From 891c870b82de9b8f2c17abb6d4435cee73d501e5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 23 Feb 2023 10:11:20 +0100 Subject: [PATCH] 4.19-stable patches added patches: alarmtimer-prevent-starvation-by-small-intervals-and-sig_ign.patch drm-i915-gvt-fix-double-free-bug-in-split_2mb_gtt_entry.patch mac80211-mesh-embedd-mesh_paths-and-mpp_paths-into-ieee80211_if_mesh.patch --- ...ation-by-small-intervals-and-sig_ign.patch | 132 +++++++ ...uble-free-bug-in-split_2mb_gtt_entry.patch | 63 ++++ ...and-mpp_paths-into-ieee80211_if_mesh.patch | 328 ++++++++++++++++++ queue-4.19/series | 3 + 4 files changed, 526 insertions(+) create mode 100644 queue-4.19/alarmtimer-prevent-starvation-by-small-intervals-and-sig_ign.patch create mode 100644 queue-4.19/drm-i915-gvt-fix-double-free-bug-in-split_2mb_gtt_entry.patch create mode 100644 queue-4.19/mac80211-mesh-embedd-mesh_paths-and-mpp_paths-into-ieee80211_if_mesh.patch diff --git a/queue-4.19/alarmtimer-prevent-starvation-by-small-intervals-and-sig_ign.patch b/queue-4.19/alarmtimer-prevent-starvation-by-small-intervals-and-sig_ign.patch new file mode 100644 index 00000000000..2656d39f071 --- /dev/null +++ b/queue-4.19/alarmtimer-prevent-starvation-by-small-intervals-and-sig_ign.patch @@ -0,0 +1,132 @@ +From d125d1349abeb46945dc5e98f7824bf688266f13 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Thu, 9 Feb 2023 23:25:49 +0100 +Subject: alarmtimer: Prevent starvation by small intervals and SIG_IGN + +From: Thomas Gleixner + +commit d125d1349abeb46945dc5e98f7824bf688266f13 upstream. + +syzbot reported a RCU stall which is caused by setting up an alarmtimer +with a very small interval and ignoring the signal. The reproducer arms the +alarm timer with a relative expiry of 8ns and an interval of 9ns. Not a +problem per se, but that's an issue when the signal is ignored because then +the timer is immediately rearmed because there is no way to delay that +rearming to the signal delivery path. See posix_timer_fn() and commit +58229a189942 ("posix-timers: Prevent softirq starvation by small intervals +and SIG_IGN") for details. + +The reproducer does not set SIG_IGN explicitely, but it sets up the timers +signal with SIGCONT. That has the same effect as explicitely setting +SIG_IGN for a signal as SIGCONT is ignored if there is no handler set and +the task is not ptraced. + +The log clearly shows that: + + [pid 5102] --- SIGCONT {si_signo=SIGCONT, si_code=SI_TIMER, si_timerid=0, si_overrun=316014, si_int=0, si_ptr=NULL} --- + +It works because the tasks are traced and therefore the signal is queued so +the tracer can see it, which delays the restart of the timer to the signal +delivery path. But then the tracer is killed: + + [pid 5087] kill(-5102, SIGKILL + ... + ./strace-static-x86_64: Process 5107 detached + +and after it's gone the stall can be observed: + + syzkaller login: [ 79.439102][ C0] hrtimer: interrupt took 68471 ns + [ 184.460538][ C1] rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: + ... + [ 184.658237][ C1] rcu: Stack dump where RCU GP kthread last ran: + [ 184.664574][ C1] Sending NMI from CPU 1 to CPUs 0: + [ 184.669821][ C0] NMI backtrace for cpu 0 + [ 184.669831][ C0] CPU: 0 PID: 5108 Comm: syz-executor192 Not tainted 6.2.0-rc6-next-20230203-syzkaller #0 + ... + [ 184.670036][ C0] Call Trace: + [ 184.670041][ C0] + [ 184.670045][ C0] alarmtimer_fired+0x327/0x670 + +posix_timer_fn() prevents that by checking whether the interval for +timers which have the