--- /dev/null
+From c9d534c8cbaedbb522a1d2cb037c6c394f610317 Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@intel.com>
+Date: Fri, 1 Feb 2013 15:45:16 -0700
+Subject: NTB: Correctly handle receive buffers of the minimal size
+
+From: Jon Mason <jon.mason@intel.com>
+
+commit c9d534c8cbaedbb522a1d2cb037c6c394f610317 upstream.
+
+The ring logic of the NTB receive buffer/transmit memory window requires
+there to be at least 2 payload sized allotments. For the minimal size
+case, split the buffer into two and set the transport_mtu to the
+appropriate size.
+
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_transport.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -490,11 +490,12 @@ static void ntb_transport_setup_qp_mw(st
+ rx_size -= sizeof(struct ntb_rx_info);
+
+ qp->rx_buff = qp->remote_rx_info + 1;
+- qp->rx_max_frame = min(transport_mtu, rx_size);
++ /* Due to housekeeping, there must be atleast 2 buffs */
++ qp->rx_max_frame = min(transport_mtu, rx_size / 2);
+ qp->rx_max_entry = rx_size / qp->rx_max_frame;
+ qp->rx_index = 0;
+
+- qp->remote_rx_info->entry = qp->rx_max_entry;
++ qp->remote_rx_info->entry = qp->rx_max_entry - 1;
+
+ /* setup the hdr offsets with 0's */
+ for (i = 0; i < qp->rx_max_entry; i++) {
+@@ -818,7 +819,8 @@ static void ntb_transport_init_queue(str
+ tx_size -= sizeof(struct ntb_rx_info);
+
+ qp->tx_mw = qp->rx_info + 1;
+- qp->tx_max_frame = min(transport_mtu, tx_size);
++ /* Due to housekeeping, there must be atleast 2 buffs */
++ qp->tx_max_frame = min(transport_mtu, tx_size / 2);
+ qp->tx_max_entry = tx_size / qp->tx_max_frame;
+
+ if (nt->debugfs_dir) {
--- /dev/null
+From cc0f868d8adef7bdc12cda132654870086d766bc Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 23 Jan 2013 22:26:05 +0300
+Subject: NTB: fix pointer math issues
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit cc0f868d8adef7bdc12cda132654870086d766bc upstream.
+
+->remote_rx_info and ->rx_info are struct ntb_rx_info pointers. If we
+add sizeof(struct ntb_rx_info) then it goes too far.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_transport.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -486,7 +486,7 @@ static void ntb_transport_setup_qp_mw(st
+ (qp_num / NTB_NUM_MW * rx_size);
+ rx_size -= sizeof(struct ntb_rx_info);
+
+- qp->rx_buff = qp->remote_rx_info + sizeof(struct ntb_rx_info);
++ qp->rx_buff = qp->remote_rx_info + 1;
+ qp->rx_max_frame = min(transport_mtu, rx_size);
+ qp->rx_max_entry = rx_size / qp->rx_max_frame;
+ qp->rx_index = 0;
+@@ -780,7 +780,7 @@ static void ntb_transport_init_queue(str
+ (qp_num / NTB_NUM_MW * tx_size);
+ tx_size -= sizeof(struct ntb_rx_info);
+
+- qp->tx_mw = qp->rx_info + sizeof(struct ntb_rx_info);
++ qp->tx_mw = qp->rx_info + 1;
+ qp->tx_max_frame = min(transport_mtu, tx_size);
+ qp->tx_max_entry = tx_size / qp->tx_max_frame;
+ qp->tx_index = 0;
--- /dev/null
+From 113fc505b83b2d16e820ca74fa07f99a34877b1d Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@intel.com>
+Date: Wed, 30 Jan 2013 11:40:52 -0700
+Subject: NTB: Handle 64bit BAR sizes
+
+From: Jon Mason <jon.mason@intel.com>
+
+commit 113fc505b83b2d16e820ca74fa07f99a34877b1d upstream.
