--- /dev/null
+From 54b3a4d311c98ad94b737802a8b5f2c8c6bfd627 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg@redhat.com>
+Date: Thu, 3 May 2012 16:50:46 -0400
+Subject: efivars: Improve variable validation
+
+From: Matthew Garrett <mjg@redhat.com>
+
+commit 54b3a4d311c98ad94b737802a8b5f2c8c6bfd627 upstream.
+
+Ben Hutchings pointed out that the validation in efivars was inadequate -
+most obviously, an entry with size 0 would server as a DoS against the
+kernel. Improve this based on his suggestions.
+
+Signed-off-by: Matthew Garrett <mjg@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efivars.c | 46 +++++++++++++++++++++++++++++----------------
+ 1 file changed, 30 insertions(+), 16 deletions(-)
+
+--- a/drivers/firmware/efivars.c
++++ b/drivers/firmware/efivars.c
+@@ -167,18 +167,21 @@ utf16_strsize(efi_char16_t *data, unsign
+ }
+
+ static bool
+-validate_device_path(struct efi_variable *var, int match, u8 *buffer, int len)
++validate_device_path(struct efi_variable *var, int match, u8 *buffer,
++ unsigned long len)
+ {
+ struct efi_generic_dev_path *node;
+ int offset = 0;
+
+ node = (struct efi_generic_dev_path *)buffer;
+
+- while (offset < len) {
+- offset += node->length;
++ if (len < sizeof(*node))
++ return false;
+
+- if (offset > len)
+- return false;
++ while (offset <= len - sizeof(*node) &&
++ node->length >= sizeof(*node) &&
++ node->length <= len - offset) {
++ offset += node->length;
+
+ if ((node->type == EFI_DEV_END_PATH ||
+ node->type == EFI_DEV_END_PATH2) &&
+@@ -197,7 +200,8 @@ validate_device_path(struct efi_variable
+ }
+
+ static bool
+-validate_boot_order(struct efi_variable *var, int match, u8 *buffer, int len)
++validate_boot_order(struct efi_variable *var, int match, u8 *buffer,
++ unsigned long len)
+ {
+ /* An array of 16-bit integers */
+ if ((len % 2) != 0)
+@@ -207,19 +211,27 @@ validate_boot_order(struct efi_variable
+ }
+
+ static bool
+-validate_load_option(struct efi_variable *var, int match, u8 *buffer, int len)
++validate_load_option(struct efi_variable *var, int match, u8 *buffer,
++ unsigned long len)
+ {
+ u16 filepathlength;
+- int i, desclength = 0;
++ int i, desclength = 0, namelen;
++
++ namelen = utf16_strnlen(var->VariableName, sizeof(var->VariableName));
+
+ /* Either "Boot" or "Driver" followed by four digits of hex */
+ for (i = match; i < match+4; i++) {
+- if (hex_to_bin(var->VariableName[i] & 0xff) < 0)
++ if (var->VariableName[i] > 127 ||
++ hex_to_bin(var->VariableName[i] & 0xff) < 0)
+ return true;
+ }
+
+- /* A valid entry must be at least 6 bytes */
+- if (len < 6)
++ /* Reject it if there's 4 digits of hex and then further content */
++ if (namelen > match + 4)
++ return false;
++
++ /* A valid entry must be at least 8 bytes */
++ if (len < 8)
+ return false;
+
+ filepathlength = buffer[4] | buffer[5] << 8;
+@@ -228,7 +240,7 @@ validate_load_option(struct efi_variable
+ * There's no stored length for the description, so it has to be
+ * found by hand
+ */
+- desclength = utf16_strsize((efi_char16_t *)(buffer + 6), len) + 2;
++ desclength = utf16_strsize((efi_char16_t *)(buffer + 6), len - 6) + 2;
+
+ /* Each boot entry must have a descriptor */
+ if (!desclength)
+@@ -250,7 +262,8 @@ validate_load_option(struct efi_variable
+ }
+
+ static bool
+-validate_uint16(struct efi_variable *var, int match, u8 *buffer, int len)
++validate_uint16(struct efi_variable *var, int match, u8 *buffer,
++ unsigned long len)
+ {
+ /* A single 16-bit integer */
+ if (len != 2)
+@@ -260,7 +273,8 @@ validate_uint16(struct efi_variable *var
+ }
+
+ static bool
+-validate_ascii_string(struct efi_variable *var, int match, u8 *buffer, int len)
++validate_ascii_string(struct efi_variable *var, int match, u8 *buffer,
++ unsigned long len)
+ {
+ int i;
+
+@@ -278,7 +292,7 @@ validate_ascii_string(struct efi_variabl
+ struct variable_validate {
+ char *name;
+ bool (*validate)(struct efi_variable *var, int match, u8 *data,
+- int len);
++ unsigned long len);
+ };
+
+ static const struct variable_validate variable_validate[] = {
+@@ -300,7 +314,7 @@ static const struct variable_validate va
+ };
+
+ static bool
+-validate_var(struct efi_variable *var, u8 *data, int len)
++validate_var(struct efi_variable *var, u8 *data, unsigned long len)
+ {
+ int i;
+ u16 *unicode_name = var->VariableName;
--- /dev/null
+From b704871124b477807966f06789c2b32f2de58bf7 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Mon, 30 Apr 2012 09:18:01 -0400
+Subject: hwmon: (coretemp) fix oops on cpu unplug
+
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+
+commit b704871124b477807966f06789c2b32f2de58bf7 upstream.
