<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/include, branch v4.8.9</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ACPI/PCI: pci_link: penalize SCI correctly</title>
<updated>2016-11-18T09:51:51+00:00</updated>
<author>
<name>Sinan Kaya</name>
<email>okaya@codeaurora.org</email>
</author>
<published>2016-10-24T04:31:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6c76dd0c70662573615fd5aa4c3d0763da24d6e8'/>
<id>6c76dd0c70662573615fd5aa4c3d0763da24d6e8</id>
<content type='text'>
commit f1caa61df2a3dc4c58316295c5dc5edba4c68d85 upstream.

Ondrej reported that IRQs stopped working in v4.7 on several
platforms.  A typical scenario, from Ondrej's VT82C694X/694X, is:

ACPI: Using PIC for interrupt routing
ACPI: PCI Interrupt Link [LNKA] (IRQs 1 3 4 5 6 7 10 *11 12 14 15)
ACPI: No IRQ available for PCI Interrupt Link [LNKA]
8139too 0000:00:0f.0: PCI INT A: no GSI

We're using PIC routing, so acpi_irq_balance == 0, and LNKA is already
active at IRQ 11. In that case, acpi_pci_link_allocate() only tries
to use the active IRQ (IRQ 11) which also happens to be the SCI.

We should penalize the SCI by PIRQ_PENALTY_PCI_USING, but
irq_get_trigger_type(11) returns something other than
IRQ_TYPE_LEVEL_LOW, so we penalize it by PIRQ_PENALTY_ISA_ALWAYS
instead, which makes acpi_pci_link_allocate() assume the IRQ isn't
available and give up.

Add acpi_penalize_sci_irq() so platforms can tell us the SCI IRQ,
trigger, and polarity directly and we don't have to depend on
irq_get_trigger_type().

Fixes: 103544d86976 (ACPI,PCI,IRQ: reduce resource requirements)
Link: http://lkml.kernel.org/r/201609251512.05657.linux@rainbow-software.org
Reported-by: Ondrej Zary &lt;linux@rainbow-software.org&gt;
Acked-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
Signed-off-by: Sinan Kaya &lt;okaya@codeaurora.org&gt;
Tested-by: Jonathan Liu &lt;net147@gmail.com&gt;
Signed-off-by: Rafael J. Wysocki &lt;rafael.j.wysocki@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f1caa61df2a3dc4c58316295c5dc5edba4c68d85 upstream.

Ondrej reported that IRQs stopped working in v4.7 on several
platforms.  A typical scenario, from Ondrej's VT82C694X/694X, is:

ACPI: Using PIC for interrupt routing
ACPI: PCI Interrupt Link [LNKA] (IRQs 1 3 4 5 6 7 10 *11 12 14 15)
ACPI: No IRQ available for PCI Interrupt Link [LNKA]
8139too 0000:00:0f.0: PCI INT A: no GSI

We're using PIC routing, so acpi_irq_balance == 0, and LNKA is already
active at IRQ 11. In that case, acpi_pci_link_allocate() only tries
to use the active IRQ (IRQ 11) which also happens to be the SCI.

We should penalize the SCI by PIRQ_PENALTY_PCI_USING, but
irq_get_trigger_type(11) returns something other than
IRQ_TYPE_LEVEL_LOW, so we penalize it by PIRQ_PENALTY_ISA_ALWAYS
instead, which makes acpi_pci_link_allocate() assume the IRQ isn't
available and give up.

Add acpi_penalize_sci_irq() so platforms can tell us the SCI IRQ,
trigger, and polarity directly and we don't have to depend on
irq_get_trigger_type().

Fixes: 103544d86976 (ACPI,PCI,IRQ: reduce resource requirements)
Link: http://lkml.kernel.org/r/201609251512.05657.linux@rainbow-software.org
Reported-by: Ondrej Zary &lt;linux@rainbow-software.org&gt;
Acked-by: Bjorn Helgaas &lt;bhelgaas@google.com&gt;
Signed-off-by: Sinan Kaya &lt;okaya@codeaurora.org&gt;
Tested-by: Jonathan Liu &lt;net147@gmail.com&gt;
Signed-off-by: Rafael J. Wysocki &lt;rafael.j.wysocki@intel.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>svcrdma: Tail iovec leaves an orphaned DMA mapping</title>
<updated>2016-11-18T09:51:50+00:00</updated>
<author>
<name>Chuck Lever</name>
<email>chuck.lever@oracle.com</email>
</author>
<published>2016-09-13T14:52:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=07c4cbe0134111fe10e6eab2a16a6d23c5134392'/>
<id>07c4cbe0134111fe10e6eab2a16a6d23c5134392</id>
<content type='text'>
commit cace564f8b6260e806f5e28d7f192fd0e0c603ed upstream.

