1 files changed, 114 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.24/0038-memory-hotplug-fix-invalid-memory-access-caused-by-s.patch b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.24/0038-memory-hotplug-fix-invalid-memory-access-caused-by-s.patch
new file mode 100644
index 00000000..5d3cef24
--- /dev/null
+++ b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.24/0038-memory-hotplug-fix-invalid-memory-access-caused-by-s.patch
@@ -0,0 +1,114 @@
+From c9a4beeb70f62ec5976dcbb9086683fda56d6aec Mon Sep 17 00:00:00 2001
+From: Jiang Liu <jiang.liu@huawei.com>
+Date: Wed, 11 Jul 2012 14:01:52 -0700
+Subject: [PATCH 038/109] memory hotplug: fix invalid memory access caused by
+ stale kswapd pointer
+commit d8adde17e5f858427504725218c56aef90e90fc7 upstream.
+kswapd_stop() is called to destroy the kswapd work thread when all memory
+of a NUMA node has been offlined.  But kswapd_stop() only terminates the
+work thread without resetting NODE_DATA(nid)->kswapd to NULL.  The stale
+pointer will prevent kswapd_run() from creating a new work thread when
+adding memory to the memory-less NUMA node again.  Eventually the stale
+pointer may cause invalid memory access.
+An example stack dump as below. It's reproduced with 2.6.32, but latest
+kernel has the same issue.
+  BUG: unable to handle kernel NULL pointer dereference at (null)
+  IP: [<ffffffff81051a94>] exit_creds+0x12/0x78
+  PGD 0
+  Oops: 0000 [#1] SMP
+  last sysfs file: /sys/devices/system/memory/memory391/state
+  CPU 11
+  Modules linked in: cpufreq_conservative cpufreq_userspace cpufreq_powersave acpi_cpufreq microcode fuse loop dm_mod tpm_tis rtc_cmos i2c_i801 rtc_core tpm serio_raw pcspkr sg tpm_bios igb i2c_core iTCO_wdt rtc_lib mptctl iTCO_vendor_support button dca bnx2 usbhid hid uhci_hcd ehci_hcd usbcore sd_mod crc_t10dif edd ext3 mbcache jbd fan ide_pci_generic ide_core ata_generic ata_piix libata thermal processor thermal_sys hwmon mptsas mptscsih mptbase scsi_transport_sas scsi_mod
+  Pid: 7949, comm: sh Not tainted 2.6.32.12-qiuxishi-5-default #92 Tecal RH2285
+  RIP: 0010:exit_creds+0x12/0x78
+  RSP: 0018:ffff8806044f1d78  EFLAGS: 00010202
+  RAX: 0000000000000000 RBX: ffff880604f22140 RCX: 0000000000019502
+  RDX: 0000000000000000 RSI: 0000000000000202 RDI: 0000000000000000
+  RBP: ffff880604f22150 R08: 0000000000000000 R09: ffffffff81a4dc10
+  R10: 00000000000032a0 R11: ffff880006202500 R12: 0000000000000000
+  R13: 0000000000c40000 R14: 0000000000008000 R15: 0000000000000001
+  FS:  00007fbc03d066f0(0000) GS:ffff8800282e0000(0000) knlGS:0000000000000000
+  CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+  CR2: 0000000000000000 CR3: 000000060f029000 CR4: 00000000000006e0
+  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+  Process sh (pid: 7949, threadinfo ffff8806044f0000, task ffff880603d7c600)
+  Stack:
+   ffff880604f22140 ffffffff8103aac5 ffff880604f22140 ffffffff8104d21e
+   ffff880006202500 0000000000008000 0000000000c38000 ffffffff810bd5b1
+   0000000000000000 ffff880603d7c600 00000000ffffdd29 0000000000000003
+  Call Trace:
+    __put_task_struct+0x5d/0x97
+    kthread_stop+0x50/0x58
+    offline_pages+0x324/0x3da
+    memory_block_change_state+0x179/0x1db
+    store_mem_state+0x9e/0xbb
+    sysfs_write_file+0xd0/0x107
+    vfs_write+0xad/0x169
+    sys_write+0x45/0x6e
