--- /dev/null
+From f4831605f2dacd12730fe73961c77253cc2ea425 Mon Sep 17 00:00:00 2001
+From: Nishanth Menon <nm@ti.com>
+Date: Sat, 7 Mar 2015 03:39:05 -0600
+Subject: C6x: time: Ensure consistency in __init
+
+From: Nishanth Menon <nm@ti.com>
+
+commit f4831605f2dacd12730fe73961c77253cc2ea425 upstream.
+
+time_init invokes timer64_init (which is __init annotation)
+since all of these are invoked at init time, lets maintain
+consistency by ensuring time_init is marked appropriately
+as well.
+
+This fixes the following warning with CONFIG_DEBUG_SECTION_MISMATCH=y
+
+WARNING: vmlinux.o(.text+0x3bfc): Section mismatch in reference from the function time_init() to the function .init.text:timer64_init()
+The function time_init() references
+the function __init timer64_init().
+This is often because time_init lacks a __init
+annotation or the annotation of timer64_init is wrong.
+
+Fixes: 546a39546c64 ("C6X: time management")
+Signed-off-by: Nishanth Menon <nm@ti.com>
+Signed-off-by: Mark Salter <msalter@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/c6x/kernel/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/c6x/kernel/time.c
++++ b/arch/c6x/kernel/time.c
+@@ -49,7 +49,7 @@ u64 sched_clock(void)
+ return (tsc * sched_clock_multiplier) >> SCHED_CLOCK_SHIFT;
+ }
+
+-void time_init(void)
++void __init time_init(void)
+ {
+ u64 tmp = (u64)NSEC_PER_SEC << SCHED_CLOCK_SHIFT;
+
--- /dev/null
+From 6d7e7e02a044025237b6f62a20521170b794537f Mon Sep 17 00:00:00 2001
+From: "Vutla, Lokesh" <lokeshvutla@ti.com>
+Date: Tue, 31 Mar 2015 09:52:25 +0530
+Subject: crypto: omap-aes - Fix support for unequal lengths
+
+From: "Vutla, Lokesh" <lokeshvutla@ti.com>
+
+commit 6d7e7e02a044025237b6f62a20521170b794537f upstream.
+
+For cases where total length of an input SGs is not same as
+length of the input data for encryption, omap-aes driver
+crashes. This happens in the case when IPsec is trying to use
+omap-aes driver.
+
+To avoid this, we copy all the pages from the input SG list
+into a contiguous buffer and prepare a single element SG list
+for this buffer with length as the total bytes to crypt, which is
+similar thing that is done in case of unaligned lengths.
+
+Fixes: 6242332ff2f3 ("crypto: omap-aes - Add support for cases of unaligned lengths")
+Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/omap-aes.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/crypto/omap-aes.c
++++ b/drivers/crypto/omap-aes.c
+@@ -554,15 +554,23 @@ static int omap_aes_crypt_dma_stop(struc
+ return err;
+ }
+
+-static int omap_aes_check_aligned(struct scatterlist *sg)
++static int omap_aes_check_aligned(struct scatterlist *sg, int total)
+ {
++ int len = 0;
++
+ while (sg) {
+ if (!IS_ALIGNED(sg->offset, 4))
+ return -1;
+ if (!IS_ALIGNED(sg->length, AES_BLOCK_SIZE))
+ return -1;
++
++ len += sg->length;
+ sg = sg_next(sg);
+ }
++
++ if (len != total)
++ return -1;
++
+ return 0;
+ }
+
+@@ -633,8 +641,8 @@ static int omap_aes_handle_queue(struct
+ dd->in_sg = req->src;
+ dd->out_sg = req->dst;
+
+- if (omap_aes_check_aligned(dd->in_sg) ||
+- omap_aes_check_aligned(dd->out_sg)) {
++ if (omap_aes_check_aligned(dd->in_sg, dd->total) ||
++ omap_aes_check_aligned(dd->out_sg, dd->total)) {
+ if (omap_aes_copy_sgs(dd))
+ pr_err("Failed to copy SGs for unaligned cases\n");
+ dd->sgs_copied = 1;
--- /dev/null
+From 7085a7401ba54e92bbb5aa24d6f428071e18e509 Mon Sep 17 00:00:00 2001
+From: Linus Walleij <linus.walleij@linaro.org>
+Date: Wed, 18 Feb 2015 17:12:18 +0100
+Subject: drivers: platform: parse IRQ flags from resources
+
+From: Linus Walleij <linus.walleij@linaro.org>
+
+commit 7085a7401ba54e92bbb5aa24d6f428071e18e509 upstream.
