--- /dev/null
+From e46e927b9b7e8d95526e69322855243882b7e1a3 Mon Sep 17 00:00:00 2001
+From: Chase Douglas <chase.douglas@canonical.com>
+Date: Mon, 7 Nov 2011 11:08:05 -0800
+Subject: HID: bump maximum global item tag report size to 96 bytes
+
+From: Chase Douglas <chase.douglas@canonical.com>
+
+commit e46e927b9b7e8d95526e69322855243882b7e1a3 upstream.
+
+This allows the latest N-Trig devices to function properly.
+
+BugLink: https://bugs.launchpad.net/bugs/724831
+
+Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/hid/hid-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -361,7 +361,7 @@ static int hid_parser_global(struct hid_
+
+ case HID_GLOBAL_ITEM_TAG_REPORT_SIZE:
+ parser->global.report_size = item_udata(item);
+- if (parser->global.report_size > 32) {
++ if (parser->global.report_size > 96) {
+ dbg_hid("invalid report_size %d\n",
+ parser->global.report_size);
+ return -1;
--- /dev/null
+From ef6f41157f3864d9bf42671b2ed66062dcafb72e Mon Sep 17 00:00:00 2001
+From: David Herrmann <dh.herrmann@googlemail.com>
+Date: Wed, 7 Dec 2011 21:33:59 +0100
+Subject: HID: wiimote: Select INPUT_FF_MEMLESS
+
+From: David Herrmann <dh.herrmann@googlemail.com>
+
+commit ef6f41157f3864d9bf42671b2ed66062dcafb72e upstream.
+
+We depend on memless force-feedback support, therefore correctly select the
+related config options.
+
+Reported-by: Randy Dunlap <rdunlap@xenotime.net>
+Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/hid/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hid/Kconfig
++++ b/drivers/hid/Kconfig
+@@ -565,6 +565,7 @@ config HID_WACOM_POWER_SUPPLY
+ bool "Wacom Bluetooth devices power supply status support"
+ depends on HID_WACOM
+ select POWER_SUPPLY
++ select INPUT_FF_MEMLESS
+ ---help---
+ Say Y here if you want to enable power supply status monitoring for
+ Wacom Bluetooth devices.
--- /dev/null
+From 7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@polito.it>
+Date: Mon, 19 Dec 2011 15:57:28 +0100
+Subject: ima: fix invalid memory reference
+
+From: Roberto Sassu <roberto.sassu@polito.it>
+
+commit 7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da upstream.
+
+Don't free a valid measurement entry on TPM PCR extend failure.
+
+Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
+Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ security/integrity/ima/ima_queue.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/security/integrity/ima/ima_queue.c
++++ b/security/integrity/ima/ima_queue.c
+@@ -23,6 +23,8 @@
+ #include <linux/slab.h>
+ #include "ima.h"
+
++#define AUDIT_CAUSE_LEN_MAX 32
++
+ LIST_HEAD(ima_measurements); /* list of all measurements */
+
+ /* key: inode (before secure-hashing a file) */
+@@ -94,7 +96,8 @@ static int ima_pcr_extend(const u8 *hash
+
+ result = tpm_pcr_extend(TPM_ANY_NUM, CONFIG_IMA_MEASURE_PCR_IDX, hash);
+ if (result != 0)
+- pr_err("IMA: Error Communicating to TPM chip\n");
++ pr_err("IMA: Error Communicating to TPM chip, result: %d\n",
++ result);
+ return result;
+ }
+
+@@ -106,8 +109,9 @@ int ima_add_template_entry(struct ima_te
+ {
+ u8 digest[IMA_DIGEST_SIZE];
+ const char *audit_cause = "hash_added";
++ char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX];
+ int audit_info = 1;
+- int result = 0;
++ int result = 0, tpmresult = 0;
+
+ mutex_lock(&ima_extend_list_mutex);
+ if (!violation) {
+@@ -129,9 +133,11 @@ int ima_add_template_entry(struct ima_te
+ if (violation) /* invalidate pcr */
+ memset(digest, 0xff, sizeof digest);
+
+- result = ima_pcr_extend(digest);
+- if (result != 0) {
+- audit_cause = "TPM error";
++ tpmresult = ima_pcr_extend(digest);
++ if (tpmresult != 0) {
++ snprintf(tpm_audit_cause, AUDIT_CAUSE_LEN_MAX, "TPM_error(%d)",
++ tpmresult);
++ audit_cause = tpm_audit_cause;
+ audit_info = 0;
+ }
+ out:
--- /dev/null
+From 45fae7493970d7c45626ccd96d4a74f5f1eea5a9 Mon Sep 17 00:00:00 2001
+From: Roberto Sassu <roberto.sassu@polito.it>
+Date: Mon, 19 Dec 2011 15:57:27 +0100
+Subject: ima: free duplicate measurement memory
+
+From: Roberto Sassu <roberto.sassu@polito.it>
+
+commit 45fae7493970d7c45626ccd96d4a74f5f1eea5a9 upstream.
+
+Info about new measurements are cached in the iint for performance. When
+the inode is flushed from cache, the associated iint is flushed as well.
+Subsequent access to the inode will cause the inode to be re-measured and
+will attempt to add a duplicate entry to the measurement list.
+
+This patch frees the duplicate measurement memory, fixing a memory leak.
+
+Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
+Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ security/integrity/ima/ima_api.c | 4 ++--
+ security/integrity/ima/ima_queue.c | 1 +
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/security/integrity/ima/ima_api.c
++++ b/security/integrity/ima/ima_api.c
+@@ -177,8 +177,8 @@ void ima_store_measurement(struct ima_ii
+ strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX);
+
+ result = ima_store_template(entry, violation, inode);
+- if (!result)
++ if (!result || result == -EEXIST)
+ iint->flags |= IMA_MEASURED;
+- else
++ if (result < 0)
+ kfree(entry);
+ }
+--- a/security/integrity/ima/ima_queue.c
++++ b/security/integrity/ima/ima_queue.c
+@@ -114,6 +114,7 @@ int ima_add_template_entry(struct ima_te
+ memcpy(digest, entry->digest, sizeof digest);
+ if (ima_lookup_digest_entry(digest)) {
+ audit_cause = "hash_exists";
++ result = -EEXIST;
+ goto out;
+ }
+ }
--- /dev/null
+From 8a0d551a59ac92d8ff048d6cb29d3a02073e81e8 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Tue, 20 Dec 2011 06:57:45 -0500
+Subject: nfs: fix regression in handling of context= option in NFSv4
+
+From: Jeff Layton <jlayton@redhat.com>
+
+commit 8a0d551a59ac92d8ff048d6cb29d3a02073e81e8 upstream.