The ctxt's count field is overloaded to mean the number of pages in
the ctxt-&gt;page array and the number of SGEs in the ctxt-&gt;sge array.
Typically these two numbers are the same.

However, when an inline RPC reply is constructed from an xdr_buf
with a tail iovec, the head and tail often occupy the same page,
but each are DMA mapped independently. In that case, -&gt;count equals
the number of pages, but it does not equal the number of SGEs.
There's one more SGE, for the tail iovec. Hence there is one more
DMA mapping than there are pages in the ctxt-&gt;page array.

This isn't a real problem until the server's iommu is enabled. Then
each RPC reply that has content in that iovec orphans a DMA mapping
that consists of real resources.

krb5i and krb5p always populate that tail iovec. After a couple
million sent krb5i/p RPC replies, the NFS server starts behaving
erratically. Reboot is needed to clear the problem.

Fixes: 9d11b51ce7c1 ("svcrdma: Fix send_reply() scatter/gather set-up")
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit cace564f8b6260e806f5e28d7f192fd0e0c603ed upstream.

The ctxt's count field is overloaded to mean the number of pages in
the ctxt-&gt;page array and the number of SGEs in the ctxt-&gt;sge array.
Typically these two numbers are the same.

However, when an inline RPC reply is constructed from an xdr_buf
with a tail iovec, the head and tail often occupy the same page,
but each are DMA mapped independently. In that case, -&gt;count equals
the number of pages, but it does not equal the number of SGEs.
There's one more SGE, for the tail iovec. Hence there is one more
DMA mapping than there are pages in the ctxt-&gt;page array.

This isn't a real problem until the server's iommu is enabled. Then
each RPC reply that has content in that iovec orphans a DMA mapping
that consists of real resources.

krb5i and krb5p always populate that tail iovec. After a couple
million sent krb5i/p RPC replies, the NFS server starts behaving
erratically. Reboot is needed to clear the problem.

Fixes: 9d11b51ce7c1 ("svcrdma: Fix send_reply() scatter/gather set-up")
Signed-off-by: Chuck Lever &lt;chuck.lever@oracle.com&gt;
Signed-off-by: J. Bruce Fields &lt;bfields@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>mm, frontswap: make sure allocated frontswap map is assigned</title>
<updated>2016-11-18T09:51:44+00:00</updated>
<author>
<name>Vlastimil Babka</name>
<email>vbabka@suse.cz</email>
</author>
<published>2016-11-10T18:46:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5b5243b606ec0de2988d32207a537841d4ead721'/>
<id>5b5243b606ec0de2988d32207a537841d4ead721</id>
<content type='text'>
commit 5e322beefc8699b5747cfb35539a9496034e4296 upstream.

Christian Borntraeger reports:

With commit 8ea1d2a1985a ("mm, frontswap: convert frontswap_enabled to
static key") kmemleak complains about a memory leak in swapon

    unreferenced object 0x3e09ba56000 (size 32112640):
      comm "swapon", pid 7852, jiffies 4294968787 (age 1490.770s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
         __vmalloc_node_range+0x194/0x2d8
         vzalloc+0x58/0x68
         SyS_swapon+0xd60/0x12f8
         system_call+0xd6/0x270

Turns out kmemleak is right.  We now allocate the frontswap map
depending on the kernel config (and no longer on the enablement)

  swapfile.c:
  [...]
      if (IS_ENABLED(CONFIG_FRONTSWAP))
                frontswap_map = vzalloc(BITS_TO_LONGS(maxpages) * sizeof(long));

but later on this is passed along
  --&gt; enable_swap_info(p, prio, swap_map, cluster_info, frontswap_map);

and ignored if frontswap is disabled
  --&gt; frontswap_init(p-&gt;type, frontswap_map);

  static inline void frontswap_init(unsigned type, unsigned long *map)
  {
        if (frontswap_enabled())
                __frontswap_init(type, map);
  }

Thing is, that frontswap map is never freed.

