<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/net, branch linux-4.7.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>brcmfmac: use correct skb freeing helper when deleting flowring</title>
<updated>2016-10-22T10:06:48+00:00</updated>
<author>
<name>Rafał Miłecki</name>
<email>rafal@milecki.pl</email>
</author>
<published>2016-09-27T12:11:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6faa698c35a43b9e74ea24e90fe37471d08d00d0'/>
<id>6faa698c35a43b9e74ea24e90fe37471d08d00d0</id>
<content type='text'>
commit 7f00ee2bbc630900ba16fc2690473f3e2db0e264 upstream.

Flowrings contain skbs waiting for transmission that were passed to us
by netif. It means we checked every one of them looking for 802.1x
Ethernet type. When deleting flowring we have to use freeing function
that will check for 802.1x type as well.

Freeing skbs without a proper check was leading to counter not being
properly decreased. This was triggering a WARNING every time
brcmf_netdev_wait_pend8021x was called.

Signed-off-by: Rafał Miłecki &lt;rafal@milecki.pl&gt;
Acked-by: Arend van Spriel &lt;arend@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7f00ee2bbc630900ba16fc2690473f3e2db0e264 upstream.

Flowrings contain skbs waiting for transmission that were passed to us
by netif. It means we checked every one of them looking for 802.1x
Ethernet type. When deleting flowring we have to use freeing function
that will check for 802.1x type as well.

Freeing skbs without a proper check was leading to counter not being
properly decreased. This was triggering a WARNING every time
brcmf_netdev_wait_pend8021x was called.

Signed-off-by: Rafał Miłecki &lt;rafal@milecki.pl&gt;
Acked-by: Arend van Spriel &lt;arend@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>brcmfmac: fix memory leak in brcmf_fill_bss_param</title>
<updated>2016-10-22T10:06:48+00:00</updated>
<author>
<name>Rafał Miłecki</name>
<email>rafal@milecki.pl</email>
</author>
<published>2016-09-21T06:23:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1d2ac5b9d6a808da83dc9d77a788f3a909a6897c'/>
<id>1d2ac5b9d6a808da83dc9d77a788f3a909a6897c</id>
<content type='text'>
commit 23e9c128adb2038c27a424a5f91136e7fa3e0dc6 upstream.

This function is called from get_station callback which means that every
time user space was getting/dumping station(s) we were leaking 2 KiB.

Signed-off-by: Rafał Miłecki &lt;rafal@milecki.pl&gt;
Fixes: 1f0dc59a6de ("brcmfmac: rework .get_station() callback")
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 23e9c128adb2038c27a424a5f91136e7fa3e0dc6 upstream.

This function is called from get_station callback which means that every
time user space was getting/dumping station(s) we were leaking 2 KiB.

Signed-off-by: Rafał Miłecki &lt;rafal@milecki.pl&gt;
Fixes: 1f0dc59a6de ("brcmfmac: rework .get_station() callback")
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>brcmfmac: fix pmksa-&gt;bssid usage</title>
<updated>2016-10-22T10:06:48+00:00</updated>
<author>
<name>Nicolas Iooss</name>
<email>nicolas.iooss_linux@m4x.org</email>
</author>
<published>2016-08-23T09:37:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=11b8369ad82d3e16f96c7284bbc7b2af1a48c82f'/>
<id>11b8369ad82d3e16f96c7284bbc7b2af1a48c82f</id>
<content type='text'>
commit 7703773ef1d85b40433902a8da20167331597e4a upstream.

The struct cfg80211_pmksa defines its bssid field as:

    const u8 *bssid;

contrary to struct brcmf_pmksa, which uses:

    u8 bssid[ETH_ALEN];

Therefore in brcmf_cfg80211_del_pmksa(), &amp;pmksa-&gt;bssid takes the address
of this field (of type u8**), not the one of its content (which would be
u8*).  Remove the &amp; operator to make brcmf_dbg("%pM") and memcmp()
behave as expected.

