From: Greg Kroah-Hartman Date: Mon, 9 Jan 2017 12:07:12 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.42~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c3212fdd5f423e342db082d37bf3074372dd3ee0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: ath10k-fix-failure-to-send-null-func-frame-for-10.4.patch ath10k-use-the-right-length-of-background.patch clk-renesas-cpg-mssr-fix-inverted-debug-check.patch cris-only-build-flash-rescue-image-if-config_etrax_axisflashmap-is-selected.patch debugfs-improve-define_debugfs_attribute-for-config_debug_fs.patch drm-i915-dp-add-lane_count-check-in-intel_dp_check_link_status.patch drm-i915-tune-down-the-fast-link-training-vs-boot-fail.patch efi-efivar_ssdt_load-don-t-return-success-on-allocation-failure.patch mac80211-fix-tid_agg_rx-null-dereference.patch mfd-tps65217-fix-page-fault-on-unloading-modules.patch nl80211-use-different-attrs-for-bssid-and-random-mac-addr-in-scan-req.patch --- diff --git a/queue-4.9/ath10k-fix-failure-to-send-null-func-frame-for-10.4.patch b/queue-4.9/ath10k-fix-failure-to-send-null-func-frame-for-10.4.patch new file mode 100644 index 00000000000..f0f891a0c57 --- /dev/null +++ b/queue-4.9/ath10k-fix-failure-to-send-null-func-frame-for-10.4.patch @@ -0,0 +1,53 @@ +From fcf7cf1551cae54e747a771f5808240f2a37708f Mon Sep 17 00:00:00 2001 +From: Mohammed Shafi Shajakhan +Date: Wed, 9 Nov 2016 03:40:57 +0200 +Subject: ath10k: fix failure to send NULL func frame for 10.4 + +From: Mohammed Shafi Shajakhan + +commit fcf7cf1551cae54e747a771f5808240f2a37708f upstream. + +This partially reverts 'commit 2cdce425aa33 +("ath10k: Fix broken NULL func data frame status for 10.4")' +Unfortunately this breaks sending NULL func and the existing +issue of obtaining proper tx status for NULL function will be +fixed. Also update the comments for feature flag added to be +useless and not working + +Fixes: 2cdce425aa33 "ath10k: Fix broken NULL func data frame status for +10.4" +Signed-off-by: Mohammed Shafi Shajakhan +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath10k/core.h | 6 ++---- + drivers/net/wireless/ath/ath10k/mac.c | 2 -- + 2 files changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/core.h ++++ b/drivers/net/wireless/ath/ath10k/core.h +@@ -557,10 +557,8 @@ enum ath10k_fw_features { + */ + ATH10K_FW_FEATURE_BTCOEX_PARAM = 14, + +- /* Older firmware with HTT delivers incorrect tx status for null func +- * frames to driver, but this fixed in 10.2 and 10.4 firmware versions. +- * Also this workaround results in reporting of incorrect null func +- * status for 10.4. This flag is used to skip the workaround. ++ /* Unused flag and proven to be not working, enable this if you want ++ * to experiment sending NULL func data frames in HTT TX + */ + ATH10K_FW_FEATURE_SKIP_NULL_FUNC_WAR = 15, + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -3255,8 +3255,6 @@ ath10k_mac_tx_h_get_txmode(struct ath10k + if (ar->htt.target_version_major < 3 && + (ieee80211_is_nullfunc(fc) || ieee80211_is_qos_nullfunc(fc)) && + !test_bit(ATH10K_FW_FEATURE_HAS_WMI_MGMT_TX, +- ar->running_fw->fw_file.fw_features) && +- !test_bit(ATH10K_FW_FEATURE_SKIP_NULL_FUNC_WAR, + ar->running_fw->fw_file.fw_features)) + return ATH10K_HW_TXRX_MGMT; + diff --git a/queue-4.9/ath10k-use-the-right-length-of-background.patch b/queue-4.9/ath10k-use-the-right-length-of-background.patch new file mode 100644 index 00000000000..9f4d6a34d46 --- /dev/null +++ b/queue-4.9/ath10k-use-the-right-length-of-background.patch @@ -0,0 +1,32 @@ +From 31b239824ece321c09bdb8e61e1d14814eaba38b Mon Sep 17 00:00:00 2001 +From: Nicolas Iooss +Date: Sat, 29 Oct 2016 13:17:37 +0200 +Subject: ath10k: use the right length of "background" + +From: Nicolas Iooss + +commit 31b239824ece321c09bdb8e61e1d14814eaba38b upstream. + +The word "background" contains 10 characters so the third argument of +strncmp() need to be 10 in order to match this prefix correctly. + +Signed-off-by: Nicolas Iooss +Fixes: 855aed1220d2 ("ath10k: add spectral scan feature") +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath10k/spectral.