<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/net/wireless, branch v4.8.5</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>rtlwifi: Fix missing country code for Great Britain</title>
<updated>2016-10-28T07:45:18+00:00</updated>
<author>
<name>Larry Finger</name>
<email>Larry.Finger@lwfinger.net</email>
</author>
<published>2016-08-22T19:27:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2ada397f9fe3a5c0ad8954165b75c12fd9aa1f03'/>
<id>2ada397f9fe3a5c0ad8954165b75c12fd9aa1f03</id>
<content type='text'>
commit 0c9d3491530773858ff9d705ec2a9c382f449230 upstream.

Some RTL8821AE devices sold in Great Britain have the country code of
0x25 encoded in their EEPROM. This value is not tested in the routine
that establishes the regulatory info for the chip. The fix is to set
this code to have the same capabilities as the EU countries. In addition,
the channels allowed for COUNTRY_CODE_ETSI were more properly suited
for China and Israel, not the EU. This problem has also been fixed.

Signed-off-by: Larry Finger &lt;Larry.Finger@lwfinger.net&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 0c9d3491530773858ff9d705ec2a9c382f449230 upstream.

Some RTL8821AE devices sold in Great Britain have the country code of
0x25 encoded in their EEPROM. This value is not tested in the routine
that establishes the regulatory info for the chip. The fix is to set
this code to have the same capabilities as the EU countries. In addition,
the channels allowed for COUNTRY_CODE_ETSI were more properly suited
for China and Israel, not the EU. This problem has also been fixed.

Signed-off-by: Larry Finger &lt;Larry.Finger@lwfinger.net&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ath10k: fix copy engine 5 destination ring stuck</title>
<updated>2016-10-28T07:45:18+00:00</updated>
<author>
<name>Rajkumar Manoharan</name>
<email>rmanohar@qti.qualcomm.com</email>
</author>
<published>2016-09-21T10:58:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8a9398b95cfba21d8bc38fad3db9236d56a823d4'/>
<id>8a9398b95cfba21d8bc38fad3db9236d56a823d4</id>
<content type='text'>
commit 0628467f97b5227755428bac10a68257322f7e34 upstream.

Firmware is running watchdog timer for tracking copy engine ring index
and write index. Whenever both indices are stuck at same location for
given duration, watchdog will be trigger to assert target. While
updating copy engine destination ring write index, driver ensures that
write index will not be same as read index by finding delta between these
two indices (CE_RING_DELTA).

HTT target to host copy engine (CE5) is special case where ring buffers
will be reused and delta check is not applied while updating write index.
In rare scenario, whenever CE5 ring is full, both indices will be referring
same location and this is causing CE ring stuck issue as explained
above. This issue is originally reported on IPQ4019 during long hour stress
testing and during veriwave max clients testsuites. The same issue is
also observed in other chips as well. Fix this by ensuring that write
index is one less than read index which means that full ring is
available for receiving data.

Tested-by: Tamizh chelvam &lt;c_traja@qti.qualcomm.com&gt;
Signed-off-by: Rajkumar Manoharan &lt;rmanohar@qti.qualcomm.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 0628467f97b5227755428bac10a68257322f7e34 upstream.

Firmware is running watchdog timer for tracking copy engine ring index
and write index. Whenever both indices are stuck at same location for
given duration, watchdog will be trigger to assert target. While
updating copy engine destination ring write index, driver ensures that
write index will not be same as read index by finding delta between these
two indices (CE_RING_DELTA).

HTT target to host copy engine (CE5) is special case where ring buffers
will be reused and delta check is not applied while updating write index.
In rare scenario, whenever CE5 ring is full, both indices will be referring
same location and this is causing CE ring stuck issue as explained
above. This issue is originally reported on IPQ4019 during long hour stress
testing and during veriwave max clients testsuites. The same issue is
also observed in other chips as well. Fix this by ensuring that write
index is one less than read index which means that full ring is
available for receiving data.

Tested-by: Tamizh chelvam &lt;c_traja@qti.qualcomm.com&gt;
Signed-off-by: Rajkumar Manoharan &lt;rmanohar@qti.qualcomm.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>brcmfmac: use correct skb freeing helper when deleting flowring</title>
<updated>2016-10-22T10:40:23+00:00</updated>
<author>
<name>Rafał Miłecki</name>
<email>rafal@milecki.pl</email>
</author>
<published>2016-09-27T12:11:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9119232cc92a269d7860b4aa51f07d3923a3cc10'/>
<id>9119232cc92a269d7860b4aa51f07d3923a3cc10</id>
<content type='text'>
commit 7f00ee2bbc630900ba16fc2690473f3e2db0e264 upstream.

