--- /dev/null
+From afa31d8eb86fc2f25083e675d57ac8173a98f999 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Mon, 12 Aug 2013 18:03:26 +0100
+Subject: ARM: 7811/1: locks: use early clobber in arch_spin_trylock
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit afa31d8eb86fc2f25083e675d57ac8173a98f999 upstream.
+
+The res variable is written before we've finished with the input
+operands (namely the lock address), so ensure that we mark it as `early
+clobber' to avoid unintended register sharing.
+
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Cc: Wang Weidong <wangweidong1@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/include/asm/spinlock.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/include/asm/spinlock.h
++++ b/arch/arm/include/asm/spinlock.h
+@@ -107,7 +107,7 @@ static inline int arch_spin_trylock(arch
+ " subs %1, %0, %0, ror #16\n"
+ " addeq %0, %0, %4\n"
+ " strexeq %2, %0, [%3]"
+- : "=&r" (slock), "=&r" (contended), "=r" (res)
++ : "=&r" (slock), "=&r" (contended), "=&r" (res)
+ : "r" (&lock->slock), "I" (1 << TICKET_SHIFT)
+ : "cc");
+ } while (res);
--- /dev/null
+From b3050248c167871ca52cfdb2ce78aa2460249346 Mon Sep 17 00:00:00 2001
+From: Sujith Manoharan <c_manoha@qca.qualcomm.com>
+Date: Fri, 14 Feb 2014 08:15:20 +0530
+Subject: ath9k: Fix ETSI compliance for AR9462 2.0
+
+From: Sujith Manoharan <c_manoha@qca.qualcomm.com>
+
+commit b3050248c167871ca52cfdb2ce78aa2460249346 upstream.
+
+The minimum CCA power threshold values have to be adjusted
+for existing cards to be in compliance with new regulations.
+Newer cards will make use of the values obtained from EEPROM,
+support for this was added earlier. To make sure that cards
+that are already in use and don't have proper values in EEPROM,
+do not violate regulations, use the initvals instead.
+
+Reported-by: Jeang Daniel <dyjeong@qca.qualcomm.com>
+Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/ar9462_2p0_initvals.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/ar9462_2p0_initvals.h
++++ b/drivers/net/wireless/ath/ath9k/ar9462_2p0_initvals.h
+@@ -56,7 +56,7 @@ static const u32 ar9462_2p0_baseband_pos
+ {0x00009e14, 0x37b95d5e, 0x37b9605e, 0x3236605e, 0x32365a5e},
+ {0x00009e18, 0x00000000, 0x00000000, 0x00000000, 0x00000000},
+ {0x00009e1c, 0x0001cf9c, 0x0001cf9c, 0x00021f9c, 0x00021f9c},
+- {0x00009e20, 0x000003b5, 0x000003b5, 0x000003ce, 0x000003ce},
++ {0x00009e20, 0x000003a5, 0x000003a5, 0x000003a5, 0x000003a5},
+ {0x00009e2c, 0x0000001c, 0x0000001c, 0x00000021, 0x00000021},
+ {0x00009e3c, 0xcf946220, 0xcf946220, 0xcfd5c782, 0xcfd5c282},
+ {0x00009e44, 0x62321e27, 0x62321e27, 0xfe291e27, 0xfe291e27},
+@@ -95,7 +95,7 @@ static const u32 ar9462_2p0_baseband_pos
+ {0x0000ae04, 0x001c0000, 0x001c0000, 0x001c0000, 0x00100000},
+ {0x0000ae18, 0x00000000, 0x00000000, 0x00000000, 0x00000000},
+ {0x0000ae1c, 0x0000019c, 0x0000019c, 0x0000019c, 0x0000019c},
+- {0x0000ae20, 0x000001b5, 0x000001b5, 0x000001ce, 0x000001ce},
++ {0x0000ae20, 0x000001a6, 0x000001a6, 0x000001aa, 0x000001aa},
+ {0x0000b284, 0x00000000, 0x00000000, 0x00000550, 0x00000550},
+ };
+
--- /dev/null
+From 9ef7506f7eff3fc42724269f62e30164c141661f Mon Sep 17 00:00:00 2001
+From: Rob Clark <rclark@redhat.com>
+Date: Wed, 12 Mar 2014 10:59:37 -0400
+Subject: drm/ttm: don't oops if no invalidate_caches()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rob Clark <rclark@redhat.com>
+
+commit 9ef7506f7eff3fc42724269f62e30164c141661f upstream.
+
+A few of the simpler TTM drivers (cirrus, ast, mgag200) do not implement
+this function. Yet can end up somehow with an evicted bo:
+
+ BUG: unable to handle kernel NULL pointer dereference at (null)
+ IP: [< (null)>] (null)
+ PGD 16e761067 PUD 16e6cf067 PMD 0
+ Oops: 0010 [#1] SMP
+ Modules linked in: bnep bluetooth rfkill fuse ip6t_rpfilter ip6t_REJECT ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter ip_tables sg btrfs zlib_deflate raid6_pq xor dm_queue_length iTCO_wdt iTCO_vendor_support coretemp kvm dcdbas dm_service_time microcode serio_raw pcspkr lpc_ich mfd_core i7core_edac edac_core ses enclosure ipmi_si ipmi_msghandler shpchp acpi_power_meter mperf nfsd auth_rpcgss nfs_acl lockd uinput sunrpc dm_multipath xfs libcrc32c ata_generic pata_acpi sr_mod cdrom
+ sd_mod usb_storage mgag200 syscopyarea sysfillrect sysimgblt i2c_algo_bit lpfc drm_kms_helper ttm crc32c_intel ata_piix bfa drm ixgbe libata i2c_core mdio crc_t10dif ptp crct10dif_common pps_core scsi_transport_fc dca scsi_tgt megaraid_sas bnx2 dm_mirror dm_region_hash dm_log dm_mod
+ CPU: 16 PID: 2572 Comm: X Not tainted 3.10.0-86.el7.x86_64 #1
+ Hardware name: Dell Inc. PowerEdge R810/0H235N, BIOS 0.3.0 11/14/2009
+ task: ffff8801799dabc0 ti: ffff88016c884000 task.ti: ffff88016c884000
+ RIP: 0010:[<0000000000000000>] [< (null)>] (null)
