<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/include/linux, branch v4.8.13</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>PCI: Export pcie_find_root_port</title>
<updated>2016-12-08T06:16:18+00:00</updated>
<author>
<name>Johannes Thumshirn</name>
<email>jthumshirn@suse.de</email>
</author>
<published>2016-11-02T22:35:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4f4857148b4ae50b2936b0aed991fd18e8c3ba44'/>
<id>4f4857148b4ae50b2936b0aed991fd18e8c3ba44</id>
<content type='text'>
commit e784930bd645e7df78c66e7872fec282b0620075 upstream.

Export pcie_find_root_port() so we can use it outside of PCIe-AER error
injection.

Signed-off-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Signed-off-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit e784930bd645e7df78c66e7872fec282b0620075 upstream.

Export pcie_find_root_port() so we can use it outside of PCIe-AER error
injection.

Signed-off-by: Johannes Thumshirn &lt;jthumshirn@suse.de&gt;
Signed-off-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mm: fix false-positive WARN_ON() in truncate/invalidate for hugetlb</title>
<updated>2016-12-08T06:16:18+00:00</updated>
<author>
<name>Kirill A. Shutemov</name>
<email>kirill.shutemov@linux.intel.com</email>
</author>
<published>2016-11-30T23:54:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5661a69268715cde3489a668251926b314a59173'/>
<id>5661a69268715cde3489a668251926b314a59173</id>
<content type='text'>
commit 5cbc198ae08d84bd416b672ad8bd1222acd0855c upstream.

Hugetlb pages have -&gt;index in size of the huge pages (PMD_SIZE or
PUD_SIZE), not in PAGE_SIZE as other types of pages.  This means we
cannot user page_to_pgoff() to check whether we've got the right page
for the radix-tree index.

Let's introduce page_to_index() which would return radix-tree index for
given page.

We will be able to get rid of this once hugetlb will be switched to
multi-order entries.

Fixes: fc127da085c2 ("truncate: handle file thp")
Link: http://lkml.kernel.org/r/20161123093053.mjbnvn5zwxw5e6lk@black.fi.intel.com
Signed-off-by: Kirill A. Shutemov &lt;kirill.shutemov@linux.intel.com&gt;
Reported-by: Doug Nelson &lt;doug.nelson@intel.com&gt;
Tested-by: Doug Nelson &lt;doug.nelson@intel.com&gt;
Reviewed-by: Naoya Horiguchi &lt;n-horiguchi@ah.jp.nec.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5cbc198ae08d84bd416b672ad8bd1222acd0855c upstream.

Hugetlb pages have -&gt;index in size of the huge pages (PMD_SIZE or
PUD_SIZE), not in PAGE_SIZE as other types of pages.  This means we
cannot user page_to_pgoff() to check whether we've got the right page
for the radix-tree index.

Let's introduce page_to_index() which would return radix-tree index for
given page.

We will be able to get rid of this once hugetlb will be switched to
multi-order entries.

Fixes: fc127da085c2 ("truncate: handle file thp")
Link: http://lkml.kernel.org/r/20161123093053.mjbnvn5zwxw5e6lk@black.fi.intel.com
Signed-off-by: Kirill A. Shutemov &lt;kirill.shutemov@linux.intel.com&gt;
Reported-by: Doug Nelson &lt;doug.nelson@intel.com&gt;
Tested-by: Doug Nelson &lt;doug.nelson@intel.com&gt;
Reviewed-by: Naoya Horiguchi &lt;n-horiguchi@ah.jp.nec.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>kasan: update kasan_global for gcc 7</title>
<updated>2016-12-08T06:16:18+00:00</updated>
<author>
<name>Dmitry Vyukov</name>
<email>dvyukov@google.com</email>
</author>
<published>2016-11-30T23:54:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=48b6b50a2ba5fa74399e9fb0abf3c26982a0048e'/>
<id>48b6b50a2ba5fa74399e9fb0abf3c26982a0048e</id>
<content type='text'>
commit 045d599a286bc01daa3510d59272440a17b23c2e upstream.

kasan_global struct is part of compiler/runtime ABI.  gcc revision
241983 has added a new field to kasan_global struct.  Update kernel
definition of kasan_global struct to include the new field.

Without this patch KASAN is broken with gcc 7.

Link: http://lkml.kernel.org/r/1479219743-28682-1-git-send-email-dvyukov@google.com
Signed-off-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Acked-by: Andrey Ryabinin &lt;aryabinin@virtuozzo.com&gt;
Cc: Alexander Potapenko &lt;glider@google.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 045d599a286bc01daa3510d59272440a17b23c2e upstream.

kasan_global struct is part of compiler/runtime ABI.  gcc revision
241983 has added a new field to kasan_global struct.  Update kernel
definition of kasan_global struct to include the new field.

Without this patch KASAN is broken with gcc 7.

Link: http://lkml.kernel.org/r/1479219743-28682-1-git-send-email-dvyukov@google.com
Signed-off-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Acked-by: Andrey Ryabinin &lt;aryabinin@virtuozzo.com&gt;
Cc: Alexander Potapenko &lt;glider@google.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>iommu/vt-d: Fix PASID table allocation</title>
<updated>2016-12-02T08:10:30+00:00</updated>
<author>
<name>David Woodhouse</name>
<email>dwmw2@infradead.org</email>
</author>
<published>2016-09-12T02:49:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8b23f16343f6e1b7ffc3d4f2cd2239bcb97bfbb3'/>
<id>8b23f16343f6e1b7ffc3d4f2cd2239bcb97bfbb3</id>
<content type='text'>
commit 910170442944e1f8674fd5ddbeeb8ccd1877ea98 upstream.

