--- /dev/null
+From 63a02ce1c5c59baa40b99756492e3ec8d6b51483 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Mon, 25 Feb 2013 06:09:24 +0000
+Subject: b43: Fix lockdep splat on module unload
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 63a02ce1c5c59baa40b99756492e3ec8d6b51483 upstream.
+
+On unload, b43 produces a lockdep warning that can be summarized in the
+following way:
+
+ ======================================================
+ [ INFO: possible circular locking dependency detected ]
+ 3.8.0-wl+ #117 Not tainted
+ -------------------------------------------------------
+ modprobe/5557 is trying to acquire lock:
+ ((&wl->firmware_load)){+.+.+.}, at: [<ffffffff81062160>] flush_work+0x0/0x2a0
+
+ but task is already holding lock:
+ (rtnl_mutex){+.+.+.}, at: [<ffffffff813bd7d2>] rtnl_lock+0x12/0x20
+
+ which lock already depends on the new lock.
+ [ INFO: possible circular locking dependency detected ]
+ ======================================================
+
+The full output is available at http://lkml.indiana.edu/hypermail/linux/kernel/1302.3/00060.html.
+To summarize, commit 6b6fa58 added a 'cancel_work_sync(&wl->firmware_load)'
+call in the wrong place.
+
+The fix is to move the cancel_work_sync() call to b43_bcma_remove() and
+b43_ssb_remove(). Thanks to Johannes Berg and Michael Buesch for help in
+diagnosing the log output.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/b43/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -4214,7 +4214,6 @@ redo:
+ mutex_unlock(&wl->mutex);
+ cancel_delayed_work_sync(&dev->periodic_work);
+ cancel_work_sync(&wl->tx_work);
+- cancel_work_sync(&wl->firmware_load);
+ mutex_lock(&wl->mutex);
+ dev = wl->current_dev;
+ if (!dev || b43_status(dev) < B43_STAT_STARTED) {
+@@ -5434,6 +5433,7 @@ static void b43_bcma_remove(struct bcma_
+ /* We must cancel any work here before unregistering from ieee80211,
+ * as the ieee80211 unreg will destroy the workqueue. */
+ cancel_work_sync(&wldev->restart_work);
++ cancel_work_sync(&wl->firmware_load);
+
+ B43_WARN_ON(!wl);
+ if (!wldev->fw.ucode.data)
+@@ -5510,6 +5510,7 @@ static void b43_ssb_remove(struct ssb_de
+ /* We must cancel any work here before unregistering from ieee80211,
+ * as the ieee80211 unreg will destroy the workqueue. */
+ cancel_work_sync(&wldev->restart_work);
++ cancel_work_sync(&wl->firmware_load);
+
+ B43_WARN_ON(!wl);
+ if (!wldev->fw.ucode.data)
--- /dev/null
+From 7b74e912785a11572da43292786ed07ada7e3e0c Mon Sep 17 00:00:00 2001
+From: Tomas Henzl <thenzl@redhat.com>
+Date: Wed, 27 Feb 2013 17:03:32 -0800
+Subject: block: fix ext_devt_idr handling
+
+From: Tomas Henzl <thenzl@redhat.com>
+
+commit 7b74e912785a11572da43292786ed07ada7e3e0c upstream.
+
+While adding and removing a lot of disks disks and partitions this
+sometimes shows up:
+
+ WARNING: at fs/sysfs/dir.c:512 sysfs_add_one+0xc9/0x130() (Not tainted)
+ Hardware name:
+ sysfs: cannot create duplicate filename '/dev/block/259:751'
+ Modules linked in: raid1 autofs4 bnx2fc cnic uio fcoe libfcoe libfc 8021q scsi_transport_fc scsi_tgt garp stp llc sunrpc cpufreq_ondemand powernow_k8 freq_table mperf ipv6 dm_mirror dm_region_hash dm_log power_meter microcode dcdbas serio_raw amd64_edac_mod edac_core edac_mce_amd i2c_piix4 i2c_core k10temp bnx2 sg ixgbe dca mdio ext4 mbcache jbd2 dm_round_robin sr_mod cdrom sd_mod crc_t10dif ata_generic pata_acpi pata_atiixp ahci mptsas mptscsih mptbase scsi_transport_sas dm_multipath dm_mod [last unloaded: scsi_wait_scan]
+ Pid: 44103, comm: async/16 Not tainted 2.6.32-195.el6.x86_64 #1
+ Call Trace:
+ warn_slowpath_common+0x87/0xc0
+ warn_slowpath_fmt+0x46/0x50
+ sysfs_add_one+0xc9/0x130
+ sysfs_do_create_link+0x12b/0x170
+ sysfs_create_link+0x13/0x20
+ device_add+0x317/0x650
+ idr_get_new+0x13/0x50
+ add_partition+0x21c/0x390
+ rescan_partitions+0x32b/0x470
+ sd_open+0x81/0x1f0 [sd_mod]
+ __blkdev_get+0x1b6/0x3c0
+ blkdev_get+0x10/0x20
+ register_disk+0x155/0x170
+ add_disk+0xa6/0x160
+ sd_probe_async+0x13b/0x210 [sd_mod]
+ add_wait_queue+0x46/0x60
+ async_thread+0x102/0x250
+ default_wake_function+0x0/0x20
+ async_thread+0x0/0x250
+ kthread+0x96/0xa0
+ child_rip+0xa/0x20
+ kthread+0x0/0xa0
+ child_rip+0x0/0x20
+
+This most likely happens because dev_t is freed while the number is
+still used and idr_get_new() is not protected on every use. The fix
+adds a mutex where it wasn't before and moves the dev_t free function so
+it is called after device del.
+
+Signed-off-by: Tomas Henzl <thenzl@redhat.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/genhd.c | 6 +++++-
+ block/partition-generic.c | 2 +-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -422,14 +422,18 @@ int blk_alloc_devt(struct hd_struct *par
+ do {
+ if (!idr_pre_get(&ext_devt_idr, GFP_KERNEL))
+ return -ENOMEM;
++ mutex_lock(&ext_devt_mutex);
+ rc = idr_get_new(&ext_devt_idr, part, &idx);
++ mutex_unlock(&ext_devt_mutex);
+ } while (rc == -EAGAIN);
+
+ if (rc)
+ return rc;
+
+ if (idx > MAX_EXT_DEVT) {
++ mutex_lock(&ext_devt_mutex);
+ idr_remove(&ext_devt_idr, idx);
++ mutex_unlock(&ext_devt_mutex);
+ return -EBUSY;
+ }
+
+@@ -646,7 +650,6 @@ void del_gendisk(struct gendisk *disk)
+ disk_part_iter_exit(&piter);
+
+ invalidate_partition(disk, 0);
+- blk_free_devt(disk_to_dev(disk)->devt);
+ set_capacity(disk, 0);
+ disk->flags &= ~GENHD_FL_UP;
+
+@@ -664,6 +667,7 @@ void del_gendisk(struct gendisk *disk)
+ if (!sysfs_deprecated)
+ sysfs_remove_link(block_depr, dev_name(disk_to_dev(disk)));
+ device_del(disk_to_dev(disk));
++ blk_free_devt(disk_to_dev(disk)->devt);
+ }
+ EXPORT_SYMBOL(del_gendisk);
+
+--- a/block/partition-generic.c
++++ b/block/partition-generic.c
+@@ -249,11 +249,11 @@ void delete_partition(struct gendisk *di
+ if (!part)
+ return;
+
+- blk_free_devt(part_devt(part));
+ rcu_assign_pointer(ptbl->part[partno], NULL);
+ rcu_assign_pointer(ptbl->last_lookup, NULL);
+ kobject_put(part->holder_dir);
+ device_del(part_to_dev(part));
++ blk_free_devt(part_devt(part));
+
+ hd_struct_put(part);
+ }
--- /dev/null
+From a2fd6419174470f5ae6383f5037d0ee21ed9833f Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Mon, 25 Feb 2013 15:54:09 -0500
+Subject: doc, kernel-parameters: Document 'console=hvc<n>'
+
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+commit a2fd6419174470f5ae6383f5037d0ee21ed9833f upstream.
+
+Both the PowerPC hypervisor and Xen hypervisor can utilize the
+hvc driver.
+
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Link: http://lkml.kernel.org/r/1361825650-14031-3-git-send-email-konrad.wilk@oracle.com
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/kernel-parameters.txt | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -564,6 +564,8 @@ bytes respectively. Such letter suffixes
+ UART at the specified I/O port or MMIO address,
+ switching to the matching ttyS device later. The
+ options are the same as for ttyS, above.
++ hvc<n> Use the hypervisor console device <n>. This is for
++ both Xen and PowerPC hypervisors.
