From: Greg Kroah-Hartman Date: Fri, 28 Dec 2018 10:42:35 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.19.13~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fe12b4f3b1ce0c10968c38b9b4a2fbdeac583ede;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: iwlwifi-add-new-cards-for-9560-9462-9461-and-killer-series.patch iwlwifi-mvm-don-t-send-geo_tx_power_limit-to-old-firmwares.patch media-ov5640-fix-set-format-regression.patch revert-mwifiex-restructure-rx_reorder_tbl_lock-usage.patch rtlwifi-fix-leak-of-skb-when-processing-c2h_bt_info.patch xfrm_user-fix-freeing-of-xfrm-states-on-acquire.patch --- diff --git a/queue-4.19/iwlwifi-add-new-cards-for-9560-9462-9461-and-killer-series.patch b/queue-4.19/iwlwifi-add-new-cards-for-9560-9462-9461-and-killer-series.patch new file mode 100644 index 00000000000..2b502fcd454 --- /dev/null +++ b/queue-4.19/iwlwifi-add-new-cards-for-9560-9462-9461-and-killer-series.patch @@ -0,0 +1,79 @@ +From f108703cb5f199d0fc98517ac29a997c4c646c94 Mon Sep 17 00:00:00 2001 +From: Ihab Zhaika +Date: Tue, 31 Jul 2018 09:53:09 +0300 +Subject: iwlwifi: add new cards for 9560, 9462, 9461 and killer series + +From: Ihab Zhaika + +commit f108703cb5f199d0fc98517ac29a997c4c646c94 upstream. + +add few PCI ID'S for 9560, 9462, 9461 and killer series. + +Cc: stable@vger.kernel.org +Signed-off-by: Ihab Zhaika +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 50 ++++++++++++++++++++++++++ + 1 file changed, 50 insertions(+) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +@@ -518,6 +518,56 @@ static const struct pci_device_id iwl_hw + {IWL_PCI_DEVICE(0x24FD, 0x9074, iwl8265_2ac_cfg)}, + + /* 9000 Series */ ++ {IWL_PCI_DEVICE(0x02F0, 0x0030, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x0034, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x0038, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x003C, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x0060, iwl9461_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x0064, iwl9461_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x00A0, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x00A4, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x0230, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x0234, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x0238, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x023C, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x0260, iwl9461_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x0264, iwl9461_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x02A0, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x02A4, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x2030, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x2034, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x4030, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x4034, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x40A4, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x4234, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x02F0, 