Ubuntu
linux package

kernel panic using CIFS share in smb2_push_mandatory_locks()

Bionic (18.04)
Bug #1795659

Bug #1795659 reported by Stefan Stranz on 2018-10-02

This bug affects 5 people

	Status	Importance	Assigned to
linux (Ubuntu)	Fix Released	High	Guilherme G. Piccoli
Xenial	Invalid	Undecided	Guilherme G. Piccoli
Bionic	Fix Released	High	Guilherme G. Piccoli
Cosmic	Won't Fix	High	Guilherme G. Piccoli
Disco	Fix Released	High	Guilherme G. Piccoli
linux-azure (Ubuntu)	Fix Released	Critical	Unassigned
Xenial	Fix Released	Critical	Unassigned
Bionic	Invalid	Undecided	Unassigned
Cosmic	Invalid	Undecided	Unassigned
Disco	Invalid	Undecided	Unassigned

Bug Description

NOTICE: The new patch merge is being worked on https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1856949 - if you face this issue, please report there!

[Impact]

* We got reports of a kernel crash in cifs module with the following signature:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
IP: smb2_push_mandatory_locks+0x10e/0x3b0 [cifs]
PGD 0 P4D 0
RIP: 0010:smb2_push_mandatory_locks+0x10e/0x3b0 [cifs]
Call Trace:
cifs_oplock_break+0x12f/0x3d0 [cifs]
process_one_work+0x14d/0x410
worker_thread+0x4b/0x460
kthread+0x105/0x140
[...]

* Low-level analysis (decodecode script output and the objdump of the function) revealed that we are crashing in a NULL ptr dereference when trying to access "cfile->tlink"; below, a snippet of the objdump at function smb2_push_mandatory_locks():

[...]
mov 0x10(%r14),%r15 # %r15 = cifsFileInfo *cfile
mov 0x18(%r14),%rbx # %rbx = cifsLockInfo *li = (fdlocks->locks)
lea 0x18(%r14),%r12
mov 0x90(%r15),%rax # %rax = struct tcon_link *tlink (cfile->tlink)
cmp %r12,%rbx
mov 0x38(%rax),%rax # <--- TRAP [trying to get cifs_tcon *tl_tcon]
[...]

* After discussing the issue with CIFS maintainers (Steve French and Pavel Shilovsky) they suggested commit b98749cac4a6 ("CIFS: keep FileInfo handle live during oplock break") [http://git.kernel.org/linus/b98749cac4a6] as a fix for multiple reports of this kind of crash.

* The fix was sent to stable kernels and is present in Ubuntu kernels 5.0 and newer. We are requesting the SRU for this patch here in order to fix the crashes, after reports of successful testing with the patch (see below section) and since the patch is restricted to the cifs module scope and accepted on linux stable.

* Alternatively the issue is known to be avoided when oplocks are disabled using "cifs.enable_oplocks=N" module parameter.

[Test case]

* Unfortunately we cannot reproduce the issue. The patch proposed here was
validated by us with xfstests (instructions followed from
https://wiki.samba.org/index.php/Xfstesting-cifs) and fio. Also, we
have a user report of test validation using LISA (https://github.com/LIS/LISAv2).

* Using xfstest with the exclusions proposed in the link above we managed to get the same results as a non-patched kernel, i.e., the same tests failed in both kernels, we didn't get worse results with the patch. Fio also didn't show noticeable performance regression with the patch.

[Regression potential]

* The patch was validated by the cifs filesystem maintainers (in fact they suggested its inclusion in Ubuntu) and by the aforementioned tests; also, the scope is restricted to cifs only so the likelihood of regressions is considered low.

* Due to the nature of the code modification (add a new reference of a file handler and manipulate it in different places), I consider that if we have a regression it'll manifest as deadlock/blocked tasks, not something more serious like crashes or data corruption.

See original description

Tags:

CVE References

Revision history for this message

Stefan Stranz (sfs1988) wrote on 2018-10-02:

dmesg from /var/crash Edit (36.5 KiB, text/plain)

Revision history for this message

Joseph Salisbury (jsalisbury) wrote on 2018-10-02:

Did this issue start happening after an update/upgrade? Was there a prior kernel version where you were not having this particular problem?

Would it be possible for you to test the latest upstream kernel? Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v4.19 kernel[0].

If this bug is fixed in the mainline kernel, please add the following tag 'kernel-fixed-upstream'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".

Thanks in advance.

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.19-rc6

affects:	linux-hwe (Ubuntu) → linux (Ubuntu)
Changed in linux (Ubuntu):
importance:	Undecided → High
status:	New → Triaged
tags:	added: kernel-da-key
Changed in linux (Ubuntu):
status:	Triaged → Incomplete

Revision history for this message

Stefan Stranz (sfs1988) wrote on 2018-10-02:

I'm unable to fully test the upstream bugs as I can't install linux-headers-4.19.0-041900rc6-generic due to libssl1.1 not being available for 4.15. System does boot without the generic package on the new version though.

While i'm looking at upgrading the boxes to 18.04 from the 16.04 install, these are production servers and I can't just swap them over.

I can see the random reboots happening as far back as February, but I don't have a log from those so it could be a different issue then. I know both -34 and -36 kernel builds had the issue.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2018-12-02:

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status:	Incomplete → Expired

Revision history for this message

Guilherme G. Piccoli (gpiccoli) wrote on 2019-04-10:

Thanks for reporting that Stefan! There's a Debian bug report (although the kernel
version is different, seems the same issue): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830771 .

Also, recently I had a report of this issue happening in Azure instance, kernel version 4.15.0-1041-azure.

Cheers,

Guilherme

Changed in linux (Ubuntu):
assignee:	nobody → Guilherme G. Piccoli (gpiccoli)
status:	Expired → Confirmed
Changed in linux (Ubuntu Bionic):
status:	New → Confirmed
importance:	Undecided → High
assignee:	nobody → Guilherme G. Piccoli (gpiccoli)

Guilherme G. Piccoli (gpiccoli) on 2019-04-11

tags:

added: sts

Revision history for this message

Guilherme G. Piccoli (gpiccoli) wrote on 2019-05-06:

Hi, have some news in this one. I've emailed Microsoft CIFS maintainers, they recommended the following patch as a potential fix:
b98749cac4a6 ("CIFS: keep FileInfo handle live during oplock break").

There's a PPA with a kernel built including this patch, for those interested in testing: https://launchpad.net/~dragan-s/+archive/ubuntu/lp1795659 .

Cheers,

Guilherme

Guilherme G. Piccoli (gpiccoli) on 2019-05-23

Changed in linux (Ubuntu Cosmic):
status:	New → Confirmed
Changed in linux (Ubuntu Disco):
status:	New → Confirmed
Changed in linux (Ubuntu Cosmic):
importance:	Undecided → High
Changed in linux (Ubuntu Disco):
importance:	Undecided → High
Changed in linux (Ubuntu Cosmic):
assignee:	nobody → Guilherme G. Piccoli (gpiccoli)
Changed in linux (Ubuntu Disco):
assignee:	nobody → Guilherme G. Piccoli (gpiccoli)

Guilherme G. Piccoli (gpiccoli) on 2019-07-16

Changed in linux (Ubuntu Disco):
status:	Confirmed → Fix Released
Changed in linux (Ubuntu Cosmic):
status:	Confirmed → Won't Fix
Changed in linux (Ubuntu Bionic):
status:	Confirmed → In Progress

Guilherme G. Piccoli (gpiccoli) on 2019-07-17

summary:	- kernel panic using CIFS share smb2_push_mandatory_locks + kernel panic using CIFS share in smb2_push_mandatory_locks()
description:	updated
description:	updated

Revision history for this message

Guilherme G. Piccoli (gpiccoli) wrote on 2019-07-17:

SRU request sent to kernel-team mailing list: https://lists.ubuntu.com/archives/kernel-team/2019-July/102354.html

Cheers,

Guilherme

Khaled El Mously (kmously) on 2019-07-19

Changed in linux (Ubuntu Bionic):
status:	In Progress → Fix Committed

Marcelo Cerri (mhcerri) on 2019-07-23

Changed in linux (Ubuntu Xenial):
status:	New → Invalid
Changed in linux-azure (Ubuntu Bionic):
status:	New → Invalid
Changed in linux-azure (Ubuntu Cosmic):
status:	New → Invalid
Changed in linux-azure (Ubuntu Disco):
status:	New → Invalid
Changed in linux-azure (Ubuntu):
importance:	Undecided → Critical
status:	New → Confirmed
Changed in linux-azure (Ubuntu Xenial):
importance:	Undecided → Critical

Marcelo Cerri (mhcerri) on 2019-07-23

Changed in linux-azure (Ubuntu Xenial):
status:	New → Fix Committed

Brad Figg (brad-figg) on 2019-07-24

tags:

added: cscc

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2019-07-25:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-bionic

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-07-29:

This bug was fixed in the package linux-azure - 4.15.0-1052.57

---------------
linux-azure (4.15.0-1052.57) xenial; urgency=medium

* xenial/linux-azure: 4.15.0-1052.57 -proposed tracker (LP: #1837632)

* kernel panic using CIFS share in smb2_push_mandatory_locks() (LP: #1795659)
- CIFS: keep FileInfo handle live during oplock break

-- Marcelo Henrique Cerri <email address hidden> Tue, 23 Jul 2019 13:19:53 -0300

Changed in linux-azure (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Guilherme G. Piccoli (gpiccoli) on 2019-07-31

Changed in linux-azure (Ubuntu):
status:	Confirmed → Fix Released
Changed in linux (Ubuntu Xenial):
assignee:	nobody → Guilherme G. Piccoli (gpiccoli)

Revision history for this message

Guilherme G. Piccoli (gpiccoli) wrote on 2019-07-31:

#10

I've validated the -proposed kernel for Bionic (4.15.0-56) using the xfstests suite mentioned in the description. Interestingly, the patch seems to fix the test generic/504, which failed both in smb2 and smb3 only in kernel 4.15.0-55. Other than that, the same amount of tests failed in both cases, and no significant performance impact was noticed.

Cheers,

Guilherme

tags:

added: verification-done-bionic
removed: verification-needed-bionic

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2019-08-07:

#11

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-xenial

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-08-13:

#12

Download full text (171.3 KiB)

This bug was fixed in the package linux - 4.15.0-58.64

---------------
linux (4.15.0-58.64) bionic; urgency=medium

  * unable to handle kernel NULL pointer dereference at 000000000000002c (IP:
    iget5_locked+0x9e/0x1f0) (LP: #1838982)
    - Revert "ovl: set I_CREATING on inode being created"
    - Revert "new primitive: discard_new_inode()"

linux (4.15.0-57.63) bionic; urgency=medium

  * CVE-2019-1125
    - x86/cpufeatures: Carve out CQM features retrieval
    - x86/cpufeatures: Combine word 11 and 12 into a new scattered features word
    - x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations
    - x86/speculation: Enable Spectre v1 swapgs mitigations
    - x86/entry/64: Use JMP instead of JMPQ
    - x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS

* Packaging resync (LP: #1786013)
- update dkms package versions

linux (4.15.0-56.62) bionic; urgency=medium

* bionic/linux: 4.15.0-56.62 -proposed tracker (LP: #1837626)

  * Packaging resync (LP: #1786013)
    - [Packaging] resync git-ubuntu-log
    - [Packaging] update helper scripts

* CVE-2019-2101
- media: uvcvideo: Fix 'type' check leading to overflow

  * hibmc-drm Causes Unreadable Display for Huawei amd64 Servers (LP: #1762940)
    - [Config] Set CONFIG_DRM_HISI_HIBMC to arm64 only
    - SAUCE: Make CONFIG_DRM_HISI_HIBMC depend on ARM64

  * Bionic: support for Solarflare X2542 network adapter (sfc driver)
    (LP: #1836635)
    - sfc: make mem_bar a function rather than a constant
    - sfc: support VI strides other than 8k
    - sfc: add Medford2 (SFC9250) PCI Device IDs
    - sfc: improve PTP error reporting
    - sfc: update EF10 register definitions
    - sfc: populate the timer reload field
    - sfc: update MCDI protocol headers
    - sfc: support variable number of MAC stats
    - sfc: expose FEC stats on Medford2
    - sfc: expose CTPIO stats on NICs that support them
    - sfc: basic MCDI mapping of 25/50/100G link speeds
    - sfc: support the ethtool ksettings API properly so that 25/50/100G works
    - sfc: add bits for 25/50/100G supported/advertised speeds
    - sfc: remove tx and MCDI handling from NAPI budget consideration
    - sfc: handle TX timestamps in the normal data path
    - sfc: add function to determine which TX timestamping method to use
    - sfc: use main datapath for HW timestamps if available
    - sfc: only enable TX timestamping if the adapter is licensed for it
    - sfc: MAC TX timestamp handling on the 8000 series
    - sfc: on 8000 series use TX queues for TX timestamps
    - sfc: only advertise TX timestamping if we have the license for it
    - sfc: simplify RX datapath timestamping
    - sfc: support separate PTP and general timestamping
    - sfc: support second + quarter ns time format for receive datapath
    - sfc: support Medford2 frequency adjustment format
    - sfc: add suffix to large constant in ptp
    - sfc: mark some unexported symbols as static
    - sfc: update MCDI protocol headers
    - sfc: support FEC configuration through ethtool
    - sfc: remove ctpio_dmabuf_start from stats
    - sfc: stop the TX queue before pushing new buffers

* [18.04 FEAT] zKVM: Add hardwar...

This bug was fixed in the package linux - 4.15.0-58.64

---------------
linux (4.15.0-58.64) bionic; urgency=medium

linux (4.15.0-57.63) bionic; urgency=medium

* Packaging resync (LP: #1786013)
    - update dkms package versions

linux (4.15.0-56.62) bionic; urgency=medium

* bionic/linux: 4.15.0-56.62 -proposed tracker (LP: #1837626)

* Packaging resync (LP: #1786013)
    - [Packaging] resync git-ubuntu-log
    - [Packaging] update helper scripts

* CVE-2019-2101
    - media: uvcvideo: Fix 'type' check leading to overflow

* hibmc-drm Causes Unreadable Display for Huawei amd64 Servers (LP: #1762940)
    - [Config] Set CONFIG_DRM_HISI_HIBMC to arm64 only
    - SAUCE: Make CONFIG_DRM_HISI_HIBMC depend on ARM64

* [18.04 FEAT] zKVM: Add hardware CPU Model - kernel part (LP: #1836153)
    - KVM: s390: add debug logging for cpu model subfunctions
    - KVM: s390: implement subfunction processor calls
    - KVM: s390: add vector enhancements facility 2 to cpumodel
    - KVM: s390: add vector BCD enhancements facility to cpumodel
    - KVM: s390: add MSA9 to cpumodel
    - KVM: s390: provide query function for instructions returning 32 byte
    - KVM: s390: add enhanced sort facilty to cpu model
    - KVM: s390: add deflate conversion facilty to cpu model
    - KVM: s390: enable MSA9 keywrapping functions depending on cpu model

* Intel ethernet I219 has slow RX speed (LP: #1836152)
    - SAUCE: e1000e: add workaround for possible stalled packet
    - SAUCE: e1000e: disable force K1-off feature

* Intel ethernet I219 may wrongly detect connection speed as 10Mbps
    (LP: #1836177)
    - SAUCE: e1000e: Make watchdog use delayed work

* Unhide Nvidia HDA audio controller (LP: #1836308)
    - PCI: Enable NVIDIA HDA controllers

* selftests: Remove broken Power9 paste tests and fix compilation issue
    (LP: #1836715)
    - selftests/powerpc: Remove Power9 paste tests
    - selftests/powerpc: Fix Makefiles for headers_install change

* ixgbe{vf} - Physical Function gets IRQ when VF checks link state
    (LP: #1836760)
    - ixgbevf: Use cached link state instead of re-reading the value for ethtool

* Fix nf_conntrack races when dealing with same origin requests in NAT
    environments (LP: #1836816)
    - netfilter: nf_conntrack: resolve clash for matching conntracks
    - netfilter: nf_nat: skip nat clash resolution for same-origin entries

* CVE-2018-5383
    - crypto: ecdh - add public key verification test

* sched: Prevent CPU lockups when task groups take longer than the period
    (LP: #1836971)
    - sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup

* depmod may prefer unsigned l-r-m nvidia modules to signed modules
    (LP: #1834479)
    - [Packaging] dkms-build--nvidia-N -- clean up unsigned ko files
    - [Packaging] Add update-version-dkms
    - update dkms package versions

* Build Nvidia drivers in conjunction with kernel (LP: #1764792) // zfs/spl
    build in conjunction with the kernel from DKMS source (LP: #1807378)
    - [Packaging] dkms-build--nvidia-* -- convert to generic -N form

* zfs/spl build in conjunction with the kernel from DKMS source (LP: #1807378)
    - [Packaging] dkms -- dkms package build packaging support
    - [Packaging] dkms -- build zfs/spl packages
    - [Packaging] dkms -- drop zfs/spl source code from kernel

* Build Nvidia drivers in conjunction with kernel (LP: #1764792)
    - [Packaging] dkms -- introduce dkms package versions
    - [Packaging] dkms -- add per package post-process step
    - [Packaging] dkms -- switch to a consistent build prefix length and strip
    - [Packaging] dkms-build -- support building against packages in PPAs
    - [Packaging] dkms-build: do not redownload files on subsequent passes
    - [Packaging] dkms-build -- add support for unversioned overrides
    - [Packaging] dkms-build -- backport latest version from disco
    - [Packaging] nvidia -- build and sign nvidia packages and ship signatures
    - [Packaging] nvidia -- make nvidia package version explicit

* CVE-2019-13233
    - x86/insn-eval: Fix use-after-free access to LDT entry

* kernel panic using CIFS share in smb2_push_mandatory_locks() (LP: #1795659)
    - CIFS: keep FileInfo handle live during oplock break

* cifs set_oplock buffer overflow in strcat (LP: #1824981)
    - cifs: fix strcat buffer overflow and reduce raciness in
      smb21_set_oplock_level()

