--- /dev/null
+From 49999ab27eab6289a8e4f450e148bdab521361b2 Mon Sep 17 00:00:00 2001
+From: Ian Kent <raven@themaw.net>
+Date: Thu, 11 Oct 2012 08:00:33 +0800
+Subject: autofs4 - fix reset pending flag on mount fail
+
+From: Ian Kent <raven@themaw.net>
+
+commit 49999ab27eab6289a8e4f450e148bdab521361b2 upstream.
+
+In autofs4_d_automount(), if a mount fail occurs the AUTOFS_INF_PENDING
+mount pending flag is not cleared.
+
+One effect of this is when using the "browse" option, directory entry
+attributes show up with all "?"s due to the incorrect callback and
+subsequent failure return (when in fact no callback should be made).
+
+Signed-off-by: Ian Kent <ikent@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/autofs4/root.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/autofs4/root.c
++++ b/fs/autofs4/root.c
+@@ -392,10 +392,12 @@ static struct vfsmount *autofs4_d_automo
+ ino->flags |= AUTOFS_INF_PENDING;
+ spin_unlock(&sbi->fs_lock);
+ status = autofs4_mount_wait(dentry);
+- if (status)
+- return ERR_PTR(status);
+ spin_lock(&sbi->fs_lock);
+ ino->flags &= ~AUTOFS_INF_PENDING;
++ if (status) {
++ spin_unlock(&sbi->fs_lock);
++ return ERR_PTR(status);
++ }
+ }
+ done:
+ if (!(ino->flags & AUTOFS_INF_EXPIRING)) {
--- /dev/null
+From 60ea8226cbd5c8301f9a39edc574ddabcb8150e0 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Thu, 20 Sep 2012 14:09:30 -0700
+Subject: block: fix request_queue->flags initialization
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 60ea8226cbd5c8301f9a39edc574ddabcb8150e0 upstream.
+
+A queue newly allocated with blk_alloc_queue_node() has only
+QUEUE_FLAG_BYPASS set. For request-based drivers,
+blk_init_allocated_queue() is called and q->queue_flags is overwritten
+with QUEUE_FLAG_DEFAULT which doesn't include BYPASS even though the
+initial bypass is still in effect.
+
+In blk_init_allocated_queue(), or QUEUE_FLAG_DEFAULT to q->queue_flags
+instead of overwriting.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Acked-by: Vivek Goyal <vgoyal@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -696,7 +696,7 @@ blk_init_allocated_queue(struct request_
+ q->request_fn = rfn;
+ q->prep_rq_fn = NULL;
+ q->unprep_rq_fn = NULL;
+- q->queue_flags = QUEUE_FLAG_DEFAULT;
++ q->queue_flags |= QUEUE_FLAG_DEFAULT;
+
+ /* Override internal queue lock with supplied lock pointer */
+ if (lock)
--- /dev/null
+From e4b11b89f9039ca97b2ed1b6efeb6749fbdeb252 Mon Sep 17 00:00:00 2001
+From: Roland Dreier <roland@purestorage.com>
+Date: Tue, 18 Sep 2012 15:10:56 -0700
+Subject: qla2xxx: Fix endianness of task management response code
+
+From: Roland Dreier <roland@purestorage.com>
+
+commit e4b11b89f9039ca97b2ed1b6efeb6749fbdeb252 upstream.
+
+The qla2xxx firmware actually expects the task management response
+code in a CTIO IOCB with SCSI status mode 1 to be in little-endian
+byte order, ie the response code should be the first byte in the
+sense_data[] array. The old code erroneously byte-swapped the
+response code, which puts it in the wrong place on the wire and leads
+to initiators thinking every task management request succeeds (since
+they see 0 in the byte where they look for the response code).