The leakage is relatively not that bad, because swapon is an infrequent
and privileged operation.  However, if the first frontswap backend is
registered after a swap type has been already enabled, it will WARN_ON
in frontswap_register_ops() and frontswap will not be available for the
swap type.

Fix this by making sure the map is assigned by frontswap_init() as long
as CONFIG_FRONTSWAP is enabled.

Fixes: 8ea1d2a1985a ("mm, frontswap: convert frontswap_enabled to static key")
Link: http://lkml.kernel.org/r/20161026134220.2566-1-vbabka@suse.cz
Signed-off-by: Vlastimil Babka &lt;vbabka@suse.cz&gt;
Reported-by: Christian Borntraeger &lt;borntraeger@de.ibm.com&gt;
Cc: Konrad Rzeszutek Wilk &lt;konrad.wilk@oracle.com&gt;
Cc: Boris Ostrovsky &lt;boris.ostrovsky@oracle.com&gt;
Cc: David Vrabel &lt;david.vrabel@citrix.com&gt;
Cc: Juergen Gross &lt;jgross@suse.com&gt;
Cc: "Kirill A. Shutemov" &lt;kirill.shutemov@linux.intel.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5e322beefc8699b5747cfb35539a9496034e4296 upstream.

Christian Borntraeger reports:

With commit 8ea1d2a1985a ("mm, frontswap: convert frontswap_enabled to
static key") kmemleak complains about a memory leak in swapon

    unreferenced object 0x3e09ba56000 (size 32112640):
      comm "swapon", pid 7852, jiffies 4294968787 (age 1490.770s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
         __vmalloc_node_range+0x194/0x2d8
         vzalloc+0x58/0x68
         SyS_swapon+0xd60/0x12f8
         system_call+0xd6/0x270

Turns out kmemleak is right.  We now allocate the frontswap map
depending on the kernel config (and no longer on the enablement)

  swapfile.c:
  [...]
      if (IS_ENABLED(CONFIG_FRONTSWAP))
                frontswap_map = vzalloc(BITS_TO_LONGS(maxpages) * sizeof(long));

but later on this is passed along
  --&gt; enable_swap_info(p, prio, swap_map, cluster_info, frontswap_map);

and ignored if frontswap is disabled
  --&gt; frontswap_init(p-&gt;type, frontswap_map);

  static inline void frontswap_init(unsigned type, unsigned long *map)
  {
        if (frontswap_enabled())
                __frontswap_init(type, map);
  }

Thing is, that frontswap map is never freed.

The leakage is relatively not that bad, because swapon is an infrequent
and privileged operation.  However, if the first frontswap backend is
registered after a swap type has been already enabled, it will WARN_ON
in frontswap_register_ops() and frontswap will not be available for the
swap type.

Fix this by making sure the map is assigned by frontswap_init() as long
as CONFIG_FRONTSWAP is enabled.

Fixes: 8ea1d2a1985a ("mm, frontswap: convert frontswap_enabled to static key")
Link: http://lkml.kernel.org/r/20161026134220.2566-1-vbabka@suse.cz
Signed-off-by: Vlastimil Babka &lt;vbabka@suse.cz&gt;
Reported-by: Christian Borntraeger &lt;borntraeger@de.ibm.com&gt;
Cc: Konrad Rzeszutek Wilk &lt;konrad.wilk@oracle.com&gt;
Cc: Boris Ostrovsky &lt;boris.ostrovsky@oracle.com&gt;
Cc: David Vrabel &lt;david.vrabel@citrix.com&gt;
Cc: Juergen Gross &lt;jgross@suse.com&gt;
Cc: "Kirill A. Shutemov" &lt;kirill.shutemov@linux.intel.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>net: ipv6: Do not consider link state for nexthop validation</title>
<updated>2016-11-15T06:48:53+00:00</updated>
<author>
<name>David Ahern</name>
<email>dsa@cumulusnetworks.com</email>
</author>
<published>2016-10-24T19:27:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d46b19687feca220e933f8d92844151154a51775'/>
<id>d46b19687feca220e933f8d92844151154a51775</id>
<content type='text'>
[ Upstream commit d5d32e4b76687f4df9ad3ba8d3702b7347f51fa6 ]

Similar to IPv4, do not consider link state when validating next hops.

Currently, if the link is down default routes can fail to insert:
 $ ip -6 ro add vrf blue default via 2100:2::64 dev eth2
 RTNETLINK answers: No route to host

With this patch the command succeeds.

