--- /dev/null
+From 8428e84d42179c2a00f5f6450866e70d802d1d05 Mon Sep 17 00:00:00 2001
+From: Catalin Marinas <catalin.marinas@arm.com>
+Date: Mon, 7 Nov 2011 18:05:53 +0100
+Subject: ARM: 7150/1: Allow kernel unaligned accesses on ARMv6+
+ processors
+
+From: Catalin Marinas <catalin.marinas@arm.com>
+
+commit 8428e84d42179c2a00f5f6450866e70d802d1d05 upstream.
+
+Recent gcc versions generate unaligned accesses by default on ARMv6 and
+later processors. This patch ensures that the SCTLR.A bit is always
+cleared on such processors to avoid kernel traping before
+alignment_init() is called.
+
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Tested-by: John Linn <John.Linn@xilinx.com>
+Acked-by: Nicolas Pitre <nico@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/arm/kernel/head.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/head.S
++++ b/arch/arm/kernel/head.S
+@@ -356,7 +356,7 @@ __secondary_data:
+ * r13 = *virtual* address to jump to upon completion
+ */
+ __enable_mmu:
+-#ifdef CONFIG_ALIGNMENT_TRAP
++#if defined(CONFIG_ALIGNMENT_TRAP) && __LINUX_ARM_ARCH__ < 6
+ orr r0, r0, #CR_A
+ #else
+ bic r0, r0, #CR_A
--- /dev/null
+From 58ebacc66bd11be2327edcefc79de94bd6f5bb4a Mon Sep 17 00:00:00 2001
+From: "Luis R. Rodriguez" <mcgrof@qca.qualcomm.com>
+Date: Tue, 8 Nov 2011 14:28:06 -0800
+Subject: cfg80211: fix bug on regulatory core exit on access to last_request
+
+From: "Luis R. Rodriguez" <mcgrof@qca.qualcomm.com>
+
+commit 58ebacc66bd11be2327edcefc79de94bd6f5bb4a upstream.
+
+Commit 4d9d88d1 by Scott James Remnant <keybuk@google.com> added
+the .uevent() callback for the regulatory device used during
+the platform device registration. The change was done to account
+for queuing up udev change requests through udevadm triggers.
+The change also meant that upon regulatory core exit we will now
+send a uevent() but the uevent() callback, reg_device_uevent(),
+also accessed last_request. Right before commiting device suicide
+we free'd last_request but never set it to NULL so
+platform_device_unregister() would lead to bogus kernel paging
+request. Fix this and also simply supress uevents right before
+we commit suicide as they are pointless.
+
+This fix is required for kernels >= v2.6.39
+
+$ git describe --contains 4d9d88d1
+v2.6.39-rc1~468^2~25^2^2~21
+
+The impact of not having this present is that a bogus paging
+access may occur (only read) upon cfg80211 unload time. You
+may also get this BUG complaint below. Although Johannes
+could not reproduce the issue this fix is theoretically correct.
