ldisc crash on reopened tty

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1791758

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Kernel core dump analysis:

crash> set
PID: 23697
COMMAND: "kworker/u82:0"
TASK: 88370bcfaa80 [THREAD_INFO: 883708104000]
CPU: 33
STATE: TASK_RUNNING (PANIC)

crash> bt
PID: 23697 TASK: 88370bcfaa80 CPU: 33 COMMAND: "kworker/u82:0"
[...]
#3 [883708107b78] __bad_area_nosemaphore at 8106a889
#4 [883708107bc0] bad_area_nosemaphore at 8106a9a3
#5 [883708107bd0] __do_page_fault at 8106aff2
#6 [883708107c30] trace_do_page_fault at 8106b3f7
#7 [883708107c60] do_async_page_fault at 81063e19
#8 [883708107c70] async_page_fault at 81822958
#9 [883708107cf8] n_tty_receive_buf_common at 814e676a
#10 [883708107dc8] n_tty_receive_buf2 at 814e71f4
#11 [883708107dd8] flush_to_ldisc at 814e9be5
#12 [883708107e20] process_one_work at 8109b0b6
#13 [883708107e68] worker_thread at 8109ba9a
[...]

crash> bt -f
[...]
#9 [883708107cf8] n_tty_receive_buf_common at 814e676a
[...]
883708107d80: 881bc78e4c20 0000000000000000
883708107d90: 0000000000000014 881bc78e4c00
883708107da0: 881bc78e7800 881cba173d80
883708107db0: 883706cae828 883706cae808
883708107dc0: 883708107dd0 814e71f4
#10 [883708107dc8] n_tty_receive_buf2 at 814e71f4
[...]

From the stack frame, we can infer that "struct tty_struct" is at
0x881bc78e7800 :

crash> tty_struct -x 881bc78e7800 | grep name
name = "pts3\000...

Also, from the stack frame we see a value 0x14 there, which represents
the count value in the function:

static int n_tty_receive_buf2(struct tty_struct *tty, const unsigned char *cp,
char *fp, int count)
{
return n_tty_receive_buf_common(tty, cp, fp, count, 1);
}

Since 0x14 mean 20 in decimal, I'd expect a 20 characters string,
which turns to be true ( char *cp is at 881bc78e4c20):

crash> rd -a 881bc78e4c20
881bc78e4c20: source /root/openrc

Something is issuing the command "source /root/openrc" to PTS/3.

Checking the "files" command, we get:

crash> foreach files -R dev/pts/3
PID: 2288 TASK: 883786e2ea40 CPU: 29 COMMAND: "sshd"
ROOT: / CWD: /
FD FILE DENTRY INODE TYPE PATH
9 8839b4ce9a00 881a0ba4da40 8838f71fcf88 CHR /dev/pts/3

And checking ssh processes:

crash> ps|grep ssh
2236 7180 18 8836f9dd2a80 IN 0.0 149480 8636 sshd
2275 2274 37 883706e01540 IN 0.0 37836 4940 ssh
2288 2236 29 883786e2ea40 UN 0.0 149480 1372 sshd
7180 1 17 881cb99b6a40 IN 0.0 57204 5240 sshd
14319 7180 2 8836dfd91540 IN 0.0 149480 8460 sshd

All except 2288 are scheduled after a select() syscall.
PID 2288 looks interesting:

crash> bt 2288
PID: 2288 TASK: 883786e2ea40 CPU: 29 COMMAND: "sshd"
[...]
#4 [88373e0bfb48] down_write at 8181e42d
#5 [88373e0bfb60] tty_unthrottle at 814e75be
#6 [88373e0bfb80] n_tty_open at 814e4fb9
#7 [88373e0bfba0] tty_ldisc_open at 814e8bd5
#8 [88373e0bfbc0] tty_ldisc_reinit at 814e9112
#9 [88373e0bfbf0] tty_reopen at 814df50a
#10 [88373e0bfc08] tty_open at 814e318e
#11 [88373e0bfc70] chrdev_open at 8120d5c4
#12 [88373e0bfcb0] do_dentry_open at 81206a6a
#13 [88373e0bfcf8] vfs_open at 81207b35
#14 [88373e0bfd20] path_openat at 81215fed
[...]

