20 files changed, 18 insertions, 758 deletions
diff --git a/Buffer-overflow-read-checks-in-mwifiex.patch b/Buffer-overflow-read-checks-in-mwifiex.patch
deleted file mode 100644
index 00ae1fa9c..000000000
--- a/Buffer-overflow-read-checks-in-mwifiex.patch
+++ /dev/null
@@ -1,238 +0,0 @@
-From patchwork Wed May 29 12:52:19 2019
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: Takashi Iwai <tiwai@suse.de>
-X-Patchwork-Id: 10967049
-X-Patchwork-Delegate: kvalo@adurom.com
-Return-Path: <linux-wireless-owner@kernel.org>
-Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
- [172.30.200.125])
-	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3C6B01575
-	for <patchwork-linux-wireless@patchwork.kernel.org>;
- Wed, 29 May 2019 12:52:41 +0000 (UTC)
-Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
-	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2FD42287D4
-	for <patchwork-linux-wireless@patchwork.kernel.org>;
- Wed, 29 May 2019 12:52:41 +0000 (UTC)
-Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
-	id 2E25D2897A; Wed, 29 May 2019 12:52:41 +0000 (UTC)
-X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
-	pdx-wl-mail.web.codeaurora.org
-X-Spam-Level: 
-X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
-	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
-	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A60B52895F
-	for <patchwork-linux-wireless@patchwork.kernel.org>;
- Wed, 29 May 2019 12:52:40 +0000 (UTC)
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
-        id S1727034AbfE2Mwk (ORCPT
-        <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
-        Wed, 29 May 2019 08:52:40 -0400
-Received: from mx2.suse.de ([195.135.220.15]:33780 "EHLO mx1.suse.de"
-        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
-        id S1725936AbfE2Mwj (ORCPT <rfc822;linux-wireless@vger.kernel.org>);
-        Wed, 29 May 2019 08:52:39 -0400
-X-Virus-Scanned: by amavisd-new at test-mx.suse.de
-Received: from relay2.suse.de (unknown [195.135.220.254])
-        by mx1.suse.de (Postfix) with ESMTP id EA4CCB00B;
-        Wed, 29 May 2019 12:52:37 +0000 (UTC)
-From: Takashi Iwai <tiwai@suse.de>
-To: linux-wireless@vger.kernel.org
-Cc: Amitkumar Karwar <amitkarwar@gmail.com>,
-        Nishant Sarmukadam <nishants@marvell.com>,
-        Ganapathi Bhat <gbhat@marvell.com>,
-        Xinming Hu <huxinming820@gmail.com>,
-        Kalle Valo <kvalo@codeaurora.org>, huangwen@venustech.com.cn,
-        Solar Designer <solar@openwall.com>,
-        Marcus Meissner <meissner@suse.de>
-Subject: [PATCH 1/2] mwifiex: Fix possible buffer overflows at parsing bss
- descriptor
-Date: Wed, 29 May 2019 14:52:19 +0200
-Message-Id: <20190529125220.17066-2-tiwai@suse.de>
-X-Mailer: git-send-email 2.16.4
-In-Reply-To: <20190529125220.17066-1-tiwai@suse.de>
-References: <20190529125220.17066-1-tiwai@suse.de>
-Sender: linux-wireless-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <linux-wireless.vger.kernel.org>
-X-Mailing-List: linux-wireless@vger.kernel.org
-X-Virus-Scanned: ClamAV using ClamSMTP
-
-mwifiex_update_bss_desc_with_ie() calls memcpy() unconditionally in
-a couple places without checking the destination size.  Since the
-source is given from user-space, this may trigger a heap buffer
-overflow.
-
-Fix it by putting the length check before performing memcpy().
-
-This fix addresses CVE-2019-3846.
-
-Reported-by: huangwen <huangwen@venustech.com.cn>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
- drivers/net/wireless/marvell/mwifiex/scan.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
-index 935778ec9a1b..64ab6fe78c0d 100644
---- a/drivers/net/wireless/marvell/mwifiex/scan.c
-+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
-@@ -1247,6 +1247,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
- 		}
- 		switch (element_id) {
- 		case WLAN_EID_SSID:
-+			if (element_len > IEEE80211_MAX_SSID_LEN)
-+				return -EINVAL;
- 			bss_entry->ssid.ssid_len = element_len;
- 			memcpy(bss_entry->ssid.ssid, (current_ptr + 2),
- 			       element_len);
-@@ -1256,6 +1258,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
- 			break;
- 
- 		case WLAN_EID_SUPP_RATES:
-+			if (element_len > MWIFIEX_SUPPORTED_RATES)
-+				return -EINVAL;
- 			memcpy(bss_entry->data_rates, current_ptr + 2,
- 			       element_len);
- 			memcpy(bss_entry->supported_rates, current_ptr + 2,
-
-From patchwork Wed May 29 12:52:20 2019
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: Takashi Iwai <tiwai@suse.de>
-X-Patchwork-Id: 10967047
-X-Patchwork-Delegate: kvalo@adurom.com
-Return-Path: <linux-wireless-owner@kernel.org>
-Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
- [172.30.200.125])
-	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 05B0D92A
-	for <patchwork-linux-wireless@patchwork.kernel.org>;
- Wed, 29 May 2019 12:52:41 +0000 (UTC)
-Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
-	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EB3CC28972
-	for <patchwork-linux-wireless@patchwork.kernel.org>;
- Wed, 29 May 2019 12:52:40 +0000 (UTC)
-Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
-	id DF23B28978; Wed, 29 May 2019 12:52:40 +0000 (UTC)
-X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
-	pdx-wl-mail.web.codeaurora.org
-X-Spam-Level: 
-X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
-	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
-	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8221B20121
-	for <patchwork-linux-wireless@patchwork.kernel.org>;
- Wed, 29 May 2019 12:52:40 +0000 (UTC)
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
-        id S1727023AbfE2Mwj (ORCPT
-        <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
-        Wed, 29 May 2019 08:52:39 -0400
-Received: from mx2.suse.de ([195.135.220.15]:33796 "EHLO mx1.suse.de"
-        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
-        id S1727017AbfE2Mwj (ORCPT <rfc822;linux-wireless@vger.kernel.org>);
-        Wed, 29 May 2019 08:52:39 -0400
-X-Virus-Scanned: by amavisd-new at test-mx.suse.de
-Received: from relay2.suse.de (unknown [195.135.220.254])
-        by mx1.suse.de (Postfix) with ESMTP id 06E82B010;
-        Wed, 29 May 2019 12:52:38 +0000 (UTC)
-From: Takashi Iwai <tiwai@suse.de>
-To: linux-wireless@vger.kernel.org
-Cc: Amitkumar Karwar <amitkarwar@gmail.com>,
-        Nishant Sarmukadam <nishants@marvell.com>,
-        Ganapathi Bhat <gbhat@marvell.com>,
-        Xinming Hu <huxinming820@gmail.com>,
-        Kalle Valo <kvalo@codeaurora.org>, huangwen@venustech.com.cn,
-        Solar Designer <solar@openwall.com>,
-        Marcus Meissner <meissner@suse.de>
-Subject: [PATCH 2/2] mwifiex: Abort at too short BSS descriptor element
-Date: Wed, 29 May 2019 14:52:20 +0200
-Message-Id: <20190529125220.17066-3-tiwai@suse.de>
-X-Mailer: git-send-email 2.16.4
-In-Reply-To: <20190529125220.17066-1-tiwai@suse.de>
-References: <20190529125220.17066-1-tiwai@suse.de>
-Sender: linux-wireless-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <linux-wireless.vger.kernel.org>
-X-Mailing-List: linux-wireless@vger.kernel.org
-X-Virus-Scanned: ClamAV using ClamSMTP
-
-Currently mwifiex_update_bss_desc_with_ie() implicitly assumes that
-the source descriptor entries contain the enough size for each type
-and performs copying without checking the source size.  This may lead
-to read over boundary.