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath10k/spectral.c ++++ b/drivers/net/wireless/ath/ath10k/spectral.c +@@ -338,7 +338,7 @@ static ssize_t write_file_spec_scan_ctl( + } else { + res = -EINVAL; + } +- } else if (strncmp("background", buf, 9) == 0) { ++ } else if (strncmp("background", buf, 10) == 0) { + res = ath10k_spectral_scan_config(ar, SPECTRAL_BACKGROUND); + } else if (strncmp("manual", buf, 6) == 0) { + res = ath10k_spectral_scan_config(ar, SPECTRAL_MANUAL); diff --git a/queue-4.9/clk-renesas-cpg-mssr-fix-inverted-debug-check.patch b/queue-4.9/clk-renesas-cpg-mssr-fix-inverted-debug-check.patch new file mode 100644 index 00000000000..45a623de634 --- /dev/null +++ b/queue-4.9/clk-renesas-cpg-mssr-fix-inverted-debug-check.patch @@ -0,0 +1,34 @@ +From bc4725d9029e2c8205fbaf1105e193d1c4e463bb Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 3 Oct 2016 13:03:38 +0200 +Subject: clk: renesas: cpg-mssr: Fix inverted debug check + +From: Geert Uytterhoeven + +commit bc4725d9029e2c8205fbaf1105e193d1c4e463bb upstream. + +The intention was to enable the checks if debugging is enabled, not +disabled. + +Fixes: f793d1e51705b276 ("clk: shmobile: Add new CPG/MSSR driver core") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/renesas/renesas-cpg-mssr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/clk/renesas/renesas-cpg-mssr.c ++++ b/drivers/clk/renesas/renesas-cpg-mssr.c +@@ -33,9 +33,9 @@ + #include "clk-div6.h" + + #ifdef DEBUG +-#define WARN_DEBUG(x) do { } while (0) +-#else + #define WARN_DEBUG(x) WARN_ON(x) ++#else ++#define WARN_DEBUG(x) do { } while (0) + #endif + + diff --git a/queue-4.9/cris-only-build-flash-rescue-image-if-config_etrax_axisflashmap-is-selected.patch b/queue-4.9/cris-only-build-flash-rescue-image-if-config_etrax_axisflashmap-is-selected.patch new file mode 100644 index 00000000000..bd258249b28 --- /dev/null +++ b/queue-4.9/cris-only-build-flash-rescue-image-if-config_etrax_axisflashmap-is-selected.patch @@ -0,0 +1,56 @@ +From 328cf6927bb72cadefddebbc9a23c793108147a2 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Sun, 30 Oct 2016 09:09:18 -0700 +Subject: cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected + +From: Guenter Roeck + +commit 328cf6927bb72cadefddebbc9a23c793108147a2 upstream. + +If CONFIG_ETRAX_AXISFLASHMAP is not configured, the flash rescue image +object file is empty. With recent versions of binutils, this results +in the following build error. + +cris-linux-objcopy: error: + the input file 'arch/cris/boot/rescue/rescue.o' has no sections + +This is seen, for example, when trying to build cris:allnoconfig +with recently generated toolchains. + +Since it does not make sense to build a flash rescue image if there is +no flash, only build it if CONFIG_ETRAX_AXISFLASHMAP is enabled. + +Reported-by: kbuild test robot +Fixes: 66ab3a74c5ce ("CRIS: Merge machine dependent boot/compressed ..") +Signed-off-by: Guenter Roeck +Signed-off-by: Jesper Nilsson +Signed-off-by: Greg Kroah-Hartman + +--- + arch/cris/boot/rescue/Makefile | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/arch/cris/boot/rescue/Makefile ++++ b/arch/cris/boot/rescue/Makefile +@@ -10,6 +10,9 @@ + + asflags-y += $(LINUXINCLUDE) + ccflags-y += -O2 $(LINUXINCLUDE) ++ ++ifdef CONFIG_ETRAX_AXISFLASHMAP ++ + arch-$(CONFIG_ETRAX_ARCH_V10) = v10 + arch-$(CONFIG_ETRAX_ARCH_V32) = v32 + +@@ -28,6 +31,11 @@ $(obj)/rescue.bin: $(obj)/rescue.o FORCE + $(call if_changed,objcopy) + cp -p $(obj)/rescue.bin $(objtree) + ++else ++$(obj)/rescue.bin: ++ ++endif ++ + $(obj)/testrescue.bin: $(obj)/testrescue.o + $(OBJCOPY) $(OBJCOPYFLAGS) $(obj)/testrescue.o tr.bin + # Pad it to 784 bytes diff --git a/queue-4.9/debugfs-improve-define_debugfs_attribute-for-config_debug_fs.patch b/queue-4.9/debugfs-improve-define_debugfs_attribute-for-config_debug_fs.patch new file mode 100644 index 00000000000..e2e145201fa --- /dev/null +++ b/queue-4.9/debugfs-improve-define_debugfs_attribute-for-config_debug_fs.patch @@ -0,0 +1,109 @@ +From 7f847dd31736f1284538e54f46cf10e63929eb7f Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 20 Oct 2016 22:07:53 +0200 +Subject: debugfs: improve DEFINE_DEBUGFS_ATTRIBUTE for !CONFIG_DEBUG_FS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Arnd Bergmann + +commit 7f847dd31736f1284538e54f46cf10e63929eb7f upstream. + +The slp_s0_residency_usec debugfs file currently uses +DEFINE_DEBUGFS_ATTRIBUTE(), but that macro cannot really be used to +define files outside of the debugfs code, as it has no reference to +the get/set functions if CONFIG_DEBUG_FS is not defined: + +drivers/platform/x86/intel_pmc_core.c:80:12: error: ‘pmc_core_dev_state_get’ defined but not used [-Werror=unused-function] + +This fixes the macro to always contain the reference, and instead rely +on the stubbed-out debugfs_create_file to not actually refer to +its arguments so the compiler can still drop the reference. +This works because the attribute definition is always 'static', +and the dead-code removal silently drops all static symbols +that are not used. + +Fixes: c64688081490 ("debugfs: add support for self-protecting attribute file fops") +Fixes: df2294fb6428 ("intel_pmc_core: Convert to DEFINE_DEBUGFS_ATTRIBUTE") +Signed-off-by: Arnd Bergmann +[nicstange@gmail.com: Add dummy implementations of debugfs_attr_read() and + debugfs_attr_write() in order to protect against possibly broken dead + code elimination and to improve readability. + Correct CONFIG_DEBUGFS_FS -> CONFIG_DEBUG_FS typo in changelog.] +Signed-off-by: Nicolai Stange +Reviewed-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/debugfs.h | 44 +++++++++++++++++++++++++++----------------- + 1 file changed, 27 insertions(+), 17 deletions(-) + +--- a/include/linux/debugfs.h ++++ b/include/linux/debugfs.h +@@ -62,6 +62,21 @@ static inline const struct file_operatio + return filp->f_path.dentry->d_fsdata; + } + ++#define DEFINE_DEBUGFS_ATTRIBUTE(__fops, __get, __set, __fmt) \ ++static int __fops ## _open(struct inode *inode, struct file *file) \ ++{ \ ++ __simple_attr_check_format(__fmt, 0ull); \ ++ return simple_attr_open(inode, file, __get, __set, __fmt); \ ++} \ ++static const struct file_operations __fops = { \ ++ .owner = THIS_MODULE, \ ++ .open = __fops ## _open, \ ++ .release = simple_attr_release, \ ++ .read = debugfs_attr_read, \ ++ .write = debugfs_attr_write, \ ++ .llseek = generic_file_llseek, \ ++} ++ + #if defined(CONFIG_DEBUG_FS) + + struct dentry *debugfs_create_file(const char *name, umode_t mode, +@@ -99,21 +114,6 @@ ssize_t debugfs_attr_read(struct file *f + ssize_t debugfs_attr_write(struct file *file, const char __user *buf, + size_t len, loff_t *ppos); + +-#define DEFINE_DEBUGFS_ATTRIBUTE(__fops, __get, __set, __fmt) \ +-static int __fops ## _open(struct inode *inode, struct file *file) \ +-{ \ +- __simple_attr_check_format(__fmt, 0ull); \ +- return simple_attr_open(inode, file, __get, __set, __fmt); \ +-} \ +-static const struct file_operations __fops = { \ +- .owner = THIS_MODULE, \ +- .open = __fops ## _open, \ +- .release = simple_attr_release, \ +- .read = debugfs_attr_read, \ +- .write = debugfs_attr_write, \ +- .llseek = generic_file_llseek, \ +-} +- + struct dentry *debugfs_rename(struct dentry *old_dir, struct dentry *old_dentry, + struct dentry *new_dir, const char *new_name); + +@@ -233,8 +233,18 @@ static inline void debugfs_use_file_fini + __releases(&debugfs_srcu) + { } + +-#define DEFINE_DEBUGFS_ATTRIBUTE(__fops, __get, __set, __fmt) \ +- static const struct file_operations __fops = { 0 } ++static inline ssize_t debugfs_attr_read(struct file *file, char __user *buf, ++ size_t len, loff_t *ppos) ++{ ++ return -ENODEV; ++} ++ ++static inline ssize_t debugfs_attr_write(struct file *file, ++ const char __user *buf, ++ size_t len, loff_t *ppos) ++{ ++ return -ENODEV; ++} + + static inline struct dentry *debugfs_rename(struct dentry *old_dir, struct dentry *old_dentry, + struct dentry *new_dir, char *new_name) diff --git a/queue-4.9/drm-i915-dp-add-lane_count-check-in-intel_dp_check_link_status.patch b/queue-4.9/drm-i915-dp-add-lane_count-check-in-intel_dp_check_link_status.patch new file mode 100644 index 00000000000..56c610850e0 --- /dev/null +++ b/queue-4.9/drm-i915-dp-add-lane_count-check-in-intel_dp_check_link_status.patch @@ -0,0 +1,50 @@ +From d4cb3fd9b548b8bfe2a712ec920b9ebabd3547ab Mon Sep 17 00:00:00 2001 +From: Matthew Auld +Date: Wed, 19 Oct 2016 22:29:53 +0100 +Subject: drm/i915/dp: add lane_count check in intel_dp_check_link_status +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matthew Auld + +commit d4cb3fd9b548b8bfe2a712ec920b9ebabd3547ab upstream. + +Currently it's entirely possible to go through the link training step +without first determining the lane_count, which is silly since we end up +doing a bunch of aux transfers of size = 0, as highlighted by +WARN_ON(!msg->buffer != !msg->size), and can only ever result in a +'failed to update link training' message. This can be observed during +intel_dp_long_pulse where we can do the link training step, but before +we have had a chance to set the link params. To avoid this we add an +extra check for the lane_count in intel_dp_check_link_status, which +should prevent us from doing the link training step prematurely. + +v2: add WARN_ON_ONCE and FIXME comment (Ville) + +References: https://bugs.freedesktop.org/show_bug.cgi?id=97344 +Cc: Ville Syrjälä +Cc: Mika Kahola +Signed-off-by: Matthew Auld +Link: http://patchwork.freedesktop.org/patch/msgid/1476912593-10019-1-git-send-email-matthew.auld@intel.com +Signed-off-by: Ville Syrjälä +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_dp.