--- /dev/null
+From 2528a8b8f457d7432552d0e2b6f0f4046bb702f4 Mon Sep 17 00:00:00 2001
+From: Chris Metcalf <cmetcalf@ezchip.com>
+Date: Thu, 25 Jun 2015 15:02:08 -0700
+Subject: __bitmap_parselist: fix bug in empty string handling
+
+From: Chris Metcalf <cmetcalf@ezchip.com>
+
+commit 2528a8b8f457d7432552d0e2b6f0f4046bb702f4 upstream.
+
+bitmap_parselist("", &mask, nmaskbits) will erroneously set bit zero in
+the mask. The same bug is visible in cpumask_parselist() since it is
+layered on top of the bitmask code, e.g. if you boot with "isolcpus=",
+you will actually end up with cpu zero isolated.
+
+The bug was introduced in commit 4b060420a596 ("bitmap, irq: add
+smp_affinity_list interface to /proc/irq") when bitmap_parselist() was
+generalized to support userspace as well as kernelspace.
+
+Fixes: 4b060420a596 ("bitmap, irq: add smp_affinity_list interface to /proc/irq")
+Signed-off-by: Chris Metcalf <cmetcalf@ezchip.com>
+Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/bitmap.c | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+--- a/lib/bitmap.c
++++ b/lib/bitmap.c
+@@ -506,12 +506,12 @@ static int __bitmap_parselist(const char
+ unsigned a, b;
+ int c, old_c, totaldigits;
+ const char __user __force *ubuf = (const char __user __force *)buf;
+- int exp_digit, in_range;
++ int at_start, in_range;
+
+ totaldigits = c = 0;
+ bitmap_zero(maskp, nmaskbits);
+ do {
+- exp_digit = 1;
++ at_start = 1;
+ in_range = 0;
+ a = b = 0;
+
+@@ -540,11 +540,10 @@ static int __bitmap_parselist(const char
+ break;
+
+ if (c == '-') {
+- if (exp_digit || in_range)
++ if (at_start || in_range)
+ return -EINVAL;
+ b = 0;
+ in_range = 1;
+- exp_digit = 1;
+ continue;
+ }
+
+@@ -554,16 +553,18 @@ static int __bitmap_parselist(const char
+ b = b * 10 + (c - '0');
+ if (!in_range)
+ a = b;
+- exp_digit = 0;
++ at_start = 0;
+ totaldigits++;
+ }
+ if (!(a <= b))
+ return -EINVAL;
+ if (b >= nmaskbits)
+ return -ERANGE;
+- while (a <= b) {
+- set_bit(a, maskp);
+- a++;
++ if (!at_start) {
++ while (a <= b) {
++ set_bit(a, maskp);
++ a++;
++ }
+ }
+ } while (buflen && c == ',');
+ return 0;
--- /dev/null
+From 6cbfb1bb66e4e85da5db78e8ff429a85bd84ce64 Mon Sep 17 00:00:00 2001
+From: Michal Kazior <michal.kazior@tieto.com>
+Date: Fri, 22 May 2015 10:57:22 +0200
+Subject: cfg80211: ignore netif running state when changing iftype
+
+From: Michal Kazior <michal.kazior@tieto.com>
+
+commit 6cbfb1bb66e4e85da5db78e8ff429a85bd84ce64 upstream.
+
+It was possible for mac80211 to be coerced into an
+unexpected flow causing sdata union to become
+corrupted. Station pointer was put into
+sdata->u.vlan.sta memory location while it was
+really master AP's sdata->u.ap.next_beacon. This
+led to station entry being later freed as
+next_beacon before __sta_info_flush() in
+ieee80211_stop_ap() and a subsequent invalid
+pointer dereference crash.
+
+The problem was that ieee80211_ptr->use_4addr
+wasn't cleared on interface type changes.
+
+This could be reproduced with the following steps:
+
+ # host A and host B have just booted; no
+ # wpa_s/hostapd running; all vifs are down
+ host A> iw wlan0 set type station
+ host A> iw wlan0 set 4addr on
+ host A> printf 'interface=wlan0\nssid=4addrcrash\nchannel=1\nwds_sta=1' > /tmp/hconf
+ host A> hostapd -B /tmp/conf
+ host B> iw wlan0 set 4addr on
+ host B> ifconfig wlan0 up
+ host B> iw wlan0 connect -w hostAssid
+ host A> pkill hostapd
+ # host A crashed:
+
+ [ 127.928192] BUG: unable to handle kernel NULL pointer dereference at 00000000000006c8
+ [ 127.929014] IP: [<ffffffff816f4f32>] __sta_info_flush+0xac/0x158
+ ...
+ [ 127.934578] [<ffffffff8170789e>] ieee80211_stop_ap+0x139/0x26c
+ [ 127.934578] [<ffffffff8100498f>] ? dump_trace+0x279/0x28a
+ [ 127.934578] [<ffffffff816dc661>] __cfg80211_stop_ap+0x84/0x191
+ [ 127.934578] [<ffffffff816dc7ad>] cfg80211_stop_ap+0x3f/0x58
+ [ 127.934578] [<ffffffff816c5ad6>] nl80211_stop_ap+0x1b/0x1d
+ [ 127.934578] [<ffffffff815e53f8>] genl_family_rcv_msg+0x259/0x2b5
+
+Note: This isn't a revert of f8cdddb8d61d
+("cfg80211: check iface combinations only when
+iface is running") as far as functionality is
+considered because b6a550156bc ("cfg80211/mac80211:
+move more combination checks to mac80211") moved
+the logic somewhere else already.
+
+Fixes: f8cdddb8d61d ("cfg80211: check iface combinations only when iface is running")
+Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -944,7 +944,7 @@ int cfg80211_change_iface(struct cfg8021
+ ntype == NL80211_IFTYPE_P2P_CLIENT))
+ return -EBUSY;
+
+- if (ntype != otype && netif_running(dev)) {
++ if (ntype != otype) {
+ dev->ieee80211_ptr->use_4addr = false;
+ dev->ieee80211_ptr->mesh_id_up_len = 0;
+ wdev_lock(dev->ieee80211_ptr);
--- /dev/null
+From 56a94f13919c0db5958611b388e1581b4852f3c9 Mon Sep 17 00:00:00 2001
+From: Damian Eppel <d.eppel@samsung.com>
+Date: Fri, 26 Jun 2015 15:23:04 +0200
+Subject: clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier
+
+From: Damian Eppel <d.eppel@samsung.com>
+
+commit 56a94f13919c0db5958611b388e1581b4852f3c9 upstream.
+
+Whilst testing cpu hotplug events on kernel configured with
+DEBUG_PREEMPT and DEBUG_ATOMIC_SLEEP we get following BUG message,
+caused by calling request_irq() and free_irq() in the context of
+hotplug notification (which is in this case atomic context).
+
+[ 40.785859] CPU1: Software reset
+[ 40.786660] BUG: sleeping function called from invalid context at mm/slub.c:1241
+[ 40.786668] in_atomic(): 1, irqs_disabled(): 128, pid: 0, name: swapper/1
+[ 40.786678] Preemption disabled at:[< (null)>] (null)
+[ 40.786681]
+[ 40.786692] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 3.19.0-rc4-00024-g7dca860 #36
+[ 40.786698] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
+[ 40.786728] [<c0014a00>] (unwind_backtrace) from [<c0011980>] (show_stack+0x10/0x14)
+[ 40.786747] [<c0011980>] (show_stack) from [<c0449ba0>] (dump_stack+0x70/0xbc)
+[ 40.786767] [<c0449ba0>] (dump_stack) from [<c00c6124>] (kmem_cache_alloc+0xd8/0x170)
+[ 40.786785] [<c00c6124>] (kmem_cache_alloc) from [<c005d6f8>] (request_threaded_irq+0x64/0x128)
+[ 40.786804] [<c005d6f8>] (request_threaded_irq) from [<c0350b8c>] (exynos4_local_timer_setup+0xc0/0x13c)
+[ 40.786820] [<c0350b8c>] (exynos4_local_timer_setup) from [<c0350ca8>] (exynos4_mct_cpu_notify+0x30/0xa8)
+[ 40.786838] [<c0350ca8>] (exynos4_mct_cpu_notify) from [<c003b330>] (notifier_call_chain+0x44/0x84)
+[ 40.786857] [<c003b330>] (notifier_call_chain) from [<c0022fd4>] (__cpu_notify+0x28/0x44)
+[ 40.786873] [<c0022fd4>] (__cpu_notify) from [<c0013714>] (secondary_start_kernel+0xec/0x150)
+[ 40.786886] [<c0013714>] (secondary_start_kernel) from [<40008764>] (0x40008764)
+
+Interrupts cannot be requested/freed in the CPU_STARTING/CPU_DYING
+notifications which run on the hotplugged cpu with interrupts and
+preemption disabled.