+
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Cc: Chad Dupuis <chad.dupuis@qlogic.com>
+Cc: Arun Easi <arun.easi@qlogic.com>
+Acked-by: Saurav Kashyap <saurav.kashyap@qlogic.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_target.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/qla_target.c
++++ b/drivers/scsi/qla2xxx/qla_target.c
+@@ -1403,7 +1403,7 @@ static void qlt_24xx_send_task_mgmt_ctio
+ ctio->u.status1.scsi_status =
+ __constant_cpu_to_le16(SS_RESPONSE_INFO_LEN_VALID);
+ ctio->u.status1.response_len = __constant_cpu_to_le16(8);
+- ((uint32_t *)ctio->u.status1.sense_data)[0] = cpu_to_be32(resp_code);
++ ctio->u.status1.sense_data[0] = resp_code;
+
+ qla2x00_start_iocbs(ha, ha->req);
+ }
arm-omap-counter-add-locking-to-read_persistent_clock.patch
firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch
sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch
+target-support-zero-allocation-length-in-inquiry.patch
+target-fix-truncation-of-mode-data-support-zero-allocation-length.patch
+target-fix-return-code-in-target_core_init_configfs-error-path.patch
+target-file-re-enable-optional-fd_buffered_io-1-operation.patch
+qla2xxx-fix-endianness-of-task-management-response-code.patch
+vfio-move-pci-intx-eventfd-setting-earlier.patch
+vfio-fix-pci-intx-disable-consistency.patch
+xen-pv-on-hvm-kexec-add-quirk-for-xen-3.4-and-shutdown-watches.patch
+xen-bootup-allow-read-write-_cr8-pvops-call.patch
+xen-bootup-allow-read_tscp-call-for-xen-pv-guests.patch
+block-fix-request_queue-flags-initialization.patch
+autofs4-fix-reset-pending-flag-on-mount-fail.patch
--- /dev/null
+From b32f4c7ed85c5cee2a21a55c9f59ebc9d57a2463 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Sat, 29 Sep 2012 17:15:37 -0700
+Subject: target/file: Re-enable optional fd_buffered_io=1 operation
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit b32f4c7ed85c5cee2a21a55c9f59ebc9d57a2463 upstream.
+
+This patch re-adds the ability to optionally run in buffered FILEIO mode
+(eg: w/o O_DSYNC) for device backends in order to once again use the
+Linux buffered cache as a write-back storage mechanism.
+
+This logic was originally dropped with mainline v3.5-rc commit:
+
+commit a4dff3043c231d57f982af635c9d2192ee40e5ae
+Author: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Wed May 30 16:25:41 2012 -0700
+
+ target/file: Use O_DSYNC by default for FILEIO backends
+
+This difference with this patch is that fd_create_virtdevice() now
+forces the explicit setting of emulate_write_cache=1 when buffered FILEIO
+operation has been enabled.
+
+(v2: Switch to FDBD_HAS_BUFFERED_IO_WCE + add more detailed
+ comment as requested by hch)
+
+Reported-by: Ferry <iscsitmp@bananateam.nl>
+Cc: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_file.c | 41 +++++++++++++++++++++++++++++++++++---
+ drivers/target/target_core_file.h | 1
+ 2 files changed, 39 insertions(+), 3 deletions(-)
+
+--- a/drivers/target/target_core_file.c
++++ b/drivers/target/target_core_file.c
+@@ -125,6 +125,19 @@ static struct se_device *fd_create_virtd
+ * of pure timestamp updates.
+ */
+ flags = O_RDWR | O_CREAT | O_LARGEFILE | O_DSYNC;
++ /*
++ * Optionally allow fd_buffered_io=1 to be enabled for people
++ * who want use the fs buffer cache as an WriteCache mechanism.
++ *
++ * This means that in event of a hard failure, there is a risk
++ * of silent data-loss if the SCSI client has *not* performed a
++ * forced unit access (FUA) write, or issued SYNCHRONIZE_CACHE
++ * to write-out the entire device cache.
