--- /dev/null
+From dbdedbdf4fbff3d4962a0786f37aa86dfdc48a7e Mon Sep 17 00:00:00 2001
+From: Seth Forshee <seth.forshee@canonical.com>
+Date: Wed, 25 Apr 2012 17:28:00 -0500
+Subject: b43: only reload config after successful initialization
+
+From: Seth Forshee <seth.forshee@canonical.com>
+
+commit dbdedbdf4fbff3d4962a0786f37aa86dfdc48a7e upstream.
+
+Commit 2a19032 (b43: reload phy and bss settings after core restarts)
+introduced an unconditional call to b43_op_config() at the end of
+b43_op_start(). When firmware fails to load this can wedge the system.
+There's no need to reload the configuration after a failed
+initialization anyway, so only make the call if initialization was
+successful.
+
+BugLink: http://bugs.launchpad.net/bugs/950295
+Cc: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/b43/main.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -4841,8 +4841,14 @@ static int b43_op_start(struct ieee80211
+ out_mutex_unlock:
+ mutex_unlock(&wl->mutex);
+
+- /* reload configuration */
+- b43_op_config(hw, ~0);
++ /*
++ * Configuration may have been overwritten during initialization.
++ * Reload the configuration, but only if initialization was
++ * successful. Reloading the configuration after a failed init
++ * may hang the system.
++ */
++ if (!err)
++ b43_op_config(hw, ~0);
+
+ return err;
+ }
--- /dev/null
+From 54b3a4d311c98ad94b737802a8b5f2c8c6bfd627 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg@redhat.com>
+Date: Thu, 3 May 2012 16:50:46 -0400
+Subject: efivars: Improve variable validation
+
+From: Matthew Garrett <mjg@redhat.com>
+
+commit 54b3a4d311c98ad94b737802a8b5f2c8c6bfd627 upstream.
+
+Ben Hutchings pointed out that the validation in efivars was inadequate -
+most obviously, an entry with size 0 would server as a DoS against the
+kernel. Improve this based on his suggestions.
+
+Signed-off-by: Matthew Garrett <mjg@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firmware/efivars.c | 46 +++++++++++++++++++++++++++++----------------
+ 1 file changed, 30 insertions(+), 16 deletions(-)
+
+--- a/drivers/firmware/efivars.c
++++ b/drivers/firmware/efivars.c
+@@ -192,18 +192,21 @@ utf16_strncmp(const efi_char16_t *a, con
+ }
+
+ static bool
+-validate_device_path(struct efi_variable *var, int match, u8 *buffer, int len)
++validate_device_path(struct efi_variable *var, int match, u8 *buffer,
++ unsigned long len)
+ {
+ struct efi_generic_dev_path *node;
+ int offset = 0;
+
+ node = (struct efi_generic_dev_path *)buffer;
+
+- while (offset < len) {
+- offset += node->length;
++ if (len < sizeof(*node))
++ return false;
+
+- if (offset > len)
+- return false;
++ while (offset <= len - sizeof(*node) &&
++ node->length >= sizeof(*node) &&
++ node->length <= len - offset) {
++ offset += node->length;
+
+ if ((node->type == EFI_DEV_END_PATH ||
+ node->type == EFI_DEV_END_PATH2) &&
+@@ -222,7 +225,8 @@ validate_device_path(struct efi_variable
+ }
+
+ static bool
+-validate_boot_order(struct efi_variable *var, int match, u8 *buffer, int len)
++validate_boot_order(struct efi_variable *var, int match, u8 *buffer,
++ unsigned long len)
+ {
+ /* An array of 16-bit integers */
+ if ((len % 2) != 0)
+@@ -232,19 +236,27 @@ validate_boot_order(struct efi_variable
+ }
+
+ static bool
+-validate_load_option(struct efi_variable *var, int match, u8 *buffer, int len)
++validate_load_option(struct efi_variable *var, int match, u8 *buffer,
++ unsigned long len)
+ {
+ u16 filepathlength;
+- int i, desclength = 0;
++ int i, desclength = 0, namelen;
++
++ namelen = utf16_strnlen(var->VariableName, sizeof(var->VariableName));
+
+ /* Either "Boot" or "Driver" followed by four digits of hex */
+ for (i = match; i < match+4; i++) {
+- if (hex_to_bin(var->VariableName[i] & 0xff) < 0)
++ if (var->VariableName[i] > 127 ||
++ hex_to_bin(var->VariableName[i] & 0xff) < 0)
+ return true;
+ }
+
+- /* A valid entry must be at least 6 bytes */
+- if (len < 6)
++ /* Reject it if there's 4 digits of hex and then further content */
++ if (namelen > match + 4)
++ return false;
++
++ /* A valid entry must be at least 8 bytes */
++ if (len < 8)
+ return false;
+
+ filepathlength = buffer[4] | buffer[5] << 8;
+@@ -253,7 +265,7 @@ validate_load_option(struct efi_variable
+ * There's no stored length for the description, so it has to be
+ * found by hand
+ */
+- desclength = utf16_strsize((efi_char16_t *)(buffer + 6), len) + 2;
++ desclength = utf16_strsize((efi_char16_t *)(buffer + 6), len - 6) + 2;
+
+ /* Each boot entry must have a descriptor */
+ if (!desclength)
+@@ -275,7 +287,8 @@ validate_load_option(struct efi_variable
+ }
+
+ static bool
+-validate_uint16(struct efi_variable *var, int match, u8 *buffer, int len)
++validate_uint16(struct efi_variable *var, int match, u8 *buffer,
++ unsigned long len)
+ {
+ /* A single 16-bit integer */
+ if (len != 2)
+@@ -285,7 +298,8 @@ validate_uint16(struct efi_variable *var
+ }
+
+ static bool
+-validate_ascii_string(struct efi_variable *var, int match, u8 *buffer, int len)
++validate_ascii_string(struct efi_variable *var, int match, u8 *buffer,
++ unsigned long len)
+ {
+ int i;
+
+@@ -303,7 +317,7 @@ validate_ascii_string(struct efi_variabl
+ struct variable_validate {
+ char *name;
+ bool (*validate)(struct efi_variable *var, int match, u8 *data,
+- int len);
++ unsigned long len);
+ };
+
+ static const struct variable_validate variable_validate[] = {
+@@ -325,7 +339,7 @@ static const struct variable_validate va
+ };
+
+ static bool
+-validate_var(struct efi_variable *var, u8 *data, int len)
++validate_var(struct efi_variable *var, u8 *data, unsigned long len)
+ {
+ int i;
+ u16 *unicode_name = var->VariableName;
--- /dev/null
+From b704871124b477807966f06789c2b32f2de58bf7 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Mon, 30 Apr 2012 09:18:01 -0400
+Subject: hwmon: (coretemp) fix oops on cpu unplug
+
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+
+commit b704871124b477807966f06789c2b32f2de58bf7 upstream.