+
+mac80211_hwsim: unregister radios
+mac80211_hwsim: closing netlink
+BUG: unable to handle kernel paging request at ffff88001a06b5ab
+IP: [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211]
+PGD 1836063 PUD 183a063 PMD 1ffcb067 PTE 1a06b160
+Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+CPU 0
+Modules linked in: cfg80211(-) [last unloaded: mac80211]
+
+Pid: 2279, comm: rmmod Tainted: G W 3.1.0-wl+ #663 Bochs Bochs
+RIP: 0010:[<ffffffffa030df9a>] [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211]
+RSP: 0000:ffff88001c5f9d58 EFLAGS: 00010286
+RAX: 0000000000000000 RBX: ffff88001d2eda88 RCX: ffff88001c7468fc
+RDX: ffff88001a06b5a0 RSI: ffff88001c7467b0 RDI: ffff88001c7467b0
+RBP: ffff88001c5f9d58 R08: 000000000000ffff R09: 000000000000ffff
+R10: 0000000000000000 R11: 0000000000000001 R12: ffff88001c7467b0
+R13: ffff88001d2eda78 R14: ffffffff8164a840 R15: 0000000000000001
+FS: 00007f8a91d8a6e0(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: ffff88001a06b5ab CR3: 000000001c62e000 CR4: 00000000000006f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process rmmod (pid: 2279, threadinfo ffff88001c5f8000, task ffff88000023c780)
+Stack:
+ ffff88001c5f9d98 ffffffff812ff7e5 ffffffff8176ab3d ffff88001c7468c2
+ 000000000000ffff ffff88001d2eda88 ffff88001c7467b0 ffff880000114820
+ ffff88001c5f9e38 ffffffff81241dc7 ffff88001c5f9db8 ffffffff81040189
+Call Trace:
+ [<ffffffff812ff7e5>] dev_uevent+0xc5/0x170
+ [<ffffffff81241dc7>] kobject_uevent_env+0x1f7/0x490
+ [<ffffffff81040189>] ? sub_preempt_count+0x29/0x60
+ [<ffffffff814cab1a>] ? _raw_spin_unlock_irqrestore+0x4a/0x90
+ [<ffffffff81305307>] ? devres_release_all+0x27/0x60
+ [<ffffffff8124206b>] kobject_uevent+0xb/0x10
+ [<ffffffff812fee27>] device_del+0x157/0x1b0
+ [<ffffffff8130377d>] platform_device_del+0x1d/0x90
+ [<ffffffff81303b76>] platform_device_unregister+0x16/0x30
+ [<ffffffffa030fffd>] regulatory_exit+0x5d/0x180 [cfg80211]
+ [<ffffffffa032bec3>] cfg80211_exit+0x2b/0x45 [cfg80211]
+ [<ffffffff8109a84c>] sys_delete_module+0x16c/0x220
+ [<ffffffff8108a23e>] ? trace_hardirqs_on_caller+0x7e/0x120
+ [<ffffffff814cba02>] system_call_fastpath+0x16/0x1b
+Code: <all your base are belong to me>
+RIP [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211]
+ RSP <ffff88001c5f9d58>
+CR2: ffff88001a06b5ab
+---[ end trace 147c5099a411e8c0 ]---
+
+Reported-by: Johannes Berg <johannes@sipsolutions.net>
+Cc: Scott James Remnant <keybuk@google.com>
+Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/wireless/reg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2254,6 +2254,9 @@ void /* __init_or_exit */ regulatory_exi
+
+ kfree(last_request);
+
++ last_request = NULL;
++ dev_set_uevent_suppress(®_pdev->dev, true);
++
+ platform_device_unregister(reg_pdev);
+
+ spin_lock_bh(®_pending_beacons_lock);
--- /dev/null
+From 731abb9cb27aef6013ce60808a04e04a545f3f4e Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@redhat.com>
+Date: Thu, 10 Nov 2011 15:10:23 +0000
+Subject: ip6_tunnel: copy parms.name after register_netdevice
+
+From: Josh Boyer <jwboyer@redhat.com>
+
+commit 731abb9cb27aef6013ce60808a04e04a545f3f4e upstream.
+
+Commit 1c5cae815d removed an explicit call to dev_alloc_name in ip6_tnl_create
+because register_netdevice will now create a valid name. This works for the
+net_device itself.
+
+However the tunnel keeps a copy of the name in the parms structure for the
+ip6_tnl associated with the tunnel. parms.name is set by copying the net_device
+name in ip6_tnl_dev_init_gen. That function is called from ip6_tnl_dev_init in
+ip6_tnl_create, but it is done before register_netdevice is called so the name
+is set to a bogus value in the parms.name structure.
+
+This shows up if you do a simple tunnel add, followed by a tunnel show:
+
+[root@localhost ~]# ip -6 tunnel add remote fec0::100 local fec0::200
+[root@localhost ~]# ip -6 tunnel show
+ip6tnl0: ipv6/ipv6 remote :: local :: encaplimit 0 hoplimit 0 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
+ip6tnl%d: ipv6/ipv6 remote fec0::100 local fec0::200 encaplimit 4 hoplimit 64 tclass 0x00 flowlabel 0x00000 (flowinfo 0x00000000)
+[root@localhost ~]#
+
+Fix this by moving the strcpy out of ip6_tnl_dev_init_gen, and calling it after
+register_netdevice has successfully returned.
