From: Greg Kroah-Hartman
Date: Thu, 3 Aug 2017 22:24:47 +0000 (-0700)
Subject: 4.4-stable patches
X-Git-Tag: v4.12.5~31
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=07f52315fe85eb9ee32c6aa986d78a1220bf2526;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch
isdn-fix-a-sleep-in-atomic-bug.patch
isdn-i4l-fix-buffer-overflow.patch
kaweth-fix-firmware-download.patch
kaweth-fix-oops-upon-failed-memory-allocation.patch
mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch
mailbox-handle-empty-message-in-tx_tick.patch
mailbox-skip-complete-wait-event-if-timer-expired.patch
mpt3sas-don-t-overreach-ioc-reply_post-during-initialization.patch
wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch
---
diff --git a/queue-4.4/ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch b/queue-4.4/ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch
new file mode 100644
index 00000000000..728998a69b9
--- /dev/null
+++ b/queue-4.4/ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch
@@ -0,0 +1,76 @@
+From 18ae68fff392e445af3c2d8be9bef8a16e1c72a7 Mon Sep 17 00:00:00 2001
+From: Michal Kazior
+Date: Mon, 14 Nov 2016 14:25:23 +0100
+Subject: ath10k: fix null deref on wmi-tlv when trying spectral scan
+
+From: Michal Kazior
+
+commit 18ae68fff392e445af3c2d8be9bef8a16e1c72a7 upstream.
+
+WMI ops wrappers did not properly check for null
+function pointers for spectral scan. This caused
+null dereference crash with WMI-TLV based firmware
+which doesn't implement spectral scan.
+
+The crash could be triggered with:
+
+ ip link set dev wlan0 up
+ echo background > /sys/kernel/debug/ieee80211/phy0/ath10k/spectral_scan_ctl
+
+The crash looked like this:
+
+ [ 168.031989] BUG: unable to handle kernel NULL pointer dereference at (null)
+ [ 168.037406] IP: [< (null)>] (null)
+ [ 168.040395] PGD cdd4067 PUD fa0f067 PMD 0
+ [ 168.043303] Oops: 0010 [#1] SMP
+ [ 168.045377] Modules linked in: ath10k_pci(O) ath10k_core(O) ath mac80211 cfg80211 [last unloaded: cfg80211]
+ [ 168.051560] CPU: 1 PID: 1380 Comm: bash Tainted: G W O 4.8.0 #78
+ [ 168.054336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
+ [ 168.059183] task: ffff88000c460c00 task.stack: ffff88000d4bc000
+ [ 168.061736] RIP: 0010:[<0000000000000000>] [< (null)>] (null)
+ ...
+ [ 168.100620] Call Trace:
+ [ 168.101910] [] ? ath10k_spectral_scan_config+0x96/0x200 [ath10k_core]
+ [ 168.104871] [] ? filemap_fault+0xb2/0x4a0
+ [ 168.106696] [] write_file_spec_scan_ctl+0x116/0x280 [ath10k_core]
+ [ 168.109618] [] full_proxy_write+0x51/0x80
+ [ 168.111443] [] __vfs_write+0x28/0x120
+ [ 168.113090] [] ? security_file_permission+0x3d/0xc0
+ [ 168.114932] [] ? percpu_down_read+0x12/0x60
+ [ 168.116680] [] vfs_write+0xb8/0x1a0
+ [ 168.118293] [] SyS_write+0x46/0xa0
+ [ 168.119912] [] entry_SYSCALL_64_fastpath+0x1a/0xa4
+ [ 168.121737] Code: Bad RIP value.
+ [ 168.123318] RIP [< (null)>] (null)
+
+Signed-off-by: Michal Kazior
+Signed-off-by: Kalle Valo
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/ath10k/wmi-ops.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/wmi-ops.h
++++ b/drivers/net/wireless/ath/ath10k/wmi-ops.h
+@@ -639,6 +639,9 @@ ath10k_wmi_vdev_spectral_conf(struct ath
+ struct sk_buff *skb;
+ u32 cmd_id;
+
++ if (!ar->wmi.ops->gen_vdev_spectral_conf)
++ return -EOPNOTSUPP;
++
+ skb = ar->wmi.ops->gen_vdev_spectral_conf(ar, arg);
+ if (IS_ERR(skb))
+ return PTR_ERR(skb);
+@@ -654,6 +657,9 @@ ath10k_wmi_vdev_spectral_enable(struct a
+ struct sk_buff *skb;
+ u32 cmd_id;
+
++ if (!ar->wmi.ops->gen_vdev_spectral_enable)
++ return -EOPNOTSUPP;
++
+ skb = ar->wmi.ops->gen_vdev_spectral_enable(ar, vdev_id, trigger,
+ enable);
+ if (IS_ERR(skb))
diff --git a/queue-4.4/isdn-fix-a-sleep-in-atomic-bug.patch b/queue-4.4/isdn-fix-a-sleep-in-atomic-bug.patch
new file mode 100644
index 00000000000..307b7194c84
--- /dev/null
+++ b/queue-4.4/isdn-fix-a-sleep-in-atomic-bug.patch
@@ -0,0 +1,40 @@
+From e8f4ae85439f34bec3b0ab69223a41809dab28c9 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai
+Date: Wed, 31 May 2017 09:40:11 +0800
+Subject: isdn: Fix a sleep-in-atomic bug
+
+From: Jia-Ju Bai
+
+commit e8f4ae85439f34bec3b0ab69223a41809dab28c9 upstream.
+
+The driver may sleep under a spin lock, the function call path is:
+isdn_ppp_mp_receive (acquire the lock)
+ isdn_ppp_mp_reassembly
+ isdn_ppp_push_higher
+ isdn_ppp_decompress
+ isdn_ppp_ccp_reset_trans
+ isdn_ppp_ccp_reset_alloc_state
+ kzalloc(GFP_KERNEL) --> may sleep
+
+To fixed it, the "GFP_KERNEL" is replaced with "GFP_ATOMIC".
+
+Signed-off-by: Jia-Ju Bai
+Signed-off-by: David S. Miller
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/isdn/i4l/isdn_ppp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/isdn/i4l/isdn_ppp.c
++++ b/drivers/isdn/i4l/isdn_ppp.c
+@@ -2364,7 +2364,7 @@ static struct ippp_ccp_reset_state *isdn
+ id);
+ return NULL;
+ } else {
+- rs = kzalloc(sizeof(struct ippp_ccp_reset_state), GFP_KERNEL);
++ rs = kzalloc(sizeof(struct ippp_ccp_reset_state), GFP_ATOMIC);
+ if (!rs)
+ return NULL;
+ rs->state = CCPResetIdle;
diff --git a/queue-4.4/isdn-i4l-fix-buffer-overflow.patch b/queue-4.4/isdn-i4l-fix-buffer-overflow.patch
new file mode 100644
index 00000000000..a7c00cc1522
--- /dev/null
+++ b/queue-4.4/isdn-i4l-fix-buffer-overflow.patch
@@ -0,0 +1,53 @@
+From 9f5af546e6acc30f075828cb58c7f09665033967 Mon Sep 17 00:00:00 2001
+From: Annie Cherkaev
+Date: Sat, 15 Jul 2017 15:08:58 -0600
+Subject: isdn/i4l: fix buffer overflow
+
+From: Annie Cherkaev
+
+commit 9f5af546e6acc30f075828cb58c7f09665033967 upstream.
+
+This fixes a potential buffer overflow in isdn_net.c caused by an
+unbounded strcpy.
+
+[ ISDN seems to be effectively unmaintained, and the I4L driver in
+ particular is long deprecated, but in case somebody uses this..
+ - Linus ]
+
+Signed-off-by: Jiten Thakkar
+Signed-off-by: Annie Cherkaev
+Cc: Karsten Keil
+Cc: Kees Cook
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/isdn/i4l/isdn_common.c | 1 +
+ drivers/isdn/i4l/isdn_net.c | 5 ++---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1379,6 +1379,7 @@ isdn_ioctl(struct file *file, uint cmd,
+ if (arg) {
+ if (copy_from_user(bname, argp, sizeof(bname) - 1))
+ return -EFAULT;
++ bname[sizeof(bname)-1] = 0;
+ } else
+ return -EINVAL;
+ ret = mutex_lock_interruptible(&dev->mtx);
+--- a/drivers/isdn/i4l/isdn_net.c
++++ b/drivers/isdn/i4l/isdn_net.c
+@@ -2611,10 +2611,9 @@ isdn_net_newslave(char *parm)
+ char newname[10];
+
+ if (p) {
+- /* Slave-Name MUST not be empty */
+- if (!strlen(p + 1))
++ /* Slave-Name MUST not be empty or overflow 'newname' */
++ if (strscpy(newname, p + 1, sizeof(newname)) <= 0)
+ return NULL;
+- strcpy(newname, p + 1);
+ *p = 0;
+ /* Master must already exist */
+ if (!(n = isdn_net_findif(parm)))
diff --git a/queue-4.4/kaweth-fix-firmware-download.patch b/queue-4.4/kaweth-fix-firmware-download.patch
new file mode 100644
index 00000000000..39bd30c4977
--- /dev/null
+++ b/queue-4.4/kaweth-fix-firmware-download.patch
@@ -0,0 +1,40 @@
+From 60bcabd080f53561efa9288be45c128feda1a8bb Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Wed, 17 Aug 2016 15:51:55 +0200
+Subject: kaweth: fix firmware download
+
+From: Oliver Neukum
+
+commit 60bcabd080f53561efa9288be45c128feda1a8bb upstream.
+
+This fixes the oops discovered by the Umap2 project and Alan Stern.
+The intf member needs to be set before the firmware is downloaded.
+
+Signed-off-by: Oliver Neukum
+Signed-off-by: David S. Miller
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/usb/kaweth.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -1029,6 +1029,7 @@ static int kaweth_probe(
+ kaweth = netdev_priv(netdev);
+ kaweth->dev = udev;
+ kaweth->net = netdev;
++ kaweth->intf = intf;
+
+ spin_lock_init(&kaweth->device_lock);
+ init_waitqueue_head(&kaweth->term_wait);
+@@ -1139,8 +1140,6 @@ err_fw:
+
+ dev_dbg(dev, "Initializing net device.\n");
+
+- kaweth->intf = intf;
+-
+ kaweth->tx_urb = usb_alloc_urb(0, GFP_KERNEL);
+ if (!kaweth->tx_urb)
+ goto err_free_netdev;
diff --git a/queue-4.4/kaweth-fix-oops-upon-failed-memory-allocation.patch b/queue-4.4/kaweth-fix-oops-upon-failed-memory-allocation.patch
new file mode 100644
index 00000000000..5ae0724d46e
--- /dev/null
+++ b/queue-4.4/kaweth-fix-oops-upon-failed-memory-allocation.patch
@@ -0,0 +1,50 @@
+From 575ced7f8090c1a4e91e2daf8da9352a6a1fc7a7 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Wed, 17 Aug 2016 15:51:56 +0200
+Subject: kaweth: fix oops upon failed memory allocation
+
+From: Oliver Neukum
+
+commit 575ced7f8090c1a4e91e2daf8da9352a6a1fc7a7 upstream.
+
+Just return an error upon failure.
+
+Signed-off-by: Oliver Neukum
+Signed-off-by: David S. Miller
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/usb/kaweth.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/kaweth.c
++++ b/drivers/net/usb/kaweth.c
+@@ -1009,6 +1009,7 @@ static int kaweth_probe(
+ struct net_device *netdev;
+ const eth_addr_t bcast_addr = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
+ int result = 0;
++ int rv = -EIO;
+
+ dev_dbg(dev,
+ "Kawasaki Device Probe (Device number:%d): 0x%4.4x:0x%4.4x:0x%4.4x\n",
+@@ -1049,6 +1050,10 @@ static int kaweth_probe(
+ /* Download the firmware */
+ dev_info(dev, "Downloading firmware...\n");
+ kaweth->firmware_buf = (__u8 *)__get_free_page(GFP_KERNEL);
++ if (!kaweth->firmware_buf) {
++ rv = -ENOMEM;
++ goto err_free_netdev;
++ }
+ if ((result = kaweth_download_firmware(kaweth,
+ "kaweth/new_code.bin",
+ 100,
+@@ -1203,7 +1208,7 @@ err_only_tx:
+ err_free_netdev:
+ free_netdev(netdev);
+
+- return -EIO;
++ return rv;
+ }
+
+ /****************************************************************
diff --git a/queue-4.4/mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch b/queue-4.4/mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch
new file mode 100644
index 00000000000..aef959b556f
--- /dev/null
+++ b/queue-4.4/mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch
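Review bot: The new `-ENOMEM` branch is the only place that updates `rv`; every other failure in kaweth_probe that reaches `err_free_netdev`, including the firmware-download failure whose status is captured in `result` immediately below the new check, still returns the generic `-EIO` from the initializer. Propagating `result` where it already is an errno would give callers a more accurate code, but that is beyond this fix; at minimum a comment on the declaration, `int rv = -EIO; /* default for error paths that set no specific code */`, would record the intent. kaweth_probe begins and ends outside these hunks, so the other error paths are inferred from the label names, not seen.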
@@ -0,0 +1,40 @@
+From c61b781ee084e69855477d23dd33e7e6caad652c Mon Sep 17 00:00:00 2001
+From: Sudeep Holla
+Date: Tue, 21 Mar 2017 11:30:14 +0000
+Subject: mailbox: always wait in mbox_send_message for blocking Tx mode
+
+From: Sudeep Holla
+
+commit c61b781ee084e69855477d23dd33e7e6caad652c upstream.
+
+There exists a race when msg_submit return immediately as there was an
+active request being processed which may have completed just before it's
+checked again in mbox_send_message. This will result in return to the
+caller without waiting in mbox_send_message even when it's blocking Tx.
+
+This patch fixes the issue by waiting for the completion always if Tx
+is in blocking mode.
+
+Fixes: 2b6d83e2b8b7 ("mailbox: Introduce framework for mailbox")
+Reported-by: Alexey Klimov
+Signed-off-by: Sudeep Holla
+Reviewed-by: Alexey Klimov
+Signed-off-by: Jassi Brar
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mailbox/mailbox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -261,7 +261,7 @@ int mbox_send_message(struct mbox_chan *
+
+ msg_submit(chan);
+
+- if (chan->cl->tx_block && chan->active_req) {
++ if (chan->cl->tx_block) {
+ unsigned long wait;
+ int ret;
+
diff --git a/queue-4.4/mailbox-handle-empty-message-in-tx_tick.patch b/queue-4.4/mailbox-handle-empty-message-in-tx_tick.patch
new file mode 100644
index 00000000000..3b789f37352
--- /dev/null
+++ b/queue-4.4/mailbox-handle-empty-message-in-tx_tick.patch
@@ -0,0 +1,40 @@
+From cb710ab1d8a23f68ff8f45aedf3e552bb90e70de Mon Sep 17 00:00:00 2001
+From: Sudeep Holla
+Date: Tue, 21 Mar 2017 11:30:16 +0000
+Subject: mailbox: handle empty message in tx_tick
+
+From: Sudeep Holla
+
+commit cb710ab1d8a23f68ff8f45aedf3e552bb90e70de upstream.
+
+We already check if the message is empty before calling the client
+tx_done callback. Calling completion on a wait event is also invalid
+if the message is empty.
+
+This patch moves the existing empty message check earlier.
+
+Fixes: 2b6d83e2b8b7 ("mailbox: Introduce framework for mailbox")
+Signed-off-by: Sudeep Holla
+Signed-off-by: Jassi Brar
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mailbox/mailbox.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -104,8 +104,11 @@ static void tx_tick(struct mbox_chan *ch
+ /* Submit next message */
+ msg_submit(chan);
+
++ if (!mssg)
++ return;
++
+ /* Notify the client */
+- if (mssg && chan->cl->tx_done)
++ if (chan->cl->tx_done)
+ chan->cl->tx_done(chan->cl, mssg, r);
+
+ if (r != -ETIME && chan->cl->tx_block)
diff --git a/queue-4.4/mailbox-skip-complete-wait-event-if-timer-expired.patch b/queue-4.4/mailbox-skip-complete-wait-event-if-timer-expired.patch
new file mode 100644
index 00000000000..49b5532dc29
--- /dev/null
+++ b/queue-4.4/mailbox-skip-complete-wait-event-if-timer-expired.patch
@@ -0,0 +1,53 @@
+From cc6eeaa3029a6dbcb4ad41b1f92876483bd88965 Mon Sep 17 00:00:00 2001
+From: Sudeep Holla
+Date: Tue, 21 Mar 2017 11:30:15 +0000
+Subject: mailbox: skip complete wait event if timer expired
+
+From: Sudeep Holla
+
+commit cc6eeaa3029a6dbcb4ad41b1f92876483bd88965 upstream.
+
+If a wait_for_completion_timeout() call returns due to a timeout,
+complete() can get called after returning from the wait which is
+incorrect and can cause subsequent transmissions on a channel to fail.
+Since the wait_for_completion_timeout() sees the completion variable
+is non-zero caused by the erroneous/spurious complete() call, and
+it immediately returns without waiting for the time as expected by the
+client.
+
+This patch fixes the issue by skipping complete() call for the timer
+expiry.
+
+Fixes: 2b6d83e2b8b7 ("mailbox: Introduce framework for mailbox")
+Reported-by: Alexey Klimov
+Signed-off-by: Sudeep Holla
+Signed-off-by: Jassi Brar
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mailbox/mailbox.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -108,7 +108,7 @@ static void tx_tick(struct mbox_chan *ch
+ if (mssg && chan->cl->tx_done)
+ chan->cl->tx_done(chan->cl, mssg, r);
+
+- if (chan->cl->tx_block)
++ if (r != -ETIME && chan->cl->tx_block)
+ complete(&chan->tx_complete);
+ }
+
+@@ -272,8 +272,8 @@ int mbox_send_message(struct mbox_chan *
+
+ ret = wait_for_completion_timeout(&chan->tx_complete, wait);
+ if (ret == 0) {
+- t = -EIO;
+- tx_tick(chan, -EIO);
++ t = -ETIME;
++ tx_tick(chan, t);
+ }
+ }
+
diff --git a/queue-4.4/mpt3sas-don-t-overreach-ioc-reply_post-during-initialization.patch b/queue-4.4/mpt3sas-don-t-overreach-ioc-reply_post-during-initialization.patch
new file mode 100644
index 00000000000..cdf30612fb9
--- /dev/null
+++ b/queue-4.4/mpt3sas-don-t-overreach-ioc-reply_post-during-initialization.patch
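Review bot: `r != -ETIME` in tx_tick turns `-ETIME` into an in-band sentinel meaning "the blocking sender has already timed out and left the wait"; if a controller's tx_done path ever reports `-ETIME` as a genuine transmission status, `complete()` is skipped and the sender blocks until its own timeout fires. That trade-off is reasonable for this fix, but nothing at the call site says so, and the previous `-EIO` had no such special meaning. A comment on the changed line, `/* -ETIME: the sender timed out and is gone; completing would leave a stale completion for the next message */`, would keep the next reader from "simplifying" it away. tx_tick and mbox_send_message both begin outside these hunks.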
@@ -0,0 +1,121 @@
+From 5ec8a1753bc29efa7e4b1391d691c9c719b30257 Mon Sep 17 00:00:00 2001
+From: Calvin Owens
+Date: Fri, 18 Mar 2016 12:45:42 -0700
+Subject: mpt3sas: Don't overreach ioc->reply_post[] during initialization
+
+From: Calvin Owens
+
+commit 5ec8a1753bc29efa7e4b1391d691c9c719b30257 upstream.
+
+In _base_make_ioc_operational(), we walk ioc->reply_queue_list and pull
+a pointer out of successive elements of ioc->reply_post[] for each entry
+in that list if RDPQ is enabled.
+
+Since the code pulls the pointer for the next iteration at the bottom of
+the loop, it triggers the a KASAN dump on the final iteration:
+
+ BUG: KASAN: slab-out-of-bounds in _base_make_ioc_operational+0x47b7/0x47e0 [mpt3sas] at addr ffff880754816ab0
+ Read of size 8 by task modprobe/305
+
+ Call Trace:
+ [] dump_stack+0x4d/0x6c
+ [] print_trailer+0xf9/0x150
+ [] object_err+0x34/0x40
+ [] kasan_report_error+0x221/0x530
+ [] __asan_report_load8_noabort+0x43/0x50
+ [] _base_make_ioc_operational+0x47b7/0x47e0 [mpt3sas]
+ [] mpt3sas_base_attach+0x1991/0x2120 [mpt3sas]
+ [] _scsih_probe+0xeb3/0x16b0 [mpt3sas]
+ [] local_pci_probe+0xc7/0x170
+ [] pci_device_probe+0x20f/0x290
+ [] really_probe+0x17d/0x600
+ [] __driver_attach+0x153/0x190
+ [] bus_for_each_dev+0x11c/0x1a0
+ [] driver_attach+0x3d/0x50
+ [] bus_add_driver+0x44a/0x5f0
+ [] driver_register+0x18c/0x3b0
+ [] __pci_register_driver+0x156/0x200
+ [] _mpt3sas_init+0x135/0x1000 [mpt3sas]
+ [] do_one_initcall+0x113/0x2b0
+ [] do_init_module+0x1d0/0x4d8
+ [] load_module+0x6729/0x8dc0
+ [] SYSC_init_module+0x183/0x1a0
+ [] SyS_init_module+0xe/0x10
+ [] entry_SYSCALL_64_fastpath+0x12/0x6a
+
+Fix this by pulling the value at the beginning of the loop.
+
+Signed-off-by: Calvin Owens
+Reviewed-by: Johannes Thumshirn
+Reviewed-by: Jens Axboe
+Acked-by: Chaitra Basappa
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/mpt3sas/mpt3sas_base.c | 33 ++++++++++++++++-----------------
+ 1 file changed, 16 insertions(+), 17 deletions(-)
+
+--- a/drivers/scsi/mpt3sas/mpt3sas_base.c
++++ b/drivers/scsi/mpt3sas/mpt3sas_base.c
+@@ -4981,15 +4981,14 @@ _base_make_ioc_ready(struct MPT3SAS_ADAP
+ static int
+ _base_make_ioc_operational(struct MPT3SAS_ADAPTER *ioc, int sleep_flag)
+ {
+- int r, i;
++ int r, i, index;
+ unsigned long flags;
+ u32 reply_address;
+ u16 smid;
+ struct _tr_list *delayed_tr, *delayed_tr_next;
+ u8 hide_flag;
+ struct adapter_reply_queue *reply_q;
+- long reply_post_free;
+- u32 reply_post_free_sz, index = 0;
++ Mpi2ReplyDescriptorsUnion_t *reply_post_free_contig;
+
+ dinitprintk(ioc, pr_info(MPT3SAS_FMT "%s\n", ioc->name,
+ __func__));
+@@ -5061,27 +5060,27 @@ _base_make_ioc_operational(struct MPT3SA
+ _base_assign_reply_queues(ioc);
+
+ /* initialize Reply Post Free Queue */
+- reply_post_free_sz = ioc->reply_post_queue_depth *
+- sizeof(Mpi2DefaultReplyDescriptor_t);
+- reply_post_free = (long)ioc->reply_post[index].reply_post_free;
++ index = 0;
++ reply_post_free_contig = ioc->reply_post[0].reply_post_free;
+ list_for_each_entry(reply_q, &ioc->reply_queue_list, list) {
++ /*
++ * If RDPQ is enabled, switch to the next allocation.
++ * Otherwise advance within the contiguous region.
++ */
++ if (ioc->rdpq_array_enable) {
++ reply_q->reply_post_free =
++ ioc->reply_post[index++].reply_post_free;
++ } else {
++ reply_q->reply_post_free = reply_post_free_contig;
++ reply_post_free_contig += ioc->reply_post_queue_depth;
++ }
++
+ reply_q->reply_post_host_index = 0;
+- reply_q->reply_post_free = (Mpi2ReplyDescriptorsUnion_t *)
+- reply_post_free;
+ for (i = 0; i < ioc->reply_post_queue_depth; i++)
+ reply_q->reply_post_free[i].Words =
+ cpu_to_le64(ULLONG_MAX);
+ if (!_base_is_controller_msix_enabled(ioc))
+ goto skip_init_reply_post_free_queue;
+- /*
+- * If RDPQ is enabled, switch to the next allocation.
+- * Otherwise advance within the contiguous region.
+- */
+- if (ioc->rdpq_array_enable)
+- reply_post_free = (long)
+- ioc->reply_post[++index].reply_post_free;
+- else
+- reply_post_free += reply_post_free_sz;
+ }
+ skip_init_reply_post_free_queue:
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 7289e7737ae..5c638d245bc 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -22,3 +22,13 @@ perf-intel-pt-ensure-never-to-set-last_ip-when-packet-count-is-zero.patch
 xfs-don-t-bug-on-mixed-direct-and-mapped-i-o.patch
 nfc-fdp-fix-null-pointer-dereference.patch
 net-phy-do-not-perform-software-reset-for-generic-phy.patch
+isdn-fix-a-sleep-in-atomic-bug.patch
+isdn-i4l-fix-buffer-overflow.patch
+ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch
+wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch
+mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch
+mailbox-skip-complete-wait-event-if-timer-expired.patch
+mailbox-handle-empty-message-in-tx_tick.patch
+mpt3sas-don-t-overreach-ioc-reply_post-during-initialization.patch
+kaweth-fix-firmware-download.patch
+kaweth-fix-oops-upon-failed-memory-allocation.patch
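Review bot: The rewritten loop removes the one-past-the-end read on the final iteration but still has no bound on `index` against the number of `ioc->reply_post[]` allocations: `ioc->reply_post[index++]` is evaluated once per `reply_queue_list` entry, so correctness relies on that list never being longer than the RDPQ array, and nothing in the hunk states or checks that invariant. A comment at `index = 0;` naming where the two counts are kept in step would help the next reader; whether to add a `WARN_ON` in probe code is a judgement call. The contiguous-case stride also changed from `reply_post_queue_depth * sizeof(Mpi2DefaultReplyDescriptor_t)` bytes to `reply_post_queue_depth` elements of `Mpi2ReplyDescriptorsUnion_t`, which is only equivalent if the two descriptor types have the same size; the `.Words = cpu_to_le64(ULLONG_MAX)` store suggests 8-byte entries, but that is inferred, so it deserves a one-line comment on the `+=` line. _base_make_ioc_operational ends outside the hunk.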
diff --git a/queue-4.4/wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch b/queue-4.4/wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch
new file mode 100644
index 00000000000..afedc695440
--- /dev/null
+++ b/queue-4.4/wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch
@@ -0,0 +1,53 @@
+From dfb5b098e0f40b68aa07f2ec55f4dd762efefbfa Mon Sep 17 00:00:00 2001
+From: Lior David
+Date: Wed, 23 Nov 2016 16:06:41 +0200
+Subject: wil6210: fix deadlock when using fw_no_recovery option
+
+From: Lior David
+
+commit dfb5b098e0f40b68aa07f2ec55f4dd762efefbfa upstream.
+
+When FW crashes with no_fw_recovery option, driver
+waits for manual recovery with wil->mutex held, this
+can easily create deadlocks.
+Fix the problem by moving the wait outside the lock.
+
+Signed-off-by: Lior David
+Signed-off-by: Maya Erez
+Signed-off-by: Kalle Valo
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ath/wil6210/main.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/main.c
++++ b/drivers/net/wireless/ath/wil6210/main.c
+@@ -330,18 +330,19 @@ static void wil_fw_error_worker(struct w
+
+ wil->last_fw_recovery = jiffies;
+
++ wil_info(wil, "fw error recovery requested (try %d)...\n",
++ wil->recovery_count);
++ if (!no_fw_recovery)
++ wil->recovery_state = fw_recovery_running;
++ if (wil_wait_for_recovery(wil) != 0)
++ return;
++
+ mutex_lock(&wil->mutex);
+ switch (wdev->iftype) {
+ case NL80211_IFTYPE_STATION:
+ case NL80211_IFTYPE_P2P_CLIENT:
+ case NL80211_IFTYPE_MONITOR:
+- wil_info(wil, "fw error recovery requested (try %d)...\n",
+- wil->recovery_count);
+- if (!no_fw_recovery)
+- wil->recovery_state = fw_recovery_running;
+- if (0 != wil_wait_for_recovery(wil))
+- break;
+-
++ /* silent recovery, upper layers will see disconnect */
+ __wil_down(wil);
+ __wil_up(wil);
+ break;
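Review bot: Hoisting the `wil_info`/`recovery_state`/`wil_wait_for_recovery` block above `mutex_lock` also hoists it out of the STATION/P2P_CLIENT/MONITOR cases, so the worker now logs, sets `fw_recovery_running` and blocks in `wil_wait_for_recovery` for every `wdev->iftype`, whereas before the remaining cases of the switch (outside this hunk) never reached it. If that widening is intended it deserves a sentence in the changelog; if not, the new block needs the same iftype guard, e.g. a check before the wait that mirrors the three cases. A second, smaller consequence is that `wdev->iftype` is now read after the wait rather than before it, so the switch acts on the interface type current when recovery completes; presumably fine, but worth confirming against how iftype changes are serialised. wil_fw_error_worker ends outside the hunk.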