--- /dev/null
+From 401507d67d5c2854f5a88b3f93f64fc6f267bca5 Mon Sep 17 00:00:00 2001
+From: Wang Nan <wangnan0@huawei.com>
+Date: Wed, 29 Oct 2014 14:50:18 -0700
+Subject: cgroup/kmemleak: add kmemleak_free() for cgroup deallocations.
+
+From: Wang Nan <wangnan0@huawei.com>
+
+commit 401507d67d5c2854f5a88b3f93f64fc6f267bca5 upstream.
+
+Commit ff7ee93f4715 ("cgroup/kmemleak: Annotate alloc_page() for cgroup
+allocations") introduces kmemleak_alloc() for alloc_page_cgroup(), but
+corresponding kmemleak_free() is missing, which makes kmemleak be
+wrongly disabled after memory offlining. Log is pasted at the end of
+this commit message.
+
+This patch add kmemleak_free() into free_page_cgroup(). During page
+offlining, this patch removes corresponding entries in kmemleak rbtree.
+After that, the freed memory can be allocated again by other subsystems
+without killing kmemleak.
+
+ bash # for x in 1 2 3 4; do echo offline > /sys/devices/system/memory/memory$x/state ; sleep 1; done ; dmesg | grep leak
+
+ Offlined Pages 32768
+ kmemleak: Cannot insert 0xffff880016969000 into the object search tree (overlaps existing)
+ CPU: 0 PID: 412 Comm: sleep Not tainted 3.17.0-rc5+ #86
+ Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+ Call Trace:
+ dump_stack+0x46/0x58
+ create_object+0x266/0x2c0
+ kmemleak_alloc+0x26/0x50
+ kmem_cache_alloc+0xd3/0x160
+ __sigqueue_alloc+0x49/0xd0
+ __send_signal+0xcb/0x410
+ send_signal+0x45/0x90
+ __group_send_sig_info+0x13/0x20
+ do_notify_parent+0x1bb/0x260
+ do_exit+0x767/0xa40
+ do_group_exit+0x44/0xa0
+ SyS_exit_group+0x17/0x20
+ system_call_fastpath+0x16/0x1b
+
+ kmemleak: Kernel memory leak detector disabled
+ kmemleak: Object 0xffff880016900000 (size 524288):
+ kmemleak: comm "swapper/0", pid 0, jiffies 4294667296
+ kmemleak: min_count = 0
+ kmemleak: count = 0
+ kmemleak: flags = 0x1
+ kmemleak: checksum = 0
+ kmemleak: backtrace:
+ log_early+0x63/0x77
+ kmemleak_alloc+0x4b/0x50
+ init_section_page_cgroup+0x7f/0xf5
+ page_cgroup_init+0xc5/0xd0
+ start_kernel+0x333/0x408
+ x86_64_start_reservations+0x2a/0x2c
+ x86_64_start_kernel+0xf5/0xfc
+
+Fixes: ff7ee93f4715 (cgroup/kmemleak: Annotate alloc_page() for cgroup allocations)
+Signed-off-by: Wang Nan <wangnan0@huawei.com>
+Acked-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Michal Hocko <mhocko@suse.cz>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/page_cgroup.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/page_cgroup.c
++++ b/mm/page_cgroup.c
+@@ -171,6 +171,7 @@ static void free_page_cgroup(void *addr)
+ sizeof(struct page_cgroup) * PAGES_PER_SECTION;
+
+ BUG_ON(PageReserved(page));
++ kmemleak_free(addr);
+ free_pages_exact(addr, table_size);
+ }
+ }
--- /dev/null
+From fa19ac4b92bc2b5024af3e868f41f81fa738567a Mon Sep 17 00:00:00 2001
+From: Jason Baron <jbaron@akamai.com>
+Date: Wed, 15 Oct 2014 20:47:28 +0000
+Subject: cpc925_edac: Report UE events properly
+
+From: Jason Baron <jbaron@akamai.com>
+
+commit fa19ac4b92bc2b5024af3e868f41f81fa738567a upstream.
+
+Fix UE event being reported as HW_EVENT_ERR_CORRECTED.
+
+Signed-off-by: Jason Baron <jbaron@akamai.com>
+Link: http://lkml.kernel.org/r/8beb13803500076fef827eab33d523e355d83759.1413405053.git.jbaron@akamai.com
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/cpc925_edac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/cpc925_edac.c
++++ b/drivers/edac/cpc925_edac.c
+@@ -562,7 +562,7 @@ static void cpc925_mc_check(struct mem_c
+
+ if (apiexcp & UECC_EXCP_DETECTED) {
+ cpc925_mc_printk(mci, KERN_INFO, "DRAM UECC Fault\n");
+- edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, 1,
++ edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, 1,
+ pfn, offset, 0,
+ csrow, -1, -1,
+ mci->ctl_name, "");
--- /dev/null
+From 8030122a9ccf939186f8db96c318dbb99b5463f6 Mon Sep 17 00:00:00 2001
+From: Jason Baron <jbaron@akamai.com>
+Date: Sat, 18 Oct 2014 16:06:32 +0200
+Subject: e7xxx_edac: Report CE events properly
+
+From: Jason Baron <jbaron@akamai.com>
+
+commit 8030122a9ccf939186f8db96c318dbb99b5463f6 upstream.
+
+Fix CE event being reported as HW_EVENT_ERR_UNCORRECTED.
+
+Signed-off-by: Jason Baron <jbaron@akamai.com>
+Link: http://lkml.kernel.org/r/e6dd616f2cd51583a7e77af6f639b86313c74144.1413405053.git.jbaron@akamai.com
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/e7xxx_edac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/e7xxx_edac.c
++++ b/drivers/edac/e7xxx_edac.c
+@@ -226,7 +226,7 @@ static void process_ce(struct mem_ctl_in
+ static void process_ce_no_info(struct mem_ctl_info *mci)
+ {
+ edac_dbg(3, "\n");
+- edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, 1, 0, 0, 0, -1, -1, -1,
++ edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, 1, 0, 0, 0, -1, -1, -1,
+ "e7xxx CE log register overflow", "");
+ }
+
--- /dev/null
+From 7938db449bbc55bbeb164bec7af406212e7e98f1 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 16 Sep 2014 22:23:10 +0200
+Subject: ext3: Don't check quota format when there are no quota files
+
+From: Jan Kara <jack@suse.cz>
+
+commit 7938db449bbc55bbeb164bec7af406212e7e98f1 upstream.
+
+The check whether quota format is set even though there are no
+quota files with journalled quota is pointless and it actually
+makes it impossible to turn off journalled quotas (as there's
+no way to unset journalled quota format). Just remove the check.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext3/super.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/fs/ext3/super.c
++++ b/fs/ext3/super.c
+@@ -1354,13 +1354,6 @@ set_qf_format:
+ "not specified.");
+ return 0;
+ }
+- } else {
+- if (sbi->s_jquota_fmt) {
+- ext3_msg(sb, KERN_ERR, "error: journaled quota format "
+- "specified with no journaling "
+- "enabled.");
+- return 0;
+- }
+ }
+ #endif
+ return 1;
--- /dev/null
+From 8a3f075d6c9b3612b4a5fb2af8db82b38b20caf0 Mon Sep 17 00:00:00 2001
+From: Jason Baron <jbaron@akamai.com>
+Date: Wed, 15 Oct 2014 20:47:21 +0000
+Subject: i3200_edac: Report CE events properly
+
+From: Jason Baron <jbaron@akamai.com>
+
+commit 8a3f075d6c9b3612b4a5fb2af8db82b38b20caf0 upstream.
+
+Fix CE event being reported as HW_EVENT_ERR_UNCORRECTED.
+
+Signed-off-by: Jason Baron <jbaron@akamai.com>
+Link: http://lkml.kernel.org/r/d02465b4f30314b390c12c061502eda5e9d29c52.1413405053.git.jbaron@akamai.com
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/i3200_edac.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/edac/i3200_edac.c
++++ b/drivers/edac/i3200_edac.c
+@@ -242,11 +242,11 @@ static void i3200_process_error_info(str
+ -1, -1,
+ "i3000 UE", "");
+ } else if (log & I3200_ECCERRLOG_CE) {
+- edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, 1,
++ edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, 1,
+ 0, 0, eccerrlog_syndrome(log),
+ eccerrlog_row(channel, log),
+ -1, -1,
+- "i3000 UE", "");
++ "i3000 CE", "");
+ }
+ }
+ }
--- /dev/null
+From ab0543de6ff0877474f57a5aafbb51a61e88676f Mon Sep 17 00:00:00 2001
+From: Jason Baron <jbaron@akamai.com>
+Date: Wed, 15 Oct 2014 20:47:24 +0000
+Subject: i82860_edac: Report CE events properly
+
+From: Jason Baron <jbaron@akamai.com>
+
+commit ab0543de6ff0877474f57a5aafbb51a61e88676f upstream.
+
+Fix CE event being reported as HW_EVENT_ERR_UNCORRECTED.
+
+Signed-off-by: Jason Baron <jbaron@akamai.com>
+Link: http://lkml.kernel.org/r/7aee8e244a32ff86b399a8f966c4aae70296aae0.1413405053.git.jbaron@akamai.com
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/edac/i82860_edac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/i82860_edac.c
++++ b/drivers/edac/i82860_edac.c
+@@ -124,7 +124,7 @@ static int i82860_process_error_info(str
+ dimm->location[0], dimm->location[1], -1,
+ "i82860 UE", "");
+ else
+- edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci, 1,
++ edac_mc_handle_error(HW_EVENT_ERR_CORRECTED, mci, 1,
+ info->eap, 0, info->derrsyn,
+ dimm->location[0], dimm->location[1], -1,
+ "i82860 CE", "");
--- /dev/null
+From 9180ac50716a097a407c6d7e7e4589754a922260 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Tue, 23 Sep 2014 23:02:41 +0300
+Subject: iwlwifi: configure the LTR
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 9180ac50716a097a407c6d7e7e4589754a922260 upstream.
+
+The LTR is the handshake between the device and the root
+complex about the latency allowed when the bus exits power
+save. This configuration was missing and this led to high
+latency in the link power up. The end user could experience
+high latency in the network because of this.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/iwl-trans.h | 2 +
+ drivers/net/wireless/iwlwifi/mvm/fw-api-power.h | 35 +++++++++++++++++++++++-
+ drivers/net/wireless/iwlwifi/mvm/fw-api.h | 1
+ drivers/net/wireless/iwlwifi/mvm/fw.c | 9 ++++++
+ drivers/net/wireless/iwlwifi/mvm/ops.c | 1
+ drivers/net/wireless/iwlwifi/pcie/trans.c | 16 ++++++----
+ 6 files changed, 56 insertions(+), 8 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-trans.h
++++ b/drivers/net/wireless/iwlwifi/iwl-trans.h
+@@ -548,6 +548,7 @@ enum iwl_trans_state {
+ * Set during transport allocation.
+ * @hw_id_str: a string with info about HW ID. Set during transport allocation.
+ * @pm_support: set to true in start_hw if link pm is supported
++ * @ltr_enabled: set to true if the LTR is enabled
+ * @dev_cmd_pool: pool for Tx cmd allocation - for internal use only.
+ * The user should use iwl_trans_{alloc,free}_tx_cmd.
