--- /dev/null
+From fcf7cf1551cae54e747a771f5808240f2a37708f Mon Sep 17 00:00:00 2001
+From: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
+Date: Wed, 9 Nov 2016 03:40:57 +0200
+Subject: ath10k: fix failure to send NULL func frame for 10.4
+
+From: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
+
+commit fcf7cf1551cae54e747a771f5808240f2a37708f upstream.
+
+This partially reverts 'commit 2cdce425aa33
+("ath10k: Fix broken NULL func data frame status for 10.4")'
+Unfortunately this breaks sending NULL func and the existing
+issue of obtaining proper tx status for NULL function will be
+fixed. Also update the comments for feature flag added to be
+useless and not working
+
+Fixes: 2cdce425aa33 "ath10k: Fix broken NULL func data frame status for
+10.4"
+Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/core.h | 6 ++----
+ drivers/net/wireless/ath/ath10k/mac.c | 2 --
+ 2 files changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/core.h
++++ b/drivers/net/wireless/ath/ath10k/core.h
+@@ -557,10 +557,8 @@ enum ath10k_fw_features {
+ */
+ ATH10K_FW_FEATURE_BTCOEX_PARAM = 14,
+
+- /* Older firmware with HTT delivers incorrect tx status for null func
+- * frames to driver, but this fixed in 10.2 and 10.4 firmware versions.
+- * Also this workaround results in reporting of incorrect null func
+- * status for 10.4. This flag is used to skip the workaround.
++ /* Unused flag and proven to be not working, enable this if you want
++ * to experiment sending NULL func data frames in HTT TX
+ */
+ ATH10K_FW_FEATURE_SKIP_NULL_FUNC_WAR = 15,
+
+--- a/drivers/net/wireless/ath/ath10k/mac.c
++++ b/drivers/net/wireless/ath/ath10k/mac.c
+@@ -3255,8 +3255,6 @@ ath10k_mac_tx_h_get_txmode(struct ath10k
+ if (ar->htt.target_version_major < 3 &&
+ (ieee80211_is_nullfunc(fc) || ieee80211_is_qos_nullfunc(fc)) &&
+ !test_bit(ATH10K_FW_FEATURE_HAS_WMI_MGMT_TX,
+- ar->running_fw->fw_file.fw_features) &&
+- !test_bit(ATH10K_FW_FEATURE_SKIP_NULL_FUNC_WAR,
+ ar->running_fw->fw_file.fw_features))
+ return ATH10K_HW_TXRX_MGMT;
+
--- /dev/null
+From 31b239824ece321c09bdb8e61e1d14814eaba38b Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+Date: Sat, 29 Oct 2016 13:17:37 +0200
+Subject: ath10k: use the right length of "background"
+
+From: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+
+commit 31b239824ece321c09bdb8e61e1d14814eaba38b upstream.
+
+The word "background" contains 10 characters so the third argument of
+strncmp() need to be 10 in order to match this prefix correctly.
+
+Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
+Fixes: 855aed1220d2 ("ath10k: add spectral scan feature")
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/spectral.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath10k/spectral.c
++++ b/drivers/net/wireless/ath/ath10k/spectral.c
+@@ -338,7 +338,7 @@ static ssize_t write_file_spec_scan_ctl(
+ } else {
+ res = -EINVAL;
+ }
+- } else if (strncmp("background", buf, 9) == 0) {
++ } else if (strncmp("background", buf, 10) == 0) {
+ res = ath10k_spectral_scan_config(ar, SPECTRAL_BACKGROUND);
+ } else if (strncmp("manual", buf, 6) == 0) {
+ res = ath10k_spectral_scan_config(ar, SPECTRAL_MANUAL);
--- /dev/null
+From bc4725d9029e2c8205fbaf1105e193d1c4e463bb Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Mon, 3 Oct 2016 13:03:38 +0200
+Subject: clk: renesas: cpg-mssr: Fix inverted debug check
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit bc4725d9029e2c8205fbaf1105e193d1c4e463bb upstream.
+
+The intention was to enable the checks if debugging is enabled, not
+disabled.
+
+Fixes: f793d1e51705b276 ("clk: shmobile: Add new CPG/MSSR driver core")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/renesas/renesas-cpg-mssr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/renesas/renesas-cpg-mssr.c
++++ b/drivers/clk/renesas/renesas-cpg-mssr.c
+@@ -33,9 +33,9 @@
+ #include "clk-div6.h"
+
+ #ifdef DEBUG
+-#define WARN_DEBUG(x) do { } while (0)
+-#else
+ #define WARN_DEBUG(x) WARN_ON(x)
++#else
++#define WARN_DEBUG(x) do { } while (0)
+ #endif
+
+
--- /dev/null
+From 328cf6927bb72cadefddebbc9a23c793108147a2 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Sun, 30 Oct 2016 09:09:18 -0700
+Subject: cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 328cf6927bb72cadefddebbc9a23c793108147a2 upstream.
+
+If CONFIG_ETRAX_AXISFLASHMAP is not configured, the flash rescue image
+object file is empty. With recent versions of binutils, this results
+in the following build error.
+
+cris-linux-objcopy: error:
+ the input file 'arch/cris/boot/rescue/rescue.o' has no sections
+
+This is seen, for example, when trying to build cris:allnoconfig
+with recently generated toolchains.