+
+ If the device connected to the port is not a TTY but a braille
+ device, prepend "brl," before the device type, for instance
--- /dev/null
+From 2482a92e7d17187301d7313cfe5021b13393a0b4 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Date: Mon, 25 Feb 2013 15:54:08 -0500
+Subject: doc, xen: Mention 'earlyprintk=xen' in the documentation.
+
+From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+
+commit 2482a92e7d17187301d7313cfe5021b13393a0b4 upstream.
+
+The earlyprintk for Xen PV guests utilizes a simple hypercall
+(console_io) to provide output to Xen emergency console.
+
+Note that the Xen hypervisor should be booted with 'loglevel=all'
+to output said information.
+
+Reported-by: H. Peter Anvin <hpa@zytor.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+Link: http://lkml.kernel.org/r/1361825650-14031-2-git-send-email-konrad.wilk@oracle.com
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/kernel-parameters.txt | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -754,6 +754,7 @@ bytes respectively. Such letter suffixes
+
+ earlyprintk= [X86,SH,BLACKFIN]
+ earlyprintk=vga
++ earlyprintk=xen
+ earlyprintk=serial[,ttySn[,baudrate]]
+ earlyprintk=ttySn[,baudrate]
+ earlyprintk=dbgp[debugController#]
+@@ -771,6 +772,8 @@ bytes respectively. Such letter suffixes
+ The VGA output is eventually overwritten by the real
+ console.
+
++ The xen output can only be used by Xen PV guests.
++
+ ekgdboc= [X86,KGDB] Allow early kernel console debugging
+ ekgdboc=kbd
+
--- /dev/null
+From 8c189ea64eea01ca20d102ddb74d6936dd16c579 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+Date: Wed, 13 Feb 2013 15:18:38 -0500
+Subject: ftrace: Call ftrace cleanup module notifier after all other notifiers
+
+From: "Steven Rostedt (Red Hat)" <rostedt@goodmis.org>
+
+commit 8c189ea64eea01ca20d102ddb74d6936dd16c579 upstream.
+
+Commit: c1bf08ac "ftrace: Be first to run code modification on modules"
+
+changed ftrace module notifier's priority to INT_MAX in order to
+process the ftrace nops before anything else could touch them
+(namely kprobes). This was the correct thing to do.
+
+Unfortunately, the ftrace module notifier also contains the ftrace
+clean up code. As opposed to the set up code, this code should be
+run *after* all the module notifiers have run in case a module is doing
+correct clean-up and unregisters its ftrace hooks. Basically, ftrace
+needs to do clean up on module removal, as it needs to know about code
+being removed so that it doesn't try to modify that code. But after it
+removes the module from its records, if a ftrace user tries to remove
+a probe, that removal will fail due as the record of that code segment
+no longer exists.
+
+Nothing really bad happens if the probe removal is called after ftrace
+did the clean up, but the ftrace removal function will return an error.
+Correct code (such as kprobes) will produce a WARN_ON() if it fails
+to remove the probe. As people get annoyed by frivolous warnings, it's
+best to do the ftrace clean up after everything else.
+
+By splitting the ftrace_module_notifier into two notifiers, one that
+does the module load setup that is run at high priority, and the other
+that is called for module clean up that is run at low priority, the
+problem is solved.
+
+Reported-by: Frank Ch. Eigler <fche@redhat.com>
+Acked-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/ftrace.c | 46 ++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 32 insertions(+), 14 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3970,37 +3970,51 @@ static void ftrace_init_module(struct mo
+ ftrace_process_locs(mod, start, end);
+ }
+
+-static int ftrace_module_notify(struct notifier_block *self,
+- unsigned long val, void *data)
++static int ftrace_module_notify_enter(struct notifier_block *self,
++ unsigned long val, void *data)
+ {
+ struct module *mod = data;
+
+- switch (val) {
+- case MODULE_STATE_COMING:
++ if (val == MODULE_STATE_COMING)
+ ftrace_init_module(mod, mod->ftrace_callsites,
+ mod->ftrace_callsites +
+ mod->num_ftrace_callsites);
+- break;
+- case MODULE_STATE_GOING:
++ return 0;
++}
++
++static int ftrace_module_notify_exit(struct notifier_block *self,
++ unsigned long val, void *data)
++{
++ struct module *mod = data;
++
++ if (val == MODULE_STATE_GOING)
+ ftrace_release_mod(mod);
+- break;
+- }
+
+ return 0;
+ }
+ #else
+-static int ftrace_module_notify(struct notifier_block *self,
+- unsigned long val, void *data)
++static int ftrace_module_notify_enter(struct notifier_block *self,
++ unsigned long val, void *data)
++{
++ return 0;
++}
++static int ftrace_module_notify_exit(struct notifier_block *self,
++ unsigned long val, void *data)
+ {
+ return 0;
+ }
+ #endif /* CONFIG_MODULES */
+
+-struct notifier_block ftrace_module_nb = {
+- .notifier_call = ftrace_module_notify,
++struct notifier_block ftrace_module_enter_nb = {
++ .notifier_call = ftrace_module_notify_enter,
+ .priority = INT_MAX, /* Run before anything that can use kprobes */
+ };
+
++struct notifier_block ftrace_module_exit_nb = {
++ .notifier_call = ftrace_module_notify_exit,
++ .priority = INT_MIN, /* Run after anything that can remove kprobes */
++};
++
+ extern unsigned long __start_mcount_loc[];
+ extern unsigned long __stop_mcount_loc[];
+
+@@ -4032,9 +4046,13 @@ void __init ftrace_init(void)
+ __start_mcount_loc,
+ __stop_mcount_loc);
+
+- ret = register_module_notifier(&ftrace_module_nb);
++ ret = register_module_notifier(&ftrace_module_enter_nb);
++ if (ret)
++ pr_warning("Failed to register trace ftrace module enter notifier\n");
++
++ ret = register_module_notifier(&ftrace_module_exit_nb);
+ if (ret)
+- pr_warning("Failed to register trace ftrace module notifier\n");
++ pr_warning("Failed to register trace ftrace module exit notifier\n");
+
+ set_ftrace_early_filters();
+
--- /dev/null
+From f528d980c17b8714aedc918ba86e058af914d66b Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <joro@8bytes.org>
+Date: Wed, 6 Feb 2013 12:55:23 +0100
+Subject: iommu/amd: Initialize device table after dma_ops
+
+From: Joerg Roedel <joro@8bytes.org>
+
+commit f528d980c17b8714aedc918ba86e058af914d66b upstream.
+
+When dma_ops are initialized the unity mappings are
+created. The init_device_table_dma() function makes sure DMA
+from all devices is blocked by default. This opens a short
+window in time where DMA to unity mapped regions is blocked
+by the IOMMU. Make sure this does not happen by initializing
+the device table after dma_ops.
+
+Signed-off-by: Joerg Roedel <joro@8bytes.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iommu/amd_iommu_init.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/iommu/amd_iommu_init.c
++++ b/drivers/iommu/amd_iommu_init.c
+@@ -1876,11 +1876,6 @@ static int amd_iommu_init_dma(void)
+ struct amd_iommu *iommu;
+ int ret;
+
+- init_device_table_dma();
+-
+- for_each_iommu(iommu)
+- iommu_flush_all_caches(iommu);
+-
+ if (iommu_pass_through)
+ ret = amd_iommu_init_passthrough();
+ else
+@@ -1889,6 +1884,11 @@ static int amd_iommu_init_dma(void)
+ if (ret)
+ return ret;
+
++ init_device_table_dma();
++
++ for_each_iommu(iommu)
++ iommu_flush_all_caches(iommu);
++
+ amd_iommu_init_api();
+
+ amd_iommu_init_notifier();
--- /dev/null
+From 309a85b6861fedbb48a22d45e0e079d1be993b3a Mon Sep 17 00:00:00 2001
+From: "Xiaowei.Hu" <xiaowei.hu@oracle.com>
+Date: Wed, 27 Feb 2013 17:02:49 -0800
+Subject: ocfs2: ac->ac_allow_chain_relink=0 won't disable group relink
+
+From: "Xiaowei.Hu" <xiaowei.hu@oracle.com>
+
+commit 309a85b6861fedbb48a22d45e0e079d1be993b3a upstream.
+
+ocfs2_block_group_alloc_discontig() disables chain relink by setting
+ac->ac_allow_chain_relink = 0 because it grabs clusters from multiple
+cluster groups.
+
+It doesn't keep the credits for all chain relink,but
+ocfs2_claim_suballoc_bits overrides this in this call trace:
+ocfs2_block_group_claim_bits()->ocfs2_claim_clusters()->
+__ocfs2_claim_clusters()->ocfs2_claim_suballoc_bits()
+ocfs2_claim_suballoc_bits set ac->ac_allow_chain_relink = 1; then call
+ocfs2_search_chain() one time and disable it again, and then we run out
+of credits.