Flowrings contain skbs waiting for transmission that were passed to us
by netif. It means we checked every one of them looking for 802.1x
Ethernet type. When deleting flowring we have to use freeing function
that will check for 802.1x type as well.

Freeing skbs without a proper check was leading to counter not being
properly decreased. This was triggering a WARNING every time
brcmf_netdev_wait_pend8021x was called.

Signed-off-by: Rafał Miłecki &lt;rafal@milecki.pl&gt;
Acked-by: Arend van Spriel &lt;arend@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7f00ee2bbc630900ba16fc2690473f3e2db0e264 upstream.

Flowrings contain skbs waiting for transmission that were passed to us
by netif. It means we checked every one of them looking for 802.1x
Ethernet type. When deleting flowring we have to use freeing function
that will check for 802.1x type as well.

Freeing skbs without a proper check was leading to counter not being
properly decreased. This was triggering a WARNING every time
brcmf_netdev_wait_pend8021x was called.

Signed-off-by: Rafał Miłecki &lt;rafal@milecki.pl&gt;
Acked-by: Arend van Spriel &lt;arend@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>brcmfmac: fix memory leak in brcmf_fill_bss_param</title>
<updated>2016-10-22T10:40:23+00:00</updated>
<author>
<name>Rafał Miłecki</name>
<email>rafal@milecki.pl</email>
</author>
<published>2016-09-21T06:23:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5de3caefee0e48a924c8817ea10371a6a02fdf2b'/>
<id>5de3caefee0e48a924c8817ea10371a6a02fdf2b</id>
<content type='text'>
commit 23e9c128adb2038c27a424a5f91136e7fa3e0dc6 upstream.

This function is called from get_station callback which means that every
time user space was getting/dumping station(s) we were leaking 2 KiB.

Signed-off-by: Rafał Miłecki &lt;rafal@milecki.pl&gt;
Fixes: 1f0dc59a6de ("brcmfmac: rework .get_station() callback")
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 23e9c128adb2038c27a424a5f91136e7fa3e0dc6 upstream.

This function is called from get_station callback which means that every
time user space was getting/dumping station(s) we were leaking 2 KiB.

Signed-off-by: Rafał Miłecki &lt;rafal@milecki.pl&gt;
Fixes: 1f0dc59a6de ("brcmfmac: rework .get_station() callback")
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>brcmfmac: fix pmksa-&gt;bssid usage</title>
<updated>2016-10-22T10:40:23+00:00</updated>
<author>
<name>Nicolas Iooss</name>
<email>nicolas.iooss_linux@m4x.org</email>
</author>
<published>2016-08-23T09:37:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4a50f927452e20733353aec9da63fc69a8e2a93c'/>
<id>4a50f927452e20733353aec9da63fc69a8e2a93c</id>
<content type='text'>
commit 7703773ef1d85b40433902a8da20167331597e4a upstream.

The struct cfg80211_pmksa defines its bssid field as:

    const u8 *bssid;

contrary to struct brcmf_pmksa, which uses:

    u8 bssid[ETH_ALEN];

Therefore in brcmf_cfg80211_del_pmksa(), &amp;pmksa-&gt;bssid takes the address
of this field (of type u8**), not the one of its content (which would be
u8*).  Remove the &amp; operator to make brcmf_dbg("%pM") and memcmp()
behave as expected.

This bug have been found using a custom static checker (which checks the
usage of %p... attributes at build time).  It has been introduced in
commit 6c404f34f2bd ("brcmfmac: Cleanup pmksa cache handling code"),
which replaced pmksa-&gt;bssid by &amp;pmksa-&gt;bssid while refactoring the code,
without modifying struct cfg80211_pmksa definition.

Replace &amp;pmk[i].bssid with pmk[i].bssid too to make the code clearer,
this change does not affect the semantic.

Fixes: 6c404f34f2bd ("brcmfmac: Cleanup pmksa cache handling code")
Signed-off-by: Nicolas Iooss &lt;nicolas.iooss_linux@m4x.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7703773ef1d85b40433902a8da20167331597e4a upstream.

The struct cfg80211_pmksa defines its bssid field as:

    const u8 *bssid;

contrary to struct brcmf_pmksa, which uses:

    u8 bssid[ETH_ALEN];

Therefore in brcmf_cfg80211_del_pmksa(), &amp;pmksa-&gt;bssid takes the address
of this field (of type u8**), not the one of its content (which would be
u8*).  Remove the &amp; operator to make brcmf_dbg("%pM") and memcmp()
behave as expected.