This bug has been found using a custom static checker (which checks the
usage of %p... attributes at build time).  It has been introduced in
commit 6c404f34f2bd ("brcmfmac: Cleanup pmksa cache handling code"),
which replaced pmksa-&gt;bssid by &amp;pmksa-&gt;bssid while refactoring the code,
without modifying struct cfg80211_pmksa definition.

Replace &amp;pmk[i].bssid with pmk[i].bssid too to make the code clearer,
this change does not affect the semantics.

Fixes: 6c404f34f2bd ("brcmfmac: Cleanup pmksa cache handling code")
Signed-off-by: Nicolas Iooss &lt;nicolas.iooss_linux@m4x.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 7703773ef1d85b40433902a8da20167331597e4a upstream.

The struct cfg80211_pmksa defines its bssid field as:

    const u8 *bssid;

contrary to struct brcmf_pmksa, which uses:

    u8 bssid[ETH_ALEN];

Therefore in brcmf_cfg80211_del_pmksa(), &amp;pmksa-&gt;bssid takes the address
of this field (of type u8**), not the one of its content (which would be
u8*).  Remove the &amp; operator to make brcmf_dbg("%pM") and memcmp()
behave as expected.

This bug has been found using a custom static checker (which checks the
usage of %p... attributes at build time).  It has been introduced in
commit 6c404f34f2bd ("brcmfmac: Cleanup pmksa cache handling code"),
which replaced pmksa-&gt;bssid by &amp;pmksa-&gt;bssid while refactoring the code,
without modifying struct cfg80211_pmksa definition.

Replace &amp;pmk[i].bssid with pmk[i].bssid too to make the code clearer,
this change does not affect the semantics.

Fixes: 6c404f34f2bd ("brcmfmac: Cleanup pmksa cache handling code")
Signed-off-by: Nicolas Iooss &lt;nicolas.iooss_linux@m4x.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>i40e: avoid NULL pointer dereference and recursive errors on early PCI error</title>
<updated>2016-10-22T10:06:47+00:00</updated>
<author>
<name>Guilherme G Piccoli</name>
<email>gpiccoli@linux.vnet.ibm.com</email>
</author>
<published>2016-10-03T07:31:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b2d095fc4968de3329a2d5438dc8d4dbb420686a'/>
<id>b2d095fc4968de3329a2d5438dc8d4dbb420686a</id>
<content type='text'>
commit edfc23ee3e0ebbb6713d7574ab1b00abff178f6c upstream.

Although rare, it's possible to hit PCI error early on device
probe, meaning possibly some structs are not entirely initialized,
and some might even be completely uninitialized, leading to NULL
pointer dereference.

The i40e driver currently presents a "bad" behavior if device hits
such early PCI error: firstly, the struct i40e_pf might not be
attached to pci_dev yet, leading to a NULL pointer dereference on
access to pf-&gt;state.

Even checking if the struct is NULL and avoiding the access in that
case isn't enough, since the driver cannot recover from PCI error
that early; in our experiments we saw multiple failures on kernel
log, like:

  [549.664] i40e 0007:01:00.1: Initial pf_reset failed: -15
  [549.664] i40e: probe of 0007:01:00.1 failed with error -15
  [...]
  [871.644] i40e 0007:01:00.1: The driver for the device stopped because the
  device firmware failed to init. Try updating your NVM image.
  [871.644] i40e: probe of 0007:01:00.1 failed with error -32
  [...]
  [872.516] i40e 0007:01:00.0: ARQ: Unknown event 0x0000 ignored

Between the first probe failure (error -15) and the second (error -32)
another PCI error happened due to the first bad probe. Also, driver
started to flood console with those ARQ event messages.

This patch will prevent these issues by allowing error recovery
mechanism to remove the failed device from the system instead of
trying to recover from early PCI errors during device probe.