+
+Fix is to allow relink by default and disable it in
+ocfs2_block_group_alloc_discontig.
+
+Without this patch, End-users will run into a crash due to run out of
+credits, backtrace like this:
+
+ RIP: 0010:[<ffffffffa0808b14>] [<ffffffffa0808b14>]
+ jbd2_journal_dirty_metadata+0x164/0x170 [jbd2]
+ RSP: 0018:ffff8801b919b5b8 EFLAGS: 00010246
+ RAX: 0000000000000000 RBX: ffff88022139ddc0 RCX: ffff880159f652d0
+ RDX: ffff880178aa3000 RSI: ffff880159f652d0 RDI: ffff880087f09bf8
+ RBP: ffff8801b919b5e8 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000001e00 R11: 00000000000150b0 R12: ffff880159f652d0
+ R13: ffff8801a0cae908 R14: ffff880087f09bf8 R15: ffff88018d177800
+ FS: 00007fc9b0b6b6e0(0000) GS:ffff88022fd40000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ CR2: 000000000040819c CR3: 0000000184017000 CR4: 00000000000006e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ Process dd (pid: 9945, threadinfo ffff8801b919a000, task ffff880149a264c0)
+ Call Trace:
+ ocfs2_journal_dirty+0x2f/0x70 [ocfs2]
+ ocfs2_relink_block_group+0x111/0x480 [ocfs2]
+ ocfs2_search_chain+0x455/0x9a0 [ocfs2]
+ ...
+
+Signed-off-by: Xiaowei.Hu <xiaowei.hu@oracle.com>
+Reviewed-by: Srinivas Eeda <srinivas.eeda@oracle.com>
+Cc: Mark Fasheh <mfasheh@suse.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/suballoc.c | 7 +++----
+ fs/ocfs2/suballoc.h | 2 +-
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+--- a/fs/ocfs2/suballoc.c
++++ b/fs/ocfs2/suballoc.c
+@@ -642,7 +642,7 @@ ocfs2_block_group_alloc_discontig(handle
+ * cluster groups will be staying in cache for the duration of
+ * this operation.
+ */
+- ac->ac_allow_chain_relink = 0;
++ ac->ac_disable_chain_relink = 1;
+
+ /* Claim the first region */
+ status = ocfs2_block_group_claim_bits(osb, handle, ac, min_bits,
+@@ -1823,7 +1823,7 @@ static int ocfs2_search_chain(struct ocf
+ * Do this *after* figuring out how many bits we're taking out
+ * of our target group.
+ */
+- if (ac->ac_allow_chain_relink &&
++ if (!ac->ac_disable_chain_relink &&
+ (prev_group_bh) &&
+ (ocfs2_block_group_reasonably_empty(bg, res->sr_bits))) {
+ status = ocfs2_relink_block_group(handle, alloc_inode,
+@@ -1928,7 +1928,6 @@ static int ocfs2_claim_suballoc_bits(str
+
+ victim = ocfs2_find_victim_chain(cl);
+ ac->ac_chain = victim;
+- ac->ac_allow_chain_relink = 1;
+
+ status = ocfs2_search_chain(ac, handle, bits_wanted, min_bits,
+ res, &bits_left);
+@@ -1947,7 +1946,7 @@ static int ocfs2_claim_suballoc_bits(str
+ * searching each chain in order. Don't allow chain relinking
+ * because we only calculate enough journal credits for one
+ * relink per alloc. */
+- ac->ac_allow_chain_relink = 0;
++ ac->ac_disable_chain_relink = 1;
+ for (i = 0; i < le16_to_cpu(cl->cl_next_free_rec); i ++) {
+ if (i == victim)
+ continue;
+--- a/fs/ocfs2/suballoc.h
++++ b/fs/ocfs2/suballoc.h
+@@ -49,7 +49,7 @@ struct ocfs2_alloc_context {
+
+ /* these are used by the chain search */
+ u16 ac_chain;
+- int ac_allow_chain_relink;
++ int ac_disable_chain_relink;
+ group_search_t *ac_group_search;
+
+ u64 ac_last_group;
--- /dev/null
+From 32918dd9f19e5960af4cdfa41190bb843fb2247b Mon Sep 17 00:00:00 2001
+From: Jeff Liu <jeff.liu@oracle.com>
+Date: Wed, 27 Feb 2013 17:02:48 -0800
+Subject: ocfs2: fix ocfs2_init_security_and_acl() to initialize acl correctly
+
+From: Jeff Liu <jeff.liu@oracle.com>
+
+commit 32918dd9f19e5960af4cdfa41190bb843fb2247b upstream.
+
+We need to re-initialize the security for a new reflinked inode with its
+parent dirs if it isn't specified to be preserved for ocfs2_reflink().
+However, the code logic is broken at ocfs2_init_security_and_acl()
+although ocfs2_init_security_get() succeed. As a result,
+ocfs2_acl_init() does not involked and therefore the default ACL of
+parent dir was missing on the new inode.
+
+Note this was introduced by 9d8f13ba3 ("security: new
+security_inode_init_security API adds function callback")
+
+To reproduce:
+
+ set default ACL for the parent dir(ocfs2 in this case):
+ $ setfacl -m default:user:jeff:rwx ../ocfs2/
+ $ getfacl ../ocfs2/
+ # file: ../ocfs2/
+ # owner: jeff
+ # group: jeff
+ user::rwx
+ group::r-x
+ other::r-x
+ default:user::rwx
+ default:user:jeff:rwx
+ default:group::r-x
+ default:mask::rwx
+ default:other::r-x
+
+ $ touch a
+ $ getfacl a
+ # file: a
+ # owner: jeff
+ # group: jeff
+ user::rw-
+ group::rw-
+ other::r--
+
+Before patching, create reflink file b from a, the user
+default ACL entry(user:jeff:rwx)was missing:
+
+ $ ./ocfs2_reflink a b
+ $ getfacl b
+ # file: b
+ # owner: jeff
+ # group: jeff
+ user::rw-
+ group::rw-
+ other::r--
+
+In this case, the end user can also observed an error message at syslog:
+
+ (ocfs2_reflink,3229,2):ocfs2_init_security_and_acl:7193 ERROR: status = 0
+
+After applying this patch, create reflink file c from a:
+
+ $ ./ocfs2_reflink a c
+ $ getfacl c
+ # file: c
+ # owner: jeff
+ # group: jeff
+ user::rw-
+ user:jeff:rwx #effective:rw-
+ group::r-x #effective:r--
+ mask::rw-
+ other::r--
+
+Test program:
+/* Usage: reflink <source> <dest> */
+#include <stdio.h>
+#include <stdint.h>
+#include <stdbool.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/ioctl.h>
+
+static int
+reflink_file(char const *src_name, char const *dst_name,
+ bool preserve_attrs)
+{
+ int fd;
+
+#ifndef REFLINK_ATTR_NONE
+# define REFLINK_ATTR_NONE 0
+#endif
+#ifndef REFLINK_ATTR_PRESERVE
+# define REFLINK_ATTR_PRESERVE 1
+#endif
+#ifndef OCFS2_IOC_REFLINK
+ struct reflink_arguments {
+ uint64_t old_path;
+ uint64_t new_path;
+ uint64_t preserve;
+ };
+
+# define OCFS2_IOC_REFLINK _IOW ('o', 4, struct reflink_arguments)
+#endif
+ struct reflink_arguments args = {
+ .old_path = (unsigned long) src_name,
+ .new_path = (unsigned long) dst_name,
+ .preserve = preserve_attrs ? REFLINK_ATTR_PRESERVE :
+ REFLINK_ATTR_NONE,
+ };
+
+ fd = open(src_name, O_RDONLY);
+ if (fd < 0) {
+ fprintf(stderr, "Failed to open %s: %s\n",
+ src_name, strerror(errno));
+ return -1;
+ }
+
+ if (ioctl(fd, OCFS2_IOC_REFLINK, &args) < 0) {
+ fprintf(stderr, "Failed to reflink %s to %s: %s\n",
+ src_name, dst_name, strerror(errno));
+ return -1;
+ }
+}
+
+int
+main(int argc, char *argv[])
+{
+ if (argc != 3) {
+ fprintf(stdout, "Usage: %s source dest\n", argv[0]);
+ return 1;
+ }
+
+ return reflink_file(argv[1], argv[2], 0);
+}
+
+Signed-off-by: Jie Liu <jeff.liu@oracle.com>
+Reviewed-by: Tao Ma <boyu.mt@taobao.com>
+Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Mark Fasheh <mfasheh@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/xattr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ocfs2/xattr.c
++++ b/fs/ocfs2/xattr.c
+@@ -7189,7 +7189,7 @@ int ocfs2_init_security_and_acl(struct i
+ struct buffer_head *dir_bh = NULL;
+
+ ret = ocfs2_init_security_get(inode, dir, qstr, NULL);
+- if (!ret) {
++ if (ret) {
+ mlog_errno(ret);
+ goto leave;
+ }
--- /dev/null
+From 9b171e0c74ca0549d0610990a862dd895870f04a Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 20 Feb 2013 13:16:39 +1100
+Subject: ocfs2: fix possible use-after-free with AIO
+
+From: Jan Kara <jack@suse.cz>
+
+commit 9b171e0c74ca0549d0610990a862dd895870f04a upstream.