+
+To avoid the issue, request the interrupts for all possible cpus in
+the boot code. The interrupts are marked NO_AUTOENABLE to avoid a racy
+request_irq/disable_irq() sequence. The flag prevents the
+request_irq() code from enabling the interrupt immediately.
+
+The interrupt is then enabled in the CPU_STARTING notifier of the
+hotplugged cpu and again disabled with disable_irq_nosync() in the
+CPU_DYING notifier.
+
+[ tglx: Massaged changelog to match the patch ]
+
+Fixes: 7114cd749a12 ("clocksource: exynos_mct: use (request/free)_irq calls for local timer registration")
+Reported-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Tested-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Tested-by: Marcin Jabrzyk <m.jabrzyk@samsung.com>
+Signed-off-by: Damian Eppel <d.eppel@samsung.com>
+Cc: m.szyprowski@samsung.com
+Cc: kyungmin.park@samsung.com
+Cc: daniel.lezcano@linaro.org
+Cc: kgene@kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Link: http://lkml.kernel.org/r/1435324984-7328-1-git-send-email-d.eppel@samsung.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clocksource/exynos_mct.c | 43 +++++++++++++++++++++++++++------------
+ 1 file changed, 30 insertions(+), 13 deletions(-)
+
+--- a/drivers/clocksource/exynos_mct.c
++++ b/drivers/clocksource/exynos_mct.c
+@@ -466,15 +466,12 @@ static int exynos4_local_timer_setup(str
+ exynos4_mct_write(TICK_BASE_CNT, mevt->base + MCT_L_TCNTB_OFFSET);
+
+ if (mct_int_type == MCT_INT_SPI) {
+- evt->irq = mct_irqs[MCT_L0_IRQ + cpu];
+- if (request_irq(evt->irq, exynos4_mct_tick_isr,
+- IRQF_TIMER | IRQF_NOBALANCING,
+- evt->name, mevt)) {
+- pr_err("exynos-mct: cannot register IRQ %d\n",
+- evt->irq);
++
++ if (evt->irq == -1)
+ return -EIO;
+- }
+- irq_force_affinity(mct_irqs[MCT_L0_IRQ + cpu], cpumask_of(cpu));
++
++ irq_force_affinity(evt->irq, cpumask_of(cpu));
++ enable_irq(evt->irq);
+ } else {
+ enable_percpu_irq(mct_irqs[MCT_L0_IRQ], 0);
+ }
+@@ -487,10 +484,12 @@ static int exynos4_local_timer_setup(str
+ static void exynos4_local_timer_stop(struct clock_event_device *evt)
+ {
+ evt->set_mode(CLOCK_EVT_MODE_UNUSED, evt);
+- if (mct_int_type == MCT_INT_SPI)
+- free_irq(evt->irq, this_cpu_ptr(&percpu_mct_tick));
+- else
++ if (mct_int_type == MCT_INT_SPI) {
++ if (evt->irq != -1)
++ disable_irq_nosync(evt->irq);
++ } else {
+ disable_percpu_irq(mct_irqs[MCT_L0_IRQ]);
++ }
+ }
+
+ static int exynos4_mct_cpu_notify(struct notifier_block *self,
+@@ -522,7 +521,7 @@ static struct notifier_block exynos4_mct
+
+ static void __init exynos4_timer_resources(struct device_node *np, void __iomem *base)
+ {
+- int err;
++ int err, cpu;
+ struct mct_clock_event_device *mevt = this_cpu_ptr(&percpu_mct_tick);
+ struct clk *mct_clk, *tick_clk;
+
+@@ -549,7 +548,25 @@ static void __init exynos4_timer_resourc
+ WARN(err, "MCT: can't request IRQ %d (%d)\n",
+ mct_irqs[MCT_L0_IRQ], err);
+ } else {
+- irq_set_affinity(mct_irqs[MCT_L0_IRQ], cpumask_of(0));
++ for_each_possible_cpu(cpu) {
++ int mct_irq = mct_irqs[MCT_L0_IRQ + cpu];
++ struct mct_clock_event_device *pcpu_mevt =
++ per_cpu_ptr(&percpu_mct_tick, cpu);
++
++ pcpu_mevt->evt.irq = -1;
++
++ irq_set_status_flags(mct_irq, IRQ_NOAUTOEN);
++ if (request_irq(mct_irq,
++ exynos4_mct_tick_isr,
++ IRQF_TIMER | IRQF_NOBALANCING,
++ pcpu_mevt->name, pcpu_mevt)) {
++ pr_err("exynos-mct: cannot register IRQ (cpu%d)\n",
++ cpu);
++
++ continue;
++ }
++ pcpu_mevt->evt.irq = mct_irq;
++ }
+ }
+
+ err = register_cpu_notifier(&exynos4_mct_cpu_nb);
--- /dev/null
+From b86a50c3b5414eafdbee7f34af4a201a4a7817c2 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu, 25 Jun 2015 15:01:05 -0700
+Subject: compiler-intel: fix wrong compiler barrier() macro
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+commit b86a50c3b5414eafdbee7f34af4a201a4a7817c2 upstream.
+
+Cleanup commit 73679e508201 ("compiler-intel.h: Remove duplicate
+definition") removed the double definition of __memory_barrier()
+intrinsics.
+
+However, in doing so, it also removed the preceding #undef barrier by
+accident, meaning, the actual barrier() macro from compiler-gcc.h with
+inline asm is still in place as __GNUC__ is provided.
+
+Subsequently, barrier() can never be defined as __memory_barrier() from
+compiler.h since it already has a definition in place and if we trust
+the comment in compiler-intel.h, ecc doesn't support gcc specific asm
+statements.
+
+I don't have an ecc at hand (unsure if that's still used in the field?)
+and only found this by accident during code review, a revert of that
+cleanup would be simplest option.
+
+Fixes: 73679e508201 ("compiler-intel.h: Remove duplicate definition")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: Pranith Kumar <bobby.prani@gmail.com>
+Cc: Pranith Kumar <bobby.prani@gmail.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: mancha security <mancha1@zoho.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/compiler-intel.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/compiler-intel.h
++++ b/include/linux/compiler-intel.h
+@@ -13,10 +13,12 @@
+ /* Intel ECC compiler doesn't support gcc specific asm stmts.
+ * It uses intrinsics to do the equivalent things.
+ */
++#undef barrier
+ #undef barrier_data
+ #undef RELOC_HIDE
+ #undef OPTIMIZER_HIDE_VAR
+
++#define barrier() __memory_barrier()
+ #define barrier_data(ptr) barrier()
+
+ #define RELOC_HIDE(ptr, off) \
--- /dev/null
+From b8830a4e71b15d0364ac8e6c55301eea73f211da Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali.rohar@gmail.com>
+Date: Tue, 23 Jun 2015 10:11:19 +0200
+Subject: dell-laptop: Fix allocating & freeing SMI buffer page
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali.rohar@gmail.com>
+
+commit b8830a4e71b15d0364ac8e6c55301eea73f211da upstream.
+
+This commit fix kernel crash when probing for rfkill devices in dell-laptop
+driver failed. Function free_page() was incorrectly used on struct page *
+instead of virtual address of SMI buffer.
+
+This commit also simplify allocating page for SMI buffer by using
+__get_free_page() function instead of sequential call of functions
+alloc_page() and page_address().