Signed-off-by: Guilherme G Piccoli &lt;gpiccoli@linux.vnet.ibm.com&gt;
Acked-by: Jacob Keller &lt;jacob.e.keller@intel.com&gt;
Tested-by: Andrew Bowers &lt;andrewx.bowers@intel.com&gt;
Signed-off-by: Jeff Kirsher &lt;jeffrey.t.kirsher@intel.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit edfc23ee3e0ebbb6713d7574ab1b00abff178f6c upstream.

Although rare, it's possible to hit PCI error early on device
probe, meaning possibly some structs are not entirely initialized,
and some might even be completely uninitialized, leading to NULL
pointer dereference.

The i40e driver currently presents a "bad" behavior if device hits
such early PCI error: firstly, the struct i40e_pf might not be
attached to pci_dev yet, leading to a NULL pointer dereference on
access to pf-&gt;state.

Even checking if the struct is NULL and avoiding the access in that
case isn't enough, since the driver cannot recover from PCI error
that early; in our experiments we saw multiple failures on kernel
log, like:

  [549.664] i40e 0007:01:00.1: Initial pf_reset failed: -15
  [549.664] i40e: probe of 0007:01:00.1 failed with error -15
  [...]
  [871.644] i40e 0007:01:00.1: The driver for the device stopped because the
  device firmware failed to init. Try updating your NVM image.
  [871.644] i40e: probe of 0007:01:00.1 failed with error -32
  [...]
  [872.516] i40e 0007:01:00.0: ARQ: Unknown event 0x0000 ignored

Between the first probe failure (error -15) and the second (error -32)
another PCI error happened due to the first bad probe. Also, driver
started to flood console with those ARQ event messages.

This patch will prevent these issues by allowing error recovery
mechanism to remove the failed device from the system instead of
trying to recover from early PCI errors during device probe.

Signed-off-by: Guilherme G Piccoli &lt;gpiccoli@linux.vnet.ibm.com&gt;
Acked-by: Jacob Keller &lt;jacob.e.keller@intel.com&gt;
Tested-by: Andrew Bowers &lt;andrewx.bowers@intel.com&gt;
Signed-off-by: Jeff Kirsher &lt;jeffrey.t.kirsher@intel.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>carl9170: fix debugfs crashes</title>
<updated>2016-10-22T10:06:46+00:00</updated>
<author>
<name>Christian Lamparter</name>
<email>chunkeey@googlemail.com</email>
</author>
<published>2016-09-21T16:49:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b5de4b6a6023a6d5d73f671faf1c00ba9aa23dce'/>
<id>b5de4b6a6023a6d5d73f671faf1c00ba9aa23dce</id>
<content type='text'>
commit 6ee6d1cb391ca85b419f8d18bdfb1f020a5e859c upstream.

Ben Greear reported:
&gt; I see lots of instability as soon as I load up the carl9170 NIC.
&gt; My application is going to be poking at its debugfs files...
&gt;
&gt; BUG: KASAN: slab-out-of-bounds in carl9170_debugfs_read+0xd5/0x2a0
&gt; [carl9170] at addr 0xffff8801bc1208b0
&gt; Read of size 8 by task btserver/5888
&gt; =======================================================================
&gt; BUG kmalloc-256 (Tainted: G        W      ): kasan: bad access detected
&gt; -----------------------------------------------------------------------
&gt;
&gt; INFO: Allocated in seq_open+0x50/0x100 age=2690 cpu=2 pid=772
&gt;...

This breakage was caused by the introduction of intermediate
fops in debugfs by commit 9fd4dcece43a
("debugfs: prevent access to possibly dead file_operations at file open")

Thankfully, the original/real fops are still available in d_fsdata.

Reported-by: Ben Greear &lt;greearb@candelatech.com&gt;
Signed-off-by: Christian Lamparter &lt;chunkeey@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 6ee6d1cb391ca85b419f8d18bdfb1f020a5e859c upstream.