+ RSP: 0018:ffff88016c885ad8 EFLAGS: 00010202
+ RAX: ffffffffa04e94c0 RBX: ffff880178937a20 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000240004 RDI: ffff880178937a00
+ RBP: ffff88016c885b60 R08: 00000000000171a0 R09: ffff88007cf171a0
+ R10: ffffea0005842540 R11: ffffffff810487b9 R12: ffff880178937b30
+ R13: ffff880178937a00 R14: ffff88016c885b78 R15: ffff880179929400
+ FS: 00007f81ba2ef980(0000) GS:ffff88007cf00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000000 CR3: 000000016e763000 CR4: 00000000000007e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ Stack:
+ ffffffffa0306fae ffff8801799295c0 0000000000260004 0000000000000001
+ ffff88016c885b60 ffffffffa0307669 00ff88007cf17738 ffff88017cf17700
+ ffff880178937a00 ffff880100000000 ffff880100000000 0000000079929400
+ Call Trace:
+ [<ffffffffa0306fae>] ? ttm_bo_handle_move_mem+0x54e/0x5b0 [ttm]
+ [<ffffffffa0307669>] ? ttm_bo_mem_space+0x169/0x340 [ttm]
+ [<ffffffffa0307bd7>] ttm_bo_move_buffer+0x117/0x130 [ttm]
+ [<ffffffff81130001>] ? perf_event_init_context+0x141/0x220
+ [<ffffffffa0307cb1>] ttm_bo_validate+0xc1/0x130 [ttm]
+ [<ffffffffa04e7377>] mgag200_bo_pin+0x87/0xc0 [mgag200]
+ [<ffffffffa04e56c4>] mga_crtc_cursor_set+0x474/0xbb0 [mgag200]
+ [<ffffffff811971d2>] ? __mem_cgroup_commit_charge+0x152/0x3b0
+ [<ffffffff815c4182>] ? mutex_lock+0x12/0x2f
+ [<ffffffffa0201433>] drm_mode_cursor_common+0x123/0x170 [drm]
+ [<ffffffffa0205231>] drm_mode_cursor_ioctl+0x41/0x50 [drm]
+ [<ffffffffa01f5ca2>] drm_ioctl+0x502/0x630 [drm]
+ [<ffffffff815cbab4>] ? __do_page_fault+0x1f4/0x510
+ [<ffffffff8101cb68>] ? __restore_xstate_sig+0x218/0x4f0
+ [<ffffffff811b4445>] do_vfs_ioctl+0x2e5/0x4d0
+ [<ffffffff8124488e>] ? file_has_perm+0x8e/0xa0
+ [<ffffffff811b46b1>] SyS_ioctl+0x81/0xa0
+ [<ffffffff815d05d9>] system_call_fastpath+0x16/0x1b
+ Code: Bad RIP value.
+ RIP [< (null)>] (null)
+ RSP <ffff88016c885ad8>
+ CR2: 0000000000000000
+
+Signed-off-by: Rob Clark <rclark@redhat.com>
+Reviewed-by: Jérôme Glisse <jglisse@redhat.com>
+Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/ttm/ttm_bo.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/ttm/ttm_bo.c
++++ b/drivers/gpu/drm/ttm/ttm_bo.c
+@@ -498,9 +498,11 @@ static int ttm_bo_handle_move_mem(struct
+
+ moved:
+ if (bo->evicted) {
+- ret = bdev->driver->invalidate_caches(bdev, bo->mem.placement);
+- if (ret)
+- pr_err("Can not flush read caches\n");
++ if (bdev->driver->invalidate_caches) {
++ ret = bdev->driver->invalidate_caches(bdev, bo->mem.placement);
++ if (ret)
++ pr_err("Can not flush read caches\n");
++ }
+ bo->evicted = false;
+ }
+
--- /dev/null
+From 205e2210daa975d92ace485a65a31ccc4077fe1a Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Wed, 12 Feb 2014 15:15:05 +0200
+Subject: iwlwifi: disable TX AMPDU by default for iwldvm
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 205e2210daa975d92ace485a65a31ccc4077fe1a upstream.
+
+NICs supported by iwldvm don't handle well TX AMPDU.
+Disable it by default, still leave the possibility to
+the user to force enable it with a debug parameter.
+
+NICs supported by iwlmvm don't suffer from the same issue,
+leave TX AMPDU enabled by default for these.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/dvm/mac80211.c | 22 ++++++++++++++++++++--
+ drivers/net/wireless/iwlwifi/iwl-drv.c | 2 +-
+ drivers/net/wireless/iwlwifi/iwl-modparams.h | 11 +++++++----
+ drivers/net/wireless/iwlwifi/mvm/mac80211.c | 22 ++++++++++++++++++++--
+ 4 files changed, 48 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/dvm/mac80211.c
++++ b/drivers/net/wireless/iwlwifi/dvm/mac80211.c
+@@ -739,6 +739,24 @@ static int iwlagn_mac_set_key(struct iee
+ return ret;
+ }
+
++static inline bool iwl_enable_rx_ampdu(const struct iwl_cfg *cfg)
++{
++ if (iwlwifi_mod_params.disable_11n & IWL_DISABLE_HT_RXAGG)
++ return false;
++ return true;
++}
++
++static inline bool iwl_enable_tx_ampdu(const struct iwl_cfg *cfg)
++{
++ if (iwlwifi_mod_params.disable_11n & IWL_DISABLE_HT_TXAGG)
++ return false;
++ if (iwlwifi_mod_params.disable_11n & IWL_ENABLE_HT_TXAGG)
++ return true;
++
++ /* disabled by default */
++ return false;
++}
++
+ static int iwlagn_mac_ampdu_action(struct ieee80211_hw *hw,
+ struct ieee80211_vif *vif,
+ enum ieee80211_ampdu_mlme_action action,
+@@ -760,7 +778,7 @@ static int iwlagn_mac_ampdu_action(struc
+
+ switch (action) {
+ case IEEE80211_AMPDU_RX_START:
+- if (iwlwifi_mod_params.disable_11n & IWL_DISABLE_HT_RXAGG)
++ if (!iwl_enable_rx_ampdu(priv->cfg))
+ break;
+ IWL_DEBUG_HT(priv, "start Rx\n");
+ ret = iwl_sta_rx_agg_start(priv, sta, tid, *ssn);
+@@ -772,7 +790,7 @@ static int iwlagn_mac_ampdu_action(struc
+ case IEEE80211_AMPDU_TX_START:
+ if (!priv->trans->ops->txq_enable)
+ break;
+- if (iwlwifi_mod_params.disable_11n & IWL_DISABLE_HT_TXAGG)