+
+64bit BAR sizes are permissible with an NTB device. To support them
+various modifications and clean-ups were required, most significantly
+using 2 32bit scratch pad registers for each BAR.
+
+Also, modify the driver to allow more than 2 Memory Windows.
+
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_hw.c | 4 -
+ drivers/ntb/ntb_transport.c | 121 ++++++++++++++++++++++++++------------------
+ 2 files changed, 75 insertions(+), 50 deletions(-)
+
+--- a/drivers/ntb/ntb_hw.c
++++ b/drivers/ntb/ntb_hw.c
+@@ -1027,8 +1027,8 @@ static int ntb_pci_probe(struct pci_dev
+ ndev->mw[i].vbase =
+ ioremap_wc(pci_resource_start(pdev, MW_TO_BAR(i)),
+ ndev->mw[i].bar_sz);
+- dev_info(&pdev->dev, "MW %d size %d\n", i,
+- (u32) pci_resource_len(pdev, MW_TO_BAR(i)));
++ dev_info(&pdev->dev, "MW %d size %llu\n", i,
++ pci_resource_len(pdev, MW_TO_BAR(i)));
+ if (!ndev->mw[i].vbase) {
+ dev_warn(&pdev->dev, "Cannot remap BAR %d\n",
+ MW_TO_BAR(i));
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -58,7 +58,7 @@
+ #include <linux/ntb.h>
+ #include "ntb_hw.h"
+
+-#define NTB_TRANSPORT_VERSION 2
++#define NTB_TRANSPORT_VERSION 3
+
+ static unsigned int transport_mtu = 0x401E;
+ module_param(transport_mtu, uint, 0644);
+@@ -173,10 +173,13 @@ struct ntb_payload_header {
+
+ enum {
+ VERSION = 0,
+- MW0_SZ,
+- MW1_SZ,
+- NUM_QPS,
+ QP_LINKS,
++ NUM_QPS,
++ NUM_MWS,
++ MW0_SZ_HIGH,
++ MW0_SZ_LOW,
++ MW1_SZ_HIGH,
++ MW1_SZ_LOW,
+ MAX_SPAD,
+ };
+
+@@ -526,6 +529,18 @@ static int ntb_set_mw(struct ntb_transpo
+ return 0;
+ }
+
++static void ntb_free_mw(struct ntb_transport *nt, int num_mw)
++{
++ struct ntb_transport_mw *mw = &nt->mw[num_mw];
++ struct pci_dev *pdev = ntb_query_pdev(nt->ndev);
++
++ if (!mw->virt_addr)
++ return;
++
++ dma_free_coherent(&pdev->dev, mw->size, mw->virt_addr, mw->dma_addr);
++ mw->virt_addr = NULL;
++}
++
+ static void ntb_qp_link_cleanup(struct work_struct *work)
+ {
+ struct ntb_transport_qp *qp = container_of(work,
+@@ -604,25 +619,31 @@ static void ntb_transport_link_work(stru
+ u32 val;
+ int rc, i;
+
+- /* send the local info */
+- rc = ntb_write_remote_spad(ndev, VERSION, NTB_TRANSPORT_VERSION);
+- if (rc) {
+- dev_err(&pdev->dev, "Error writing %x to remote spad %d\n",
+- 0, VERSION);
+- goto out;
+- }
++ /* send the local info, in the opposite order of the way we read it */
++ for (i = 0; i < NTB_NUM_MW; i++) {
++ rc = ntb_write_remote_spad(ndev, MW0_SZ_HIGH + (i * 2),
++ ntb_get_mw_size(ndev, i) >> 32);
++ if (rc) {
++ dev_err(&pdev->dev, "Error writing %u to remote spad %d\n",
++ (u32)(ntb_get_mw_size(ndev, i) >> 32),
++ MW0_SZ_HIGH + (i * 2));
++ goto out;
++ }
+
+- rc = ntb_write_remote_spad(ndev, MW0_SZ, ntb_get_mw_size(ndev, 0));
+- if (rc) {
+- dev_err(&pdev->dev, "Error writing %x to remote spad %d\n",
+- (u32) ntb_get_mw_size(ndev, 0), MW0_SZ);
+- goto out;
++ rc = ntb_write_remote_spad(ndev, MW0_SZ_LOW + (i * 2),