+
+coretemp tries to access core_data array beyond bounds on cpu unplug if
+core id of the cpu if more than NUM_REAL_CORES-1.
+
+BUG: unable to handle kernel NULL pointer dereference at 000000000000013c
+IP: [<ffffffffa00159af>] coretemp_cpu_callback+0x93/0x1ba [coretemp]
+PGD 673e5a067 PUD 66e9b3067 PMD 0
+Oops: 0000 [#1] SMP
+CPU 79
+Modules linked in: sunrpc cpufreq_ondemand acpi_cpufreq freq_table mperf bnep bluetooth rfkill ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter nf_conntrack_ipv4 nf_defrag_ipv4 ip6_tables xt_state nf_conntrack coretemp crc32c_intel asix tpm_tis pcspkr usbnet iTCO_wdt i2c_i801 microcode mii joydev tpm i2c_core iTCO_vendor_support tpm_bios i7core_edac igb ioatdma edac_core dca megaraid_sas [last unloaded: oprofile]
+
+Pid: 3315, comm: set-cpus Tainted: G W 3.4.0-rc5+ #2 QCI QSSC-S4R/QSSC-S4R
+RIP: 0010:[<ffffffffa00159af>] [<ffffffffa00159af>] coretemp_cpu_callback+0x93/0x1ba [coretemp]
+RSP: 0018:ffff880472fb3d48 EFLAGS: 00010246
+RAX: 0000000000000124 RBX: 0000000000000034 RCX: 00000000ffffffff
+RDX: 0000000000000000 RSI: 0000000000000046 RDI: 0000000000000246
+RBP: ffff880472fb3d88 R08: ffff88077fcd36c0 R09: 0000000000000001
+R10: ffffffff8184bc48 R11: 0000000000000000 R12: ffff880273095800
+R13: 0000000000000013 R14: ffff8802730a1810 R15: 0000000000000000
+FS: 00007f694a20f720(0000) GS:ffff88077fcc0000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 000000000000013c CR3: 000000067209b000 CR4: 00000000000007e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process set-cpus (pid: 3315, threadinfo ffff880472fb2000, task ffff880471fa0000)
+Stack:
+ ffff880277b4c308 0000000000000003 ffff880472fb3d88 0000000000000005
+ 0000000000000034 00000000ffffffd1 ffffffff81cadc70 ffff880472fb3e14
+ ffff880472fb3dc8 ffffffff8161f48d ffff880471fa0000 0000000000000034
+Call Trace:
+ [<ffffffff8161f48d>] notifier_call_chain+0x4d/0x70
+ [<ffffffff8107f1be>] __raw_notifier_call_chain+0xe/0x10
+ [<ffffffff81059d30>] __cpu_notify+0x20/0x40
+ [<ffffffff815fa251>] _cpu_down+0x81/0x270
+ [<ffffffff815fa477>] cpu_down+0x37/0x50
+ [<ffffffff815fd6a3>] store_online+0x63/0xc0
+ [<ffffffff813c7078>] dev_attr_store+0x18/0x30
+ [<ffffffff811f02cf>] sysfs_write_file+0xef/0x170
+ [<ffffffff81180443>] vfs_write+0xb3/0x180
+ [<ffffffff8118076a>] sys_write+0x4a/0x90
+ [<ffffffff816236a9>] system_call_fastpath+0x16/0x1b
+Code: 48 c7 c7 94 60 01 a0 44 0f b7 ac 10 ac 00 00 00 31 c0 e8 41 b7 5f e1 41 83 c5 02 49 63 c5 49 8b 44 c4 10 48 85 c0 74 56 45 31 ff <39> 58 18 75 4e eb 1f 49 63 d7 4c 89 f7 48 89 45 c8 48 6b d2 28
+RIP [<ffffffffa00159af>] coretemp_cpu_callback+0x93/0x1ba [coretemp]
+ RSP <ffff880472fb3d48>
+CR2: 000000000000013c
+
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/coretemp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -708,6 +708,10 @@ static void __cpuinit put_core_offline(u
+
+ indx = TO_ATTR_NO(cpu);
+
++ /* The core id is too big, just return */
++ if (indx > MAX_CORE_DATA - 1)
++ return;
++
+ if (pdata->core_data[indx] && pdata->core_data[indx]->cpu == cpu)
+ coretemp_remove_core(pdata, &pdev->dev, indx);
+
--- /dev/null
+From bdc71c9a87b898e4c380c23b2e3e18071312ecde Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <guenter.roeck@ericsson.com>
+Date: Tue, 1 May 2012 08:15:42 -0700
+Subject: hwmon: (coretemp) Increase CPU core limit
+
+From: Guenter Roeck <guenter.roeck@ericsson.com>
+
+commit bdc71c9a87b898e4c380c23b2e3e18071312ecde upstream.
+
+CPU core ID is used to index the core_data[] array. The core ID is, however, not
+sequential; 10-core CPUS can have a core ID as high as 25. Increase the limit to
+32 to be able to deal with current CPUs.