+ * @dev_cmd_headroom: room needed for the transport's private use before the
+@@ -574,6 +575,7 @@ struct iwl_trans {
+ u8 rx_mpdu_cmd, rx_mpdu_cmd_hdr_size;
+
+ bool pm_support;
++ bool ltr_enabled;
+
+ /* The following fields are internal only */
+ struct kmem_cache *dev_cmd_pool;
+--- a/drivers/net/wireless/iwlwifi/mvm/fw-api-power.h
++++ b/drivers/net/wireless/iwlwifi/mvm/fw-api-power.h
+@@ -66,13 +66,46 @@
+
+ /* Power Management Commands, Responses, Notifications */
+
++/**
++ * enum iwl_ltr_config_flags - masks for LTR config command flags
++ * @LTR_CFG_FLAG_FEATURE_ENABLE: Feature operational status
++ * @LTR_CFG_FLAG_HW_DIS_ON_SHADOW_REG_ACCESS: allow LTR change on shadow
++ * memory access
++ * @LTR_CFG_FLAG_HW_EN_SHRT_WR_THROUGH: allow LTR msg send on ANY LTR
++ * reg change
++ * @LTR_CFG_FLAG_HW_DIS_ON_D0_2_D3: allow LTR msg send on transition from
++ * D0 to D3
++ * @LTR_CFG_FLAG_SW_SET_SHORT: fixed static short LTR register
++ * @LTR_CFG_FLAG_SW_SET_LONG: fixed static short LONG register
++ * @LTR_CFG_FLAG_DENIE_C10_ON_PD: allow going into C10 on PD
++ */
++enum iwl_ltr_config_flags {
++ LTR_CFG_FLAG_FEATURE_ENABLE = BIT(0),
++ LTR_CFG_FLAG_HW_DIS_ON_SHADOW_REG_ACCESS = BIT(1),
++ LTR_CFG_FLAG_HW_EN_SHRT_WR_THROUGH = BIT(2),
++ LTR_CFG_FLAG_HW_DIS_ON_D0_2_D3 = BIT(3),
++ LTR_CFG_FLAG_SW_SET_SHORT = BIT(4),
++ LTR_CFG_FLAG_SW_SET_LONG = BIT(5),
++ LTR_CFG_FLAG_DENIE_C10_ON_PD = BIT(6),
++};
++
++/**
++ * struct iwl_ltr_config_cmd - configures the LTR
++ * @flags: See %enum iwl_ltr_config_flags
++ */
++struct iwl_ltr_config_cmd {
++ __le32 flags;
++ __le32 static_long;
++ __le32 static_short;
++} __packed;
++
+ /* Radio LP RX Energy Threshold measured in dBm */
+ #define POWER_LPRX_RSSI_THRESHOLD 75
+ #define POWER_LPRX_RSSI_THRESHOLD_MAX 94
+ #define POWER_LPRX_RSSI_THRESHOLD_MIN 30
+
+ /**
+- * enum iwl_scan_flags - masks for power table command flags
++ * enum iwl_power_flags - masks for power table command flags
+ * @POWER_FLAGS_POWER_SAVE_ENA_MSK: '1' Allow to save power by turning off
+ * receiver and transmitter. '0' - does not allow.
+ * @POWER_FLAGS_POWER_MANAGEMENT_ENA_MSK: '0' Driver disables power management,
+--- a/drivers/net/wireless/iwlwifi/mvm/fw-api.h
++++ b/drivers/net/wireless/iwlwifi/mvm/fw-api.h
+@@ -148,6 +148,7 @@ enum {
+ /* Power - legacy power table command */
+ POWER_TABLE_CMD = 0x77,
+ PSM_UAPSD_AP_MISBEHAVING_NOTIFICATION = 0x78,
++ LTR_CONFIG = 0xee,
+
+ /* Thermal Throttling*/
+ REPLY_THERMAL_MNG_BACKOFF = 0x7e,
+--- a/drivers/net/wireless/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/iwlwifi/mvm/fw.c
+@@ -475,6 +475,15 @@ int iwl_mvm_up(struct iwl_mvm *mvm)
+ /* Initialize tx backoffs to the minimal possible */
+ iwl_mvm_tt_tx_backoff(mvm, 0);
+
++ if (mvm->trans->ltr_enabled) {
++ struct iwl_ltr_config_cmd cmd = {
++ .flags = cpu_to_le32(LTR_CFG_FLAG_FEATURE_ENABLE),
++ };
++
++ WARN_ON(iwl_mvm_send_cmd_pdu(mvm, LTR_CONFIG, 0,
++ sizeof(cmd), &cmd));
++ }
++
+ ret = iwl_mvm_power_update_device(mvm);
+ if (ret)
+ goto error;
+--- a/drivers/net/wireless/iwlwifi/mvm/ops.c
++++ b/drivers/net/wireless/iwlwifi/mvm/ops.c
+@@ -332,6 +332,7 @@ static const char *const iwl_mvm_cmd_str
+ CMD(REPLY_BEACON_FILTERING_CMD),
+ CMD(REPLY_THERMAL_MNG_BACKOFF),
+ CMD(MAC_PM_POWER_TABLE),
++ CMD(LTR_CONFIG),
+ CMD(BT_COEX_CI),
+ CMD(BT_COEX_UPDATE_SW_BOOST),
+ CMD(BT_COEX_UPDATE_CORUN_LUT),
+--- a/drivers/net/wireless/iwlwifi/pcie/trans.c
++++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
+@@ -172,6 +172,7 @@ static void iwl_pcie_apm_config(struct i
+ {
+ struct iwl_trans_pcie *trans_pcie = IWL_TRANS_GET_PCIE_TRANS(trans);
+ u16 lctl;
++ u16 cap;
+
+ /*
+ * HW bug W/A for instability in PCIe bus L0S->L1 transition.
+@@ -182,16 +183,17 @@ static void iwl_pcie_apm_config(struct i
+ * power savings, even without L1.
+ */
+ pcie_capability_read_word(trans_pcie->pci_dev, PCI_EXP_LNKCTL, &lctl);
+- if (lctl & PCI_EXP_LNKCTL_ASPM_L1) {
+- /* L1-ASPM enabled; disable(!) L0S */
++ if (lctl & PCI_EXP_LNKCTL_ASPM_L1)
+ iwl_set_bit(trans, CSR_GIO_REG, CSR_GIO_REG_VAL_L0S_ENABLED);
+- dev_info(trans->dev, "L1 Enabled; Disabling L0S\n");
+- } else {
+- /* L1-ASPM disabled; enable(!) L0S */
++ else
+ iwl_clear_bit(trans, CSR_GIO_REG, CSR_GIO_REG_VAL_L0S_ENABLED);
+- dev_info(trans->dev, "L1 Disabled; Enabling L0S\n");
+- }
+ trans->pm_support = !(lctl & PCI_EXP_LNKCTL_ASPM_L0S);
++
++ pcie_capability_read_word(trans_pcie->pci_dev, PCI_EXP_DEVCTL2, &cap);
++ trans->ltr_enabled = cap & PCI_EXP_DEVCTL2_LTR_EN;
++ dev_info(trans->dev, "L1 %sabled - LTR %sabled\n",
++ (lctl & PCI_EXP_LNKCTL_ASPM_L1) ? "En" : "Dis",
++ trans->ltr_enabled ? "En" : "Dis");
+ }
+
+ /*
--- /dev/null
+From a0855054e59b0c5b2b00237fdb5147f7bcc18efb Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Sun, 5 Oct 2014 09:11:14 +0300
+Subject: iwlwifi: dvm: drop non VO frames when flushing
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit a0855054e59b0c5b2b00237fdb5147f7bcc18efb upstream.
+
+When mac80211 wants to ensure that a frame is sent, it calls
+the flush() callback. Until now, iwldvm implemented this by
+waiting that all the frames are sent (ACKed or timeout).
+In case of weak signal, this can take a significant amount
+of time, delaying the next connection (in case of roaming).
+Many users have reported that the flush would take too long
+leading to the following error messages to be printed:
+
+iwlwifi 0000:03:00.0: fail to flush all tx fifo queues Q 2
+iwlwifi 0000:03:00.0: Current SW read_ptr 161 write_ptr 201
+iwl data: 00000000: 00 00 00 00 00 00 00 00 fe ff 01 00 00 00 00 00
+[snip]
+iwlwifi 0000:03:00.0: FH TRBs(0) = 0x00000000
+[snip]
+iwlwifi 0000:03:00.0: Q 0 is active and mapped to fifo 3 ra_tid 0x0000 [9,9]
+[snip]
+
+Instead of waiting for these packets, simply drop them. This
+significantly improves the responsiveness of the network.
+Note that all the queues are flushed, but the VO one. This
+is not typically used by the applications and it likely
+contains management frames that are useful for connection
+or roaming.
+
+This bug is tracked here:
+https://bugzilla.kernel.org/show_bug.cgi?id=56581
+
+But it is duplicated in distributions' trackers.
+A simple search in Ubuntu's database led to these bugs:
+
+https://bugs.launchpad.net/ubuntu/+source/linux-firmware/+bug/1270808
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1305406
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1356236
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1360597
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1361809
+
+Depends-on: 77be2c54c5bd ("mac80211: add vif to flush call")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/dvm/mac80211.c | 24 +++++++++++++-----------
+ 1 file changed, 13 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/dvm/mac80211.c
++++ b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
+@@ -1095,6 +1095,7 @@ static void iwlagn_mac_flush(struct ieee
+ u32 queues, bool drop)
+ {
+ struct iwl_priv *priv = IWL_MAC80211_GET_DVM(hw);
++ u32 scd_queues;
+
+ mutex_lock(&priv->mutex);
+ IWL_DEBUG_MAC80211(priv, "enter\n");
+@@ -1108,18 +1109,19 @@ static void iwlagn_mac_flush(struct ieee
+ goto done;
+ }
+
+- /*
+- * mac80211 will not push any more frames for transmit
+- * until the flush is completed
+- */
+- if (drop) {
+- IWL_DEBUG_MAC80211(priv, "send flush command\n");
+- if (iwlagn_txfifo_flush(priv, 0)) {
+- IWL_ERR(priv, "flush request fail\n");
+- goto done;
+- }
++ scd_queues = BIT(priv->cfg->base_params->num_of_queues) - 1;
++ scd_queues &= ~(BIT(IWL_IPAN_CMD_QUEUE_NUM) |
++ BIT(IWL_DEFAULT_CMD_QUEUE_NUM));
++
++ if (vif)
++ scd_queues &= ~BIT(vif->hw_queue[IEEE80211_AC_VO]);
++
++ IWL_DEBUG_TX_QUEUES(priv, "Flushing SCD queues: 0x%x\n", scd_queues);
++ if (iwlagn_txfifo_flush(priv, scd_queues)) {
++ IWL_ERR(priv, "flush request fail\n");
++ goto done;
+ }
+- IWL_DEBUG_MAC80211(priv, "wait transmit/flush all frames\n");
++ IWL_DEBUG_TX_QUEUES(priv, "wait transmit/flush all frames\n");
+ iwl_trans_wait_tx_queue_empty(priv->trans, 0xffffffff);
+ done:
+ mutex_unlock(&priv->mutex);
--- /dev/null
+From d14b28fd2c61af0bf310230472e342864d799c98 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 22 Sep 2014 16:12:24 +0300
+Subject: iwlwifi: mvm: BT Coex - update the MPLUT Boost register value
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit d14b28fd2c61af0bf310230472e342864d799c98 upstream.
+
+Fixes: 2adc8949efab ("iwlwifi: mvm: BT Coex - fix boost register / LUT values")
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/mvm/coex.c | 4 ++--
+ drivers/net/wireless/iwlwifi/mvm/coex_legacy.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/mvm/coex.c
++++ b/drivers/net/wireless/iwlwifi/mvm/coex.c
+@@ -301,8 +301,8 @@ static const __le64 iwl_ci_mask[][3] = {
+ };
+
+ static const __le32 iwl_bt_mprio_lut[BT_COEX_MULTI_PRIO_LUT_SIZE] = {
+- cpu_to_le32(0x28412201),
+- cpu_to_le32(0x11118451),
++ cpu_to_le32(0x2e402280),
++ cpu_to_le32(0x7711a751),
+ };
+
+ struct corunning_block_luts {
+--- a/drivers/net/wireless/iwlwifi/mvm/coex_legacy.c
++++ b/drivers/net/wireless/iwlwifi/mvm/coex_legacy.c
+@@ -289,8 +289,8 @@ static const __le64 iwl_ci_mask[][3] = {
+ };
+
+ static const __le32 iwl_bt_mprio_lut[BT_COEX_MULTI_PRIO_LUT_SIZE] = {
+- cpu_to_le32(0x28412201),
+- cpu_to_le32(0x11118451),
++ cpu_to_le32(0x2e402280),
++ cpu_to_le32(0x7711a751),
+ };
+
+ struct corunning_block_luts {
--- /dev/null
+From ea5d05b34aca25c066e0699512d0ffbd8ee6ac3e Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 29 Oct 2014 14:50:44 -0700
+Subject: lib/bitmap.c: fix undefined shift in __bitmap_shift_{left|right}()
+
+From: Jan Kara <jack@suse.cz>
+
+commit ea5d05b34aca25c066e0699512d0ffbd8ee6ac3e upstream.