Somehow I ended up with an off-by-three error in calculating the size of
the PASID and PASID State tables, which triggers allocations failures as
those tables unfortunately have to be physically contiguous.

In fact, even the *correct* maximum size of 8MiB is problematic and is
wont to lead to allocation failures. Since I have extracted a promise
that this *will* be fixed in hardware, I'm happy to limit it on the
current hardware to a maximum of 0x20000 PASIDs, which gives us 1MiB
tables — still not ideal, but better than before.

Reported by Mika Kuoppala &lt;mika.kuoppala@linux.intel.com&gt; and also by
Xunlei Pang &lt;xlpang@redhat.com&gt; who submitted a simpler patch to fix
only the allocation (and not the free) to the "correct" limit... which
was still problematic.

Signed-off-by: David Woodhouse &lt;dwmw2@infradead.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 910170442944e1f8674fd5ddbeeb8ccd1877ea98 upstream.

Somehow I ended up with an off-by-three error in calculating the size of
the PASID and PASID State tables, which triggers allocations failures as
those tables unfortunately have to be physically contiguous.

In fact, even the *correct* maximum size of 8MiB is problematic and is
wont to lead to allocation failures. Since I have extracted a promise
that this *will* be fixed in hardware, I'm happy to limit it on the
current hardware to a maximum of 0x20000 PASIDs, which gives us 1MiB
tables — still not ideal, but better than before.

Reported by Mika Kuoppala &lt;mika.kuoppala@linux.intel.com&gt; and also by
Xunlei Pang &lt;xlpang@redhat.com&gt; who submitted a simpler patch to fix
only the allocation (and not the free) to the "correct" limit... which
was still problematic.

Signed-off-by: David Woodhouse &lt;dwmw2@infradead.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>sunrpc: svc_age_temp_xprts_now should not call setsockopt non-tcp transports</title>
<updated>2016-11-26T08:56:57+00:00</updated>
<author>
<name>Scott Mayhew</name>
<email>smayhew@redhat.com</email>
</author>
<published>2016-11-11T18:16:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ab17baeaea9108fc9ad22955bf8bba8ed363577f'/>
<id>ab17baeaea9108fc9ad22955bf8bba8ed363577f</id>
<content type='text'>
commit ea08e39230e898844d9de5b60cdbb30067cebfe7 upstream.

This fixes the following panic that can occur with NFSoRDMA.

general protection fault: 0000 [#1] SMP
Modules linked in: rpcrdma ib_isert iscsi_target_mod ib_iser libiscsi
scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp
scsi_tgt ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm
mlx5_ib ib_core intel_powerclamp coretemp kvm_intel kvm sg ioatdma
ipmi_devintf ipmi_ssif dcdbas iTCO_wdt iTCO_vendor_support pcspkr
irqbypass sb_edac shpchp dca crc32_pclmul ghash_clmulni_intel edac_core
lpc_ich aesni_intel lrw gf128mul glue_helper ablk_helper mei_me mei
ipmi_si cryptd wmi ipmi_msghandler acpi_pad acpi_power_meter nfsd
auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod
crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper
syscopyarea sysfillrect sysimgblt ahci fb_sys_fops ttm libahci mlx5_core
tg3 crct10dif_pclmul drm crct10dif_common
ptp i2c_core libata crc32c_intel pps_core fjes dm_mirror dm_region_hash
dm_log dm_mod
CPU: 1 PID: 120 Comm: kworker/1:1 Not tainted 3.10.0-514.el7.x86_64 #1
Hardware name: Dell Inc. PowerEdge R320/0KM5PX, BIOS 2.4.2 01/29/2015
Workqueue: events check_lifetime
task: ffff88031f506dd0 ti: ffff88031f584000 task.ti: ffff88031f584000
RIP: 0010:[&lt;ffffffff8168d847&gt;]  [&lt;ffffffff8168d847&gt;]
_raw_spin_lock_bh+0x17/0x50
RSP: 0018:ffff88031f587ba8  EFLAGS: 00010206
RAX: 0000000000020000 RBX: 20041fac02080072 RCX: ffff88031f587fd8
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 20041fac02080072
RBP: ffff88031f587bb0 R08: 0000000000000008 R09: ffffffff8155be77
R10: ffff880322a59b00 R11: ffffea000bf39f00 R12: 20041fac02080072
R13: 000000000000000d R14: ffff8800c4fbd800 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff880322a40000(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3c52d4547e CR3: 00000000019ba000 CR4: 00000000001407e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Stack:
20041fac02080002 ffff88031f587bd0 ffffffff81557830 20041fac02080002
ffff88031f587c78 ffff88031f587c40 ffffffff8155ae08 000000010157df32
0000000800000001 ffff88031f587c20 ffffffff81096acb ffffffff81aa37d0
Call Trace:
[&lt;ffffffff81557830&gt;] lock_sock_nested+0x20/0x50
[&lt;ffffffff8155ae08&gt;] sock_setsockopt+0x78/0x940
[&lt;ffffffff81096acb&gt;] ? lock_timer_base.isra.33+0x2b/0x50
[&lt;ffffffff8155397d&gt;] kernel_setsockopt+0x4d/0x50
[&lt;ffffffffa0386284&gt;] svc_age_temp_xprts_now+0x174/0x1e0 [sunrpc]
[&lt;ffffffffa03b681d&gt;] nfsd_inetaddr_event+0x9d/0xd0 [nfsd]
[&lt;ffffffff81691ebc&gt;] notifier_call_chain+0x4c/0x70
[&lt;ffffffff810b687d&gt;] __blocking_notifier_call_chain+0x4d/0x70
[&lt;ffffffff810b68b6&gt;] blocking_notifier_call_chain+0x16/0x20
[&lt;ffffffff815e8538&gt;] __inet_del_ifa+0x168/0x2d0
[&lt;ffffffff815e8cef&gt;] check_lifetime+0x25f/0x270
[&lt;ffffffff810a7f3b&gt;] process_one_work+0x17b/0x470
[&lt;ffffffff810a8d76&gt;] worker_thread+0x126/0x410
[&lt;ffffffff810a8c50&gt;] ? rescuer_thread+0x460/0x460
[&lt;ffffffff810b052f&gt;] kthread+0xcf/0xe0
[&lt;ffffffff810b0460&gt;] ? kthread_create_on_node+0x140/0x140
[&lt;ffffffff81696418&gt;] ret_from_fork+0x58/0x90
[&lt;ffffffff810b0460&gt;] ? kthread_create_on_node+0x140/0x140
Code: ca 75 f1 5d c3 0f 1f 80 00 00 00 00 eb d9 66 0f 1f 44 00 00 0f 1f
44 00 00 55 48 89 e5 53 48 89 fb e8 7e 04 a0 ff b8 00 00 02 00 &lt;f0&gt; 0f
c1 03 89 c2 c1 ea 10 66 39 c2 75 03 5b 5d c3 83 e2 fe 0f
RIP  [&lt;ffffffff8168d847&gt;] _raw_spin_lock_bh+0x17/0x50
RSP &lt;ffff88031f587ba8&gt;