++ */
++ if (fd_dev->fbd_flags & FDBD_HAS_BUFFERED_IO_WCE) {
++ pr_debug("FILEIO: Disabling O_DSYNC, using buffered FILEIO\n");
++ flags &= ~O_DSYNC;
++ }
+
+ file = filp_open(fd_dev->fd_dev_name, flags, 0600);
+ if (IS_ERR(file)) {
+@@ -188,6 +201,12 @@ static struct se_device *fd_create_virtd
+ if (!dev)
+ goto fail;
+
++ if (fd_dev->fbd_flags & FDBD_HAS_BUFFERED_IO_WCE) {
++ pr_debug("FILEIO: Forcing setting of emulate_write_cache=1"
++ " with FDBD_HAS_BUFFERED_IO_WCE\n");
++ dev->se_sub_dev->se_dev_attrib.emulate_write_cache = 1;
++ }
++
+ fd_dev->fd_dev_id = fd_host->fd_host_dev_id_count++;
+ fd_dev->fd_queue_depth = dev->queue_depth;
+
+@@ -407,6 +426,7 @@ enum {
+ static match_table_t tokens = {
+ {Opt_fd_dev_name, "fd_dev_name=%s"},
+ {Opt_fd_dev_size, "fd_dev_size=%s"},
++ {Opt_fd_buffered_io, "fd_buffered_io=%d"},
+ {Opt_err, NULL}
+ };
+
+@@ -418,7 +438,7 @@ static ssize_t fd_set_configfs_dev_param
+ struct fd_dev *fd_dev = se_dev->se_dev_su_ptr;
+ char *orig, *ptr, *arg_p, *opts;
+ substring_t args[MAX_OPT_ARGS];
+- int ret = 0, token;
++ int ret = 0, arg, token;
+
+ opts = kstrdup(page, GFP_KERNEL);
+ if (!opts)
+@@ -459,6 +479,19 @@ static ssize_t fd_set_configfs_dev_param
+ " bytes\n", fd_dev->fd_dev_size);
+ fd_dev->fbd_flags |= FBDF_HAS_SIZE;
+ break;
++ case Opt_fd_buffered_io:
++ match_int(args, &arg);
++ if (arg != 1) {
++ pr_err("bogus fd_buffered_io=%d value\n", arg);
++ ret = -EINVAL;
++ goto out;
++ }
++
++ pr_debug("FILEIO: Using buffered I/O"
++ " operations for struct fd_dev\n");
++
++ fd_dev->fbd_flags |= FDBD_HAS_BUFFERED_IO_WCE;
++ break;
+ default:
+ break;
+ }
+@@ -490,8 +523,10 @@ static ssize_t fd_show_configfs_dev_para
+ ssize_t bl = 0;
+
+ bl = sprintf(b + bl, "TCM FILEIO ID: %u", fd_dev->fd_dev_id);
+- bl += sprintf(b + bl, " File: %s Size: %llu Mode: O_DSYNC\n",
+- fd_dev->fd_dev_name, fd_dev->fd_dev_size);
++ bl += sprintf(b + bl, " File: %s Size: %llu Mode: %s\n",
++ fd_dev->fd_dev_name, fd_dev->fd_dev_size,
++ (fd_dev->fbd_flags & FDBD_HAS_BUFFERED_IO_WCE) ?
++ "Buffered-WCE" : "O_DSYNC");
+ return bl;
+ }
+
+--- a/drivers/target/target_core_file.h
++++ b/drivers/target/target_core_file.h
+@@ -14,6 +14,7 @@
+
+ #define FBDF_HAS_PATH 0x01
+ #define FBDF_HAS_SIZE 0x02
++#define FDBD_HAS_BUFFERED_IO_WCE 0x04
+
+ struct fd_dev {
+ u32 fbd_flags;
--- /dev/null
+From 37bb7899ca366dc212b71b150e78566d04808cc0 Mon Sep 17 00:00:00 2001
+From: Peter Senna Tschudin <peter.senna@gmail.com>
+Date: Mon, 17 Sep 2012 20:05:33 +0200
+Subject: target: fix return code in target_core_init_configfs error path
+
+From: Peter Senna Tschudin <peter.senna@gmail.com>
+
+commit 37bb7899ca366dc212b71b150e78566d04808cc0 upstream.