++ (u32) ntb_get_mw_size(ndev, i));
++ if (rc) {
++ dev_err(&pdev->dev, "Error writing %u to remote spad %d\n",
++ (u32) ntb_get_mw_size(ndev, i),
++ MW0_SZ_LOW + (i * 2));
++ goto out;
++ }
+ }
+
+- rc = ntb_write_remote_spad(ndev, MW1_SZ, ntb_get_mw_size(ndev, 1));
++ rc = ntb_write_remote_spad(ndev, NUM_MWS, NTB_NUM_MW);
+ if (rc) {
+ dev_err(&pdev->dev, "Error writing %x to remote spad %d\n",
+- (u32) ntb_get_mw_size(ndev, 1), MW1_SZ);
++ NTB_NUM_MW, NUM_MWS);
+ goto out;
+ }
+
+@@ -633,16 +654,10 @@ static void ntb_transport_link_work(stru
+ goto out;
+ }
+
+- rc = ntb_read_local_spad(nt->ndev, QP_LINKS, &val);
+- if (rc) {
+- dev_err(&pdev->dev, "Error reading spad %d\n", QP_LINKS);
+- goto out;
+- }
+-
+- rc = ntb_write_remote_spad(ndev, QP_LINKS, val);
++ rc = ntb_write_remote_spad(ndev, VERSION, NTB_TRANSPORT_VERSION);
+ if (rc) {
+ dev_err(&pdev->dev, "Error writing %x to remote spad %d\n",
+- val, QP_LINKS);
++ NTB_TRANSPORT_VERSION, VERSION);
+ goto out;
+ }
+
+@@ -667,33 +682,43 @@ static void ntb_transport_link_work(stru
+ goto out;
+ dev_dbg(&pdev->dev, "Remote max number of qps = %d\n", val);
+
+- rc = ntb_read_remote_spad(ndev, MW0_SZ, &val);
++ rc = ntb_read_remote_spad(ndev, NUM_MWS, &val);
+ if (rc) {
+- dev_err(&pdev->dev, "Error reading remote spad %d\n", MW0_SZ);
++ dev_err(&pdev->dev, "Error reading remote spad %d\n", NUM_MWS);
+ goto out;
+ }
+
+- if (!val)
++ if (val != NTB_NUM_MW)
+ goto out;
+- dev_dbg(&pdev->dev, "Remote MW0 size = %d\n", val);
++ dev_dbg(&pdev->dev, "Remote number of mws = %d\n", val);
+
+- rc = ntb_set_mw(nt, 0, val);
+- if (rc)
+- goto out;
++ for (i = 0; i < NTB_NUM_MW; i++) {
++ u64 val64;
+
+- rc = ntb_read_remote_spad(ndev, MW1_SZ, &val);
+- if (rc) {
+- dev_err(&pdev->dev, "Error reading remote spad %d\n", MW1_SZ);
+- goto out;
+- }
++ rc = ntb_read_remote_spad(ndev, MW0_SZ_HIGH + (i * 2), &val);
++ if (rc) {
++ dev_err(&pdev->dev, "Error reading remote spad %d\n",
++ MW0_SZ_HIGH + (i * 2));
++ goto out1;
++ }
+
+- if (!val)
+- goto out;
+- dev_dbg(&pdev->dev, "Remote MW1 size = %d\n", val);
++ val64 = (u64) val << 32;
+
+- rc = ntb_set_mw(nt, 1, val);
+- if (rc)
+- goto out;
++ rc = ntb_read_remote_spad(ndev, MW0_SZ_LOW + (i * 2), &val);
++ if (rc) {
++ dev_err(&pdev->dev, "Error reading remote spad %d\n",
++ MW0_SZ_LOW + (i * 2));
++ goto out1;
++ }
++
++ val64 |= val;
++
++ dev_dbg(&pdev->dev, "Remote MW%d size = %llu\n", i, val64);
++
++ rc = ntb_set_mw(nt, i, val64);
++ if (rc)
++ goto out1;
++ }
+
+ nt->transport_link = NTB_LINK_UP;
+
+@@ -708,6 +733,9 @@ static void ntb_transport_link_work(stru
+
+ return;
+
++out1:
++ for (i = 0; i < NTB_NUM_MW; i++)
++ ntb_free_mw(nt, i);
+ out:
+ if (ntb_hw_link_status(ndev))
+ schedule_delayed_work(&nt->link_work,
+@@ -897,10 +925,7 @@ void ntb_transport_free(void *transport)
+ pdev = ntb_query_pdev(nt->ndev);