-
-Fix this by putting the source size check in appropriate places.
-
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
- drivers/net/wireless/marvell/mwifiex/scan.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
-index 64ab6fe78c0d..c269a0de9413 100644
---- a/drivers/net/wireless/marvell/mwifiex/scan.c
-+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
-@@ -1269,6 +1269,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
- 			break;
- 
- 		case WLAN_EID_FH_PARAMS:
-+			if (element_len + 2 < sizeof(*fh_param_set))
-+				return -EINVAL;
- 			fh_param_set =
- 				(struct ieee_types_fh_param_set *) current_ptr;
- 			memcpy(&bss_entry->phy_param_set.fh_param_set,
-@@ -1277,6 +1279,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
- 			break;
- 
- 		case WLAN_EID_DS_PARAMS:
-+			if (element_len + 2 < sizeof(*ds_param_set))
-+				return -EINVAL;
- 			ds_param_set =
- 				(struct ieee_types_ds_param_set *) current_ptr;
- 
-@@ -1288,6 +1292,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
- 			break;
- 
- 		case WLAN_EID_CF_PARAMS:
-+			if (element_len + 2 < sizeof(*cf_param_set))
-+				return -EINVAL;
- 			cf_param_set =
- 				(struct ieee_types_cf_param_set *) current_ptr;
- 			memcpy(&bss_entry->ss_param_set.cf_param_set,
-@@ -1296,6 +1302,8 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
- 			break;
- 
- 		case WLAN_EID_IBSS_PARAMS:
-+			if (element_len + 2 < sizeof(*ibss_param_set))
-+				return -EINVAL;
- 			ibss_param_set =
- 				(struct ieee_types_ibss_param_set *)
- 				current_ptr;
-@@ -1305,10 +1313,14 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
- 			break;
- 
- 		case WLAN_EID_ERP_INFO:
-+			if (!element_len)
-+				return -EINVAL;
- 			bss_entry->erp_flags = *(current_ptr + 2);
- 			break;
- 
- 		case WLAN_EID_PWR_CONSTRAINT:
-+			if (!element_len)
-+				return -EINVAL;
- 			bss_entry->local_constraint = *(current_ptr + 2);
- 			bss_entry->sensed_11h = true;
- 			break;
-@@ -1349,6 +1361,9 @@ int mwifiex_update_bss_desc_with_ie(struct mwifiex_adapter *adapter,
- 			break;
- 
- 		case WLAN_EID_VENDOR_SPECIFIC:
-+			if (element_len + 2 < sizeof(vendor_ie->vend_hdr))
-+				return -EINVAL;
-+
- 			vendor_ie = (struct ieee_types_vendor_specific *)
- 					current_ptr;
- 
diff --git a/bcm2835-vchiq-use-interruptible-waits.patch b/bcm2835-vchiq-use-interruptible-waits.patch
index cc4afc63b..d21cbe9b1 100644
--- a/bcm2835-vchiq-use-interruptible-waits.patch
+++ b/bcm2835-vchiq-use-interruptible-waits.patch
@@ -1,329 +1,3 @@
-From 0fa32f5500a1b4a81d6856ad389d654f1377f744 Mon Sep 17 00:00:00 2001
-From: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
-Date: Thu, 9 May 2019 16:31:33 +0200
-Subject: [PATCH 1/4] staging: vchiq_2835_arm: revert "quit using custom
- down_interruptible()"
-
-The killable version of down() is meant to be used on situations where
-it should not fail at all costs, but still have the convenience of being
-able to kill it if really necessary. VCHIQ doesn't fit this criteria, as
-it's mainly used as an interface to V4L2 and ALSA devices.
-
-Fixes: ff5979ad8636 ("staging: vchiq_2835_arm: quit using custom down_interruptible()")
-Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
-Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
----
- .../staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c  | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
-index a9cc01e8e6c5..833b28e9ba4b 100644
---- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
-+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c
-@@ -553,7 +553,7 @@ create_pagelist(char __user *buf, size_t count, unsigned short type)
- 		(g_cache_line_size - 1)))) {
- 		char *fragments;
- 
--		if (down_killable(&g_free_fragments_sema)) {
-+		if (down_interruptible(&g_free_fragments_sema) != 0) {
- 			cleanup_pagelistinfo(pagelistinfo);
- 			return NULL;
- 		}
--- 
-2.21.0
-
-From 7c73f359a4f269b611ebc00a910933d2d1926ebe Mon Sep 17 00:00:00 2001
-From: Peter Robinson <pbrobinson@gmail.com>
-Date: Thu, 4 Jul 2019 17:31:38 +0100
-Subject: [PATCH 2/4] staging: vchiq: revert "switch to
- wait_for_completion_killable"
-
-The killable version of wait_for_completion() is meant to be used on
-situations where it should not fail at all costs, but still have the
-convenience of being able to kill it if really necessary. VCHIQ doesn't
-fit this criteria, as it's mainly used as an interface to V4L2 and ALSA
-devices.