This is the one that seems to be racing with the flush_work from CPU 33
that led to the crash.
Since we have the tty_reopen() in the call trace, it's clear it's re-ope...

Quick summary about this issue upstream:

The first thread I found about this dates back to 2016, an user report followed by some approaches from Peter: https://lkml.org/lkml/2016/5/16/452

After that, seems the thread died, even with a functional patch, it wasn't "upstreamed". After about an year, another instance of the issue was observed by the powerpc community: https://lore.kernel.org/patchwork/patch/777639

The approach of powerpc guys wasn't the ideal, so Peter was asked to merge a new version of his patch, which ended-up being the candidate we've already considered in this LP.
Despite merged, it was reverted after the following discussion: https://lkml.org/lkml/2017/3/20/95

Finally, a new approach seems to be near acceptance, from this year; it's in version 5, and I expect to see one more respin before the merge: https://marc.info/?l=linux-kernel&m=153722838802856

The patchset contains 7 patches, but the number #3 is the one that aims to fix our issue - I've commented there today in order to request some status, since it's just waiting a "cosmetic" change to get merged: https://marc.info/?l=linux-kernel&m=153842049510424

Worth to notice a similar approach than this last one from Dmitry was accepted to fix tty_init_dev() - that may not resolve the problem in this LP, but it's a fix and necessary as a dependency of Dmitry's patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b027e2298bd5

So, in summary, for this LP we need a patch that is not upstream yet (although it's
near) plus a recent patch from January 2018.

There's news - a V6 patchset was proposed recently, that address this issue
and there are good chances to get merged: https://marc.info/?l=linux-kernel&m=154103190111795
("[PATCHv6 0/7] tty: Hold write ldisc sem in tty_reopen()").

Will update here with SRU request when it gets merged.

Cheers,

Guilherme

SRU request was submitted to kernel team.

* For Xenial and trusty-HWE (kernel 4.4): https://lists.ubuntu.com/archives/kernel-team/2019-January/097556.html
* For Bionic (kernel 4.15) and Cosmic (kernel 4.18): https://lists.ubuntu.com/archives/kernel-team/2019-January/097562.html

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-cosmic' to 'verification-done-cosmic'. If the problem still exists, change the tag 'verification-needed-cosmic' to 'verification-failed-cosmic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

I was able to verify/test in both Bionic and Cosmic proposed kernels, respectively: 4.15.0-44.47 and 4.18.0-14.15.

I don't have a reproducer, but to exercise the paths modified by the patches, the following approach was taken:

(a) Open ssh connection to the host/test machine, and run the following there:

DIR="/sys/kernel/debug/tracing"
echo tty_reopen > $DIR/set_ftrace_filter
echo function > $DIR/current_tracer

echo 'p:tty_name n_tty_receive_buf2 tty=+0x170(%di):string' > $DIR/kprobe_events
echo 1 > $DIR/events/kprobes/tty_name/enable

echo > trace

Then, start running the following loop:
$ while true; do pkill -9 -t pts/1; sleep 1; done

In this point, we don't have a pts/1 there, but keep it running.

(b) In another terminal from the ssh client, run:
$ while true; do ssh <host/test machine ip>; done

Notice it's interesting to have the following in the .ssh/config of the ssh client machine:
Host <test/host machine alias>
        ControlMaster auto
        ControlPath ~/.ssh/%r@%h-%p
        ControlPersist 600
in order to keep only one ssh connection opened.

(c) While the SSH in pts/1 is opened and killed automatically (and reopened by the loop), user must keep typing things in the keyboard in that terminal to force the tty flush.

