From: Greg Kroah-Hartman Date: Mon, 14 Oct 2013 21:57:18 +0000 (-0700) Subject: 3.11-stable patches X-Git-Tag: v3.10.17~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=98b696ce617e5e81387369e40c5f0ba1e86c9bb4;p=thirdparty%2Fkernel%2Fstable-queue.git 3.11-stable patches added patches: drm-radeon-dpm-btc-off-by-one-in-btc_set_mc_special_registers.patch mips-stack-protector-fix-per-task-canary-switch.patch watchdog-kempld_wdt-fix-bit-mask-definition.patch watchdog-ts72xx_wdt-locking-bug-in-ioctl.patch
---
diff --git a/queue-3.11/drm-radeon-dpm-btc-off-by-one-in-btc_set_mc_special_registers.patch b/queue-3.11/drm-radeon-dpm-btc-off-by-one-in-btc_set_mc_special_registers.patch
new file mode 100644
index 00000000000..811043518ce
--- /dev/null
+++ b/queue-3.11/drm-radeon-dpm-btc-off-by-one-in-btc_set_mc_special_registers.patch
@@ -0,0 +1,49 @@
+From 96d8df846f52a720c8ae1fadadfad7c9e733e336 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 27 Sep 2013 23:18:39 +0300
+Subject: drm/radeon/dpm/btc: off by one in btc_set_mc_special_registers()
+
+From: Dan Carpenter
+
+commit 96d8df846f52a720c8ae1fadadfad7c9e733e336 upstream.
+
+It should be ">=" instead of ">" here. The table->mc_reg_address[]
+array has SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE (16) elements.
+
+Signed-off-by: Dan Carpenter
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/radeon/btc_dpm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/btc_dpm.c
++++ b/drivers/gpu/drm/radeon/btc_dpm.c
+@@ -1913,7 +1913,7 @@ static int btc_set_mc_special_registers(
+ }
+ j++;
+
+- if (j > SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE)
++ if (j >= SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE)
+ return -EINVAL;
+
+ tmp = RREG32(MC_PMG_CMD_MRS);
+@@ -1928,7 +1928,7 @@ static int btc_set_mc_special_registers(
+ }
+ j++;
+
+- if (j > SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE)
++ if (j >= SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE)
+ return -EINVAL;
+ break;
+ case MC_SEQ_RESERVE_M >> 2:
+@@ -1942,7 +1942,7 @@ static int btc_set_mc_special_registers(
+ }
+ j++;
+
+- if (j > SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE)
++ if (j >= SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE)
+ return -EINVAL;
+ break;
+ default:
diff --git a/queue-3.11/mips-stack-protector-fix-per-task-canary-switch.patch b/queue-3.11/mips-stack-protector-fix-per-task-canary-switch.patch
new file mode 100644
index 00000000000..1f8dbe393fc
--- /dev/null
+++ b/queue-3.11/mips-stack-protector-fix-per-task-canary-switch.patch
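Review bot: Each corrected `if (j >= SMC_EVERGREEN_MC_REGISTER_ARRAY_SIZE)` test in the queued btc_dpm.c patch runs after `j++`, so it guards the next store rather than the one just made, and the first store of every case relies on `j` already being in range on entry; the hunks do not show where `j` starts. In the @@ -1928 and @@ -1942 hunks the test is followed directly by `break;`, so a table that ends up exactly full is rejected with -EINVAL even though nothing was written past the array. Placing the bound check immediately before each indexed store would tie the check to the access it protects and remove the dependence on the initial value of `j`. btc_set_mc_special_registers() starts and ends outside the hunks, so the stores themselves should be confirmed against the full function.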
@@ -0,0 +1,88 @@
+From 8b3c569a3999a8fd5a819f892525ab5520777c92 Mon Sep 17 00:00:00 2001
+From: James Hogan
+Date: Mon, 7 Oct 2013 12:14:26 +0100
+Subject: MIPS: stack protector: Fix per-task canary switch
+
+From: James Hogan
+
+commit 8b3c569a3999a8fd5a819f892525ab5520777c92 upstream.
+
+Commit 1400eb6 (MIPS: r4k,octeon,r2300: stack protector: change canary
+per task) was merged in v3.11 and introduced assembly in the MIPS resume
+functions to update the value of the current canary in
+__stack_chk_guard. However it used PTR_L resulting in a load of the
+canary value, instead of PTR_LA to construct its address. The value is
+intended to be random but is then treated as an address in the
+subsequent LONG_S (store).
+
+This was observed to cause a fault and panic:
+
+CPU 0 Unable to handle kernel paging request at virtual address 139fea20, epc == 8000cc0c, ra == 8034f2a4
+Oops[#1]:
+...
+$24 : 139fea20 1e1f7cb6
+...
+Call Trace:
+[<8000cc0c>] resume+0xac/0x118
+[<8034f2a4>] __schedule+0x5f8/0x78c
+[<8034f4e0>] schedule_preempt_disabled+0x20/0x2c
+[<80348eec>] rest_init+0x74/0x84
+[<804dc990>] start_kernel+0x43c/0x454
+Code: 3c18804b 8f184030 8cb901f8 00c0e021 8cb002f0 8cb102f4 8cb202f8 8cb302fc
+
+This can also be forced by modifying
+arch/mips/include/asm/stackprotector.h so that the default
+__stack_chk_guard value is more likely to be a bad (or unaligned)
+pointer.
+
+Fix it to use PTR_LA instead, to load the address of the canary value,
+which the LONG_S can then use to write into it.
+
+Reported-by: bobjones (via #mipslinux on IRC)
+Signed-off-by: James Hogan
+Cc: Ralf Baechle
+Cc: Gregory Fong
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/6026/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/octeon_switch.S | 2 +-
+ arch/mips/kernel/r2300_switch.S | 2 +-
+ arch/mips/kernel/r4k_switch.S | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/arch/mips/kernel/octeon_switch.S
++++ b/arch/mips/kernel/octeon_switch.S
+@@ -73,7 +73,7 @@
+ 3:
+
+ #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP)
+- PTR_L t8, __stack_chk_guard
++ PTR_LA t8, __stack_chk_guard
+ LONG_L t9, TASK_STACK_CANARY(a1)
+ LONG_S t9, 0(t8)
+ #endif
+--- a/arch/mips/kernel/r2300_switch.S
++++ b/arch/mips/kernel/r2300_switch.S
+@@ -67,7 +67,7 @@ LEAF(resume)
+ 1:
+
+ #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP)
+- PTR_L t8, __stack_chk_guard
++ PTR_LA t8, __stack_chk_guard
+ LONG_L t9, TASK_STACK_CANARY(a1)
+ LONG_S t9, 0(t8)
+ #endif
+--- a/arch/mips/kernel/r4k_switch.S
++++ b/arch/mips/kernel/r4k_switch.S
+@@ -69,7 +69,7 @@
+ 1:
+
+ #if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP)
+- PTR_L t8, __stack_chk_guard
++ PTR_LA t8, __stack_chk_guard
+ LONG_L t9, TASK_STACK_CANARY(a1)
+ LONG_S t9, 0(t8)
+ #endif
diff --git a/queue-3.11/series b/queue-3.11/series
index a3113dc5ee8..8f76e3e6d48 100644
--- a/queue-3.11/series
+++ b/queue-3.11/series
@@ -16,3 +16,7 @@ arc-fix-32-bit-wrap-around-in-access_ok.patch
 arc-workaround-spinlock-livelock-in-smp-systemc-simulation.patch
 arc-fix-signal-frame-management-for-sa_siginfo.patch
 arc-ignore-ptrace-setregset-request-for-synthetic-register-stop_pc.patch
+watchdog-ts72xx_wdt-locking-bug-in-ioctl.patch
+watchdog-kempld_wdt-fix-bit-mask-definition.patch
+mips-stack-protector-fix-per-task-canary-switch.patch
+drm-radeon-dpm-btc-off-by-one-in-btc_set_mc_special_registers.patch
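Review bot: The `#if defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_SMP)` guard around the corrected `PTR_LA t8, __stack_chk_guard` sequence carries no comment in any of the three switch files (octeon_switch.S, r2300_switch.S, r4k_switch.S), and it means an SMP build never executes this update. From these lines a reader cannot tell whether SMP kernels get a per-task canary some other way or keep one guard value for every task, which matters when judging how much a single disclosed canary exposes. I would add a comment above the block such as `/* UP only: __stack_chk_guard is one global word, rewritten here with the incoming task's canary; skipped on SMP */`, and on the load line `/* PTR_LA: address of the guard, not its value */` to record the mistake being corrected. The resume routines begin and end outside the hunks.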
diff --git a/queue-3.11/watchdog-kempld_wdt-fix-bit-mask-definition.patch b/queue-3.11/watchdog-kempld_wdt-fix-bit-mask-definition.patch
new file mode 100644
index 00000000000..21077d9014a
--- /dev/null
+++ b/queue-3.11/watchdog-kempld_wdt-fix-bit-mask-definition.patch
@@ -0,0 +1,34 @@
+From 4c4e45669de475573b15d968a6dca8d00124c9ad Mon Sep 17 00:00:00 2001
+From: Jingoo Han
+Date: Mon, 23 Sep 2013 19:16:57 +0900
+Subject: watchdog: kempld_wdt: Fix bit mask definition
+
+From: Jingoo Han
+
+commit 4c4e45669de475573b15d968a6dca8d00124c9ad upstream.
+
+STAGE_CFG bits are defined as [5:4] bits. However, '(((x) & 0x30) << 4)'
+handles [9:8] bits. Thus, it should be fixed in order to handle
+[5:4] bits.
+
+Signed-off-by: Jingoo Han
+Reviewed-by: Guenter Roeck
+Signed-off-by: Wim Van Sebroeck
+Cc: Jonghwan Choi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/watchdog/kempld_wdt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/watchdog/kempld_wdt.c
++++ b/drivers/watchdog/kempld_wdt.c
+@@ -35,7 +35,7 @@
+ #define KEMPLD_WDT_STAGE_TIMEOUT(x) (0x1b + (x) * 4)
+ #define KEMPLD_WDT_STAGE_CFG(x) (0x18 + (x))
+ #define STAGE_CFG_GET_PRESCALER(x) (((x) & 0x30) >> 4)
+-#define STAGE_CFG_SET_PRESCALER(x) (((x) & 0x30) << 4)
++#define STAGE_CFG_SET_PRESCALER(x) (((x) & 0x3) << 4)
+ #define STAGE_CFG_PRESCALER_MASK 0x30
+ #define STAGE_CFG_ACTION_MASK 0x7
+ #define STAGE_CFG_ASSERT (1 << 3)
diff --git a/queue-3.11/watchdog-ts72xx_wdt-locking-bug-in-ioctl.patch b/queue-3.11/watchdog-ts72xx_wdt-locking-bug-in-ioctl.patch
new file mode 100644
index 00000000000..f35fba15eb9
--- /dev/null
+++ b/queue-3.11/watchdog-ts72xx_wdt-locking-bug-in-ioctl.patch
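Review bot: The corrected `STAGE_CFG_SET_PRESCALER(x)` still spells the field layout as the literals `0x3` and `4`, while `STAGE_CFG_PRESCALER_MASK 0x30` two lines below and `STAGE_CFG_GET_PRESCALER(x)` one line above encode the same layout independently, which is how the setter and the mask came to disagree in the first place. Deriving the setter from the mask keeps the three in step: `#define STAGE_CFG_SET_PRESCALER(x) (((x) << 4) & STAGE_CFG_PRESCALER_MASK)`. A named shift constant shared by the GET and SET macros would achieve the same, and the getter could then use the mask name instead of repeating `0x30`.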
@@ -0,0 +1,34 @@
+From 8612ed0d97abcf1c016d34755b7cf2060de71963 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 23 Aug 2013 11:40:59 +0300
+Subject: watchdog: ts72xx_wdt: locking bug in ioctl
+
+From: Dan Carpenter
+
+commit 8612ed0d97abcf1c016d34755b7cf2060de71963 upstream.
+
+Calling the WDIOC_GETSTATUS & WDIOC_GETBOOTSTATUS and twice will cause a
+interruptible deadlock.
+
+Signed-off-by: Dan Carpenter
+Reviewed-by: Guenter Roeck
+Signed-off-by: Wim Van Sebroeck
+Cc: Jonghwan Choi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/watchdog/ts72xx_wdt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/watchdog/ts72xx_wdt.c
++++ b/drivers/watchdog/ts72xx_wdt.c
+@@ -310,7 +310,8 @@ static long ts72xx_wdt_ioctl(struct file
+
+ case WDIOC_GETSTATUS:
+ case WDIOC_GETBOOTSTATUS:
+- return put_user(0, p);
++ error = put_user(0, p);
++ break;
+
+ case WDIOC_KEEPALIVE:
+ ts72xx_wdt_kick(wdt);
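Review bot: Replacing `return put_user(0, p);` with `error = put_user(0, p); break;` only closes the problem if every other case of this switch also leaves through `break`, and the hunk shows neither the remaining cases nor the unlock that the commit message implies follows the switch. A comment at the top of the switch, for example `/* no return inside this switch: the lock taken above is released after it */`, would keep a later edit from reintroducing an early return on a path that user space can reach through the ioctl. WDIOC_GETSTATUS and WDIOC_GETBOOTSTATUS only store a constant 0 to user memory in the visible lines, so they may not need the lock at all; that is worth confirming against the full function. ts72xx_wdt_ioctl() starts and ends outside the hunk.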