+
+Signed-off-by: Josh Boyer <jwboyer@redhat.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/ip6_tunnel.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_tunnel.c
++++ b/net/ipv6/ip6_tunnel.c
+@@ -289,6 +289,8 @@ static struct ip6_tnl *ip6_tnl_create(st
+ if ((err = register_netdevice(dev)) < 0)
+ goto failed_free;
+
++ strcpy(t->parms.name, dev->name);
++
+ dev_hold(dev);
+ ip6_tnl_link(ip6n, t);
+ return t;
+@@ -1397,7 +1399,6 @@ ip6_tnl_dev_init_gen(struct net_device *
+ struct ip6_tnl *t = netdev_priv(dev);
+
+ t->dev = dev;
+- strcpy(t->parms.name, dev->name);
+ dev->tstats = alloc_percpu(struct pcpu_tstats);
+ if (!dev->tstats)
+ return -ENOMEM;
+@@ -1477,6 +1478,7 @@ static void __net_exit ip6_tnl_destroy_t
+ static int __net_init ip6_tnl_init_net(struct net *net)
+ {
+ struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id);
++ struct ip6_tnl *t = NULL;
+ int err;
+
+ ip6n->tnls[0] = ip6n->tnls_wc;
+@@ -1497,6 +1499,10 @@ static int __net_init ip6_tnl_init_net(s
+ err = register_netdev(ip6n->fb_tnl_dev);
+ if (err < 0)
+ goto err_register;
++
++ t = netdev_priv(ip6n->fb_tnl_dev);
++
++ strcpy(t->parms.name, ip6n->fb_tnl_dev->name);
+ return 0;
+
+ err_register:
--- /dev/null
+From 9e6dabeffd1d0ec2aa19aa076c4886067238d442 Mon Sep 17 00:00:00 2001
+From: Cornelia Huck <cornelia.huck@de.ibm.com>
+Date: Thu, 17 Nov 2011 11:00:41 +0100
+Subject: KVM: s390: Fix RUNNING flag misinterpretation
+
+From: Cornelia Huck <cornelia.huck@de.ibm.com>
+
+commit 9e6dabeffd1d0ec2aa19aa076c4886067238d442 upstream.
+
+CPUSTAT_RUNNING was implemented signifying that a vcpu is not stopped.
+This is not, however, what the architecture says: RUNNING should be
+set when the host is acting on the behalf of the guest operating
+system.
+
+CPUSTAT_RUNNING has been changed to be set in kvm_arch_vcpu_load()
+and to be unset in kvm_arch_vcpu_put().
+
+For signifying stopped state of a vcpu, a host-controlled bit has
+been used and is set/unset basically on the reverse as the old
+CPUSTAT_RUNNING bit (including pushing it down into stop handling
+proper in handle_stop()).