Ben Greear reported:
&gt; I see lots of instability as soon as I load up the carl9170 NIC.
&gt; My application is going to be poking at its debugfs files...
&gt;
&gt; BUG: KASAN: slab-out-of-bounds in carl9170_debugfs_read+0xd5/0x2a0
&gt; [carl9170] at addr 0xffff8801bc1208b0
&gt; Read of size 8 by task btserver/5888
&gt; =======================================================================
&gt; BUG kmalloc-256 (Tainted: G        W      ): kasan: bad access detected
&gt; -----------------------------------------------------------------------
&gt;
&gt; INFO: Allocated in seq_open+0x50/0x100 age=2690 cpu=2 pid=772
&gt;...

This breakage was caused by the introduction of intermediate
fops in debugfs by commit 9fd4dcece43a
("debugfs: prevent access to possibly dead file_operations at file open")

Thankfully, the original/real fops are still available in d_fsdata.

Reported-by: Ben Greear &lt;greearb@candelatech.com&gt;
Signed-off-by: Christian Lamparter &lt;chunkeey@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>b43legacy: fix debugfs crash</title>
<updated>2016-10-22T10:06:46+00:00</updated>
<author>
<name>Christian Lamparter</name>
<email>chunkeey@googlemail.com</email>
</author>
<published>2016-09-17T19:43:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2b96ed6e359a754ab927d54da45c00f4ca328078'/>
<id>2b96ed6e359a754ab927d54da45c00f4ca328078</id>
<content type='text'>
commit 9c4a45b17e094a090e96beb1138e34c2a10c6b8c upstream.

This patch fixes a crash that happens because b43legacy's
debugfs code expects file-&gt;f_op to be a pointer to its own
b43legacy_debugfs_fops struct. This is no longer the case
since commit 9fd4dcece43a
("debugfs: prevent access to possibly dead file_operations at file open")

Reviewed-by: Nicolai Stange &lt;nicstange@gmail.com&gt;
Signed-off-by: Christian Lamparter &lt;chunkeey@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9c4a45b17e094a090e96beb1138e34c2a10c6b8c upstream.

This patch fixes a crash that happens because b43legacy's
debugfs code expects file-&gt;f_op to be a pointer to its own
b43legacy_debugfs_fops struct. This is no longer the case
since commit 9fd4dcece43a
("debugfs: prevent access to possibly dead file_operations at file open")

Reviewed-by: Nicolai Stange &lt;nicstange@gmail.com&gt;
Signed-off-by: Christian Lamparter &lt;chunkeey@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>b43: fix debugfs crash</title>
<updated>2016-10-22T10:06:46+00:00</updated>
<author>
<name>Christian Lamparter</name>
<email>chunkeey@googlemail.com</email>
</author>
<published>2016-09-17T19:43:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1c351b32b1f95043f417b024fecf1b9c1717bcf4'/>
<id>1c351b32b1f95043f417b024fecf1b9c1717bcf4</id>
<content type='text'>
commit 51b275a6fe5601834b717351d6cbdb89bd1f308b upstream.

This patch fixes a crash that happens because b43's
debugfs code expects file-&gt;f_op to be a pointer to
its own b43_debugfs_fops struct. This is no longer
the case since commit 9fd4dcece43a
("debugfs: prevent access to possibly dead file_operations at file open")

Reviewed-by: Nicolai Stange &lt;nicstange@gmail.com&gt;
Signed-off-by: Christian Lamparter &lt;chunkeey@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 51b275a6fe5601834b717351d6cbdb89bd1f308b upstream.

This patch fixes a crash that happens because b43's
debugfs code expects file-&gt;f_op to be a pointer to
its own b43_debugfs_fops struct. This is no longer
the case since commit 9fd4dcece43a
("debugfs: prevent access to possibly dead file_operations at file open")

Reviewed-by: Nicolai Stange &lt;nicstange@gmail.com&gt;
Signed-off-by: Christian Lamparter &lt;chunkeey@gmail.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ath10k: fix get rx_status from htt context</title>
<updated>2016-10-07T13:21:26+00:00</updated>
<author>
<name>Ashok Raj Nagarajan</name>
<email>arnagara@qti.qualcomm.com</email>
</author>
<published>2016-08-19T10:37:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a734679bdf768e370ef3d32254871ada91ad261f'/>
<id>a734679bdf768e370ef3d32254871ada91ad261f</id>
<content type='text'>
commit 237e15dfd5d651868726111c3a9d828bec700490 upstream.