This bug have been found using a custom static checker (which checks the
usage of %p... attributes at build time).  It has been introduced in
commit 6c404f34f2bd ("brcmfmac: Cleanup pmksa cache handling code"),
which replaced pmksa-&gt;bssid by &amp;pmksa-&gt;bssid while refactoring the code,
without modifying struct cfg80211_pmksa definition.

Replace &amp;pmk[i].bssid with pmk[i].bssid too to make the code clearer,
this change does not affect the semantic.

Fixes: 6c404f34f2bd ("brcmfmac: Cleanup pmksa cache handling code")
Signed-off-by: Nicolas Iooss &lt;nicolas.iooss_linux@m4x.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>carl9170: fix debugfs crashes</title>
<updated>2016-10-22T10:40:22+00:00</updated>
<author>
<name>Christian Lamparter</name>
<email>chunkeey@googlemail.com</email>
</author>
<published>2016-09-21T16:49:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ba77f1da2bc797f561fe9e1df0602122e7709c46'/>
<id>ba77f1da2bc797f561fe9e1df0602122e7709c46</id>
<content type='text'>
commit 6ee6d1cb391ca85b419f8d18bdfb1f020a5e859c upstream.

Ben Greear reported:
&gt; I see lots of instability as soon as I load up the carl9710 NIC.
&gt; My application is going to be poking at it's debugfs files...
&gt;
&gt; BUG: KASAN: slab-out-of-bounds in carl9170_debugfs_read+0xd5/0x2a0
&gt; [carl9170] at addr 0xffff8801bc1208b0
&gt; Read of size 8 by task btserver/5888
&gt; =======================================================================
&gt; BUG kmalloc-256 (Tainted: G        W      ): kasan: bad access detected
&gt; -----------------------------------------------------------------------
&gt;
&gt; INFO: Allocated in seq_open+0x50/0x100 age=2690 cpu=2 pid=772
&gt;...

This breakage was caused by the introduction of intermediate
fops in debugfs by commit 9fd4dcece43a
("debugfs: prevent access to possibly dead file_operations at file open")

Thankfully, the original/real fops are still available in d_fsdata.

Reported-by: Ben Greear &lt;greearb@candelatech.com&gt;
Signed-off-by: Christian Lamparter &lt;chunkeey@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6ee6d1cb391ca85b419f8d18bdfb1f020a5e859c upstream.

Ben Greear reported:
&gt; I see lots of instability as soon as I load up the carl9710 NIC.
&gt; My application is going to be poking at it's debugfs files...
&gt;
&gt; BUG: KASAN: slab-out-of-bounds in carl9170_debugfs_read+0xd5/0x2a0
&gt; [carl9170] at addr 0xffff8801bc1208b0
&gt; Read of size 8 by task btserver/5888
&gt; =======================================================================
&gt; BUG kmalloc-256 (Tainted: G        W      ): kasan: bad access detected
&gt; -----------------------------------------------------------------------
&gt;
&gt; INFO: Allocated in seq_open+0x50/0x100 age=2690 cpu=2 pid=772
&gt;...

This breakage was caused by the introduction of intermediate
fops in debugfs by commit 9fd4dcece43a
("debugfs: prevent access to possibly dead file_operations at file open")

Thankfully, the original/real fops are still available in d_fsdata.

Reported-by: Ben Greear &lt;greearb@candelatech.com&gt;
Signed-off-by: Christian Lamparter &lt;chunkeey@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>b43legacy: fix debugfs crash</title>
<updated>2016-10-22T10:40:22+00:00</updated>
<author>
<name>Christian Lamparter</name>
<email>chunkeey@googlemail.com</email>
</author>
<published>2016-09-17T19:43:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c5054f7709318ac0da1e3281148472d1b43e6717'/>
<id>c5054f7709318ac0da1e3281148472d1b43e6717</id>
<content type='text'>
commit 9c4a45b17e094a090e96beb1138e34c2a10c6b8c upstream.

This patch fixes a crash that happens because b43legacy's
debugfs code expects file-&gt;f_op to be a pointer to its own
b43legacy_debugfs_fops struct. This is no longer the case
since commit 9fd4dcece43a
("debugfs: prevent access to possibly dead file_operations at file open")

Reviewed-by: Nicolai Stange &lt;nicstange@gmail.com&gt;
Signed-off-by: Christian Lamparter &lt;chunkeey@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9c4a45b17e094a090e96beb1138e34c2a10c6b8c upstream.