+
+Since it does not make sense to build a flash rescue image if there is
+no flash, only build it if CONFIG_ETRAX_AXISFLASHMAP is enabled.
+
+Reported-by: kbuild test robot <fengguang.wu@intel.com>
+Fixes: 66ab3a74c5ce ("CRIS: Merge machine dependent boot/compressed ..")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Jesper Nilsson <jesper.nilsson@axis.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/cris/boot/rescue/Makefile | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/arch/cris/boot/rescue/Makefile
++++ b/arch/cris/boot/rescue/Makefile
+@@ -10,6 +10,9 @@
+
+ asflags-y += $(LINUXINCLUDE)
+ ccflags-y += -O2 $(LINUXINCLUDE)
++
++ifdef CONFIG_ETRAX_AXISFLASHMAP
++
+ arch-$(CONFIG_ETRAX_ARCH_V10) = v10
+ arch-$(CONFIG_ETRAX_ARCH_V32) = v32
+
+@@ -28,6 +31,11 @@ $(obj)/rescue.bin: $(obj)/rescue.o FORCE
+ $(call if_changed,objcopy)
+ cp -p $(obj)/rescue.bin $(objtree)
+
++else
++$(obj)/rescue.bin:
++
++endif
++
+ $(obj)/testrescue.bin: $(obj)/testrescue.o
+ $(OBJCOPY) $(OBJCOPYFLAGS) $(obj)/testrescue.o tr.bin
+ # Pad it to 784 bytes
--- /dev/null
+From 7f847dd31736f1284538e54f46cf10e63929eb7f Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 20 Oct 2016 22:07:53 +0200
+Subject: debugfs: improve DEFINE_DEBUGFS_ATTRIBUTE for !CONFIG_DEBUG_FS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 7f847dd31736f1284538e54f46cf10e63929eb7f upstream.
+
+The slp_s0_residency_usec debugfs file currently uses
+DEFINE_DEBUGFS_ATTRIBUTE(), but that macro cannot really be used to
+define files outside of the debugfs code, as it has no reference to
+the get/set functions if CONFIG_DEBUG_FS is not defined:
+
+drivers/platform/x86/intel_pmc_core.c:80:12: error: ‘pmc_core_dev_state_get’ defined but not used [-Werror=unused-function]
+
+This fixes the macro to always contain the reference, and instead rely
+on the stubbed-out debugfs_create_file to not actually refer to
+its arguments so the compiler can still drop the reference.
+This works because the attribute definition is always 'static',
+and the dead-code removal silently drops all static symbols
+that are not used.
+
+Fixes: c64688081490 ("debugfs: add support for self-protecting attribute file fops")
+Fixes: df2294fb6428 ("intel_pmc_core: Convert to DEFINE_DEBUGFS_ATTRIBUTE")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+[nicstange@gmail.com: Add dummy implementations of debugfs_attr_read() and
+ debugfs_attr_write() in order to protect against possibly broken dead
+ code elimination and to improve readability.
+ Correct CONFIG_DEBUGFS_FS -> CONFIG_DEBUG_FS typo in changelog.]
+Signed-off-by: Nicolai Stange <nicstange@gmail.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/debugfs.h | 44 +++++++++++++++++++++++++++-----------------
+ 1 file changed, 27 insertions(+), 17 deletions(-)
+
+--- a/include/linux/debugfs.h
++++ b/include/linux/debugfs.h
+@@ -62,6 +62,21 @@ static inline const struct file_operatio
+ return filp->f_path.dentry->d_fsdata;
+ }
+
++#define DEFINE_DEBUGFS_ATTRIBUTE(__fops, __get, __set, __fmt) \
++static int __fops ## _open(struct inode *inode, struct file *file) \
++{ \
++ __simple_attr_check_format(__fmt, 0ull); \
++ return simple_attr_open(inode, file, __get, __set, __fmt); \
++} \
++static const struct file_operations __fops = { \
++ .owner = THIS_MODULE, \
++ .open = __fops ## _open, \
++ .release = simple_attr_release, \
++ .read = debugfs_attr_read, \
++ .write = debugfs_attr_write, \
++ .llseek = generic_file_llseek, \
++}
++
+ #if defined(CONFIG_DEBUG_FS)
+
+ struct dentry *debugfs_create_file(const char *name, umode_t mode,
+@@ -99,21 +114,6 @@ ssize_t debugfs_attr_read(struct file *f
+ ssize_t debugfs_attr_write(struct file *file, const char __user *buf,
+ size_t len, loff_t *ppos);
+
+-#define DEFINE_DEBUGFS_ATTRIBUTE(__fops, __get, __set, __fmt) \
+-static int __fops ## _open(struct inode *inode, struct file *file) \
+-{ \
+- __simple_attr_check_format(__fmt, 0ull); \
+- return simple_attr_open(inode, file, __get, __set, __fmt); \
+-} \
+-static const struct file_operations __fops = { \
+- .owner = THIS_MODULE, \
+- .open = __fops ## _open, \
+- .release = simple_attr_release, \
+- .read = debugfs_attr_read, \
+- .write = debugfs_attr_write, \
+- .llseek = generic_file_llseek, \
+-}
+-
+ struct dentry *debugfs_rename(struct dentry *old_dir, struct dentry *old_dentry,
+ struct dentry *new_dir, const char *new_name);
+
+@@ -233,8 +233,18 @@ static inline void debugfs_use_file_fini
+ __releases(&debugfs_srcu)
+ { }
+
+-#define DEFINE_DEBUGFS_ATTRIBUTE(__fops, __get, __set, __fmt) \
+- static const struct file_operations __fops = { 0 }
++static inline ssize_t debugfs_attr_read(struct file *file, char __user *buf,
++ size_t len, loff_t *ppos)
++{
++ return -ENODEV;
++}
++
++static inline ssize_t debugfs_attr_write(struct file *file,
++ const char __user *buf,
++ size_t len, loff_t *ppos)
++{
++ return -ENODEV;
++}
+
+ static inline struct dentry *debugfs_rename(struct dentry *old_dir, struct dentry *old_dentry,
+ struct dentry *new_dir, char *new_name)
--- /dev/null
+From d4cb3fd9b548b8bfe2a712ec920b9ebabd3547ab Mon Sep 17 00:00:00 2001
+From: Matthew Auld <matthew.auld@intel.com>
+Date: Wed, 19 Oct 2016 22:29:53 +0100
+Subject: drm/i915/dp: add lane_count check in intel_dp_check_link_status
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthew Auld <matthew.auld@intel.com>
+
+commit d4cb3fd9b548b8bfe2a712ec920b9ebabd3547ab upstream.
