--- /dev/null
+From 2561d309dfd1555e781484af757ed0115035ddb3 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 17 Aug 2016 16:02:32 -0400
+Subject: alpha: fix copy_from_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 2561d309dfd1555e781484af757ed0115035ddb3 upstream.
+
+it should clear the destination even when access_ok() fails.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/alpha/include/asm/uaccess.h | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+--- a/arch/alpha/include/asm/uaccess.h
++++ b/arch/alpha/include/asm/uaccess.h
+@@ -371,14 +371,6 @@ __copy_tofrom_user_nocheck(void *to, con
+ return __cu_len;
+ }
+
+-extern inline long
+-__copy_tofrom_user(void *to, const void *from, long len, const void __user *validate)
+-{
+- if (__access_ok((unsigned long)validate, len, get_fs()))
+- len = __copy_tofrom_user_nocheck(to, from, len);
+- return len;
+-}
+-
+ #define __copy_to_user(to, from, n) \
+ ({ \
+ __chk_user_ptr(to); \
+@@ -393,17 +385,22 @@ __copy_tofrom_user(void *to, const void
+ #define __copy_to_user_inatomic __copy_to_user
+ #define __copy_from_user_inatomic __copy_from_user
+
+-
+ extern inline long
+ copy_to_user(void __user *to, const void *from, long n)
+ {
+- return __copy_tofrom_user((__force void *)to, from, n, to);
++ if (likely(__access_ok((unsigned long)to, n, get_fs())))
++ n = __copy_tofrom_user_nocheck((__force void *)to, from, n);
++ return n;
+ }
+
+ extern inline long
+ copy_from_user(void *to, const void __user *from, long n)
+ {
+- return __copy_tofrom_user(to, (__force void *)from, n, from);
++ if (likely(__access_ok((unsigned long)from, n, get_fs())))
++ n = __copy_tofrom_user_nocheck(to, (__force void *)from, n);
++ else
++ memset(to, 0, n);
++ return n;
+ }
+
+ extern void __do_clear_user(void);
--- /dev/null
+From 05d9d0b96e53c52a113fd783c0c97c830c8dc7af Mon Sep 17 00:00:00 2001
+From: Vineet Gupta <Vineet.Gupta1@synopsys.com>
+Date: Fri, 19 Aug 2016 12:10:02 -0700
+Subject: ARC: uaccess: get_user to zero out dest in cause of fault
+
+From: Vineet Gupta <Vineet.Gupta1@synopsys.com>
+
+commit 05d9d0b96e53c52a113fd783c0c97c830c8dc7af upstream.
+
+Al reported potential issue with ARC get_user() as it wasn't clearing
+out destination pointer in case of fault due to bad address etc.
+
+Verified using following
+
+| {
+| u32 bogus1 = 0xdeadbeef;
+| u64 bogus2 = 0xdead;
+| int rc1, rc2;
+|
+| pr_info("Orig values %x %llx\n", bogus1, bogus2);
+| rc1 = get_user(bogus1, (u32 __user *)0x40000000);
+| rc2 = get_user(bogus2, (u64 __user *)0x50000000);
+| pr_info("access %d %d, new values %x %llx\n",
+| rc1, rc2, bogus1, bogus2);
+| }
+
+| [ARCLinux]# insmod /mnt/kernel-module/qtn.ko
+| Orig values deadbeef dead
+| access -14 -14, new values 0 0
+
+Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: linux-snps-arc@lists.infradead.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arc/include/asm/uaccess.h | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/arch/arc/include/asm/uaccess.h
++++ b/arch/arc/include/asm/uaccess.h
+@@ -83,7 +83,10 @@
+ "2: ;nop\n" \
+ " .section .fixup, \"ax\"\n" \
+ " .align 4\n" \
+- "3: mov %0, %3\n" \
++ "3: # return -EFAULT\n" \
++ " mov %0, %3\n" \
++ " # zero out dst ptr\n" \
++ " mov %1, 0\n" \
+ " j 2b\n" \
+ " .previous\n" \
+ " .section __ex_table, \"a\"\n" \
+@@ -101,7 +104,11 @@
+ "2: ;nop\n" \
+ " .section .fixup, \"ax\"\n" \
+ " .align 4\n" \
+- "3: mov %0, %3\n" \
++ "3: # return -EFAULT\n" \
++ " mov %0, %3\n" \
++ " # zero out dst ptr\n" \
++ " mov %1, 0\n" \
++ " mov %R1, 0\n" \
+ " j 2b\n" \
+ " .previous\n" \
+ " .section __ex_table, \"a\"\n" \
--- /dev/null
+From 2545e5da080b4839dd859e3b09343a884f6ab0e3 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 17 Aug 2016 16:36:37 -0400
+Subject: asm-generic: make copy_from_user() zero the destination properly
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 2545e5da080b4839dd859e3b09343a884f6ab0e3 upstream.
