4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 3 Aug 2017 22:24:47 +0000 (15:24 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 3 Aug 2017 22:24:47 +0000 (15:24 -0700)
added patches:
ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch
isdn-fix-a-sleep-in-atomic-bug.patch
isdn-i4l-fix-buffer-overflow.patch
kaweth-fix-firmware-download.patch
kaweth-fix-oops-upon-failed-memory-allocation.patch
mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch
mailbox-handle-empty-message-in-tx_tick.patch
mailbox-skip-complete-wait-event-if-timer-expired.patch
mpt3sas-don-t-overreach-ioc-reply_post-during-initialization.patch
wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch

queue-4.4/ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch [new file with mode: 0644]
queue-4.4/isdn-fix-a-sleep-in-atomic-bug.patch [new file with mode: 0644]
queue-4.4/isdn-i4l-fix-buffer-overflow.patch [new file with mode: 0644]
queue-4.4/kaweth-fix-firmware-download.patch [new file with mode: 0644]
queue-4.4/kaweth-fix-oops-upon-failed-memory-allocation.patch [new file with mode: 0644]
queue-4.4/mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch [new file with mode: 0644]
queue-4.4/mailbox-handle-empty-message-in-tx_tick.patch [new file with mode: 0644]
queue-4.4/mailbox-skip-complete-wait-event-if-timer-expired.patch [new file with mode: 0644]
queue-4.4/mpt3sas-don-t-overreach-ioc-reply_post-during-initialization.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch [new file with mode: 0644]

diff --git a/queue-4.4/ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch b/queue-4.4/ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch
new file mode 100644 (file)
index 0000000..728998a
--- /dev/null
@@ -0,0 +1,76 @@
+From 18ae68fff392e445af3c2d8be9bef8a16e1c72a7 Mon Sep 17 00:00:00 2001
+From: Michal Kazior <michal.kazior@tieto.com>
+Date: Mon, 14 Nov 2016 14:25:23 +0100
+Subject: ath10k: fix null deref on wmi-tlv when trying spectral scan
+
+From: Michal Kazior <michal.kazior@tieto.com>
+
+commit 18ae68fff392e445af3c2d8be9bef8a16e1c72a7 upstream.
+
+WMI ops wrappers did not properly check for null
+function pointers for spectral scan. This caused
+null dereference crash with WMI-TLV based firmware
+which doesn't implement spectral scan.
+
+The crash could be triggered with:
+
+  ip link set dev wlan0 up
+  echo background > /sys/kernel/debug/ieee80211/phy0/ath10k/spectral_scan_ctl
+
+The crash looked like this:
+
+  [  168.031989] BUG: unable to handle kernel NULL pointer dereference at           (null)
+  [  168.037406] IP: [<          (null)>]           (null)
+  [  168.040395] PGD cdd4067 PUD fa0f067 PMD 0
+  [  168.043303] Oops: 0010 [#1] SMP
+  [  168.045377] Modules linked in: ath10k_pci(O) ath10k_core(O) ath mac80211 cfg80211 [last unloaded: cfg80211]
+  [  168.051560] CPU: 1 PID: 1380 Comm: bash Tainted: G        W  O    4.8.0 #78
+  [  168.054336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
+  [  168.059183] task: ffff88000c460c00 task.stack: ffff88000d4bc000
+  [  168.061736] RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
+  ...
+  [  168.100620] Call Trace:
+  [  168.101910]  [<ffffffffa03b9566>] ? ath10k_spectral_scan_config+0x96/0x200 [ath10k_core]
+  [  168.104871]  [<ffffffff811386e2>] ? filemap_fault+0xb2/0x4a0
+  [  168.106696]  [<ffffffffa03b97e6>] write_file_spec_scan_ctl+0x116/0x280 [ath10k_core]
+  [  168.109618]  [<ffffffff812da3a1>] full_proxy_write+0x51/0x80
+  [  168.111443]  [<ffffffff811957b8>] __vfs_write+0x28/0x120
+  [  168.113090]  [<ffffffff812f1a2d>] ? security_file_permission+0x3d/0xc0
+  [  168.114932]  [<ffffffff8109b912>] ? percpu_down_read+0x12/0x60
+  [  168.116680]  [<ffffffff811965f8>] vfs_write+0xb8/0x1a0
+  [  168.118293]  [<ffffffff81197966>] SyS_write+0x46/0xa0
+  [  168.119912]  [<ffffffff818f2972>] entry_SYSCALL_64_fastpath+0x1a/0xa4
+  [  168.121737] Code:  Bad RIP value.
+  [  168.123318] RIP  [<          (null)>]           (null)
+
+Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/wmi-ops.h |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/wmi-ops.h
++++ b/drivers/net/wireless/ath/ath10k/wmi-ops.h
+@@ -639,6 +639,9 @@ ath10k_wmi_vdev_spectral_conf(struct ath
+       struct sk_buff *skb;
+       u32 cmd_id;
++      if (!ar->wmi.ops->gen_vdev_spectral_conf)
++              return -EOPNOTSUPP;
++
+       skb = ar->wmi.ops->gen_vdev_spectral_conf(ar, arg);
+       if (IS_ERR(skb))
+               return PTR_ERR(skb);
+@@ -654,6 +657,9 @@ ath10k_wmi_vdev_spectral_enable(struct a
+       struct sk_buff *skb;
+       u32 cmd_id;
++      if (!ar->wmi.ops->gen_vdev_spectral_enable)
++              return -EOPNOTSUPP;
++
+       skb = ar->wmi.ops->gen_vdev_spectral_enable(ar, vdev_id, trigger,
+                                                   enable);
+       if (IS_ERR(skb))
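Review bot: The two new guards return -EOPNOTSUPP, but nothing in the hunk shows ath10k_spectral_scan_config() (the frame in the reported trace) propagating that value rather than treating it as success, so it is worth confirming the debugfs write now fails cleanly instead of silently doing nothing. A one-line comment above each check, e.g. `/* WMI-TLV firmware does not implement spectral scan; these ops are NULL */`, would record why these two wrappers differ from their neighbours. Whether other wrappers in wmi-ops.h share the same unchecked-op pattern is not visible here. Both enclosing wrappers start and end outside the hunk.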
diff --git a/queue-4.4/isdn-fix-a-sleep-in-atomic-bug.patch b/queue-4.4/isdn-fix-a-sleep-in-atomic-bug.patch
new file mode 100644 (file)
index 0000000..307b719
--- /dev/null
@@ -0,0 +1,40 @@
+From e8f4ae85439f34bec3b0ab69223a41809dab28c9 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@163.com>
+Date: Wed, 31 May 2017 09:40:11 +0800
+Subject: isdn: Fix a sleep-in-atomic bug
+
+From: Jia-Ju Bai <baijiaju1990@163.com>
+
+commit e8f4ae85439f34bec3b0ab69223a41809dab28c9 upstream.
+
+The driver may sleep under a spin lock, the function call path is:
+isdn_ppp_mp_receive (acquire the lock)
+  isdn_ppp_mp_reassembly
+    isdn_ppp_push_higher
+      isdn_ppp_decompress
+        isdn_ppp_ccp_reset_trans
+          isdn_ppp_ccp_reset_alloc_state
+            kzalloc(GFP_KERNEL) --> may sleep
+
+To fixed it, the "GFP_KERNEL" is replaced with "GFP_ATOMIC".
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/isdn/i4l/isdn_ppp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/isdn/i4l/isdn_ppp.c
++++ b/drivers/isdn/i4l/isdn_ppp.c
+@@ -2364,7 +2364,7 @@ static struct ippp_ccp_reset_state *isdn
+                      id);
+               return NULL;
+       } else {
+-              rs = kzalloc(sizeof(struct ippp_ccp_reset_state), GFP_KERNEL);
++              rs = kzalloc(sizeof(struct ippp_ccp_reset_state), GFP_ATOMIC);
+               if (!rs)
+                       return NULL;
+               rs->state = CCPResetIdle;
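Review bot: Switching to GFP_ATOMIC makes this allocation fail more readily under memory pressure, and the call chain in the description starts at isdn_ppp_mp_receive, i.e. the receive path, so the existing `if (!rs) return NULL;` is now reachable from incoming traffic; the hunk does not show what isdn_ppp_ccp_reset_trans() does with a NULL state, so that caller should be checked to make sure a failed allocation only drops the reset request rather than dereferencing it. A brief comment on the kzalloc, e.g. `/* reached under the ippp spinlock from the receive path: must not sleep */`, would stop a future cleanup from reverting to GFP_KERNEL. isdn_ppp_ccp_reset_alloc_state starts and ends outside the hunk.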
diff --git a/queue-4.4/isdn-i4l-fix-buffer-overflow.patch b/queue-4.4/isdn-i4l-fix-buffer-overflow.patch
new file mode 100644 (file)
index 0000000..a7c00cc
--- /dev/null
@@ -0,0 +1,53 @@
+From 9f5af546e6acc30f075828cb58c7f09665033967 Mon Sep 17 00:00:00 2001
+From: Annie Cherkaev <annie.cherk@gmail.com>
+Date: Sat, 15 Jul 2017 15:08:58 -0600
+Subject: isdn/i4l: fix buffer overflow
+
+From: Annie Cherkaev <annie.cherk@gmail.com>
+
+commit 9f5af546e6acc30f075828cb58c7f09665033967 upstream.
+
+This fixes a potential buffer overflow in isdn_net.c caused by an
+unbounded strcpy.
+
+[ ISDN seems to be effectively unmaintained, and the I4L driver in
+  particular is long deprecated, but in case somebody uses this..
+    - Linus ]
+
+Signed-off-by: Jiten Thakkar <jitenmt@gmail.com>
+Signed-off-by: Annie Cherkaev <annie.cherk@gmail.com>
+Cc: Karsten Keil <isdn@linux-pingi.de>
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/isdn/i4l/isdn_common.c |    1 +
+ drivers/isdn/i4l/isdn_net.c    |    5 ++---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1379,6 +1379,7 @@ isdn_ioctl(struct file *file, uint cmd,
+                       if (arg) {
+                               if (copy_from_user(bname, argp, sizeof(bname) - 1))
+                                       return -EFAULT;
++                              bname[sizeof(bname)-1] = 0;
+                       } else
+                               return -EINVAL;
+                       ret = mutex_lock_interruptible(&dev->mtx);
+--- a/drivers/isdn/i4l/isdn_net.c
++++ b/drivers/isdn/i4l/isdn_net.c
+@@ -2611,10 +2611,9 @@ isdn_net_newslave(char *parm)
+       char newname[10];
+       if (p) {
+-              /* Slave-Name MUST not be empty */
+-              if (!strlen(p + 1))
++              /* Slave-Name MUST not be empty or overflow 'newname' */
++              if (strscpy(newname, p + 1, sizeof(newname)) <= 0)
+                       return NULL;
+-              strcpy(newname, p + 1);
+               *p = 0;
+               /* Master must already exist */
+               if (!(n = isdn_net_findif(parm)))
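Review bot: In isdn_net_newslave(), strscpy() returns -E2BIG when `p + 1` does not fit in `newname[10]`, and the new `<= 0` test folds that into the same silent NULL as an empty name, so a caller passing an over-long slave name gets no indication which rule it broke; a comment such as `/* strscpy returns -E2BIG on overflow and 0 for an empty name; reject both */` would make the intent explicit, or the -E2BIG case could be logged separately. In the isdn_common.c hunk the terminator is placed after a `copy_from_user` of `sizeof(bname) - 1` bytes, which is the right shape; `bname`'s declaration and its later uses are outside the hunk, so I cannot confirm it is not read elsewhere before being filled. Both enclosing functions start and end outside the hunks.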
diff --git a/queue-4.4/kaweth-fix-firmware-download.patch b/queue-4.4/kaweth-fix-firmware-download.patch
new file mode 100644 (file)
index 0000000..39bd30c
--- /dev/null
@@ -0,0 +1,40 @@
+From 60bcabd080f53561efa9288be45c128feda1a8bb Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Wed, 17 Aug 2016 15:51:55 +0200
+Subject: kaweth: fix firmware download
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 60bcabd080f53561efa9288be45c128feda1a8bb upstream.
+
+This fixes the oops discovered by the Umap2 project and Alan Stern.
+The intf member needs to be set before the firmware is downloaded.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/kaweth.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -1029,6 +1029,7 @@ static int kaweth_probe(
+       kaweth = netdev_priv(netdev);
+       kaweth->dev = udev;
+       kaweth->net = netdev;
++      kaweth->intf = intf;
+       spin_lock_init(&kaweth->device_lock);
+       init_waitqueue_head(&kaweth->term_wait);
+@@ -1139,8 +1140,6 @@ err_fw:
+       dev_dbg(dev, "Initializing net device.\n");
+-      kaweth->intf = intf;
+-
+       kaweth->tx_urb = usb_alloc_urb(0, GFP_KERNEL);
+       if (!kaweth->tx_urb)
+               goto err_free_netdev;
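Review bot: The moved assignment fixes the ordering, but nothing in the code now states that `kaweth->intf` must be valid before kaweth_download_firmware() runs, which is how it was broken in the first place; I would add `/* must be set before firmware download (the download path uses intf) */` next to the new `kaweth->intf = intf;`, with the exact use inside the download function hedged since it is outside this hunk. The report came from USB fuzzing (Umap2), so this is a path a hostile device can reach during probe, which makes keeping the early initialisation in one documented place worthwhile. kaweth_probe starts and ends outside the hunk.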
diff --git a/queue-4.4/kaweth-fix-oops-upon-failed-memory-allocation.patch b/queue-4.4/kaweth-fix-oops-upon-failed-memory-allocation.patch
new file mode 100644 (file)
index 0000000..5ae0724
--- /dev/null
@@ -0,0 +1,50 @@
+From 575ced7f8090c1a4e91e2daf8da9352a6a1fc7a7 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Wed, 17 Aug 2016 15:51:56 +0200
+Subject: kaweth: fix oops upon failed memory allocation
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 575ced7f8090c1a4e91e2daf8da9352a6a1fc7a7 upstream.
+
+Just return an error upon failure.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/kaweth.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -1009,6 +1009,7 @@ static int kaweth_probe(
+       struct net_device *netdev;
+       const eth_addr_t bcast_addr = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
+       int result = 0;
++      int rv = -EIO;
+       dev_dbg(dev,
+               "Kawasaki Device Probe (Device number:%d): 0x%4.4x:0x%4.4x:0x%4.4x\n",
+@@ -1049,6 +1050,10 @@ static int kaweth_probe(
+               /* Download the firmware */
+               dev_info(dev, "Downloading firmware...\n");
+               kaweth->firmware_buf = (__u8 *)__get_free_page(GFP_KERNEL);
++              if (!kaweth->firmware_buf) {
++                      rv = -ENOMEM;
++                      goto err_free_netdev;
++              }
+               if ((result = kaweth_download_firmware(kaweth,
+                                                     "kaweth/new_code.bin",
+                                                     100,
+@@ -1203,7 +1208,7 @@ err_only_tx:
+ err_free_netdev:
+       free_netdev(netdev);
+-      return -EIO;
++      return rv;
+ }
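Review bot: The new early exit is sound for this path (`firmware_buf` is NULL, so `err_free_netdev` has nothing extra to release), but the hunk does not show whether the later failure paths that reach `err_free_netdev` after a successful `__get_free_page()` release the page; the `err_fw:` label is outside this hunk and should be checked for a matching `free_page()`. The new local `rv` defaulting to -EIO alongside the existing `result` leaves two return-related variables in one probe function; a comment at the declaration such as `/* rv: value returned from probe; result: status of the last device transfer */` would help until the two are folded together. kaweth_probe starts and ends outside the hunk.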
+ /****************************************************************
diff --git a/queue-4.4/mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch b/queue-4.4/mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch
new file mode 100644 (file)
index 0000000..aef959b
--- /dev/null
@@ -0,0 +1,40 @@
+From c61b781ee084e69855477d23dd33e7e6caad652c Mon Sep 17 00:00:00 2001
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Tue, 21 Mar 2017 11:30:14 +0000
+Subject: mailbox: always wait in mbox_send_message for blocking Tx mode
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+commit c61b781ee084e69855477d23dd33e7e6caad652c upstream.
+
+There exists a race when msg_submit return immediately as there was an
+active request being processed which may have completed just before it's
+checked again in mbox_send_message. This will result in return to the
+caller without waiting in mbox_send_message even when it's blocking Tx.
+
+This patch fixes the issue by waiting for the completion always if Tx
+is in blocking mode.
+
+Fixes: 2b6d83e2b8b7 ("mailbox: Introduce framework for mailbox")
+Reported-by: Alexey Klimov <alexey.klimov@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Reviewed-by: Alexey Klimov <alexey.klimov@arm.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mailbox/mailbox.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -261,7 +261,7 @@ int mbox_send_message(struct mbox_chan *
+       msg_submit(chan);
+-      if (chan->cl->tx_block && chan->active_req) {
++      if (chan->cl->tx_block) {
+               unsigned long wait;
+               int ret;
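Review bot: Dropping the `chan->active_req` test means a blocking sender now waits even when msg_submit() could not start its message, so the completion it wakes on may be fired by tx_tick() for an earlier message rather than its own; whether `tx_complete` is re-initialised per message is outside this hunk and worth checking, since a stale completion would return immediately, which is the symptom the companion "skip complete wait event if timer expired" patch describes. A comment above the new `if (chan->cl->tx_block)` such as `/* always wait: active_req may have completed between msg_submit() and this check */` would record the race being closed. mbox_send_message starts and ends outside the hunk.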
diff --git a/queue-4.4/mailbox-handle-empty-message-in-tx_tick.patch b/queue-4.4/mailbox-handle-empty-message-in-tx_tick.patch
new file mode 100644 (file)
index 0000000..3b789f3
--- /dev/null
@@ -0,0 +1,40 @@
+From cb710ab1d8a23f68ff8f45aedf3e552bb90e70de Mon Sep 17 00:00:00 2001
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Tue, 21 Mar 2017 11:30:16 +0000
+Subject: mailbox: handle empty message in tx_tick
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+commit cb710ab1d8a23f68ff8f45aedf3e552bb90e70de upstream.
+
+We already check if the message is empty before calling the client
+tx_done callback. Calling completion on a wait event is also invalid
+if the message is empty.
+
+This patch moves the existing empty message check earlier.
+
+Fixes: 2b6d83e2b8b7 ("mailbox: Introduce framework for mailbox")
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mailbox/mailbox.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -104,8 +104,11 @@ static void tx_tick(struct mbox_chan *ch
+       /* Submit next message */
+       msg_submit(chan);
++      if (!mssg)
++              return;
++
+       /* Notify the client */
+-      if (mssg && chan->cl->tx_done)
++      if (chan->cl->tx_done)
+               chan->cl->tx_done(chan->cl, mssg, r);
+       if (r != -ETIME && chan->cl->tx_block)
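Review bot: The early return now also skips `complete(&chan->tx_complete)` for an empty message, which matches the description, and the context line `if (r != -ETIME && chan->cl->tx_block)` shows this patch is applied on top of "skip complete wait event if timer expired"; queue-4.4/series lists that patch first, so the order is consistent, but the two must not be reordered later. A comment at the new check, e.g. `/* nothing was in flight: no client to notify and no blocked sender to wake */`, would make explicit why the function returns before the tx_done/complete pair. tx_tick starts outside the hunk.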
diff --git a/queue-4.4/mailbox-skip-complete-wait-event-if-timer-expired.patch b/queue-4.4/mailbox-skip-complete-wait-event-if-timer-expired.patch
new file mode 100644 (file)
index 0000000..49b5532
--- /dev/null
@@ -0,0 +1,53 @@
+From cc6eeaa3029a6dbcb4ad41b1f92876483bd88965 Mon Sep 17 00:00:00 2001
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Tue, 21 Mar 2017 11:30:15 +0000
+Subject: mailbox: skip complete wait event if timer expired
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+commit cc6eeaa3029a6dbcb4ad41b1f92876483bd88965 upstream.
+
+If a wait_for_completion_timeout() call returns due to a timeout,
+complete() can get called after returning from the wait which is
+incorrect and can cause subsequent transmissions on a channel to fail.
+Since the wait_for_completion_timeout() sees the completion variable
+is non-zero caused by the erroneous/spurious complete() call, and
+it immediately returns without waiting for the time as expected by the
+client.
+
+This patch fixes the issue by skipping complete() call for the timer
+expiry.
+
+Fixes: 2b6d83e2b8b7 ("mailbox: Introduce framework for mailbox")
+Reported-by: Alexey Klimov <alexey.klimov@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mailbox/mailbox.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -108,7 +108,7 @@ static void tx_tick(struct mbox_chan *ch
+       if (mssg && chan->cl->tx_done)
+               chan->cl->tx_done(chan->cl, mssg, r);
+-      if (chan->cl->tx_block)
++      if (r != -ETIME && chan->cl->tx_block)
+               complete(&chan->tx_complete);
+ }
+@@ -272,8 +272,8 @@ int mbox_send_message(struct mbox_chan *
+               ret = wait_for_completion_timeout(&chan->tx_complete, wait);
+               if (ret == 0) {
+-                      t = -EIO;
+-                      tx_tick(chan, -EIO);
++                      t = -ETIME;
++                      tx_tick(chan, t);
+               }
+       }
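Review bot: Changing `t = -EIO` to `t = -ETIME` alters the error code a blocking mbox_send_message() caller sees on timeout (assuming `t` is what the function returns; the return statement is outside the hunk), so any client that tests for -EIO on that path silently changes behaviour in a stable backport; the description only mentions the spurious complete(), and this side effect deserves a sentence there or a comment at the assignment such as `/* -ETIME also tells tx_tick() not to complete tx_complete for this tick */`. The tx_tick() side looks correct as far as the hunk shows, since a timeout tick and a genuine completion are now distinguished by `r`. Both mbox_send_message and tx_tick start and end outside the hunk.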
diff --git a/queue-4.4/mpt3sas-don-t-overreach-ioc-reply_post-during-initialization.patch b/queue-4.4/mpt3sas-don-t-overreach-ioc-reply_post-during-initialization.patch
new file mode 100644 (file)
index 0000000..cdf3061
--- /dev/null
@@ -0,0 +1,121 @@
+From 5ec8a1753bc29efa7e4b1391d691c9c719b30257 Mon Sep 17 00:00:00 2001
+From: Calvin Owens <calvinowens@fb.com>
+Date: Fri, 18 Mar 2016 12:45:42 -0700
+Subject: mpt3sas: Don't overreach ioc->reply_post[] during initialization
+
+From: Calvin Owens <calvinowens@fb.com>
+
+commit 5ec8a1753bc29efa7e4b1391d691c9c719b30257 upstream.
+
+In _base_make_ioc_operational(), we walk ioc->reply_queue_list and pull
+a pointer out of successive elements of ioc->reply_post[] for each entry
+in that list if RDPQ is enabled.
+
+Since the code pulls the pointer for the next iteration at the bottom of
+the loop, it triggers the a KASAN dump on the final iteration:
+
+    BUG: KASAN: slab-out-of-bounds in _base_make_ioc_operational+0x47b7/0x47e0 [mpt3sas] at addr ffff880754816ab0
+    Read of size 8 by task modprobe/305
+    <snip>
+    Call Trace:
+     [<ffffffff81dfc591>] dump_stack+0x4d/0x6c
+     [<ffffffff814c9689>] print_trailer+0xf9/0x150
+     [<ffffffff814ceda4>] object_err+0x34/0x40
+     [<ffffffff814d1231>] kasan_report_error+0x221/0x530
+     [<ffffffff814d1673>] __asan_report_load8_noabort+0x43/0x50
+     [<ffffffffa0043637>] _base_make_ioc_operational+0x47b7/0x47e0 [mpt3sas]
+     [<ffffffffa0049a51>] mpt3sas_base_attach+0x1991/0x2120 [mpt3sas]
+     [<ffffffffa0053c93>] _scsih_probe+0xeb3/0x16b0 [mpt3sas]
+     [<ffffffff81ebd047>] local_pci_probe+0xc7/0x170
+     [<ffffffff81ebf2cf>] pci_device_probe+0x20f/0x290
+     [<ffffffff820d50cd>] really_probe+0x17d/0x600
+     [<ffffffff820d56a3>] __driver_attach+0x153/0x190
+     [<ffffffff820cffac>] bus_for_each_dev+0x11c/0x1a0
+     [<ffffffff820d421d>] driver_attach+0x3d/0x50
+     [<ffffffff820d378a>] bus_add_driver+0x44a/0x5f0
+     [<ffffffff820d666c>] driver_register+0x18c/0x3b0
+     [<ffffffff81ebcb76>] __pci_register_driver+0x156/0x200
+     [<ffffffffa00c8135>] _mpt3sas_init+0x135/0x1000 [mpt3sas]
+     [<ffffffff81000423>] do_one_initcall+0x113/0x2b0
+     [<ffffffff813caa5a>] do_init_module+0x1d0/0x4d8
+     [<ffffffff81273909>] load_module+0x6729/0x8dc0
+     [<ffffffff81276123>] SYSC_init_module+0x183/0x1a0
+     [<ffffffff8127625e>] SyS_init_module+0xe/0x10
+     [<ffffffff828fe7d7>] entry_SYSCALL_64_fastpath+0x12/0x6a
+
+Fix this by pulling the value at the beginning of the loop.
+
+Signed-off-by: Calvin Owens <calvinowens@fb.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reviewed-by: Jens Axboe <axboe@fb.com>
+Acked-by: Chaitra Basappa <chaitra.basappa@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c |   33 ++++++++++++++++-----------------
+ 1 file changed, 16 insertions(+), 17 deletions(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -4981,15 +4981,14 @@ _base_make_ioc_ready(struct MPT3SAS_ADAP
+ static int
+ _base_make_ioc_operational(struct MPT3SAS_ADAPTER *ioc, int sleep_flag)
+ {
+-      int r, i;
++      int r, i, index;
+       unsigned long   flags;
+       u32 reply_address;
+       u16 smid;
+       struct _tr_list *delayed_tr, *delayed_tr_next;
+       u8 hide_flag;
+       struct adapter_reply_queue *reply_q;
+-      long reply_post_free;
+-      u32 reply_post_free_sz, index = 0;
++      Mpi2ReplyDescriptorsUnion_t *reply_post_free_contig;
+       dinitprintk(ioc, pr_info(MPT3SAS_FMT "%s\n", ioc->name,
+           __func__));
+@@ -5061,27 +5060,27 @@ _base_make_ioc_operational(struct MPT3SA
+               _base_assign_reply_queues(ioc);
+       /* initialize Reply Post Free Queue */
+-      reply_post_free_sz = ioc->reply_post_queue_depth *
+-          sizeof(Mpi2DefaultReplyDescriptor_t);
+-      reply_post_free = (long)ioc->reply_post[index].reply_post_free;
++      index = 0;
++      reply_post_free_contig = ioc->reply_post[0].reply_post_free;
+       list_for_each_entry(reply_q, &ioc->reply_queue_list, list) {
++              /*
++               * If RDPQ is enabled, switch to the next allocation.
++               * Otherwise advance within the contiguous region.
++               */
++              if (ioc->rdpq_array_enable) {
++                      reply_q->reply_post_free =
++                              ioc->reply_post[index++].reply_post_free;
++              } else {
++                      reply_q->reply_post_free = reply_post_free_contig;
++                      reply_post_free_contig += ioc->reply_post_queue_depth;
++              }
++
+               reply_q->reply_post_host_index = 0;
+-              reply_q->reply_post_free = (Mpi2ReplyDescriptorsUnion_t *)
+-                  reply_post_free;
+               for (i = 0; i < ioc->reply_post_queue_depth; i++)
+                       reply_q->reply_post_free[i].Words =
+                           cpu_to_le64(ULLONG_MAX);
+               if (!_base_is_controller_msix_enabled(ioc))
+                       goto skip_init_reply_post_free_queue;
+-              /*
+-               * If RDPQ is enabled, switch to the next allocation.
+-               * Otherwise advance within the contiguous region.
+-               */
+-              if (ioc->rdpq_array_enable)
+-                      reply_post_free = (long)
+-                          ioc->reply_post[++index].reply_post_free;
+-              else
+-                      reply_post_free += reply_post_free_sz;
+       }
+  skip_init_reply_post_free_queue:
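Review bot: The rewritten loop changes the non-RDPQ stride from `reply_post_queue_depth * sizeof(Mpi2DefaultReplyDescriptor_t)` bytes to `reply_post_queue_depth` elements of `Mpi2ReplyDescriptorsUnion_t`; these agree only if the two types have the same size, which the `.Words = cpu_to_le64(ULLONG_MAX)` write suggests but the hunk does not prove, so a `BUILD_BUG_ON(sizeof(Mpi2ReplyDescriptorsUnion_t) != sizeof(Mpi2DefaultReplyDescriptor_t));` next to the loop would pin it. The RDPQ branch still indexes `ioc->reply_post[index++]` with no bound against the number of allocated entries, so the fix relies on reply_queue_list never having more entries than reply_post[] was sized for; that allocation is outside this hunk. _base_make_ioc_operational continues past the hunk.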
index 7289e7737ae6031680624b05a4c90ee9228424f8..5c638d245bc797e40fa3d73bd879b49791e8fdb2 100644 (file)
@@ -22,3 +22,13 @@ perf-intel-pt-ensure-never-to-set-last_ip-when-packet-count-is-zero.patch
 xfs-don-t-bug-on-mixed-direct-and-mapped-i-o.patch
 nfc-fdp-fix-null-pointer-dereference.patch
 net-phy-do-not-perform-software-reset-for-generic-phy.patch
+isdn-fix-a-sleep-in-atomic-bug.patch
+isdn-i4l-fix-buffer-overflow.patch
+ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch
+wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch
+mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch
+mailbox-skip-complete-wait-event-if-timer-expired.patch
+mailbox-handle-empty-message-in-tx_tick.patch
+mpt3sas-don-t-overreach-ioc-reply_post-during-initialization.patch
+kaweth-fix-firmware-download.patch
+kaweth-fix-oops-upon-failed-memory-allocation.patch
diff --git a/queue-4.4/wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch b/queue-4.4/wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch
new file mode 100644 (file)
index 0000000..afedc69
--- /dev/null
@@ -0,0 +1,53 @@
+From dfb5b098e0f40b68aa07f2ec55f4dd762efefbfa Mon Sep 17 00:00:00 2001
+From: Lior David <qca_liord@qca.qualcomm.com>
+Date: Wed, 23 Nov 2016 16:06:41 +0200
+Subject: wil6210: fix deadlock when using fw_no_recovery option
+
+From: Lior David <qca_liord@qca.qualcomm.com>
+
+commit dfb5b098e0f40b68aa07f2ec55f4dd762efefbfa upstream.
+
+When FW crashes with no_fw_recovery option, driver
+waits for manual recovery with wil->mutex held, this
+can easily create deadlocks.
+Fix the problem by moving the wait outside the lock.
+
+Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
+Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/wil6210/main.c |   15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/main.c
++++ b/drivers/net/wireless/ath/wil6210/main.c
+@@ -330,18 +330,19 @@ static void wil_fw_error_worker(struct w
+       wil->last_fw_recovery = jiffies;
++      wil_info(wil, "fw error recovery requested (try %d)...\n",
++               wil->recovery_count);
++      if (!no_fw_recovery)
++              wil->recovery_state = fw_recovery_running;
++      if (wil_wait_for_recovery(wil) != 0)
++              return;
++
+       mutex_lock(&wil->mutex);
+       switch (wdev->iftype) {
+       case NL80211_IFTYPE_STATION:
+       case NL80211_IFTYPE_P2P_CLIENT:
+       case NL80211_IFTYPE_MONITOR:
+-              wil_info(wil, "fw error recovery requested (try %d)...\n",
+-                       wil->recovery_count);
+-              if (!no_fw_recovery)
+-                      wil->recovery_state = fw_recovery_running;
+-              if (0 != wil_wait_for_recovery(wil))
+-                      break;
+-
++              /* silent recovery, upper layers will see disconnect */
+               __wil_down(wil);
+               __wil_up(wil);
+               break;
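Review bot: Moving the recovery wait ahead of `switch (wdev->iftype)` means it now runs for every interface type, not only the STATION/P2P_CLIENT/MONITOR cases it used to sit in, and `wil->recovery_state` is now written before `wil->mutex` is taken; the remaining switch cases and the locking rule for recovery_state are outside the hunk, so both should be confirmed as intended for the backport. The new `if (wil_wait_for_recovery(wil) != 0) return;` also turns what was a `break` into a return that skips the rest of the worker. A comment at the moved block such as `/* wait without wil->mutex held: manual recovery can block indefinitely and would otherwise deadlock */` would record why. wil_fw_error_worker starts and ends outside the hunk.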