Fixes: 8c14586fc320 ("net: ipv6: Use passed in table for nexthop lookups")
Signed-off-by: David Ahern &lt;dsa@cumulusnetworks.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d5d32e4b76687f4df9ad3ba8d3702b7347f51fa6 ]

Similar to IPv4, do not consider link state when validating next hops.

Currently, if the link is down default routes can fail to insert:
 $ ip -6 ro add vrf blue default via 2100:2::64 dev eth2
 RTNETLINK answers: No route to host

With this patch the command succeeds.

Fixes: 8c14586fc320 ("net: ipv6: Use passed in table for nexthop lookups")
Signed-off-by: David Ahern &lt;dsa@cumulusnetworks.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>udp: fix IP_CHECKSUM handling</title>
<updated>2016-11-15T06:48:53+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2016-10-24T01:03:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b75edf27a6c3ea4f6ef4fd6e5497cf0de1733e1b'/>
<id>b75edf27a6c3ea4f6ef4fd6e5497cf0de1733e1b</id>
<content type='text'>
[ Upstream commit 10df8e6152c6c400a563a673e9956320bfce1871 ]

First bug was added in commit ad6f939ab193 ("ip: Add offset parameter to
ip_cmsg_recv") : Tom missed that ipv4 udp messages could be received on
AF_INET6 socket. ip_cmsg_recv(msg, skb) should have been replaced by
ip_cmsg_recv_offset(msg, skb, sizeof(struct udphdr));

Then commit e6afc8ace6dd ("udp: remove headers from UDP packets before
queueing") forgot to adjust the offsets now UDP headers are pulled
before skb are put in receive queue.

Fixes: ad6f939ab193 ("ip: Add offset parameter to ip_cmsg_recv")
Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Sam Kumar &lt;samanthakumar@google.com&gt;
Cc: Willem de Bruijn &lt;willemb@google.com&gt;
Tested-by: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 10df8e6152c6c400a563a673e9956320bfce1871 ]

First bug was added in commit ad6f939ab193 ("ip: Add offset parameter to
ip_cmsg_recv") : Tom missed that ipv4 udp messages could be received on
AF_INET6 socket. ip_cmsg_recv(msg, skb) should have been replaced by
ip_cmsg_recv_offset(msg, skb, sizeof(struct udphdr));

Then commit e6afc8ace6dd ("udp: remove headers from UDP packets before
queueing") forgot to adjust the offsets now UDP headers are pulled
before skb are put in receive queue.

Fixes: ad6f939ab193 ("ip: Add offset parameter to ip_cmsg_recv")
Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Sam Kumar &lt;samanthakumar@google.com&gt;
Cc: Willem de Bruijn &lt;willemb@google.com&gt;
Tested-by: Willem de Bruijn &lt;willemb@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: add recursion limit to GRO</title>
<updated>2016-11-15T06:48:52+00:00</updated>
<author>
<name>Sabrina Dubroca</name>
<email>sd@queasysnail.net</email>
</author>
<published>2016-10-20T13:58:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=23c110c4cdbce17b6c5df90298168fc4b990ecc1'/>
<id>23c110c4cdbce17b6c5df90298168fc4b990ecc1</id>
<content type='text'>
[ Upstream commit fcd91dd449867c6bfe56a81cabba76b829fd05cd ]

Currently, GRO can do unlimited recursion through the gro_receive
handlers.  This was fixed for tunneling protocols by limiting tunnel GRO
to one level with encap_mark, but both VLAN and TEB still have this
problem.  Thus, the kernel is vulnerable to a stack overflow, if we
receive a packet composed entirely of VLAN headers.

This patch adds a recursion counter to the GRO layer to prevent stack
overflow.  When a gro_receive function hits the recursion limit, GRO is
aborted for this skb and it is processed normally.  This recursion
counter is put in the GRO CB, but could be turned into a percpu counter
if we run out of space in the CB.

Thanks to Vladimír Beneš &lt;vbenes@redhat.com&gt; for the initial bug report.