+
+Running AIO is pinning inode in memory using file reference. Once AIO
+is completed using aio_complete(), file reference is put and inode can
+be freed from memory. So we have to be sure that calling aio_complete()
+is the last thing we do with the inode.
+
+Signed-off-by: Jan Kara <jack@suse.cz>
+Acked-by: Jeff Moyer <jmoyer@redhat.com>
+Acked-by: Joel Becker <jlbec@evilplan.org>
+Cc: Mark Fasheh <mfasheh@suse.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/aops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ocfs2/aops.c
++++ b/fs/ocfs2/aops.c
+@@ -593,9 +593,9 @@ static void ocfs2_dio_end_io(struct kioc
+ level = ocfs2_iocb_rw_locked_level(iocb);
+ ocfs2_rw_unlock(inode, level);
+
++ inode_dio_done(inode);
+ if (is_async)
+ aio_complete(iocb, ret, 0);
+- inode_dio_done(inode);
+ }
+
+ /*
--- /dev/null
+From e182bb38d7db7494fa5dcd82da17fe0dedf60ecf Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Wed, 20 Feb 2013 15:24:12 -0800
+Subject: posix-timer: Don't call idr_find() with out-of-range ID
+
+From: Tejun Heo <tj@kernel.org>
+
+commit e182bb38d7db7494fa5dcd82da17fe0dedf60ecf upstream.
+
+When idr_find() was fed a negative ID, it used to look up the ID
+ignoring the sign bit before recent ("idr: remove MAX_IDR_MASK and
+move left MAX_IDR_* into idr.c") patch. Now a negative ID triggers
+a WARN_ON_ONCE().
+
+__lock_timer() feeds timer_id from userland directly to idr_find()
+without sanitizing it which can trigger the above malfunctions. Add a
+range check on @timer_id before invoking idr_find() in __lock_timer().
+
+While timer_t is defined as int by all archs at the moment, Andrew
+worries that it may be defined as a larger type later on. Make the
+test cover larger integers too so that it at least is guaranteed to
+not return the wrong timer.
+
+Note that WARN_ON_ONCE() in idr_find() on id < 0 is transitional
+precaution while moving away from ignoring MSB. Once it's gone we can
+remove the guard as long as timer_t isn't larger than int.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>nnn
+Reported-by: Sasha Levin <sasha.levin@oracle.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Link: http://lkml.kernel.org/r/20130220232412.GL3570@htj.dyndns.org
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/posix-timers.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/kernel/posix-timers.c
++++ b/kernel/posix-timers.c
+@@ -639,6 +639,13 @@ static struct k_itimer *__lock_timer(tim
+ {
+ struct k_itimer *timr;
+
++ /*
++ * timer_t could be any type >= int and we want to make sure any
++ * @timer_id outside positive int range fails lookup.
++ */
++ if ((unsigned long long)timer_id > INT_MAX)
++ return NULL;
++
+ rcu_read_lock();
+ timr = idr_find(&posix_timers_id, (int)timer_id);
+ if (timr) {
ib-srp-avoid-endless-scsi-error-handling-loop.patch
ib-srp-fail-i-o-requests-if-the-transport-is-offline.patch
quota-autoload-the-quota_v2-module-for-qfmt_vfs_v1-quota-format.patch
+usb-dwc3-enable-usb2-lpm-only-when-connected-as-usb2.0.patch
+usb-dwc3-gadget-fix-missed-isoc.patch
+usb-dwc3-gadget-fix-isoc-end-transfer-condition.patch
+usb-dwc3-gadget-fix-skip-link_trb-on-isoc.patch
+usb-dwc3-gadget-change-hird-threshold-to-12.patch
+b43-fix-lockdep-splat-on-module-unload.patch
+ubifs-fix-use-of-freed-ubifs_orphan-objects.patch
+ubifs-fix-double-free-of-ubifs_orphan-objects.patch
+iommu-amd-initialize-device-table-after-dma_ops.patch
+posix-timer-don-t-call-idr_find-with-out-of-range-id.patch
+ftrace-call-ftrace-cleanup-module-notifier-after-all-other-notifiers.patch
+x86-apic-fix-parsing-of-the-lapic-cmdline-option.patch
+x86-efi-make-noefi-really-disable-efi-runtime-serivces.patch
+doc-xen-mention-earlyprintk-xen-in-the-documentation.patch
+doc-kernel-parameters-document-console-hvc-n.patch
+x86-make-sure-we-can-boot-in-the-case-the-bda-contains-pure-garbage.patch
+target-fix-lookup-of-dynamic-nodeacls-during-cached-demo-mode-operation.patch
+target-add-missing-mapped_lun-bounds-checking-during-make_mappedlun-setup.patch
+ocfs2-fix-possible-use-after-free-with-aio.patch
+ocfs2-fix-ocfs2_init_security_and_acl-to-initialize-acl-correctly.patch
+ocfs2-ac-ac_allow_chain_relink-0-won-t-disable-group-relink.patch
+block-fix-ext_devt_idr-handling.patch
--- /dev/null
+From fbbf8555a986ed31e54f006b6cc637ea4ff1425b Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Mon, 18 Feb 2013 18:31:37 -0800
+Subject: target: Add missing mapped_lun bounds checking during make_mappedlun setup
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit fbbf8555a986ed31e54f006b6cc637ea4ff1425b upstream.
+
+This patch adds missing bounds checking for the configfs provided
+mapped_lun value during target_fabric_make_mappedlun() setup ahead
+of se_lun_acl initialization.
+
+This addresses a potential OOPs when using a mapped_lun value that
+exceeds the hardcoded TRANSPORT_MAX_LUNS_PER_TPG-1 value within
+se_node_acl->device_list[].
+
+Reported-by: Jan Engelhardt <jengelh@inai.de>
+Cc: Jan Engelhardt <jengelh@inai.de>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_fabric_configfs.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/target/target_core_fabric_configfs.c
++++ b/drivers/target/target_core_fabric_configfs.c
+@@ -354,6 +354,14 @@ static struct config_group *target_fabri
+ ret = -EINVAL;
+ goto out;
+ }
++ if (mapped_lun > (TRANSPORT_MAX_LUNS_PER_TPG-1)) {
++ pr_err("Mapped LUN: %lu exceeds TRANSPORT_MAX_LUNS_PER_TPG"
++ "-1: %u for Target Portal Group: %u\n", mapped_lun,
++ TRANSPORT_MAX_LUNS_PER_TPG-1,
++ se_tpg->se_tpg_tfo->tpg_get_tag(se_tpg));
++ ret = -EINVAL;
++ goto out;
++ }
+
+ lacl = core_dev_init_initiator_node_lun_acl(se_tpg, se_nacl,
+ mapped_lun, &ret);
--- /dev/null
+From fcf29481fb8e106daad6688f2e898226ee928992 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+Date: Mon, 18 Feb 2013 18:00:33 -0800
+Subject: target: Fix lookup of dynamic NodeACLs during cached demo-mode operation
+
+From: Nicholas Bellinger <nab@linux-iscsi.org>
+
+commit fcf29481fb8e106daad6688f2e898226ee928992 upstream.
+
+This patch fixes a bug in core_tpg_check_initiator_node_acl() ->
+core_tpg_get_initiator_node_acl() where a dynamically created
+se_node_acl generated during session login would be skipped during
+subsequent lookup due to the '!acl->dynamic_node_acl' check, causing
+a new se_node_acl to be created with a duplicate ->initiatorname.
+
+This would occur when a fabric endpoint was configured with
+TFO->tpg_check_demo_mode()=1 + TPF->tpg_check_demo_mode_cache()=1
+preventing the release of an existing se_node_acl during se_session
+shutdown.
+
+Also, drop the unnecessary usage of core_tpg_get_initiator_node_acl()
+within core_dev_init_initiator_node_lun_acl() that originally
+required the extra '!acl->dynamic_node_acl' check, and just pass
+the configfs provided se_node_acl pointer instead.