signal ignored is smaller than a jiffie and +artifically delay it by shifting the next expiry out by a jiffie. That's +accurate vs. the overrun accounting, but slightly inaccurate +vs. timer_gettimer(2). + +The comment in that function says what needs to be done and there was a fix +available for the regular userspace induced SIG_IGN mechanism, but that did +not work due to the implicit ignore for SIGCONT and similar signals. This +needs to be worked on, but for now the only available workaround is to do +exactly what posix_timer_fn() does: + +Increase the interval of self-rearming timers, which have their signal +ignored, to at least a jiffie. + +Interestingly this has been fixed before via commit ff86bf0c65f1 +("alarmtimer: Rate limit periodic intervals") already, but that fix got +lost in a later rework. + +Reported-by: syzbot+b9564ba6e8e00694511b@syzkaller.appspotmail.com +Fixes: f2c45807d399 ("alarmtimer: Switch over to generic set/get/rearm routine") +Signed-off-by: Thomas Gleixner +Acked-by: John Stultz +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/87k00q1no2.ffs@tglx +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/alarmtimer.c | 33 +++++++++++++++++++++++++++++---- + 1 file changed, 29 insertions(+), 4 deletions(-) + +--- a/kernel/time/alarmtimer.c ++++ b/kernel/time/alarmtimer.c +@@ -476,11 +476,35 @@ u64 alarm_forward(struct alarm *alarm, k + } + EXPORT_SYMBOL_GPL(alarm_forward); + +-u64 alarm_forward_now(struct alarm *alarm, ktime_t interval) ++static u64 __alarm_forward_now(struct alarm *alarm, ktime_t interval, bool throttle) + { + struct alarm_base *base = &alarm_bases[alarm->type]; ++ ktime_t now = base->gettime(); ++ ++ if (IS_ENABLED(CONFIG_HIGH_RES_TIMERS) && throttle) { ++ /* ++ * Same issue as with posix_timer_fn(). Timers which are ++ * periodic but the signal is ignored can starve the system ++ * with a very small interval. The real fix which was ++ * promised in the context of posix_timer_fn() never ++ * materialized, but someone should really work on it. ++ * ++ * To prevent DOS fake @now to be 1 jiffie out which keeps ++ * the overrun accounting correct but creates an ++ * inconsistency vs. timer_gettime(2). ++ */ ++ ktime_t kj = NSEC_PER_SEC / HZ; ++ ++ if (interval < kj) ++ now = ktime_add(now, kj); ++ } ++ ++ return alarm_forward(alarm, now, interval); ++} + +- return alarm_forward(alarm, base->gettime(), interval); ++u64 alarm_forward_now(struct alarm *alarm, ktime_t interval) ++{ ++ return __alarm_forward_now(alarm, interval, false); + } + EXPORT_SYMBOL_GPL(alarm_forward_now); + +@@ -554,9 +578,10 @@ static enum alarmtimer_restart alarm_han + if (posix_timer_event(ptr, si_private) && ptr->it_interval) { + /* + * Handle ignored signals and rearm the timer. This will go +- * away once we handle ignored signals proper. ++ * away once we handle ignored signals proper. Ensure that ++ * small intervals cannot starve the system. + */ +- ptr->it_overrun += alarm_forward_now(alarm, ptr->it_interval); ++ ptr->it_overrun += __alarm_forward_now(alarm, ptr->it_interval, true); + ++ptr->it_requeue_pending; + ptr->it_active = 1; + result = ALARMTIMER_RESTART; diff --git a/queue-4.19/drm-i915-gvt-fix-double-free-bug-in-split_2mb_gtt_entry.patch b/queue-4.19/drm-i915-gvt-fix-double-free-bug-in-split_2mb_gtt_entry.patch new file mode 100644 index 00000000000..1c97ff66aba --- /dev/null +++ b/queue-4.19/drm-i915-gvt-fix-double-free-bug-in-split_2mb_gtt_entry.patch @@ -0,0 +1,63 @@ +From 