+
+Currently it's entirely possible to go through the link training step
+without first determining the lane_count, which is silly since we end up
+doing a bunch of aux transfers of size = 0, as highlighted by
+WARN_ON(!msg->buffer != !msg->size), and can only ever result in a
+'failed to update link training' message. This can be observed during
+intel_dp_long_pulse where we can do the link training step, but before
+we have had a chance to set the link params. To avoid this we add an
+extra check for the lane_count in intel_dp_check_link_status, which
+should prevent us from doing the link training step prematurely.
+
+v2: add WARN_ON_ONCE and FIXME comment (Ville)
+
+References: https://bugs.freedesktop.org/show_bug.cgi?id=97344
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Cc: Mika Kahola <mika.kahola@intel.com>
+Signed-off-by: Matthew Auld <matthew.auld@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/1476912593-10019-1-git-send-email-matthew.auld@intel.com
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_dp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/gpu/drm/i915/intel_dp.c
++++ b/drivers/gpu/drm/i915/intel_dp.c
+@@ -4018,6 +4018,11 @@ intel_dp_check_link_status(struct intel_
+ if (!to_intel_crtc(intel_encoder->base.crtc)->active)
+ return;
+
++ /* FIXME: we need to synchronize this sort of stuff with hardware
++ * readout */
++ if (WARN_ON_ONCE(!intel_dp->lane_count))
++ return;
++
+ /* if link training is requested we should perform it always */
+ if ((intel_dp->compliance_test_type == DP_TEST_LINK_TRAINING) ||
+ (!drm_dp_channel_eq_ok(link_status, intel_dp->lane_count))) {
--- /dev/null
+From 2c57b18adb93fc070039538f1ce375d3d3e99bbb Mon Sep 17 00:00:00 2001
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+Date: Tue, 13 Dec 2016 20:54:14 +0100
+Subject: drm/i915: tune down the fast link training vs boot fail
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Vetter <daniel.vetter@ffwll.ch>
+
+commit 2c57b18adb93fc070039538f1ce375d3d3e99bbb upstream.
+
+It's been unfixed since a while and no one is immediately working on
+this. And we have the FIXME already. And now also a task in the DP
+team's backlog.
+
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: stable@vger.kernel.org
+Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
+References: https://lists.freedesktop.org/archives/intel-gfx/2016-July/101951.html
+Acked-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+[danvet: Adjust comment per Ville's feedback.]
+Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/20161213195414.28923-1-daniel.vetter@ffwll.ch
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+(cherry picked from commit 2dd85aeb5bc99e3763dd192cdb95ff405a102c8a)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+
+---
+ drivers/gpu/drm/i915/intel_dp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_dp.c
++++ b/drivers/gpu/drm/i915/intel_dp.c
+@@ -4019,8 +4019,8 @@ intel_dp_check_link_status(struct intel_
+ return;
+
+ /* FIXME: we need to synchronize this sort of stuff with hardware
+- * readout */
+- if (WARN_ON_ONCE(!intel_dp->lane_count))
++ * readout. Currently fast link training doesn't work on boot-up. */
++ if (!intel_dp->lane_count)
+ return;
+
+ /* if link training is requested we should perform it always */
--- /dev/null
+From a75dcb5848359f488c32c0aef8711d9bd37a77b8 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 18 Oct 2016 15:33:18 +0100
+Subject: efi/efivar_ssdt_load: Don't return success on allocation failure
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit a75dcb5848359f488c32c0aef8711d9bd37a77b8 upstream.
+
+We should return -ENOMEM here, instead of success.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: linux-efi@vger.kernel.org
+Fixes: 475fb4e8b2f4 ("efi / ACPI: load SSTDs from EFI variables")
+Link: http://lkml.kernel.org/r/20161018143318.15673-9-matt@codeblueprint.co.uk
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efi/efi.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -259,8 +259,10 @@ static __init int efivar_ssdt_load(void)
+ }
+
+ data = kmalloc(size, GFP_KERNEL);
+- if (!data)
++ if (!data) {
++ ret = -ENOMEM;
+ goto free_entry;
++ }
+
+ ret = efivar_entry_get(entry, NULL, &size, data);
+ if (ret) {
--- /dev/null
+From 1c3d185a9a0b136a58e73b02912d593d0303d1da Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 18 Oct 2016 23:12:08 +0300
+Subject: mac80211: fix tid_agg_rx NULL dereference
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 1c3d185a9a0b136a58e73b02912d593d0303d1da upstream.