This patch fixes a crash that happens because b43legacy's
debugfs code expects file-&gt;f_op to be a pointer to its own
b43legacy_debugfs_fops struct. This is no longer the case
since commit 9fd4dcece43a
("debugfs: prevent access to possibly dead file_operations at file open")

Reviewed-by: Nicolai Stange &lt;nicstange@gmail.com&gt;
Signed-off-by: Christian Lamparter &lt;chunkeey@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>b43: fix debugfs crash</title>
<updated>2016-10-22T10:40:22+00:00</updated>
<author>
<name>Christian Lamparter</name>
<email>chunkeey@googlemail.com</email>
</author>
<published>2016-09-17T19:43:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d7b41551c48d95640b92582bcb762e3517b5c418'/>
<id>d7b41551c48d95640b92582bcb762e3517b5c418</id>
<content type='text'>
commit 51b275a6fe5601834b717351d6cbdb89bd1f308b upstream.

This patch fixes a crash that happens because b43's
debugfs code expects file-&gt;f_op to be a pointer to
its own b43_debugfs_fops struct. This is no longer
the case since commit 9fd4dcece43a
("debugfs: prevent access to possibly dead file_operations at file open")

Reviewed-by: Nicolai Stange &lt;nicstange@gmail.com&gt;
Signed-off-by: Christian Lamparter &lt;chunkeey@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 51b275a6fe5601834b717351d6cbdb89bd1f308b upstream.

This patch fixes a crash that happens because b43's
debugfs code expects file-&gt;f_op to be a pointer to
its own b43_debugfs_fops struct. This is no longer
the case since commit 9fd4dcece43a
("debugfs: prevent access to possibly dead file_operations at file open")

Reviewed-by: Nicolai Stange &lt;nicstange@gmail.com&gt;
Signed-off-by: Christian Lamparter &lt;chunkeey@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Merge tag 'iwlwifi-for-kalle-2016-09-15' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes</title>
<updated>2016-09-17T14:06:22+00:00</updated>
<author>
<name>Kalle Valo</name>
<email>kvalo@codeaurora.org</email>
</author>
<published>2016-09-17T14:06:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=db64c5fa590b5d82ac0d5ec39bc498f95094e66b'/>
<id>db64c5fa590b5d82ac0d5ec39bc498f95094e66b</id>
<content type='text'>
* fix to prevent firmware crash when sending off-channel frames
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
* fix to prevent firmware crash when sending off-channel frames
</pre>
</div>
</content>
</entry>
<entry>
<title>iwlwifi: mvm: update TX queue before making a copy of the skb</title>
<updated>2016-09-15T15:35:20+00:00</updated>
<author>
<name>Beni Lev</name>
<email>beni.lev@intel.com</email>
</author>
<published>2016-08-10T14:03:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=54c5ef2e93ea002dc5dd63349298b2778fe59edb'/>
<id>54c5ef2e93ea002dc5dd63349298b2778fe59edb</id>
<content type='text'>
Off-channel action frames (such as ANQP frames) must be sent either on
the AUX queue or on the offchannel queue, otherwise the firmware will
cause a SYSASSERT.

In the current implementation, the queue to be used is correctly set in
the original skb, but this is done after it is copied.  Thus the copy
remains with the original, incorrect queue.

Fix this by setting the queue in the original skb before copying it.

Fixes: commit 5c08b0f5026f ("iwlwifi: mvm: don't override the rate with the AMSDU len")
Cc: stable@vger.kernel.org # v4.6+
Signed-off-by: Beni Lev &lt;beni.lev@intel.com&gt;
Signed-off-by: Luca Coelho &lt;luciano.coelho@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Off-channel action frames (such as ANQP frames) must be sent either on
the AUX queue or on the offchannel queue, otherwise the firmware will
cause a SYSASSERT.

In the current implementation, the queue to be used is correctly set in
the original skb, but this is done after it is copied.  Thus the copy
remains with the original, incorrect queue.

Fix this by setting the queue in the original skb before copying it.

Fixes: commit 5c08b0f5026f ("iwlwifi: mvm: don't override the rate with the AMSDU len")
Cc: stable@vger.kernel.org # v4.6+
Signed-off-by: Beni Lev &lt;beni.lev@intel.com&gt;
Signed-off-by: Luca Coelho &lt;luciano.coelho@intel.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