Fixes: CVE-2016-7039
Fixes: 9b174d88c257 ("net: Add Transparent Ethernet Bridging GRO support.")
Fixes: 66e5133f19e9 ("vlan: Add GRO support for non hardware accelerated vlan")
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Reviewed-by: Jiri Benc &lt;jbenc@redhat.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Acked-by: Tom Herbert &lt;tom@herbertland.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit fcd91dd449867c6bfe56a81cabba76b829fd05cd ]

Currently, GRO can do unlimited recursion through the gro_receive
handlers.  This was fixed for tunneling protocols by limiting tunnel GRO
to one level with encap_mark, but both VLAN and TEB still have this
problem.  Thus, the kernel is vulnerable to a stack overflow, if we
receive a packet composed entirely of VLAN headers.

This patch adds a recursion counter to the GRO layer to prevent stack
overflow.  When a gro_receive function hits the recursion limit, GRO is
aborted for this skb and it is processed normally.  This recursion
counter is put in the GRO CB, but could be turned into a percpu counter
if we run out of space in the CB.

Thanks to Vladimír Beneš &lt;vbenes@redhat.com&gt; for the initial bug report.

Fixes: CVE-2016-7039
Fixes: 9b174d88c257 ("net: Add Transparent Ethernet Bridging GRO support.")
Fixes: 66e5133f19e9 ("vlan: Add GRO support for non hardware accelerated vlan")
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Reviewed-by: Jiri Benc &lt;jbenc@redhat.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Acked-by: Tom Herbert &lt;tom@herbertland.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: core: Correctly iterate over lower adjacency list</title>
<updated>2016-11-15T06:48:52+00:00</updated>
<author>
<name>Ido Schimmel</name>
<email>idosch@mellanox.com</email>
</author>
<published>2016-10-19T13:57:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d3bbd04b92fddeb25a798d44b0fb9c903b6038e8'/>
<id>d3bbd04b92fddeb25a798d44b0fb9c903b6038e8</id>
<content type='text'>
[ Upstream commit e4961b0768852d9eb7383e1a5df178eacb714656 ]

Tamir reported the following trace when processing ARP requests received
via a vlan device on top of a VLAN-aware bridge:

 NMI watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [swapper/1:0]
[...]
 CPU: 1 PID: 0 Comm: swapper/1 Tainted: G        W       4.8.0-rc7 #1
 Hardware name: Mellanox Technologies Ltd. "MSN2100-CB2F"/"SA001017", BIOS 5.6.5 06/07/2016
 task: ffff88017edfea40 task.stack: ffff88017ee10000