+
+This fixes a regression from the net subsystem:
+After commit d52fdbb735c36a209f36a628d40ca9185b349ba7
+"smc91x: retrieve IRQ and trigger flags in a modern way"
+a regression would appear on some legacy platforms such
+as the ARM PXA Zylonite that specify IRQ resources like
+this:
+
+static struct resource r = {
+ .start = X,
+ .end = X,
+ .flags = IORESOURCE_IRQ | IORESOURCE_IRQ_HIGHEDGE,
+};
+
+The previous code would retrieve the resource and parse
+the high edge setting in the SMC91x driver, a use pattern
+that means every driver specifying an IRQ flag from a
+static resource need to parse resource flags and apply
+them at runtime.
+
+As we switched the code to use IRQ descriptors to retrieve
+the the trigger type like this:
+
+ irqd_get_trigger_type(irq_get_irq_data(...));
+
+the code would work for new platforms using e.g. device
+tree as the backing irq descriptor would have its flags
+properly set, whereas this kind of oldstyle static
+resources at no point assign the trigger flags to the
+corresponding IRQ descriptor.
+
+To make the behaviour identical on modern device tree
+and legacy static platform data platforms, modify
+platform_get_irq() to assign the trigger flags to the
+irq descriptor when a client looks up an IRQ from static
+resources.
+
+Fixes: d52fdbb735c3 ("smc91x: retrieve IRQ and trigger flags in a modern way")
+Tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/platform.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -101,6 +101,15 @@ int platform_get_irq(struct platform_dev
+ }
+
+ r = platform_get_resource(dev, IORESOURCE_IRQ, num);
++ /*
++ * The resources may pass trigger flags to the irqs that need
++ * to be set up. It so happens that the trigger flags for
++ * IORESOURCE_BITS correspond 1-to-1 to the IRQF_TRIGGER*
++ * settings.
++ */
++ if (r && r->flags & IORESOURCE_BITS)
++ irqd_set_trigger_type(irq_get_irq_data(r->start),
++ r->flags & IORESOURCE_BITS);
+
+ return r ? r->start : -ENXIO;
+ #endif
--- /dev/null
+From 08e8331654d1d7b2c58045e549005bc356aa7810 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Thu, 26 Feb 2015 05:35:41 +0000
+Subject: e1000: add dummy allocator to fix race condition between mtu change and netpoll
+
+From: Sabrina Dubroca <sd@queasysnail.net>
+
+commit 08e8331654d1d7b2c58045e549005bc356aa7810 upstream.
+
+There is a race condition between e1000_change_mtu's cleanups and
+netpoll, when we change the MTU across jumbo size:
+
+Changing MTU frees all the rx buffers:
+ e1000_change_mtu -> e1000_down -> e1000_clean_all_rx_rings ->
+ e1000_clean_rx_ring
+
+Then, close to the end of e1000_change_mtu:
+ pr_info -> ... -> netpoll_poll_dev -> e1000_clean ->
+ e1000_clean_rx_irq -> e1000_alloc_rx_buffers -> e1000_alloc_frag
+
+And when we come back to do the rest of the MTU change:
+ e1000_up -> e1000_configure -> e1000_configure_rx ->
+ e1000_alloc_jumbo_rx_buffers
+
+alloc_jumbo finds the buffers already != NULL, since data (shared with
+page in e1000_rx_buffer->rxbuf) has been re-alloc'd, but it's garbage,
+or at least not what is expected when in jumbo state.