4a61648af68f5ba4884f0e3b494ee1cabc4b6620 Mon Sep 17 00:00:00 2001 +From: Zheng Wang +Date: Fri, 30 Dec 2022 00:56:41 +0800 +Subject: drm/i915/gvt: fix double free bug in split_2MB_gtt_entry + +From: Zheng Wang + +commit 4a61648af68f5ba4884f0e3b494ee1cabc4b6620 upstream. + +If intel_gvt_dma_map_guest_page failed, it will call +ppgtt_invalidate_spt, which will finally free the spt. +But the caller function ppgtt_populate_spt_by_guest_entry +does not notice that, it will free spt again in its error +path. + +Fix this by canceling the mapping of DMA address and freeing sub_spt. +Besides, leave the handle of spt destroy to caller function instead +of callee function when error occurs. + +Fixes: b901b252b6cf ("drm/i915/gvt: Add 2M huge gtt support") +Signed-off-by: Zheng Wang +Reviewed-by: Zhenyu Wang +Signed-off-by: Zhenyu Wang +Link: http://patchwork.freedesktop.org/patch/msgid/20221229165641.1192455-1-zyytlz.wz@163.com +Signed-off-by: Ovidiu Panait +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/i915/gvt/gtt.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/i915/gvt/gtt.c ++++ b/drivers/gpu/drm/i915/gvt/gtt.c +@@ -1155,10 +1155,8 @@ static int split_2MB_gtt_entry(struct in + for_each_shadow_entry(sub_spt, &sub_se, sub_index) { + ret = intel_gvt_hypervisor_dma_map_guest_page(vgpu, + start_gfn + sub_index, PAGE_SIZE, &dma_addr); +- if (ret) { +- ppgtt_invalidate_spt(spt); +- return ret; +- } ++ if (ret) ++ goto err; + sub_se.val64 = se->val64; + + /* Copy the PAT field from PDE. */ +@@ -1177,6 +1175,17 @@ static int split_2MB_gtt_entry(struct in + ops->set_pfn(se, sub_spt->shadow_page.mfn); + ppgtt_set_shadow_entry(spt, se, index); + return 0; ++err: ++ /* Cancel the existing addess mappings of DMA addr. */ ++ for_each_present_shadow_entry(sub_spt, &sub_se, sub_index) { ++ gvt_vdbg_mm("invalidate 4K entry\n"); ++ ppgtt_invalidate_pte(sub_spt, &sub_se); ++ } ++ /* Release the new allocated spt. */ ++ trace_spt_change(sub_spt->vgpu->id, "release", sub_spt, ++ sub_spt->guest_page.gfn, sub_spt->shadow_page.type); ++ ppgtt_free_spt(sub_spt); ++ return ret; + } + + static int split_64KB_gtt_entry(struct intel_vgpu *vgpu, diff --git a/queue-4.19/mac80211-mesh-embedd-mesh_paths-and-mpp_paths-into-ieee80211_if_mesh.patch b/queue-4.19/mac80211-mesh-embedd-mesh_paths-and-mpp_paths-into-ieee80211_if_mesh.patch new file mode 100644 index 00000000000..28ac105ccf5 --- /dev/null +++ b/queue-4.19/mac80211-mesh-embedd-mesh_paths-and-mpp_paths-into-ieee80211_if_mesh.patch @@ -0,0 +1,328 @@ +From 8b5cb7e41d9d77ffca036b0239177de123394a55 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 30 Dec 2021 22:55:47 +0300 +Subject: mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh + +From: Pavel Skripkin + +commit 8b5cb7e41d9d77ffca036b0239177de123394a55 upstream. + +Syzbot hit NULL deref in rhashtable_free_and_destroy(). The problem was +in mesh_paths and mpp_paths being NULL. + +mesh_pathtbl_init() could fail in case of memory allocation failure, but +nobody cared, since ieee80211_mesh_init_sdata() returns void. It led to +leaving 2 pointers as NULL. Syzbot has found null deref on exit path, +but it could happen anywhere else, because code assumes these pointers are +valid. + +Since all ieee80211_*_setup_sdata functions are void and do not fail, +let's embedd mesh_paths and mpp_paths into parent struct to avoid +adding error handling on higher levels and follow the pattern of others +setup_sdata functions + +Fixes: 60854fd94573 ("mac80211: mesh: convert path table to rhashtable") +Reported-and-tested-by: syzbot+860268315ba86ea6b96b@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Link: https://lore.kernel.org/r/20211230195547.23977-1-paskripkin@gmail.com +Signed-off-by: Johannes Berg +[pchelkin@ispras.ru: adapt a comment spell fixing issue] +Signed-off-by: Fedor Pchelkin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ieee80211_i.h | 24 ++++++++++- + net/mac80211/mesh.h | 22 ---------- + net/mac80211/mesh_pathtbl.c | 91 +++++++++++++++----------------------------- + 3 files changed, 55 insertions(+), 82 deletions(-) + +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -627,6 +627,26 @@ struct mesh_csa_settings { + struct cfg80211_csa_settings settings; + }; + ++/** ++ * struct mesh_table ++ * ++ * @known_gates: list of known mesh gates and their mpaths by the station. The ++ * gate's mpath may or may not be resolved and active. ++ * @gates_lock: protects updates to known_gates ++ * @rhead: the rhashtable containing struct mesh_paths, keyed by dest addr ++ * @walk_head: linked list containing all mesh_path objects ++ * @walk_lock: lock protecting walk_head ++ * @entries: number of entries in the table ++ */ ++struct mesh_table { ++ struct hlist_head known_gates; ++ spinlock_t gates_lock; ++ struct rhashtable rhead; ++ struct hlist_head walk_head; ++ spinlock_t walk_lock; ++ atomic_t entries; /* Up to MAX_MESH_NEIGHBOURS */ ++}; ++ + struct ieee80211_if_mesh { + struct timer_list housekeeping_timer; + struct timer_list mesh_path_timer; +@@ -701,8 +721,8 @@ struct ieee80211_if_mesh { + /* offset from skb->data while building IE */ + int meshconf_offset; + +- struct mesh_table *mesh_paths; +- struct mesh_table *mpp_paths; /* Store paths for MPP&MAP */ ++ struct mesh_table mesh_paths; ++ struct mesh_table mpp_paths; /* Store paths for MPP&MAP */ + int mesh_paths_generation; + int mpp_paths_generation; + }; +--- a/net/mac80211/mesh.h ++++ b/net/mac80211/mesh.h +@@ -128,26 +128,6 @@ struct mesh_path { + bool is_gate; + }; + +-/** +- * struct mesh_table +- * +- * @known_gates: list of known mesh gates and their mpaths by the station. The +- * gate's mpath may or may not be resolved and active. +- * @gates_lock: protects updates to known_gates +- * @rhead: the rhashtable containing struct mesh_paths, keyed by dest addr +- * @walk_head: linked list containging all mesh_path objects +- * @walk_lock: lock protecting walk_head +- * @entries: number of entries in the table +- */ +-struct mesh_table { +- struct hlist_head known_gates; +- spinlock_t gates_lock; +- struct rhashtable rhead; +- struct hlist_head walk_head; +- spinlock_t walk_lock; +- atomic_t entries; /* Up to MAX_MESH_NEIGHBOURS */ +-}; +- + /* Recent multicast cache */ + /* RMC_BUCKETS must be a power of 2, maximum 256 */ + #define RMC_BUCKETS 256 +@@ -300,7 +280,7 @@ int mesh_path_error_tx(struct ieee80211_ + void mesh_path_assign_nexthop(struct mesh_path *mpath, struct sta_info *sta); + void mesh_path_flush_pending(struct mesh_path *mpath); + void mesh_path_tx_pending(struct mesh_path *mpath); +-int mesh_pathtbl_init(struct ieee80211_sub_if_data *sdata); ++void mesh_pathtbl_init(struct ieee80211_sub_if_data *sdata); + void mesh_pathtbl_unregister(struct ieee80211_sub_if_data *sdata); + int mesh_path_del(struct ieee80211_sub_if_data *sdata, const u8 *addr); + void mesh_path_timer(struct timer_list *t); +--- a/net/mac80211/mesh_pathtbl.c ++++ b/net/mac80211/mesh_pathtbl.c +@@ -50,32 +50,24 @@ static void