+    system_call_fastpath+0x16/0x1b
+  Code: ff 4d 00 0f 94 c0 84 c0 74 08 48 89 ef e8 1f fd ff ff 5b 5d 31 c0 41 5c c3 53 48 8b 87 20 06 00 00 48 89 fb 48 8b bf 18 06 00 00 <8b> 00 48 c7 83 18 06 00 00 00 00 00 00 f0 ff 0f 0f 94 c0 84 c0
+  RIP  exit_creds+0x12/0x78
+   RSP <ffff8806044f1d78>
+  CR2: 0000000000000000
+[akpm@linux-foundation.org: add pglist_data.kswapd locking comments]
+Signed-off-by: Xishi Qiu <qiuxishi@huawei.com>
+Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
+Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
+Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Acked-by: Mel Gorman <mgorman@suse.de>
+Acked-by: David Rientjes <rientjes@google.com>
+Reviewed-by: Minchan Kim <minchan@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ include/linux/mmzone.h |    2 +-
+ mm/vmscan.c            |    7 +++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h
+index 188cb2f..905b1e1 100644
+--- a/include/linux/mmzone.h
+++ b/include/linux/mmzone.h
+@@ -652,7 +652,7 @@ typedef struct pglist_data {
+                                             range, including holes */
+        int node_id;
+        wait_queue_head_t kswapd_wait;
+-       struct task_struct *kswapd;
+       struct task_struct *kswapd;     /* Protected by lock_memory_hotplug() */
+        int kswapd_max_order;
+        enum zone_type classzone_idx;
+ } pg_data_t;
+diff --git a/mm/vmscan.c b/mm/vmscan.c
+index fbe2d2c..72cf498 100644
+--- a/mm/vmscan.c
+++ b/mm/vmscan.c
+@@ -3090,14 +3090,17 @@ int kswapd_run(int nid)
+ }
+ 
+ /*
+- * Called by memory hotplug when all memory in a node is offlined.
+ * Called by memory hotplug when all memory in a node is offlined.  Caller must
+ * hold lock_memory_hotplug().
+  */
+ void kswapd_stop(int nid)
+ {
+        struct task_struct *kswapd = NODE_DATA(nid)->kswapd;
+ 
+-       if (kswapd)
+       if (kswapd) {
+                kthread_stop(kswapd);
+               NODE_DATA(nid)->kswapd = NULL;
+       }
+ }
+ 
+ static int __init kswapd_init(void)
+-- 
+1.7.7.6

diff --git a/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.24/0038-memory-hotplug-fix-invalid-memory-access-caused-by-s.patch b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.24/0038-memory-hotplug-fix-invalid-memory-access-caused-by-s.patch new file mode 100644 index 00000000..5d3cef24 --- /dev/null +++ b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.24/0038-memory-hotplug-fix-invalid-memory-access-caused-by-s.patch
@@ -0,0 +1,114 @@
	1	From c9a4beeb70f62ec5976dcbb9086683fda56d6aec Mon Sep 17 00:00:00 2001
	2	From: Jiang Liu <jiang.liu@huawei.com>
	3	Date: Wed, 11 Jul 2012 14:01:52 -0700
	4	Subject: [PATCH 038/109] memory hotplug: fix invalid memory access caused by
	5	stale kswapd pointer
	6
	7	commit d8adde17e5f858427504725218c56aef90e90fc7 upstream.
	8
	9	kswapd_stop() is called to destroy the kswapd work thread when all memory
	10	of a NUMA node has been offlined. But kswapd_stop() only terminates the
	11	work thread without resetting NODE_DATA(nid)->kswapd to NULL. The stale
	12	pointer will prevent kswapd_run() from creating a new work thread when
	13	adding memory to the memory-less NUMA node again. Eventually the stale
	14	pointer may cause invalid memory access.
	15
	16	An example stack dump as below. It's reproduced with 2.6.32, but latest
	17	kernel has the same issue.