+
+This results in an unusable adapter (packets don't get through), and a
+NULL pointer dereference on the next call to e1000_clean_rx_ring
+(other mtu change, link down, shutdown):
+
+BUG: unable to handle kernel NULL pointer dereference at (null)
+IP: [<ffffffff81194d6e>] put_compound_page+0x7e/0x330
+
+ [...]
+
+Call Trace:
+ [<ffffffff81195445>] put_page+0x55/0x60
+ [<ffffffff815d9f44>] e1000_clean_rx_ring+0x134/0x200
+ [<ffffffff815da055>] e1000_clean_all_rx_rings+0x45/0x60
+ [<ffffffff815df5e0>] e1000_down+0x1c0/0x1d0
+ [<ffffffff811e2260>] ? deactivate_slab+0x7f0/0x840
+ [<ffffffff815e21bc>] e1000_change_mtu+0xdc/0x170
+ [<ffffffff81647050>] dev_set_mtu+0xa0/0x140
+ [<ffffffff81664218>] do_setlink+0x218/0xac0
+ [<ffffffff814459e9>] ? nla_parse+0xb9/0x120
+ [<ffffffff816652d0>] rtnl_newlink+0x6d0/0x890
+ [<ffffffff8104f000>] ? kvm_clock_read+0x20/0x40
+ [<ffffffff810a2068>] ? sched_clock_cpu+0xa8/0x100
+ [<ffffffff81663802>] rtnetlink_rcv_msg+0x92/0x260
+
+By setting the allocator to a dummy version, netpoll can't mess up our
+rx buffers. The allocator is set back to a sane value in
+e1000_configure_rx.
+
+Fixes: edbbb3ca1077 ("e1000: implement jumbo receive with partial descriptors")
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/e1000/e1000_main.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
+@@ -144,6 +144,11 @@ static bool e1000_clean_rx_irq(struct e1
+ static bool e1000_clean_jumbo_rx_irq(struct e1000_adapter *adapter,
+ struct e1000_rx_ring *rx_ring,
+ int *work_done, int work_to_do);
++static void e1000_alloc_dummy_rx_buffers(struct e1000_adapter *adapter,
++ struct e1000_rx_ring *rx_ring,
++ int cleaned_count)
++{
++}
+ static void e1000_alloc_rx_buffers(struct e1000_adapter *adapter,
+ struct e1000_rx_ring *rx_ring,
+ int cleaned_count);
+@@ -3548,8 +3553,11 @@ static int e1000_change_mtu(struct net_d
+ msleep(1);
+ /* e1000_down has a dependency on max_frame_size */
+ hw->max_frame_size = max_frame;
+- if (netif_running(netdev))
++ if (netif_running(netdev)) {
++ /* prevent buffers from being reallocated */
++ adapter->alloc_rx_buf = e1000_alloc_dummy_rx_buffers;
+ e1000_down(adapter);
++ }
+
+ /* NOTE: netdev_alloc_skb reserves 16 bytes, and typically NET_IP_ALIGN
+ * means we reserve 2 more, this pushes us to allocate from the next
--- /dev/null
+From 80f1d68ccba70b1060c9c7360ca83da430f66bed Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu, 12 Mar 2015 17:21:42 +0100
+Subject: ebpf: verifier: check that call reg with ARG_ANYTHING is initialized
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+commit 80f1d68ccba70b1060c9c7360ca83da430f66bed upstream.
+
+I noticed that a helper function with argument type ARG_ANYTHING does
+not need to have an initialized value (register).
+
+This can worst case lead to unintented stack memory leakage in future
+helper functions if they are not carefully designed, or unintended
+application behaviour in case the application developer was not careful
+enough to match a correct helper function signature in the API.
+
+The underlying issue is that ARG_ANYTHING should actually be split
+into two different semantics:
+
+ 1) ARG_DONTCARE for function arguments that the helper function
+ does not care about (in other words: the default for unused
+ function arguments), and
+
+ 2) ARG_ANYTHING that is an argument actually being used by a
+ helper function and *guaranteed* to be an initialized register.