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/i915/intel_dp.c ++++ b/drivers/gpu/drm/i915/intel_dp.c +@@ -4018,6 +4018,11 @@ intel_dp_check_link_status(struct intel_ + if (!to_intel_crtc(intel_encoder->base.crtc)->active) + return; + ++ /* FIXME: we need to synchronize this sort of stuff with hardware ++ * readout */ ++ if (WARN_ON_ONCE(!intel_dp->lane_count)) ++ return; ++ + /* if link training is requested we should perform it always */ + if ((intel_dp->compliance_test_type == DP_TEST_LINK_TRAINING) || + (!drm_dp_channel_eq_ok(link_status, intel_dp->lane_count))) { diff --git a/queue-4.9/drm-i915-tune-down-the-fast-link-training-vs-boot-fail.patch b/queue-4.9/drm-i915-tune-down-the-fast-link-training-vs-boot-fail.patch new file mode 100644 index 00000000000..fc0e8d60467 --- /dev/null +++ b/queue-4.9/drm-i915-tune-down-the-fast-link-training-vs-boot-fail.patch @@ -0,0 +1,46 @@ +From 2c57b18adb93fc070039538f1ce375d3d3e99bbb Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Tue, 13 Dec 2016 20:54:14 +0100 +Subject: drm/i915: tune down the fast link training vs boot fail +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Vetter + +commit 2c57b18adb93fc070039538f1ce375d3d3e99bbb upstream. + +It's been unfixed since a while and no one is immediately working on +this. And we have the FIXME already. And now also a task in the DP +team's backlog. + +Cc: Linus Torvalds +Cc: stable@vger.kernel.org +Cc: Ville Syrjälä +References: https://lists.freedesktop.org/archives/intel-gfx/2016-July/101951.html +Acked-by: Ville Syrjälä +[danvet: Adjust comment per Ville's feedback.] +Signed-off-by: Daniel Vetter +Link: http://patchwork.freedesktop.org/patch/msgid/20161213195414.28923-1-daniel.vetter@ffwll.ch +Signed-off-by: Greg Kroah-Hartman + +(cherry picked from commit 2dd85aeb5bc99e3763dd192cdb95ff405a102c8a) +Signed-off-by: Jani Nikula + +--- + drivers/gpu/drm/i915/intel_dp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_dp.c ++++ b/drivers/gpu/drm/i915/intel_dp.c +@@ -4019,8 +4019,8 @@ intel_dp_check_link_status(struct intel_ + return; + + /* FIXME: we need to synchronize this sort of stuff with hardware +- * readout */ +- if (WARN_ON_ONCE(!intel_dp->lane_count)) ++ * readout. Currently fast link training doesn't work on boot-up. */ ++ if (!intel_dp->lane_count) + return; + + /* if link training is requested we should perform it always */ diff --git a/queue-4.9/efi-efivar_ssdt_load-don-t-return-success-on-allocation-failure.patch b/queue-4.9/efi-efivar_ssdt_load-don-t-return-success-on-allocation-failure.patch new file mode 100644 index 00000000000..66a18fa1caa --- /dev/null +++ b/queue-4.9/efi-efivar_ssdt_load-don-t-return-success-on-allocation-failure.patch @@ -0,0 +1,40 @@ +From a75dcb5848359f488c32c0aef8711d9bd37a77b8 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 18 Oct 2016 15:33:18 +0100 +Subject: efi/efivar_ssdt_load: Don't return success on allocation failure + +From: Dan Carpenter + +commit a75dcb5848359f488c32c0aef8711d9bd37a77b8 upstream. + +We should return -ENOMEM here, instead of success. + +Signed-off-by: Dan Carpenter +Signed-off-by: Ard Biesheuvel +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Fixes: 475fb4e8b2f4 ("efi / ACPI: load SSTDs from EFI variables") +Link: http://lkml.kernel.org/r/20161018143318.15673-9-matt@codeblueprint.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firmware/efi/efi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/firmware/efi/efi.c ++++ b/drivers/firmware/efi/efi.c +@@ -259,8 +259,10 @@ static __init int efivar_ssdt_load(void) + } + + data = kmalloc(size, GFP_KERNEL); +- if (!data) ++ if (!data) { ++ ret = -ENOMEM; + goto free_entry; ++ } + + ret = efivar_entry_get(entry, NULL, &size, data); + if (ret) { diff --git a/queue-4.9/mac80211-fix-tid_agg_rx-null-dereference.patch b/queue-4.9/mac80211-fix-tid_agg_rx-null-dereference.patch new file mode 100644 index 00000000000..674ffaa3bda --- /dev/null +++ b/queue-4.9/mac80211-fix-tid_agg_rx-null-dereference.patch @@ -0,0 +1,105 @@ +From 1c3d185a9a0b136a58e73b02912d593d0303d1da Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 18 Oct 2016 23:12:08 +0300 +Subject: mac80211: fix tid_agg_rx NULL dereference + +From: Johannes Berg + +commit 1c3d185a9a0b136a58e73b02912d593d0303d1da upstream. + +On drivers setting the SUPPORTS_REORDERING_BUFFER hardware flag, +we crash when the peer sends an AddBA request while we already +have a session open on the seame TID; this is because on those +drivers, the tid_agg_rx is left NULL even though the session is +valid, and the agg_session_valid bit is set. + +To fix this, store the dialog tokens outside the tid_agg_rx to +be able to compare them to the received AddBA request. + +Fixes: f89e07d4cf26 ("mac80211: agg-rx: refuse ADDBA Request with timeout