Signed-off-by: Scott Mayhew &lt;smayhew@redhat.com&gt;
Fixes: c3d4879e ("sunrpc: Add a function to close temporary transports immediately")
Reviewed-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit ea08e39230e898844d9de5b60cdbb30067cebfe7 upstream.

This fixes the following panic that can occur with NFSoRDMA.

general protection fault: 0000 [#1] SMP
Modules linked in: rpcrdma ib_isert iscsi_target_mod ib_iser libiscsi
scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp
scsi_tgt ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm
mlx5_ib ib_core intel_powerclamp coretemp kvm_intel kvm sg ioatdma
ipmi_devintf ipmi_ssif dcdbas iTCO_wdt iTCO_vendor_support pcspkr
irqbypass sb_edac shpchp dca crc32_pclmul ghash_clmulni_intel edac_core
lpc_ich aesni_intel lrw gf128mul glue_helper ablk_helper mei_me mei
ipmi_si cryptd wmi ipmi_msghandler acpi_pad acpi_power_meter nfsd
auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod
crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper
syscopyarea sysfillrect sysimgblt ahci fb_sys_fops ttm libahci mlx5_core
tg3 crct10dif_pclmul drm crct10dif_common
ptp i2c_core libata crc32c_intel pps_core fjes dm_mirror dm_region_hash
dm_log dm_mod
CPU: 1 PID: 120 Comm: kworker/1:1 Not tainted 3.10.0-514.el7.x86_64 #1
Hardware name: Dell Inc. PowerEdge R320/0KM5PX, BIOS 2.4.2 01/29/2015
Workqueue: events check_lifetime
task: ffff88031f506dd0 ti: ffff88031f584000 task.ti: ffff88031f584000
RIP: 0010:[&lt;ffffffff8168d847&gt;]  [&lt;ffffffff8168d847&gt;]
_raw_spin_lock_bh+0x17/0x50
RSP: 0018:ffff88031f587ba8  EFLAGS: 00010206
RAX: 0000000000020000 RBX: 20041fac02080072 RCX: ffff88031f587fd8
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 20041fac02080072
RBP: ffff88031f587bb0 R08: 0000000000000008 R09: ffffffff8155be77
R10: ffff880322a59b00 R11: ffffea000bf39f00 R12: 20041fac02080072
R13: 000000000000000d R14: ffff8800c4fbd800 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff880322a40000(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3c52d4547e CR3: 00000000019ba000 CR4: 00000000001407e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Stack:
20041fac02080002 ffff88031f587bd0 ffffffff81557830 20041fac02080002
ffff88031f587c78 ffff88031f587c40 ffffffff8155ae08 000000010157df32
0000000800000001 ffff88031f587c20 ffffffff81096acb ffffffff81aa37d0
Call Trace:
[&lt;ffffffff81557830&gt;] lock_sock_nested+0x20/0x50
[&lt;ffffffff8155ae08&gt;] sock_setsockopt+0x78/0x940
[&lt;ffffffff81096acb&gt;] ? lock_timer_base.isra.33+0x2b/0x50
[&lt;ffffffff8155397d&gt;] kernel_setsockopt+0x4d/0x50
[&lt;ffffffffa0386284&gt;] svc_age_temp_xprts_now+0x174/0x1e0 [sunrpc]
[&lt;ffffffffa03b681d&gt;] nfsd_inetaddr_event+0x9d/0xd0 [nfsd]
[&lt;ffffffff81691ebc&gt;] notifier_call_chain+0x4c/0x70
[&lt;ffffffff810b687d&gt;] __blocking_notifier_call_chain+0x4d/0x70
[&lt;ffffffff810b68b6&gt;] blocking_notifier_call_chain+0x16/0x20
[&lt;ffffffff815e8538&gt;] __inet_del_ifa+0x168/0x2d0
[&lt;ffffffff815e8cef&gt;] check_lifetime+0x25f/0x270
[&lt;ffffffff810a7f3b&gt;] process_one_work+0x17b/0x470
[&lt;ffffffff810a8d76&gt;] worker_thread+0x126/0x410
[&lt;ffffffff810a8c50&gt;] ? rescuer_thread+0x460/0x460
[&lt;ffffffff810b052f&gt;] kthread+0xcf/0xe0
[&lt;ffffffff810b0460&gt;] ? kthread_create_on_node+0x140/0x140
[&lt;ffffffff81696418&gt;] ret_from_fork+0x58/0x90
[&lt;ffffffff810b0460&gt;] ? kthread_create_on_node+0x140/0x140
Code: ca 75 f1 5d c3 0f 1f 80 00 00 00 00 eb d9 66 0f 1f 44 00 00 0f 1f
44 00 00 55 48 89 e5 53 48 89 fb e8 7e 04 a0 ff b8 00 00 02 00 &lt;f0&gt; 0f
c1 03 89 c2 c1 ea 10 66 39 c2 75 03 5b 5d c3 83 e2 fe 0f
RIP  [&lt;ffffffff8168d847&gt;] _raw_spin_lock_bh+0x17/0x50
RSP &lt;ffff88031f587ba8&gt;

