--- /dev/null
+From 18ae68fff392e445af3c2d8be9bef8a16e1c72a7 Mon Sep 17 00:00:00 2001
+From: Michal Kazior <michal.kazior@tieto.com>
+Date: Mon, 14 Nov 2016 14:25:23 +0100
+Subject: ath10k: fix null deref on wmi-tlv when trying spectral scan
+
+From: Michal Kazior <michal.kazior@tieto.com>
+
+commit 18ae68fff392e445af3c2d8be9bef8a16e1c72a7 upstream.
+
+WMI ops wrappers did not properly check for null
+function pointers for spectral scan. This caused
+null dereference crash with WMI-TLV based firmware
+which doesn't implement spectral scan.
+
+The crash could be triggered with:
+
+ ip link set dev wlan0 up
+ echo background > /sys/kernel/debug/ieee80211/phy0/ath10k/spectral_scan_ctl
+
+The crash looked like this:
+
+ [ 168.031989] BUG: unable to handle kernel NULL pointer dereference at (null)
+ [ 168.037406] IP: [< (null)>] (null)
+ [ 168.040395] PGD cdd4067 PUD fa0f067 PMD 0
+ [ 168.043303] Oops: 0010 [#1] SMP
+ [ 168.045377] Modules linked in: ath10k_pci(O) ath10k_core(O) ath mac80211 cfg80211 [last unloaded: cfg80211]
+ [ 168.051560] CPU: 1 PID: 1380 Comm: bash Tainted: G W O 4.8.0 #78
+ [ 168.054336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
+ [ 168.059183] task: ffff88000c460c00 task.stack: ffff88000d4bc000
+ [ 168.061736] RIP: 0010:[<0000000000000000>] [< (null)>] (null)
+ ...
+ [ 168.100620] Call Trace:
+ [ 168.101910] [<ffffffffa03b9566>] ? ath10k_spectral_scan_config+0x96/0x200 [ath10k_core]
+ [ 168.104871] [<ffffffff811386e2>] ? filemap_fault+0xb2/0x4a0
+ [ 168.106696] [<ffffffffa03b97e6>] write_file_spec_scan_ctl+0x116/0x280 [ath10k_core]
+ [ 168.109618] [<ffffffff812da3a1>] full_proxy_write+0x51/0x80
+ [ 168.111443] [<ffffffff811957b8>] __vfs_write+0x28/0x120
+ [ 168.113090] [<ffffffff812f1a2d>] ? security_file_permission+0x3d/0xc0
+ [ 168.114932] [<ffffffff8109b912>] ? percpu_down_read+0x12/0x60
+ [ 168.116680] [<ffffffff811965f8>] vfs_write+0xb8/0x1a0
+ [ 168.118293] [<ffffffff81197966>] SyS_write+0x46/0xa0
+ [ 168.119912] [<ffffffff818f2972>] entry_SYSCALL_64_fastpath+0x1a/0xa4
+ [ 168.121737] Code: Bad RIP value.
+ [ 168.123318] RIP [< (null)>] (null)
+
+Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath10k/wmi-ops.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath10k/wmi-ops.h
++++ b/drivers/net/wireless/ath/ath10k/wmi-ops.h
+@@ -660,6 +660,9 @@ ath10k_wmi_vdev_spectral_conf(struct ath
+ struct sk_buff *skb;
+ u32 cmd_id;
+
++ if (!ar->wmi.ops->gen_vdev_spectral_conf)
++ return -EOPNOTSUPP;
++
+ skb = ar->wmi.ops->gen_vdev_spectral_conf(ar, arg);
+ if (IS_ERR(skb))
+ return PTR_ERR(skb);
+@@ -675,6 +678,9 @@ ath10k_wmi_vdev_spectral_enable(struct a
+ struct sk_buff *skb;
+ u32 cmd_id;
+
++ if (!ar->wmi.ops->gen_vdev_spectral_enable)
++ return -EOPNOTSUPP;
++
+ skb = ar->wmi.ops->gen_vdev_spectral_enable(ar, vdev_id, trigger,
+ enable);
+ if (IS_ERR(skb))
--- /dev/null
+From 860f01e96981a68553f3ca49f574ff14fe955e72 Mon Sep 17 00:00:00 2001
+From: Valentin Vidic <Valentin.Vidic@CARNet.hr>
+Date: Fri, 5 May 2017 21:07:33 +0200
+Subject: ipmi/watchdog: fix watchdog timeout set on reboot
+
+From: Valentin Vidic <Valentin.Vidic@CARNet.hr>
+
+commit 860f01e96981a68553f3ca49f574ff14fe955e72 upstream.
