--- /dev/null
+From 8f067aa59430266386b83c18b983ca583faa6a11 Mon Sep 17 00:00:00 2001
+From: Yuhao Jiang <danisjiang@gmail.com>
+Date: Wed, 22 Oct 2025 15:07:04 -0500
+Subject: ACPI: video: Fix use-after-free in acpi_video_switch_brightness()
+
+From: Yuhao Jiang <danisjiang@gmail.com>
+
+commit 8f067aa59430266386b83c18b983ca583faa6a11 upstream.
+
+The switch_brightness_work delayed work accesses device->brightness
+and device->backlight, freed by acpi_video_dev_unregister_backlight()
+during device removal.
+
+If the work executes after acpi_video_bus_unregister_backlight()
+frees these resources, it causes a use-after-free when
+acpi_video_switch_brightness() dereferences device->brightness or
+device->backlight.
+
+Fix this by calling cancel_delayed_work_sync() for each device's
+switch_brightness_work in acpi_video_bus_remove_notify_handler()
+after removing the notify handler that queues the work. This ensures
+the work completes before the memory is freed.
+
+Fixes: 8ab58e8e7e097 ("ACPI / video: Fix backlight taking 2 steps on a brightness up/down keypress")
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Yuhao Jiang <danisjiang@gmail.com>
+Reviewed-by: Hans de Goede <hansg@kernel.org>
+[ rjw: Changelog edit ]
+Link: https://patch.msgid.link/20251022200704.2655507-1-danisjiang@gmail.com
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpi_video.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/acpi_video.c
++++ b/drivers/acpi/acpi_video.c
+@@ -2034,8 +2034,10 @@ static void acpi_video_bus_remove_notify
+ struct acpi_video_device *dev;
+
+ mutex_lock(&video->device_list_lock);
+- list_for_each_entry(dev, &video->video_device_list, entry)
++ list_for_each_entry(dev, &video->video_device_list, entry) {
+ acpi_video_dev_remove_notify_handler(dev);
++ cancel_delayed_work_sync(&dev->switch_brightness_work);
++ }
+ mutex_unlock(&video->device_list_lock);
+
+ acpi_video_bus_stop_devices(video);
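Review bot: `cancel_delayed_work_sync()` is called inside the `list_for_each_entry` loop while `video->device_list_lock` is held, so it can sleep under the mutex waiting for a running `switch_brightness_work`. If that work function, which is not visible in this hunk, ever takes `device_list_lock`, removal would deadlock. The fix also depends on the notify handler being removed before the cancel so that nothing can requeue the work, and that ordering is worth recording at the call, e.g. `/* Handler is gone, so the work cannot be requeued; wait for a running instance before the backlight is freed. */`. The function body starts and ends outside the hunk, so whether any other path can still queue this work should be confirmed against the rest of the file.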
--- /dev/null
+From 7073c7fc8d8ba47194e5fc58fcafc0efe7586e9b Mon Sep 17 00:00:00 2001
+From: Daniel Palmer <daniel@0x0f.com>
+Date: Fri, 24 Oct 2025 18:37:15 +0900
+Subject: fbdev: atyfb: Check if pll_ops->init_pll failed
+
+From: Daniel Palmer <daniel@0x0f.com>
+
+commit 7073c7fc8d8ba47194e5fc58fcafc0efe7586e9b upstream.
+
+Actually check the return value from pll_ops->init_pll()
+as it can return an error.
+
+If the card's BIOS didn't run because it's not the primary VGA card
+the fact that the xclk source is unsupported is printed as shown
+below but the driver continues on regardless and on my machine causes
+a hard lock up.
+
+[ 61.470088] atyfb 0000:03:05.0: enabling device (0080 -> 0083)
+[ 61.476191] atyfb: using auxiliary register aperture
+[ 61.481239] atyfb: 3D RAGE XL (Mach64 GR, PCI-33) [0x4752 rev 0x27]
+[ 61.487569] atyfb: 512K SGRAM (1:1), 14.31818 MHz XTAL, 230 MHz PLL, 83 Mhz MCLK, 63 MHz XCLK
+[ 61.496112] atyfb: Unsupported xclk source: 5.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Daniel Palmer <daniel@0x0f.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/aty/atyfb_base.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/video/fbdev/aty/atyfb_base.c
++++ b/drivers/video/fbdev/aty/atyfb_base.c
+@@ -2617,8 +2617,12 @@ static int aty_init(struct fb_info *info
+ pr_cont("\n");
+ }
+ #endif
+- if (par->pll_ops->init_pll)
+- par->pll_ops->init_pll(info, &par->pll);
++ if (par->pll_ops->init_pll) {
++ ret = par->pll_ops->init_pll(info, &par->pll);
++ if (ret)
++ return ret;
++ }
++
+ if (par->pll_ops->resume_pll)
+ par->pll_ops->resume_pll(info, &par->pll);
+
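Review bot: The new `return ret;` after a failed `init_pll` leaves `aty_init()` directly, so anything the function set up earlier is skipped unless the caller unwinds it. The body above the hunk is not visible, so confirm that nothing acquired before this point needs releasing, or route the failure through the function's existing error label if it has one. The `resume_pll` call just below is still made without looking at a result, which is fine only if that hook cannot fail.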
--- /dev/null
+From 18c4ef4e765a798b47980555ed665d78b71aeadf Mon Sep 17 00:00:00 2001
+From: Junjie Cao <junjie.cao@intel.com>
+Date: Mon, 20 Oct 2025 21:47:01 +0800
+Subject: fbdev: bitblit: bound-check glyph index in bit_putcs*
+
+From: Junjie Cao <junjie.cao@intel.com>
+
+commit 18c4ef4e765a798b47980555ed665d78b71aeadf upstream.
+
+bit_putcs_aligned()/unaligned() derived the glyph pointer from the
+character value masked by 0xff/0x1ff, which may exceed the actual font's
+glyph count and read past the end of the built-in font array.
+Clamp the index to the actual glyph count before computing the address.
+
+This fixes a global out-of-bounds read reported by syzbot.
+
+Reported-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=793cf822d213be1a74f2
+Tested-by: syzbot+793cf822d213be1a74f2@syzkaller.appspotmail.com
+Signed-off-by: Junjie Cao <junjie.cao@intel.com>
+Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/core/bitblit.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/video/fbdev/core/bitblit.c
++++ b/drivers/video/fbdev/core/bitblit.c
+@@ -79,12 +79,16 @@ static inline void bit_putcs_aligned(str
+ struct fb_image *image, u8 *buf, u8 *dst)
+ {
+ u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
++ unsigned int charcnt = vc->vc_font.charcount;
+ u32 idx = vc->vc_font.width >> 3;
+ u8 *src;
+
+ while (cnt--) {
+- src = vc->vc_font.data + (scr_readw(s++)&
+- charmask)*cellsize;
++ u16 ch = scr_readw(s++) & charmask;
++
++ if (ch >= charcnt)
++ ch = 0;
++ src = vc->vc_font.data + (unsigned int)ch * cellsize;
+
+ if (attr) {
+ update_attr(buf, src, attr, vc);
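Review bot: The clamp `if (ch >= charcnt) ch = 0;` still reads glyph 0 when `vc->vc_font.charcount` is 0, so the bound holds only if every installed font carries a non-zero count that matches the size of `vc_font.data`. That invariant is established outside this hunk and is worth stating above the check, e.g. `/* charcount is assumed non-zero and to match the font data size */`. The same lines are duplicated in `bit_putcs_unaligned()` in the next hunk, and a small static helper returning the glyph pointer would keep the two in step. Any other renderer that indexes `vc_font.data` with the masked character value would need the same bound, which cannot be checked from this page. Both function bodies continue outside their hunks.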
+@@ -112,14 +116,18 @@ static inline void bit_putcs_unaligned(s
+ u8 *dst)
+ {
+ u16 charmask = vc->vc_hi_font_mask ? 0x1ff : 0xff;
++ unsigned int charcnt = vc->vc_font.charcount;
+ u32 shift_low = 0, mod = vc->vc_font.width % 8;
+ u32 shift_high = 8;
+ u32 idx = vc->vc_font.width >> 3;
+ u8 *src;
+
+ while (cnt--) {
+- src = vc->vc_font.data + (scr_readw(s++)&
+- charmask)*cellsize;
++ u16 ch = scr_readw(s++) & charmask;
++
++ if (ch >= charcnt)
++ ch = 0;
++ src = vc->vc_font.data + (unsigned int)ch * cellsize;
+
+ if (attr) {
+ update_attr(buf, src, attr, vc);
--- /dev/null
+From 5f566c0ac51cd2474e47da68dbe719d3acf7d999 Mon Sep 17 00:00:00 2001
+From: Florian Fuchs <fuchsfl@gmail.com>
+Date: Sun, 26 Oct 2025 00:38:50 +0200
+Subject: fbdev: pvr2fb: Fix leftover reference to ONCHIP_NR_DMA_CHANNELS
+
+From: Florian Fuchs <fuchsfl@gmail.com>
+
+commit 5f566c0ac51cd2474e47da68dbe719d3acf7d999 upstream.
+
+Commit e24cca19babe ("sh: Kill off MAX_DMA_ADDRESS leftovers.") removed
+the define ONCHIP_NR_DMA_CHANNELS. So that the leftover reference needs
+to be replaced by CONFIG_NR_ONCHIP_DMA_CHANNELS to compile successfully
+with CONFIG_PVR2_DMA enabled.
+
+Signed-off-by: Florian Fuchs <fuchsfl@gmail.com>
+Reviewed-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/pvr2fb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/pvr2fb.c
++++ b/drivers/video/fbdev/pvr2fb.c
+@@ -191,7 +191,7 @@ static unsigned long pvr2fb_map;
+
+ #ifdef CONFIG_PVR2_DMA
+ static unsigned int shdma = PVR2_CASCADE_CHAN;
+-static unsigned int pvr2dma = ONCHIP_NR_DMA_CHANNELS;
++static unsigned int pvr2dma = CONFIG_NR_ONCHIP_DMA_CHANNELS;
+ #endif
+
+ static struct fb_videomode pvr2_modedb[] = {
--- /dev/null
+From eb53368f8d6e2dfba84c8a94d245719bcf9ae270 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Mon, 27 Oct 2025 16:43:37 +0800
+Subject: fbdev: valkyriefb: Fix reference count leak in valkyriefb_init
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit eb53368f8d6e2dfba84c8a94d245719bcf9ae270 upstream.
+
+The of_find_node_by_name() function returns a device tree node with its
+reference count incremented. The caller is responsible for calling
+of_node_put() to release this reference when done.
+
+Found via static analysis.
+
+Fixes: cc5d0189b9ba ("[PATCH] powerpc: Remove device_node addrs/n_addr")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/valkyriefb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/video/fbdev/valkyriefb.c
++++ b/drivers/video/fbdev/valkyriefb.c
+@@ -336,11 +336,13 @@ int __init valkyriefb_init(void)
+
+ if (of_address_to_resource(dp, 0, &r)) {
+ printk(KERN_ERR "can't find address for valkyrie\n");
++ of_node_put(dp);
+ return 0;
+ }
+
+ frame_buffer_phys = r.start;
+ cmap_regs_phys = r.start + 0x304000;
++ of_node_put(dp);
+ }
+ #endif /* ppc (!CONFIG_MAC) */
+
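Review bot: `of_node_put(dp)` is added twice, once in the error branch and once at the end of the block, although `dp` is not used after `of_address_to_resource()` in the visible lines. Dropping the reference once, right after that call, keeps a future early return from reintroducing the leak: `err = of_address_to_resource(dp, 0, &r);` then `of_node_put(dp);` then `if (err) {`, with a local `int err`. The enclosing block opens above the hunk, so confirm `dp` has no other use there.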
--- /dev/null
+From a824084b98d8a1dbd6e85d0842a8eb5e73467f59 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Tue, 28 Oct 2025 09:16:54 +0100
+Subject: mptcp: restore window probe
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit a824084b98d8a1dbd6e85d0842a8eb5e73467f59 upstream.
+
+Since commit 72377ab2d671 ("mptcp: more conservative check for zero
+probes") the MPTCP-level zero window probe check is always disabled, as
+the TCP-level write queue always contains at least the newly allocated
+skb.
+
+Refine the relevant check tacking in account that the above condition
+and that such skb can have zero length.
+
+Fixes: 72377ab2d671 ("mptcp: more conservative check for zero probes")
+Cc: stable@vger.kernel.org
+Reported-by: Geliang Tang <geliang@kernel.org>
+Closes: https://lore.kernel.org/d0a814c364e744ca6b836ccd5b6e9146882e8d42.camel@kernel.org
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Tested-by: Geliang Tang <geliang@kernel.org>
+Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://patch.msgid.link/20251028-net-mptcp-send-timeout-v1-3-38ffff5a9ec8@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/protocol.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/mptcp/protocol.c
++++ b/net/mptcp/protocol.c
+@@ -1411,7 +1411,12 @@ alloc_skb:
+ if (copy == 0) {
+ u64 snd_una = READ_ONCE(msk->snd_una);
+
+- if (snd_una != msk->snd_nxt || tcp_write_queue_tail(ssk)) {
++ /* No need for zero probe if there are any data pending
++ * either at the msk or ssk level; skb is the current write
++ * queue tail and can be empty at this point.
++ */
++ if (snd_una != msk->snd_nxt || skb->len ||
++ skb != tcp_send_head(ssk)) {
+ tcp_remove_empty_skb(ssk);
+ return 0;
+ }
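Review bot: The new condition reads `skb->len` and compares `skb` with `tcp_send_head(ssk)`, but the comment explains only why `skb` may be empty, not what the comparison means. A reader has to work out that a send head other than `skb` presumably means older unsent data is already queued on the subflow. I would add one line to the comment, such as `* A send head other than skb means earlier data is still unsent on ssk.`, once that reading is confirmed. The check also relies on `skb` being non-NULL here, which is established by code above the hunk.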
--- /dev/null
+From dc89548c6926d68dfdda11bebc1a5258bc41d887 Mon Sep 17 00:00:00 2001
+From: Miaoqian Lin <linmq006@gmail.com>
+Date: Mon, 27 Oct 2025 00:43:16 +0800
+Subject: net: usb: asix_devices: Check return value of usbnet_get_endpoints
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+commit dc89548c6926d68dfdda11bebc1a5258bc41d887 upstream.
+
+The code did not check the return value of usbnet_get_endpoints.
+Add checks and return the error if it fails to transfer the error.
+
+Found via static anlaysis and this is similar to
+commit 07161b2416f7 ("sr9800: Add check for usbnet_get_endpoints").
+
+Fixes: 933a27d39e0e ("USB: asix - Add AX88178 support and many other changes")
+Fixes: 2e55cc7210fe ("[PATCH] USB: usbnet (3/9) module for ASIX Ethernet adapters")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://patch.msgid.link/20251026164318.57624-1-linmq006@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/asix_devices.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/usb/asix_devices.c
++++ b/drivers/net/usb/asix_devices.c
+@@ -230,7 +230,9 @@ static int ax88172_bind(struct usbnet *d
+ int i;
+ unsigned long gpio_bits = dev->driver_info->data;
+
+- usbnet_get_endpoints(dev,intf);
++ ret = usbnet_get_endpoints(dev, intf);
++ if (ret)
++ goto out;
+
+ /* Toggle the GPIOs in a manufacturer/model specific way */
+ for (i = 2; i >= 0; i--) {
+@@ -745,7 +747,9 @@ static int ax88772_bind(struct usbnet *d
+
+ dev->driver_priv = priv;
+
+- usbnet_get_endpoints(dev, intf);
++ ret = usbnet_get_endpoints(dev, intf);
++ if (ret)
++ return ret;
+
+ /* Maybe the boot loader passed the MAC address via device tree */
+ if (!eth_platform_get_mac_address(&dev->udev->dev, buf)) {
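Review bot: In `ax88772_bind()` the new `return ret;` comes right after `dev->driver_priv = priv;`, so if `priv` is not a device-managed allocation the early exit leaks it and leaves `driver_priv` pointing at it. The allocation is above the hunk and should be checked. `ax88172_bind()` in the previous hunk leaves through `goto out`, while this function and `ax88178_bind()` in the next hunk return directly, which is correct only if neither has taken anything that an error label would release. All three bodies continue outside their hunks.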
+@@ -1165,7 +1169,9 @@ static int ax88178_bind(struct usbnet *d
+ int ret;
+ u8 buf[ETH_ALEN] = {0};
+
+- usbnet_get_endpoints(dev,intf);
++ ret = usbnet_get_endpoints(dev, intf);
++ if (ret)
++ return ret;
+
+ /* Get the MAC address */
+ ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0);
--- /dev/null
+From abb1f08a2121dd270193746e43b2a9373db9ad84 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Tue, 30 Sep 2025 10:05:20 -0400
+Subject: NFSD: Fix crash in nfsd4_read_release()
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit abb1f08a2121dd270193746e43b2a9373db9ad84 upstream.
+
+When tracing is enabled, the trace_nfsd_read_done trace point
+crashes during the pynfs read.testNoFh test.
+
+Fixes: 15a8b55dbb1b ("nfsd: call op_release, even when op_func returns an error")
+Cc: stable@vger.kernel.org
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4proc.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -945,10 +945,11 @@ nfsd4_read(struct svc_rqst *rqstp, struc
+ static void
+ nfsd4_read_release(union nfsd4_op_u *u)
+ {
+- if (u->read.rd_nf)
++ if (u->read.rd_nf) {
++ trace_nfsd_read_done(u->read.rd_rqstp, u->read.rd_fhp,
++ u->read.rd_offset, u->read.rd_length);
+ nfsd_file_put(u->read.rd_nf);
+- trace_nfsd_read_done(u->read.rd_rqstp, u->read.rd_fhp,
+- u->read.rd_offset, u->read.rd_length);
++ }
+ }
+
+ static __be32
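Review bot: The `if (u->read.rd_nf)` guard now covers the trace call, but nothing in the code says why, and the commit message only reports the crash. A comment above the `if`, for instance `/* rd_rqstp and rd_fhp may be unset when nfsd4_read() failed before opening the file */`, would stop a later cleanup from moving the tracepoint back out. That reading is inferred from the fix, since `nfsd4_read()` is outside the hunk, so the wording should be confirmed against the early-error path. Reads that fail before `rd_nf` is set now produce no `nfsd_read_done` event, which anyone relying on that tracepoint for auditing should know.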
btrfs-scrub-replace-max_t-min_t-with-clamp-in-scrub_.patch
btrfs-always-drop-log-root-tree-reference-in-btrfs_r.patch
btrfs-use-smp_mb__after_atomic-when-forcing-cow-in-c.patch
+nfsd-fix-crash-in-nfsd4_read_release.patch
+net-usb-asix_devices-check-return-value-of-usbnet_get_endpoints.patch
+fbdev-atyfb-check-if-pll_ops-init_pll-failed.patch
+acpi-video-fix-use-after-free-in-acpi_video_switch_brightness.patch
+fbdev-bitblit-bound-check-glyph-index-in-bit_putcs.patch
+wifi-brcmfmac-fix-crash-while-sending-action-frames-in-standalone-ap-mode.patch
+fbdev-pvr2fb-fix-leftover-reference-to-onchip_nr_dma_channels.patch
+fbdev-valkyriefb-fix-reference-count-leak-in-valkyriefb_init.patch
+mptcp-restore-window-probe.patch
--- /dev/null
+From 3776c685ebe5f43e9060af06872661de55e80b9a Mon Sep 17 00:00:00 2001
+From: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
+Date: Mon, 13 Oct 2025 15:58:19 +0530
+Subject: wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode
+
+From: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
+
+commit 3776c685ebe5f43e9060af06872661de55e80b9a upstream.
+
+Currently, whenever there is a need to transmit an Action frame,
+the brcmfmac driver always uses the P2P vif to send the "actframe" IOVAR to
+firmware. The P2P interfaces were available when wpa_supplicant is managing
+the wlan interface.
+
+However, the P2P interfaces are not created/initialized when only hostapd
+is managing the wlan interface. And if hostapd receives an ANQP Query REQ
+Action frame even from an un-associated STA, the brcmfmac driver tries
+to use an uninitialized P2P vif pointer for sending the IOVAR to firmware.
+This NULL pointer dereferencing triggers a driver crash.
+
+ [ 1417.074538] Unable to handle kernel NULL pointer dereference at virtual
+ address 0000000000000000
+ [...]
+ [ 1417.075188] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)
+ [...]
+ [ 1417.075653] Call trace:
+ [ 1417.075662] brcmf_p2p_send_action_frame+0x23c/0xc58 [brcmfmac]
+ [ 1417.075738] brcmf_cfg80211_mgmt_tx+0x304/0x5c0 [brcmfmac]
+ [ 1417.075810] cfg80211_mlme_mgmt_tx+0x1b0/0x428 [cfg80211]
+ [ 1417.076067] nl80211_tx_mgmt+0x238/0x388 [cfg80211]
+ [ 1417.076281] genl_family_rcv_msg_doit+0xe0/0x158
+ [ 1417.076302] genl_rcv_msg+0x220/0x2a0
+ [ 1417.076317] netlink_rcv_skb+0x68/0x140
+ [ 1417.076330] genl_rcv+0x40/0x60
+ [ 1417.076343] netlink_unicast+0x330/0x3b8
+ [ 1417.076357] netlink_sendmsg+0x19c/0x3f8
+ [ 1417.076370] __sock_sendmsg+0x64/0xc0
+ [ 1417.076391] ____sys_sendmsg+0x268/0x2a0
+ [ 1417.076408] ___sys_sendmsg+0xb8/0x118
+ [ 1417.076427] __sys_sendmsg+0x90/0xf8
+ [ 1417.076445] __arm64_sys_sendmsg+0x2c/0x40
+ [ 1417.076465] invoke_syscall+0x50/0x120
+ [ 1417.076486] el0_svc_common.constprop.0+0x48/0xf0
+ [ 1417.076506] do_el0_svc+0x24/0x38
+ [ 1417.076525] el0_svc+0x30/0x100
+ [ 1417.076548] el0t_64_sync_handler+0x100/0x130
+ [ 1417.076569] el0t_64_sync+0x190/0x198
+ [ 1417.076589] Code: f9401e80 aa1603e2 f9403be1 5280e483 (f9400000)
+
+Fix this, by always using the vif corresponding to the wdev on which the
+Action frame Transmission request was initiated by the userspace. This way,
+even if P2P vif is not available, the IOVAR is sent to firmware on AP vif
+and the ANQP Query RESP Action frame is transmitted without crashing the
+driver.
+
+Move init_completion() for "send_af_done" from brcmf_p2p_create_p2pdev()
+to brcmf_p2p_attach(). Because the former function would not get executed
+when only hostapd is managing wlan interface, and it is not safe to do
+reinit_completion() later in brcmf_p2p_tx_action_frame(), without any prior
+init_completion().
+
+And in the brcmf_p2p_tx_action_frame() function, the condition check for
+P2P Presence response frame is not needed, since the wpa_supplicant is
+properly sending the P2P Presense Response frame on the P2P-GO vif instead
+of the P2P-Device vif.
+
+Cc: stable@vger.kernel.org
+Fixes: 18e2f61db3b7 ("brcmfmac: P2P action frame tx")
+Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Link: https://patch.msgid.link/20251013102819.9727-1-gokulkumar.sivakumar@infineon.com
+[Cc stable]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 3 -
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 28 ++++--------
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h | 3 -
+ 3 files changed, 12 insertions(+), 22 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -5200,8 +5200,7 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wip
+ brcmf_dbg(TRACE, "Action frame, cookie=%lld, len=%d, freq=%d\n",
+ *cookie, le16_to_cpu(action_frame->len), freq);
+
+- ack = brcmf_p2p_send_action_frame(cfg, cfg_to_ndev(cfg),
+- af_params);
++ ack = brcmf_p2p_send_action_frame(vif->ifp, af_params);
+
+ cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, ack,
+ GFP_KERNEL);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+@@ -1529,6 +1529,7 @@ int brcmf_p2p_notify_action_tx_complete(
+ /**
+ * brcmf_p2p_tx_action_frame() - send action frame over fil.
+ *
++ * @ifp: interface to transmit on.
+ * @p2p: p2p info struct for vif.
+ * @af_params: action frame data/info.
+ *
+@@ -1538,12 +1539,11 @@ int brcmf_p2p_notify_action_tx_complete(
+ * The WLC_E_ACTION_FRAME_COMPLETE event will be received when the action
+ * frame is transmitted.
+ */
+-static s32 brcmf_p2p_tx_action_frame(struct brcmf_p2p_info *p2p,
++static s32 brcmf_p2p_tx_action_frame(struct brcmf_if *ifp,
++ struct brcmf_p2p_info *p2p,
+ struct brcmf_fil_af_params_le *af_params)
+ {
+ struct brcmf_pub *drvr = p2p->cfg->pub;
+- struct brcmf_cfg80211_vif *vif;
+- struct brcmf_p2p_action_frame *p2p_af;
+ s32 err = 0;
+
+ brcmf_dbg(TRACE, "Enter\n");
+@@ -1552,14 +1552,7 @@ static s32 brcmf_p2p_tx_action_frame(str
+ clear_bit(BRCMF_P2P_STATUS_ACTION_TX_COMPLETED, &p2p->status);
+ clear_bit(BRCMF_P2P_STATUS_ACTION_TX_NOACK, &p2p->status);
+
+- /* check if it is a p2p_presence response */
+- p2p_af = (struct brcmf_p2p_action_frame *)af_params->action_frame.data;
+- if (p2p_af->subtype == P2P_AF_PRESENCE_RSP)
+- vif = p2p->bss_idx[P2PAPI_BSSCFG_CONNECTION].vif;
+- else
+- vif = p2p->bss_idx[P2PAPI_BSSCFG_DEVICE].vif;
+-
+- err = brcmf_fil_bsscfg_data_set(vif->ifp, "actframe", af_params,
++ err = brcmf_fil_bsscfg_data_set(ifp, "actframe", af_params,
+ sizeof(*af_params));
+ if (err) {
+ bphy_err(drvr, " sending action frame has failed\n");
+@@ -1711,16 +1704,14 @@ static bool brcmf_p2p_check_dwell_overfl
+ /**
+ * brcmf_p2p_send_action_frame() - send action frame .
+ *
+- * @cfg: driver private data for cfg80211 interface.
+- * @ndev: net device to transmit on.
++ * @ifp: interface to transmit on.
+ * @af_params: configuration data for action frame.
+ */
+-bool brcmf_p2p_send_action_frame(struct brcmf_cfg80211_info *cfg,
+- struct net_device *ndev,
++bool brcmf_p2p_send_action_frame(struct brcmf_if *ifp,
+ struct brcmf_fil_af_params_le *af_params)
+ {
++ struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
+ struct brcmf_p2p_info *p2p = &cfg->p2p;
+- struct brcmf_if *ifp = netdev_priv(ndev);
+ struct brcmf_fil_action_frame_le *action_frame;
+ struct brcmf_config_af_params config_af_params;
+ struct afx_hdl *afx_hdl = &p2p->afx_hdl;
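Review bot: `brcmf_p2p_send_action_frame()` now dereferences its argument in the first declaration, `ifp->drvr->config`, and the only caller in this patch passes `vif->ifp` without a check. The crash being fixed was an unset vif pointer on this same path, which the commit message says a frame from an un-associated station can trigger, so the replacement pointer deserves an explicit guarantee. I would state it in the kernel-doc, `* @ifp: interface to transmit on, must not be NULL.`, and confirm that every wdev type reaching `brcmf_cfg80211_mgmt_tx()` has `vif->ifp` set. The function body continues outside the hunk.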
+@@ -1857,7 +1848,7 @@ bool brcmf_p2p_send_action_frame(struct
+ if (af_params->channel)
+ msleep(P2P_AF_RETRY_DELAY_TIME);
+
+- ack = !brcmf_p2p_tx_action_frame(p2p, af_params);
++ ack = !brcmf_p2p_tx_action_frame(ifp, p2p, af_params);
+ tx_retry++;
+ dwell_overflow = brcmf_p2p_check_dwell_overflow(requested_dwell,
+ dwell_jiffies);
+@@ -2217,7 +2208,6 @@ static struct wireless_dev *brcmf_p2p_cr
+
+ WARN_ON(p2p_ifp->bsscfgidx != bsscfgidx);
+
+- init_completion(&p2p->send_af_done);
+ INIT_WORK(&p2p->afx_hdl.afx_work, brcmf_p2p_afx_handler);
+ init_completion(&p2p->afx_hdl.act_frm_scan);
+ init_completion(&p2p->wait_next_af);
+@@ -2509,6 +2499,8 @@ s32 brcmf_p2p_attach(struct brcmf_cfg802
+ pri_ifp = brcmf_get_ifp(cfg->pub, 0);
+ p2p->bss_idx[P2PAPI_BSSCFG_PRIMARY].vif = pri_ifp->vif;
+
++ init_completion(&p2p->send_af_done);
++
+ if (p2pdev_forced) {
+ err_ptr = brcmf_p2p_create_p2pdev(p2p, NULL, NULL);
+ if (IS_ERR(err_ptr)) {
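Review bot: Only `send_af_done` is moved into `brcmf_p2p_attach()`. The previous hunk shows `INIT_WORK(&p2p->afx_hdl.afx_work, ...)`, `init_completion(&p2p->afx_hdl.act_frm_scan)` and `init_completion(&p2p->wait_next_af)` staying in `brcmf_p2p_create_p2pdev()`, which the commit message says does not run when only hostapd manages the interface. `brcmf_p2p_send_action_frame()` takes `&p2p->afx_hdl` at its top, so if the AP-mode path can reach code that waits on or reinitialises those objects, they would be used uninitialised. The relevant lines are outside the hunks. Either move the remaining initialisers here as well, or add a comment saying why the AP path never touches them.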
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h
+@@ -168,8 +168,7 @@ int brcmf_p2p_notify_action_frame_rx(str
+ int brcmf_p2p_notify_action_tx_complete(struct brcmf_if *ifp,
+ const struct brcmf_event_msg *e,
+ void *data);
+-bool brcmf_p2p_send_action_frame(struct brcmf_cfg80211_info *cfg,
+- struct net_device *ndev,
++bool brcmf_p2p_send_action_frame(struct brcmf_if *ifp,
+ struct brcmf_fil_af_params_le *af_params);
+ bool brcmf_p2p_scan_finding_common_channel(struct brcmf_cfg80211_info *cfg,
+ struct brcmf_bss_info_le *bi);