(d) After running that for some seconds, one can verify in the trace output that the functions modified by the main patch in the SRUed series are there:

$ grep "pts1\|reopen" $DIR/trace|cut -f2- -d]|cut -f2- -d:|sort |uniq -c
     66 tty_name: (n_tty_receive_buf2+0x0/0x20) tty="pts1"
     60 tty_reopen <-tty_open

Also, the pattern showed in the trace file shows that the functions are called intermixed:
[...]
kworker/u56:1-3602 [000] .... 881.779225: tty_name: (n_tty_receive_buf2+0x0/0x20) tty="pts1"
kworker/u56:1-3602 [000] .... 881.861901: tty_name: (n_tty_receive_buf2+0x0/0x20) tty="pts1"
         sshd-3403 [023] .... 882.249355: tty_reopen <-tty_open
         bash-4052 [008] .... 882.250432: tty_reopen <-tty_open
         bash-4052 [008] .... 882.250441: tty_reopen <-tty_open
         bash-4052 [008] .... 882.251935: tty_reopen <-tty_open
kworker/u56:1-3602 [000] .... 882.440866: tty_name: (n_tty_receive_buf2+0x0/0x20) tty="pts1"
kworker/u56:1-3602 [000] .... 882.482994: tty_name: (n_tty_receive_buf2+0x0/0x20) tty="pts1"
[...]

Worth to notice that I've ran the test in 4.18.0-13 before, and I've noticed a small delay in the machine while running the test after updating to the -proposed version, probably due to the lock mechanism added.

We're still pending the Xenial verification; I'm waiting for the trusty-HWE kernel to be released in -proposed, since we have a user capable of reproducing the crash in that version, so I'm planning to ask them to try in the trusty-HWE package.

This bug was fixed in the package linux - 4.15.0-44.47

---------------
linux (4.15.0-44.47) bionic; urgency=medium

  * linux: 4.15.0-44.47 -proposed tracker (LP: #1811419)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * CPU hard lockup with rigorous writes to NVMe drive (LP: #1810998)
    - blk-wbt: pass in enum wbt_flags to get_rq_wait()
    - blk-wbt: Avoid lock contention and thundering herd issue in wbt_wait
    - blk-wbt: move disable check into get_limit()
    - blk-wbt: use wq_has_sleeper() for wq active check
    - blk-wbt: fix has-sleeper queueing check
    - blk-wbt: abstract out end IO completion handler
    - blk-wbt: improve waking of tasks

  * To reduce the Realtek USB cardreader power consumption (LP: #1811337)
    - mmc: sdhci: Disable 1.8v modes (HS200/HS400/UHS) if controller can't support
      1.8v
    - mmc: core: Introduce MMC_CAP_SYNC_RUNTIME_PM
    - mmc: rtsx_usb_sdmmc: Don't runtime resume the device while changing led
    - mmc: rtsx_usb: Use MMC_CAP2_NO_SDIO
    - mmc: rtsx_usb: Enable MMC_CAP_ERASE to allow erase/discard/trim requests
    - mmc: rtsx_usb_sdmmc: Re-work runtime PM support
    - mmc: rtsx_usb_sdmmc: Re-work card detection/removal support
    - memstick: rtsx_usb_ms: Add missing pm_runtime_disable() in probe function
    - misc: rtsx_usb: Use USB remote wakeup signaling for card insertion detection
    - memstick: Prevent memstick host from getting runtime suspended during card
      detection
    - memstick: rtsx_usb_ms: Use ms_dev() helper
    - memstick: rtsx_usb_ms: Support runtime power management

  * Support non-strict iommu mode on arm64 (LP: #1806488)
    - iommu/io-pgtable-arm: Fix race handling in split_blk_unmap()
    - iommu/arm-smmu-v3: Implement flush_iotlb_all hook
    - iommu/dma: Add support for non-strict mode
    - iommu: Add "iommu.strict" command line option
    - iommu/io-pgtable-arm: Add support for non-strict mode
    - iommu/arm-smmu-v3: Add support for non-strict mode
    - iommu/io-pgtable-arm-v7s: Add support for non-strict mode
    - iommu/arm-smmu: Support non-strict mode