 RIP: 0010:[&lt;ffffffff815dcc73&gt;]  [&lt;ffffffff815dcc73&gt;] netdev_all_lower_get_next_rcu+0x33/0x60
[...]
 Call Trace:
  &lt;IRQ&gt;
  [&lt;ffffffffa015de0a&gt;] mlxsw_sp_port_lower_dev_hold+0x5a/0xa0 [mlxsw_spectrum]
  [&lt;ffffffffa016f1b0&gt;] mlxsw_sp_router_netevent_event+0x80/0x150 [mlxsw_spectrum]
  [&lt;ffffffff810ad07a&gt;] notifier_call_chain+0x4a/0x70
  [&lt;ffffffff810ad13a&gt;] atomic_notifier_call_chain+0x1a/0x20
  [&lt;ffffffff815ee77b&gt;] call_netevent_notifiers+0x1b/0x20
  [&lt;ffffffff815f2eb6&gt;] neigh_update+0x306/0x740
  [&lt;ffffffff815f38ce&gt;] neigh_event_ns+0x4e/0xb0
  [&lt;ffffffff8165ea3f&gt;] arp_process+0x66f/0x700
  [&lt;ffffffff8170214c&gt;] ? common_interrupt+0x8c/0x8c
  [&lt;ffffffff8165ec29&gt;] arp_rcv+0x139/0x1d0
  [&lt;ffffffff816e505a&gt;] ? vlan_do_receive+0xda/0x320
  [&lt;ffffffff815e3794&gt;] __netif_receive_skb_core+0x524/0xab0
  [&lt;ffffffff815e6830&gt;] ? dev_queue_xmit+0x10/0x20
  [&lt;ffffffffa06d612d&gt;] ? br_forward_finish+0x3d/0xc0 [bridge]
  [&lt;ffffffffa06e5796&gt;] ? br_handle_vlan+0xf6/0x1b0 [bridge]
  [&lt;ffffffff815e3d38&gt;] __netif_receive_skb+0x18/0x60
  [&lt;ffffffff815e3dc0&gt;] netif_receive_skb_internal+0x40/0xb0
  [&lt;ffffffff815e3e4c&gt;] netif_receive_skb+0x1c/0x70
  [&lt;ffffffffa06d7856&gt;] br_pass_frame_up+0xc6/0x160 [bridge]
  [&lt;ffffffffa06d63d7&gt;] ? deliver_clone+0x37/0x50 [bridge]
  [&lt;ffffffffa06d656c&gt;] ? br_flood+0xcc/0x160 [bridge]
  [&lt;ffffffffa06d7b14&gt;] br_handle_frame_finish+0x224/0x4f0 [bridge]
  [&lt;ffffffffa06d7f94&gt;] br_handle_frame+0x174/0x300 [bridge]
  [&lt;ffffffff815e3599&gt;] __netif_receive_skb_core+0x329/0xab0
  [&lt;ffffffff81374815&gt;] ? find_next_bit+0x15/0x20
  [&lt;ffffffff8135e802&gt;] ? cpumask_next_and+0x32/0x50
  [&lt;ffffffff810c9968&gt;] ? load_balance+0x178/0x9b0
  [&lt;ffffffff815e3d38&gt;] __netif_receive_skb+0x18/0x60
  [&lt;ffffffff815e3dc0&gt;] netif_receive_skb_internal+0x40/0xb0
  [&lt;ffffffff815e3e4c&gt;] netif_receive_skb+0x1c/0x70
  [&lt;ffffffffa01544a1&gt;] mlxsw_sp_rx_listener_func+0x61/0xb0 [mlxsw_spectrum]
  [&lt;ffffffffa005c9f7&gt;] mlxsw_core_skb_receive+0x187/0x200 [mlxsw_core]
  [&lt;ffffffffa007332a&gt;] mlxsw_pci_cq_tasklet+0x63a/0x9b0 [mlxsw_pci]
  [&lt;ffffffff81091986&gt;] tasklet_action+0xf6/0x110
  [&lt;ffffffff81704556&gt;] __do_softirq+0xf6/0x280
  [&lt;ffffffff8109213f&gt;] irq_exit+0xdf/0xf0
  [&lt;ffffffff817042b4&gt;] do_IRQ+0x54/0xd0
  [&lt;ffffffff8170214c&gt;] common_interrupt+0x8c/0x8c