+
+ for (i = 0; i < NTB_NUM_MW; i++)
+- if (nt->mw[i].virt_addr)
+- dma_free_coherent(&pdev->dev, nt->mw[i].size,
+- nt->mw[i].virt_addr,
+- nt->mw[i].dma_addr);
++ ntb_free_mw(nt, i);
+
+ kfree(nt->qps);
+ ntb_unregister_transport(nt->ndev);
--- /dev/null
+From b77b2637b39ecc380bb08992380d7d48452b0872 Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@intel.com>
+Date: Fri, 1 Feb 2013 15:25:37 -0700
+Subject: NTB: Link toggle memory leak
+
+From: Jon Mason <jon.mason@intel.com>
+
+commit b77b2637b39ecc380bb08992380d7d48452b0872 upstream.
+
+Each link-up will allocate a new NTB receive buffer when the NTB
+properties are negotiated with the remote system. These allocations did
+not check for existing buffers and thus did not free them. Now, the
+driver will check for an existing buffer and free it if not of the
+correct size, before trying to alloc a new one.
+
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_transport.c | 32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -507,17 +507,37 @@ static void ntb_transport_setup_qp_mw(st
+ qp->tx_pkts = 0;
+ }
+
++static void ntb_free_mw(struct ntb_transport *nt, int num_mw)
++{
++ struct ntb_transport_mw *mw = &nt->mw[num_mw];
++ struct pci_dev *pdev = ntb_query_pdev(nt->ndev);
++
++ if (!mw->virt_addr)
++ return;
++
++ dma_free_coherent(&pdev->dev, mw->size, mw->virt_addr, mw->dma_addr);
++ mw->virt_addr = NULL;
++}
++
+ static int ntb_set_mw(struct ntb_transport *nt, int num_mw, unsigned int size)
+ {
+ struct ntb_transport_mw *mw = &nt->mw[num_mw];
+ struct pci_dev *pdev = ntb_query_pdev(nt->ndev);
+
++ /* No need to re-setup */
++ if (mw->size == ALIGN(size, 4096))
++ return 0;
++
++ if (mw->size != 0)
++ ntb_free_mw(nt, num_mw);
++
+ /* Alloc memory for receiving data. Must be 4k aligned */
+ mw->size = ALIGN(size, 4096);
+
+ mw->virt_addr = dma_alloc_coherent(&pdev->dev, mw->size, &mw->dma_addr,
+ GFP_KERNEL);
+ if (!mw->virt_addr) {
++ mw->size = 0;
+ dev_err(&pdev->dev, "Unable to allocate MW buffer of size %d\n",
+ (int) mw->size);
+ return -ENOMEM;
+@@ -529,18 +549,6 @@ static int ntb_set_mw(struct ntb_transpo
+ return 0;
+ }
+
+-static void ntb_free_mw(struct ntb_transport *nt, int num_mw)
+-{
+- struct ntb_transport_mw *mw = &nt->mw[num_mw];
+- struct pci_dev *pdev = ntb_query_pdev(nt->ndev);
+-
+- if (!mw->virt_addr)
+- return;
+-
+- dma_free_coherent(&pdev->dev, mw->size, mw->virt_addr, mw->dma_addr);
+- mw->virt_addr = NULL;
+-}
+-
+ static void ntb_qp_link_cleanup(struct work_struct *work)
+ {
+ struct ntb_transport_qp *qp = container_of(work,
--- /dev/null
+From c336acd3331dcc191a97dbc66a557d47741657c7 Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@intel.com>
+Date: Thu, 17 Jan 2013 15:28:45 -0700
+Subject: NTB: memcpy lockup workaround
+
+From: Jon Mason <jon.mason@intel.com>
+
+commit c336acd3331dcc191a97dbc66a557d47741657c7 upstream.
