From 2b8e47cdff6bab2039e9571fed388fdb40adf429 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 22 May 2013 10:17:41 -0700
Subject: [PATCH] 3.9-stable patches

added patches:
	ntb-correctly-handle-receive-buffers-of-the-minimal-size.patch
	ntb-fix-pointer-math-issues.patch
	ntb-handle-64bit-bar-sizes.patch
	ntb-link-toggle-memory-leak.patch
	ntb-memcpy-lockup-workaround.patch
	ntb-multiple-ntb-client-fix.patch
	ntb_netdev-remove-from-list-on-exit.patch
	ntb-off-by-one-sanity-checks.patch
	ntb-reset-tx_index-on-link-toggle.patch
	ntb-variable-dereferenced-before-check.patch
	x86-vm86-fix-vm86-syscalls-use-syscall_definex.patch
---
 ...-receive-buffers-of-the-minimal-size.patch |  48 ++++
 queue-3.9/ntb-fix-pointer-math-issues.patch   |  40 +++
 queue-3.9/ntb-handle-64bit-bar-sizes.patch    | 232 ++++++++++++++++++
 queue-3.9/ntb-link-toggle-memory-leak.patch   |  81 ++++++
 queue-3.9/ntb-memcpy-lockup-workaround.patch  |  42 ++++
 queue-3.9/ntb-multiple-ntb-client-fix.patch   |  49 ++++
 queue-3.9/ntb-off-by-one-sanity-checks.patch  |  49 ++++
 .../ntb-reset-tx_index-on-link-toggle.patch   |  39 +++
 ...b-variable-dereferenced-before-check.patch |  84 +++++++
 .../ntb_netdev-remove-from-list-on-exit.patch |  31 +++
 queue-3.9/series                              |  11 +
 ...ix-vm86-syscalls-use-syscall_definex.patch |  99 ++++++++
 12 files changed, 805 insertions(+)
 create mode 100644 queue-3.9/ntb-correctly-handle-receive-buffers-of-the-minimal-size.patch
 create mode 100644 queue-3.9/ntb-fix-pointer-math-issues.patch
 create mode 100644 queue-3.9/ntb-handle-64bit-bar-sizes.patch
 create mode 100644 queue-3.9/ntb-link-toggle-memory-leak.patch
 create mode 100644 queue-3.9/ntb-memcpy-lockup-workaround.patch
 create mode 100644 queue-3.9/ntb-multiple-ntb-client-fix.patch
 create mode 100644 queue-3.9/ntb-off-by-one-sanity-checks.patch
 create mode 100644 queue-3.9/ntb-reset-tx_index-on-link-toggle.patch
 create mode 100644 queue-3.9/ntb-variable-dereferenced-before-check.patch
 create mode 100644 queue-3.9/ntb_netdev-remove-from-list-on-exit.patch
 create mode 100644 queue-3.9/x86-vm86-fix-vm86-syscalls-use-syscall_definex.patch

diff --git a/queue-3.9/ntb-correctly-handle-receive-buffers-of-the-minimal-size.patch b/queue-3.9/ntb-correctly-handle-receive-buffers-of-the-minimal-size.patch
new file mode 100644
index 00000000000..b32426e7348
--- /dev/null
+++ b/queue-3.9/ntb-correctly-handle-receive-buffers-of-the-minimal-size.patch
@@ -0,0 +1,48 @@
+From c9d534c8cbaedbb522a1d2cb037c6c394f610317 Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@intel.com>
+Date: Fri, 1 Feb 2013 15:45:16 -0700
+Subject: NTB: Correctly handle receive buffers of the minimal size
+
+From: Jon Mason <jon.mason@intel.com>
+
+commit c9d534c8cbaedbb522a1d2cb037c6c394f610317 upstream.
+
+The ring logic of the NTB receive buffer/transmit memory window requires
+there to be at least 2 payload sized allotments.  For the minimal size
+case, split the buffer into two and set the transport_mtu to the
+appropriate size.