mesh_path_rht_free(void *ptr + mesh_path_free_rcu(tbl, mpath); + } + +-static struct mesh_table *mesh_table_alloc(void) ++static void mesh_table_init(struct mesh_table *tbl) + { +- struct mesh_table *newtbl; +- +- newtbl = kmalloc(sizeof(struct mesh_table), GFP_ATOMIC); +- if (!newtbl) +- return NULL; +- +- INIT_HLIST_HEAD(&newtbl->known_gates); +- INIT_HLIST_HEAD(&newtbl->walk_head); +- atomic_set(&newtbl->entries, 0); +- spin_lock_init(&newtbl->gates_lock); +- spin_lock_init(&newtbl->walk_lock); +- if (rhashtable_init(&newtbl->rhead, &mesh_rht_params)) { +- kfree(newtbl); +- return NULL; +- } +- +- return newtbl; ++ INIT_HLIST_HEAD(&tbl->known_gates); ++ INIT_HLIST_HEAD(&tbl->walk_head); ++ atomic_set(&tbl->entries, 0); ++ spin_lock_init(&tbl->gates_lock); ++ spin_lock_init(&tbl->walk_lock); ++ ++ /* rhashtable_init() may fail only in case of wrong ++ * mesh_rht_params ++ */ ++ WARN_ON(rhashtable_init(&tbl->rhead, &mesh_rht_params)); + } + + static void mesh_table_free(struct mesh_table *tbl) + { + rhashtable_free_and_destroy(&tbl->rhead, + mesh_path_rht_free, tbl); +- kfree(tbl); + } + + /** +@@ -243,13 +235,13 @@ static struct mesh_path *mpath_lookup(st + struct mesh_path * + mesh_path_lookup(struct ieee80211_sub_if_data *sdata, const u8 *dst) + { +- return mpath_lookup(sdata->u.mesh.mesh_paths, dst, sdata); ++ return mpath_lookup(&sdata->u.mesh.mesh_paths, dst, sdata); + } + + struct mesh_path * + mpp_path_lookup(struct ieee80211_sub_if_data *sdata, const u8 *dst) + { +- return mpath_lookup(sdata->u.mesh.mpp_paths, dst, sdata); ++ return mpath_lookup(&sdata->u.mesh.mpp_paths, dst, sdata); + } + + static struct mesh_path * +@@ -286,7 +278,7 @@ __mesh_path_lookup_by_idx(struct mesh_ta + struct mesh_path * + mesh_path_lookup_by_idx(struct ieee80211_sub_if_data *sdata, int idx) + { +- return __mesh_path_lookup_by_idx(sdata->u.mesh.mesh_paths, idx); ++ return __mesh_path_lookup_by_idx(&sdata->u.mesh.mesh_paths, idx); + } + + /** +@@ -301,7 +293,7 @@ mesh_path_lookup_by_idx(struct ieee80211 + struct mesh_path * + mpp_path_lookup_by_idx(struct ieee80211_sub_if_data *sdata, int idx) + { +- return __mesh_path_lookup_by_idx(sdata->u.mesh.mpp_paths, idx); ++ return __mesh_path_lookup_by_idx(&sdata->u.mesh.mpp_paths, idx); + } + + /** +@@ -314,7 +306,7 @@ int mesh_path_add_gate(struct mesh_path + int err; + + rcu_read_lock(); +- tbl = mpath->sdata->u.mesh.mesh_paths; ++ tbl = &mpath->sdata->u.mesh.mesh_paths; + + spin_lock_bh(&mpath->state_lock); + if (mpath->is_gate) { +@@ -424,7 +416,7 @@ struct mesh_path *mesh_path_add(struct i + if (!new_mpath) + return ERR_PTR(-ENOMEM); + +- tbl = sdata->u.mesh.mesh_paths; ++ tbl = &sdata->u.mesh.mesh_paths; + spin_lock_bh(&tbl->walk_lock); + do { + ret = rhashtable_lookup_insert_fast(&tbl->rhead, +@@ -473,7 +465,7 @@ int mpp_path_add(struct ieee80211_sub_if + return -ENOMEM; + + memcpy(new_mpath->mpp, mpp, ETH_ALEN); +- tbl = sdata->u.mesh.mpp_paths; ++ tbl = &sdata->u.mesh.mpp_paths; + + spin_lock_bh(&tbl->walk_lock); + ret = rhashtable_lookup_insert_fast(&tbl->rhead, +@@ -502,7 +494,7 @@ int mpp_path_add(struct ieee80211_sub_if + void mesh_plink_broken(struct sta_info *sta) + { + struct ieee80211_sub_if_data *sdata = sta->sdata; +- struct mesh_table *tbl = sdata->u.mesh.mesh_paths; ++ struct mesh_table *tbl = &sdata->u.mesh.mesh_paths; + static const u8 bcast[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; + struct mesh_path *mpath; + +@@ -561,7 +553,7 @@ static void __mesh_path_del(struct