Signed-off-by: Scott Mayhew &lt;smayhew@redhat.com&gt;
Fixes: c3d4879e ("sunrpc: Add a function to close temporary transports immediately")
Reviewed-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ACPI/PCI: pci_link: penalize SCI correctly</title>
<updated>2016-11-18T09:51:51+00:00</updated>
<author>
<name>Sinan Kaya</name>
<email>okaya@codeaurora.org</email>
</author>
<published>2016-10-24T04:31:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6c76dd0c70662573615fd5aa4c3d0763da24d6e8'/>
<id>6c76dd0c70662573615fd5aa4c3d0763da24d6e8</id>
<content type='text'>
commit f1caa61df2a3dc4c58316295c5dc5edba4c68d85 upstream.

Ondrej reported that IRQs stopped working in v4.7 on several
platforms.  A typical scenario, from Ondrej's VT82C694X/694X, is:

ACPI: Using PIC for interrupt routing
ACPI: PCI Interrupt Link [LNKA] (IRQs 1 3 4 5 6 7 10 *11 12 14 15)
ACPI: No IRQ available for PCI Interrupt Link [LNKA]
8139too 0000:00:0f.0: PCI INT A: no GSI

We're using PIC routing, so acpi_irq_balance == 0, and LNKA is already
active at IRQ 11. In that case, acpi_pci_link_allocate() only tries
to use the active IRQ (IRQ 11) which also happens to be the SCI.

We should penalize the SCI by PIRQ_PENALTY_PCI_USING, but
irq_get_trigger_type(11) returns something other than
IRQ_TYPE_LEVEL_LOW, so we penalize it by PIRQ_PENALTY_ISA_ALWAYS
instead, which makes acpi_pci_link_allocate() assume the IRQ isn't
available and give up.

Add acpi_penalize_sci_irq() so platforms can tell us the SCI IRQ,
trigger, and polarity directly and we don't have to depend on
irq_get_trigger_type().

Fixes: 103544d86976 (ACPI,PCI,IRQ: reduce resource requirements)
Link: http://lkml.kernel.org/r/201609251512.05657.linux@rainbow-software.org
Reported-by: Ondrej Zary &lt;linux@rainbow-software.org&gt;
Acked-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
Signed-off-by: Sinan Kaya &lt;okaya@codeaurora.org&gt;
Tested-by: Jonathan Liu &lt;net147@gmail.com&gt;
Signed-off-by: Rafael J. Wysocki &lt;rafael.j.wysocki@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f1caa61df2a3dc4c58316295c5dc5edba4c68d85 upstream.

Ondrej reported that IRQs stopped working in v4.7 on several
platforms.  A typical scenario, from Ondrej's VT82C694X/694X, is:

ACPI: Using PIC for interrupt routing
ACPI: PCI Interrupt Link [LNKA] (IRQs 1 3 4 5 6 7 10 *11 12 14 15)
ACPI: No IRQ available for PCI Interrupt Link [LNKA]
8139too 0000:00:0f.0: PCI INT A: no GSI

We're using PIC routing, so acpi_irq_balance == 0, and LNKA is already
active at IRQ 11. In that case, acpi_pci_link_allocate() only tries
to use the active IRQ (IRQ 11) which also happens to be the SCI.

We should penalize the SCI by PIRQ_PENALTY_PCI_USING, but
irq_get_trigger_type(11) returns something other than
IRQ_TYPE_LEVEL_LOW, so we penalize it by PIRQ_PENALTY_ISA_ALWAYS
instead, which makes acpi_pci_link_allocate() assume the IRQ isn't
available and give up.

Add acpi_penalize_sci_irq() so platforms can tell us the SCI IRQ,
trigger, and polarity directly and we don't have to depend on
irq_get_trigger_type().

Fixes: 103544d86976 (ACPI,PCI,IRQ: reduce resource requirements)
Link: http://lkml.kernel.org/r/201609251512.05657.linux@rainbow-software.org
Reported-by: Ondrej Zary &lt;linux@rainbow-software.org&gt;
Acked-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
Signed-off-by: Sinan Kaya &lt;okaya@codeaurora.org&gt;
Tested-by: Jonathan Liu &lt;net147@gmail.com&gt;
Signed-off-by: Rafael J. Wysocki &lt;rafael.j.wysocki@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>svcrdma: Tail iovec leaves an orphaned DMA mapping</title>
<updated>2016-11-18T09:51:50+00:00</updated>
<author>
<name>Chuck Lever</name>
<email>chuck.lever@oracle.com</email>
</author>
<published>2016-09-13T14:52:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=07c4cbe0134111fe10e6eab2a16a6d23c5134392'/>
<id>07c4cbe0134111fe10e6eab2a16a6d23c5134392</id>
<content type='text'>
commit cace564f8b6260e806f5e28d7f192fd0e0c603ed upstream.