On handling amsdu on rx path, get the rx_status from htt context. Without this
fix, we are seeing warnings when running DBDC traffic like this.

WARNING: CPU: 0 PID: 0 at net/mac80211/rx.c:4105 ieee80211_rx_napi+0x88/0x7d8 [mac80211]()

[ 1715.878248] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.21 #1
[ 1715.878273] [&lt;c001d3f4&gt;] (unwind_backtrace) from [&lt;c001a4b0&gt;] (show_stack+0x10/0x14)
[ 1715.878293] [&lt;c001a4b0&gt;] (show_stack) from [&lt;c01bee64&gt;] (dump_stack+0x70/0xbc)
[ 1715.878315] [&lt;c01bee64&gt;] (dump_stack) from [&lt;c002a61c&gt;] (warn_slowpath_common+0x64/0x88)
[ 1715.878339] [&lt;c002a61c&gt;] (warn_slowpath_common) from [&lt;c002a6d0&gt;] (warn_slowpath_null+0x18/0x20)
[ 1715.878395] [&lt;c002a6d0&gt;] (warn_slowpath_null) from [&lt;bf4caa98&gt;] (ieee80211_rx_napi+0x88/0x7d8 [mac80211])
[ 1715.878474] [&lt;bf4caa98&gt;] (ieee80211_rx_napi [mac80211]) from [&lt;bf568658&gt;] (ath10k_htt_t2h_msg_handler+0xb48/0xbfc [ath10k_core])
[ 1715.878535] [&lt;bf568658&gt;] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [&lt;bf568708&gt;] (ath10k_htt_t2h_msg_handler+0xbf8/0xbfc [ath10k_core])
[ 1715.878597] [&lt;bf568708&gt;] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [&lt;bf569160&gt;] (ath10k_htt_txrx_compl_task+0xa54/0x1170 [ath10k_core])
[ 1715.878639] [&lt;bf569160&gt;] (ath10k_htt_txrx_compl_task [ath10k_core]) from [&lt;c002db14&gt;] (tasklet_action+0xb4/0x130)
[ 1715.878659] [&lt;c002db14&gt;] (tasklet_action) from [&lt;c002d110&gt;] (__do_softirq+0xe0/0x210)
[ 1715.878678] [&lt;c002d110&gt;] (__do_softirq) from [&lt;c002d4b4&gt;] (irq_exit+0x84/0xe0)
[ 1715.878700] [&lt;c002d4b4&gt;] (irq_exit) from [&lt;c005a544&gt;] (__handle_domain_irq+0x98/0xd0)
[ 1715.878722] [&lt;c005a544&gt;] (__handle_domain_irq) from [&lt;c00085f4&gt;] (gic_handle_irq+0x38/0x5c)
[ 1715.878741] [&lt;c00085f4&gt;] (gic_handle_irq) from [&lt;c0009680&gt;] (__irq_svc+0x40/0x74)
[ 1715.878753] Exception stack(0xc05f9f50 to 0xc05f9f98)
[ 1715.878767] 9f40: ffffffed 00000000 00399e1e c000a220
[ 1715.878786] 9f60: 00000000 c05f6780 c05f8000 00000000 c05f5db8 ffffffed c05f8000 c04d1980
[ 1715.878802] 9f80: 00000000 c05f9f98 c0018110 c0018114 60000013 ffffffff
[ 1715.878822] [&lt;c0009680&gt;] (__irq_svc) from [&lt;c0018114&gt;] (arch_cpu_idle+0x2c/0x50)
[ 1715.878844] [&lt;c0018114&gt;] (arch_cpu_idle) from [&lt;c00530d4&gt;] (cpu_startup_entry+0x108/0x234)
[ 1715.878866] [&lt;c00530d4&gt;] (cpu_startup_entry) from [&lt;c05c7be0&gt;] (start_kernel+0x33c/0x3b8)
[ 1715.878879] ---[ end trace 6d5e1cc0fef8ed6a ]---
[ 1715.878899] ------------[ cut here ]------------

Fixes: 18235664e7f9 ("ath10k: cleanup amsdu processing for rx indication")
Signed-off-by: Ashok Raj Nagarajan &lt;arnagara@qti.qualcomm.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 237e15dfd5d651868726111c3a9d828bec700490 upstream.