+
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_device.c | 13 ++++---------
+ drivers/target/target_core_fabric_configfs.c | 4 ++--
+ drivers/target/target_core_internal.h | 2 +-
+ drivers/target/target_core_tpg.c | 10 ++--------
+ 4 files changed, 9 insertions(+), 20 deletions(-)
+
+--- a/drivers/target/target_core_device.c
++++ b/drivers/target/target_core_device.c
+@@ -1182,24 +1182,18 @@ static struct se_lun *core_dev_get_lun(s
+
+ struct se_lun_acl *core_dev_init_initiator_node_lun_acl(
+ struct se_portal_group *tpg,
++ struct se_node_acl *nacl,
+ u32 mapped_lun,
+- char *initiatorname,
+ int *ret)
+ {
+ struct se_lun_acl *lacl;
+- struct se_node_acl *nacl;
+
+- if (strlen(initiatorname) >= TRANSPORT_IQN_LEN) {
++ if (strlen(nacl->initiatorname) >= TRANSPORT_IQN_LEN) {
+ pr_err("%s InitiatorName exceeds maximum size.\n",
+ tpg->se_tpg_tfo->get_fabric_name());
+ *ret = -EOVERFLOW;
+ return NULL;
+ }
+- nacl = core_tpg_get_initiator_node_acl(tpg, initiatorname);
+- if (!nacl) {
+- *ret = -EINVAL;
+- return NULL;
+- }
+ lacl = kzalloc(sizeof(struct se_lun_acl), GFP_KERNEL);
+ if (!lacl) {
+ pr_err("Unable to allocate memory for struct se_lun_acl.\n");
+@@ -1210,7 +1204,8 @@ struct se_lun_acl *core_dev_init_initiat
+ INIT_LIST_HEAD(&lacl->lacl_list);
+ lacl->mapped_lun = mapped_lun;
+ lacl->se_lun_nacl = nacl;
+- snprintf(lacl->initiatorname, TRANSPORT_IQN_LEN, "%s", initiatorname);
++ snprintf(lacl->initiatorname, TRANSPORT_IQN_LEN, "%s",
++ nacl->initiatorname);
+
+ return lacl;
+ }
+--- a/drivers/target/target_core_fabric_configfs.c
++++ b/drivers/target/target_core_fabric_configfs.c
+@@ -355,8 +355,8 @@ static struct config_group *target_fabri
+ goto out;
+ }
+
+- lacl = core_dev_init_initiator_node_lun_acl(se_tpg, mapped_lun,
+- config_item_name(acl_ci), &ret);
++ lacl = core_dev_init_initiator_node_lun_acl(se_tpg, se_nacl,
++ mapped_lun, &ret);
+ if (!lacl) {
+ ret = -EINVAL;
+ goto out;
+--- a/drivers/target/target_core_internal.h
++++ b/drivers/target/target_core_internal.h
+@@ -45,7 +45,7 @@ struct se_lun *core_dev_add_lun(struct s
+ int core_dev_del_lun(struct se_portal_group *, u32);
+ struct se_lun *core_get_lun_from_tpg(struct se_portal_group *, u32);
+ struct se_lun_acl *core_dev_init_initiator_node_lun_acl(struct se_portal_group *,
+- u32, char *, int *);
++ struct se_node_acl *, u32, int *);
+ int core_dev_add_initiator_node_lun_acl(struct se_portal_group *,
+ struct se_lun_acl *, u32, u32);
+ int core_dev_del_initiator_node_lun_acl(struct se_portal_group *,
+--- a/drivers/target/target_core_tpg.c
++++ b/drivers/target/target_core_tpg.c
+@@ -111,16 +111,10 @@ struct se_node_acl *core_tpg_get_initiat
+ struct se_node_acl *acl;
+
+ spin_lock_irq(&tpg->acl_node_lock);
+- list_for_each_entry(acl, &tpg->acl_node_list, acl_list) {
+- if (!strcmp(acl->initiatorname, initiatorname) &&
+- !acl->dynamic_node_acl) {
+- spin_unlock_irq(&tpg->acl_node_lock);
+- return acl;
+- }
+- }
++ acl = __core_tpg_get_initiator_node_acl(tpg, initiatorname);
+ spin_unlock_irq(&tpg->acl_node_lock);
+
+- return NULL;
++ return acl;
+ }
+
+ /* core_tpg_add_node_to_devs():
--- /dev/null
+From 8afd500cb52a5d00bab4525dd5a560d199f979b9 Mon Sep 17 00:00:00 2001
+From: Adam Thomas <adamthomas1111@gmail.com>
+Date: Sat, 2 Feb 2013 22:35:08 +0000
+Subject: UBIFS: fix double free of ubifs_orphan objects
+
+From: Adam Thomas <adamthomas1111@gmail.com>
+
+commit 8afd500cb52a5d00bab4525dd5a560d199f979b9 upstream.
+
+The last orphan in the dnext list has its dnext set to NULL. Because
+of that, ubifs_delete_orphan assumes that it is not on the dnext list
+and frees it immediately instead ignoring it as a second delete. The
+orphan is later freed again by erase_deleted.
+
+This change adds an explicit flag to ubifs_orphan indicating whether
+it is pending delete.
+
+Signed-off-by: Adam Thomas <adamthomas1111@gmail.com>
+Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/orphan.c | 5 ++++-
+ fs/ubifs/ubifs.h | 2 ++
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/ubifs/orphan.c
++++ b/fs/ubifs/orphan.c
+@@ -126,13 +126,14 @@ void ubifs_delete_orphan(struct ubifs_in
+ else if (inum > o->inum)
+ p = p->rb_right;
+ else {
+- if (o->dnext) {
++ if (o->del) {
+ spin_unlock(&c->orphan_lock);
+ dbg_gen("deleted twice ino %lu",
+ (unsigned long)inum);
+ return;
+ }
+ if (o->cmt) {
++ o->del = 1;
+ o->dnext = c->orph_dnext;
+ c->orph_dnext = o;
+ spin_unlock(&c->orphan_lock);
+@@ -447,6 +448,7 @@ static void erase_deleted(struct ubifs_i
+ orphan = dnext;
+ dnext = orphan->dnext;
+ ubifs_assert(!orphan->new);
++ ubifs_assert(orphan->del);
+ rb_erase(&orphan->rb, &c->orph_tree);
+ list_del(&orphan->list);
+ c->tot_orphans -= 1;
+@@ -536,6 +538,7 @@ static int insert_dead_orphan(struct ubi
+ rb_link_node(&orphan->rb, parent, p);
+ rb_insert_color(&orphan->rb, &c->orph_tree);
+ list_add_tail(&orphan->list, &c->orph_list);
++ orphan->del = 1;
+ orphan->dnext = c->orph_dnext;
+ c->orph_dnext = orphan;
+ dbg_mnt("ino %lu, new %d, tot %d", (unsigned long)inum,
+--- a/fs/ubifs/ubifs.h
++++ b/fs/ubifs/ubifs.h
+@@ -905,6 +905,7 @@ struct ubifs_budget_req {
+ * @inum: inode number
+ * @new: %1 => added since the last commit, otherwise %0
+ * @cmt: %1 => commit pending, otherwise %0
++ * @del: %1 => delete pending, otherwise %0
+ */
+ struct ubifs_orphan {
+ struct rb_node rb;
+@@ -915,6 +916,7 @@ struct ubifs_orphan {
+ ino_t inum;
+ unsigned new:1;
+ unsigned cmt:1;
++ unsigned del:1;
+ };
+
+ /**
--- /dev/null
+From 2928f0d0c5ebd6c9605c0d98207a44376387c298 Mon Sep 17 00:00:00 2001
+From: Adam Thomas <adamthomas1111@gmail.com>
+Date: Sat, 2 Feb 2013 22:32:31 +0000
+Subject: UBIFS: fix use of freed ubifs_orphan objects
+
+From: Adam Thomas <adamthomas1111@gmail.com>
+
+commit 2928f0d0c5ebd6c9605c0d98207a44376387c298 upstream.
+
+The last orphan in the cnext list has its cnext set to NULL. Because
+of that, ubifs_delete_orphan assumes that it is not on the cnext list
+and frees it immediately instead of adding it to the dnext list. The
+freed orphan is later modified by write_orph_node.
+
+This can cause various inconsistencies including directory entries
+that cannot be removed and this error:
+
+UBIFS error (pid 20685): layout_cnodes: LPT out of space at LEB 14:129009 needing 17, done_ltab 1, done_lsave 1
+
+This is a regression introduced by
+"7074e5eb UBIFS: remove invalid reference to list iterator variable".
+
+This change adds an explicit flag to ubifs_orphan indicating whether
+it is pending commit.