The ctxt's count field is overloaded to mean the number of pages in
the ctxt-&gt;page array and the number of SGEs in the ctxt-&gt;sge array.
Typically these two numbers are the same.

However, when an inline RPC reply is constructed from an xdr_buf
with a tail iovec, the head and tail often occupy the same page,
but each are DMA mapped independently. In that case, -&gt;count equals
the number of pages, but it does not equal the number of SGEs.
There's one more SGE, for the tail iovec. Hence there is one more
DMA mapping than there are pages in the ctxt-&gt;page array.

This isn't a real problem until the server's iommu is enabled. Then
each RPC reply that has content in that iovec orphans a DMA mapping
that consists of real resources.

krb5i and krb5p always populate that tail iovec. After a couple
million sent krb5i/p RPC replies, the NFS server starts behaving
erratically. Reboot is needed to clear the problem.

Fixes: 9d11b51ce7c1 ("svcrdma: Fix send_reply() scatter/gather set-up")
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit cace564f8b6260e806f5e28d7f192fd0e0c603ed upstream.

The ctxt's count field is overloaded to mean the number of pages in
the ctxt-&gt;page array and the number of SGEs in the ctxt-&gt;sge array.
Typically these two numbers are the same.

However, when an inline RPC reply is constructed from an xdr_buf
with a tail iovec, the head and tail often occupy the same page,
but each are DMA mapped independently. In that case, -&gt;count equals
the number of pages, but it does not equal the number of SGEs.
There's one more SGE, for the tail iovec. Hence there is one more
DMA mapping than there are pages in the ctxt-&gt;page array.

This isn't a real problem until the server's iommu is enabled. Then
each RPC reply that has content in that iovec orphans a DMA mapping
that consists of real resources.

krb5i and krb5p always populate that tail iovec. After a couple
million sent krb5i/p RPC replies, the NFS server starts behaving
erratically. Reboot is needed to clear the problem.

Fixes: 9d11b51ce7c1 ("svcrdma: Fix send_reply() scatter/gather set-up")
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mm, frontswap: make sure allocated frontswap map is assigned</title>
<updated>2016-11-18T09:51:44+00:00</updated>
<author>
<name>Vlastimil Babka</name>
<email>vbabka@suse.cz</email>
</author>
<published>2016-11-10T18:46:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5b5243b606ec0de2988d32207a537841d4ead721'/>
<id>5b5243b606ec0de2988d32207a537841d4ead721</id>
<content type='text'>
commit 5e322beefc8699b5747cfb35539a9496034e4296 upstream.

Christian Borntraeger reports:

With commit 8ea1d2a1985a ("mm, frontswap: convert frontswap_enabled to
static key") kmemleak complains about a memory leak in swapon

    unreferenced object 0x3e09ba56000 (size 32112640):
      comm "swapon", pid 7852, jiffies 4294968787 (age 1490.770s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
         __vmalloc_node_range+0x194/0x2d8
         vzalloc+0x58/0x68
         SyS_swapon+0xd60/0x12f8
         system_call+0xd6/0x270

Turns out kmemleak is right.  We now allocate the frontswap map
depending on the kernel config (and no longer on the enablement)

  swapfile.c:
  [...]
      if (IS_ENABLED(CONFIG_FRONTSWAP))
                frontswap_map = vzalloc(BITS_TO_LONGS(maxpages) * sizeof(long));

but later on this is passed along
  --&gt; enable_swap_info(p, prio, swap_map, cluster_info, frontswap_map);

and ignored if frontswap is disabled
  --&gt; frontswap_init(p-&gt;type, frontswap_map);

  static inline void frontswap_init(unsigned type, unsigned long *map)
  {
        if (frontswap_enabled())
                __frontswap_init(type, map);
  }

Thing is, that frontswap map is never freed.

The leakage is relatively not that bad, because swapon is an infrequent
and privileged operation.  However, if the first frontswap backend is
registered after a swap type has been already enabled, it will WARN_ON
in frontswap_register_ops() and frontswap will not be available for the
swap type.

Fix this by making sure the map is assigned by frontswap_init() as long
as CONFIG_FRONTSWAP is enabled.

Fixes: 8ea1d2a1985a ("mm, frontswap: convert frontswap_enabled to static key")
Link: http://lkml.kernel.org/r/20161026134220.2566-1-vbabka@suse.cz
Signed-off-by: Vlastimil Babka &lt;vbabka@suse.cz&gt;
Reported-by: Christian Borntraeger &lt;borntraeger@de.ibm.com&gt;
Cc: Konrad Rzeszutek Wilk &lt;konrad.wilk@oracle.com&gt;
Cc: Boris Ostrovsky &lt;boris.ostrovsky@oracle.com&gt;
Cc: David Vrabel &lt;david.vrabel@citrix.com&gt;
Cc: Juergen Gross &lt;jgross@suse.com&gt;
Cc: "Kirill A. Shutemov" &lt;kirill.shutemov@linux.intel.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5e322beefc8699b5747cfb35539a9496034e4296 upstream.