-
-Fixes: a772f116702e ("staging: vchiq: switch to wait_for_completion_killable")
-Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
-Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
----
- .../interface/vchiq_arm/vchiq_arm.c           | 21 ++++++++++---------
- .../interface/vchiq_arm/vchiq_core.c          | 21 ++++++++++---------
- .../interface/vchiq_arm/vchiq_util.c          |  6 +++---
- 3 files changed, 25 insertions(+), 23 deletions(-)
-
-diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
-index 064d0db4c51e..ccfb8218b83c 100644
---- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
-+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
-@@ -560,7 +560,8 @@ add_completion(VCHIQ_INSTANCE_T instance, VCHIQ_REASON_T reason,
- 		vchiq_log_trace(vchiq_arm_log_level,
- 			"%s - completion queue full", __func__);
- 		DEBUG_COUNT(COMPLETION_QUEUE_FULL_COUNT);
--		if (wait_for_completion_killable( &instance->remove_event)) {
-+		if (wait_for_completion_interruptible(
-+					&instance->remove_event)) {
- 			vchiq_log_info(vchiq_arm_log_level,
- 				"service_callback interrupted");
- 			return VCHIQ_RETRY;
-@@ -671,7 +672,7 @@ service_callback(VCHIQ_REASON_T reason, struct vchiq_header *header,
- 			}
- 
- 			DEBUG_TRACE(SERVICE_CALLBACK_LINE);
--			if (wait_for_completion_killable(
-+			if (wait_for_completion_interruptible(
- 						&user_service->remove_event)
- 				!= 0) {
- 				vchiq_log_info(vchiq_arm_log_level,
-@@ -1006,7 +1007,7 @@ vchiq_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- 		   has been closed until the client library calls the
- 		   CLOSE_DELIVERED ioctl, signalling close_event. */
- 		if (user_service->close_pending &&
--			wait_for_completion_killable(
-+			wait_for_completion_interruptible(
- 				&user_service->close_event))
- 			status = VCHIQ_RETRY;
- 		break;
-@@ -1182,7 +1183,7 @@ vchiq_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- 
- 			DEBUG_TRACE(AWAIT_COMPLETION_LINE);
- 			mutex_unlock(&instance->completion_mutex);
--			rc = wait_for_completion_killable(
-+			rc = wait_for_completion_interruptible(
- 						&instance->insert_event);
- 			mutex_lock(&instance->completion_mutex);
- 			if (rc != 0) {
-@@ -1352,7 +1353,7 @@ vchiq_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
- 			do {
- 				spin_unlock(&msg_queue_spinlock);
- 				DEBUG_TRACE(DEQUEUE_MESSAGE_LINE);
--				if (wait_for_completion_killable(
-+				if (wait_for_completion_interruptible(
- 					&user_service->insert_event)) {
- 					vchiq_log_info(vchiq_arm_log_level,
- 						"DEQUEUE_MESSAGE interrupted");
-@@ -2360,7 +2361,7 @@ vchiq_keepalive_thread_func(void *v)
- 	while (1) {
- 		long rc = 0, uc = 0;
- 
--		if (wait_for_completion_killable(&arm_state->ka_evt)
-+		if (wait_for_completion_interruptible(&arm_state->ka_evt)
- 				!= 0) {
- 			vchiq_log_error(vchiq_susp_log_level,
- 				"%s interrupted", __func__);
-@@ -2611,7 +2612,7 @@ block_resume(struct vchiq_arm_state *arm_state)
- 		write_unlock_bh(&arm_state->susp_res_lock);
- 		vchiq_log_info(vchiq_susp_log_level, "%s wait for previously "
- 			"blocked clients", __func__);
--		if (wait_for_completion_killable_timeout(
-+		if (wait_for_completion_interruptible_timeout(
- 				&arm_state->blocked_blocker, timeout_val)
- 					<= 0) {
- 			vchiq_log_error(vchiq_susp_log_level, "%s wait for "
-@@ -2637,7 +2638,7 @@ block_resume(struct vchiq_arm_state *arm_state)
- 		write_unlock_bh(&arm_state->susp_res_lock);
- 		vchiq_log_info(vchiq_susp_log_level, "%s wait for resume",
- 			__func__);
--		if (wait_for_completion_killable_timeout(
-+		if (wait_for_completion_interruptible_timeout(
- 				&arm_state->vc_resume_complete, timeout_val)
- 					<= 0) {
- 			vchiq_log_error(vchiq_susp_log_level, "%s wait for "
-@@ -2844,7 +2845,7 @@ vchiq_arm_force_suspend(struct vchiq_state *state)
- 	do {
- 		write_unlock_bh(&arm_state->susp_res_lock);
- 
--		rc = wait_for_completion_killable_timeout(
-+		rc = wait_for_completion_interruptible_timeout(
- 				&arm_state->vc_suspend_complete,
- 				msecs_to_jiffies(FORCE_SUSPEND_TIMEOUT_MS));
- 
-@@ -2940,7 +2941,7 @@ vchiq_arm_allow_resume(struct vchiq_state *state)
- 	write_unlock_bh(&arm_state->susp_res_lock);
- 
- 	if (resume) {
--		if (wait_for_completion_killable(
-+		if (wait_for_completion_interruptible(
- 			&arm_state->vc_resume_complete) < 0) {
- 			vchiq_log_error(vchiq_susp_log_level,
- 				"%s interrupted", __func__);
-diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
-index 819813e742d8..bc5661dde987 100644
---- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
-+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
-@@ -590,7 +590,7 @@ reserve_space(struct vchiq_state *state, size_t space, int is_blocking)
- 			remote_event_signal(&state->remote->trigger);
- 
- 			if (!is_blocking ||
--				(wait_for_completion_killable(
-+				(wait_for_completion_interruptible(
- 				&state->slot_available_event)))
- 				return NULL; /* No space available */
- 		}
-@@ -860,7 +860,7 @@ queue_message(struct vchiq_state *state, struct vchiq_service *service,
- 			spin_unlock(&quota_spinlock);
- 			mutex_unlock(&state->slot_mutex);
- 
--			if (wait_for_completion_killable(
-+			if (wait_for_completion_interruptible(
- 						&state->data_quota_event))
- 				return VCHIQ_RETRY;
- 
-@@ -891,7 +891,7 @@ queue_message(struct vchiq_state *state, struct vchiq_service *service,
- 				service_quota->slot_use_count);
- 			VCHIQ_SERVICE_STATS_INC(service, quota_stalls);