+
+Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
+Acked-by: Michal Hocko <mhocko@suse.cz>
+Signed-off-by: Darren Hart <dvhart@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/dell-laptop.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/platform/x86/dell-laptop.c
++++ b/drivers/platform/x86/dell-laptop.c
+@@ -305,7 +305,6 @@ static const struct dmi_system_id dell_q
+ };
+
+ static struct calling_interface_buffer *buffer;
+-static struct page *bufferpage;
+ static DEFINE_MUTEX(buffer_mutex);
+
+ static int hwswitch_state;
+@@ -1896,12 +1895,11 @@ static int __init dell_init(void)
+ * Allocate buffer below 4GB for SMI data--only 32-bit physical addr
+ * is passed to SMI handler.
+ */
+- bufferpage = alloc_page(GFP_KERNEL | GFP_DMA32);
+- if (!bufferpage) {
++ buffer = (void *)__get_free_page(GFP_KERNEL | GFP_DMA32);
++ if (!buffer) {
+ ret = -ENOMEM;
+ goto fail_buffer;
+ }
+- buffer = page_address(bufferpage);
+
+ ret = dell_setup_rfkill();
+
+@@ -1965,7 +1963,7 @@ fail_backlight:
+ cancel_delayed_work_sync(&dell_rfkill_work);
+ dell_cleanup_rfkill();
+ fail_rfkill:
+- free_page((unsigned long)bufferpage);
++ free_page((unsigned long)buffer);
+ fail_buffer:
+ platform_device_del(platform_device);
+ fail_platform_device2:
--- /dev/null
+From 8084b86dcfbc4b4822868c1dbdb429b5c08154e2 Mon Sep 17 00:00:00 2001
+From: Alexander Duyck <alexander.h.duyck@redhat.com>
+Date: Sat, 2 May 2015 00:52:00 -0700
+Subject: e1000e: Cleanup handling of VLAN_HLEN as a part of max frame size
+
+From: Alexander Duyck <alexander.h.duyck@redhat.com>
+
+commit 8084b86dcfbc4b4822868c1dbdb429b5c08154e2 upstream.
+
+When the VLAN_HLEN was added to the calculation for the maximum frame size
+there seems to have been a number of issues added to the driver.
+
+The first issue is that in some cases the maximum frame size for a device
+never really reached the actual maximum frame size as the VLAN header
+length was not included the calculation for that value. As a result some
+parts only supported a maximum frame size of either 1496 in the case of
+parts that didn't support jumbo frames, and 8996 in the case of the parts
+that do.
+
+The second issue is the fact that there were several checks that weren't
+updated so as a result setting an MTU of 1500 was treated as enabling jumbo
+frames as the calculated value was 1522 instead of 1518. I have addressed
+those by replacing ETH_FRAME_LEN with VLAN_ETH_FRAME_LEN where appropriate.
+
+The final issue was the fact that lowering the MTU below 1500 would cause
+the driver to allocate 2K buffers for the rings. This is an old issue that
+was fixed several years ago in igb/ixgbe and I am addressing now by just
+replacing == with a <= so that we always just round up to 1522 for anything
+that isn't a jumbo frame.
+
+Fixes: c751a3d58cf2d ("e1000e: Correctly include VLAN_HLEN when changing interface MTU")
+Signed-off-by: Alexander Duyck <alexander.h.duyck@redhat.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/intel/e1000e/82571.c | 2 +-
+ drivers/net/ethernet/intel/e1000e/ich8lan.c | 10 +++++-----
+ drivers/net/ethernet/intel/e1000e/netdev.c | 18 ++++++++----------
+ 3 files changed, 14 insertions(+), 16 deletions(-)
+
+--- a/drivers/net/ethernet/intel/e1000e/82571.c
++++ b/drivers/net/ethernet/intel/e1000e/82571.c
+@@ -2010,7 +2010,7 @@ const struct e1000_info e1000_82573_info
+ .flags2 = FLAG2_DISABLE_ASPM_L1
+ | FLAG2_DISABLE_ASPM_L0S,
+ .pba = 20,
+- .max_hw_frame_size = ETH_FRAME_LEN + ETH_FCS_LEN,
++ .max_hw_frame_size = VLAN_ETH_FRAME_LEN + ETH_FCS_LEN,
+ .get_variants = e1000_get_variants_82571,
+ .mac_ops = &e82571_mac_ops,
+ .phy_ops = &e82_phy_ops_m88,
+--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c
++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c
+@@ -1563,7 +1563,7 @@ static s32 e1000_get_variants_ich8lan(st
+ ((adapter->hw.mac.type >= e1000_pch2lan) &&
+ (!(er32(CTRL_EXT) & E1000_CTRL_EXT_LSECCK)))) {
+ adapter->flags &= ~FLAG_HAS_JUMBO_FRAMES;
+- adapter->max_hw_frame_size = ETH_FRAME_LEN + ETH_FCS_LEN;
++ adapter->max_hw_frame_size = VLAN_ETH_FRAME_LEN + ETH_FCS_LEN;
+
+ hw->mac.ops.blink_led = NULL;
+ }
+@@ -5681,7 +5681,7 @@ const struct e1000_info e1000_ich8_info
+ | FLAG_HAS_FLASH
+ | FLAG_APME_IN_WUC,
+ .pba = 8,
+- .max_hw_frame_size = ETH_FRAME_LEN + ETH_FCS_LEN,
++ .max_hw_frame_size = VLAN_ETH_FRAME_LEN + ETH_FCS_LEN,
+ .get_variants = e1000_get_variants_ich8lan,
+ .mac_ops = &ich8_mac_ops,
+ .phy_ops = &ich8_phy_ops,
+@@ -5754,7 +5754,7 @@ const struct e1000_info e1000_pch2_info
+ .flags2 = FLAG2_HAS_PHY_STATS
+ | FLAG2_HAS_EEE,
+ .pba = 26,
+- .max_hw_frame_size = 9018,
++ .max_hw_frame_size = 9022,
+ .get_variants = e1000_get_variants_ich8lan,
+ .mac_ops = &ich8_mac_ops,
+ .phy_ops = &ich8_phy_ops,
+@@ -5774,7 +5774,7 @@ const struct e1000_info e1000_pch_lpt_in
+ .flags2 = FLAG2_HAS_PHY_STATS
+ | FLAG2_HAS_EEE,
+ .pba = 26,
+- .max_hw_frame_size = 9018,
++ .max_hw_frame_size = 9022,
+ .get_variants = e1000_get_variants_ich8lan,
+ .mac_ops = &ich8_mac_ops,
+ .phy_ops = &ich8_phy_ops,
+@@ -5794,7 +5794,7 @@ const struct e1000_info e1000_pch_spt_in
+ .flags2 = FLAG2_HAS_PHY_STATS
+ | FLAG2_HAS_EEE,
+ .pba = 26,
+- .max_hw_frame_size = 9018,
++ .max_hw_frame_size = 9022,
+ .get_variants = e1000_get_variants_ich8lan,
+ .mac_ops = &ich8_mac_ops,
+ .phy_ops = &ich8_phy_ops,
+--- a/drivers/net/ethernet/intel/e1000e/netdev.c
++++ b/drivers/net/ethernet/intel/e1000e/netdev.c
+@@ -3807,7 +3807,7 @@ void e1000e_reset(struct e1000_adapter *
+ /* reset Packet Buffer Allocation to default */
+ ew32(PBA, pba);
+
+- if (adapter->max_frame_size > ETH_FRAME_LEN + ETH_FCS_LEN) {
++ if (adapter->max_frame_size > (VLAN_ETH_FRAME_LEN + ETH_FCS_LEN)) {
+ /* To maintain wire speed transmits, the Tx FIFO should be
+ * large enough to accommodate two full transmit packets,
+ * rounded up to the next 1KB and expressed in KB. Likewise,
+@@ -4196,9 +4196,9 @@ static int e1000_sw_init(struct e1000_ad
+ {
+ struct net_device *netdev = adapter->netdev;
+
+- adapter->rx_buffer_len = ETH_FRAME_LEN + VLAN_HLEN + ETH_FCS_LEN;
++ adapter->rx_buffer_len = VLAN_ETH_FRAME_LEN + ETH_FCS_LEN;
+ adapter->rx_ps_bsize0 = 128;
+- adapter->max_frame_size = netdev->mtu + ETH_HLEN + ETH_FCS_LEN;
++ adapter->max_frame_size = netdev->mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
+ adapter->min_frame_size = ETH_ZLEN + ETH_FCS_LEN;
+ adapter->tx_ring_count = E1000_DEFAULT_TXD;
+ adapter->rx_ring_count = E1000_DEFAULT_RXD;