* CVE-2019-13272
    - ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME

* Bionic update: upstream stable patchset 2019-07-18 (LP: #1837161)
    - Kbuild: suppress packed-not-aligned warning for default setting only
    - disable stringop truncation warnings for now
    - test_hexdump: use memcpy instead of strncpy
    - kobject: Replace strncpy with memcpy
    - ALSA: intel_hdmi: Use strlcpy() instead of strncpy()
    - unifdef: use memcpy instead of strncpy
    - kernfs: Replace strncpy with memcpy
    - ip_tunnel: Fix name string concatenate in __ip_tunnel_create()
    - scsi: bfa: convert to strlcpy/strlcat
    - kdb: use memmove instead of overlapping memcpy
    - iser: set sector for ambiguous mr status errors
    - uprobes: Fix handle_swbp() vs. unregister() + register() race once more
    - MIPS: ralink: Fix mt7620 nd_sd pinmux
    - mips: fix mips_get_syscall_arg o32 check
    - IB/mlx5: Avoid load failure due to unknown link width
    - drm/ast: Fix incorrect free on ioregs
    - drm: set is_master to 0 upon drm_new_set_master() failure
    - drm/meson: Enable fast_io in meson_dw_hdmi_regmap_config
    - drm/meson: Fix OOB memory accesses in meson_viu_set_osd_lut()
    - ALSA: trident: Suppress gcc string warning
    - kgdboc: Fix restrict error
    - kgdboc: Fix warning with module build
    - svm: Add mutex_lock to protect apic_access_page_done on AMD systems
    - drm/msm: fix OF child-node lookup
    - Input: xpad - quirk all PDP Xbox One gamepads
    - Input: synaptics - add PNP ID for ThinkPad P50 to SMBus
    - Input: matrix_keypad - check for errors from of_get_named_gpio()
    - Input: cros_ec_keyb - fix button/switch capability reports
    - Input: elan_i2c - add ELAN0620 to the ACPI table
    - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR
    - Input: elan_i2c - add support for ELAN0621 touchpad
    - btrfs: tree-checker: Don't check max block group size as current max chunk
      size limit is unreliable
    - ARC: change defconfig defaults to ARCv2
    - arc: [devboards] Add support of NFSv3 ACL
    - reset: make device_reset_optional() really optional
    - reset: remove remaining WARN_ON() in <linux/reset.h>
    - mm: hide incomplete nr_indirectly_reclaimable in /proc/zoneinfo
    - net: qed: use correct strncpy() size
    - tipc: use destination length for copy string
    - arm64: ftrace: Fix to enable syscall events on arm64
    - sched, trace: Fix prev_state output in sched_switch tracepoint
    - tracing/fgraph: Fix set_graph_function from showing interrupts
    - drm/meson: Fixes for drm_crtc_vblank_on/off support
    - scsi: lpfc: fix block guard enablement on SLI3 adapters
    - media: omap3isp: Unregister media device as first
    - iommu/vt-d: Fix NULL pointer dereference in prq_event_thread()
    - brcmutil: really fix decoding channel info for 160 MHz bandwidth
    - iommu/ipmmu-vmsa: Fix crash on early domain free
    - can: rcar_can: Fix erroneous registration
    - test_firmware: fix error return getting clobbered
    - HID: input: Ignore battery reported by Symbol DS4308
    - batman-adv: Use explicit tvlv padding for ELP packets
    - batman-adv: Expand merged fragment buffer for full packet
    - amd/iommu: Fix Guest Virtual APIC Log Tail Address Register
    - bnx2x: Assign unique DMAE channel number for FW DMAE transactions.
    - qed: Fix PTT leak in qed_drain()
    - qed: Fix reading wrong value in loop condition
    - net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command
    - net/mlx4_core: Fix uninitialized variable compilation warning
    - net/mlx4: Fix UBSAN warning of signed integer overflow
    - gpio: mockup: fix indicated direction
    - mtd: rawnand: qcom: Namespace prefix some commands
    - mtd: spi-nor: Fix Cadence QSPI page fault kernel panic
    - qed: Fix bitmap_weight() check
    - qed: Fix QM getters to always return a valid pq
    - net: faraday: ftmac100: remove netif_running(netdev) check before disabling
      interrupts
    - iommu/vt-d: Use memunmap to free memremap
    - flexfiles: use per-mirror specified stateid for IO
    - ibmvnic: Fix RX queue buffer cleanup
    - team: no need to do team_notify_peers or team_mcast_rejoin when disabling
      port
    - net: amd: add missing of_node_put()
    - usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device
    - usb: appledisplay: Add 27" Apple Cinema Display
    - USB: check usb_get_extra_descriptor for proper size
    - ALSA: hda: Add support for AMD Stoney Ridge
    - ALSA: pcm: Fix starvation on down_write_nonblock()
    - ALSA: pcm: Call snd_pcm_unlink() conditionally at closing
    - ALSA: pcm: Fix interval evaluation with openmin/max
    - ALSA: hda/realtek - Fix speaker output regression on Thinkpad T570
    - SUNRPC: Fix leak of krb5p encode pages
    - dmaengine: dw: Fix FIFO size for Intel Merrifield
    - dmaengine: cppi41: delete channel from pending list when stop channel
    - ARM: 8806/1: kprobes: Fix false positive with FORTIFY_SOURCE
    - xhci: Prevent U1/U2 link pm states if exit latency is too long
    - f2fs: fix to do sanity check with block address in main area v2
    - swiotlb: clean up reporting
    - Staging: lustre: remove two build warnings
    - staging: atomisp: remove "fun" strncpy warning
    - cifs: Fix separator when building path from dentry
    - staging: rtl8712: Fix possible buffer overrun
    - Revert commit ef9209b642f "staging: rtl8723bs: Fix indenting errors and an
      off-by-one mistake in core/rtw_mlme_ext.c"
    - drm/amdgpu: update mc firmware image for polaris12 variants
    - drm/amdgpu/gmc8: update MC firmware for polaris
    - tty: serial: 8250_mtk: always resume the device in probe.
    - kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var()
    - libnvdimm, pfn: Pad pfn namespaces relative to other regions
    - mac80211: Clear beacon_int in ieee80211_do_stop
    - mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext
    - mac80211: fix reordering of buffered broadcast packets
    - mac80211: ignore NullFunc frames in the duplicate detection
    - qed: Fix rdma_info structure allocation
    - drm/amdgpu: Add amdgpu "max bpc" connector property (v2)
    - drivers/net/ethernet/qlogic/qed/qed_rdma.h: fix typo
    - gpio: pxa: fix legacy non pinctrl aware builds again
    - tc-testing: tdc.py: ignore errors when decoding stdout/stderr
    - NFSv4: Fix a NFSv4 state manager deadlock
    - USB: serial: console: fix reported terminal settings
    - ALSA: usb-audio: Add SMSL D1 to quirks for native DSD support
    - ALSA: hda/realtek: ALC286 mic and headset-mode fixups for Acer Aspire
      U27-880
    - ALSA: hda/realtek - Add support for Acer Aspire C24-860 headset mic
    - ALSA: hda/realtek: Fix mic issue on Acer AIO Veriton Z4660G
    - ALSA: hda/realtek: Fix mic issue on Acer AIO Veriton Z4860G/Z6860G
    - media: dvb-pll: don't re-validate tuner frequencies
    - parisc: Enable -ffunction-sections for modules on 32-bit kernel
    - Revert "x86/e820: put !E820_TYPE_RAM regions into memblock.reserved"
    - drm/lease: Send a distinct uevent
    - drm/msm: Move fence put to where failure occurs
    - drm/amdgpu/gmc8: always load MC firmware in the driver
    - drm/i915: Downgrade Gen9 Plane WM latency error
    - x86/efi: Allocate e820 buffer before calling efi_exit_boot_service
    - cfg80211: Fix busy loop regression in ieee80211_ie_split_ric()
    - ipv4: ipv6: netfilter: Adjust the frag mem limit when truesize changes
    - ipv6: Check available headroom in ip6_xmit() even without options
    - neighbour: Avoid writing before skb->head in neigh_hh_output()
    - ipv6: sr: properly initialize flowi6 prior passing to ip6_route_output
    - net: 8139cp: fix a BUG triggered by changing mtu with network traffic
    - net/mlx4_core: Correctly set PFC param if global pause is turned off.
    - net/mlx4_en: Change min MTU size to ETH_MIN_MTU
    - net: phy: don't allow __set_phy_supported to add unsupported modes
    - net: Prevent invalid access to skb->prev in __qdisc_drop_all
    - rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices
    - sctp: kfree_rcu asoc
    - tcp: Do not underestimate rwnd_limited
    - tcp: fix NULL ref in tail loss probe
    - tun: forbid iface creation with rtnl ops
    - virtio-net: keep vnet header zeroed after processing XDP
    - ARM: OMAP2+: prm44xx: Fix section annotation on
      omap44xx_prm_enable_io_wakeup
    - ASoC: rsnd: fixup clock start checker
    - staging: rtl8723bs: Fix the return value in case of error in
      'rtw_wx_read32()'
    - ARM: dts: logicpd-somlv: Fix interrupt on mmc3_dat1
    - ARM: OMAP1: ams-delta: Fix possible use of uninitialized field
    - sysv: return 'err' instead of 0 in __sysv_write_inode
    - selftests: add script to stress-test nft packet path vs. control plane
    - netfilter: nf_tables: fix use-after-free when deleting compat expressions
    - hwmon (ina2xx) Fix NULL id pointer in probe()
    - ASoC: wm_adsp: Fix dma-unsafe read of scratch registers
    - s390/cpum_cf: Reject request for sampling in event initialization
    - hwmon: (ina2xx) Fix current value calculation
    - ASoC: omap-abe-twl6040: Fix missing audio card caused by deferred probing
    - ASoC: dapm: Recalculate audio map forcely when card instantiated
    - netfilter: xt_hashlimit: fix a possible memory leak in htable_create()
    - hwmon: (w83795) temp4_type has writable permission
    - perf tools: Restore proper cwd on return from mnt namespace
    - PCI: imx6: Fix link training status detection in link up check
    - objtool: Fix double-free in .cold detection error path
    - objtool: Fix segfault in .cold detection with -ffunction-sections
    - ARM: dts: at91: sama5d2: use the divided clock for SMC
    - Btrfs: send, fix infinite loop due to directory rename dependencies
    - RDMA/mlx5: Fix fence type for IB_WR_LOCAL_INV WR
    - RDMA/rdmavt: Fix rvt_create_ah function signature
    - ASoC: omap-mcbsp: Fix latency value calculation for pm_qos
    - ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE
    - ASoC: omap-dmic: Add pm_qos handling to avoid overruns with CPU_IDLE
    - exportfs: do not read dentry after free
    - bpf: fix check of allowed specifiers in bpf_trace_printk
    - ipvs: call ip_vs_dst_notifier earlier than ipv6_dev_notf
    - USB: omap_udc: use devm_request_irq()
    - USB: omap_udc: fix crashes on probe error and module removal
    - USB: omap_udc: fix omap_udc_start() on 15xx machines
    - USB: omap_udc: fix USB gadget functionality on Palm Tungsten E
    - USB: omap_udc: fix rejection of out transfers when DMA is used
    - drm/meson: add support for 1080p25 mode
    - netfilter: ipv6: Preserve link scope traffic original oif
    - IB/mlx5: Fix page fault handling for MW
    - KVM: x86: fix empty-body warnings
    - x86/kvm/vmx: fix old-style function declaration
    - net: thunderx: fix NULL pointer dereference in nic_remove
    - usb: gadget: u_ether: fix unsafe list iteration
    - netfilter: nf_tables: deactivate expressions in rule replecement routine
    - igb: fix uninitialized variables
    - ixgbe: recognize 1000BaseLX SFP modules as 1Gbps
    - net: hisilicon: remove unexpected free_netdev
    - drm/amdgpu: Add delay after enable RLC ucode
    - drm/ast: fixed reading monitor EDID not stable issue
    - xen: xlate_mmu: add missing header to fix 'W=1' warning
    - Revert "xen/balloon: Mark unallocated host memory as UNUSABLE"
    - pstore/ram: Correctly calculate usable PRZ bytes
    - fscache, cachefiles: remove redundant variable 'cache'
    - nvme: flush namespace scanning work just before removing namespaces
    - ACPI/IORT: Fix iort_get_platform_device_domain() uninitialized pointer value
    - ocfs2: fix deadlock caused by ocfs2_defrag_extent()
    - mm/page_alloc.c: fix calculation of pgdat->nr_zones
    - hfs: do not free node before using
    - hfsplus: do not free node before using
    - debugobjects: avoid recursive calls with kmemleak
    - ocfs2: fix potential use after free
    - printk: Add console owner and waiter logic to load balance console writes
    - printk: Hide console waiter logic into helpers
    - printk: Never set console_may_schedule in console_trylock()
    - printk: Wake klogd when passing console_lock owner
    - flexfiles: enforce per-mirror stateid only for v4 DSes
    - staging: speakup: Replace strncpy with memcpy
    - ALSA: fireface: fix reference to wrong register for clock configuration
    - IB/hfi1: Fix an out-of-bounds access in get_hw_stats
    - tcp: lack of available data can also cause TSO defer
    - Revert "net/ibm/emac: wrong bit is used for STA control"
    - tools: bpftool: prevent infinite loop in get_fdinfo()
    - ASoC: sun8i-codec: fix crash on module removal
    - ASoC: acpi: fix: continue searching when machine is ignored
    - RDMA/bnxt_re: Fix system hang when registration with L2 driver fails
    - RDMA/bnxt_re: Avoid accessing the device structure after it is freed
    - RDMA/hns: Bugfix pbl configuration for rereg mr
    - thunderbolt: Prevent root port runtime suspend during NVM upgrade
    - netfilter: add missing error handling code for register functions
    - netfilter: nat: fix double register in masquerade modules
    - cachefiles: Fix an assertion failure when trying to update a failed object
    - fscache: Fix race in fscache_op_complete() due to split atomic_sub & read
    - pvcalls-front: fixes incorrect error handling
    - nvme: warn when finding multi-port subsystems without multipathing enabled
    - kernel/kcov.c: mark funcs in __sanitizer_cov_trace_pc() as notrace
    - ALSA: hda/realtek: ALC294 mic and headset-mode fixups for ASUS X542UN
    - ALSA: hda/realtek: Enable audio jacks of ASUS UX533FD with ALC294
    - ALSA: hda/realtek: Enable audio jacks of ASUS UX433FN/UX333FA with ALC294

* Bionic update: upstream stable patchset 2019-07-17 (LP: #1836968)
    - flow_dissector: do not dissect l4 ports for fragments
    - ibmvnic: fix accelerated VLAN handling
    - ip_tunnel: don't force DF when MTU is locked
    - ipv6: Fix PMTU updates for UDP/raw sockets in presence of VRF
    - net-gro: reset skb->pkt_type in napi_reuse_skb()
    - sctp: not allow to set asoc prsctp_enable by sockopt
    - tg3: Add PHY reset for 5717/5719/5720 in change ring and flow control paths
    - tuntap: fix multiqueue rx
    - net: systemport: Protect stop from timeout
    - net: qualcomm: rmnet: Fix incorrect assignment of real_dev
    - net: dsa: microchip: initialize mutex before use
    - sctp: fix strchange_flags name for Stream Change Event
    - net: phy: mdio-gpio: Fix working over slow can_sleep GPIOs
    - sctp: not increase stream's incnt before sending addstrm_in request
    - mlxsw: spectrum: Fix IP2ME CPU policer configuration
    - net: smsc95xx: Fix MTU range
    - usbnet: smsc95xx: disable carrier check while suspending
    - inet: frags: better deal with smp races
    - ARM: dts: r8a7791: Correct critical CPU temperature
    - ARM: dts: r8a7793: Correct critical CPU temperature
    - net: bcmgenet: protect stop from timeout
    - tcp: Fix SOF_TIMESTAMPING_RX_HARDWARE to use the latest timestamp during TCP
      coalescing
    - tipc: don't assume linear buffer when reading ancillary data
    - tipc: fix link re-establish failure
    - net/mlx5e: Claim TC hw offloads support only under a proper build config
    - net/mlx5e: Adjust to max number of channles when re-attaching
    - net/mlx5e: Fix selftest for small MTUs
    - l2tp: fix a sock refcnt leak in l2tp_tunnel_register
    - net/mlx5e: IPoIB, Reset QP after channels are closed
    - net: dsa: mv88e6xxx: Fix clearing of stats counters
    - net: phy: realtek: fix RTL8201F sysfs name
    - sctp: define SCTP_SS_DEFAULT for Stream schedulers
    - rxrpc: Fix lockup due to no error backoff after ack transmit error
    - cifs: don't dereference smb_file_target before null check
    - cifs: fix return value for cifs_listxattr
    - arm64: kprobe: make page to RO mode when allocate it
    - ixgbe: fix MAC anti-spoofing filter after VFLR
    - reiserfs: propagate errors from fill_with_dentries() properly
    - hfs: prevent btree data loss on root split
    - hfsplus: prevent btree data loss on root split
    - um: Give start_idle_thread() a return code
    - drm/edid: Add 6 bpc quirk for BOE panel.
    - platform/x86: intel_telemetry: report debugfs failure
    - clk: fixed-rate: fix of_node_get-put imbalance
    - perf symbols: Set PLT entry/header sizes properly on Sparc
    - fs/exofs: fix potential memory leak in mount option parsing
    - clk: samsung: exynos5420: Enable PERIS clocks for suspend
    - apparmor: Fix uninitialized value in aa_split_fqname
    - x86/earlyprintk: Add a force option for pciserial device
    - platform/x86: acerhdf: Add BIOS entry for Gateway LT31 v1.3307
    - arm64: percpu: Initialize ret in the default case
    - s390/vdso: add missing FORCE to build targets
    - netfilter: ipset: list:set: Decrease refcount synchronously on deletion and
      replace
    - netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net
    - s390/mm: Fix ERROR: "__node_distance" undefined!
    - netfilter: ipset: Correct rcu_dereference() call in ip_set_put_comment()
    - netfilter: xt_IDLETIMER: add sysfs filename checking routine
    - s390/qeth: fix HiperSockets sniffer
    - hwmon: (ibmpowernv) Remove bogus __init annotations
    - Revert "drm/exynos/decon5433: implement frame counter"
    - clk: fixed-factor: fix of_node_get-put imbalance
    - lib/raid6: Fix arm64 test build
    - s390/perf: Change CPUM_CF return code in event init function
    - sched/core: Take the hotplug lock in sched_init_smp()
    - i40e: restore NETIF_F_GSO_IPXIP[46] to netdev features
    - qed: Fix memory/entry leak in qed_init_sp_request()
    - qed: Fix blocking/unlimited SPQ entries leak
    - qed: Fix potential memory corruption
    - net: stmmac: Fix RX packet size > 8191
    - SUNRPC: drop pointless static qualifier in xdr_get_next_encode_buffer()
    - ACPI / watchdog: Prefer iTCO_wdt always when WDAT table uses RTC SRAM
    - perf machine: Add machine__is() to identify machine arch
    - perf tools: Fix kernel_start for PTI on x86
    - perf machine: Add nr_cpus_avail()
    - perf machine: Workaround missing maps for x86 PTI entry trampolines
    - perf test code-reading: Fix perf_env setup for PTI entry trampolines
    - media: v4l: event: Add subscription to list before calling "add" operation
    - MIPS: OCTEON: cavium_octeon_defconfig: re-enable OCTEON USB driver
    - uio: Fix an Oops on load
    - usb: cdc-acm: add entry for Hiro (Conexant) modem
    - usb: quirks: Add delay-init quirk for Corsair K70 LUX RGB
    - misc: atmel-ssc: Fix section annotation on atmel_ssc_get_driver_data
    - USB: misc: appledisplay: add 20" Apple Cinema Display
    - ACPI / platform: Add SMB0001 HID to forbidden_id_list
    - HID: uhid: forbid UHID_CREATE under KERNEL_DS or elevated privileges
    - libceph: fall back to sendmsg for slab pages
    - drm/i915: Replace some PAGE_SIZE with I915_GTT_PAGE_SIZE
    - perf unwind: Take pgoff into account when reporting elf to libdwfl
    - netfilter: bridge: define INT_MIN & INT_MAX in userspace
    - s390/decompressor: add missing FORCE to build targets
    - Revert "HID: add NOGET quirk for Eaton Ellipse MAX UPS"
    - HID: alps: allow incoming reports when only the trackstick is opened
    - s390/mm: fix mis-accounting of pgtable_bytes
    - drm/amd/display: Stop leaking planes
    - drm/amd/amdgpu/dm: Fix dm_dp_create_fake_mst_encoder()
    - ceph: quota: fix null pointer dereference in quota check
    - nvme: make sure ns head inherits underlying device limits
    - i2c: omap: Enable for ARCH_K3
    - net: aquantia: fix potential IOMMU fault after driver unbind
    - net: aquantia: fixed enable unicast on 32 macvlan
    - net: aquantia: invalid checksumm offload implementation
    - mtd: rawnand: atmel: fix OF child-node lookup
    - efi/libstub: arm: support building with clang
    - ARM: 8766/1: drop no-thumb-interwork in EABI mode
    - ARM: 8767/1: add support for building ARM kernel with clang
    - bus: arm-cci: remove unnecessary unreachable()
    - ARM: trusted_foundations: do not use naked function
    - usb: core: Fix hub port connection events lost
    - usb: dwc3: gadget: fix ISOC TRB type on unaligned transfers
    - usb: dwc3: gadget: Properly check last unaligned/zero chain TRB
    - usb: dwc3: core: Clean up ULPI device
    - xhci: Add check for invalid byte size error when UAS devices are connected.
    - ALSA: oss: Use kvzalloc() for local buffer allocations
    - MAINTAINERS: Add Sasha as a stable branch maintainer
    - mmc: sdhci-pci: Try "cd" for card-detect lookup before using NULL
    - gpio: don't free unallocated ida on gpiochip_add_data_with_key() error path
    - iwlwifi: mvm: support sta_statistics() even on older firmware
    - iwlwifi: mvm: fix regulatory domain update when the firmware starts
    - iwlwifi: mvm: don't use SAR Geo if basic SAR is not used
    - brcmfmac: fix reporting support for 160 MHz channels
    - tools/power/cpupower: fix compilation with STATIC=true
    - v9fs_dir_readdir: fix double-free on p9stat_read error
    - selinux: Add __GFP_NOWARN to allocation at str_read()
    - Input: synaptics - avoid using uninitialized variable when probing
    - bfs: add sanity check at bfs_fill_super()
    - sctp: clear the transport of some out_chunk_list chunks in
      sctp_assoc_rm_peer
    - gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd
    - llc: do not use sk_eat_skb()
    - mm: don't warn about large allocations for slab
    - mm/memory.c: recheck page table entry with page table lock held
    - IB/core: Perform modify QP on real one
    - usb: xhci: Prevent bus suspend if a port connect change or polling state is
      detected
    - drm/ast: change resolution may cause screen blurred
    - drm/ast: fixed cursor may disappear sometimes
    - can: dev: can_get_echo_skb(): factor out non sending code to
      __can_get_echo_skb()
    - can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to
      access frame length
    - can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb
      is accessed out of bounds
    - can: dev: __can_get_echo_skb(): print error message, if trying to echo non
      existing skb
    - can: rx-offload: introduce can_rx_offload_get_echo_skb() and
      can_rx_offload_queue_sorted() functions
    - can: rx-offload: rename can_rx_offload_irq_queue_err_skb() to
      can_rx_offload_queue_tail()
    - can: raw: check for CAN FD capable netdev in raw_sendmsg()
    - can: hi311x: Use level-triggered interrupt
    - IB/hfi1: Eliminate races in the SDMA send error path
    - pinctrl: meson: fix pinconf bias disable
    - KVM: PPC: Move and undef TRACE_INCLUDE_PATH/FILE
    - cpufreq: imx6q: add return value check for voltage scale
    - rtc: pcf2127: fix a kmemleak caused in pcf2127_i2c_gather_write
    - crypto: simd - correctly take reqsize of wrapped skcipher into account
    - floppy: fix race condition in __floppy_read_block_0()
    - powerpc/io: Fix the IO workarounds code to work with Radix
    - perf/x86/intel/uncore: Add more IMC PCI IDs for KabyLake and CoffeeLake CPUs
    - SUNRPC: Fix a bogus get/put in generic_key_to_expire()
    - kdb: Use strscpy with destination buffer size
    - powerpc/numa: Suppress "VPHN is not supported" messages
    - tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset
    - mm, page_alloc: check for max order in hot path
    - arm64: remove no-op -p linker flag
    - ubi: fastmap: Check each mapping only once
    - Input: xpad - add PDP device id 0x02a4
    - Input: xpad - fix some coding style issues
    - Input: xpad - avoid using __set_bit() for capabilities
    - Input: xpad - add support for Xbox1 PDP Camo series gamepad
    - iwlwifi: fix wrong WGDS_WIFI_DATA_SIZE
    - kbuild: allow to use GCC toolchain not in Clang search path
    - PCI: endpoint: Populate func_no before calling pci_epc_add_epf()
    - i40iw: Fix memory leak in error path of create QP
    - clk: samsung: exynos5250: Add missing clocks for FIMC LITE SYSMMU devices
    - ARM: dts: exynos: Fix invalid node referenced by i2c20 alias in Peach Pit
      and Pi
    - include/linux/pfn_t.h: force '~' to be parsed as an unary operator
    - tty: wipe buffer.
    - tty: wipe buffer if not echoing data
    - lan78xx: Read MAC address from DT if present
    - s390/mm: Check for valid vma before zapping in gmap_discard
    - rcu: Make need_resched() respond to urgent RCU-QS needs
    - net: ieee802154: 6lowpan: fix frag reassembly
    - EVM: Add support for portable signature format
    - ima: re-introduce own integrity cache lock
    - ima: re-initialize iint->atomic_flags
    - xhci: Fix leaking USB3 shared_hcd at xhci removal
    - Documentation/security-bugs: Clarify treatment of embargoed information
    - Documentation/security-bugs: Postpone fix publication in exceptional cases
    - ACPICA: AML interpreter: add region addresses in global list during
      initialization
    - fsnotify: generalize handling of extra event flags
    - pinctrl: meson: fix gxbb ao pull register bits
    - pinctrl: meson: fix gxl ao pull register bits
    - pinctrl: meson: fix meson8 ao pull register bits
    - pinctrl: meson: fix meson8b ao pull register bits
    - riscv: add missing vdso_install target
    - media: ov5640: fix wrong binning value in exposure calculation
    - media: ov5640: fix auto controls values when switching to manual mode
    - mm/huge_memory: rename freeze_page() to unmap_page()
    - mm/huge_memory.c: reorder operations in __split_huge_page_tail()
    - mm/huge_memory: splitting set mapping+index before unfreeze
    - mm/huge_memory: fix lockdep complaint on 32-bit i_size_read()
    - mm/khugepaged: collapse_shmem() stop if punched or truncated
    - mm/khugepaged: fix crashes due to misaccounted holes
    - mm/khugepaged: collapse_shmem() remember to clear holes
    - mm/khugepaged: minor reorderings in collapse_shmem()
    - mm/khugepaged: collapse_shmem() without freezing new_page
    - mm/khugepaged: collapse_shmem() do not crash on Compound
    - media: em28xx: Fix use-after-free when disconnecting
    - ubi: Initialize Fastmap checkmapping correctly
    - libceph: store ceph_auth_handshake pointer in ceph_connection
    - libceph: factor out __prepare_write_connect()
    - libceph: factor out __ceph_x_decrypt()
    - libceph: factor out encrypt_authorizer()
    - libceph: add authorizer challenge
    - libceph: implement CEPHX_V2 calculation mode
    - net/tls: Fixed return value when tls_complete_pending_work() fails
    - wil6210: missing length check in wmi_set_ie
    - btrfs: validate type when reading a chunk
    - btrfs: Verify that every chunk has corresponding block group at mount time
    - btrfs: tree-checker: Add checker for dir item
    - btrfs: tree-checker: use %zu format string for size_t
    - btrfs: tree-check: reduce stack consumption in check_dir_item
    - btrfs: tree-checker: Verify block_group_item
    - btrfs: tree-checker: Detect invalid and empty essential trees
    - btrfs: Check that each block group has corresponding chunk at mount time
    - btrfs: tree-checker: Check level for leaves and nodes
    - btrfs: tree-checker: Fix misleading group system information
    - f2fs: check blkaddr more accuratly before issue a bio
    - f2fs: enhance sanity_check_raw_super() to avoid potential overflow
    - f2fs: clean up with is_valid_blkaddr()
    - f2fs: introduce and spread verify_blkaddr
    - f2fs: fix to do sanity check with secs_per_zone
    - f2fs: fix to do sanity check with user_block_count
    - f2fs: fix to do sanity check with node footer and iblocks
    - f2fs: fix to do sanity check with block address in main area
    - f2fs: fix to do sanity check with i_extra_isize
    - f2fs: fix to do sanity check with cp_pack_start_sum
    - net: skb_scrub_packet(): Scrub offload_fwd_mark
    - net: thunderx: set xdp_prog to NULL if bpf_prog_add fails
    - virtio-net: disable guest csum during XDP set
    - virtio-net: fail XDP set if guest csum is negotiated
    - net: thunderx: set tso_hdrs pointer to NULL in nicvf_free_snd_queue
    - packet: copy user buffers before orphan or clone
    - rapidio/rionet: do not free skb before reading its length
    - usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2
    - kvm: mmu: Fix race in emulated page table writes
    - KVM: x86: Fix kernel info-leak in KVM_HC_CLOCK_PAIRING hypercall
    - xtensa: enable coprocessors that are being flushed
    - xtensa: fix coprocessor context offset definitions
    - xtensa: fix coprocessor part of ptrace_{get,set}xregs
    - Btrfs: ensure path name is null terminated at btrfs_control_ioctl
    - btrfs: relocation: set trans to be NULL after ending transaction
    - PCI: layerscape: Fix wrong invocation of outbound window disable accessor
    - arm64: dts: rockchip: Fix PCIe reset polarity for rk3399-puma-haikou.
    - x86/fpu: Disable bottom halves while loading FPU registers
    - perf/x86/intel: Move branch tracing setup to the Intel-specific source file
    - perf/x86/intel: Add generic branch tracing check to intel_pmu_has_bts()
    - fs: fix lost error code in dio_complete
    - ALSA: wss: Fix invalid snd_free_pages() at error path
    - ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
    - ALSA: control: Fix race between adding and removing a user element
    - ALSA: sparc: Fix invalid snd_free_pages() at error path
    - ALSA: hda/realtek - Support ALC300
    - ALSA: hda/realtek - fix headset mic detection for MSI MS-B171
    - ext2: fix potential use after free
    - ARM: dts: rockchip: Remove @0 from the veyron memory node
    - dmaengine: at_hdmac: fix memory leak in at_dma_xlate()
    - dmaengine: at_hdmac: fix module unloading
    - staging: vchiq_arm: fix compat VCHIQ_IOC_AWAIT_COMPLETION
    - staging: rtl8723bs: Add missing return for cfg80211_rtw_get_station
    - usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series
    - Revert "usb: dwc3: gadget: skip Set/Clear Halt when invalid"
    - iio:st_magn: Fix enable device after trigger
    - lib/test_kmod.c: fix rmmod double free
    - mm: use swp_offset as key in shmem_replace_page()
    - misc: mic/scif: fix copy-paste error in scif_create_remote_lookup
    - binder: fix race that allows malicious free of live buffer
    - libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
    - libceph: check authorizer reply/challenge length before reading
    - f2fs: fix missing up_read
    - net: don't keep lonely packets forever in the gro hash
    - net: phy: add workaround for issue where PHY driver doesn't bind to the
      device
    - KVM: nVMX/nSVM: Fix bug which sets vcpu->arch.tsc_offset to L1 tsc_offset
    - udf: Allow mounting volumes with incorrect identification strings
    - btrfs: Always try all copies when reading extent buffers
    - Btrfs: fix rare chances for data loss when doing a fast fsync
    - Btrfs: fix race between enabling quotas and subvolume creation
    - perf/x86/intel: Disallow precise_ip on BTS events
    - ALSA: hda: Add ASRock H81M-HDS to the power_save blacklist
    - ALSA: hda: Add ASRock N68C-S UCC the power_save blacklist
    - function_graph: Create function_graph_enter() to consolidate architecture
      code
    - ARM: function_graph: Simplify with function_graph_enter()
    - microblaze: function_graph: Simplify with function_graph_enter()
    - x86/function_graph: Simplify with function_graph_enter()
    - powerpc/function_graph: Simplify with function_graph_enter()
    - sh/function_graph: Simplify with function_graph_enter()
    - sparc/function_graph: Simplify with function_graph_enter()
    - parisc: function_graph: Simplify with function_graph_enter()
    - s390/function_graph: Simplify with function_graph_enter()
    - arm64: function_graph: Simplify with function_graph_enter()
    - MIPS: function_graph: Simplify with function_graph_enter()
    - function_graph: Make ftrace_push_return_trace() static
    - function_graph: Use new curr_ret_depth to manage depth instead of
      curr_ret_stack
    - function_graph: Have profiler use curr_ret_stack and not depth
    - function_graph: Move return callback before update of curr_ret_stack
    - function_graph: Reverse the order of pushing the ret_stack and the callback
    - ext2: initialize opts.s_mount_opt as zero before using it
    - ASoC: intel: cht_bsw_max98090_ti: Add quirk for boards using pmc_plt_clk_0
    - staging: most: use format specifier "%s" in snprintf
    - iio/hid-sensors: Fix IIO_CHAN_INFO_RAW returning wrong values for signed
      numbers
    - mm: cleancache: fix corruption on missed inode invalidation