+
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_transport.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -490,11 +490,12 @@ static void ntb_transport_setup_qp_mw(st
+ 	rx_size -= sizeof(struct ntb_rx_info);
+ 
+ 	qp->rx_buff = qp->remote_rx_info + 1;
+-	qp->rx_max_frame = min(transport_mtu, rx_size);
++	/* Due to housekeeping, there must be atleast 2 buffs */
++	qp->rx_max_frame = min(transport_mtu, rx_size / 2);
+ 	qp->rx_max_entry = rx_size / qp->rx_max_frame;
+ 	qp->rx_index = 0;
+ 
+-	qp->remote_rx_info->entry = qp->rx_max_entry;
++	qp->remote_rx_info->entry = qp->rx_max_entry - 1;
+ 
+ 	/* setup the hdr offsets with 0's */
+ 	for (i = 0; i < qp->rx_max_entry; i++) {
+@@ -818,7 +819,8 @@ static void ntb_transport_init_queue(str
+ 	tx_size -= sizeof(struct ntb_rx_info);
+ 
+ 	qp->tx_mw = qp->rx_info + 1;
+-	qp->tx_max_frame = min(transport_mtu, tx_size);
++	/* Due to housekeeping, there must be atleast 2 buffs */
++	qp->tx_max_frame = min(transport_mtu, tx_size / 2);
+ 	qp->tx_max_entry = tx_size / qp->tx_max_frame;
+ 
+ 	if (nt->debugfs_dir) {
diff --git a/queue-3.9/ntb-fix-pointer-math-issues.patch b/queue-3.9/ntb-fix-pointer-math-issues.patch
new file mode 100644
index 00000000000..e133fb67e7f
--- /dev/null
+++ b/queue-3.9/ntb-fix-pointer-math-issues.patch
@@ -0,0 +1,40 @@
+From cc0f868d8adef7bdc12cda132654870086d766bc Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 23 Jan 2013 22:26:05 +0300
+Subject: NTB: fix pointer math issues
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit cc0f868d8adef7bdc12cda132654870086d766bc upstream.
+
+->remote_rx_info and ->rx_info are struct ntb_rx_info pointers.  If we
+add sizeof(struct ntb_rx_info) then it goes too far.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_transport.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -486,7 +486,7 @@ static void ntb_transport_setup_qp_mw(st
+ 			     (qp_num / NTB_NUM_MW * rx_size);
+ 	rx_size -= sizeof(struct ntb_rx_info);
+ 
+-	qp->rx_buff = qp->remote_rx_info + sizeof(struct ntb_rx_info);
++	qp->rx_buff = qp->remote_rx_info + 1;
+ 	qp->rx_max_frame = min(transport_mtu, rx_size);
+ 	qp->rx_max_entry = rx_size / qp->rx_max_frame;
+ 	qp->rx_index = 0;
+@@ -780,7 +780,7 @@ static void ntb_transport_init_queue(str
+ 		      (qp_num / NTB_NUM_MW * tx_size);
+ 	tx_size -= sizeof(struct ntb_rx_info);
+ 
+-	qp->tx_mw = qp->rx_info + sizeof(struct ntb_rx_info);
++	qp->tx_mw = qp->rx_info + 1;
+ 	qp->tx_max_frame = min(transport_mtu, tx_size);
+ 	qp->tx_max_entry = tx_size / qp->tx_max_frame;
+ 	qp->tx_index = 0;
diff --git a/queue-3.9/ntb-handle-64bit-bar-sizes.patch b/queue-3.9/ntb-handle-64bit-bar-sizes.patch
new file mode 100644
index 00000000000..6b517340b2e
--- /dev/null
+++ b/queue-3.9/ntb-handle-64bit-bar-sizes.patch
@@ -0,0 +1,232 @@
+From 113fc505b83b2d16e820ca74fa07f99a34877b1d Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@intel.com>
+Date: Wed, 30 Jan 2013 11:40:52 -0700
+Subject: NTB: Handle 64bit BAR sizes
+
+From: Jon Mason <jon.mason@intel.com>
+
+commit 113fc505b83b2d16e820ca74fa07f99a34877b1d upstream.
+
+64bit BAR sizes are permissible with an NTB device.  To support them
+various modifications and clean-ups were required, most significantly
+using 2 32bit scratch pad registers for each BAR.
+
+Also, modify the driver to allow more than 2 Memory Windows.
+
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_hw.c        |    4 -