update") +Reported-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/agg-rx.c | 8 ++------ + net/mac80211/debugfs_sta.c | 2 +- + net/mac80211/sta_info.h | 4 ++-- + 3 files changed, 5 insertions(+), 9 deletions(-) + +--- a/net/mac80211/agg-rx.c ++++ b/net/mac80211/agg-rx.c +@@ -315,11 +315,7 @@ void __ieee80211_start_rx_ba_session(str + mutex_lock(&sta->ampdu_mlme.mtx); + + if (test_bit(tid, sta->ampdu_mlme.agg_session_valid)) { +- tid_agg_rx = rcu_dereference_protected( +- sta->ampdu_mlme.tid_rx[tid], +- lockdep_is_held(&sta->ampdu_mlme.mtx)); +- +- if (tid_agg_rx->dialog_token == dialog_token) { ++ if (sta->ampdu_mlme.tid_rx_token[tid] == dialog_token) { + ht_dbg_ratelimited(sta->sdata, + "updated AddBA Req from %pM on tid %u\n", + sta->sta.addr, tid); +@@ -396,7 +392,6 @@ void __ieee80211_start_rx_ba_session(str + } + + /* update data */ +- tid_agg_rx->dialog_token = dialog_token; + tid_agg_rx->ssn = start_seq_num; + tid_agg_rx->head_seq_num = start_seq_num; + tid_agg_rx->buf_size = buf_size; +@@ -418,6 +413,7 @@ end: + if (status == WLAN_STATUS_SUCCESS) { + __set_bit(tid, sta->ampdu_mlme.agg_session_valid); + __clear_bit(tid, sta->ampdu_mlme.unexpected_agg); ++ sta->ampdu_mlme.tid_rx_token[tid] = dialog_token; + } + mutex_unlock(&sta->ampdu_mlme.mtx); + +--- a/net/mac80211/debugfs_sta.c ++++ b/net/mac80211/debugfs_sta.c +@@ -205,7 +205,7 @@ static ssize_t sta_agg_status_read(struc + p += scnprintf(p, sizeof(buf) + buf - p, "%02d", i); + p += scnprintf(p, sizeof(buf) + buf - p, "\t\t%x", !!tid_rx); + p += scnprintf(p, sizeof(buf) + buf - p, "\t%#.2x", +- tid_rx ? tid_rx->dialog_token : 0); ++ tid_rx ? sta->ampdu_mlme.tid_rx_token[i] : 0); + p += scnprintf(p, sizeof(buf) + buf - p, "\t%#.3x", + tid_rx ? tid_rx->ssn : 0); + +--- a/net/mac80211/sta_info.h ++++ b/net/mac80211/sta_info.h +@@ -184,7 +184,6 @@ struct tid_ampdu_tx { + * @ssn: Starting Sequence Number expected to be aggregated. + * @buf_size: buffer size for incoming A-MPDUs + * @timeout: reset timer value (in TUs). +- * @dialog_token: dialog token for aggregation session + * @rcu_head: RCU head used for freeing this struct + * @reorder_lock: serializes access to reorder buffer, see below. + * @auto_seq: used for offloaded BA sessions to automatically pick head_seq_and +@@ -213,7 +212,6 @@ struct tid_ampdu_rx { + u16 ssn; + u16 buf_size; + u16 timeout; +- u8 dialog_token; + bool auto_seq; + bool removed; + }; +@@ -225,6 +223,7 @@ struct tid_ampdu_rx { + * to tid_tx[idx], which are protected by the sta spinlock) + * tid_start_tx is also protected by sta->lock. + * @tid_rx: aggregation info for Rx per TID -- RCU protected ++ * @tid_rx_token: dialog tokens for valid aggregation sessions + * @tid_rx_timer_expired: bitmap indicating on which TIDs the + * RX timer expired until the work for it runs + * @tid_rx_stop_requested: bitmap indicating which BA sessions per TID the +@@ -243,6 +242,7 @@ struct sta_ampdu_mlme { + struct mutex mtx; + /* rx */ + struct tid_ampdu_rx __rcu *tid_rx[IEEE80211_NUM_TIDS]; ++ u8 tid_rx_token[IEEE80211_NUM_TIDS]; + unsigned long tid_rx_timer_expired[BITS_TO_LONGS(IEEE80211_NUM_TIDS)]; + unsigned long tid_rx_stop_requested[BITS_TO_LONGS(IEEE80211_NUM_TIDS)]; + unsigned long agg_session_valid[BITS_TO_LONGS(IEEE80211_NUM_TIDS)]; diff --git a/queue-4.9/mfd-tps65217-fix-page-fault-on-unloading-modules.patch b/queue-4.9/mfd-tps65217-fix-page-fault-on-unloading-modules.patch new file mode 100644 index 00000000000..6b1393bc701 --- /dev/null +++ b/queue-4.9/mfd-tps65217-fix-page-fault-on-unloading-modules.patch @@ -0,0 +1,160 @@ +From 40a50f8b307de8d08f3fa37c312fc16a7dd233e5 Mon Sep 17 00:00:00 2001 +From: Milo Kim +Date: Tue, 15 Nov 2016 22:02:11 +0900 +Subject: mfd: tps65217: Fix page fault on unloading modules + +From: Milo Kim + +commit 40a50f8b307de8d08f3fa37c312fc16a7dd233e5 upstream. + +TPS65217 IRQ domain should be removed and initialised as NULL when the +module is unloaded for the next use. When tps65217.ko is loaded again, +it causes the page fault. This patch fixes the error below. + +root@arm:~# lsmod | grep "tps" +tps65217_charger 3538 0 +tps65218_pwrbutton 2974 0 +tps65217 6710 1 tps65217_charger + +root@arm:~# modprobe -r tps65217_charger + +root@arm:~# modprobe tps65217.ko +[ 71.990277] Unable to handle kernel paging request at virtual address bf055944 +[ 71.998063] pgd = dd3a4000 +[ 72.000904] [bf055944] *pgd=9e6f7811, *pte=00000000, *ppte=00000000 +[ 72.007567] Internal error: Oops: 7 [#1] SMP ARM +[ 72.012404] Modules linked in: tps65217(+) evdev musb_dsps musb_hdrc udc_core tps65218_pwrbutton usbcore phy_am335] +[ 72.055700] CPU: 0 PID: 243 Comm: modprobe Not tainted 4.9.0-rc5-next-20161114 #3 +[ 72.063531] Hardware name: Generic AM33XX (Flattened Device Tree) +[ 72.069899] task: de714380 task.stack: de7e6000 +[ 72.074655] PC is at irq_find_matching_fwspec+0x88/0x100 +[ 72.080211] LR is at 0xde7e79d8 +[ 72.083496] pc : [] lr : [] psr: 200e0013 +[ 72.083496] sp : de7e7a78 ip : 00000000 fp : dd138a68 +[ 72.095506] r10: c0ca04f8 r9 : 00000018 r8 : de7e7ab8 +[ 72.100973] r7 : 00000001 r6 : c0c4517c r5 : df963f68 r4 : de321980 +[ 72.107797] r3 : bf055940 r2 : de714380 r1 : 00000000 r0 : 00000000 +[ 72.114633] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +[ 72.122084] Control: 10c5387d Table: 9d3a4019 DAC: 00000051 +[ 72.128097] Process modprobe (pid: 243, stack limit = 0xde7e6218) +[ 72.134489] Stack: (0xde7e7a78 to 0xde7e8000) +[ 72.139060] 7a60: df963f68 de7e7ab8 +[ 72.147643] 7a80: 00000000 dd0e1000 dd491e20 c01a6ea0 600e0013 c01a5dc0 dd138a68 c0c45138 +[ 72.156216] 7aa0: df963f68 00000000 df963f68 dd0e1010 00000000 c01a71a4 df963f68 00000001 +[ 72.164800] 7ac0: 00000002 de7e7ac0 c80048b8 dd0adf00 df963f68 c0c4517c 00000000 de7e7b50 +[ 72.173369] 7ae0: 00000018 c0ca04f8 dd138a68 c01a5dc0 df963f68 dd0e1010 00000000 dd0e1000 +[ 72.181942] 7b00: dd491e20 c0653a70 df963f58 00000001 00000002 00000000 00000000 00000000 +[ 72.190522] 7b20: 600e0093 c0cbf8f0 c0c0512c c0193674 00000001 00000080 00000000 c0554984 +[ 72.199096] 7b40: 00000000 00000000 800e0013 c0553858 df963f68 00000000 00000000 00000000 +[ 72.207674] 7b60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 72.216239] 7b80: 00000000 00000000 00000000 00000000 00000000 00000000 dd0e1000 c0544d24 +[ 72.224816] 7ba0: dd491e10 dd0e1010 dd16e800 bf1d517c bf1d5620 dd0e1010 c1497ed4 bf1d5620 +[ 72.233398] 7bc0: dd0e1010 fffffdfb bf1d5620 bf1d5620 00000000 c054537c c0545330 dd0e1010 +[ 72.241967] 7be0: c1497ed4 00000000 bf1d5620 c05433ac 00000000 00000000 de7e7c28 c0543570 +[ 72.250537] 7c00: 00000001 c1497e90 00000000 c0541884 de080cd4 dd44b7d4 dd0e1010 dd0e1010 +[ 72.259109] 7c20: dd0e1044 c05430c8 dd0e1010 00000001 dd0e1010 dd0e1018 dd0e1010 c0c9e328 +[ 72.267676] 7c40: de5d4020 c0542760 dd0e1018 dd0e1010 00000000 c0540ba8 dd138a40 c048dec4 +[ 72.276253] 7c60: 00000000 dd0e1000 00000001 dd0e1000 dd0e1010 dd0e1000 bf233de0 dd138a40 +[ 72.284829] 7c80: dd0e1010 c05450a0 000000bf 00000000 dd138a60 00000001 dd0e1000 c0571240 +[ 72.293398] 7ca0: 00000000 dd1ce9c0 00000040 dd1ce9cc bf233de0 00000003 de5d4020 ffffffff +[ 72.301969] 7cc0: 00000004 dd0adf00 00000000 c0571408 00000000 00000000 dd0adf00 de5d4020 +[ 72.310543] 7ce0: c057146c dd1ce9c0 bf233d14 de5d4020 de7fb3d0 00000004 bf233d14 ffffffff +[ 72.319120] 7d00: 00000018 dd49bf30 c01cedc0 c05714d0 00000000 00000000 dd0adf00 de322810 +[ 72.327692] 7d20: de322810 00000000 dd033000 000000f0 00000001 bf2333fc 00000000 00000000 +[ 72.336269] 7d40: dd0adf00 de5d4020 000000b6 bf233e40 de5d4020 bf233968 de5d4004 de5d4000 +[ 72.344848] 7d60: bf233314 c06148ac de5d4020 c1497ed4 00000000 bf233e40 00000000 c05433ac +[ 72.353422] 7d80: 00000000 de5d4020 bf233e40 de5d4054 00000000 bf236000 00000000 c0543538 +[ 72.362002] 7da0: 00000000 bf233e40 c0543484 c05417e4 de1442a4 de5d04d0 bf233e40 de321300 +[ 72.370582] 7dc0: c0caa5a4 c05429fc bf233be0 bf233e40 c0cbfa44 bf233e40 c0cbfa44 dd2f7740 +[ 72.379148] 7de0: bf233f00 c05442f0 bf233e8c bf233e24 c0cbfa44 c0615ae0 00000000 bf233f00 +[ 72.387718] 7e00: c0cbfa44 c010186c 200f0013 c0191650 de714380 00000000 600f0013 00000040 +[ 72.396286] 7e20: dd2f7740 c018f1ac 00000001 c0c8356c 024000c0 c01a8854 c0c56e0e c028225c +[ 72.404863] 7e40: dd2f7740 c0191984 de714380 dd2f7740 00000001 bf233f00 bf233f00 c0cbfa44 +[ 72.413440] 7e60: dd2f7740 bf233f00 00000001 dd49bf08 dd49bf30 c0230998 00000001 c0c8356c +[ 72.421997] 7e80: c0c4c536 c0cbfa44 c0c0512c c01d2070 bf233f0c 00007fff bf233f00 c01cf5b8 +[ 72.430570] 7ea0: 00000000 c1475134 c01cee34 bf23411c bf233f48 bf234054 bf234150 00000000 +[ 72.439144] 7ec0: 024002c2 de7fbf40 0009bc20 c02776ac ff800000 00000000 00000000 bf233670 +[ 72.447723] 7ee0: 00000004 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +[ 72.456298] 7f00: 00000000 00000000 00000000 00000000 c01d2590 0000aa41 00000000 00000000 +[ 72.464862] 7f20: 000b2549 e12c3a41 00000051 de7e6000 0009bc20 c01d2630 00000530 e12b9000 +[ 72.473438] 7f40: 0000aa41 e12c1434 e12c1211 e12c336c 00001150 00001620 00000000 00000000 +[ 72.482003] 7f60: 00000000 000010fc 00000035 00000036 0000001d 0000001a 00000017 00000000 +[ 72.490564] 7f80: de7e6000 3ba39a00 0009b008 0009b718 00000080 c0107704 de7e6000 00000000 +[ 72.499141] 7fa0: 0009f609 c0107560 3ba39a00 0009b008 000a7b08 0000aa41 0009bc20 0000aa41 +[ 72.507717] 