++ if (!iwl_enable_tx_ampdu(priv->cfg))
+ break;
+ IWL_DEBUG_HT(priv, "start Tx\n");
+ ret = iwlagn_tx_agg_start(priv, vif, sta, tid, ssn);
+--- a/drivers/net/wireless/iwlwifi/iwl-drv.c
++++ b/drivers/net/wireless/iwlwifi/iwl-drv.c
+@@ -1211,7 +1211,7 @@ module_param_named(swcrypto, iwlwifi_mod
+ MODULE_PARM_DESC(swcrypto, "using crypto in software (default 0 [hardware])");
+ module_param_named(11n_disable, iwlwifi_mod_params.disable_11n, uint, S_IRUGO);
+ MODULE_PARM_DESC(11n_disable,
+- "disable 11n functionality, bitmap: 1: full, 2: agg TX, 4: agg RX");
++ "disable 11n functionality, bitmap: 1: full, 2: disable agg TX, 4: disable agg RX, 8 enable agg TX");
+ module_param_named(amsdu_size_8K, iwlwifi_mod_params.amsdu_size_8K,
+ int, S_IRUGO);
+ MODULE_PARM_DESC(amsdu_size_8K, "enable 8K amsdu size (default 0)");
+--- a/drivers/net/wireless/iwlwifi/iwl-modparams.h
++++ b/drivers/net/wireless/iwlwifi/iwl-modparams.h
+@@ -79,9 +79,12 @@ enum iwl_power_level {
+ IWL_POWER_NUM
+ };
+
+-#define IWL_DISABLE_HT_ALL BIT(0)
+-#define IWL_DISABLE_HT_TXAGG BIT(1)
+-#define IWL_DISABLE_HT_RXAGG BIT(2)
++enum iwl_disable_11n {
++ IWL_DISABLE_HT_ALL = BIT(0),
++ IWL_DISABLE_HT_TXAGG = BIT(1),
++ IWL_DISABLE_HT_RXAGG = BIT(2),
++ IWL_ENABLE_HT_TXAGG = BIT(3),
++};
+
+ /**
+ * struct iwl_mod_params
+@@ -90,7 +93,7 @@ enum iwl_power_level {
+ *
+ * @sw_crypto: using hardware encryption, default = 0
+ * @disable_11n: disable 11n capabilities, default = 0,
+- * use IWL_DISABLE_HT_* constants
++ * use IWL_[DIS,EN]ABLE_HT_* constants
+ * @amsdu_size_8K: enable 8K amsdu size, default = 0
+ * @restart_fw: restart firmware, default = 1
+ * @plcp_check: enable plcp health check, default = true
+--- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c
++++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c
+@@ -278,6 +278,24 @@ static void iwl_mvm_mac_tx(struct ieee80
+ ieee80211_free_txskb(hw, skb);
+ }
+
++static inline bool iwl_enable_rx_ampdu(const struct iwl_cfg *cfg)
++{
++ if (iwlwifi_mod_params.disable_11n & IWL_DISABLE_HT_RXAGG)
++ return false;
++ return true;
++}
++
++static inline bool iwl_enable_tx_ampdu(const struct iwl_cfg *cfg)
++{
++ if (iwlwifi_mod_params.disable_11n & IWL_DISABLE_HT_TXAGG)
++ return false;
++ if (iwlwifi_mod_params.disable_11n & IWL_ENABLE_HT_TXAGG)
++ return true;
++
++ /* enabled by default */
++ return true;
++}
++
+ static int iwl_mvm_mac_ampdu_action(struct ieee80211_hw *hw,
+ struct ieee80211_vif *vif,
+ enum ieee80211_ampdu_mlme_action action,
+@@ -297,7 +315,7 @@ static int iwl_mvm_mac_ampdu_action(stru
+
+ switch (action) {
+ case IEEE80211_AMPDU_RX_START:
+- if (iwlwifi_mod_params.disable_11n & IWL_DISABLE_HT_RXAGG) {
++ if (!iwl_enable_rx_ampdu(mvm->cfg)) {
+ ret = -EINVAL;
+ break;
+ }
+@@ -307,7 +325,7 @@ static int iwl_mvm_mac_ampdu_action(stru
+ ret = iwl_mvm_sta_rx_agg(mvm, sta, tid, 0, false);
+ break;
+ case IEEE80211_AMPDU_TX_START:
+- if (iwlwifi_mod_params.disable_11n & IWL_DISABLE_HT_TXAGG) {
++ if (!iwl_enable_tx_ampdu(mvm->cfg)) {
+ ret = -EINVAL;
+ break;
+ }
--- /dev/null
+From ec6f678c74dbdb06a6a775bbb00f1d26c17c404b Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Tue, 18 Feb 2014 10:30:18 +0200
+Subject: iwlwifi: dvm: clear IWL_STA_UCODE_INPROGRESS when assoc fails
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit ec6f678c74dbdb06a6a775bbb00f1d26c17c404b upstream.
+
+We set IWL_STA_UCODE_INPROGRESS flag when we add a station
+and clear it when we send the LQ command for it. But the LQ
+command is sent only when the association succeeds.
+If the association doesn't succeed, we would leave this flag
+set and that wouldn't indicate the station entry as vacant.
+
+This probably fixes:
+https://bugzilla.redhat.com/show_bug.cgi?id=1065663
+
+Reviewed-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/dvm/sta.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/iwlwifi/dvm/sta.c
++++ b/drivers/net/wireless/iwlwifi/dvm/sta.c
+@@ -590,6 +590,7 @@ void iwl_deactivate_station(struct iwl_p
+ sizeof(priv->tid_data[sta_id][tid]));
+
+ priv->stations[sta_id].used &= ~IWL_STA_DRIVER_ACTIVE;
++ priv->stations[sta_id].used &= ~IWL_STA_UCODE_INPROGRESS;
+
+ priv->num_stations--;
+
--- /dev/null
+From 143582c6847cb285b361804c613127c25de60ca4 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 25 Feb 2014 10:37:15 +0100
+Subject: iwlwifi: fix TX status for aggregated packets
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 143582c6847cb285b361804c613127c25de60ca4 upstream.
+
+Only the first packet is currently handled correctly, but then
+all others are assumed to have failed which is problematic. Fix
+this, marking them all successful instead (since if they're not
+then the firmware will have transmitted them as single frames.)
+
+This fixes the lost packet reporting.