+
+On drivers setting the SUPPORTS_REORDERING_BUFFER hardware flag,
+we crash when the peer sends an AddBA request while we already
+have a session open on the seame TID; this is because on those
+drivers, the tid_agg_rx is left NULL even though the session is
+valid, and the agg_session_valid bit is set.
+
+To fix this, store the dialog tokens outside the tid_agg_rx to
+be able to compare them to the received AddBA request.
+
+Fixes: f89e07d4cf26 ("mac80211: agg-rx: refuse ADDBA Request with timeout update")
+Reported-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/agg-rx.c | 8 ++------
+ net/mac80211/debugfs_sta.c | 2 +-
+ net/mac80211/sta_info.h | 4 ++--
+ 3 files changed, 5 insertions(+), 9 deletions(-)
+
+--- a/net/mac80211/agg-rx.c
++++ b/net/mac80211/agg-rx.c
+@@ -315,11 +315,7 @@ void __ieee80211_start_rx_ba_session(str
+ mutex_lock(&sta->ampdu_mlme.mtx);
+
+ if (test_bit(tid, sta->ampdu_mlme.agg_session_valid)) {
+- tid_agg_rx = rcu_dereference_protected(
+- sta->ampdu_mlme.tid_rx[tid],
+- lockdep_is_held(&sta->ampdu_mlme.mtx));
+-
+- if (tid_agg_rx->dialog_token == dialog_token) {
++ if (sta->ampdu_mlme.tid_rx_token[tid] == dialog_token) {
+ ht_dbg_ratelimited(sta->sdata,
+ "updated AddBA Req from %pM on tid %u\n",
+ sta->sta.addr, tid);
+@@ -396,7 +392,6 @@ void __ieee80211_start_rx_ba_session(str
+ }
+
+ /* update data */
+- tid_agg_rx->dialog_token = dialog_token;
+ tid_agg_rx->ssn = start_seq_num;
+ tid_agg_rx->head_seq_num = start_seq_num;
+ tid_agg_rx->buf_size = buf_size;
+@@ -418,6 +413,7 @@ end:
+ if (status == WLAN_STATUS_SUCCESS) {
+ __set_bit(tid, sta->ampdu_mlme.agg_session_valid);
+ __clear_bit(tid, sta->ampdu_mlme.unexpected_agg);
++ sta->ampdu_mlme.tid_rx_token[tid] = dialog_token;
+ }
+ mutex_unlock(&sta->ampdu_mlme.mtx);
+
+--- a/net/mac80211/debugfs_sta.c
++++ b/net/mac80211/debugfs_sta.c
+@@ -205,7 +205,7 @@ static ssize_t sta_agg_status_read(struc
+ p += scnprintf(p, sizeof(buf) + buf - p, "%02d", i);
+ p += scnprintf(p, sizeof(buf) + buf - p, "\t\t%x", !!tid_rx);
+ p += scnprintf(p, sizeof(buf) + buf - p, "\t%#.2x",
+- tid_rx ? tid_rx->dialog_token : 0);
++ tid_rx ? sta->ampdu_mlme.tid_rx_token[i] : 0);
+ p += scnprintf(p, sizeof(buf) + buf - p, "\t%#.3x",
+ tid_rx ? tid_rx->ssn : 0);
+
+--- a/net/mac80211/sta_info.h
++++ b/net/mac80211/sta_info.h
+@@ -184,7 +184,6 @@ struct tid_ampdu_tx {
+ * @ssn: Starting Sequence Number expected to be aggregated.
+ * @buf_size: buffer size for incoming A-MPDUs
+ * @timeout: reset timer value (in TUs).
+- * @dialog_token: dialog token for aggregation session
+ * @rcu_head: RCU head used for freeing this struct
+ * @reorder_lock: serializes access to reorder buffer, see below.
+ * @auto_seq: used for offloaded BA sessions to automatically pick head_seq_and
+@@ -213,7 +212,6 @@ struct tid_ampdu_rx {
+ u16 ssn;
+ u16 buf_size;
+ u16 timeout;
+- u8 dialog_token;
+ bool auto_seq;
+ bool removed;
+ };
+@@ -225,6 +223,7 @@ struct tid_ampdu_rx {
+ * to tid_tx[idx], which are protected by the sta spinlock)
+ * tid_start_tx is also protected by sta->lock.