+
+Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
+Signed-off-by: Carsten Otte <cotte@de.ibm.com>
+Signed-off-by: Avi Kivity <avi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/s390/include/asm/kvm_host.h | 2 +-
+ arch/s390/kvm/diag.c | 2 +-
+ arch/s390/kvm/intercept.c | 3 ++-
+ arch/s390/kvm/interrupt.c | 1 +
+ arch/s390/kvm/kvm-s390.c | 10 +++++++---
+ arch/s390/kvm/sigp.c | 6 +++---
+ 6 files changed, 15 insertions(+), 9 deletions(-)
+
+--- a/arch/s390/include/asm/kvm_host.h
++++ b/arch/s390/include/asm/kvm_host.h
+@@ -47,7 +47,7 @@ struct sca_block {
+ #define KVM_HPAGE_MASK(x) (~(KVM_HPAGE_SIZE(x) - 1))
+ #define KVM_PAGES_PER_HPAGE(x) (KVM_HPAGE_SIZE(x) / PAGE_SIZE)
+
+-#define CPUSTAT_HOST 0x80000000
++#define CPUSTAT_STOPPED 0x80000000
+ #define CPUSTAT_WAIT 0x10000000
+ #define CPUSTAT_ECALL_PEND 0x08000000
+ #define CPUSTAT_STOP_INT 0x04000000
+--- a/arch/s390/kvm/diag.c
++++ b/arch/s390/kvm/diag.c
+@@ -42,7 +42,7 @@ static int __diag_ipl_functions(struct k
+ return -EOPNOTSUPP;
+ }
+
+- atomic_clear_mask(CPUSTAT_RUNNING, &vcpu->arch.sie_block->cpuflags);
++ atomic_set_mask(CPUSTAT_STOPPED, &vcpu->arch.sie_block->cpuflags);
+ vcpu->run->s390_reset_flags |= KVM_S390_RESET_SUBSYSTEM;
+ vcpu->run->s390_reset_flags |= KVM_S390_RESET_IPL;
+ vcpu->run->s390_reset_flags |= KVM_S390_RESET_CPU_INIT;
+--- a/arch/s390/kvm/intercept.c
++++ b/arch/s390/kvm/intercept.c
+@@ -132,7 +132,6 @@ static int handle_stop(struct kvm_vcpu *
+ int rc = 0;
+
+ vcpu->stat.exit_stop_request++;
+- atomic_clear_mask(CPUSTAT_RUNNING, &vcpu->arch.sie_block->cpuflags);
+ spin_lock_bh(&vcpu->arch.local_int.lock);
+ if (vcpu->arch.local_int.action_bits & ACTION_STORE_ON_STOP) {
+ vcpu->arch.local_int.action_bits &= ~ACTION_STORE_ON_STOP;
+@@ -149,6 +148,8 @@ static int handle_stop(struct kvm_vcpu *
+ }
+
+ if (vcpu->arch.local_int.action_bits & ACTION_STOP_ON_STOP) {
++ atomic_set_mask(CPUSTAT_STOPPED,
++ &vcpu->arch.sie_block->cpuflags);
+ vcpu->arch.local_int.action_bits &= ~ACTION_STOP_ON_STOP;
+ VCPU_EVENT(vcpu, 3, "%s", "cpu stopped");
+ rc = -EOPNOTSUPP;
+--- a/arch/s390/kvm/interrupt.c
++++ b/arch/s390/kvm/interrupt.c
+@@ -224,6 +224,7 @@ static void __do_deliver_interrupt(struc
+ offsetof(struct _lowcore, restart_psw), sizeof(psw_t));
+ if (rc == -EFAULT)
+ exception = 1;
++ atomic_clear_mask(CPUSTAT_STOPPED, &vcpu->arch.sie_block->cpuflags);
+ break;
+
+ case KVM_S390_PROGRAM_INT:
+--- a/arch/s390/kvm/kvm-s390.c
++++ b/arch/s390/kvm/kvm-s390.c
+@@ -265,10 +265,12 @@ void kvm_arch_vcpu_load(struct kvm_vcpu
+ restore_fp_regs(&vcpu->arch.guest_fpregs);
+ restore_access_regs(vcpu->arch.guest_acrs);
+ gmap_enable(vcpu->arch.gmap);
++ atomic_set_mask(CPUSTAT_RUNNING, &vcpu->arch.sie_block->cpuflags);
+ }
+
+ void kvm_arch_vcpu_put(struct kvm_vcpu *vcpu)
+ {
++ atomic_clear_mask(CPUSTAT_RUNNING, &vcpu->arch.sie_block->cpuflags);
+ gmap_disable(vcpu->arch.gmap);
+ save_fp_regs(&vcpu->arch.guest_fpregs);
+ save_access_regs(vcpu->arch.guest_acrs);
+@@ -296,7 +298,9 @@ static void kvm_s390_vcpu_initial_reset(