* Bionic update: upstream stable patchset 2019-07-17 (LP: #1836968) //
    CVE-2000-1134 // CVE-2007-3852 // CVE-2008-0525 // CVE-2009-0416 //
    CVE-2011-4834 // CVE-2015-1838 // CVE-2015-7442 // CVE-2016-7489
    - namei: allow restricted O_CREAT of FIFOs and regular files

* bcache: risk of data loss on I/O errors in backing or caching devices
    (LP: #1829563)
    - bcache: add CACHE_SET_IO_DISABLE to struct cache_set flags
    - bcache: add stop_when_cache_set_failed option to backing device
    - bcache: fix inaccurate io state for detached bcache devices
    - bcache: add backing_request_endio() for bi_end_io
    - bcache: add io_disable to struct cached_dev
    - bcache: store disk name in struct cache and struct cached_dev
    - bcache: count backing device I/O error for writeback I/O
    - bcache: add wait_for_kthread_stop() in bch_allocator_thread()
    - bcache: set dc->io_disable to true in conditional_stop_bcache_device()
    - bcache: stop bcache device when backing device is offline
    - bcache: fix ioctl in flash device

* Bionic update: upstream stable patchset 2019-07-16 (LP: #1836802)
    - mtd: spi-nor: fsl-quadspi: fix read error for flash size larger than 16MB
    - spi: bcm-qspi: switch back to reading flash using smaller chunks
    - bcache: trace missed reading by cache_missed
    - bcache: fix miss key refill->end in writeback
    - hwmon: (pmbus) Fix page count auto-detection.
    - jffs2: free jffs2_sb_info through jffs2_kill_sb()
    - cpufreq: conservative: Take limits changes into account properly
    - pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges
    - parisc: Fix address in HPMC IVA
    - parisc: Fix map_pages() to not overwrite existing pte entries
    - parisc: Fix exported address of os_hpmc handler
    - ALSA: hda - Add quirk for ASUS G751 laptop
    - ALSA: hda - Fix headphone pin config for ASUS G751
    - ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905)
    - ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops
    - x86/xen: Fix boot loader version reported for PVH guests
    - x86/corruption-check: Fix panic in memory_corruption_check() when boot
      option without value is provided
    - ARM: dts: exynos: Disable pull control for MAX8997 interrupts on Origen
    - bpf: do not blindly change rlimit in reuseport net selftest
    - Revert "perf tools: Fix PMU term format max value calculation"
    - xfrm: policy: use hlist rcu variants on insert
    - perf vendor events intel: Fix wrong filter_band* values for uncore events
    - sched/fair: Fix the min_vruntime update logic in dequeue_entity()
    - perf tools: Fix use of alternatives to find JDIR
    - perf cpu_map: Align cpu map synthesized events properly.
    - x86/fpu: Remove second definition of fpu in __fpu__restore_sig()
    - net: qla3xxx: Remove overflowing shift statement
    - selftests: ftrace: Add synthetic event syntax testcase
    - i2c: rcar: cleanup DMA for all kinds of failure
    - locking/lockdep: Fix debug_locks off performance problem
    - ataflop: fix error handling during setup
    - swim: fix cleanup on setup error
    - nfp: devlink port split support for 1x100G CXP NIC
    - tun: Consistently configure generic netdev params via rtnetlink
    - s390/sthyi: Fix machine name validity indication
    - hwmon: (pwm-fan) Set fan speed to 0 on suspend
    - lightnvm: pblk: fix two sleep-in-atomic-context bugs
    - spi: spi-ep93xx: Use dma_data_direction for ep93xx_spi_dma_{finish,prepare}
    - perf tools: Free temporary 'sys' string in read_event_files()
    - perf tools: Cleanup trace-event-info 'tdata' leak
    - perf strbuf: Match va_{add,copy} with va_end
    - cpupower: Fix coredump on VMWare
    - mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01
    - iwlwifi: pcie: avoid empty free RB queue
    - iwlwifi: mvm: clear HW_RESTART_REQUESTED when stopping the interface
    - x86/olpc: Indicate that legacy PC XO-1 platform should not register RTC
    - ACPI / processor: Fix the return value of acpi_processor_ids_walk()
    - cpufreq: dt: Try freeing static OPPs only if we have added them
    - mtd: rawnand: atmel: Fix potential NULL pointer dereference
    - signal: Introduce COMPAT_SIGMINSTKSZ for use in compat_sys_sigaltstack
    - Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth
    - x86: boot: Fix EFI stub alignment
    - pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux
    - brcmfmac: fix for proper support of 160MHz bandwidth
    - net: phy: phylink: ensure the carrier is off when starting phylink
    - block, bfq: correctly charge and reset entity service in all cases
    - kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()
    - ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers
    - pinctrl: qcom: spmi-mpp: Fix drive strength setting
    - pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant
    - pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant
    - net: dsa: mv88e6xxx: Fix writing to a PHY page.
    - iwlwifi: mvm: fix BAR seq ctrl reporting
    - ixgbevf: VF2VF TCP RSS
    - ath10k: schedule hardware restart if WMI command times out
    - thermal: da9062/61: Prevent hardware access during system suspend
    - cgroup, netclassid: add a preemption point to write_classid
    - scsi: esp_scsi: Track residual for PIO transfers
    - UAPI: ndctl: Fix g++-unsupported initialisation in headers
    - KVM: nVMX: Clear reserved bits of #DB exit qualification
    - scsi: megaraid_sas: fix a missing-check bug
    - RDMA/core: Do not expose unsupported counters
    - IB/ipoib: Clear IPCB before icmp_send
    - RDMA/bnxt_re: Fix recursive lock warning in debug kernel
    - usb: host: ohci-at91: fix request of irq for optional gpio
    - PCI: mediatek: Fix mtk_pcie_find_port() endpoint/port matching logic
    - tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated
    - Drivers: hv: vmbus: Use cpumask_var_t for on-stack cpu mask
    - VMCI: Resource wildcard match fixed
    - PCI / ACPI: Enable wake automatically for power managed bridges
    - usb: gadget: udc: atmel: handle at91sam9rl PMC
    - ext4: fix argument checking in EXT4_IOC_MOVE_EXT
    - MD: fix invalid stored role for a disk
    - f2fs: fix to recover inode's i_flags during POR
    - PCI/MSI: Warn and return error if driver enables MSI/MSI-X twice
    - coresight: etb10: Fix handling of perf mode
    - PCI: dwc: pci-dra7xx: Enable errata i870 for both EP and RC mode
    - crypto: caam - fix implicit casts in endianness helpers
    - usb: chipidea: Prevent unbalanced IRQ disable
    - driver/dma/ioat: Call del_timer_sync() without holding prep_lock
    - uio: ensure class is registered before devices
    - scsi: lpfc: Correct soft lockup when running mds diagnostics
    - scsi: lpfc: Correct race with abort on completion path
    - f2fs: report error if quota off error during umount
    - signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace
      init
    - mfd: menelaus: Fix possible race condition and leak
    - dmaengine: dma-jz4780: Return error if not probed from DT
    - IB/rxe: fix for duplicate request processing and ack psns
    - ALSA: hda: Check the non-cached stream buffers more explicitly
    - cpupower: Fix AMD Family 0x17 msr_pstate size
    - f2fs: fix to account IO correctly
    - ARM: dts: exynos: Remove "cooling-{min|max}-level" for CPU nodes
    - arm: dts: exynos: Add missing cooling device properties for CPUs
    - ARM: dts: exynos: Convert exynos5250.dtsi to opp-v2 bindings
    - ARM: dts: exynos: Mark 1 GHz CPU OPP as suspend OPP on Exynos5250
    - xen-swiotlb: use actually allocated size on check physical continuous
    - tpm: Restore functionality to xen vtpm driver.
    - xen/blkfront: avoid NULL blkfront_info dereference on device removal
    - xen/balloon: Support xend-based toolstack
    - xen: fix race in xen_qlock_wait()
    - xen: make xen_qlock_wait() nestable
    - xen/pvh: increase early stack size
    - xen/pvh: don't try to unplug emulated devices
    - libertas: don't set URB_ZERO_PACKET on IN USB transfer
    - usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten
    - usb: gadget: udc: renesas_usb3: Fix b-device mode for "workaround"
    - iwlwifi: mvm: check return value of rs_rate_from_ucode_rate()
    - net/ipv4: defensive cipso option parsing
    - dmaengine: ppc4xx: fix off-by-one build failure
    - dmaengine: stm32-dma: fix incomplete configuration in cyclic mode
    - libnvdimm: Hold reference on parent while scheduling async init
    - libnvdimm, region: Fail badblocks listing for inactive regions
    - ASoC: intel: skylake: Add missing break in skl_tplg_get_token()
    - IB/mlx5: Fix MR cache initialization
    - jbd2: fix use after free in jbd2_log_do_checkpoint()
    - gfs2_meta: ->mount() can get NULL dev_name
    - ext4: initialize retries variable in ext4_da_write_inline_data_begin()
    - ext4: fix setattr project check in fssetxattr ioctl
    - ext4: propagate error from dquot_initialize() in EXT4_IOC_FSSETXATTR
    - ext4: fix use-after-free race in ext4_remount()'s error path
    - EDAC, amd64: Add Family 17h, models 10h-2fh support
    - EDAC, {i7core,sb,skx}_edac: Fix uncorrected error counting
    - EDAC, skx_edac: Fix logical channel intermediate decoding
    - ARM: dts: dra7: Fix up unaligned access setting for PCIe EP
    - PCI/ASPM: Fix link_state teardown on device removal
    - PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk
    - PCI: vmd: White list for fast interrupt handlers
    - signal/GenWQE: Fix sending of SIGKILL
    - signal: Guard against negative signal numbers in copy_siginfo_from_user32
    - crypto: lrw - Fix out-of bounds access on counter overflow
    - crypto: tcrypt - fix ghash-generic speed test
    - mm: /proc/pid/smaps_rollup: fix NULL pointer deref in smaps_pte_range()
    - ima: fix showing large 'violations' or 'runtime_measurements_count'
    - hugetlbfs: dirty pages as they are added to pagecache
    - mm/rmap: map_pte() was not handling private ZONE_DEVICE page properly
    - KVM: arm64: Fix caching of host MDCR_EL2 value
    - kbuild: fix kernel/bounds.c 'W=1' warning
    - iio: ad5064: Fix regulator handling
    - iio: adc: imx25-gcq: Fix leak of device_node in mx25_gcq_setup_cfgs()
    - iio: adc: at91: fix acking DRDY irq on simple conversions
    - iio: adc: at91: fix wrong channel number in triggered buffer mode
    - w1: omap-hdq: fix missing bus unregister at removal
    - smb3: allow stats which track session and share reconnects to be reset
    - smb3: do not attempt cifs operation in smb3 query info error path
    - smb3: on kerberos mount if server doesn't specify auth type use krb5
    - printk: Fix panic caused by passing log_buf_len to command line
    - genirq: Fix race on spurious interrupt detection
    - NFSv4.1: Fix the r/wsize checking
    - nfs: Fix a missed page unlock after pg_doio()
    - nfsd: Fix an Oops in free_session()
    - lockd: fix access beyond unterminated strings in prints
    - dm ioctl: harden copy_params()'s copy_from_user() from malicious users
    - dm zoned: fix metadata block ref counting
    - dm zoned: fix various dmz_get_mblock() issues
    - powerpc/msi: Fix compile error on mpc83xx
    - MIPS: OCTEON: fix out of bounds array access on CN68XX
    - iommu/arm-smmu: Ensure that page-table updates are visible before TLBI
    - TC: Set DMA masks for devices
    - media: v4l2-tpg: fix kernel oops when enabling HFLIP and OSD
    - kgdboc: Passing ekgdboc to command line causes panic
    - xen: fix xen_qlock_wait()
    - xen-blkfront: fix kernel panic with negotiate_mq error path
    - media: em28xx: use a default format if TRY_FMT fails
    - media: tvp5150: avoid going past array on v4l2_querymenu()
    - media: em28xx: fix input name for Terratec AV 350
    - media: em28xx: make v4l2-compliance happier by starting sequence on zero
    - media: media colorspaces*.rst: rename AdobeRGB to opRGB
    - arm64: lse: remove -fcall-used-x0 flag
    - rpmsg: smd: fix memory leak on channel create
    - Cramfs: fix abad comparison when wrap-arounds occur
    - ARM: dts: socfpga: Fix SDRAM node address for Arria10
    - arm64: dts: stratix10: Correct System Manager register size
    - soc/tegra: pmc: Fix child-node lookup
    - btrfs: qgroup: Avoid calling qgroup functions if qgroup is not enabled
    - btrfs: Handle owner mismatch gracefully when walking up tree
    - btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid deadlock
    - btrfs: fix error handling in free_log_tree
    - btrfs: Enhance btrfs_trim_fs function to handle error better
    - btrfs: Ensure btrfs_trim_fs can trim the whole filesystem
    - btrfs: iterate all devices during trim, instead of fs_devices::alloc_list
    - btrfs: don't attempt to trim devices that don't support it
    - btrfs: wait on caching when putting the bg cache
    - btrfs: protect space cache inode alloc with GFP_NOFS
    - btrfs: reset max_extent_size on clear in a bitmap
    - btrfs: make sure we create all new block groups
    - Btrfs: fix warning when replaying log after fsync of a tmpfile
    - Btrfs: fix wrong dentries after fsync of file that got its parent replaced
    - btrfs: qgroup: Dirty all qgroups before rescan
    - Btrfs: fix null pointer dereference on compressed write path error
    - Btrfs: fix assertion on fsync of regular file when using no-holes feature
    - btrfs: set max_extent_size properly
    - btrfs: don't use ctl->free_space for max_extent_size
    - btrfs: only free reserved extent if we didn't insert it
    - btrfs: don't run delayed_iputs in commit
    - btrfs: move the dio_sem higher up the callchain
    - Btrfs: fix use-after-free during inode eviction
    - Btrfs: fix use-after-free when dumping free space
    - Btrfs: fix fsync after hole punching when using no-holes feature
    - net: sched: Remove TCA_OPTIONS from policy
    - bpf: wait for running BPF programs when updating map-in-map
    - MD: fix invalid stored role for a disk - try2
    - mtd: spi-nor: intel-spi: Add support for Intel Ice Lake SPI serial flash
    - mtd: spi-nor: fsl-quadspi: Don't let -EINVAL on the bus
    - bcache: correct dirty data statistics
    - block: don't deal with discard limit in blkdev_issue_discard()
    - block: make sure discard bio is aligned with logical block size
    - block: make sure writesame bio is aligned with logical block size
    - dma-mapping: fix panic caused by passing empty cma command line argument
    - ACPI / OSL: Use 'jiffies' as the time bassis for acpi_os_get_timer()
    - ACPICA: AML Parser: fix parse loop to correctly skip erroneous extended
      opcodes
    - kprobes/x86: Use preempt_enable() in optimized_callback()
    - mailbox: PCC: handle parse error
    - ALSA: hda: Add 2 more models to the power_save blacklist
    - drm: fix use of freed memory in drm_mode_setcrtc
    - nvme: remove ns sibling before clearing path
    - nfp: flower: fix pedit set actions for multiple partial masks
    - nfp: flower: use offsets provided by pedit instead of index for ipv6
    - perf report: Don't crash on invalid inline debug information
    - drm: Get ref on CRTC commit object when waiting for flip_done
    - net: socionext: Reset tx queue in ndo_stop
    - lightnvm: pblk: fix race on sysfs line state
    - lightnvm: pblk: fix race condition on metadata I/O
    - bcache: Populate writeback_rate_minimum attribute
    - sdhci: acpi: add free_slot callback
    - mtd: rawnand: denali: set SPARE_AREA_SKIP_BYTES register to 8 if unset
    - iwlwifi: mvm: check for n_profiles validity in EWRD ACPI
    - ACPI/PPTT: Handle architecturally unknown cache types
    - ACPI / PM: LPIT: Register sysfs attributes based on FADT
    - pinctrl: sunxi: fix 'pctrl->functions' allocation in
      sunxi_pinctrl_build_state
    - arm64: entry: Allow handling of undefined instructions from EL1
    - bpf/verifier: fix verifier instability
    - gpio: brcmstb: allow 0 width GPIO banks
    - libata: Apply NOLPM quirk for SAMSUNG MZ7TD256HAFV-000L9
    - thermal: rcar_thermal: Prevent doing work after unbind
    - net: stmmac: dwmac-sun8i: fix OF child-node lookup
    - f2fs: clear PageError on the read path
    - xprtrdma: Reset credit grant properly after a disconnect
    - nvmem: check the return value of nvmem_add_cells()
    - f2fs: avoid sleeping under spin_lock
    - f2fs: fix to recover cold bit of inode block during POR
    - OPP: Free OPP table properly on performance state irregularities
    - IB/rxe: Revise the ib_wr_opcode enum
    - ext4: fix EXT4_IOC_SWAP_BOOT
    - selinux: fix mounting of cgroup2 under older policies
    - KVM: arm/arm64: Ensure only THP is candidate for adjustment
    - NFC: nfcmrvl_uart: fix OF child-node lookup
    - media: ov7670: make "xclk" clock optional
    - powerpc/tm: Fix HFSCR bit for no suspend case
    - powerpc/64s/hash: Do not use PPC_INVALIDATE_ERAT on CPUs before POWER9
    - MIPS: memset: Fix CPU_DADDI_WORKAROUNDS `small_fixup' regression
    - power: supply: twl4030-charger: fix OF sibling-node lookup
    - ocxl: Fix access to the AFU Descriptor Data
    - net: bcmgenet: fix OF child-node lookup
    - media: cec: make cec_get_edid_spa_location() an inline function
    - media: cec: integrate cec_validate_phys_addr() in cec-api.c
    - media: adv7604: when the EDID is cleared, unconfigure CEC as well
    - media: adv7842: when the EDID is cleared, unconfigure CEC as well
    - drm/mediatek: fix OF sibling-node lookup
    - media: replace ADOBERGB by OPRGB
    - media: hdmi.h: rename ADOBE_RGB to OPRGB and ADOBE_YCC to OPYCC
    - btrfs: fix error handling in btrfs_dev_replace_start
    - btrfs: keep trim from interfering with transaction commits
    - Btrfs: don't clean dirty pages during buffered writes
    - btrfs: release metadata before running delayed refs
    - Btrfs: fix deadlock when writing out free space caches
    - btrfs: reset max_extent_size properly
    - btrfs: fix insert_reserved error handling
    - powerpc/traps: restore recoverability of machine_check interrupts
    - powerpc/64/module: REL32 relocation range check
    - powerpc/mm: Fix page table dump to work on Radix
    - powerpc/eeh: Fix possible null deref in eeh_dump_dev_log()
    - tty: check name length in tty_find_polling_driver()
    - ARM: imx_v6_v7_defconfig: Select CONFIG_TMPFS_POSIX_ACL
    - powerpc/nohash: fix undefined behaviour when testing page size support
    - powerpc/mm: Don't report hugepage tables as memory leaks when using kmemleak
    - drm/omap: fix memory barrier bug in DMM driver
    - drm/hisilicon: hibmc: Do not carry error code in HiBMC framebuffer pointer
    - media: pci: cx23885: handle adding to list failure
    - media: coda: don't overwrite h.264 profile_idc on decoder instance
    - MIPS: kexec: Mark CPU offline before disabling local IRQ
    - powerpc/boot: Ensure _zimage_start is a weak symbol
    - powerpc/memtrace: Remove memory in chunks
    - MIPS/PCI: Call pcie_bus_configure_settings() to set MPS/MRRS
    - sc16is7xx: Fix for multi-channel stall
    - media: tvp5150: fix width alignment during set_selection()
    - powerpc/selftests: Wait all threads to join
    - staging:iio:ad7606: fix voltage scales
    - 9p locks: fix glock.client_id leak in do_lock
    - 9p: clear dangling pointers in p9stat_free
    - ovl: fix error handling in ovl_verify_set_fh()
    - scsi: qla2xxx: Fix incorrect port speed being set for FC adapters
    - scsi: qla2xxx: Fix process response queue for ISP26XX and above
    - scsi: qla2xxx: Remove stale debug trace message from tcm_qla2xxx
    - scsi: qla2xxx: shutdown chip if reset fail
    - scsi: qla2xxx: Fix re-using LoopID when handle is in use
    - ovl: fix recursive oi->lock in ovl_link()
    - MIPS: Loongson-3: Fix CPU UART irq delivery problem
    - MIPS: Loongson-3: Fix BRIDGE irq delivery problem
    - xtensa: add NOTES section to the linker script
    - xtensa: make sure bFLT stack is 16 byte aligned
    - xtensa: fix boot parameters address translation
    - um: Drop own definition of PTRACE_SYSEMU/_SINGLESTEP
    - clk: s2mps11: Fix matching when built as module and DT node contains
      compatible
    - clk: at91: Fix division by zero in PLL recalc_rate()
    - clk: rockchip: Fix static checker warning in rockchip_ddrclk_get_parent call
    - clk: mvebu: use correct bit for 98DX3236 NAND
    - libceph: bump CEPH_MSG_MAX_DATA_LEN
    - mach64: fix display corruption on big endian machines
    - mach64: fix image corruption due to reading accelerator registers
    - reset: hisilicon: fix potential NULL pointer dereference
    - vhost/scsi: truncate T10 PI iov_iter to prot_bytes
    - scsi: qla2xxx: Initialize port speed to avoid setting lower speed
    - SCSI: fix queue cleanup race before queue initialization is done
    - soc: ti: QMSS: Fix usage of irq_set_affinity_hint
    - ocfs2: fix a misuse a of brelse after failing ocfs2_check_dir_entry
    - ocfs2: free up write context when direct IO failed
    - mm: thp: relax __GFP_THISNODE for MADV_HUGEPAGE mappings
    - netfilter: conntrack: fix calculation of next bucket number in early_drop
    - ARM: 8809/1: proc-v7: fix Thumb annotation of cpu_v7_hvc_switch_mm
    - mtd: docg3: don't set conflicting BCH_CONST_PARAMS option
    - of, numa: Validate some distance map rules
    - x86/cpu/vmware: Do not trace vmware_sched_clock()
    - x86/hyper-v: Enable PIT shutdown quirk
    - termios, tty/tty_baudrate.c: fix buffer overrun
    - arch/alpha, termios: implement BOTHER, IBSHIFT and termios2
    - watchdog/core: Add missing prototypes for weak functions
    - btrfs: fix pinned underflow after transaction aborted
    - Btrfs: fix cur_offset in the error case for nocow
    - Btrfs: fix infinite loop on inode eviction after deduplication of eof block
    - Btrfs: fix data corruption due to cloning of eof block
    - clockevents/drivers/i8253: Add support for PIT shutdown quirk
    - ext4: add missing brelse() update_backups()'s error path
    - ext4: add missing brelse() in set_flexbg_block_bitmap()'s error path
    - ext4: add missing brelse() add_new_gdb_meta_bg()'s error path
    - ext4: avoid potential extra brelse in setup_new_flex_group_blocks()
    - ext4: missing !bh check in ext4_xattr_inode_write()
    - ext4: fix possible inode leak in the retry loop of ext4_resize_fs()
    - ext4: avoid buffer leak on shutdown in ext4_mark_iloc_dirty()
    - ext4: avoid buffer leak in ext4_orphan_add() after prior errors
    - ext4: fix missing cleanup if ext4_alloc_flex_bg_array() fails while resizing
    - ext4: avoid possible double brelse() in add_new_gdb() on error path
    - ext4: fix possible leak of sbi->s_group_desc_leak in error path
    - ext4: fix possible leak of s_journal_flag_rwsem in error path
    - ext4: fix buffer leak in ext4_xattr_get_block() on error path
    - ext4: release bs.bh before re-using in ext4_xattr_block_find()
    - ext4: fix buffer leak in ext4_xattr_move_to_block() on error path
    - ext4: fix buffer leak in ext4_expand_extra_isize_ea() on error path
    - ext4: fix buffer leak in __ext4_read_dirblock() on error path
    - mount: Prevent MNT_DETACH from disconnecting locked mounts
    - kdb: use correct pointer when 'btc' calls 'btt'
    - kdb: print real address of pointers instead of hashed addresses
    - sunrpc: correct the computation for page_ptr when truncating
    - rtc: hctosys: Add missing range error reporting
    - configfs: replace strncpy with memcpy
    - gfs2: Put bitmap buffers in put_super
    - lib/ubsan.c: don't mark __ubsan_handle_builtin_unreachable as noreturn
    - hugetlbfs: fix kernel BUG at fs/hugetlbfs/inode.c:444!
    - mm/swapfile.c: use kvzalloc for swap_info_struct allocation
    - efi/arm/libstub: Pack FDT after populating it
    - drm/amdgpu: add missing CHIP_HAINAN in amdgpu_ucode_get_load_type
    - drm/nouveau: Check backlight IDs are >= 0, not > 0
    - drm/dp_mst: Check if primary mstb is null
    - drm/i915: Restore vblank interrupts earlier
    - drm/i915: Don't unset intel_connector->mst_port
    - drm/i915: Skip vcpi allocation for MSTB ports that are gone
    - drm/i915: Large page offsets for pread/pwrite
    - drm/i915/hdmi: Add HDMI 2.0 audio clock recovery N values
    - drm/i915: Don't oops during modeset shutdown after lpe audio deinit
    - drm/i915: Mark pin flags as u64
    - drm/i915/execlists: Force write serialisation into context image vs
      execution
    - CONFIG_XEN_PV breaks xen_create_contiguous_region on ARM
    - ovl: check whiteout in ovl_create_over_whiteout()
    - nvme-loop: fix kernel oops in case of unhandled command
    - Input: wm97xx-ts - fix exit path
    - powerpc/Makefile: Fix PPC_BOOK3S_64 ASFLAGS
    - tracing/kprobes: Check the probe on unloaded module correctly
    - drm/amdgpu/powerplay: fix missing break in switch statements
    - udf: Prevent write-unsupported filesystem to be remounted read-write
    - serial: sh-sci: Fix could not remove dev_attr_rx_fifo_timeout
    - zram: close udev startup race condition as default groups
    - clk: rockchip: fix wrong mmc sample phase shift for rk3328
    - bonding/802.3ad: fix link_failure_count tracking
    - hwmon: (core) Fix double-free in __hwmon_device_register()
    - perf stat: Handle different PMU names with common prefix
    - mnt: fix __detach_mounts infinite loop
    - NFSv4: Don't exit the state manager without clearing
      NFS4CLNT_MANAGER_RUNNING
    - libata: blacklist SAMSUNG MZ7TD256HAFV-000L9 SSD
    - drm/i915/dp: Link train Fallback on eDP only if fallback link BW can fit
      panel's native mode
    - drm/i915: Fix ilk+ watermarks when disabling pipes
    - drm/i915: Fix possible race in intel_dp_add_mst_connector()