+
+Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
+Acked-by: Jean Delvare <khali@linux-fr.org>
+Acked-by: Durgadoss R <durgadoss.r@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/coretemp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -51,7 +51,7 @@ module_param_named(tjmax, force_tjmax, i
+ MODULE_PARM_DESC(tjmax, "TjMax value in degrees Celsius");
+
+ #define BASE_SYSFS_ATTR_NO 2 /* Sysfs Base attr no for coretemp */
+-#define NUM_REAL_CORES 16 /* Number of Real cores per cpu */
++#define NUM_REAL_CORES 32 /* Number of Real cores per cpu */
+ #define CORETEMP_NAME_LENGTH 17 /* String Length of attrs */
+ #define MAX_CORE_ATTRS 4 /* Maximum no of basic attrs */
+ #define TOTAL_ATTRS (MAX_CORE_ATTRS + 1)
--- /dev/null
+From 6c557cfee08751d22aed34840f389b846f0f4508 Mon Sep 17 00:00:00 2001
+From: Roland Stigge <stigge@antcom.de>
+Date: Wed, 4 Apr 2012 10:34:37 +0200
+Subject: i2c: pnx: Disable clk in suspend
+
+From: Roland Stigge <stigge@antcom.de>
+
+commit 6c557cfee08751d22aed34840f389b846f0f4508 upstream.
+
+In the driver's suspend function, clk_enable() was used instead of
+clk_disable(). This is corrected with this patch.
+
+Signed-off-by: Roland Stigge <stigge@antcom.de>
+Reviewed-by: Arnd Bergmann <arnd@arndb.de>
+[wsa: reworded commit header slightly]
+Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-pnx.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-pnx.c
++++ b/drivers/i2c/busses/i2c-pnx.c
+@@ -546,8 +546,7 @@ static int i2c_pnx_controller_suspend(st
+ {
+ struct i2c_pnx_algo_data *alg_data = platform_get_drvdata(pdev);
+
+- /* FIXME: shouldn't this be clk_disable? */
+- clk_enable(alg_data->clk);
++ clk_disable(alg_data->clk);
+
+ return 0;
+ }
--- /dev/null
+From dd447319895d0c0af423e483d9b63f84f3f8869a Mon Sep 17 00:00:00 2001
+From: Stanislav Yakovlev <stas.yakovlev@gmail.com>
+Date: Thu, 19 Apr 2012 15:55:09 -0400
+Subject: ipw2200: Fix race condition in the command completion acknowledge
+
+From: Stanislav Yakovlev <stas.yakovlev@gmail.com>
+
+commit dd447319895d0c0af423e483d9b63f84f3f8869a upstream.
+
+Driver incorrectly validates command completion: instead of waiting
+for a command to be acknowledged it continues execution. Most of the
+time driver gets acknowledge of the command completion in a tasklet
+before it executes the next one. But sometimes it sends the next
+command before it gets acknowledge for the previous one. In such a
+case one of the following error messages appear in the log:
+
+Failed to send SYSTEM_CONFIG: Already sending a command.
+Failed to send ASSOCIATE: Already sending a command.
+Failed to send TX_POWER: Already sending a command.
+
+After that you need to reload the driver to get it working again.
+
+This bug occurs during roaming (reported by Sam Varshavchik)
+https://bugzilla.redhat.com/show_bug.cgi?id=738508
+and machine booting (reported by Tom Gundersen and Mads Kiilerich)
+https://bugs.archlinux.org/task/28097
+https://bugzilla.redhat.com/show_bug.cgi?id=802106
+
+This patch doesn't fix the delay issue during firmware load.
+But at least device now works as usual after boot.
+
+Signed-off-by: Stanislav Yakovlev <stas.yakovlev@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ipw2x00/ipw2200.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ipw2x00/ipw2200.c
++++ b/drivers/net/wireless/ipw2x00/ipw2200.c
+@@ -2191,6 +2191,7 @@ static int __ipw_send_cmd(struct ipw_pri
+ {
+ int rc = 0;
+ unsigned long flags;
++ unsigned long now, end;
+
+ spin_lock_irqsave(&priv->lock, flags);
+ if (priv->status & STATUS_HCMD_ACTIVE) {
+@@ -2232,10 +2233,20 @@ static int __ipw_send_cmd(struct ipw_pri
+ }
+ spin_unlock_irqrestore(&priv->lock, flags);
+
++ now = jiffies;
++ end = now + HOST_COMPLETE_TIMEOUT;
++again:
+ rc = wait_event_interruptible_timeout(priv->wait_command_queue,
+ !(priv->
+ status & STATUS_HCMD_ACTIVE),
+- HOST_COMPLETE_TIMEOUT);
++ end - now);
++ if (rc < 0) {
++ now = jiffies;
++ if (time_before(now, end))
++ goto again;
++ rc = 0;
++ }
++
+ if (rc == 0) {
+ spin_lock_irqsave(&priv->lock, flags);
+ if (priv->status & STATUS_HCMD_ACTIVE) {
--- /dev/null
+From 8db4c7e25d153fb049e81715d72fa3be3a0c3b69 Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Wed, 18 Apr 2012 08:01:15 -0700
+Subject: iwlwifi: do not nulify ctx->vif on reset
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit 8db4c7e25d153fb049e81715d72fa3be3a0c3b69 upstream.
+
+ctx->vif is dereferenced in different part of iwlwifi code, so do not
+nullify it.
+
+This should address at least one of the possible reasons of WARNING at
+iwlagn_mac_remove_interface, and perhaps some random crashes when
+firmware reset is performed.