+@@ -5781,17 +5781,17 @@ struct rtnl_link_stats64 *e1000e_get_sta
+ static int e1000_change_mtu(struct net_device *netdev, int new_mtu)
+ {
+ struct e1000_adapter *adapter = netdev_priv(netdev);
+- int max_frame = new_mtu + VLAN_HLEN + ETH_HLEN + ETH_FCS_LEN;
++ int max_frame = new_mtu + VLAN_ETH_HLEN + ETH_FCS_LEN;
+
+ /* Jumbo frame support */
+- if ((max_frame > ETH_FRAME_LEN + ETH_FCS_LEN) &&
++ if ((max_frame > (VLAN_ETH_FRAME_LEN + ETH_FCS_LEN)) &&
+ !(adapter->flags & FLAG_HAS_JUMBO_FRAMES)) {
+ e_err("Jumbo Frames not supported.\n");
+ return -EINVAL;
+ }
+
+ /* Supported frame sizes */
+- if ((new_mtu < ETH_ZLEN + ETH_FCS_LEN + VLAN_HLEN) ||
++ if ((new_mtu < (VLAN_ETH_ZLEN + ETH_FCS_LEN)) ||
+ (max_frame > adapter->max_hw_frame_size)) {
+ e_err("Unsupported MTU setting\n");
+ return -EINVAL;
+@@ -5831,10 +5831,8 @@ static int e1000_change_mtu(struct net_d
+ adapter->rx_buffer_len = 4096;
+
+ /* adjust allocation if LPE protects us, and we aren't using SBP */
+- if ((max_frame == ETH_FRAME_LEN + ETH_FCS_LEN) ||
+- (max_frame == ETH_FRAME_LEN + VLAN_HLEN + ETH_FCS_LEN))
+- adapter->rx_buffer_len = ETH_FRAME_LEN + VLAN_HLEN
+- + ETH_FCS_LEN;
++ if (max_frame <= (VLAN_ETH_FRAME_LEN + ETH_FCS_LEN))
++ adapter->rx_buffer_len = VLAN_ETH_FRAME_LEN + ETH_FCS_LEN;
+
+ if (netif_running(netdev))
+ e1000e_up(adapter);
--- /dev/null
+From 17cd5bd5391e6e7b363d66335e1bc6760ae969b9 Mon Sep 17 00:00:00 2001
+From: Jean Delvare <jdelvare@suse.de>
+Date: Thu, 25 Jun 2015 09:06:55 +0200
+Subject: firmware: dmi_scan: Only honor end-of-table for 64-bit tables
+
+From: Jean Delvare <jdelvare@suse.de>
+
+commit 17cd5bd5391e6e7b363d66335e1bc6760ae969b9 upstream.
+
+A 32-bit entry point to a DMI table says how many structures the table
+contains. The SMBIOS specification explicitly says that end-of-table
+markers should be ignored if they are not actually at the end of the
+DMI table. So only honor the end-of-table marker for tables accessed
+through 64-bit entry points, as they do not specify a structure count.
+
+Fixes: fc43026278 ("dmi: add support for SMBIOS 3.0 64-bit entry point")
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
+Cc: Leif Lindholm <leif.lindholm@linaro.org>
+Cc: Matt Fleming <matt.fleming@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/dmi_scan.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/firmware/dmi_scan.c
++++ b/drivers/firmware/dmi_scan.c
+@@ -89,9 +89,9 @@ static void dmi_table(u8 *buf,
+
+ /*
+ * Stop when we have seen all the items the table claimed to have
+- * (SMBIOS < 3.0 only) OR we reach an end-of-table marker OR we run
+- * off the end of the table (should never happen but sometimes does
+- * on bogus implementations.)
++ * (SMBIOS < 3.0 only) OR we reach an end-of-table marker (SMBIOS
++ * >= 3.0 only) OR we run off the end of the table (should never
++ * happen but sometimes does on bogus implementations.)
+ */
+ while ((!dmi_num || i < dmi_num) &&
+ (data - buf + sizeof(struct dmi_header)) <= dmi_len) {
+@@ -110,8 +110,13 @@ static void dmi_table(u8 *buf,
+
+ /*
+ * 7.45 End-of-Table (Type 127) [SMBIOS reference spec v3.0.0]
++ * For tables behind a 64-bit entry point, we have no item
++ * count and no exact table length, so stop on end-of-table
++ * marker. For tables behind a 32-bit entry point, we have
++ * seen OEM structures behind the end-of-table marker on
++ * some systems, so don't trust it.
+ */
+- if (dm->type == DMI_ENTRY_END_OF_TABLE)
++ if (!dmi_num && dm->type == DMI_ENTRY_END_OF_TABLE)
+ break;
+
+ data += 2;
--- /dev/null
+From 4b200b4604bec3388426159f1656109d19fadf6e Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Sat, 13 Jun 2015 15:23:33 +0200
+Subject: ideapad: fix software rfkill setting
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 4b200b4604bec3388426159f1656109d19fadf6e upstream.
+
+This fixes a several year old regression that I found while trying
+to get the Yoga 3 11 to work. The ideapad_rfk_set function is meant
+to send a command to the embedded controller through ACPI, but
+as of c1f73658ed, it sends the index of the rfkill device instead
+of the command, and ignores the opcode field.
+
+This changes it back to the original behavior, which indeed
+flips the rfkill state as seen in the debugfs interface.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: c1f73658ed ("ideapad: pass ideapad_priv as argument (part 2)")
+Signed-off-by: Darren Hart <dvhart@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/ideapad-laptop.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/ideapad-laptop.c
++++ b/drivers/platform/x86/ideapad-laptop.c
+@@ -464,8 +464,9 @@ static const struct ideapad_rfk_data ide
+ static int ideapad_rfk_set(void *data, bool blocked)
+ {
+ struct ideapad_rfk_priv *priv = data;
++ int opcode = ideapad_rfk_data[priv->dev].opcode;
+
+- return write_ec_cmd(priv->priv->adev->handle, priv->dev, !blocked);
++ return write_ec_cmd(priv->priv->adev->handle, opcode, !blocked);
+ }
+
+ static struct rfkill_ops ideapad_rfk_ops = {
--- /dev/null
+From 4fa9dabcffc8e16601307d3d56b58c68d9716ba4 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+Date: Sun, 18 Jan 2015 15:44:40 +0300
+Subject: ideapad_laptop: Lenovo G50-30 fix rfkill reports wireless blocked
+
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+
+commit 4fa9dabcffc8e16601307d3d56b58c68d9716ba4 upstream.
+
+Lenovo G30-50 does not have a hardware wireless switch and wireless
+is always blocked.
+
+BugLink: https://bugs.launchpad.net/bugs/1397021
+Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
+Signed-off-by: Philippe Coval <philippe.coval@open.eurogiciel.org>
+[dvhart@linux.intel.com: Reordered dmi id per Phillippe's later version]
+Signed-off-by: Darren Hart <dvhart@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/ideapad-laptop.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/platform/x86/ideapad-laptop.c
++++ b/drivers/platform/x86/ideapad-laptop.c
+@@ -837,6 +837,13 @@ static const struct dmi_system_id no_hw_
+ },
+ },
+ {
++ .ident = "Lenovo G50-30",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo G50-30"),
++ },
++ },
++ {
+ .ident = "Lenovo Yoga 2 11 / 13 / Pro",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
--- /dev/null
+From c779273b37bec14c33feeab11c4d457a24bc64e0 Mon Sep 17 00:00:00 2001
+From: Eliad Peller <eliad@wizery.com>
+Date: Sun, 19 Apr 2015 11:41:04 +0300
+Subject: iwlwifi: mvm: fix ROC reference accounting
+
+From: Eliad Peller <eliad@wizery.com>
+
+commit c779273b37bec14c33feeab11c4d457a24bc64e0 upstream.
