From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 17 Apr 2016 10:28:47 +0000 (-0700)
Subject: 3.14-stable patches
X-Git-Tag: v3.14.67~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=012657a2bca57d225822105e322e4979b6a7e392;p=thirdparty%2Fkernel%2Fstable-queue.git

3.14-stable patches

added patches:
	mac80211-fix-unnecessary-frame-drops-in-mesh-fwding.patch
	usb-renesas_usbhs-avoid-null-pointer-derefernce-in-usbhsf_pkt_handler.patch
	usb-renesas_usbhs-disable-tx-irq-before-starting-tx-dmac-transfer.patch
---

diff --git a/queue-3.14/mac80211-fix-unnecessary-frame-drops-in-mesh-fwding.patch b/queue-3.14/mac80211-fix-unnecessary-frame-drops-in-mesh-fwding.patch
new file mode 100644
index 00000000000..f9e513f41d2
--- /dev/null
+++ b/queue-3.14/mac80211-fix-unnecessary-frame-drops-in-mesh-fwding.patch
@@ -0,0 +1,67 @@
+From cf44012810ccdd8fd947518e965cb04b7b8498be Mon Sep 17 00:00:00 2001
+From: Michal Kazior <michal.kazior@tieto.com>
+Date: Mon, 25 Jan 2016 14:43:24 +0100
+Subject: mac80211: fix unnecessary frame drops in mesh fwding
+
+From: Michal Kazior <michal.kazior@tieto.com>
+
+commit cf44012810ccdd8fd947518e965cb04b7b8498be upstream.
+
+The ieee80211_queue_stopped() expects hw queue
+number but it was given raw WMM AC number instead.
+
+This could cause frame drops and problems with
+traffic in some cases - most notably if driver
+doesn't map AC numbers to queue numbers 1:1 and
+uses ieee80211_stop_queues() and
+ieee80211_wake_queue() only without ever calling
+ieee80211_wake_queues().
+
+On ath10k it was possible to hit this problem in
+the following case:
+
+  1. wlan0 uses queue 0
+     (ath10k maps queues per vif)
+  2. offchannel uses queue 15
+  3. queues 1-14 are unused
+  4. ieee80211_stop_queues()
+  5. ieee80211_wake_queue(q=0)
+  6. ieee80211_wake_queue(q=15)
+     (other queues are not woken up because both
+      driver and mac80211 know other queues are
+      unused)
+  7. ieee80211_rx_h_mesh_fwding()
+  8. ieee80211_select_queue_80211() returns 2
+  9. ieee80211_queue_stopped(q=2) returns true
+ 10. frame is dropped (oops!)
+
+Fixes: d3c1597b8d1b ("mac80211: fix forwarded mesh frame queue mapping")
+Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2087,7 +2087,7 @@ ieee80211_rx_h_mesh_fwding(struct ieee80
+ 	struct ieee80211_sub_if_data *sdata = rx->sdata;
+ 	struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
+ 	struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
+-	u16 q, hdrlen;
++	u16 ac, q, hdrlen;
+ 
+ 	hdr = (struct ieee80211_hdr *) skb->data;
+ 	hdrlen = ieee80211_hdrlen(hdr->frame_control);
+@@ -2157,7 +2157,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80
+ 	    ether_addr_equal(sdata->vif.addr, hdr->addr3))
+ 		return RX_CONTINUE;
+ 
+-	q = ieee80211_select_queue_80211(sdata, skb, hdr);
++	ac = ieee80211_select_queue_80211(sdata, skb, hdr);
++	q = sdata->vif.hw_queue[ac];
+ 	if (ieee80211_queue_stopped(&local->hw, q)) {
+ 		IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion);
+ 		return RX_DROP_MONITOR;
diff --git a/queue-3.14/series b/queue-3.14/series
index ccc0cfc843e..2c269afd82b 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -23,3 +23,6 @@ qmi_wwan-add-d-link-dwm-221-b1-device-id.patch
 ipv4-l2tp-fix-a-potential-issue-in-l2tp_ip_recv.patch
 ipv6-l2tp-fix-a-potential-issue-in-l2tp_ip6_recv.patch
 ip6_tunnel-set-rtnl_link_ops-before-calling-register_netdevice.patch