+
+The system will appear to lockup for long periods of time due to the NTB
+driver spending too much time in memcpy. Avoid this by reducing the
+number of packets that can be serviced on a given interrupt.
+
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_transport.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -1034,11 +1034,16 @@ out:
+ static void ntb_transport_rx(unsigned long data)
+ {
+ struct ntb_transport_qp *qp = (struct ntb_transport_qp *)data;
+- int rc;
++ int rc, i;
+
+- do {
++ /* Limit the number of packets processed in a single interrupt to
++ * provide fairness to others
++ */
++ for (i = 0; i < qp->rx_max_entry; i++) {
+ rc = ntb_process_rxc(qp);
+- } while (!rc);
++ if (rc)
++ break;
++ }
+ }
+
+ static void ntb_transport_rxc_db(void *data, int db_num)
--- /dev/null
+From 8b19d450ad188d402a183ff4a4d40f31c3916fbf Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@intel.com>
+Date: Fri, 26 Apr 2013 14:51:57 -0700
+Subject: NTB: Multiple NTB client fix
+
+From: Jon Mason <jon.mason@intel.com>
+
+commit 8b19d450ad188d402a183ff4a4d40f31c3916fbf upstream.
+
+Fix issue with adding multiple ntb client devices to the ntb virtual
+bus. Previously, multiple devices would be added with the same name,
+resulting in crashes. To get around this issue, add a unique number to
+the device when it is added.
+
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_transport.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -300,7 +300,7 @@ int ntb_register_client_dev(char *device
+ {
+ struct ntb_transport_client_dev *client_dev;
+ struct ntb_transport *nt;
+- int rc;
++ int rc, i = 0;
+
+ if (list_empty(&ntb_transport_list))
+ return -ENODEV;
+@@ -318,7 +318,7 @@ int ntb_register_client_dev(char *device
+ dev = &client_dev->dev;
+
+ /* setup and register client devices */
+- dev_set_name(dev, "%s", device_name);
++ dev_set_name(dev, "%s%d", device_name, i);
+ dev->bus = &ntb_bus_type;
+ dev->release = ntb_client_release;
+ dev->parent = &ntb_query_pdev(nt->ndev)->dev;
+@@ -330,6 +330,7 @@ int ntb_register_client_dev(char *device
+ }
+
+ list_add_tail(&client_dev->entry, &nt->client_devs);
++ i++;
+ }
+
+ return 0;
--- /dev/null
+From ad3e2751e7c546ae678be1f8d86e898506b42cef Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 22 Jan 2013 10:19:14 +0300
+Subject: ntb: off by one sanity checks
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit ad3e2751e7c546ae678be1f8d86e898506b42cef upstream.