+ drivers/ntb/ntb_transport.c |  121 ++++++++++++++++++++++++++------------------
+ 2 files changed, 75 insertions(+), 50 deletions(-)
+
+--- a/drivers/ntb/ntb_hw.c
++++ b/drivers/ntb/ntb_hw.c
+@@ -1027,8 +1027,8 @@ static int ntb_pci_probe(struct pci_dev
+ 		ndev->mw[i].vbase =
+ 		    ioremap_wc(pci_resource_start(pdev, MW_TO_BAR(i)),
+ 			       ndev->mw[i].bar_sz);
+-		dev_info(&pdev->dev, "MW %d size %d\n", i,
+-			 (u32) pci_resource_len(pdev, MW_TO_BAR(i)));
++		dev_info(&pdev->dev, "MW %d size %llu\n", i,
++			 pci_resource_len(pdev, MW_TO_BAR(i)));
+ 		if (!ndev->mw[i].vbase) {
+ 			dev_warn(&pdev->dev, "Cannot remap BAR %d\n",
+ 				 MW_TO_BAR(i));
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -58,7 +58,7 @@
+ #include <linux/ntb.h>
+ #include "ntb_hw.h"
+ 
+-#define NTB_TRANSPORT_VERSION	2
++#define NTB_TRANSPORT_VERSION	3
+ 
+ static unsigned int transport_mtu = 0x401E;
+ module_param(transport_mtu, uint, 0644);
+@@ -173,10 +173,13 @@ struct ntb_payload_header {
+ 
+ enum {
+ 	VERSION = 0,
+-	MW0_SZ,
+-	MW1_SZ,
+-	NUM_QPS,
+ 	QP_LINKS,
++	NUM_QPS,
++	NUM_MWS,
++	MW0_SZ_HIGH,
++	MW0_SZ_LOW,
++	MW1_SZ_HIGH,
++	MW1_SZ_LOW,
+ 	MAX_SPAD,
+ };
+ 
+@@ -526,6 +529,18 @@ static int ntb_set_mw(struct ntb_transpo
+ 	return 0;
+ }
+ 
++static void ntb_free_mw(struct ntb_transport *nt, int num_mw)
++{
++	struct ntb_transport_mw *mw = &nt->mw[num_mw];
++	struct pci_dev *pdev = ntb_query_pdev(nt->ndev);
++
++	if (!mw->virt_addr)
++		return;
++
++	dma_free_coherent(&pdev->dev, mw->size, mw->virt_addr, mw->dma_addr);
++	mw->virt_addr = NULL;
++}
++
+ static void ntb_qp_link_cleanup(struct work_struct *work)
+ {
+ 	struct ntb_transport_qp *qp = container_of(work,
+@@ -604,25 +619,31 @@ static void ntb_transport_link_work(stru
+ 	u32 val;
+ 	int rc, i;
+ 
+-	/* send the local info */
+-	rc = ntb_write_remote_spad(ndev, VERSION, NTB_TRANSPORT_VERSION);
+-	if (rc) {
+-		dev_err(&pdev->dev, "Error writing %x to remote spad %d\n",
+-			0, VERSION);
+-		goto out;
+-	}
++	/* send the local info, in the opposite order of the way we read it */
++	for (i = 0; i < NTB_NUM_MW; i++) {
++		rc = ntb_write_remote_spad(ndev, MW0_SZ_HIGH + (i * 2),
++					   ntb_get_mw_size(ndev, i) >> 32);
++		if (rc) {
++			dev_err(&pdev->dev, "Error writing %u to remote spad %d\n",
++				(u32)(ntb_get_mw_size(ndev, i) >> 32),
++				MW0_SZ_HIGH + (i * 2));
++			goto out;
++		}
+ 
+-	rc = ntb_write_remote_spad(ndev, MW0_SZ, ntb_get_mw_size(ndev, 0));
+-	if (rc) {
+-		dev_err(&pdev->dev, "Error writing %x to remote spad %d\n",
+-			(u32) ntb_get_mw_size(ndev, 0), MW0_SZ);
+-		goto out;
++		rc = ntb_write_remote_spad(ndev, MW0_SZ_LOW + (i * 2),
++					   (u32) ntb_get_mw_size(ndev, i));
++		if (rc) {
++			dev_err(&pdev->dev, "Error writing %u to remote spad %d\n",
++				(u32) ntb_get_mw_size(ndev, i),
++				MW0_SZ_LOW + (i * 2));
++			goto out;
++		}
+ 	}
+ 
+-	rc = ntb_write_remote_spad(ndev, MW1_SZ, ntb_get_mw_size(ndev, 1));
++	rc = ntb_write_remote_spad(ndev, NUM_MWS, NTB_NUM_MW);
+ 	if (rc) {
+ 		dev_err(&pdev->dev, "Error writing %x to remote spad %d\n",
+-			(u32) ntb_get_mw_size(ndev, 1), MW1_SZ);
++			NTB_NUM_MW, NUM_MWS);
+ 		goto out;
+ 	}
+ 
+@@ -633,16 +654,10 @@ static void ntb_transport_link_work(stru
+ 		goto out;
+ 	}
+ 
+-	rc = ntb_read_local_spad(nt->ndev, QP_LINKS, &val);
+-	if (rc) {