+
+If __bitmap_shift_left() or __bitmap_shift_right() are asked to shift by
+a multiple of BITS_PER_LONG, they will try to shift a long value by
+BITS_PER_LONG bits which is undefined. Change the functions to avoid
+the undefined shift.
+
+Coverity id: 1192175
+Coverity id: 1192174
+Signed-off-by: Jan Kara <jack@suse.cz>
+Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/bitmap.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/lib/bitmap.c
++++ b/lib/bitmap.c
+@@ -131,7 +131,9 @@ void __bitmap_shift_right(unsigned long
+ lower = src[off + k];
+ if (left && off + k == lim - 1)
+ lower &= mask;
+- dst[k] = upper << (BITS_PER_LONG - rem) | lower >> rem;
++ dst[k] = lower >> rem;
++ if (rem)
++ dst[k] |= upper << (BITS_PER_LONG - rem);
+ if (left && k == lim - 1)
+ dst[k] &= mask;
+ }
+@@ -172,7 +174,9 @@ void __bitmap_shift_left(unsigned long *
+ upper = src[k];
+ if (left && k == lim - 1)
+ upper &= (1UL << left) - 1;
+- dst[k + off] = lower >> (BITS_PER_LONG - rem) | upper << rem;
++ dst[k + off] = upper << rem;
++ if (rem)
++ dst[k + off] |= lower >> (BITS_PER_LONG - rem);
+ if (left && k + off == lim - 1)
+ dst[k + off] &= (1UL << left) - 1;
+ }
--- /dev/null
+From c21e59d8dc04b2107bdb4ff0f412a9b7ae3349f3 Mon Sep 17 00:00:00 2001
+From: Tony Battersby <tonyb@cybernetics.com>
+Date: Thu, 23 Oct 2014 15:10:21 -0400
+Subject: lib/scatterlist: fix memory leak with scsi-mq
+
+From: Tony Battersby <tonyb@cybernetics.com>
+
+commit c21e59d8dc04b2107bdb4ff0f412a9b7ae3349f3 upstream.
+
+Fix a memory leak with scsi-mq triggered by commands with large data
+transfer length.
+
+Fixes: c53c6d6a68b1 ("scatterlist: allow chaining to preallocated chunks")
+Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/scatterlist.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/lib/scatterlist.c
++++ b/lib/scatterlist.c
+@@ -203,10 +203,10 @@ void __sg_free_table(struct sg_table *ta
+ }
+
+ table->orig_nents -= sg_size;
+- if (!skip_first_chunk) {
+- free_fn(sgl, alloc_size);
++ if (skip_first_chunk)
+ skip_first_chunk = false;
+- }
++ else
++ free_fn(sgl, alloc_size);
+ sgl = next;
+ }
+
--- /dev/null
+From c7abf25af0f41be4b50d44c5b185d52eea360cb8 Mon Sep 17 00:00:00 2001
+From: Karl Beldan <karl.beldan@rivierawaves.com>
+Date: Mon, 13 Oct 2014 14:34:41 +0200
+Subject: mac80211: fix typo in starting baserate for rts_cts_rate_idx
+
+From: Karl Beldan <karl.beldan@rivierawaves.com>
+
+commit c7abf25af0f41be4b50d44c5b185d52eea360cb8 upstream.
+
+It affects non-(V)HT rates and can lead to selecting an rts_cts rate
+that is not a basic rate or way superior to the reference rate (ATM
+rates[0] used for the 1st attempt of the protected frame data).
+
+E.g, assuming drivers register growing (bitrate) sorted tables of
+ieee80211_rate-s, having :
+- rates[0].idx == d'2 and basic_rates == b'10100
+will select rts_cts idx b'10011 & ~d'(BIT(2)-1), i.e. 1, likewise
+- rates[0].idx == d'2 and basic_rates == b'10001
+will select rts_cts idx b'10000
+The first is not a basic rate and the second is > rates[0].
+
+Also, wrt severity of the addressed misbehavior, ATM we only have one
+rts_cts_rate_idx rather than one per rate table entry, so this idx might
+still point to bitrates > rates[1..MAX_RATES].
+
+Fixes: 5253ffb8c9e1 ("mac80211: always pick a basic rate to tx RTS/CTS for pre-HT rates")
+Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -448,7 +448,7 @@ static void rate_fixup_ratelist(struct i
+ */
+ if (!(rates[0].flags & IEEE80211_TX_RC_MCS)) {
+ u32 basic_rates = vif->bss_conf.basic_rates;
+- s8 baserate = basic_rates ? ffs(basic_rates - 1) : 0;
++ s8 baserate = basic_rates ? ffs(basic_rates) - 1 : 0;
+
+ rate = &sband->bitrates[rates[0].idx];
+
--- /dev/null
+From 4d88e6f7d5ffc84e6094a47925870f4a130555c2 Mon Sep 17 00:00:00 2001
+From: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+Date: Wed, 29 Oct 2014 14:51:02 -0700
+Subject: mm/balloon_compaction: fix deflation when compaction is disabled
+
+From: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+
+commit 4d88e6f7d5ffc84e6094a47925870f4a130555c2 upstream.
+
+If CONFIG_BALLOON_COMPACTION=n balloon_page_insert() does not link pages
+with balloon and doesn't set PagePrivate flag, as a result
+balloon_page_dequeue() cannot get any pages because it thinks that all
+of them are isolated. Without balloon compaction nobody can isolate
+ballooned pages. It's safe to remove this check.
+
+Fixes: d6d86c0a7f8d ("mm/balloon_compaction: redesign ballooned pages management").
+Signed-off-by: Konstantin Khlebnikov <k.khlebnikov@samsung.com>
+Reported-by: Matt Mullins <mmullins@mmlx.us>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/balloon_compaction.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/balloon_compaction.c
++++ b/mm/balloon_compaction.c
+@@ -93,11 +93,13 @@ struct page *balloon_page_dequeue(struct
+ * to be released by the balloon driver.
+ */
+ if (trylock_page(page)) {
++#ifdef CONFIG_BALLOON_COMPACTION
+ if (!PagePrivate(page)) {
+ /* raced with isolation */
+ unlock_page(page);
+ continue;
+ }
++#endif
+ spin_lock_irqsave(&b_dev_info->pages_lock, flags);
+ balloon_page_delete(page);
+ spin_unlock_irqrestore(&b_dev_info->pages_lock, flags);
--- /dev/null
+From 5ddacbe92b806cd5b4f8f154e8e46ac267fff55c Mon Sep 17 00:00:00 2001
+From: Yu Zhao <yuzhao@google.com>
+Date: Wed, 29 Oct 2014 14:50:26 -0700
+Subject: mm: free compound page with correct order
+
+From: Yu Zhao <yuzhao@google.com>
+
+commit 5ddacbe92b806cd5b4f8f154e8e46ac267fff55c upstream.
+
+Compound page should be freed by put_page() or free_pages() with correct
+order. Not doing so will cause tail pages leaked.
+
+The compound order can be obtained by compound_order() or use
+HPAGE_PMD_ORDER in our case. Some people would argue the latter is
+faster but I prefer the former which is more general.
+
+This bug was observed not just on our servers (the worst case we saw is
+11G leaked on a 48G machine) but also on our workstations running Ubuntu
+based distro.
+
+ $ cat /proc/vmstat | grep thp_zero_page_alloc
+ thp_zero_page_alloc 55
+ thp_zero_page_alloc_failed 0
+
+This means there is (thp_zero_page_alloc - 1) * (2M - 4K) memory leaked.
+
+Fixes: 97ae17497e99 ("thp: implement refcounting for huge zero page")
+Signed-off-by: Yu Zhao <yuzhao@google.com>
+Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Mel Gorman <mel@csn.ul.ie>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Bob Liu <lliubbo@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/huge_memory.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/mm/huge_memory.c
++++ b/mm/huge_memory.c
+@@ -200,7 +200,7 @@ retry:
+ preempt_disable();
+ if (cmpxchg(&huge_zero_page, NULL, zero_page)) {
+ preempt_enable();
+- __free_page(zero_page);
++ __free_pages(zero_page, compound_order(zero_page));
+ goto retry;
+ }
+
+@@ -232,7 +232,7 @@ static unsigned long shrink_huge_zero_pa
+ if (atomic_cmpxchg(&huge_zero_refcount, 1, 0) == 1) {
+ struct page *zero_page = xchg(&huge_zero_page, NULL);
+ BUG_ON(zero_page == NULL);
+- __free_page(zero_page);
++ __free_pages(zero_page, compound_order(zero_page));
+ return HPAGE_PMD_NR;
+ }
+
--- /dev/null
+From d7365e783edb858279be1d03f61bc8d5d3383d90 Mon Sep 17 00:00:00 2001
+From: Johannes Weiner <hannes@cmpxchg.org>
+Date: Wed, 29 Oct 2014 14:50:48 -0700
+Subject: mm: memcontrol: fix missed end-writeback page accounting
+
+From: Johannes Weiner <hannes@cmpxchg.org>
+
+commit d7365e783edb858279be1d03f61bc8d5d3383d90 upstream.
+
+Commit 0a31bc97c80c ("mm: memcontrol: rewrite uncharge API") changed
+page migration to uncharge the old page right away. The page is locked,
+unmapped, truncated, and off the LRU, but it could race with writeback
+ending, which then doesn't unaccount the page properly:
+
+test_clear_page_writeback() migration
+ wait_on_page_writeback()
+ TestClearPageWriteback()
+ mem_cgroup_migrate()
+ clear PCG_USED
+ mem_cgroup_update_page_stat()
+ if (PageCgroupUsed(pc))
+ decrease memcg pages under writeback
+
+ release pc->mem_cgroup->move_lock
+
+The per-page statistics interface is heavily optimized to avoid a
+function call and a lookup_page_cgroup() in the file unmap fast path,
+which means it doesn't verify whether a page is still charged before
+clearing PageWriteback() and it has to do it in the stat update later.
+
+Rework it so that it looks up the page's memcg once at the beginning of
+the transaction and then uses it throughout. The charge will be
+verified before clearing PageWriteback() and migration can't uncharge
+the page as long as that is still set. The RCU lock will protect the
+memcg past uncharge.
+
+As far as losing the optimization goes, the following test results are
+from a microbenchmark that maps, faults, and unmaps a 4GB sparse file
+three times in a nested fashion, so that there are two negative passes
+that don't account but still go through the new transaction overhead.