+
+Signed-off-by: Adam Thomas <adamthomas1111@gmail.com>
+Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/orphan.c | 7 ++++++-
+ fs/ubifs/ubifs.h | 4 +++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/ubifs/orphan.c
++++ b/fs/ubifs/orphan.c
+@@ -132,7 +132,7 @@ void ubifs_delete_orphan(struct ubifs_in
+ (unsigned long)inum);
+ return;
+ }
+- if (o->cnext) {
++ if (o->cmt) {
+ o->dnext = c->orph_dnext;
+ c->orph_dnext = o;
+ spin_unlock(&c->orphan_lock);
+@@ -172,7 +172,9 @@ int ubifs_orphan_start_commit(struct ubi
+ last = &c->orph_cnext;
+ list_for_each_entry(orphan, &c->orph_new, new_list) {
+ ubifs_assert(orphan->new);
++ ubifs_assert(!orphan->cmt);
+ orphan->new = 0;
++ orphan->cmt = 1;
+ *last = orphan;
+ last = &orphan->cnext;
+ }
+@@ -299,7 +301,9 @@ static int write_orph_node(struct ubifs_
+ cnext = c->orph_cnext;
+ for (i = 0; i < cnt; i++) {
+ orphan = cnext;
++ ubifs_assert(orphan->cmt);
+ orph->inos[i] = cpu_to_le64(orphan->inum);
++ orphan->cmt = 0;
+ cnext = orphan->cnext;
+ orphan->cnext = NULL;
+ }
+@@ -378,6 +382,7 @@ static int consolidate(struct ubifs_info
+ list_for_each_entry(orphan, &c->orph_list, list) {
+ if (orphan->new)
+ continue;
++ orphan->cmt = 1;
+ *last = orphan;
+ last = &orphan->cnext;
+ cnt += 1;
+--- a/fs/ubifs/ubifs.h
++++ b/fs/ubifs/ubifs.h
+@@ -904,6 +904,7 @@ struct ubifs_budget_req {
+ * @dnext: next orphan to delete
+ * @inum: inode number
+ * @new: %1 => added since the last commit, otherwise %0
++ * @cmt: %1 => commit pending, otherwise %0
+ */
+ struct ubifs_orphan {
+ struct rb_node rb;
+@@ -912,7 +913,8 @@ struct ubifs_orphan {
+ struct ubifs_orphan *cnext;
+ struct ubifs_orphan *dnext;
+ ino_t inum;
+- int new;
++ unsigned new:1;
++ unsigned cmt:1;
+ };
+
+ /**
--- /dev/null
+From 2b758350af19db9a5c98241cf222c2e211d7a912 Mon Sep 17 00:00:00 2001
+From: Pratyush Anand <pratyush.anand@st.com>
+Date: Mon, 14 Jan 2013 15:59:31 +0530
+Subject: usb: dwc3: Enable usb2 LPM only when connected as usb2.0
+
+From: Pratyush Anand <pratyush.anand@st.com>
+
+commit 2b758350af19db9a5c98241cf222c2e211d7a912 upstream.
+
+Synopsys says:
+The HIRD Threshold field must be set to ‘0’ when the device core is
+operating in super speed mode.
+
+This patch implements above statement.
+
+Acked-by: Paul Zimmerman <paulz@synopsys.com>
+Signed-off-by: Pratyush Anand <pratyush.anand@st.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c | 31 ++++++++++++++++++-------------
+ 1 file changed, 18 insertions(+), 13 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2157,6 +2157,23 @@ static void dwc3_gadget_conndone_interru
+ break;
+ }
+
++ /* Enable USB2 LPM Capability */
++
++ if ((dwc->revision > DWC3_REVISION_194A)
++ && (speed != DWC3_DCFG_SUPERSPEED)) {
++ reg = dwc3_readl(dwc->regs, DWC3_DCFG);
++ reg |= DWC3_DCFG_LPM_CAP;
++ dwc3_writel(dwc->regs, DWC3_DCFG, reg);
++
++ reg = dwc3_readl(dwc->regs, DWC3_DCTL);
++ reg &= ~(DWC3_DCTL_HIRD_THRES_MASK | DWC3_DCTL_L1_HIBER_EN);
++
++ /* TODO: This should be configurable */
++ reg |= DWC3_DCTL_HIRD_THRES(28);
++
++ dwc3_writel(dwc->regs, DWC3_DCTL, reg);
++ }
++
+ /* Recent versions support automatic phy suspend and don't need this */
+ if (dwc->revision < DWC3_REVISION_194A) {
+ /* Suspend unneeded PHY */
+@@ -2463,20 +2480,8 @@ int dwc3_gadget_init(struct dwc3 *dwc)
+ DWC3_DEVTEN_DISCONNEVTEN);
+ dwc3_writel(dwc->regs, DWC3_DEVTEN, reg);
+
+- /* Enable USB2 LPM and automatic phy suspend only on recent versions */
++ /* automatic phy suspend only on recent versions */
+ if (dwc->revision >= DWC3_REVISION_194A) {
+- reg = dwc3_readl(dwc->regs, DWC3_DCFG);
+- reg |= DWC3_DCFG_LPM_CAP;
+- dwc3_writel(dwc->regs, DWC3_DCFG, reg);
+-
+- reg = dwc3_readl(dwc->regs, DWC3_DCTL);
+- reg &= ~(DWC3_DCTL_HIRD_THRES_MASK | DWC3_DCTL_L1_HIBER_EN);
+-
+- /* TODO: This should be configurable */
+- reg |= DWC3_DCTL_HIRD_THRES(28);
+-
+- dwc3_writel(dwc->regs, DWC3_DCTL, reg);
+-
+ dwc3_gadget_usb2_phy_suspend(dwc, false);
+ dwc3_gadget_usb3_phy_suspend(dwc, false);
+ }
--- /dev/null
+From 1a947746dbe1486d0e305ab512ddf085b7874cb3 Mon Sep 17 00:00:00 2001
+From: Felipe Balbi <balbi@ti.com>
+Date: Thu, 24 Jan 2013 11:56:11 +0200
+Subject: usb: dwc3: gadget: change HIRD threshold to 12
+
+From: Felipe Balbi <balbi@ti.com>
+
+commit 1a947746dbe1486d0e305ab512ddf085b7874cb3 upstream.
+
+First of all, that 28 value makes no sense as
+HIRD threshold is a 4-bit value, second of all
+it's causing issues for OMAP5.
+
+Using 12 because commit cbc725b3 (usb: dwc3:
+keep default hird threshold value as 4b1100)
+had the intention of setting the maximum allowed
+value of 0xc.
+
+Also, original code has been wrong forever, so
+this should be backported as far back as
+possible.
+
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2190,8 +2190,11 @@ static void dwc3_gadget_conndone_interru
+ reg = dwc3_readl(dwc->regs, DWC3_DCTL);
+ reg &= ~(DWC3_DCTL_HIRD_THRES_MASK | DWC3_DCTL_L1_HIBER_EN);
+
+- /* TODO: This should be configurable */
+- reg |= DWC3_DCTL_HIRD_THRES(28);
++ /*
++ * TODO: This should be configurable. For now using
++ * maximum allowed HIRD threshold value of 0b1100
++ */
++ reg |= DWC3_DCTL_HIRD_THRES(12);
+
+ dwc3_writel(dwc->regs, DWC3_DCTL, reg);
+ }
--- /dev/null
+From cdc359dd87ab6c39a67dab724fd0b61c16e6f08b Mon Sep 17 00:00:00 2001
+From: Pratyush Anand <pratyush.anand@st.com>
+Date: Mon, 14 Jan 2013 15:59:34 +0530
+Subject: usb: dwc3: gadget: fix isoc END TRANSFER Condition
+
+From: Pratyush Anand <pratyush.anand@st.com>
+
+commit cdc359dd87ab6c39a67dab724fd0b61c16e6f08b upstream.
+
+There were still some corner cases where isoc transfer was not able to
+restart, specially when missed isoc does not happen , and in fact gadget does
+not queue any new request during giveback.
+
+Cleanup function calls giveback first, which provides a way to queue
+another request to gadget. But gadget did not had any data. So , it did
+not call ep_queue. To twist it further, gadget did not queue till
+cleanup for last queued TRB is called. If we ever reach this scenario,
+we must call END TRANSFER, so that we receive a new xfernotready with
+information about current microframe number.
+
+Also insure that there is no request submitted to core when issuing END
+TRANSFER.
+
+Signed-off-by: Pratyush Anand <pratyush.anand@st.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1091,7 +1091,10 @@ static int __dwc3_gadget_ep_queue(struct
+ * notion of current microframe.