+
+Setting the security context of a NFSv4 mount via the context= mount
+option is currently broken. The NFSv4 codepath allocates a parsed
+options struct, and then parses the mount options to fill it. It
+eventually calls nfs4_remote_mount which calls security_init_mnt_opts.
+That clobbers the lsm_opts struct that was populated earlier. This bug
+also looks like it causes a small memory leak on each v4 mount where
+context= is used.
+
+Fix this by moving the initialization of the lsm_opts into
+nfs_alloc_parsed_mount_data. Also, add a destructor for
+nfs_parsed_mount_data to make it easier to free all of the allocations
+hanging off of it, and to ensure that the security_free_mnt_opts is
+called whenever security_init_mnt_opts is.
+
+I believe this regression was introduced quite some time ago, probably
+by commit c02d7adf.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/super.c | 43 +++++++++++++++++++------------------------
+ 1 file changed, 19 insertions(+), 24 deletions(-)
+
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -904,10 +904,24 @@ static struct nfs_parsed_mount_data *nfs
+ data->auth_flavor_len = 1;
+ data->version = version;
+ data->minorversion = 0;
++ security_init_mnt_opts(&data->lsm_opts);
+ }
+ return data;
+ }
+
++static void nfs_free_parsed_mount_data(struct nfs_parsed_mount_data *data)
++{
++ if (data) {
++ kfree(data->client_address);
++ kfree(data->mount_server.hostname);
++ kfree(data->nfs_server.export_path);
++ kfree(data->nfs_server.hostname);
++ kfree(data->fscache_uniq);
++ security_free_mnt_opts(&data->lsm_opts);
++ kfree(data);
++ }
++}
++
+ /*
+ * Sanity-check a server address provided by the mount command.
+ *
+@@ -2218,9 +2232,7 @@ static struct dentry *nfs_fs_mount(struc
+ data = nfs_alloc_parsed_mount_data(NFS_DEFAULT_VERSION);
+ mntfh = nfs_alloc_fhandle();
+ if (data == NULL || mntfh == NULL)
+- goto out_free_fh;
+-
+- security_init_mnt_opts(&data->lsm_opts);
++ goto out;
+
+ /* Validate the mount data */
+ error = nfs_validate_mount_data(raw_data, data, mntfh, dev_name);
+@@ -2232,8 +2244,6 @@ static struct dentry *nfs_fs_mount(struc
+ #ifdef CONFIG_NFS_V4
+ if (data->version == 4) {
+ mntroot = nfs4_try_mount(flags, dev_name, data);
+- kfree(data->client_address);
+- kfree(data->nfs_server.export_path);
+ goto out;
+ }
+ #endif /* CONFIG_NFS_V4 */
+@@ -2284,13 +2294,8 @@ static struct dentry *nfs_fs_mount(struc
+ s->s_flags |= MS_ACTIVE;
+
+ out:
+- kfree(data->nfs_server.hostname);
+- kfree(data->mount_server.hostname);
+- kfree(data->fscache_uniq);
+- security_free_mnt_opts(&data->lsm_opts);
+-out_free_fh:
++ nfs_free_parsed_mount_data(data);
+ nfs_free_fhandle(mntfh);
+- kfree(data);
+ return mntroot;
+
+ out_err_nosb:
+@@ -2613,9 +2618,7 @@ nfs4_remote_mount(struct file_system_typ
+
+ mntfh = nfs_alloc_fhandle();
+ if (data == NULL || mntfh == NULL)
+- goto out_free_fh;
+-
+- security_init_mnt_opts(&data->lsm_opts);
++ goto out;
+
+ /* Get a volume representation */
+ server = nfs4_create_server(data, mntfh);
+@@ -2663,13 +2666,10 @@ nfs4_remote_mount(struct file_system_typ
+
+ s->s_flags |= MS_ACTIVE;
+
+- security_free_mnt_opts(&data->lsm_opts);
+ nfs_free_fhandle(mntfh);
+ return mntroot;
+
+ out:
+- security_free_mnt_opts(&data->lsm_opts);
+-out_free_fh:
+ nfs_free_fhandle(mntfh);
+ return ERR_PTR(error);
+
+@@ -2855,7 +2855,7 @@ static struct dentry *nfs4_mount(struct
+
+ data = nfs_alloc_parsed_mount_data(4);
+ if (data == NULL)
+- goto out_free_data;
++ goto out;
+
+ /* Validate the mount data */
+ error = nfs4_validate_mount_data(raw_data, data, dev_name);
+@@ -2869,12 +2869,7 @@ static struct dentry *nfs4_mount(struct
+ error = PTR_ERR(res);
+
+ out:
+- kfree(data->client_address);
+- kfree(data->nfs_server.export_path);
+- kfree(data->nfs_server.hostname);
+- kfree(data->fscache_uniq);
+-out_free_data:
+- kfree(data);
++ nfs_free_parsed_mount_data(data);
+ dprintk("<-- nfs4_mount() = %d%s\n", error,
+ error != 0 ? " [error]" : "");
+ return res;
--- /dev/null
+From 43717c7daebf10b43f12e68512484b3095bb1ba5 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Mon, 5 Dec 2011 15:40:30 -0500
+Subject: NFS: Retry mounting NFSROOT
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 43717c7daebf10b43f12e68512484b3095bb1ba5 upstream.
+
+Lukas Razik <linux@razik.name> reports that on his SPARC system,
+booting with an NFS root file system stopped working after commit
+56463e50 "NFS: Use super.c for NFSROOT mount option parsing."
+
+We found that the network switch to which Lukas' client was attached
+was delaying access to the LAN after the client's NIC driver reported
+that its link was up. The delay was longer than the timeouts used in
+the NFS client during mounting.
+
+NFSROOT worked for Lukas before commit 56463e50 because in those
+kernels, the client's first operation was an rpcbind request to
+determine which port the NFS server was listening on. When that
+request failed after a long timeout, the client simply selected the
+default NFS port (2049). By that time the switch was allowing access
+to the LAN, and the mount succeeded.
+
+Neither of these client behaviors is desirable, so reverting 56463e50
+is really not a choice. Instead, introduce a mechanism that retries
+the NFSROOT mount request several times. This is the same tactic that
+normal user space NFS mounts employ to overcome server and network
+delays.