Christian Borntraeger reports:

With commit 8ea1d2a1985a ("mm, frontswap: convert frontswap_enabled to
static key") kmemleak complains about a memory leak in swapon

    unreferenced object 0x3e09ba56000 (size 32112640):
      comm "swapon", pid 7852, jiffies 4294968787 (age 1490.770s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
         __vmalloc_node_range+0x194/0x2d8
         vzalloc+0x58/0x68
         SyS_swapon+0xd60/0x12f8
         system_call+0xd6/0x270

Turns out kmemleak is right.  We now allocate the frontswap map
depending on the kernel config (and no longer on the enablement)

  swapfile.c:
  [...]
      if (IS_ENABLED(CONFIG_FRONTSWAP))
                frontswap_map = vzalloc(BITS_TO_LONGS(maxpages) * sizeof(long));

but later on this is passed along
  --&gt; enable_swap_info(p, prio, swap_map, cluster_info, frontswap_map);

and ignored if frontswap is disabled
  --&gt; frontswap_init(p-&gt;type, frontswap_map);

  static inline void frontswap_init(unsigned type, unsigned long *map)
  {
        if (frontswap_enabled())
                __frontswap_init(type, map);
  }

Thing is, that frontswap map is never freed.

The leakage is relatively not that bad, because swapon is an infrequent
and privileged operation.  However, if the first frontswap backend is
registered after a swap type has been already enabled, it will WARN_ON
in frontswap_register_ops() and frontswap will not be available for the
swap type.

Fix this by making sure the map is assigned by frontswap_init() as long
as CONFIG_FRONTSWAP is enabled.

Fixes: 8ea1d2a1985a ("mm, frontswap: convert frontswap_enabled to static key")
Link: http://lkml.kernel.org/r/20161026134220.2566-1-vbabka@suse.cz
Signed-off-by: Vlastimil Babka &lt;vbabka@suse.cz&gt;
Reported-by: Christian Borntraeger &lt;borntraeger@de.ibm.com&gt;
Cc: Konrad Rzeszutek Wilk &lt;konrad.wilk@oracle.com&gt;
Cc: Boris Ostrovsky &lt;boris.ostrovsky@oracle.com&gt;
Cc: David Vrabel &lt;david.vrabel@citrix.com&gt;
Cc: Juergen Gross &lt;jgross@suse.com&gt;
Cc: "Kirill A. Shutemov" &lt;kirill.shutemov@linux.intel.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>net: add recursion limit to GRO</title>
<updated>2016-11-15T06:48:52+00:00</updated>
<author>
<name>Sabrina Dubroca</name>
<email>sd@queasysnail.net</email>
</author>
<published>2016-10-20T13:58:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=23c110c4cdbce17b6c5df90298168fc4b990ecc1'/>
<id>23c110c4cdbce17b6c5df90298168fc4b990ecc1</id>
<content type='text'>
[ Upstream commit fcd91dd449867c6bfe56a81cabba76b829fd05cd ]

Currently, GRO can do unlimited recursion through the gro_receive
handlers.  This was fixed for tunneling protocols by limiting tunnel GRO
to one level with encap_mark, but both VLAN and TEB still have this
problem.  Thus, the kernel is vulnerable to a stack overflow, if we
receive a packet composed entirely of VLAN headers.

This patch adds a recursion counter to the GRO layer to prevent stack
overflow.  When a gro_receive function hits the recursion limit, GRO is
aborted for this skb and it is processed normally.  This recursion
counter is put in the GRO CB, but could be turned into a percpu counter
if we run out of space in the CB.

Thanks to Vladimír Beneš &lt;vbenes@redhat.com&gt; for the initial bug report.

Fixes: CVE-2016-7039
Fixes: 9b174d88c257 ("net: Add Transparent Ethernet Bridging GRO support.")
Fixes: 66e5133f19e9 ("vlan: Add GRO support for non hardware accelerated vlan")
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Reviewed-by: Jiri Benc &lt;jbenc@redhat.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Acked-by: Tom Herbert &lt;tom@herbertland.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit fcd91dd449867c6bfe56a81cabba76b829fd05cd ]

Currently, GRO can do unlimited recursion through the gro_receive
handlers.  This was fixed for tunneling protocols by limiting tunnel GRO
to one level with encap_mark, but both VLAN and TEB still have this
problem.  Thus, the kernel is vulnerable to a stack overflow, if we
receive a packet composed entirely of VLAN headers.

This patch adds a recursion counter to the GRO layer to prevent stack
overflow.  When a gro_receive function hits the recursion limit, GRO is
aborted for this skb and it is processed normally.  This recursion
counter is put in the GRO CB, but could be turned into a percpu counter
if we run out of space in the CB.

Thanks to Vladimír Beneš &lt;vbenes@redhat.com&gt; for the initial bug report.

