--- /dev/null
+From 2561d309dfd1555e781484af757ed0115035ddb3 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 17 Aug 2016 16:02:32 -0400
+Subject: alpha: fix copy_from_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 2561d309dfd1555e781484af757ed0115035ddb3 upstream.
+
+it should clear the destination even when access_ok() fails.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/alpha/include/asm/uaccess.h | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+--- a/arch/alpha/include/asm/uaccess.h
++++ b/arch/alpha/include/asm/uaccess.h
+@@ -371,14 +371,6 @@ __copy_tofrom_user_nocheck(void *to, con
+ return __cu_len;
+ }
+
+-extern inline long
+-__copy_tofrom_user(void *to, const void *from, long len, const void __user *validate)
+-{
+- if (__access_ok((unsigned long)validate, len, get_fs()))
+- len = __copy_tofrom_user_nocheck(to, from, len);
+- return len;
+-}
+-
+ #define __copy_to_user(to, from, n) \
+ ({ \
+ __chk_user_ptr(to); \
+@@ -393,17 +385,22 @@ __copy_tofrom_user(void *to, const void
+ #define __copy_to_user_inatomic __copy_to_user
+ #define __copy_from_user_inatomic __copy_from_user
+
+-
+ extern inline long
+ copy_to_user(void __user *to, const void *from, long n)
+ {
+- return __copy_tofrom_user((__force void *)to, from, n, to);
++ if (likely(__access_ok((unsigned long)to, n, get_fs())))
++ n = __copy_tofrom_user_nocheck((__force void *)to, from, n);
++ return n;
+ }
+
+ extern inline long
+ copy_from_user(void *to, const void __user *from, long n)
+ {
+- return __copy_tofrom_user(to, (__force void *)from, n, from);
++ if (likely(__access_ok((unsigned long)from, n, get_fs())))
++ n = __copy_tofrom_user_nocheck(to, (__force void *)from, n);
++ else
++ memset(to, 0, n);
++ return n;
+ }
+
+ extern void __do_clear_user(void);
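Review bot: In the new `copy_from_user()`, the `else memset(to, 0, n);` branch writes `n` bytes into the kernel buffer exactly when `__access_ok()` has rejected the request, and that presumably includes requests rejected because the length itself is wrong. `n` is a signed `long` here, so a negative or oversized value that the old code returned untouched is now converted to a very large `size_t` and zeroes kernel memory past the destination. Callers are expected to pass a length no larger than the destination, but nothing in this hunk enforces that, so I would state the contract above the function: `/* n must not exceed the size of *to: on failure all of to[0..n) is zeroed */`. The same zero-on-rejected-check pattern appears in the asm-generic, avr32, blackfin and cris `copy_from_user()` hunks later in this series.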
--- /dev/null
+From 05d9d0b96e53c52a113fd783c0c97c830c8dc7af Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <Vineet.Gupta1@synopsys.com>
+Date: Fri, 19 Aug 2016 12:10:02 -0700
+Subject: ARC: uaccess: get_user to zero out dest in cause of fault
+
+From: Vineet Gupta <Vineet.Gupta1@synopsys.com>
+
+commit 05d9d0b96e53c52a113fd783c0c97c830c8dc7af upstream.
+
+Al reported potential issue with ARC get_user() as it wasn't clearing
+out destination pointer in case of fault due to bad address etc.
+
+Verified using following
+
+| {
+| u32 bogus1 = 0xdeadbeef;
+| u64 bogus2 = 0xdead;
+| int rc1, rc2;
+|
+| pr_info("Orig values %x %llx\n", bogus1, bogus2);
+| rc1 = get_user(bogus1, (u32 __user *)0x40000000);
+| rc2 = get_user(bogus2, (u64 __user *)0x50000000);
+| pr_info("access %d %d, new values %x %llx\n",
+| rc1, rc2, bogus1, bogus2);
+| }
+
+| [ARCLinux]# insmod /mnt/kernel-module/qtn.ko
+| Orig values deadbeef dead
+| access -14 -14, new values 0 0
+
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: linux-snps-arc@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/uaccess.h | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/arc/include/asm/uaccess.h
++++ b/arch/arc/include/asm/uaccess.h
+@@ -83,7 +83,10 @@
+ "2: ;nop\n" \
+ " .section .fixup, \"ax\"\n" \
+ " .align 4\n" \
+- "3: mov %0, %3\n" \
++ "3: # return -EFAULT\n" \
++ " mov %0, %3\n" \
++ " # zero out dst ptr\n" \
++ " mov %1, 0\n" \
+ " j 2b\n" \
+ " .previous\n" \
+ " .section __ex_table, \"a\"\n" \
+@@ -101,7 +104,11 @@
+ "2: ;nop\n" \
+ " .section .fixup, \"ax\"\n" \
+ " .align 4\n" \
+- "3: mov %0, %3\n" \
++ "3: # return -EFAULT\n" \
++ " mov %0, %3\n" \
++ " # zero out dst ptr\n" \
++ " mov %1, 0\n" \
++ " mov %R1, 0\n" \
+ " j 2b\n" \
+ " .previous\n" \
+ " .section __ex_table, \"a\"\n" \
--- /dev/null
+From 2545e5da080b4839dd859e3b09343a884f6ab0e3 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 17 Aug 2016 16:36:37 -0400
+Subject: asm-generic: make copy_from_user() zero the destination properly
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 2545e5da080b4839dd859e3b09343a884f6ab0e3 upstream.
+
+... in all cases, including the failing access_ok()
+
+Note that some architectures using asm-generic/uaccess.h have
+__copy_from_user() not zeroing the tail on failure halfway
+through. This variant works either way.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/asm-generic/uaccess.h | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/include/asm-generic/uaccess.h
++++ b/include/asm-generic/uaccess.h
+@@ -261,11 +261,13 @@ extern int __get_user_bad(void) __attrib
+ static inline long copy_from_user(void *to,
+ const void __user * from, unsigned long n)
+ {
++ unsigned long res = n;
+ might_fault();
+- if (access_ok(VERIFY_READ, from, n))
+- return __copy_from_user(to, from, n);
+- else
+- return n;
++ if (likely(access_ok(VERIFY_READ, from, n)))
++ res = __copy_from_user(to, from, n);
++ if (unlikely(res))
++ memset(to + (n - res), 0, res);
++ return res;
+ }
+
+ static inline long copy_to_user(void __user *to,
--- /dev/null
+From 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 17 Aug 2016 23:19:01 -0400
+Subject: asm-generic: make get_user() clear the destination on errors
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa upstream.
+
+both for access_ok() failures and for faults halfway through
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/asm-generic/uaccess.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/include/asm-generic/uaccess.h
++++ b/include/asm-generic/uaccess.h
+@@ -230,14 +230,18 @@ extern int __put_user_bad(void) __attrib
+ might_fault(); \
+ access_ok(VERIFY_READ, __p, sizeof(*ptr)) ? \
+ __get_user((x), (__typeof__(*(ptr)) *)__p) : \
+- -EFAULT; \
++ ((x) = (__typeof__(*(ptr)))0,-EFAULT); \
+ })
+
+ #ifndef __get_user_fn
+ static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
+ {
+- size = __copy_from_user(x, ptr, size);
+- return size ? -EFAULT : size;
++ size_t n = __copy_from_user(x, ptr, size);
++ if (unlikely(n)) {
++ memset(x + (size - n), 0, n);
++ return -EFAULT;
++ }
++ return 0;
+ }
+
+ #define __get_user_fn(sz, u, k) __get_user_fn(sz, u, k)
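Review bot: The zeroing added to `__get_user_fn()` sits inside `#ifndef __get_user_fn`, so an architecture that supplies its own `__get_user_fn` gets none of it; for such an override only the `access_ok()` failure arm of the `get_user()` macro in this hunk clears the destination. A comment above the `#ifndef` would make the contract explicit: `/* An arch override of __get_user_fn() must also zero *x on a fault. */`. Separately, `memset(x + (size - n), 0, n)` does arithmetic on a `void *`, which is a GNU extension; a `(char *)x` cast would make the byte offset explicit.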
--- /dev/null
+From 8630c32275bac2de6ffb8aea9d9b11663e7ad28e Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 9 Sep 2016 19:28:23 -0400
+Subject: avr32: fix copy_from_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 8630c32275bac2de6ffb8aea9d9b11663e7ad28e upstream.
+
+really ugly, but apparently avr32 compilers turn access_ok() into
+something so bad that they want it in assembler. Left that way,
+zeroing added in inline wrapper.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/avr32/include/asm/uaccess.h | 11 ++++++++++-
+ arch/avr32/kernel/avr32_ksyms.c | 2 +-
+ arch/avr32/lib/copy_user.S | 4 ++--
+ 3 files changed, 13 insertions(+), 4 deletions(-)
+
+--- a/arch/avr32/include/asm/uaccess.h
++++ b/arch/avr32/include/asm/uaccess.h
+@@ -74,7 +74,7 @@ extern __kernel_size_t __copy_user(void
+
+ extern __kernel_size_t copy_to_user(void __user *to, const void *from,
+ __kernel_size_t n);
+-extern __kernel_size_t copy_from_user(void *to, const void __user *from,
++extern __kernel_size_t ___copy_from_user(void *to, const void __user *from,
+ __kernel_size_t n);
+
+ static inline __kernel_size_t __copy_to_user(void __user *to, const void *from,
+@@ -88,6 +88,15 @@ static inline __kernel_size_t __copy_fro
+ {
+ return __copy_user(to, (const void __force *)from, n);
+ }
++static inline __kernel_size_t copy_from_user(void *to,
++ const void __user *from,
++ __kernel_size_t n)
++{
++ size_t res = ___copy_from_user(to, from, n);
++ if (unlikely(res))
++ memset(to + (n - res), 0, res);
++ return res;
++}
+
+ #define __copy_to_user_inatomic __copy_to_user
+ #define __copy_from_user_inatomic __copy_from_user
+--- a/arch/avr32/kernel/avr32_ksyms.c
++++ b/arch/avr32/kernel/avr32_ksyms.c
+@@ -36,7 +36,7 @@ EXPORT_SYMBOL(copy_page);
+ /*
+ * Userspace access stuff.
+ */
+-EXPORT_SYMBOL(copy_from_user);
++EXPORT_SYMBOL(___copy_from_user);
+ EXPORT_SYMBOL(copy_to_user);
+ EXPORT_SYMBOL(__copy_user);
+ EXPORT_SYMBOL(strncpy_from_user);
+--- a/arch/avr32/lib/copy_user.S
++++ b/arch/avr32/lib/copy_user.S
+@@ -25,11 +25,11 @@
+ .align 1
+ .global copy_from_user
+ .type copy_from_user, @function
+-copy_from_user:
++___copy_from_user:
+ branch_if_kernel r8, __copy_user
+ ret_if_privileged r8, r11, r10, r10
+ rjmp __copy_user
+- .size copy_from_user, . - copy_from_user
++ .size ___copy_from_user, . - ___copy_from_user
+
+ .global copy_to_user
+ .type copy_to_user, @function
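Review bot: The label is renamed to `___copy_from_user`, but the `.global copy_from_user` and `.type copy_from_user, @function` directives just above it are unchanged context lines, so the renamed symbol is never declared global. The inline wrapper in uaccess.h and `EXPORT_SYMBOL(___copy_from_user)` in avr32_ksyms.c both reference `___copy_from_user` from other objects, which would most likely fail at link time. The two directives should follow the rename: `.global ___copy_from_user` and `.type ___copy_from_user, @function`.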
--- /dev/null
+From 8f035983dd826d7e04f67b28acf8e2f08c347e41 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 9 Sep 2016 19:16:58 -0400
+Subject: blackfin: fix copy_from_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 8f035983dd826d7e04f67b28acf8e2f08c347e41 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/blackfin/include/asm/uaccess.h | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/arch/blackfin/include/asm/uaccess.h
++++ b/arch/blackfin/include/asm/uaccess.h
+@@ -171,11 +171,12 @@ static inline int bad_user_access_length
+ static inline unsigned long __must_check
+ copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+- if (access_ok(VERIFY_READ, from, n))
++ if (likely(access_ok(VERIFY_READ, from, n))) {
+ memcpy(to, (const void __force *)from, n);
+- else
+- return n;
+- return 0;
++ return 0;
++ }
++ memset(to, 0, n);
++ return n;
+ }
+
+ static inline unsigned long __must_check
--- /dev/null
+From eb47e0293baaa3044022059f1fa9ff474bfe35cb Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 18 Aug 2016 19:34:00 -0400
+Subject: cris: buggered copy_from_user/copy_to_user/clear_user
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit eb47e0293baaa3044022059f1fa9ff474bfe35cb upstream.
+
+* copy_from_user() on access_ok() failure ought to zero the destination
+* none of those primitives should skip the access_ok() check in case of
+small constant size.
+
+Acked-by: Jesper Nilsson <jesper.nilsson@axis.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/cris/include/asm/uaccess.h | 75 ++++++++++++++++++----------------------
+ 1 file changed, 34 insertions(+), 41 deletions(-)
+
+--- a/arch/cris/include/asm/uaccess.h
++++ b/arch/cris/include/asm/uaccess.h
+@@ -194,30 +194,6 @@ extern unsigned long __copy_user(void __
+ extern unsigned long __copy_user_zeroing(void *to, const void __user *from, unsigned long n);
+ extern unsigned long __do_clear_user(void __user *to, unsigned long n);
+
+-static inline unsigned long
+-__generic_copy_to_user(void __user *to, const void *from, unsigned long n)
+-{
+- if (access_ok(VERIFY_WRITE, to, n))
+- return __copy_user(to, from, n);
+- return n;
+-}
+-
+-static inline unsigned long
+-__generic_copy_from_user(void *to, const void __user *from, unsigned long n)
+-{
+- if (access_ok(VERIFY_READ, from, n))
+- return __copy_user_zeroing(to, from, n);
+- return n;
+-}
+-
+-static inline unsigned long
+-__generic_clear_user(void __user *to, unsigned long n)
+-{
+- if (access_ok(VERIFY_WRITE, to, n))
+- return __do_clear_user(to, n);
+- return n;
+-}
+-
+ static inline long
+ __strncpy_from_user(char *dst, const char __user *src, long count)
+ {
+@@ -282,7 +258,7 @@ __constant_copy_from_user(void *to, cons
+ else if (n == 24)
+ __asm_copy_from_user_24(to, from, ret);
+ else
+- ret = __generic_copy_from_user(to, from, n);
++ ret = __copy_user_zeroing(to, from, n);
+
+ return ret;
+ }
+@@ -333,7 +309,7 @@ __constant_copy_to_user(void __user *to,
+ else if (n == 24)
+ __asm_copy_to_user_24(to, from, ret);
+ else
+- ret = __generic_copy_to_user(to, from, n);
++ ret = __copy_user(to, from, n);
+
+ return ret;
+ }
+@@ -366,26 +342,43 @@ __constant_clear_user(void __user *to, u
+ else if (n == 24)
+ __asm_clear_24(to, ret);
+ else
+- ret = __generic_clear_user(to, n);
++ ret = __do_clear_user(to, n);
+
+ return ret;
+ }
+
+
+-#define clear_user(to, n) \
+- (__builtin_constant_p(n) ? \
+- __constant_clear_user(to, n) : \
+- __generic_clear_user(to, n))
+-
+-#define copy_from_user(to, from, n) \
+- (__builtin_constant_p(n) ? \
+- __constant_copy_from_user(to, from, n) : \
+- __generic_copy_from_user(to, from, n))
+-
+-#define copy_to_user(to, from, n) \
+- (__builtin_constant_p(n) ? \
+- __constant_copy_to_user(to, from, n) : \
+- __generic_copy_to_user(to, from, n))
++static inline size_t clear_user(void __user *to, size_t n)
++{
++ if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
++ return n;
++ if (__builtin_constant_p(n))
++ return __constant_clear_user(to, n);
++ else
++ return __do_clear_user(to, n);
++}
++
++static inline size_t copy_from_user(void *to, const void __user *from, size_t n)
++{
++ if (unlikely(!access_ok(VERIFY_READ, from, n))) {
++ memset(to, 0, n);
++ return n;
++ }
++ if (__builtin_constant_p(n))
++ return __constant_copy_from_user(to, from, n);
++ else
++ return __copy_user_zeroing(to, from, n);
++}
++
++static inline size_t copy_to_user(void __user *to, const void *from, size_t n)
++{
++ if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
++ return n;
++ if (__builtin_constant_p(n))
++ return __constant_copy_to_user(to, from, n);
++ else
++ return __copy_user(to, from, n);
++}
+
+ /* We let the __ versions of copy_from/to_user inline, because they're often
+ * used in fast paths and have only a small space overhead.
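Review bot: With the `__generic_*` helpers gone, the fallback branches of `__constant_copy_from_user()`, `__constant_copy_to_user()` and `__constant_clear_user()` (the three one-line hunks above) call `__copy_user_zeroing()`, `__copy_user()` and `__do_clear_user()` directly, so no path through the `__constant_*` helpers performs an `access_ok()` check. That is correct only while they are reached through the new `clear_user()`, `copy_from_user()` and `copy_to_user()` wrappers in this hunk; whether other callers exist is not visible here. I would put a comment on each helper such as `/* Caller must have checked access_ok(); use copy_from_user() otherwise. */`.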
--- /dev/null
+From d31ed3f05763644840c654a384eaefa94c097ba2 Mon Sep 17 00:00:00 2001
+From: Jan Leupold <leupold@rsi-elektrotechnik.de>
+Date: Wed, 6 Jul 2016 13:22:35 +0200
+Subject: drm: atmel-hlcdc: Fix vertical scaling
+
+From: Jan Leupold <leupold@rsi-elektrotechnik.de>
+
+commit d31ed3f05763644840c654a384eaefa94c097ba2 upstream.
+
+The code is applying the same scaling for the X and Y components,
+thus making the scaling feature only functional when both components
+have the same scaling factor.
+
+Do the s/_w/_h/ replacement where appropriate to fix vertical scaling.
+
+Signed-off-by: Jan Leupold <leupold@rsi-elektrotechnik.de>
+Fixes: 1a396789f65a2 ("drm: add Atmel HLCDC Display Controller support")
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
++++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
+@@ -320,19 +320,19 @@ atmel_hlcdc_plane_update_pos_and_size(st
+ u32 *coeff_tab = heo_upscaling_ycoef;
+ u32 max_memsize;
+
+- if (state->crtc_w < state->src_w)
++ if (state->crtc_h < state->src_h)
+ coeff_tab = heo_downscaling_ycoef;
+ for (i = 0; i < ARRAY_SIZE(heo_upscaling_ycoef); i++)
+ atmel_hlcdc_layer_update_cfg(&plane->layer,
+ 33 + i,
+ 0xffffffff,
+ coeff_tab[i]);
+- factor = ((8 * 256 * state->src_w) - (256 * 4)) /
+- state->crtc_w;
++ factor = ((8 * 256 * state->src_h) - (256 * 4)) /
++ state->crtc_h;
+ factor++;
+- max_memsize = ((factor * state->crtc_w) + (256 * 4)) /
++ max_memsize = ((factor * state->crtc_h) + (256 * 4)) /
+ 2048;
+- if (max_memsize > state->src_w)
++ if (max_memsize > state->src_h)
+ factor--;
+ factor_reg |= (factor << 16) | 0x80000000;
+ }
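Review bot: The loop that programs the coefficient registers is bounded by `ARRAY_SIZE(heo_upscaling_ycoef)` but reads `coeff_tab[i]`, which this hunk points at `heo_downscaling_ycoef` when downscaling. That is in bounds only if both tables have the same length, and their definitions are outside the hunk. A compile-time check would pin it: `BUILD_BUG_ON(ARRAY_SIZE(heo_upscaling_ycoef) != ARRAY_SIZE(heo_downscaling_ycoef));`. The corrected `factor` computation also divides by `state->crtc_h`, so it relies on a zero height having been rejected before this point, presumably in the plane's atomic check. The enclosing function starts and ends outside the hunk.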
--- /dev/null
+From ea54ff4008892b46c7a3e6bc8ab8aaec9d198639 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
+Date: Tue, 13 Sep 2016 12:22:19 +0300
+Subject: drm/i915: Ignore OpRegion panel type except on select machines
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä <ville.syrjala@linux.intel.com>
+
+commit ea54ff4008892b46c7a3e6bc8ab8aaec9d198639 upstream.
+
+Turns out
+commit a05628195a0d ("drm/i915: Get panel_type from OpRegion panel
+details") has regressed quite a few machines. So it looks like we
+can't use the panel type from OpRegion on all systems, and yet we
+absolutely must use it on some specific systems.
+
+Despite trying, I was unable to find any automagic way to determine
+if the OpRegion panel type is respectable or not. The only glimmer
+of hope I had was bit 8 in the SCIC response, but that turned out to
+not work either (it was always 0 on both types of systems).
+
+So, to fix the regressions without breaking the machine we know to need
+the OpRegion panel type, let's just add a quirk for this. Only specific
+machines known to require the OpRegion panel type will therefore use
+it. Everyone else will fall back to the VBT panel type.
+
+The only known machine so far is a "Conrac GmbH IX45GM2". The PCI
+subsystem ID on this machine is just a generic 8086:2a42, so of no use.
+Instead we'll go with a DMI match.
+
+I suspect we can now also revert
+commit aeddda06c1a7 ("drm/i915: Ignore panel type from OpRegion on SKL")
+but let's leave that to a separate patch.
+
+v2: Do the DMI match in the opregion code directly, as dev_priv->quirks
+ gets populated too late
+
+Cc: Rob Kramer <rob@solution-space.com>
+Cc: Martin van Es <martin@mrvanes.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Dave Airlie <airlied@linux.ie>
+Cc: Marco Krüger <krgsch@gmail.com>
+Cc: Sean Greenslade <sean@seangreenslade.com>
+Cc: Trudy Tective <bertslany@gmail.com>
+Cc: Robin Müller <rm1990@gmx.de>
+Cc: Alexander Kobel <a-kobel@a-kobel.de>
+Cc: Alexey Shumitsky <alexey.shumitsky@gmail.com>
+Cc: Emil Andersen Lauridsen <mine809@gmail.com>
+Cc: oceans112@gmail.com
+Cc: James Hogan <james@albanarts.com>
+Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
+References: https://lists.freedesktop.org/archives/intel-gfx/2016-August/105545.html
+References: https://lists.freedesktop.org/archives/dri-devel/2016-August/116888.html
+References: https://lists.freedesktop.org/archives/intel-gfx/2016-June/098826.html
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94825
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97060
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97443
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97363
+Fixes: a05628195a0d ("drm/i915: Get panel_type from OpRegion panel details")
+Tested-by: Marco Krüger <krgsch@gmail.com>
+Tested-by: Alexey Shumitsky <alexey.shumitsky@gmail.com>
+Tested-by: Sean Greenslade <sean@seangreenslade.com>
+Tested-by: Emil Andersen Lauridsen <mine809@gmail.com>
+Tested-by: Robin Müller <rm1990@gmx.de>
+Tested-by: oceans112@gmail.com
+Tested-by: Rob Kramer <rob@solution-space.com>
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/1473758539-21565-1-git-send-email-ville.syrjala@linux.intel.com
+References: http://patchwork.freedesktop.org/patch/msgid/1473602239-15855-1-git-send-email-adrienverge@gmail.com
+Acked-by: Jani Nikula <jani.nikula@intel.com>
+(cherry picked from commit c8ebfad7a063fe665417fa0eeb0da7cfe987d8ed)
+Signed-off-by: Jani Nikula <jani.nikula@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_opregion.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/drivers/gpu/drm/i915/intel_opregion.c
++++ b/drivers/gpu/drm/i915/intel_opregion.c
+@@ -1013,6 +1013,23 @@ err_out:
+ return err;
+ }
+
++static int intel_use_opregion_panel_type_callback(const struct dmi_system_id *id)
++{
++ DRM_INFO("Using panel type from OpRegion on %s\n", id->ident);
++ return 1;
++}
++
++static const struct dmi_system_id intel_use_opregion_panel_type[] = {
++ {
++ .callback = intel_use_opregion_panel_type_callback,
++ .ident = "Conrac GmbH IX45GM2",
++ .matches = {DMI_MATCH(DMI_SYS_VENDOR, "Conrac GmbH"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "IX45GM2"),
++ },
++ },
++ { }
++};
++
+ int
+ intel_opregion_get_panel_type(struct drm_device *dev)
+ {
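Review bot: `DMI_MATCH()` in the new `intel_use_opregion_panel_type[]` table compares by substring, so any machine whose vendor and product strings merely contain "Conrac GmbH" and "IX45GM2" will take the OpRegion path. If the quirk is meant for exactly this model, `DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "IX45GM2")` is the tighter form. If the looser match is deliberate (for example to cover product-name suffixes), a one-line comment on the entry saying so would save the next reader the question.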
+@@ -1038,6 +1055,16 @@ intel_opregion_get_panel_type(struct drm
+ return -ENODEV;
+ }
+
++ /*
++ * So far we know that some machined must use it, others must not use it.
++ * There doesn't seem to be any way to determine which way to go, except
++ * via a quirk list :(
++ */
++ if (!dmi_check_system(intel_use_opregion_panel_type)) {
++ DRM_DEBUG_KMS("Ignoring OpRegion panel type (%d)\n", ret - 1);
++ return -ENODEV;
++ }
++
+ /*
+ * FIXME On Dell XPS 13 9350 the OpRegion panel type (0) gives us
+ * low vswing for eDP, whereas the VBT panel type (2) gives us normal
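Review bot: The added comment has a typo, "some machined must use it"; it should read `* So far we know that some machines must use it, others must not use it.`. It would also be clearer if it named what "it" is, namely the OpRegion panel type. The enclosing function and the FIXME comment that follows continue outside the hunk.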
--- /dev/null
+From 47a66e45d7a7613322549c2475ea9d809baaf514 Mon Sep 17 00:00:00 2001
+From: "Kristian H. Kristensen" <hoegsberg@gmail.com>
+Date: Tue, 13 Sep 2016 14:20:45 -0700
+Subject: drm: Only use compat ioctl for addfb2 on X86/IA64
+
+From: Kristian H. Kristensen <hoegsberg@gmail.com>
+
+commit 47a66e45d7a7613322549c2475ea9d809baaf514 upstream.
+
+Similar to struct drm_update_draw, struct drm_mode_fb_cmd2 has an
+unaligned 64 bit field (modifier). This gets packed differently between
+32 bit and 64 bit modes on architectures that can handle unaligned 64
+bit access (X86 and IA64). Other architectures pack the structs the
+same and don't need the compat wrapper. Use the same condition for
+drm_mode_fb_cmd2 as we use for drm_update_draw.
+
+Note that only the modifier will be packed differently between compat
+and non-compat versions.
+
+Reviewed-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Kristian H. Kristensen <hoegsberg@chromium.org>
+[seanpaul added not at bottom of commit msg re: modifier]
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: http://patchwork.freedesktop.org/patch/msgid/1473801645-116011-1-git-send-email-hoegsberg@chromium.org
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_ioc32.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/drm_ioc32.c
++++ b/drivers/gpu/drm/drm_ioc32.c
+@@ -1015,6 +1015,7 @@ static int compat_drm_wait_vblank(struct
+ return 0;
+ }
+
++#if defined(CONFIG_X86) || defined(CONFIG_IA64)
+ typedef struct drm_mode_fb_cmd232 {
+ u32 fb_id;
+ u32 width;
+@@ -1071,6 +1072,7 @@ static int compat_drm_mode_addfb2(struct
+
+ return 0;
+ }
++#endif
+
+ static drm_ioctl_compat_t *drm_compat_ioctls[] = {
+ [DRM_IOCTL_NR(DRM_IOCTL_VERSION32)] = compat_drm_version,
+@@ -1104,7 +1106,9 @@ static drm_ioctl_compat_t *drm_compat_io
+ [DRM_IOCTL_NR(DRM_IOCTL_UPDATE_DRAW32)] = compat_drm_update_draw,
+ #endif
+ [DRM_IOCTL_NR(DRM_IOCTL_WAIT_VBLANK32)] = compat_drm_wait_vblank,
++#if defined(CONFIG_X86) || defined(CONFIG_IA64)
+ [DRM_IOCTL_NR(DRM_IOCTL_MODE_ADDFB232)] = compat_drm_mode_addfb2,
++#endif
+ };
+
+ /**
--- /dev/null
+From d4690f1e1cdabb4d61207b6787b1605a0dc0aeab Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Fri, 16 Sep 2016 00:11:45 +0100
+Subject: fix iov_iter_fault_in_readable()
+
+From: Al Viro <viro@ZenIV.linux.org.uk>
+
+commit d4690f1e1cdabb4d61207b6787b1605a0dc0aeab upstream.
+
+... by turning it into what used to be multipages counterpart
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/uio.h | 2 +-
+ lib/iov_iter.c | 24 ++----------------------
+ 2 files changed, 3 insertions(+), 23 deletions(-)
+
+--- a/include/linux/uio.h
++++ b/include/linux/uio.h
+@@ -76,7 +76,7 @@ size_t iov_iter_copy_from_user_atomic(st
+ struct iov_iter *i, unsigned long offset, size_t bytes);
+ void iov_iter_advance(struct iov_iter *i, size_t bytes);
+ int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes);
+-int iov_iter_fault_in_multipages_readable(struct iov_iter *i, size_t bytes);
++#define iov_iter_fault_in_multipages_readable iov_iter_fault_in_readable
+ size_t iov_iter_single_seg_count(const struct iov_iter *i);
+ size_t copy_page_to_iter(struct page *page, size_t offset, size_t bytes,
+ struct iov_iter *i);
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -302,33 +302,13 @@ done:
+ }
+
+ /*
+- * Fault in the first iovec of the given iov_iter, to a maximum length
+- * of bytes. Returns 0 on success, or non-zero if the memory could not be
+- * accessed (ie. because it is an invalid address).
+- *
+- * writev-intensive code may want this to prefault several iovecs -- that
+- * would be possible (callers must not rely on the fact that _only_ the
+- * first iovec will be faulted with the current implementation).
+- */
+-int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes)
+-{
+- if (!(i->type & (ITER_BVEC|ITER_KVEC))) {
+- char __user *buf = i->iov->iov_base + i->iov_offset;
+- bytes = min(bytes, i->iov->iov_len - i->iov_offset);
+- return fault_in_pages_readable(buf, bytes);
+- }
+- return 0;
+-}
+-EXPORT_SYMBOL(iov_iter_fault_in_readable);
+-
+-/*
+ * Fault in one or more iovecs of the given iov_iter, to a maximum length of
+ * bytes. For each iovec, fault in each page that constitutes the iovec.
+ *
+ * Return 0 on success, or non-zero if the memory could not be accessed (i.e.
+ * because it is an invalid address).
+ */
+-int iov_iter_fault_in_multipages_readable(struct iov_iter *i, size_t bytes)
++int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes)
+ {
+ size_t skip = i->iov_offset;
+ const struct iovec *iov;
+@@ -345,7 +325,7 @@ int iov_iter_fault_in_multipages_readabl
+ }
+ return 0;
+ }
+-EXPORT_SYMBOL(iov_iter_fault_in_multipages_readable);
++EXPORT_SYMBOL(iov_iter_fault_in_readable);
+
+ void iov_iter_init(struct iov_iter *i, int direction,
+ const struct iovec *iov, unsigned long nr_segs,
--- /dev/null
+From 1c109fabbd51863475cd12ac206bdd249aee35af Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu, 15 Sep 2016 02:35:29 +0100
+Subject: fix minor infoleak in get_user_ex()
+
+From: Al Viro <viro@ZenIV.linux.org.uk>
+
+commit 1c109fabbd51863475cd12ac206bdd249aee35af upstream.
+
+get_user_ex(x, ptr) should zero x on failure. It's not a lot of a leak
+(at most we are leaking uninitialized 64bit value off the kernel stack,
+and in a fairly constrained situation, at that), but the fix is trivial,
+so...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+[ This sat in different branch from the uaccess fixes since mid-August ]
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/uaccess.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/uaccess.h
++++ b/arch/x86/include/asm/uaccess.h
+@@ -414,7 +414,11 @@ do { \
+ #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
+ asm volatile("1: mov"itype" %1,%"rtype"0\n" \
+ "2:\n" \
+- _ASM_EXTABLE_EX(1b, 2b) \
++ ".section .fixup,\"ax\"\n" \
++ "3:xor"itype" %"rtype"0,%"rtype"0\n" \
++ " jmp 2b\n" \
++ ".previous\n" \
++ _ASM_EXTABLE_EX(1b, 3b) \
+ : ltype(x) : "m" (__m(addr)))
+
+ #define __put_user_nocheck(x, ptr, size) \
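Review bot: The new fixup zeroes only the sub-register selected by `rtype` (`xor"itype" %"rtype"0,%"rtype"0`), so for byte and word loads the upper bits of the output operand keep whatever they held before the fault. Whether that matters depends on how the users of `__get_user_asm_ex()` narrow `x`, which is outside the hunk; if `x` can be wider than the access, clearing the full register is the conservative choice. Either way a comment above the macro would help: `/* On a fault the fixup at 3: zeroes the destination so no stale kernel stack data reaches the caller. */`.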
--- /dev/null
+From 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 18 Aug 2016 20:54:02 -0400
+Subject: frv: fix clear_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 upstream.
+
+It should check access_ok(). Otherwise a bunch of places turn into
+trivially exploitable rootholes.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/frv/include/asm/uaccess.h | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/arch/frv/include/asm/uaccess.h
++++ b/arch/frv/include/asm/uaccess.h
+@@ -263,19 +263,25 @@ do { \
+ extern long __memset_user(void *dst, unsigned long count);
+ extern long __memcpy_user(void *dst, const void *src, unsigned long count);
+
+-#define clear_user(dst,count) __memset_user(____force(dst), (count))
++#define __clear_user(dst,count) __memset_user(____force(dst), (count))
+ #define __copy_from_user_inatomic(to, from, n) __memcpy_user((to), ____force(from), (n))
+ #define __copy_to_user_inatomic(to, from, n) __memcpy_user(____force(to), (from), (n))
+
+ #else
+
+-#define clear_user(dst,count) (memset(____force(dst), 0, (count)), 0)
++#define __clear_user(dst,count) (memset(____force(dst), 0, (count)), 0)
+ #define __copy_from_user_inatomic(to, from, n) (memcpy((to), ____force(from), (n)), 0)
+ #define __copy_to_user_inatomic(to, from, n) (memcpy(____force(to), (from), (n)), 0)
+
+ #endif
+
+-#define __clear_user clear_user
++static inline unsigned long __must_check
++clear_user(void __user *to, unsigned long n)
++{
++ if (likely(__access_ok(to, n)))
++ n = __clear_user(to, n);
++ return n;
++}
+
+ static inline unsigned long __must_check
+ __copy_to_user(void __user *to, const void *from, unsigned long n)
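Review bot: After this change `__clear_user()` is the unchecked primitive and `clear_user()` carries the `__access_ok()` test, but nothing at the two `#define __clear_user` sites says so, and until now both names meant the same thing. A comment at those definitions, e.g. `/* No access_ok() check: caller must have validated dst/count. */`, would make the split hard to misuse. The new `clear_user()` would also benefit from a one-line description that it returns `n` unchanged when the range is rejected.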
--- /dev/null
+From ebf9ff753c041b296241990aef76163bbb2cc9c8 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Tue, 13 Sep 2016 15:58:28 +0200
+Subject: genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit ebf9ff753c041b296241990aef76163bbb2cc9c8 upstream.
+
+Some irqchip drivers need to take the generic chip lock outside of the
+irq context.
+
+Provide the irq_gc_{lock_irqsave,unlock_irqrestore}() helpers to allow
+one to disable irqs while entering a critical section protected by
+gc->lock.
+
+Note that we do not provide optimized version of these helpers for !SMP,
+because they are not called from the hot-path.
+
+[ tglx: Added a comment when these helpers should be [not] used ]
+
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Nicolas Ferre <nicolas.ferre@atmel.com>
+Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Link: http://lkml.kernel.org/r/1473775109-4192-1-git-send-email-boris.brezillon@free-electrons.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/irq.h | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/include/linux/irq.h
++++ b/include/linux/irq.h
+@@ -933,6 +933,16 @@ static inline void irq_gc_lock(struct ir
+ static inline void irq_gc_unlock(struct irq_chip_generic *gc) { }
+ #endif
+
++/*
++ * The irqsave variants are for usage in non interrupt code. Do not use
++ * them in irq_chip callbacks. Use irq_gc_lock() instead.
++ */
++#define irq_gc_lock_irqsave(gc, flags) \
++ raw_spin_lock_irqsave(&(gc)->lock, flags)
++
++#define irq_gc_unlock_irqrestore(gc, flags) \
++ raw_spin_unlock_irqrestore(&(gc)->lock, flags)
++
+ static inline void irq_reg_writel(struct irq_chip_generic *gc,
+ u32 val, int reg_offset)
+ {
--- /dev/null
+From f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 18 Aug 2016 21:16:49 -0400
+Subject: hexagon: fix strncpy_from_user() error return
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 upstream.
+
+It's -EFAULT, not -1 (and contrary to the comment in there,
+__strnlen_user() can return 0 - on faults).
+
+Acked-by: Richard Kuo <rkuo@codeaurora.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/hexagon/include/asm/uaccess.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/hexagon/include/asm/uaccess.h
++++ b/arch/hexagon/include/asm/uaccess.h
+@@ -103,7 +103,8 @@ static inline long hexagon_strncpy_from_
+ {
+ long res = __strnlen_user(src, n);
+
+- /* return from strnlen can't be zero -- that would be rubbish. */
++ if (unlikely(!res))
++ return -EFAULT;
+
+ if (res > n) {
+ copy_from_user(dst, src, n);
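Review bot: The `copy_from_user(dst, src, n);` call on the last visible line still discards its return value, so a fault that happens after `__strnlen_user()` has measured the string is not reported to the caller. Now that the zero-length case returns `-EFAULT`, the copy could do the same: `if (copy_from_user(dst, src, n)) return -EFAULT;`. The function body continues outside this hunk, so any further copy call below it would presumably need the same treatment.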
--- /dev/null
+From 5eb0d6eb3fac3daa60d9190eed9fa41cf809c756 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Tue, 13 Sep 2016 15:58:29 +0200
+Subject: irqchip/atmel-aic: Fix potential deadlock in ->xlate()
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit 5eb0d6eb3fac3daa60d9190eed9fa41cf809c756 upstream.
+
+aic5_irq_domain_xlate() and aic_irq_domain_xlate() take the generic chip
+lock without disabling interrupts, which can lead to a deadlock if an
+interrupt occurs while the lock is held in one of these functions.
+
+Replace irq_gc_{lock,unlock}() calls by
+irq_gc_{lock_irqsave,unlock_irqrestore}() ones to prevent this bug from
+happening.
+
+Fixes: b1479ebb7720 ("irqchip: atmel-aic: Add atmel AIC/AIC5 drivers")
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Nicolas Ferre <nicolas.ferre@atmel.com>
+Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Link: http://lkml.kernel.org/r/1473775109-4192-2-git-send-email-boris.brezillon@free-electrons.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-atmel-aic.c | 5 +++--
+ drivers/irqchip/irq-atmel-aic5.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/irqchip/irq-atmel-aic.c
++++ b/drivers/irqchip/irq-atmel-aic.c
+@@ -176,6 +176,7 @@ static int aic_irq_domain_xlate(struct i
+ {
+ struct irq_domain_chip_generic *dgc = d->gc;
+ struct irq_chip_generic *gc;
++ unsigned long flags;
+ unsigned smr;
+ int idx;
+ int ret;
+@@ -194,11 +195,11 @@ static int aic_irq_domain_xlate(struct i
+
+ gc = dgc->gc[idx];
+
+- irq_gc_lock(gc);
++ irq_gc_lock_irqsave(gc, flags);
+ smr = irq_reg_readl(gc, AT91_AIC_SMR(*out_hwirq));
+ aic_common_set_priority(intspec[2], &smr);
+ irq_reg_writel(gc, smr, AT91_AIC_SMR(*out_hwirq));
+- irq_gc_unlock(gc);
++ irq_gc_unlock_irqrestore(gc, flags);
+
+ return ret;
+ }
+--- a/drivers/irqchip/irq-atmel-aic5.c
++++ b/drivers/irqchip/irq-atmel-aic5.c
+@@ -258,6 +258,7 @@ static int aic5_irq_domain_xlate(struct
+ unsigned int *out_type)
+ {
+ struct irq_chip_generic *bgc = irq_get_domain_generic_chip(d, 0);
++ unsigned long flags;
+ unsigned smr;
+ int ret;
+
+@@ -269,12 +270,12 @@ static int aic5_irq_domain_xlate(struct
+ if (ret)
+ return ret;
+
+- irq_gc_lock(bgc);
++ irq_gc_lock_irqsave(bgc, flags);
+ irq_reg_writel(bgc, *out_hwirq, AT91_AIC5_SSR);
+ smr = irq_reg_readl(bgc, AT91_AIC5_SMR);
+ aic_common_set_priority(intspec[2], &smr);
+ irq_reg_writel(bgc, smr, AT91_AIC5_SMR);
+- irq_gc_unlock(bgc);
++ irq_gc_unlock_irqrestore(bgc, flags);
+
+ return ret;
+ }
--- /dev/null
+From 236dec051078a8691950f56949612b4b74107e48 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 1 Sep 2016 16:14:47 -0700
+Subject: kconfig: tinyconfig: provide whole choice blocks to avoid warnings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 236dec051078a8691950f56949612b4b74107e48 upstream.
+
+Using "make tinyconfig" produces a couple of annoying warnings that show
+up for build test machines all the time:
+
+ .config:966:warning: override: NOHIGHMEM changes choice state
+ .config:965:warning: override: SLOB changes choice state
+ .config:963:warning: override: KERNEL_XZ changes choice state
+ .config:962:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state
+ .config:933:warning: override: SLOB changes choice state
+ .config:930:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state
+ .config:870:warning: override: SLOB changes choice state
+ .config:868:warning: override: KERNEL_XZ changes choice state
+ .config:867:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state
+
+I've made a previous attempt at fixing them and we discussed a number of
+alternatives.
+
+I tried changing the Makefile to use "merge_config.sh -n
+$(fragment-list)" but couldn't get that to work properly.
+
+This is yet another approach, based on the observation that we do want
+to see a warning for conflicting 'choice' options, and that we can
+simply make them non-conflicting by listing all other options as
+disabled. This is a trivial patch that we can apply independent of
+plans for other changes.
+
+Link: http://lkml.kernel.org/r/20160829214952.1334674-2-arnd@arndb.de
+Link: https://storage.kernelci.org/mainline/v4.7-rc6/x86-tinyconfig/build.log
+https://patchwork.kernel.org/patch/9212749/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Josh Triplett <josh@joshtriplett.org>
+Reviewed-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Acked-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/configs/tiny.config | 2 ++
+ kernel/configs/tiny.config | 8 ++++++++
+ 2 files changed, 10 insertions(+)
+
+--- a/arch/x86/configs/tiny.config
++++ b/arch/x86/configs/tiny.config
+@@ -1 +1,3 @@
+ CONFIG_NOHIGHMEM=y
++# CONFIG_HIGHMEM4G is not set
++# CONFIG_HIGHMEM64G is not set
+--- a/kernel/configs/tiny.config
++++ b/kernel/configs/tiny.config
+@@ -1,4 +1,12 @@
++# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
+ CONFIG_CC_OPTIMIZE_FOR_SIZE=y
++# CONFIG_KERNEL_GZIP is not set
++# CONFIG_KERNEL_BZIP2 is not set
++# CONFIG_KERNEL_LZMA is not set
+ CONFIG_KERNEL_XZ=y
++# CONFIG_KERNEL_LZO is not set
++# CONFIG_KERNEL_LZ4 is not set
+ CONFIG_OPTIMIZE_INLINING=y
++# CONFIG_SLAB is not set
++# CONFIG_SLUB is not set
+ CONFIG_SLOB=y
--- /dev/null
+From c90a3bc5061d57e7931a9b7ad14784e1a0ed497d Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 9 Sep 2016 19:20:13 -0400
+Subject: m32r: fix __get_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit c90a3bc5061d57e7931a9b7ad14784e1a0ed497d upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/m32r/include/asm/uaccess.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/m32r/include/asm/uaccess.h
++++ b/arch/m32r/include/asm/uaccess.h
+@@ -219,7 +219,7 @@ extern int fixup_exception(struct pt_reg
+ #define __get_user_nocheck(x, ptr, size) \
+ ({ \
+ long __gu_err = 0; \
+- unsigned long __gu_val; \
++ unsigned long __gu_val = 0; \
+ might_fault(); \
+ __get_user_size(__gu_val, (ptr), (size), __gu_err); \
+ (x) = (__force __typeof__(*(ptr)))__gu_val; \
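Review bot: The `__gu_val = 0` initialiser carries no comment and the commit message is empty, so the reason for it is easy to lose in a later cleanup. The value is assigned to `(x)` unconditionally two lines further down, so without the initialiser a faulting read would presumably hand the caller whatever was left on the kernel stack. A short comment above the declaration, such as `/* zeroed so a faulting read never exposes uninitialised stack through (x) */`, would record that. The same applies to the `__gu_val = 0` and `__x = 0` changes in the microblaze, nios2 and s390 patches below. The macro body continues outside this hunk.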
--- /dev/null
+From 8ae95ed4ae5fc7c3391ed668b2014c9e2079533b Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 18 Aug 2016 22:08:20 -0400
+Subject: metag: copy_from_user() should zero the destination on access_ok() failure
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 8ae95ed4ae5fc7c3391ed668b2014c9e2079533b upstream.
+
+Acked-by: James Hogan <james.hogan@imgtec.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/metag/include/asm/uaccess.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/metag/include/asm/uaccess.h
++++ b/arch/metag/include/asm/uaccess.h
+@@ -204,8 +204,9 @@ extern unsigned long __must_check __copy
+ static inline unsigned long
+ copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+- if (access_ok(VERIFY_READ, from, n))
++ if (likely(access_ok(VERIFY_READ, from, n)))
+ return __copy_user_zeroing(to, from, n);
++ memset(to, 0, n);
+ return n;
+ }
+
--- /dev/null
+From e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 9 Sep 2016 19:23:33 -0400
+Subject: microblaze: fix __get_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/microblaze/include/asm/uaccess.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/microblaze/include/asm/uaccess.h
++++ b/arch/microblaze/include/asm/uaccess.h
+@@ -227,7 +227,7 @@ extern long __user_bad(void);
+
+ #define __get_user(x, ptr) \
+ ({ \
+- unsigned long __gu_val; \
++ unsigned long __gu_val = 0; \
+ /*unsigned long __gu_ptr = (unsigned long)(ptr);*/ \
+ long __gu_err; \
+ switch (sizeof(*(ptr))) { \
--- /dev/null
+From d0cf385160c12abd109746cad1f13e3b3e8b50b8 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 9 Sep 2016 19:22:34 -0400
+Subject: microblaze: fix copy_from_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit d0cf385160c12abd109746cad1f13e3b3e8b50b8 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/microblaze/include/asm/uaccess.h | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/microblaze/include/asm/uaccess.h
++++ b/arch/microblaze/include/asm/uaccess.h
+@@ -373,10 +373,13 @@ extern long __user_bad(void);
+ static inline long copy_from_user(void *to,
+ const void __user *from, unsigned long n)
+ {
++ unsigned long res = n;
+ might_fault();
+- if (access_ok(VERIFY_READ, from, n))
+- return __copy_from_user(to, from, n);
+- return n;
++ if (likely(access_ok(VERIFY_READ, from, n)))
++ res = __copy_from_user(to, from, n);
++ if (unlikely(res))
++ memset(to + (n - res), 0, res);
++ return res;
+ }
+
+ #define __copy_to_user(to, from, n) \
--- /dev/null
+From e69d700535ac43a18032b3c399c69bf4639e89a2 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 16:18:53 -0400
+Subject: mips: copy_from_user() must zero the destination on access_ok() failure
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit e69d700535ac43a18032b3c399c69bf4639e89a2 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/uaccess.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/mips/include/asm/uaccess.h
++++ b/arch/mips/include/asm/uaccess.h
+@@ -14,6 +14,7 @@
+ #include <linux/kernel.h>
+ #include <linux/errno.h>
+ #include <linux/thread_info.h>
++#include <linux/string.h>
+ #include <asm/asm-eva.h>
+
+ /*
+@@ -1170,6 +1171,8 @@ extern size_t __copy_in_user_eva(void *_
+ __cu_len = __invoke_copy_from_user(__cu_to, \
+ __cu_from, \
+ __cu_len); \
++ } else { \
++ memset(__cu_to, 0, __cu_len); \
+ } \
+ } \
+ __cu_len; \
--- /dev/null
+From 3ae50f4512ce831e8b63eb54ad969417ff30ada7 Mon Sep 17 00:00:00 2001
+From: Lee Jones <lee.jones@linaro.org>
+Date: Thu, 8 Sep 2016 11:11:36 +0200
+Subject: mmc: sdhci-st: Handle interconnect clock
+
+From: Lee Jones <lee.jones@linaro.org>
+
+commit 3ae50f4512ce831e8b63eb54ad969417ff30ada7 upstream.
+
+Some ST platforms contain interconnect (ICN) clocks which must be handed
+correctly in order to obtain full functionality of a given IP. In this
+case, if the ICN clocks are not handled properly by the ST SDHCI driver
+MMC will break and the following output can be observed:
+
+ [ 13.916949] mmc0: Timeout waiting for hardware interrupt.
+ [ 13.922349] sdhci: =========== REGISTER DUMP (mmc0)===========
+ [ 13.928175] sdhci: Sys addr: 0x00000000 | Version: 0x00001002
+ [ 13.933999] sdhci: Blk size: 0x00007040 | Blk cnt: 0x00000001
+ [ 13.939825] sdhci: Argument: 0x00fffff0 | Trn mode: 0x00000013
+ [ 13.945650] sdhci: Present: 0x1fff0206 | Host ctl: 0x00000011
+ [ 13.951475] sdhci: Power: 0x0000000f | Blk gap: 0x00000080
+ [ 13.957300] sdhci: Wake-up: 0x00000000 | Clock: 0x00003f07
+ [ 13.963126] sdhci: Timeout: 0x00000004 | Int stat: 0x00000000
+ [ 13.968952] sdhci: Int enab: 0x02ff008b | Sig enab: 0x02ff008b
+ [ 13.974777] sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000
+ [ 13.980602] sdhci: Caps: 0x21ed3281 | Caps_1: 0x00000000
+ [ 13.986428] sdhci: Cmd: 0x0000063a | Max curr: 0x00000000
+ [ 13.992252] sdhci: Host ctl2: 0x00000000
+ [ 13.996166] sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x7c048200
+ [ 14.001990] sdhci: ===========================================
+ [ 14.009802] mmc0: Got data interrupt 0x02000000 even though no data operation was in progress.
+
+A decent point was raised about minimising the use of a local variable that
+we 'could' do without. I've chosen consistency over the possibility of
+reducing the local variable count by 1. Thinking that it's more important
+for the code to be grouped and authoured in a similar manner/style for
+greater maintainability/readability.
+
+Tested-by: Peter Griffin <peter.griffin@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-st.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-st.c
++++ b/drivers/mmc/host/sdhci-st.c
+@@ -28,6 +28,7 @@
+
+ struct st_mmc_platform_data {
+ struct reset_control *rstc;
++ struct clk *icnclk;
+ void __iomem *top_ioaddr;
+ };
+
+@@ -353,7 +354,7 @@ static int sdhci_st_probe(struct platfor
+ struct sdhci_host *host;
+ struct st_mmc_platform_data *pdata;
+ struct sdhci_pltfm_host *pltfm_host;
+- struct clk *clk;
++ struct clk *clk, *icnclk;
+ int ret = 0;
+ u16 host_version;
+ struct resource *res;
+@@ -365,6 +366,11 @@ static int sdhci_st_probe(struct platfor
+ return PTR_ERR(clk);
+ }
+
++ /* ICN clock isn't compulsory, but use it if it's provided. */
++ icnclk = devm_clk_get(&pdev->dev, "icn");
++ if (IS_ERR(icnclk))
++ icnclk = NULL;
++
+ rstc = devm_reset_control_get(&pdev->dev, NULL);
+ if (IS_ERR(rstc))
+ rstc = NULL;
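Review bot: Mapping every error from `devm_clk_get(&pdev->dev, "icn")` to `NULL` also hides `-EPROBE_DEFER`, so on a platform that does describe an ICN clock whose provider has not probed yet, the driver would carry on without it and may hit the timeout shown in the commit message. Propagating that one case keeps the clock optional: add `if (PTR_ERR(icnclk) == -EPROBE_DEFER) return -EPROBE_DEFER;` before `icnclk = NULL;`. The return value of `clk_prepare_enable(icnclk)` in the next hunk is also ignored, so a failure to enable the clock goes unnoticed. `sdhci_st_probe()` starts and ends outside this hunk.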
+@@ -389,6 +395,7 @@ static int sdhci_st_probe(struct platfor
+ }
+
+ clk_prepare_enable(clk);
++ clk_prepare_enable(icnclk);
+
+ /* Configure the FlashSS Top registers for setting eMMC TX/RX delay */
+ res = platform_get_resource_byname(pdev, IORESOURCE_MEM,
+@@ -400,6 +407,7 @@ static int sdhci_st_probe(struct platfor
+ }
+
+ pltfm_host->clk = clk;
++ pdata->icnclk = icnclk;
+
+ /* Configure the Arasan HC inside the flashSS */
+ st_mmcss_cconfig(np, host);
+@@ -422,6 +430,7 @@ static int sdhci_st_probe(struct platfor
+ return 0;
+
+ err_out:
++ clk_disable_unprepare(icnclk);
+ clk_disable_unprepare(clk);
+ err_of:
+ sdhci_pltfm_free(pdev);
+@@ -442,6 +451,8 @@ static int sdhci_st_remove(struct platfo
+
+ ret = sdhci_pltfm_unregister(pdev);
+
++ clk_disable_unprepare(pdata->icnclk);
++
+ if (rstc)
+ reset_control_assert(rstc);
+
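Review bot: `clk_disable_unprepare(pdata->icnclk);` reads `pdata` after `sdhci_pltfm_unregister(pdev)` has returned, whereas the neighbouring reset handling uses a local `rstc` rather than `pdata->rstc`. If `pdata` lives in the host's private area and the unregister call releases it (not visible in this hunk), this is a read of freed memory. Caching the pointer first avoids the question: declare `struct clk *icnclk = pdata->icnclk;` with the other locals and call `clk_disable_unprepare(icnclk);`. The declarations of `sdhci_st_remove()` are outside this hunk.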
+@@ -462,6 +473,7 @@ static int sdhci_st_suspend(struct devic
+ if (pdata->rstc)
+ reset_control_assert(pdata->rstc);
+
++ clk_disable_unprepare(pdata->icnclk);
+ clk_disable_unprepare(pltfm_host->clk);
+ out:
+ return ret;
+@@ -475,6 +487,7 @@ static int sdhci_st_resume(struct device
+ struct device_node *np = dev->of_node;
+
+ clk_prepare_enable(pltfm_host->clk);
++ clk_prepare_enable(pdata->icnclk);
+
+ if (pdata->rstc)
+ reset_control_deassert(pdata->rstc);
--- /dev/null
+From ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 16:33:10 -0400
+Subject: mn10300: copy_from_user() should zero on access_ok() failure...
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mn10300/lib/usercopy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/mn10300/lib/usercopy.c
++++ b/arch/mn10300/lib/usercopy.c
+@@ -9,7 +9,7 @@
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+-#include <asm/uaccess.h>
++#include <linux/uaccess.h>
+
+ unsigned long
+ __generic_copy_to_user(void *to, const void *from, unsigned long n)
+@@ -24,6 +24,8 @@ __generic_copy_from_user(void *to, const
+ {
+ if (access_ok(VERIFY_READ, from, n))
+ __copy_user_zeroing(to, from, n);
++ else
++ memset(to, 0, n);
+ return n;
+ }
+
--- /dev/null
+From 43403eabf558d2800b429cd886e996fd555aa542 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 16:32:02 -0400
+Subject: mn10300: failing __get_user() and get_user() should zero
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 43403eabf558d2800b429cd886e996fd555aa542 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mn10300/include/asm/uaccess.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mn10300/include/asm/uaccess.h
++++ b/arch/mn10300/include/asm/uaccess.h
+@@ -166,6 +166,7 @@ struct __large_struct { unsigned long bu
+ "2:\n" \
+ " .section .fixup,\"ax\"\n" \
+ "3:\n\t" \
++ " mov 0,%1\n" \
+ " mov %3,%0\n" \
+ " jmp 2b\n" \
+ " .previous\n" \
--- /dev/null
+From 3610a2add39365a0f153154c60169a66c616d50f Mon Sep 17 00:00:00 2001
+From: Mike Danese <mikedanese@google.com>
+Date: Thu, 19 May 2016 21:54:51 -0700
+Subject: mpssd: fix buffer overflow warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mike Danese <mikedanese@google.com>
+
+commit 3610a2add39365a0f153154c60169a66c616d50f upstream.
+
+The compilation emits a warning in function ‘snprintf’,
+ inlined from ‘set_cmdline’ at
+ ../Documentation/mic/mpssd/mpssd.c:1541:9:
+/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10:
+ warning: call to __builtin___snprintf_chk will always overflow
+ destination buffer
+
+This was introduced in commit f4a66c204482 ("misc: mic: Update MIC host
+daemon with COSM changes") and is fixed by reverting the changes to the
+size argument of these snprintf statements.
+
+Cc: Ashutosh Dixit <ashutosh.dixit@intel.com>
+Signed-off-by: Mike Danese <mikedanese@google.com>
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/mic/mpssd/mpssd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/Documentation/mic/mpssd/mpssd.c
++++ b/Documentation/mic/mpssd/mpssd.c
+@@ -1538,9 +1538,9 @@ set_cmdline(struct mic_info *mic)
+
+ len = snprintf(buffer, PATH_MAX,
+ "clocksource=tsc highres=off nohz=off ");
+- len += snprintf(buffer + len, PATH_MAX,
++ len += snprintf(buffer + len, PATH_MAX - len,
+ "cpufreq_on;corec6_off;pc3_off;pc6_off ");
+- len += snprintf(buffer + len, PATH_MAX,
++ len += snprintf(buffer + len, PATH_MAX - len,
+ "ifcfg=static;address,172.31.%d.1;netmask,255.255.255.0",
+ mic->id + 1);
+
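Review bot: `PATH_MAX - len` is only a valid bound while `len` stays below `PATH_MAX`, and `snprintf()` returns the length the output would have had, not the number of bytes stored. The literals here are short, so truncation cannot occur today. If a longer or variable string is appended later, `len` can exceed `PATH_MAX`, and the subtraction then becomes a very large size once converted to `size_t`. A guard after each call, e.g. `if (len >= PATH_MAX) return;`, would keep the pattern safe; how `set_cmdline()` reports errors is outside this hunk, so the exact exit would need adjusting.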
--- /dev/null
+From e33d1f6f72cc82fcfc3d1fb20c9e3ad83b1928fa Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 16:36:36 -0400
+Subject: nios2: copy_from_user() should zero the tail of destination
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit e33d1f6f72cc82fcfc3d1fb20c9e3ad83b1928fa upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/nios2/include/asm/uaccess.h | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/nios2/include/asm/uaccess.h
++++ b/arch/nios2/include/asm/uaccess.h
+@@ -102,9 +102,12 @@ extern long __copy_to_user(void __user *
+ static inline long copy_from_user(void *to, const void __user *from,
+ unsigned long n)
+ {
+- if (!access_ok(VERIFY_READ, from, n))
+- return n;
+- return __copy_from_user(to, from, n);
++ unsigned long res = n;
++ if (access_ok(VERIFY_READ, from, n))
++ res = __copy_from_user(to, from, n);
++ if (unlikely(res))
++ memset(to + (n - res), 0, res);
++ return res;
+ }
+
+ static inline long copy_to_user(void __user *to, const void *from,
--- /dev/null
+From 2e29f50ad5e23db37dde9be71410d95d50241ecd Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 16:39:01 -0400
+Subject: nios2: fix __get_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 2e29f50ad5e23db37dde9be71410d95d50241ecd upstream.
+
+a) should not leave crap on fault
+b) should _not_ require access_ok() in any cases.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/nios2/include/asm/uaccess.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/nios2/include/asm/uaccess.h
++++ b/arch/nios2/include/asm/uaccess.h
+@@ -139,7 +139,7 @@ extern long strnlen_user(const char __us
+
+ #define __get_user_unknown(val, size, ptr, err) do { \
+ err = 0; \
+- if (copy_from_user(&(val), ptr, size)) { \
++ if (__copy_from_user(&(val), ptr, size)) { \
+ err = -EFAULT; \
+ } \
+ } while (0)
+@@ -166,7 +166,7 @@ do { \
+ ({ \
+ long __gu_err = -EFAULT; \
+ const __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \
+- unsigned long __gu_val; \
++ unsigned long __gu_val = 0; \
+ __get_user_common(__gu_val, sizeof(*(ptr)), __gu_ptr, __gu_err);\
+ (x) = (__force __typeof__(x))__gu_val; \
+ __gu_err; \
--- /dev/null
+From acb2505d0119033a80c85ac8d02dccae41271667 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 17:05:21 -0400
+Subject: openrisc: fix copy_from_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit acb2505d0119033a80c85ac8d02dccae41271667 upstream.
+
+... that should zero on faults. Also remove the <censored> helpful
+logics wrt range truncation copied from ppc32. Where it had ever
+been needed only in case of copy_from_user() *and* had not been merged
+into the mainline until a month after the need had disappeared.
+A decade before openrisc went into mainline, I might add...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/openrisc/include/asm/uaccess.h | 33 ++++++++++-----------------------
+ 1 file changed, 10 insertions(+), 23 deletions(-)
+
+--- a/arch/openrisc/include/asm/uaccess.h
++++ b/arch/openrisc/include/asm/uaccess.h
+@@ -273,28 +273,20 @@ __copy_tofrom_user(void *to, const void
+ static inline unsigned long
+ copy_from_user(void *to, const void *from, unsigned long n)
+ {
+- unsigned long over;
++ unsigned long res = n;
+
+- if (access_ok(VERIFY_READ, from, n))
+- return __copy_tofrom_user(to, from, n);
+- if ((unsigned long)from < TASK_SIZE) {
+- over = (unsigned long)from + n - TASK_SIZE;
+- return __copy_tofrom_user(to, from, n - over) + over;
+- }
+- return n;
++ if (likely(access_ok(VERIFY_READ, from, n)))
++ n = __copy_tofrom_user(to, from, n);
++ if (unlikely(res))
++ memset(to + (n - res), 0, res);
++ return res;
+ }
+
+ static inline unsigned long
+ copy_to_user(void *to, const void *from, unsigned long n)
+ {
+- unsigned long over;
+-
+- if (access_ok(VERIFY_WRITE, to, n))
+- return __copy_tofrom_user(to, from, n);
+- if ((unsigned long)to < TASK_SIZE) {
+- over = (unsigned long)to + n - TASK_SIZE;
+- return __copy_tofrom_user(to, from, n - over) + over;
+- }
++ if (likely(access_ok(VERIFY_WRITE, to, n)))
++ n = __copy_tofrom_user(to, from, n);
+ return n;
+ }
+
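Review bot: In the new `copy_from_user()` the result of `__copy_tofrom_user()` is stored in `n` instead of `res`, so `res` always keeps the original length. After a fully successful copy `n` is 0 and `res` is non-zero, so `memset(to + (n - res), 0, res)` starts `res` bytes before `to` and zeroes memory outside the destination. The function then returns `res`, which tells the caller that nothing was copied. The assignment should read `res = __copy_tofrom_user(to, from, n);`, matching the microblaze, nios2 and score versions of the same fix in this series. `copy_to_user()` and `clear_user()` in this patch do not have the problem.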
+@@ -303,13 +295,8 @@ extern unsigned long __clear_user(void *
+ static inline __must_check unsigned long
+ clear_user(void *addr, unsigned long size)
+ {
+-
+- if (access_ok(VERIFY_WRITE, addr, size))
+- return __clear_user(addr, size);
+- if ((unsigned long)addr < TASK_SIZE) {
+- unsigned long over = (unsigned long)addr + size - TASK_SIZE;
+- return __clear_user(addr, size - over) + over;
+- }
++ if (likely(access_ok(VERIFY_WRITE, addr, size)))
++ size = __clear_user(addr, size);
+ return size;
+ }
+
--- /dev/null
+From aace880feea38875fbc919761b77e5732a3659ef Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 19:03:37 -0400
+Subject: parisc: fix copy_from_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit aace880feea38875fbc919761b77e5732a3659ef upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/asm/uaccess.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/include/asm/uaccess.h
++++ b/arch/parisc/include/asm/uaccess.h
+@@ -10,6 +10,7 @@
+ #include <asm-generic/uaccess-unaligned.h>
+
+ #include <linux/bug.h>
++#include <linux/string.h>
+
+ #define VERIFY_READ 0
+ #define VERIFY_WRITE 1
+@@ -221,13 +222,14 @@ static inline unsigned long __must_check
+ unsigned long n)
+ {
+ int sz = __compiletime_object_size(to);
+- int ret = -EFAULT;
++ unsigned long ret = n;
+
+ if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
+ ret = __copy_from_user(to, from, n);
+ else
+ copy_from_user_overflow();
+-
++ if (unlikely(ret))
++ memset(to + (n - ret), 0, ret);
+ return ret;
+ }
+
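Review bot: In the `else` branch `ret` is still `n`, so the new `memset(to + (n - ret), 0, ret)` zeroes `n` bytes at `to` in exactly the case where the condition has established that the destination object is smaller than `n`. Whether that branch can be reached at run time depends on how `copy_from_user_overflow()` is declared (a build error versus a warning), which is not visible here. If it can, leaving before the memset, e.g. `else { copy_from_user_overflow(); return n; }`, or limiting the memset to `sz` bytes, would avoid writing past the object. The function signature starts outside this hunk.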
--- /dev/null
+From fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 21 Aug 2016 22:00:54 -0400
+Subject: s390: get_user() should zero on failure
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/include/asm/uaccess.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/s390/include/asm/uaccess.h
++++ b/arch/s390/include/asm/uaccess.h
+@@ -209,28 +209,28 @@ int __put_user_bad(void) __attribute__((
+ __chk_user_ptr(ptr); \
+ switch (sizeof(*(ptr))) { \
+ case 1: { \
+- unsigned char __x; \
++ unsigned char __x = 0; \
+ __gu_err = __get_user_fn(&__x, ptr, \
+ sizeof(*(ptr))); \
+ (x) = *(__force __typeof__(*(ptr)) *) &__x; \
+ break; \
+ }; \
+ case 2: { \
+- unsigned short __x; \
++ unsigned short __x = 0; \
+ __gu_err = __get_user_fn(&__x, ptr, \
+ sizeof(*(ptr))); \
+ (x) = *(__force __typeof__(*(ptr)) *) &__x; \
+ break; \
+ }; \
+ case 4: { \
+- unsigned int __x; \
++ unsigned int __x = 0; \
+ __gu_err = __get_user_fn(&__x, ptr, \
+ sizeof(*(ptr))); \
+ (x) = *(__force __typeof__(*(ptr)) *) &__x; \
+ break; \
+ }; \
+ case 8: { \
+- unsigned long long __x; \
++ unsigned long long __x = 0; \
+ __gu_err = __get_user_fn(&__x, ptr, \
+ sizeof(*(ptr))); \
+ (x) = *(__force __typeof__(*(ptr)) *) &__x; \
--- /dev/null
+From c2f18fa4cbb3ad92e033a24efa27583978ce9600 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 21 Aug 2016 22:13:39 -0400
+Subject: score: fix __get_user/get_user
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit c2f18fa4cbb3ad92e033a24efa27583978ce9600 upstream.
+
+* should zero on any failure
+* __get_user() should use __copy_from_user(), not copy_from_user()
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/score/include/asm/uaccess.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/score/include/asm/uaccess.h
++++ b/arch/score/include/asm/uaccess.h
+@@ -163,7 +163,7 @@ do { \
+ __get_user_asm(val, "lw", ptr); \
+ break; \
+ case 8: \
+- if ((copy_from_user((void *)&val, ptr, 8)) == 0) \
++ if (__copy_from_user((void *)&val, ptr, 8) == 0) \
+ __gu_err = 0; \
+ else \
+ __gu_err = -EFAULT; \
+@@ -188,6 +188,8 @@ do { \
+ \
+ if (likely(access_ok(VERIFY_READ, __gu_ptr, size))) \
+ __get_user_common((x), size, __gu_ptr); \
++ else \
++ (x) = 0; \
+ \
+ __gu_err; \
+ })
+@@ -201,6 +203,7 @@ do { \
+ "2:\n" \
+ ".section .fixup,\"ax\"\n" \
+ "3:li %0, %4\n" \
++ "li %1, 0\n" \
+ "j 2b\n" \
+ ".previous\n" \
+ ".section __ex_table,\"a\"\n" \
--- /dev/null
+From b615e3c74621e06cd97f86373ca90d43d6d998aa Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 21 Aug 2016 22:30:44 -0400
+Subject: score: fix copy_from_user() and friends
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit b615e3c74621e06cd97f86373ca90d43d6d998aa upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/score/include/asm/uaccess.h | 41 +++++++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 21 deletions(-)
+
+--- a/arch/score/include/asm/uaccess.h
++++ b/arch/score/include/asm/uaccess.h
+@@ -301,35 +301,34 @@ extern int __copy_tofrom_user(void *to,
+ static inline unsigned long
+ copy_from_user(void *to, const void *from, unsigned long len)
+ {
+- unsigned long over;
++ unsigned long res = len;
+
+- if (access_ok(VERIFY_READ, from, len))
+- return __copy_tofrom_user(to, from, len);
++ if (likely(access_ok(VERIFY_READ, from, len)))
++ res = __copy_tofrom_user(to, from, len);
+
+- if ((unsigned long)from < TASK_SIZE) {
+- over = (unsigned long)from + len - TASK_SIZE;
+- return __copy_tofrom_user(to, from, len - over) + over;
+- }
+- return len;
++ if (unlikely(res))
++ memset(to + (len - res), 0, res);
++
++ return res;
+ }
+
+ static inline unsigned long
+ copy_to_user(void *to, const void *from, unsigned long len)
+ {
+- unsigned long over;
+-
+- if (access_ok(VERIFY_WRITE, to, len))
+- return __copy_tofrom_user(to, from, len);
++ if (likely(access_ok(VERIFY_WRITE, to, len)))
++ len = __copy_tofrom_user(to, from, len);
+
+- if ((unsigned long)to < TASK_SIZE) {
+- over = (unsigned long)to + len - TASK_SIZE;
+- return __copy_tofrom_user(to, from, len - over) + over;
+- }
+ return len;
+ }
+
+-#define __copy_from_user(to, from, len) \
+- __copy_tofrom_user((to), (from), (len))
++static inline unsigned long
++__copy_from_user(void *to, const void *from, unsigned long len)
++{
++ unsigned long left = __copy_tofrom_user(to, from, len);
++ if (unlikely(left))
++ memset(to + (len - left), 0, left);
++ return left;
++}
+
+ #define __copy_to_user(to, from, len) \
+ __copy_tofrom_user((to), (from), (len))
+@@ -343,17 +342,17 @@ __copy_to_user_inatomic(void *to, const
+ static inline unsigned long
+ __copy_from_user_inatomic(void *to, const void *from, unsigned long len)
+ {
+- return __copy_from_user(to, from, len);
++ return __copy_tofrom_user(to, from, len);
+ }
+
+-#define __copy_in_user(to, from, len) __copy_from_user(to, from, len)
++#define __copy_in_user(to, from, len) __copy_tofrom_user(to, from, len)
+
+ static inline unsigned long
+ copy_in_user(void *to, const void *from, unsigned long len)
+ {
+ if (access_ok(VERIFY_READ, from, len) &&
+ access_ok(VERFITY_WRITE, to, len))
+- return copy_from_user(to, from, len);
++ return __copy_tofrom_user(to, from, len);
+ }
+
+ /*
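Review bot: `copy_in_user()` has a return statement only inside the `if`, so when either `access_ok()` check fails the function falls off the end of a non-void function. The caller then reads an undefined value where it expects a count of uncopied bytes. Adding `return len;` after the `if` would report the failure in the same way as `copy_to_user()` above. The second check is also spelled `VERFITY_WRITE` on an unchanged line, which presumably only builds because `access_ok()` discards its first argument; `VERIFY_WRITE` is what is meant.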
x86-efi-use-efi_exit_boot_services.patch
powerpc-32-fix-csum_partial_copy_generic.patch
powerpc-32-fix-again-csum_partial_copy_generic.patch
+mpssd-fix-buffer-overflow-warning.patch
+kconfig-tinyconfig-provide-whole-choice-blocks-to-avoid-warnings.patch
+drm-atmel-hlcdc-fix-vertical-scaling.patch
+drm-i915-ignore-opregion-panel-type-except-on-select-machines.patch
+drm-only-use-compat-ioctl-for-addfb2-on-x86-ia64.patch
+svcauth_gss-revert-64c59a3726f2-remove-unnecessary-allocation.patch
+mmc-sdhci-st-handle-interconnect-clock.patch
+genirq-provide-irq_gc_-lock_irqsave-unlock_irqrestore-helpers.patch
+irqchip-atmel-aic-fix-potential-deadlock-in-xlate.patch
+fix-iov_iter_fault_in_readable.patch
+microblaze-fix-__get_user.patch
+avr32-fix-copy_from_user.patch
+microblaze-fix-copy_from_user.patch
+fix-minor-infoleak-in-get_user_ex.patch
+mn10300-failing-__get_user-and-get_user-should-zero.patch
+m32r-fix-__get_user.patch
+sh64-failing-__get_user-should-zero.patch
+nios2-fix-__get_user.patch
+score-fix-__get_user-get_user.patch
+s390-get_user-should-zero-on-failure.patch
+arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch
+asm-generic-make-get_user-clear-the-destination-on-errors.patch
+frv-fix-clear_user.patch
+cris-buggered-copy_from_user-copy_to_user-clear_user.patch
+blackfin-fix-copy_from_user.patch
+score-fix-copy_from_user-and-friends.patch
+sh-fix-copy_from_user.patch
+sh-cmpxchg-fix-a-bit-shift-bug-in-big_endian-os.patch
+hexagon-fix-strncpy_from_user-error-return.patch
+mips-copy_from_user-must-zero-the-destination-on-access_ok-failure.patch
+asm-generic-make-copy_from_user-zero-the-destination-properly.patch
+alpha-fix-copy_from_user.patch
+metag-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch
+parisc-fix-copy_from_user.patch
+openrisc-fix-copy_from_user.patch
+nios2-copy_from_user-should-zero-the-tail-of-destination.patch
+mn10300-copy_from_user-should-zero-on-access_ok-failure.patch
--- /dev/null
+From ff18143ceed3424b7d6cdb8659b9692fa734f0d8 Mon Sep 17 00:00:00 2001
+From: Pan Xinhui <xinhui.pan@linux.vnet.ibm.com>
+Date: Wed, 20 Apr 2016 14:41:00 +0800
+Subject: sh: cmpxchg: fix a bit shift bug in big_endian os
+
+From: Pan Xinhui <xinhui.pan@linux.vnet.ibm.com>
+
+commit ff18143ceed3424b7d6cdb8659b9692fa734f0d8 upstream.
+
+Correct bitoff in big endian OS.
+Current code works correctly for 1 byte but not for 2 bytes.
+
+Fixes: 3226aad81aa6 ("sh: support 1 and 2 byte xchg")
+Signed-off-by: Pan Xinhui <xinhui.pan@linux.vnet.ibm.com>
+Acked-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Rich Felker <dalias@libc.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/sh/include/asm/cmpxchg-xchg.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sh/include/asm/cmpxchg-xchg.h
++++ b/arch/sh/include/asm/cmpxchg-xchg.h
+@@ -21,7 +21,7 @@ static inline u32 __xchg_cmpxchg(volatil
+ int off = (unsigned long)ptr % sizeof(u32);
+ volatile u32 *p = ptr - off;
+ #ifdef __BIG_ENDIAN
+- int bitoff = (sizeof(u32) - 1 - off) * BITS_PER_BYTE;
++ int bitoff = (sizeof(u32) - size - off) * BITS_PER_BYTE;
+ #else
+ int bitoff = off * BITS_PER_BYTE;
+ #endif
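Review bot: The new big-endian expression `(sizeof(u32) - size - off) * BITS_PER_BYTE` is evaluated in `size_t`, so it wraps to a very large value whenever `off + size` exceeds `sizeof(u32)`, and the shift count derived from it would be out of range. That cannot happen for naturally aligned 1- and 2-byte operands, but nothing in the hunk enforces the alignment, and the rest of `__xchg_cmpxchg()` lies outside the hunk. I would state the precondition next to the computation, e.g. `/* ptr must be size-aligned, so off + size <= sizeof(u32) */`, or assert it at the top of the function.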
--- /dev/null
+From 6e050503a150b2126620c1a1e9b3a368fcd51eac Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 21 Aug 2016 23:39:47 -0400
+Subject: sh: fix copy_from_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6e050503a150b2126620c1a1e9b3a368fcd51eac upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/sh/include/asm/uaccess.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/sh/include/asm/uaccess.h
++++ b/arch/sh/include/asm/uaccess.h
+@@ -151,7 +151,10 @@ copy_from_user(void *to, const void __us
+ __kernel_size_t __copy_size = (__kernel_size_t) n;
+
+ if (__copy_size && __access_ok(__copy_from, __copy_size))
+- return __copy_user(to, from, __copy_size);
++ __copy_size = __copy_user(to, from, __copy_size);
++
++ if (unlikely(__copy_size))
++ memset(to + (n - __copy_size), 0, __copy_size);
+
+ return __copy_size;
+ }
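Review bot: The added `memset(to + (n - __copy_size), 0, __copy_size)` is only correct if `__copy_user()` returns the number of bytes it did not copy and those bytes are the tail of the buffer. Neither is visible here, since `copy_from_user()` begins above the hunk and `__copy_user()` is defined elsewhere. When `__access_ok()` fails, `__copy_size` still equals `n`, so the whole destination is cleared, which matches what the other patch titles in this series describe. The code and the commit message give no reason for the zeroing, so a comment above the `memset` would record it, such as `/* zero the uncopied tail so the caller never sees stale kernel memory in 'to' */`.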
--- /dev/null
+From c6852389228df9fb3067f94f3b651de2a7921b36 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 21 Aug 2016 23:33:47 -0400
+Subject: sh64: failing __get_user() should zero
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit c6852389228df9fb3067f94f3b651de2a7921b36 upstream.
+
+It could be done in exception-handling bits in __get_user_b() et.al.,
+but the surgery involved would take more knowledge of sh64 details
+than I have or _want_ to have.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/sh/include/asm/uaccess_64.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/sh/include/asm/uaccess_64.h
++++ b/arch/sh/include/asm/uaccess_64.h
+@@ -24,6 +24,7 @@
+ #define __get_user_size(x,ptr,size,retval) \
+ do { \
+ retval = 0; \
++ x = 0; \
+ switch (size) { \
+ case 1: \
+ retval = __get_user_asm_b((void *)&x, \
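Review bot: `x = 0;` now runs before the accessors in the `switch`, so the macro is only safe if no caller passes a `ptr` expression that reads `x`. The callers are outside this hunk and the macro body continues past it. If `__get_user_size()` is always invoked with a local temporary for `x`, a short comment would make that requirement explicit, e.g. `/* x must not appear in ptr: it is cleared before the access */`. Clearing up front presumably also covers any `size` the `switch` does not handle, which is worth stating in the same comment if that is the intent.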
--- /dev/null
+From bf2c4b6f9b74c2ee1dd3c050b181e9b9c86fbcdb Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Thu, 1 Sep 2016 10:50:38 -0400
+Subject: svcauth_gss: Revert 64c59a3726f2 ("Remove unnecessary allocation")
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit bf2c4b6f9b74c2ee1dd3c050b181e9b9c86fbcdb upstream.
+
+rsc_lookup steals the passed-in memory to avoid doing an allocation of
+its own, so we can't just pass in a pointer to memory that someone else
+is using.
+
+If we really want to avoid allocation there then maybe we should
+preallocate somwhere, or reference count these handles.
+
+For now we should revert.
+
+On occasion I see this on my server:
+
+kernel: kernel BUG at /home/cel/src/linux/linux-2.6/mm/slub.c:3851!
+kernel: invalid opcode: 0000 [#1] SMP
+kernel: Modules linked in: cts rpcsec_gss_krb5 sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd btrfs xor iTCO_wdt iTCO_vendor_support raid6_pq pcspkr i2c_i801 i2c_smbus lpc_ich mfd_core mei_me sg mei shpchp wmi ioatdma ipmi_si ipmi_msghandler acpi_pad acpi_power_meter rpcrdma ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm nfsd nfs_acl lockd grace auth_rpcgss sunrpc ip_tables xfs libcrc32c mlx4_ib mlx4_en ib_core sr_mod cdrom sd_mod ast drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm crc32c_intel igb mlx4_core ahci libahci libata ptp pps_core dca i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod
+kernel: CPU: 7 PID: 145 Comm: kworker/7:2 Not tainted 4.8.0-rc4-00006-g9d06b0b #15
+kernel: Hardware name: Supermicro Super Server/X10SRL-F, BIOS 1.0c 09/09/2015
+kernel: Workqueue: events do_cache_clean [sunrpc]
+kernel: task: ffff8808541d8000 task.stack: ffff880854344000
+kernel: RIP: 0010:[<ffffffff811e7075>] [<ffffffff811e7075>] kfree+0x155/0x180
+kernel: RSP: 0018:ffff880854347d70 EFLAGS: 00010246
+kernel: RAX: ffffea0020fe7660 RBX: ffff88083f9db064 RCX: 146ff0f9d5ec5600
+kernel: RDX: 000077ff80000000 RSI: ffff880853f01500 RDI: ffff88083f9db064
+kernel: RBP: ffff880854347d88 R08: ffff8808594ee000 R09: ffff88087fdd8780
+kernel: R10: 0000000000000000 R11: ffffea0020fe76c0 R12: ffff880853f01500
+kernel: R13: ffffffffa013cf76 R14: ffffffffa013cff0 R15: ffffffffa04253a0
+kernel: FS: 0000000000000000(0000) GS:ffff88087fdc0000(0000) knlGS:0000000000000000
+kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+kernel: CR2: 00007fed60b020c3 CR3: 0000000001c06000 CR4: 00000000001406e0
+kernel: Stack:
+kernel: ffff8808589f2f00 ffff880853f01500 0000000000000001 ffff880854347da0
+kernel: ffffffffa013cf76 ffff8808589f2f00 ffff880854347db8 ffffffffa013d006
+kernel: ffff8808589f2f20 ffff880854347e00 ffffffffa0406f60 0000000057c7044f
+kernel: Call Trace:
+kernel: [<ffffffffa013cf76>] rsc_free+0x16/0x90 [auth_rpcgss]
+kernel: [<ffffffffa013d006>] rsc_put+0x16/0x30 [auth_rpcgss]
+kernel: [<ffffffffa0406f60>] cache_clean+0x2e0/0x300 [sunrpc]
+kernel: [<ffffffffa04073ee>] do_cache_clean+0xe/0x70 [sunrpc]
+kernel: [<ffffffff8109a70f>] process_one_work+0x1ff/0x3b0
+kernel: [<ffffffff8109b15c>] worker_thread+0x2bc/0x4a0
+kernel: [<ffffffff8109aea0>] ? rescuer_thread+0x3a0/0x3a0
+kernel: [<ffffffff810a0ba4>] kthread+0xe4/0xf0
+kernel: [<ffffffff8169c47f>] ret_from_fork+0x1f/0x40
+kernel: [<ffffffff810a0ac0>] ? kthread_stop+0x110/0x110
+kernel: Code: f7 ff ff eb 3b 65 8b 05 da 30 e2 7e 89 c0 48 0f a3 05 a0 38 b8 00 0f 92 c0 84 c0 0f 85 d1 fe ff ff 0f 1f 44 00 00 e9 f5 fe ff ff <0f> 0b 49 8b 03 31 f6 f6 c4 40 0f 85 62 ff ff ff e9 61 ff ff ff
+kernel: RIP [<ffffffff811e7075>] kfree+0x155/0x180
+kernel: RSP <ffff880854347d70>
+kernel: ---[ end trace 3fdec044969def26 ]---
+
+It seems to be most common after a server reboot where a client has been
+using a Kerberos mount, and reconnects to continue its workload.
+
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/auth_gss/svcauth_gss.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/sunrpc/auth_gss/svcauth_gss.c
++++ b/net/sunrpc/auth_gss/svcauth_gss.c
+@@ -569,9 +569,10 @@ gss_svc_searchbyctx(struct cache_detail
+ struct rsc *found;
+
+ memset(&rsci, 0, sizeof(rsci));
+- rsci.handle.data = handle->data;
+- rsci.handle.len = handle->len;
++ if (dup_to_netobj(&rsci.handle, handle->data, handle->len))
++ return NULL;
+ found = rsc_lookup(cd, &rsci);
++ rsc_free(&rsci);
+ if (!found)
+ return NULL;
+ if (cache_check(cd, &found->h, NULL))
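Review bot: The unconditional `rsc_free(&rsci)` after `rsc_lookup()` is safe only if a lookup that takes over `rsci.handle.data` also clears that pointer in `rsci`. Otherwise the buffer just handed to the cache entry would be freed here, which could bring back the kind of `kfree()` failure shown in the commit message. That hand-over happens outside this hunk, and `gss_svc_searchbyctx()` itself starts above it and continues below it, so I would document the contract at the call: `/* rsc_lookup() may steal rsci.handle; rsc_free() releases it only if it was not taken */`. Separately, a failed `dup_to_netobj()` returns `NULL` exactly like a missing context, so callers cannot tell allocation failure from an unknown handle.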