+
+These tests are off by one. If "mw" is equal to NTB_NUM_MW then we
+would go beyond the end of the ndev->mw[] array.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_hw.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/ntb/ntb_hw.c
++++ b/drivers/ntb/ntb_hw.c
+@@ -345,7 +345,7 @@ int ntb_read_remote_spad(struct ntb_devi
+ */
+ void __iomem *ntb_get_mw_vbase(struct ntb_device *ndev, unsigned int mw)
+ {
+- if (mw > NTB_NUM_MW)
++ if (mw >= NTB_NUM_MW)
+ return NULL;
+
+ return ndev->mw[mw].vbase;
+@@ -362,7 +362,7 @@ void __iomem *ntb_get_mw_vbase(struct nt
+ */
+ resource_size_t ntb_get_mw_size(struct ntb_device *ndev, unsigned int mw)
+ {
+- if (mw > NTB_NUM_MW)
++ if (mw >= NTB_NUM_MW)
+ return 0;
+
+ return ndev->mw[mw].bar_sz;
+@@ -380,7 +380,7 @@ resource_size_t ntb_get_mw_size(struct n
+ */
+ void ntb_set_mw_addr(struct ntb_device *ndev, unsigned int mw, u64 addr)
+ {
+- if (mw > NTB_NUM_MW)
++ if (mw >= NTB_NUM_MW)
+ return;
+
+ dev_dbg(&ndev->pdev->dev, "Writing addr %Lx to BAR %d\n", addr,
--- /dev/null
+From 90f9e934647e652a69396e18c779215a493271cf Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@intel.com>
+Date: Fri, 1 Feb 2013 15:34:35 -0700
+Subject: NTB: reset tx_index on link toggle
+
+From: Jon Mason <jon.mason@intel.com>
+
+commit 90f9e934647e652a69396e18c779215a493271cf upstream.
+
+If the NTB link toggles, the driver could stop receiving due to the
+tx_index not being set to 0 on the transmitting size on a link-up event.
+This is due to the driver expecting the incoming data to start at the
+beginning of the receive buffer and not at a random place.
+
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -505,6 +505,7 @@ static void ntb_transport_setup_qp_mw(st
+
+ qp->rx_pkts = 0;
+ qp->tx_pkts = 0;
++ qp->tx_index = 0;
+ }
+
+ static void ntb_free_mw(struct ntb_transport *nt, int num_mw)
+@@ -819,7 +820,6 @@ static void ntb_transport_init_queue(str
+ qp->tx_mw = qp->rx_info + 1;
+ qp->tx_max_frame = min(transport_mtu, tx_size);
+ qp->tx_max_entry = tx_size / qp->tx_max_frame;
+- qp->tx_index = 0;
+
+ if (nt->debugfs_dir) {
+ char debugfs_name[4];
--- /dev/null
+From 186f27ff9f9ec5c110739ced88ce9f8fca053882 Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@intel.com>
+Date: Tue, 22 Jan 2013 11:35:40 -0700
+Subject: NTB: variable dereferenced before check
+
+From: Jon Mason <jon.mason@intel.com>
+
+commit 186f27ff9f9ec5c110739ced88ce9f8fca053882 upstream.