+mac80211-fix-unnecessary-frame-drops-in-mesh-fwding.patch
+usb-renesas_usbhs-avoid-null-pointer-derefernce-in-usbhsf_pkt_handler.patch
+usb-renesas_usbhs-disable-tx-irq-before-starting-tx-dmac-transfer.patch
diff --git a/queue-3.14/usb-renesas_usbhs-avoid-null-pointer-derefernce-in-usbhsf_pkt_handler.patch b/queue-3.14/usb-renesas_usbhs-avoid-null-pointer-derefernce-in-usbhsf_pkt_handler.patch
new file mode 100644
index 00000000000..c3a22e66318
--- /dev/null
+++ b/queue-3.14/usb-renesas_usbhs-avoid-null-pointer-derefernce-in-usbhsf_pkt_handler.patch
@@ -0,0 +1,52 @@
+From 894f2fc44f2f3f48c36c973b1123f6ab298be160 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Thu, 10 Mar 2016 11:30:14 +0900
+Subject: usb: renesas_usbhs: avoid NULL pointer derefernce in usbhsf_pkt_handler()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 894f2fc44f2f3f48c36c973b1123f6ab298be160 upstream.
+
+When unexpected situation happened (e.g. tx/rx irq happened while
+DMAC is used), the usbhsf_pkt_handler() was possible to cause NULL
+pointer dereference like the followings:
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000000
+pgd = c0004000
+[00000000] *pgd=00000000
+Internal error: Oops: 80000007 [#1] SMP ARM
+Modules linked in: usb_f_acm u_serial g_serial libcomposite
+CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.5.0-rc6-00842-gac57066-dirty #63
+Hardware name: Generic R8A7790 (Flattened Device Tree)
+task: c0729c00 ti: c0724000 task.ti: c0724000
+PC is at 0x0
+LR is at usbhsf_pkt_handler+0xac/0x118
+pc : [<00000000>]    lr : [<c03257e0>]    psr: 60000193
+sp : c0725db8  ip : 00000000  fp : c0725df4
+r10: 00000001  r9 : 00000193  r8 : ef3ccab4
+r7 : ef3cca10  r6 : eea4586c  r5 : 00000000  r4 : ef19ceb4
+r3 : 00000000  r2 : 0000009c  r1 : c0725dc4  r0 : ef19ceb4
+
+This patch adds a condition to avoid the dereference.
+
+Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/fifo.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -166,7 +166,8 @@ static int usbhsf_pkt_handler(struct usb
+ 		goto __usbhs_pkt_handler_end;
+ 	}
+ 
+-	ret = func(pkt, &is_done);
++	if (likely(func))
++		ret = func(pkt, &is_done);
+ 
+ 	if (is_done)
+ 		__usbhsf_pkt_del(pkt);
diff --git a/queue-3.14/usb-renesas_usbhs-disable-tx-irq-before-starting-tx-dmac-transfer.patch b/queue-3.14/usb-renesas_usbhs-disable-tx-irq-before-starting-tx-dmac-transfer.patch
new file mode 100644
index 00000000000..2e5c5dfec2a
--- /dev/null
+++ b/queue-3.14/usb-renesas_usbhs-disable-tx-irq-before-starting-tx-dmac-transfer.patch
@@ -0,0 +1,32 @@
+From 6490865c67825277b29638e839850882600b48ec Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Thu, 10 Mar 2016 11:30:15 +0900
+Subject: usb: renesas_usbhs: disable TX IRQ before starting TX DMAC transfer
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 6490865c67825277b29638e839850882600b48ec upstream.
+
+This patch adds a code to surely disable TX IRQ of the pipe before
+starting TX DMAC transfer. Otherwise, a lot of unnecessary TX IRQs
+may happen in rare cases when DMAC is used.
+
+Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/fifo.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -934,6 +934,7 @@ static int usbhsf_dma_try_pop(struct usb
+ 
+ 	pkt->trans = len;
+ 
++	usbhsf_tx_irq_ctrl(pipe, 0);
+ 	INIT_WORK(&pkt->work, xfer_work);
+ 	schedule_work(&pkt->work);
+