	18
	19	BUG: unable to handle kernel NULL pointer dereference at (null)
	20	IP: [<ffffffff81051a94>] exit_creds+0x12/0x78
	21	PGD 0
	22	Oops: 0000 [#1] SMP
	23	last sysfs file: /sys/devices/system/memory/memory391/state
	24	CPU 11
	25	Modules linked in: cpufreq_conservative cpufreq_userspace cpufreq_powersave acpi_cpufreq microcode fuse loop dm_mod tpm_tis rtc_cmos i2c_i801 rtc_core tpm serio_raw pcspkr sg tpm_bios igb i2c_core iTCO_wdt rtc_lib mptctl iTCO_vendor_support button dca bnx2 usbhid hid uhci_hcd ehci_hcd usbcore sd_mod crc_t10dif edd ext3 mbcache jbd fan ide_pci_generic ide_core ata_generic ata_piix libata thermal processor thermal_sys hwmon mptsas mptscsih mptbase scsi_transport_sas scsi_mod
	26	Pid: 7949, comm: sh Not tainted 2.6.32.12-qiuxishi-5-default #92 Tecal RH2285
	27	RIP: 0010:exit_creds+0x12/0x78
	28	RSP: 0018:ffff8806044f1d78 EFLAGS: 00010202
	29	RAX: 0000000000000000 RBX: ffff880604f22140 RCX: 0000000000019502
	30	RDX: 0000000000000000 RSI: 0000000000000202 RDI: 0000000000000000
	31	RBP: ffff880604f22150 R08: 0000000000000000 R09: ffffffff81a4dc10
	32	R10: 00000000000032a0 R11: ffff880006202500 R12: 0000000000000000
	33	R13: 0000000000c40000 R14: 0000000000008000 R15: 0000000000000001
	34	FS: 00007fbc03d066f0(0000) GS:ffff8800282e0000(0000) knlGS:0000000000000000
	35	CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
	36	CR2: 0000000000000000 CR3: 000000060f029000 CR4: 00000000000006e0
	37	DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
	38	DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
	39	Process sh (pid: 7949, threadinfo ffff8806044f0000, task ffff880603d7c600)
	40	Stack:
	41	ffff880604f22140 ffffffff8103aac5 ffff880604f22140 ffffffff8104d21e
	42	ffff880006202500 0000000000008000 0000000000c38000 ffffffff810bd5b1
	43	0000000000000000 ffff880603d7c600 00000000ffffdd29 0000000000000003
	44	Call Trace:
	45	__put_task_struct+0x5d/0x97
	46	kthread_stop+0x50/0x58
	47	offline_pages+0x324/0x3da
	48	memory_block_change_state+0x179/0x1db
	49	store_mem_state+0x9e/0xbb
	50	sysfs_write_file+0xd0/0x107
	51	vfs_write+0xad/0x169
	52	sys_write+0x45/0x6e
	53	system_call_fastpath+0x16/0x1b
	54	Code: ff 4d 00 0f 94 c0 84 c0 74 08 48 89 ef e8 1f fd ff ff 5b 5d 31 c0 41 5c c3 53 48 8b 87 20 06 00 00 48 89 fb 48 8b bf 18 06 00 00 <8b> 00 48 c7 83 18 06 00 00 00 00 00 00 f0 ff 0f 0f 94 c0 84 c0
	55	RIP exit_creds+0x12/0x78
	56	RSP <ffff8806044f1d78>
	57	CR2: 0000000000000000
	58
	59	[akpm@linux-foundation.org: add pglist_data.kswapd locking comments]
	60	Signed-off-by: Xishi Qiu <qiuxishi@huawei.com>
	61	Signed-off-by: Jiang Liu <jiang.liu@huawei.com>
	62	Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
	63	Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
	64	Acked-by: Mel Gorman <mgorman@suse.de>
	65	Acked-by: David Rientjes <rientjes@google.com>
	66	Reviewed-by: Minchan Kim <minchan@kernel.org>
	67	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	68	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	69	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	70	---
	71	include/linux/mmzone.h \| 2 +-
	72	mm/vmscan.c \| 7 +++++--
	73	2 files changed, 6 insertions(+), 3 deletions(-)
	74
	75	diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h
	76	index 188cb2f..905b1e1 100644
	77	--- a/include/linux/mmzone.h
	78	+++ b/include/linux/mmzone.h
	79	@@ -652,7 +652,7 @@ typedef struct pglist_data {
	80	range, including holes */
	81	int node_id;
	82	wait_queue_head_t kswapd_wait;
	83	- struct task_struct *kswapd;
	84	+ struct task_struct kswapd; / Protected by lock_memory_hotplug() */
	85	int kswapd_max_order;
	86	enum zone_type classzone_idx;
	87	} pg_data_t;
	88	diff --git a/mm/vmscan.c b/mm/vmscan.c
	89	index fbe2d2c..72cf498 100644
	90	--- a/mm/vmscan.c
	91	+++ b/mm/vmscan.c
	92	@@ -3090,14 +3090,17 @@ int kswapd_run(int nid)
	93	}
	94
	95	/*
	96	- * Called by memory hotplug when all memory in a node is offlined.
	97	+ * Called by memory hotplug when all memory in a node is offlined. Caller must
	98	+ * hold lock_memory_hotplug().
	99	*/
	100	void kswapd_stop(int nid)
	101	{
	102	struct task_struct *kswapd = NODE_DATA(nid)->kswapd;
	103
	104	- if (kswapd)
	105	+ if (kswapd) {
	106	kthread_stop(kswapd);
	107	+ NODE_DATA(nid)->kswapd = NULL;
	108	+ }
	109	}
	110
	111	static int __init kswapd_init(void)
	112	--
	113	1.7.7.6
	114