* [SRU][B/B-OEM]Fix resume failure on some TPM chips (LP: #1836031)
    - tpm: tpm_try_transmit() refactor error flow.

* Linux md raid-10 freezes during resync (LP: #1767992)
    - md: fix raid10 hang issue caused by barrier

* hda/realtek: can't detect external mic on a Dell machine (LP: #1836755)
    - ALSA: hda/realtek: apply ALC891 headset fixup to one Dell machine

* CVE-2019-12614
    - powerpc/pseries/dlpar: Fix a missing check in dlpar_parse_cc_property()

* x86: mm: early boot problem on i386 with KPTI enabled (LP: #1827884)
    - Revert "perf/core: Make sure the ring-buffer is mapped in all page-tables"
    - x86/mm: Clarify hardware vs. software "error_code"
    - x86/mm: Break out kernel address space handling
    - x86/mm: Break out user address space handling
    - x86/mm/fault: Allow stack access below %rsp

* bnx2x driver causes 100% CPU load (LP: #1832082)
    - bnx2x: Prevent ptp_task to be rescheduled indefinitely

* Sometimes touchpad detected as mouse(i2c designware fails to get adapter
    number) (LP: #1835150)
    - i2c: i2c-designware-platdrv: Cleanup setting of the adapter number
    - i2c: i2c-designware-platdrv: Always use a dynamic adapter number

* HP EliteBook 745 G5 (Ryzen 2500U) fails to boot unless `mce=off` is set on
    command line (LP: #1796443)
    - x86/MCE/AMD: Turn off MC4_MISC thresholding on all family 0x15 models
    - x86/MCE/AMD: Carve out the MC4_MISC thresholding quirk
    - x86/MCE: Add an MCE-record filtering function
    - x86/MCE/AMD: Don't report L1 BTB MCA errors on some family 17h models

* Bionic update: upstream stable patchset 2019-07-15 (LP: #1836654)
    - media: af9035: prevent buffer overflow on write
    - batman-adv: Avoid probe ELP information leak
    - batman-adv: Fix segfault when writing to throughput_override
    - batman-adv: Fix segfault when writing to sysfs elp_interval
    - batman-adv: Prevent duplicated gateway_node entry
    - batman-adv: Prevent duplicated nc_node entry
    - batman-adv: Prevent duplicated softif_vlan entry
    - batman-adv: Prevent duplicated global TT entry
    - batman-adv: Prevent duplicated tvlv handler
    - batman-adv: fix backbone_gw refcount on queue_work() failure
    - batman-adv: fix hardif_neigh refcount on queue_work() failure
    - clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-
      am43 SoCs
    - scsi: ibmvscsis: Fix a stringop-overflow warning
    - scsi: ibmvscsis: Ensure partition name is properly NUL terminated
    - intel_th: pci: Add Ice Lake PCH support
    - Input: atakbd - fix Atari keymap
    - Input: atakbd - fix Atari CapsLock behaviour
    - net: emac: fix fixed-link setup for the RTL8363SB switch
    - ravb: do not write 1 to reserved bits
    - PCI: dwc: Fix scheduling while atomic issues
    - drm: mali-dp: Call drm_crtc_vblank_reset on device init
    - scsi: ipr: System hung while dlpar adding primary ipr adapter back
    - scsi: sd: don't crash the host on invalid commands
    - net/mlx4: Use cpumask_available for eq->affinity_mask
    - clocksource/drivers/fttmr010: Fix set_next_event handler
    - powerpc/tm: Fix userspace r13 corruption
    - powerpc/tm: Avoid possible userspace r1 corruption on reclaim
    - iommu/amd: Return devid as alias for ACPI HID devices
    - ARC: build: Get rid of toolchain check
    - ARC: build: Don't set CROSS_COMPILE in arch's Makefile
    - HID: quirks: fix support for Apple Magic Keyboards
    - staging: ccree: check DMA pool buf !NULL before free
    - net/smc: fix sizeof to int comparison
    - qed: Fix populating the invalid stag value in multi function mode.
    - RDMA/uverbs: Fix validity check for modify QP
    - bpf: test_maps, only support ESTABLISHED socks
    - RDMA/bnxt_re: Fix system crash during RDMA resource initialization
    - RISC-V: include linux/ftrace.h in asm-prototypes.h
    - powerpc/numa: Use associativity if VPHN hcall is successful
    - x86/boot: Fix kexec booting failure in the SEV bit detection code
    - xfrm: Validate address prefix lengths in the xfrm selector.
    - xfrm6: call kfree_skb when skb is toobig
    - xfrm: reset transport header back to network header after all input
      transforms ahave been applied
    - xfrm: reset crypto_done when iterating over multiple input xfrms
    - mac80211: Always report TX status
    - cfg80211: reg: Init wiphy_idx in regulatory_hint_core()
    - mac80211: fix pending queue hang due to TX_DROP
    - cfg80211: Address some corner cases in scan result channel updating
    - mac80211: TDLS: fix skb queue/priority assignment
    - mac80211: fix TX status reporting for ieee80211s
    - ARM: 8799/1: mm: fix pci_ioremap_io() offset check
    - xfrm: validate template mode
    - netfilter: bridge: Don't sabotage nf_hook calls from an l3mdev
    - arm64: hugetlb: Fix handling of young ptes
    - ARM: dts: BCM63xx: Fix incorrect interrupt specifiers
    - net: macb: Clean 64b dma addresses if they are not detected
    - soc: fsl: qbman: qman: avoid allocating from non existing gen_pool
    - soc: fsl: qe: Fix copy/paste bug in ucc_get_tdm_sync_shift()
    - mac80211_hwsim: do not omit multicast announce of first added radio
    - Bluetooth: SMP: fix crash in unpairing
    - pxa168fb: prepare the clock
    - qed: Avoid implicit enum conversion in qed_set_tunn_cls_info
    - qed: Fix mask parameter in qed_vf_prep_tunn_req_tlv
    - qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor
    - qed: Avoid constant logical operation warning in qed_vf_pf_acquire
    - qed: Avoid implicit enum conversion in qed_iwarp_parse_rx_pkt
    - asix: Check for supported Wake-on-LAN modes
    - ax88179_178a: Check for supported Wake-on-LAN modes
    - lan78xx: Check for supported Wake-on-LAN modes
    - sr9800: Check for supported Wake-on-LAN modes
    - r8152: Check for supported Wake-on-LAN Modes
    - smsc75xx: Check for Wake-on-LAN modes
    - smsc95xx: Check for Wake-on-LAN modes
    - cfg80211: fix use-after-free in reg_process_hint()
    - perf/core: Fix perf_pmu_unregister() locking
    - perf/ring_buffer: Prevent concurent ring buffer access
    - perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX
    - perf/x86/amd/uncore: Set ThreadMask and SliceMask for L3 Cache perf events
    - net: fec: fix rare tx timeout
    - declance: Fix continuation with the adapter identification message
    - locking/ww_mutex: Fix runtime warning in the WW mutex selftest
    - be2net: don't flip hw_features when VXLANs are added/deleted
    - net: cxgb3_main: fix a missing-check bug
    - yam: fix a missing-check bug
    - ocfs2: fix crash in ocfs2_duplicate_clusters_by_page()
    - iwlwifi: mvm: check for short GI only for OFDM
    - iwlwifi: dbg: allow wrt collection before ALIVE
    - iwlwifi: fix the ALIVE notification layout
    - usbip: vhci_hcd: update 'status' file header and format
    - net/mlx5: Fix mlx5_get_vector_affinity function
    - powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n
    - dm integrity: fail early if required HMAC key is not available
    - net: phy: realtek: Use the dummy stubs for MMD register access for rtl8211b
    - net: phy: Add general dummy stubs for MMD register access
    - scsi: qla2xxx: Avoid double completion of abort command
    - kbuild: set no-integrated-as before incl. arch Makefile
    - IB/mlx5: Avoid passing an invalid QP type to firmware
    - l2tp: remove configurable payload offset
    - cifs: Use ULL suffix for 64-bit constant
    - KVM: x86: Update the exit_qualification access bits while walking an address
    - sparc64: Fix regression in pmdp_invalidate().
    - tpm: move the delay_msec increment after sleep in tpm_transmit()
    - bpf: sockmap, map_release does not hold refcnt for pinned maps
    - tpm: tpm_crb: relinquish locality on error path.
    - IB/usnic: Update with bug fixes from core code
    - mmc: dw_mmc-rockchip: correct property names in debug
    - MIPS: Workaround GCC __builtin_unreachable reordering bug
    - iio: buffer: fix the function signature to match implementation
    - selftests/powerpc: Add ptrace hw breakpoint test
    - scsi: ibmvfc: Avoid unnecessary port relogin
    - scsi: sd: Remember that READ CAPACITY(16) succeeded
    - btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf
    - net: phy: phylink: Don't release NULL GPIO
    - x86/paravirt: Fix some warning messages
    - net: stmmac: mark PM functions as __maybe_unused
    - kconfig: fix the rule of mainmenu_stmt symbol
    - libertas: call into generic suspend code before turning off power
    - compiler.h: Allow arch-specific asm/compiler.h
    - ARM: dts: imx53-qsb: disable 1.2GHz OPP
    - perf python: Use -Wno-redundant-decls to build with PYTHON=python3
    - rxrpc: Don't check RXRPC_CALL_TX_LAST after calling rxrpc_rotate_tx_window()
    - rxrpc: Only take the rwind and mtu values from latest ACK
    - rxrpc: Fix connection-level abort handling
    - selftests: rtnetlink.sh explicitly requires bash.
    - fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
    - mtd: spi-nor: Add support for is25wp series chips
    - ARM: dts: r8a7790: Correct critical CPU temperature
    - media: uvcvideo: Fix driver reference counting
    - Revert "netfilter: ipv6: nf_defrag: drop skb dst before queueing"
    - perf tools: Disable parallelism for 'make clean'
    - drm/i915/gvt: fix memory leak of a cmd_entry struct on error exit path
    - bridge: do not add port to router list when receives query with source
      0.0.0.0
    - net: bridge: remove ipv6 zero address check in mcast queries
    - ipv6: mcast: fix a use-after-free in inet6_mc_check
    - ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are
      called
    - llc: set SOCK_RCU_FREE in llc_sap_add_socket()
    - net: fec: don't dump RX FIFO register when not available
    - net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs
    - net: sched: gred: pass the right attribute to gred_change_table_def()
    - net: socket: fix a missing-check bug
    - net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules
    - net: udp: fix handling of CHECKSUM_COMPLETE packets
    - r8169: fix NAPI handling under high load
    - sctp: fix race on sctp_id2asoc
    - udp6: fix encap return code for resubmitting
    - virtio_net: avoid using netif_tx_disable() for serializing tx routine
    - ethtool: fix a privilege escalation bug
    - bonding: fix length of actor system
    - ip6_tunnel: Fix encapsulation layout
    - openvswitch: Fix push/pop ethernet validation
    - net/mlx5: Take only bit 24-26 of wqe.pftype_wq for page fault type
    - net: sched: Fix for duplicate class dump
    - net: drop skb on failure in ip_check_defrag()
    - net: fix pskb_trim_rcsum_slow() with odd trim offset
    - net/mlx5e: fix csum adjustments caused by RXFCS
    - rtnetlink: Disallow FDB configuration for non-Ethernet device
    - net: ipmr: fix unresolved entry dumps
    - net: bcmgenet: Poll internal PHY for GENETv5
    - net/sched: cls_api: add missing validation of netlink attributes
    - net/mlx5: Fix build break when CONFIG_SMP=n
    - mac80211_hwsim: fix locking when iterating radios during ns exit
    - rxrpc: Fix checks as to whether we should set up a new call
    - rxrpc: Fix transport sockopts to get IPv4 errors on an IPv6 socket
    - thunderbolt: Do not handle ICM events after domain is stopped
    - thunderbolt: Initialize after IOMMUs
    - RISCV: Fix end PFN for low memory
    - drm/amd/display: Signal hw_done() after waiting for flip_done()
    - powerpc/numa: Skip onlining a offline node in kdump path
    - mm/gup_benchmark: fix unsigned comparison to zero in __gup_benchmark_ioctl
    - perf report: Don't try to map ip to invalid map
    - perf record: Use unmapped IP for inline callchain cursors
    - rxrpc: Carry call state out of locked section in rxrpc_rotate_tx_window()
    - gpio: Assign gpio_irq_chip::parents to non-stack pointer
    - IB/mlx5: Unmap DMA addr from HCA before IOMMU
    - rds: RDS (tcp) hangs on sendto() to unresponding address
    - sparc64: Export __node_distance.
    - sparc64: Make corrupted user stacks more debuggable.
    - sparc64: Make proc_id signed.
    - sparc64: Set %l4 properly on trap return after handling signals.
    - sparc: Fix single-pcr perf event counter management.
    - sparc: Fix syscall fallback bugs in VDSO.
    - sparc: Throttle perf events properly.
    - eeprom: at24: Add support for address-width property
    - vfs: swap names of {do,vfs}_clone_file_range()
    - bpf: fix partial copy of map_ptr when dst is scalar
    - gpio: mxs: Get rid of external API call
    - xfs: truncate transaction does not modify the inobt
    - cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)
    - drm/edid: VSDB yCBCr420 Deep Color mode bit definitions
    - drm: fb-helper: Reject all pixel format changing requests
    - cdc-acm: do not reset notification buffer index upon urb unlinking
    - cdc-acm: correct counting of UART states in serial state notification
    - cdc-acm: fix race between reset and control messaging
    - usb: usbip: Fix BUG: KASAN: slab-out-of-bounds in vhci_hub_control()
    - USB: fix the usbfs flag sanitization for control transfers
    - Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM
    - sched/fair: Fix throttle_list starvation with low CFS quota
    - x86/tsc: Force inlining of cyc2ns bits
    - x86, hibernate: Fix nosave_regions setup for hibernation
    - x86/percpu: Fix this_cpu_read()
    - x86/time: Correct the attribute on jiffies' definition
    - x86/fpu: Fix i486 + no387 boot crash by only saving FPU registers on context
      switch if there is an FPU
    - clk: sunxi-ng: sun4i: Set VCO and PLL bias current to lowest setting
    - drm/sun4i: Fix an ulong overflow in the dotclock driver
    - x86/swiotlb: Enable swiotlb for > 4GiG RAM on 32-bit kernels

* Colour banding in HP Pavilion 15-n233sl integrated display (LP: #1794387) //
    Bionic update: upstream stable patchset 2019-07-15 (LP: #1836654)
    - drm/edid: Add 6 bpc quirk for BOE panel in HP Pavilion 15-n233sl