+ * @tid_rx: aggregation info for Rx per TID -- RCU protected
++ * @tid_rx_token: dialog tokens for valid aggregation sessions
+ * @tid_rx_timer_expired: bitmap indicating on which TIDs the
+ * RX timer expired until the work for it runs
+ * @tid_rx_stop_requested: bitmap indicating which BA sessions per TID the
+@@ -243,6 +242,7 @@ struct sta_ampdu_mlme {
+ struct mutex mtx;
+ /* rx */
+ struct tid_ampdu_rx __rcu *tid_rx[IEEE80211_NUM_TIDS];
++ u8 tid_rx_token[IEEE80211_NUM_TIDS];
+ unsigned long tid_rx_timer_expired[BITS_TO_LONGS(IEEE80211_NUM_TIDS)];
+ unsigned long tid_rx_stop_requested[BITS_TO_LONGS(IEEE80211_NUM_TIDS)];
+ unsigned long agg_session_valid[BITS_TO_LONGS(IEEE80211_NUM_TIDS)];
--- /dev/null
+From 40a50f8b307de8d08f3fa37c312fc16a7dd233e5 Mon Sep 17 00:00:00 2001
+From: Milo Kim <woogyom.kim@gmail.com>
+Date: Tue, 15 Nov 2016 22:02:11 +0900
+Subject: mfd: tps65217: Fix page fault on unloading modules
+
+From: Milo Kim <woogyom.kim@gmail.com>
+
+commit 40a50f8b307de8d08f3fa37c312fc16a7dd233e5 upstream.
+
+TPS65217 IRQ domain should be removed and initialised as NULL when the
+module is unloaded for the next use. When tps65217.ko is loaded again,
+it causes the page fault. This patch fixes the error below.
+
+root@arm:~# lsmod | grep "tps"
+tps65217_charger 3538 0
+tps65218_pwrbutton 2974 0
+tps65217 6710 1 tps65217_charger
+
+root@arm:~# modprobe -r tps65217_charger
+
+root@arm:~# modprobe tps65217.ko
+[ 71.990277] Unable to handle kernel paging request at virtual address bf055944
+[ 71.998063] pgd = dd3a4000
+[ 72.000904] [bf055944] *pgd=9e6f7811, *pte=00000000, *ppte=00000000
+[ 72.007567] Internal error: Oops: 7 [#1] SMP ARM
+[ 72.012404] Modules linked in: tps65217(+) evdev musb_dsps musb_hdrc udc_core tps65218_pwrbutton usbcore phy_am335]
+[ 72.055700] CPU: 0 PID: 243 Comm: modprobe Not tainted 4.9.0-rc5-next-20161114 #3
+[ 72.063531] Hardware name: Generic AM33XX (Flattened Device Tree)
+[ 72.069899] task: de714380 task.stack: de7e6000
+[ 72.074655] PC is at irq_find_matching_fwspec+0x88/0x100
+[ 72.080211] LR is at 0xde7e79d8
+[ 72.083496] pc : [<c01a5d88>] lr : [<de7e79d8>] psr: 200e0013
+[ 72.083496] sp : de7e7a78 ip : 00000000 fp : dd138a68
+[ 72.095506] r10: c0ca04f8 r9 : 00000018 r8 : de7e7ab8
+[ 72.100973] r7 : 00000001 r6 : c0c4517c r5 : df963f68 r4 : de321980
+[ 72.107797] r3 : bf055940 r2 : de714380 r1 : 00000000 r0 : 00000000
+[ 72.114633] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
+[ 72.122084] Control: 10c5387d Table: 9d3a4019 DAC: 00000051
+[ 72.128097] Process modprobe (pid: 243, stack limit = 0xde7e6218)
+[ 72.134489] Stack: (0xde7e7a78 to 0xde7e8000)
+[ 72.139060] 7a60: df963f68 de7e7ab8
+[ 72.147643] 7a80: 00000000 dd0e1000 dd491e20 c01a6ea0 600e0013 c01a5dc0 dd138a68 c0c45138
+[ 72.156216] 7aa0: df963f68 00000000 df963f68 dd0e1010 00000000 c01a71a4 df963f68 00000001
+[ 72.164800] 7ac0: 00000002 de7e7ac0 c80048b8 dd0adf00 df963f68 c0c4517c 00000000 de7e7b50
+[ 72.173369] 7ae0: 00000018 c0ca04f8 dd138a68 c01a5dc0 df963f68 dd0e1010 00000000 dd0e1000
+[ 72.181942] 7b00: dd491e20 c0653a70 df963f58 00000001 00000002 00000000 00000000 00000000
+[ 72.190522] 7b20: 600e0093 c0cbf8f0 c0c0512c c0193674 00000001 00000080 00000000 c0554984
+[ 72.199096] 7b40: 00000000 00000000 800e0013 c0553858 df963f68 00000000 00000000 00000000
+[ 72.207674] 7b60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[ 72.216239] 7b80: 00000000 00000000 00000000 00000000 00000000 00000000 dd0e1000 c0544d24
+[ 72.224816] 7ba0: dd491e10 dd0e1010 dd16e800 bf1d517c bf1d5620 dd0e1010 c1497ed4 bf1d5620
+[ 72.233398] 7bc0: dd0e1010 fffffdfb bf1d5620 bf1d5620 00000000 c054537c c0545330 dd0e1010