+
+The current risk is low: ARG_ANYTHING is only used for the 'flags'
+argument (r4) in bpf_map_update_elem() that internally does strict
+checking.
+
+Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@plumgrid.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/bpf.h | 4 +++-
+ kernel/bpf/verifier.c | 5 ++++-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/include/linux/bpf.h
++++ b/include/linux/bpf.h
+@@ -48,7 +48,7 @@ struct bpf_map *bpf_map_get(struct fd f)
+
+ /* function argument constraints */
+ enum bpf_arg_type {
+- ARG_ANYTHING = 0, /* any argument is ok */
++ ARG_DONTCARE = 0, /* unused argument in helper function */
+
+ /* the following constraints used to prototype
+ * bpf_map_lookup/update/delete_elem() functions
+@@ -62,6 +62,8 @@ enum bpf_arg_type {
+ */
+ ARG_PTR_TO_STACK, /* any pointer to eBPF program stack */
+ ARG_CONST_STACK_SIZE, /* number of bytes accessed from stack */
++
++ ARG_ANYTHING, /* any (initialized) argument is ok */
+ };
+
+ /* type of values returned from helper functions */
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -755,7 +755,7 @@ static int check_func_arg(struct verifie
+ enum bpf_reg_type expected_type;
+ int err = 0;
+
+- if (arg_type == ARG_ANYTHING)
++ if (arg_type == ARG_DONTCARE)
+ return 0;
+
+ if (reg->type == NOT_INIT) {
+@@ -763,6 +763,9 @@ static int check_func_arg(struct verifie
+ return -EACCES;
+ }
+
++ if (arg_type == ARG_ANYTHING)
++ return 0;
++
+ if (arg_type == ARG_PTR_TO_STACK || arg_type == ARG_PTR_TO_MAP_KEY ||
+ arg_type == ARG_PTR_TO_MAP_VALUE) {
+ expected_type = PTR_TO_STACK;
--- /dev/null
+From 0b053c9518292705736329a8fe20ef4686ffc8e9 Mon Sep 17 00:00:00 2001
+From: mancha security <mancha1@zoho.com>
+Date: Wed, 18 Mar 2015 18:47:25 +0100
+Subject: lib: memzero_explicit: use barrier instead of OPTIMIZER_HIDE_VAR
+
+From: mancha security <mancha1@zoho.com>
+
+commit 0b053c9518292705736329a8fe20ef4686ffc8e9 upstream.
+
+OPTIMIZER_HIDE_VAR(), as defined when using gcc, is insufficient to
+ensure protection from dead store optimization.
+
+For the random driver and crypto drivers, calls are emitted ...
+
+ $ gdb vmlinux
+ (gdb) disassemble memzero_explicit
+ Dump of assembler code for function memzero_explicit:
+ 0xffffffff813a18b0 <+0>: push %rbp
+ 0xffffffff813a18b1 <+1>: mov %rsi,%rdx
+ 0xffffffff813a18b4 <+4>: xor %esi,%esi
+ 0xffffffff813a18b6 <+6>: mov %rsp,%rbp
+ 0xffffffff813a18b9 <+9>: callq 0xffffffff813a7120 <memset>
+ 0xffffffff813a18be <+14>: pop %rbp
+ 0xffffffff813a18bf <+15>: retq
+ End of assembler dump.
+
+ (gdb) disassemble extract_entropy
+ [...]
+ 0xffffffff814a5009 <+313>: mov %r12,%rdi
+ 0xffffffff814a500c <+316>: mov $0xa,%esi
+ 0xffffffff814a5011 <+321>: callq 0xffffffff813a18b0 <memzero_explicit>
+ 0xffffffff814a5016 <+326>: mov -0x48(%rbp),%rax
+ [...]
+
+... but in case in future we might use facilities such as LTO, then
+OPTIMIZER_HIDE_VAR() is not sufficient to protect gcc from a possible
+eviction of the memset(). We have to use a compiler barrier instead.