+
+commit b112889c5af8124 ("iwlwifi: mvm: add Aux ROC request/response flow")
+added aux ROC flow in addition to the existing ROC flow. While doing
+it, it moved the ROC reference release to a common work item, which
+is being called for both the ROC and aux ROC flows.
+
+This resulted in invalid reference accounting, as no reference was
+taken in case of aux ROC, while a reference was released on completion.
+
+Fix it by adding a reference for the aux ROC as well, and release
+only the relevant references on completion (according to the set bits).
+
+While at it, convert cancel_work_sync() to flush_work(), in order
+to make sure the references are being cleaned properly.
+
+Fixes: b112889c5af8 ("iwlwifi: mvm: add Aux ROC request/response flow")
+Signed-off-by: Eliad Peller <eliadx.peller@intel.com>
+Reviewed-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/mvm/debugfs.c | 5 +++--
+ drivers/net/wireless/iwlwifi/mvm/mac80211.c | 2 +-
+ drivers/net/wireless/iwlwifi/mvm/mvm.h | 1 +
+ drivers/net/wireless/iwlwifi/mvm/time-event.c | 15 +++++++++------
+ 4 files changed, 14 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/mvm/debugfs.c
++++ b/drivers/net/wireless/iwlwifi/mvm/debugfs.c
+@@ -6,7 +6,7 @@
+ * GPL LICENSE SUMMARY
+ *
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+- * Copyright(c) 2013 - 2014 Intel Mobile Communications GmbH
++ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -32,7 +32,7 @@
+ * BSD LICENSE
+ *
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+- * Copyright(c) 2013 - 2014 Intel Mobile Communications GmbH
++ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -1356,6 +1356,7 @@ static ssize_t iwl_dbgfs_d0i3_refs_read(
+ PRINT_MVM_REF(IWL_MVM_REF_UCODE_DOWN);
+ PRINT_MVM_REF(IWL_MVM_REF_SCAN);
+ PRINT_MVM_REF(IWL_MVM_REF_ROC);
++ PRINT_MVM_REF(IWL_MVM_REF_ROC_AUX);
+ PRINT_MVM_REF(IWL_MVM_REF_P2P_CLIENT);
+ PRINT_MVM_REF(IWL_MVM_REF_AP_IBSS);
+ PRINT_MVM_REF(IWL_MVM_REF_USER);
+--- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c
+@@ -1404,7 +1404,7 @@ void __iwl_mvm_mac_stop(struct iwl_mvm *
+ * The work item could be running or queued if the
+ * ROC time event stops just as we get here.
+ */
+- cancel_work_sync(&mvm->roc_done_wk);
++ flush_work(&mvm->roc_done_wk);
+
+ iwl_trans_stop_device(mvm->trans);
+
+--- a/drivers/net/wireless/iwlwifi/mvm/mvm.h
++++ b/drivers/net/wireless/iwlwifi/mvm/mvm.h
+@@ -275,6 +275,7 @@ enum iwl_mvm_ref_type {
+ IWL_MVM_REF_UCODE_DOWN,
+ IWL_MVM_REF_SCAN,
+ IWL_MVM_REF_ROC,
++ IWL_MVM_REF_ROC_AUX,
+ IWL_MVM_REF_P2P_CLIENT,
+ IWL_MVM_REF_AP_IBSS,
+ IWL_MVM_REF_USER,
+--- a/drivers/net/wireless/iwlwifi/mvm/time-event.c
++++ b/drivers/net/wireless/iwlwifi/mvm/time-event.c
+@@ -6,7 +6,7 @@
+ * GPL LICENSE SUMMARY
+ *
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+- * Copyright(c) 2013 - 2014 Intel Mobile Communications GmbH
++ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+@@ -32,7 +32,7 @@
+ * BSD LICENSE
+ *
+ * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved.
+- * Copyright(c) 2013 - 2014 Intel Mobile Communications GmbH
++ * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+@@ -108,12 +108,14 @@ void iwl_mvm_roc_done_wk(struct work_str
+ * in the case that the time event actually completed in the firmware
+ * (which is handled in iwl_mvm_te_handle_notif).
+ */
+- if (test_and_clear_bit(IWL_MVM_STATUS_ROC_RUNNING, &mvm->status))
++ if (test_and_clear_bit(IWL_MVM_STATUS_ROC_RUNNING, &mvm->status)) {
+ queues |= BIT(IWL_MVM_OFFCHANNEL_QUEUE);
+- if (test_and_clear_bit(IWL_MVM_STATUS_ROC_AUX_RUNNING, &mvm->status))
++ iwl_mvm_unref(mvm, IWL_MVM_REF_ROC);
++ }
++ if (test_and_clear_bit(IWL_MVM_STATUS_ROC_AUX_RUNNING, &mvm->status)) {
+ queues |= BIT(mvm->aux_queue);
+-
+- iwl_mvm_unref(mvm, IWL_MVM_REF_ROC);
++ iwl_mvm_unref(mvm, IWL_MVM_REF_ROC_AUX);
++ }
+
+ synchronize_net();
+
+@@ -393,6 +395,7 @@ static int iwl_mvm_aux_roc_te_handle_not
+ } else if (le32_to_cpu(notif->action) == TE_V2_NOTIF_HOST_EVENT_START) {
+ set_bit(IWL_MVM_STATUS_ROC_AUX_RUNNING, &mvm->status);
+ te_data->running = true;
++ iwl_mvm_ref(mvm, IWL_MVM_REF_ROC_AUX);
+ ieee80211_ready_on_channel(mvm->hw); /* Start TE */
+ } else {
+ IWL_DEBUG_TE(mvm,
--- /dev/null
+From 8df734e865b74d9f273216482a45a38269dc767a Mon Sep 17 00:00:00 2001
+From: Chun-Yeow Yeoh <yeohchunyeow@gmail.com>
+Date: Tue, 9 Jun 2015 13:35:33 +0800
+Subject: mac80211: fix the beacon csa counter for mesh and ibss
+
+From: Chun-Yeow Yeoh <yeohchunyeow@gmail.com>
+
+commit 8df734e865b74d9f273216482a45a38269dc767a upstream.
+
+The csa counter has moved from sdata to beacon/presp but
+it is not updated accordingly for mesh and ibss. Fix this.
+
+Fixes: af296bdb8da4 ("mac80211: move csa counters from sdata to beacon/presp")
+Signed-off-by: Chun-Yeow Yeoh <yeohchunyeow@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/cfg.c | 1 +
+ net/mac80211/ibss.c | 1 +
+ net/mac80211/mesh.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -3356,6 +3356,7 @@ static int ieee80211_mgmt_tx(struct wiph
+ /* Update CSA counters */
+ if (sdata->vif.csa_active &&
+ (sdata->vif.type == NL80211_IFTYPE_AP ||
++ sdata->vif.type == NL80211_IFTYPE_MESH_POINT ||
+ sdata->vif.type == NL80211_IFTYPE_ADHOC) &&
+ params->n_csa_offsets) {
+ int i;
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -146,6 +146,7 @@ ieee80211_ibss_build_presp(struct ieee80
+ csa_settings->chandef.chan->center_freq);
+ presp->csa_counter_offsets[0] = (pos - presp->head);
+ *pos++ = csa_settings->count;
++ presp->csa_current_counter = csa_settings->count;
+ }
+
+ /* put the remaining rates in WLAN_EID_EXT_SUPP_RATES */
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -680,6 +680,7 @@ ieee80211_mesh_build_beacon(struct ieee8
+ *pos++ = 0x0;
+ *pos++ = ieee80211_frequency_to_channel(
+ csa->settings.chandef.chan->center_freq);
++ bcn->csa_current_counter = csa->settings.count;
+ bcn->csa_counter_offsets[0] = hdr_len + 6;
+ *pos++ = csa->settings.count;
+ *pos++ = WLAN_EID_CHAN_SWITCH_PARAM;
--- /dev/null
+From ab499db80fcf07c18e4053f91a619500f663e90e Mon Sep 17 00:00:00 2001
+From: Michal Kazior <michal.kazior@tieto.com>
+Date: Fri, 22 May 2015 10:22:40 +0200
+Subject: mac80211: prevent possible crypto tx tailroom corruption
+
+From: Michal Kazior <michal.kazior@tieto.com>
+
+commit ab499db80fcf07c18e4053f91a619500f663e90e upstream.