+
+Also do a tiny variable scoping cleanup.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+[Add the dvm part]
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/iwlwifi/dvm/tx.c | 14 +++++++++-----
+ drivers/net/wireless/iwlwifi/mvm/tx.c | 18 +++++++++---------
+ 2 files changed, 18 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/wireless/iwlwifi/dvm/tx.c
++++ b/drivers/net/wireless/iwlwifi/dvm/tx.c
+@@ -1322,8 +1322,6 @@ int iwlagn_rx_reply_compressed_ba(struct
+ struct iwl_compressed_ba_resp *ba_resp = (void *)pkt->data;
+ struct iwl_ht_agg *agg;
+ struct sk_buff_head reclaimed_skbs;
+- struct ieee80211_tx_info *info;
+- struct ieee80211_hdr *hdr;
+ struct sk_buff *skb;
+ int sta_id;
+ int tid;
+@@ -1410,22 +1408,28 @@ int iwlagn_rx_reply_compressed_ba(struct
+ freed = 0;
+
+ skb_queue_walk(&reclaimed_skbs, skb) {
+- hdr = (struct ieee80211_hdr *)skb->data;
++ struct ieee80211_hdr *hdr = (void *)skb->data;
++ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+
+ if (ieee80211_is_data_qos(hdr->frame_control))
+ freed++;
+ else
+ WARN_ON_ONCE(1);
+
+- info = IEEE80211_SKB_CB(skb);
+ iwl_trans_free_tx_cmd(priv->trans, info->driver_data[1]);
+
++ memset(&info->status, 0, sizeof(info->status));
++ /* Packet was transmitted successfully, failures come as single
++ * frames because before failing a frame the firmware transmits
++ * it without aggregation at least once.
++ */
++ info->flags |= IEEE80211_TX_STAT_ACK;
++
+ if (freed == 1) {
+ /* this is the first skb we deliver in this batch */
+ /* put the rate scaling data there */
+ info = IEEE80211_SKB_CB(skb);
+ memset(&info->status, 0, sizeof(info->status));
+- info->flags |= IEEE80211_TX_STAT_ACK;
+ info->flags |= IEEE80211_TX_STAT_AMPDU;
+ info->status.ampdu_ack_len = ba_resp->txed_2_done;
+ info->status.ampdu_len = ba_resp->txed;
+--- a/drivers/net/wireless/iwlwifi/mvm/tx.c
++++ b/drivers/net/wireless/iwlwifi/mvm/tx.c
+@@ -819,16 +819,12 @@ int iwl_mvm_rx_ba_notif(struct iwl_mvm *
+ struct iwl_mvm_ba_notif *ba_notif = (void *)pkt->data;
+ struct sk_buff_head reclaimed_skbs;
+ struct iwl_mvm_tid_data *tid_data;
+- struct ieee80211_tx_info *info;
+ struct ieee80211_sta *sta;
+ struct iwl_mvm_sta *mvmsta;
+- struct ieee80211_hdr *hdr;
+ struct sk_buff *skb;
+ int sta_id, tid, freed;
+-
+ /* "flow" corresponds to Tx queue */
+ u16 scd_flow = le16_to_cpu(ba_notif->scd_flow);
+-
+ /* "ssn" is start of block-ack Tx window, corresponds to index
+ * (in Tx queue's circular buffer) of first TFD/frame in window */
+ u16 ba_resp_scd_ssn = le16_to_cpu(ba_notif->scd_ssn);
+@@ -885,22 +881,26 @@ int iwl_mvm_rx_ba_notif(struct iwl_mvm *
+ freed = 0;
+
+ skb_queue_walk(&reclaimed_skbs, skb) {
+- hdr = (struct ieee80211_hdr *)skb->data;
++ struct ieee80211_hdr *hdr = (void *)skb->data;
++ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+
+ if (ieee80211_is_data_qos(hdr->frame_control))
+ freed++;
+ else
+ WARN_ON_ONCE(1);
+
+- info = IEEE80211_SKB_CB(skb);
+ iwl_trans_free_tx_cmd(mvm->trans, info->driver_data[1]);
+
++ memset(&info->status, 0, sizeof(info->status));
++ /* Packet was transmitted successfully, failures come as single
++ * frames because before failing a frame the firmware transmits
++ * it without aggregation at least once.
++ */
++ info->flags |= IEEE80211_TX_STAT_ACK;
++
+ if (freed == 1) {
+ /* this is the first skb we deliver in this batch */
+ /* put the rate scaling data there */
+- info = IEEE80211_SKB_CB(skb);
+- memset(&info->status, 0, sizeof(info->status));
+- info->flags |= IEEE80211_TX_STAT_ACK;
+ info->flags |= IEEE80211_TX_STAT_AMPDU;
+ info->status.ampdu_ack_len = ba_notif->txed_2_done;
+ info->status.ampdu_len = ba_notif->txed;
--- /dev/null
+From 864a6040f395464003af8dd0d8ca86fed19866d4 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 4 Mar 2014 13:46:53 +0100
+Subject: mac80211: clear sequence/fragment number in QoS-null frames
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 864a6040f395464003af8dd0d8ca86fed19866d4 upstream.
+
+Avoid leaking data by sending uninitialized memory and setting an
+invalid (non-zero) fragment number (the sequence number is ignored
+anyway) by setting the seq_ctrl field to zero.
+
+Fixes: 3f52b7e328c5 ("mac80211: mesh power save basics")
+Fixes: ce662b44ce22 ("mac80211: send (QoS) Null if no buffered frames")
+Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mesh_ps.c | 1 +
+ net/mac80211/sta_info.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/net/mac80211/mesh_ps.c
++++ b/net/mac80211/mesh_ps.c
+@@ -36,6 +36,7 @@ static struct sk_buff *mps_qos_null_get(
+ sdata->vif.addr);
+ nullfunc->frame_control = fc;
+ nullfunc->duration_id = 0;
++ nullfunc->seq_ctrl = 0;
+ /* no address resolution for this frame -> set addr 1 immediately */
+ memcpy(nullfunc->addr1, sta->sta.addr, ETH_ALEN);
+ memset(skb_put(skb, 2), 0, 2); /* append QoS control field */
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1114,6 +1114,7 @@ static void ieee80211_send_null_response
+ memcpy(nullfunc->addr1, sta->sta.addr, ETH_ALEN);
+ memcpy(nullfunc->addr2, sdata->vif.addr, ETH_ALEN);
+ memcpy(nullfunc->addr3, sdata->vif.addr, ETH_ALEN);
++ nullfunc->seq_ctrl = 0;
+
+ skb->priority = tid;
+ skb_set_queue_mapping(skb, ieee802_1d_to_ac[tid]);
--- /dev/null
+From 963a1852fbac4f75a2d938fa2e734ef1e6d4c044 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 21 Feb 2014 20:34:34 +0100
+Subject: mac80211: don't validate unchanged AP bandwidth while tracking
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 963a1852fbac4f75a2d938fa2e734ef1e6d4c044 upstream.
