authorGreg Kroah-Hartman <gregkh@suse.de>2011-03-23 16:47:36 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2011-03-23 16:47:36 -0700
commita8b45126b1b777eeca719f4dfa88fb00d64a72b8 (patch)
tree268739cdbdd3212ab799f01a4f0877f0dce51ab0
parentab9f20e7a844fc5fd761d4e6d143e93aafa72251 (diff)
downloadlongterm-queue-2.6.33-a8b45126b1b777eeca719f4dfa88fb00d64a72b8.tar.gz
.33 patches
-rw-r--r--queue-2.6.33/ethtool-compat-handling-for-struct-ethtool_rxnfc.patch206
-rw-r--r--queue-2.6.33/pci-hotplug-acpiphp-set-current_state-to-d0-in-register_slot.patch65
-rw-r--r--queue-2.6.33/pci-return-correct-value-when-writing-to-the-reset-attribute.patch39
-rw-r--r--queue-2.6.33/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch68
-rw-r--r--queue-2.6.33/revert-intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch48
-rw-r--r--queue-2.6.33/series6
-rw-r--r--queue-2.6.33/xen-set-max_pfn_mapped-to-the-last-pfn-mapped.patch62
7 files changed, 287 insertions, 207 deletions
diff --git a/queue-2.6.33/ethtool-compat-handling-for-struct-ethtool_rxnfc.patch b/queue-2.6.33/ethtool-compat-handling-for-struct-ethtool_rxnfc.patch
deleted file mode 100644
index 6c5c7d9..0000000
--- a/queue-2.6.33/ethtool-compat-handling-for-struct-ethtool_rxnfc.patch
+++ /dev/null
@@ -1,206 +0,0 @@
-From 3a7da39d165e0c363c294feec119db1427032afd Mon Sep 17 00:00:00 2001
-From: Ben Hutchings <bhutchings@solarflare.com>
-Date: Thu, 17 Mar 2011 07:34:32 +0000
-Subject: ethtool: Compat handling for struct ethtool_rxnfc
-
-From: Ben Hutchings <bhutchings@solarflare.com>
-
-commit 3a7da39d165e0c363c294feec119db1427032afd upstream.
-
-This structure was accidentally defined such that its layout can
-differ between 32-bit and 64-bit processes. Add compat structure
-definitions and an ioctl wrapper function.
-
-Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
-Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-
----
- include/linux/ethtool.h | 34 ++++++++++++++
- net/socket.c | 114 +++++++++++++++++++++++++++++++++++++++++++++---
- 2 files changed, 141 insertions(+), 7 deletions(-)
-
---- a/include/linux/ethtool.h
-+++ b/include/linux/ethtool.h
-@@ -13,6 +13,9 @@
- #ifndef _LINUX_ETHTOOL_H
- #define _LINUX_ETHTOOL_H
-
-+#ifdef __KERNEL__
-+#include <linux/compat.h>
-+#endif
- #include <linux/types.h>
-
- /* This should work for both 32 and 64 bit userland. */
-@@ -397,6 +400,37 @@ int ethtool_op_set_ufo(struct net_device
- u32 ethtool_op_get_flags(struct net_device *dev);
- int ethtool_op_set_flags(struct net_device *dev, u32 data);
-
-+#ifdef __KERNEL__
-+#ifdef CONFIG_COMPAT
-+
-+struct compat_ethtool_rx_flow_spec {
-+ u32 flow_type;
-+ union {
-+ struct ethtool_tcpip4_spec tcp_ip4_spec;
-+ struct ethtool_tcpip4_spec udp_ip4_spec;
-+ struct ethtool_tcpip4_spec sctp_ip4_spec;
-+ struct ethtool_ah_espip4_spec ah_ip4_spec;
-+ struct ethtool_ah_espip4_spec esp_ip4_spec;
-+ struct ethtool_usrip4_spec usr_ip4_spec;
-+ struct ethhdr ether_spec;
-+ u8 hdata[72];
-+ } h_u, m_u;
-+ compat_u64 ring_cookie;
-+ u32 location;
-+};
-+
-+struct compat_ethtool_rxnfc {
-+ u32 cmd;
-+ u32 flow_type;
-+ compat_u64 data;
-+ struct compat_ethtool_rx_flow_spec fs;
-+ u32 rule_cnt;
-+ u32 rule_locs[0];
-+};
-+
-+#endif /* CONFIG_COMPAT */
-+#endif /* __KERNEL__ */
-+
- /**
- * &ethtool_ops - Alter and report network device settings
- * get_settings: Get device-specific settings
---- a/net/socket.c
-+++ b/net/socket.c
-@@ -2561,23 +2561,123 @@ static int dev_ifconf(struct net *net, s
-
- static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
- {
-+ struct compat_ethtool_rxnfc __user *compat_rxnfc;
-+ bool convert_in = false, convert_out = false;
-+ size_t buf_size = ALIGN(sizeof(struct ifreq), 8);
-+ struct ethtool_rxnfc __user *rxnfc;
- struct ifreq __user *ifr;
-+ u32 rule_cnt = 0, actual_rule_cnt;
-+ u32 ethcmd;
- u32 data;
-- void __user *datap;
-+ int ret;
-
-- ifr = compat_alloc_user_space(sizeof(*ifr));
-+ if (get_user(data, &ifr32->ifr_ifru.ifru_data))
-+ return -EFAULT;
-
-- if (copy_in_user(&ifr->ifr_name, &ifr32->ifr_name, IFNAMSIZ))
-+ compat_rxnfc = compat_ptr(data);
-+
-+ if (get_user(ethcmd, &compat_rxnfc->cmd))
- return -EFAULT;
-
-- if (get_user(data, &ifr32->ifr_ifru.ifru_data))
-+ /* Most ethtool structures are defined without padding.
-+ * Unfortunately struct ethtool_rxnfc is an exception.
-+ */
-+ switch (ethcmd) {
-+ default:
-+ break;
-+ case ETHTOOL_GRXCLSRLALL:
-+ /* Buffer size is variable */
-+ if (get_user(rule_cnt, &compat_rxnfc->rule_cnt))
-+ return -EFAULT;
-+ if (rule_cnt > KMALLOC_MAX_SIZE / sizeof(u32))
-+ return -ENOMEM;
-+ buf_size += rule_cnt * sizeof(u32);
-+ /* fall through */
-+ case ETHTOOL_GRXRINGS:
-+ case ETHTOOL_GRXCLSRLCNT:
-+ case ETHTOOL_GRXCLSRULE:
-+ convert_out = true;
-+ /* fall through */
-+ case ETHTOOL_SRXCLSRLDEL:
-+ case ETHTOOL_SRXCLSRLINS:
-+ buf_size += sizeof(struct ethtool_rxnfc);
-+ convert_in = true;
-+ break;
-+ }
-+
-+ ifr = compat_alloc_user_space(buf_size);
-+ rxnfc = (void *)ifr + ALIGN(sizeof(struct ifreq), 8);
-+
-+ if (copy_in_user(&ifr->ifr_name, &ifr32->ifr_name, IFNAMSIZ))
- return -EFAULT;
-
-- datap = compat_ptr(data);
-- if (put_user(datap, &ifr->ifr_ifru.ifru_data))
-+ if (put_user(convert_in ? rxnfc : compat_ptr(data),
-+ &ifr->ifr_ifru.ifru_data))
- return -EFAULT;
-
-- return dev_ioctl(net, SIOCETHTOOL, ifr);
-+ if (convert_in) {
-+ /* We expect there to be holes between fs.m_u and
-+ * fs.ring_cookie and at the end of fs, but nowhere else.
-+ */
-+ BUILD_BUG_ON(offsetof(struct compat_ethtool_rxnfc, fs.m_u) +
-+ sizeof(compat_rxnfc->fs.m_u) !=
-+ offsetof(struct ethtool_rxnfc, fs.m_u) +
-+ sizeof(rxnfc->fs.m_u));
-+ BUILD_BUG_ON(
-+ offsetof(struct compat_ethtool_rxnfc, fs.location) -
-+ offsetof(struct compat_ethtool_rxnfc, fs.ring_cookie) !=
-+ offsetof(struct ethtool_rxnfc, fs.location) -
-+ offsetof(struct ethtool_rxnfc, fs.ring_cookie));
-+
-+ if (copy_in_user(rxnfc, compat_rxnfc,
-+ (void *)(&rxnfc->fs.m_u + 1) -
-+ (void *)rxnfc) ||
-+ copy_in_user(&rxnfc->fs.ring_cookie,
-+ &compat_rxnfc->fs.ring_cookie,
-+ (void *)(&rxnfc->fs.location + 1) -
-+ (void *)&rxnfc->fs.ring_cookie) ||
-+ copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt,
-+ sizeof(rxnfc->rule_cnt)))
-+ return -EFAULT;
-+ }
-+
-+ ret = dev_ioctl(net, SIOCETHTOOL, ifr);
-+ if (ret)
-+ return ret;
-+
-+ if (convert_out) {
-+ if (copy_in_user(compat_rxnfc, rxnfc,
-+ (const void *)(&rxnfc->fs.m_u + 1) -
-+ (const void *)rxnfc) ||
-+ copy_in_user(&compat_rxnfc->fs.ring_cookie,
-+ &rxnfc->fs.ring_cookie,
-+ (const void *)(&rxnfc->fs.location + 1) -
-+ (const void *)&rxnfc->fs.ring_cookie) ||
-+ copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt,
-+ sizeof(rxnfc->rule_cnt)))
-+ return -EFAULT;
-+
-+ if (ethcmd == ETHTOOL_GRXCLSRLALL) {
-+ /* As an optimisation, we only copy the actual
-+ * number of rules that the underlying
-+ * function returned. Since Mallory might
-+ * change the rule count in user memory, we
-+ * check that it is less than the rule count
-+ * originally given (as the user buffer size),
-+ * which has been range-checked.
-+ */
-+ if (get_user(actual_rule_cnt, &rxnfc->rule_cnt))
-+ return -EFAULT;
-+ if (actual_rule_cnt < rule_cnt)
-+ rule_cnt = actual_rule_cnt;
-+ if (copy_in_user(&compat_rxnfc->rule_locs[0],
-+ &rxnfc->rule_locs[0],
-+ rule_cnt * sizeof(u32)))
-+ return -EFAULT;
-+ }
-+ }
-+
-+ return 0;
- }
-
- static int compat_siocwandev(struct net *net, struct compat_ifreq __user *uifr32)
diff --git a/queue-2.6.33/pci-hotplug-acpiphp-set-current_state-to-d0-in-register_slot.patch b/queue-2.6.33/pci-hotplug-acpiphp-set-current_state-to-d0-in-register_slot.patch
new file mode 100644
index 0000000..fa0f95c
--- /dev/null
+++ b/queue-2.6.33/pci-hotplug-acpiphp-set-current_state-to-d0-in-register_slot.patch
@@ -0,0 +1,65 @@
+From 47e9037ac16637cd7f12b8790ea7ce6680e42168 Mon Sep 17 00:00:00 2001
+From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+Date: Mon, 28 Feb 2011 16:20:11 +0000
+Subject: PCI hotplug: acpiphp: set current_state to D0 in register_slot
+
+From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+
+commit 47e9037ac16637cd7f12b8790ea7ce6680e42168 upstream.
+
+If a device doesn't support power management (pm_cap == 0) but it is
+acpi_pci_power_manageable() because there is a _PS0 method declared for
+it and _EJ0 is also declared for the slot then nobody is going to set
+current_state = PCI_D0 for this device. This is what I think it is
+happening:
+
+pci_enable_device
+ |
+__pci_enable_device_flags
+/* here we do not set current_state because !pm_cap */
+ |
+do_pci_enable_device
+ |
+pci_set_power_state
+ |
+__pci_start_power_transition
+ |
+pci_platform_power_transition
+/* platform_pci_power_manageable() calls acpi_pci_power_manageable that
+ * returns true */
+ |
+platform_pci_set_power_state
+/* acpi_pci_set_power_state gets called and does nothing because the
+ * acpi device has _EJ0, see the comment "If the ACPI device has _EJ0,
+ * ignore the device" */
+
+at this point if we refer to the commit message that introduced the
+comment above (10b3dcae0f275e2546e55303d64ddbb58cec7599), it is up to
+the hotplug driver to set the state to D0.
+However AFAICT the pci hotplug driver never does, in fact
+drivers/pci/hotplug/acpiphp_glue.c:register_slot sets the slot flags to
+(SLOT_ENABLED | SLOT_POWEREDON) but it does not set the pci device
+current state to PCI_D0.
+
+So my proposed fix is also to set current_state = PCI_D0 in
+register_slot.
+Comments are very welcome.
+
+Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pci/hotplug/acpiphp_glue.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pci/hotplug/acpiphp_glue.c
++++ b/drivers/pci/hotplug/acpiphp_glue.c
+@@ -211,6 +211,7 @@ register_slot(acpi_handle handle, u32 lv
+
+ pdev = pci_get_slot(pbus, PCI_DEVFN(device, function));
+ if (pdev) {
++ pdev->current_state = PCI_D0;
+ slot->flags |= (SLOT_ENABLED | SLOT_POWEREDON);
+ pci_dev_put(pdev);
+ }
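Review bot: The added `pdev->current_state = PCI_D0;` in register_slot runs for every device that pci_get_slot() returns, not only for the case the message analyses (pm_cap == 0 with _PS0 and _EJ0 declared), and the message itself marks that analysis as tentative. If a device with a PM capability can reach this point in another power state, the cached state would be overwritten without consulting the hardware; this is inferred, since most of register_slot lies outside the hunk. At minimum the line deserves a why-comment, for example `/* acpi_pci_set_power_state() ignores devices with _EJ0, so nobody else records D0 here */`.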
diff --git a/queue-2.6.33/pci-return-correct-value-when-writing-to-the-reset-attribute.patch b/queue-2.6.33/pci-return-correct-value-when-writing-to-the-reset-attribute.patch
new file mode 100644
index 0000000..09aec5c
--- /dev/null
+++ b/queue-2.6.33/pci-return-correct-value-when-writing-to-the-reset-attribute.patch
@@ -0,0 +1,39 @@
+From 447c5dd7338638f526e9bcf7dcf69b4da5835c7d Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt@redhat.com>
+Date: Tue, 11 May 2010 11:44:54 +0200
+Subject: PCI: return correct value when writing to the "reset" attribute
+
+From: Michal Schmidt <mschmidt@redhat.com>
+
+commit 447c5dd7338638f526e9bcf7dcf69b4da5835c7d upstream.
+
+A successful write() to the "reset" sysfs attribute should return the
+number of bytes written, not 0. Otherwise userspace (bash) retries the
+write over and over again.
+
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
+Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pci/pci-sysfs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -966,7 +966,12 @@ static ssize_t reset_store(struct device
+
+ if (val != 1)
+ return -EINVAL;
+- return pci_reset_function(pdev);
++
++ result = pci_reset_function(pdev);
++ if (result < 0)
++ return result;
++
++ return count;
+ }
+
+ static struct device_attribute reset_attr = __ATTR(reset, 0200, NULL, reset_store);
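Review bot: The reason reset_store now returns `count` is recorded only in the commit message, so a one-line comment above the return would keep the next edit from reintroducing the 0 return, for example `/* a store method must return the bytes consumed; returning 0 makes the writer retry */`. `result` is assigned in the new lines but declared outside the hunk, so its type should be checked against the function's `ssize_t` return and the `int` that pci_reset_function() presumably returns.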
diff --git a/queue-2.6.33/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch b/queue-2.6.33/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
new file mode 100644
index 0000000..fb1068e
--- /dev/null
+++ b/queue-2.6.33/prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
@@ -0,0 +1,68 @@
+From da48524eb20662618854bb3df2db01fc65f3070c Mon Sep 17 00:00:00 2001
+From: Julien Tinnes <jln@google.com>
+Date: Fri, 18 Mar 2011 15:05:21 -0700
+Subject: Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
+
+From: Julien Tinnes <jln@google.com>
+
+commit da48524eb20662618854bb3df2db01fc65f3070c upstream.
+
+Userland should be able to trust the pid and uid of the sender of a
+signal if the si_code is SI_TKILL.
+
+Unfortunately, the kernel has historically allowed sigqueueinfo() to
+send any si_code at all (as long as it was negative - to distinguish it
+from kernel-generated signals like SIGILL etc), so it could spoof a
+SI_TKILL with incorrect siginfo values.
+
+Happily, it looks like glibc has always set si_code to the appropriate
+SI_QUEUE, so there are probably no actual user code that ever uses
+anything but the appropriate SI_QUEUE flag.
+
+So just tighten the check for si_code (we used to allow any negative
+value), and add a (one-time) warning in case there are binaries out
+there that might depend on using other si_code values.
+
+Signed-off-by: Julien Tinnes <jln@google.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/signal.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2406,9 +2406,13 @@ SYSCALL_DEFINE3(rt_sigqueueinfo, pid_t,
+ return -EFAULT;
+
+ /* Not even root can pretend to send signals from the kernel.
+- Nor can they impersonate a kill(), which adds source info. */
+- if (info.si_code >= 0)
++ * Nor can they impersonate a kill()/tgkill(), which adds source info.
++ */
++ if (info.si_code != SI_QUEUE) {
++ /* We used to allow any < 0 si_code */
++ WARN_ON_ONCE(info.si_code < 0);
+ return -EPERM;
++ }
+ info.si_signo = sig;
+
+ /* POSIX.1b doesn't mention process groups. */
+@@ -2422,9 +2426,13 @@ long do_rt_tgsigqueueinfo(pid_t tgid, pi
+ return -EINVAL;
+
+ /* Not even root can pretend to send signals from the kernel.
+- Nor can they impersonate a kill(), which adds source info. */
+- if (info->si_code >= 0)
++ * Nor can they impersonate a kill()/tgkill(), which adds source info.
++ */
++ if (info->si_code != SI_QUEUE) {
++ /* We used to allow any < 0 si_code */
++ WARN_ON_ONCE(info->si_code < 0);
+ return -EPERM;
++ }
+ info->si_signo = sig;
+
+ return do_send_specific(tgid, pid, sig, info);
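Review bot: The new test `info.si_code != SI_QUEUE` in rt_sigqueueinfo, and the identical `info->si_code` test in do_rt_tgsigqueueinfo, rejects every negative si_code other than SI_QUEUE. That is wider than the case the message describes, where the codes userland must be able to trust are SI_TKILL and the non-negative kernel-generated ones. User-space code that queues signals with another negative code such as SI_ASYNCIO would presumably start getting -EPERM, and the WARN_ON_ONCE backtrace becomes reachable from an unprivileged syscall argument. A narrower check keeps the protection without the compatibility risk: `if (info.si_code >= 0 || info.si_code == SI_TKILL) return -EPERM;`, with `info->si_code` in the second hunk. Both function bodies start and end outside the hunks.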
diff --git a/queue-2.6.33/revert-intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch b/queue-2.6.33/revert-intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch
new file mode 100644
index 0000000..c33765a
--- /dev/null
+++ b/queue-2.6.33/revert-intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch
@@ -0,0 +1,48 @@
+From 925e5ea1ea2627538fb9444307cc5c23990d670f Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@suse.de>
+Date: Wed, 23 Mar 2011 15:50:39 -0700
+Subject: [PATCH] Revert "intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot hang"
+
+This reverts commit 05f7676dc3559c2b9061fda4e44c085a8d32fb05.
+
+To quote Len Brown:
+ intel_idle was deemed a "feature", and thus not included in
+ 2.6.33.stable, and thus 2.6.33.stable does not need this patch.
+so I'm removing it.
+
+Cc: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pci/quirks.c | 20 --------------------
+ 1 file changed, 20 deletions(-)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -155,26 +155,6 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NE
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NEC, PCI_DEVICE_ID_NEC_CBUS_3, quirk_isa_dma_hangs);
+
+ /*
+- * Intel NM10 "TigerPoint" LPC PM1a_STS.BM_STS must be clear
+- * for some HT machines to use C4 w/o hanging.
+- */
+-static void __devinit quirk_tigerpoint_bm_sts(struct pci_dev *dev)
+-{
+- u32 pmbase;
+- u16 pm1a;
+-
+- pci_read_config_dword(dev, 0x40, &pmbase);
+- pmbase = pmbase & 0xff80;
+- pm1a = inw(pmbase);
+-
+- if (pm1a & 0x10) {
+- dev_info(&dev->dev, FW_BUG "TigerPoint LPC.BM_STS cleared\n");
+- outw(0x10, pmbase);
+- }
+-}
+-DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_TGP_LPC, quirk_tigerpoint_bm_sts);
+-
+-/*
+ * Chipsets where PCI->PCI transfers vanish or hang
+ */
+ static void __devinit quirk_nopcipci(struct pci_dev *dev)
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
index 38e0a89..e46d842 100644
--- a/queue-2.6.33/series
+++ b/queue-2.6.33/series
@@ -8,6 +8,10 @@ x86-binutils-xen-fix-another-wrong-size-directive.patch
hwmon-sht15-fix-integer-overflow-in-humidity-calculation.patch
alsa-hda-via-fix-stereo-mixer-recording-no-sound-issue.patch
alsa-hda-via-add-missing-support-for-vt1718s-in-a-a-path.patch
-ethtool-compat-handling-for-struct-ethtool_rxnfc.patch
aio-wake-all-waiters-when-destroying-ctx.patch
shmem-let-shared-anonymous-be-nonlinear-again.patch
+pci-hotplug-acpiphp-set-current_state-to-d0-in-register_slot.patch
+xen-set-max_pfn_mapped-to-the-last-pfn-mapped.patch
+pci-return-correct-value-when-writing-to-the-reset-attribute.patch
+revert-intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch
+prevent-rt_sigqueueinfo-and-rt_tgsigqueueinfo-from-spoofing-the-signal-code.patch
diff --git a/queue-2.6.33/xen-set-max_pfn_mapped-to-the-last-pfn-mapped.patch b/queue-2.6.33/xen-set-max_pfn_mapped-to-the-last-pfn-mapped.patch
new file mode 100644
index 0000000..c5c69a8
--- /dev/null
+++ b/queue-2.6.33/xen-set-max_pfn_mapped-to-the-last-pfn-mapped.patch
@@ -0,0 +1,62 @@
+From 14988a4d350ce3b41ecad4f63c4f44c56f5ae34d Mon Sep 17 00:00:00 2001
+From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+Date: Fri, 18 Feb 2011 11:32:40 +0000
+Subject: xen: set max_pfn_mapped to the last pfn mapped
+
+From: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+
+commit 14988a4d350ce3b41ecad4f63c4f44c56f5ae34d upstream.
+
+Do not set max_pfn_mapped to the end of the initial memory mappings,
+that also contain pages that don't belong in pfn space (like the mfn
+list).
+
+Set max_pfn_mapped to the last real pfn mapped in the initial memory
+mappings that is the pfn backing _end.
+
+Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
+Acked-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
+LKML-Reference: <alpine.DEB.2.00.1103171739050.3382@kaball-desktop>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/xen/mmu.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/xen/mmu.c
++++ b/arch/x86/xen/mmu.c
+@@ -1658,9 +1658,6 @@ static __init void xen_map_identity_earl
+ for (pteidx = 0; pteidx < PTRS_PER_PTE; pteidx++, pfn++) {
+ pte_t pte;
+
+- if (pfn > max_pfn_mapped)
+- max_pfn_mapped = pfn;
+-
+ if (!pte_none(pte_page[pteidx]))
+ continue;
+
+@@ -1704,6 +1701,12 @@ __init pgd_t *xen_setup_kernel_pagetable
+ pud_t *l3;
+ pmd_t *l2;
+
++ /* max_pfn_mapped is the last pfn mapped in the initial memory
++ * mappings. Considering that on Xen after the kernel mappings we
++ * have the mappings of some pages that don't exist in pfn space, we
++ * set max_pfn_mapped to the last real pfn mapped. */
++ max_pfn_mapped = PFN_DOWN(__pa(xen_start_info->mfn_list));
++
+ /* Zap identity mapping */
+ init_level4_pgt[0] = __pgd(0);
+
+@@ -1767,9 +1770,7 @@ __init pgd_t *xen_setup_kernel_pagetable
+ {
+ pmd_t *kernel_pmd;
+
+- max_pfn_mapped = PFN_DOWN(__pa(xen_start_info->pt_base) +
+- xen_start_info->nr_pt_frames * PAGE_SIZE +
+- 512*1024);
++ max_pfn_mapped = PFN_DOWN(__pa(xen_start_info->mfn_list));
+
+ kernel_pmd = m2v(pgd[KERNEL_PGD_BOUNDARY].pgd);
+ memcpy(level2_kernel_pgt, kernel_pmd, sizeof(pmd_t) * PTRS_PER_PMD);
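Review bot: The comment added in xen_setup_kernel_pagetable says max_pfn_mapped becomes the last real pfn mapped, and the message calls it the pfn backing _end, but the expression is `PFN_DOWN(__pa(xen_start_info->mfn_list))`. The layout assumption that ties the two together is not written down. With the per-pte tracking removed from xen_map_identity_early in the first hunk, the value rests entirely on that assumption. If it is the intended invariant, I would extend the comment along the lines of `/* the mfn list starts right after the last real pfn of Xen's initial mapping; nothing from there on is in pfn space */` and repeat it at the second assignment in the last hunk, which has no comment at all. The function bodies extend beyond the hunks.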