0x42A4, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x0030, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x0034, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x0038, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x003C, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x0060, iwl9461_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x0064, iwl9461_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x00A0, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x00A4, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x0230, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x0234, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x0238, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x023C, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x0260, iwl9461_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x0264, iwl9461_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x02A0, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x02A4, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x1552, iwl9560_killer_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x2030, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x2034, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x4030, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x4034, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x40A4, iwl9462_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x4234, iwl9560_2ac_cfg_soc)}, ++ {IWL_PCI_DEVICE(0x06F0, 0x42A4, iwl9462_2ac_cfg_soc)}, + {IWL_PCI_DEVICE(0x2526, 0x0010, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x0014, iwl9260_2ac_cfg)}, + {IWL_PCI_DEVICE(0x2526, 0x0018, iwl9260_2ac_cfg)}, diff --git a/queue-4.19/iwlwifi-mvm-don-t-send-geo_tx_power_limit-to-old-firmwares.patch b/queue-4.19/iwlwifi-mvm-don-t-send-geo_tx_power_limit-to-old-firmwares.patch new file mode 100644 index 00000000000..d25383a064b --- /dev/null +++ b/queue-4.19/iwlwifi-mvm-don-t-send-geo_tx_power_limit-to-old-firmwares.patch @@ -0,0 +1,43 @@ +From eca1e56ceedd9cc185eb18baf307d3ff2e4af376 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Fri, 14 Dec 2018 18:30:22 +0200 +Subject: iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares + +From: Emmanuel Grumbach + +commit eca1e56ceedd9cc185eb18baf307d3ff2e4af376 upstream. + +Old firmware versions don't support this command. Sending it +to any firmware before -41.ucode will crash the firmware. + +This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201975 + +Fixes: 66e839030fd6 ("iwlwifi: fix wrong WGDS_WIFI_DATA_SIZE") +CC: #4.19+ +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c +@@ -868,6 +868,15 @@ static int iwl_mvm_sar_geo_init(struct i + int ret, i, j; + u16 cmd_wide_id = WIDE_ID(PHY_OPS_GROUP, GEO_TX_POWER_LIMIT); + ++ /* ++ * This command is not supported on earlier firmware versions. ++ * Unfortunately, we don't have a TLV API flag to rely on, so ++ * rely on the major version which is in the first byte of ++ * ucode_ver. ++ */ ++ if (IWL_UCODE_SERIAL(mvm->fw->ucode_ver) < 41) ++ return 0; ++ + ret = iwl_mvm_sar_get_wgds_table(mvm); + if (ret < 0) { + IWL_DEBUG_RADIO(mvm, diff --git a/queue-4.19/media-ov5640-fix-set-format-regression.patch b/queue-4.19/media-ov5640-fix-set-format-regression.patch new file mode 100644 index 00000000000..d75d46644b4 --- /dev/null +++ b/queue-4.19/media-ov5640-fix-set-format-regression.patch @@ -0,0 +1,73 @@ +From 07115449919383548d094ff83cc27bd08639a8a1 Mon Sep 17 00:00:00 2001 +From: Jacopo Mondi +Date: Mon, 3 Dec 2018 03:44:16 -0500 +Subject: media: ov5640: Fix set format regression + +From: Jacopo Mondi + +commit 07115449919383548d094ff83cc27bd08639a8a1 upstream. + +The set_fmt operations updates the sensor format only when the image format +is changed. When only the image sizes gets changed, the format do not get +updated causing the sensor to always report the one that was previously in +use. + +Without this patch, updating frame size only fails: + [fmt:UYVY8_2X8/640x480@1/30 field:none colorspace:srgb xfer:srgb ...] + +With this patch applied: + [fmt:UYVY8_2X8/1024x768@1/30 field:none colorspace:srgb xfer:srgb ...] + +Fixes: 6949d864776e ("media: ov5640: do not change mode if format or frame interval is unchanged") + +Signed-off-by: Jacopo Mondi +Signed-off-by: Maxime Ripard +Tested-by: Adam Ford #imx6 w/ CSI2 interface on 4.19.6 and 4.20-RC5 +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/ov5640.