+
+coretemp tries to access core_data array beyond bounds on cpu unplug if
+core id of the cpu if more than NUM_REAL_CORES-1.
+
+BUG: unable to handle kernel NULL pointer dereference at 000000000000013c
+IP: [<ffffffffa00159af>] coretemp_cpu_callback+0x93/0x1ba [coretemp]
+PGD 673e5a067 PUD 66e9b3067 PMD 0
+Oops: 0000 [#1] SMP
+CPU 79
+Modules linked in: sunrpc cpufreq_ondemand acpi_cpufreq freq_table mperf bnep bluetooth rfkill ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter nf_conntrack_ipv4 nf_defrag_ipv4 ip6_tables xt_state nf_conntrack coretemp crc32c_intel asix tpm_tis pcspkr usbnet iTCO_wdt i2c_i801 microcode mii joydev tpm i2c_core iTCO_vendor_support tpm_bios i7core_edac igb ioatdma edac_core dca megaraid_sas [last unloaded: oprofile]
+
+Pid: 3315, comm: set-cpus Tainted: G W 3.4.0-rc5+ #2 QCI QSSC-S4R/QSSC-S4R
+RIP: 0010:[<ffffffffa00159af>] [<ffffffffa00159af>] coretemp_cpu_callback+0x93/0x1ba [coretemp]
+RSP: 0018:ffff880472fb3d48 EFLAGS: 00010246
+RAX: 0000000000000124 RBX: 0000000000000034 RCX: 00000000ffffffff
+RDX: 0000000000000000 RSI: 0000000000000046 RDI: 0000000000000246
+RBP: ffff880472fb3d88 R08: ffff88077fcd36c0 R09: 0000000000000001
+R10: ffffffff8184bc48 R11: 0000000000000000 R12: ffff880273095800
+R13: 0000000000000013 R14: ffff8802730a1810 R15: 0000000000000000
+FS: 00007f694a20f720(0000) GS:ffff88077fcc0000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 000000000000013c CR3: 000000067209b000 CR4: 00000000000007e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process set-cpus (pid: 3315, threadinfo ffff880472fb2000, task ffff880471fa0000)
+Stack:
+ ffff880277b4c308 0000000000000003 ffff880472fb3d88 0000000000000005
+ 0000000000000034 00000000ffffffd1 ffffffff81cadc70 ffff880472fb3e14
+ ffff880472fb3dc8 ffffffff8161f48d ffff880471fa0000 0000000000000034
+Call Trace:
+ [<ffffffff8161f48d>] notifier_call_chain+0x4d/0x70
+ [<ffffffff8107f1be>] __raw_notifier_call_chain+0xe/0x10
+ [<ffffffff81059d30>] __cpu_notify+0x20/0x40
+ [<ffffffff815fa251>] _cpu_down+0x81/0x270
+ [<ffffffff815fa477>] cpu_down+0x37/0x50
+ [<ffffffff815fd6a3>] store_online+0x63/0xc0
+ [<ffffffff813c7078>] dev_attr_store+0x18/0x30
+ [<ffffffff811f02cf>] sysfs_write_file+0xef/0x170
+ [<ffffffff81180443>] vfs_write+0xb3/0x180
+ [<ffffffff8118076a>] sys_write+0x4a/0x90
+ [<ffffffff816236a9>] system_call_fastpath+0x16/0x1b
+Code: 48 c7 c7 94 60 01 a0 44 0f b7 ac 10 ac 00 00 00 31 c0 e8 41 b7 5f e1 41 83 c5 02 49 63 c5 49 8b 44 c4 10 48 85 c0 74 56 45 31 ff <39> 58 18 75 4e eb 1f 49 63 d7 4c 89 f7 48 89 45 c8 48 6b d2 28
+RIP [<ffffffffa00159af>] coretemp_cpu_callback+0x93/0x1ba [coretemp]
+ RSP <ffff880472fb3d48>
+CR2: 000000000000013c
+
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/coretemp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -752,6 +752,10 @@ static void __cpuinit put_core_offline(u