+
+This patch fixes error cases within target_core_init_configfs() to
+properly set ret = -ENOMEM before jumping to the out_global exception
+path.
+
+This was originally discovered with the following Coccinelle semantic
+match information:
+
+Convert a nonnegative error return code to a negative one, as returned
+elsewhere in the function. A simplified version of the semantic match
+that finds this problem is as follows: (http://coccinelle.lip6.fr/)
+
+// <smpl>
+(
+if@p1 (\(ret < 0\|ret != 0\))
+ { ... return ret; }
+|
+ret@p1 = 0
+)
+... when != ret = e1
+ when != &ret
+*if(...)
+{
+ ... when != ret = e2
+ when forall
+ return ret;
+}
+// </smpl>
+
+Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_configfs.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_configfs.c
++++ b/drivers/target/target_core_configfs.c
+@@ -3132,6 +3132,7 @@ static int __init target_core_init_confi
+ GFP_KERNEL);
+ if (!target_cg->default_groups) {
+ pr_err("Unable to allocate target_cg->default_groups\n");
++ ret = -ENOMEM;
+ goto out_global;
+ }
+
+@@ -3147,6 +3148,7 @@ static int __init target_core_init_confi
+ GFP_KERNEL);
+ if (!hba_cg->default_groups) {
+ pr_err("Unable to allocate hba_cg->default_groups\n");
++ ret = -ENOMEM;
+ goto out_global;
+ }
+ config_group_init_type_name(&alua_group,
+@@ -3162,6 +3164,7 @@ static int __init target_core_init_confi
+ GFP_KERNEL);
+ if (!alua_cg->default_groups) {
+ pr_err("Unable to allocate alua_cg->default_groups\n");
++ ret = -ENOMEM;
+ goto out_global;
+ }
+
+@@ -3173,14 +3176,17 @@ static int __init target_core_init_confi
+ * Add core/alua/lu_gps/default_lu_gp
+ */
+ lu_gp = core_alua_allocate_lu_gp("default_lu_gp", 1);
+- if (IS_ERR(lu_gp))
++ if (IS_ERR(lu_gp)) {
++ ret = -ENOMEM;
+ goto out_global;
++ }
+
+ lu_gp_cg = &alua_lu_gps_group;
+ lu_gp_cg->default_groups = kzalloc(sizeof(struct config_group) * 2,
+ GFP_KERNEL);
+ if (!lu_gp_cg->default_groups) {
+ pr_err("Unable to allocate lu_gp_cg->default_groups\n");
++ ret = -ENOMEM;
+ goto out_global;
+ }
+
--- /dev/null
+From 7a3f369ce31694017996524a1cdb08208a839077 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 7 Sep 2012 17:30:39 +0200
+Subject: target: fix truncation of mode data, support zero allocation length
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 7a3f369ce31694017996524a1cdb08208a839077 upstream.
+
+The offset was not bumped back to the full size after writing the
+header of the MODE SENSE response, so the last 1 or 2 bytes were
+not copied.
+
+On top of this, support zero-length requests by checking for the
+return value of transport_kmap_data_sg.
