90212011a3344a5a91e153e393652b481995d
Author: Anthony Wong <anthony.wong@ubuntu.com>
Date:   Fri Aug 31 20:06:42 2018 +0800

    r8169: add support for NCube 8168 network card
    
    [ Upstream commit 9fd0e09a4e86499639653243edfcb417a05c5c46 ]
    
    This card identifies itself as:
      Ethernet controller [0200]: NCube Device [10ff:8168] (rev 06)
      Subsystem: TP-LINK Technologies Co., Ltd. Device [7470:3468]
    
    Adding a new entry to rtl8169_pci_tbl makes the card work.
    
    Link: http://launchpad.net/bugs/1788730
    Signed-off-by: Anthony Wong <anthony.wong@ubuntu.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 142e7b5832c3e41705b8723faa6692b5e016549d
Author: Manish Chopra <manish.chopra@cavium.com>
Date:   Thu Aug 23 13:20:52 2018 -0700

    qlge: Fix netdev features configuration.
    
    [ Upstream commit 6750c87074c5b534d82fdaabb1deb45b8f1f57de ]
    
    qlge_fix_features() is not supposed to modify hardware or
    driver state, rather it is supposed to only fix requested
    fetures bits. Currently qlge_fix_features() also goes for
    interface down and up unnecessarily if there is not even
    any change in features set.
    
    This patch changes/fixes following -
    
    1) Move reload of interface or device re-config from
       qlge_fix_features() to qlge_set_features().
    2) Reload of interface in qlge_set_features() only if
       relevant feature bit (NETIF_F_HW_VLAN_CTAG_RX) is changed.
    3) Get rid of qlge_fix_features() since driver is not really
       required to fix any features bit.
    
    Signed-off-by: Manish <manish.chopra@cavium.com>
    Reviewed-by: Benjamin Poirier <bpoirier@suse.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 214339f16c3afe5e56961b925e47a3b7ca2c86f0
Author: Kees Cook <keescook@chromium.org>
Date:   Sat Aug 25 22:58:01 2018 -0700

    net: sched: Fix memory exposure from short TCA_U32_SEL
    
    [ Upstream commit 98c8f125fd8a6240ea343c1aa50a1be9047791b8 ]
    
    Via u32_change(), TCA_U32_SEL has an unspecified type in the netlink
    policy, so max length isn't enforced, only minimum. This means nkeys
    (from userspace) was being trusted without checking the actual size of
    nla_len(), which could lead to a memory over-read, and ultimately an
    exposure via a call to u32_dump(). Reachability is CAP_NET_ADMIN within
    a namespace.
    
    Reported-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Jamal Hadi Salim <jhs@mojatatu.com>
    Cc: Cong Wang <xiyou.wangcong@gmail.com>
    Cc: Jiri Pirko <jiri@resnulli.us>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: netdev@vger.kernel.org
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 89550ec53fce04edc5de7570449cf9e140b0424a
Author: Doug Berger <opendmb@gmail.com>
Date:   Tue Aug 28 12:33:15 2018 -0700

    net: bcmgenet: use MAC link status for fixed phy
    
    [ Upstream commit c3c397c1f16c51601a3fac4fe0c63ad8aa85a904 ]
    
    When using the fixed PHY with GENET (e.g. MOCA) the PHY link
    status can be determined from the internal link status captured
    by the MAC. This allows the PHY state machine to use the correct
    link state with the fixed PHY even if MAC link event interrupts
    are missed when the net device is opened.
    
    Fixes: 8d88c6ebb34c ("net: bcmgenet: enable MoCA link state change detection")
    Signed-off-by: Doug Berger <opendmb@gmail.com>
    Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e801b695c3e749ab02ff06274ec1cd06369342ca
Author: Eric Dumazet <edumazet@google.com>
Date:   Wed Aug 22 13:30:45 2018 -0700

    ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT state
    
    [ Upstream commit 431280eebed9f5079553daf003011097763e71fd ]
    
    tcp uses per-cpu (and per namespace) sockets (net->ipv4.tcp_sk) internally
    to send some control packets.
    
    1) RST packets, through tcp_v4_send_reset()
    2) ACK packets in SYN-RECV and TIME-WAIT state, through tcp_v4_send_ack()
    
    These packets assert IP_DF, and also use the hashed IP ident generator
    to provide an IPv4 ID number.
    
    Geoff Alexander reported this could be used to build off-path attacks.
    
    These packets should not be fragmented, since their size is smaller than
    IPV4_MIN_MTU. Only some tunneled paths could eventually have to fragment,
    regardless of inner IPID.
    
    We really can use zero IPID, to address the flaw, and as a bonus,
    avoid a couple of atomic operations in ip_idents_reserve()
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: Geoff Alexander <alexandg@cs.unm.edu>
    Tested-by: Geoff Alexander <alexandg@cs.unm.edu>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4fb15ff15b2c196b0e0a1df160181545c7b1d527
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date:   Mon Sep 3 11:08:15 2018 -0700

    act_ife: fix a potential use-after-free
    
    [ Upstream commit 6d784f1625ea68783cc1fb17de8f6cd3e1660c3f ]
    
    Immediately after module_put(), user could delete this
    module, so e->ops could be already freed before we call
    e->ops->release().
    
    Fix this by moving module_put() after ops->release().
    
    Fixes: ef6980b6becb ("introduce IFE action")
    Cc: Jamal Hadi Salim <jhs@mojatatu.com>
    Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit bc71f393d31c68d3173381aab8f8b3bfdc43bbb9
Author: Michal Hocko <mhocko@suse.cz>
Date:   Wed Jun 27 17:46:50 2018 +0200

    x86/speculation/l1tf: Fix up pte->pfn conversion for PAE
    
    commit e14d7dfb41f5807a0c1c26a13f2b8ef16af24935 upstream.
    
    Jan has noticed that pte_pfn and co. resp. pfn_pte are incorrect for
    CONFIG_PAE because phys_addr_t is wider than unsigned long and so the
    pte_val reps. shift left would get truncated. Fix this up by using proper
    types.
    
    [Just one chunk, again, needed here.  Thanks to Ben and Guenter for
    finding and fixing this. - gregkh]
    
    Fixes: 6b28baca9b1f ("x86/speculation/l1tf: Protect PROT_NONE PTEs against speculation")
    Reported-by: Jan Beulich <JBeulich@suse.com>
    Signed-off-by: Michal Hocko <mhocko@suse.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Acked-by: Vlastimil Babka <vbabka@suse.cz>
    Cc: Guenter Roeck <linux@roeck-us.net>
    Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>