--- /dev/null
+From cf44012810ccdd8fd947518e965cb04b7b8498be Mon Sep 17 00:00:00 2001
+From: Michal Kazior <michal.kazior@tieto.com>
+Date: Mon, 25 Jan 2016 14:43:24 +0100
+Subject: mac80211: fix unnecessary frame drops in mesh fwding
+
+From: Michal Kazior <michal.kazior@tieto.com>
+
+commit cf44012810ccdd8fd947518e965cb04b7b8498be upstream.
+
+The ieee80211_queue_stopped() expects hw queue
+number but it was given raw WMM AC number instead.
+
+This could cause frame drops and problems with
+traffic in some cases - most notably if driver
+doesn't map AC numbers to queue numbers 1:1 and
+uses ieee80211_stop_queues() and
+ieee80211_wake_queue() only without ever calling
+ieee80211_wake_queues().
+
+On ath10k it was possible to hit this problem in
+the following case:
+
+ 1. wlan0 uses queue 0
+ (ath10k maps queues per vif)
+ 2. offchannel uses queue 15
+ 3. queues 1-14 are unused
+ 4. ieee80211_stop_queues()
+ 5. ieee80211_wake_queue(q=0)
+ 6. ieee80211_wake_queue(q=15)
+ (other queues are not woken up because both
+ driver and mac80211 know other queues are
+ unused)
+ 7. ieee80211_rx_h_mesh_fwding()
+ 8. ieee80211_select_queue_80211() returns 2
+ 9. ieee80211_queue_stopped(q=2) returns true
+ 10. frame is dropped (oops!)
+
+Fixes: d3c1597b8d1b ("mac80211: fix forwarded mesh frame queue mapping")
+Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2087,7 +2087,7 @@ ieee80211_rx_h_mesh_fwding(struct ieee80
+ struct ieee80211_sub_if_data *sdata = rx->sdata;
+ struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
+ struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
+- u16 q, hdrlen;
++ u16 ac, q, hdrlen;
+
+ hdr = (struct ieee80211_hdr *) skb->data;
+ hdrlen = ieee80211_hdrlen(hdr->frame_control);
+@@ -2157,7 +2157,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80
+ ether_addr_equal(sdata->vif.addr, hdr->addr3))
+ return RX_CONTINUE;
+
+- q = ieee80211_select_queue_80211(sdata, skb, hdr);
++ ac = ieee80211_select_queue_80211(sdata, skb, hdr);
++ q = sdata->vif.hw_queue[ac];
+ if (ieee80211_queue_stopped(&local->hw, q)) {
+ IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion);
+ return RX_DROP_MONITOR;
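Review bot: After the second hunk `q` holds a hardware queue number instead of a WMM access category, so any later use of `q` in ieee80211_rx_h_mesh_fwding() that still expects an AC index would now get the wrong value. The function continues past the end of this hunk, so those uses are not visible here; the queue mapping assigned to the forwarded skb is the one to check. The lookup `sdata->vif.hw_queue[ac]` also assumes that `ieee80211_select_queue_80211()` never returns an index outside that array and that the selected entry is a usable queue, neither of which this hunk shows. A comment at the lookup would keep the two meanings apart, for example `/* ac is a WMM AC index; ieee80211_queue_stopped() wants the hw queue mapped to it */`.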
ipv4-l2tp-fix-a-potential-issue-in-l2tp_ip_recv.patch
ipv6-l2tp-fix-a-potential-issue-in-l2tp_ip6_recv.patch
ip6_tunnel-set-rtnl_link_ops-before-calling-register_netdevice.patch
+mac80211-fix-unnecessary-frame-drops-in-mesh-fwding.patch
+usb-renesas_usbhs-avoid-null-pointer-derefernce-in-usbhsf_pkt_handler.patch
+usb-renesas_usbhs-disable-tx-irq-before-starting-tx-dmac-transfer.patch
--- /dev/null
+From 894f2fc44f2f3f48c36c973b1123f6ab298be160 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Thu, 10 Mar 2016 11:30:14 +0900
+Subject: usb: renesas_usbhs: avoid NULL pointer derefernce in usbhsf_pkt_handler()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 894f2fc44f2f3f48c36c973b1123f6ab298be160 upstream.
+
+When unexpected situation happened (e.g. tx/rx irq happened while
+DMAC is used), the usbhsf_pkt_handler() was possible to cause NULL
+pointer dereference like the followings:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000000
+pgd = c0004000
+[00000000] *pgd=00000000
+Internal error: Oops: 80000007 [#1] SMP ARM
+Modules linked in: usb_f_acm u_serial g_serial libcomposite
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.5.0-rc6-00842-gac57066-dirty #63
+Hardware name: Generic R8A7790 (Flattened Device Tree)
+task: c0729c00 ti: c0724000 task.ti: c0724000
+PC is at 0x0
+LR is at usbhsf_pkt_handler+0xac/0x118
+pc : [<00000000>] lr : [<c03257e0>] psr: 60000193
+sp : c0725db8 ip : 00000000 fp : c0725df4
+r10: 00000001 r9 : 00000193 r8 : ef3ccab4
+r7 : ef3cca10 r6 : eea4586c r5 : 00000000 r4 : ef19ceb4
+r3 : 00000000 r2 : 0000009c r1 : c0725dc4 r0 : ef19ceb4
+
+This patch adds a condition to avoid the dereference.
+
+Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/fifo.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -166,7 +166,8 @@ static int usbhsf_pkt_handler(struct usb
+ goto __usbhs_pkt_handler_end;
+ }
+
+- ret = func(pkt, &is_done);
++ if (likely(func))
++ ret = func(pkt, &is_done);
+
+ if (is_done)
+ __usbhsf_pkt_del(pkt);
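Review bot: The new `if (likely(func))` guard skips the call silently, so the state the commit message describes (a tx/rx IRQ arriving while the DMAC is in use) no longer crashes but also leaves no trace. When the call is skipped, `ret` and `is_done` keep whatever values they were initialised with; that initialisation is outside this hunk and should be confirmed to be zero, since `is_done` decides whether the packet is deleted. A NULL handler means the pipe state and the interrupt source disagree, so a rate-limited warning on the skipped path would help catch the underlying sequencing problem. At minimum the guard deserves a comment such as `/* func can be NULL if an IRQ fires while the DMAC owns the pipe; skip instead of calling through NULL */`.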
--- /dev/null
+From 6490865c67825277b29638e839850882600b48ec Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Thu, 10 Mar 2016 11:30:15 +0900
+Subject: usb: renesas_usbhs: disable TX IRQ before starting TX DMAC transfer
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 6490865c67825277b29638e839850882600b48ec upstream.
+
+This patch adds a code to surely disable TX IRQ of the pipe before
+starting TX DMAC transfer. Otherwise, a lot of unnecessary TX IRQs
+may happen in rare cases when DMAC is used.
+
+Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/fifo.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -934,6 +934,7 @@ static int usbhsf_dma_try_pop(struct usb
+
+ pkt->trans = len;
+
++ usbhsf_tx_irq_ctrl(pipe, 0);
+ INIT_WORK(&pkt->work, xfer_work);
+ schedule_work(&pkt->work);
+
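Review bot: The added `usbhsf_tx_irq_ctrl(pipe, 0)` has no comment saying why it must come before `schedule_work()`, and the hunk does not show where the pipe's TX IRQ is turned back on if the queued transfer fails or is abandoned. The enclosing function starts and ends outside the hunk, so the re-enable path cannot be checked from here; it should be confirmed that every exit from the DMA path restores the IRQ state the PIO path expects. A comment would record the ordering requirement, for example `/* mask the pipe's TX IRQ before handing the packet to the DMAC so stray TX IRQs cannot race with xfer_work */`.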