* Bionic update: upstream stable patchset 2019-07-12 (LP: #1836426)
    - drm/amd/pp: initialize result to before or'ing in data
    - drm/amdgpu: add another ATPX quirk for TOPAZ
    - tools/power turbostat: fix possible sprintf buffer overflow
    - mac80211: Run TXQ teardown code before de-registering interfaces
    - mac80211_hwsim: require at least one channel
    - btrfs: btrfs_shrink_device should call commit transaction at the end
    - scsi: csiostor: add a check for NULL pointer after kmalloc()
    - mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X
    - mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X
    - gpio: adp5588: Fix sleep-in-atomic-context bug
    - mac80211: mesh: fix HWMP sequence numbering to follow standard
    - mac80211: avoid kernel panic when building AMSDU from non-linear SKB
    - gpiolib: acpi: Switch to cansleep version of GPIO library call
    - gpiolib-acpi: Register GpioInt ACPI event handlers from a late_initcall
    - cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE
    - mac80211: do not convert to A-MSDU if frag/subframe limited
    - mac80211: always account for A-MSDU header changes
    - tools/kvm_stat: fix handling of invalid paths in debugfs provider
    - gpio: Fix crash due to registration race
    - ARC: atomics: unbork atomic_fetch_##op()
    - md/raid5-cache: disable reshape completely
    - RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0
    - i2c: uniphier: issue STOP only for last message or I2C_M_STOP
    - i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP
    - net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx()
    - fs/cifs: don't translate SFM_SLASH (U+F026) to backslash
    - mac80211: fix an off-by-one issue in A-MSDU max_subframe computation
    - cfg80211: fix a type issue in ieee80211_chandef_to_operating_class()
    - mac80211: fix a race between restart and CSA flows
    - mac80211: Fix station bandwidth setting after channel switch
    - mac80211: don't Tx a deauth frame if the AP forbade Tx
    - mac80211: shorten the IBSS debug messages
    - tools/vm/slabinfo.c: fix sign-compare warning
    - tools/vm/page-types.c: fix "defined but not used" warning
    - mm: madvise(MADV_DODUMP): allow hugetlbfs pages
    - netfilter: xt_cluster: add dependency on conntrack module
    - HID: add support for Apple Magic Keyboards
    - usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i]
    - HID: hid-saitek: Add device ID for RAT 7 Contagion
    - scsi: qedi: Add the CRC size within iSCSI NVM image
    - perf evsel: Fix potential null pointer dereference in perf_evsel__new_idx()
    - perf util: Fix bad memory access in trace info.
    - perf probe powerpc: Ignore SyS symbols irrespective of endianness
    - netfilter: nf_tables: release chain in flushing set
    - Revert "iio: temperature: maxim_thermocouple: add MAX31856 part"
    - RDMA/ucma: check fd type in ucma_migrate_id()
    - HID: sensor-hub: Restore fixup for Lenovo ThinkPad Helix 2 sensor hub report
    - USB: yurex: Check for truncation in yurex_read()
    - nvmet-rdma: fix possible bogus dereference under heavy load
    - net/mlx5: Consider PCI domain in search for next dev
    - drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS
    - drm/nouveau/disp: fix DP disable race
    - dm raid: fix rebuild of specific devices by updating superblock
    - fs/cifs: suppress a string overflow warning
    - perf/x86/intel: Add support/quirk for the MISPREDICT bit on Knights Landing
      CPUs
    - dm thin metadata: try to avoid ever aborting transactions
    - arch/hexagon: fix kernel/dma.c build warning
    - hexagon: modify ffs() and fls() to return int
    - arm64: jump_label.h: use asm_volatile_goto macro instead of "asm goto"
    - drm/amdgpu: fix error handling in amdgpu_cs_user_fence_chunk
    - r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED
    - s390/qeth: don't dump past end of unknown HW header
    - cifs: read overflow in is_valid_oplock_break()
    - xen/manage: don't complain about an empty value in control/sysrq node
    - xen: avoid crash in disable_hotplug_cpu
    - xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage
    - ovl: fix access beyond unterminated strings
    - ovl: fix memory leak on unlink of indexed file
    - ovl: fix format of setxattr debug
    - sysfs: Do not return POSIX ACL xattrs via listxattr
    - smb2: fix missing files in root share directory listing
    - iommu/amd: Clear memory encryption mask from physical address
    - crypto: qat - Fix KASAN stack-out-of-bounds bug in adf_probe()
    - crypto: mxs-dcp - Fix wait logic on chan threads
    - crypto: caam/jr - fix ablkcipher_edesc pointer arithmetic
    - gpiolib: Free the last requested descriptor
    - Drivers: hv: vmbus: Use get/put_cpu() in vmbus_connect()
    - tools: hv: fcopy: set 'error' in case an unknown operation was requested
    - ocfs2: fix locking for res->tracking and dlm->tracking_list
    - ixgbe: check return value of napi_complete_done()
    - dm thin metadata: fix __udivdi3 undefined on 32-bit
    - Btrfs: fix unexpected failure of nocow buffered writes after snapshotting
      when low on space
    - scsi: aacraid: fix a signedness bug
    - tipc: switch to rhashtable iterator
    - net: mvpp2: initialize port of_node pointer
    - tc-testing: add test-cases for numeric and invalid control action
    - tools/kvm_stat: fix updates for dead guests
    - ibmvnic: Include missing return code checks in reset function
    - net/ibm/emac: wrong emac_calc_base call was used by typo
    - ceph: avoid a use-after-free in ceph_destroy_options()
    - afs: Fix cell specification to permit an empty address list
    - netfilter: xt_checksum: ignore gso skbs
    - HID: intel-ish-hid: Enable Sunrise Point-H ish driver
    - iio: imu: st_lsm6dsx: take into account ts samples in wm configuration
    - riscv: Do not overwrite initrd_start and initrd_end
    - drm/nouveau: fix oops in client init failure path
    - drm/nouveau/mmu: don't attempt to dereference vmm without valid instance
      pointer
    - drm/nouveau/disp/gm200-: enforce identity-mapped SOR assignment for LVDS/eDP
      panels
    - sched/topology: Set correct NUMA topology type
    - drm/amdgpu: Fix SDMA hang in prt mode v2
    - asm-generic: io: Fix ioport_map() for !CONFIG_GENERIC_IOMAP &&
      CONFIG_INDIRECT_PIO
    - x86/APM: Fix build warning when PROC_FS is not enabled
    - new primitive: discard_new_inode()
    - ovl: set I_CREATING on inode being created
    - crypto: chelsio - Fix memory corruption in DMA Mapped buffers.
    - perf/core: Add sanity check to deal with pinned event failure
    - mm: migration: fix migration of huge PMD shared pages
    - mm, thp: fix mlocking THP page with migration enabled
    - mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly
    - KVM: x86: fix L1TF's MMIO GFN calculation
    - blk-mq: I/O and timer unplugs are inverted in blktrace
    - clocksource/drivers/timer-atmel-pit: Properly handle error cases
    - fbdev/omapfb: fix omapfb_memory_read infoleak
    - drm/amdgpu: Fix vce work queue was not cancelled when suspend
    - x86/vdso: Fix asm constraints on vDSO syscall fallbacks
    - selftests/x86: Add clock_gettime() tests to test_vdso
    - x86/vdso: Only enable vDSO retpolines when enabled and supported
    - x86/vdso: Fix vDSO syscall fallback asm constraint regression
    - mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys
    - PM / core: Clear the direct_complete flag on errors
    - dm cache metadata: ignore hints array being too small during resize
    - dm cache: fix resize crash if user doesn't reload cache table
    - xhci: Add missing CAS workaround for Intel Sunrise Point xHCI
    - usb: xhci-mtk: resume USB3 roothub first
    - USB: serial: simple: add Motorola Tetra MTP6550 id
    - usb: cdc_acm: Do not leak URB buffers
    - of: unittest: Disable interrupt node tests for old world MAC systems
    - perf annotate: Use asprintf when formatting objdump command line
    - perf tools: Fix python extension build for gcc 8
    - ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait
    - ath10k: fix kernel panic issue during pci probe
    - nvme_fc: fix ctrl create failures racing with workq items
    - powerpc/lib: fix book3s/32 boot failure due to code patching
    - ARC: clone syscall to setp r25 as thread pointer
    - perf utils: Move is_directory() to path.h
    - f2fs: fix invalid memory access
    - ucma: fix a use-after-free in ucma_resolve_ip()
    - ubifs: Check for name being NULL while mounting
    - rds: rds_ib_recv_alloc_cache() should call alloc_percpu_gfp() instead
    - ath10k: fix scan crash due to incorrect length calculation
    - pstore/ram: Fix failure-path memory leak in ramoops_init
    - mac80211: allocate TXQs for active monitor interfaces
    - drm: fix use-after-free read in drm_mode_create_lease_ioctl()
    - USB: serial: option: improve Quectel EP06 detection
    - USB: serial: option: add two-endpoints device-id flag
    - tipc: call start and done ops directly in __tipc_nl_compat_dumpit()
    - bnxt_en: Fix TX timeout during netpoll.
    - bnxt_en: free hwrm resources, if driver probe fails.
    - bonding: avoid possible dead-lock
    - ip6_tunnel: be careful when accessing the inner header
    - ip_tunnel: be careful when accessing the inner header
    - ipv4: fix use-after-free in ip_cmsg_recv_dstaddr()
    - ipv6: take rcu lock in rawv6_send_hdrinc()
    - net: dsa: bcm_sf2: Call setup during switch resume
    - net: hns: fix for unmapping problem when SMMU is on
    - net: ipv4: update fnhe_pmtu when first hop's MTU changes
    - net/ipv6: Display all addresses in output of /proc/net/if_inet6
    - netlabel: check for IPV4MASK in addrinfo_get
    - net: mvpp2: Extract the correct ethtype from the skb for tx csum offload
    - net: mvpp2: fix a txq_done race condition
    - net: sched: Add policy validation for tc attributes
    - net: systemport: Fix wake-up interrupt race during resume
    - net/usb: cancel pending work when unbinding smsc75xx
    - qmi_wwan: Added support for Gemalto's Cinterion ALASxx WWAN interface
    - rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096
    - sctp: update dst pmtu with the correct daddr
    - team: Forbid enslaving team device to itself
    - tipc: fix flow control accounting for implicit connect
    - udp: Unbreak modules that rely on external __skb_recv_udp() availability
    - net: stmmac: Fixup the tail addr setting in xmit path
    - net/packet: fix packet drop as of virtio gso
    - net: dsa: bcm_sf2: Fix unbind ordering
    - net/mlx5e: Set vlan masks for all offloaded TC rules
    - net: aquantia: memory corruption on jumbo frames
    - net/mlx5: E-Switch, Fix out of bound access when setting vport rate
    - bonding: pass link-local packets to bonding master also.
    - bonding: fix warning message
    - nfp: avoid soft lockups under control message storm
    - bnxt_en: don't try to offload VLAN 'modify' action
    - net-ethtool: ETHTOOL_GUFO did not and should not require CAP_NET_ADMIN
    - tcp/dccp: fix lockdep issue when SYN is backlogged
    - inet: make sure to grab rcu_read_lock before using ireq->ireq_opt
    - ASoC: rt5514: Fix the issue of the delay volume applied again
    - ASoC: wm8804: Add ACPI support
    - ASoC: sigmadsp: safeload should not have lower byte limit
    - selftests/efivarfs: add required kernel configs
    - selftests: memory-hotplug: add required configs
    - ASoC: rsnd: adg: care clock-frequency size
    - ASoC: rsnd: don't fallback to PIO mode when -EPROBE_DEFER
    - Bluetooth: hci_ldisc: Free rw_semaphore on close
    - mfd: omap-usb-host: Fix dts probe of children
    - scsi: iscsi: target: Don't use stack buffer for scatterlist
    - scsi: qla2xxx: Fix an endian bug in fcpcmd_is_corrupted()
    - sound: enable interrupt after dma buffer initialization
    - sound: don't call skl_init_chip() to reset intel skl soc
    - stmmac: fix valid numbers of unicast filter entries
    - net: macb: disable scatter-gather for macb on sama5d3
    - ARM: dts: at91: add new compatibility string for macb on sama5d3
    - PCI: hv: support reporting serial number as slot information
    - clk: x86: add "ether_clk" alias for Bay Trail / Cherry Trail
    - clk: x86: Stop marking clocks as CLK_IS_CRITICAL
    - x86/kvm/lapic: always disable MMIO interface in x2APIC mode
    - drm/amdgpu: Fix SDMA HQD destroy error on gfx_v7
    - mm/vmstat.c: fix outdated vmstat_text
    - MIPS: VDSO: Always map near top of user memory
    - mach64: detect the dot clock divider correctly on sparc
    - percpu: stop leaking bitmap metadata blocks
    - perf script python: Fix export-to-postgresql.py occasional failure
    - perf script python: Fix export-to-sqlite.py sample columns
    - s390/cio: Fix how vfio-ccw checks pinned pages
    - dm cache: destroy migration_cache if cache target registration failed
    - dm: fix report zone remapping to account for partition offset
    - dm linear: eliminate linear_end_io call if CONFIG_DM_ZONED disabled
    - dm linear: fix linear_end_io conditional definition
    - cgroup: Fix dom_cgrp propagation when enabling threaded mode
    - mmc: block: avoid multiblock reads for the last sector in SPI mode
    - pinctrl: mcp23s08: fix irq and irqchip setup order
    - arm64: perf: Reject stand-alone CHAIN events for PMUv3
    - mm/thp: fix call to mmu_notifier in set_pmd_migration_entry() v2
    - mm: Preserve _PAGE_DEVMAP across mprotect() calls
    - i2c: i2c-scmi: fix for i2c_smbus_write_block_data
    - xhci: Don't print a warning when setting link state for disabled ports
    - mm: introduce NR_INDIRECTLY_RECLAIMABLE_BYTES
    - mm: treat indirectly reclaimable memory as available in MemAvailable
    - dcache: account external names as indirectly reclaimable memory
    - mm: treat indirectly reclaimable memory as free in overcommit logic
    - mm: don't show nr_indirectly_reclaimable in /proc/vmstat
    - ARM: add more CPU part numbers for Cortex and Brahma B15 CPUs
    - ARM: bugs: prepare processor bug infrastructure
    - ARM: bugs: hook processor bug checking into SMP and suspend paths
    - ARM: bugs: add support for per-processor bug checking
    - [Config] updateconfigs for CPU_SPECTRE
    - ARM: spectre: add Kconfig symbol for CPUs vulnerable to Spectre
    - ARM: spectre-v2: harden branch predictor on context switches
    - ARM: spectre-v2: add Cortex A8 and A15 validation of the IBE bit
    - ARM: spectre-v2: harden user aborts in kernel space
    - ARM: spectre-v2: add firmware based hardening
    - ARM: spectre-v2: warn about incorrect context switching functions
    - ARM: KVM: invalidate BTB on guest exit for Cortex-A12/A17
    - ARM: KVM: invalidate icache on guest exit for Cortex-A15
    - ARM: spectre-v2: KVM: invalidate icache on guest exit for Brahma B15
    - ARM: KVM: Add SMCCC_ARCH_WORKAROUND_1 fast handling
    - ARM: KVM: report support for SMCCC_ARCH_WORKAROUND_1
    - ARM: spectre-v1: add speculation barrier (csdb) macros
    - ARM: spectre-v1: add array_index_mask_nospec() implementation
    - ARM: spectre-v1: fix syscall entry
    - ARM: signal: copy registers using __copy_from_user()
    - ARM: vfp: use __copy_from_user() when restoring VFP state
    - ARM: oabi-compat: copy semops using __copy_from_user()
    - ARM: use __inttype() in get_user()
    - ARM: spectre-v1: use get_user() for __get_user()
    - ARM: spectre-v1: mitigate user accesses
    - perf tools: Fix snprint warnings for gcc 8
    - net: sched: cls_u32: fix hnode refcounting
    - net: qualcomm: rmnet: Skip processing loopback packets
    - net: qualcomm: rmnet: Fix incorrect allocation flag in transmit
    - tun: remove unused parameters
    - tun: initialize napi_mutex unconditionally
    - tun: napi flags belong to tfile
    - net: dsa: b53: Keep CPU port as tagged in all VLANs
    - rtnetlink: Fail dump if target netnsid is invalid
    - net: ipv4: don't let PMTU updates increase route MTU
    - ASoC: dapm: Fix NULL pointer deference on CODEC to CODEC DAIs
    - selftests: android: move config up a level
    - selftests: add headers_install to lib.mk
    - Bluetooth: SMP: Fix trying to use non-existent local OOB data
    - Bluetooth: Use correct tfm to generate OOB data
    - net: ethernet: ti: add missing GENERIC_ALLOCATOR dependency
    - afs: Fix afs_server struct leak
    - afs: Fix clearance of reply

* Volume control not working Dell XPS 27 (7760) (LP: #1775068) // Bionic
    update: upstream stable patchset 2019-07-12 (LP: #1836426)
    - ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760

* Bionic update: upstream stable patchset 2019-07-11 (LP: #1836287)
    - perf tools: Fix undefined symbol scnprintf in libperf-jvmti.so
    - gso_segment: Reset skb->mac_len after modifying network header
    - ipv6: fix possible use-after-free in ip6_xmit()
    - net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT
    - net: hp100: fix always-true check for link up state
    - pppoe: fix reception of frames with no mac header
    - qmi_wwan: set DTR for modems in forced USB2 mode
    - udp4: fix IP_CMSG_CHECKSUM for connected sockets
    - neighbour: confirm neigh entries when ARP packet is received
    - udp6: add missing checks on edumux packet processing
    - net/sched: act_sample: fix NULL dereference in the data path
    - tls: don't copy the key out of tls12_crypto_info_aes_gcm_128
    - tls: zero the crypto information from tls_context before freeing
    - tls: clear key material from kernel memory when do_tls_setsockopt_conf fails
    - NFC: Fix possible memory corruption when handling SHDLC I-Frame commands
    - NFC: Fix the number of pipes
    - ASoC: cs4265: fix MMTLR Data switch control
    - ASoC: rsnd: fixup not to call clk_get/set under non-atomic
    - ALSA: bebob: fix memory leak for M-Audio FW1814 and ProjectMix I/O at error
      path
    - ALSA: bebob: use address returned by kmalloc() instead of kernel stack for
      streaming DMA mapping
    - ALSA: emu10k1: fix possible info leak to userspace on
      SNDRV_EMU10K1_IOCTL_INFO
    - ALSA: fireface: fix memory leak in ff400_switch_fetching_mode()
    - ALSA: firewire-digi00x: fix memory leak of private data
    - ALSA: firewire-tascam: fix memory leak of private data
    - ALSA: fireworks: fix memory leak of response buffer at error path
    - ALSA: oxfw: fix memory leak for model-dependent data at error path
    - ALSA: oxfw: fix memory leak of discovered stream formats at error path
    - ALSA: oxfw: fix memory leak of private data
    - platform/x86: alienware-wmi: Correct a memory leak
    - xen/netfront: don't bug in case of too many frags
    - xen/x86/vpmu: Zero struct pt_regs before calling into sample handling code
    - spi: fix IDR collision on systems with both fixed and dynamic SPI bus
      numbers
    - ring-buffer: Allow for rescheduling when removing pages
    - mm: shmem.c: Correctly annotate new inodes for lockdep
    - scsi: target: iscsi: Use bin2hex instead of a re-implementation
    - ocfs2: fix ocfs2 read block panic
    - drm/nouveau: Fix deadlocks in nouveau_connector_detect()
    - drm/nouveau/drm/nouveau: Don't forget to cancel hpd_work on suspend/unload
    - drm/nouveau/drm/nouveau: Fix bogus drm_kms_helper_poll_enable() placement
    - drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect()
    - drm/nouveau/drm/nouveau: Prevent handling ACPI HPD events too early
    - drm/vc4: Fix the "no scaling" case on multi-planar YUV formats
    - drm: udl: Destroy framebuffer only if it was initialized
    - drm/amdgpu: add new polaris pci id
    - ext4: check to make sure the rename(2)'s destination is not freed
    - ext4: avoid divide by zero fault when deleting corrupted inline directories
    - ext4: avoid arithemetic overflow that can trigger a BUG
    - ext4: recalucate superblock checksum after updating free blocks/inodes
    - ext4: fix online resize's handling of a too-small final block group
    - ext4: fix online resizing for bigalloc file systems with a 1k block size
    - ext4: don't mark mmp buffer head dirty
    - ext4: show test_dummy_encryption mount option in /proc/mounts
    - sched/fair: Fix vruntime_normalized() for remote non-migration wakeup
    - PCI: aardvark: Size bridges before resources allocation
    - vmw_balloon: include asm/io.h
    - iw_cxgb4: only allow 1 flush on user qps
    - tick/nohz: Prevent bogus softirq pending warning
    - spi: Fix double IDR allocation with DT aliases
    - hv_netvsc: fix schedule in RCU context
    - bnxt_en: Fix VF mac address regression.
    - net: rtnl_configure_link: fix dev flags changes arg to __dev_notify_flags
    - mtd: rawnand: denali: fix a race condition when DMA is kicked
    - platform/x86: dell-smbios-wmi: Correct a memory leak
    - fork: report pid exhaustion correctly
    - mm: disable deferred struct page for 32-bit arches
    - libata: mask swap internal and hardware tag
    - drm/i915/bdw: Increase IPS disable timeout to 100ms
    - drm/nouveau: Reset MST branching unit before enabling
    - drm/nouveau: Only write DP_MSTM_CTRL when needed
    - drm/nouveau: Remove duplicate poll_enable() in pmops_runtime_suspend()
    - ext4, dax: set ext4_dax_aops for dax files
    - crypto: skcipher - Fix -Wstringop-truncation warnings
    - iio: adc: ina2xx: avoid kthread_stop() with stale task_struct
    - tsl2550: fix lux1_input error in low light
    - vmci: type promotion bug in qp_host_get_user_memory()
    - x86/numa_emulation: Fix emulated-to-physical node mapping
    - staging: rts5208: fix missing error check on call to rtsx_write_register
    - power: supply: axp288_charger: Fix initial constant_charge_current value
    - misc: sram: enable clock before registering regions
    - serial: sh-sci: Stop RX FIFO timer during port shutdown
    - uwb: hwa-rc: fix memory leak at probe
    - power: vexpress: fix corruption in notifier registration
    - iommu/amd: make sure TLB to be flushed before IOVA freed
    - Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
    - USB: serial: kobil_sct: fix modem-status error handling
    - 6lowpan: iphc: reset mac_header after decompress to fix panic
    - iommu/msm: Don't call iommu_device_{,un}link from atomic context
    - s390/mm: correct allocate_pgste proc_handler callback
    - power: remove possible deadlock when unregistering power_supply
    - md-cluster: clear another node's suspend_area after the copy is finished
    - RDMA/bnxt_re: Fix a couple off by one bugs
    - RDMA/i40w: Hold read semaphore while looking after VMA
    - IB/core: type promotion bug in rdma_rw_init_one_mr()
    - media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt()
    - IB/mlx4: Test port number before querying type.
    - powerpc/kdump: Handle crashkernel memory reservation failure
    - media: fsl-viu: fix error handling in viu_of_probe()
    - media: staging/imx: fill vb2_v4l2_buffer field entry
    - x86/tsc: Add missing header to tsc_msr.c
    - ARM: hwmod: RTC: Don't assume lock/unlock will be called with irq enabled
    - x86/entry/64: Add two more instruction suffixes
    - ARM: dts: ls1021a: Add missing cooling device properties for CPUs
    - scsi: target/iscsi: Make iscsit_ta_authentication() respect the output
      buffer size
    - scsi: klist: Make it safe to use klists in atomic context
    - scsi: ibmvscsi: Improve strings handling
    - scsi: target: Avoid that EXTENDED COPY commands trigger lock inversion
    - usb: wusbcore: security: cast sizeof to int for comparison
    - ath10k: sdio: use same endpoint id for all packets in a bundle
    - ath10k: sdio: set skb len for all rx packets
    - powerpc/powernv/ioda2: Reduce upper limit for DMA window size
    - s390/sysinfo: add missing #ifdef CONFIG_PROC_FS
    - alarmtimer: Prevent overflow for relative nanosleep
    - s390/dasd: correct numa_node in dasd_alloc_queue
    - s390/scm_blk: correct numa_node in scm_blk_dev_setup
    - s390/extmem: fix gcc 8 stringop-overflow warning
    - mtd: rawnand: atmel: add module param to avoid using dma
    - iio: accel: adxl345: convert address field usage in iio_chan_spec
    - posix-timers: Make forward callback return s64
    - ALSA: snd-aoa: add of_node_put() in error path
    - media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power
    - media: soc_camera: ov772x: correct setting of banding filter
    - media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data
    - staging: android: ashmem: Fix mmap size validation
    - drivers/tty: add error handling for pcmcia_loop_config
    - media: tm6000: add error handling for dvb_register_adapter
    - net: phy: xgmiitorgmii: Check read_status results
    - ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
    - net: phy: xgmiitorgmii: Check phy_driver ready before accessing
    - drm/sun4i: Fix releasing node when enumerating enpoints
    - ath10k: transmit queued frames after processing rx packets
    - rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
    - brcmsmac: fix wrap around in conversion from constant to s16
    - ARM: mvebu: declare asm symbols as character arrays in pmsu.c
    - arm: dts: mediatek: Add missing cooling device properties for CPUs
    - HID: hid-ntrig: add error handling for sysfs_create_group
    - MIPS: boot: fix build rule of vmlinux.its.S
    - perf/x86/intel/lbr: Fix incomplete LBR call stack
    - scsi: bnx2i: add error handling for ioremap_nocache
    - iomap: complete partial direct I/O writes synchronously
    - scsi: megaraid_sas: Update controller info during resume
    - EDAC, i7core: Fix memleaks and use-after-free on probe and remove
    - ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs
    - module: exclude SHN_UNDEF symbols from kallsyms api
    - gpio: Fix wrong rounding in gpio-menz127
    - nfsd: fix corrupted reply to badly ordered compound
    - EDAC: Fix memleak in module init error path
    - fs/lock: skip lock owner pid translation in case we are in init_pid_ns
    - Input: xen-kbdfront - fix multi-touch XenStore node's locations
    - iio: 104-quad-8: Fix off-by-one error in register selection
    - ARM: dts: dra7: fix DCAN node addresses
    - x86/mm: Expand static page table for fixmap space
    - tty: serial: lpuart: avoid leaking struct tty_struct
    - serial: cpm_uart: return immediately from console poll
    - intel_th: Fix device removal logic
    - spi: tegra20-slink: explicitly enable/disable clock
    - spi: sh-msiof: Fix invalid SPI use during system suspend
    - spi: sh-msiof: Fix handling of write value for SISTR register
    - spi: rspi: Fix invalid SPI use during system suspend
    - spi: rspi: Fix interrupted DMA transfers
    - regulator: fix crash caused by null driver data
    - USB: fix error handling in usb_driver_claim_interface()
    - USB: handle NULL config in usb_find_alt_setting()
    - usb: musb: dsps: do not disable CPPI41 irq in driver teardown
    - slub: make ->cpu_partial unsigned int
    - USB: usbdevfs: sanitize flags more
    - USB: usbdevfs: restore warning for nonsensical flags
    - USB: remove LPM management from usb_driver_claim_interface()
    - IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop
    - IB/hfi1: Fix SL array bounds check
    - IB/hfi1: Invalid user input can result in crash
    - IB/hfi1: Fix context recovery when PBC has an UnsupportedVL
    - RDMA/uverbs: Atomically flush and mark closed the comp event queue
    - ovl: hash non-dir by lower inode for fsnotify
    - drm/i915: Remove vma from object on destroy, not close
    - serial: imx: restore handshaking irq for imx1
    - qed: Wait for ready indication before rereading the shmem
    - qed: Wait for MCP halt and resume commands to take place
    - qed: Prevent a possible deadlock during driver load and unload
    - qed: Avoid sending mailbox commands when MFW is not responsive
    - thermal: of-thermal: disable passive polling when thermal zone is disabled
    - isofs: reject hardware sector size > 2048 bytes
    - tls: possible hang when do_tcp_sendpages hits sndbuf is full case
    - bpf: sockmap: write_space events need to be passed to TCP handler
    - net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES
    - e1000: check on netif_running() before calling e1000_up()
    - e1000: ensure to free old tx/rx rings in set_ringparam()
    - crypto: cavium/nitrox - fix for command corruption in queue full case with
      backlog submissions.
    - hwmon: (ina2xx) fix sysfs shunt resistor read access
    - hwmon: (adt7475) Make adt7475_read_word() return errors
    - Revert "ARM: dts: imx7d: Invert legacy PCI irq mapping"
    - drm/amdgpu: Enable/disable gfx PG feature in rlc safe mode
    - drm/amdgpu: Update power state at the end of smu hw_init.
    - ata: ftide010: Add a quirk for SQ201
    - nvme-fcloop: Fix dropped LS's to removed target port
    - ARM: dts: omap4-droid4: Fix emmc errors seen on some devices
    - arm/arm64: smccc-1.1: Make return values unsigned long
    - arm/arm64: smccc-1.1: Handle function result as parameters
    - i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus
    - x86/pti: Fix section mismatch warning/error
    - media: v4l: event: Prevent freeing event subscriptions while accessed
    - drm/amd/display/dc/dce: Fix multiple potential integer overflows
    - drm/amd/display: fix use of uninitialized memory
    - RDMA/bnxt_re: Fix a bunch of off by one bugs in qplib_fp.c
    - vhost_net: Avoid tx vring kicks during busyloop
    - thermal: i.MX: Allow thermal probe to fail gracefully in case of bad
      calibration.
    - platform/x86: asus-wireless: Fix uninitialized symbol usage
    - ACPI / button: increment wakeup count only when notified
    - media: ov772x: add checks for register read errors
    - media: ov772x: allow i2c controllers without I2C_FUNC_PROTOCOL_MANGLING
    - drm/omap: gem: Fix mm_list locking
    - ASoC: rsnd: SSI parent cares SWSP bit
    - staging: pi433: fix race condition in pi433_ioctl
    - perf tests: Fix indexing when invoking subtests
    - gpio: tegra: Fix tegra_gpio_irq_set_type()
    - block: fix deadline elevator drain for zoned block devices
    - serial: mvebu-uart: Fix reporting of effective CSIZE to userspace
    - intel_th: Fix resource handling for ACPI glue layer
    - ext2, dax: set ext2_dax_aops for dax files
    - IB/hfi1: Fix destroy_qp hang after a link down
    - ARM: OMAP2+: Fix null hwmod for ti-sysc debug
    - ARM: OMAP2+: Fix module address for modules using mpu_rt_idx
    - bus: ti-sysc: Fix module register ioremap for larger offsets
    - drm/amdgpu: fix preamble handling
    - amdgpu: fix multi-process hang issue
    - tcp_bbr: add bbr_check_probe_rtt_done() helper
    - tcp_bbr: in restart from idle, see if we should exit PROBE_RTT
    - net: hns3: fix page_offset overflow when CONFIG_ARM64_64K_PAGES
    - ixgbe: fix driver behaviour after issuing VFLR
    - powerpc/pseries: Fix unitialized timer reset on migration