+[ 72.241967] 7be0: c1497ed4 00000000 bf1d5620 c05433ac 00000000 00000000 de7e7c28 c0543570
+[ 72.250537] 7c00: 00000001 c1497e90 00000000 c0541884 de080cd4 dd44b7d4 dd0e1010 dd0e1010
+[ 72.259109] 7c20: dd0e1044 c05430c8 dd0e1010 00000001 dd0e1010 dd0e1018 dd0e1010 c0c9e328
+[ 72.267676] 7c40: de5d4020 c0542760 dd0e1018 dd0e1010 00000000 c0540ba8 dd138a40 c048dec4
+[ 72.276253] 7c60: 00000000 dd0e1000 00000001 dd0e1000 dd0e1010 dd0e1000 bf233de0 dd138a40
+[ 72.284829] 7c80: dd0e1010 c05450a0 000000bf 00000000 dd138a60 00000001 dd0e1000 c0571240
+[ 72.293398] 7ca0: 00000000 dd1ce9c0 00000040 dd1ce9cc bf233de0 00000003 de5d4020 ffffffff
+[ 72.301969] 7cc0: 00000004 dd0adf00 00000000 c0571408 00000000 00000000 dd0adf00 de5d4020
+[ 72.310543] 7ce0: c057146c dd1ce9c0 bf233d14 de5d4020 de7fb3d0 00000004 bf233d14 ffffffff
+[ 72.319120] 7d00: 00000018 dd49bf30 c01cedc0 c05714d0 00000000 00000000 dd0adf00 de322810
+[ 72.327692] 7d20: de322810 00000000 dd033000 000000f0 00000001 bf2333fc 00000000 00000000
+[ 72.336269] 7d40: dd0adf00 de5d4020 000000b6 bf233e40 de5d4020 bf233968 de5d4004 de5d4000
+[ 72.344848] 7d60: bf233314 c06148ac de5d4020 c1497ed4 00000000 bf233e40 00000000 c05433ac
+[ 72.353422] 7d80: 00000000 de5d4020 bf233e40 de5d4054 00000000 bf236000 00000000 c0543538
+[ 72.362002] 7da0: 00000000 bf233e40 c0543484 c05417e4 de1442a4 de5d04d0 bf233e40 de321300
+[ 72.370582] 7dc0: c0caa5a4 c05429fc bf233be0 bf233e40 c0cbfa44 bf233e40 c0cbfa44 dd2f7740
+[ 72.379148] 7de0: bf233f00 c05442f0 bf233e8c bf233e24 c0cbfa44 c0615ae0 00000000 bf233f00
+[ 72.387718] 7e00: c0cbfa44 c010186c 200f0013 c0191650 de714380 00000000 600f0013 00000040
+[ 72.396286] 7e20: dd2f7740 c018f1ac 00000001 c0c8356c 024000c0 c01a8854 c0c56e0e c028225c
+[ 72.404863] 7e40: dd2f7740 c0191984 de714380 dd2f7740 00000001 bf233f00 bf233f00 c0cbfa44
+[ 72.413440] 7e60: dd2f7740 bf233f00 00000001 dd49bf08 dd49bf30 c0230998 00000001 c0c8356c
+[ 72.421997] 7e80: c0c4c536 c0cbfa44 c0c0512c c01d2070 bf233f0c 00007fff bf233f00 c01cf5b8
+[ 72.430570] 7ea0: 00000000 c1475134 c01cee34 bf23411c bf233f48 bf234054 bf234150 00000000
+[ 72.439144] 7ec0: 024002c2 de7fbf40 0009bc20 c02776ac ff800000 00000000 00000000 bf233670
+[ 72.447723] 7ee0: 00000004 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[ 72.456298] 7f00: 00000000 00000000 00000000 00000000 c01d2590 0000aa41 00000000 00000000
+[ 72.464862] 7f20: 000b2549 e12c3a41 00000051 de7e6000 0009bc20 c01d2630 00000530 e12b9000
+[ 72.473438] 7f40: 0000aa41 e12c1434 e12c1211 e12c336c 00001150 00001620 00000000 00000000
+[ 72.482003] 7f60: 00000000 000010fc 00000035 00000036 0000001d 0000001a 00000017 00000000
+[ 72.490564] 7f80: de7e6000 3ba39a00 0009b008 0009b718 00000080 c0107704 de7e6000 00000000
+[ 72.499141] 7fa0: 0009f609 c0107560 3ba39a00 0009b008 000a7b08 0000aa41 0009bc20 0000aa41
+[ 72.507717] 7fc0: 3ba39a00 0009b008 0009b718 00000080 00000001 00000008 0009ab14 0009f609
+[ 72.516290] 7fe0: bea31ab8 bea31aa8 0001e5eb b6e83b42 800f0030 000a7b08 0000ffff 0840ffff
+[ 72.524883] [<c01a5d88>] (irq_find_matching_fwspec) from [<c01a6ea0>] (irq_create_fwspec_mapping+0x28/0x2e0)
+[ 72.535174] [<c01a6ea0>] (irq_create_fwspec_mapping) from [<c01a71a4>] (irq_create_of_mapping+0x4c/0x54)
+[ 72.545115] [<c01a71a4>] (irq_create_of_mapping) from [<c0653a70>] (of_irq_get+0x58/0x68)
+[ 72.553699] [<c0653a70>] (of_irq_get) from [<c0544d24>] (platform_get_irq+0x1c/0xec)
+[ 72.561828] [<c0544d24>] (platform_get_irq) from [<bf1d517c>] (tps6521x_pb_probe+0xd0/0x1a8 [tps65218_pwrbutton])
+[ 72.572581] [<bf1d517c>] (tps6521x_pb_probe [tps65218_pwrbutton]) from [<c054537c>] (platform_drv_probe+0x4c/0xac)