+
+... in all cases, including the failing access_ok()
+
+Note that some architectures using asm-generic/uaccess.h have
+__copy_from_user() not zeroing the tail on failure halfway
+through. This variant works either way.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/asm-generic/uaccess.h | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/include/asm-generic/uaccess.h
++++ b/include/asm-generic/uaccess.h
+@@ -261,11 +261,13 @@ extern int __get_user_bad(void) __attrib
+ static inline long copy_from_user(void *to,
+ const void __user * from, unsigned long n)
+ {
++ unsigned long res = n;
+ might_fault();
+- if (access_ok(VERIFY_READ, from, n))
+- return __copy_from_user(to, from, n);
+- else
+- return n;
++ if (likely(access_ok(VERIFY_READ, from, n)))
++ res = __copy_from_user(to, from, n);
++ if (unlikely(res))
++ memset(to + (n - res), 0, res);
++ return res;
+ }
+
+ static inline long copy_to_user(void __user *to,
--- /dev/null
+From 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 17 Aug 2016 23:19:01 -0400
+Subject: asm-generic: make get_user() clear the destination on errors
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa upstream.
+
+both for access_ok() failures and for faults halfway through
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/asm-generic/uaccess.h | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/include/asm-generic/uaccess.h
++++ b/include/asm-generic/uaccess.h
+@@ -230,14 +230,18 @@ extern int __put_user_bad(void) __attrib
+ might_fault(); \
+ access_ok(VERIFY_READ, __p, sizeof(*ptr)) ? \
+ __get_user((x), (__typeof__(*(ptr)) *)__p) : \
+- -EFAULT; \
++ ((x) = (__typeof__(*(ptr)))0,-EFAULT); \
+ })
+
+ #ifndef __get_user_fn
+ static inline int __get_user_fn(size_t size, const void __user *ptr, void *x)
+ {
+- size = __copy_from_user(x, ptr, size);
+- return size ? -EFAULT : size;
++ size_t n = __copy_from_user(x, ptr, size);
++ if (unlikely(n)) {
++ memset(x + (size - n), 0, n);
++ return -EFAULT;
++ }
++ return 0;
+ }
+
+ #define __get_user_fn(sz, u, k) __get_user_fn(sz, u, k)
--- /dev/null
+From 8630c32275bac2de6ffb8aea9d9b11663e7ad28e Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 9 Sep 2016 19:28:23 -0400
+Subject: avr32: fix copy_from_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 8630c32275bac2de6ffb8aea9d9b11663e7ad28e upstream.