+
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/iwl-agn.c | 3 ---
+ drivers/net/wireless/iwlwifi/iwl-mac80211.c | 10 +++++++++-
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-agn.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn.c
+@@ -1403,7 +1403,6 @@ static void iwl_bg_run_time_calib_work(s
+
+ void iwlagn_prepare_restart(struct iwl_priv *priv)
+ {
+- struct iwl_rxon_context *ctx;
+ bool bt_full_concurrent;
+ u8 bt_ci_compliance;
+ u8 bt_load;
+@@ -1412,8 +1411,6 @@ void iwlagn_prepare_restart(struct iwl_p
+
+ lockdep_assert_held(&priv->shrd->mutex);
+
+- for_each_context(priv, ctx)
+- ctx->vif = NULL;
+ priv->is_open = 0;
+
+ /*
+--- a/drivers/net/wireless/iwlwifi/iwl-mac80211.c
++++ b/drivers/net/wireless/iwlwifi/iwl-mac80211.c
+@@ -1226,6 +1226,7 @@ static int iwlagn_mac_add_interface(stru
+ struct iwl_rxon_context *tmp, *ctx = NULL;
+ int err;
+ enum nl80211_iftype viftype = ieee80211_vif_type_p2p(vif);
++ bool reset = false;
+
+ IWL_DEBUG_MAC80211(priv, "enter: type %d, addr %pM\n",
+ viftype, vif->addr);
+@@ -1247,6 +1248,13 @@ static int iwlagn_mac_add_interface(stru
+ tmp->interface_modes | tmp->exclusive_interface_modes;
+
+ if (tmp->vif) {
++ /* On reset we need to add the same interface again */
++ if (tmp->vif == vif) {
++ reset = true;
++ ctx = tmp;
++ break;
++ }
++
+ /* check if this busy context is exclusive */
+ if (tmp->exclusive_interface_modes &
+ BIT(tmp->vif->type)) {
+@@ -1273,7 +1281,7 @@ static int iwlagn_mac_add_interface(stru
+ ctx->vif = vif;
+
+ err = iwl_setup_interface(priv, ctx);
+- if (!err)
++ if (!err || reset)
+ goto out;
+
+ ctx->vif = NULL;
--- /dev/null
+From 5ef4acd58ab2abd0dd0c8e3cacd61a0dc5d73646 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 23 Apr 2012 14:17:50 -0700
+Subject: iwlwifi: fix hardware queue programming
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 5ef4acd58ab2abd0dd0c8e3cacd61a0dc5d73646 upstream.
+
+Newer devices have 20 (5000 series) or 30 (6000 series)
+hardware queues, rather than the 16 that 4965 had. This
+was added to the driver a long time ago, but improperly:
+the queue registers for the higher queues aren't just
+continuations of the registers for the first 16 queues,
+they are in other places. Therefore, the hardware would
+lock up when trying to activate queue 16 or above and
+the device would have to be restarted.
+
+Thanks goes to Emmanuel who identified this and told me
+how the queue programming should be done.
+
+Note that we don't use queues 20 and higher today and
+doing so needs more work than this.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/iwl-fh.h | 22 ++++++++++++++++++----
+ drivers/net/wireless/iwlwifi/iwl-prph.h | 27 ++++++++++++++++++++++++---
+ 2 files changed, 42 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-fh.h
++++ b/drivers/net/wireless/iwlwifi/iwl-fh.h
+@@ -104,15 +104,29 @@
+ * (see struct iwl_tfd_frame). These 16 pointer registers are offset by 0x04
+ * bytes from one another. Each TFD circular buffer in DRAM must be 256-byte
+ * aligned (address bits 0-7 must be 0).
++ * Later devices have 20 (5000 series) or 30 (higher) queues, but the registers
++ * for them are in different places.
+ *
+ * Bit fields in each pointer register:
+ * 27-0: TFD CB physical base address [35:8], must be 256-byte aligned
+ */
+-#define FH_MEM_CBBC_LOWER_BOUND (FH_MEM_LOWER_BOUND + 0x9D0)
+-#define FH_MEM_CBBC_UPPER_BOUND (FH_MEM_LOWER_BOUND + 0xA10)
++#define FH_MEM_CBBC_0_15_LOWER_BOUND (FH_MEM_LOWER_BOUND + 0x9D0)
++#define FH_MEM_CBBC_0_15_UPPER_BOUND (FH_MEM_LOWER_BOUND + 0xA10)
++#define FH_MEM_CBBC_16_19_LOWER_BOUND (FH_MEM_LOWER_BOUND + 0xBF0)
++#define FH_MEM_CBBC_16_19_UPPER_BOUND (FH_MEM_LOWER_BOUND + 0xC00)
++#define FH_MEM_CBBC_20_31_LOWER_BOUND (FH_MEM_LOWER_BOUND + 0xB20)
++#define FH_MEM_CBBC_20_31_UPPER_BOUND (FH_MEM_LOWER_BOUND + 0xB80)
+
+-/* Find TFD CB base pointer for given queue (range 0-15). */
+-#define FH_MEM_CBBC_QUEUE(x) (FH_MEM_CBBC_LOWER_BOUND + (x) * 0x4)
++/* Find TFD CB base pointer for given queue */
++static inline unsigned int FH_MEM_CBBC_QUEUE(unsigned int chnl)
++{
++ if (chnl < 16)
++ return FH_MEM_CBBC_0_15_LOWER_BOUND + 4 * chnl;