+There is no actual difference:
+
+ old: 33.195102545 seconds time elapsed ( +- 0.01% )
+ new: 33.199231369 seconds time elapsed ( +- 0.03% )
+
+The time spent in page_remove_rmap()'s callees still adds up to the
+same, but the time spent in the function itself seems reduced:
+
+ # Children Self Command Shared Object Symbol
+ old: 0.12% 0.11% filemapstress [kernel.kallsyms] [k] page_remove_rmap
+ new: 0.12% 0.08% filemapstress [kernel.kallsyms] [k] page_remove_rmap
+
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Michal Hocko <mhocko@suse.cz>
+Cc: Vladimir Davydov <vdavydov@parallels.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/memcontrol.h | 56 ++++++---------------
+ mm/memcontrol.c | 115 ++++++++++++++++++++++++---------------------
+ mm/page-writeback.c | 22 ++++----
+ mm/rmap.c | 20 +++----
+ 4 files changed, 100 insertions(+), 113 deletions(-)
+
+--- a/include/linux/memcontrol.h
++++ b/include/linux/memcontrol.h
+@@ -139,48 +139,23 @@ static inline bool mem_cgroup_disabled(v
+ return false;
+ }
+
+-void __mem_cgroup_begin_update_page_stat(struct page *page, bool *locked,
+- unsigned long *flags);
++struct mem_cgroup *mem_cgroup_begin_page_stat(struct page *page, bool *locked,
++ unsigned long *flags);
++void mem_cgroup_end_page_stat(struct mem_cgroup *memcg, bool locked,
++ unsigned long flags);
++void mem_cgroup_update_page_stat(struct mem_cgroup *memcg,
++ enum mem_cgroup_stat_index idx, int val);
+
+-extern atomic_t memcg_moving;
+-
+-static inline void mem_cgroup_begin_update_page_stat(struct page *page,
+- bool *locked, unsigned long *flags)
+-{
+- if (mem_cgroup_disabled())
+- return;
+- rcu_read_lock();
+- *locked = false;
+- if (atomic_read(&memcg_moving))
+- __mem_cgroup_begin_update_page_stat(page, locked, flags);
+-}
+-
+-void __mem_cgroup_end_update_page_stat(struct page *page,
+- unsigned long *flags);
+-static inline void mem_cgroup_end_update_page_stat(struct page *page,
+- bool *locked, unsigned long *flags)
+-{
+- if (mem_cgroup_disabled())
+- return;
+- if (*locked)
+- __mem_cgroup_end_update_page_stat(page, flags);
+- rcu_read_unlock();
+-}
+-
+-void mem_cgroup_update_page_stat(struct page *page,
+- enum mem_cgroup_stat_index idx,
+- int val);
+-
+-static inline void mem_cgroup_inc_page_stat(struct page *page,
++static inline void mem_cgroup_inc_page_stat(struct mem_cgroup *memcg,
+ enum mem_cgroup_stat_index idx)
+ {
+- mem_cgroup_update_page_stat(page, idx, 1);
++ mem_cgroup_update_page_stat(memcg, idx, 1);
+ }
+
+-static inline void mem_cgroup_dec_page_stat(struct page *page,
++static inline void mem_cgroup_dec_page_stat(struct mem_cgroup *memcg,
+ enum mem_cgroup_stat_index idx)
+ {
+- mem_cgroup_update_page_stat(page, idx, -1);
++ mem_cgroup_update_page_stat(memcg, idx, -1);
+ }
+
+ unsigned long mem_cgroup_soft_limit_reclaim(struct zone *zone, int order,
+@@ -315,13 +290,14 @@ mem_cgroup_print_oom_info(struct mem_cgr
+ {
+ }
+
+-static inline void mem_cgroup_begin_update_page_stat(struct page *page,
++static inline struct mem_cgroup *mem_cgroup_begin_page_stat(struct page *page,
+ bool *locked, unsigned long *flags)
+ {
++ return NULL;
+ }
+
+-static inline void mem_cgroup_end_update_page_stat(struct page *page,
+- bool *locked, unsigned long *flags)
++static inline void mem_cgroup_end_page_stat(struct mem_cgroup *memcg,
++ bool locked, unsigned long flags)
+ {
+ }
+
+@@ -343,12 +319,12 @@ static inline bool mem_cgroup_oom_synchr
+ return false;
+ }
+
+-static inline void mem_cgroup_inc_page_stat(struct page *page,
++static inline void mem_cgroup_inc_page_stat(struct mem_cgroup *memcg,
+ enum mem_cgroup_stat_index idx)
+ {
+ }
+
+-static inline void mem_cgroup_dec_page_stat(struct page *page,
++static inline void mem_cgroup_dec_page_stat(struct mem_cgroup *memcg,
+ enum mem_cgroup_stat_index idx)
+ {
+ }
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -1545,12 +1545,8 @@ int mem_cgroup_swappiness(struct mem_cgr
+ * start move here.
+ */
+
+-/* for quick checking without looking up memcg */
+-atomic_t memcg_moving __read_mostly;
+-
+ static void mem_cgroup_start_move(struct mem_cgroup *memcg)
+ {
+- atomic_inc(&memcg_moving);
+ atomic_inc(&memcg->moving_account);
+ synchronize_rcu();
+ }
+@@ -1561,10 +1557,8 @@ static void mem_cgroup_end_move(struct m
+ * Now, mem_cgroup_clear_mc() may call this function with NULL.
+ * We check NULL in callee rather than caller.
+ */
+- if (memcg) {
+- atomic_dec(&memcg_moving);
++ if (memcg)
+ atomic_dec(&memcg->moving_account);
+- }
+ }
+
+ /*
+@@ -2249,41 +2243,52 @@ cleanup:
+ return true;
+ }
+
+-/*
+- * Used to update mapped file or writeback or other statistics.
+- *
+- * Notes: Race condition
+- *
+- * Charging occurs during page instantiation, while the page is
+- * unmapped and locked in page migration, or while the page table is
+- * locked in THP migration. No race is possible.
+- *
+- * Uncharge happens to pages with zero references, no race possible.
+- *
+- * Charge moving between groups is protected by checking mm->moving
+- * account and taking the move_lock in the slowpath.
+- */
+-
+-void __mem_cgroup_begin_update_page_stat(struct page *page,
+- bool *locked, unsigned long *flags)
++/**
++ * mem_cgroup_begin_page_stat - begin a page state statistics transaction
++ * @page: page that is going to change accounted state
++ * @locked: &memcg->move_lock slowpath was taken
++ * @flags: IRQ-state flags for &memcg->move_lock
++ *
++ * This function must mark the beginning of an accounted page state
++ * change to prevent double accounting when the page is concurrently
++ * being moved to another memcg:
++ *
++ * memcg = mem_cgroup_begin_page_stat(page, &locked, &flags);
++ * if (TestClearPageState(page))
++ * mem_cgroup_update_page_stat(memcg, state, -1);
++ * mem_cgroup_end_page_stat(memcg, locked, flags);
++ *
++ * The RCU lock is held throughout the transaction. The fast path can
++ * get away without acquiring the memcg->move_lock (@locked is false)
++ * because page moving starts with an RCU grace period.
++ *
++ * The RCU lock also protects the memcg from being freed when the page
++ * state that is going to change is the only thing preventing the page
++ * from being uncharged. E.g. end-writeback clearing PageWriteback(),
++ * which allows migration to go ahead and uncharge the page before the
++ * account transaction might be complete.
++ */
++struct mem_cgroup *mem_cgroup_begin_page_stat(struct page *page,
++ bool *locked,
++ unsigned long *flags)
+ {
+ struct mem_cgroup *memcg;
+ struct page_cgroup *pc;
+
++ rcu_read_lock();
++
++ if (mem_cgroup_disabled())
++ return NULL;
++
+ pc = lookup_page_cgroup(page);
+ again:
+ memcg = pc->mem_cgroup;
+ if (unlikely(!memcg || !PageCgroupUsed(pc)))
+- return;
+- /*
+- * If this memory cgroup is not under account moving, we don't
+- * need to take move_lock_mem_cgroup(). Because we already hold
+- * rcu_read_lock(), any calls to move_account will be delayed until
+- * rcu_read_unlock().
+- */
+- VM_BUG_ON(!rcu_read_lock_held());
++ return NULL;
++
++ *locked = false;
+ if (atomic_read(&memcg->moving_account) <= 0)
+- return;
++ return memcg;
+
+ move_lock_mem_cgroup(memcg, flags);
+ if (memcg != pc->mem_cgroup || !PageCgroupUsed(pc)) {
+@@ -2291,36 +2296,40 @@ again:
+ goto again;
+ }
+ *locked = true;
++
++ return memcg;
+ }
+
+-void __mem_cgroup_end_update_page_stat(struct page *page, unsigned long *flags)
++/**
++ * mem_cgroup_end_page_stat - finish a page state statistics transaction
++ * @memcg: the memcg that was accounted against
++ * @locked: value received from mem_cgroup_begin_page_stat()
++ * @flags: value received from mem_cgroup_begin_page_stat()
++ */
++void mem_cgroup_end_page_stat(struct mem_cgroup *memcg, bool locked,
++ unsigned long flags)
+ {
+- struct page_cgroup *pc = lookup_page_cgroup(page);
++ if (memcg && locked)
++ move_unlock_mem_cgroup(memcg, &flags);
+
+- /*
+- * It's guaranteed that pc->mem_cgroup never changes while
+- * lock is held because a routine modifies pc->mem_cgroup
+- * should take move_lock_mem_cgroup().
+- */
+- move_unlock_mem_cgroup(pc->mem_cgroup, flags);
++ rcu_read_unlock();
+ }
+
+-void mem_cgroup_update_page_stat(struct page *page,
++/**
++ * mem_cgroup_update_page_stat - update page state statistics
++ * @memcg: memcg to account against
++ * @idx: page state item to account
++ * @val: number of pages (positive or negative)
++ *
++ * See mem_cgroup_begin_page_stat() for locking requirements.
++ */
++void mem_cgroup_update_page_stat(struct mem_cgroup *memcg,
+ enum mem_cgroup_stat_index idx, int val)
+ {
+- struct mem_cgroup *memcg;
+- struct page_cgroup *pc = lookup_page_cgroup(page);
+- unsigned long uninitialized_var(flags);
+-
+- if (mem_cgroup_disabled())
+- return;
+-
+ VM_BUG_ON(!rcu_read_lock_held());
+- memcg = pc->mem_cgroup;
+- if (unlikely(!memcg || !PageCgroupUsed(pc)))
+- return;
+
+- this_cpu_add(memcg->stat->count[idx], val);
++ if (memcg)
++ this_cpu_add(memcg->stat->count[idx], val);
+ }
+
+ /*
+--- a/mm/page-writeback.c
++++ b/mm/page-writeback.c
+@@ -2327,11 +2327,12 @@ EXPORT_SYMBOL(clear_page_dirty_for_io);
+ int test_clear_page_writeback(struct page *page)
+ {
+ struct address_space *mapping = page_mapping(page);
+- int ret;
+- bool locked;
+ unsigned long memcg_flags;
++ struct mem_cgroup *memcg;
++ bool locked;
++ int ret;
+
+- mem_cgroup_begin_update_page_stat(page, &locked, &memcg_flags);
++ memcg = mem_cgroup_begin_page_stat(page, &locked, &memcg_flags);
+ if (mapping) {
+ struct backing_dev_info *bdi = mapping->backing_dev_info;
+ unsigned long flags;
+@@ -2352,22 +2353,23 @@ int test_clear_page_writeback(struct pag
+ ret = TestClearPageWriteback(page);
+ }
+ if (ret) {
+- mem_cgroup_dec_page_stat(page, MEM_CGROUP_STAT_WRITEBACK);
++ mem_cgroup_dec_page_stat(memcg, MEM_CGROUP_STAT_WRITEBACK);
+ dec_zone_page_state(page, NR_WRITEBACK);
+ inc_zone_page_state(page, NR_WRITTEN);
+ }
+- mem_cgroup_end_update_page_stat(page, &locked, &memcg_flags);
++ mem_cgroup_end_page_stat(memcg, locked, memcg_flags);
+ return ret;
+ }
+
+ int __test_set_page_writeback(struct page *page, bool keep_write)
+ {
+ struct address_space *mapping = page_mapping(page);
+- int ret;
+- bool locked;
+ unsigned long memcg_flags;
++ struct mem_cgroup *memcg;
++ bool locked;
++ int ret;
+
+- mem_cgroup_begin_update_page_stat(page, &locked, &memcg_flags);
++ memcg = mem_cgroup_begin_page_stat(page, &locked, &memcg_flags);
+ if (mapping) {
+ struct backing_dev_info *bdi = mapping->backing_dev_info;
+ unsigned long flags;
+@@ -2394,10 +2396,10 @@ int __test_set_page_writeback(struct pag
+ ret = TestSetPageWriteback(page);
+ }
+ if (!ret) {
+- mem_cgroup_inc_page_stat(page, MEM_CGROUP_STAT_WRITEBACK);
++ mem_cgroup_inc_page_stat(memcg, MEM_CGROUP_STAT_WRITEBACK);
+ inc_zone_page_state(page, NR_WRITEBACK);
+ }
+- mem_cgroup_end_update_page_stat(page, &locked, &memcg_flags);
++ mem_cgroup_end_page_stat(memcg, locked, memcg_flags);
+ return ret;
+
+ }
+--- a/mm/rmap.c
++++ b/mm/rmap.c
+@@ -1042,15 +1042,16 @@ void page_add_new_anon_rmap(struct page
+ */
+ void page_add_file_rmap(struct page *page)
+ {
+- bool locked;
++ struct mem_cgroup *memcg;
+ unsigned long flags;
++ bool locked;
+
+- mem_cgroup_begin_update_page_stat(page, &locked, &flags);
++ memcg = mem_cgroup_begin_page_stat(page, &locked, &flags);
+ if (atomic_inc_and_test(&page->_mapcount)) {
+ __inc_zone_page_state(page, NR_FILE_MAPPED);
+- mem_cgroup_inc_page_stat(page, MEM_CGROUP_STAT_FILE_MAPPED);
++ mem_cgroup_inc_page_stat(memcg, MEM_CGROUP_STAT_FILE_MAPPED);
+ }
+- mem_cgroup_end_update_page_stat(page, &locked, &flags);
++ mem_cgroup_end_page_stat(memcg, locked, flags);
+ }
+
+ /**
+@@ -1061,9 +1062,10 @@ void page_add_file_rmap(struct page *pag
+ */
+ void page_remove_rmap(struct page *page)
+ {
++ struct mem_cgroup *uninitialized_var(memcg);
+ bool anon = PageAnon(page);
+- bool locked;
+ unsigned long flags;
++ bool locked;
+
+ /*
+ * The anon case has no mem_cgroup page_stat to update; but may
+@@ -1071,7 +1073,7 @@ void page_remove_rmap(struct page *page)
+ * we hold the lock against page_stat move: so avoid it on anon.