Fixes: CVE-2016-7039
Fixes: 9b174d88c257 ("net: Add Transparent Ethernet Bridging GRO support.")
Fixes: 66e5133f19e9 ("vlan: Add GRO support for non hardware accelerated vlan")
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Reviewed-by: Jiri Benc &lt;jbenc@redhat.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Acked-by: Tom Herbert &lt;tom@herbertland.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: core: Correctly iterate over lower adjacency list</title>
<updated>2016-11-15T06:48:52+00:00</updated>
<author>
<name>Ido Schimmel</name>
<email>idosch@mellanox.com</email>
</author>
<published>2016-10-19T13:57:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d3bbd04b92fddeb25a798d44b0fb9c903b6038e8'/>
<id>d3bbd04b92fddeb25a798d44b0fb9c903b6038e8</id>
<content type='text'>
[ Upstream commit e4961b0768852d9eb7383e1a5df178eacb714656 ]

Tamir reported the following trace when processing ARP requests received
via a vlan device on top of a VLAN-aware bridge:

 NMI watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [swapper/1:0]
[...]
 CPU: 1 PID: 0 Comm: swapper/1 Tainted: G        W       4.8.0-rc7 #1
 Hardware name: Mellanox Technologies Ltd. "MSN2100-CB2F"/"SA001017", BIOS 5.6.5 06/07/2016
 task: ffff88017edfea40 task.stack: ffff88017ee10000
 RIP: 0010:[&lt;ffffffff815dcc73&gt;]  [&lt;ffffffff815dcc73&gt;] netdev_all_lower_get_next_rcu+0x33/0x60
[...]
 Call Trace:
  &lt;IRQ&gt;
  [&lt;ffffffffa015de0a&gt;] mlxsw_sp_port_lower_dev_hold+0x5a/0xa0 [mlxsw_spectrum]
  [&lt;ffffffffa016f1b0&gt;] mlxsw_sp_router_netevent_event+0x80/0x150 [mlxsw_spectrum]
  [&lt;ffffffff810ad07a&gt;] notifier_call_chain+0x4a/0x70
  [&lt;ffffffff810ad13a&gt;] atomic_notifier_call_chain+0x1a/0x20
  [&lt;ffffffff815ee77b&gt;] call_netevent_notifiers+0x1b/0x20
  [&lt;ffffffff815f2eb6&gt;] neigh_update+0x306/0x740
  [&lt;ffffffff815f38ce&gt;] neigh_event_ns+0x4e/0xb0
  [&lt;ffffffff8165ea3f&gt;] arp_process+0x66f/0x700
  [&lt;ffffffff8170214c&gt;] ? common_interrupt+0x8c/0x8c
  [&lt;ffffffff8165ec29&gt;] arp_rcv+0x139/0x1d0
  [&lt;ffffffff816e505a&gt;] ? vlan_do_receive+0xda/0x320
  [&lt;ffffffff815e3794&gt;] __netif_receive_skb_core+0x524/0xab0
  [&lt;ffffffff815e6830&gt;] ? dev_queue_xmit+0x10/0x20
  [&lt;ffffffffa06d612d&gt;] ? br_forward_finish+0x3d/0xc0 [bridge]
  [&lt;ffffffffa06e5796&gt;] ? br_handle_vlan+0xf6/0x1b0 [bridge]
  [&lt;ffffffff815e3d38&gt;] __netif_receive_skb+0x18/0x60
  [&lt;ffffffff815e3dc0&gt;] netif_receive_skb_internal+0x40/0xb0
  [&lt;ffffffff815e3e4c&gt;] netif_receive_skb+0x1c/0x70
  [&lt;ffffffffa06d7856&gt;] br_pass_frame_up+0xc6/0x160 [bridge]
  [&lt;ffffffffa06d63d7&gt;] ? deliver_clone+0x37/0x50 [bridge]
  [&lt;ffffffffa06d656c&gt;] ? br_flood+0xcc/0x160 [bridge]
  [&lt;ffffffffa06d7b14&gt;] br_handle_frame_finish+0x224/0x4f0 [bridge]
  [&lt;ffffffffa06d7f94&gt;] br_handle_frame+0x174/0x300 [bridge]
  [&lt;ffffffff815e3599&gt;] __netif_receive_skb_core+0x329/0xab0
  [&lt;ffffffff81374815&gt;] ? find_next_bit+0x15/0x20
  [&lt;ffffffff8135e802&gt;] ? cpumask_next_and+0x32/0x50
  [&lt;ffffffff810c9968&gt;] ? load_balance+0x178/0x9b0
  [&lt;ffffffff815e3d38&gt;] __netif_receive_skb+0x18/0x60
  [&lt;ffffffff815e3dc0&gt;] netif_receive_skb_internal+0x40/0xb0
  [&lt;ffffffff815e3e4c&gt;] netif_receive_skb+0x1c/0x70
  [&lt;ffffffffa01544a1&gt;] mlxsw_sp_rx_listener_func+0x61/0xb0 [mlxsw_spectrum]
  [&lt;ffffffffa005c9f7&gt;] mlxsw_core_skb_receive+0x187/0x200 [mlxsw_core]
  [&lt;ffffffffa007332a&gt;] mlxsw_pci_cq_tasklet+0x63a/0x9b0 [mlxsw_pci]
  [&lt;ffffffff81091986&gt;] tasklet_action+0xf6/0x110
  [&lt;ffffffff81704556&gt;] __do_softirq+0xf6/0x280
  [&lt;ffffffff8109213f&gt;] irq_exit+0xdf/0xf0
  [&lt;ffffffff817042b4&gt;] do_IRQ+0x54/0xd0
  [&lt;ffffffff8170214c&gt;] common_interrupt+0x8c/0x8c

The problem is that netdev_all_lower_get_next_rcu() never advances the
iterator, thereby causing the loop over the lower adjacency list to run
forever.

Fix this by advancing the iterator and avoid the infinite loop.