+
+systemd by default starts watchdog on reboot and sets the timer to
+ShutdownWatchdogSec=10min. Reboot handler in ipmi_watchdog than reduces
+the timer to 120s which is not enough time to boot a Xen machine with
+a lot of RAM. As a result the machine is rebooted the second time
+during the long run of (XEN) Scrubbing Free RAM.....
+
+Fix this by setting the timer to 120s only if it was previously
+set to a low value.
+
+Signed-off-by: Valentin Vidic <Valentin.Vidic@CARNet.hr>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_watchdog.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_watchdog.c
++++ b/drivers/char/ipmi/ipmi_watchdog.c
+@@ -1162,10 +1162,11 @@ static int wdog_reboot_handler(struct no
+ ipmi_watchdog_state = WDOG_TIMEOUT_NONE;
+ ipmi_set_timeout(IPMI_SET_TIMEOUT_NO_HB);
+ } else if (ipmi_watchdog_state != WDOG_TIMEOUT_NONE) {
+- /* Set a long timer to let the reboot happens, but
+- reboot if it hangs, but only if the watchdog
++ /* Set a long timer to let the reboot happen or
++ reset if it hangs, but only if the watchdog
+ timer was already running. */
+- timeout = 120;
++ if (timeout < 120)
++ timeout = 120;
+ pretimeout = 0;
+ ipmi_watchdog_state = WDOG_TIMEOUT_RESET;
+ ipmi_set_timeout(IPMI_SET_TIMEOUT_NO_HB);
--- /dev/null
+From e8f4ae85439f34bec3b0ab69223a41809dab28c9 Mon Sep 17 00:00:00 2001
+From: Jia-Ju Bai <baijiaju1990@163.com>
+Date: Wed, 31 May 2017 09:40:11 +0800
+Subject: isdn: Fix a sleep-in-atomic bug
+
+From: Jia-Ju Bai <baijiaju1990@163.com>
+
+commit e8f4ae85439f34bec3b0ab69223a41809dab28c9 upstream.
+
+The driver may sleep under a spin lock, the function call path is:
+isdn_ppp_mp_receive (acquire the lock)
+ isdn_ppp_mp_reassembly
+ isdn_ppp_push_higher
+ isdn_ppp_decompress
+ isdn_ppp_ccp_reset_trans
+ isdn_ppp_ccp_reset_alloc_state
+ kzalloc(GFP_KERNEL) --> may sleep
+
+To fixed it, the "GFP_KERNEL" is replaced with "GFP_ATOMIC".
+
+Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/isdn/i4l/isdn_ppp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/isdn/i4l/isdn_ppp.c
++++ b/drivers/isdn/i4l/isdn_ppp.c
+@@ -2364,7 +2364,7 @@ static struct ippp_ccp_reset_state *isdn
+ id);
+ return NULL;
+ } else {
+- rs = kzalloc(sizeof(struct ippp_ccp_reset_state), GFP_KERNEL);
++ rs = kzalloc(sizeof(struct ippp_ccp_reset_state), GFP_ATOMIC);
+ if (!rs)
+ return NULL;
+ rs->state = CCPResetIdle;
--- /dev/null
+From 9f5af546e6acc30f075828cb58c7f09665033967 Mon Sep 17 00:00:00 2001
+From: Annie Cherkaev <annie.cherk@gmail.com>
+Date: Sat, 15 Jul 2017 15:08:58 -0600
+Subject: isdn/i4l: fix buffer overflow
+
+From: Annie Cherkaev <annie.cherk@gmail.com>
+
+commit 9f5af546e6acc30f075828cb58c7f09665033967 upstream.
+
+This fixes a potential buffer overflow in isdn_net.c caused by an
+unbounded strcpy.
+
+[ ISDN seems to be effectively unmaintained, and the I4L driver in
+ particular is long deprecated, but in case somebody uses this..