+
+There was a possible race between
+ieee80211_reconfig() and
+ieee80211_delayed_tailroom_dec(). This could
+result in inability to transmit data if driver
+crashed during roaming or rekeying and subsequent
+skbs with insufficient tailroom appeared.
+
+This race was probably never seen in the wild
+because a device driver would have to crash AND
+recover within 0.5s which is very unlikely.
+
+I was able to prove this race exists after
+changing the delay to 10s locally and crashing
+ath10k via debugfs immediately after GTK
+rekeying. In case of ath10k the counter went below
+0. This was harmless but other drivers which
+actually require tailroom (e.g. for WEP ICV or
+MMIC) could end up with the counter at 0 instead
+of >0 and introduce insufficient skb tailroom
+failures because mac80211 would not resize skbs
+appropriately anymore.
+
+Fixes: 8d1f7ecd2af5 ("mac80211: defer tailroom counter manipulation when roaming")
+Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -249,6 +249,7 @@ static void ieee80211_restart_work(struc
+ {
+ struct ieee80211_local *local =
+ container_of(work, struct ieee80211_local, restart_work);
++ struct ieee80211_sub_if_data *sdata;
+
+ /* wait for scan work complete */
+ flush_workqueue(local->workqueue);
+@@ -257,6 +258,8 @@ static void ieee80211_restart_work(struc
+ "%s called with hardware scan in progress\n", __func__);
+
+ rtnl_lock();
++ list_for_each_entry(sdata, &local->interfaces, list)
++ flush_delayed_work(&sdata->dec_tailroom_needed_wk);
+ ieee80211_scan_cancel(local);
+ ieee80211_reconfig(local);
+ rtnl_unlock();
--- /dev/null
+From 641844f5616d7c6597309f560838f996466d7aac Mon Sep 17 00:00:00 2001
+From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Date: Wed, 24 Jun 2015 16:56:59 -0700
+Subject: mm/hugetlb: introduce minimum hugepage order
+
+From: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+
+commit 641844f5616d7c6597309f560838f996466d7aac upstream.
+
+Currently the initial value of order in dissolve_free_huge_page is 64 or
+32, which leads to the following warning in static checker:
+
+ mm/hugetlb.c:1203 dissolve_free_huge_pages()
+ warn: potential right shift more than type allows '9,18,64'
+
+This is a potential risk of infinite loop, because 1 << order (== 0) is used
+in for-loop like this:
+
+ for (pfn =3D start_pfn; pfn < end_pfn; pfn +=3D 1 << order)
+ ...
+
+So this patch fixes it by using global minimum_order calculated at boot time.
+
+ text data bss dec hex filename
+ 28313 469 84236 113018 1b97a mm/hugetlb.o
+ 28256 473 84236 112965 1b945 mm/hugetlb.o (patched)
+
+Fixes: c8721bbbdd36 ("mm: memory-hotplug: enable memory hotplug to handle hugepage")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/hugetlb.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -40,6 +40,11 @@ int hugepages_treat_as_movable;
+ int hugetlb_max_hstate __read_mostly;
+ unsigned int default_hstate_idx;
+ struct hstate hstates[HUGE_MAX_HSTATE];
++/*
++ * Minimum page order among possible hugepage sizes, set to a proper value
++ * at boot time.
++ */
++static unsigned int minimum_order __read_mostly = UINT_MAX;
+
+ __initdata LIST_HEAD(huge_boot_pages);
+
+@@ -1188,19 +1193,13 @@ static void dissolve_free_huge_page(stru
+ */
+ void dissolve_free_huge_pages(unsigned long start_pfn, unsigned long end_pfn)
+ {
+- unsigned int order = 8 * sizeof(void *);
+ unsigned long pfn;
+- struct hstate *h;
+
+ if (!hugepages_supported())
+ return;
+
+- /* Set scan step to minimum hugepage size */
+- for_each_hstate(h)
+- if (order > huge_page_order(h))
+- order = huge_page_order(h);
+- VM_BUG_ON(!IS_ALIGNED(start_pfn, 1 << order));
+- for (pfn = start_pfn; pfn < end_pfn; pfn += 1 << order)
++ VM_BUG_ON(!IS_ALIGNED(start_pfn, 1 << minimum_order));
++ for (pfn = start_pfn; pfn < end_pfn; pfn += 1 << minimum_order)
+ dissolve_free_huge_page(pfn_to_page(pfn));
+ }
+
+@@ -1627,10 +1626,14 @@ static void __init hugetlb_init_hstates(
+ struct hstate *h;
+
+ for_each_hstate(h) {
++ if (minimum_order > huge_page_order(h))
++ minimum_order = huge_page_order(h);
++
+ /* oversize hugepages were init'ed in early boot */
+ if (!hstate_is_gigantic(h))
+ hugetlb_hstate_alloc_pages(h);
+ }
++ VM_BUG_ON(minimum_order == UINT_MAX);
+ }
+
+ static char * __init memfmt(char *buf, unsigned long n)
--- /dev/null
+From 29535f7b797df35cc9b6b3bca635591cdd3dd2a8 Mon Sep 17 00:00:00 2001
+From: Ding Wang <justin.wang@spreadtrum.com>
+Date: Mon, 18 May 2015 20:14:15 +0800
+Subject: mmc: card: Fixup request missing in mmc_blk_issue_rw_rq
+
+From: Ding Wang <justin.wang@spreadtrum.com>
+
+commit 29535f7b797df35cc9b6b3bca635591cdd3dd2a8 upstream.
+
+The current handler of MMC_BLK_CMD_ERR in mmc_blk_issue_rw_rq function
+may cause new coming request permanent missing when the ongoing
+request (previoulsy started) complete end.
+
+The problem scenario is as follows:
+(1) Request A is ongoing;
+(2) Request B arrived, and finally mmc_blk_issue_rw_rq() is called;
+(3) Request A encounters the MMC_BLK_CMD_ERR error;
+(4) In the error handling of MMC_BLK_CMD_ERR, suppose mmc_blk_cmd_err()
+ end request A completed and return zero. Continue the error handling,
+ suppose mmc_blk_reset() reset device success;
+(5) Continue the execution, while loop completed because variable ret
+ is zero now;
+(6) Finally, mmc_blk_issue_rw_rq() return without processing request B.
+
+The process related to the missing request may wait that IO request
+complete forever, possibly crashing the application or hanging the system.
+
+Fix this issue by starting new request when reset success.
+
+Signed-off-by: Ding Wang <justin.wang@spreadtrum.com>
+Fixes: 67716327eec7 ("mmc: block: add eMMC hardware reset support")
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/card/block.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/card/block.c
++++ b/drivers/mmc/card/block.c
+@@ -1912,9 +1912,11 @@ static int mmc_blk_issue_rw_rq(struct mm
+ break;
+ case MMC_BLK_CMD_ERR:
+ ret = mmc_blk_cmd_err(md, card, brq, req, ret);
+- if (!mmc_blk_reset(md, card->host, type))
+- break;
+- goto cmd_abort;
++ if (mmc_blk_reset(md, card->host, type))
++ goto cmd_abort;
++ if (!ret)
++ goto start_new_req;
++ break;
+ case MMC_BLK_RETRY:
+ if (retry++ < 5)
+ break;
--- /dev/null
+From 5fd26c7ecb32082745b0bd33c8e35badd1cb5a91 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Fri, 5 Jun 2015 11:40:08 +0200
+Subject: mmc: sdhci: Restore behavior while creating OCR mask
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 5fd26c7ecb32082745b0bd33c8e35badd1cb5a91 upstream.