The problem is that netdev_all_lower_get_next_rcu() never advances the
iterator, thereby causing the loop over the lower adjacency list to run
forever.

Fix this by advancing the iterator and avoid the infinite loop.

Fixes: 7ce856aaaf13 ("mlxsw: spectrum: Add couple of lower device helper functions")
Signed-off-by: Ido Schimmel &lt;idosch@mellanox.com&gt;
Reported-by: Tamir Winetroub &lt;tamirw@mellanox.com&gt;
Reviewed-by: Jiri Pirko &lt;jiri@mellanox.com&gt;
Acked-by: David Ahern &lt;dsa@cumulusnetworks.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit e4961b0768852d9eb7383e1a5df178eacb714656 ]

Tamir reported the following trace when processing ARP requests received
via a vlan device on top of a VLAN-aware bridge:

 NMI watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [swapper/1:0]
[...]
 CPU: 1 PID: 0 Comm: swapper/1 Tainted: G        W       4.8.0-rc7 #1
 Hardware name: Mellanox Technologies Ltd. "MSN2100-CB2F"/"SA001017", BIOS 5.6.5 06/07/2016
 task: ffff88017edfea40 task.stack: ffff88017ee10000
 RIP: 0010:[&lt;ffffffff815dcc73&gt;]  [&lt;ffffffff815dcc73&gt;] netdev_all_lower_get_next_rcu+0x33/0x60
[...]
 Call Trace:
  &lt;IRQ&gt;
  [&lt;ffffffffa015de0a&gt;] mlxsw_sp_port_lower_dev_hold+0x5a/0xa0 [mlxsw_spectrum]
  [&lt;ffffffffa016f1b0&gt;] mlxsw_sp_router_netevent_event+0x80/0x150 [mlxsw_spectrum]
  [&lt;ffffffff810ad07a&gt;] notifier_call_chain+0x4a/0x70
  [&lt;ffffffff810ad13a&gt;] atomic_notifier_call_chain+0x1a/0x20
  [&lt;ffffffff815ee77b&gt;] call_netevent_notifiers+0x1b/0x20
  [&lt;ffffffff815f2eb6&gt;] neigh_update+0x306/0x740
  [&lt;ffffffff815f38ce&gt;] neigh_event_ns+0x4e/0xb0
  [&lt;ffffffff8165ea3f&gt;] arp_process+0x66f/0x700
  [&lt;ffffffff8170214c&gt;] ? common_interrupt+0x8c/0x8c
  [&lt;ffffffff8165ec29&gt;] arp_rcv+0x139/0x1d0
  [&lt;ffffffff816e505a&gt;] ? vlan_do_receive+0xda/0x320
  [&lt;ffffffff815e3794&gt;] __netif_receive_skb_core+0x524/0xab0
  [&lt;ffffffff815e6830&gt;] ? dev_queue_xmit+0x10/0x20
  [&lt;ffffffffa06d612d&gt;] ? br_forward_finish+0x3d/0xc0 [bridge]
  [&lt;ffffffffa06e5796&gt;] ? br_handle_vlan+0xf6/0x1b0 [bridge]
  [&lt;ffffffff815e3d38&gt;] __netif_receive_skb+0x18/0x60
  [&lt;ffffffff815e3dc0&gt;] netif_receive_skb_internal+0x40/0xb0
  [&lt;ffffffff815e3e4c&gt;] netif_receive_skb+0x1c/0x70
  [&lt;ffffffffa06d7856&gt;] br_pass_frame_up+0xc6/0x160 [bridge]
  [&lt;ffffffffa06d63d7&gt;] ? deliver_clone+0x37/0x50 [bridge]
  [&lt;ffffffffa06d656c&gt;] ? br_flood+0xcc/0x160 [bridge]
  [&lt;ffffffffa06d7b14&gt;] br_handle_frame_finish+0x224/0x4f0 [bridge]
  [&lt;ffffffffa06d7f94&gt;] br_handle_frame+0x174/0x300 [bridge]
  [&lt;ffffffff815e3599&gt;] __netif_receive_skb_core+0x329/0xab0
  [&lt;ffffffff81374815&gt;] ? find_next_bit+0x15/0x20
  [&lt;ffffffff8135e802&gt;] ? cpumask_next_and+0x32/0x50
  [&lt;ffffffff810c9968&gt;] ? load_balance+0x178/0x9b0
  [&lt;ffffffff815e3d38&gt;] __netif_receive_skb+0x18/0x60
  [&lt;ffffffff815e3dc0&gt;] netif_receive_skb_internal+0x40/0xb0
  [&lt;ffffffff815e3e4c&gt;] netif_receive_skb+0x1c/0x70
  [&lt;ffffffffa01544a1&gt;] mlxsw_sp_rx_listener_func+0x61/0xb0 [mlxsw_spectrum]
  [&lt;ffffffffa005c9f7&gt;] mlxsw_core_skb_receive+0x187/0x200 [mlxsw_core]
  [&lt;ffffffffa007332a&gt;] mlxsw_pci_cq_tasklet+0x63a/0x9b0 [mlxsw_pci]
  [&lt;ffffffff81091986&gt;] tasklet_action+0xf6/0x110
  [&lt;ffffffff81704556&gt;] __do_softirq+0xf6/0x280
  [&lt;ffffffff8109213f&gt;] irq_exit+0xdf/0xf0
  [&lt;ffffffff817042b4&gt;] do_IRQ+0x54/0xd0
  [&lt;ffffffff8170214c&gt;] common_interrupt+0x8c/0x8c

The problem is that netdev_all_lower_get_next_rcu() never advances the
iterator, thereby causing the loop over the lower adjacency list to run
forever.

Fix this by advancing the iterator and avoid the infinite loop.

Fixes: 7ce856aaaf13 ("mlxsw: spectrum: Add couple of lower device helper functions")
Signed-off-by: Ido Schimmel &lt;idosch@mellanox.com&gt;
Reported-by: Tamir Winetroub &lt;tamirw@mellanox.com&gt;
Reviewed-by: Jiri Pirko &lt;jiri@mellanox.com&gt;
Acked-by: David Ahern &lt;dsa@cumulusnetworks.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rtnetlink: Add rtnexthop offload flag to compare mask</title>
<updated>2016-11-15T06:48:52+00:00</updated>
<author>
<name>Jiri Pirko</name>
<email>jiri@mellanox.com</email>
</author>
<published>2016-10-18T16:59:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fc5722f8f8f26b4c0a2e21cab62ebdde51a493c3'/>
<id>fc5722f8f8f26b4c0a2e21cab62ebdde51a493c3</id>
<content type='text'>
[ Upstream commit 85dda4e5b0ee1f5b4e8cc93d39e475006bc61ccd ]

The offload flag is a status flag and should not be used by
FIB semantics for comparison.