* Kernel 4.15.0-50 or newer wont boot as Xen-DomU with PVH (LP: #1829378)
    - SAUCE: ACPI / bus: Fix NULL pointer dereference in
      acpi_quirk_matches_bios_ids()

* CVE-2019-10126
    - mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()

* CVE-2019-3846
    - mwifiex: Fix possible buffer overflows at parsing bss descriptor

* CVE-2019-12818
    - net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails

* CVE-2019-12984
    - nfc: Ensure presence of required attributes in the deactivate_target handler

* Bionic update: upstream stable patchset 2019-07-10 (LP: #1836117)
    - i2c: xiic: Make the start and the byte count write atomic
    - i2c: i801: fix DNV's SMBCTRL register offset
    - scsi: lpfc: Correct MDS diag and nvmet configuration
    - nbd: don't allow invalid blocksize settings
    - block: bfq: swap puts in bfqg_and_blkg_put
    - android: binder: fix the race mmap and alloc_new_buf_locked
    - MIPS: VDSO: Match data page cache colouring when D$ aliases
    - SMB3: Backup intent flag missing for directory opens with backupuid mounts
    - smb3: check for and properly advertise directory lease support
    - Btrfs: fix data corruption when deduplicating between different files
    - KVM: s390: vsie: copy wrapping keys to right place
    - KVM: VMX: Do not allow reexecute_instruction() when skipping MMIO instr
    - ALSA: hda - Fix cancel_work_sync() stall from jackpoll work
    - cpu/hotplug: Adjust misplaced smb() in cpuhp_thread_fun()
    - cpu/hotplug: Prevent state corruption on error rollback
    - x86/microcode: Make sure boot_cpu_data.microcode is up-to-date
    - x86/microcode: Update the new microcode revision unconditionally
    - crypto: aes-generic - fix aes-generic regression on powerpc
    - tpm: separate cmd_ready/go_idle from runtime_pm
    - ARC: [plat-axs*]: Enable SWAP
    - misc: mic: SCIF Fix scif_get_new_port() error handling
    - ethtool: Remove trailing semicolon for static inline
    - i2c: aspeed: Add an explicit type casting for *get_clk_reg_val
    - Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV
    - gpio: tegra: Move driver registration to subsys_init level
    - selftests/bpf: fix a typo in map in map test
    - media: davinci: vpif_display: Mix memory leak on probe error path
    - media: dw2102: Fix memleak on sequence of probes
    - net: phy: Fix the register offsets in Broadcom iProc mdio mux driver
    - blk-mq: fix updating tags depth
    - scsi: target: fix __transport_register_session locking
    - md/raid5: fix data corruption of replacements after originals dropped
    - timers: Clear timer_base::must_forward_clk with timer_base::lock held
    - media: camss: csid: Configure data type and decode format properly
    - gpu: ipu-v3: default to id 0 on missing OF alias
    - misc: ti-st: Fix memory leak in the error path of probe()
    - uio: potential double frees if __uio_register_device() fails
    - firmware: vpd: Fix section enabled flag on vpd_section_destroy
    - Drivers: hv: vmbus: Cleanup synic memory free path
    - tty: rocket: Fix possible buffer overwrite on register_PCI
    - f2fs: fix to active page in lru list for read path
    - f2fs: do not set free of current section
    - f2fs: fix defined but not used build warnings
    - perf tools: Allow overriding MAX_NR_CPUS at compile time
    - NFSv4.0 fix client reference leak in callback
    - perf c2c report: Fix crash for empty browser
    - perf evlist: Fix error out while applying initial delay and LBR
    - macintosh/via-pmu: Add missing mmio accessors
    - ath9k: report tx status on EOSP
    - ath9k_hw: fix channel maximum power level test
    - ath10k: prevent active scans on potential unusable channels
    - wlcore: Set rx_status boottime_ns field on rx
    - MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET
    - scsi: 3ware: fix return 0 on the error path of probe
    - tools/testing/nvdimm: kaddr and pfn can be NULL to ->direct_access()
    - ath10k: disable bundle mgmt tx completion event support
    - Bluetooth: hidp: Fix handling of strncpy for hid->name information
    - pinctrl: imx: off by one in imx_pinconf_group_dbg_show()
    - gpio: ml-ioh: Fix buffer underwrite on probe error path
    - pinctrl/amd: only handle irq if it is pending and unmasked
    - net: mvneta: fix mtu change on port without link
    - f2fs: try grabbing node page lock aggressively in sync scenario
    - f2fs: fix to skip GC if type in SSA and SIT is inconsistent
    - tpm_tis_spi: Pass the SPI IRQ down to the driver
    - tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
    - f2fs: fix to do sanity check with reserved blkaddr of inline inode
    - MIPS: Octeon: add missing of_node_put()
    - MIPS: generic: fix missing of_node_put()
    - net: dcb: For wild-card lookups, use priority -1, not 0
    - dm cache: only allow a single io_mode cache feature to be requested
    - Input: atmel_mxt_ts - only use first T9 instance
    - media: s5p-mfc: Fix buffer look up in s5p_mfc_handle_frame_{new, copy_time}
      functions
    - media: helene: fix xtal frequency setting at power on
    - f2fs: fix to wait on page writeback before updating page
    - f2fs: Fix uninitialized return in f2fs_ioc_shutdown()
    - iommu/ipmmu-vmsa: Fix allocation in atomic context
    - mfd: ti_am335x_tscadc: Fix struct clk memory leak
    - f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
    - NFSv4.1: Fix a potential layoutget/layoutrecall deadlock
    - MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON
    - RDMA/cma: Do not ignore net namespace for unbound cm_id
    - inet: frags: change inet_frags_init_net() return value
    - inet: frags: add a pointer to struct netns_frags
    - inet: frags: refactor ipfrag_init()
    - inet: frags: refactor ipv6_frag_init()
    - inet: frags: refactor lowpan_net_frag_init()
    - ipv6: export ip6 fragments sysctl to unprivileged users
    - rhashtable: add schedule points
    - inet: frags: use rhashtables for reassembly units
    - inet: frags: remove some helpers
    - inet: frags: get rif of inet_frag_evicting()
    - inet: frags: remove inet_frag_maybe_warn_overflow()
    - inet: frags: break the 2GB limit for frags storage
    - inet: frags: do not clone skb in ip_expire()
    - ipv6: frags: rewrite ip6_expire_frag_queue()
    - rhashtable: reorganize struct rhashtable layout
    - inet: frags: reorganize struct netns_frags
    - inet: frags: get rid of ipfrag_skb_cb/FRAG_CB
    - inet: frags: fix ip6frag_low_thresh boundary
    - ip: discard IPv4 datagrams with overlapping segments.
    - net: modify skb_rbtree_purge to return the truesize of all purged skbs.
    - ipv6: defrag: drop non-last frags smaller than min mtu
    - net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends
    - mtd: ubi: wl: Fix error return code in ubi_wl_init()
    - tun: fix use after free for ptr_ring
    - tuntap: fix use after free during release
    - autofs: fix autofs_sbi() does not check super block type
    - KVM: PPC: Book3S HV: Use correct pagesize in kvm_unmap_radix()
    - ARC: [plat-axs*/plat-hsdk]: Allow U-Boot to pass MAC-address to the kernel
    - x86/apic/vector: Make error return value negative
    - tc-testing: flush gact actions on test teardown
    - pinctrl: berlin: fix 'pctrl->functions' allocation in
      berlin_pinctrl_build_state
    - powerpc/4xx: Fix error return path in ppc4xx_msi_probe()
    - scsi: qla2xxx: Fix unintended Logout
    - iwlwifi: pcie: don't access periphery registers when not available
    - f2fs: Keep alloc_valid_block_count in sync
    - f2fs: issue discard align to section in LFS mode
    - device-dax: avoid hang on error before devm_memremap_pages()
    - regulator: tps65217: Fix NULL pointer dereference on probe
    - gpio: pxa: disable pinctrl calls for PXA3xx
    - thermal_hwmon: Sanitize attribute name passed to hwmon
    - f2fs: fix to do sanity check with extra_attr feature
    - RDMA/hns: Add illegal hop_num judgement
    - RDMA/hns: Update the data type of immediate data
    - be2net: Fix memory leak in be_cmd_get_profile_config()
    - net/mlx5: Fix use-after-free in self-healing flow
    - net: qca_spi: Fix race condition in spi transfers
    - rds: fix two RCU related problems
    - net/mlx5: Check for error in mlx5_attach_interface
    - net/mlx5: Fix debugfs cleanup in the device init/remove flow
    - net/mlx5: E-Switch, Fix memory leak when creating switchdev mode FDB tables
    - net/tls: Set count of SG entries if sk_alloc_sg returns -ENOSPC
    - erspan: fix error handling for erspan tunnel
    - erspan: return PACKET_REJECT when the appropriate tunnel is not found
    - tcp: really ignore MSG_ZEROCOPY if no SO_ZEROCOPY
    - usb: dwc3: change stream event enable bit back to 13
    - iommu/io-pgtable-arm-v7s: Abort allocation when table address overflows the
      PTE
    - ALSA: msnd: Fix the default sample sizes
    - ALSA: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro
    - xfrm: fix 'passing zero to ERR_PTR()' warning
    - amd-xgbe: use dma_mapping_error to check map errors
    - gfs2: Special-case rindex for gfs2_grow
    - clk: imx6ul: fix missing of_node_put()
    - clk: core: Potentially free connection id
    - clk: clk-fixed-factor: Clear OF_POPULATED flag in case of failure
    - kbuild: add .DELETE_ON_ERROR special target
    - media: tw686x: Fix oops on buffer alloc failure
    - dmaengine: pl330: fix irq race with terminate_all
    - MIPS: ath79: fix system restart
    - media: videobuf2-core: check for q->error in vb2_core_qbuf()
    - IB/rxe: Drop QP0 silently
    - block: allow max_discard_segments to be stacked
    - IB/ipoib: Fix error return code in ipoib_dev_init()
    - mtd/maps: fix solutionengine.c printk format warnings
    - media: ov5645: Supported external clock is 24MHz
    - perf test: Fix subtest number when showing results
    - gfs2: Don't reject a supposedly full bitmap if we have blocks reserved
    - perf tools: Synthesize GROUP_DESC feature in pipe mode
    - fbdev: omapfb: off by one in omapfb_register_client()
    - perf tools: Fix struct comm_str removal crash
    - video: goldfishfb: fix memory leak on driver remove
    - fbdev/via: fix defined but not used warning
    - perf powerpc: Fix callchain ip filtering when return address is in a
      register
    - video: fbdev: pxafb: clear allocated memory for video modes
    - fbdev: Distinguish between interlaced and progressive modes
    - ARM: exynos: Clear global variable on init error path
    - perf powerpc: Fix callchain ip filtering
    - nvme-rdma: unquiesce queues when deleting the controller
    - powerpc/powernv: opal_put_chars partial write fix
    - staging: bcm2835-camera: fix timeout handling in wait_for_completion_timeout
    - staging: bcm2835-camera: handle wait_for_completion_timeout return properly
    - ASoC: rt5514: Fix the issue of the delay volume applied
    - MIPS: jz4740: Bump zload address
    - mac80211: restrict delayed tailroom needed decrement
    - Smack: Fix handling of IPv4 traffic received by PF_INET6 sockets
    - wan/fsl_ucc_hdlc: use IS_ERR_VALUE() to check return value of qe_muram_alloc
    - reset: imx7: Fix always writing bits as 0
    - nfp: avoid buffer leak when FW communication fails
    - xen-netfront: fix queue name setting
    - arm64: dts: qcom: db410c: Fix Bluetooth LED trigger
    - ARM: dts: qcom: msm8974-hammerhead: increase load on l20 for sdhci
    - s390/qeth: fix race in used-buffer accounting
    - s390/qeth: reset layer2 attribute on layer switch
    - platform/x86: toshiba_acpi: Fix defined but not used build warnings
    - KVM: arm/arm64: Fix vgic init race
    - drivers/base: stop new probing during shutdown
    - i2c: aspeed: Fix initial values of master and slave state
    - dmaengine: mv_xor_v2: kill the tasklets upon exit
    - crypto: sharah - Unregister correct algorithms for SAHARA 3
    - xen-netfront: fix warn message as irq device name has '/'
    - RDMA/cma: Protect cma dev list with lock
    - pstore: Fix incorrect persistent ram buffer mapping
    - xen/netfront: fix waiting for xenbus state change
    - IB/ipoib: Avoid a race condition between start_xmit and cm_rep_handler
    - mmc: omap_hsmmc: fix wakeirq handling on removal
    - ipmi: Fix I2C client removal in the SSIF driver
    - Tools: hv: Fix a bug in the key delete code
    - xhci: Fix use after free for URB cancellation on a reallocated endpoint
    - usb: Don't die twice if PCI xhci host is not responding in resume
    - mei: ignore not found client in the enumeration
    - mei: bus: need to unlink client before freeing
    - USB: Add quirk to support DJI CineSSD
    - usb: uas: add support for more quirk flags
    - usb: Avoid use-after-free by flushing endpoints early in usb_set_interface()
    - usb: host: u132-hcd: Fix a sleep-in-atomic-context bug in u132_get_frame()
    - USB: add quirk for WORLDE Controller KS49 or Prodipe MIDI 49C USB controller
    - usb: gadget: udc: renesas_usb3: fix maxpacket size of ep0
    - USB: net2280: Fix erroneous synchronization change
    - USB: serial: io_ti: fix array underflow in completion handler
    - usb: misc: uss720: Fix two sleep-in-atomic-context bugs
    - USB: serial: ti_usb_3410_5052: fix array underflow in completion handler
    - USB: yurex: Fix buffer over-read in yurex_write()
    - Revert "cdc-acm: implement put_char() and flush_chars()"
    - cifs: prevent integer overflow in nxt_dir_entry()
    - CIFS: fix wrapping bugs in num_entries()
    - xtensa: ISS: don't allocate memory in platform_setup
    - perf/core: Force USER_DS when recording user stack data
    - NFSv4.1 fix infinite loop on I/O.
    - binfmt_elf: Respect error return from `regset->active'
    - net/mlx5: Add missing SET_DRIVER_VERSION command translation
    - arm64: dts: uniphier: Add missing cooling device properties for CPUs
    - audit: fix use-after-free in audit_add_watch
    - mtdchar: fix overflows in adjustment of `count`
    - Bluetooth: Use lock_sock_nested in bt_accept_enqueue
    - evm: Don't deadlock if a crypto algorithm is unavailable
    - KVM: PPC: Book3S HV: Add of_node_put() in success path
    - security: check for kstrdup() failure in lsm_append()
    - MIPS: loongson64: cs5536: Fix PCI_OHCI_INT_REG reads
    - configfs: fix registered group removal
    - pinctrl: rza1: Fix selector use for groups and functions
    - sched/core: Use smp_mb() in wake_woken_function()
    - efi/esrt: Only call efi_mem_reserve() for boot services memory
    - ARM: hisi: handle of_iomap and fix missing of_node_put
    - ARM: hisi: fix error handling and missing of_node_put
    - ARM: hisi: check of_iomap and fix missing of_node_put
    - liquidio: fix hang when re-binding VF host drv after running DPDK VF driver
    - gpu: ipu-v3: csi: pass back mbus_code_to_bus_cfg error codes
    - tty: fix termios input-speed encoding when using BOTHER
    - tty: fix termios input-speed encoding
    - mmc: sdhci-of-esdhc: set proper dma mask for ls104x chips
    - mmc: tegra: prevent HS200 on Tegra 3
    - mmc: sdhci: do not try to use 3.3V signaling if not supported
    - drm/nouveau: Fix runtime PM leak in drm_open()
    - drm/nouveau/debugfs: Wake up GPU before doing any reclocking
    - drm/nouveau: tegra: Detach from ARM DMA/IOMMU mapping
    - parport: sunbpp: fix error return code
    - sched/fair: Fix util_avg of new tasks for asymmetric systems
    - coresight: Handle errors in finding input/output ports
    - coresight: tpiu: Fix disabling timeouts
    - coresight: ETM: Add support for Arm Cortex-A73 and Cortex-A35
    - staging: bcm2835-audio: Don't leak workqueue if open fails
    - gpio: pxa: Fix potential NULL dereference
    - gpiolib: Mark gpio_suffixes array with __maybe_unused
    - mfd: 88pm860x-i2c: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
    - input: rohm_bu21023: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
    - drm/amdkfd: Fix error codes in kfd_get_process
    - rtc: bq4802: add error handling for devm_ioremap
    - ALSA: pcm: Fix snd_interval_refine first/last with open min/max
    - scsi: libfc: fixup 'sleeping function called from invalid context'
    - drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
    - blk-mq: only attempt to merge bio if there is rq in sw queue
    - blk-mq: avoid to synchronize rcu inside blk_cleanup_queue()
    - pinctrl: msm: Fix msm_config_group_get() to be compliant
    - pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant
    - clk: tegra: bpmp: Don't crash when a clock fails to register
    - mei: bus: type promotion bug in mei_nfc_if_version()
    - earlycon: Initialize port->uartclk based on clock-frequency property
    - earlycon: Remove hardcoded port->uartclk initialization in of_setup_earlycon
    - net/ipv6: prevent use after free in ip6_route_mpath_notify
    - Partial revert "e1000e: Avoid receiver overrun interrupt bursts"
    - e1000e: Fix queue interrupt re-raising in Other interrupt
    - e1000e: Avoid missed interrupts following ICR read
    - Revert "e1000e: Separate signaling for link check/link up"
    - e1000e: Fix link check race condition
    - e1000e: Fix check_for_link return value with autoneg off
    - tipc: orphan sock in tipc_release()
    - net/mlx5: Fix not releasing read lock when adding flow rules
    - iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register
    - iwlwifi: cancel the injective function between hw pointers to tfd entry
      index
    - kbuild: do not update config when running install targets
    - omapfb: rename omap2 module to omap2fb.ko
    - [Config] Rename omapfb to omap2fb
    - perf script: Show correct offsets for DWARF-based unwinding
    - iommu/ipmmu-vmsa: IMUCTRn.TTSEL needs a special usage on R-Car Gen3
    - ipmi: Move BT capabilities detection to the detect call
    - ovl: fix oopses in ovl_fill_super() failure paths
    - usb: xhci: fix interrupt transfer error happened on MTK platforms
    - usb: mtu3: fix error of xhci port id when enable U3 dual role
    - dm verity: fix crash on bufio buffer that was allocated with vmalloc
    - cifs: integer overflow in in SMB2_ioctl()
    - perf tools: Fix maps__find_symbol_by_name()
    - NFSv4: Fix a tracepoint Oops in initiate_file_draining()
    - of: add helper to lookup compatible child node
    - mmc: meson-mx-sdio: fix OF child-node lookup
    - bpf: fix rcu annotations in compute_effective_progs()
    - spi: dw: fix possible race condition
    - PM / devfreq: use put_device() instead of kfree()
    - ASoC: hdmi-codec: fix routing
    - drm/amd/display: support access ddc for mst branch
    - rcutorture: Use monotonic timestamp for stall detection
    - selftests: vDSO - fix to return KSFT_SKIP when test couldn't be run
    - selftests/android: initialize heap_type to avoid compiling warning
    - scsi: lpfc: Fix NVME Target crash in defer rcv logic
    - scsi: lpfc: Fix panic if driver unloaded when port is offline
    - arm64: perf: Disable PMU while processing counter overflows
    - staging: fsl-dpaa2/eth: Fix DMA mapping direction
    - block/DAC960.c: fix defined but not used build warnings
    - IB/mlx5: fix uaccess beyond "count" in debugfs read/write handlers