+
+Signed-off-by: Lukas Razik <linux@razik.name>
+[ cel: match kernel coding style, add proper patch description ]
+[ cel: add exponential back-off ]
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Tested-by: Lukas Razik <linux@razik.name>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ init/do_mounts.c | 35 +++++++++++++++++++++++++++++++----
+ 1 file changed, 31 insertions(+), 4 deletions(-)
+
+--- a/init/do_mounts.c
++++ b/init/do_mounts.c
+@@ -360,15 +360,42 @@ out:
+ }
+
+ #ifdef CONFIG_ROOT_NFS
++
++#define NFSROOT_TIMEOUT_MIN 5
++#define NFSROOT_TIMEOUT_MAX 30
++#define NFSROOT_RETRY_MAX 5
++
+ static int __init mount_nfs_root(void)
+ {
+ char *root_dev, *root_data;
++ unsigned int timeout;
++ int try, err;
+
+- if (nfs_root_data(&root_dev, &root_data) != 0)
+- return 0;
+- if (do_mount_root(root_dev, "nfs", root_mountflags, root_data) != 0)
++ err = nfs_root_data(&root_dev, &root_data);
++ if (err != 0)
+ return 0;
+- return 1;
++
++ /*
++ * The server or network may not be ready, so try several
++ * times. Stop after a few tries in case the client wants
++ * to fall back to other boot methods.
++ */
++ timeout = NFSROOT_TIMEOUT_MIN;
++ for (try = 1; ; try++) {
++ err = do_mount_root(root_dev, "nfs",
++ root_mountflags, root_data);
++ if (err == 0)
++ return 1;
++ if (try > NFSROOT_RETRY_MAX)
++ break;
++
++ /* Wait, in case the server refused us immediately */
++ ssleep(timeout);
++ timeout <<= 1;
++ if (timeout > NFSROOT_TIMEOUT_MAX)
++ timeout = NFSROOT_TIMEOUT_MAX;
++ }
++ return 0;
+ }
+ #endif
+
--- /dev/null
+From 61f2e5106582d02f30b6807e3f9c07463c572ccb Mon Sep 17 00:00:00 2001
+From: Andy Adamson <andros@netapp.com>
+Date: Wed, 9 Nov 2011 13:58:20 -0500
+Subject: NFSv4.1: fix backchannel slotid off-by-one bug
+
+From: Andy Adamson <andros@netapp.com>
+
+commit 61f2e5106582d02f30b6807e3f9c07463c572ccb upstream.
+
+Signed-off-by: Andy Adamson <andros@netapp.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/nfs/callback_proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/callback_proc.c
++++ b/fs/nfs/callback_proc.c
+@@ -324,7 +324,7 @@ validate_seqid(struct nfs4_slot_table *t
+ dprintk("%s enter. slotid %d seqid %d\n",
+ __func__, args->csa_slotid, args->csa_sequenceid);
+
+- if (args->csa_slotid > NFS41_BC_MAX_CALLBACKS)
++ if (args->csa_slotid >= NFS41_BC_MAX_CALLBACKS)
+ return htonl(NFS4ERR_BADSLOT);
+
+ slot = tbl->slots + args->csa_slotid;
--- /dev/null
+From 1830ea91c20b06608f7cdb2455ce05ba834b3214 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 16 Nov 2011 09:24:16 -0700
+Subject: PCI: Fix PCI_EXP_TYPE_RC_EC value
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 1830ea91c20b06608f7cdb2455ce05ba834b3214 upstream.
+
+Spec shows this as 1010b = 0xa
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/linux/pci_regs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/pci_regs.h
++++ b/include/linux/pci_regs.h
+@@ -392,7 +392,7 @@
+ #define PCI_EXP_TYPE_DOWNSTREAM 0x6 /* Downstream Port */
+ #define PCI_EXP_TYPE_PCI_BRIDGE 0x7 /* PCI/PCI-X Bridge */
+ #define PCI_EXP_TYPE_RC_END 0x9 /* Root Complex Integrated Endpoint */
+-#define PCI_EXP_TYPE_RC_EC 0x10 /* Root Complex Event Collector */
++#define PCI_EXP_TYPE_RC_EC 0xa /* Root Complex Event Collector */
+ #define PCI_EXP_FLAGS_SLOT 0x0100 /* Slot implemented */
+ #define PCI_EXP_FLAGS_IRQ 0x3e00 /* Interrupt message number */
+ #define PCI_EXP_DEVCAP 4 /* Device capabilities */
--- /dev/null
+From a776c491ca5e38c26d9f66923ff574d041e747f4 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Mon, 17 Oct 2011 11:46:06 -0700
+Subject: PCI: msi: Disable msi interrupts when we initialize a pci device
+
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+
+commit a776c491ca5e38c26d9f66923ff574d041e747f4 upstream.
+
+I traced a nasty kexec on panic boot failure to the fact that we had
+screaming msi interrupts and we were not disabling the msi messages at
+kernel startup. The booting kernel had not enabled those interupts so
+was not prepared to handle them.
+
+I can see no reason why we would ever want to leave the msi interrupts
+enabled at boot if something else has enabled those interrupts. The pci
+spec specifies that msi interrupts should be off by default. Drivers
+are expected to enable the msi interrupts if they want to use them. Our
+interrupt handling code reprograms the interrupt handlers at boot and
+will not be be able to do anything useful with an unexpected interrupt.
+
+This patch applies cleanly all of the way back to 2.6.32 where I noticed
+the problem.
+
+Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pci/msi.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/pci/msi.c
++++ b/drivers/pci/msi.c
+@@ -869,5 +869,15 @@ EXPORT_SYMBOL(pci_msi_enabled);
+
+ void pci_msi_init_pci_dev(struct pci_dev *dev)
+ {
++ int pos;
+ INIT_LIST_HEAD(&dev->msi_list);
++
++ /* Disable the msi hardware to avoid screaming interrupts
++ * during boot. This is the power on reset default so
++ * usually this should be a noop.
++ */
++ pos = pci_find_capability(dev, PCI_CAP_ID_MSI);
++ if (pos)
++ msi_set_enable(dev, pos, 0);
++ msix_set_enable(dev, 0);
+ }
--- /dev/null
+From eb31aae8cb5eb54e234ed2d857ddac868195d911 Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Thu, 5 Jan 2012 14:27:24 -0700
+Subject: PNP: work around Dell 1536/1546 BIOS MMCONFIG bug that breaks USB
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+commit eb31aae8cb5eb54e234ed2d857ddac868195d911 upstream.
+
+Some Dell BIOSes have MCFG tables that don't report the entire
+MMCONFIG area claimed by the chipset. If we move PCI devices into
+that claimed-but-unreported area, they don't work.
+
+This quirk reads the AMD MMCONFIG MSRs and adds PNP0C01 resources as
+needed to cover the entire area.