- 			mutex_unlock(&state->slot_mutex);
--			if (wait_for_completion_killable(
-+			if (wait_for_completion_interruptible(
- 						&service_quota->quota_event))
- 				return VCHIQ_RETRY;
- 			if (service->closing)
-@@ -1740,7 +1740,8 @@ parse_rx_slots(struct vchiq_state *state)
- 					&service->bulk_rx : &service->bulk_tx;
- 
- 				DEBUG_TRACE(PARSE_LINE);
--				if (mutex_lock_killable(&service->bulk_mutex)) {
-+				if (mutex_lock_killable(
-+					&service->bulk_mutex) != 0) {
- 					DEBUG_TRACE(PARSE_LINE);
- 					goto bail_not_ready;
- 				}
-@@ -2458,7 +2459,7 @@ vchiq_open_service_internal(struct vchiq_service *service, int client_id)
- 			       QMFLAGS_IS_BLOCKING);
- 	if (status == VCHIQ_SUCCESS) {
- 		/* Wait for the ACK/NAK */
--		if (wait_for_completion_killable(&service->remove_event)) {
-+		if (wait_for_completion_interruptible(&service->remove_event)) {
- 			status = VCHIQ_RETRY;
- 			vchiq_release_service_internal(service);
- 		} else if ((service->srvstate != VCHIQ_SRVSTATE_OPEN) &&
-@@ -2825,7 +2826,7 @@ vchiq_connect_internal(struct vchiq_state *state, VCHIQ_INSTANCE_T instance)
- 	}
- 
- 	if (state->conn_state == VCHIQ_CONNSTATE_CONNECTING) {
--		if (wait_for_completion_killable(&state->connect))
-+		if (wait_for_completion_interruptible(&state->connect))
- 			return VCHIQ_RETRY;
- 
- 		vchiq_set_conn_state(state, VCHIQ_CONNSTATE_CONNECTED);
-@@ -2924,7 +2925,7 @@ vchiq_close_service(VCHIQ_SERVICE_HANDLE_T handle)
- 	}
- 
- 	while (1) {
--		if (wait_for_completion_killable(&service->remove_event)) {
-+		if (wait_for_completion_interruptible(&service->remove_event)) {
- 			status = VCHIQ_RETRY;
- 			break;
- 		}
-@@ -2985,7 +2986,7 @@ vchiq_remove_service(VCHIQ_SERVICE_HANDLE_T handle)
- 		request_poll(service->state, service, VCHIQ_POLL_REMOVE);
- 	}
- 	while (1) {
--		if (wait_for_completion_killable(&service->remove_event)) {
-+		if (wait_for_completion_interruptible(&service->remove_event)) {
- 			status = VCHIQ_RETRY;
- 			break;
- 		}
-@@ -3068,7 +3069,7 @@ VCHIQ_STATUS_T vchiq_bulk_transfer(VCHIQ_SERVICE_HANDLE_T handle,
- 		VCHIQ_SERVICE_STATS_INC(service, bulk_stalls);
- 		do {
- 			mutex_unlock(&service->bulk_mutex);
--			if (wait_for_completion_killable(
-+			if (wait_for_completion_interruptible(
- 						&service->bulk_remove_event)) {
- 				status = VCHIQ_RETRY;
- 				goto error_exit;
-@@ -3145,7 +3146,7 @@ VCHIQ_STATUS_T vchiq_bulk_transfer(VCHIQ_SERVICE_HANDLE_T handle,
- 
- 	if (bulk_waiter) {
- 		bulk_waiter->bulk = bulk;
--		if (wait_for_completion_killable(&bulk_waiter->event))
-+		if (wait_for_completion_interruptible(&bulk_waiter->event))
- 			status = VCHIQ_RETRY;
- 		else if (bulk_waiter->actual == VCHIQ_BULK_ACTUAL_ABORTED)
- 			status = VCHIQ_ERROR;
-diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_util.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_util.c
-index 55c5fd82b911..30deea1b57f7 100644
---- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_util.c
-+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_util.c
-@@ -80,7 +80,7 @@ void vchiu_queue_push(struct vchiu_queue *queue, struct vchiq_header *header)
- 		return;
- 
- 	while (queue->write == queue->read + queue->size) {
--		if (wait_for_completion_killable(&queue->pop))
-+		if (wait_for_completion_interruptible(&queue->pop))
- 			flush_signals(current);
- 	}
- 
-@@ -93,7 +93,7 @@ void vchiu_queue_push(struct vchiu_queue *queue, struct vchiq_header *header)
- struct vchiq_header *vchiu_queue_peek(struct vchiu_queue *queue)
- {
- 	while (queue->write == queue->read) {
--		if (wait_for_completion_killable(&queue->push))
-+		if (wait_for_completion_interruptible(&queue->push))
- 			flush_signals(current);
- 	}
- 
-@@ -107,7 +107,7 @@ struct vchiq_header *vchiu_queue_pop(struct vchiu_queue *queue)
- 	struct vchiq_header *header;
- 
- 	while (queue->write == queue->read) {
--		if (wait_for_completion_killable(&queue->push))
-+		if (wait_for_completion_interruptible(&queue->push))
- 			flush_signals(current);
- 	}
- 
--- 
-2.21.0
-
-From 4d0d97ce18dc90a3ca6296ee669c51b5a55a61c7 Mon Sep 17 00:00:00 2001
-From: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
-Date: Thu, 9 May 2019 16:31:35 +0200
-Subject: [PATCH 3/4] staging: vchiq: make wait events interruptible
-
-The killable version of wait_event() is meant to be used on situations
-where it should not fail at all costs, but still have the convenience of
-being able to kill it if really necessary. Wait events in VCHIQ doesn't
-fit this criteria, as it's mainly used as an interface to V4L2 and ALSA
-devices.
-
-Fixes: 852b2876a8a8 ("staging: vchiq: rework remove_event handling")
-Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
----
- .../vc04_services/interface/vchiq_arm/vchiq_core.c     | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
-index bc5661dde987..0958d86aebe6 100644
---- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
-+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c
-@@ -425,13 +425,21 @@ remote_event_create(wait_queue_head_t *wq, struct remote_event *event)
- 	init_waitqueue_head(wq);
- }
- 
-+/*
-+ * All the event waiting routines in VCHIQ used a custom semaphore
-+ * implementation that filtered most signals. This achieved a behaviour similar
-+ * to the "killable" family of functions. While cleaning up this code all the
-+ * routines where switched to the "interruptible" family of functions, as the
-+ * former was deemed unjustified and the use "killable" set all VCHIQ's
-+ * threads in D state.