++ if (chnl < 20)
++ return FH_MEM_CBBC_16_19_LOWER_BOUND + 4 * (chnl - 16);
++ WARN_ON_ONCE(chnl >= 32);
++ return FH_MEM_CBBC_20_31_LOWER_BOUND + 4 * (chnl - 20);
++}
+
+
+ /**
+--- a/drivers/net/wireless/iwlwifi/iwl-prph.h
++++ b/drivers/net/wireless/iwlwifi/iwl-prph.h
+@@ -227,12 +227,33 @@
+ #define SCD_AIT (SCD_BASE + 0x0c)
+ #define SCD_TXFACT (SCD_BASE + 0x10)
+ #define SCD_ACTIVE (SCD_BASE + 0x14)
+-#define SCD_QUEUE_WRPTR(x) (SCD_BASE + 0x18 + (x) * 4)
+-#define SCD_QUEUE_RDPTR(x) (SCD_BASE + 0x68 + (x) * 4)
+ #define SCD_QUEUECHAIN_SEL (SCD_BASE + 0xe8)
+ #define SCD_AGGR_SEL (SCD_BASE + 0x248)
+ #define SCD_INTERRUPT_MASK (SCD_BASE + 0x108)
+-#define SCD_QUEUE_STATUS_BITS(x) (SCD_BASE + 0x10c + (x) * 4)
++
++static inline unsigned int SCD_QUEUE_WRPTR(unsigned int chnl)
++{
++ if (chnl < 20)
++ return SCD_BASE + 0x18 + chnl * 4;
++ WARN_ON_ONCE(chnl >= 32);
++ return SCD_BASE + 0x284 + (chnl - 20) * 4;
++}
++
++static inline unsigned int SCD_QUEUE_RDPTR(unsigned int chnl)
++{
++ if (chnl < 20)
++ return SCD_BASE + 0x68 + chnl * 4;
++ WARN_ON_ONCE(chnl >= 32);
++ return SCD_BASE + 0x2B4 + (chnl - 20) * 4;
++}
++
++static inline unsigned int SCD_QUEUE_STATUS_BITS(unsigned int chnl)
++{
++ if (chnl < 20)
++ return SCD_BASE + 0x10c + chnl * 4;
++ WARN_ON_ONCE(chnl >= 32);
++ return SCD_BASE + 0x384 + (chnl - 20) * 4;
++}
+
+ /*********************** END TX SCHEDULER *************************************/
+
--- /dev/null
+From 1ed2ec37b44e86eaa8e0a03b908a39c80f65ee45 Mon Sep 17 00:00:00 2001
+From: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+Date: Wed, 25 Apr 2012 08:10:08 -0700
+Subject: iwlwifi: use 6000G2B for 6030 device series
+
+From: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+
+commit 1ed2ec37b44e86eaa8e0a03b908a39c80f65ee45 upstream.
+
+"iwlwifi: use correct released ucode version" change
+the ucode api ok from 6000G2 to 6000G2B, but it shall belong
+to 6030 device series, not the 6005 device series. Fix it
+
+Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/iwl-6000.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-6000.c
++++ b/drivers/net/wireless/iwlwifi/iwl-6000.c
+@@ -351,7 +351,7 @@ static struct iwl_bt_params iwl6000_bt_p
+ #define IWL_DEVICE_6005 \
+ .fw_name_pre = IWL6005_FW_PRE, \
+ .ucode_api_max = IWL6000G2_UCODE_API_MAX, \
+- .ucode_api_ok = IWL6000G2B_UCODE_API_OK, \
++ .ucode_api_ok = IWL6000G2_UCODE_API_OK, \
+ .ucode_api_min = IWL6000G2_UCODE_API_MIN, \
+ .eeprom_ver = EEPROM_6005_EEPROM_VERSION, \
+ .eeprom_calib_ver = EEPROM_6005_TX_POWER_VERSION, \
+@@ -391,7 +391,7 @@ struct iwl_cfg iwl6005_2agn_d_cfg = {
+ #define IWL_DEVICE_6030 \
+ .fw_name_pre = IWL6030_FW_PRE, \
+ .ucode_api_max = IWL6000G2_UCODE_API_MAX, \
+- .ucode_api_ok = IWL6000G2_UCODE_API_OK, \
++ .ucode_api_ok = IWL6000G2B_UCODE_API_OK, \
+ .ucode_api_min = IWL6000G2_UCODE_API_MIN, \
+ .eeprom_ver = EEPROM_6030_EEPROM_VERSION, \
+ .eeprom_calib_ver = EEPROM_6030_TX_POWER_VERSION, \
--- /dev/null
+From 78cbcf2b9dbe0565820dc7721316f9c401000a68 Mon Sep 17 00:00:00 2001
+From: Meenakshi Venkataraman <meenakshi.venkataraman@intel.com>
+Date: Sun, 22 Apr 2012 07:55:27 -0700
+Subject: iwlwifi: use correct released ucode version
+
+From: Meenakshi Venkataraman <meenakshi.venkataraman@intel.com>
+
+commit 78cbcf2b9dbe0565820dc7721316f9c401000a68 upstream.
+
+Report correctly the latest released version
+of the iwlwifi firmware for all
+iwlwifi-supported devices.
+
+Signed-off-by: Meenakshi Venkataraman <meenakshi.venkataraman@intel.com>
+Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/iwl-1000.c | 8 ++++----
+ drivers/net/wireless/iwlwifi/iwl-2000.c | 16 ++++++++--------
+ drivers/net/wireless/iwlwifi/iwl-5000.c | 11 +++++++++--
+ drivers/net/wireless/iwlwifi/iwl-6000.c | 10 ++++++----
+ 4 files changed, 27 insertions(+), 18 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-1000.c
++++ b/drivers/net/wireless/iwlwifi/iwl-1000.c
+@@ -45,8 +45,8 @@
+ #include "iwl-cfg.h"
+
+ /* Highest firmware API version supported */
+-#define IWL1000_UCODE_API_MAX 6
+-#define IWL100_UCODE_API_MAX 6
++#define IWL1000_UCODE_API_MAX 5