+
+Correct instances of variable dereferencing before checking its value on
+the functions exported to the client drivers. Also, add sanity checks
+for all exported functions.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_transport.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -1210,12 +1210,14 @@ EXPORT_SYMBOL_GPL(ntb_transport_create_q
+ */
+ void ntb_transport_free_queue(struct ntb_transport_qp *qp)
+ {
+- struct pci_dev *pdev = ntb_query_pdev(qp->ndev);
++ struct pci_dev *pdev;
+ struct ntb_queue_entry *entry;
+
+ if (!qp)
+ return;
+
++ pdev = ntb_query_pdev(qp->ndev);
++
+ cancel_delayed_work_sync(&qp->link_work);
+
+ ntb_unregister_db_callback(qp->ndev, qp->qp_num);
+@@ -1371,12 +1373,13 @@ EXPORT_SYMBOL_GPL(ntb_transport_link_up)
+ */
+ void ntb_transport_link_down(struct ntb_transport_qp *qp)
+ {
+- struct pci_dev *pdev = ntb_query_pdev(qp->ndev);
++ struct pci_dev *pdev;
+ int rc, val;
+
+ if (!qp)
+ return;
+
++ pdev = ntb_query_pdev(qp->ndev);
+ qp->client_ready = NTB_LINK_DOWN;
+
+ rc = ntb_read_local_spad(qp->ndev, QP_LINKS, &val);
+@@ -1408,6 +1411,9 @@ EXPORT_SYMBOL_GPL(ntb_transport_link_dow
+ */
+ bool ntb_transport_link_query(struct ntb_transport_qp *qp)
+ {
++ if (!qp)
++ return false;
++
+ return qp->qp_link == NTB_LINK_UP;
+ }
+ EXPORT_SYMBOL_GPL(ntb_transport_link_query);
+@@ -1422,6 +1428,9 @@ EXPORT_SYMBOL_GPL(ntb_transport_link_que
+ */
+ unsigned char ntb_transport_qp_num(struct ntb_transport_qp *qp)
+ {
++ if (!qp)
++ return 0;
++
+ return qp->qp_num;
+ }
+ EXPORT_SYMBOL_GPL(ntb_transport_qp_num);
+@@ -1436,6 +1445,9 @@ EXPORT_SYMBOL_GPL(ntb_transport_qp_num);
+ */
+ unsigned int ntb_transport_max_size(struct ntb_transport_qp *qp)
+ {
++ if (!qp)
++ return 0;
++
+ return qp->tx_max_frame - sizeof(struct ntb_payload_header);
+ }
+ EXPORT_SYMBOL_GPL(ntb_transport_max_size);
--- /dev/null
+From 904435cf76a9bdd5eb41b1c4e049d5a64f3a8400 Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@intel.com>
+Date: Thu, 18 Apr 2013 13:36:43 -0700
+Subject: ntb_netdev: remove from list on exit
+
+From: Jon Mason <jon.mason@intel.com>
+
+commit 904435cf76a9bdd5eb41b1c4e049d5a64f3a8400 upstream.
+
+The ntb_netdev device is not removed from the global list of devices
+upon device removal. If the device is re-added, the removal code would
+find the first instance and try to remove an already removed device.
+
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ntb_netdev.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ntb_netdev.c
++++ b/drivers/net/ntb_netdev.c
+@@ -375,6 +375,8 @@ static void ntb_netdev_remove(struct pci
+ if (dev == NULL)
+ return;
+
++ list_del(&dev->list);
++
+ ndev = dev->ndev;
+
+ unregister_netdev(ndev);
drm-nouveau-bios-fix-thinko-in-zm_mask_add-opcode.patch
drm-radeon-fix-vram-size-calculation-for-vram-4gb.patch
virtio_console-fix-uapi-header.patch
+ntb-variable-dereferenced-before-check.patch
+ntb-off-by-one-sanity-checks.patch
+ntb-fix-pointer-math-issues.patch
+ntb-handle-64bit-bar-sizes.patch
+ntb-link-toggle-memory-leak.patch
+ntb-reset-tx_index-on-link-toggle.patch
+ntb-correctly-handle-receive-buffers-of-the-minimal-size.patch
+ntb-memcpy-lockup-workaround.patch
+ntb_netdev-remove-from-list-on-exit.patch
+ntb-multiple-ntb-client-fix.patch
+x86-vm86-fix-vm86-syscalls-use-syscall_definex.patch
--- /dev/null
+From 5522ddb3fc0dfd4a503c8278eafd88c9f2d3fada Mon Sep 17 00:00:00 2001
+From: Alexander van Heukelum <heukelum@fastmail.fm>
+Date: Wed, 27 Mar 2013 22:18:05 +0100
+Subject: x86, vm86: fix VM86 syscalls: use SYSCALL_DEFINEx(...)