+
+Example problem scenario:
+
+ BIOS-e820: 00000000cfec5400 - 00000000d4000000 (reserved)
+ Fam 10h mmconf [d0000000, dfffffff]
+ PCI: MMCONFIG for domain 0000 [bus 00-3f] at [mem 0xd0000000-0xd3ffffff] (base 0xd0000000)
+ pnp 00:0c: [mem 0xd0000000-0xd3ffffff]
+ pci 0000:00:12.0: reg 10: [mem 0xffb00000-0xffb00fff]
+ pci 0000:00:12.0: no compatible bridge window for [mem 0xffb00000-0xffb00fff]
+ pci 0000:00:12.0: BAR 0: assigned [mem 0xd4000000-0xd40000ff]
+
+Reported-by: Lisa Salimbas <lisa.salimbas@canonical.com>
+Reported-by: <thuban@singularity.fr>
+Tested-by: dann frazier <dann.frazier@canonical.com>
+References: https://bugzilla.kernel.org/show_bug.cgi?id=31602
+References: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/647043
+References: https://bugzilla.redhat.com/show_bug.cgi?id=770308
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pnp/quirks.c | 42 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 42 insertions(+)
+
+--- a/drivers/pnp/quirks.c
++++ b/drivers/pnp/quirks.c
+@@ -295,6 +295,45 @@ static void quirk_system_pci_resources(s
+ }
+ }
+
++#ifdef CONFIG_AMD_NB
++
++#include <asm/amd_nb.h>
++
++static void quirk_amd_mmconfig_area(struct pnp_dev *dev)
++{
++ resource_size_t start, end;
++ struct pnp_resource *pnp_res;
++ struct resource *res;
++ struct resource mmconfig_res, *mmconfig;
++
++ mmconfig = amd_get_mmconfig_range(&mmconfig_res);
++ if (!mmconfig)
++ return;
++
++ list_for_each_entry(pnp_res, &dev->resources, list) {
++ res = &pnp_res->res;
++ if (res->end < mmconfig->start || res->start > mmconfig->end ||
++ (res->start == mmconfig->start && res->end == mmconfig->end))
++ continue;
++
++ dev_info(&dev->dev, FW_BUG
++ "%pR covers only part of AMD MMCONFIG area %pR; adding more reservations\n",
++ res, mmconfig);
++ if (mmconfig->start < res->start) {
++ start = mmconfig->start;
++ end = res->start - 1;
++ pnp_add_mem_resource(dev, start, end, 0);
++ }
++ if (mmconfig->end > res->end) {
++ start = res->end + 1;
++ end = mmconfig->end;
++ pnp_add_mem_resource(dev, start, end, 0);
++ }
++ break;
++ }
++}
++#endif
++
+ /*
+ * PnP Quirks
+ * Cards or devices that need some tweaking due to incomplete resource info
+@@ -322,6 +361,9 @@ static struct pnp_fixup pnp_fixups[] = {
+ /* PnP resources that might overlap PCI BARs */
+ {"PNP0c01", quirk_system_pci_resources},
+ {"PNP0c02", quirk_system_pci_resources},
++#ifdef CONFIG_AMD_NB
++ {"PNP0c01", quirk_amd_mmconfig_area},
++#endif
+ {""}
+ };
+
--- /dev/null
+From aff132d95ffe14eca96cab90597cdd010b457af7 Mon Sep 17 00:00:00 2001
+From: "nagalakshmi.nandigama@lsi.com" <nagalakshmi.nandigama@lsi.com>
+Date: Thu, 1 Dec 2011 07:53:08 +0530
+Subject: SCSI: mpt2sas : Fix for memory allocation error for large host credits
+
+From: "nagalakshmi.nandigama@lsi.com" <nagalakshmi.nandigama@lsi.com>
+
+commit aff132d95ffe14eca96cab90597cdd010b457af7 upstream.
+
+The amount of memory required for tracking chain buffers is rather
+large, and when the host credit count is big, memory allocation
+failure occurs inside __get_free_pages.
+
+The fix is to limit the number of chains to 100,000. In addition,
+the number of host credits is limited to 30,000 IOs. However this
+limitation can be overridden this using the command line option
+max_queue_depth. The algorithm for calculating the
+reply_post_queue_depth is changed so that it is equal to
+(reply_free_queue_depth + 16), previously it was (reply_free_queue_depth * 2).
+
+Signed-off-by: Nagalakshmi Nandigama <nagalakshmi.nandigama@lsi.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/mpt2sas/mpt2sas_base.c | 83 +++++++++++------------------------
+ drivers/scsi/mpt2sas/mpt2sas_scsih.c | 4 -
+ 2 files changed, 29 insertions(+), 58 deletions(-)
+
+--- a/drivers/scsi/mpt2sas/mpt2sas_base.c
++++ b/drivers/scsi/mpt2sas/mpt2sas_base.c
+@@ -66,6 +66,8 @@ static MPT_CALLBACK mpt_callbacks[MPT_MA
+
+ #define FAULT_POLLING_INTERVAL 1000 /* in milliseconds */
+
++#define MAX_HBA_QUEUE_DEPTH 30000
++#define MAX_CHAIN_DEPTH 100000
+ static int max_queue_depth = -1;
+ module_param(max_queue_depth, int, 0);
+ MODULE_PARM_DESC(max_queue_depth, " max controller queue depth ");
+@@ -2098,8 +2100,6 @@ _base_release_memory_pools(struct MPT2SA
+ }
+ if (ioc->chain_dma_pool)
+ pci_pool_destroy(ioc->chain_dma_pool);
+- }
+- if (ioc->chain_lookup) {
+ free_pages((ulong)ioc->chain_lookup, ioc->chain_pages);
+ ioc->chain_lookup = NULL;
+ }
+@@ -2117,9 +2117,7 @@ static int
+ _base_allocate_memory_pools(struct MPT2SAS_ADAPTER *ioc, int sleep_flag)
+ {
+ struct mpt2sas_facts *facts;
+- u32 queue_size, queue_diff;
+ u16 max_sge_elements;
+- u16 num_of_reply_frames;
+ u16 chains_needed_per_io;
+ u32 sz, total_sz;
+ u32 retry_sz;
+@@ -2146,7 +2144,8 @@ _base_allocate_memory_pools(struct MPT2S
+ max_request_credit = (max_queue_depth < facts->RequestCredit)
+ ? max_queue_depth : facts->RequestCredit;
+ else