+
+ indx = TO_ATTR_NO(cpu);
+
++ /* The core id is too big, just return */
++ if (indx > MAX_CORE_DATA - 1)
++ return;
++
+ if (pdata->core_data[indx] && pdata->core_data[indx]->cpu == cpu)
+ coretemp_remove_core(pdata, &pdev->dev, indx);
+
--- /dev/null
+From bdc71c9a87b898e4c380c23b2e3e18071312ecde Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <guenter.roeck@ericsson.com>
+Date: Tue, 1 May 2012 08:15:42 -0700
+Subject: hwmon: (coretemp) Increase CPU core limit
+
+From: Guenter Roeck <guenter.roeck@ericsson.com>
+
+commit bdc71c9a87b898e4c380c23b2e3e18071312ecde upstream.
+
+CPU core ID is used to index the core_data[] array. The core ID is, however, not
+sequential; 10-core CPUS can have a core ID as high as 25. Increase the limit to
+32 to be able to deal with current CPUs.
+
+Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
+Acked-by: Jean Delvare <khali@linux-fr.org>
+Acked-by: Durgadoss R <durgadoss.r@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/coretemp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -42,7 +42,7 @@
+ #define DRVNAME "coretemp"
+
+ #define BASE_SYSFS_ATTR_NO 2 /* Sysfs Base attr no for coretemp */
+-#define NUM_REAL_CORES 16 /* Number of Real cores per cpu */
++#define NUM_REAL_CORES 32 /* Number of Real cores per cpu */
+ #define CORETEMP_NAME_LENGTH 17 /* String Length of attrs */
+ #define MAX_ATTRS 5 /* Maximum no of per-core attrs */
+ #define MAX_CORE_DATA (NUM_REAL_CORES + BASE_SYSFS_ATTR_NO)
--- /dev/null
+From 6c557cfee08751d22aed34840f389b846f0f4508 Mon Sep 17 00:00:00 2001
+From: Roland Stigge <stigge@antcom.de>
+Date: Wed, 4 Apr 2012 10:34:37 +0200
+Subject: i2c: pnx: Disable clk in suspend
+
+From: Roland Stigge <stigge@antcom.de>
+
+commit 6c557cfee08751d22aed34840f389b846f0f4508 upstream.
+
+In the driver's suspend function, clk_enable() was used instead of
+clk_disable(). This is corrected with this patch.
+
+Signed-off-by: Roland Stigge <stigge@antcom.de>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+[wsa: reworded commit header slightly]
+Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-pnx.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-pnx.c
++++ b/drivers/i2c/busses/i2c-pnx.c
+@@ -546,8 +546,7 @@ static int i2c_pnx_controller_suspend(st
+ {
+ struct i2c_pnx_algo_data *alg_data = platform_get_drvdata(pdev);
+
+- /* FIXME: shouldn't this be clk_disable? */
+- clk_enable(alg_data->clk);
++ clk_disable(alg_data->clk);
+
+ return 0;
+ }
--- /dev/null
+From dd447319895d0c0af423e483d9b63f84f3f8869a Mon Sep 17 00:00:00 2001
+From: Stanislav Yakovlev <stas.yakovlev@gmail.com>
+Date: Thu, 19 Apr 2012 15:55:09 -0400
+Subject: ipw2200: Fix race condition in the command completion acknowledge
+
+From: Stanislav Yakovlev <stas.yakovlev@gmail.com>
+
+commit dd447319895d0c0af423e483d9b63f84f3f8869a upstream.