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +--- a/drivers/media/i2c/ov5640.c ++++ b/drivers/media/i2c/ov5640.c +@@ -2020,6 +2020,7 @@ static int ov5640_set_fmt(struct v4l2_su + struct ov5640_dev *sensor = to_ov5640_dev(sd); + const struct ov5640_mode_info *new_mode; + struct v4l2_mbus_framefmt *mbus_fmt = &format->format; ++ struct v4l2_mbus_framefmt *fmt; + int ret; + + if (format->pad != 0) +@@ -2037,22 +2038,20 @@ static int ov5640_set_fmt(struct v4l2_su + if (ret) + goto out; + +- if (format->which == V4L2_SUBDEV_FORMAT_TRY) { +- struct v4l2_mbus_framefmt *fmt = +- v4l2_subdev_get_try_format(sd, cfg, 0); ++ if (format->which == V4L2_SUBDEV_FORMAT_TRY) ++ fmt = v4l2_subdev_get_try_format(sd, cfg, 0); ++ else ++ fmt = &sensor->fmt; + +- *fmt = *mbus_fmt; +- goto out; +- } ++ *fmt = *mbus_fmt; + + if (new_mode != sensor->current_mode) { + sensor->current_mode = new_mode; + sensor->pending_mode_change = true; + } +- if (mbus_fmt->code != sensor->fmt.code) { +- sensor->fmt = *mbus_fmt; ++ if (mbus_fmt->code != sensor->fmt.code) + sensor->pending_fmt_change = true; +- } ++ + out: + mutex_unlock(&sensor->lock); + return ret; diff --git a/queue-4.19/revert-mwifiex-restructure-rx_reorder_tbl_lock-usage.patch b/queue-4.19/revert-mwifiex-restructure-rx_reorder_tbl_lock-usage.patch new file mode 100644 index 00000000000..f448d26945a --- /dev/null +++ b/queue-4.19/revert-mwifiex-restructure-rx_reorder_tbl_lock-usage.patch @@ -0,0 +1,436 @@ +From 1aa48f088615ebfa5e139951a0d3e7dc2c2af4ec Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Fri, 30 Nov 2018 09:59:57 -0800 +Subject: Revert "mwifiex: restructure rx_reorder_tbl_lock usage" + +From: Brian Norris + +commit 1aa48f088615ebfa5e139951a0d3e7dc2c2af4ec upstream. + +This reverts commit 5188d5453bc9380ccd4ae1086138dd485d13aef2, because it +introduced lock recursion: + + BUG: spinlock recursion on CPU#2, kworker/u13:1/395 + lock: 0xffffffc0e28a47f0, .magic: dead4ead, .owner: kworker/u13:1/395, .owner_cpu: 2 + CPU: 2 PID: 395 Comm: kworker/u13:1 Not tainted 4.20.0-rc4+ #2 + Hardware name: Google Kevin (DT) + Workqueue: MWIFIEX_RX_WORK_QUEUE mwifiex_rx_work_queue [mwifiex] + Call trace: + dump_backtrace+0x0/0x140 + show_stack+0x20/0x28 + dump_stack+0x84/0xa4 + spin_bug+0x98/0xa4 + do_raw_spin_lock+0x5c/0xdc + _raw_spin_lock_irqsave+0x38/0x48 + mwifiex_flush_data+0x2c/0xa4 [mwifiex] + call_timer_fn+0xcc/0x1c4 + run_timer_softirq+0x264/0x4f0 + __do_softirq+0x1a8/0x35c + do_softirq+0x54/0x64 + netif_rx_ni+0xe8/0x120 + mwifiex_recv_packet+0xfc/0x10c [mwifiex] + mwifiex_process_rx_packet+0x1d4/0x238 [mwifiex] + mwifiex_11n_dispatch_pkt+0x190/0x1ac [mwifiex] + mwifiex_11n_rx_reorder_pkt+0x28c/0x354 [mwifiex] + mwifiex_process_sta_rx_packet+0x204/0x26c [mwifiex] + mwifiex_handle_rx_packet+0x15c/0x16c [mwifiex] + mwifiex_rx_work_queue+0x104/0x134 [mwifiex] + worker_thread+0x4cc/0x72c + kthread+0x134/0x13c + ret_from_fork+0x10/0x18 + +This was clearly not tested well at all. I simply performed 'wget' in a +loop and it fell over within a few seconds. + +Fixes: 5188d5453bc9 ("mwifiex: restructure rx_reorder_tbl_lock usage") +Cc: +Cc: Ganapathi Bhat +Signed-off-by: Brian Norris +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/mwifiex/11n.c | 5 + drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c | 96 +++++++++---------- + drivers/net/wireless/marvell/mwifiex/uap_txrx.c | 3 + 3 files changed, 51 insertions(+), 53 deletions(-) + +--- a/drivers/net/wireless/marvell/mwifiex/11n.c ++++ b/drivers/net/wireless/marvell/mwifiex/11n.c +@@ -696,11 +696,10 @@ void mwifiex_11n_delba(struct mwifiex_pr + "Send delba to tid=%d, %pM\n", + tid, rx_reor_tbl_ptr->ta); + mwifiex_send_delba(priv, tid, rx_reor_tbl_ptr->ta, 0); +- spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, +- flags); +- return; ++ goto exit; + } + } ++exit: + spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + } + +--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c ++++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c +@@ -103,8 +103,6 @@ static int mwifiex_11n_dispatch_pkt(stru + * There could be holes in the buffer, which are skipped by the function. + * Since the buffer is linear, the function uses rotation to simulate + * circular buffer. +- * +- * The caller must hold rx_reorder_tbl_lock spinlock. + */ + static void + mwifiex_11n_dispatch_pkt_until_start_win(struct mwifiex_private *priv, +@@ -113,21 +111,25 @@ mwifiex_11n_dispatch_pkt_until_start_win + { + int pkt_to_send, i; + void *rx_tmp_ptr; ++ unsigned long flags; + + pkt_to_send = (start_win > tbl->start_win) ? + min((start_win - tbl->start_win), tbl->win_size) : + tbl->win_size; + + for (i = 0; i < pkt_to_send; ++i) { ++ spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); + rx_tmp_ptr = NULL; + if (tbl->rx_reorder_ptr[i]) { + rx_tmp_ptr = tbl->rx_reorder_ptr[i]; + tbl->rx_reorder_ptr[i] = NULL; + } ++ spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + if (rx_tmp_ptr) + mwifiex_11n_dispatch_pkt(priv, rx_tmp_ptr); + } + ++ spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); + /* + * We don't have a circular buffer, hence use rotation to simulate + * circular buffer +@@ -138,6 +140,7 @@ mwifiex_11n_dispatch_pkt_until_start_win + } + + tbl->start_win = start_win; ++ spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + } + + /* +@@ -147,8 +150,6 @@ mwifiex_11n_dispatch_pkt_until_start_win + * The start window is adjusted automatically when a hole is located. + * Since the buffer is linear, the function uses rotation to simulate + * circular buffer. +- * +- * The caller must hold rx_reorder_tbl_lock spinlock. + */ + static void + mwifiex_11n_scan_and_dispatch(struct mwifiex_private *priv, +@@ -156,15 +157,22 @@ mwifiex_11n_scan_and_dispatch(struct mwi + { + int i, j, xchg; + void *rx_tmp_ptr; ++ unsigned long flags; + + for (i = 0; i < tbl->win_size; ++i) { +- if (!tbl->rx_reorder_ptr[i]) ++ spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); ++ if (!tbl->rx_reorder_ptr[i]) { ++ spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, ++ flags); + break; ++ } + rx_tmp_ptr = tbl->rx_reorder_ptr[i]; + tbl->rx_reorder_ptr[i] = NULL; ++ spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + mwifiex_11n_dispatch_pkt(priv, rx_tmp_ptr); + } + ++ spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); + /* + * We don't have a circular buffer, hence use rotation to simulate + * circular buffer +@@ -177,6 +185,7 @@ mwifiex_11n_scan_and_dispatch(struct mwi + } + } + tbl->start_win = (tbl->start_win + i) & (MAX_TID_VALUE - 1); ++ spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + } + + /* +@@ -184,8 +193,6 @@ mwifiex_11n_scan_and_dispatch(struct