+ */
+ if (!anon)
+- mem_cgroup_begin_update_page_stat(page, &locked, &flags);
++ memcg = mem_cgroup_begin_page_stat(page, &locked, &flags);
+
+ /* page still mapped by someone else? */
+ if (!atomic_add_negative(-1, &page->_mapcount))
+@@ -1096,8 +1098,7 @@ void page_remove_rmap(struct page *page)
+ -hpage_nr_pages(page));
+ } else {
+ __dec_zone_page_state(page, NR_FILE_MAPPED);
+- mem_cgroup_dec_page_stat(page, MEM_CGROUP_STAT_FILE_MAPPED);
+- mem_cgroup_end_update_page_stat(page, &locked, &flags);
++ mem_cgroup_dec_page_stat(memcg, MEM_CGROUP_STAT_FILE_MAPPED);
+ }
+ if (unlikely(PageMlocked(page)))
+ clear_page_mlock(page);
+@@ -1110,10 +1111,9 @@ void page_remove_rmap(struct page *page)
+ * Leaving it set also helps swapoff to reinstate ptes
+ * faster for those pages still in swapcache.
+ */
+- return;
+ out:
+ if (!anon)
+- mem_cgroup_end_update_page_stat(page, &locked, &flags);
++ mem_cgroup_end_page_stat(memcg, locked, flags);
+ }
+
+ /*
--- /dev/null
+From 3a3c02ecf7f2852f122d6d16fb9b3d9cb0c6f201 Mon Sep 17 00:00:00 2001
+From: Johannes Weiner <hannes@cmpxchg.org>
+Date: Wed, 29 Oct 2014 14:50:46 -0700
+Subject: mm: page-writeback: inline account_page_dirtied() into single caller
+
+From: Johannes Weiner <hannes@cmpxchg.org>
+
+commit 3a3c02ecf7f2852f122d6d16fb9b3d9cb0c6f201 upstream.
+
+A follow-up patch would have changed the call signature. To save the
+trouble, just fold it instead.
+
+Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
+Acked-by: Michal Hocko <mhocko@suse.cz>
+Cc: Vladimir Davydov <vdavydov@parallels.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/mm.h | 1 -
+ mm/page-writeback.c | 23 ++++-------------------
+ 2 files changed, 4 insertions(+), 20 deletions(-)
+
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -1233,7 +1233,6 @@ int __set_page_dirty_no_writeback(struct
+ int redirty_page_for_writepage(struct writeback_control *wbc,
+ struct page *page);
+ void account_page_dirtied(struct page *page, struct address_space *mapping);
+-void account_page_writeback(struct page *page);
+ int set_page_dirty(struct page *page);
+ int set_page_dirty_lock(struct page *page);
+ int clear_page_dirty_for_io(struct page *page);
+--- a/mm/page-writeback.c
++++ b/mm/page-writeback.c
+@@ -2116,23 +2116,6 @@ void account_page_dirtied(struct page *p
+ EXPORT_SYMBOL(account_page_dirtied);
+
+ /*
+- * Helper function for set_page_writeback family.
+- *
+- * The caller must hold mem_cgroup_begin/end_update_page_stat() lock
+- * while calling this function.
+- * See test_set_page_writeback for example.
+- *
+- * NOTE: Unlike account_page_dirtied this does not rely on being atomic
+- * wrt interrupts.
+- */
+-void account_page_writeback(struct page *page)
+-{
+- mem_cgroup_inc_page_stat(page, MEM_CGROUP_STAT_WRITEBACK);
+- inc_zone_page_state(page, NR_WRITEBACK);
+-}
+-EXPORT_SYMBOL(account_page_writeback);
+-
+-/*
+ * For address_spaces which do not use buffers. Just tag the page as dirty in
+ * its radix tree.
+ *
+@@ -2410,8 +2393,10 @@ int __test_set_page_writeback(struct pag
+ } else {
+ ret = TestSetPageWriteback(page);
+ }
+- if (!ret)
+- account_page_writeback(page);
++ if (!ret) {
++ mem_cgroup_inc_page_stat(page, MEM_CGROUP_STAT_WRITEBACK);
++ inc_zone_page_state(page, NR_WRITEBACK);
++ }
+ mem_cgroup_end_update_page_stat(page, &locked, &memcg_flags);
+ return ret;
+
--- /dev/null
+From 89cf38dd536a7301d6b5f5ddd73f42074c01bfaa Mon Sep 17 00:00:00 2001
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Date: Thu, 23 Oct 2014 01:23:01 +0200
+Subject: mtd: cfi_cmdset_0001.c: fix resume for LH28F640BF chips
+
+From: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+
+commit 89cf38dd536a7301d6b5f5ddd73f42074c01bfaa upstream.
+
+After '#echo mem > /sys/power/state' some devices can not be properly resumed
+because apparently the MTD Partition Configuration Register has been reset
+to default thus the rootfs cannot be mounted cleanly on resume.
+An example of this can be found in the SA-1100 Developer's Manual at 9.5.3.3
+where the second step of the Sleep Shutdown Sequence is described:
+"An internal reset is applied to the SA-1100. All units are reset...".
+
+As workaround we refresh the PCR value as done initially on chip setup.
+
+This behavior and the fix are confirmed by our tests done on 2 different Zaurus
+collie units with kernel 3.17.
+
+Fixes: 812c5fa82bae: ("mtd: cfi_cmdset_0001.c: add support for Sharp LH28F640BF NOR")
+Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
+Signed-off-by: Andrea Adami <andrea.adami@gmail.com>
+Signed-off-by: Brian Norris <computersforpeace@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/chips/cfi_cmdset_0001.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/mtd/chips/cfi_cmdset_0001.c
++++ b/drivers/mtd/chips/cfi_cmdset_0001.c
+@@ -2590,6 +2590,8 @@ static void cfi_intelext_resume(struct m
+
+ /* Go to known state. Chip may have been power cycled */
+ if (chip->state == FL_PM_SUSPENDED) {
++ /* Refresh LH28F640BF Partition Config. Register */
++ fixup_LH28F640BF(mtd);
+ map_write(map, CMD(0xFF), cfi->chips[i].start);
+ chip->oldstate = chip->state = FL_READY;
+ wake_up(&chip->wq);
--- /dev/null
+From 51904b08072a8bf2b9ed74d1bd7a5300a614471d Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Wed, 22 Oct 2014 14:46:29 -0400
+Subject: nfsd4: fix crash on unknown operation number
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+commit 51904b08072a8bf2b9ed74d1bd7a5300a614471d upstream.
+
+Unknown operation numbers are caught in nfsd4_decode_compound() which
+sets op->opnum to OP_ILLEGAL and op->status to nfserr_op_illegal. The
+error causes the main loop in nfsd4_proc_compound() to skip most
+processing. But nfsd4_proc_compound also peeks ahead at the next
+operation in one case and doesn't take similar precautions there.
+
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4proc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1229,7 +1229,8 @@ static bool need_wrongsec_check(struct s
+ */
+ if (argp->opcnt == resp->opcnt)
+ return false;
+-
++ if (next->opnum == OP_ILLEGAL)
++ return false;
+ nextd = OPDESC(next);
+ /*
+ * Rest of 2.6.3.1.1: certain operations will return WRONGSEC
--- /dev/null
+From d1d84c9626bb3a519863b3ffc40d347166f9fb83 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Thu, 21 Aug 2014 15:04:31 -0400
+Subject: nfsd4: fix response size estimation for OP_SEQUENCE
+
+From: "J. Bruce Fields" <bfields@redhat.com>
+
+commit d1d84c9626bb3a519863b3ffc40d347166f9fb83 upstream.
+
+We added this new estimator function but forgot to hook it up. The
+effect is that NFSv4.1 (and greater) won't do zero-copy reads.
+
+The estimate was also wrong by 8 bytes.
+
+Fixes: ccae70a9ee41 "nfsd4: estimate sequence response size"
+Reported-by: Chuck Lever <chucklever@gmail.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs4proc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4proc.c
++++ b/fs/nfsd/nfs4proc.c
+@@ -1546,7 +1546,8 @@ static inline u32 nfsd4_rename_rsize(str
+ static inline u32 nfsd4_sequence_rsize(struct svc_rqst *rqstp,
+ struct nfsd4_op *op)
+ {
+- return NFS4_MAX_SESSIONID_LEN + 20;
++ return (op_encode_hdr_size
++ + XDR_QUADLEN(NFS4_MAX_SESSIONID_LEN) + 5) * sizeof(__be32);
+ }
+
+ static inline u32 nfsd4_setattr_rsize(struct svc_rqst *rqstp, struct nfsd4_op *op)
+@@ -1850,6 +1851,7 @@ static struct nfsd4_operation nfsd4_ops[
+ .op_func = (nfsd4op_func)nfsd4_sequence,
+ .op_flags = ALLOWED_WITHOUT_FH | ALLOWED_AS_FIRST_OP,
+ .op_name = "OP_SEQUENCE",
++ .op_rsize_bop = (nfsd4op_rsize)nfsd4_sequence_rsize,
+ },
+ [OP_DESTROY_CLIENTID] = {
+ .op_func = (nfsd4op_func)nfsd4_destroy_clientid,
--- /dev/null
+From d8e7d53a2fc14e0830ab728cb84ee19933d3ac8d Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 30 Oct 2014 09:30:28 -0700
+Subject: PCI: Rename sysfs 'enabled' file back to 'enable'
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit d8e7d53a2fc14e0830ab728cb84ee19933d3ac8d upstream.
+
+Back in commit 5136b2da770d ("PCI: convert bus code to use dev_groups"),
+I misstyped the 'enable' sysfs filename as 'enabled', which broke the
+userspace API. This patch fixes that issue by renaming the file back.