+-		dev_err(&pdev->dev, "Error reading spad %d\n", QP_LINKS);
+-		goto out;
+-	}
+-
+-	rc = ntb_write_remote_spad(ndev, QP_LINKS, val);
++	rc = ntb_write_remote_spad(ndev, VERSION, NTB_TRANSPORT_VERSION);
+ 	if (rc) {
+ 		dev_err(&pdev->dev, "Error writing %x to remote spad %d\n",
+-			val, QP_LINKS);
++			NTB_TRANSPORT_VERSION, VERSION);
+ 		goto out;
+ 	}
+ 
+@@ -667,33 +682,43 @@ static void ntb_transport_link_work(stru
+ 		goto out;
+ 	dev_dbg(&pdev->dev, "Remote max number of qps = %d\n", val);
+ 
+-	rc = ntb_read_remote_spad(ndev, MW0_SZ, &val);
++	rc = ntb_read_remote_spad(ndev, NUM_MWS, &val);
+ 	if (rc) {
+-		dev_err(&pdev->dev, "Error reading remote spad %d\n", MW0_SZ);
++		dev_err(&pdev->dev, "Error reading remote spad %d\n", NUM_MWS);
+ 		goto out;
+ 	}
+ 
+-	if (!val)
++	if (val != NTB_NUM_MW)
+ 		goto out;
+-	dev_dbg(&pdev->dev, "Remote MW0 size = %d\n", val);
++	dev_dbg(&pdev->dev, "Remote number of mws = %d\n", val);
+ 
+-	rc = ntb_set_mw(nt, 0, val);
+-	if (rc)
+-		goto out;
++	for (i = 0; i < NTB_NUM_MW; i++) {
++		u64 val64;
+ 
+-	rc = ntb_read_remote_spad(ndev, MW1_SZ, &val);
+-	if (rc) {
+-		dev_err(&pdev->dev, "Error reading remote spad %d\n", MW1_SZ);
+-		goto out;
+-	}
++		rc = ntb_read_remote_spad(ndev, MW0_SZ_HIGH + (i * 2), &val);
++		if (rc) {
++			dev_err(&pdev->dev, "Error reading remote spad %d\n",
++				MW0_SZ_HIGH + (i * 2));
++			goto out1;
++		}
+ 
+-	if (!val)
+-		goto out;
+-	dev_dbg(&pdev->dev, "Remote MW1 size = %d\n", val);
++		val64 = (u64) val << 32;
+ 
+-	rc = ntb_set_mw(nt, 1, val);
+-	if (rc)
+-		goto out;
++		rc = ntb_read_remote_spad(ndev, MW0_SZ_LOW + (i * 2), &val);
++		if (rc) {
++			dev_err(&pdev->dev, "Error reading remote spad %d\n",
++				MW0_SZ_LOW + (i * 2));
++			goto out1;
++		}
++
++		val64 |= val;
++
++		dev_dbg(&pdev->dev, "Remote MW%d size = %llu\n", i, val64);
++
++		rc = ntb_set_mw(nt, i, val64);
++		if (rc)
++			goto out1;
++	}
+ 
+ 	nt->transport_link = NTB_LINK_UP;
+ 
+@@ -708,6 +733,9 @@ static void ntb_transport_link_work(stru
+ 
+ 	return;
+ 
++out1:
++	for (i = 0; i < NTB_NUM_MW; i++)
++		ntb_free_mw(nt, i);
+ out:
+ 	if (ntb_hw_link_status(ndev))
+ 		schedule_delayed_work(&nt->link_work,
+@@ -897,10 +925,7 @@ void ntb_transport_free(void *transport)
+ 	pdev = ntb_query_pdev(nt->ndev);
+ 
+ 	for (i = 0; i < NTB_NUM_MW; i++)
+-		if (nt->mw[i].virt_addr)
+-			dma_free_coherent(&pdev->dev, nt->mw[i].size,
+-					  nt->mw[i].virt_addr,
+-					  nt->mw[i].dma_addr);
++		ntb_free_mw(nt, i);
+ 
+ 	kfree(nt->qps);
+ 	ntb_unregister_transport(nt->ndev);
diff --git a/queue-3.9/ntb-link-toggle-memory-leak.patch b/queue-3.9/ntb-link-toggle-memory-leak.patch
new file mode 100644
index 00000000000..655690f5760
--- /dev/null
+++ b/queue-3.9/ntb-link-toggle-memory-leak.patch
@@ -0,0 +1,81 @@
+From b77b2637b39ecc380bb08992380d7d48452b0872 Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@intel.com>
+Date: Fri, 1 Feb 2013 15:25:37 -0700
+Subject: NTB: Link toggle memory leak
+
+From: Jon Mason <jon.mason@intel.com>
+
+commit b77b2637b39ecc380bb08992380d7d48452b0872 upstream.
+
+Each link-up will allocate a new NTB receive buffer when the NTB
+properties are negotiated with the remote system.  These allocations did
+not check for existing buffers and thus did not free them.  Now, the
+driver will check for an existing buffer and free it if not of the
+correct size, before trying to alloc a new one.