  * ELAN900C:00 04F3:2844 touchscreen doesn't work (LP: #1811335)
    - pinctrl: cannonlake: Fix community ordering for H variant
    - pinctrl: cannonlake: Fix HOSTSW_OWN register offset of H variant

  * Add Cavium ThunderX2 SoC UNCORE PMU driver (LP: #1811200)
    - perf: Export perf_event_update_userpage
    - Documentation: perf: Add documentation for ThunderX2 PMU uncore driver
    - drivers/perf: Add Cavium ThunderX2 SoC UNCORE PMU driver
    - [Config] New config CONFIG_THUNDERX2_PMU=m

  * Update hisilicon SoC-specific drivers (LP: #1810457)
    - SAUCE: Revert "net: hns3: Updates RX packet info fetch in case of multi BD"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: separate roce from nic when
      resetting"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: Use roce handle when calling roce
      callback function"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: Add calling roce callback
      function when link status change"
    - Revert "UBUNTU: SAUCE: {topost} net: hns3: optimize the process of notifying
      roce client"
    - Revert "UBUNTU: S...

There was an userspace regression reported after the inclusion of these backports;
it's being handled in https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1813873.

The fix patch was released upstream and the SRU request was sent to kernel-team
ML (thanks smb!): https://lists.ubuntu.com/archives/kernel-team/2019-January/098186.html

This bug was fixed in the package linux - 4.4.0-142.168

---------------
linux (4.4.0-142.168) xenial; urgency=medium

  * linux: 4.4.0-142.168 -proposed tracker (LP: #1811846)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * iptables connlimit allows more connections than the limit when using
    multiple CPUs (LP: #1811094)
    - netfilter: xt_connlimit: don't store address in the conn nodes
    - SAUCE: netfilter: xt_connlimit: remove the 'addr' parameter in add_hlist()
    - netfilter: nf_conncount: expose connection list interface
    - netfilter: nf_conncount: Fix garbage collection with zones
    - netfilter: nf_conncount: fix garbage collection confirm race
    - netfilter: nf_conncount: don't skip eviction when age is negative

  * CVE-2017-5715
    - SAUCE: x86/speculation: Cleanup IBPB runtime control handling
    - SAUCE: x86/speculation: Cleanup IBRS runtime control handling
    - SAUCE: x86/speculation: Use x86_spec_ctrl_base in entry/exit code
    - SAUCE: x86/speculation: Move RSB_CTXSW hunk

  * Xenial update: 4.4.167 upstream stable release (LP: #1811077)
    - media: em28xx: Fix use-after-free when disconnecting
    - Revert "wlcore: Add missing PM call for
      wlcore_cmd_wait_for_event_or_timeout()"
    - rapidio/rionet: do not free skb before reading its length
    - s390/qeth: fix length check in SNMP processing
    - usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2
    - kvm: mmu: Fix race in emulated page table writes
    - xtensa: enable coprocessors that are being flushed
    - xtensa: fix coprocessor context offset definitions
    - Btrfs: ensure path name is null terminated at btrfs_control_ioctl
    - ALSA: wss: Fix invalid snd_free_pages() at error path
    - ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
    - ALSA: control: Fix race between adding and removing a user element
    - ALSA: sparc: Fix invalid snd_free_pages() at error path
    - ext2: fix potential use after free
    - dmaengine: at_hdmac: fix memory leak in at_dma_xlate()
    - dmaengine: at_hdmac: fix module unloading
    - btrfs: release metadata before running delayed refs
    - USB: usb-storage: Add new IDs to ums-realtek
    - usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series
    - misc: mic/scif: fix copy-paste error in scif_create_remote_lookup
    - Kbuild: suppress packed-not-aligned warning for default setting only
    - exec: avoid gcc-8 warning for get_task_comm
    - disable stringop truncation warnings for now
    - kobject: Replace strncpy with memcpy
    - unifdef: use memcpy instead of strncpy
    - kernfs: Replace strncpy with memcpy
    - ip_tunnel: Fix name string concatenate in __ip_tunnel_create()
    - drm: gma500: fix logic error
    - scsi: bfa: convert to strlcpy/strlcat
    - staging: rts5208: fix gcc-8 logic error warning
    - kdb: use memmove instead of overlapping memcpy
    - iser: set sector for ambiguous mr status errors
    - uprobes: Fix handle_swbp() vs. unregister() + register() race once more
    - MIPS: ralink: Fix mt7620 nd_sd pinmux
    - mips: fix mips_get_syscall_arg o32 check
    - drm/ast: Fix incorrect free on ioregs
 ...