+
+Testcase: sg_raw -r20 /dev/sdb 5a 00 0a 00 00 00 00 00 14 00
+ last byte should be 0x1e
+ it is 0x00 without the patch
+ it is correct with the patch
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_spc.c | 17 +++++++----------
+ 1 file changed, 7 insertions(+), 10 deletions(-)
+
+--- a/drivers/target/target_core_spc.c
++++ b/drivers/target/target_core_spc.c
+@@ -784,7 +784,7 @@ static int spc_emulate_modesense(struct
+ unsigned char *rbuf;
+ int type = dev->transport->get_device_type(dev);
+ int ten = (cmd->t_task_cdb[0] == MODE_SENSE_10);
+- int offset = ten ? 8 : 4;
++ u32 offset = ten ? 8 : 4;
+ int length = 0;
+ unsigned char buf[SE_MODE_PAGE_BUF];
+
+@@ -817,6 +817,7 @@ static int spc_emulate_modesense(struct
+ offset -= 2;
+ buf[0] = (offset >> 8) & 0xff;
+ buf[1] = offset & 0xff;
++ offset += 2;
+
+ if ((cmd->se_lun->lun_access & TRANSPORT_LUNFLAGS_READ_ONLY) ||
+ (cmd->se_deve &&
+@@ -826,13 +827,10 @@ static int spc_emulate_modesense(struct
+ if ((dev->se_sub_dev->se_dev_attrib.emulate_write_cache > 0) &&
+ (dev->se_sub_dev->se_dev_attrib.emulate_fua_write > 0))
+ spc_modesense_dpofua(&buf[3], type);
+-
+- if ((offset + 2) > cmd->data_length)
+- offset = cmd->data_length;
+-
+ } else {
+ offset -= 1;
+ buf[0] = offset & 0xff;
++ offset += 1;
+
+ if ((cmd->se_lun->lun_access & TRANSPORT_LUNFLAGS_READ_ONLY) ||
+ (cmd->se_deve &&
+@@ -842,14 +840,13 @@ static int spc_emulate_modesense(struct
+ if ((dev->se_sub_dev->se_dev_attrib.emulate_write_cache > 0) &&
+ (dev->se_sub_dev->se_dev_attrib.emulate_fua_write > 0))
+ spc_modesense_dpofua(&buf[2], type);
+-
+- if ((offset + 1) > cmd->data_length)
+- offset = cmd->data_length;
+ }
+
+ rbuf = transport_kmap_data_sg(cmd);
+- memcpy(rbuf, buf, offset);
+- transport_kunmap_data_sg(cmd);
++ if (rbuf) {
++ memcpy(rbuf, buf, min(offset, cmd->data_length));
++ transport_kunmap_data_sg(cmd);
++ }
+
+ target_complete_cmd(cmd, GOOD);
+ return 0;
--- /dev/null
+From ffe7b0e9326d9c68f5688bef691dd49f1e0d3651 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Fri, 7 Sep 2012 17:30:38 +0200
+Subject: target: support zero allocation length in INQUIRY
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit ffe7b0e9326d9c68f5688bef691dd49f1e0d3651 upstream.
+
+INQUIRY processing already uses an on-heap bounce buffer for loopback,
+but not for other fabrics. Switch this to a cheaper on-stack bounce
+buffer, similar to the one used by MODE SENSE and REQUEST SENSE, and
+use it unconditionally. With this in place, zero allocation length is
+handled simply by checking the return address of transport_kmap_data_sg.
+
+Testcase: sg_raw /dev/sdb 12 00 83 00 00 00
+ should fail with ILLEGAL REQUEST / INVALID FIELD IN CDB sense
+ does not fail without the patch
+ fails correctly with the series
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_spc.c | 31 ++++++-------------------------
+ 1 file changed, 6 insertions(+), 25 deletions(-)
+
+--- a/drivers/target/target_core_spc.c
++++ b/drivers/target/target_core_spc.c
+@@ -600,30 +600,11 @@ static int spc_emulate_inquiry(struct se
+ {
+ struct se_device *dev = cmd->se_dev;
+ struct se_portal_group *tpg = cmd->se_lun->lun_sep->sep_tpg;
+- unsigned char *buf, *map_buf;
++ unsigned char *rbuf;
+ unsigned char *cdb = cmd->t_task_cdb;
++ unsigned char buf[SE_INQUIRY_BUF];
+ int p, ret;
+
+- map_buf = transport_kmap_data_sg(cmd);
+- /*
+- * If SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC is not set, then we
+- * know we actually allocated a full page. Otherwise, if the
+- * data buffer is too small, allocate a temporary buffer so we
+- * don't have to worry about overruns in all our INQUIRY
+- * emulation handling.