+
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_transport.c |   32 ++++++++++++++++++++------------
+ 1 file changed, 20 insertions(+), 12 deletions(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -507,17 +507,37 @@ static void ntb_transport_setup_qp_mw(st
+ 	qp->tx_pkts = 0;
+ }
+ 
++static void ntb_free_mw(struct ntb_transport *nt, int num_mw)
++{
++	struct ntb_transport_mw *mw = &nt->mw[num_mw];
++	struct pci_dev *pdev = ntb_query_pdev(nt->ndev);
++
++	if (!mw->virt_addr)
++		return;
++
++	dma_free_coherent(&pdev->dev, mw->size, mw->virt_addr, mw->dma_addr);
++	mw->virt_addr = NULL;
++}
++
+ static int ntb_set_mw(struct ntb_transport *nt, int num_mw, unsigned int size)
+ {
+ 	struct ntb_transport_mw *mw = &nt->mw[num_mw];
+ 	struct pci_dev *pdev = ntb_query_pdev(nt->ndev);
+ 
++	/* No need to re-setup */
++	if (mw->size == ALIGN(size, 4096))
++		return 0;
++
++	if (mw->size != 0)
++		ntb_free_mw(nt, num_mw);
++
+ 	/* Alloc memory for receiving data.  Must be 4k aligned */
+ 	mw->size = ALIGN(size, 4096);
+ 
+ 	mw->virt_addr = dma_alloc_coherent(&pdev->dev, mw->size, &mw->dma_addr,
+ 					   GFP_KERNEL);
+ 	if (!mw->virt_addr) {
++		mw->size = 0;
+ 		dev_err(&pdev->dev, "Unable to allocate MW buffer of size %d\n",
+ 		       (int) mw->size);
+ 		return -ENOMEM;
+@@ -529,18 +549,6 @@ static int ntb_set_mw(struct ntb_transpo
+ 	return 0;
+ }
+ 
+-static void ntb_free_mw(struct ntb_transport *nt, int num_mw)
+-{
+-	struct ntb_transport_mw *mw = &nt->mw[num_mw];
+-	struct pci_dev *pdev = ntb_query_pdev(nt->ndev);
+-
+-	if (!mw->virt_addr)
+-		return;
+-
+-	dma_free_coherent(&pdev->dev, mw->size, mw->virt_addr, mw->dma_addr);
+-	mw->virt_addr = NULL;
+-}
+-
+ static void ntb_qp_link_cleanup(struct work_struct *work)
+ {
+ 	struct ntb_transport_qp *qp = container_of(work,
diff --git a/queue-3.9/ntb-memcpy-lockup-workaround.patch b/queue-3.9/ntb-memcpy-lockup-workaround.patch
new file mode 100644
index 00000000000..e6f5fa79881
--- /dev/null
+++ b/queue-3.9/ntb-memcpy-lockup-workaround.patch
@@ -0,0 +1,42 @@
+From c336acd3331dcc191a97dbc66a557d47741657c7 Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@intel.com>
+Date: Thu, 17 Jan 2013 15:28:45 -0700
+Subject: NTB: memcpy lockup workaround
+
+From: Jon Mason <jon.mason@intel.com>
+
+commit c336acd3331dcc191a97dbc66a557d47741657c7 upstream.
+
+The system will appear to lockup for long periods of time due to the NTB
+driver spending too much time in memcpy.  Avoid this by reducing the
+number of packets that can be serviced on a given interrupt.
+
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_transport.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -1034,11 +1034,16 @@ out:
+ static void ntb_transport_rx(unsigned long data)
+ {
+ 	struct ntb_transport_qp *qp = (struct ntb_transport_qp *)data;
+-	int rc;
++	int rc, i;
+ 
+-	do {
++	/* Limit the number of packets processed in a single interrupt to
++	 * provide fairness to others
++	 */
++	for (i = 0; i < qp->rx_max_entry; i++) {
+ 		rc = ntb_process_rxc(qp);
+-	} while (!rc);
++		if (rc)
++			break;
++	}
+ }
+ 
+ static void ntb_transport_rxc_db(void *data, int db_num)
diff --git a/queue-3.9/ntb-multiple-ntb-client-fix.patch b/queue-3.9/ntb-multiple-ntb-client-fix.patch
new file mode 100644
index 00000000000..6918120e7b4
--- /dev/null
+++ b/queue-3.9/ntb-multiple-ntb-client-fix.patch
@@ -0,0 +1,49 @@
+From 8b19d450ad188d402a183ff4a4d40f31c3916fbf Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@intel.com>
+Date: Fri, 26 Apr 2013 14:51:57 -0700
+Subject: NTB: Multiple NTB client fix
+
+From: Jon Mason <jon.mason@intel.com>
+
+commit 8b19d450ad188d402a183ff4a4d40f31c3916fbf upstream.
+
+Fix issue with adding multiple ntb client devices to the ntb virtual
+bus.  Previously, multiple devices would be added with the same name,
+resulting in crashes.  To get around this issue, add a unique number to
+the device when it is added.
+
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_transport.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -300,7 +300,7 @@ int ntb_register_client_dev(char *device
+ {
+ 	struct ntb_transport_client_dev *client_dev;
+ 	struct ntb_transport *nt;
+-	int rc;
++	int rc, i = 0;
+ 
+ 	if (list_empty(&ntb_transport_list))
+ 		return -ENODEV;
+@@ -318,7 +318,7 @@ int ntb_register_client_dev(char *device
+ 		dev = &client_dev->dev;
+ 
+ 		/* setup and register client devices */
+-		dev_set_name(dev, "%s", device_name);
++		dev_set_name(dev, "%s%d", device_name, i);
+ 		dev->bus = &ntb_bus_type;
+ 		dev->release = ntb_client_release;
+ 		dev->parent = &ntb_query_pdev(nt->ndev)->dev;
+@@ -330,6 +330,7 @@ int ntb_register_client_dev(char *device
+ 		}
+ 
+ 		list_add_tail(&client_dev->entry, &nt->client_devs);
++		i++;
+ 	}
+ 
+ 	return 0;
diff --git a/queue-3.9/ntb-off-by-one-sanity-checks.patch b/queue-3.9/ntb-off-by-one-sanity-checks.patch
new file mode 100644
index 00000000000..04153a00818
--- /dev/null
+++ b/queue-3.9/ntb-off-by-one-sanity-checks.patch
@@ -0,0 +1,49 @@
+From ad3e2751e7c546ae678be1f8d86e898506b42cef Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 22 Jan 2013 10:19:14 +0300
+Subject: ntb: off by one sanity checks
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit ad3e2751e7c546ae678be1f8d86e898506b42cef upstream.