+
+Commit 3a48edc4bd68 ("mmc: sdhci: Use mmc core regulator infrastucture")
+changed the behavior for how to assign the ocr_avail mask for the mmc
+host. More precisely it started to mask the bits instead of assigning
+them.
+
+Restore the behavior, but also make it clear that an OCR mask created
+from an external regulator overrides the other ones. The OCR mask is
+determined by one of the following with this priority:
+
+1. Supported ranges of external regulator if one supplies VDD
+2. Host OCR mask if set by the driver (based on DT properties)
+3. The capabilities reported by the controller itself
+
+Fixes: 3a48edc4bd68 ("mmc: sdhci: Use mmc core regulator infrastucture")
+Cc: Tim Kryger <tim.kryger@gmail.com>
+Reported-by: Yangbo Lu <yangbo.lu@freescale.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Reviewed-by: Tim Kryger <tim.kryger@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/sdhci.c
++++ b/drivers/mmc/host/sdhci.c
+@@ -3315,13 +3315,14 @@ int sdhci_add_host(struct sdhci_host *ho
+ SDHCI_MAX_CURRENT_MULTIPLIER;
+ }
+
+- /* If OCR set by external regulators, use it instead */
++ /* If OCR set by host, use it instead. */
++ if (host->ocr_mask)
++ ocr_avail = host->ocr_mask;
++
++ /* If OCR set by external regulators, give it highest prio. */
+ if (mmc->ocr_avail)
+ ocr_avail = mmc->ocr_avail;
+
+- if (host->ocr_mask)
+- ocr_avail &= host->ocr_mask;
+-
+ mmc->ocr_avail = ocr_avail;
+ mmc->ocr_avail_sdio = ocr_avail;
+ if (host->ocr_avail_sdio)
--- /dev/null
+From 294240ffe784e951dc2ef070da04fa31ef6db3a0 Mon Sep 17 00:00:00 2001
+From: Jingoo Han <jingoohan1@gmail.com>
+Date: Thu, 18 Jun 2015 00:12:27 +0900
+Subject: of/address: use atomic allocation in pci_register_io_range()
+
+From: Jingoo Han <jingoohan1@gmail.com>
+
+commit 294240ffe784e951dc2ef070da04fa31ef6db3a0 upstream.
+
+When kzalloc() is called under spin_lock(), GFP_ATOMIC should be
+used to avoid sleeping allocation.
+The call tree is:
+ of_pci_range_to_resource()
+ --> pci_register_io_range() <-- takes spin_lock(&io_range_lock);
+ --> kzalloc()
+
+Signed-off-by: Jingoo Han <jingoohan1@gmail.com>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/address.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -712,7 +712,7 @@ int __weak pci_register_io_range(phys_ad
+ }
+
+ /* add the range to the list */
+- range = kzalloc(sizeof(*range), GFP_KERNEL);
++ range = kzalloc(sizeof(*range), GFP_ATOMIC);
+ if (!range) {
+ err = -ENOMEM;
+ goto end_register;
--- /dev/null
+From 3fc3a0be0dab352e065d1dad7d3f81953ed0d4bc Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Fri, 8 May 2015 10:47:43 +0200
+Subject: PM / clk: Fix clock error check in __pm_clk_add()
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 3fc3a0be0dab352e065d1dad7d3f81953ed0d4bc upstream.
+
+In the final iteration of commit 245bd6f6af8a62a2 ("PM / clock_ops: Add
+pm_clk_add_clk()"), a refcount increment was added by Grygorii Strashko.
+However, the accompanying IS_ERR() check operates on the wrong clock
+pointer, which is always zero at this point, i.e. not an error.
+This may lead to a NULL pointer dereference later, when __clk_get()
+tries to dereference an error pointer.
+
+Check the passed clock pointer instead to fix this.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Fixes: 245bd6f6af8a62a2 ("PM / clock_ops: Add pm_clk_add_clk()")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/power/clock_ops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/power/clock_ops.c
++++ b/drivers/base/power/clock_ops.c
+@@ -93,7 +93,7 @@ static int __pm_clk_add(struct device *d
+ return -ENOMEM;
+ }
+ } else {
+- if (IS_ERR(ce->clk) || !__clk_get(clk)) {
++ if (IS_ERR(clk) || !__clk_get(clk)) {
+ kfree(ce);
+ return -ENOENT;
+ }
--- /dev/null
+From fff3b16d2754a061a3549c4307a186423a0128fd Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 25 Jun 2015 00:35:16 +0200
+Subject: PM / sleep: Increase default DPM watchdog timeout to 60
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit fff3b16d2754a061a3549c4307a186423a0128fd upstream.
+
+Many harddisks (mostly WD ones) have firmware problems and take too
+long, more than 10 seconds, to resume from suspend. And this often
+exceeds the default DPM watchdog timeout (12 seconds), resulting in a
+kernel panic out of sudden.
+
+Since most distros just take the default as is, we should give a bit
+more safer value. This patch increases the default value from 12
+seconds to one minute, which has been confirmed to be long enough for
+such problematic disks.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=91921
+Fixes: 70fea60d888d (PM / Sleep: Detect device suspend/resume lockup and log event)
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/power/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/power/Kconfig
++++ b/kernel/power/Kconfig
+@@ -187,7 +187,7 @@ config DPM_WATCHDOG
+ config DPM_WATCHDOG_TIMEOUT
+ int "Watchdog timeout in seconds"
+ range 1 120
+- default 12
++ default 60
+ depends on DPM_WATCHDOG
+
+ config PM_TRACE
--- /dev/null
+From 4dc544427991e3cef38ce3ae124b7e6557063bd3 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 5 Jun 2015 15:47:27 +0100
+Subject: RDMA/ocrdma: fix double free on pd
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 4dc544427991e3cef38ce3ae124b7e6557063bd3 upstream.
+
+A reorganisation of the PD allocation and deallocation in commit
+9ba1377daa ("RDMA/ocrdma: Move PD resource management to driver.")
+introduced a double free on pd, as detected by static analysis by
+smatch:
+
+drivers/infiniband/hw/ocrdma/ocrdma_verbs.c:682 ocrdma_alloc_pd()
+ error: double free of 'pd'^
+
+The original call to ocrdma_mbx_dealloc_pd() (which does not kfree
+pd) was replaced with a call to _ocrdma_dealloc_pd() (which does
+kfree pd). The kfree following this call causes the double free,
+so just remove it to fix the problem.
+
+Fixes: 9ba1377daa ("RDMA/ocrdma: Move PD resource management to driver.")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Acked-By: Devesh Sharma <devesh.sharma@avagotech.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
++++ b/drivers/infiniband/hw/ocrdma/ocrdma_verbs.c
+@@ -679,7 +679,6 @@ err:
+ ocrdma_release_ucontext_pd(uctx);
+ } else {
+ status = _ocrdma_dealloc_pd(dev, pd);
+- kfree(pd);
+ }
+ exit:
+ return ERR_PTR(status);
--- /dev/null
+From d194e5d666225b04c7754471df0948f645b6ab3a Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 25 Jun 2015 15:01:44 -0700
+Subject: security_syslog() should be called once only
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit d194e5d666225b04c7754471df0948f645b6ab3a upstream.
+
+The final version of commit 637241a900cb ("kmsg: honor dmesg_restrict
+sysctl on /dev/kmsg") lost few hooks, as result security_syslog() are
+processed incorrectly:
+
+- open of /dev/kmsg checks syslog access permissions by using
+ check_syslog_permissions() where security_syslog() is not called if
+ dmesg_restrict is set.
+
+- syslog syscall and /proc/kmsg calls do_syslog() where security_syslog
+ can be executed twice (inside check_syslog_permissions() and then
+ directly in do_syslog())
+
+With this patch security_syslog() is called once only in all
+syslog-related operations regardless of dmesg_restrict value.
+
+Fixes: 637241a900cb ("kmsg: honor dmesg_restrict sysctl on /dev/kmsg")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Josh Boyer <jwboyer@redhat.com>
+Cc: Eric Paris <eparis@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/printk/printk.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/kernel/printk/printk.c
++++ b/kernel/printk/printk.c
+@@ -484,11 +484,11 @@ int check_syslog_permissions(int type, b
+ * already done the capabilities checks at open time.