+
+Driver incorrectly validates command completion: instead of waiting
+for a command to be acknowledged it continues execution. Most of the
+time driver gets acknowledge of the command completion in a tasklet
+before it executes the next one. But sometimes it sends the next
+command before it gets acknowledge for the previous one. In such a
+case one of the following error messages appear in the log:
+
+Failed to send SYSTEM_CONFIG: Already sending a command.
+Failed to send ASSOCIATE: Already sending a command.
+Failed to send TX_POWER: Already sending a command.
+
+After that you need to reload the driver to get it working again.
+
+This bug occurs during roaming (reported by Sam Varshavchik)
+https://bugzilla.redhat.com/show_bug.cgi?id=738508
+and machine booting (reported by Tom Gundersen and Mads Kiilerich)
+https://bugs.archlinux.org/task/28097
+https://bugzilla.redhat.com/show_bug.cgi?id=802106
+
+This patch doesn't fix the delay issue during firmware load.
+But at least device now works as usual after boot.
+
+Signed-off-by: Stanislav Yakovlev <stas.yakovlev@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ipw2x00/ipw2200.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ipw2x00/ipw2200.c
++++ b/drivers/net/wireless/ipw2x00/ipw2200.c
+@@ -2182,6 +2182,7 @@ static int __ipw_send_cmd(struct ipw_pri
+ {
+ int rc = 0;
+ unsigned long flags;
++ unsigned long now, end;
+
+ spin_lock_irqsave(&priv->lock, flags);
+ if (priv->status & STATUS_HCMD_ACTIVE) {
+@@ -2223,10 +2224,20 @@ static int __ipw_send_cmd(struct ipw_pri
+ }
+ spin_unlock_irqrestore(&priv->lock, flags);
+
++ now = jiffies;
++ end = now + HOST_COMPLETE_TIMEOUT;
++again:
+ rc = wait_event_interruptible_timeout(priv->wait_command_queue,
+ !(priv->
+ status & STATUS_HCMD_ACTIVE),
+- HOST_COMPLETE_TIMEOUT);
++ end - now);
++ if (rc < 0) {
++ now = jiffies;
++ if (time_before(now, end))
++ goto again;
++ rc = 0;
++ }
++
+ if (rc == 0) {
+ spin_lock_irqsave(&priv->lock, flags);
+ if (priv->status & STATUS_HCMD_ACTIVE) {
--- /dev/null
+From 6868225e3e92399068be9a5f1635752d91012ad5 Mon Sep 17 00:00:00 2001
+From: Lin Ming <ming.m.lin@intel.com>
+Date: Thu, 3 May 2012 22:15:07 +0800
+Subject: libata: skip old error history when counting probe trials
+
+From: Lin Ming <ming.m.lin@intel.com>
+
+commit 6868225e3e92399068be9a5f1635752d91012ad5 upstream.
+
+Commit d902747("[libata] Add ATA transport class") introduced
+ATA_EFLAG_OLD_ER to mark entries in the error ring as cleared.
+
+But ata_count_probe_trials_cb() didn't check this flag and it still
+counts the old error history. So wrong probe trials count is returned
+and it causes problem, for example, SATA link speed is slowed down from
+3.0Gbps to 1.5Gbps.
+
+Fix it by checking ATA_EFLAG_OLD_ER in ata_count_probe_trials_cb().
+
+Signed-off-by: Lin Ming <ming.m.lin@intel.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-eh.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -3487,7 +3487,8 @@ static int ata_count_probe_trials_cb(str
+ u64 now = get_jiffies_64();
+ int *trials = void_arg;
+
+- if (ent->timestamp < now - min(now, interval))
++ if ((ent->eflags & ATA_EFLAG_OLD_ER) ||
++ (ent->timestamp < now - min(now, interval)))
+ return -1;
+
+ (*trials)++;
--- /dev/null
+From 66f2c99af3d6f2d0aa1120884cf1c60613ef61c0 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Sun, 29 Apr 2012 15:44:16 +0200
+Subject: mac80211: fix AP mode EAP tx for VLAN stations
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit 66f2c99af3d6f2d0aa1120884cf1c60613ef61c0 upstream.