+
+Minimal test example when we assume memzero_explicit() would *not* be
+a call, but would have been *inlined* instead:
+
+ static inline void memzero_explicit(void *s, size_t count)
+ {
+ memset(s, 0, count);
+ <foo>
+ }
+
+ int main(void)
+ {
+ char buff[20];
+
+ snprintf(buff, sizeof(buff) - 1, "test");
+ printf("%s", buff);
+
+ memzero_explicit(buff, sizeof(buff));
+ return 0;
+ }
+
+With <foo> := OPTIMIZER_HIDE_VAR():
+
+ (gdb) disassemble main
+ Dump of assembler code for function main:
+ [...]
+ 0x0000000000400464 <+36>: callq 0x400410 <printf@plt>
+ 0x0000000000400469 <+41>: xor %eax,%eax
+ 0x000000000040046b <+43>: add $0x28,%rsp
+ 0x000000000040046f <+47>: retq
+ End of assembler dump.
+
+With <foo> := barrier():
+
+ (gdb) disassemble main
+ Dump of assembler code for function main:
+ [...]
+ 0x0000000000400464 <+36>: callq 0x400410 <printf@plt>
+ 0x0000000000400469 <+41>: movq $0x0,(%rsp)
+ 0x0000000000400471 <+49>: movq $0x0,0x8(%rsp)
+ 0x000000000040047a <+58>: movl $0x0,0x10(%rsp)
+ 0x0000000000400482 <+66>: xor %eax,%eax
+ 0x0000000000400484 <+68>: add $0x28,%rsp
+ 0x0000000000400488 <+72>: retq
+ End of assembler dump.
+
+As can be seen, movq, movq, movl are being emitted inlined
+via memset().
+
+Reference: http://thread.gmane.org/gmane.linux.kernel.cryptoapi/13764/
+Fixes: d4c5efdb9777 ("random: add and use memzero_explicit() for clearing data")
+Cc: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: mancha security <mancha1@zoho.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: Stephan Mueller <smueller@chronox.de>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/string.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/string.c
++++ b/lib/string.c
+@@ -610,7 +610,7 @@ EXPORT_SYMBOL(memset);
+ void memzero_explicit(void *s, size_t count)
+ {
+ memset(s, 0, count);
+- OPTIMIZER_HIDE_VAR(s);
++ barrier();
+ }
+ EXPORT_SYMBOL(memzero_explicit);
+
--- /dev/null
+From a73f8e21f3f93159bc19e154e8f50891c22c11db Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Sat, 21 Mar 2015 07:41:04 +0100
+Subject: mac80211: send AP probe as unicast again
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit a73f8e21f3f93159bc19e154e8f50891c22c11db upstream.
+
+Louis reported that a static checker was complaining that
+the 'dst' variable was set (multiple times) but not used.
+This is due to a previous commit having removed the usage
+(apparently erroneously), so add it back.
+
+Fixes: a344d6778a98 ("mac80211: allow drivers to support NL80211_SCAN_FLAG_RANDOM_ADDR")
+Reported-by: Louis Langholtz <lou_langholtz@me.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mlme.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -2231,7 +2231,7 @@ static void ieee80211_mgd_probe_ap_send(
+ else
+ ssid_len = ssid[1];
+
+- ieee80211_send_probe_req(sdata, sdata->vif.addr, NULL,
++ ieee80211_send_probe_req(sdata, sdata->vif.addr, dst,
+ ssid + 2, ssid_len, NULL,
+ 0, (u32) -1, true, 0,
+ ifmgd->associated->channel, false);
--- /dev/null
+From 13f6b191aaa11c7fd718d35a0c565f3c16bc1d99 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 16 Apr 2015 12:48:35 -0700
+Subject: memstick: mspro_block: add missing curly braces
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 13f6b191aaa11c7fd718d35a0c565f3c16bc1d99 upstream.
+
+Using the indenting we can see the curly braces were obviously intended.
+This is a static checker fix, but my guess is that we don't read enough
+bytes, because we don't calculate "t_len" correctly.