+- max_request_credit = facts->RequestCredit;
++ max_request_credit = min_t(u16, facts->RequestCredit,
++ MAX_HBA_QUEUE_DEPTH);
+
+ ioc->hba_queue_depth = max_request_credit;
+ ioc->hi_priority_depth = facts->HighPriorityCredit;
+@@ -2187,50 +2186,25 @@ _base_allocate_memory_pools(struct MPT2S
+ }
+ ioc->chains_needed_per_io = chains_needed_per_io;
+
+- /* reply free queue sizing - taking into account for events */
+- num_of_reply_frames = ioc->hba_queue_depth + 32;
+-
+- /* number of replies frames can't be a multiple of 16 */
+- /* decrease number of reply frames by 1 */
+- if (!(num_of_reply_frames % 16))
+- num_of_reply_frames--;
+-
+- /* calculate number of reply free queue entries
+- * (must be multiple of 16)
+- */
+-
+- /* (we know reply_free_queue_depth is not a multiple of 16) */
+- queue_size = num_of_reply_frames;
+- queue_size += 16 - (queue_size % 16);
+- ioc->reply_free_queue_depth = queue_size;
+-
+- /* reply descriptor post queue sizing */
+- /* this size should be the number of request frames + number of reply
+- * frames
+- */
++ /* reply free queue sizing - taking into account for 64 FW events */
++ ioc->reply_free_queue_depth = ioc->hba_queue_depth + 64;
+
+- queue_size = ioc->hba_queue_depth + num_of_reply_frames + 1;
+- /* round up to 16 byte boundary */
+- if (queue_size % 16)
+- queue_size += 16 - (queue_size % 16);
+-
+- /* check against IOC maximum reply post queue depth */
+- if (queue_size > facts->MaxReplyDescriptorPostQueueDepth) {
+- queue_diff = queue_size -
+- facts->MaxReplyDescriptorPostQueueDepth;
+-
+- /* round queue_diff up to multiple of 16 */
+- if (queue_diff % 16)
+- queue_diff += 16 - (queue_diff % 16);
+-
+- /* adjust hba_queue_depth, reply_free_queue_depth,
+- * and queue_size
+- */
+- ioc->hba_queue_depth -= (queue_diff / 2);
+- ioc->reply_free_queue_depth -= (queue_diff / 2);
+- queue_size = facts->MaxReplyDescriptorPostQueueDepth;
++ /* align the reply post queue on the next 16 count boundary */
++ if (!ioc->reply_free_queue_depth % 16)
++ ioc->reply_post_queue_depth = ioc->reply_free_queue_depth + 16;
++ else
++ ioc->reply_post_queue_depth = ioc->reply_free_queue_depth +
++ 32 - (ioc->reply_free_queue_depth % 16);
++ if (ioc->reply_post_queue_depth >
++ facts->MaxReplyDescriptorPostQueueDepth) {
++ ioc->reply_post_queue_depth = min_t(u16,
++ (facts->MaxReplyDescriptorPostQueueDepth -
++ (facts->MaxReplyDescriptorPostQueueDepth % 16)),
++ (ioc->hba_queue_depth - (ioc->hba_queue_depth % 16)));
++ ioc->reply_free_queue_depth = ioc->reply_post_queue_depth - 16;
++ ioc->hba_queue_depth = ioc->reply_free_queue_depth - 64;
+ }
+- ioc->reply_post_queue_depth = queue_size;
++
+
+ dinitprintk(ioc, printk(MPT2SAS_INFO_FMT "scatter gather: "
+ "sge_in_main_msg(%d), sge_per_chain(%d), sge_per_io(%d), "
+@@ -2316,15 +2290,12 @@ _base_allocate_memory_pools(struct MPT2S
+ "depth(%d)\n", ioc->name, ioc->request,
+ ioc->scsiio_depth));
+
+- /* loop till the allocation succeeds */
+- do {
+- sz = ioc->chain_depth * sizeof(struct chain_tracker);
+- ioc->chain_pages = get_order(sz);
+- ioc->chain_lookup = (struct chain_tracker *)__get_free_pages(
+- GFP_KERNEL, ioc->chain_pages);
+- if (ioc->chain_lookup == NULL)
+- ioc->chain_depth -= 100;
+- } while (ioc->chain_lookup == NULL);
++ ioc->chain_depth = min_t(u32, ioc->chain_depth, MAX_CHAIN_DEPTH);
++ sz = ioc->chain_depth * sizeof(struct chain_tracker);
++ ioc->chain_pages = get_order(sz);
++
++ ioc->chain_lookup = (struct chain_tracker *)__get_free_pages(
++ GFP_KERNEL, ioc->chain_pages);
+ ioc->chain_dma_pool = pci_pool_create("chain pool", ioc->pdev,
+ ioc->request_sz, 16, 0);
+ if (!ioc->chain_dma_pool) {
+--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
++++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
+@@ -974,8 +974,8 @@ _scsih_get_chain_buffer_tracker(struct M
+ spin_lock_irqsave(&ioc->scsi_lookup_lock, flags);
+ if (list_empty(&ioc->free_chain_list)) {
+ spin_unlock_irqrestore(&ioc->scsi_lookup_lock, flags);
+- printk(MPT2SAS_WARN_FMT "chain buffers not available\n",
+- ioc->name);
++ dfailprintk(ioc, printk(MPT2SAS_WARN_FMT "chain buffers not "
++ "available\n", ioc->name));
+ return NULL;
+ }
+ chain_req = list_entry(ioc->free_chain_list.next,
--- /dev/null
+From 30c43282f3d347f47f9e05199d2b14f56f3f2837 Mon Sep 17 00:00:00 2001
+From: "nagalakshmi.nandigama@lsi.com" <nagalakshmi.nandigama@lsi.com>
+Date: Thu, 1 Dec 2011 07:52:56 +0530
+Subject: SCSI: mpt2sas: Release spinlock for the raid device list before blocking it
+
+From: "nagalakshmi.nandigama@lsi.com" <nagalakshmi.nandigama@lsi.com>
+
+commit 30c43282f3d347f47f9e05199d2b14f56f3f2837 upstream.
+
+Added code to release the spinlock that is used to protect the
+raid device list before calling a function that can block. The
+blocking was causing a reschedule, and subsequently it is tried
+to acquire the same lock, resulting in a panic (NMI Watchdog
+detecting a CPU lockup).
