3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Jul 2012 00:15:10 +0000 (17:15 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Jul 2012 00:15:10 +0000 (17:15 -0700)
added patches:
drivers-rtc-rtc-ab8500.c-use-irqf_oneshot-when-requesting-a-threaded-irq.patch
drivers-rtc-rtc-mxc.c-fix-irq-enabled-interrupts-warning.patch
drivers-rtc-rtc-spear.c-fix-use-after-free-in-spear_rtc_remove.patch
fs-ramfs-file-nommu-add-setpageuptodate.patch
memblock-free-allocated-memblock_reserved_regions-later.patch
memory-hotplug-fix-invalid-memory-access-caused-by-stale-kswapd-pointer.patch
mm-thp-abort-compaction-if-migration-page-cannot-be-charged-to-memcg.patch
ocfs2-fix-null-pointer-dereference-in-__ocfs2_change_file_space.patch

queue-3.4/drivers-rtc-rtc-ab8500.c-use-irqf_oneshot-when-requesting-a-threaded-irq.patch [new file with mode: 0644]
queue-3.4/drivers-rtc-rtc-mxc.c-fix-irq-enabled-interrupts-warning.patch [new file with mode: 0644]
queue-3.4/drivers-rtc-rtc-spear.c-fix-use-after-free-in-spear_rtc_remove.patch [new file with mode: 0644]
queue-3.4/fs-ramfs-file-nommu-add-setpageuptodate.patch [new file with mode: 0644]
queue-3.4/memblock-free-allocated-memblock_reserved_regions-later.patch [new file with mode: 0644]
queue-3.4/memory-hotplug-fix-invalid-memory-access-caused-by-stale-kswapd-pointer.patch [new file with mode: 0644]
queue-3.4/mm-thp-abort-compaction-if-migration-page-cannot-be-charged-to-memcg.patch [new file with mode: 0644]
queue-3.4/ocfs2-fix-null-pointer-dereference-in-__ocfs2_change_file_space.patch [new file with mode: 0644]
queue-3.4/series

diff --git a/queue-3.4/drivers-rtc-rtc-ab8500.c-use-irqf_oneshot-when-requesting-a-threaded-irq.patch b/queue-3.4/drivers-rtc-rtc-ab8500.c-use-irqf_oneshot-when-requesting-a-threaded-irq.patch
new file mode 100644 (file)
index 0000000..3e56d52
--- /dev/null
@@ -0,0 +1,33 @@
+From 3cfd16a551dc0c188160e1765168a04baf2d3198 Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee.jones@linaro.org>
+Date: Wed, 11 Jul 2012 14:02:16 -0700
+Subject: drivers/rtc/rtc-ab8500.c: use IRQF_ONESHOT when requesting a threaded IRQ
+
+From: Lee Jones <lee.jones@linaro.org>
+
+commit 3cfd16a551dc0c188160e1765168a04baf2d3198 upstream.
+
+This driver's IRQ registration is failing because the kernel now forces
+IRQs to be ONESHOT if no IRQ handler is passed.
+
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rtc/rtc-ab8500.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-ab8500.c
++++ b/drivers/rtc/rtc-ab8500.c
+@@ -422,7 +422,7 @@ static int __devinit ab8500_rtc_probe(st
+       }
+       err = request_threaded_irq(irq, NULL, rtc_alarm_handler,
+-              IRQF_NO_SUSPEND, "ab8500-rtc", rtc);
++              IRQF_NO_SUSPEND | IRQF_ONESHOT, "ab8500-rtc", rtc);
+       if (err < 0) {
+               rtc_device_unregister(rtc);
+               return err;
diff --git a/queue-3.4/drivers-rtc-rtc-mxc.c-fix-irq-enabled-interrupts-warning.patch b/queue-3.4/drivers-rtc-rtc-mxc.c-fix-irq-enabled-interrupts-warning.patch
new file mode 100644 (file)
index 0000000..bbc08dc
--- /dev/null
@@ -0,0 +1,71 @@
+From b59f6d1febd6cbe9fae4589bf72da0ed32bc69e0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Th=C3=A9baudeau?=
+ <benoit.thebaudeau@advansee.com>
+Date: Wed, 11 Jul 2012 14:02:32 -0700
+Subject: drivers/rtc/rtc-mxc.c: fix irq enabled interrupts warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Beno=C3=AEt=20Th=C3=A9baudeau?=
+
+commit b59f6d1febd6cbe9fae4589bf72da0ed32bc69e0 upstream.
+
+Fixes
+
+  WARNING: at irq/handle.c:146 handle_irq_event_percpu+0x19c/0x1b8()
+  irq 25 handler mxc_rtc_interrupt+0x0/0xac enabled interrupts
+  Modules linked in:
+   (unwind_backtrace+0x0/0xf0) from (warn_slowpath_common+0x4c/0x64)
+   (warn_slowpath_common+0x4c/0x64) from (warn_slowpath_fmt+0x30/0x40)
+   (warn_slowpath_fmt+0x30/0x40) from (handle_irq_event_percpu+0x19c/0x1b8)
+   (handle_irq_event_percpu+0x19c/0x1b8) from (handle_irq_event+0x28/0x38)
+   (handle_irq_event+0x28/0x38) from (handle_level_irq+0x80/0xc4)
+   (handle_level_irq+0x80/0xc4) from (generic_handle_irq+0x24/0x38)
+   (generic_handle_irq+0x24/0x38) from (handle_IRQ+0x30/0x84)
+   (handle_IRQ+0x30/0x84) from (avic_handle_irq+0x2c/0x4c)
+   (avic_handle_irq+0x2c/0x4c) from (__irq_svc+0x40/0x60)
+  Exception stack(0xc050bf60 to 0xc050bfa8)
+  bf60: 00000001 00000000 003c4208 c0018e20 c050a000 c050a000 c054a4c8 c050a000
+  bf80: c05157a8 4117b363 80503bb4 00000000 01000000 c050bfa8 c0018e2c c000e808
+  bfa0: 60000013 ffffffff
+   (__irq_svc+0x40/0x60) from (default_idle+0x1c/0x30)
+   (default_idle+0x1c/0x30) from (cpu_idle+0x68/0xa8)
+   (cpu_idle+0x68/0xa8) from (start_kernel+0x22c/0x26c)
+
+Signed-off-by: Benoît Thébaudeau <benoit.thebaudeau@advansee.com>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Cc: Sascha Hauer <kernel@pengutronix.de>
+Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rtc/rtc-mxc.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/rtc-mxc.c
++++ b/drivers/rtc/rtc-mxc.c
+@@ -202,10 +202,11 @@ static irqreturn_t mxc_rtc_interrupt(int
+       struct platform_device *pdev = dev_id;
+       struct rtc_plat_data *pdata = platform_get_drvdata(pdev);
+       void __iomem *ioaddr = pdata->ioaddr;
++      unsigned long flags;
+       u32 status;
+       u32 events = 0;
+-      spin_lock_irq(&pdata->rtc->irq_lock);
++      spin_lock_irqsave(&pdata->rtc->irq_lock, flags);
+       status = readw(ioaddr + RTC_RTCISR) & readw(ioaddr + RTC_RTCIENR);
+       /* clear interrupt sources */
+       writew(status, ioaddr + RTC_RTCISR);
+@@ -224,7 +225,7 @@ static irqreturn_t mxc_rtc_interrupt(int
+               events |= (RTC_PF | RTC_IRQF);
+       rtc_update_irq(pdata->rtc, 1, events);
+-      spin_unlock_irq(&pdata->rtc->irq_lock);
++      spin_unlock_irqrestore(&pdata->rtc->irq_lock, flags);
+       return IRQ_HANDLED;
+ }
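Review bot: The switch to `spin_lock_irqsave()` in mxc_rtc_interrupt() is not explained in the code, so a later cleanup could turn it back into `spin_lock_irq()` and bring the warning back. A one-line comment above the lock would record the reason, e.g. `/* may be entered with IRQs disabled; do not re-enable them on unlock */`. The two hunks show only part of the handler, so any other path that returns while holding `irq_lock` should be checked for the matching `spin_unlock_irqrestore()`.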
diff --git a/queue-3.4/drivers-rtc-rtc-spear.c-fix-use-after-free-in-spear_rtc_remove.patch b/queue-3.4/drivers-rtc-rtc-spear.c-fix-use-after-free-in-spear_rtc_remove.patch
new file mode 100644 (file)
index 0000000..f2e0fbe
--- /dev/null
@@ -0,0 +1,39 @@
+From 2a643893e50fde71d7ba84b5592ec61b467b9ab6 Mon Sep 17 00:00:00 2001
+From: Devendra Naga <devendra.aaru@gmail.com>
+Date: Wed, 11 Jul 2012 14:01:53 -0700
+Subject: drivers/rtc/rtc-spear.c: fix use-after-free in spear_rtc_remove()
+
+From: Devendra Naga <devendra.aaru@gmail.com>
+
+commit 2a643893e50fde71d7ba84b5592ec61b467b9ab6 upstream.
+
+`config' is freed and is then used in the rtc_device_unregister() call,
+causing a kernel panic.
+
+Signed-off-by: Devendra Naga <devendra.aaru@gmail.com>
+Reviewed-by: Viresh Kumar <viresh.linux@gmail.com>
+Cc: Alessandro Zummo <a.zummo@towertech.it>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/rtc/rtc-spear.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-spear.c
++++ b/drivers/rtc/rtc-spear.c
+@@ -457,12 +457,12 @@ static int __devexit spear_rtc_remove(st
+       clk_disable(config->clk);
+       clk_put(config->clk);
+       iounmap(config->ioaddr);
+-      kfree(config);
+       res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+       if (res)
+               release_mem_region(res->start, resource_size(res));
+       platform_set_drvdata(pdev, NULL);
+       rtc_device_unregister(config->rtc);
++      kfree(config);
+       return 0;
+ }
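Review bot: `rtc_device_unregister(config->rtc)` still runs after `clk_disable()`, `clk_put()` and `iounmap(config->ioaddr)`, so the RTC device stays registered while the resources behind it are already released. Moving `kfree(config)` removes the read of freed memory, but if the driver's rtc ops touch `config->ioaddr` or the clock (not visible in this hunk), a call arriving in that window would access an unmapped region. I would unregister first: move `rtc_device_unregister(config->rtc);` ahead of `clk_disable(config->clk);` and keep `kfree(config);` as the last step. The start of spear_rtc_remove() is outside the hunk, so the earlier teardown steps should be checked for the same ordering.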
diff --git a/queue-3.4/fs-ramfs-file-nommu-add-setpageuptodate.patch b/queue-3.4/fs-ramfs-file-nommu-add-setpageuptodate.patch
new file mode 100644 (file)
index 0000000..f2ea506
--- /dev/null
@@ -0,0 +1,47 @@
+From fea9f718b3d68147f162ed2d870183ce5e0ad8d8 Mon Sep 17 00:00:00 2001
+From: Bob Liu <lliubbo@gmail.com>
+Date: Wed, 11 Jul 2012 14:02:35 -0700
+Subject: fs: ramfs: file-nommu: add SetPageUptodate()
+
+From: Bob Liu <lliubbo@gmail.com>
+
+commit fea9f718b3d68147f162ed2d870183ce5e0ad8d8 upstream.
+
+There is a bug in the below scenario for !CONFIG_MMU:
+
+ 1. create a new file
+ 2. mmap the file and write to it
+ 3. read the file can't get the correct value
+
+Because
+
+  sys_read() -> generic_file_aio_read() -> simple_readpage() -> clear_page()
+
+which causes the page to be zeroed.
+
+Add SetPageUptodate() to ramfs_nommu_expand_for_mapping() so that
+generic_file_aio_read() do not call simple_readpage().
+
+Signed-off-by: Bob Liu <lliubbo@gmail.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: David Howells <dhowells@redhat.com>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: Greg Ungerer <gerg@uclinux.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ramfs/file-nommu.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ramfs/file-nommu.c
++++ b/fs/ramfs/file-nommu.c
+@@ -110,6 +110,7 @@ int ramfs_nommu_expand_for_mapping(struc
+               /* prevent the page from being discarded on memory pressure */
+               SetPageDirty(page);
++              SetPageUptodate(page);
+               unlock_page(page);
+               put_page(page);
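Review bot: `SetPageUptodate(page)` tells the read path that the page contents are valid, so it is only safe if every page reaching this loop has already been zeroed, and that clearing is not visible in this hunk. If a page could get here uncleared, read() would return stale kernel memory instead of zeros. I would make the dependency explicit with a comment above the new line, e.g. `/* pages were cleared above, so they can be exposed to read() as-is */`, after confirming it against the earlier part of ramfs_nommu_expand_for_mapping(), which lies outside the hunk.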
diff --git a/queue-3.4/memblock-free-allocated-memblock_reserved_regions-later.patch b/queue-3.4/memblock-free-allocated-memblock_reserved_regions-later.patch
new file mode 100644 (file)
index 0000000..251ae22
--- /dev/null
@@ -0,0 +1,217 @@
+From 29f6738609e40227dabcc63bfb3b84b3726a75bd Mon Sep 17 00:00:00 2001
+From: Yinghai Lu <yinghai@kernel.org>
+Date: Wed, 11 Jul 2012 14:02:56 -0700
+Subject: memblock: free allocated memblock_reserved_regions later
+
+From: Yinghai Lu <yinghai@kernel.org>
+
+commit 29f6738609e40227dabcc63bfb3b84b3726a75bd upstream.
+
+memblock_free_reserved_regions() calls memblock_free(), but
+memblock_free() would double reserved.regions too, so we could free the
+old range for reserved.regions.
+
+Also tj said there is another bug which could be related to this.
+
+| I don't think we're saving any noticeable
+| amount by doing this "free - give it to page allocator - reserve
+| again" dancing.  We should just allocate regions aligned to page
+| boundaries and free them later when memblock is no longer in use.
+
+in that case, when DEBUG_PAGEALLOC, will get panic:
+
+     memblock_free: [0x0000102febc080-0x0000102febf080] memblock_free_reserved_regions+0x37/0x39
+  BUG: unable to handle kernel paging request at ffff88102febd948
+  IP: [<ffffffff836a5774>] __next_free_mem_range+0x9b/0x155
+  PGD 4826063 PUD cf67a067 PMD cf7fa067 PTE 800000102febd160
+  Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+  CPU 0
+  Pid: 0, comm: swapper Not tainted 3.5.0-rc2-next-20120614-sasha #447
+  RIP: 0010:[<ffffffff836a5774>]  [<ffffffff836a5774>] __next_free_mem_range+0x9b/0x155
+
+See the discussion at https://lkml.org/lkml/2012/6/13/469
+
+So try to allocate with PAGE_SIZE alignment and free it later.
+
+Reported-by: Sasha Levin <levinsasha928@gmail.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Signed-off-by: Yinghai Lu <yinghai@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/memblock.h |    4 ---
+ mm/memblock.c            |   51 +++++++++++++++++++++--------------------------
+ mm/nobootmem.c           |   36 ++++++++++++++++++++-------------
+ 3 files changed, 46 insertions(+), 45 deletions(-)
+
+--- a/include/linux/memblock.h
++++ b/include/linux/memblock.h
+@@ -50,9 +50,7 @@ phys_addr_t memblock_find_in_range_node(
+                               phys_addr_t size, phys_addr_t align, int nid);
+ phys_addr_t memblock_find_in_range(phys_addr_t start, phys_addr_t end,
+                                  phys_addr_t size, phys_addr_t align);
+-int memblock_free_reserved_regions(void);
+-int memblock_reserve_reserved_regions(void);
+-
++phys_addr_t get_allocated_memblock_reserved_regions_info(phys_addr_t *addr);
+ void memblock_allow_resize(void);
+ int memblock_add_node(phys_addr_t base, phys_addr_t size, int nid);
+ int memblock_add(phys_addr_t base, phys_addr_t size);
+--- a/mm/memblock.c
++++ b/mm/memblock.c
+@@ -143,30 +143,6 @@ phys_addr_t __init_memblock memblock_fin
+                                          MAX_NUMNODES);
+ }
+-/*
+- * Free memblock.reserved.regions
+- */
+-int __init_memblock memblock_free_reserved_regions(void)
+-{
+-      if (memblock.reserved.regions == memblock_reserved_init_regions)
+-              return 0;
+-
+-      return memblock_free(__pa(memblock.reserved.regions),
+-               sizeof(struct memblock_region) * memblock.reserved.max);
+-}
+-
+-/*
+- * Reserve memblock.reserved.regions
+- */
+-int __init_memblock memblock_reserve_reserved_regions(void)
+-{
+-      if (memblock.reserved.regions == memblock_reserved_init_regions)
+-              return 0;
+-
+-      return memblock_reserve(__pa(memblock.reserved.regions),
+-               sizeof(struct memblock_region) * memblock.reserved.max);
+-}
+-
+ static void __init_memblock memblock_remove_region(struct memblock_type *type, unsigned long r)
+ {
+       type->total_size -= type->regions[r].size;
+@@ -184,6 +160,18 @@ static void __init_memblock memblock_rem
+       }
+ }
++phys_addr_t __init_memblock get_allocated_memblock_reserved_regions_info(
++                                      phys_addr_t *addr)
++{
++      if (memblock.reserved.regions == memblock_reserved_init_regions)
++              return 0;
++
++      *addr = __pa(memblock.reserved.regions);
++
++      return PAGE_ALIGN(sizeof(struct memblock_region) *
++                        memblock.reserved.max);
++}
++
+ /**
+  * memblock_double_array - double the size of the memblock regions array
+  * @type: memblock type of the regions array being doubled
+@@ -204,6 +192,7 @@ static int __init_memblock memblock_doub
+                                               phys_addr_t new_area_size)
+ {
+       struct memblock_region *new_array, *old_array;
++      phys_addr_t old_alloc_size, new_alloc_size;
+       phys_addr_t old_size, new_size, addr;
+       int use_slab = slab_is_available();
+       int *in_slab;
+@@ -217,6 +206,12 @@ static int __init_memblock memblock_doub
+       /* Calculate new doubled size */
+       old_size = type->max * sizeof(struct memblock_region);
+       new_size = old_size << 1;
++      /*
++       * We need to allocated new one align to PAGE_SIZE,
++       *   so we can free them completely later.
++       */
++      old_alloc_size = PAGE_ALIGN(old_size);
++      new_alloc_size = PAGE_ALIGN(new_size);
+       /* Retrieve the slab flag */
+       if (type == &memblock.memory)
+@@ -245,11 +240,11 @@ static int __init_memblock memblock_doub
+               addr = memblock_find_in_range(new_area_start + new_area_size,
+                                               memblock.current_limit,
+-                                              new_size, sizeof(phys_addr_t));
++                                              new_alloc_size, PAGE_SIZE);
+               if (!addr && new_area_size)
+                       addr = memblock_find_in_range(0,
+                                       min(new_area_start, memblock.current_limit),
+-                                      new_size, sizeof(phys_addr_t));
++                                      new_alloc_size, PAGE_SIZE);
+               new_array = addr ? __va(addr) : 0;
+       }
+@@ -279,13 +274,13 @@ static int __init_memblock memblock_doub
+               kfree(old_array);
+       else if (old_array != memblock_memory_init_regions &&
+                old_array != memblock_reserved_init_regions)
+-              memblock_free(__pa(old_array), old_size);
++              memblock_free(__pa(old_array), old_alloc_size);
+       /* Reserve the new array if that comes from the memblock.
+        * Otherwise, we needn't do it
+        */
+       if (!use_slab)
+-              BUG_ON(memblock_reserve(addr, new_size));
++              BUG_ON(memblock_reserve(addr, new_alloc_size));
+       /* Update slab flag */
+       *in_slab = use_slab;
+--- a/mm/nobootmem.c
++++ b/mm/nobootmem.c
+@@ -105,27 +105,35 @@ static void __init __free_pages_memory(u
+               __free_pages_bootmem(pfn_to_page(i), 0);
+ }
++static unsigned long __init __free_memory_core(phys_addr_t start,
++                               phys_addr_t end)
++{
++      unsigned long start_pfn = PFN_UP(start);
++      unsigned long end_pfn = min_t(unsigned long,
++                                    PFN_DOWN(end), max_low_pfn);
++
++      if (start_pfn > end_pfn)
++              return 0;
++
++      __free_pages_memory(start_pfn, end_pfn);
++
++      return end_pfn - start_pfn;
++}
++
+ unsigned long __init free_low_memory_core_early(int nodeid)
+ {
+       unsigned long count = 0;
+-      phys_addr_t start, end;
++      phys_addr_t start, end, size;
+       u64 i;
+-      /* free reserved array temporarily so that it's treated as free area */
+-      memblock_free_reserved_regions();
++      for_each_free_mem_range(i, MAX_NUMNODES, &start, &end, NULL)
++              count += __free_memory_core(start, end);
+-      for_each_free_mem_range(i, MAX_NUMNODES, &start, &end, NULL) {
+-              unsigned long start_pfn = PFN_UP(start);
+-              unsigned long end_pfn = min_t(unsigned long,
+-                                            PFN_DOWN(end), max_low_pfn);
+-              if (start_pfn < end_pfn) {
+-                      __free_pages_memory(start_pfn, end_pfn);
+-                      count += end_pfn - start_pfn;
+-              }
+-      }
++      /* free range that is used for reserved array if we allocate it */
++      size = get_allocated_memblock_reserved_regions_info(&start);
++      if (size)
++              count += __free_memory_core(start, start + size);
+-      /* put region array back? */
+-      memblock_reserve_reserved_regions();
+       return count;
+ }
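Review bot: In free_low_memory_core_early() the pages backing `memblock.reserved.regions` are handed to the page allocator, but nothing visible here clears or replaces that pointer, so any memblock call made afterwards would walk an array that lives in freed pages. The code depends on memblock no longer being used once this function has run, which the patch neither states in the source nor enforces. I would document that contract on get_allocated_memblock_reserved_regions_info(), e.g. `/* the returned range is freed by the caller; memblock.reserved must not be used afterwards */`, and check which callers can still reach memblock after this point. Separately, `if (start_pfn > end_pfn)` in __free_memory_core() lets an empty range through to __free_pages_memory(), where the old loop required `start_pfn < end_pfn`; `>=` would keep the old behaviour.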
diff --git a/queue-3.4/memory-hotplug-fix-invalid-memory-access-caused-by-stale-kswapd-pointer.patch b/queue-3.4/memory-hotplug-fix-invalid-memory-access-caused-by-stale-kswapd-pointer.patch
new file mode 100644 (file)
index 0000000..00f818d
--- /dev/null
@@ -0,0 +1,109 @@
+From d8adde17e5f858427504725218c56aef90e90fc7 Mon Sep 17 00:00:00 2001
+From: Jiang Liu <jiang.liu@huawei.com>
+Date: Wed, 11 Jul 2012 14:01:52 -0700
+Subject: memory hotplug: fix invalid memory access caused by stale kswapd pointer
+
+From: Jiang Liu <jiang.liu@huawei.com>
+
+commit d8adde17e5f858427504725218c56aef90e90fc7 upstream.
+
+kswapd_stop() is called to destroy the kswapd work thread when all memory
+of a NUMA node has been offlined.  But kswapd_stop() only terminates the
+work thread without resetting NODE_DATA(nid)->kswapd to NULL.  The stale
+pointer will prevent kswapd_run() from creating a new work thread when
+adding memory to the memory-less NUMA node again.  Eventually the stale
+pointer may cause invalid memory access.
+
+An example stack dump as below. It's reproduced with 2.6.32, but latest
+kernel has the same issue.
+
+  BUG: unable to handle kernel NULL pointer dereference at (null)
+  IP: [<ffffffff81051a94>] exit_creds+0x12/0x78
+  PGD 0
+  Oops: 0000 [#1] SMP
+  last sysfs file: /sys/devices/system/memory/memory391/state
+  CPU 11
+  Modules linked in: cpufreq_conservative cpufreq_userspace cpufreq_powersave acpi_cpufreq microcode fuse loop dm_mod tpm_tis rtc_cmos i2c_i801 rtc_core tpm serio_raw pcspkr sg tpm_bios igb i2c_core iTCO_wdt rtc_lib mptctl iTCO_vendor_support button dca bnx2 usbhid hid uhci_hcd ehci_hcd usbcore sd_mod crc_t10dif edd ext3 mbcache jbd fan ide_pci_generic ide_core ata_generic ata_piix libata thermal processor thermal_sys hwmon mptsas mptscsih mptbase scsi_transport_sas scsi_mod
+  Pid: 7949, comm: sh Not tainted 2.6.32.12-qiuxishi-5-default #92 Tecal RH2285
+  RIP: 0010:exit_creds+0x12/0x78
+  RSP: 0018:ffff8806044f1d78  EFLAGS: 00010202
+  RAX: 0000000000000000 RBX: ffff880604f22140 RCX: 0000000000019502
+  RDX: 0000000000000000 RSI: 0000000000000202 RDI: 0000000000000000
+  RBP: ffff880604f22150 R08: 0000000000000000 R09: ffffffff81a4dc10
+  R10: 00000000000032a0 R11: ffff880006202500 R12: 0000000000000000
+  R13: 0000000000c40000 R14: 0000000000008000 R15: 0000000000000001
+  FS:  00007fbc03d066f0(0000) GS:ffff8800282e0000(0000) knlGS:0000000000000000
+  CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+  CR2: 0000000000000000 CR3: 000000060f029000 CR4: 00000000000006e0
+  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+  Process sh (pid: 7949, threadinfo ffff8806044f0000, task ffff880603d7c600)
+  Stack:
+   ffff880604f22140 ffffffff8103aac5 ffff880604f22140 ffffffff8104d21e
+   ffff880006202500 0000000000008000 0000000000c38000 ffffffff810bd5b1
+   0000000000000000 ffff880603d7c600 00000000ffffdd29 0000000000000003
+  Call Trace:
+    __put_task_struct+0x5d/0x97
+    kthread_stop+0x50/0x58
+    offline_pages+0x324/0x3da
+    memory_block_change_state+0x179/0x1db
+    store_mem_state+0x9e/0xbb
+    sysfs_write_file+0xd0/0x107
+    vfs_write+0xad/0x169
+    sys_write+0x45/0x6e
+    system_call_fastpath+0x16/0x1b
+  Code: ff 4d 00 0f 94 c0 84 c0 74 08 48 89 ef e8 1f fd ff ff 5b 5d 31 c0 41 5c c3 53 48 8b 87 20 06 00 00 48 89 fb 48 8b bf 18 06 00 00 <8b> 00 48 c7 83 18 06 00 00 00 00 00 00 f0 ff 0f 0f 94 c0 84 c0
+  RIP  exit_creds+0x12/0x78
+   RSP <ffff8806044f1d78>
+  CR2: 0000000000000000
+
+[akpm@linux-foundation.org: add pglist_data.kswapd locking comments]
+Signed-off-by: Xishi Qiu <qiuxishi@huawei.com>
+Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
+Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Acked-by: Mel Gorman <mgorman@suse.de>
+Acked-by: David Rientjes <rientjes@google.com>
+Reviewed-by: Minchan Kim <minchan@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/mmzone.h |    2 +-
+ mm/vmscan.c            |    7 +++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/include/linux/mmzone.h
++++ b/include/linux/mmzone.h
+@@ -663,7 +663,7 @@ typedef struct pglist_data {
+                                            range, including holes */
+       int node_id;
+       wait_queue_head_t kswapd_wait;
+-      struct task_struct *kswapd;
++      struct task_struct *kswapd;     /* Protected by lock_memory_hotplug() */
+       int kswapd_max_order;
+       enum zone_type classzone_idx;
+ } pg_data_t;
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -3279,14 +3279,17 @@ int kswapd_run(int nid)
+ }
+ /*
+- * Called by memory hotplug when all memory in a node is offlined.
++ * Called by memory hotplug when all memory in a node is offlined.  Caller must
++ * hold lock_memory_hotplug().
+  */
+ void kswapd_stop(int nid)
+ {
+       struct task_struct *kswapd = NODE_DATA(nid)->kswapd;
+-      if (kswapd)
++      if (kswapd) {
+               kthread_stop(kswapd);
++              NODE_DATA(nid)->kswapd = NULL;
++      }
+ }
+ static int __init kswapd_init(void)
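Review bot: `if (kswapd)` in kswapd_stop() treats any non-NULL value as a live task, so the fix relies on kswapd_run() never leaving anything but NULL or a valid task pointer in `NODE_DATA(nid)->kswapd`. kswapd_run() is outside this hunk; if its thread-creation failure path stores the error pointer in that field, this code would pass it to `kthread_stop()`. A guard such as `if (!IS_ERR_OR_NULL(kswapd)) {` would cover that case, or the failure path should reset the field to NULL. The new locking rule is stated only in comments, so callers of kswapd_run() and kswapd_stop() have to be checked by hand for `lock_memory_hotplug()`.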
diff --git a/queue-3.4/mm-thp-abort-compaction-if-migration-page-cannot-be-charged-to-memcg.patch b/queue-3.4/mm-thp-abort-compaction-if-migration-page-cannot-be-charged-to-memcg.patch
new file mode 100644 (file)
index 0000000..a3e265d
--- /dev/null
@@ -0,0 +1,50 @@
+From 4bf2bba3750f10aa9e62e6949bc7e8329990f01b Mon Sep 17 00:00:00 2001
+From: David Rientjes <rientjes@google.com>
+Date: Wed, 11 Jul 2012 14:02:13 -0700
+Subject: mm, thp: abort compaction if migration page cannot be charged to memcg
+
+From: David Rientjes <rientjes@google.com>
+
+commit 4bf2bba3750f10aa9e62e6949bc7e8329990f01b upstream.
+
+If page migration cannot charge the temporary page to the memcg,
+migrate_pages() will return -ENOMEM.  This isn't considered in memory
+compaction however, and the loop continues to iterate over all
+pageblocks trying to isolate and migrate pages.  If a small number of
+very large memcgs happen to be oom, however, these attempts will mostly
+be futile leading to an enormous amout of cpu consumption due to the
+page migration failures.
+
+This patch will short circuit and fail memory compaction if
+migrate_pages() returns -ENOMEM.  COMPACT_PARTIAL is returned in case
+some migrations were successful so that the page allocator will retry.
+
+Signed-off-by: David Rientjes <rientjes@google.com>
+Acked-by: Mel Gorman <mgorman@suse.de>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Kamezawa Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Cc: Rik van Riel <riel@redhat.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/compaction.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/compaction.c
++++ b/mm/compaction.c
+@@ -594,8 +594,11 @@ static int compact_zone(struct zone *zon
+               if (err) {
+                       putback_lru_pages(&cc->migratepages);
+                       cc->nr_migratepages = 0;
++                      if (err == -ENOMEM) {
++                              ret = COMPACT_PARTIAL;
++                              goto out;
++                      }
+               }
+-
+       }
+ out:
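Review bot: The new `-ENOMEM` branch in compact_zone() sets `ret = COMPACT_PARTIAL` whether or not any page was migrated in this run, and the code carries no comment saying why a failure is reported as partial progress. The commit message gives the reason (the page allocator should retry), but a reader of the source sees only the early exit. I would add a comment above `if (err == -ENOMEM) {`, such as `/* memcg charge failed: stop compacting this zone, but let the allocator retry */`. The hunk also drops the blank line before the loop's closing brace, which is unrelated to the fix. compact_zone() starts before and ends after this hunk.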
diff --git a/queue-3.4/ocfs2-fix-null-pointer-dereference-in-__ocfs2_change_file_space.patch b/queue-3.4/ocfs2-fix-null-pointer-dereference-in-__ocfs2_change_file_space.patch
new file mode 100644 (file)
index 0000000..f7b99e6
--- /dev/null
@@ -0,0 +1,40 @@
+From a4e08d001f2e50bb8b3c4eebadcf08e5535f02ee Mon Sep 17 00:00:00 2001
+From: Luis Henriques <luis.henriques@canonical.com>
+Date: Wed, 11 Jul 2012 14:02:10 -0700
+Subject: ocfs2: fix NULL pointer dereference in __ocfs2_change_file_space()
+
+From: Luis Henriques <luis.henriques@canonical.com>
+
+commit a4e08d001f2e50bb8b3c4eebadcf08e5535f02ee upstream.
+
+As ocfs2_fallocate() will invoke __ocfs2_change_file_space() with a NULL
+as the first parameter (file), it may trigger a NULL pointer dereferrence
+due to a missing check.
+
+Addresses http://bugs.launchpad.net/bugs/1006012
+
+Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
+Reported-by: Bret Towe <magnade@gmail.com>
+Tested-by: Bret Towe <magnade@gmail.com>
+Cc: Sunil Mushran <sunil.mushran@oracle.com>
+Acked-by: Joel Becker <jlbec@evilplan.org>
+Acked-by: Mark Fasheh <mfasheh@suse.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ocfs2/file.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -1950,7 +1950,7 @@ static int __ocfs2_change_file_space(str
+       if (ret < 0)
+               mlog_errno(ret);
+-      if (file->f_flags & O_SYNC)
++      if (file && (file->f_flags & O_SYNC))
+               handle->h_sync = 1;
+       ocfs2_commit_trans(osb, handle);
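Review bot: With `file` NULL the `O_SYNC` test is skipped without comment, so on the ocfs2_fallocate() path named in the commit message the transaction is never marked `h_sync`, even if the caller opened the file with O_SYNC. That is a durability gap rather than a crash, and nothing in the code says it is accepted. I would add a comment on the check, e.g. `/* file is NULL when called from ocfs2_fallocate(); O_SYNC is not honoured there */`. Any other use of `file` in __ocfs2_change_file_space() lies outside this hunk and needs the same NULL check.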
index 15df56df264c4e481d0165be13f79adc8f29d291..5d9c2e34d6e13745ad0813bd3b7f7e04857cc2d8 100644 (file)
@@ -177,3 +177,11 @@ drm-i915-rip-out-the-pm_iir-warn.patch
 mm-hold-a-file-reference-in-madvise_remove.patch
 md-raid5-do-not-add-data_offset-before-call-to-is_badblock.patch
 staging-iio-ad7606-re-add-missing-scale-attribute.patch
+memory-hotplug-fix-invalid-memory-access-caused-by-stale-kswapd-pointer.patch
+drivers-rtc-rtc-spear.c-fix-use-after-free-in-spear_rtc_remove.patch
+drivers-rtc-rtc-ab8500.c-use-irqf_oneshot-when-requesting-a-threaded-irq.patch
+drivers-rtc-rtc-mxc.c-fix-irq-enabled-interrupts-warning.patch
+mm-thp-abort-compaction-if-migration-page-cannot-be-charged-to-memcg.patch
+fs-ramfs-file-nommu-add-setpageuptodate.patch
+memblock-free-allocated-memblock_reserved_regions-later.patch
+ocfs2-fix-null-pointer-dereference-in-__ocfs2_change_file_space.patch