+
+ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu)
+ {
+- atomic_set(&vcpu->arch.sie_block->cpuflags, CPUSTAT_ZARCH | CPUSTAT_SM);
++ atomic_set(&vcpu->arch.sie_block->cpuflags, CPUSTAT_ZARCH |
++ CPUSTAT_SM |
++ CPUSTAT_STOPPED);
+ vcpu->arch.sie_block->ecb = 6;
+ vcpu->arch.sie_block->eca = 0xC1002001U;
+ vcpu->arch.sie_block->fac = (int) (long) facilities;
+@@ -421,7 +425,7 @@ static int kvm_arch_vcpu_ioctl_set_initi
+ {
+ int rc = 0;
+
+- if (atomic_read(&vcpu->arch.sie_block->cpuflags) & CPUSTAT_RUNNING)
++ if (!(atomic_read(&vcpu->arch.sie_block->cpuflags) & CPUSTAT_STOPPED))
+ rc = -EBUSY;
+ else {
+ vcpu->run->psw_mask = psw.mask;
+@@ -494,7 +498,7 @@ rerun_vcpu:
+ if (vcpu->sigset_active)
+ sigprocmask(SIG_SETMASK, &vcpu->sigset, &sigsaved);
+
+- atomic_set_mask(CPUSTAT_RUNNING, &vcpu->arch.sie_block->cpuflags);
++ atomic_clear_mask(CPUSTAT_STOPPED, &vcpu->arch.sie_block->cpuflags);
+
+ BUG_ON(vcpu->kvm->arch.float_int.local_int[vcpu->vcpu_id] == NULL);
+
+--- a/arch/s390/kvm/sigp.c
++++ b/arch/s390/kvm/sigp.c
+@@ -57,8 +57,8 @@ static int __sigp_sense(struct kvm_vcpu
+ spin_lock(&fi->lock);
+ if (fi->local_int[cpu_addr] == NULL)
+ rc = 3; /* not operational */
+- else if (atomic_read(fi->local_int[cpu_addr]->cpuflags)
+- & CPUSTAT_RUNNING) {
++ else if (!(atomic_read(fi->local_int[cpu_addr]->cpuflags)
++ & CPUSTAT_STOPPED)) {
+ *reg &= 0xffffffff00000000UL;
+ rc = 1; /* status stored */
+ } else {
+@@ -212,7 +212,7 @@ static int __sigp_set_prefix(struct kvm_
+
+ spin_lock_bh(&li->lock);
+ /* cpu must be in stopped state */
+- if (atomic_read(li->cpuflags) & CPUSTAT_RUNNING) {
++ if (!(atomic_read(li->cpuflags) & CPUSTAT_STOPPED)) {
+ rc = 1; /* incorrect state */
+ *reg &= SIGP_STAT_INCORRECT_STATE;
+ kfree(inti);
--- /dev/null
+From 5b2bbf75a24d6b06afff6de0eb4819413fd81971 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 8 Nov 2011 13:04:41 +0100
+Subject: mac80211: fix bug in ieee80211_build_probe_req
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 5b2bbf75a24d6b06afff6de0eb4819413fd81971 upstream.
+
+ieee80211_probereq_get() can return NULL in
+which case we should clean up & return NULL
+in ieee80211_build_probe_req() as well.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/util.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -1055,6 +1055,8 @@ struct sk_buff *ieee80211_build_probe_re
+ skb = ieee80211_probereq_get(&local->hw, &sdata->vif,
+ ssid, ssid_len,
+ buf, buf_len);
++ if (!skb)
++ goto out;
+
+ if (dst) {
+ mgmt = (struct ieee80211_mgmt *) skb->data;
+@@ -1063,6 +1065,8 @@ struct sk_buff *ieee80211_build_probe_re
+ }
+
+ IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
++
++ out:
+ kfree(buf);
+
+ return skb;
--- /dev/null
+From f8d1ccf15568268c76f913b45ecdd33134387f1a Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 8 Nov 2011 12:28:33 +0100
+Subject: mac80211: fix NULL dereference in radiotap code
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit f8d1ccf15568268c76f913b45ecdd33134387f1a upstream.