+
+The MLME code in mac80211 must track whether or not the AP changed
+bandwidth, but if there's no change while tracking it shouldn't do
+anything, otherwise regulatory updates can make it impossible to
+connect to certain APs if the regulatory database doesn't match the
+information from the AP. See the precise scenario described in the
+code.
+
+This still leaves some possible problems with CSA or if the AP
+actually changed bandwidth, but those cases are less common and
+won't completely prevent using it.
+
+This fixes https://bugzilla.kernel.org/show_bug.cgi?id=70881
+
+Reported-and-tested-by: Nate Carlson <kernel@natecarlson.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mlme.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -359,6 +359,28 @@ ieee80211_determine_chantype(struct ieee
+ ret = 0;
+
+ out:
++ /*
++ * When tracking the current AP, don't do any further checks if the
++ * new chandef is identical to the one we're currently using for the
++ * connection. This keeps us from playing ping-pong with regulatory,
++ * without it the following can happen (for example):
++ * - connect to an AP with 80 MHz, world regdom allows 80 MHz
++ * - AP advertises regdom US
++ * - CRDA loads regdom US with 80 MHz prohibited (old database)
++ * - the code below detects an unsupported channel, downgrades, and
++ * we disconnect from the AP in the caller
++ * - disconnect causes CRDA to reload world regdomain and the game
++ * starts anew.
++ * (see https://bugzilla.kernel.org/show_bug.cgi?id=70881)
++ *
++ * It seems possible that there are still scenarios with CSA or real
++ * bandwidth changes where a this could happen, but those cases are
++ * less common and wouldn't completely prevent using the AP.
++ */
++ if (tracking &&
++ cfg80211_chandef_identical(chandef, &sdata->vif.bss_conf.chandef))
++ return ret;
++
+ /* don't print the message below for VHT mismatch if VHT is disabled */
+ if (ret & IEEE80211_STA_DISABLE_VHT)
+ vht_chandef = *chandef;
--- /dev/null
+From 1d147bfa64293b2723c4fec50922168658e613ba Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Thu, 20 Feb 2014 09:22:11 +0200
+Subject: mac80211: fix AP powersave TX vs. wakeup race
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 1d147bfa64293b2723c4fec50922168658e613ba upstream.
+
+There is a race between the TX path and the STA wakeup: while
+a station is sleeping, mac80211 buffers frames until it wakes
+up, then the frames are transmitted. However, the RX and TX
+path are concurrent, so the packet indicating wakeup can be
+processed while a packet is being transmitted.
+
+This can lead to a situation where the buffered frames list
+is emptied on the one side, while a frame is being added on
+the other side, as the station is still seen as sleeping in
+the TX path.
+
+As a result, the newly added frame will not be send anytime
+soon. It might be sent much later (and out of order) when the
+station goes to sleep and wakes up the next time.
+
+Additionally, it can lead to the crash below.
+
+Fix all this by synchronising both paths with a new lock.
+Both path are not fastpath since they handle PS situations.
+
+In a later patch we'll remove the extra skb queue locks to
+reduce locking overhead.
+
+BUG: unable to handle kernel
+NULL pointer dereference at 000000b0
+IP: [<ff6f1791>] ieee80211_report_used_skb+0x11/0x3e0 [mac80211]
+*pde = 00000000
+Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
+EIP: 0060:[<ff6f1791>] EFLAGS: 00210282 CPU: 1
+EIP is at ieee80211_report_used_skb+0x11/0x3e0 [mac80211]
+EAX: e5900da0 EBX: 00000000 ECX: 00000001 EDX: 00000000
+ESI: e41d00c0 EDI: e5900da0 EBP: ebe458e4 ESP: ebe458b0
+ DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+CR0: 8005003b CR2: 000000b0 CR3: 25a78000 CR4: 000407d0
+DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
+DR6: ffff0ff0 DR7: 00000400
+Process iperf (pid: 3934, ti=ebe44000 task=e757c0b0 task.ti=ebe44000)
+iwlwifi 0000:02:00.0: I iwl_pcie_enqueue_hcmd Sending command LQ_CMD (#4e), seq: 0x0903, 92 bytes at 3[3]:9
+Stack:
+ e403b32c ebe458c4 00200002 00200286 e403b338 ebe458cc c10960bb e5900da0
+ ff76a6ec ebe458d8 00000000 e41d00c0 e5900da0 ebe458f0 ff6f1b75 e403b210
+ ebe4598c ff723dc1 00000000 ff76a6ec e597c978 e403b758 00000002 00000002
+Call Trace:
+ [<ff6f1b75>] ieee80211_free_txskb+0x15/0x20 [mac80211]
+ [<ff723dc1>] invoke_tx_handlers+0x1661/0x1780 [mac80211]
+ [<ff7248a5>] ieee80211_tx+0x75/0x100 [mac80211]
+ [<ff7249bf>] ieee80211_xmit+0x8f/0xc0 [mac80211]
+ [<ff72550e>] ieee80211_subif_start_xmit+0x4fe/0xe20 [mac80211]
+ [<c149ef70>] dev_hard_start_xmit+0x450/0x950
+ [<c14b9aa9>] sch_direct_xmit+0xa9/0x250
+ [<c14b9c9b>] __qdisc_run+0x4b/0x150
+ [<c149f732>] dev_queue_xmit+0x2c2/0xca0
+
+Reported-by: Yaara Rozenblum <yaara.rozenblum@intel.com>
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Reviewed-by: Stanislaw Gruszka <sgruszka@redhat.com>
+[reword commit log, use a separate lock]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/sta_info.c | 4 ++++
+ net/mac80211/sta_info.h | 7 +++----
+ net/mac80211/tx.c | 15 +++++++++++++++
+ 3 files changed, 22 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -339,6 +339,7 @@ struct sta_info *sta_info_alloc(struct i
+ return NULL;
+
+ spin_lock_init(&sta->lock);
++ spin_lock_init(&sta->ps_lock);
+ INIT_WORK(&sta->drv_unblock_wk, sta_unblock);
+ INIT_WORK(&sta->ampdu_mlme.work, ieee80211_ba_session_work);
+ mutex_init(&sta->ampdu_mlme.mtx);
+@@ -1045,6 +1046,8 @@ void ieee80211_sta_ps_deliver_wakeup(str
+
+ skb_queue_head_init(&pending);
+
++ /* sync with ieee80211_tx_h_unicast_ps_buf */
++ spin_lock(&sta->ps_lock);
+ /* Send all buffered frames to the station */
+ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+ int count = skb_queue_len(&pending), tmp;
+@@ -1064,6 +1067,7 @@ void ieee80211_sta_ps_deliver_wakeup(str
+ }
+
+ ieee80211_add_pending_skbs_fn(local, &pending, clear_sta_ps_flags, sta);
++ spin_unlock(&sta->ps_lock);
+
+ local->total_ps_buffered -= buffered;
+
+--- a/net/mac80211/sta_info.h
++++ b/net/mac80211/sta_info.h
+@@ -244,6 +244,7 @@ struct sta_ampdu_mlme {
+ * @drv_unblock_wk: used for driver PS unblocking
+ * @listen_interval: listen interval of this station, when we're acting as AP
+ * @_flags: STA flags, see &enum ieee80211_sta_info_flags, do not use directly
++ * @ps_lock: used for powersave (when mac80211 is the AP) related locking
+ * @ps_tx_buf: buffers (per AC) of frames to transmit to this station
+ * when it leaves power saving state or polls
+ * @tx_filtered: buffers (per AC) of frames we already tried to
+@@ -324,10 +325,8 @@ struct sta_info {
+ /* use the accessors defined below */
+ unsigned long _flags;
+
+- /*
+- * STA powersave frame queues, no more than the internal
+- * locking required.