++#define IWL100_UCODE_API_MAX 5
+
+ /* Oldest version we won't warn about */
+ #define IWL1000_UCODE_API_OK 5
+@@ -235,5 +235,5 @@ struct iwl_cfg iwl100_bg_cfg = {
+ IWL_DEVICE_100,
+ };
+
+-MODULE_FIRMWARE(IWL1000_MODULE_FIRMWARE(IWL1000_UCODE_API_MAX));
+-MODULE_FIRMWARE(IWL100_MODULE_FIRMWARE(IWL100_UCODE_API_MAX));
++MODULE_FIRMWARE(IWL1000_MODULE_FIRMWARE(IWL1000_UCODE_API_OK));
++MODULE_FIRMWARE(IWL100_MODULE_FIRMWARE(IWL100_UCODE_API_OK));
+--- a/drivers/net/wireless/iwlwifi/iwl-2000.c
++++ b/drivers/net/wireless/iwlwifi/iwl-2000.c
+@@ -51,10 +51,10 @@
+ #define IWL135_UCODE_API_MAX 6
+
+ /* Oldest version we won't warn about */
+-#define IWL2030_UCODE_API_OK 5
+-#define IWL2000_UCODE_API_OK 5
+-#define IWL105_UCODE_API_OK 5
+-#define IWL135_UCODE_API_OK 5
++#define IWL2030_UCODE_API_OK 6
++#define IWL2000_UCODE_API_OK 6
++#define IWL105_UCODE_API_OK 6
++#define IWL135_UCODE_API_OK 6
+
+ /* Lowest firmware API version supported */
+ #define IWL2030_UCODE_API_MIN 5
+@@ -338,7 +338,7 @@ struct iwl_cfg iwl135_bgn_cfg = {
+ .ht_params = &iwl2000_ht_params,
+ };
+
+-MODULE_FIRMWARE(IWL2000_MODULE_FIRMWARE(IWL2000_UCODE_API_MAX));
+-MODULE_FIRMWARE(IWL2030_MODULE_FIRMWARE(IWL2030_UCODE_API_MAX));
+-MODULE_FIRMWARE(IWL105_MODULE_FIRMWARE(IWL105_UCODE_API_MAX));
+-MODULE_FIRMWARE(IWL135_MODULE_FIRMWARE(IWL135_UCODE_API_MAX));
++MODULE_FIRMWARE(IWL2000_MODULE_FIRMWARE(IWL2000_UCODE_API_OK));
++MODULE_FIRMWARE(IWL2030_MODULE_FIRMWARE(IWL2030_UCODE_API_OK));
++MODULE_FIRMWARE(IWL105_MODULE_FIRMWARE(IWL105_UCODE_API_OK));
++MODULE_FIRMWARE(IWL135_MODULE_FIRMWARE(IWL135_UCODE_API_OK));
+--- a/drivers/net/wireless/iwlwifi/iwl-5000.c
++++ b/drivers/net/wireless/iwlwifi/iwl-5000.c
+@@ -50,6 +50,10 @@
+ #define IWL5000_UCODE_API_MAX 5
+ #define IWL5150_UCODE_API_MAX 2
+
++/* Oldest version we won't warn about */
++#define IWL5000_UCODE_API_OK 5
++#define IWL5150_UCODE_API_OK 2
++
+ /* Lowest firmware API version supported */
+ #define IWL5000_UCODE_API_MIN 1
+ #define IWL5150_UCODE_API_MIN 1
+@@ -359,6 +363,7 @@ static struct iwl_ht_params iwl5000_ht_p
+ #define IWL_DEVICE_5000 \
+ .fw_name_pre = IWL5000_FW_PRE, \
+ .ucode_api_max = IWL5000_UCODE_API_MAX, \
++ .ucode_api_ok = IWL5000_UCODE_API_OK, \
+ .ucode_api_min = IWL5000_UCODE_API_MIN, \
+ .eeprom_ver = EEPROM_5000_EEPROM_VERSION, \
+ .eeprom_calib_ver = EEPROM_5000_TX_POWER_VERSION, \
+@@ -402,6 +407,7 @@ struct iwl_cfg iwl5350_agn_cfg = {
+ .name = "Intel(R) WiMAX/WiFi Link 5350 AGN",
+ .fw_name_pre = IWL5000_FW_PRE,
+ .ucode_api_max = IWL5000_UCODE_API_MAX,
++ .ucode_api_ok = IWL5000_UCODE_API_OK,
+ .ucode_api_min = IWL5000_UCODE_API_MIN,
+ .eeprom_ver = EEPROM_5050_EEPROM_VERSION,
+ .eeprom_calib_ver = EEPROM_5050_TX_POWER_VERSION,
+@@ -415,6 +421,7 @@ struct iwl_cfg iwl5350_agn_cfg = {
+ #define IWL_DEVICE_5150 \
+ .fw_name_pre = IWL5150_FW_PRE, \
+ .ucode_api_max = IWL5150_UCODE_API_MAX, \
++ .ucode_api_ok = IWL5150_UCODE_API_OK, \
+ .ucode_api_min = IWL5150_UCODE_API_MIN, \
+ .eeprom_ver = EEPROM_5050_EEPROM_VERSION, \
+ .eeprom_calib_ver = EEPROM_5050_TX_POWER_VERSION, \
+@@ -436,5 +443,5 @@ struct iwl_cfg iwl5150_abg_cfg = {
+ IWL_DEVICE_5150,
+ };
+
+-MODULE_FIRMWARE(IWL5000_MODULE_FIRMWARE(IWL5000_UCODE_API_MAX));
+-MODULE_FIRMWARE(IWL5150_MODULE_FIRMWARE(IWL5150_UCODE_API_MAX));
++MODULE_FIRMWARE(IWL5000_MODULE_FIRMWARE(IWL5000_UCODE_API_OK));
++MODULE_FIRMWARE(IWL5150_MODULE_FIRMWARE(IWL5150_UCODE_API_OK));
+--- a/drivers/net/wireless/iwlwifi/iwl-6000.c
++++ b/drivers/net/wireless/iwlwifi/iwl-6000.c
+@@ -53,6 +53,8 @@
+ /* Oldest version we won't warn about */
+ #define IWL6000_UCODE_API_OK 4
+ #define IWL6000G2_UCODE_API_OK 5
++#define IWL6050_UCODE_API_OK 5
++#define IWL6000G2B_UCODE_API_OK 6
+
+ /* Lowest firmware API version supported */
+ #define IWL6000_UCODE_API_MIN 4
+@@ -349,7 +351,7 @@ static struct iwl_bt_params iwl6000_bt_p
+ #define IWL_DEVICE_6005 \
+ .fw_name_pre = IWL6005_FW_PRE, \
+ .ucode_api_max = IWL6000G2_UCODE_API_MAX, \
+- .ucode_api_ok = IWL6000G2_UCODE_API_OK, \
++ .ucode_api_ok = IWL6000G2B_UCODE_API_OK, \
+ .ucode_api_min = IWL6000G2_UCODE_API_MIN, \
+ .eeprom_ver = EEPROM_6005_EEPROM_VERSION, \