+
+When receiving failed PLCP frames is enabled, there
+won't be a rate pointer when we add the radiotap
+header and thus the kernel will crash. Fix this by
+not assuming the rate pointer is always valid. It's
+still always valid for frames that have good PLCP
+though, and that is checked & enforced.
+
+This was broken by my
+commit fc88518916793af8ad6a02e05ff254d95c36d875
+Author: Johannes Berg <johannes.berg@intel.com>
+Date: Fri Jul 30 13:23:12 2010 +0200
+
+ mac80211: don't check rates on PLCP error frames
+
+where I removed the check in this case but didn't
+take into account that the rate info would be used.
+
+Reported-by: Xiaokang Qin <xiaokang.qin@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/mac80211/rx.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -140,8 +140,9 @@ ieee80211_add_rx_radiotap_header(struct
+ pos++;
+
+ /* IEEE80211_RADIOTAP_RATE */
+- if (status->flag & RX_FLAG_HT) {
++ if (!rate || status->flag & RX_FLAG_HT) {
+ /*
++ * Without rate information don't add it. If we have,
+ * MCS information is a separate field in radiotap,
+ * added below. The byte here is needed as padding
+ * for the channel though, so initialise it to 0.
+@@ -162,12 +163,14 @@ ieee80211_add_rx_radiotap_header(struct
+ else if (status->flag & RX_FLAG_HT)
+ put_unaligned_le16(IEEE80211_CHAN_DYN | IEEE80211_CHAN_2GHZ,
+ pos);
+- else if (rate->flags & IEEE80211_RATE_ERP_G)
++ else if (rate && rate->flags & IEEE80211_RATE_ERP_G)
+ put_unaligned_le16(IEEE80211_CHAN_OFDM | IEEE80211_CHAN_2GHZ,
+ pos);
+- else
++ else if (rate)
+ put_unaligned_le16(IEEE80211_CHAN_CCK | IEEE80211_CHAN_2GHZ,
+ pos);
++ else
++ put_unaligned_le16(IEEE80211_CHAN_2GHZ, pos);
+ pos += 2;
+
+ /* IEEE80211_RADIOTAP_DBM_ANTSIGNAL */
--- /dev/null
+From fe09b32a4361bea44169b2063e8c867cabb6a8ba Mon Sep 17 00:00:00 2001
+From: Jesper Juhl <jj@chaosbits.net>
+Date: Sun, 13 Nov 2011 22:14:32 +0100
+Subject: Net, libertas: Resolve memory leak in if_spi_host_to_card()
+
+From: Jesper Juhl <jj@chaosbits.net>
+
+commit fe09b32a4361bea44169b2063e8c867cabb6a8ba upstream.
+
+If we hit the default case in the switch in if_spi_host_to_card() we'll leak
+the memory we allocated for 'packet'. This patch resolves the leak by freeing
+the allocated memory in that case.
+
+Signed-off-by: Jesper Juhl <jj@chaosbits.net>
+Acked-by: Dan Williams <dcbw@redhat.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/libertas/if_spi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/libertas/if_spi.c
++++ b/drivers/net/wireless/libertas/if_spi.c
+@@ -999,6 +999,7 @@ static int if_spi_host_to_card(struct lb
+ spin_unlock_irqrestore(&card->buffer_lock, flags);
+ break;
+ default:
++ kfree(packet);
+ netdev_err(priv->dev, "can't transfer buffer of type %d\n",
+ type);
+ err = -EINVAL;
--- /dev/null
+From 6c7394197af90f6a332180e33f5d025d3037d883 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 3 Nov 2011 09:27:01 +0100
+Subject: nl80211: fix HT capability attribute validation
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 6c7394197af90f6a332180e33f5d025d3037d883 upstream.