Fixes: 7ce856aaaf13 ("mlxsw: spectrum: Add couple of lower device helper functions")
Signed-off-by: Ido Schimmel &lt;idosch@mellanox.com&gt;
Reported-by: Tamir Winetroub &lt;tamirw@mellanox.com&gt;
Reviewed-by: Jiri Pirko &lt;jiri@mellanox.com&gt;
Acked-by: David Ahern &lt;dsa@cumulusnetworks.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit e4961b0768852d9eb7383e1a5df178eacb714656 ]

Tamir reported the following trace when processing ARP requests received
via a vlan device on top of a VLAN-aware bridge:

 NMI watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [swapper/1:0]
[...]
 CPU: 1 PID: 0 Comm: swapper/1 Tainted: G        W       4.8.0-rc7 #1
 Hardware name: Mellanox Technologies Ltd. "MSN2100-CB2F"/"SA001017", BIOS 5.6.5 06/07/2016
 task: ffff88017edfea40 task.stack: ffff88017ee10000
 RIP: 0010:[&lt;ffffffff815dcc73&gt;]  [&lt;ffffffff815dcc73&gt;] netdev_all_lower_get_next_rcu+0x33/0x60
[...]
 Call Trace:
  &lt;IRQ&gt;
  [&lt;ffffffffa015de0a&gt;] mlxsw_sp_port_lower_dev_hold+0x5a/0xa0 [mlxsw_spectrum]
  [&lt;ffffffffa016f1b0&gt;] mlxsw_sp_router_netevent_event+0x80/0x150 [mlxsw_spectrum]
  [&lt;ffffffff810ad07a&gt;] notifier_call_chain+0x4a/0x70
  [&lt;ffffffff810ad13a&gt;] atomic_notifier_call_chain+0x1a/0x20
  [&lt;ffffffff815ee77b&gt;] call_netevent_notifiers+0x1b/0x20
  [&lt;ffffffff815f2eb6&gt;] neigh_update+0x306/0x740
  [&lt;ffffffff815f38ce&gt;] neigh_event_ns+0x4e/0xb0
  [&lt;ffffffff8165ea3f&gt;] arp_process+0x66f/0x700
  [&lt;ffffffff8170214c&gt;] ? common_interrupt+0x8c/0x8c
  [&lt;ffffffff8165ec29&gt;] arp_rcv+0x139/0x1d0
  [&lt;ffffffff816e505a&gt;] ? vlan_do_receive+0xda/0x320
  [&lt;ffffffff815e3794&gt;] __netif_receive_skb_core+0x524/0xab0
  [&lt;ffffffff815e6830&gt;] ? dev_queue_xmit+0x10/0x20
  [&lt;ffffffffa06d612d&gt;] ? br_forward_finish+0x3d/0xc0 [bridge]
  [&lt;ffffffffa06e5796&gt;] ? br_handle_vlan+0xf6/0x1b0 [bridge]
  [&lt;ffffffff815e3d38&gt;] __netif_receive_skb+0x18/0x60
  [&lt;ffffffff815e3dc0&gt;] netif_receive_skb_internal+0x40/0xb0
  [&lt;ffffffff815e3e4c&gt;] netif_receive_skb+0x1c/0x70
  [&lt;ffffffffa06d7856&gt;] br_pass_frame_up+0xc6/0x160 [bridge]
  [&lt;ffffffffa06d63d7&gt;] ? deliver_clone+0x37/0x50 [bridge]
  [&lt;ffffffffa06d656c&gt;] ? br_flood+0xcc/0x160 [bridge]
  [&lt;ffffffffa06d7b14&gt;] br_handle_frame_finish+0x224/0x4f0 [bridge]
  [&lt;ffffffffa06d7f94&gt;] br_handle_frame+0x174/0x300 [bridge]
  [&lt;ffffffff815e3599&gt;] __netif_receive_skb_core+0x329/0xab0
  [&lt;ffffffff81374815&gt;] ? find_next_bit+0x15/0x20
  [&lt;ffffffff8135e802&gt;] ? cpumask_next_and+0x32/0x50
  [&lt;ffffffff810c9968&gt;] ? load_balance+0x178/0x9b0
  [&lt;ffffffff815e3d38&gt;] __netif_receive_skb+0x18/0x60
  [&lt;ffffffff815e3dc0&gt;] netif_receive_skb_internal+0x40/0xb0
  [&lt;ffffffff815e3e4c&gt;] netif_receive_skb+0x1c/0x70
  [&lt;ffffffffa01544a1&gt;] mlxsw_sp_rx_listener_func+0x61/0xb0 [mlxsw_spectrum]
  [&lt;ffffffffa005c9f7&gt;] mlxsw_core_skb_receive+0x187/0x200 [mlxsw_core]
  [&lt;ffffffffa007332a&gt;] mlxsw_pci_cq_tasklet+0x63a/0x9b0 [mlxsw_pci]
  [&lt;ffffffff81091986&gt;] tasklet_action+0xf6/0x110
  [&lt;ffffffff81704556&gt;] __do_softirq+0xf6/0x280
  [&lt;ffffffff8109213f&gt;] irq_exit+0xdf/0xf0
  [&lt;ffffffff817042b4&gt;] do_IRQ+0x54/0xd0
  [&lt;ffffffff8170214c&gt;] common_interrupt+0x8c/0x8c

The problem is that netdev_all_lower_get_next_rcu() never advances the
iterator, thereby causing the loop over the lower adjacency list to run
forever.

Fix this by advancing the iterator and avoid the infinite loop.

Fixes: 7ce856aaaf13 ("mlxsw: spectrum: Add couple of lower device helper functions")
Signed-off-by: Ido Schimmel &lt;idosch@mellanox.com&gt;
Reported-by: Tamir Winetroub &lt;tamirw@mellanox.com&gt;
Reviewed-by: Jiri Pirko &lt;jiri@mellanox.com&gt;
Acked-by: David Ahern &lt;dsa@cumulusnetworks.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