On handling amsdu on rx path, get the rx_status from htt context. Without this
fix, we are seeing warnings when running DBDC traffic like this.

WARNING: CPU: 0 PID: 0 at net/mac80211/rx.c:4105 ieee80211_rx_napi+0x88/0x7d8 [mac80211]()

[ 1715.878248] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.21 #1
[ 1715.878273] [&lt;c001d3f4&gt;] (unwind_backtrace) from [&lt;c001a4b0&gt;] (show_stack+0x10/0x14)
[ 1715.878293] [&lt;c001a4b0&gt;] (show_stack) from [&lt;c01bee64&gt;] (dump_stack+0x70/0xbc)
[ 1715.878315] [&lt;c01bee64&gt;] (dump_stack) from [&lt;c002a61c&gt;] (warn_slowpath_common+0x64/0x88)
[ 1715.878339] [&lt;c002a61c&gt;] (warn_slowpath_common) from [&lt;c002a6d0&gt;] (warn_slowpath_null+0x18/0x20)
[ 1715.878395] [&lt;c002a6d0&gt;] (warn_slowpath_null) from [&lt;bf4caa98&gt;] (ieee80211_rx_napi+0x88/0x7d8 [mac80211])
[ 1715.878474] [&lt;bf4caa98&gt;] (ieee80211_rx_napi [mac80211]) from [&lt;bf568658&gt;] (ath10k_htt_t2h_msg_handler+0xb48/0xbfc [ath10k_core])
[ 1715.878535] [&lt;bf568658&gt;] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [&lt;bf568708&gt;] (ath10k_htt_t2h_msg_handler+0xbf8/0xbfc [ath10k_core])
[ 1715.878597] [&lt;bf568708&gt;] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [&lt;bf569160&gt;] (ath10k_htt_txrx_compl_task+0xa54/0x1170 [ath10k_core])
[ 1715.878639] [&lt;bf569160&gt;] (ath10k_htt_txrx_compl_task [ath10k_core]) from [&lt;c002db14&gt;] (tasklet_action+0xb4/0x130)
[ 1715.878659] [&lt;c002db14&gt;] (tasklet_action) from [&lt;c002d110&gt;] (__do_softirq+0xe0/0x210)
[ 1715.878678] [&lt;c002d110&gt;] (__do_softirq) from [&lt;c002d4b4&gt;] (irq_exit+0x84/0xe0)
[ 1715.878700] [&lt;c002d4b4&gt;] (irq_exit) from [&lt;c005a544&gt;] (__handle_domain_irq+0x98/0xd0)
[ 1715.878722] [&lt;c005a544&gt;] (__handle_domain_irq) from [&lt;c00085f4&gt;] (gic_handle_irq+0x38/0x5c)
[ 1715.878741] [&lt;c00085f4&gt;] (gic_handle_irq) from [&lt;c0009680&gt;] (__irq_svc+0x40/0x74)
[ 1715.878753] Exception stack(0xc05f9f50 to 0xc05f9f98)
[ 1715.878767] 9f40: ffffffed 00000000 00399e1e c000a220
[ 1715.878786] 9f60: 00000000 c05f6780 c05f8000 00000000 c05f5db8 ffffffed c05f8000 c04d1980
[ 1715.878802] 9f80: 00000000 c05f9f98 c0018110 c0018114 60000013 ffffffff
[ 1715.878822] [&lt;c0009680&gt;] (__irq_svc) from [&lt;c0018114&gt;] (arch_cpu_idle+0x2c/0x50)
[ 1715.878844] [&lt;c0018114&gt;] (arch_cpu_idle) from [&lt;c00530d4&gt;] (cpu_startup_entry+0x108/0x234)
[ 1715.878866] [&lt;c00530d4&gt;] (cpu_startup_entry) from [&lt;c05c7be0&gt;] (start_kernel+0x33c/0x3b8)
[ 1715.878879] ---[ end trace 6d5e1cc0fef8ed6a ]---
[ 1715.878899] ------------[ cut here ]------------