+
+Since the NL80211_ATTR_HT_CAPABILITY attribute is
+used as a struct, it needs a minimum, not maximum
+length. Enforce that properly. Not doing so could
+potentially lead to reading after the buffer.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/wireless/nl80211.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -126,8 +126,7 @@ static const struct nla_policy nl80211_p
+ [NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
+ [NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
+
+- [NL80211_ATTR_HT_CAPABILITY] = { .type = NLA_BINARY,
+- .len = NL80211_HT_CAPABILITY_LEN },
++ [NL80211_ATTR_HT_CAPABILITY] = { .len = NL80211_HT_CAPABILITY_LEN },
+
+ [NL80211_ATTR_MGMT_SUBTYPE] = { .type = NLA_U8 },
+ [NL80211_ATTR_IE] = { .type = NLA_BINARY,
--- /dev/null
+From af8db1508f2c9f3b6e633e2d2d906c6557c617f9 Mon Sep 17 00:00:00 2001
+From: Peter Chen <peter.chen@freescale.com>
+Date: Tue, 15 Nov 2011 21:52:29 +0100
+Subject: PM / driver core: disable device's runtime PM during shutdown
+
+From: Peter Chen <peter.chen@freescale.com>
+
+commit af8db1508f2c9f3b6e633e2d2d906c6557c617f9 upstream.
+
+There may be an issue when the user issue "reboot/shutdown" command, then
+the device has shut down its hardware, after that, this runtime-pm featured
+device's driver will probably be scheduled to do its suspend routine,
+and at its suspend routine, it may access hardware, but the device has
+already shutdown physically, then the system hang may be occurred.
+
+I ran out this issue using an auto-suspend supported USB devices, like
+3G modem, keyboard. The usb runtime suspend routine may be scheduled
+after the usb controller has been shut down, and the usb runtime suspend
+routine will try to suspend its roothub(controller), it will access
+register, then the system hang occurs as the controller is shutdown.
+
+Signed-off-by: Peter Chen <peter.chen@freescale.com>
+Acked-by: Ming Lei <tom.leiming@gmail.com>
+Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/base/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/base/core.c
++++ b/drivers/base/core.c
+@@ -22,6 +22,7 @@
+ #include <linux/kallsyms.h>
+ #include <linux/mutex.h>
+ #include <linux/async.h>
++#include <linux/pm_runtime.h>
+
+ #include "base.h"
+ #include "power/power.h"
+@@ -1742,6 +1743,8 @@ void device_shutdown(void)
+ */
+ list_del_init(&dev->kobj.entry);
+ spin_unlock(&devices_kset->list_lock);
++ /* Disable all device's runtime power management */
++ pm_runtime_disable(dev);
+
+ if (dev->bus && dev->bus->shutdown) {
+ dev_dbg(dev, "shutdown\n");
--- /dev/null
+From ed66ba472a742cd8df37d7072804b2111cdb1014 Mon Sep 17 00:00:00 2001
+From: Gertjan van Wingerde <gwingerde@gmail.com>
+Date: Sat, 12 Nov 2011 19:10:44 +0100
+Subject: rt2x00: Fix sleep-while-atomic bug in powersaving code.
+
+From: Gertjan van Wingerde <gwingerde@gmail.com>
+
+commit ed66ba472a742cd8df37d7072804b2111cdb1014 upstream.
+
+The generic powersaving code that determines after reception of a frame
+whether the device should go back to sleep or whether is could stay
+awake was calling rt2x00lib_config directly from RX tasklet context.
+On a number of the devices this call can actually sleep, due to having
+to confirm that the sleeping commands have been executed successfully.
+
+Fix this by moving the call to rt2x00lib_config to a workqueue call.
+
+This fixes bug https://bugzilla.redhat.com/show_bug.cgi?id=731672
+
+Tested-by: Tomas Trnka <tomastrnka@gmx.com>
+Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
+Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/wireless/rt2x00/rt2x00.h | 1 +
+ drivers/net/wireless/rt2x00/rt2x00dev.c | 22 ++++++++++++++++++++--
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/rt2x00/rt2x00.h
++++ b/drivers/net/wireless/rt2x00/rt2x00.h
+@@ -923,6 +923,7 @@ struct rt2x00_dev {
+ * Powersaving work
+ */
+ struct delayed_work autowakeup_work;
++ struct work_struct sleep_work;
+
+ /*
+ * Data queue arrays for RX, TX, Beacon and ATIM.