This bug was fixed in the package linux - 4.18.0-14.15

---------------
linux (4.18.0-14.15) cosmic; urgency=medium

  * linux: 4.18.0-14.15 -proposed tracker (LP: #1811406)

  * CPU hard lockup with rigorous writes to NVMe drive (LP: #1810998)
    - blk-wbt: Avoid lock contention and thundering herd issue in wbt_wait
    - blk-wbt: move disable check into get_limit()
    - blk-wbt: use wq_has_sleeper() for wq active check
    - blk-wbt: fix has-sleeper queueing check
    - blk-wbt: abstract out end IO completion handler
    - blk-wbt: improve waking of tasks

  * To reduce the Realtek USB cardreader power consumption (LP: #1811337)
    - mmc: core: Introduce MMC_CAP_SYNC_RUNTIME_PM
    - mmc: rtsx_usb_sdmmc: Don't runtime resume the device while changing led
    - mmc: rtsx_usb_sdmmc: Re-work runtime PM support
    - mmc: rtsx_usb_sdmmc: Re-work card detection/removal support
    - memstick: rtsx_usb_ms: Add missing pm_runtime_disable() in probe function
    - misc: rtsx_usb: Use USB remote wakeup signaling for card insertion detection
    - memstick: Prevent memstick host from getting runtime suspended during card
      detection
    - memstick: rtsx_usb_ms: Use ms_dev() helper
    - memstick: rtsx_usb_ms: Support runtime power management

  * Support non-strict iommu mode on arm64 (LP: #1806488)
    - iommu/io-pgtable-arm: Fix race handling in split_blk_unmap()
    - iommu/arm-smmu-v3: Implement flush_iotlb_all hook
    - iommu/dma: Add support for non-strict mode
    - iommu: Add "iommu.strict" command line option
    - iommu/io-pgtable-arm: Add support for non-strict mode
    - iommu/arm-smmu-v3: Add support for non-strict mode
    - iommu/io-pgtable-arm-v7s: Add support for non-strict mode
    - iommu/arm-smmu: Support non-strict mode

  * [Regression] crashkernel fails on HiSilicon D05 (LP: #1806766)
    - efi: honour memory reservations passed via a linux specific config table
    - efi/arm: libstub: add a root memreserve config table
    - efi: add API to reserve memory persistently across kexec reboot
    - irqchip/gic-v3-its: Change initialization ordering for LPIs
    - irqchip/gic-v3-its: Simplify LPI_PENDBASE_SZ usage
    - irqchip/gic-v3-its: Split property table clearing from allocation
    - irqchip/gic-v3-its: Move pending table allocation to init time
    - irqchip/gic-v3-its: Keep track of property table's PA and VA
    - irqchip/gic-v3-its: Allow use of pre-programmed LPI tables
    - irqchip/gic-v3-its: Use pre-programmed redistributor tables with kdump
      kernels
    - irqchip/gic-v3-its: Check that all RDs have the same property table
    - irqchip/gic-v3-its: Register LPI tables with EFI config table
    - irqchip/gic-v3-its: Allow use of LPI tables in reserved memory
    - arm64: memblock: don't permit memblock resizing until linear mapping is up
    - efi/arm: Defer persistent reservations until after paging_init()
    - efi: Permit calling efi_mem_reserve_persistent() from atomic context
    - efi: Prevent GICv3 WARN() by mapping the memreserve table before first use

  * ELAN900C:00 04F3:2844 touchscreen doesn't work (LP: #1811335)
    - pinctrl: cannonlake: Fix community ordering for H variant
    - pinctrl: c...