7fc0: 3ba39a00 0009b008 0009b718 00000080 00000001 00000008 0009ab14 0009f609 +[ 72.516290] 7fe0: bea31ab8 bea31aa8 0001e5eb b6e83b42 800f0030 000a7b08 0000ffff 0840ffff +[ 72.524883] [] (irq_find_matching_fwspec) from [] (irq_create_fwspec_mapping+0x28/0x2e0) +[ 72.535174] [] (irq_create_fwspec_mapping) from [] (irq_create_of_mapping+0x4c/0x54) +[ 72.545115] [] (irq_create_of_mapping) from [] (of_irq_get+0x58/0x68) +[ 72.553699] [] (of_irq_get) from [] (platform_get_irq+0x1c/0xec) +[ 72.561828] [] (platform_get_irq) from [] (tps6521x_pb_probe+0xd0/0x1a8 [tps65218_pwrbutton]) +[ 72.572581] [] (tps6521x_pb_probe [tps65218_pwrbutton]) from [] (platform_drv_probe+0x4c/0xac) +[ 72.583426] [] (platform_drv_probe) from [] (driver_probe_device+0x204/0x2dc) +[ 72.592729] [] (driver_probe_device) from [] (bus_for_each_drv+0x58/0x8c) +[ 72.601657] [] (bus_for_each_drv) from [] (__device_attach+0xb0/0x114) +[ 72.610324] [] (__device_attach) from [] (bus_probe_device+0x88/0x90) +[ 72.618898] [] (bus_probe_device) from [] (device_add+0x3b8/0x560) +[ 72.627203] [] (device_add) from [] (platform_device_add+0xa8/0x208) +[ 72.635693] [] (platform_device_add) from [] (mfd_add_device+0x240/0x338) +[ 72.644634] [] (mfd_add_device) from [] (mfd_add_devices+0xa0/0x104) +[ 72.653120] [] (mfd_add_devices) from [] (devm_mfd_add_devices+0x60/0xa8) +[ 72.662077] [] (devm_mfd_add_devices) from [] (tps65217_probe+0xe8/0x2ec [tps65217]) +[ 72.672026] [] (tps65217_probe [tps65217]) from [] (i2c_device_probe+0x168/0x1f4) +[ 72.681695] [] (i2c_device_probe) from [] (driver_probe_device+0x204/0x2dc) +[ 72.690816] [] (driver_probe_device) from [] (__driver_attach+0xb4/0xb8) +[ 72.699657] [] (__driver_attach) from [] (bus_for_each_dev+0x60/0x94) +[ 72.708224] [] (bus_for_each_dev) from [] (bus_add_driver+0x18c/0x214) +[ 72.716892] [] (bus_add_driver) from [] (driver_register+0x78/0xf8) +[ 72.725280] [] (driver_register) from [] (i2c_register_driver+0x38/0x80) +[ 72.734120] [] (i2c_register_driver) from [] (do_one_initcall+0x3c/0x178) +[ 72.743055] [] (do_one_initcall) from [] (do_init_module+0x5c/0x1d0) +[ 72.751537] [] (do_init_module) from [] (load_module+0x1d10/0x21c0) +[ 72.759933] [] (load_module) from [] (SyS_init_module+0x110/0x154) +[ 72.768242] [] (SyS_init_module) from [] (ret_fast_syscall+0x0/0x1c) +[ 72.776725] Code: e5944000 e1540006 0a00001b e594300c (e593c004) +[ 72.783181] ---[ end trace 0278ec325f4689b8 ]--- + +Fixes: 6556bdacf646 ("mfd: tps65217: Add support for IRQs") +Signed-off-by: Milo Kim +Signed-off-by: Lee Jones +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mfd/tps65217.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/drivers/mfd/tps65217.c ++++ b/drivers/mfd/tps65217.c +@@ -424,6 +424,24 @@ static int tps65217_probe(struct i2c_cli + return 0; + } + ++static int tps65217_remove(struct i2c_client *client) ++{ ++ struct tps65217 *tps = i2c_get_clientdata(client); ++ unsigned int virq; ++ int i; ++ ++ for (i = 0; i < ARRAY_SIZE(tps65217_irqs); i++) { ++ virq = irq_find_mapping(tps->irq_domain, i); ++ if (virq) ++ irq_dispose_mapping(virq); ++ } ++ ++ irq_domain_remove(tps->irq_domain); ++ tps->irq_domain = NULL; ++ ++ return 0; ++} ++ + static const struct i2c_device_id tps65217_id_table[] = { + {"tps65217", TPS65217}, + { /* sentinel */ } +@@ -437,6 +455,7 @@ static struct i2c_driver tps65217_driver + }, + .id_table = tps65217_id_table, + .probe = tps65217_probe, ++ .remove = tps65217_remove, + }; + + static int __init tps65217_init(void) diff --git a/queue-4.9/nl80211-use-different-attrs-for-bssid-and-random-mac-addr-in-scan-req.patch b/queue-4.9/nl80211-use-different-attrs-for-bssid-and-random-mac-addr-in-scan-req.patch new file mode 100644 index 00000000000..567117d1890 --- /dev/null +++ b/queue-4.9/nl80211-use-different-attrs-for-bssid-and-random-mac-addr-in-scan-req.patch @@ -0,0 +1,100 @@ +From 2fa436b3a2a7009c11a3bc03fe0ff4c26e80fd87 Mon Sep 17 00:00:00 2001 +From: Vamsi Krishna +Date: Fri, 2 Dec 2016 23:59:08 +0200 +Subject: nl80211: Use different attrs for BSSID and random MAC addr in scan req + +From: Vamsi Krishna + +commit 2fa436b3a2a7009c11a3bc03fe0ff4c26e80fd87 upstream. + +NL80211_ATTR_MAC was used to set both the specific BSSID to be scanned +and the random MAC address to be used when privacy is enabled. When both +the features are enabled, both the BSSID and the local MAC address were +getting same value causing Probe Request frames to go with unintended +DA. Hence, this has been fixed by using a different NL80211_ATTR_BSSID +attribute to set the specific BSSID (which was the more recent addition +in cfg80211) for a scan. + +Backwards