-+ */
- static inline int
- remote_event_wait(wait_queue_head_t *wq, struct remote_event *event)
- {
- 	if (!event->fired) {
- 		event->armed = 1;
- 		dsb(sy);
--		if (wait_event_killable(*wq, event->fired)) {
-+		if (wait_event_interruptible(*wq, event->fired)) {
- 			event->armed = 0;
- 			return 0;
- 		}
--- 
-2.21.0
-
 From e4d9fccaaf6e61bbc7416d92d73cec5a5f0cb458 Mon Sep 17 00:00:00 2001
 From: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
 Date: Thu, 9 May 2019 16:31:36 +0200
diff --git a/configs/fedora/generic/CONFIG_ASIX_PHY b/configs/fedora/generic/CONFIG_ASIX_PHY
deleted file mode 100644
index 37bb545c7..000000000
--- a/configs/fedora/generic/CONFIG_ASIX_PHY
+++ /dev/null
@@ -1 +0,0 @@
-# CONFIG_ASIX_PHY is not set
diff --git a/configs/fedora/generic/CONFIG_AX88796B_PHY b/configs/fedora/generic/CONFIG_AX88796B_PHY
new file mode 100644
index 000000000..ec30dfcaf
--- /dev/null
+++ b/configs/fedora/generic/CONFIG_AX88796B_PHY
@@ -0,0 +1 @@
+# CONFIG_AX88796B_PHY is not set
diff --git a/kernel-aarch64-debug.config b/kernel-aarch64-debug.config
index 59b11e9ef..3ee558d02 100644
--- a/kernel-aarch64-debug.config
+++ b/kernel-aarch64-debug.config
@@ -370,7 +370,6 @@ CONFIG_ARM_TEGRA_DEVFREQ=m
 CONFIG_ARM_TIMER_SP804=y
 CONFIG_ARMV8_DEPRECATED=y
 # CONFIG_AS3935 is not set
-# CONFIG_ASIX_PHY is not set
 CONFIG_ASYMMETRIC_KEY_TYPE=y
 CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m
 CONFIG_ASYNC_RAID6_TEST=m
@@ -461,6 +460,7 @@ CONFIG_AUTOFS_FS=y
 CONFIG_AUXDISPLAY=y
 CONFIG_AX25_DAMA_SLAVE=y
 CONFIG_AX25=m
+# CONFIG_AX88796B_PHY is not set
 CONFIG_AXP20X_ADC=m
 CONFIG_AXP20X_POWER=m
 CONFIG_AXP288_ADC=m
diff --git a/kernel-aarch64.config b/kernel-aarch64.config
index 08834a835..9964d6d8a 100644
--- a/kernel-aarch64.config
+++ b/kernel-aarch64.config
@@ -370,7 +370,6 @@ CONFIG_ARM_TEGRA_DEVFREQ=m
 CONFIG_ARM_TIMER_SP804=y
 CONFIG_ARMV8_DEPRECATED=y
 # CONFIG_AS3935 is not set
-# CONFIG_ASIX_PHY is not set
 CONFIG_ASYMMETRIC_KEY_TYPE=y
 CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m
 CONFIG_ASYNC_RAID6_TEST=m
@@ -461,6 +460,7 @@ CONFIG_AUTOFS_FS=y
 CONFIG_AUXDISPLAY=y
 CONFIG_AX25_DAMA_SLAVE=y
 CONFIG_AX25=m
+# CONFIG_AX88796B_PHY is not set
 CONFIG_AXP20X_ADC=m
 CONFIG_AXP20X_POWER=m
 CONFIG_AXP288_ADC=m
diff --git a/kernel-armv7hl-debug.config b/kernel-armv7hl-debug.config
index 7956bea2e..d0d81b8ad 100644
--- a/kernel-armv7hl-debug.config
+++ b/kernel-armv7hl-debug.config
@@ -368,7 +368,6 @@ CONFIG_ARM_VIRT_EXT=y
 CONFIG_ARM=y
 CONFIG_ARM_ZYNQ_CPUIDLE=y
 # CONFIG_AS3935 is not set
-# CONFIG_ASIX_PHY is not set
 CONFIG_ASYMMETRIC_KEY_TYPE=y
 CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m
 CONFIG_ASYNC_RAID6_TEST=m
@@ -462,6 +461,7 @@ CONFIG_AUXDISPLAY=y
 CONFIG_AX25_DAMA_SLAVE=y
 CONFIG_AX25=m
 CONFIG_AX88796_93CX6=y
+# CONFIG_AX88796B_PHY is not set
 CONFIG_AX88796=m
 CONFIG_AXI_DMAC=m
 CONFIG_AXP20X_ADC=m
diff --git a/kernel-armv7hl-lpae-debug.config b/kernel-armv7hl-lpae-debug.config
index cfdc49b3d..1350ca8c1 100644
--- a/kernel-armv7hl-lpae-debug.config
+++ b/kernel-armv7hl-lpae-debug.config
@@ -355,7 +355,6 @@ CONFIG_ARM_VEXPRESS_SPC_CPUFREQ=m
 CONFIG_ARM_VIRT_EXT=y
 CONFIG_ARM=y
 # CONFIG_AS3935 is not set
-# CONFIG_ASIX_PHY is not set
 CONFIG_ASYMMETRIC_KEY_TYPE=y
 CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m
 CONFIG_ASYNC_RAID6_TEST=m
@@ -449,6 +448,7 @@ CONFIG_AUXDISPLAY=y
 CONFIG_AX25_DAMA_SLAVE=y
 CONFIG_AX25=m
 CONFIG_AX88796_93CX6=y
+# CONFIG_AX88796B_PHY is not set
 CONFIG_AX88796=m
 CONFIG_AXP20X_ADC=m
 CONFIG_AXP20X_POWER=m
diff --git a/kernel-armv7hl-lpae.config b/kernel-armv7hl-lpae.config
index 8a8424c15..72ec631ba 100644
--- a/kernel-armv7hl-lpae.config
+++ b/kernel-armv7hl-lpae.config
@@ -355,7 +355,6 @@ CONFIG_ARM_VEXPRESS_SPC_CPUFREQ=m
 CONFIG_ARM_VIRT_EXT=y
 CONFIG_ARM=y
 # CONFIG_AS3935 is not set
-# CONFIG_ASIX_PHY is not set
 CONFIG_ASYMMETRIC_KEY_TYPE=y
 CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m
 CONFIG_ASYNC_RAID6_TEST=m
@@ -449,6 +448,7 @@ CONFIG_AUXDISPLAY=y
 CONFIG_AX25_DAMA_SLAVE=y
 CONFIG_AX25=m
 CONFIG_AX88796_93CX6=y
+# CONFIG_AX88796B_PHY is not set
 CONFIG_AX88796=m
 CONFIG_AXP20X_ADC=m
 CONFIG_AXP20X_POWER=m
diff --git a/kernel-armv7hl.config b/kernel-armv7hl.config
index 9556f2f36..8d2811ab0 100644
--- a/kernel-armv7hl.config
+++ b/kernel-armv7hl.config
@@ -368,7 +368,6 @@ CONFIG_ARM_VIRT_EXT=y
 CONFIG_ARM=y
 CONFIG_ARM_ZYNQ_CPUIDLE=y
 # CONFIG_AS3935 is not set
-# CONFIG_ASIX_PHY is not set
 CONFIG_ASYMMETRIC_KEY_TYPE=y
 CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m
 CONFIG_ASYNC_RAID6_TEST=m
@@ -462,6 +461,7 @@ CONFIG_AUXDISPLAY=y
 CONFIG_AX25_DAMA_SLAVE=y
 CONFIG_AX25=m
 CONFIG_AX88796_93CX6=y
+# CONFIG_AX88796B_PHY is not set