+
+EAP frames for stations in an AP VLAN are sent on the main AP interface
+to avoid race conditions wrt. moving stations.
+For that to work properly, sta_info_get_bss must be used instead of
+sta_info_get when sending EAP packets.
+Previously this was only done for cooked monitor injected packets, so
+this patch adds a check for tx->skb->protocol to the same place.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/tx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1222,7 +1222,8 @@ ieee80211_tx_prepare(struct ieee80211_su
+ tx->sta = rcu_dereference(sdata->u.vlan.sta);
+ if (!tx->sta && sdata->dev->ieee80211_ptr->use_4addr)
+ return TX_DROP;
+- } else if (info->flags & IEEE80211_TX_CTL_INJECTED) {
++ } else if (info->flags & IEEE80211_TX_CTL_INJECTED ||
++ tx->sdata->control_port_protocol == tx->skb->protocol) {
+ tx->sta = sta_info_get_bss(sdata, hdr->addr1);
+ }
+ if (!tx->sta)
--- /dev/null
+From 44eb65cfd8da4b9c231238998729e858e963a980 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Thu, 19 Apr 2012 21:39:06 -0500
+Subject: rtlwifi: Fix oops on unload
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 44eb65cfd8da4b9c231238998729e858e963a980 upstream.
+
+Under some circumstances, a PCI-based driver reports the following OOPs:
+
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Oops: 0000 [#1] SMP
+--snip--
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Pid: 19627, comm: rmmod
+Not tainted 3.2.9-2.fc16.x86_64 #1 LENOVO 05962RU/05962RU
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] RIP:
+0010:[<ffffffffa0418d39>] [<ffffffffa0418d39>]
+rtl92ce_get_desc+0x19/0xd0 [rtl8192ce]
+--snip--
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Process rmmod (pid:
+19627, threadinfo ffff880050262000, task ffff8801156d5cc0)
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Stack:
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] 0000000000000002
+ffff8801176c2540 ffff880050263ca8 ffffffffa03348e7
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] 0000000000000282
+0000000180150014 ffff880050263fd8 ffff8801176c2810
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] ffff880050263bc8
+ffffffff810550e2 00000000000002c0 ffff8801176c0d40
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Call Trace:
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] [<ffffffffa03348e7>]
+_rtl_pci_rx_interrupt+0x187/0x650 [rtlwifi]
+--snip--
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Code: ff 09 d0 89 07 48
+83 c4 08 5b 5d c3 66 0f 1f 44 00 00 55 48 89 e5 53 48 83 ec 08 66 66
+66 66 90 40 84 f6 89 d3 74 13 84 d2 75 57 <8b> 07 48 83 c4 08 5b 5d c1
+e8 1f c3 0f 1f 00 84 d2 74 ed 80 fa
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] RIP
+[<ffffffffa0418d39>] rtl92ce_get_desc+0x19/0xd0 [rtl8192ce]
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] RSP <ffff880050263b58>
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] CR2: 00000000000006e0
+Mar 19 08:14:35 kvothe kernel: [ 6584.646491] ---[ end trace
+8636c766dcfbe0e6 ]---
+
+This oops is due to interrupts not being disabled in this particular path.
+
+Reported-by: Dave Airlie <airlied@gmail.com>
+Tested-by: Dave Airlie <airlied@gmail.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rtlwifi/pci.c
++++ b/drivers/net/wireless/rtlwifi/pci.c
+@@ -1988,6 +1988,7 @@ void rtl_pci_disconnect(struct pci_dev *
+ rtl_deinit_deferred_work(hw);
+ rtlpriv->intf_ops->adapter_stop(hw);
+ }
++ rtlpriv->cfg->ops->disable_interrupt(hw);
+
+ /*deinit rfkill */
+ rtl_deinit_rfkill(hw);
--- /dev/null
+From c308b56b5398779cd3da0f62ab26b0453494c3d4 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra <peterz@infradead.org>
+Date: Thu, 1 Mar 2012 15:04:46 +0100
+Subject: sched: Fix nohz load accounting -- again!