+[ 72.583426] [<c054537c>] (platform_drv_probe) from [<c05433ac>] (driver_probe_device+0x204/0x2dc)
+[ 72.592729] [<c05433ac>] (driver_probe_device) from [<c0541884>] (bus_for_each_drv+0x58/0x8c)
+[ 72.601657] [<c0541884>] (bus_for_each_drv) from [<c05430c8>] (__device_attach+0xb0/0x114)
+[ 72.610324] [<c05430c8>] (__device_attach) from [<c0542760>] (bus_probe_device+0x88/0x90)
+[ 72.618898] [<c0542760>] (bus_probe_device) from [<c0540ba8>] (device_add+0x3b8/0x560)
+[ 72.627203] [<c0540ba8>] (device_add) from [<c05450a0>] (platform_device_add+0xa8/0x208)
+[ 72.635693] [<c05450a0>] (platform_device_add) from [<c0571240>] (mfd_add_device+0x240/0x338)
+[ 72.644634] [<c0571240>] (mfd_add_device) from [<c0571408>] (mfd_add_devices+0xa0/0x104)
+[ 72.653120] [<c0571408>] (mfd_add_devices) from [<c05714d0>] (devm_mfd_add_devices+0x60/0xa8)
+[ 72.662077] [<c05714d0>] (devm_mfd_add_devices) from [<bf2333fc>] (tps65217_probe+0xe8/0x2ec [tps65217])
+[ 72.672026] [<bf2333fc>] (tps65217_probe [tps65217]) from [<c06148ac>] (i2c_device_probe+0x168/0x1f4)
+[ 72.681695] [<c06148ac>] (i2c_device_probe) from [<c05433ac>] (driver_probe_device+0x204/0x2dc)
+[ 72.690816] [<c05433ac>] (driver_probe_device) from [<c0543538>] (__driver_attach+0xb4/0xb8)
+[ 72.699657] [<c0543538>] (__driver_attach) from [<c05417e4>] (bus_for_each_dev+0x60/0x94)
+[ 72.708224] [<c05417e4>] (bus_for_each_dev) from [<c05429fc>] (bus_add_driver+0x18c/0x214)
+[ 72.716892] [<c05429fc>] (bus_add_driver) from [<c05442f0>] (driver_register+0x78/0xf8)
+[ 72.725280] [<c05442f0>] (driver_register) from [<c0615ae0>] (i2c_register_driver+0x38/0x80)
+[ 72.734120] [<c0615ae0>] (i2c_register_driver) from [<c010186c>] (do_one_initcall+0x3c/0x178)
+[ 72.743055] [<c010186c>] (do_one_initcall) from [<c0230998>] (do_init_module+0x5c/0x1d0)
+[ 72.751537] [<c0230998>] (do_init_module) from [<c01d2070>] (load_module+0x1d10/0x21c0)
+[ 72.759933] [<c01d2070>] (load_module) from [<c01d2630>] (SyS_init_module+0x110/0x154)
+[ 72.768242] [<c01d2630>] (SyS_init_module) from [<c0107560>] (ret_fast_syscall+0x0/0x1c)
+[ 72.776725] Code: e5944000 e1540006 0a00001b e594300c (e593c004)
+[ 72.783181] ---[ end trace 0278ec325f4689b8 ]---
+
+Fixes: 6556bdacf646 ("mfd: tps65217: Add support for IRQs")
+Signed-off-by: Milo Kim <woogyom.kim@gmail.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/tps65217.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/mfd/tps65217.c
++++ b/drivers/mfd/tps65217.c
+@@ -424,6 +424,24 @@ static int tps65217_probe(struct i2c_cli
+ return 0;
+ }
+
++static int tps65217_remove(struct i2c_client *client)
++{
++ struct tps65217 *tps = i2c_get_clientdata(client);
++ unsigned int virq;
++ int i;
++
++ for (i = 0; i < ARRAY_SIZE(tps65217_irqs); i++) {
++ virq = irq_find_mapping(tps->irq_domain, i);
++ if (virq)
++ irq_dispose_mapping(virq);
++ }
++
++ irq_domain_remove(tps->irq_domain);
++ tps->irq_domain = NULL;
++
++ return 0;
++}
++
+ static const struct i2c_device_id tps65217_id_table[] = {
+ {"tps65217", TPS65217},
+ { /* sentinel */ }
+@@ -437,6 +455,7 @@ static struct i2c_driver tps65217_driver
+ },
+ .id_table = tps65217_id_table,
+ .probe = tps65217_probe,
++ .remove = tps65217_remove,
+ };
+
+ static int __init tps65217_init(void)
--- /dev/null
+From 2fa436b3a2a7009c11a3bc03fe0ff4c26e80fd87 Mon Sep 17 00:00:00 2001
+From: Vamsi Krishna <vamsin@qti.qualcomm.com>
+Date: Fri, 2 Dec 2016 23:59:08 +0200
+Subject: nl80211: Use different attrs for BSSID and random MAC addr in scan req
+
+From: Vamsi Krishna <vamsin@qti.qualcomm.com>
+
+commit 2fa436b3a2a7009c11a3bc03fe0ff4c26e80fd87 upstream.