+
+Fixes: 5136b2da770d ("PCI: convert bus code to use dev_groups")
+Reported-by: Jeff Epler <jepler@unpythonic.net>
+Tested-by: Jeff Epler <jepler@unpythonic.net> # on v3.14-rt
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+
+---
+ drivers/pci/pci-sysfs.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -185,7 +185,7 @@ static ssize_t modalias_show(struct devi
+ }
+ static DEVICE_ATTR_RO(modalias);
+
+-static ssize_t enabled_store(struct device *dev, struct device_attribute *attr,
++static ssize_t enable_store(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t count)
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
+@@ -210,7 +210,7 @@ static ssize_t enabled_store(struct devi
+ return result < 0 ? result : count;
+ }
+
+-static ssize_t enabled_show(struct device *dev, struct device_attribute *attr,
++static ssize_t enable_show(struct device *dev, struct device_attribute *attr,
+ char *buf)
+ {
+ struct pci_dev *pdev;
+@@ -218,7 +218,7 @@ static ssize_t enabled_show(struct devic
+ pdev = to_pci_dev(dev);
+ return sprintf(buf, "%u\n", atomic_read(&pdev->enable_cnt));
+ }
+-static DEVICE_ATTR_RW(enabled);
++static DEVICE_ATTR_RW(enable);
+
+ #ifdef CONFIG_NUMA
+ static ssize_t numa_node_show(struct device *dev, struct device_attribute *attr,
+@@ -564,7 +564,7 @@ static struct attribute *pci_dev_attrs[]
+ #endif
+ &dev_attr_dma_mask_bits.attr,
+ &dev_attr_consistent_dma_mask_bits.attr,
+- &dev_attr_enabled.attr,
++ &dev_attr_enable.attr,
+ &dev_attr_broken_parity_status.attr,
+ &dev_attr_msi_bus.attr,
+ #if defined(CONFIG_PM_RUNTIME) && defined(CONFIG_ACPI)
--- /dev/null
+From 246ef766743618a7cab059d6c4993270075b173e Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Fri, 24 Oct 2014 20:29:09 +0300
+Subject: PM / Sleep: fix async suspend_late/freeze_late error handling
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit 246ef766743618a7cab059d6c4993270075b173e upstream.
+
+If an asynchronous suspend_late or freeze_late callback fails
+during the SUSPEND, FREEZE or QUIESCE phases, we don't propagate the
+corresponding error correctly, in effect ignoring the error and
+continuing the suspend-to-ram/hibernation. During suspend-to-ram this
+could leave some devices without a valid saved context, leading to a
+failure to reinitialize them during resume. During hibernation this
+could leave some devices active interfeering with the creation /
+restoration of the hibernation image. Also this could leave the
+corresponding devices without a valid saved context and failure to
+reinitialize them during resume.
+
+Fixes: de377b397272 (PM / sleep: Asynchronous threads for suspend_late)
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/power/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -1266,6 +1266,8 @@ static int dpm_suspend_late(pm_message_t
+ }
+ mutex_unlock(&dpm_list_mtx);
+ async_synchronize_full();
++ if (!error)
++ error = async_error;
+ if (error) {
+ suspend_stats.failed_suspend_late++;
+ dpm_save_failed_step(SUSPEND_SUSPEND_LATE);
--- /dev/null
+From 94fb823fcb4892614f57e59601bb9d4920f24711 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Fri, 24 Oct 2014 20:29:10 +0300
+Subject: PM / Sleep: fix recovery during resuming from hibernation
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit 94fb823fcb4892614f57e59601bb9d4920f24711 upstream.
+
+If a device's dev_pm_ops::freeze callback fails during the QUIESCE
+phase, we don't rollback things correctly calling the thaw and complete
+callbacks. This could leave some devices in a suspended state in case of
+an error during resuming from hibernation.
+
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/power/hibernate.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -502,8 +502,14 @@ int hibernation_restore(int platform_mod
+ error = dpm_suspend_start(PMSG_QUIESCE);
+ if (!error) {
+ error = resume_target_kernel(platform_mode);
+- dpm_resume_end(PMSG_RECOVER);
++ /*
++ * The above should either succeed and jump to the new kernel,
++ * or return with an error. Otherwise things are just
++ * undefined, so let's be paranoid.
++ */
++ BUG_ON(!error);
+ }
++ dpm_resume_end(PMSG_RECOVER);
+ pm_restore_gfp_mask();
+ resume_console();
+ pm_restore_console();
--- /dev/null
+From 6891c4509c792209c44ced55a60f13954cb50ef4 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Sat, 4 Oct 2014 23:06:39 +0200
+Subject: posix-timers: Fix stack info leak in timer_create()
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit 6891c4509c792209c44ced55a60f13954cb50ef4 upstream.
+
+If userland creates a timer without specifying a sigevent info, we'll
+create one ourself, using a stack local variable. Particularly will we
+use the timer ID as sival_int. But as sigev_value is a union containing
+a pointer and an int, that assignment will only partially initialize
+sigev_value on systems where the size of a pointer is bigger than the
+size of an int. On such systems we'll copy the uninitialized stack bytes
+from the timer_create() call to userland when the timer actually fires
+and we're going to deliver the signal.
+
+Initialize sigev_value with 0 to plug the stack info leak.
+
+Found in the PaX patch, written by the PaX Team.
+
+Fixes: 5a9fa7307285 ("posix-timers: kill ->it_sigev_signo and...")
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Brad Spengler <spender@grsecurity.net>
+Cc: PaX Team <pageexec@freemail.hu>
+Link: http://lkml.kernel.org/r/1412456799-32339-1-git-send-email-minipli@googlemail.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/time/posix-timers.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/time/posix-timers.c
++++ b/kernel/time/posix-timers.c
+@@ -636,6 +636,7 @@ SYSCALL_DEFINE3(timer_create, const cloc
+ goto out;
+ }
+ } else {
++ memset(&event.sigev_value, 0, sizeof(event.sigev_value));
+ event.sigev_notify = SIGEV_SIGNAL;
+ event.sigev_signo = SIGALRM;
+ event.sigev_value.sival_int = new_timer->it_id;
--- /dev/null
+From 474d2605d119479e5aa050f738632e63589d4bb5 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 22 Oct 2014 09:06:49 +0200
+Subject: quota: Properly return errors from dquot_writeback_dquots()
+
+From: Jan Kara <jack@suse.cz>
+
+commit 474d2605d119479e5aa050f738632e63589d4bb5 upstream.
+
+Due to a switched left and right side of an assignment,
+dquot_writeback_dquots() never returned error. This could result in
+errors during quota writeback to not be reported to userspace properly.
+Fix it.
+
+Coverity-id: 1226884
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/quota/dquot.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/quota/dquot.c
++++ b/fs/quota/dquot.c
+@@ -634,7 +634,7 @@ int dquot_writeback_dquots(struct super_
+ dqstats_inc(DQST_LOOKUPS);
+ err = sb->dq_op->write_dquot(dquot);
+ if (!ret && err)
+- err = ret;
++ ret = err;
+ dqput(dquot);
+ spin_lock(&dq_list_lock);
+ }
--- /dev/null
+From 1ffde699aae127e7abdb98dbdedc2cc6a973a1a1 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 20 Oct 2014 08:29:55 +0300
+Subject: Revert "iwlwifi: mvm: treat EAPOLs like mgmt frames wrt rate"
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 1ffde699aae127e7abdb98dbdedc2cc6a973a1a1 upstream.
+
+This reverts commit aa11bbf3df026d6b1c6b528bef634fd9de7c2619.
+This commit was causing connection issues and is not needed
+if IWL_MVM_RS_RSSI_BASED_INIT_RATE is set to false by default.
+
+Regardless of the issues mentioned above, this patch added the
+following WARNING:
+
+WARNING: CPU: 0 PID: 3946 at drivers/net/wireless/iwlwifi/mvm/tx.c:190 iwl_mvm_set_tx_params+0x60a/0x6f0 [iwlmvm]()
+Got an HT rate for a non data frame 0x8
+CPU: 0 PID: 3946 Comm: wpa_supplicant Tainted: G O 3.17.0+ #6
+Hardware name: LENOVO 20ANCTO1WW/20ANCTO1WW, BIOS GLET71WW (2.25 ) 07/02/2014
+ 0000000000000009 ffffffff814fa911 ffff8804288db8f8 ffffffff81064f52
+ 0000000000001808 ffff8804288db948 ffff88040add8660 ffff8804291b5600
+ 0000000000000000 ffffffff81064fb7 ffffffffa07b73d0 0000000000000020
+Call Trace:
+ [<ffffffff814fa911>] ? dump_stack+0x41/0x51
+ [<ffffffff81064f52>] ? warn_slowpath_common+0x72/0x90
+ [<ffffffff81064fb7>] ? warn_slowpath_fmt+0x47/0x50
+ [<ffffffffa07a39ea>] ? iwl_mvm_set_tx_params+0x60a/0x6f0 [iwlmvm]
+ [<ffffffffa07a3cf8>] ? iwl_mvm_tx_skb+0x48/0x3c0 [iwlmvm]
+ [<ffffffffa079cb9b>] ? iwl_mvm_mac_tx+0x7b/0x180 [iwlmvm]
+ [<ffffffffa0746ce9>] ? __ieee80211_tx+0x2b9/0x3c0 [mac80211]
+ [<ffffffffa07492f3>] ? ieee80211_tx+0xb3/0x100 [mac80211]
+ [<ffffffffa0749c49>] ? ieee80211_subif_start_xmit+0x459/0xca0 [mac80211]
+ [<ffffffff814116e7>] ? dev_hard_start_xmit+0x337/0x5f0
+ [<ffffffff81430d46>] ? sch_direct_xmit+0x96/0x1f0
+ [<ffffffff81411ba3>] ? __dev_queue_xmit+0x203/0x4f0
+ [<ffffffff8142f670>] ? ether_setup+0x70/0x70
+ [<ffffffff814e96a1>] ? packet_sendmsg+0xf81/0x1110
+ [<ffffffff8140625c>] ? skb_free_datagram+0xc/0x40
+ [<ffffffff813f7538>] ? sock_sendmsg+0x88/0xc0
+ [<ffffffff813f7274>] ? move_addr_to_kernel.part.20+0x14/0x60
+ [<ffffffff811c47c2>] ? __inode_wait_for_writeback+0x62/0xb0
+ [<ffffffff813f7a91>] ? SYSC_sendto+0xf1/0x180
+ [<ffffffff813f88f9>] ? __sys_recvmsg+0x39/0x70
+ [<ffffffff8150066d>] ? system_call_fastpath+0x1a/0x1f
+---[ end trace cc19a150d311fc63 ]---
+
+which was reported here: https://bugzilla.kernel.org/show_bug.cgi?id=85691
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/mvm/tx.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/iwlwifi/mvm/tx.c
+@@ -168,14 +168,10 @@ static void iwl_mvm_set_tx_cmd_rate(stru
+
+ /*
+ * for data packets, rate info comes from the table inside the fw. This
+- * table is controlled by LINK_QUALITY commands. Exclude ctrl port
+- * frames like EAPOLs which should be treated as mgmt frames. This
+- * avoids them being sent initially in high rates which increases the
+- * chances for completion of the 4-Way handshake.
++ * table is controlled by LINK_QUALITY commands
+ */
+
+- if (ieee80211_is_data(fc) && sta &&
+- !(info->control.flags & IEEE80211_TX_CTRL_PORT_CTRL_PROTO)) {
++ if (ieee80211_is_data(fc) && sta) {
+ tx_cmd->initial_rate_index = 0;
+ tx_cmd->tx_flags |= cpu_to_le32(TX_CMD_FLG_STA_RATE);
+ return;
--- /dev/null
+From 84ce0f0e94ac97217398b3b69c21c7a62ebeed05 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 22 Oct 2014 20:13:39 -0600
+Subject: scsi: Fix error handling in SCSI_IOCTL_SEND_COMMAND
+
+From: Jan Kara <jack@suse.cz>
+
+commit 84ce0f0e94ac97217398b3b69c21c7a62ebeed05 upstream.
+
+When sg_scsi_ioctl() fails to prepare request to submit in
+blk_rq_map_kern() we jump to a label where we just end up copying
+(luckily zeroed-out) kernel buffer to userspace instead of reporting
+error. Fix the problem by jumping to the right label.
+
+CC: Jens Axboe <axboe@kernel.dk>
+CC: linux-scsi@vger.kernel.org
+Coverity-id: 1226871
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+Fixed up the, now unused, out label.