 CONFIG_AX88796=m
 CONFIG_AXI_DMAC=m
 CONFIG_AXP20X_ADC=m
diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config
index 0b87d7c62..f89797c5d 100644
--- a/kernel-i686-debug.config
+++ b/kernel-i686-debug.config
@@ -251,7 +251,6 @@ CONFIG_ARCH_MULTIPLATFORM=y
 CONFIG_ARM64_ERRATUM_858921=y
 CONFIG_ARM_PTDUMP_DEBUGFS=y
 # CONFIG_AS3935 is not set
-# CONFIG_ASIX_PHY is not set
 CONFIG_ASUS_LAPTOP=m
 CONFIG_ASUS_NB_WMI=m
 CONFIG_ASUS_WIRELESS=m
@@ -344,6 +343,7 @@ CONFIG_AUTOFS_FS=y
 CONFIG_AUXDISPLAY=y
 CONFIG_AX25_DAMA_SLAVE=y
 CONFIG_AX25=m
+# CONFIG_AX88796B_PHY is not set
 CONFIG_B43_BCMA_PIO=y
 CONFIG_B43_BCMA=y
 CONFIG_B43_BUSES_BCMA_AND_SSB=y
diff --git a/kernel-i686.config b/kernel-i686.config
index 41057b9d1..fe4a05435 100644
--- a/kernel-i686.config
+++ b/kernel-i686.config
@@ -250,7 +250,6 @@ CONFIG_ARCH_MULTIPLATFORM=y
 # CONFIG_ARCNET is not set
 CONFIG_ARM64_ERRATUM_858921=y
 # CONFIG_AS3935 is not set
-# CONFIG_ASIX_PHY is not set
 CONFIG_ASUS_LAPTOP=m
 CONFIG_ASUS_NB_WMI=m
 CONFIG_ASUS_WIRELESS=m
@@ -343,6 +342,7 @@ CONFIG_AUTOFS_FS=y
 CONFIG_AUXDISPLAY=y
 CONFIG_AX25_DAMA_SLAVE=y
 CONFIG_AX25=m
+# CONFIG_AX88796B_PHY is not set
 CONFIG_B43_BCMA_PIO=y
 CONFIG_B43_BCMA=y
 CONFIG_B43_BUSES_BCMA_AND_SSB=y
diff --git a/kernel-ppc64le-debug.config b/kernel-ppc64le-debug.config
index a37c61ad5..c9abec928 100644
--- a/kernel-ppc64le-debug.config
+++ b/kernel-ppc64le-debug.config
@@ -195,7 +195,6 @@ CONFIG_ARCH_MULTIPLATFORM=y
 CONFIG_ARM64_ERRATUM_858921=y
 CONFIG_ARM_PTDUMP_DEBUGFS=y
 # CONFIG_AS3935 is not set
-# CONFIG_ASIX_PHY is not set
 CONFIG_ASYMMETRIC_KEY_TYPE=y
 CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m
 CONFIG_ASYNC_RAID6_TEST=m
@@ -284,6 +283,7 @@ CONFIG_AUTOFS_FS=y
 CONFIG_AUXDISPLAY=y
 CONFIG_AX25_DAMA_SLAVE=y
 CONFIG_AX25=m
+# CONFIG_AX88796B_PHY is not set
 CONFIG_B43_BCMA_PIO=y
 CONFIG_B43_BCMA=y
 CONFIG_B43_BUSES_BCMA_AND_SSB=y
diff --git a/kernel-ppc64le.config b/kernel-ppc64le.config
index a23326d07..4884618b4 100644
--- a/kernel-ppc64le.config
+++ b/kernel-ppc64le.config
@@ -194,7 +194,6 @@ CONFIG_ARCH_MULTIPLATFORM=y
 # CONFIG_ARCNET is not set
 CONFIG_ARM64_ERRATUM_858921=y
 # CONFIG_AS3935 is not set
-# CONFIG_ASIX_PHY is not set
 CONFIG_ASYMMETRIC_KEY_TYPE=y
 CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m
 CONFIG_ASYNC_RAID6_TEST=m
@@ -283,6 +282,7 @@ CONFIG_AUTOFS_FS=y
 CONFIG_AUXDISPLAY=y
 CONFIG_AX25_DAMA_SLAVE=y
 CONFIG_AX25=m
+# CONFIG_AX88796B_PHY is not set
 CONFIG_B43_BCMA_PIO=y
 CONFIG_B43_BCMA=y
 CONFIG_B43_BUSES_BCMA_AND_SSB=y
diff --git a/kernel-s390x-debug.config b/kernel-s390x-debug.config
index 894ded60d..41f884a15 100644
--- a/kernel-s390x-debug.config
+++ b/kernel-s390x-debug.config
@@ -200,7 +200,6 @@ CONFIG_ARCH_RANDOM=y
 CONFIG_ARM64_ERRATUM_858921=y
 CONFIG_ARM_PTDUMP_DEBUGFS=y
 # CONFIG_AS3935 is not set
-# CONFIG_ASIX_PHY is not set
 CONFIG_ASYMMETRIC_KEY_TYPE=y
 CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m
 CONFIG_ASYNC_RAID6_TEST=m
@@ -289,6 +288,7 @@ CONFIG_AUTOFS_FS=y
 # CONFIG_AUXDISPLAY is not set
 CONFIG_AX25_DAMA_SLAVE=y
 CONFIG_AX25=m
+# CONFIG_AX88796B_PHY is not set
 CONFIG_B43_BCMA_PIO=y
 CONFIG_B43_BCMA=y
 CONFIG_B43_BUSES_BCMA_AND_SSB=y
diff --git a/kernel-s390x.config b/kernel-s390x.config
index d58fdfe4e..3d07d6ec4 100644
--- a/kernel-s390x.config
+++ b/kernel-s390x.config
@@ -199,7 +199,6 @@ CONFIG_ARCH_RANDOM=y
 # CONFIG_ARCNET is not set
 CONFIG_ARM64_ERRATUM_858921=y
 # CONFIG_AS3935 is not set
-# CONFIG_ASIX_PHY is not set
 CONFIG_ASYMMETRIC_KEY_TYPE=y
 CONFIG_ASYMMETRIC_TPM_KEY_SUBTYPE=m
 CONFIG_ASYNC_RAID6_TEST=m
@@ -288,6 +287,7 @@ CONFIG_AUTOFS_FS=y
 # CONFIG_AUXDISPLAY is not set
 CONFIG_AX25_DAMA_SLAVE=y
 CONFIG_AX25=m
+# CONFIG_AX88796B_PHY is not set
 CONFIG_B43_BCMA_PIO=y
 CONFIG_B43_BCMA=y
 CONFIG_B43_BUSES_BCMA_AND_SSB=y
diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config
index db2ed00ba..ec5e71147 100644
--- a/kernel-x86_64-debug.config
+++ b/kernel-x86_64-debug.config
@@ -254,7 +254,6 @@ CONFIG_ARCH_MULTIPLATFORM=y
 CONFIG_ARM64_ERRATUM_858921=y
 CONFIG_ARM_PTDUMP_DEBUGFS=y
 # CONFIG_AS3935 is not set
-# CONFIG_ASIX_PHY is not set
 CONFIG_ASUS_LAPTOP=m
 CONFIG_ASUS_NB_WMI=m
 CONFIG_ASUS_WIRELESS=m
@@ -347,6 +346,7 @@ CONFIG_AUTOFS_FS=y
 CONFIG_AUXDISPLAY=y
 CONFIG_AX25_DAMA_SLAVE=y
 CONFIG_AX25=m
+# CONFIG_AX88796B_PHY is not set
 # CONFIG_AXP20X_ADC is not set
 # CONFIG_AXP20X_POWER is not set
 CONFIG_AXP288_ADC=m
diff --git a/kernel-x86_64.config b/kernel-x86_64.config
index ef5038e3f..c45a4ecc6 100644
--- a/kernel-x86_64.config
+++ b/kernel-x86_64.config
@@ -253,7 +253,6 @@ CONFIG_ARCH_MULTIPLATFORM=y
 # CONFIG_ARCNET is not set
 CONFIG_ARM64_ERRATUM_858921=y