+- */
++ /* STA powersave lock and frame queues */
++ spinlock_t ps_lock;
+ struct sk_buff_head ps_tx_buf[IEEE80211_NUM_ACS];
+ struct sk_buff_head tx_filtered[IEEE80211_NUM_ACS];
+ unsigned long driver_buffered_tids;
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -461,6 +461,20 @@ ieee80211_tx_h_unicast_ps_buf(struct iee
+ sta->sta.addr, sta->sta.aid, ac);
+ if (tx->local->total_ps_buffered >= TOTAL_MAX_TX_BUFFER)
+ purge_old_ps_buffers(tx->local);
++
++ /* sync with ieee80211_sta_ps_deliver_wakeup */
++ spin_lock(&sta->ps_lock);
++ /*
++ * STA woke up the meantime and all the frames on ps_tx_buf have
++ * been queued to pending queue. No reordering can happen, go
++ * ahead and Tx the packet.
++ */
++ if (!test_sta_flag(sta, WLAN_STA_PS_STA) &&
++ !test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
++ spin_unlock(&sta->ps_lock);
++ return TX_CONTINUE;
++ }
++
+ if (skb_queue_len(&sta->ps_tx_buf[ac]) >= STA_MAX_TX_BUFFER) {
+ struct sk_buff *old = skb_dequeue(&sta->ps_tx_buf[ac]);
+ ps_dbg(tx->sdata,
+@@ -474,6 +488,7 @@ ieee80211_tx_h_unicast_ps_buf(struct iee
+ info->control.vif = &tx->sdata->vif;
+ info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING;
+ skb_queue_tail(&sta->ps_tx_buf[ac], tx->skb);
++ spin_unlock(&sta->ps_lock);
+
+ if (!timer_pending(&local->sta_cleanup))
+ mod_timer(&local->sta_cleanup,
--- /dev/null
+From cb664981607a6b5b3d670ad57bbda893b2528d96 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 27 Feb 2014 20:47:53 +0100
+Subject: mac80211: fix association to 20/40 MHz VHT networks
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit cb664981607a6b5b3d670ad57bbda893b2528d96 upstream.
+
+When a VHT network uses 20 or 40 MHz as per the HT operation
+information, the channel center frequency segment 0 field in
+the VHT operation information is reserved, so ignore it.
+
+This fixes association with such networks when the AP puts 0
+into the field, previously we'd disconnect due to an invalid
+channel with the message
+wlan0: AP VHT information is invalid, disable VHT
+
+Fixes: f2d9d270c15ae ("mac80211: support VHT association")
+Reported-by: Tim Nelson <tim.l.nelson@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mlme.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -310,6 +310,7 @@ ieee80211_determine_chantype(struct ieee
+ switch (vht_oper->chan_width) {
+ case IEEE80211_VHT_CHANWIDTH_USE_HT:
+ vht_chandef.width = chandef->width;
++ vht_chandef.center_freq1 = chandef->center_freq1;
+ break;
+ case IEEE80211_VHT_CHANWIDTH_80MHZ:
+ vht_chandef.width = NL80211_CHAN_WIDTH_80;
--- /dev/null
+From 1bf4bbb4024dcdab5e57634dd8ae1072d42a53ac Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Tue, 11 Feb 2014 16:02:47 +0100
+Subject: mac80211: send control port protocol frames to the VO queue
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit 1bf4bbb4024dcdab5e57634dd8ae1072d42a53ac upstream.
+
+Improves reliability of wifi connections with WPA, since authentication
+frames are prioritized over normal traffic and also typically exempt
+from aggregation.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/wme.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/mac80211/wme.c
++++ b/net/mac80211/wme.c
+@@ -153,6 +153,11 @@ u16 ieee80211_select_queue(struct ieee80
+ return IEEE80211_AC_BE;
+ }
+
++ if (skb->protocol == sdata->control_port_protocol) {
++ skb->priority = 7;
++ return ieee80211_downgrade_queue(sdata, skb);
++ }
++
+ /* use the data classifier to determine what 802.1d tag the
+ * data frame has */
+ skb->priority = cfg80211_classify8021d(skb);
--- /dev/null
+From bb8e6a1ee881d131e404f0f1f5e8dc9281002771 Mon Sep 17 00:00:00 2001
+From: Amitkumar Karwar <akarwar@marvell.com>
+Date: Tue, 18 Feb 2014 15:41:55 -0800
+Subject: mwifiex: add NULL check for PCIe Rx skb
+
+From: Amitkumar Karwar <akarwar@marvell.com>
+
+commit bb8e6a1ee881d131e404f0f1f5e8dc9281002771 upstream.
+
+We may get a NULL pointer here if skb allocation for Rx packet
+was failed earlier.