compatibility with old userspace software is maintained to +some extent by allowing NL80211_ATTR_MAC to be used to set the specific +BSSID when scanning without enabling random MAC address use. + +Scanning with random source MAC address was introduced by commit +ad2b26abc157 ("cfg80211: allow drivers to support random MAC addresses +for scan") and the issue was introduced with the addition of the second +user for the same attribute in commit 818965d39177 ("cfg80211: Allow a +scan request for a specific BSSID"). + +Fixes: 818965d39177 ("cfg80211: Allow a scan request for a specific BSSID") +Signed-off-by: Vamsi Krishna +Signed-off-by: Jouni Malinen +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/linux/nl80211.h | 7 ++++++- + net/wireless/nl80211.c | 16 +++++++++++++++- + 2 files changed, 21 insertions(+), 2 deletions(-) + +--- a/include/uapi/linux/nl80211.h ++++ b/include/uapi/linux/nl80211.h +@@ -323,7 +323,7 @@ + * @NL80211_CMD_GET_SCAN: get scan results + * @NL80211_CMD_TRIGGER_SCAN: trigger a new scan with the given parameters + * %NL80211_ATTR_TX_NO_CCK_RATE is used to decide whether to send the +- * probe requests at CCK rate or not. %NL80211_ATTR_MAC can be used to ++ * probe requests at CCK rate or not. %NL80211_ATTR_BSSID can be used to + * specify a BSSID to scan for; if not included, the wildcard BSSID will + * be used. + * @NL80211_CMD_NEW_SCAN_RESULTS: scan notification (as a reply to +@@ -1937,6 +1937,9 @@ enum nl80211_commands { + * @NL80211_ATTR_NAN_MATCH: used to report a match. This is a nested attribute. + * See &enum nl80211_nan_match_attributes. + * ++ * @NL80211_ATTR_BSSID: The BSSID of the AP. Note that %NL80211_ATTR_MAC is also ++ * used in various commands/events for specifying the BSSID. ++ * + * @NUM_NL80211_ATTR: total number of nl80211_attrs available + * @NL80211_ATTR_MAX: highest attribute number currently defined + * @__NL80211_ATTR_AFTER_LAST: internal use +@@ -2336,6 +2339,8 @@ enum nl80211_attrs { + NL80211_ATTR_NAN_FUNC, + NL80211_ATTR_NAN_MATCH, + ++ NL80211_ATTR_BSSID, ++ + /* add attributes here, update the policy in nl80211.c */ + + __NL80211_ATTR_AFTER_LAST, +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -414,6 +414,7 @@ static const struct nla_policy nl80211_p + [NL80211_ATTR_NAN_MASTER_PREF] = { .type = NLA_U8 }, + [NL80211_ATTR_NAN_DUAL] = { .type = NLA_U8 }, + [NL80211_ATTR_NAN_FUNC] = { .type = NLA_NESTED }, ++ [NL80211_ATTR_BSSID] = { .len = ETH_ALEN }, + }; + + /* policy for the key attributes */ +@@ -6677,7 +6678,20 @@ static int nl80211_trigger_scan(struct s + request->no_cck = + nla_get_flag(info->attrs[NL80211_ATTR_TX_NO_CCK_RATE]); + +- if (info->attrs[NL80211_ATTR_MAC]) ++ /* Initial implementation used NL80211_ATTR_MAC to set the specific ++ * BSSID to scan for. This was problematic because that same attribute ++ * was already used for another purpose (local random MAC address). The ++ * NL80211_ATTR_BSSID attribute was added to fix this. For backwards ++ * compatibility with older userspace components, also use the ++ * NL80211_ATTR_MAC value here if it can be determined to be used for ++ * the specific BSSID use case instead of the random MAC address ++ * (NL80211_ATTR_SCAN_FLAGS is used to enable random MAC address use). ++ */ ++ if (info->attrs[NL80211_ATTR_BSSID]) ++ memcpy(request->bssid, ++ nla_data(info->attrs[NL80211_ATTR_BSSID]), ETH_ALEN); ++ else if (!(request->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) && ++ info->attrs[NL80211_ATTR_MAC]) + memcpy(request->bssid, nla_data(info->attrs[NL80211_ATTR_MAC]), + ETH_ALEN); + else diff --git a/queue-4.9/series b/queue-4.9/series index 64df8d74ae8..d7ac608fa69 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -88,3 +88,14 @@ iio-accel-st_accel-fix-lis3lv02-reading-and-scaling.patch usb-dwc3-ep0-add-dwc3_ep0_prepare_one_trb.patch usb-dwc3-ep0-explicitly-call-dwc3_ep0_prepare_one_trb.patch usb-dwc3-gadget-always-unmap-ep0-requests.patch +drm-i915-dp-add-lane_count-check-in-intel_dp_check_link_status.patch +drm-i915-tune-down-the-fast-link-training-vs-boot-fail.patch +mac80211-fix-tid_agg_rx-null-dereference.patch +nl80211-use-different-attrs-for-bssid-and-random-mac-addr-in-scan-req.patch +ath10k-fix-failure-to-send-null-func-frame-for-10.4.patch +mfd-tps65217-fix-page-fault-on-unloading-modules.patch +ath10k-use-the-right-length-of-background.patch +cris-only-build-flash-rescue-image-if-config_etrax_axisflashmap-is-selected.patch +efi-efivar_ssdt_load-don-t-return-success-on-allocation-failure.patch +clk-renesas-cpg-mssr-fix-inverted-debug-check.patch +debugfs-improve-define_debugfs_attribute-for-config_debug_fs.patch