+
+From: Alexander van Heukelum <heukelum@fastmail.fm>
+
+commit 5522ddb3fc0dfd4a503c8278eafd88c9f2d3fada upstream.
+
+Commit 49cb25e9290 x86: 'get rid of pt_regs argument in vm86/vm86old'
+got rid of the pt_regs stub for sys_vm86old and sys_vm86. The functions
+were, however, not changed to use the calling convention for syscalls.
+
+[AV: killed asmlinkage_protect() - it's done automatically now]
+
+Backported-by: Satoru Takeuchi <satoru.takeuchi@gmail.com>
+Reported-and-tested-by: Hans de Bruin <jmdebruin@xmsnet.nl>
+Signed-off-by: Alexander van Heukelum <heukelum@fastmail.fm>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/syscalls.h | 4 ++--
+ arch/x86/kernel/vm86_32.c | 11 ++++++-----
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/include/asm/syscalls.h
++++ b/arch/x86/include/asm/syscalls.h
+@@ -37,8 +37,8 @@ asmlinkage int sys_get_thread_area(struc
+ unsigned long sys_sigreturn(void);
+
+ /* kernel/vm86_32.c */
+-int sys_vm86old(struct vm86_struct __user *);
+-int sys_vm86(unsigned long, unsigned long);
++asmlinkage long sys_vm86old(struct vm86_struct __user *);
++asmlinkage long sys_vm86(unsigned long, unsigned long);
+
+ #else /* CONFIG_X86_32 */
+
+--- a/arch/x86/kernel/vm86_32.c
++++ b/arch/x86/kernel/vm86_32.c
+@@ -33,6 +33,7 @@
+ #include <linux/capability.h>
+ #include <linux/errno.h>
+ #include <linux/interrupt.h>
++#include <linux/syscalls.h>
+ #include <linux/sched.h>
+ #include <linux/kernel.h>
+ #include <linux/signal.h>
+@@ -48,7 +49,6 @@
+ #include <asm/io.h>
+ #include <asm/tlbflush.h>
+ #include <asm/irq.h>
+-#include <asm/syscalls.h>
+
+ /*
+ * Known problems:
+@@ -202,17 +202,16 @@ out:
+ static int do_vm86_irq_handling(int subfunction, int irqnumber);
+ static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk);
+
+-int sys_vm86old(struct vm86_struct __user *v86)
++SYSCALL_DEFINE1(vm86old, struct vm86_struct __user *, v86)
+ {
+ struct kernel_vm86_struct info; /* declare this _on top_,
+ * this avoids wasting of stack space.
+ * This remains on the stack until we
+ * return to 32 bit user space.
+ */
+- struct task_struct *tsk;
++ struct task_struct *tsk = current;
+ int tmp, ret = -EPERM;
+
+- tsk = current;
+ if (tsk->thread.saved_sp0)
+ goto out;
+ tmp = copy_vm86_regs_from_user(&info.regs, &v86->regs,
+@@ -227,11 +226,12 @@ int sys_vm86old(struct vm86_struct __use
+ do_sys_vm86(&info, tsk);
+ ret = 0; /* we never return here */
+ out:
++ asmlinkage_protect(1, ret, v86);
+ return ret;
+ }
+
+
+-int sys_vm86(unsigned long cmd, unsigned long arg)
++SYSCALL_DEFINE2(vm86, unsigned long, cmd, unsigned long, arg)
+ {
+ struct kernel_vm86_struct info; /* declare this _on top_,
+ * this avoids wasting of stack space.
+@@ -278,6 +278,7 @@ int sys_vm86(unsigned long cmd, unsigned
+ do_sys_vm86(&info, tsk);
+ ret = 0; /* we never return here */
+ out:
++ asmlinkage_protect(2, ret, cmd, arg);
+ return ret;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
