From 78d043ad6f764d2deae1a1069bd633765ea7d703 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Wed, 11 Jul 2012 17:15:10 -0700 Subject: [PATCH] 3.4-stable patches added patches: drivers-rtc-rtc-ab8500.c-use-irqf_oneshot-when-requesting-a-threaded-irq.patch drivers-rtc-rtc-mxc.c-fix-irq-enabled-interrupts-warning.patch drivers-rtc-rtc-spear.c-fix-use-after-free-in-spear_rtc_remove.patch fs-ramfs-file-nommu-add-setpageuptodate.patch memblock-free-allocated-memblock_reserved_regions-later.patch memory-hotplug-fix-invalid-memory-access-caused-by-stale-kswapd-pointer.patch mm-thp-abort-compaction-if-migration-page-cannot-be-charged-to-memcg.patch ocfs2-fix-null-pointer-dereference-in-__ocfs2_change_file_space.patch --- ...eshot-when-requesting-a-threaded-irq.patch | 33 +++ ...c-fix-irq-enabled-interrupts-warning.patch | 71 ++++++ ...x-use-after-free-in-spear_rtc_remove.patch | 39 ++++ ...ramfs-file-nommu-add-setpageuptodate.patch | 47 ++++ ...ated-memblock_reserved_regions-later.patch | 217 ++++++++++++++++++ ...ccess-caused-by-stale-kswapd-pointer.patch | 109 +++++++++ ...tion-page-cannot-be-charged-to-memcg.patch | 50 ++++ ...ference-in-__ocfs2_change_file_space.patch | 40 ++++ queue-3.4/series | 8 + 9 files changed, 614 insertions(+) create mode 100644 queue-3.4/drivers-rtc-rtc-ab8500.c-use-irqf_oneshot-when-requesting-a-threaded-irq.patch create mode 100644 queue-3.4/drivers-rtc-rtc-mxc.c-fix-irq-enabled-interrupts-warning.patch create mode 100644 queue-3.4/drivers-rtc-rtc-spear.c-fix-use-after-free-in-spear_rtc_remove.patch create mode 100644 queue-3.4/fs-ramfs-file-nommu-add-setpageuptodate.patch create mode 100644 queue-3.4/memblock-free-allocated-memblock_reserved_regions-later.patch create mode 100644 queue-3.4/memory-hotplug-fix-invalid-memory-access-caused-by-stale-kswapd-pointer.patch create mode 100644 queue-3.4/mm-thp-abort-compaction-if-migration-page-cannot-be-charged-to-memcg.patch create mode 100644 queue-3.4/ocfs2-fix-null-pointer-dereference-in-__ocfs2_change_file_space.patch 
diff --git a/queue-3.4/drivers-rtc-rtc-ab8500.c-use-irqf_oneshot-when-requesting-a-threaded-irq.patch b/queue-3.4/drivers-rtc-rtc-ab8500.c-use-irqf_oneshot-when-requesting-a-threaded-irq.patch
new file mode 100644
index 00000000000..3e56d52812d
--- /dev/null
+++ b/queue-3.4/drivers-rtc-rtc-ab8500.c-use-irqf_oneshot-when-requesting-a-threaded-irq.patch
@@ -0,0 +1,33 @@
+From 3cfd16a551dc0c188160e1765168a04baf2d3198 Mon Sep 17 00:00:00 2001
+From: Lee Jones
+Date: Wed, 11 Jul 2012 14:02:16 -0700
+Subject: drivers/rtc/rtc-ab8500.c: use IRQF_ONESHOT when requesting a threaded IRQ
+
+From: Lee Jones
+
+commit 3cfd16a551dc0c188160e1765168a04baf2d3198 upstream.
+
+This driver's IRQ registration is failing because the kernel now forces
+IRQs to be ONESHOT if no IRQ handler is passed.
+
+Signed-off-by: Lee Jones
+Cc: Alessandro Zummo
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/rtc/rtc-ab8500.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-ab8500.c
++++ b/drivers/rtc/rtc-ab8500.c
+@@ -422,7 +422,7 @@ static int __devinit ab8500_rtc_probe(st
+ }
+
+ err = request_threaded_irq(irq, NULL, rtc_alarm_handler,
+- IRQF_NO_SUSPEND, "ab8500-rtc", rtc);
++ IRQF_NO_SUSPEND | IRQF_ONESHOT, "ab8500-rtc", rtc);
+ if (err < 0) {
+ rtc_device_unregister(rtc);
+ return err;
diff --git a/queue-3.4/drivers-rtc-rtc-mxc.c-fix-irq-enabled-interrupts-warning.patch b/queue-3.4/drivers-rtc-rtc-mxc.c-fix-irq-enabled-interrupts-warning.patch
new file mode 100644
index 00000000000..bbc08dc8a07
--- /dev/null
+++ b/queue-3.4/drivers-rtc-rtc-mxc.c-fix-irq-enabled-interrupts-warning.patch
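Review bot: The flag change at `IRQF_NO_SUSPEND | IRQF_ONESHOT` carries no in-code explanation of why IRQF_ONESHOT is mandatory here; the reason lives only in the commit message. A one-line comment above the request_threaded_irq() call, `/* no primary handler: the IRQ core requires IRQF_ONESHOT for threaded-only handlers */`, would keep the next maintainer from dropping the flag again. The enclosing ab8500_rtc_probe() starts outside the hunk.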
@@ -0,0 +1,71 @@
+From b59f6d1febd6cbe9fae4589bf72da0ed32bc69e0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Th=C3=A9baudeau?=
+
+Date: Wed, 11 Jul 2012 14:02:32 -0700
+Subject: drivers/rtc/rtc-mxc.c: fix irq enabled interrupts warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: =?UTF-8?q?Beno=C3=AEt=20Th=C3=A9baudeau?=
+
+commit b59f6d1febd6cbe9fae4589bf72da0ed32bc69e0 upstream.
+
+Fixes
+
+ WARNING: at irq/handle.c:146 handle_irq_event_percpu+0x19c/0x1b8()
+ irq 25 handler mxc_rtc_interrupt+0x0/0xac enabled interrupts
+ Modules linked in:
+ (unwind_backtrace+0x0/0xf0) from (warn_slowpath_common+0x4c/0x64)
+ (warn_slowpath_common+0x4c/0x64) from (warn_slowpath_fmt+0x30/0x40)
+ (warn_slowpath_fmt+0x30/0x40) from (handle_irq_event_percpu+0x19c/0x1b8)
+ (handle_irq_event_percpu+0x19c/0x1b8) from (handle_irq_event+0x28/0x38)
+ (handle_irq_event+0x28/0x38) from (handle_level_irq+0x80/0xc4)
+ (handle_level_irq+0x80/0xc4) from (generic_handle_irq+0x24/0x38)
+ (generic_handle_irq+0x24/0x38) from (handle_IRQ+0x30/0x84)
+ (handle_IRQ+0x30/0x84) from (avic_handle_irq+0x2c/0x4c)
+ (avic_handle_irq+0x2c/0x4c) from (__irq_svc+0x40/0x60)
+ Exception stack(0xc050bf60 to 0xc050bfa8)
+ bf60: 00000001 00000000 003c4208 c0018e20 c050a000 c050a000 c054a4c8 c050a000
+ bf80: c05157a8 4117b363 80503bb4 00000000 01000000 c050bfa8 c0018e2c c000e808
+ bfa0: 60000013 ffffffff
+ (__irq_svc+0x40/0x60) from (default_idle+0x1c/0x30)
+ (default_idle+0x1c/0x30) from (cpu_idle+0x68/0xa8)
+ (cpu_idle+0x68/0xa8) from (start_kernel+0x22c/0x26c)
+
+Signed-off-by: Benoît Thébaudeau
+Cc: Alessandro Zummo
+Cc: Sascha Hauer
+Acked-by: Uwe Kleine-König
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/rtc/rtc-mxc.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/rtc/rtc-mxc.c
++++ b/drivers/rtc/rtc-mxc.c
+@@ -202,10 +202,11 @@ static irqreturn_t mxc_rtc_interrupt(int
+ struct platform_device *pdev = dev_id;
+ struct rtc_plat_data *pdata = platform_get_drvdata(pdev);
+ void __iomem *ioaddr = pdata->ioaddr;
++ unsigned long flags;
+ u32 status;
+ u32 events = 0;
+
+- spin_lock_irq(&pdata->rtc->irq_lock);
++ spin_lock_irqsave(&pdata->rtc->irq_lock, flags);
+ status = readw(ioaddr + RTC_RTCISR) & readw(ioaddr + RTC_RTCIENR);
+ /* clear interrupt sources */
+ writew(status, ioaddr + RTC_RTCISR);
+@@ -224,7 +225,7 @@ static irqreturn_t mxc_rtc_interrupt(int
+ events |= (RTC_PF | RTC_IRQF);
+
+ rtc_update_irq(pdata->rtc, 1, events);
+- spin_unlock_irq(&pdata->rtc->irq_lock);
++ spin_unlock_irqrestore(&pdata->rtc->irq_lock, flags);
+
+ return IRQ_HANDLED;
+ }
diff --git a/queue-3.4/drivers-rtc-rtc-spear.c-fix-use-after-free-in-spear_rtc_remove.patch b/queue-3.4/drivers-rtc-rtc-spear.c-fix-use-after-free-in-spear_rtc_remove.patch
new file mode 100644
index 00000000000..f2e0fbe1333
--- /dev/null
+++ b/queue-3.4/drivers-rtc-rtc-spear.c-fix-use-after-free-in-spear_rtc_remove.patch
@@ -0,0 +1,39 @@
+From 2a643893e50fde71d7ba84b5592ec61b467b9ab6 Mon Sep 17 00:00:00 2001
+From: Devendra Naga
+Date: Wed, 11 Jul 2012 14:01:53 -0700
+Subject: drivers/rtc/rtc-spear.c: fix use-after-free in spear_rtc_remove()
+
+From: Devendra Naga
+
+commit 2a643893e50fde71d7ba84b5592ec61b467b9ab6 upstream.
+
+`config' is freed and is then used in the rtc_device_unregister() call,
+causing a kernel panic.
+
+Signed-off-by: Devendra Naga
+Reviewed-by: Viresh Kumar
+Cc: Alessandro Zummo
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/rtc/rtc-spear.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/rtc/rtc-spear.c
++++ b/drivers/rtc/rtc-spear.c
+@@ -457,12 +457,12 @@ static int __devexit spear_rtc_remove(st
+ clk_disable(config->clk);
+ clk_put(config->clk);
+ iounmap(config->ioaddr);
+- kfree(config);
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ if (res)
+ release_mem_region(res->start, resource_size(res));
+ platform_set_drvdata(pdev, NULL);
+ rtc_device_unregister(config->rtc);
++ kfree(config);
+
+ return 0;
+ }
diff --git a/queue-3.4/fs-ramfs-file-nommu-add-setpageuptodate.patch b/queue-3.4/fs-ramfs-file-nommu-add-setpageuptodate.patch
new file mode 100644
index 00000000000..f2ea5066be2
--- /dev/null
+++ b/queue-3.4/fs-ramfs-file-nommu-add-setpageuptodate.patch
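Review bot: Moving kfree(config) below rtc_device_unregister() removes the reported use-after-free, but the teardown order still unmaps and powers down the hardware (`iounmap(config->ioaddr);`, `clk_disable(config->clk);`) while the RTC device is still registered, so an RTC operation dispatched through the still-registered device in that window would presumably touch the unmapped mapping. Making `rtc_device_unregister(config->rtc);` the first teardown step, before the clock and mapping are released, would close that window as well. The enclosing spear_rtc_remove() starts outside the hunk.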
@@ -0,0 +1,47 @@
+From fea9f718b3d68147f162ed2d870183ce5e0ad8d8 Mon Sep 17 00:00:00 2001
+From: Bob Liu
+Date: Wed, 11 Jul 2012 14:02:35 -0700
+Subject: fs: ramfs: file-nommu: add SetPageUptodate()
+
+From: Bob Liu
+
+commit fea9f718b3d68147f162ed2d870183ce5e0ad8d8 upstream.
+
+There is a bug in the below scenario for !CONFIG_MMU:
+
+ 1. create a new file
+ 2. mmap the file and write to it
+ 3. read the file can't get the correct value
+
+Because
+
+ sys_read() -> generic_file_aio_read() -> simple_readpage() -> clear_page()
+
+which causes the page to be zeroed.
+
+Add SetPageUptodate() to ramfs_nommu_expand_for_mapping() so that
+generic_file_aio_read() do not call simple_readpage().
+
+Signed-off-by: Bob Liu
+Cc: Hugh Dickins
+Cc: David Howells
+Cc: Geert Uytterhoeven
+Cc: Greg Ungerer
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ramfs/file-nommu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/ramfs/file-nommu.c
++++ b/fs/ramfs/file-nommu.c
+@@ -110,6 +110,7 @@ int ramfs_nommu_expand_for_mapping(struc
+
+ /* prevent the page from being discarded on memory pressure */
+ SetPageDirty(page);
++ SetPageUptodate(page);
+
+ unlock_page(page);
+ put_page(page);
diff --git a/queue-3.4/memblock-free-allocated-memblock_reserved_regions-later.patch b/queue-3.4/memblock-free-allocated-memblock_reserved_regions-later.patch
new file mode 100644
index 00000000000..251ae224c02
--- /dev/null
+++ b/queue-3.4/memblock-free-allocated-memblock_reserved_regions-later.patch
@@ -0,0 +1,217 @@
+From 29f6738609e40227dabcc63bfb3b84b3726a75bd Mon Sep 17 00:00:00 2001
+From: Yinghai Lu
+Date: Wed, 11 Jul 2012 14:02:56 -0700
+Subject: memblock: free allocated memblock_reserved_regions later
+
+From: Yinghai Lu
+
+commit 29f6738609e40227dabcc63bfb3b84b3726a75bd upstream.
+
+memblock_free_reserved_regions() calls memblock_free(), but
+memblock_free() would double reserved.regions too, so we could free the
+old range for reserved.regions.
+
+Also tj said there is another bug which could be related to this.
+
+| I don't think we're saving any noticeable
+| amount by doing this "free - give it to page allocator - reserve
+| again" dancing. We should just allocate regions aligned to page
+| boundaries and free them later when memblock is no longer in use.
+
+in that case, when DEBUG_PAGEALLOC, will get panic:
+
+ memblock_free: [0x0000102febc080-0x0000102febf080] memblock_free_reserved_regions+0x37/0x39
+ BUG: unable to handle kernel paging request at ffff88102febd948
+ IP: [] __next_free_mem_range+0x9b/0x155
+ PGD 4826063 PUD cf67a067 PMD cf7fa067 PTE 800000102febd160
+ Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+ CPU 0
+ Pid: 0, comm: swapper Not tainted 3.5.0-rc2-next-20120614-sasha #447
+ RIP: 0010:[] [] __next_free_mem_range+0x9b/0x155
+
+See the discussion at https://lkml.org/lkml/2012/6/13/469
+
+So try to allocate with PAGE_SIZE alignment and free it later.
+
+Reported-by: Sasha Levin
+Acked-by: Tejun Heo
+Cc: Benjamin Herrenschmidt
+Signed-off-by: Yinghai Lu
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/memblock.h | 4 ---
+ mm/memblock.c | 51 +++++++++++++++++++++--------------------
+ mm/nobootmem.c | 36 ++++++++++++++++++++-------------
+ 3 files changed, 46 insertions(+), 45 deletions(-)
+
+--- a/include/linux/memblock.h
++++ b/include/linux/memblock.h
+@@ -50,9 +50,7 @@ phys_addr_t memblock_find_in_range_node(
+ phys_addr_t size, phys_addr_t align, int nid);
+ phys_addr_t memblock_find_in_range(phys_addr_t start, phys_addr_t end,
+ phys_addr_t size, phys_addr_t align);
+-int memblock_free_reserved_regions(void);
+-int memblock_reserve_reserved_regions(void);
+-
++phys_addr_t get_allocated_memblock_reserved_regions_info(phys_addr_t *addr);
+ void memblock_allow_resize(void);
+ int memblock_add_node(phys_addr_t base, phys_addr_t size, int nid);
+ int memblock_add(phys_addr_t base, phys_addr_t size);
+--- a/mm/memblock.c
++++ b/mm/memblock.c
+@@ -143,30 +143,6 @@ phys_addr_t __init_memblock memblock_fin
+ MAX_NUMNODES);
+ }
+
+-/*
+- * Free memblock.reserved.regions
+- */
+-int __init_memblock memblock_free_reserved_regions(void)
+-{
+- if (memblock.reserved.regions == memblock_reserved_init_regions)
+- return 0;
+-
+- return memblock_free(__pa(memblock.reserved.regions),
+- sizeof(struct memblock_region) * memblock.reserved.max);
+-}
+-
+-/*
+- * Reserve memblock.reserved.regions
+- */
+-int __init_memblock memblock_reserve_reserved_regions(void)
+-{
+- if (memblock.reserved.regions == memblock_reserved_init_regions)
+- return 0;
+-
+- return memblock_reserve(__pa(memblock.reserved.regions),
+- sizeof(struct memblock_region) * memblock.reserved.max);
+-}
+-
+ static void __init_memblock memblock_remove_region(struct memblock_type *type, unsigned long r)
+ {
+ type->total_size -= type->regions[r].size;
+@@ -184,6 +160,18 @@ static void __init_memblock memblock_rem
+ }
+ }
+
++phys_addr_t __init_memblock get_allocated_memblock_reserved_regions_info(
++ phys_addr_t *addr)
++{
++ if (memblock.reserved.regions == memblock_reserved_init_regions)
++ return 0;
++
++ *addr = __pa(memblock.reserved.regions);
++
++ return PAGE_ALIGN(sizeof(struct memblock_region) *
++ memblock.reserved.max);
++}
++
+ /**
+ * memblock_double_array - double the size of the memblock regions array
+ * @type: memblock type of the regions array being doubled
+@@ -204,6 +192,7 @@ static int __init_memblock memblock_doub
+ phys_addr_t new_area_size)
+ {
+ struct memblock_region *new_array, *old_array;
++ phys_addr_t old_alloc_size, new_alloc_size;
+ phys_addr_t old_size, new_size, addr;
+ int use_slab = slab_is_available();
+ int *in_slab;
+@@ -217,6 +206,12 @@ static int __init_memblock memblock_doub
+ /* Calculate new doubled size */
+ old_size = type->max * sizeof(struct memblock_region);
+ new_size = old_size << 1;
++ /*
++ * We need to allocated new one align to PAGE_SIZE,
++ * so we can free them completely later.
++ */
++ old_alloc_size = PAGE_ALIGN(old_size);
++ new_alloc_size = PAGE_ALIGN(new_size);
+
+ /* Retrieve the slab flag */
+ if (type == &memblock.memory)
+@@ -245,11 +240,11 @@ static int __init_memblock memblock_doub
+
+ addr = memblock_find_in_range(new_area_start + new_area_size,
+ memblock.current_limit,
+- new_size, sizeof(phys_addr_t));
++ new_alloc_size, PAGE_SIZE);
+ if (!addr && new_area_size)
+ addr = memblock_find_in_range(0,
+ min(new_area_start, memblock.current_limit),
+- new_size, sizeof(phys_addr_t));
++ new_alloc_size, PAGE_SIZE);
+
+ new_array = addr ? __va(addr) : 0;
+ }
+@@ -279,13 +274,13 @@ static int __init_memblock memblock_doub
+ kfree(old_array);
+ else if (old_array != memblock_memory_init_regions &&
+ old_array != memblock_reserved_init_regions)
+- memblock_free(__pa(old_array), old_size);
++ memblock_free(__pa(old_array), old_alloc_size);
+
+ /* Reserve the new array if that comes from the memblock.
+ * Otherwise, we needn't do it
+ */
+ if (!use_slab)
+- BUG_ON(memblock_reserve(addr, new_size));
++ BUG_ON(memblock_reserve(addr, new_alloc_size));
+
+ /* Update slab flag */
+ *in_slab = use_slab;
+--- a/mm/nobootmem.c
++++ b/mm/nobootmem.c
+@@ -105,27 +105,35 @@ static void __init __free_pages_memory(u
+ __free_pages_bootmem(pfn_to_page(i), 0);
+ }
+
++static unsigned long __init __free_memory_core(phys_addr_t start,
++ phys_addr_t end)
++{
++ unsigned long start_pfn = PFN_UP(start);
++ unsigned long end_pfn = min_t(unsigned long,
++ PFN_DOWN(end), max_low_pfn);
++
++ if (start_pfn > end_pfn)
++ return 0;
++
++ __free_pages_memory(start_pfn, end_pfn);
++
++ return end_pfn - start_pfn;
++}
++
+ unsigned long __init free_low_memory_core_early(int nodeid)
+ {
+ unsigned long count = 0;
+- phys_addr_t start, end;
++ phys_addr_t start, end, size;
+ u64 i;
+
+- /* free reserved array temporarily so that it's treated as free area */
+- memblock_free_reserved_regions();
++ for_each_free_mem_range(i, MAX_NUMNODES, &start, &end, NULL)
++ count += __free_memory_core(start, end);
+
+- for_each_free_mem_range(i, MAX_NUMNODES, &start, &end, NULL) {
+- unsigned long start_pfn = PFN_UP(start);
+- unsigned long end_pfn = min_t(unsigned long,
+- PFN_DOWN(end), max_low_pfn);
+- if (start_pfn < end_pfn) {
+- __free_pages_memory(start_pfn, end_pfn);
+- count += end_pfn - start_pfn;
+- }
+- }
++ /* free range that is used for reserved array if we allocate it */
++ size = get_allocated_memblock_reserved_regions_info(&start);
++ if (size)
++ count += __free_memory_core(start, start + size);
+
+- /* put region array back? */
+- memblock_reserve_reserved_regions();
+ return count;
+ }
+
diff --git a/queue-3.4/memory-hotplug-fix-invalid-memory-access-caused-by-stale-kswapd-pointer.patch b/queue-3.4/memory-hotplug-fix-invalid-memory-access-caused-by-stale-kswapd-pointer.patch
new file mode 100644
index 00000000000..00f818dbf4c
--- /dev/null
+++ b/queue-3.4/memory-hotplug-fix-invalid-memory-access-caused-by-stale-kswapd-pointer.patch
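Review bot: The new helper `__free_memory_core()` in mm/nobootmem.c changes the empty-range behaviour: its guard `if (start_pfn > end_pfn) return 0;` lets start_pfn == end_pfn fall through to __free_pages_memory(), whereas the loop it replaces only freed when `start_pfn < end_pfn`. Writing the guard as `if (start_pfn >= end_pfn) return 0;` keeps the old behaviour and avoids calling __free_pages_memory() on an empty range; the returned count is 0 either way. Separately, `get_allocated_memblock_reserved_regions_info()` leaves *addr untouched when it returns 0, which the caller relies on through `if (size)`; that contract belongs in a kernel-doc comment on the new function in memblock.c and on its declaration in memblock.h. The added comment in memblock_double_array, `We need to allocated new one align to PAGE_SIZE`, would read better as `Allocate the new array PAGE_SIZE-aligned so it can be freed completely later`.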
@@ -0,0 +1,109 @@
+From d8adde17e5f858427504725218c56aef90e90fc7 Mon Sep 17 00:00:00 2001
+From: Jiang Liu
+Date: Wed, 11 Jul 2012 14:01:52 -0700
+Subject: memory hotplug: fix invalid memory access caused by stale kswapd pointer
+
+From: Jiang Liu
+
+commit d8adde17e5f858427504725218c56aef90e90fc7 upstream.
+
+kswapd_stop() is called to destroy the kswapd work thread when all memory
+of a NUMA node has been offlined. But kswapd_stop() only terminates the
+work thread without resetting NODE_DATA(nid)->kswapd to NULL. The stale
+pointer will prevent kswapd_run() from creating a new work thread when
+adding memory to the memory-less NUMA node again. Eventually the stale
+pointer may cause invalid memory access.
+
+An example stack dump as below. It's reproduced with 2.6.32, but latest
+kernel has the same issue.
+
+ BUG: unable to handle kernel NULL pointer dereference at (null)
+ IP: [] exit_creds+0x12/0x78
+ PGD 0
+ Oops: 0000 [#1] SMP
+ last sysfs file: /sys/devices/system/memory/memory391/state
+ CPU 11
+ Modules linked in: cpufreq_conservative cpufreq_userspace cpufreq_powersave acpi_cpufreq microcode fuse loop dm_mod tpm_tis rtc_cmos i2c_i801 rtc_core tpm serio_raw pcspkr sg tpm_bios igb i2c_core iTCO_wdt rtc_lib mptctl iTCO_vendor_support button dca bnx2 usbhid hid uhci_hcd ehci_hcd usbcore sd_mod crc_t10dif edd ext3 mbcache jbd fan ide_pci_generic ide_core ata_generic ata_piix libata thermal processor thermal_sys hwmon mptsas mptscsih mptbase scsi_transport_sas scsi_mod
+ Pid: 7949, comm: sh Not tainted 2.6.32.12-qiuxishi-5-default #92 Tecal RH2285
+ RIP: 0010:exit_creds+0x12/0x78
+ RSP: 0018:ffff8806044f1d78 EFLAGS: 00010202
+ RAX: 0000000000000000 RBX: ffff880604f22140 RCX: 0000000000019502
+ RDX: 0000000000000000 RSI: 0000000000000202 RDI: 0000000000000000
+ RBP: ffff880604f22150 R08: 0000000000000000 R09: ffffffff81a4dc10
+ R10: 00000000000032a0 R11: ffff880006202500 R12: 0000000000000000
+ R13: 0000000000c40000 R14: 0000000000008000 R15: 0000000000000001
+ FS: 00007fbc03d066f0(0000) GS:ffff8800282e0000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ CR2: 0000000000000000 CR3: 000000060f029000 CR4: 00000000000006e0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ Process sh (pid: 7949, threadinfo ffff8806044f0000, task ffff880603d7c600)
+ Stack:
+ ffff880604f22140 ffffffff8103aac5 ffff880604f22140 ffffffff8104d21e
+ ffff880006202500 0000000000008000 0000000000c38000 ffffffff810bd5b1
+ 0000000000000000 ffff880603d7c600 00000000ffffdd29 0000000000000003
+ Call Trace:
+ __put_task_struct+0x5d/0x97
+ kthread_stop+0x50/0x58
+ offline_pages+0x324/0x3da
+ memory_block_change_state+0x179/0x1db
+ store_mem_state+0x9e/0xbb
+ sysfs_write_file+0xd0/0x107
+ vfs_write+0xad/0x169
+ sys_write+0x45/0x6e
+ system_call_fastpath+0x16/0x1b
+ Code: ff 4d 00 0f 94 c0 84 c0 74 08 48 89 ef e8 1f fd ff ff 5b 5d 31 c0 41 5c c3 53 48 8b 87 20 06 00 00 48 89 fb 48 8b bf 18 06 00 00 <8b> 00 48 c7 83 18 06 00 00 00 00 00 00 f0 ff 0f 0f 94 c0 84 c0
+ RIP exit_creds+0x12/0x78
+ RSP
+ CR2: 0000000000000000
+
+[akpm@linux-foundation.org: add pglist_data.kswapd locking comments]
+Signed-off-by: Xishi Qiu
+Signed-off-by: Jiang Liu
+Acked-by: KAMEZAWA Hiroyuki
+Acked-by: KOSAKI Motohiro
+Acked-by: Mel Gorman
+Acked-by: David Rientjes
+Reviewed-by: Minchan Kim
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/mmzone.h | 2 +-
+ mm/vmscan.c | 7 +++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/include/linux/mmzone.h
++++ b/include/linux/mmzone.h
+@@ -663,7 +663,7 @@ typedef struct pglist_data {
+ range, including holes */
+ int node_id;
+ wait_queue_head_t kswapd_wait;
+- struct task_struct *kswapd;
++ struct task_struct *kswapd; /* Protected by lock_memory_hotplug() */
+ int kswapd_max_order;
+ enum zone_type classzone_idx;
+ } pg_data_t;
+--- a/mm/vmscan.c
++++ b/mm/vmscan.c
+@@ -3279,14 +3279,17 @@ int kswapd_run(int nid)
+ }
+
+ /*
+- * Called by memory hotplug when all memory in a node is offlined.
++ * Called by memory hotplug when all memory in a node is offlined. Caller must
++ * hold lock_memory_hotplug().
+ */
+ void kswapd_stop(int nid)
+ {
+ struct task_struct *kswapd = NODE_DATA(nid)->kswapd;
+
+- if (kswapd)
++ if (kswapd) {
+ kthread_stop(kswapd);
++ NODE_DATA(nid)->kswapd = NULL;
++ }
+ }
+
+ static int __init kswapd_init(void)
diff --git a/queue-3.4/mm-thp-abort-compaction-if-migration-page-cannot-be-charged-to-memcg.patch b/queue-3.4/mm-thp-abort-compaction-if-migration-page-cannot-be-charged-to-memcg.patch
new file mode 100644
index 00000000000..a3e265de1eb
--- /dev/null
+++ b/queue-3.4/mm-thp-abort-compaction-if-migration-page-cannot-be-charged-to-memcg.patch
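Review bot: The new field comment `/* Protected by lock_memory_hotplug() */` in mmzone.h and the updated kswapd_stop() header document the locking rule for the stop side only; kswapd_run(), whose closing brace is the first context line of the vmscan.c hunk, is the other writer of NODE_DATA(nid)->kswapd and its own comment is not touched by this patch. If kswapd_run() is likewise only reached under lock_memory_hotplug(), adding `Caller must hold lock_memory_hotplug().` to its header comment would make the field's stated protection checkable from both writers. The body of kswapd_run() lies outside the hunk, so this cannot be confirmed from here.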
@@ -0,0 +1,50 @@
+From 4bf2bba3750f10aa9e62e6949bc7e8329990f01b Mon Sep 17 00:00:00 2001
+From: David Rientjes
+Date: Wed, 11 Jul 2012 14:02:13 -0700
+Subject: mm, thp: abort compaction if migration page cannot be charged to memcg
+
+From: David Rientjes
+
+commit 4bf2bba3750f10aa9e62e6949bc7e8329990f01b upstream.
+
+If page migration cannot charge the temporary page to the memcg,
+migrate_pages() will return -ENOMEM. This isn't considered in memory
+compaction however, and the loop continues to iterate over all
+pageblocks trying to isolate and migrate pages. If a small number of
+very large memcgs happen to be oom, however, these attempts will mostly
+be futile leading to an enormous amout of cpu consumption due to the
+page migration failures.
+
+This patch will short circuit and fail memory compaction if
+migrate_pages() returns -ENOMEM. COMPACT_PARTIAL is returned in case
+some migrations were successful so that the page allocator will retry.
+
+Signed-off-by: David Rientjes
+Acked-by: Mel Gorman
+Cc: Minchan Kim
+Cc: Kamezawa Hiroyuki
+Cc: Rik van Riel
+Cc: Andrea Arcangeli
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/compaction.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/mm/compaction.c
++++ b/mm/compaction.c
+@@ -594,8 +594,11 @@ static int compact_zone(struct zone *zon
+ if (err) {
+ putback_lru_pages(&cc->migratepages);
+ cc->nr_migratepages = 0;
++ if (err == -ENOMEM) {
++ ret = COMPACT_PARTIAL;
++ goto out;
++ }
+ }
+-
+ }
+
+ out:
diff --git a/queue-3.4/ocfs2-fix-null-pointer-dereference-in-__ocfs2_change_file_space.patch b/queue-3.4/ocfs2-fix-null-pointer-dereference-in-__ocfs2_change_file_space.patch
new file mode 100644
index 00000000000..f7b99e6295b
--- /dev/null
+++ b/queue-3.4/ocfs2-fix-null-pointer-dereference-in-__ocfs2_change_file_space.patch
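Review bot: The new `if (err == -ENOMEM)` branch in compact_zone() has no comment, so why -ENOMEM is singled out and why COMPACT_PARTIAL rather than a failure status is returned can only be recovered from the commit message. A short comment above the branch, such as `/* -ENOMEM: memcg charge of the migration page failed; further pageblocks will fail the same way, so stop and let the allocator retry */`, would record that in the code next to the decision. The enclosing compact_zone() begins and ends outside the hunk.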
@@ -0,0 +1,40 @@
+From a4e08d001f2e50bb8b3c4eebadcf08e5535f02ee Mon Sep 17 00:00:00 2001
+From: Luis Henriques
+Date: Wed, 11 Jul 2012 14:02:10 -0700
+Subject: ocfs2: fix NULL pointer dereference in __ocfs2_change_file_space()
+
+From: Luis Henriques
+
+commit a4e08d001f2e50bb8b3c4eebadcf08e5535f02ee upstream.
+
+As ocfs2_fallocate() will invoke __ocfs2_change_file_space() with a NULL
+as the first parameter (file), it may trigger a NULL pointer dereferrence
+due to a missing check.
+
+Addresses http://bugs.launchpad.net/bugs/1006012
+
+Signed-off-by: Luis Henriques
+Reported-by: Bret Towe
+Tested-by: Bret Towe
+Cc: Sunil Mushran
+Acked-by: Joel Becker
+Acked-by: Mark Fasheh
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ocfs2/file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ocfs2/file.c
++++ b/fs/ocfs2/file.c
+@@ -1950,7 +1950,7 @@ static int __ocfs2_change_file_space(str
+ if (ret < 0)
+ mlog_errno(ret);
+
+- if (file->f_flags & O_SYNC)
++ if (file && (file->f_flags & O_SYNC))
+ handle->h_sync = 1;
+
+ ocfs2_commit_trans(osb, handle);
diff --git a/queue-3.4/series b/queue-3.4/series
index 15df56df264..5d9c2e34d6e 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
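Review bot: The added `file &&` guard fixes the dereference at this one site, but the function-level contract that file may be NULL (when reached from ocfs2_fallocate(), per the commit message) is not recorded in the code, and the rest of __ocfs2_change_file_space() lies outside the hunk, so whether any other use of `file` in it needs the same guard cannot be checked from this view. A line in the function's header comment, `@file may be NULL when called via ocfs2_fallocate(); every use must be guarded`, would make the contract explicit and give reviewers a fixed point for auditing the remaining uses. The enclosing function starts outside the hunk.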
@@ -177,3 +177,11 @@ drm-i915-rip-out-the-pm_iir-warn.patch
 mm-hold-a-file-reference-in-madvise_remove.patch
 md-raid5-do-not-add-data_offset-before-call-to-is_badblock.patch
 staging-iio-ad7606-re-add-missing-scale-attribute.patch
+memory-hotplug-fix-invalid-memory-access-caused-by-stale-kswapd-pointer.patch
+drivers-rtc-rtc-spear.c-fix-use-after-free-in-spear_rtc_remove.patch
+drivers-rtc-rtc-ab8500.c-use-irqf_oneshot-when-requesting-a-threaded-irq.patch
+drivers-rtc-rtc-mxc.c-fix-irq-enabled-interrupts-warning.patch
+mm-thp-abort-compaction-if-migration-page-cannot-be-charged-to-memcg.patch
+fs-ramfs-file-nommu-add-setpageuptodate.patch
+memblock-free-allocated-memblock_reserved_regions-later.patch
+ocfs2-fix-null-pointer-dereference-in-__ocfs2_change_file_space.patch
-- 
2.47.3