+ */
+ if (from_file && type != SYSLOG_ACTION_OPEN)
+- return 0;
++ goto ok;
+
+ if (syslog_action_restricted(type)) {
+ if (capable(CAP_SYSLOG))
+- return 0;
++ goto ok;
+ /*
+ * For historical reasons, accept CAP_SYS_ADMIN too, with
+ * a warning.
+@@ -498,10 +498,11 @@ int check_syslog_permissions(int type, b
+ "CAP_SYS_ADMIN but no CAP_SYSLOG "
+ "(deprecated).\n",
+ current->comm, task_pid_nr(current));
+- return 0;
++ goto ok;
+ }
+ return -EPERM;
+ }
++ok:
+ return security_syslog(type);
+ }
+
+@@ -1263,10 +1264,6 @@ int do_syslog(int type, char __user *buf
+ if (error)
+ goto out;
+
+- error = security_syslog(type);
+- if (error)
+- return error;
+-
+ switch (type) {
+ case SYSLOG_ACTION_CLOSE: /* Close log */
+ break;
--- /dev/null
+From 357d56151976a78d90dc3dfac01777de0ef05212 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 19 May 2015 22:26:04 +0200
+Subject: serial: samsung: only use earlycon for console
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 357d56151976a78d90dc3dfac01777de0ef05212 upstream.
+
+A configuration that enables earlycon but not the core console
+code causes a link error:
+
+ drivers/built-in.o: In function `setup_earlycon':
+ drivers/tty/serial/earlycon.c:70: undefined reference to `uart_parse_earlycon'
+
+That error can be triggered by the newly added samsung earlycon support,
+which is missing a 'select' statement.
+
+As suggested by Peter Hurley, solves the problem by moving the
+'select SERIAL_EARLYCON' statement to the samsung console driver
+option, as it is done by all other console drivers.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: b94ba0328d3b3 ("serial: samsung: Add support for early console")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/Kconfig
++++ b/drivers/tty/serial/Kconfig
+@@ -241,7 +241,6 @@ config SERIAL_SAMSUNG
+ tristate "Samsung SoC serial support"
+ depends on PLAT_SAMSUNG || ARCH_EXYNOS
+ select SERIAL_CORE
+- select SERIAL_EARLYCON
+ help
+ Support for the on-chip UARTs on the Samsung S3C24XX series CPUs,
+ providing /dev/ttySAC0, 1 and 2 (note, some machines may not
+@@ -277,6 +276,7 @@ config SERIAL_SAMSUNG_CONSOLE
+ bool "Support for console on Samsung SoC serial port"
+ depends on SERIAL_SAMSUNG=y
+ select SERIAL_CORE_CONSOLE
++ select SERIAL_EARLYCON
+ help
+ Allow selection of the S3C24XX on-board serial ports for use as
+ an virtual console.
acpica-tables-fix-an-issue-that-facs-initialization-is-performed-twice.patch
acpica-tables-enable-default-64-bit-fadt-addresses-favor.patch
acpi-pci-fix-regressions-caused-by-resource_size_t-overflow-with-32-bit-kernel.patch
+serial-samsung-only-use-earlycon-for-console.patch
+mmc-card-fixup-request-missing-in-mmc_blk_issue_rw_rq.patch
+mmc-sdhci-restore-behavior-while-creating-ocr-mask.patch
+pm-clk-fix-clock-error-check-in-__pm_clk_add.patch
+rdma-ocrdma-fix-double-free-on-pd.patch
+tty-remove-platform_sysrq_reset_seq.patch
+mm-hugetlb-introduce-minimum-hugepage-order.patch
+pm-sleep-increase-default-dpm-watchdog-timeout-to-60.patch
+firmware-dmi_scan-only-honor-end-of-table-for-64-bit-tables.patch
+compiler-intel-fix-wrong-compiler-barrier-macro.patch
+__bitmap_parselist-fix-bug-in-empty-string-handling.patch
+security_syslog-should-be-called-once-only.patch
+mac80211-fix-the-beacon-csa-counter-for-mesh-and-ibss.patch
+iwlwifi-mvm-fix-roc-reference-accounting.patch
+cfg80211-ignore-netif-running-state-when-changing-iftype.patch
+mac80211-prevent-possible-crypto-tx-tailroom-corruption.patch
+e1000e-cleanup-handling-of-vlan_hlen-as-a-part-of-max-frame-size.patch
+clocksource-exynos_mct-avoid-blocking-calls-in-the-cpu-hotplug-notifier.patch
+ideapad_laptop-lenovo-g50-30-fix-rfkill-reports-wireless-blocked.patch
+ideapad-fix-software-rfkill-setting.patch
+of-address-use-atomic-allocation-in-pci_register_io_range.patch
+dell-laptop-fix-allocating-freeing-smi-buffer-page.patch
--- /dev/null
+From ffb6e0c9a0572f8e5f8e9337a1b40ac2ec1493a1 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Tue, 26 May 2015 14:45:29 -0700
+Subject: tty: remove platform_sysrq_reset_seq
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit ffb6e0c9a0572f8e5f8e9337a1b40ac2ec1493a1 upstream.
+
+The platform_sysrq_reset_seq code was intended as a way for an embedded
+platform to provide its own sysrq sequence at compile time. After over two
+years, nobody has started using it in an upstream kernel, and the platforms
+that were interested in it have moved on to devicetree, which can be used
+to configure the sequence without requiring kernel changes. The method is
+also incompatible with the way that most architectures build support for
+multiple platforms into a single kernel.
+
+Now the code is producing warnings when built with gcc-5.1:
+
+drivers/tty/sysrq.c: In function 'sysrq_init':
+drivers/tty/sysrq.c:959:33: warning: array subscript is above array bounds [-Warray-bounds]
+ key = platform_sysrq_reset_seq[i];
+
+We could fix this, but it seems unlikely that it will ever be used, so
+let's just remove the code instead. We still have the option to pass the
+sequence either in DT, using the kernel command line, or using the
+/sys/module/sysrq/parameters/reset_seq file.
+
+Fixes: 154b7a489a ("Input: sysrq - allow specifying alternate reset sequence")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/sysrq.c | 19 +------------------
+ 1 file changed, 1 insertion(+), 18 deletions(-)
+
+--- a/drivers/tty/sysrq.c
++++ b/drivers/tty/sysrq.c
+@@ -55,9 +55,6 @@
+ static int __read_mostly sysrq_enabled = CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE;
+ static bool __read_mostly sysrq_always_enabled;
+
+-unsigned short platform_sysrq_reset_seq[] __weak = { KEY_RESERVED };
+-int sysrq_reset_downtime_ms __weak;
+-
+ static bool sysrq_on(void)
+ {
+ return sysrq_enabled || sysrq_always_enabled;
+@@ -569,6 +566,7 @@ void handle_sysrq(int key)
+ EXPORT_SYMBOL(handle_sysrq);
+
+ #ifdef CONFIG_INPUT
++static int sysrq_reset_downtime_ms;
+
+ /* Simple translation table for the SysRq keys */
+ static const unsigned char sysrq_xlate[KEY_CNT] =
+@@ -949,23 +947,8 @@ static bool sysrq_handler_registered;
+
+ static inline void sysrq_register_handler(void)
+ {
+- unsigned short key;
+ int error;
+- int i;
+-
+- /* First check if a __weak interface was instantiated. */
+- for (i = 0; i < ARRAY_SIZE(sysrq_reset_seq); i++) {
+- key = platform_sysrq_reset_seq[i];
+- if (key == KEY_RESERVED || key > KEY_MAX)
+- break;
+-
+- sysrq_reset_seq[sysrq_reset_seq_len++] = key;
+- }
+
+- /*
+- * DT configuration takes precedence over anything that would
+- * have been defined via the __weak interface.
+- */
+ sysrq_of_get_keyreset_config();
+
+ error = input_register_handler(&sysrq_handler);
projects / thirdparty / kernel / stable-queue.git / commitdiff