+- */
+- if (cmd->data_length < SE_INQUIRY_BUF &&
+- (cmd->se_cmd_flags & SCF_PASSTHROUGH_SG_TO_MEM_NOALLOC)) {
+- buf = kzalloc(SE_INQUIRY_BUF, GFP_KERNEL);
+- if (!buf) {
+- transport_kunmap_data_sg(cmd);
+- cmd->scsi_sense_reason = TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+- return -ENOMEM;
+- }
+- } else {
+- buf = map_buf;
+- }
+-
+ if (dev == tpg->tpg_virt_lun0.lun_se_dev)
+ buf[0] = 0x3f; /* Not connected */
+ else
+@@ -655,11 +636,11 @@ static int spc_emulate_inquiry(struct se
+ ret = -EINVAL;
+
+ out:
+- if (buf != map_buf) {
+- memcpy(map_buf, buf, cmd->data_length);
+- kfree(buf);
++ rbuf = transport_kmap_data_sg(cmd);
++ if (rbuf) {
++ memcpy(rbuf, buf, min_t(u32, sizeof(buf), cmd->data_length));
++ transport_kunmap_data_sg(cmd);
+ }
+- transport_kunmap_data_sg(cmd);
+
+ if (!ret)
+ target_complete_cmd(cmd, GOOD);
--- /dev/null
+From 899649b7d4ead76c19e39251ca886eebe3f811a8 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 10 Oct 2012 09:10:32 -0600
+Subject: vfio: Fix PCI INTx disable consistency
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 899649b7d4ead76c19e39251ca886eebe3f811a8 upstream.
+
+The virq_disabled flag tracks the userspace view of INTx masking
+across interrupt mode changes, but we're not consistently applying
+this to the interrupt and masking handler notion of the device.
+Currently if the user sets DisINTx while in MSI or MSIX mode, then
+returns to INTx mode (ex. rebooting a qemu guest), the hardware has
+DisINTx+, but the management of INTx thinks it's enabled, making it
+impossible to actually clear DisINTx. Fix this by updating the
+handler state when INTx is re-enabled.
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vfio/pci/vfio_pci_intrs.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/vfio/pci/vfio_pci_intrs.c
++++ b/drivers/vfio/pci/vfio_pci_intrs.c
+@@ -366,6 +366,17 @@ static int vfio_intx_enable(struct vfio_
+ return -ENOMEM;
+
+ vdev->num_ctx = 1;
++
++ /*
++ * If the virtual interrupt is masked, restore it. Devices
++ * supporting DisINTx can be masked at the hardware level
++ * here, non-PCI-2.3 devices will have to wait until the
++ * interrupt is enabled.
++ */
++ vdev->ctx[0].masked = vdev->virq_disabled;
++ if (vdev->pci_2_3)
++ pci_intx(vdev->pdev, !vdev->ctx[0].masked);
++
+ vdev->irq_type = VFIO_PCI_INTX_IRQ_INDEX;
+
+ return 0;
+@@ -419,7 +430,7 @@ static int vfio_intx_set_signal(struct v
+ * disable_irq won't.
+ */
+ spin_lock_irqsave(&vdev->irqlock, flags);
+- if (!vdev->pci_2_3 && (vdev->ctx[0].masked || vdev->virq_disabled))
++ if (!vdev->pci_2_3 && vdev->ctx[0].masked)
+ disable_irq_nosync(pdev->irq);
+ spin_unlock_irqrestore(&vdev->irqlock, flags);
+
--- /dev/null
+From 9dbdfd23b7638d054f3b0e70c64dfb9f297f2a9f Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Wed, 10 Oct 2012 09:10:32 -0600
+Subject: vfio: Move PCI INTx eventfd setting earlier
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 9dbdfd23b7638d054f3b0e70c64dfb9f297f2a9f upstream.
+
+We need to be ready to recieve an interrupt as soon as we call
+request_irq, so our eventfd context setting needs to be moved
+earlier. Without this, an interrupt from our device or one
+sharing the interrupt line can pass a NULL into eventfd_signal
+and oops.