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Zijlstra <peterz@infradead.org>
+
+commit c308b56b5398779cd3da0f62ab26b0453494c3d4 upstream.
+[ backported to 3.0 by Kerin Millar <kerframil@gmail.com>]
+
+Various people reported nohz load tracking still being wrecked, but Doug
+spotted the actual problem. We fold the nohz remainder in too soon,
+causing us to loose samples and under-account.
+
+So instead of playing catch-up up-front, always do a single load-fold
+with whatever state we encounter and only then fold the nohz remainder
+and play catch-up.
+
+Reported-by: Doug Smythies <dsmythies@telus.net>
+Reported-by: LesÃ…=82aw Kope=C4=87 <leslaw.kopec@nasza-klasa.pl>
+Reported-by: Aman Gupta <aman@tmm1.net>
+Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Link: http://lkml.kernel.org/n/tip-4v31etnhgg9kwd6ocgx3rxl8@git.kernel.org
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Cc: Kerin Millar <kerframil@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ kernel/sched.c | 53 ++++++++++++++++++++++++++---------------------------
+ 1 file changed, 26 insertions(+), 27 deletions(-)
+
+--- a/kernel/sched.c
++++ b/kernel/sched.c
+@@ -3392,13 +3392,10 @@ calc_load_n(unsigned long load, unsigned
+ * Once we've updated the global active value, we need to apply the exponential
+ * weights adjusted to the number of cycles missed.
+ */
+-static void calc_global_nohz(unsigned long ticks)
++static void calc_global_nohz(void)
+ {
+ long delta, active, n;
+
+- if (time_before(jiffies, calc_load_update))
+- return;
+-
+ /*
+ * If we crossed a calc_load_update boundary, make sure to fold
+ * any pending idle changes, the respective CPUs might have
+@@ -3410,31 +3407,25 @@ static void calc_global_nohz(unsigned lo
+ atomic_long_add(delta, &calc_load_tasks);
+
+ /*
+- * If we were idle for multiple load cycles, apply them.
++ * It could be the one fold was all it took, we done!
+ */
+- if (ticks >= LOAD_FREQ) {
+- n = ticks / LOAD_FREQ;
++ if (time_before(jiffies, calc_load_update + 10))
++ return;
+
+- active = atomic_long_read(&calc_load_tasks);
+- active = active > 0 ? active * FIXED_1 : 0;
++ /*
++ * Catch-up, fold however many we are behind still
++ */
++ delta = jiffies - calc_load_update - 10;
++ n = 1 + (delta / LOAD_FREQ);
+
+- avenrun[0] = calc_load_n(avenrun[0], EXP_1, active, n);
+- avenrun[1] = calc_load_n(avenrun[1], EXP_5, active, n);
+- avenrun[2] = calc_load_n(avenrun[2], EXP_15, active, n);
++ active = atomic_long_read(&calc_load_tasks);
++ active = active > 0 ? active * FIXED_1 : 0;
+
+- calc_load_update += n * LOAD_FREQ;
+- }
++ avenrun[0] = calc_load_n(avenrun[0], EXP_1, active, n);
++ avenrun[1] = calc_load_n(avenrun[1], EXP_5, active, n);
++ avenrun[2] = calc_load_n(avenrun[2], EXP_15, active, n);
+
+- /*
+- * Its possible the remainder of the above division also crosses
+- * a LOAD_FREQ period, the regular check in calc_global_load()
+- * which comes after this will take care of that.
+- *
+- * Consider us being 11 ticks before a cycle completion, and us
+- * sleeping for 4*LOAD_FREQ + 22 ticks, then the above code will
+- * age us 4 cycles, and the test in calc_global_load() will
+- * pick up the final one.
+- */
++ calc_load_update += n * LOAD_FREQ;
+ }
+ #else
+ static void calc_load_account_idle(struct rq *this_rq)
+@@ -3446,7 +3437,7 @@ static inline long calc_load_fold_idle(v
+ return 0;
+ }
+
+-static void calc_global_nohz(unsigned long ticks)
++static void calc_global_nohz(void)
+ {
+ }
+ #endif
+@@ -3474,8 +3465,6 @@ void calc_global_load(unsigned long tick
+ {
+ long active;
+
+- calc_global_nohz(ticks);
+-
+ if (time_before(jiffies, calc_load_update + 10))
+ return;
+
+@@ -3487,6 +3476,16 @@ void calc_global_load(unsigned long tick
+ avenrun[2] = calc_load(avenrun[2], EXP_15, active);
+
+ calc_load_update += LOAD_FREQ;
++
++ /*
++ * Account one period with whatever state we found before
++ * folding in the nohz state and ageing the entire idle period.