 # CONFIG_AS3935 is not set
-# CONFIG_ASIX_PHY is not set
 CONFIG_ASUS_LAPTOP=m
 CONFIG_ASUS_NB_WMI=m
 CONFIG_ASUS_WIRELESS=m
@@ -346,6 +345,7 @@ CONFIG_AUTOFS_FS=y
 CONFIG_AUXDISPLAY=y
 CONFIG_AX25_DAMA_SLAVE=y
 CONFIG_AX25=m
+# CONFIG_AX88796B_PHY is not set
 # CONFIG_AXP20X_ADC is not set
 # CONFIG_AXP20X_POWER is not set
 CONFIG_AXP288_ADC=m
diff --git a/kernel.spec b/kernel.spec
index f259a1738..ed53e9f39 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -613,9 +613,6 @@ Patch526: 0001-platform-x86-ideapad-laptop-Remove-no_hw_rfkill_list.patch
 # CVE-2019-12378 rhbz 1715459 1715460
 Patch528: ipv6_sockglue-fix-missing-check-bug-in-ip6_ra_control.patch
 
-# CVE-2019-3846 rhbz 1713059 1715475
-Patch529: Buffer-overflow-read-checks-in-mwifiex.patch
-
 # CVE-2019-12380 rhbz 1715494 1715495
 Patch530: 0001-efi-x86-Add-missing-error-handling-to-old_memmap-1-1.patch
 
@@ -640,9 +637,6 @@ Patch536: scsi-mpt3sas_ctl-fix-double-fetch-bug-in_ctl_ioctl_main.patch
 # CVE-2019-12614 rhbz 1718176 1718185
 Patch538: powerpc-fix-a-missing-check-in-dlpar_parse_cc_property.patch
 
-# CVE-2019-10126 rhbz 1716992 1720122
-Patch541: mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch
-
 # Fix the LCD panel on the GPD MicroPC not working, pending as fixes for 5.2
 Patch544: drm-panel-orientation-quirks.patch
 Patch545: efi-bgrt-acpi6.2-support.patch
@@ -1895,6 +1889,9 @@ fi
 #
 #
 %changelog
+* Mon Jul 15 2019 Jeremy Cline <jcline@redhat.com> - 5.1.18-300
+- Linux v5.1.18
+
 * Wed Jul 10 2019 Jeremy Cline <jcline@redhat.com> - 5.1.17-300
 - Linux v5.1.17
 
diff --git a/mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch b/mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch
deleted file mode 100644
index c9a0f13a7..000000000
--- a/mwifiex-Fix-heap-overflow-in-mwifiex_uap_parse_tail_ies.patch
+++ /dev/null
@@ -1,173 +0,0 @@
-From patchwork Fri May 31 13:18:41 2019
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: Takashi Iwai <tiwai@suse.de>
-X-Patchwork-Id: 10970141
-X-Patchwork-Delegate: kvalo@adurom.com
-Return-Path: <linux-wireless-owner@kernel.org>
-Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
- [172.30.200.125])
-	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A2FA614C0
-	for <patchwork-linux-wireless@patchwork.kernel.org>;
- Fri, 31 May 2019 13:19:19 +0000 (UTC)
-Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
-	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 914E928CA2
-	for <patchwork-linux-wireless@patchwork.kernel.org>;
- Fri, 31 May 2019 13:19:19 +0000 (UTC)
-Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
-	id 858EA28CA3; Fri, 31 May 2019 13:19:19 +0000 (UTC)
-X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
-	pdx-wl-mail.web.codeaurora.org
-X-Spam-Level: 
-X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
-	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
-Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
-	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C4AB628CB5
-	for <patchwork-linux-wireless@patchwork.kernel.org>;
- Fri, 31 May 2019 13:19:18 +0000 (UTC)
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
-        id S1726687AbfEaNTR (ORCPT
-        <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
-        Fri, 31 May 2019 09:19:17 -0400
-Received: from mx2.suse.de ([195.135.220.15]:46148 "EHLO mx1.suse.de"
-        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
-        id S1726330AbfEaNTR (ORCPT <rfc822;linux-wireless@vger.kernel.org>);
-        Fri, 31 May 2019 09:19:17 -0400
-X-Virus-Scanned: by amavisd-new at test-mx.suse.de
-Received: from relay2.suse.de (unknown [195.135.220.254])
-        by mx1.suse.de (Postfix) with ESMTP id A72A4AE4D;
-        Fri, 31 May 2019 13:19:15 +0000 (UTC)
-From: Takashi Iwai <tiwai@suse.de>
-To: Kalle Valo <kvalo@codeaurora.org>
-Cc: Amitkumar Karwar <amitkarwar@gmail.com>,
-        Nishant Sarmukadam <nishants@marvell.com>,
-        Ganapathi Bhat <gbhat@marvell.com>,
-        Xinming Hu <huxinming820@gmail.com>,
-        huangwen <huangwen@venustech.com.cn>,
-        Solar Designer <solar@openwall.com>,
-        Marcus Meissner <meissner@suse.de>,
-        linux-wireless@vger.kernel.org
-Subject: [PATCH] mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
-Date: Fri, 31 May 2019 15:18:41 +0200
-Message-Id: <20190531131841.7552-1-tiwai@suse.de>
-X-Mailer: git-send-email 2.16.4
-Sender: linux-wireless-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <linux-wireless.vger.kernel.org>
-X-Mailing-List: linux-wireless@vger.kernel.org
-X-Virus-Scanned: ClamAV using ClamSMTP
-
-A few places in mwifiex_uap_parse_tail_ies() perform memcpy()
-unconditionally, which may lead to either buffer overflow or read over
-boundary.