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/vfio/pci/vfio_pci_intrs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/vfio/pci/vfio_pci_intrs.c
++++ b/drivers/vfio/pci/vfio_pci_intrs.c
+@@ -400,19 +400,20 @@ static int vfio_intx_set_signal(struct v
+ return PTR_ERR(trigger);
+ }
+
++ vdev->ctx[0].trigger = trigger;
++
+ if (!vdev->pci_2_3)
+ irqflags = 0;
+
+ ret = request_irq(pdev->irq, vfio_intx_handler,
+ irqflags, vdev->ctx[0].name, vdev);
+ if (ret) {
++ vdev->ctx[0].trigger = NULL;
+ kfree(vdev->ctx[0].name);
+ eventfd_ctx_put(trigger);
+ return ret;
+ }
+
+- vdev->ctx[0].trigger = trigger;
+-
+ /*
+ * INTx disable will stick across the new irq setup,
+ * disable_irq won't.
--- /dev/null
+From 1a7bbda5b1ab0e02622761305a32dc38735b90b2 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Wed, 10 Oct 2012 13:25:48 -0400
+Subject: xen/bootup: allow {read|write}_cr8 pvops call.
+
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+commit 1a7bbda5b1ab0e02622761305a32dc38735b90b2 upstream.
+
+We actually do not do anything about it. Just return a default
+value of zero and if the kernel tries to write anything but 0
+we BUG_ON.
+
+This fixes the case when an user tries to suspend the machine
+and it blows up in save_processor_state b/c 'read_cr8' is set
+to NULL and we get:
+
+kernel BUG at /home/konrad/ssd/linux/arch/x86/include/asm/paravirt.h:100!
+invalid opcode: 0000 [#1] SMP
+Pid: 2687, comm: init.late Tainted: G O 3.6.0upstream-00002-gac264ac-dirty #4 Bochs Bochs
+RIP: e030:[<ffffffff814d5f42>] [<ffffffff814d5f42>] save_processor_state+0x212/0x270
+
+.. snip..
+Call Trace:
+ [<ffffffff810733bf>] do_suspend_lowlevel+0xf/0xac
+ [<ffffffff8107330c>] ? x86_acpi_suspend_lowlevel+0x10c/0x150
+ [<ffffffff81342ee2>] acpi_suspend_enter+0x57/0xd5
+
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/enlighten.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -984,7 +984,16 @@ static void xen_write_cr4(unsigned long
+
+ native_write_cr4(cr4);
+ }
+-
++#ifdef CONFIG_X86_64
++static inline unsigned long xen_read_cr8(void)
++{
++ return 0;
++}
++static inline void xen_write_cr8(unsigned long val)
++{
++ BUG_ON(val);
++}
++#endif
+ static int xen_write_msr_safe(unsigned int msr, unsigned low, unsigned high)
+ {
+ int ret;
+@@ -1153,6 +1162,11 @@ static const struct pv_cpu_ops xen_cpu_o
+ .read_cr4_safe = native_read_cr4_safe,
+ .write_cr4 = xen_write_cr4,
+
++#ifdef CONFIG_X86_64
++ .read_cr8 = xen_read_cr8,
++ .write_cr8 = xen_write_cr8,
++#endif
++
+ .wbinvd = native_wbinvd,
+
+ .read_msr = native_read_msr_safe,
--- /dev/null
+From cd0608e71e9757f4dae35bcfb4e88f4d1a03a8ab Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Wed, 10 Oct 2012 13:30:47 -0400
+Subject: xen/bootup: allow read_tscp call for Xen PV guests.
+
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+commit cd0608e71e9757f4dae35bcfb4e88f4d1a03a8ab upstream.
+
+The hypervisor will trap it. However without this patch,
+we would crash as the .read_tscp is set to NULL. This patch
+fixes it and sets it to the native_read_tscp call.