+
+These tests are off by one.  If "mw" is equal to NTB_NUM_MW then we
+would go beyond the end of the ndev->mw[] array.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_hw.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/ntb/ntb_hw.c
++++ b/drivers/ntb/ntb_hw.c
+@@ -345,7 +345,7 @@ int ntb_read_remote_spad(struct ntb_devi
+  */
+ void __iomem *ntb_get_mw_vbase(struct ntb_device *ndev, unsigned int mw)
+ {
+-	if (mw > NTB_NUM_MW)
++	if (mw >= NTB_NUM_MW)
+ 		return NULL;
+ 
+ 	return ndev->mw[mw].vbase;
+@@ -362,7 +362,7 @@ void __iomem *ntb_get_mw_vbase(struct nt
+  */
+ resource_size_t ntb_get_mw_size(struct ntb_device *ndev, unsigned int mw)
+ {
+-	if (mw > NTB_NUM_MW)
++	if (mw >= NTB_NUM_MW)
+ 		return 0;
+ 
+ 	return ndev->mw[mw].bar_sz;
+@@ -380,7 +380,7 @@ resource_size_t ntb_get_mw_size(struct n
+  */
+ void ntb_set_mw_addr(struct ntb_device *ndev, unsigned int mw, u64 addr)
+ {
+-	if (mw > NTB_NUM_MW)
++	if (mw >= NTB_NUM_MW)
+ 		return;
+ 
+ 	dev_dbg(&ndev->pdev->dev, "Writing addr %Lx to BAR %d\n", addr,
diff --git a/queue-3.9/ntb-reset-tx_index-on-link-toggle.patch b/queue-3.9/ntb-reset-tx_index-on-link-toggle.patch
new file mode 100644
index 00000000000..8e3ec53e240
--- /dev/null
+++ b/queue-3.9/ntb-reset-tx_index-on-link-toggle.patch
@@ -0,0 +1,39 @@
+From 90f9e934647e652a69396e18c779215a493271cf Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@intel.com>
+Date: Fri, 1 Feb 2013 15:34:35 -0700
+Subject: NTB: reset tx_index on link toggle
+
+From: Jon Mason <jon.mason@intel.com>
+
+commit 90f9e934647e652a69396e18c779215a493271cf upstream.
+
+If the NTB link toggles, the driver could stop receiving due to the
+tx_index not being set to 0 on the transmitting size on a link-up event.
+This is due to the driver expecting the incoming data to start at the
+beginning of the receive buffer and not at a random place.
+
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_transport.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -505,6 +505,7 @@ static void ntb_transport_setup_qp_mw(st
+ 
+ 	qp->rx_pkts = 0;
+ 	qp->tx_pkts = 0;
++	qp->tx_index = 0;
+ }
+ 
+ static void ntb_free_mw(struct ntb_transport *nt, int num_mw)
+@@ -819,7 +820,6 @@ static void ntb_transport_init_queue(str
+ 	qp->tx_mw = qp->rx_info + 1;
+ 	qp->tx_max_frame = min(transport_mtu, tx_size);
+ 	qp->tx_max_entry = tx_size / qp->tx_max_frame;
+-	qp->tx_index = 0;
+ 
+ 	if (nt->debugfs_dir) {
+ 		char debugfs_name[4];
diff --git a/queue-3.9/ntb-variable-dereferenced-before-check.patch b/queue-3.9/ntb-variable-dereferenced-before-check.patch
new file mode 100644
index 00000000000..3eb12247779
--- /dev/null
+++ b/queue-3.9/ntb-variable-dereferenced-before-check.patch
@@ -0,0 +1,84 @@
+From 186f27ff9f9ec5c110739ced88ce9f8fca053882 Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@intel.com>
+Date: Tue, 22 Jan 2013 11:35:40 -0700
+Subject: NTB: variable dereferenced before check
+
+From: Jon Mason <jon.mason@intel.com>
+
+commit 186f27ff9f9ec5c110739ced88ce9f8fca053882 upstream.