+
+Signed-off-by: Nagalakshmi Nandigama <nagalakshmi.nandigama@lsi.com>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/scsi/mpt2sas/mpt2sas_scsih.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
++++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
+@@ -6425,6 +6425,7 @@ _scsih_mark_responding_raid_device(struc
+ } else
+ sas_target_priv_data = NULL;
+ raid_device->responding = 1;
++ spin_unlock_irqrestore(&ioc->raid_device_lock, flags);
+ starget_printk(KERN_INFO, raid_device->starget,
+ "handle(0x%04x), wwid(0x%016llx)\n", handle,
+ (unsigned long long)raid_device->wwid);
+@@ -6435,16 +6436,16 @@ _scsih_mark_responding_raid_device(struc
+ */
+ _scsih_init_warpdrive_properties(ioc, raid_device);
+ if (raid_device->handle == handle)
+- goto out;
++ return;
+ printk(KERN_INFO "\thandle changed from(0x%04x)!!!\n",
+ raid_device->handle);
+ raid_device->handle = handle;
+ if (sas_target_priv_data)
+ sas_target_priv_data->handle = handle;
+- goto out;
++ return;
+ }
+ }
+- out:
++
+ spin_unlock_irqrestore(&ioc->raid_device_lock, flags);
+ }
+
drm-radeon-kms-workaround-invalid-avi-infoframe-checksum-issue.patch
drm-radeon-kms-disable-writeback-on-pre-r300-asics.patch
radeon-fix-disabling-pci-bus-mastering-on-big-endian-hosts.patch
+nfs-retry-mounting-nfsroot.patch
+nfsv4.1-fix-backchannel-slotid-off-by-one-bug.patch
+nfs-fix-regression-in-handling-of-context-option-in-nfsv4.patch
+hid-bump-maximum-global-item-tag-report-size-to-96-bytes.patch
+hid-wiimote-select-input_ff_memless.patch
+ubi-fix-missing-scrub-when-there-is-a-bit-flip.patch
+ubi-fix-use-after-free-on-error-path.patch
+pci-fix-pci_exp_type_rc_ec-value.patch
+pci-msi-disable-msi-interrupts-when-we-initialize-a-pci-device.patch
+x86-pci-ignore-cpu-non-addressable-_crs-reserved-memory-resources.patch
+x86-pci-amd-factor-out-mmconfig-discovery.patch
+x86-pci-build-amd_bus.o-only-when-config_amd_nb-y.patch
+scsi-mpt2sas-release-spinlock-for-the-raid-device-list-before-blocking-it.patch
+scsi-mpt2sas-fix-for-memory-allocation-error-for-large-host-credits.patch
+xen-xenbus-reject-replies-with-payload-xenstore_payload_max.patch
+ima-free-duplicate-measurement-memory.patch
+ima-fix-invalid-memory-reference.patch
+pnp-work-around-dell-1536-1546-bios-mmconfig-bug-that-breaks-usb.patch
--- /dev/null
+From e801e128b2200c40a0ec236cf2330b2586b6e05a Mon Sep 17 00:00:00 2001
+From: Bhavesh Parekh <bparekh@nvidia.com>
+Date: Wed, 30 Nov 2011 17:43:42 +0530
+Subject: UBI: fix missing scrub when there is a bit-flip
+
+From: Bhavesh Parekh <bparekh@nvidia.com>
+
+commit e801e128b2200c40a0ec236cf2330b2586b6e05a upstream.
+
+Under some cases, when scrubbing the PEB if we did not get the lock on
+the PEB it fails to scrub. Add that PEB again to the scrub list
+
+Artem: minor amendments.
+
+Signed-off-by: Bhavesh Parekh <bparekh@nvidia.com>
+Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/mtd/ubi/eba.c | 6 ++++--
+ drivers/mtd/ubi/ubi.h | 2 ++
+ drivers/mtd/ubi/wl.c | 5 ++++-
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/ubi/eba.c
++++ b/drivers/mtd/ubi/eba.c
+@@ -1028,12 +1028,14 @@ int ubi_eba_copy_leb(struct ubi_device *
+ * 'ubi_wl_put_peb()' function on the @ubi->move_mutex. In turn, we are
+ * holding @ubi->move_mutex and go sleep on the LEB lock. So, if the
+ * LEB is already locked, we just do not move it and return
+- * %MOVE_CANCEL_RACE, which means that UBI will re-try, but later.
++ * %MOVE_RETRY. Note, we do not return %MOVE_CANCEL_RACE here because
++ * we do not know the reasons of the contention - it may be just a
++ * normal I/O on this LEB, so we want to re-try.
+ */
+ err = leb_write_trylock(ubi, vol_id, lnum);
+ if (err) {
+ dbg_wl("contention on LEB %d:%d, cancel", vol_id, lnum);
+- return MOVE_CANCEL_RACE;
++ return MOVE_RETRY;
+ }
+
+ /*
+--- a/drivers/mtd/ubi/ubi.h
++++ b/drivers/mtd/ubi/ubi.h
+@@ -121,6 +121,7 @@ enum {
+ * PEB
+ * MOVE_CANCEL_BITFLIPS: canceled because a bit-flip was detected in the
+ * target PEB
++ * MOVE_RETRY: retry scrubbing the PEB
+ */
+ enum {
+ MOVE_CANCEL_RACE = 1,
+@@ -128,6 +129,7 @@ enum {
+ MOVE_TARGET_RD_ERR,
+ MOVE_TARGET_WR_ERR,
+ MOVE_CANCEL_BITFLIPS,
++ MOVE_RETRY,
+ };
+
+ /**
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -792,7 +792,10 @@ static int wear_leveling_worker(struct u
+ protect = 1;
+ goto out_not_moved;
+ }
+-
++ if (err == MOVE_RETRY) {
++ scrubbing = 1;
++ goto out_not_moved;
++ }
+ if (err == MOVE_CANCEL_BITFLIPS || err == MOVE_TARGET_WR_ERR ||
+ err == MOVE_TARGET_RD_ERR) {
+ /*
--- /dev/null
+From e57e0d8e818512047fe379157c3f77f1b9fabffb Mon Sep 17 00:00:00 2001
+From: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Date: Thu, 5 Jan 2012 10:47:18 +0200
+Subject: UBI: fix use-after-free on error path
+
+From: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+
+commit e57e0d8e818512047fe379157c3f77f1b9fabffb upstream.
+
+When we fail to erase a PEB, we free the corresponding erase entry object,
+but then re-schedule this object if the error code was something like -EAGAIN.
+Obviously, it is a bug to use the object after we have freed it.
+
+Reported-by: Emese Revfy <re.emese@gmail.com>
+Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/mtd/ubi/wl.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -1049,7 +1049,6 @@ static int erase_worker(struct ubi_devic
+
+ ubi_err("failed to erase PEB %d, error %d", pnum, err);
+ kfree(wl_wrk);
+- kmem_cache_free(ubi_wl_entry_slab, e);
+
+ if (err == -EINTR || err == -ENOMEM || err == -EAGAIN ||
+ err == -EBUSY) {
+@@ -1062,14 +1061,16 @@ static int erase_worker(struct ubi_devic
+ goto out_ro;
+ }
+ return err;
+- } else if (err != -EIO) {
++ }
++
++ kmem_cache_free(ubi_wl_entry_slab, e);
++ if (err != -EIO)
+ /*
+ * If this is not %-EIO, we have no idea what to do. Scheduling
+ * this physical eraseblock for erasure again would cause
+ * errors again and again. Well, lets switch to R/O mode.