+ - Linus ]
+
+Signed-off-by: Jiten Thakkar <jitenmt@gmail.com>
+Signed-off-by: Annie Cherkaev <annie.cherk@gmail.com>
+Cc: Karsten Keil <isdn@linux-pingi.de>
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/isdn/i4l/isdn_common.c | 1 +
+ drivers/isdn/i4l/isdn_net.c | 5 ++---
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/isdn/i4l/isdn_common.c
++++ b/drivers/isdn/i4l/isdn_common.c
+@@ -1379,6 +1379,7 @@ isdn_ioctl(struct file *file, uint cmd,
+ if (arg) {
+ if (copy_from_user(bname, argp, sizeof(bname) - 1))
+ return -EFAULT;
++ bname[sizeof(bname)-1] = 0;
+ } else
+ return -EINVAL;
+ ret = mutex_lock_interruptible(&dev->mtx);
+--- a/drivers/isdn/i4l/isdn_net.c
++++ b/drivers/isdn/i4l/isdn_net.c
+@@ -2611,10 +2611,9 @@ isdn_net_newslave(char *parm)
+ char newname[10];
+
+ if (p) {
+- /* Slave-Name MUST not be empty */
+- if (!strlen(p + 1))
++ /* Slave-Name MUST not be empty or overflow 'newname' */
++ if (strscpy(newname, p + 1, sizeof(newname)) <= 0)
+ return NULL;
+- strcpy(newname, p + 1);
+ *p = 0;
+ /* Master must already exist */
+ if (!(n = isdn_net_findif(parm)))
--- /dev/null
+From c61b781ee084e69855477d23dd33e7e6caad652c Mon Sep 17 00:00:00 2001
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Tue, 21 Mar 2017 11:30:14 +0000
+Subject: mailbox: always wait in mbox_send_message for blocking Tx mode
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+commit c61b781ee084e69855477d23dd33e7e6caad652c upstream.
+
+There exists a race when msg_submit return immediately as there was an
+active request being processed which may have completed just before it's
+checked again in mbox_send_message. This will result in return to the
+caller without waiting in mbox_send_message even when it's blocking Tx.
+
+This patch fixes the issue by waiting for the completion always if Tx
+is in blocking mode.
+
+Fixes: 2b6d83e2b8b7 ("mailbox: Introduce framework for mailbox")
+Reported-by: Alexey Klimov <alexey.klimov@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Reviewed-by: Alexey Klimov <alexey.klimov@arm.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mailbox/mailbox.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -261,7 +261,7 @@ int mbox_send_message(struct mbox_chan *
+
+ msg_submit(chan);
+
+- if (chan->cl->tx_block && chan->active_req) {
++ if (chan->cl->tx_block) {
+ unsigned long wait;
+ int ret;
+
--- /dev/null
+From cb710ab1d8a23f68ff8f45aedf3e552bb90e70de Mon Sep 17 00:00:00 2001
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Tue, 21 Mar 2017 11:30:16 +0000
+Subject: mailbox: handle empty message in tx_tick
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+commit cb710ab1d8a23f68ff8f45aedf3e552bb90e70de upstream.
+
+We already check if the message is empty before calling the client
+tx_done callback. Calling completion on a wait event is also invalid
+if the message is empty.
+
+This patch moves the existing empty message check earlier.
+
+Fixes: 2b6d83e2b8b7 ("mailbox: Introduce framework for mailbox")
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mailbox/mailbox.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -104,8 +104,11 @@ static void tx_tick(struct mbox_chan *ch
+ /* Submit next message */
+ msg_submit(chan);
+
++ if (!mssg)
++ return;
++
+ /* Notify the client */
+- if (mssg && chan->cl->tx_done)
++ if (chan->cl->tx_done)
+ chan->cl->tx_done(chan->cl, mssg, r);
+
+ if (r != -ETIME && chan->cl->tx_block)
--- /dev/null
+From cc6eeaa3029a6dbcb4ad41b1f92876483bd88965 Mon Sep 17 00:00:00 2001
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Tue, 21 Mar 2017 11:30:15 +0000
+Subject: mailbox: skip complete wait event if timer expired
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+commit cc6eeaa3029a6dbcb4ad41b1f92876483bd88965 upstream.
+
+If a wait_for_completion_timeout() call returns due to a timeout,
+complete() can get called after returning from the wait which is
+incorrect and can cause subsequent transmissions on a channel to fail.
+Since the wait_for_completion_timeout() sees the completion variable
+is non-zero caused by the erroneous/spurious complete() call, and
+it immediately returns without waiting for the time as expected by the
+client.
+
+This patch fixes the issue by skipping complete() call for the timer
+expiry.
