From c02eb9fd663ea183633d6a59d88e3369b03a7e9f Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 10 Jul 2012 12:05:45 -0700
Subject: [PATCH] 3.4-stable patches

added patches:
	mm-fix-slab-page-_count-corruption-when-using-slub.patch
---
 ...ge-_count-corruption-when-using-slub.patch | 52 +++++++++++++++++++
 queue-3.4/series                              |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 queue-3.4/mm-fix-slab-page-_count-corruption-when-using-slub.patch

diff --git a/queue-3.4/mm-fix-slab-page-_count-corruption-when-using-slub.patch b/queue-3.4/mm-fix-slab-page-_count-corruption-when-using-slub.patch
new file mode 100644
index 00000000000..596ac68b788
--- /dev/null
+++ b/queue-3.4/mm-fix-slab-page-_count-corruption-when-using-slub.patch
@@ -0,0 +1,52 @@
+From abca7c4965845924f65d40e0aa1092bdd895e314 Mon Sep 17 00:00:00 2001
+From: Pravin B Shelar <pshelar@nicira.com>
+Date: Wed, 20 Jun 2012 12:52:56 -0700
+Subject: mm: fix slab->page _count corruption when using slub
+
+From: Pravin B Shelar <pshelar@nicira.com>
+
+commit abca7c4965845924f65d40e0aa1092bdd895e314 upstream.
+
+On arches that do not support this_cpu_cmpxchg_double() slab_lock is used
+to do atomic cmpxchg() on double word which contains page->_count.  The
+page count can be changed from get_page() or put_page() without taking
+slab_lock.  That corrupts page counter.
+
+Fix it by moving page->_count out of cmpxchg_double data.  So that slub
+does no change it while updating slub meta-data in struct page.
+
+[akpm@linux-foundation.org: use standard comment layout, tweak comment text]
+Reported-by: Amey Bhide <abhide@nicira.com>
+Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
+Acked-by: Christoph Lameter <cl@linux.com>
+Cc: Pekka Enberg <penberg@cs.helsinki.fi>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/mm_types.h |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/include/linux/mm_types.h
++++ b/include/linux/mm_types.h
+@@ -56,8 +56,18 @@ struct page {
+ 		};
+ 
+ 		union {
++#if defined(CONFIG_HAVE_CMPXCHG_DOUBLE) && \
++	defined(CONFIG_HAVE_ALIGNED_STRUCT_PAGE)
+ 			/* Used for cmpxchg_double in slub */
+ 			unsigned long counters;
++#else
++			/*
++			 * Keep _count separate from slub cmpxchg_double data.
++			 * As the rest of the double word is protected by
++			 * slab_lock but _count is not.
++			 */
++			unsigned counters;
++#endif
+ 
+ 			struct {
+ 
diff --git a/queue-3.4/series b/queue-3.4/series
index a569e4d6760..9494530b58e 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -39,3 +39,4 @@ bnx2x-fix-panic-when-tx-ring-is-full.patch
 net-remove-skb_orphan_try.patch
 bridge-assign-rtnl_link_ops-to-bridge-devices-created-via-ioctl-v2.patch
 xen-netfront-teardown-the-device-before-unregistering-it.patch
+mm-fix-slab-page-_count-corruption-when-using-slub.patch
-- 
2.47.3