+
+Signed-off-by: Jens Axboe <axboe@fb.com>
+
+---
+ block/scsi_ioctl.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/block/scsi_ioctl.c
++++ b/block/scsi_ioctl.c
+@@ -509,7 +509,7 @@ int sg_scsi_ioctl(struct request_queue *
+
+ if (bytes && blk_rq_map_kern(q, rq, buffer, bytes, __GFP_WAIT)) {
+ err = DRIVER_ERROR << 24;
+- goto out;
++ goto error;
+ }
+
+ memset(sense, 0, sizeof(sense));
+@@ -518,7 +518,6 @@ int sg_scsi_ioctl(struct request_queue *
+
+ blk_execute_rq(q, disk, rq, 0);
+
+-out:
+ err = rq->errors & 0xff; /* only 8 bit SCSI status */
+ if (err) {
+ if (rq->sense_len && rq->sense) {
--- /dev/null
+From b1dd2aac4cc0892b82ec60232ed37e3b0af776cc Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@lst.de>
+Date: Sun, 19 Oct 2014 17:13:58 +0200
+Subject: scsi: set REQ_QUEUE for the blk-mq case
+
+From: Christoph Hellwig <hch@lst.de>
+
+commit b1dd2aac4cc0892b82ec60232ed37e3b0af776cc upstream.
+
+To generate the right SPI tag messages we need to properly set
+QUEUE_FLAG_QUEUED in the request_queue and mirror it to the
+request.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
+Acked-by: Jens Axboe <axboe@kernel.dk>
+Reported-by: Meelis Roos <mroos@linux.ee>
+Tested-by: Meelis Roos <mroos@linux.ee>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_lib.c | 5 +++++
+ include/scsi/scsi_tcq.h | 8 ++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -1887,6 +1887,11 @@ static int scsi_queue_rq(struct blk_mq_h
+ req->cmd_flags |= REQ_DONTPREP;
+ }
+
++ if (blk_queue_tagged(q))
++ req->cmd_flags |= REQ_QUEUED;
++ else
++ req->cmd_flags &= ~REQ_QUEUED;
++
+ scsi_init_cmd_errh(cmd);
+ cmd->scsi_done = scsi_mq_done;
+
+--- a/include/scsi/scsi_tcq.h
++++ b/include/scsi/scsi_tcq.h
+@@ -67,8 +67,9 @@ static inline void scsi_activate_tcq(str
+ if (!sdev->tagged_supported)
+ return;
+
+- if (!shost_use_blk_mq(sdev->host) &&
+- !blk_queue_tagged(sdev->request_queue))
++ if (shost_use_blk_mq(sdev->host))
++ queue_flag_set_unlocked(QUEUE_FLAG_QUEUED, sdev->request_queue);
++ else if (!blk_queue_tagged(sdev->request_queue))
+ blk_queue_init_tags(sdev->request_queue, depth,
+ sdev->host->bqt);
+
+@@ -81,8 +82,7 @@ static inline void scsi_activate_tcq(str
+ **/
+ static inline void scsi_deactivate_tcq(struct scsi_device *sdev, int depth)
+ {
+- if (!shost_use_blk_mq(sdev->host) &&
+- blk_queue_tagged(sdev->request_queue))
++ if (blk_queue_tagged(sdev->request_queue))
+ blk_queue_free_tags(sdev->request_queue);
+ scsi_adjust_queue_depth(sdev, 0, depth);
+ }
usb-kobil_sct-fix-non-atomic-allocation-in-write-path.patch
usb-remove-references-to-non-existent-plat_s5p-symbol.patch
ima-check-xattr-value-length-and-type-in-the-ima_inode_setxattr.patch
+sh-fix-sh770x-scif-memory-regions.patch
+mm-free-compound-page-with-correct-order.patch
+cgroup-kmemleak-add-kmemleak_free-for-cgroup-deallocations.patch
+mm-page-writeback-inline-account_page_dirtied-into-single-caller.patch
+mm-memcontrol-fix-missed-end-writeback-page-accounting.patch
+lib-bitmap.c-fix-undefined-shift-in-__bitmap_shift_-left-right.patch
+mm-balloon_compaction-fix-deflation-when-compaction-is-disabled.patch
+xhci-no-switching-back-on-non-ult-haswell.patch
+xhci-disable-streams-on-asmedia-1042-xhci-controllers.patch
+scsi-fix-error-handling-in-scsi_ioctl_send_command.patch
+lib-scatterlist-fix-memory-leak-with-scsi-mq.patch
+scsi-set-req_queue-for-the-blk-mq-case.patch
+i82860_edac-report-ce-events-properly.patch
+i3200_edac-report-ce-events-properly.patch
+e7xxx_edac-report-ce-events-properly.patch
+cpc925_edac-report-ue-events-properly.patch
+nfsd4-fix-response-size-estimation-for-op_sequence.patch
+nfsd4-fix-crash-on-unknown-operation-number.patch
+zap_pte_range-update-addr-when-forcing-flush-after-tlb-batching-faiure.patch
+iwlwifi-mvm-bt-coex-update-the-mplut-boost-register-value.patch
+iwlwifi-configure-the-ltr.patch
+iwlwifi-dvm-drop-non-vo-frames-when-flushing.patch
+revert-iwlwifi-mvm-treat-eapols-like-mgmt-frames-wrt-rate.patch
+ext3-don-t-check-quota-format-when-there-are-no-quota-files.patch
+pci-rename-sysfs-enabled-file-back-to-enable.patch
+quota-properly-return-errors-from-dquot_writeback_dquots.patch
+tty-vt-don-t-set-font-mappings-on-vc-not-supporting-this.patch
+tty-fix-high-cpu-load-if-tty-is-unreleaseable.patch
+pm-sleep-fix-async-suspend_late-freeze_late-error-handling.patch
+pm-sleep-fix-recovery-during-resuming-from-hibernation.patch
+staging-comedi-regression-channel-list-must-be-set-for-comedi_cmd-ioctl.patch
+staging-comedi-fix-memory-leak-bad-pointer-freeing-for-chanlist.patch
+mac80211-fix-typo-in-starting-baserate-for-rts_cts_rate_idx.patch
+mtd-cfi_cmdset_0001.c-fix-resume-for-lh28f640bf-chips.patch
+posix-timers-fix-stack-info-leak-in-timer_create.patch
+x86-apic-handle-a-bad-tsc-more-gracefully.patch
--- /dev/null
+From 5417421b270229bfce0795ccc99a4b481e4954ca Mon Sep 17 00:00:00 2001
+From: Andriy Skulysh <askulysh@gmail.com>
+Date: Wed, 29 Oct 2014 14:50:59 -0700
+Subject: sh: fix sh770x SCIF memory regions
+
+From: Andriy Skulysh <askulysh@gmail.com>
+
+commit 5417421b270229bfce0795ccc99a4b481e4954ca upstream.
+
+Resources scif1_resources & scif2_resources overlap. Actual SCIF region
+size is 0x10.
+
+This is regression from commit d850acf975be ("sh: Declare SCIF register
+base and IRQ as resources")
+
+Signed-off-by: Andriy Skulysh <askulysh@gmail.com>
+Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/sh/kernel/cpu/sh3/setup-sh770x.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/sh/kernel/cpu/sh3/setup-sh770x.c
++++ b/arch/sh/kernel/cpu/sh3/setup-sh770x.c
+@@ -118,7 +118,7 @@ static struct plat_sci_port scif0_platfo
+ };
+
+ static struct resource scif0_resources[] = {
+- DEFINE_RES_MEM(0xfffffe80, 0x100),
++ DEFINE_RES_MEM(0xfffffe80, 0x10),
+ DEFINE_RES_IRQ(evt2irq(0x4e0)),
+ };
+
+@@ -143,7 +143,7 @@ static struct plat_sci_port scif1_platfo
+ };
+
+ static struct resource scif1_resources[] = {
+- DEFINE_RES_MEM(0xa4000150, 0x100),
++ DEFINE_RES_MEM(0xa4000150, 0x10),
+ DEFINE_RES_IRQ(evt2irq(0x900)),
+ };
+
+@@ -169,7 +169,7 @@ static struct plat_sci_port scif2_platfo
+ };
+
+ static struct resource scif2_resources[] = {
+- DEFINE_RES_MEM(0xa4000140, 0x100),
++ DEFINE_RES_MEM(0xa4000140, 0x10),
+ DEFINE_RES_IRQ(evt2irq(0x880)),
+ };
+
--- /dev/null
+From 238b5ad855924919e5b98d0c772d9dc78795639b Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 20 Oct 2014 15:10:40 +0100
+Subject: staging: comedi: fix memory leak / bad pointer freeing for chanlist
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 238b5ad855924919e5b98d0c772d9dc78795639b upstream.
+
+As a follow-up to commit 6cab7a37f5c04 ("staging: comedi: (regression)
+channel list must be set for COMEDI_CMD ioctl"), Hartley Sweeten pointed
+out another couple of bugs stemming from commit 6cab7a37f5c04 ("staging:
+comedi: comedi_fops: introduce __comedi_get_user_chanlist()").
+
+Firstly, `do_cmdtest_ioctl()` never frees the kernel copy of the user
+chanlist allocated by `__comedi_get_user_chanlist()`, so that memory is
+leaked. Fix it by freeing the allocated kernel memory pointed to by
+`cmd.chanlist` before that pointer is overwritten with its original
+pointer to user memory before `cmd` is copied back to user-space.
+
+Secondly, if `__comedi_get_user_chanlist()` returns an error,
+`cmd->chanlist` is left unchanged and in fact will be a pointer to user
+memory. This causes `do_cmd_ioctl()` to `goto cleanup` and call
+`do_become_nonbusy()` which would attempt to free the memory pointed to
+by the user-space pointer. Fix it by setting `cmd->chanlist` to NULL at
+the start of `__comedi_get_user_chanlist()`.
+
+Fixes: c6cd0eefb27b ("staging: comedi: comedi_fops: introduce __comedi_get_user_chanlist()")
+Reported-by: H Hartley Sweeten <hsweeten@visionengravers.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/comedi_fops.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -1462,6 +1462,7 @@ static int __comedi_get_user_chanlist(st
+ unsigned int *chanlist;
+ int ret;
+
++ cmd->chanlist = NULL;
+ chanlist = memdup_user(user_chanlist,
+ cmd->chanlist_len * sizeof(unsigned int));
+ if (IS_ERR(chanlist))
+@@ -1615,6 +1616,8 @@ static int do_cmdtest_ioctl(struct comed
+
+ ret = s->do_cmdtest(dev, s, &cmd);
+
++ kfree(cmd.chanlist); /* free kernel copy of user chanlist */
++
+ /* restore chanlist pointer before copying back */
+ cmd.chanlist = (unsigned int __force *)user_chanlist;
+
--- /dev/null
+From 6cab7a37f5c048bb2a768f24b0ec748b052fda09 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 8 Oct 2014 16:09:14 +0100
+Subject: staging: comedi: (regression) channel list must be set for COMEDI_CMD ioctl
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 6cab7a37f5c048bb2a768f24b0ec748b052fda09 upstream.
+
+`do_cmd_ioctl()`, the handler for the `COMEDI_CMD` ioctl can incorrectly
+call the Comedi subdevice's `do_cmd()` handler with a NULL channel list
+pointer. This is a regression as the `do_cmd()` handler has never been
+expected to deal with that, leading to a kernel OOPS when it tries to
+dereference it.
+
+A NULL channel list pointer is allowed for the `COMEDI_CMDTEST` ioctl,
+handled by `do_cmdtest_ioctl()` and the subdevice's `do_cmdtest()`
+handler, but not for the `COMEDI_CMD` ioctl and its handlers.
+
+Both `do_cmd_ioctl()` and `do_cmdtest_ioctl()` call
+`__comedi_get_user_chanlist()` to copy the channel list from user memory
+into dynamically allocated kernel memory and check it for consistency.
+That function currently returns 0 if the `user_chanlist` parameter
+(pointing to the channel list in user memory) is NULL. That's fine for
+`do_cmdtest_ioctl()`, but `do_cmd_ioctl()` incorrectly assumes the
+kernel copy of the channel list has been set-up correctly.