+
+NL80211_ATTR_MAC was used to set both the specific BSSID to be scanned
+and the random MAC address to be used when privacy is enabled. When both
+the features are enabled, both the BSSID and the local MAC address were
+getting same value causing Probe Request frames to go with unintended
+DA. Hence, this has been fixed by using a different NL80211_ATTR_BSSID
+attribute to set the specific BSSID (which was the more recent addition
+in cfg80211) for a scan.
+
+Backwards compatibility with old userspace software is maintained to
+some extent by allowing NL80211_ATTR_MAC to be used to set the specific
+BSSID when scanning without enabling random MAC address use.
+
+Scanning with random source MAC address was introduced by commit
+ad2b26abc157 ("cfg80211: allow drivers to support random MAC addresses
+for scan") and the issue was introduced with the addition of the second
+user for the same attribute in commit 818965d39177 ("cfg80211: Allow a
+scan request for a specific BSSID").
+
+Fixes: 818965d39177 ("cfg80211: Allow a scan request for a specific BSSID")
+Signed-off-by: Vamsi Krishna <vamsin@qti.qualcomm.com>
+Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/uapi/linux/nl80211.h | 7 ++++++-
+ net/wireless/nl80211.c | 16 +++++++++++++++-
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+--- a/include/uapi/linux/nl80211.h
++++ b/include/uapi/linux/nl80211.h
+@@ -323,7 +323,7 @@
+ * @NL80211_CMD_GET_SCAN: get scan results
+ * @NL80211_CMD_TRIGGER_SCAN: trigger a new scan with the given parameters
+ * %NL80211_ATTR_TX_NO_CCK_RATE is used to decide whether to send the
+- * probe requests at CCK rate or not. %NL80211_ATTR_MAC can be used to
++ * probe requests at CCK rate or not. %NL80211_ATTR_BSSID can be used to
+ * specify a BSSID to scan for; if not included, the wildcard BSSID will
+ * be used.
+ * @NL80211_CMD_NEW_SCAN_RESULTS: scan notification (as a reply to
+@@ -1937,6 +1937,9 @@ enum nl80211_commands {
+ * @NL80211_ATTR_NAN_MATCH: used to report a match. This is a nested attribute.
+ * See &enum nl80211_nan_match_attributes.
+ *
++ * @NL80211_ATTR_BSSID: The BSSID of the AP. Note that %NL80211_ATTR_MAC is also
++ * used in various commands/events for specifying the BSSID.
++ *
+ * @NUM_NL80211_ATTR: total number of nl80211_attrs available
+ * @NL80211_ATTR_MAX: highest attribute number currently defined
+ * @__NL80211_ATTR_AFTER_LAST: internal use
+@@ -2336,6 +2339,8 @@ enum nl80211_attrs {
+ NL80211_ATTR_NAN_FUNC,
+ NL80211_ATTR_NAN_MATCH,
+
++ NL80211_ATTR_BSSID,
++
+ /* add attributes here, update the policy in nl80211.c */
+
+ __NL80211_ATTR_AFTER_LAST,
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -414,6 +414,7 @@ static const struct nla_policy nl80211_p
+ [NL80211_ATTR_NAN_MASTER_PREF] = { .type = NLA_U8 },
+ [NL80211_ATTR_NAN_DUAL] = { .type = NLA_U8 },
+ [NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED },
++ [NL80211_ATTR_BSSID] = { .len = ETH_ALEN },
+ };
+
+ /* policy for the key attributes */
+@@ -6677,7 +6678,20 @@ static int nl80211_trigger_scan(struct s
+ request->no_cck =
+ nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]);
+
+- if (info->attrs[NL80211_ATTR_MAC])
++ /* Initial implementation used NL80211_ATTR_MAC to set the specific
++ * BSSID to scan for. This was problematic because that same attribute
++ * was already used for another purpose (local random MAC address). The
++ * NL80211_ATTR_BSSID attribute was added to fix this. For backwards
++ * compatibility with older userspace components, also use the
++ * NL80211_ATTR_MAC value here if it can be determined to be used for
++ * the specific BSSID use case instead of the random MAC address
++ * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use).
++ */
++ if (info->attrs[NL80211_ATTR_BSSID])
++ memcpy(request->bssid,
++ nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN);
++ else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) &&
++ info->attrs[NL80211_ATTR_MAC])
+ memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]),
+ ETH_ALEN);
+ else
usb-dwc3-ep0-add-dwc3_ep0_prepare_one_trb.patch
usb-dwc3-ep0-explicitly-call-dwc3_ep0_prepare_one_trb.patch
usb-dwc3-gadget-always-unmap-ep0-requests.patch
+drm-i915-dp-add-lane_count-check-in-intel_dp_check_link_status.patch
+drm-i915-tune-down-the-fast-link-training-vs-boot-fail.patch
+mac80211-fix-tid_agg_rx-null-dereference.patch
+nl80211-use-different-attrs-for-bssid-and-random-mac-addr-in-scan-req.patch
+ath10k-fix-failure-to-send-null-func-frame-for-10.4.patch
+mfd-tps65217-fix-page-fault-on-unloading-modules.patch
+ath10k-use-the-right-length-of-background.patch
+cris-only-build-flash-rescue-image-if-config_etrax_axisflashmap-is-selected.patch
+efi-efivar_ssdt_load-don-t-return-success-on-allocation-failure.patch
+clk-renesas-cpg-mssr-fix-inverted-debug-check.patch
+debugfs-improve-define_debugfs_attribute-for-config_debug_fs.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