+
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/xen/enlighten.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/xen/enlighten.c
++++ b/arch/x86/xen/enlighten.c
+@@ -1175,6 +1175,8 @@ static const struct pv_cpu_ops xen_cpu_o
+ .read_tsc = native_read_tsc,
+ .read_pmc = native_read_pmc,
+
++ .read_tscp = native_read_tscp,
++
+ .iret = xen_iret,
+ .irq_enable_sysexit = xen_sysexit,
+ #ifdef CONFIG_X86_64
--- /dev/null
+From cb6b6df111e46b9d0f79eb971575fd50555f43f4 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Wed, 10 Oct 2012 13:23:36 -0400
+Subject: xen/pv-on-hvm kexec: add quirk for Xen 3.4 and shutdown watches.
+
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+commit cb6b6df111e46b9d0f79eb971575fd50555f43f4 upstream.
+
+The commit 254d1a3f02ebc10ccc6e4903394d8d3f484f715e, titled
+"xen/pv-on-hvm kexec: shutdown watches from old kernel" assumes that the
+XenBus backend can deal with reading of values from:
+ "control/platform-feature-xs_reset_watches":
+
+ ... a patch for xenstored is required so that it
+ accepts the XS_RESET_WATCHES request from a client (see changeset
+ 23839:42a45baf037d in xen-unstable.hg). Without the patch for xenstored
+ the registration of watches will fail and some features of a PVonHVM
+ guest are not available. The guest is still able to boot, but repeated
+ kexec boots will fail."
+
+Sadly this is not true when using a Xen 3.4 hypervisor and booting a PVHVM
+guest. We end up hanging at:
+
+ err = xenbus_scanf(XBT_NIL, "control",
+ "platform-feature-xs_reset_watches", "%d", &supported);
+
+This can easily be seen with guests hanging at xenbus_init:
+
+NX (Execute Disable) protection: active
+SMBIOS 2.4 present.
+DMI: Xen HVM domU, BIOS 3.4.0 05/13/2011
+Hypervisor detected: Xen HVM
+Xen version 3.4.
+Xen Platform PCI: I/O protocol version 1
+... snip ..
+calling xenbus_init+0x0/0x27e @ 1
+
+Reverting the commit or using the attached patch fixes the issue. This fix
+checks whether the hypervisor is older than 4.0 and if so does not try to
+perform the read.
+
+Fixes-Oracle-Bug: 14708233
+Acked-by: Olaf Hering <olaf@aepfle.de>
+[v2: Added a comment in the source code]
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/xen/xenbus/xenbus_xs.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/drivers/xen/xenbus/xenbus_xs.c
++++ b/drivers/xen/xenbus/xenbus_xs.c
+@@ -47,6 +47,7 @@
+ #include <xen/xenbus.h>
+ #include <xen/xen.h>
+ #include "xenbus_comms.h"
++#include <asm/xen/hypervisor.h>
+
+ struct xs_stored_msg {
+ struct list_head list;
+@@ -617,7 +618,24 @@ static struct xenbus_watch *find_watch(c
+
+ return NULL;
+ }
++/*
++ * Certain older XenBus toolstack cannot handle reading values that are
++ * not populated. Some Xen 3.4 installation are incapable of doing this
++ * so if we are running on anything older than 4 do not attempt to read
++ * control/platform-feature-xs_reset_watches.
++ */
++static bool xen_strict_xenbus_quirk()
++{
++ uint32_t eax, ebx, ecx, edx, base;
++
++ base = xen_cpuid_base();
++ cpuid(base + 1, &eax, &ebx, &ecx, &edx);
+
++ if ((eax >> 16) < 4)
++ return true;
++ return false;
++
++}
+ static void xs_reset_watches(void)
+ {
+ int err, supported = 0;
+@@ -625,6 +643,9 @@ static void xs_reset_watches(void)
+ if (!xen_hvm_domain())
+ return;
+
++ if (xen_strict_xenbus_quirk())
++ return;
++
+ err = xenbus_scanf(XBT_NIL, "control",
+ "platform-feature-xs_reset_watches", "%d", &supported);
+ if (err != 1 || !supported)
projects / thirdparty / kernel / stable-queue.git / commitdiff
