From 8aaa16753786579ab3da0effb27ea853994f2e53 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sat, 7 Jun 2014 19:05:00 -0700
Subject: [PATCH] 3.4-stable patches

added patches:
	arm-8051-1-put_user-fix-possible-data-corruption-in-put_user.patch
---
 ...possible-data-corruption-in-put_user.patch | 37 +++++++++++++++++++
 ...-by-race-between-poison-and-unpoison.patch |  2 +-
 queue-3.4/series                              |  1 +
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 queue-3.4/arm-8051-1-put_user-fix-possible-data-corruption-in-put_user.patch

diff --git a/queue-3.4/arm-8051-1-put_user-fix-possible-data-corruption-in-put_user.patch b/queue-3.4/arm-8051-1-put_user-fix-possible-data-corruption-in-put_user.patch
new file mode 100644
index 00000000000..2f704e91146
--- /dev/null
+++ b/queue-3.4/arm-8051-1-put_user-fix-possible-data-corruption-in-put_user.patch
@@ -0,0 +1,37 @@
+From 537094b64b229bf3ad146042f83e74cf6abe59df Mon Sep 17 00:00:00 2001
+From: Andrey Ryabinin <a.ryabinin@samsung.com>
+Date: Wed, 7 May 2014 08:07:25 +0100
+Subject: ARM: 8051/1: put_user: fix possible data corruption in put_user
+
+From: Andrey Ryabinin <a.ryabinin@samsung.com>
+
+commit 537094b64b229bf3ad146042f83e74cf6abe59df upstream.
+
+According to arm procedure call standart r2 register is call-cloberred.
+So after the result of x expression was put into r2 any following
+function call in p may overwrite r2. To fix this, the result of p
+expression must be saved to the temporary variable before the
+assigment x expression to __r2.
+
+Signed-off-by: Andrey Ryabinin <a.ryabinin@samsung.com>
+Reviewed-by: Nicolas Pitre <nico@linaro.org>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/include/asm/uaccess.h |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/include/asm/uaccess.h
++++ b/arch/arm/include/asm/uaccess.h
+@@ -158,8 +158,9 @@ extern int __put_user_8(void *, unsigned
+ #define put_user(x,p)							\
+ 	({								\
+ 		unsigned long __limit = current_thread_info()->addr_limit - 1; \
++		const typeof(*(p)) __user *__tmp_p = (p);		\
+ 		register const typeof(*(p)) __r2 asm("r2") = (x);	\
+-		register const typeof(*(p)) __user *__p asm("r0") = (p);\
++		register const typeof(*(p)) __user *__p asm("r0") = __tmp_p; \
+ 		register unsigned long __l asm("r1") = __limit;		\
+ 		register int __e asm("r0");				\
+ 		switch (sizeof(*(__p))) {				\
diff --git a/queue-3.4/mm-memory-failure.c-fix-memory-leak-by-race-between-poison-and-unpoison.patch b/queue-3.4/mm-memory-failure.c-fix-memory-leak-by-race-between-poison-and-unpoison.patch
index 83bf9b99c17..12cd8f6b75f 100644
--- a/queue-3.4/mm-memory-failure.c-fix-memory-leak-by-race-between-poison-and-unpoison.patch
+++ b/queue-3.4/mm-memory-failure.c-fix-memory-leak-by-race-between-poison-and-unpoison.patch
@@ -34,7 +34,7 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  	 */
  	if (!PageHWPoison(p)) {
  		printk(KERN_ERR "MCE %#lx: just unpoisoned\n", pfn);
-+		atomic_long_sub(nr_pages, &num_poisoned_pages);
++		atomic_long_sub(nr_pages, &mce_bad_pages);
 +		put_page(hpage);
  		res = 0;
  		goto out;
diff --git a/queue-3.4/series b/queue-3.4/series
index 6014f885fdf..b8d4dbcf912 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -3,3 +3,4 @@ perf-prevent-false-warning-in-perf_swevent_add.patch
 perf-limit-perf_event_attr-sample_period-to-63-bits.patch
 perf-fix-race-in-removing-an-event.patch
 mm-memory-failure.c-fix-memory-leak-by-race-between-poison-and-unpoison.patch
+arm-8051-1-put_user-fix-possible-data-corruption-in-put_user.patch
-- 
2.47.3