+
+Fixes: f1d82698029b ('memstick: use fully asynchronous request processing')
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Alex Dubov <oakad@yahoo.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/memstick/core/mspro_block.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/memstick/core/mspro_block.c
++++ b/drivers/memstick/core/mspro_block.c
+@@ -758,7 +758,7 @@ static int mspro_block_complete_req(stru
+
+ if (error || (card->current_mrq.tpc == MSPRO_CMD_STOP)) {
+ if (msb->data_dir == READ) {
+- for (cnt = 0; cnt < msb->current_seg; cnt++)
++ for (cnt = 0; cnt < msb->current_seg; cnt++) {
+ t_len += msb->req_sg[cnt].length
+ / msb->page_size;
+
+@@ -766,6 +766,7 @@ static int mspro_block_complete_req(stru
+ t_len += msb->current_page - 1;
+
+ t_len *= msb->page_size;
++ }
+ }
+ } else
+ t_len = blk_rq_bytes(msb->block_req);
nfsd-eliminate-nfsd_debug.patch
nfs-add-a-stub-for-getdevicelist.patch
iommu-vt-d-allow-rmrr-on-graphics-devices-too.patch
+e1000-add-dummy-allocator-to-fix-race-condition-between-mtu-change-and-netpoll.patch
+mac80211-send-ap-probe-as-unicast-again.patch
+ebpf-verifier-check-that-call-reg-with-arg_anything-is-initialized.patch
+lib-memzero_explicit-use-barrier-instead-of-optimizer_hide_var.patch
+wl18xx-show-rx_frames_per_rates-as-an-array-as-it-really-is.patch
+crypto-omap-aes-fix-support-for-unequal-lengths.patch
+c6x-time-ensure-consistency-in-__init.patch
+memstick-mspro_block-add-missing-curly-braces.patch
+drivers-platform-parse-irq-flags-from-resources.patch
--- /dev/null
+From a3fa71c40f1853d0c27e8f5bc01a722a705d9682 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+Date: Fri, 13 Mar 2015 15:17:14 +0800
+Subject: wl18xx: show rx_frames_per_rates as an array as it really is
+
+From: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+
+commit a3fa71c40f1853d0c27e8f5bc01a722a705d9682 upstream.
+
+In struct wl18xx_acx_rx_rate_stat, rx_frames_per_rates field is an
+array, not a number. This means WL18XX_DEBUGFS_FWSTATS_FILE can't be
+used to display this field in debugfs (it would display a pointer, not
+the actual data). Use WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY instead.
+
+This bug has been found by adding a __printf attribute to
+wl1271_format_buffer. gcc complained about "format '%u' expects
+argument of type 'unsigned int', but argument 5 has type 'u32 *'".
+
+Fixes: c5d94169e818 ("wl18xx: use new fw stats structures")
+Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ti/wl18xx/debugfs.c | 2 +-
+ drivers/net/wireless/ti/wlcore/debugfs.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ti/wl18xx/debugfs.c
++++ b/drivers/net/wireless/ti/wl18xx/debugfs.c
+@@ -136,7 +136,7 @@ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, p
+ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, accum_arp_pend_requests, "%u");
+ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, max_arp_queue_dep, "%u");
+
+-WL18XX_DEBUGFS_FWSTATS_FILE(rx_rate, rx_frames_per_rates, "%u");
++WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(rx_rate, rx_frames_per_rates, 50);
+
+ WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(aggr_size, tx_agg_vs_rate,
+ AGGR_STATS_TX_AGG*AGGR_STATS_TX_RATE);
+--- a/drivers/net/wireless/ti/wlcore/debugfs.h
++++ b/drivers/net/wireless/ti/wlcore/debugfs.h
+@@ -26,8 +26,8 @@
+
+ #include "wlcore.h"
+
+-int wl1271_format_buffer(char __user *userbuf, size_t count,
+- loff_t *ppos, char *fmt, ...);
++__printf(4, 5) int wl1271_format_buffer(char __user *userbuf, size_t count,
++ loff_t *ppos, char *fmt, ...);
+
+ int wl1271_debugfs_init(struct wl1271 *wl);
+ void wl1271_debugfs_exit(struct wl1271 *wl);
projects / thirdparty / kernel / stable-queue.git / commitdiff