-
-This patch addresses the issues by checking the read size and the
-destination size at each place more properly.  Along with the fixes,
-the patch cleans up the code slightly by introducing a temporary
-variable for the token size, and unifies the error path with the
-standard goto statement.
-
-Reported-by: huangwen <huangwen@venustech.com.cn>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
----
- drivers/net/wireless/marvell/mwifiex/ie.c | 47 ++++++++++++++++++++-----------
- 1 file changed, 31 insertions(+), 16 deletions(-)
-
-diff --git a/drivers/net/wireless/marvell/mwifiex/ie.c b/drivers/net/wireless/marvell/mwifiex/ie.c
-index 6845eb57b39a..653d347a9a19 100644
---- a/drivers/net/wireless/marvell/mwifiex/ie.c
-+++ b/drivers/net/wireless/marvell/mwifiex/ie.c
-@@ -329,6 +329,8 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv,
- 	struct ieee80211_vendor_ie *vendorhdr;
- 	u16 gen_idx = MWIFIEX_AUTO_IDX_MASK, ie_len = 0;
- 	int left_len, parsed_len = 0;
-+	unsigned int token_len;
-+	int err = 0;
- 
- 	if (!info->tail || !info->tail_len)
- 		return 0;
-@@ -344,6 +346,12 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv,
- 	 */
- 	while (left_len > sizeof(struct ieee_types_header)) {
- 		hdr = (void *)(info->tail + parsed_len);
-+		token_len = hdr->len + sizeof(struct ieee_types_header);
-+		if (token_len > left_len) {
-+			err = -EINVAL;
-+			goto out;
-+		}
-+
- 		switch (hdr->element_id) {
- 		case WLAN_EID_SSID:
- 		case WLAN_EID_SUPP_RATES:
-@@ -361,17 +369,20 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv,
- 			if (cfg80211_find_vendor_ie(WLAN_OUI_MICROSOFT,
- 						    WLAN_OUI_TYPE_MICROSOFT_WMM,
- 						    (const u8 *)hdr,
--						    hdr->len + sizeof(struct ieee_types_header)))
-+						    token_len))
- 				break;
- 			/* fall through */
- 		default:
--			memcpy(gen_ie->ie_buffer + ie_len, hdr,
--			       hdr->len + sizeof(struct ieee_types_header));
--			ie_len += hdr->len + sizeof(struct ieee_types_header);
-+			if (ie_len + token_len > IEEE_MAX_IE_SIZE) {
-+				err = -EINVAL;
-+				goto out;
-+			}
-+			memcpy(gen_ie->ie_buffer + ie_len, hdr, token_len);
-+			ie_len += token_len;
- 			break;
- 		}
--		left_len -= hdr->len + sizeof(struct ieee_types_header);
--		parsed_len += hdr->len + sizeof(struct ieee_types_header);
-+		left_len -= token_len;
-+		parsed_len += token_len;
- 	}
- 
- 	/* parse only WPA vendor IE from tail, WMM IE is configured by
-@@ -381,15 +392,17 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv,
- 						    WLAN_OUI_TYPE_MICROSOFT_WPA,
- 						    info->tail, info->tail_len);
- 	if (vendorhdr) {
--		memcpy(gen_ie->ie_buffer + ie_len, vendorhdr,
--		       vendorhdr->len + sizeof(struct ieee_types_header));
--		ie_len += vendorhdr->len + sizeof(struct ieee_types_header);
-+		token_len = vendorhdr->len + sizeof(struct ieee_types_header);
-+		if (ie_len + token_len > IEEE_MAX_IE_SIZE) {
-+			err = -EINVAL;
-+			goto out;
-+		}
-+		memcpy(gen_ie->ie_buffer + ie_len, vendorhdr, token_len);
-+		ie_len += token_len;
- 	}
- 
--	if (!ie_len) {
--		kfree(gen_ie);
--		return 0;
--	}
-+	if (!ie_len)
-+		goto out;
- 
- 	gen_ie->ie_index = cpu_to_le16(gen_idx);
- 	gen_ie->mgmt_subtype_mask = cpu_to_le16(MGMT_MASK_BEACON |
-@@ -399,13 +412,15 @@ static int mwifiex_uap_parse_tail_ies(struct mwifiex_private *priv,
- 
- 	if (mwifiex_update_uap_custom_ie(priv, gen_ie, &gen_idx, NULL, NULL,
- 					 NULL, NULL)) {
--		kfree(gen_ie);
--		return -1;
-+		err = -EINVAL;
-+		goto out;
- 	}
- 
- 	priv->gen_idx = gen_idx;
-+
-+ out:
- 	kfree(gen_ie);
--	return 0;
-+	return err;
- }
- 
- /* This function parses different IEs-head & tail IEs, beacon IEs,