+ */
+ if (usb_endpoint_xfer_isoc(dep->endpoint.desc)) {
+- dwc3_stop_active_transfer(dwc, dep->number);
++ if (list_empty(&dep->req_queued)) {
++ dwc3_stop_active_transfer(dwc, dep->number);
++ dep->flags = DWC3_EP_ENABLED;
++ }
+ return 0;
+ }
+
+@@ -1728,10 +1731,20 @@ static int dwc3_cleanup_done_reqs(struct
+ break;
+ } while (1);
+
+- if (list_empty(&dep->req_queued) &&
+- (dep->flags & DWC3_EP_MISSED_ISOC)) {
+- dwc3_stop_active_transfer(dwc, dep->number);
+- dep->flags &= ~DWC3_EP_MISSED_ISOC;
++ if (usb_endpoint_xfer_isoc(dep->endpoint.desc) &&
++ list_empty(&dep->req_queued)) {
++ if (list_empty(&dep->request_list)) {
++ /*
++ * If there is no entry in request list then do
++ * not issue END TRANSFER now. Just set PENDING
++ * flag, so that END TRANSFER is issued when an
++ * entry is added into request list.
++ */
++ dep->flags = DWC3_EP_PENDING_REQUEST;
++ } else {
++ dwc3_stop_active_transfer(dwc, dep->number);
++ dep->flags = DWC3_EP_ENABLED;
++ }
+ return 1;
+ }
+
--- /dev/null
+From 7efea86c2868b8fd9df65e589e33aebe498ce21d Mon Sep 17 00:00:00 2001
+From: Pratyush Anand <pratyush.anand@st.com>
+Date: Mon, 14 Jan 2013 15:59:32 +0530
+Subject: usb: dwc3: gadget: fix missed isoc
+
+From: Pratyush Anand <pratyush.anand@st.com>
+
+commit 7efea86c2868b8fd9df65e589e33aebe498ce21d upstream.
+
+There are two reasons to generate missed isoc.
+
+1. when the host does not poll for all the data.
+2. because of application-side delays that prevent all the data from
+being transferred in programmed microframe.
+
+Current code was able to handle first case only. This patch handles
+scenario 2 as well.Scenario 2 sometime may occur with complex gadget
+application, however it can be easily reproduced for testing purpose as
+follows:
+
+a. use isoc binterval as 1 in f_sourcesink.
+b. use pattern=0
+c. introduce a delay of 150us deliberately in source_sink_complete, so
+that after few frames it lands into scenario 2.
+d. now run testusb 16 (isoc in test). You will notice that if this
+patch is not applied then isoc transfer is not able to recover after
+first missed.
+
+Current patch's approach is as under:
+
+If missed isoc occurs and there is no request queued then issue END
+TRANSFER, so that core generates next xfernotready and we will issue a
+fresh START TRANSFER.
+If there are still queued request then wait, do not issue either END or
+UPDATE TRANSFER, just attach next request in request_list during giveback.
+If any future queued request is successfully transferred then we will issue
+UPDATE TRANSFER for all request in the request_list.
+
+Signed-off-by: Pratyush Anand <pratyush.anand@st.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/core.h | 2 --
+ drivers/usb/dwc3/gadget.c | 36 ++++++++++++++++++++++++------------
+ 2 files changed, 24 insertions(+), 14 deletions(-)
+
+--- a/drivers/usb/dwc3/core.h
++++ b/drivers/usb/dwc3/core.h
+@@ -405,7 +405,6 @@ struct dwc3_event_buffer {
+ * @number: endpoint number (1 - 15)
+ * @type: set to bmAttributes & USB_ENDPOINT_XFERTYPE_MASK
+ * @resource_index: Resource transfer index
+- * @current_uf: Current uf received through last event parameter
+ * @interval: the intervall on which the ISOC transfer is started
+ * @name: a human readable name e.g. ep1out-bulk
+ * @direction: true for TX, false for RX
+@@ -439,7 +438,6 @@ struct dwc3_ep {
+ u8 number;
+ u8 type;
+ u8 resource_index;
+- u16 current_uf;
+ u32 interval;
+
+ char name[20];
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1117,16 +1117,6 @@ static int __dwc3_gadget_ep_queue(struct
+ dep->name);
+ }
+
+- /*
+- * 3. Missed ISOC Handling. We need to start isoc transfer on the saved
+- * uframe number.
+- */
+- if (usb_endpoint_xfer_isoc(dep->endpoint.desc) &&
+- (dep->flags & DWC3_EP_MISSED_ISOC)) {
+- __dwc3_gadget_start_isoc(dwc, dep, dep->current_uf);
+- dep->flags &= ~DWC3_EP_MISSED_ISOC;
+- }
+-
+ return 0;
+ }
+
+@@ -1689,14 +1679,29 @@ static int dwc3_cleanup_done_reqs(struct
+ if (trb_status == DWC3_TRBSTS_MISSED_ISOC) {
+ dev_dbg(dwc->dev, "incomplete IN transfer %s\n",
+ dep->name);
+- dep->current_uf = event->parameters &
+- ~(dep->interval - 1);
++ /*
++ * If missed isoc occurred and there is
++ * no request queued then issue END
++ * TRANSFER, so that core generates
++ * next xfernotready and we will issue
++ * a fresh START TRANSFER.
++ * If there are still queued request
++ * then wait, do not issue either END
++ * or UPDATE TRANSFER, just attach next
++ * request in request_list during
++ * giveback.If any future queued request
++ * is successfully transferred then we
++ * will issue UPDATE TRANSFER for all
++ * request in the request_list.
++ */
+ dep->flags |= DWC3_EP_MISSED_ISOC;
+ } else {
+ dev_err(dwc->dev, "incomplete IN transfer %s\n",
+ dep->name);
+ status = -ECONNRESET;
+ }
++ } else {
++ dep->flags &= ~DWC3_EP_MISSED_ISOC;
+ }
+ } else {
+ if (count && (event->status & DEPEVT_STATUS_SHORT))
+@@ -1723,6 +1728,13 @@ static int dwc3_cleanup_done_reqs(struct
+ break;
+ } while (1);
+
++ if (list_empty(&dep->req_queued) &&
++ (dep->flags & DWC3_EP_MISSED_ISOC)) {
++ dwc3_stop_active_transfer(dwc, dep->number);
++ dep->flags &= ~DWC3_EP_MISSED_ISOC;
++ return 1;
++ }
++
+ if ((event->status & DEPEVT_STATUS_IOC) &&
+ (trb->ctrl & DWC3_TRB_CTRL_IOC))
+ return 0;
--- /dev/null
+From 915e202aeeb59e272992a6364c910aaef3073544 Mon Sep 17 00:00:00 2001
+From: Pratyush Anand <pratyush.anand@st.com>
+Date: Mon, 14 Jan 2013 15:59:35 +0530
+Subject: usb: dwc3: gadget: fix skip LINK_TRB on ISOC
+
+From: Pratyush Anand <pratyush.anand@st.com>
+
+commit 915e202aeeb59e272992a6364c910aaef3073544 upstream.
+
+When we reach to link trb, we just need to increase free_slot and then
+calculate TRB. Return is not correct, as it will cause wrong TRB DMA
+address to fetch in case of update transfer.
+
+Signed-off-by: Pratyush Anand <pratyush.anand@st.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -754,21 +754,18 @@ static void dwc3_prepare_one_trb(struct
+ struct dwc3 *dwc = dep->dwc;
+ struct dwc3_trb *trb;
+
+- unsigned int cur_slot;
+-
+ dev_vdbg(dwc->dev, "%s: req %p dma %08llx length %d%s%s\n",
+ dep->name, req, (unsigned long long) dma,
+ length, last ? " last" : "",
+ chain ? " chain" : "");
+
+- trb = &dep->trb_pool[dep->free_slot & DWC3_TRB_MASK];
+- cur_slot = dep->free_slot;
+- dep->free_slot++;
+-
+ /* Skip the LINK-TRB on ISOC */
+- if (((cur_slot & DWC3_TRB_MASK) == DWC3_TRB_NUM - 1) &&
++ if (((dep->free_slot & DWC3_TRB_MASK) == DWC3_TRB_NUM - 1) &&
+ usb_endpoint_xfer_isoc(dep->endpoint.desc))
+- return;
++ dep->free_slot++;
++
++ trb = &dep->trb_pool[dep->free_slot & DWC3_TRB_MASK];
++ dep->free_slot++;
+
+ if (!req->trb) {
+ dwc3_gadget_move_request_queued(req);
--- /dev/null
+From 27cf929845b10043f2257693c7d179a9e0b1980e Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@googlemail.com>
+Date: Tue, 19 Feb 2013 20:47:07 +0100
+Subject: x86/apic: Fix parsing of the 'lapic' cmdline option
+
+From: Mathias Krause <minipli@googlemail.com>
+
+commit 27cf929845b10043f2257693c7d179a9e0b1980e upstream.