+
+Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/pcie.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/wireless/mwifiex/pcie.c
++++ b/drivers/net/wireless/mwifiex/pcie.c
+@@ -1195,6 +1195,12 @@ static int mwifiex_pcie_process_recv_dat
+ rd_index = card->rxbd_rdptr & reg->rx_mask;
+ skb_data = card->rx_buf_list[rd_index];
+
++ /* If skb allocation was failed earlier for Rx packet,
++ * rx_buf_list[rd_index] would have been left with a NULL.
++ */
++ if (!skb_data)
++ return -ENOMEM;
++
+ MWIFIEX_SKB_PACB(skb_data, &buf_pa);
+ pci_unmap_single(card->dev, buf_pa, MWIFIEX_RX_DATA_BUF_SIZE,
+ PCI_DMA_FROMDEVICE);
--- /dev/null
+From 4f7ba432202c8330cc03ab959c6228d0de5dc4a3 Mon Sep 17 00:00:00 2001
+From: Avinash Patil <patila@marvell.com>
+Date: Tue, 18 Feb 2014 15:41:54 -0800
+Subject: mwifiex: clean pcie ring only when device is present
+
+From: Avinash Patil <patila@marvell.com>
+
+commit 4f7ba432202c8330cc03ab959c6228d0de5dc4a3 upstream.
+
+Write io memory to clean PCIe buffer only when PCIe device is
+present else this results into crash because of invalid memory
+access.
+
+Signed-off-by: Avinash Patil <patila@marvell.com>
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/wmm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mwifiex/wmm.c
++++ b/drivers/net/wireless/mwifiex/wmm.c
+@@ -556,7 +556,8 @@ mwifiex_clean_txrx(struct mwifiex_privat
+ mwifiex_wmm_delete_all_ralist(priv);
+ memcpy(tos_to_tid, ac_to_tid, sizeof(tos_to_tid));
+
+- if (priv->adapter->if_ops.clean_pcie_ring)
++ if (priv->adapter->if_ops.clean_pcie_ring &&
++ !priv->adapter->surprise_removed)
+ priv->adapter->if_ops.clean_pcie_ring(priv->adapter);
+ spin_unlock_irqrestore(&priv->wmm.ra_list_spinlock, flags);
+ }
--- /dev/null
+From c99b1861c232e1f641f13b8645e0febb3712cc71 Mon Sep 17 00:00:00 2001
+From: Amitkumar Karwar <akarwar@marvell.com>
+Date: Tue, 4 Mar 2014 18:43:13 -0800
+Subject: mwifiex: copy AP's HT capability info correctly
+
+From: Amitkumar Karwar <akarwar@marvell.com>
+
+commit c99b1861c232e1f641f13b8645e0febb3712cc71 upstream.
+
+While preparing association request, intersection of device's HT
+capability information and corresponding fields advertised by AP
+is used.
+
+This patch fixes an error while copying this field from AP's
+beacon.
+
+Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/11n.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/11n.c
++++ b/drivers/net/wireless/mwifiex/11n.c
+@@ -307,8 +307,7 @@ mwifiex_cmd_append_11n_tlv(struct mwifie
+ ht_cap->header.len =
+ cpu_to_le16(sizeof(struct ieee80211_ht_cap));
+ memcpy((u8 *) ht_cap + sizeof(struct mwifiex_ie_types_header),
+- (u8 *) bss_desc->bcn_ht_cap +
+- sizeof(struct ieee_types_header),
++ (u8 *)bss_desc->bcn_ht_cap,
+ le16_to_cpu(ht_cap->header.len));
+
+ mwifiex_fill_cap_info(priv, radio_type, ht_cap);
--- /dev/null
+From adb07df1e039e9fe43e66aeea8b4771f83659dbb Mon Sep 17 00:00:00 2001
+From: Bing Zhao <bzhao@marvell.com>
+Date: Wed, 26 Feb 2014 20:11:22 -0800
+Subject: mwifiex: do not advertise usb autosuspend support
+
+From: Bing Zhao <bzhao@marvell.com>
+
+commit adb07df1e039e9fe43e66aeea8b4771f83659dbb upstream.
+
+As many Surface Pro I & II users have found out, the mwifiex_usb
+doesn't support usb autosuspend, and it has caused some system
+stability issues.
+
+Bug 69661 - mwifiex_usb on MS Surface Pro 1 is unstable
+Bug 60815 - Interface hangs in mwifiex_usb
+Bug 64111 - mwifiex_usb USB8797 crash failed to get signal
+ information
+
+USB autosuspend get triggered when Surface Pro's AC power is
+removed or powertop enables power saving on USB8797 device.
+Driver's suspend handler is called here, but resume handler
+won't be called until the AC power is put back on or powertop
+disables power saving for USB8797.
+
+We need to refactor the suspend/resume handlers to support
+usb autosuspend properly. For now let's just remove it.
+
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/usb.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/usb.c
++++ b/drivers/net/wireless/mwifiex/usb.c
+@@ -511,13 +511,6 @@ static int mwifiex_usb_resume(struct usb
+ MWIFIEX_BSS_ROLE_ANY),
+ MWIFIEX_ASYNC_CMD);
+
+-#ifdef CONFIG_PM
+- /* Resume handler may be called due to remote wakeup,
+- * force to exit suspend anyway
+- */
+- usb_disable_autosuspend(card->udev);
+-#endif /* CONFIG_PM */
+-
+ return 0;
+ }
+
+@@ -576,7 +569,6 @@ static struct usb_driver mwifiex_usb_dri
+ .id_table = mwifiex_usb_table,
+ .suspend = mwifiex_usb_suspend,
+ .resume = mwifiex_usb_resume,
+- .supports_autosuspend = 1,
+ };
+
+ static int mwifiex_usb_tx_init(struct mwifiex_adapter *adapter)
--- /dev/null
+From 1c97560f6d751a620978504a4a888c631192b71a Mon Sep 17 00:00:00 2001
+From: Amitkumar Karwar <akarwar@marvell.com>
+Date: Tue, 18 Feb 2014 15:41:56 -0800
+Subject: mwifiex: fix cmd and Tx data timeout issue for PCIe cards
+
+From: Amitkumar Karwar <akarwar@marvell.com>
+
+commit 1c97560f6d751a620978504a4a888c631192b71a upstream.
+
+We are sending sleep confirm done interrupt in the middle of
+sleep handshake. There is a corner case when Tx done interrupt
+is received from firmware during sleep handshake due to which
+host and firmware power states go out of sync causing cmd and
+Tx data timeout problem.
+
+Hence sleep confirm done interrupt is sent at the end of sleep
+handshake to fix the problem.