+ .eeprom_calib_ver = EEPROM_6005_TX_POWER_VERSION, \
+@@ -548,6 +550,6 @@ struct iwl_cfg iwl6000_3agn_cfg = {
+ };
+
+ MODULE_FIRMWARE(IWL6000_MODULE_FIRMWARE(IWL6000_UCODE_API_OK));
+-MODULE_FIRMWARE(IWL6050_MODULE_FIRMWARE(IWL6050_UCODE_API_MAX));
+-MODULE_FIRMWARE(IWL6005_MODULE_FIRMWARE(IWL6000G2_UCODE_API_MAX));
+-MODULE_FIRMWARE(IWL6030_MODULE_FIRMWARE(IWL6000G2_UCODE_API_MAX));
++MODULE_FIRMWARE(IWL6050_MODULE_FIRMWARE(IWL6050_UCODE_API_OK));
++MODULE_FIRMWARE(IWL6005_MODULE_FIRMWARE(IWL6000G2_UCODE_API_OK));
++MODULE_FIRMWARE(IWL6030_MODULE_FIRMWARE(IWL6000G2B_UCODE_API_OK));
--- /dev/null
+From 6868225e3e92399068be9a5f1635752d91012ad5 Mon Sep 17 00:00:00 2001
+From: Lin Ming <ming.m.lin@intel.com>
+Date: Thu, 3 May 2012 22:15:07 +0800
+Subject: libata: skip old error history when counting probe trials
+
+From: Lin Ming <ming.m.lin@intel.com>
+
+commit 6868225e3e92399068be9a5f1635752d91012ad5 upstream.
+
+Commit d902747("[libata] Add ATA transport class") introduced
+ATA_EFLAG_OLD_ER to mark entries in the error ring as cleared.
+
+But ata_count_probe_trials_cb() didn't check this flag and it still
+counts the old error history. So wrong probe trials count is returned
+and it causes problem, for example, SATA link speed is slowed down from
+3.0Gbps to 1.5Gbps.
+
+Fix it by checking ATA_EFLAG_OLD_ER in ata_count_probe_trials_cb().
+
+Signed-off-by: Lin Ming <ming.m.lin@intel.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-eh.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -3500,7 +3500,8 @@ static int ata_count_probe_trials_cb(str
+ u64 now = get_jiffies_64();
+ int *trials = void_arg;
+
+- if (ent->timestamp < now - min(now, interval))
++ if ((ent->eflags & ATA_EFLAG_OLD_ER) ||
++ (ent->timestamp < now - min(now, interval)))
+ return -1;
+
+ (*trials)++;
--- /dev/null
+From 66f2c99af3d6f2d0aa1120884cf1c60613ef61c0 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Sun, 29 Apr 2012 15:44:16 +0200
+Subject: mac80211: fix AP mode EAP tx for VLAN stations
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit 66f2c99af3d6f2d0aa1120884cf1c60613ef61c0 upstream.
+
+EAP frames for stations in an AP VLAN are sent on the main AP interface
+to avoid race conditions wrt. moving stations.
+For that to work properly, sta_info_get_bss must be used instead of
+sta_info_get when sending EAP packets.
+Previously this was only done for cooked monitor injected packets, so
+this patch adds a check for tx->skb->protocol to the same place.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/tx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1144,7 +1144,8 @@ ieee80211_tx_prepare(struct ieee80211_su
+ tx->sta = rcu_dereference(sdata->u.vlan.sta);
+ if (!tx->sta && sdata->dev->ieee80211_ptr->use_4addr)
+ return TX_DROP;
+- } else if (info->flags & IEEE80211_TX_CTL_INJECTED) {
++ } else if (info->flags & IEEE80211_TX_CTL_INJECTED ||
++ tx->sdata->control_port_protocol == tx->skb->protocol) {
+ tx->sta = sta_info_get_bss(sdata, hdr->addr1);
+ }
+ if (!tx->sta)
--- /dev/null
+From addde4ec31456c5f1e9b61aae3edcfeb0f338f87 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Wed, 2 May 2012 20:26:24 +0100
+Subject: nouveau: initialise has_optimus variable.
+
+From: Dave Airlie <airlied@redhat.com>
+
+commit addde4ec31456c5f1e9b61aae3edcfeb0f338f87 upstream.
+
+We should initialise this to 0 really to avoid getting false positives.
+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/nouveau_acpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/nouveau/nouveau_acpi.c
++++ b/drivers/gpu/drm/nouveau/nouveau_acpi.c
+@@ -270,7 +270,7 @@ static bool nouveau_dsm_detect(void)
+ struct acpi_buffer buffer = {sizeof(acpi_method_name), acpi_method_name};
+ struct pci_dev *pdev = NULL;
+ int has_dsm = 0;
+- int has_optimus;
++ int has_optimus = 0;
+ int vga_count = 0;
+ bool guid_valid;
+ int retval;
--- /dev/null
+From 44eb65cfd8da4b9c231238998729e858e963a980 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Thu, 19 Apr 2012 21:39:06 -0500
+Subject: rtlwifi: Fix oops on unload
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 44eb65cfd8da4b9c231238998729e858e963a980 upstream.