* Bionic update: upstream stable patchset 2019-07-09 (LP: #1835972)
    - vti6: fix PMTU caching and reporting on xmit
    - xfrm: fix missing dst_release() after policy blocking lbcast and multicast
    - xfrm: free skb if nlsk pointer is NULL
    - esp6: fix memleak on error path in esp6_input
    - mac80211: add stations tied to AP_VLANs during hw reconfig
    - ext4: clear mmp sequence number when remounting read-only
    - nl80211: Add a missing break in parse_station_flags
    - drm/bridge: adv7511: Reset registers on hotplug
    - scsi: target: iscsi: cxgbit: fix max iso npdu calculation
    - scsi: libiscsi: fix possible NULL pointer dereference in case of TMF
    - drm/imx: imx-ldb: disable LDB on driver bind
    - drm/imx: imx-ldb: check if channel is enabled before printing warning
    - nbd: don't requeue the same request twice.
    - nbd: handle unexpected replies better
    - usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in
      init_controller()
    - usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in
      r8a66597_queue()
    - usb: gadget: f_uac2: fix error handling in afunc_bind (again)
    - usb: gadget: u_audio: fix pcm/card naming in g_audio_setup()
    - usb: gadget: u_audio: update hw_ptr in iso_complete after data copied
    - usb: gadget: u_audio: remove caching of stream buffer parameters
    - usb: gadget: u_audio: remove cached period bytes value
    - usb: gadget: u_audio: protect stream runtime fields with stream spinlock
    - usb/phy: fix PPC64 build errors in phy-fsl-usb.c
    - tools: usb: ffs-test: Fix build on big endian systems
    - usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3'
    - netfilter: nft_set_hash: add rcu_barrier() in the nft_rhash_destroy()
    - bpf, ppc64: fix unexpected r0=0 exit path inside bpf_xadd
    - netfilter: nf_tables: fix memory leaks on chain rename
    - netfilter: nf_tables: don't allow to rename to already-pending name
    - KVM: vmx: use local variable for current_vmptr when emulating VMPTRST
    - tools/power turbostat: fix -S on UP systems
    - net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
    - qed: Fix link flap issue due to mismatching EEE capabilities.
    - qed: Fix possible race for the link state value.
    - qed: Correct Multicast API to reflect existence of 256 approximate buckets.
    - atl1c: reserve min skb headroom
    - net: prevent ISA drivers from building on PPC32
    - can: mpc5xxx_can: check of_iomap return before use
    - can: m_can: Move accessing of message ram to after clocks are enabled
    - i2c: davinci: Avoid zero value of CLKH
    - perf/x86/amd/ibs: Don't access non-started event
    - media: staging: omap4iss: Include asm/cacheflush.h after generic includes
    - bnx2x: Fix invalid memory access in rss hash config path.
    - net: axienet: Fix double deregister of mdio
    - locking/rtmutex: Allow specifying a subclass for nested locking
    - i2c/mux, locking/core: Annotate the nested rt_mutex usage
    - sched/rt: Restore rt_runtime after disabling RT_RUNTIME_SHARE
    - x86/boot: Fix if_changed build flip/flop bug
    - selftests/ftrace: Add snapshot and tracing_on test case
    - ipc/sem.c: prevent queue.status tearing in semop
    - zswap: re-check zswap_is_full() after do zswap_shrink()
    - tools/power turbostat: Read extended processor family from CPUID
    - ARC: dma [non-IOC] setup SMP_CACHE_BYTES and cache_line_size
    - bpf: use GFP_ATOMIC instead of GFP_KERNEL in bpf_parse_prog()
    - nfp: flower: fix port metadata conversion bug
    - enic: handle mtu change for vf properly
    - ARC: [plat-eznps] Add missing struct nps_host_reg_aux_dpc
    - arc: [plat-eznps] fix data type errors in platform headers
    - arc: [plat-eznps] fix printk warning in arc/plat-eznps/mtm.c
    - arc: fix build errors in arc/include/asm/delay.h
    - arc: fix type warnings in arc/mm/cache.c
    - sparc/time: Add missing __init to init_tick_ops()
    - sparc: use asm-generic version of msi.h
    - enic: do not call enic_change_mtu in enic_probe
    - mm: delete historical BUG from zap_pmd_range()
    - drivers: net: lmc: fix case value for target abort error
    - memcg: remove memcg_cgroup::id from IDR on mem_cgroup_css_alloc() failure
    - gpiolib-acpi: make sure we trigger edge events at least once on boot
    - scsi: fcoe: fix use-after-free in fcoe_ctlr_els_send
    - scsi: fcoe: drop frames in ELS LOGO error path
    - scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED
    - mm/memory.c: check return value of ioremap_prot
    - mei: don't update offset in write
    - cifs: add missing debug entries for kconfig options
    - cifs: check kmalloc before use
    - smb3: enumerating snapshots was leaving part of the data off end
    - smb3: Do not send SMB3 SET_INFO if nothing changed
    - smb3: don't request leases in symlink creation and query
    - smb3: fill in statfs fsid and correct namelen
    - btrfs: use correct compare function of dirty_metadata_bytes
    - btrfs: don't leak ret from do_chunk_alloc
    - Btrfs: fix btrfs_write_inode vs delayed iput deadlock
    - iommu/arm-smmu: Error out only if not enough context interrupts
    - printk: Split the code for storing a message into the log buffer
    - printk: Create helper function to queue deferred console handling
    - printk/nmi: Prevent deadlock when accessing the main log buffer in NMI
    - kprobes/arm64: Fix %p uses in error messages
    - arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()
    - arm64: dts: rockchip: corrected uart1 clock-names for rk3328
    - KVM: arm/arm64: Skip updating PMD entry if no change
    - KVM: arm/arm64: Skip updating PTE entry if no change
    - stop_machine: Reflow cpu_stop_queue_two_works()
    - ext4: check for NUL characters in extended attribute's name
    - ext4: sysfs: print ext4_super_block fields as little-endian
    - ext4: reset error code in ext4_find_entry in fallback
    - platform/x86: ideapad-laptop: Apply no_hw_rfkill to Y20-15IKBM, too
    - x86/vdso: Fix vDSO build if a retpoline is emitted
    - x86/process: Re-export start_thread()
    - x86/kvm/vmx: Remove duplicate l1d flush definitions
    - fuse: Add missed unlock_page() to fuse_readpages_fill()
    - udl-kms: change down_interruptible to down
    - udl-kms: handle allocation failure
    - udl-kms: fix crash due to uninitialized memory
    - udl-kms: avoid division
    - b43legacy/leds: Ensure NUL-termination of LED name string
    - b43/leds: Ensure NUL-termination of LED name string
    - ASoC: dpcm: don't merge format from invalid codec dai
    - ASoC: zte: Fix incorrect PCM format bit usages
    - ASoC: sirf: Fix potential NULL pointer dereference
    - pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show()
    - x86/vdso: Fix lsl operand order
    - x86/irqflags: Mark native_restore_fl extern inline
    - x86/entry/64: Wipe KASAN stack shadow before rewind_stack_do_exit()
    - s390/mm: fix addressing exception after suspend/resume
    - s390/numa: move initial setup of node_to_cpumask_map
    - kprobes/arm: Fix %p uses in error messages
    - kprobes: Make list and blacklist root user read only
    - MIPS: Correct the 64-bit DSP accumulator register size
    - MIPS: Always use -march=<arch>, not -<arch> shortcuts
    - MIPS: Change definition of cpu_relax() for Loongson-3
    - MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7
    - tpm: Return the actual size when receiving an unsupported command
    - scsi: mpt3sas: Fix _transport_smp_handler() error path
    - scsi: sysfs: Introduce sysfs_{un,}break_active_protection()
    - scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock
    - clk: rockchip: fix clk_i2sout parent selection bits on rk3399
    - PM / clk: signedness bug in of_pm_clk_add_clks()
    - power: generic-adc-battery: fix out-of-bounds write when copying channel
      properties
    - power: generic-adc-battery: check for duplicate properties copied from iio
      channels
    - watchdog: Mark watchdog touch functions as notrace
    - gcc-plugins: Add include required by GCC release 8
    - gcc-plugins: Use dynamic initializers
    - Btrfs: fix send failure when root has deleted files still open
    - Btrfs: send, fix incorrect file layout after hole punching beyond eof
    - hwmon: (k10temp) 27C Offset needed for Threadripper2
    - KVM: arm/arm64: Fix potential loss of ptimer interrupts
    - KVM: arm/arm64: Fix lost IRQs from emulated physcial timer when blocked
    - perf kvm: Fix subcommands on s390
    - ext4: use ext4_warning() for sb_getblk failure
    - platform/x86: wmi: Do not mix pages and kmalloc
    - KVM: x86: ensure all MSRs can always be KVM_GET/SET_MSR'd
    - lib/vsprintf: Do not handle %pO[^F] as %px
    - soc: qcom: rmtfs-mem: fix memleak in probe error paths
    - kprobes: Show blacklist addresses as same as kallsyms does
    - kprobes: Replace %p with other pointer types
    - MIPS: memset.S: Fix byte_fixup for MIPSr6
    - mtd: rawnand: qcom: wait for desc completion in all BAM channels
    - net: 6lowpan: fix reserved space for single frames
    - net: mac802154: tx: expand tailroom if necessary
    - 9p/net: Fix zero-copy path in the 9p virtio transport
    - spi: davinci: fix a NULL pointer dereference
    - spi: pxa2xx: Add support for Intel Ice Lake
    - spi: spi-fsl-dspi: Fix imprecise abort on VF500 during probe
    - spi: cadence: Change usleep_range() to udelay(), for atomic context
    - mmc: renesas_sdhi_internal_dmac: fix #define RST_RESERVED_BITS
    - readahead: stricter check for bdi io_pages
    - block: blk_init_allocated_queue() set q->fq as NULL in the fail case
    - block: really disable runtime-pm for blk-mq
    - drm/i915/userptr: reject zero user_size
    - libertas: fix suspend and resume for SDIO connected cards
    - media: Revert "[media] tvp5150: fix pad format frame height"
    - mailbox: xgene-slimpro: Fix potential NULL pointer dereference
    - Replace magic for trusting the secondary keyring with #define
    - powerpc/fadump: handle crash memory ranges array index overflow
    - powerpc/pseries: Fix endianness while restoring of r3 in MCE handler.
    - PCI: Add wrappers for dev_printk()
    - cxl: Fix wrong comparison in cxl_adapter_context_get()
    - ib_srpt: Fix a use-after-free in srpt_close_ch()
    - RDMA/rxe: Set wqe->status correctly if an unexpected response is received
    - 9p: fix multiple NULL-pointer-dereferences
    - fs/9p/xattr.c: catch the error of p9_client_clunk when setting xattr failed
    - 9p/virtio: fix off-by-one error in sg list bounds check
    - net/9p/client.c: version pointer uninitialized
    - net/9p/trans_fd.c: fix race-condition by flushing workqueue before the
      kfree()
    - dm integrity: change 'suspending' variable from bool to int
    - dm thin: stop no_space_timeout worker when switching to write-mode
    - dm cache metadata: save in-core policy_hint_size to on-disk superblock
    - dm cache metadata: set dirty on all cache blocks after a crash
    - dm crypt: don't decrease device limits
    - uart: fix race between uart_put_char() and uart_shutdown()
    - Drivers: hv: vmbus: Reset the channel callback in vmbus_onoffer_rescind()
    - iio: sca3000: Fix missing return in switch
    - iio: ad9523: Fix displayed phase
    - iio: ad9523: Fix return value for ad952x_store()
    - extcon: Release locking when sending the notification of connector state
    - vmw_balloon: fix inflation of 64-bit GFNs
    - vmw_balloon: do not use 2MB without batching
    - vmw_balloon: VMCI_DOORBELL_SET does not check status
    - vmw_balloon: fix VMCI use when balloon built into kernel
    - rtc: omap: fix potential crash on power off
    - tracing: Do not call start/stop() functions when tracing_on does not change
    - tracing/blktrace: Fix to allow setting same value
    - printk/tracing: Do not trace printk_nmi_enter()
    - livepatch: Validate module/old func name length
    - uprobes: Use synchronize_rcu() not synchronize_sched()
    - mfd: hi655x: Fix regmap area declared size for hi655x
    - ovl: fix wrong use of impure dir cache in ovl_iterate()
    - drivers/block/zram/zram_drv.c: fix bug storing backing_dev
    - cpufreq: governor: Avoid accessing invalid governor_data
    - PM / sleep: wakeup: Fix build error caused by missing SRCU support
    - KVM: PPC: Book3S: Fix guest DMA when guest partially backed by THP pages
    - xtensa: limit offsets in __loop_cache_{all,page}
    - xtensa: increase ranges in ___invalidate_{i,d}cache_all
    - block, bfq: return nbytes and not zero from struct cftype .write() method
    - pnfs/blocklayout: off by one in bl_map_stripe()
    - NFSv4 client live hangs after live data migration recovery
    - NFSv4: Fix locking in pnfs_generic_recover_commit_reqs
    - NFSv4: Fix a sleep in atomic context in nfs4_callback_sequence()
    - ARM: tegra: Fix Tegra30 Cardhu PCA954x reset
    - iommu/vt-d: Add definitions for PFSID
    - iommu/vt-d: Fix dev iotlb pfsid use
    - sys: don't hold uts_sem while accessing userspace memory
    - userns: move user access out of the mutex
    - ubifs: Fix memory leak in lprobs self-check
    - ubifs: Check data node size before truncate
    - ubifs: Fix synced_i_size calculation for xattr inodes
    - pwm: tiehrpwm: Don't use emulation mode bits to control PWM output
    - pwm: tiehrpwm: Fix disabling of output of PWMs
    - fb: fix lost console when the user unplugs a USB adapter
    - udlfb: set optimal write delay
    - libnvdimm: fix ars_status output length calculation
    - bcache: release dc->writeback_lock properly in bch_writeback_thread()
    - perf auxtrace: Fix queue resize
    - crypto: caam - fix DMA mapping direction for RSA forms 2 & 3
    - crypto: caam/jr - fix descriptor DMA unmapping
    - crypto: caam/qi - fix error path in xts setkey
    - arm64: mm: always enable CONFIG_HOLES_IN_ZONE
    - mmc: renesas_sdhi_internal_dmac: mask DMAC interrupts
    - blkcg: Introduce blkg_root_lookup()
    - powerpc64/ftrace: Include ftrace.h needed for enable/disable calls
    - IB/mlx5: Fix leaking stack memory to userspace
    - rtc: omap: fix resource leak in registration error path
    - ACPICA: AML Parser: skip opcodes that open a scope upon parse failure
    - ALSA: ac97: fix device initialization in the compat layer
    - ALSA: ac97: fix check of pm_runtime_get_sync failure
    - ALSA: ac97: fix unbalanced pm_runtime_enable
    - nfsd: fix leaked file lock with nfs exported overlayfs
    - ubifs: Fix directory size calculation for symlinks
    - mm, dev_pagemap: Do not clear ->mapping on final put
    - act_ife: fix a potential use-after-free
    - ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT
      state
    - net: bcmgenet: use MAC link status for fixed phy
    - net: macb: do not disable MDIO bus at open/close time
    - qlge: Fix netdev features configuration.
    - r8169: add support for NCube 8168 network card
    - tcp: do not restart timewait timer on rst reception
    - vti6: remove !skb->ignore_df check from vti6_xmit()
    - net/sched: act_pedit: fix dump of extended layered op
    - tipc: fix a missing rhashtable_walk_exit()
    - nfp: wait for posted reconfigs when disabling the device
    - sctp: hold transport before accessing its asoc in sctp_transport_get_next
    - mlxsw: spectrum_switchdev: Do not leak RIFs when removing bridge
    - vhost: correctly check the iova range when waking virtqueue
    - hv_netvsc: ignore devices that are not PCI
    - act_ife: move tcfa_lock down to where necessary
    - act_ife: fix a potential deadlock
    - net: sched: action_ife: take reference to meta module
    - cifs: check if SMB2 PDU size has been padded and suppress the warning
    - hfsplus: don't return 0 when fill_super() failed
    - hfs: prevent crash on exit from failed search
    - sunrpc: Don't use stack buffer with scatterlist
    - fork: don't copy inconsistent signal handler state to child
    - reiserfs: change j_timestamp type to time64_t
    - hfsplus: fix NULL dereference in hfsplus_lookup()
    - fs/proc/kcore.c: use __pa_symbol() for KCORE_TEXT list entries
    - fat: validate ->i_start before using
    - scripts: modpost: check memory allocation results
    - virtio: pci-legacy: Validate queue pfn
    - x86/mce: Add notifier_block forward declaration
    - IB/hfi1: Invalid NUMA node information can cause a divide by zero
    - pwm: meson: Fix mux clock names
    - mm/fadvise.c: fix signed overflow UBSAN complaint
    - fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot()
    - platform/x86: intel_punit_ipc: fix build errors
    - netfilter: ip6t_rpfilter: set F_IFACE for linklocal addresses
    - s390/kdump: Fix memleak in nt_vmcoreinfo
    - ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()
    - mfd: sm501: Set coherent_dma_mask when creating subdevices
    - platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360
    - netfilter: fix memory leaks on netlink_dump_start error
    - tcp, ulp: add alias for all ulp modules
    - RDMA/hns: Fix usage of bitmap allocation functions return values
    - net: hns3: Fix for command format parsing error in
      hclge_is_all_function_id_zero
    - perf tools: Check for null when copying nsinfo.
    - irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP
    - net/9p/trans_fd.c: fix race by holding the lock
    - net/9p: fix error path of p9_virtio_probe
    - powerpc/uaccess: Enable get_user(u64, *p) on 32-bit
    - powerpc: Fix size calculation using resource_size()
    - perf probe powerpc: Fix trace event post-processing
    - block: bvec_nr_vecs() returns value for wrong slab
    - s390/dasd: fix hanging offline processing due to canceled worker
    - s390/dasd: fix panic for failed online processing
    - ACPI / scan: Initialize status to ACPI_STA_DEFAULT
    - scsi: aic94xx: fix an error code in aic94xx_init()
    - NFSv4: Fix error handling in nfs4_sp4_select_mode()
    - Input: do not use WARN() in input_alloc_absinfo()
    - xen/balloon: fix balloon initialization for PVH Dom0
    - PCI: mvebu: Fix I/O space end address calculation
    - dm kcopyd: avoid softlockup in run_complete_job
    - staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice
    - ASoC: rt5677: Fix initialization of rt5677_of_match.data
    - iommu/omap: Fix cache flushes on L2 table entries
    - selftests/powerpc: Kill child processes on SIGINT
    - RDS: IB: fix 'passing zero to ERR_PTR()' warning
    - cfq: Suppress compiler warnings about comparisons
    - smb3: fix reset of bytes read and written stats
    - SMB3: Number of requests sent should be displayed for SMB3 not just CIFS
    - powerpc/platforms/85xx: fix t1042rdb_diu.c build errors & warning
    - powerpc/64s: Make rfi_flush_fallback a little more robust
    - powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX.
    - clk: rockchip: Add pclk_rkpwm_pmu to PMU critical clocks in rk3399
    - KVM: vmx: track host_state.loaded using a loaded_vmcs pointer
    - kvm: nVMX: Fix fault vector for VMX operation at CPL > 0
    - btrfs: Exit gracefully when chunk map cannot be inserted to the tree
    - btrfs: replace: Reset on-disk dev stats value after replace
    - btrfs: relocation: Only remove reloc rb_trees if reloc control has been
      initialized
    - btrfs: Don't remove block group that still has pinned down bytes
    - arm64: rockchip: Force CONFIG_PM on Rockchip systems
    - ARM: rockchip: Force CONFIG_PM on Rockchip systems
    - drm/i915/lpe: Mark LPE audio runtime pm as "no callbacks"
    - drm/amdgpu: Fix RLC safe mode test in gfx_v9_0_enter_rlc_safe_mode
    - drm/amd/pp/Polaris12: Fix a chunk of registers missed to program
    - drm/amdgpu: update tmr mc address
    - drm/amdgpu:add tmr mc address into amdgpu_firmware_info
    - drm/amdgpu:add new firmware id for VCN
    - drm/amdgpu:add VCN support in PSP driver
    - drm/amdgpu:add VCN booting with firmware loaded by PSP
    - debugobjects: Make stack check warning more informative
    - mm: Fix devm_memremap_pages() collision handling
    - HID: add quirk for another PIXART OEM mouse used by HP
    - usb: dwc3: core: Fix ULPI PHYs and prevent phy_get/ulpi_init during
      suspend/resume
    - x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear
    - x86/xen: don't write ptes directly in 32-bit PV guests
    - drm/i915: Increase LSPCON timeout
    - kbuild: make missing $DEPMOD a Warning instead of an Error
    - kvm: x86: Set highest physical address bits in non-present/reserved SPTEs
    - x86: kvm: avoid unused variable warning
    - arm64: cpu_errata: include required headers
    - ASoC: wm8994: Fix missing break in switch
    - arm64: Fix mismatched cache line size detection
    - arm64: Handle mismatched cache type
    - tipc: fix the big/little endian issue in tipc_dest
    - ip6_vti: fix a null pointer deference when destroy vti6 tunnel
    - workqueue: skip lockdep wq dependency in cancel_work_sync()
    - workqueue: re-add lockdep dependencies for flushing
    - apparmor: fix an error code in __aa_create_ns()
    - tcp, ulp: fix leftover icsk_ulp_ops preventing sock from reattach
    - netfilter: x_tables: do not fail xt_alloc_table_info too easilly
    - ACPICA: ACPICA: add status check for acpi_hw_read before assigning return
      value
    - PCI: Match Root Port's MPS to endpoint's MPSS as necessary
    - coccicheck: return proper error code on fail
    - RISC-V: Use KBUILD_CFLAGS instead of KCFLAGS when building the vDSO
    - blk-mq: count the hctx as active before allocating tag
    - selinux: cleanup dentry and inodes on error in selinuxfs
    - drm/amd/display: Read back max backlight value at boot
    - btrfs: check-integrity: Fix NULL pointer dereference for degraded mount
    - btrfs: lift uuid_mutex to callers of btrfs_open_devices
    - btrfs: Fix a C compliance issue
    - drm/i915: Nuke the LVDS lid notifier
    - drm/edid: Quirk Vive Pro VR headset non-desktop.
    - drm/amd/display: fix type of variable
    - drm/amd/display: Don't share clk source between DP and HDMI
    - drm/amd/display: update clk for various HDMI color depths
    - drm/amd/display: Use requested HDMI aspect ratio
    - drm/rockchip: lvds: add missing of_node_put
    - drm/amd/display: Pass connector id when executing VBIOS CT
    - drm/amd/display: Check if clock source in use before disabling
    - drm/amdgpu: fix incorrect use of fcheck
    - drm/amdgpu: fix incorrect use of drm_file->pid
    - drm/i915: set DP Main Stream Attribute for color range on DDI platforms
    - x86/tsc: Prevent result truncation on 32bit

* [Regression] Colour banding appears on Lenovo B50-80 integrated display
    (LP: #1788308) // Bionic update: upstream stable patchset 2019-07-09
    (LP: #1835972)
    - drm/edid: Add 6 bpc quirk for SDC panel in Lenovo B50-80

* CVE-2019-12819
    - mdio_bus: Fix use-after-free on device_register fails

* proc_thermal flooding dmesg (LP: #1824690)
    - drivers: thermal: processor_thermal: Downgrade error message