mwi + * + * The function stops the associated timer and dispatches all the + * pending packets in the Rx reorder table before deletion. +- * +- * The caller must hold rx_reorder_tbl_lock spinlock. + */ + static void + mwifiex_del_rx_reorder_entry(struct mwifiex_private *priv, +@@ -211,7 +218,11 @@ mwifiex_del_rx_reorder_entry(struct mwif + + del_timer_sync(&tbl->timer_context.timer); + tbl->timer_context.timer_is_set = false; ++ ++ spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); + list_del(&tbl->list); ++ spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); ++ + kfree(tbl->rx_reorder_ptr); + kfree(tbl); + +@@ -224,17 +235,22 @@ mwifiex_del_rx_reorder_entry(struct mwif + /* + * This function returns the pointer to an entry in Rx reordering + * table which matches the given TA/TID pair. +- * +- * The caller must hold rx_reorder_tbl_lock spinlock. + */ + struct mwifiex_rx_reorder_tbl * + mwifiex_11n_get_rx_reorder_tbl(struct mwifiex_private *priv, int tid, u8 *ta) + { + struct mwifiex_rx_reorder_tbl *tbl; ++ unsigned long flags; + +- list_for_each_entry(tbl, &priv->rx_reorder_tbl_ptr, list) +- if (!memcmp(tbl->ta, ta, ETH_ALEN) && tbl->tid == tid) ++ spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); ++ list_for_each_entry(tbl, &priv->rx_reorder_tbl_ptr, list) { ++ if (!memcmp(tbl->ta, ta, ETH_ALEN) && tbl->tid == tid) { ++ spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, ++ flags); + return tbl; ++ } ++ } ++ spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + + return NULL; + } +@@ -251,9 +267,14 @@ void mwifiex_11n_del_rx_reorder_tbl_by_t + return; + + spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); +- list_for_each_entry_safe(tbl, tmp, &priv->rx_reorder_tbl_ptr, list) +- if (!memcmp(tbl->ta, ta, ETH_ALEN)) ++ list_for_each_entry_safe(tbl, tmp, &priv->rx_reorder_tbl_ptr, list) { ++ if (!memcmp(tbl->ta, ta, ETH_ALEN)) { ++ spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, ++ flags); + mwifiex_del_rx_reorder_entry(priv, tbl); ++ spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); ++ } ++ } + spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + + return; +@@ -262,18 +283,24 @@ void mwifiex_11n_del_rx_reorder_tbl_by_t + /* + * This function finds the last sequence number used in the packets + * buffered in Rx reordering table. +- * +- * The caller must hold rx_reorder_tbl_lock spinlock. + */ + static int + mwifiex_11n_find_last_seq_num(struct reorder_tmr_cnxt *ctx) + { + struct mwifiex_rx_reorder_tbl *rx_reorder_tbl_ptr = ctx->ptr; ++ struct mwifiex_private *priv = ctx->priv; ++ unsigned long flags; + int i; + +- for (i = rx_reorder_tbl_ptr->win_size - 1; i >= 0; --i) +- if (rx_reorder_tbl_ptr->rx_reorder_ptr[i]) ++ spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); ++ for (i = rx_reorder_tbl_ptr->win_size - 1; i >= 0; --i) { ++ if (rx_reorder_tbl_ptr->rx_reorder_ptr[i]) { ++ spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, ++ flags); + return i; ++ } ++ } ++ spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + + return -1; + } +@@ -291,22 +318,17 @@ mwifiex_flush_data(struct timer_list *t) + struct reorder_tmr_cnxt *ctx = + from_timer(ctx, t, timer); + int start_win, seq_num; +- unsigned long flags; + + ctx->timer_is_set = false; +- spin_lock_irqsave(&ctx->priv->rx_reorder_tbl_lock, flags); + seq_num = mwifiex_11n_find_last_seq_num(ctx); + +- if (seq_num < 0) { +- spin_unlock_irqrestore(&ctx->priv->rx_reorder_tbl_lock, flags); ++ if (seq_num < 0) + return; +- } + + mwifiex_dbg(ctx->priv->adapter, INFO, "info: flush data %d\n", seq_num); + start_win = (ctx->ptr->start_win + seq_num + 1) & (MAX_TID_VALUE - 1); + mwifiex_11n_dispatch_pkt_until_start_win(ctx->priv, ctx->ptr, + start_win); +- spin_unlock_irqrestore(&ctx->priv->rx_reorder_tbl_lock, flags); + } + + /* +@@ -333,14 +355,11 @@ mwifiex_11n_create_rx_reorder_tbl(struct + * If we get a TID, ta pair which is already present dispatch all the + * the packets and move the window size until the ssn + */ +- spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); + tbl = mwifiex_11n_get_rx_reorder_tbl(priv, tid, ta); + if (tbl) { + mwifiex_11n_dispatch_pkt_until_start_win(priv, tbl, seq_num); +- spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + return; + } +- spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + /* if !tbl then create one */ + new_node = kzalloc(sizeof(struct mwifiex_rx_reorder_tbl), GFP_KERNEL); + if (!new_node) +@@ -551,20 +570,16 @@ int mwifiex_11n_rx_reorder_pkt(struct mw + int prev_start_win, start_win, end_win, win_size; + u16 pkt_index; + bool init_window_shift = false; +- unsigned long flags; + int ret = 0; + +- spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); + tbl = mwifiex_11n_get_rx_reorder_tbl(priv, tid, ta); + if (!tbl) { +- spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + if (pkt_type != PKT_TYPE_BAR) + mwifiex_11n_dispatch_pkt(priv, payload); + return ret; + } + + if ((pkt_type == PKT_TYPE_AMSDU) && !tbl->amsdu) { +- spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + mwifiex_11n_dispatch_pkt(priv, payload); + return ret; + } +@@ -651,8 +666,6 @@ done: + if (!tbl->timer_context.timer_is_set || + prev_start_win != tbl->start_win) + mwifiex_11n_rxreorder_timer_restart(tbl); +- +- spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + return ret; + } + +@@ -681,18 +694,14 @@ mwifiex_del_ba_tbl(struct mwifiex_privat + peer_mac, tid, initiator); + + if (cleanup_rx_reorder_tbl) { +- spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); + tbl = mwifiex_11n_get_rx_reorder_tbl(priv, tid, + peer_mac); + if (!tbl) { +- spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, +- flags); + mwifiex_dbg(priv->adapter, EVENT, + "event: TID, TA not found in table\n"); + return; + } + mwifiex_del_rx_reorder_entry(priv, tbl); +- spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + } else { + ptx_tbl = mwifiex_get_ba_tbl(priv, tid, peer_mac); + if (!ptx_tbl) { +@@ -726,7 +735,6 @@ int mwifiex_ret_11n_addba_resp(struct mw + int tid, win_size; + struct mwifiex_rx_reorder_tbl *tbl; + uint16_t block_ack_param_set; +- unsigned long flags; + + block_ack_param_set = le16_to_cpu(add_ba_rsp->block_ack_param_set); + +@@ -740,20 +748,17 @@ int mwifiex_ret_11n_addba_resp(struct mw + mwifiex_dbg(priv->adapter, ERROR, "ADDBA RSP: failed %pM tid=%d)\n", + add_ba_rsp->peer_mac_addr, tid); + +- spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); + tbl = mwifiex_11n_get_rx_reorder_tbl(priv, tid, + add_ba_rsp->peer_mac_addr); + if (tbl) + mwifiex_del_rx_reorder_entry(priv, tbl); + +- spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + return 0; + } + + win_size = (block_ack_param_set & IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK) + >> BLOCKACKPARAM_WINSIZE_POS; + +- spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); + tbl = mwifiex_11n_get_rx_reorder_tbl(priv, tid, + add_ba_rsp->peer_mac_addr); + if (tbl) { +@@ -764,7 +769,6 @@ int mwifiex_ret_11n_addba_resp(struct mw + else + tbl->amsdu = false; + } +- spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + + mwifiex_dbg(priv->adapter, CMD, + "cmd: ADDBA RSP: %pM tid=%d ssn=%d win_size=%d\n", +@@ -804,8 +808,11 @@ void mwifiex_11n_cleanup_reorder_tbl(str + + spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); + list_for_each_entry_safe(del_tbl_ptr, tmp_node, +- &priv->rx_reorder_tbl_ptr, list) ++ &priv->rx_reorder_tbl_ptr, list) { ++ spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + mwifiex_del_rx_reorder_entry(priv, del_tbl_ptr); ++ spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); ++ } + INIT_LIST_HEAD(&priv->rx_reorder_tbl_ptr); + spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + +@@ -929,7 +936,6 @@ void mwifiex_11n_rxba_sync_event(struct + int tlv_buf_left = len; + int ret; + u8 *tmp; +- unsigned long flags; + + mwifiex_dbg_dump(priv->adapter, EVT_D, "RXBA_SYNC event:", + event_buf, len); +@@ -949,18 +955,14 @@ void mwifiex_11n_rxba_sync_event(struct + tlv_rxba->mac, tlv_rxba->tid, tlv_seq_num, + tlv_bitmap_len); + +- spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); + rx_reor_tbl_ptr = + mwifiex_11n_get_rx_reorder_tbl(priv, tlv_rxba->tid, + tlv_rxba->mac); + if (!rx_reor_tbl_ptr) { +- spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, +- flags); + mwifiex_dbg(priv->adapter, ERROR, + "Can not find rx_reorder_tbl!"); + return; + } +- spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + + for (i = 0; i < tlv_bitmap_len; i++) { + for (j = 0 ; j < 8; j++) { +--- a/drivers/net/wireless/marvell/mwifiex/uap_txrx.c ++++ b/drivers/net/wireless/marvell/mwifiex/uap_txrx.c +@@ -421,15 +421,12 @@ int mwifiex_process_uap_rx_packet(struct + spin_unlock_irqrestore(&priv->sta_list_spinlock, flags); + } + +- spin_lock_irqsave(&priv->rx_reorder_tbl_lock, flags); + if (!priv->ap_11n_enabled || + (!mwifiex_11n_get_rx_reorder_tbl(priv, uap_rx_pd->priority, ta) && + (le16_to_cpu(uap_rx_pd->rx_pkt_type) != PKT_TYPE_AMSDU))) { + ret = mwifiex_handle_uap_rx_forward(priv, skb); +- spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + return ret; + } +- spin_unlock_irqrestore(&priv->rx_reorder_tbl_lock, flags); + + /* Reorder and send to kernel */ + pkt_type = (u8)le16_to_cpu(uap_rx_pd->rx_pkt_type); diff --git a/queue-4.19/rtlwifi-fix-leak-of-skb-when-processing-c2h_bt_info.patch b/queue-4.19/rtlwifi-fix-leak-of-skb-when-processing-c2h_bt_info.patch new file mode 100644 index 00000000000..fa913daff00 --- /dev/null +++ b/queue-4.19/rtlwifi-fix-leak-of-skb-when-processing-c2h_bt_info.patch @@ -0,0 +1,42 @@ +From 8cfa272b0d321160ebb5b45073e39ef0a6ad73f2 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Sat, 17 Nov 2018 20:55:03 -0600 +Subject: rtlwifi: Fix leak of skb when processing C2H_BT_INFO +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Larry Finger + +commit 8cfa272b0d321160ebb5b45073e39ef0a6ad73f2 upstream. + +With commit 0a9f8f0a1ba9 ("rtlwifi: fix btmpinfo timeout while processing +C2H_BT_INFO"), calling rtl_c2hcmd_enqueue() with rtl_c2h_fast_cmd() true, +the routine returns without freeing that skb, thereby leaking it. + +This issue has been discussed at https://github.com/lwfinger/rtlwifi_new/issues/401 +and the fix tested there. + +Fixes: 0a9f8f0a1ba9 ("rtlwifi: fix btmpinfo timeout while processing C2H_BT_INFO") +Reported-and-tested-by: Francisco Machado Magalhães Neto +Cc: Francisco Machado Magalhães Neto +Cc: Ping-Ke Shih +Cc: Stable # 4.18+ +Signed-off-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/base.