Fixes: 37ed9493699c ("rtnetlink: add RTNH_F_EXTERNAL flag for fib offload")
Signed-off-by: Jiri Pirko &lt;jiri@mellanox.com&gt;
Reviewed-by: Andy Gospodarek &lt;andy@greyhouse.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 85dda4e5b0ee1f5b4e8cc93d39e475006bc61ccd ]

The offload flag is a status flag and should not be used by
FIB semantics for comparison.

Fixes: 37ed9493699c ("rtnetlink: add RTNH_F_EXTERNAL flag for fib offload")
Signed-off-by: Jiri Pirko &lt;jiri@mellanox.com&gt;
Reviewed-by: Andy Gospodarek &lt;andy@greyhouse.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>pwm: Unexport children before chip removal</title>
<updated>2016-11-10T15:38:56+00:00</updated>
<author>
<name>David Hsu</name>
<email>davidhsu@google.com</email>
</author>
<published>2016-08-09T21:57:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=fedede0963c48829992a810d9ae61f0424949373'/>
<id>fedede0963c48829992a810d9ae61f0424949373</id>
<content type='text'>
commit 0733424c9ba9f42242409d1ece780777272f7ea1 upstream.

Exported pwm channels aren't removed before the pwmchip and are
leaked. This results in invalid sysfs files. This fix removes
all exported pwm channels before chip removal.

Signed-off-by: David Hsu &lt;davidhsu@google.com&gt;
Fixes: 76abbdde2d95 ("pwm: Add sysfs interface")
Signed-off-by: Thierry Reding &lt;thierry.reding@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 0733424c9ba9f42242409d1ece780777272f7ea1 upstream.

Exported pwm channels aren't removed before the pwmchip and are
leaked. This results in invalid sysfs files. This fix removes
all exported pwm channels before chip removal.

Signed-off-by: David Hsu &lt;davidhsu@google.com&gt;
Fixes: 76abbdde2d95 ("pwm: Add sysfs interface")
Signed-off-by: Thierry Reding &lt;thierry.reding@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>uapi: add missing install of sync_file.h</title>
<updated>2016-11-10T15:38:56+00:00</updated>
<author>
<name>Emilio López</name>
<email>emilio.lopez@collabora.co.uk</email>
</author>
<published>2016-09-27T14:31:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=13d0f5b3a399bb3e473457eec756e6e1bbd0ea42'/>
<id>13d0f5b3a399bb3e473457eec756e6e1bbd0ea42</id>
<content type='text'>
commit 58f0f9f75c1b94dabbfc3daa333a4e68536b0a42 upstream.

As part of the sync framework destaging, the sync_file.h header
was moved, but an entry was not added on Kbuild to install it.
This patch resolves this omission so that "make headers_install"
installs this header.

Fixes: 460bfc41fd52 ("dma-buf/sync_file: de-stage sync_file headers")
Reported-by: Michael Ellerman &lt;mpe@ellerman.id.au&gt;
Reviewed-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: Emilio López &lt;emilio.lopez@collabora.co.uk&gt;
Signed-off-by: Sean Paul &lt;seanpaul@chromium.org&gt;
Link: http://patchwork.freedesktop.org/patch/msgid/20160927143142.8975-1-emilio.lopez@collabora.co.uk
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 58f0f9f75c1b94dabbfc3daa333a4e68536b0a42 upstream.

As part of the sync framework destaging, the sync_file.h header
was moved, but an entry was not added on Kbuild to install it.
This patch resolves this omission so that "make headers_install"
installs this header.

Fixes: 460bfc41fd52 ("dma-buf/sync_file: de-stage sync_file headers")
Reported-by: Michael Ellerman &lt;mpe@ellerman.id.au&gt;
Reviewed-by: Gustavo Padovan &lt;gustavo.padovan@collabora.co.uk&gt;
Signed-off-by: Emilio López &lt;emilio.lopez@collabora.co.uk&gt;
Signed-off-by: Sean Paul &lt;seanpaul@chromium.org&gt;
Link: http://patchwork.freedesktop.org/patch/msgid/20160927143142.8975-1-emilio.lopez@collabora.co.uk
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