+--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
++++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
+@@ -449,6 +449,23 @@ static u8 *rt2x00lib_find_ie(u8 *data, u
+ return NULL;
+ }
+
++static void rt2x00lib_sleep(struct work_struct *work)
++{
++ struct rt2x00_dev *rt2x00dev =
++ container_of(work, struct rt2x00_dev, sleep_work);
++
++ if (!test_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags))
++ return;
++
++ /*
++ * Check again is powersaving is enabled, to prevent races from delayed
++ * work execution.
++ */
++ if (!test_bit(CONFIG_POWERSAVING, &rt2x00dev->flags))
++ rt2x00lib_config(rt2x00dev, &rt2x00dev->hw->conf,
++ IEEE80211_CONF_CHANGE_PS);
++}
++
+ static void rt2x00lib_rxdone_check_ps(struct rt2x00_dev *rt2x00dev,
+ struct sk_buff *skb,
+ struct rxdone_entry_desc *rxdesc)
+@@ -496,8 +513,7 @@ static void rt2x00lib_rxdone_check_ps(st
+ cam |= (tim_ie->bitmap_ctrl & 0x01);
+
+ if (!cam && !test_bit(CONFIG_POWERSAVING, &rt2x00dev->flags))
+- rt2x00lib_config(rt2x00dev, &rt2x00dev->hw->conf,
+- IEEE80211_CONF_CHANGE_PS);
++ queue_work(rt2x00dev->workqueue, &rt2x00dev->sleep_work);
+ }
+
+ static int rt2x00lib_rxdone_read_signal(struct rt2x00_dev *rt2x00dev,
+@@ -1121,6 +1137,7 @@ int rt2x00lib_probe_dev(struct rt2x00_de
+
+ INIT_WORK(&rt2x00dev->intf_work, rt2x00lib_intf_scheduled);
+ INIT_DELAYED_WORK(&rt2x00dev->autowakeup_work, rt2x00lib_autowakeup);
++ INIT_WORK(&rt2x00dev->sleep_work, rt2x00lib_sleep);
+
+ /*
+ * Let the driver probe the device to detect the capabilities.
+@@ -1177,6 +1194,7 @@ void rt2x00lib_remove_dev(struct rt2x00_
+ */
+ cancel_work_sync(&rt2x00dev->intf_work);
+ cancel_delayed_work_sync(&rt2x00dev->autowakeup_work);
++ cancel_work_sync(&rt2x00dev->sleep_work);
+ if (rt2x00_is_usb(rt2x00dev)) {
+ del_timer_sync(&rt2x00dev->txstatus_timer);
+ cancel_work_sync(&rt2x00dev->rxdone_work);
hpsa-disable-aspm.patch
aacraid-controller-hangs-if-kernel-uses-non-default-aspm-policy.patch
saa7164-add-support-for-another-hvr2200-hardware-revision.patch
+kvm-s390-fix-running-flag-misinterpretation.patch
+arm-7150-1-allow-kernel-unaligned-accesses-on-armv6.patch
+net-libertas-resolve-memory-leak-in-if_spi_host_to_card.patch
+rt2x00-fix-sleep-while-atomic-bug-in-powersaving-code.patch
+mac80211-fix-null-dereference-in-radiotap-code.patch
+mac80211-fix-bug-in-ieee80211_build_probe_req.patch
+nl80211-fix-ht-capability-attribute-validation.patch
+cfg80211-fix-bug-on-regulatory-core-exit-on-access-to-last_request.patch
+ip6_tunnel-copy-parms.name-after-register_netdevice.patch
+pm-driver-core-disable-device-s-runtime-pm-during-shutdown.patch