+ */
+ goto out_ro;
+- }
+
+ /* It is %-EIO, the PEB went bad */
+
--- /dev/null
+From 24d25dbfa63c376323096660bfa9ad45a08870ce Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Thu, 5 Jan 2012 14:27:19 -0700
+Subject: x86/PCI: amd: factor out MMCONFIG discovery
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+commit 24d25dbfa63c376323096660bfa9ad45a08870ce upstream.
+
+This factors out the AMD native MMCONFIG discovery so we can use it
+outside amd_bus.c.
+
+amd_bus.c reads AMD MSRs so it can remove the MMCONFIG area from the
+PCI resources. We may also need the MMCONFIG information to work
+around BIOS defects in the ACPI MCFG table.
+
+Cc: Borislav Petkov <borislav.petkov@amd.com>
+Cc: Yinghai Lu <yinghai@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/include/asm/amd_nb.h | 2 ++
+ arch/x86/kernel/amd_nb.c | 31 +++++++++++++++++++++++++++++++
+ arch/x86/pci/amd_bus.c | 42 +++++++++++-------------------------------
+ 3 files changed, 44 insertions(+), 31 deletions(-)
+
+--- a/arch/x86/include/asm/amd_nb.h
++++ b/arch/x86/include/asm/amd_nb.h
+@@ -1,6 +1,7 @@
+ #ifndef _ASM_X86_AMD_NB_H
+ #define _ASM_X86_AMD_NB_H
+
++#include <linux/ioport.h>
+ #include <linux/pci.h>
+
+ struct amd_nb_bus_dev_range {
+@@ -13,6 +14,7 @@ extern const struct pci_device_id amd_nb
+ extern const struct amd_nb_bus_dev_range amd_nb_bus_dev_ranges[];
+
+ extern bool early_is_amd_nb(u32 value);
++extern struct resource *amd_get_mmconfig_range(struct resource *res);
+ extern int amd_cache_northbridges(void);
+ extern void amd_flush_garts(void);
+ extern int amd_numa_init(void);
+--- a/arch/x86/kernel/amd_nb.c
++++ b/arch/x86/kernel/amd_nb.c
+@@ -119,6 +119,37 @@ bool __init early_is_amd_nb(u32 device)
+ return false;
+ }
+
++struct resource *amd_get_mmconfig_range(struct resource *res)
++{
++ u32 address;
++ u64 base, msr;
++ unsigned segn_busn_bits;
++
++ if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD)
++ return NULL;
++
++ /* assume all cpus from fam10h have mmconfig */
++ if (boot_cpu_data.x86 < 0x10)
++ return NULL;
++
++ address = MSR_FAM10H_MMIO_CONF_BASE;
++ rdmsrl(address, msr);
++
++ /* mmconfig is not enabled */
++ if (!(msr & FAM10H_MMIO_CONF_ENABLE))
++ return NULL;
++
++ base = msr & (FAM10H_MMIO_CONF_BASE_MASK<<FAM10H_MMIO_CONF_BASE_SHIFT);
++
++ segn_busn_bits = (msr >> FAM10H_MMIO_CONF_BUSRANGE_SHIFT) &
++ FAM10H_MMIO_CONF_BUSRANGE_MASK;
++
++ res->flags = IORESOURCE_MEM;
++ res->start = base;
++ res->end = base + (1ULL<<(segn_busn_bits + 20)) - 1;
++ return res;
++}
++
+ int amd_get_subcaches(int cpu)
+ {
+ struct pci_dev *link = node_to_amd_nb(amd_get_nb_id(cpu))->link;
+--- a/arch/x86/pci/amd_bus.c
++++ b/arch/x86/pci/amd_bus.c
+@@ -30,34 +30,6 @@ static struct pci_hostbridge_probe pci_p
+ { 0, 0x18, PCI_VENDOR_ID_AMD, 0x1300 },
+ };
+
+-static u64 __initdata fam10h_mmconf_start;
+-static u64 __initdata fam10h_mmconf_end;
+-static void __init get_pci_mmcfg_amd_fam10h_range(void)
+-{
+- u32 address;
+- u64 base, msr;
+- unsigned segn_busn_bits;
+-
+- /* assume all cpus from fam10h have mmconf */
+- if (boot_cpu_data.x86 < 0x10)
+- return;
+-
+- address = MSR_FAM10H_MMIO_CONF_BASE;
+- rdmsrl(address, msr);
+-
+- /* mmconfig is not enable */
+- if (!(msr & FAM10H_MMIO_CONF_ENABLE))
+- return;
+-
+- base = msr & (FAM10H_MMIO_CONF_BASE_MASK<<FAM10H_MMIO_CONF_BASE_SHIFT);
+-
+- segn_busn_bits = (msr >> FAM10H_MMIO_CONF_BUSRANGE_SHIFT) &
+- FAM10H_MMIO_CONF_BUSRANGE_MASK;
+-
+- fam10h_mmconf_start = base;
+- fam10h_mmconf_end = base + (1ULL<<(segn_busn_bits + 20)) - 1;
+-}
+-
+ #define RANGE_NUM 16
+
+ /**
+@@ -85,6 +57,9 @@ static int __init early_fill_mp_bus_info
+ u64 val;
+ u32 address;
+ bool found;
++ struct resource fam10h_mmconf_res, *fam10h_mmconf;
++ u64 fam10h_mmconf_start;
++ u64 fam10h_mmconf_end;
+
+ if (!early_pci_allowed())
+ return -1;
+@@ -211,12 +186,17 @@ static int __init early_fill_mp_bus_info
+ subtract_range(range, RANGE_NUM, 0, end);
+
+ /* get mmconfig */
+- get_pci_mmcfg_amd_fam10h_range();
++ fam10h_mmconf = amd_get_mmconfig_range(&fam10h_mmconf_res);
+ /* need to take out mmconf range */
+- if (fam10h_mmconf_end) {
+- printk(KERN_DEBUG "Fam 10h mmconf [%llx, %llx]\n", fam10h_mmconf_start, fam10h_mmconf_end);
++ if (fam10h_mmconf) {
++ printk(KERN_DEBUG "Fam 10h mmconf %pR\n", fam10h_mmconf);
++ fam10h_mmconf_start = fam10h_mmconf->start;
++ fam10h_mmconf_end = fam10h_mmconf->end;
+ subtract_range(range, RANGE_NUM, fam10h_mmconf_start,
+ fam10h_mmconf_end + 1);
++ } else {
++ fam10h_mmconf_start = 0;
++ fam10h_mmconf_end = 0;
+ }
+
+ /* mmio resource */
--- /dev/null
+From 5cf9a4e69c1ff0ccdd1d2b7404f95c0531355274 Mon Sep 17 00:00:00 2001
+From: Bjorn Helgaas <bhelgaas@google.com>
+Date: Thu, 12 Jan 2012 08:01:40 -0700
+Subject: x86/PCI: build amd_bus.o only when CONFIG_AMD_NB=y
+
+From: Bjorn Helgaas <bhelgaas@google.com>
+
+commit 5cf9a4e69c1ff0ccdd1d2b7404f95c0531355274 upstream.