mesh_ + void mesh_path_flush_by_nexthop(struct sta_info *sta) + { + struct ieee80211_sub_if_data *sdata = sta->sdata; +- struct mesh_table *tbl = sdata->u.mesh.mesh_paths; ++ struct mesh_table *tbl = &sdata->u.mesh.mesh_paths; + struct mesh_path *mpath; + struct hlist_node *n; + +@@ -576,7 +568,7 @@ void mesh_path_flush_by_nexthop(struct s + static void mpp_flush_by_proxy(struct ieee80211_sub_if_data *sdata, + const u8 *proxy) + { +- struct mesh_table *tbl = sdata->u.mesh.mpp_paths; ++ struct mesh_table *tbl = &sdata->u.mesh.mpp_paths; + struct mesh_path *mpath; + struct hlist_node *n; + +@@ -610,8 +602,8 @@ static void table_flush_by_iface(struct + */ + void mesh_path_flush_by_iface(struct ieee80211_sub_if_data *sdata) + { +- table_flush_by_iface(sdata->u.mesh.mesh_paths); +- table_flush_by_iface(sdata->u.mesh.mpp_paths); ++ table_flush_by_iface(&sdata->u.mesh.mesh_paths); ++ table_flush_by_iface(&sdata->u.mesh.mpp_paths); + } + + /** +@@ -657,7 +649,7 @@ int mesh_path_del(struct ieee80211_sub_i + /* flush relevant mpp entries first */ + mpp_flush_by_proxy(sdata, addr); + +- err = table_path_del(sdata->u.mesh.mesh_paths, sdata, addr); ++ err = table_path_del(&sdata->u.mesh.mesh_paths, sdata, addr); + sdata->u.mesh.mesh_paths_generation++; + return err; + } +@@ -695,7 +687,7 @@ int mesh_path_send_to_gates(struct mesh_ + struct mesh_path *gate; + bool copy = false; + +- tbl = sdata->u.mesh.mesh_paths; ++ tbl = &sdata->u.mesh.mesh_paths; + + rcu_read_lock(); + hlist_for_each_entry_rcu(gate, &tbl->known_gates, gate_list) { +@@ -775,29 +767,10 @@ void mesh_path_fix_nexthop(struct mesh_p + mesh_path_tx_pending(mpath); + } + +-int mesh_pathtbl_init(struct ieee80211_sub_if_data *sdata) ++void mesh_pathtbl_init(struct ieee80211_sub_if_data *sdata) + { +- struct mesh_table *tbl_path, *tbl_mpp; +- int ret; +- +- tbl_path = mesh_table_alloc(); +- if (!tbl_path) +- return -ENOMEM; +- +- tbl_mpp = mesh_table_alloc(); +- if (!tbl_mpp) { +- ret = -ENOMEM; +- goto free_path; +- } +- +- sdata->u.mesh.mesh_paths = tbl_path; +- sdata->u.mesh.mpp_paths = tbl_mpp; +- +- return 0; +- +-free_path: +- mesh_table_free(tbl_path); +- return ret; ++ mesh_table_init(&sdata->u.mesh.mesh_paths); ++ mesh_table_init(&sdata->u.mesh.mpp_paths); + } + + static +@@ -819,12 +792,12 @@ void mesh_path_tbl_expire(struct ieee802 + + void mesh_path_expire(struct ieee80211_sub_if_data *sdata) + { +- mesh_path_tbl_expire(sdata, sdata->u.mesh.mesh_paths); +- mesh_path_tbl_expire(sdata, sdata->u.mesh.mpp_paths); ++ mesh_path_tbl_expire(sdata, &sdata->u.mesh.mesh_paths); ++ mesh_path_tbl_expire(sdata, &sdata->u.mesh.mpp_paths); + } + + void mesh_pathtbl_unregister(struct ieee80211_sub_if_data *sdata) + { +- mesh_table_free(sdata->u.mesh.mesh_paths); +- mesh_table_free(sdata->u.mesh.mpp_paths); ++ mesh_table_free(&sdata->u.mesh.mesh_paths); ++ mesh_table_free(&sdata->u.mesh.mpp_paths); + } diff --git a/queue-4.19/series b/queue-4.19/series index ef1b97a0f18..8b5b3fef426 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -3,3 +3,6 @@ powerpc-dts-t208x-mark-mac1-and-mac2-as-10g.patch random-always-mix-cycle-counter-in-add_latent_entrop.patch can-kvaser_usb-hydra-help-gcc-13-to-figure-out-cmd_l.patch powerpc-dts-t208x-disable-10g-on-mac1-and-mac2.patch +alarmtimer-prevent-starvation-by-small-intervals-and-sig_ign.patch +drm-i915-gvt-fix-double-free-bug-in-split_2mb_gtt_entry.patch +mac80211-mesh-embedd-mesh_paths-and-mpp_paths-into-ieee80211_if_mesh.patch -- 2.47.2