+
+Fixes: 2b6d83e2b8b7 ("mailbox: Introduce framework for mailbox")
+Reported-by: Alexey Klimov <alexey.klimov@arm.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mailbox/mailbox.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mailbox/mailbox.c
++++ b/drivers/mailbox/mailbox.c
+@@ -108,7 +108,7 @@ static void tx_tick(struct mbox_chan *ch
+ if (mssg && chan->cl->tx_done)
+ chan->cl->tx_done(chan->cl, mssg, r);
+
+- if (chan->cl->tx_block)
++ if (r != -ETIME && chan->cl->tx_block)
+ complete(&chan->tx_complete);
+ }
+
+@@ -272,8 +272,8 @@ int mbox_send_message(struct mbox_chan *
+
+ ret = wait_for_completion_timeout(&chan->tx_complete, wait);
+ if (ret == 0) {
+- t = -EIO;
+- tx_tick(chan, -EIO);
++ t = -ETIME;
++ tx_tick(chan, t);
+ }
+ }
+
--- /dev/null
+From 5a7a88f1b488e4ee49eb3d5b82612d4d9ffdf2c3 Mon Sep 17 00:00:00 2001
+From: "Ismail, Mustafa" <mustafa.ismail@intel.com>
+Date: Fri, 14 Jul 2017 09:41:30 -0500
+Subject: RDMA/uverbs: Fix the check for port number
+
+From: Ismail, Mustafa <mustafa.ismail@intel.com>
+
+commit 5a7a88f1b488e4ee49eb3d5b82612d4d9ffdf2c3 upstream.
+
+The port number is only valid if IB_QP_PORT is set in the mask.
+So only check port number if it is valid to prevent modify_qp from
+failing due to an invalid port number.
+
+Fixes: 5ecce4c9b17b("Check port number supplied by user verbs cmds")
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
+Tested-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/infiniband/core/uverbs_cmd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/core/uverbs_cmd.c
++++ b/drivers/infiniband/core/uverbs_cmd.c
+@@ -2342,8 +2342,9 @@ ssize_t ib_uverbs_modify_qp(struct ib_uv
+ if (copy_from_user(&cmd, buf, sizeof cmd))
+ return -EFAULT;
+
+- if (cmd.port_num < rdma_start_port(ib_dev) ||
+- cmd.port_num > rdma_end_port(ib_dev))
++ if ((cmd.attr_mask & IB_QP_PORT) &&
++ (cmd.port_num < rdma_start_port(ib_dev) ||
++ cmd.port_num > rdma_end_port(ib_dev)))
+ return -EINVAL;
+
+ INIT_UDATA(&udata, buf + sizeof cmd, NULL, in_len - sizeof cmd,
--- /dev/null
+From 96b777452d8881480fd5be50112f791c17db4b6b Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Date: Wed, 8 Feb 2017 14:27:27 +0300
+Subject: sched/cgroup: Move sched_online_group() back into css_online() to fix crash
+
+From: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+
+commit 96b777452d8881480fd5be50112f791c17db4b6b upstream.
+
+Commit:
+
+ 2f5177f0fd7e ("sched/cgroup: Fix/cleanup cgroup teardown/init")
+
+.. moved sched_online_group() from css_online() to css_alloc().
+It exposes half-baked task group into global lists before initializing
+generic cgroup stuff.
+
+LTP testcase (third in cgroup_regression_test) written for testing
+similar race in kernels 2.6.26-2.6.28 easily triggers this oops:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+ IP: kernfs_path_from_node_locked+0x260/0x320
+ CPU: 1 PID: 30346 Comm: cat Not tainted 4.10.0-rc5-test #4
+ Call Trace:
+ ? kernfs_path_from_node+0x4f/0x60
+ kernfs_path_from_node+0x3e/0x60
+ print_rt_rq+0x44/0x2b0
+ print_rt_stats+0x7a/0xd0
+ print_cpu+0x2fc/0xe80
+ ? __might_sleep+0x4a/0x80
+ sched_debug_show+0x17/0x30
+ seq_read+0xf2/0x3b0
+ proc_reg_read+0x42/0x70
+ __vfs_read+0x28/0x130
+ ? security_file_permission+0x9b/0xc0
+ ? rw_verify_area+0x4e/0xb0
+ vfs_read+0xa5/0x170
+ SyS_read+0x46/0xa0
+ entry_SYSCALL_64_fastpath+0x1e/0xad
+
+Here the task group is already linked into the global RCU-protected 'task_groups'
+list, but the css->cgroup pointer is still NULL.
+
+This patch reverts this chunk and moves online back to css_online().