This bug was fixed in the package linux - 4.19.0-12.13

---------------
linux (4.19.0-12.13) disco; urgency=medium

  * linux: 4.19.0-12.13 -proposed tracker (LP: #1813664)

  * kernel oops in bcache module (LP: #1793901)
    - SAUCE: bcache: never writeback a discard operation

  * Disco update: 4.19.18 upstream stable release (LP: #1813611)
    - ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address
    - mlxsw: spectrum: Disable lag port TX before removing it
    - mlxsw: spectrum_switchdev: Set PVID correctly during VLAN deletion
    - net: dsa: mv88x6xxx: mv88e6390 errata
    - net, skbuff: do not prefer skb allocation fails early
    - qmi_wwan: add MTU default to qmap network interface
    - ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
    - net: clear skb->tstamp in bridge forwarding path
    - netfilter: ipset: Allow matching on destination MAC address for mac and
      ipmac sets
    - gpio: pl061: Move irq_chip definition inside struct pl061
    - drm/amd/display: Guard against null stream_state in set_crc_source
    - drm/amdkfd: fix interrupt spin lock
    - ixgbe: allow IPsec Tx offload in VEPA mode
    - platform/x86: asus-wmi: Tell the EC the OS will handle the display off
      hotkey
    - e1000e: allow non-monotonic SYSTIM readings
    - usb: typec: tcpm: Do not disconnect link for self powered devices
    - selftests/bpf: enable (uncomment) all tests in test_libbpf.sh
    - of: overlay: add missing of_node_put() after add new node to changeset
    - writeback: don't decrement wb->refcnt if !wb->bdi
    - serial: set suppress_bind_attrs flag only if builtin
    - bpf: Allow narrow loads with offset > 0
    - ALSA: oxfw: add support for APOGEE duet FireWire
    - x86/mce: Fix -Wmissing-prototypes warnings
    - MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
    - crypto: ecc - regularize scalar for scalar multiplication
    - arm64: perf: set suppress_bind_attrs flag to true
    - drm/atomic-helper: Complete fake_commit->flip_done potentially earlier
    - clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table
    - samples: bpf: fix: error handling regarding kprobe_events
    - usb: gadget: udc: renesas_usb3: add a safety connection way for
      forced_b_device
    - fpga: altera-cvp: fix probing for multiple FPGAs on the bus
    - selinux: always allow mounting submounts
    - ASoC: pcm3168a: Don't disable pcm3168a when CONFIG_PM defined
    - scsi: qedi: Check for session online before getting iSCSI TLV data.
    - drm/amdgpu: Reorder uvd ring init before uvd resume
    - rxe: IB_WR_REG_MR does not capture MR's iova field
    - efi/libstub: Disable some warnings for x86{,_64}
    - jffs2: Fix use of uninitialized delayed_work, lockdep breakage
    - clk: imx: make mux parent strings const
    - pstore/ram: Do not treat empty buffers as valid
    - media: uvcvideo: Refactor teardown of uvc on USB disconnect
    - powerpc/xmon: Fix invocation inside lock region
    - powerpc/pseries/cpuidle: Fix preempt warning
    - media: firewire: Fix app_info parameter type in avc_ca{,_app}_info
    - ASoC: use dma_ops of parent device for acp_audio_dma
    - media: ve...

The userspace regression is fixed in latest available kernels for all series:
Xenial (Trusty-HWE): 4.4.0-143
Bionic (Xenial-HWE): 4.15.0-46
Cosmic (Bionic-HWE): 4.18.0-16
Disco (development series): 5.0.0-7.8

Cheers,

Guilherme