+
+Correct instances of variable dereferencing before checking its value on
+the functions exported to the client drivers.  Also, add sanity checks
+for all exported functions.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ntb/ntb_transport.c |   16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -1210,12 +1210,14 @@ EXPORT_SYMBOL_GPL(ntb_transport_create_q
+  */
+ void ntb_transport_free_queue(struct ntb_transport_qp *qp)
+ {
+-	struct pci_dev *pdev = ntb_query_pdev(qp->ndev);
++	struct pci_dev *pdev;
+ 	struct ntb_queue_entry *entry;
+ 
+ 	if (!qp)
+ 		return;
+ 
++	pdev = ntb_query_pdev(qp->ndev);
++
+ 	cancel_delayed_work_sync(&qp->link_work);
+ 
+ 	ntb_unregister_db_callback(qp->ndev, qp->qp_num);
+@@ -1371,12 +1373,13 @@ EXPORT_SYMBOL_GPL(ntb_transport_link_up)
+  */
+ void ntb_transport_link_down(struct ntb_transport_qp *qp)
+ {
+-	struct pci_dev *pdev = ntb_query_pdev(qp->ndev);
++	struct pci_dev *pdev;
+ 	int rc, val;
+ 
+ 	if (!qp)
+ 		return;
+ 
++	pdev = ntb_query_pdev(qp->ndev);
+ 	qp->client_ready = NTB_LINK_DOWN;
+ 
+ 	rc = ntb_read_local_spad(qp->ndev, QP_LINKS, &val);
+@@ -1408,6 +1411,9 @@ EXPORT_SYMBOL_GPL(ntb_transport_link_dow
+  */
+ bool ntb_transport_link_query(struct ntb_transport_qp *qp)
+ {
++	if (!qp)
++		return false;
++
+ 	return qp->qp_link == NTB_LINK_UP;
+ }
+ EXPORT_SYMBOL_GPL(ntb_transport_link_query);
+@@ -1422,6 +1428,9 @@ EXPORT_SYMBOL_GPL(ntb_transport_link_que
+  */
+ unsigned char ntb_transport_qp_num(struct ntb_transport_qp *qp)
+ {
++	if (!qp)
++		return 0;
++
+ 	return qp->qp_num;
+ }
+ EXPORT_SYMBOL_GPL(ntb_transport_qp_num);
+@@ -1436,6 +1445,9 @@ EXPORT_SYMBOL_GPL(ntb_transport_qp_num);
+  */
+ unsigned int ntb_transport_max_size(struct ntb_transport_qp *qp)
+ {
++	if (!qp)
++		return 0;
++
+ 	return qp->tx_max_frame - sizeof(struct ntb_payload_header);
+ }
+ EXPORT_SYMBOL_GPL(ntb_transport_max_size);
diff --git a/queue-3.9/ntb_netdev-remove-from-list-on-exit.patch b/queue-3.9/ntb_netdev-remove-from-list-on-exit.patch
new file mode 100644
index 00000000000..4c0a055a205
--- /dev/null
+++ b/queue-3.9/ntb_netdev-remove-from-list-on-exit.patch
@@ -0,0 +1,31 @@
+From 904435cf76a9bdd5eb41b1c4e049d5a64f3a8400 Mon Sep 17 00:00:00 2001
+From: Jon Mason <jon.mason@intel.com>
+Date: Thu, 18 Apr 2013 13:36:43 -0700
+Subject: ntb_netdev: remove from list on exit
+
+From: Jon Mason <jon.mason@intel.com>
+
+commit 904435cf76a9bdd5eb41b1c4e049d5a64f3a8400 upstream.
+
+The ntb_netdev device is not removed from the global list of devices
+upon device removal.  If the device is re-added, the removal code would
+find the first instance and try to remove an already removed device.
+
+Signed-off-by: Jon Mason <jon.mason@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ntb_netdev.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ntb_netdev.c
++++ b/drivers/net/ntb_netdev.c
+@@ -375,6 +375,8 @@ static void ntb_netdev_remove(struct pci
+ 	if (dev == NULL)
+ 		return;
+ 
++	list_del(&dev->list);
++
+ 	ndev = dev->ndev;
+ 
+ 	unregister_netdev(ndev);
diff --git a/queue-3.9/series b/queue-3.9/series
index 09e04aaee40..ec62157dc9c 100644
--- a/queue-3.9/series
+++ b/queue-3.9/series
@@ -8,3 +8,14 @@ x86-fix-bit-corruption-at-cpu-resume-time.patch
 drm-nouveau-bios-fix-thinko-in-zm_mask_add-opcode.patch
 drm-radeon-fix-vram-size-calculation-for-vram-4gb.patch
 virtio_console-fix-uapi-header.patch
+ntb-variable-dereferenced-before-check.patch
+ntb-off-by-one-sanity-checks.patch
+ntb-fix-pointer-math-issues.patch
+ntb-handle-64bit-bar-sizes.patch
+ntb-link-toggle-memory-leak.patch
+ntb-reset-tx_index-on-link-toggle.patch
+ntb-correctly-handle-receive-buffers-of-the-minimal-size.patch
+ntb-memcpy-lockup-workaround.patch
+ntb_netdev-remove-from-list-on-exit.patch
+ntb-multiple-ntb-client-fix.patch
+x86-vm86-fix-vm86-syscalls-use-syscall_definex.patch
diff --git a/queue-3.9/x86-vm86-fix-vm86-syscalls-use-syscall_definex.patch b/queue-3.9/x86-vm86-fix-vm86-syscalls-use-syscall_definex.patch
new file mode 100644
index 00000000000..37e96398a5a
--- /dev/null
+++ b/queue-3.9/x86-vm86-fix-vm86-syscalls-use-syscall_definex.patch
@@ -0,0 +1,99 @@
+From 5522ddb3fc0dfd4a503c8278eafd88c9f2d3fada Mon Sep 17 00:00:00 2001
+From: Alexander van Heukelum <heukelum@fastmail.fm>
+Date: Wed, 27 Mar 2013 22:18:05 +0100
+Subject: x86, vm86: fix VM86 syscalls: use SYSCALL_DEFINEx(...)