+
+Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/pcie.c | 28 +++++++++++-----------------
+ 1 file changed, 11 insertions(+), 17 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/pcie.c
++++ b/drivers/net/wireless/mwifiex/pcie.c
+@@ -1515,6 +1515,14 @@ static int mwifiex_pcie_process_cmd_comp
+ if (adapter->ps_state == PS_STATE_SLEEP_CFM) {
+ mwifiex_process_sleep_confirm_resp(adapter, skb->data,
+ skb->len);
++ mwifiex_pcie_enable_host_int(adapter);
++ if (mwifiex_write_reg(adapter,
++ PCIE_CPU_INT_EVENT,
++ CPU_INTR_SLEEP_CFM_DONE)) {
++ dev_warn(adapter->dev,
++ "Write register failed\n");
++ return -1;
++ }
+ while (reg->sleep_cookie && (count++ < 10) &&
+ mwifiex_pcie_ok_to_access_hw(adapter))
+ usleep_range(50, 60);
+@@ -1985,23 +1993,9 @@ static void mwifiex_interrupt_status(str
+ adapter->int_status |= pcie_ireg;
+ spin_unlock_irqrestore(&adapter->int_lock, flags);
+
+- if (pcie_ireg & HOST_INTR_CMD_DONE) {
+- if ((adapter->ps_state == PS_STATE_SLEEP_CFM) ||
+- (adapter->ps_state == PS_STATE_SLEEP)) {
+- mwifiex_pcie_enable_host_int(adapter);
+- if (mwifiex_write_reg(adapter,
+- PCIE_CPU_INT_EVENT,
+- CPU_INTR_SLEEP_CFM_DONE)
+- ) {
+- dev_warn(adapter->dev,
+- "Write register failed\n");
+- return;
+-
+- }
+- }
+- } else if (!adapter->pps_uapsd_mode &&
+- adapter->ps_state == PS_STATE_SLEEP &&
+- mwifiex_pcie_ok_to_access_hw(adapter)) {
++ if (!adapter->pps_uapsd_mode &&
++ adapter->ps_state == PS_STATE_SLEEP &&
++ mwifiex_pcie_ok_to_access_hw(adapter)) {
+ /* Potentially for PCIe we could get other
+ * interrupts like shared. Don't change power
+ * state until cookie is set */
--- /dev/null
+From d51246481c7f28bbfa1f814ded2da65e531cd4b2 Mon Sep 17 00:00:00 2001
+From: Amitkumar Karwar <akarwar@marvell.com>
+Date: Tue, 4 Mar 2014 18:43:14 -0800
+Subject: mwifiex: save and copy AP's VHT capability info correctly
+
+From: Amitkumar Karwar <akarwar@marvell.com>
+
+commit d51246481c7f28bbfa1f814ded2da65e531cd4b2 upstream.
+
+While preparing association request, intersection of device's
+VHT capability information and corresponding field advertised
+by AP is used.
+
+This patch fixes a couple errors while saving and copying vht_cap
+and vht_oper fields from AP's beacon.
+
+Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mwifiex/11ac.c | 3 +--
+ drivers/net/wireless/mwifiex/scan.c | 8 ++++----
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/11ac.c
++++ b/drivers/net/wireless/mwifiex/11ac.c
+@@ -189,8 +189,7 @@ int mwifiex_cmd_append_11ac_tlv(struct m
+ vht_cap->header.len =
+ cpu_to_le16(sizeof(struct ieee80211_vht_cap));
+ memcpy((u8 *)vht_cap + sizeof(struct mwifiex_ie_types_header),
+- (u8 *)bss_desc->bcn_vht_cap +
+- sizeof(struct ieee_types_header),
++ (u8 *)bss_desc->bcn_vht_cap,
+ le16_to_cpu(vht_cap->header.len));
+
+ mwifiex_fill_vht_cap_tlv(priv, vht_cap, bss_desc->bss_band);
+--- a/drivers/net/wireless/mwifiex/scan.c
++++ b/drivers/net/wireless/mwifiex/scan.c
+@@ -2040,12 +2040,12 @@ mwifiex_save_curr_bcn(struct mwifiex_pri
+ curr_bss->ht_info_offset);
+
+ if (curr_bss->bcn_vht_cap)
+- curr_bss->bcn_ht_cap = (void *)(curr_bss->beacon_buf +
+- curr_bss->vht_cap_offset);
++ curr_bss->bcn_vht_cap = (void *)(curr_bss->beacon_buf +
++ curr_bss->vht_cap_offset);
+
+ if (curr_bss->bcn_vht_oper)
+- curr_bss->bcn_ht_oper = (void *)(curr_bss->beacon_buf +
+- curr_bss->vht_info_offset);
++ curr_bss->bcn_vht_oper = (void *)(curr_bss->beacon_buf +
++ curr_bss->vht_info_offset);
+
+ if (curr_bss->bcn_bss_co_2040)
+ curr_bss->bcn_bss_co_2040 =
ipv6-ipv6_find_hdr-restore-prev-functionality.patch
tg3-don-t-check-undefined-error-bits-in-rxbd.patch
net-sctp-fix-sctp_sf_do_5_1d_ce-to-verify-if-we-peer-is-auth-capable.patch
+mac80211-send-control-port-protocol-frames-to-the-vo-queue.patch
+mac80211-fix-ap-powersave-tx-vs.-wakeup-race.patch
+mac80211-don-t-validate-unchanged-ap-bandwidth-while-tracking.patch
+mac80211-fix-association-to-20-40-mhz-vht-networks.patch
+mac80211-clear-sequence-fragment-number-in-qos-null-frames.patch
+ath9k-fix-etsi-compliance-for-ar9462-2.0.patch
+iwlwifi-dvm-clear-iwl_sta_ucode_inprogress-when-assoc-fails.patch
+iwlwifi-fix-tx-status-for-aggregated-packets.patch
+iwlwifi-disable-tx-ampdu-by-default-for-iwldvm.patch
+mwifiex-clean-pcie-ring-only-when-device-is-present.patch
+mwifiex-add-null-check-for-pcie-rx-skb.patch
+mwifiex-fix-cmd-and-tx-data-timeout-issue-for-pcie-cards.patch
+mwifiex-do-not-advertise-usb-autosuspend-support.patch
+mwifiex-copy-ap-s-ht-capability-info-correctly.patch
+mwifiex-save-and-copy-ap-s-vht-capability-info-correctly.patch
+arm-7811-1-locks-use-early-clobber-in-arch_spin_trylock.patch
+drm-ttm-don-t-oops-if-no-invalidate_caches.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