Fixes: 18235664e7f9 ("ath10k: cleanup amsdu processing for rx indication")
Signed-off-by: Ashok Raj Nagarajan &lt;arnagara@qti.qualcomm.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@qca.qualcomm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get()</title>
<updated>2016-10-07T13:21:25+00:00</updated>
<author>
<name>Florian Fainelli</name>
<email>f.fainelli@gmail.com</email>
</author>
<published>2016-07-18T23:24:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cd8fb09885bec8f6592a2a6e18975b863fe44777'/>
<id>cd8fb09885bec8f6592a2a6e18975b863fe44777</id>
<content type='text'>
commit f823a2aa8f4674c095a5413b9e3ba12d82df06f2 upstream.

wlc_phy_txpower_get_current() does a logical OR of power-&gt;flags, which
presumes that power.flags was initialized earlier by the caller,
unfortunately, this is not the case, so make sure we zero out the struct
tx_power before calling into wlc_phy_txpower_get_current().

Reported-by: coverity (CID 146011)
Fixes: 5b435de0d7868 ("net: wireless: add brcm80211 drivers")
Signed-off-by: Florian Fainelli &lt;f.fainelli@gmail.com&gt;
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f823a2aa8f4674c095a5413b9e3ba12d82df06f2 upstream.

wlc_phy_txpower_get_current() does a logical OR of power-&gt;flags, which
presumes that power.flags was initialized earlier by the caller,
unfortunately, this is not the case, so make sure we zero out the struct
tx_power before calling into wlc_phy_txpower_get_current().

Reported-by: coverity (CID 146011)
Fixes: 5b435de0d7868 ("net: wireless: add brcm80211 drivers")
Signed-off-by: Florian Fainelli &lt;f.fainelli@gmail.com&gt;
Acked-by: Arend van Spriel &lt;arend.vanspriel@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>brcmsmac: Free packet if dma_mapping_error() fails in dma_rxfill</title>
<updated>2016-10-07T13:21:25+00:00</updated>
<author>
<name>Florian Fainelli</name>
<email>f.fainelli@gmail.com</email>
</author>
<published>2016-07-18T23:24:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4e72aaca2db72a29a90ccebdb762b300c2f29562'/>
<id>4e72aaca2db72a29a90ccebdb762b300c2f29562</id>
<content type='text'>
commit 5c5fa1f464ac954982df1d96b9f9a5103d21aedd upstream.

In case dma_mapping_error() returns an error in dma_rxfill, we would be
leaking a packet that we allocated with brcmu_pkt_buf_get_skb().

Reported-by: coverity (CID 1081819)
Fixes: 67d0cf50bd32 ("brcmsmac: Fix WARNING caused by lack of calls to dma_mapping_error()")
Signed-off-by: Florian Fainelli &lt;f.fainelli@gmail.com&gt;
Acked-by: Arend van Spriel &lt;arend@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5c5fa1f464ac954982df1d96b9f9a5103d21aedd upstream.

In case dma_mapping_error() returns an error in dma_rxfill, we would be
leaking a packet that we allocated with brcmu_pkt_buf_get_skb().

Reported-by: coverity (CID 1081819)
Fixes: 67d0cf50bd32 ("brcmsmac: Fix WARNING caused by lack of calls to dma_mapping_error()")
Signed-off-by: Florian Fainelli &lt;f.fainelli@gmail.com&gt;
Acked-by: Arend van Spriel &lt;arend@broadcom.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
</feed>