+
+We only need amd_bus.o for AMD systems with PCI. arch/x86/pci/Makefile
+already depends on CONFIG_PCI=y, so this patch just adds the dependency
+on CONFIG_AMD_NB.
+
+Cc: Yinghai Lu <yinghai@kernel.org>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/pci/Makefile | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/pci/Makefile
++++ b/arch/x86/pci/Makefile
+@@ -18,8 +18,9 @@ obj-$(CONFIG_X86_NUMAQ) += numaq_32.o
+ obj-$(CONFIG_X86_MRST) += mrst.o
+
+ obj-y += common.o early.o
+-obj-y += amd_bus.o bus_numa.o
++obj-y += bus_numa.o
+
++obj-$(CONFIG_AMD_NB) += amd_bus.o
+ obj-$(CONFIG_PCI_CNB20LE_QUIRK) += broadcom_bus.o
+
+ ifeq ($(CONFIG_PCI_DEBUG),y)
--- /dev/null
+From ae5cd86455381282ece162966183d3f208c6fad7 Mon Sep 17 00:00:00 2001
+From: Gary Hade <garyhade@us.ibm.com>
+Date: Mon, 14 Nov 2011 15:42:16 -0800
+Subject: x86/PCI: Ignore CPU non-addressable _CRS reserved memory resources
+
+From: Gary Hade <garyhade@us.ibm.com>
+
+commit ae5cd86455381282ece162966183d3f208c6fad7 upstream.
+
+This assures that a _CRS reserved host bridge window or window region is
+not used if it is not addressable by the CPU. The new code either trims
+the window to exclude the non-addressable portion or totally ignores the
+window if the entire window is non-addressable.
+
+The current code has been shown to be problematic with 32-bit non-PAE
+kernels on systems where _CRS reserves resources above 4GB.
+
+Signed-off-by: Gary Hade <garyhade@us.ibm.com>
+Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
+Cc: Thomas Renninger <trenn@novell.com>
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/pci/acpi.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/pci/acpi.c
++++ b/arch/x86/pci/acpi.c
+@@ -149,7 +149,7 @@ setup_resource(struct acpi_resource *acp
+ struct acpi_resource_address64 addr;
+ acpi_status status;
+ unsigned long flags;
+- u64 start, end;
++ u64 start, orig_end, end;
+
+ status = resource_to_addr(acpi_res, &addr);
+ if (!ACPI_SUCCESS(status))
+@@ -165,7 +165,21 @@ setup_resource(struct acpi_resource *acp
+ return AE_OK;
+
+ start = addr.minimum + addr.translation_offset;
+- end = addr.maximum + addr.translation_offset;
++ orig_end = end = addr.maximum + addr.translation_offset;
++
++ /* Exclude non-addressable range or non-addressable portion of range */
++ end = min(end, (u64)iomem_resource.end);
++ if (end <= start) {
++ dev_info(&info->bridge->dev,
++ "host bridge window [%#llx-%#llx] "
++ "(ignored, not CPU addressable)\n", start, orig_end);
++ return AE_OK;
++ } else if (orig_end != end) {
++ dev_info(&info->bridge->dev,
++ "host bridge window [%#llx-%#llx] "
++ "([%#llx-%#llx] ignored, not CPU addressable)\n",
++ start, orig_end, end + 1, orig_end);
++ }
+
+ res = &info->res[info->res_num];
+ res->name = info->name;
--- /dev/null
+From 9e7860cee18241633eddb36a4c34c7b61d8cecbc Mon Sep 17 00:00:00 2001
+From: Ian Campbell <Ian.Campbell@citrix.com>
+Date: Wed, 4 Jan 2012 09:34:49 +0000
+Subject: xen/xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX.
+
+From: Ian Campbell <Ian.Campbell@citrix.com>
+
+commit 9e7860cee18241633eddb36a4c34c7b61d8cecbc upstream.
+
+Haogang Chen found out that:
+
+ There is a potential integer overflow in process_msg() that could result
+ in cross-domain attack.
+
+ body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH);
+
+ When a malicious guest passes 0xffffffff in msg->hdr.len, the subsequent
+ call to xb_read() would write to a zero-length buffer.
+
+ The other end of this connection is always the xenstore backend daemon
+ so there is no guest (malicious or otherwise) which can do this. The
+ xenstore daemon is a trusted component in the system.
+
+ However this seem like a reasonable robustness improvement so we should
+ have it.
+
+And Ian when read the API docs found that:
+ The payload length (len field of the header) is limited to 4096
+ (XENSTORE_PAYLOAD_MAX) in both directions. If a client exceeds the
+ limit, its xenstored connection will be immediately killed by
+ xenstored, which is usually catastrophic from the client's point of
+ view. Clients (particularly domains, which cannot just reconnect)
+ should avoid this.
+
+so this patch checks against that instead.
+
+This also avoids a potential integer overflow pointed out by Haogang Chen.
+
+Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
+Cc: Haogang Chen <haogangchen@gmail.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/xen/xenbus/xenbus_xs.c | 6 ++++++
+ include/xen/interface/io/xs_wire.h | 3 +++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/xen/xenbus/xenbus_xs.c
++++ b/drivers/xen/xenbus/xenbus_xs.c
+@@ -801,6 +801,12 @@ static int process_msg(void)
+ goto out;
+ }
+
++ if (msg->hdr.len > XENSTORE_PAYLOAD_MAX) {
++ kfree(msg);
++ err = -EINVAL;
++ goto out;
++ }
++
+ body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH);
+ if (body == NULL) {
+ kfree(msg);
+--- a/include/xen/interface/io/xs_wire.h
++++ b/include/xen/interface/io/xs_wire.h
+@@ -84,4 +84,7 @@ struct xenstore_domain_interface {
+ XENSTORE_RING_IDX rsp_cons, rsp_prod;
+ };
+
++/* Violating this is very bad. See docs/misc/xenstore.txt. */
++#define XENSTORE_PAYLOAD_MAX 4096
++
+ #endif /* _XS_WIRE_H */
projects / thirdparty / kernel / stable-queue.git / commitdiff