++ *
++ * This avoids loosing a sample when we go idle between
++ * calc_load_account_active() (10 ticks ago) and now and thus
++ * under-accounting.
++ */
++ calc_global_nohz();
+ }
+
+ /*
efivars-string-functions.patch
efivars-fix-warnings-when-config_pstore-n.patch
efi-validate-uefi-boot-variables.patch
+efivars-improve-variable-validation.patch
+hwmon-coretemp-increase-cpu-core-limit.patch
+hwmon-coretemp-fix-oops-on-cpu-unplug.patch
+libata-skip-old-error-history-when-counting-probe-trials.patch
+i2c-pnx-disable-clk-in-suspend.patch
+ipw2200-fix-race-condition-in-the-command-completion-acknowledge.patch
+mac80211-fix-ap-mode-eap-tx-for-vlan-stations.patch
+rtlwifi-fix-oops-on-unload.patch
+wl1251-fix-crash-on-remove-due-to-premature-kfree.patch
+wl1251-fix-crash-on-remove-due-to-leftover-work-item.patch
+sched-fix-nohz-load-accounting-again.patch
--- /dev/null
+From 4c1bcdb5a3354b250b82a67549f57ac27a3bb85f Mon Sep 17 00:00:00 2001
+From: Grazvydas Ignotas <notasas@gmail.com>
+Date: Thu, 26 Apr 2012 23:07:44 +0300
+Subject: wl1251: fix crash on remove due to leftover work item
+
+From: Grazvydas Ignotas <notasas@gmail.com>
+
+commit 4c1bcdb5a3354b250b82a67549f57ac27a3bb85f upstream.
+
+This driver currently leaves elp_work behind when stopping, which
+occasionally results in data corruption because work function ends
+up accessing freed memory, typical symptoms of this are various
+worker_thread crashes. Fix it by cancelling elp_work.
+
+Signed-off-by: Grazvydas Ignotas <notasas@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/wl1251/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/wl1251/main.c
++++ b/drivers/net/wireless/wl1251/main.c
+@@ -479,6 +479,7 @@ static void wl1251_op_stop(struct ieee80
+ cancel_work_sync(&wl->irq_work);
+ cancel_work_sync(&wl->tx_work);
+ cancel_work_sync(&wl->filter_work);
++ cancel_delayed_work_sync(&wl->elp_work);
+
+ mutex_lock(&wl->mutex);
+
--- /dev/null
+From 328c32f0f85467af5a6c4c3289e168d9ad2555af Mon Sep 17 00:00:00 2001
+From: Grazvydas Ignotas <notasas@gmail.com>
+Date: Thu, 26 Apr 2012 23:07:43 +0300
+Subject: wl1251: fix crash on remove due to premature kfree
+
+From: Grazvydas Ignotas <notasas@gmail.com>
+
+commit 328c32f0f85467af5a6c4c3289e168d9ad2555af upstream.
+
+Currently SDIO glue frees it's own structure before calling
+wl1251_free_hw(), which in turn calls ieee80211_unregister_hw().
+The later call may result in a need to communicate with the chip
+to stop it (as it happens now if the interface is still up before
+rmmod), which means calls are made back to the glue, resulting in
+freed memory access.
+
+Fix this by freeing glue data last.
+
+Signed-off-by: Grazvydas Ignotas <notasas@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/wl1251/sdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/wl1251/sdio.c
++++ b/drivers/net/wireless/wl1251/sdio.c
+@@ -314,8 +314,8 @@ static void __devexit wl1251_sdio_remove
+
+ if (wl->irq)
+ free_irq(wl->irq, wl);
+- kfree(wl_sdio);
+ wl1251_free_hw(wl);
++ kfree(wl_sdio);
+
+ sdio_claim_host(func);
+ sdio_release_irq(func);
projects / thirdparty / kernel / stable-queue.git / commitdiff