+
+Including " lapic " in the kernel cmdline on an x86-64 kernel
+makes it panic while parsing early params -- e.g. with no user
+visible output.
+
+Fix this bug by ensuring arg is non-NULL before passing it to
+strncmp().
+
+Reported-by: PaX Team <pageexec@freemail.hu>
+Signed-off-by: Mathias Krause <minipli@googlemail.com>
+Acked-by: David Rientjes <rientjes@google.com>
+Cc: Suresh Siddha <suresh.b.siddha@intel.com>
+Link: http://lkml.kernel.org/r/1361303227-13174-1-git-send-email-minipli@googlemail.com
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/apic/apic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -131,7 +131,7 @@ static int __init parse_lapic(char *arg)
+ {
+ if (config_enabled(CONFIG_X86_32) && !arg)
+ force_enable_local_apic = 1;
+- else if (!strncmp(arg, "notscdeadline", 13))
++ else if (arg && !strncmp(arg, "notscdeadline", 13))
+ setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER);
+ return 0;
+ }
--- /dev/null
+From fb834c7acc5e140cf4f9e86da93a66de8c0514da Mon Sep 17 00:00:00 2001
+From: Matt Fleming <matt.fleming@intel.com>
+Date: Wed, 20 Feb 2013 20:36:12 +0000
+Subject: x86, efi: Make "noefi" really disable EFI runtime serivces
+
+From: Matt Fleming <matt.fleming@intel.com>
+
+commit fb834c7acc5e140cf4f9e86da93a66de8c0514da upstream.
+
+commit 1de63d60cd5b ("efi: Clear EFI_RUNTIME_SERVICES rather than
+EFI_BOOT by "noefi" boot parameter") attempted to make "noefi" true to
+its documentation and disable EFI runtime services to prevent the
+bricking bug described in commit e0094244e41c ("samsung-laptop:
+Disable on EFI hardware"). However, it's not possible to clear
+EFI_RUNTIME_SERVICES from an early param function because
+EFI_RUNTIME_SERVICES is set in efi_init() *after* parse_early_param().
+
+This resulted in "noefi" effectively becoming a no-op and no longer
+providing users with a way to disable EFI, which is bad for those
+users that have buggy machines.
+
+Reported-by: Walt Nelson Jr <walt0924@gmail.com>
+Cc: Satoru Takeuchi <takeuchi_satoru@jp.fujitsu.com>
+Signed-off-by: Matt Fleming <matt.fleming@intel.com>
+Link: http://lkml.kernel.org/r/1361392572-25657-1-git-send-email-matt@console-pimps.org
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/platform/efi/efi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/platform/efi/efi.c
++++ b/arch/x86/platform/efi/efi.c
+@@ -85,9 +85,10 @@ int efi_enabled(int facility)
+ }
+ EXPORT_SYMBOL(efi_enabled);
+
++static bool disable_runtime = false;
+ static int __init setup_noefi(char *arg)
+ {
+- clear_bit(EFI_RUNTIME_SERVICES, &x86_efi_facility);
++ disable_runtime = true;
+ return 0;
+ }
+ early_param("noefi", setup_noefi);
+@@ -734,7 +735,7 @@ void __init efi_init(void)
+ if (!efi_is_native())
+ pr_info("No EFI runtime due to 32/64-bit mismatch with kernel\n");
+ else {
+- if (efi_runtime_init())
++ if (disable_runtime || efi_runtime_init())
+ return;
+ set_bit(EFI_RUNTIME_SERVICES, &x86_efi_facility);
+ }
--- /dev/null
+From 7c10093692ed2e6f318387d96b829320aa0ca64c Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" <hpa@linux.intel.com>
+Date: Wed, 27 Feb 2013 12:46:40 -0800
+Subject: x86: Make sure we can boot in the case the BDA contains pure garbage
+
+From: "H. Peter Anvin" <hpa@linux.intel.com>
+
+commit 7c10093692ed2e6f318387d96b829320aa0ca64c upstream.
+
+On non-BIOS platforms it is possible that the BIOS data area contains
+garbage instead of being zeroed or something equivalent (firmware
+people: we are talking of 1.5K here, so please do the sane thing.)
+
+We need on the order of 20-30K of low memory in order to boot, which
+may grow up to < 64K in the future. We probably want to avoid the
+lowest of the low memory. At the same time, it seems extremely
+unlikely that a legitimate EBDA would ever reach down to the 128K
+(which would require it to be over half a megabyte in size.) Thus,
+pick 128K as the cutoff for "this is insane, ignore." We may still
+end up reserving a bunch of extra memory on the low megabyte, but that
+is not really a major issue these days. In the worst case we lose
+512K of RAM.
+
+This code really should be merged with trim_bios_range() in
+arch/x86/kernel/setup.c, but that is a bigger patch for a later merge
+window.
+
+Reported-by: Darren Hart <dvhart@linux.intel.com>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Cc: Matt Fleming <matt.fleming@intel.com>
+Link: http://lkml.kernel.org/n/tip-oebml055yyfm8yxmria09rja@git.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/head.c | 57 ++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 36 insertions(+), 21 deletions(-)
+
+--- a/arch/x86/kernel/head.c
++++ b/arch/x86/kernel/head.c
+@@ -5,8 +5,6 @@
+ #include <asm/setup.h>
+ #include <asm/bios_ebda.h>
+
+-#define BIOS_LOWMEM_KILOBYTES 0x413
+-
+ /*
+ * The BIOS places the EBDA/XBDA at the top of conventional
+ * memory, and usually decreases the reported amount of
+@@ -16,17 +14,30 @@
+ * chipset: reserve a page before VGA to prevent PCI prefetch
+ * into it (errata #56). Usually the page is reserved anyways,
+ * unless you have no PS/2 mouse plugged in.
++ *
++ * This functions is deliberately very conservative. Losing
++ * memory in the bottom megabyte is rarely a problem, as long
++ * as we have enough memory to install the trampoline. Using
++ * memory that is in use by the BIOS or by some DMA device
++ * the BIOS didn't shut down *is* a big problem.
+ */
++
++#define BIOS_LOWMEM_KILOBYTES 0x413
++#define LOWMEM_CAP 0x9f000U /* Absolute maximum */
++#define INSANE_CUTOFF 0x20000U /* Less than this = insane */
++
+ void __init reserve_ebda_region(void)
+ {
+ unsigned int lowmem, ebda_addr;
+
+- /* To determine the position of the EBDA and the */
+- /* end of conventional memory, we need to look at */
+- /* the BIOS data area. In a paravirtual environment */
+- /* that area is absent. We'll just have to assume */
+- /* that the paravirt case can handle memory setup */
+- /* correctly, without our help. */
++ /*
++ * To determine the position of the EBDA and the
++ * end of conventional memory, we need to look at
++ * the BIOS data area. In a paravirtual environment
++ * that area is absent. We'll just have to assume
++ * that the paravirt case can handle memory setup
++ * correctly, without our help.
++ */
+ if (paravirt_enabled())
+ return;
+
+@@ -37,19 +48,23 @@ void __init reserve_ebda_region(void)
+ /* start of EBDA area */
+ ebda_addr = get_bios_ebda();
+
+- /* Fixup: bios puts an EBDA in the top 64K segment */
+- /* of conventional memory, but does not adjust lowmem. */
+- if ((lowmem - ebda_addr) <= 0x10000)
+- lowmem = ebda_addr;
+-
+- /* Fixup: bios does not report an EBDA at all. */
+- /* Some old Dells seem to need 4k anyhow (bugzilla 2990) */
+- if ((ebda_addr == 0) && (lowmem >= 0x9f000))
+- lowmem = 0x9f000;
+-
+- /* Paranoia: should never happen, but... */
+- if ((lowmem == 0) || (lowmem >= 0x100000))
+- lowmem = 0x9f000;
++ /*
++ * Note: some old Dells seem to need 4k EBDA without
++ * reporting so, so just consider the memory above 0x9f000
++ * to be off limits (bugzilla 2990).
++ */
++
++ /* If the EBDA address is below 128K, assume it is bogus */
++ if (ebda_addr < INSANE_CUTOFF)
++ ebda_addr = LOWMEM_CAP;
++
++ /* If lowmem is less than 128K, assume it is bogus */
++ if (lowmem < INSANE_CUTOFF)
++ lowmem = LOWMEM_CAP;
++
++ /* Use the lower of the lowmem and EBDA markers as the cutoff */
++ lowmem = min(lowmem, ebda_addr);
++ lowmem = min(lowmem, LOWMEM_CAP); /* Absolute cap */
+
+ /* reserve all memory between lowmem and the 1MB mark */
+ memblock_reserve(lowmem, 0x100000 - lowmem);
projects / thirdparty / kernel / stable-queue.git / commitdiff