+
+Fix it by not allowing the `user_chanlist` parameter to be NULL in
+`__comedi_get_user_chanlist()`, and only calling it from
+`do_cmdtest_ioctl()` if the parameter is non-NULL.
+
+Thanks to Bernd Porr for reporting the bug via an initial patch sent
+privately.
+
+Fixes: c6cd0eefb27b ("staging: comedi: comedi_fops: introduce __comedi_get_user_chanlist()")
+Reported-by: Bernd Porr <mail@berndporr.me.uk>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Reviewed-by: H Hartley Sweeten <hsweeten@visionengravers.com>
+Cc: Bernd Porr <mail@berndporr.me.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/comedi_fops.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -1462,10 +1462,6 @@ static int __comedi_get_user_chanlist(st
+ unsigned int *chanlist;
+ int ret;
+
+- /* user_chanlist could be NULL for do_cmdtest ioctls */
+- if (!user_chanlist)
+- return 0;
+-
+ chanlist = memdup_user(user_chanlist,
+ cmd->chanlist_len * sizeof(unsigned int));
+ if (IS_ERR(chanlist))
+@@ -1609,10 +1605,13 @@ static int do_cmdtest_ioctl(struct comed
+
+ s = &dev->subdevices[cmd.subdev];
+
+- /* load channel/gain list */
+- ret = __comedi_get_user_chanlist(dev, s, user_chanlist, &cmd);
+- if (ret)
+- return ret;
++ /* user_chanlist can be NULL for COMEDI_CMDTEST ioctl */
++ if (user_chanlist) {
++ /* load channel/gain list */
++ ret = __comedi_get_user_chanlist(dev, s, user_chanlist, &cmd);
++ if (ret)
++ return ret;
++ }
+
+ ret = s->do_cmdtest(dev, s, &cmd);
+
--- /dev/null
+From 37b164578826406a173ca7c20d9ba7430134d23e Mon Sep 17 00:00:00 2001
+From: Peter Hurley <peter@hurleysoftware.com>
+Date: Thu, 16 Oct 2014 13:51:30 -0400
+Subject: tty: Fix high cpu load if tty is unreleaseable
+
+From: Peter Hurley <peter@hurleysoftware.com>
+
+commit 37b164578826406a173ca7c20d9ba7430134d23e upstream.
+
+Kernel oops can cause the tty to be unreleaseable (for example, if
+n_tty_read() crashes while on the read_wait queue). This will cause
+tty_release() to endlessly loop without sleeping.
+
+Use a killable sleep timeout which grows by 2n+1 jiffies over the interval
+[0, 120 secs.) and then jumps to forever (but still killable).
+
+NB: killable just allows for the task to be rewoken manually, not
+to be terminated.
+
+Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/tty_io.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -1686,6 +1686,7 @@ int tty_release(struct inode *inode, str
+ int pty_master, tty_closing, o_tty_closing, do_sleep;
+ int idx;
+ char buf[64];
++ long timeout = 0;
+
+ if (tty_paranoia_check(tty, inode, __func__))
+ return 0;
+@@ -1770,7 +1771,11 @@ int tty_release(struct inode *inode, str
+ __func__, tty_name(tty, buf));
+ tty_unlock_pair(tty, o_tty);
+ mutex_unlock(&tty_mutex);
+- schedule();
++ schedule_timeout_killable(timeout);
++ if (timeout < 120 * HZ)
++ timeout = 2 * timeout + 1;
++ else
++ timeout = MAX_SCHEDULE_TIMEOUT;
+ }
+
+ /*
--- /dev/null
+From 9e326f78713a4421fe11afc2ddeac07698fac131 Mon Sep 17 00:00:00 2001
+From: Imre Deak <imre.deak@intel.com>
+Date: Thu, 2 Oct 2014 16:34:31 +0300
+Subject: tty/vt: don't set font mappings on vc not supporting this
+
+From: Imre Deak <imre.deak@intel.com>
+
+commit 9e326f78713a4421fe11afc2ddeac07698fac131 upstream.
+
+We can call this function for a dummy console that doesn't support
+setting the font mapping, which will result in a null ptr BUG. So check
+for this case and return error for consoles w/o font mapping support.
+
+Reference: https://bugzilla.kernel.org/show_bug.cgi?id=59321
+Signed-off-by: Imre Deak <imre.deak@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/consolemap.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/tty/vt/consolemap.c
++++ b/drivers/tty/vt/consolemap.c
+@@ -539,6 +539,12 @@ int con_set_unimap(struct vc_data *vc, u
+
+ /* Save original vc_unipagdir_loc in case we allocate a new one */
+ p = *vc->vc_uni_pagedir_loc;
++
++ if (!p) {
++ err = -EINVAL;
++
++ goto out_unlock;
++ }
+
+ if (p->refcount > 1) {
+ int j, k;
+@@ -623,6 +629,7 @@ int con_set_unimap(struct vc_data *vc, u
+ set_inverse_transl(vc, p, i); /* Update inverse translations */
+ set_inverse_trans_unicode(vc, p);
+
++out_unlock:
+ console_unlock();
+ return err;
+ }
--- /dev/null
+From b47dcbdc5161d3d5756f430191e2840d9b855492 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Wed, 15 Oct 2014 10:12:07 -0700
+Subject: x86, apic: Handle a bad TSC more gracefully
+
+From: Andy Lutomirski <luto@amacapital.net>
+
+commit b47dcbdc5161d3d5756f430191e2840d9b855492 upstream.
+
+If the TSC is unusable or disabled, then this patch fixes:
+
+ - Confusion while trying to clear old APIC interrupts.
+ - Division by zero and incorrect programming of the TSC deadline
+ timer.
+
+This fixes boot if the CPU has a TSC deadline timer but a missing or
+broken TSC. The failure to boot can be observed with qemu using
+-cpu qemu64,-tsc,+tsc-deadline
+
+This also happens to me in nested KVM for unknown reasons.
+With this patch, I can boot cleanly (although without a TSC).
+
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Cc: Bandan Das <bsd@redhat.com>
+Link: http://lkml.kernel.org/r/e2fa274e498c33988efac0ba8b7e3120f7f92d78.1413393027.git.luto@amacapital.net
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/apic.c | 4 ++--
+ arch/x86/kernel/tsc.c | 5 ++++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1297,7 +1297,7 @@ void setup_local_APIC(void)
+ unsigned int value, queued;
+ int i, j, acked = 0;
+ unsigned long long tsc = 0, ntsc;
+- long long max_loops = cpu_khz;
++ long long max_loops = cpu_khz ? cpu_khz : 1000000;
+
+ if (cpu_has_tsc)
+ rdtscll(tsc);
+@@ -1383,7 +1383,7 @@ void setup_local_APIC(void)
+ break;
+ }
+ if (queued) {
+- if (cpu_has_tsc) {
++ if (cpu_has_tsc && cpu_khz) {
+ rdtscll(ntsc);
+ max_loops = (cpu_khz << 10) - (ntsc - tsc);
+ } else
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -1166,14 +1166,17 @@ void __init tsc_init(void)
+
+ x86_init.timers.tsc_pre_init();
+
+- if (!cpu_has_tsc)
++ if (!cpu_has_tsc) {
++ setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER);
+ return;
++ }
+
+ tsc_khz = x86_platform.calibrate_tsc();
+ cpu_khz = tsc_khz;
+
+ if (!tsc_khz) {
+ mark_tsc_unstable("could not calculate TSC khz");
++ setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER);
+ return;
+ }
+
--- /dev/null
+From 2391eacbd00b706ff4902db7dbee21e33b6f1850 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Tue, 28 Oct 2014 11:05:29 +0100
+Subject: xhci: Disable streams on Asmedia 1042 xhci controllers
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 2391eacbd00b706ff4902db7dbee21e33b6f1850 upstream.
+
+Streams seem to be broken on the Asmedia 1042. An uas capable Seagate disk
+which is known to work fine with other controllers causes the system to freeze
+when connected over usb-3 with this controller, where as it works fine with
+uas in usb-2 ports, indicating a problem with streams.
+
+This is a bit bigger hammer then I would like to use for this, but for now it
+will have to make do. I've ordered a pci-e usb controller card with an Asmedia
+1042, once that arrives I'll try to get streams to work (with a quirk flag if
+necessary) and then we can re-enable them. For now this at least makes uas
+capable disk enclosures work again by forcing fallback to the usb-storage
+driver.
+
+Reported-by: Bogdan Mihalcea <bogdan.mihalcea@infim.ro>
+Cc: Bogdan Mihalcea <bogdan.mihalcea@infim.ro>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-pci.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -146,6 +146,10 @@ static void xhci_pci_quirks(struct devic
+ pdev->device == 0x3432)
+ xhci->quirks |= XHCI_BROKEN_STREAMS;
+
++ if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
++ pdev->device == 0x1042)
++ xhci->quirks |= XHCI_BROKEN_STREAMS;
++
+ if (xhci->quirks & XHCI_RESET_ON_RESUME)
+ xhci_dbg_trace(xhci, trace_xhci_dbg_quirks,
+ "QUIRK: Resetting on resume");
--- /dev/null
+From b45abacde3d551c6696c6738bef4a1805d0bf27a Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.de>
+Date: Mon, 27 Oct 2014 14:53:29 +0100
+Subject: xhci: no switching back on non-ULT Haswell
+
+From: Oliver Neukum <oneukum@suse.de>
+
+commit b45abacde3d551c6696c6738bef4a1805d0bf27a upstream.
+
+The switch back is limited to ULT even on HP. The contrary
+finding arose by bad luck in BIOS versions for testing.
+This fixes spontaneous resume from S3 on some HP laptops.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-pci.c | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -126,20 +126,6 @@ static void xhci_pci_quirks(struct devic
+ xhci->quirks |= XHCI_AVOID_BEI;
+ }
+ if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
+- (pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_XHCI ||
+- pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI)) {
+- /* Workaround for occasional spurious wakeups from S5 (or
+- * any other sleep) on Haswell machines with LPT and LPT-LP
+- * with the new Intel BIOS
+- */
+- /* Limit the quirk to only known vendors, as this triggers
+- * yet another BIOS bug on some other machines
+- * https://bugzilla.kernel.org/show_bug.cgi?id=66171
+- */
+- if (pdev->subsystem_vendor == PCI_VENDOR_ID_HP)
+- xhci->quirks |= XHCI_SPURIOUS_WAKEUP;
+- }
+- if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
+ pdev->device == PCI_DEVICE_ID_INTEL_LYNXPOINT_LP_XHCI) {
+ xhci->quirks |= XHCI_SPURIOUS_REBOOT;
+ }
--- /dev/null
+From ce9ec37bddb633404a0c23e1acb181a264e7f7f2 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Tue, 28 Oct 2014 13:16:28 -0700
+Subject: zap_pte_range: update addr when forcing flush after TLB batching faiure
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit ce9ec37bddb633404a0c23e1acb181a264e7f7f2 upstream.
+
+When unmapping a range of pages in zap_pte_range, the page being
+unmapped is added to an mmu_gather_batch structure for asynchronous
+freeing. If we run out of space in the batch structure before the range
+has been completely unmapped, then we break out of the loop, force a
+TLB flush and free the pages that we have batched so far. If there are
+further pages to unmap, then we resume the loop where we left off.
+
+Unfortunately, we forget to update addr when we break out of the loop,
+which causes us to truncate the range being invalidated as the end
+address is exclusive. When we re-enter the loop at the same address, the
+page has already been freed and the pte_present test will fail, meaning
+that we do not reconsider the address for invalidation.
+
+This patch fixes the problem by incrementing addr by the PAGE_SIZE
+before breaking out of the loop on batch failure.
+
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memory.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/mm/memory.c
++++ b/mm/memory.c
+@@ -1147,6 +1147,7 @@ again:
+ print_bad_pte(vma, addr, ptent, page);
+ if (unlikely(!__tlb_remove_page(tlb, page))) {
+ force_flush = 1;
++ addr += PAGE_SIZE;
+ break;
+ }
+ continue;
projects / thirdparty / kernel / stable-queue.git / commitdiff