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/realtek/rtlwifi/base.c ++++ b/drivers/net/wireless/realtek/rtlwifi/base.c +@@ -2289,6 +2289,7 @@ void rtl_c2hcmd_enqueue(struct ieee80211 + + if (rtl_c2h_fast_cmd(hw, skb)) { + rtl_c2h_content_parsing(hw, skb); ++ kfree_skb(skb); + return; + } + diff --git a/queue-4.19/series b/queue-4.19/series index 93f2c563367..7aa10852468 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -31,3 +31,9 @@ panic-avoid-deadlocks-in-re-entrant-console-drivers.patch mm-add-mm_pxd_folded-checks-to-pgtable_bytes-account.patch mm-make-the-__pagetable_pxd_folded-defines-non-empty.patch mm-introduce-mm_-p4d-pud-pmd-_folded.patch +xfrm_user-fix-freeing-of-xfrm-states-on-acquire.patch +rtlwifi-fix-leak-of-skb-when-processing-c2h_bt_info.patch +iwlwifi-mvm-don-t-send-geo_tx_power_limit-to-old-firmwares.patch +revert-mwifiex-restructure-rx_reorder_tbl_lock-usage.patch +iwlwifi-add-new-cards-for-9560-9462-9461-and-killer-series.patch +media-ov5640-fix-set-format-regression.patch diff --git a/queue-4.19/xfrm_user-fix-freeing-of-xfrm-states-on-acquire.patch b/queue-4.19/xfrm_user-fix-freeing-of-xfrm-states-on-acquire.patch new file mode 100644 index 00000000000..d341ac720b9 --- /dev/null +++ b/queue-4.19/xfrm_user-fix-freeing-of-xfrm-states-on-acquire.patch @@ -0,0 +1,83 @@ +From 4a135e538962cb00a9667c82e7d2b9e4d7cd7177 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Wed, 21 Nov 2018 21:09:23 +0100 +Subject: xfrm_user: fix freeing of xfrm states on acquire + +From: Mathias Krause + +commit 4a135e538962cb00a9667c82e7d2b9e4d7cd7177 upstream. + +Commit 565f0fa902b6 ("xfrm: use a dedicated slab cache for struct +xfrm_state") moved xfrm state objects to use their own slab cache. +However, it missed to adapt xfrm_user to use this new cache when +freeing xfrm states. + +Fix this by introducing and make use of a new helper for freeing +xfrm_state objects. + +Fixes: 565f0fa902b6 ("xfrm: use a dedicated slab cache for struct xfrm_state") +Reported-by: Pan Bian +Cc: # v4.18+ +Signed-off-by: Mathias Krause +Acked-by: Herbert Xu +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/xfrm.h | 1 + + net/xfrm/xfrm_state.c | 8 +++++++- + net/xfrm/xfrm_user.c | 4 ++-- + 3 files changed, 10 insertions(+), 3 deletions(-) + +--- a/include/net/xfrm.h ++++ b/include/net/xfrm.h +@@ -1552,6 +1552,7 @@ int xfrm_state_walk(struct net *net, str + int (*func)(struct xfrm_state *, int, void*), void *); + void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net); + struct xfrm_state *xfrm_state_alloc(struct net *net); ++void xfrm_state_free(struct xfrm_state *x); + struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr, + const xfrm_address_t *saddr, + const struct flowi *fl, +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -426,6 +426,12 @@ static void xfrm_put_mode(struct xfrm_mo + module_put(mode->owner); + } + ++void xfrm_state_free(struct xfrm_state *x) ++{ ++ kmem_cache_free(xfrm_state_cache, x); ++} ++EXPORT_SYMBOL(xfrm_state_free); ++ + static void xfrm_state_gc_destroy(struct xfrm_state *x) + { + tasklet_hrtimer_cancel(&x->mtimer); +@@ -452,7 +458,7 @@ static void xfrm_state_gc_destroy(struct + } + xfrm_dev_state_free(x); + security_xfrm_state_free(x); +- kmem_cache_free(xfrm_state_cache, x); ++ xfrm_state_free(x); + } + + static void xfrm_state_gc_task(struct work_struct *work) +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -2288,13 +2288,13 @@ static int xfrm_add_acquire(struct sk_bu + + } + +- kfree(x); ++ xfrm_state_free(x); + kfree(xp); + + return 0; + + free_state: +- kfree(x); ++ xfrm_state_free(x); + nomem: + return err; + }