+
+Under some circumstances, a PCI-based driver reports the following OOPs:
+
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Oops: 0000 [#1] SMP
+--snip--
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Pid: 19627, comm: rmmod
+Not tainted 3.2.9-2.fc16.x86_64 #1 LENOVO 05962RU/05962RU
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] RIP:
+0010:[<ffffffffa0418d39>] [<ffffffffa0418d39>]
+rtl92ce_get_desc+0x19/0xd0 [rtl8192ce]
+--snip--
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Process rmmod (pid:
+19627, threadinfo ffff880050262000, task ffff8801156d5cc0)
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Stack:
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] 0000000000000002
+ffff8801176c2540 ffff880050263ca8 ffffffffa03348e7
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] 0000000000000282
+0000000180150014 ffff880050263fd8 ffff8801176c2810
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] ffff880050263bc8
+ffffffff810550e2 00000000000002c0 ffff8801176c0d40
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Call Trace:
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] [<ffffffffa03348e7>]
+_rtl_pci_rx_interrupt+0x187/0x650 [rtlwifi]
+--snip--
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Code: ff 09 d0 89 07 48
+83 c4 08 5b 5d c3 66 0f 1f 44 00 00 55 48 89 e5 53 48 83 ec 08 66 66
+66 66 90 40 84 f6 89 d3 74 13 84 d2 75 57 <8b> 07 48 83 c4 08 5b 5d c1
+e8 1f c3 0f 1f 00 84 d2 74 ed 80 fa
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] RIP
+[<ffffffffa0418d39>] rtl92ce_get_desc+0x19/0xd0 [rtl8192ce]
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] RSP <ffff880050263b58>
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] CR2: 00000000000006e0
+Mar 19 08:14:35 kvothe kernel: [ 6584.646491] ---[ end trace
+8636c766dcfbe0e6 ]---
+
+This oops is due to interrupts not being disabled in this particular path.
+
+Reported-by: Dave Airlie <airlied@gmail.com>
+Tested-by: Dave Airlie <airlied@gmail.com>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rtlwifi/pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rtlwifi/pci.c
++++ b/drivers/net/wireless/rtlwifi/pci.c
+@@ -1955,6 +1955,7 @@ void rtl_pci_disconnect(struct pci_dev *
+ rtl_deinit_deferred_work(hw);
+ rtlpriv->intf_ops->adapter_stop(hw);
+ }
++ rtlpriv->cfg->ops->disable_interrupt(hw);
+
+ /*deinit rfkill */
+ rtl_deinit_rfkill(hw);
exit_signal-simplify-the-we-have-changed-execution-domain-logic.patch
exit_signal-fix-the-parent-has-changed-security-domain-logic.patch
md-raid5-fix-a-bug-about-judging-if-the-operation-is-syncing-or-replacing.patch
+efivars-improve-variable-validation.patch
+hwmon-coretemp-increase-cpu-core-limit.patch
+nouveau-initialise-has_optimus-variable.patch
+hwmon-coretemp-fix-oops-on-cpu-unplug.patch
+libata-skip-old-error-history-when-counting-probe-trials.patch
+b43-only-reload-config-after-successful-initialization.patch
+i2c-pnx-disable-clk-in-suspend.patch
+ipw2200-fix-race-condition-in-the-command-completion-acknowledge.patch
+mac80211-fix-ap-mode-eap-tx-for-vlan-stations.patch
+rtlwifi-fix-oops-on-unload.patch
+wl1251-fix-crash-on-remove-due-to-premature-kfree.patch
+wl1251-fix-crash-on-remove-due-to-leftover-work-item.patch
+iwlwifi-do-not-nulify-ctx-vif-on-reset.patch
+iwlwifi-use-correct-released-ucode-version.patch
+iwlwifi-fix-hardware-queue-programming.patch
+iwlwifi-use-6000g2b-for-6030-device-series.patch
--- /dev/null
+From 4c1bcdb5a3354b250b82a67549f57ac27a3bb85f Mon Sep 17 00:00:00 2001
+From: Grazvydas Ignotas <notasas@gmail.com>
+Date: Thu, 26 Apr 2012 23:07:44 +0300
+Subject: wl1251: fix crash on remove due to leftover work item
+
+From: Grazvydas Ignotas <notasas@gmail.com>
+
+commit 4c1bcdb5a3354b250b82a67549f57ac27a3bb85f upstream.
+
+This driver currently leaves elp_work behind when stopping, which
+occasionally results in data corruption because work function ends
+up accessing freed memory, typical symptoms of this are various
+worker_thread crashes. Fix it by cancelling elp_work.
+
+Signed-off-by: Grazvydas Ignotas <notasas@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/wl1251/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/wl1251/main.c
++++ b/drivers/net/wireless/wl1251/main.c
+@@ -479,6 +479,7 @@ static void wl1251_op_stop(struct ieee80
+ cancel_work_sync(&wl->irq_work);
+ cancel_work_sync(&wl->tx_work);
+ cancel_work_sync(&wl->filter_work);
++ cancel_delayed_work_sync(&wl->elp_work);
+
+ mutex_lock(&wl->mutex);
+
--- /dev/null
+From 328c32f0f85467af5a6c4c3289e168d9ad2555af Mon Sep 17 00:00:00 2001
+From: Grazvydas Ignotas <notasas@gmail.com>
+Date: Thu, 26 Apr 2012 23:07:43 +0300
+Subject: wl1251: fix crash on remove due to premature kfree
+
+From: Grazvydas Ignotas <notasas@gmail.com>
+
+commit 328c32f0f85467af5a6c4c3289e168d9ad2555af upstream.
+
+Currently SDIO glue frees it's own structure before calling
+wl1251_free_hw(), which in turn calls ieee80211_unregister_hw().
+The later call may result in a need to communicate with the chip
+to stop it (as it happens now if the interface is still up before
+rmmod), which means calls are made back to the glue, resulting in
+freed memory access.
+
+Fix this by freeing glue data last.
+
+Signed-off-by: Grazvydas Ignotas <notasas@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/wl1251/sdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/wl1251/sdio.c
++++ b/drivers/net/wireless/wl1251/sdio.c
+@@ -315,8 +315,8 @@ static void __devexit wl1251_sdio_remove
+
+ if (wl->irq)
+ free_irq(wl->irq, wl);
+- kfree(wl_sdio);
+ wl1251_free_hw(wl);
++ kfree(wl_sdio);
+
+ sdio_claim_host(func);
+ sdio_release_irq(func);
projects / thirdparty / kernel / stable-queue.git / commitdiff