* Bionic update: upstream stable patchset 2019-07-08 (LP: #1835845)
    - bonding: avoid lockdep confusion in bond_get_stats()
    - inet: frag: enforce memory limits earlier
    - ipv4: frags: handle possible skb truesize change
    - net: dsa: Do not suspend/resume closed slave_dev
    - net: stmmac: Fix WoL for PCI-based setups
    - rxrpc: Fix user call ID check in rxrpc_service_prealloc_one
    - can: ems_usb: Fix memory leak on ems_usb_disconnect()
    - virtio_balloon: fix another race between migration and ballooning
    - x86/apic: Future-proof the TSC_DEADLINE quirk for SKX
    - kvm: x86: vmx: fix vpid leak
    - audit: fix potential null dereference 'context->module.name'
    - userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails
    - RDMA/uverbs: Expand primary and alt AV port checks
    - crypto: padlock-aes - Fix Nano workaround data corruption
    - drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar formats
    - scsi: sg: fix minor memory leak in error path
    - net/mlx5e: E-Switch, Initialize eswitch only if eswitch manager
    - net/mlx5e: Set port trust mode to PCP as default
    - x86/efi: Access EFI MMIO data as unencrypted when SEV is active
    - drm/atomic: Check old_plane_state->crtc in drm_atomic_helper_async_check()
    - drm/atomic: Initialize variables in drm_atomic_helper_async_check() to make
      gcc happy
    - scsi: qla2xxx: Fix unintialized List head crash
    - scsi: qla2xxx: Fix NPIV deletion by calling wait_for_sess_deletion
    - scsi: qla2xxx: Fix ISP recovery on unload
    - scsi: qla2xxx: Return error when TMF returns
    - genirq: Make force irq threading setup more robust
    - nohz: Fix local_timer_softirq_pending()
    - nohz: Fix missing tick reprogram when interrupting an inline softirq
    - ring_buffer: tracing: Inherit the tracing setting to next ring buffer
    - i2c: imx: Fix reinit_completion() use
    - Btrfs: fix file data corruption after cloning a range and fsync
    - nvme-pci: allocate device queues storage space at probe
    - nvme-pci: Fix queue double allocations
    - xfs: catch inode allocation state mismatch corruption
    - xfs: validate cached inodes are free when allocated
    - perf/x86/intel/uncore: Fix hardcoded index of Broadwell extra PCI devices
    - parisc: Enable CONFIG_MLONGCALLS by default
    - parisc: Define mb() and add memory barriers to assembler unlock sequences
    - kasan: add no_sanitize attribute for clang builds
    - Mark HI and TASKLET softirq synchronous
    - xen/netfront: don't cache skb_shinfo()
    - scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management
      enabled
    - scsi: qla2xxx: Fix memory leak for allocating abort IOCB
    - init: rename and re-order boot_cpu_state_init()
    - root dentries need RCU-delayed freeing
    - make sure that __dentry_kill() always invalidates d_seq, unhashed or not
    - fix mntput/mntput race
    - fix __legitimize_mnt()/mntput() race
    - mtd: nand: qcom: Add a NULL check for devm_kasprintf()
    - phy: phy-mtk-tphy: use auto instead of force to bypass utmi signals
    - ARM: dts: imx6sx: fix irq for pcie bridge
    - kprobes/x86: Fix %p uses in error messages
    - x86/irqflags: Provide a declaration for native_save_fl
    - x86/apic: Ignore secondary threads if nosmt=force
    - x86/mm/kmmio: Make the tracer robust against L1TF
    - tools headers: Synchronise x86 cpufeatures.h for L1TF additions
    - x86/microcode: Allow late microcode loading with SMT disabled
    - x86/smp: fix non-SMP broken build due to redefinition of
      apic_id_is_primary_thread
    - cpu/hotplug: Non-SMP machines do not make use of booted_once
    - sched/deadline: Update rq_clock of later_rq when pushing a task
    - zram: remove BD_CAP_SYNCHRONOUS_IO with writeback feature
    - x86/l1tf: Fix build error seen if CONFIG_KVM_INTEL is disabled
    - x86: i8259: Add missing include file
    - kbuild: verify that $DEPMOD is installed
    - crypto: x86/sha256-mb - fix digest copy in sha256_mb_mgr_get_comp_job_avx2()
    - crypto: vmac - require a block cipher with 128-bit block size
    - crypto: vmac - separate tfm and request context
    - crypto: blkcipher - fix crash flushing dcache in error path
    - crypto: ablkcipher - fix crash flushing dcache in error path
    - crypto: skcipher - fix aligning block size in skcipher_copy_iv()
    - crypto: skcipher - fix crash flushing dcache in error path
    - x86/platform/UV: Mark memblock related init code and data correctly
    - dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart()
    - l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache
    - llc: use refcount_inc_not_zero() for llc_sap_find()
    - vsock: split dwork to avoid reinitializations
    - net_sched: Fix missing res info when create new tc_index filter
    - vhost: reset metadata cache when initializing new IOTLB
    - ip6_tunnel: use the right value for ipv4 min mtu check in ip6_tnl_xmit
    - net: aquantia: Fix IFF_ALLMULTI flag functionality
    - ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs
    - ALSA: hda - Turn CX8200 into D3 as well upon reboot
    - ALSA: vx222: Fix invalid endian conversions
    - ALSA: virmidi: Fix too long output trigger loop
    - ALSA: cs5535audio: Fix invalid endian conversion
    - ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry
    - ALSA: memalloc: Don't exceed over the requested size
    - ALSA: vxpocket: Fix invalid endian conversions
    - USB: serial: sierra: fix potential deadlock at close
    - USB: serial: pl2303: add a new device id for ATEN
    - ACPI / PM: save NVS memory for ASUS 1025C laptop
    - tty: serial: 8250: Revert NXP SC16C2552 workaround
    - serial: 8250_exar: Read INT0 from slave device, too
    - serial: 8250_dw: always set baud rate in dw8250_set_termios
    - serial: 8250_dw: Add ACPI support for uart on Broadcom SoC
    - misc: sram: fix resource leaks in probe error path
    - Bluetooth: avoid killing an already killed socket
    - isdn: Disable IIOCDBGVAR
    - cls_matchall: fix tcf_unbind_filter missing
    - mlxsw: core_acl_flex_actions: Return error for conflicting actions
    - ip_vti: fix a null pointer deferrence when create vti fallback tunnel
    - net: ethernet: mvneta: Fix napi structure mixup on armada 3700
    - net: mvneta: fix mvneta_config_rss on armada 3700
    - EDAC: Add missing MEM_LRDDR4 entry in edac_mem_types[]
    - pty: fix O_CLOEXEC for TIOCGPTPEER
    - arm: dts: armada: Fix "#cooling-cells" property's name
    - vfio: ccw: fix error return in vfio_ccw_sch_event
    - perf tools: Fix error index for pmu event parser
    - Input: synaptics-rmi4 - fix axis-swap behavior
    - IB/mlx4: Fix an error handling path in 'mlx4_ib_rereg_user_mr()'
    - drm/bridge/sii8620: fix loops in EDID fetch logic
    - drm/bridge/sii8620: fix potential buffer overflow
    - ARC: Explicitly add -mmedium-calls to CFLAGS
    - hwmon: (nct6775) Fix loop limit
    - soc: imx: gpcv2: correct PGC offset
    - usb: dwc3: pci: add support for Intel IceLake
    - usb: dwc2: gadget: Fix issue in dwc2_gadget_start_isoc()
    - usb: dwc3: of-simple: fix use-after-free on remove
    - ACPI / EC: Use ec_no_wakeup on Thinkpad X1 Carbon 6th
    - netfilter: ipv6: nf_defrag: reduce struct net memory waste
    - netfilter: nf_ct_helper: Fix possible panic after
      nf_conntrack_helper_unregister
    - selftests: pstore: return Kselftest Skip code for skipped tests
    - selftests: static_keys: return Kselftest Skip code for skipped tests
    - selftests: sysctl: return Kselftest Skip code for skipped tests
    - selftests: zram: return Kselftest Skip code for skipped tests
    - selftests: vm: return Kselftest Skip code for skipped tests
    - selftests: sync: add config fragment for testing sync framework
    - ARM: dts: NSP: Fix i2c controller interrupt type
    - ARM: dts: NSP: Fix PCIe controllers interrupt types
    - ARM: dts: BCM5301x: Fix i2c controller interrupt type
    - ARM: dts: Cygnus: Fix I2C controller interrupt type
    - ARM: dts: Cygnus: Fix PCIe controller interrupt type
    - arm64: dts: specify 1.8V EMMC capabilities for bcm958742k
    - arm64: dts: specify 1.8V EMMC capabilities for bcm958742t
    - arm64: dts: ns2: Fix I2C controller interrupt type
    - arm64: dts: ns2: Fix PCIe controller interrupt type
    - arm64: dts: Stingray: Fix I2C controller interrupt type
    - drivers/perf: xgene_pmu: Fix IOB SLOW PMU parser error
    - drm: mali-dp: Enable Global SE interrupts mask for DP500
    - drm/arm/malidp: Preserve LAYER_FORMAT contents when setting format
    - IB/rxe: Fix missing completion for mem_reg work requests
    - usb: dwc2: alloc dma aligned buffer for isoc split in
    - usb: dwc2: fix isoc split in transfer with no data
    - usb: gadget: composite: fix delayed_status race condition when set_interface
    - usb: gadget: dwc2: fix memory leak in gadget_init()
    - dwc2: gadget: Fix ISOC IN DDMA PID bitfield value calculation
    - xen: add error handling for xenbus_printf
    - pNFS: Always free the session slot on error in
      nfs4_layoutget_handle_exception
    - scsi: xen-scsifront: add error handling for xenbus_printf
    - xen/scsiback: add error handling for xenbus_printf
    - arm64: dma-mapping: clear buffers allocated with FORCE_CONTIGUOUS flag
    - arm64: make secondary_start_kernel() notrace
    - qed: Fix possible memory leak in Rx error path handling.
    - qed: Add sanity check for SIMD fastpath handler.
    - qed: Do not advertise DCBX_LLD_MANAGED capability.
    - enic: initialize enic->rfs_h.lock in enic_probe
    - net: hamradio: use eth_broadcast_addr
    - net: propagate dev_get_valid_name return code
    - net: stmmac: socfpga: add additional ocp reset line for Stratix10
    - nvmet: reset keep alive timer in controller enable
    - block: sed-opal: Fix a couple off by one bugs
    - ARC: Enable machine_desc->init_per_cpu for !CONFIG_SMP
    - nbd: Add the nbd NBD_DISCONNECT_ON_CLOSE config flag.
    - net: davinci_emac: match the mdio device against its compatible if possible
    - sctp: fix erroneous inc of snmp SctpFragUsrMsgs
    - KVM: arm/arm64: Drop resource size check for GICV window
    - drm/bridge/sii8620: fix display of packed pixel modes in MHL2
    - locking/lockdep: Do not record IRQ state within lockdep code
    - selftests: bpf: notification about privilege required to run test_kmod.sh
      testing script
    - mtd: dataflash: Use ULL suffix for 64-bit constants
    - x86/microcode/intel: Fix memleak in save_microcode_patch()
    - ipv6: mcast: fix unsolicited report interval after receiving querys
    - Smack: Mark inode instant in smack_task_to_inode
    - arm64: dts: msm8916: fix Coresight ETF graph connections
    - batman-adv: Fix bat_ogm_iv best gw refcnt after netlink dump
    - batman-adv: Fix bat_v best gw refcnt after netlink dump
    - batman-adv: Avoid storing non-TT-sync flags on singular entries too
    - batman-adv: Fix multicast TT issues with bogus ROAM flags
    - cxgb4: when disabling dcb set txq dcb priority to 0
    - iio: pressure: bmp280: fix relative humidity unit
    - brcmfmac: stop watchdog before detach and free everything
    - ARM: dts: am437x: make edt-ft5x06 a wakeup source
    - ALSA: seq: Fix UBSAN warning at SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT ioctl
    - usb: xhci: remove the code build warning
    - usb: xhci: increase CRS timeout value
    - NFC: pn533: Fix wrong GFP flag usage
    - typec: tcpm: Fix a msecs vs jiffies bug
    - kconfig: fix line numbers for if-entries in menu tree
    - perf record: Support s390 random socket_id assignment
    - perf test session topology: Fix test on s390
    - perf report powerpc: Fix crash if callchain is empty
    - perf tools: Fix a clang 7.0 compilation error
    - perf bench: Fix numa report output code
    - ARM: davinci: board-da850-evm: fix WP pin polarity for MMC/SD
    - netfilter: nf_log: fix uninit read in nf_log_proc_dostring
    - net/mlx5: E-Switch, Disallow vlan/spoofcheck setup if not being esw manager
    - nfp: cast sizeof() to int when comparing with error code
    - selftests/x86/sigreturn/64: Fix spurious failures on AMD CPUs
    - selftests/x86/sigreturn: Do minor cleanups
    - ARM: dts: da850: Fix interrups property for gpio
    - ARM64: dts: meson-gxl: fix Mali GPU compatible string
    - dmaengine: pl330: report BURST residue granularity
    - dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate()
    - ath10k: update the phymode along with bandwidth change request
    - md/raid10: fix that replacement cannot complete recovery after reassemble
    - dev-dax: check_vma: ratelimit dev_info-s
    - nl80211: relax ht operation checks for mesh
    - nl80211: check nla_parse_nested() return values
    - drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes
    - drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes
    - drm/exynos: decon5433: Fix WINCONx reset value
    - drbd: Fix drbd_request_prepare() discard handling
    - bpf, s390: fix potential memleak when later bpf_jit_prog fails
    - PCI: xilinx: Add missing of_node_put()
    - PCI: xilinx-nwl: Add missing of_node_put()
    - PCI: faraday: Add missing of_node_put()
    - bnx2x: Fix receiving tx-timeout in error or recovery state.
    - fsl/fman: fix parser reporting bad checksum on short frames
    - dpaa_eth: DPAA SGT needs to be 256B
    - acpi/nfit: fix cmd_rc for acpi_nfit_ctl to always return a value
    - openrisc: entry: Fix delay slot exception detection
    - m68k: fix "bad page state" oops on ColdFire boot
    - objtool: Support GCC 8 '-fnoreorder-functions'
    - ipvlan: call dev_change_flags when ipvlan mode is reset
    - drm/amdgpu: fix swapped emit_ib_size in vce3
    - x86/mm/32: Initialize the CR4 shadow before __flush_tlb_all()
    - HID: wacom: Correct touch maximum XY of 2nd-gen Intuos
    - ARM: imx_v4_v5_defconfig: Select ULPI support
    - bpf: hash map: decrement counter on error
    - tracing: Use __printf markup to silence compiler
    - kasan: fix shadow_size calculation error in kasan_module_alloc
    - smsc75xx: Add workaround for gigabit link up hardware errata.
    - drm/bridge/sii8620: Fix display of packed pixel modes
    - samples/bpf: add missing <linux/if_vlan.h>
    - samples/bpf: Check the result of system()
    - samples/bpf: Check the error of write() and read()
    - ieee802154: 6lowpan: set IFLA_LINK
    - netfilter: x_tables: set module owner for icmp(6) matches
    - ipv6: make ipv6_renew_options() interrupt/kernel safe
    - net: qrtr: Broadcast messages only from control port
    - sh_eth: fix invalid context bug while calling auto-negotiation by ethtool
    - sh_eth: fix invalid context bug while changing link options by ethtool
    - ravb: fix invalid context bug while calling auto-negotiation by ethtool
    - ravb: fix invalid context bug while changing link options by ethtool
    - ARM: pxa: irq: fix handling of ICMR registers in suspend/resume
    - net/sched: act_tunnel_key: fix NULL dereference when 'goto chain' is used
    - nvmem: Don't let a NULL cell_id for nvmem_cell_get() crash us
    - ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem
    - ieee802154: at86rf230: use __func__ macro for debug messages
    - ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem
    - gpu: host1x: Check whether size of unpin isn't 0
    - drm/tegra: Fix comparison operator for buffer size
    - drm/armada: fix colorkey mode property
    - drm/armada: fix irq handling
    - netfilter: nft_compat: explicitly reject ERROR and standard target
    - netfilter: nf_conntrack: Fix possible possible crash on module loading.
    - ARC: Improve cmpxchg syscall implementation
    - bnxt_en: Fix inconsistent BNXT_FLAG_AGG_RINGS logic.
    - bnxt_en: Always set output parameters in bnxt_get_max_rings().
    - bnxt_en: Fix for system hang if request_irq fails
    - scsi: qedf: Send the driver state to MFW
    - scsi: qedi: Send driver state to MFW
    - perf llvm-utils: Remove bashism from kernel include fetch script
    - perf tools: Fix compilation errors on gcc8
    - perf script python: Fix dict reference counting
    - nfit: fix unchecked dereference in acpi_nfit_ctl
    - RDMA/mlx5: Fix memory leak in mlx5_ib_create_srq() error path
    - ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot
    - ARM: DRA7/OMAP5: Enable ACTLR[0] (Enable invalidates of BTB) for secondary
      cores
    - ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller
    - ixgbe: Be more careful when modifying MAC filters
    - tools: build: Use HOSTLDFLAGS with fixdep
    - kbuild: suppress warnings from 'getconf LFS_*'
    - packet: reset network header if packet shorter than ll reserved space
    - qlogic: check kstrtoul() for errors
    - tcp: remove DELAYED ACK events in DCTCP
    - pinctrl: ingenic: Fix inverted direction for < JZ4770
    - pinctrl: nsp: off by ones in nsp_pinmux_enable()
    - pinctrl: nsp: Fix potential NULL dereference
    - drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply()
    - net/ethernet/freescale/fman: fix cross-build error
    - ibmvnic: Fix error recovery on login failure
    - btrfs: scrub: Don't use inode page cache in scrub_handle_errored_block()
    - octeon_mgmt: Fix MIX registers configuration on MTU setup
    - net: usb: rtl8150: demote allmulti message to dev_dbg()
    - PCI: OF: Fix I/O space page leak
    - PCI: versatile: Fix I/O space page leak
    - net: qca_spi: Avoid packet drop during initial sync
    - net: qca_spi: Make sure the QCA7000 reset is triggered
    - net: qca_spi: Fix log level if probe fails
    - tcp: identify cryptic messages as TCP seq # bugs
    - soc: imx: gpc: restrict register range for regmap access
    - ACPI / EC: Use ec_no_wakeup on more Thinkpad X1 Carbon 6th systems
    - ARM: dts: imx6: RDU2: fix irq type for mv88e6xxx switch
    - nvme: fix handling of metadata_len for NVME_IOCTL_IO_CMD
    - parisc: Remove ordered stores from syscall.S
    - xfrm_user: prevent leaking 2 bytes of kernel memory
    - netfilter: conntrack: dccp: treat SYNC/SYNCACK as invalid if no prior state
    - packet: refine ring v3 block size test to hold one frame
    - net/smc: no shutdown in state SMC_LISTEN
    - parisc: Remove unnecessary barriers from spinlock.h
    - PCI: hotplug: Don't leak pci_slot on registration failure
    - PCI: Skip MPS logic for Virtual Functions (VFs)
    - PCI: pciehp: Fix use-after-free on unplug
    - PCI: pciehp: Fix unprotected list iteration in IRQ handler
    - i2c: core: ACPI: Properly set status byte to 0 for multi-byte writes
    - i2c: imx: Fix race condition in dma read
    - reiserfs: fix broken xattr handling (heap corruption, bad retval)
    - updateconfigs for v4.14.67
    - IB/rxe: avoid double kfree skb
    - RDMA/qedr: Fix NULL pointer dereference when running over iWARP without
      RDMA-CM
    - smb3: increase initial number of credits requested to allow write
    - hwmon: (dell-smm) Disable fan support for Dell XPS13 9333
    - ARM: dts: HR2: Fix interrupt types for i2c and PCIe
    - drm/arm/malidp: Ensure that the crtcs are shutdown before removing any
      encoder/connector
    - drm/mali-dp: Rectify the width and height passed to rotmem_required()
    - dmaengine: ti: omap-dma: Fix OMAP1510 incorrect residue_granularity
    - nvme-rdma: fix possible double free condition when failing to create a
      controller
    - nvme-rdma: Fix command completion race at error recovery
    - nvme-pci: move nvme_kill_queues to nvme_remove_dead_ctrl
    - clk: sunxi-ng: replace lib-y with obj-y
    - batman-adv: Fix debugfs path for renamed hardif
    - batman-adv: Fix debugfs path for renamed softif
    - nfp: bpf: don't stop offload if replace failed
    - perf tests: Add event parsing error handling to parse events test
    - perf script: Fix crash because of missing evsel->priv
    - perf tools: Fix crash caused by accessing feat_ops[HEADER_LAST_FEATURE]
    - s390/qeth: consistently re-enable device features
    - sched/fair: Fix bandwidth timer clock drift condition
    - r8169: fix mac address change
    - RISC-V: Don't include irq-riscv-intc.h
    - RISC-V: Fix PTRACE_SETREGSET bug.
    - net: qrtr: Reset the node and port ID of broadcast messages
    - cxgb4: assume flash part size to be 4MB, if it can't be determined
    - bpf: fix sk_skb programs without skb->dev assigned
    - ipfrag: really prevent allocation on netns exit
    - gpu: host1x: Skip IOMMU initialization if firewall is enabled
    - ARC: [plat-hsdk]: Configure APB GPIO controller on ARC HSDK platform
    - bnxt_en: Do not modify max IRQ count after RDMA driver requests/frees IRQs.
    - scsi: hpsa: correct enclosure sas address
    - perf tools: Use python-config --includes rather than --cflags
    - sfp: ensure we clean up properly on bus registration failure
    - amd/dc/dce100: On dce100, set clocks to 0 on suspend
    - tools: build: Fixup host c flags
    - kvm: nVMX: Restore exit qual for VM-entry failure due to MSR loading
    - ibmvnic: Revise RX/TX queue error messages
    - net/smc: reset recv timeout after clc handshake
    - PCI: xgene: Fix I/O space page leak
    - PCI: designware: Fix I/O space page leak
    - PCI: aardvark: Fix I/O space page leak
    - PCI: faraday: Fix I/O space page leak
    - PCI: mediatek: Fix I/O space page leak
    - PCI: v3-semi: Fix I/O space page leak
    - platform/x86: dell-laptop: Fix backlight detection
    - mm: use helper functions for allocating and freeing vm_area structs
    - mm: make vm_area_dup() actually copy the old vma data
    - mm: make vm_area_alloc() initialize core fields
    - PCI / ACPI / PM: Resume all bridges on suspend-to-RAM

-- Stefan Bader <stefan.bader@canonical.com>  Tue, 06 Aug 2019 12:45:37 +0200

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Revision history for this message

Guillaume Penin (guillaume-penin) wrote on 2019-11-04:

#13

Download full text (3.8 KiB)

Hi,

Unfortunately, the patch does not seem to solve the problem. Running Ubuntu 18.04 LTS with kernel 4.15.0-64, the crash still occurs with the same signature :

Oct 14 08:00:01 uzorldsp01 kernel: [109699.415372] BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
Oct 14 08:00:01 uzorldsp01 kernel: [109699.420042] IP: smb2_push_mandatory_locks+0x10d/0x3c0 [cifs]
Oct 14 08:00:01 uzorldsp01 kernel: [109699.420042] PGD 0 P4D 0
Oct 14 08:00:01 uzorldsp01 kernel: [109699.420042] Oops: 0000 [#1] SMP PTI
Oct 14 08:00:01 uzorldsp01 kernel: [109699.420042] Modules linked in: btrfs zstd_compress xor raid6_pq ufs qnx4 minix ntfs msdos jfs xfs dm_snapshot dm_bufio cmac arc4 md4 nls_utf8 cifs ccm fscache nf_conntr
ack_ipv4 nf_defrag_ipv4 xt_owner xt_conntrack nf_conntrack libcrc32c iptable_security sb_edac kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd
glue_helper cryptd intel_rapl_perf input_leds serio_raw hyperv_fb hv_balloon joydev mac_hid sch_fq_codel nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables x_tables autofs4 hid_generic hid_hyperv hv_util
s hv_storvsc ptp hyperv_keyboard hv_netvsc hid scsi_transport_fc pps_core psmouse i2c_piix4 pata_acpi hv_vmbus floppy
Oct 14 08:00:01 uzorldsp01 kernel: [109699.472261] CPU: 0 PID: 50766 Comm: kworker/0:0 Not tainted 4.15.0-64-generic #73-Ubuntu
Oct 14 08:00:01 uzorldsp01 kernel: [109699.472261] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090007 06/02/2017
Oct 14 08:00:01 uzorldsp01 kernel: [109699.472261] Workqueue: cifsoplockd cifs_oplock_break [cifs]
Oct 14 08:00:01 uzorldsp01 kernel: [109699.472261] RIP: 0010:smb2_push_mandatory_locks+0x10d/0x3c0 [cifs]
Oct 14 08:00:01 uzorldsp01 kernel: [109699.472261] RSP: 0000:ffffab360da2bdd8 EFLAGS: 00010246
Oct 14 08:00:01 uzorldsp01 kernel: [109699.472261] RAX: 0000000000000000 RBX: ffff9887646617d8 RCX: 0000000000000000
Oct 14 08:00:01 uzorldsp01 kernel: [109699.472261] RDX: 0000000000001000 RSI: 0000000000000000 RDI: ffff98876d006b80
Oct 14 08:00:02 uzorldsp01 kernel: [109699.472261] RBP: ffffab360da2be28 R08: ffff988568596000 R09: ffff98876d006b80
Oct 14 08:00:02 uzorldsp01 kernel: [109699.472261] R10: ffffab360da2bd98 R11: ffff988568596000 R12: 00000000000000aa
Oct 14 08:00:02 uzorldsp01 kernel: [109699.472261] R13: ffff9887646617d8 R14: ffff9887646617c0 R15: ffff988764d7f200
Oct 14 08:00:02 uzorldsp01 kernel: [109699.472261] FS: 0000000000000000(0000) GS:ffff98876d600000(0000) knlGS:0000000000000000
Oct 14 08:00:02 uzorldsp01 kernel: [109699.472261] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Oct 14 08:00:02 uzorldsp01 kernel: [109699.472261] CR2: 0000000000000038 CR3: 000000046d80a003 CR4: 00000000001606f0
Oct 14 08:00:02 uzorldsp01 kernel: [109699.472261] Call Trace:
Oct 14 08:00:02 uzorldsp01 kernel: [109699.472261] cifs_oplock_break+0x131/0x410 [cifs]
Oct 14 08:00:02 uzorldsp01 kernel: [109699.472261] process_one_work+0x1de/0x420
Oct 14 08:00:02 uzorldsp01 kernel: [109699.472261] worker_thread+0x32/0x410
Oct 14 08:00:02 uzorldsp01 kernel: [109699.472261] kthread+0x121/0x140
Oct 14 08:00:02 uzorldsp01 kernel: [109699.472...

Other bug subscribers

Bug attachments

dmesg from /var/crash Edit

Add attachment

Remote bug watches

debbugs #830771
[done important] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

kernel panic using CIFS share in smb2_push_mandatory_locks()

Bug Description

CVE References

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
linux package