+
+From: Alexander van Heukelum <heukelum@fastmail.fm>
+
+commit 5522ddb3fc0dfd4a503c8278eafd88c9f2d3fada upstream.
+
+Commit 49cb25e9290 x86: 'get rid of pt_regs argument in vm86/vm86old'
+got rid of the pt_regs stub for sys_vm86old and sys_vm86. The functions
+were, however, not changed to use the calling convention for syscalls.
+
+[AV: killed asmlinkage_protect() - it's done automatically now]
+
+Backported-by: Satoru Takeuchi <satoru.takeuchi@gmail.com>
+Reported-and-tested-by: Hans de Bruin <jmdebruin@xmsnet.nl>
+Signed-off-by: Alexander van Heukelum <heukelum@fastmail.fm>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/syscalls.h |    4 ++--
+ arch/x86/kernel/vm86_32.c       |   11 ++++++-----
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/arch/x86/include/asm/syscalls.h
++++ b/arch/x86/include/asm/syscalls.h
+@@ -37,8 +37,8 @@ asmlinkage int sys_get_thread_area(struc
+ unsigned long sys_sigreturn(void);
+ 
+ /* kernel/vm86_32.c */
+-int sys_vm86old(struct vm86_struct __user *);
+-int sys_vm86(unsigned long, unsigned long);
++asmlinkage long sys_vm86old(struct vm86_struct __user *);
++asmlinkage long sys_vm86(unsigned long, unsigned long);
+ 
+ #else /* CONFIG_X86_32 */
+ 
+--- a/arch/x86/kernel/vm86_32.c
++++ b/arch/x86/kernel/vm86_32.c
+@@ -33,6 +33,7 @@
+ #include <linux/capability.h>
+ #include <linux/errno.h>
+ #include <linux/interrupt.h>
++#include <linux/syscalls.h>
+ #include <linux/sched.h>
+ #include <linux/kernel.h>
+ #include <linux/signal.h>
+@@ -48,7 +49,6 @@
+ #include <asm/io.h>
+ #include <asm/tlbflush.h>
+ #include <asm/irq.h>
+-#include <asm/syscalls.h>
+ 
+ /*
+  * Known problems:
+@@ -202,17 +202,16 @@ out:
+ static int do_vm86_irq_handling(int subfunction, int irqnumber);
+ static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk);
+ 
+-int sys_vm86old(struct vm86_struct __user *v86)
++SYSCALL_DEFINE1(vm86old, struct vm86_struct __user *, v86)
+ {
+ 	struct kernel_vm86_struct info; /* declare this _on top_,
+ 					 * this avoids wasting of stack space.
+ 					 * This remains on the stack until we
+ 					 * return to 32 bit user space.
+ 					 */
+-	struct task_struct *tsk;
++	struct task_struct *tsk = current;
+ 	int tmp, ret = -EPERM;
+ 
+-	tsk = current;
+ 	if (tsk->thread.saved_sp0)
+ 		goto out;
+ 	tmp = copy_vm86_regs_from_user(&info.regs, &v86->regs,
+@@ -227,11 +226,12 @@ int sys_vm86old(struct vm86_struct __use
+ 	do_sys_vm86(&info, tsk);
+ 	ret = 0;	/* we never return here */
+ out:
++	asmlinkage_protect(1, ret, v86);
+ 	return ret;
+ }
+ 
+ 
+-int sys_vm86(unsigned long cmd, unsigned long arg)
++SYSCALL_DEFINE2(vm86, unsigned long, cmd, unsigned long, arg)
+ {
+ 	struct kernel_vm86_struct info; /* declare this _on top_,
+ 					 * this avoids wasting of stack space.
+@@ -278,6 +278,7 @@ int sys_vm86(unsigned long cmd, unsigned
+ 	do_sys_vm86(&info, tsk);
+ 	ret = 0;	/* we never return here */
+ out:
++	asmlinkage_protect(2, ret, cmd, arg);
+ 	return ret;
+ }
+ 
-- 
2.47.3