+
+Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Tejun Heo <tj@kernel.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Fixes: 2f5177f0fd7e ("sched/cgroup: Fix/cleanup cgroup teardown/init")
+Link: http://lkml.kernel.org/r/148655324740.424917.5302984537258726349.stgit@buzz
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Matt Fleming <matt@codeblueprint.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sched/core.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -8376,11 +8376,20 @@ cpu_cgroup_css_alloc(struct cgroup_subsy
+ if (IS_ERR(tg))
+ return ERR_PTR(-ENOMEM);
+
+- sched_online_group(tg, parent);
+-
+ return &tg->css;
+ }
+
++/* Expose task group only after completing cgroup initialization */
++static int cpu_cgroup_css_online(struct cgroup_subsys_state *css)
++{
++ struct task_group *tg = css_tg(css);
++ struct task_group *parent = css_tg(css->parent);
++
++ if (parent)
++ sched_online_group(tg, parent);
++ return 0;
++}
++
+ static void cpu_cgroup_css_released(struct cgroup_subsys_state *css)
+ {
+ struct task_group *tg = css_tg(css);
+@@ -8783,6 +8792,7 @@ static struct cftype cpu_files[] = {
+
+ struct cgroup_subsys cpu_cgrp_subsys = {
+ .css_alloc = cpu_cgroup_css_alloc,
++ .css_online = cpu_cgroup_css_online,
+ .css_released = cpu_cgroup_css_released,
+ .css_free = cpu_cgroup_css_free,
+ .fork = cpu_cgroup_fork,
nfc-fix-hangup-of-rc-s380-in-port100_send_ack.patch
nfc-fdp-fix-null-pointer-dereference.patch
net-phy-do-not-perform-software-reset-for-generic-phy.patch
+isdn-fix-a-sleep-in-atomic-bug.patch
+isdn-i4l-fix-buffer-overflow.patch
+ath10k-fix-null-deref-on-wmi-tlv-when-trying-spectral-scan.patch
+wil6210-fix-deadlock-when-using-fw_no_recovery-option.patch
+mailbox-always-wait-in-mbox_send_message-for-blocking-tx-mode.patch
+mailbox-skip-complete-wait-event-if-timer-expired.patch
+mailbox-handle-empty-message-in-tx_tick.patch
+sched-cgroup-move-sched_online_group-back-into-css_online-to-fix-crash.patch
+rdma-uverbs-fix-the-check-for-port-number.patch
+ipmi-watchdog-fix-watchdog-timeout-set-on-reboot.patch
--- /dev/null
+From dfb5b098e0f40b68aa07f2ec55f4dd762efefbfa Mon Sep 17 00:00:00 2001
+From: Lior David <qca_liord@qca.qualcomm.com>
+Date: Wed, 23 Nov 2016 16:06:41 +0200
+Subject: wil6210: fix deadlock when using fw_no_recovery option
+
+From: Lior David <qca_liord@qca.qualcomm.com>
+
+commit dfb5b098e0f40b68aa07f2ec55f4dd762efefbfa upstream.
+
+When FW crashes with no_fw_recovery option, driver
+waits for manual recovery with wil->mutex held, this
+can easily create deadlocks.
+Fix the problem by moving the wait outside the lock.
+
+Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
+Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/wil6210/main.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/ath/wil6210/main.c
++++ b/drivers/net/wireless/ath/wil6210/main.c
+@@ -384,18 +384,19 @@ static void wil_fw_error_worker(struct w
+
+ wil->last_fw_recovery = jiffies;
+
++ wil_info(wil, "fw error recovery requested (try %d)...\n",
++ wil->recovery_count);
++ if (!no_fw_recovery)
++ wil->recovery_state = fw_recovery_running;
++ if (wil_wait_for_recovery(wil) != 0)
++ return;
++
+ mutex_lock(&wil->mutex);
+ switch (wdev->iftype) {
+ case NL80211_IFTYPE_STATION:
+ case NL80211_IFTYPE_P2P_CLIENT:
+ case NL80211_IFTYPE_MONITOR:
+- wil_info(wil, "fw error recovery requested (try %d)...\n",
+- wil->recovery_count);
+- if (!no_fw_recovery)
+- wil->recovery_state = fw_recovery_running;
+- if (0 != wil_wait_for_recovery(wil))
+- break;
+-
++ /* silent recovery, upper layers will see disconnect */
+ __wil_down(wil);
+ __wil_up(wil);
+ break;
projects / thirdparty / kernel / stable-queue.git / commitdiff