+
+really ugly, but apparently avr32 compilers turns access_ok() into
+something so bad that they want it in assembler. Left that way,
+zeroing added in inline wrapper.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/avr32/include/asm/uaccess.h | 11 ++++++++++-
+ arch/avr32/kernel/avr32_ksyms.c | 2 +-
+ arch/avr32/lib/copy_user.S | 4 ++--
+ 3 files changed, 13 insertions(+), 4 deletions(-)
+
+--- a/arch/avr32/include/asm/uaccess.h
++++ b/arch/avr32/include/asm/uaccess.h
+@@ -74,7 +74,7 @@ extern __kernel_size_t __copy_user(void
+
+ extern __kernel_size_t copy_to_user(void __user *to, const void *from,
+ __kernel_size_t n);
+-extern __kernel_size_t copy_from_user(void *to, const void __user *from,
++extern __kernel_size_t ___copy_from_user(void *to, const void __user *from,
+ __kernel_size_t n);
+
+ static inline __kernel_size_t __copy_to_user(void __user *to, const void *from,
+@@ -88,6 +88,15 @@ static inline __kernel_size_t __copy_fro
+ {
+ return __copy_user(to, (const void __force *)from, n);
+ }
++static inline __kernel_size_t copy_from_user(void *to,
++ const void __user *from,
++ __kernel_size_t n)
++{
++ size_t res = ___copy_from_user(to, from, n);
++ if (unlikely(res))
++ memset(to + (n - res), 0, res);
++ return res;
++}
+
+ #define __copy_to_user_inatomic __copy_to_user
+ #define __copy_from_user_inatomic __copy_from_user
+--- a/arch/avr32/kernel/avr32_ksyms.c
++++ b/arch/avr32/kernel/avr32_ksyms.c
+@@ -36,7 +36,7 @@ EXPORT_SYMBOL(copy_page);
+ /*
+ * Userspace access stuff.
+ */
+-EXPORT_SYMBOL(copy_from_user);
++EXPORT_SYMBOL(___copy_from_user);
+ EXPORT_SYMBOL(copy_to_user);
+ EXPORT_SYMBOL(__copy_user);
+ EXPORT_SYMBOL(strncpy_from_user);
+--- a/arch/avr32/lib/copy_user.S
++++ b/arch/avr32/lib/copy_user.S
+@@ -25,11 +25,11 @@
+ .align 1
+ .global copy_from_user
+ .type copy_from_user, @function
+-copy_from_user:
++___copy_from_user:
+ branch_if_kernel r8, __copy_user
+ ret_if_privileged r8, r11, r10, r10
+ rjmp __copy_user
+- .size copy_from_user, . - copy_from_user
++ .size ___copy_from_user, . - ___copy_from_user
+
+ .global copy_to_user
+ .type copy_to_user, @function
--- /dev/null
+From 8f035983dd826d7e04f67b28acf8e2f08c347e41 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 9 Sep 2016 19:16:58 -0400
+Subject: blackfin: fix copy_from_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 8f035983dd826d7e04f67b28acf8e2f08c347e41 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/blackfin/include/asm/uaccess.h | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/arch/blackfin/include/asm/uaccess.h
++++ b/arch/blackfin/include/asm/uaccess.h
+@@ -177,11 +177,12 @@ static inline int bad_user_access_length
+ static inline unsigned long __must_check
+ copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+- if (access_ok(VERIFY_READ, from, n))
++ if (likely(access_ok(VERIFY_READ, from, n))) {
+ memcpy(to, (const void __force *)from, n);
+- else
+- return n;
+- return 0;
++ return 0;
++ }
++ memset(to, 0, n);
++ return n;
+ }
+
+ static inline unsigned long __must_check
--- /dev/null
+From eb47e0293baaa3044022059f1fa9ff474bfe35cb Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 18 Aug 2016 19:34:00 -0400
+Subject: cris: buggered copy_from_user/copy_to_user/clear_user
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit eb47e0293baaa3044022059f1fa9ff474bfe35cb upstream.
+
+* copy_from_user() on access_ok() failure ought to zero the destination
+* none of those primitives should skip the access_ok() check in case of
+small constant size.
+
+Acked-by: Jesper Nilsson <jesper.nilsson@axis.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/cris/include/asm/uaccess.h | 75 ++++++++++++++++++----------------------
+ 1 file changed, 34 insertions(+), 41 deletions(-)
+
+--- a/arch/cris/include/asm/uaccess.h
++++ b/arch/cris/include/asm/uaccess.h
+@@ -194,30 +194,6 @@ extern unsigned long __copy_user(void __
+ extern unsigned long __copy_user_zeroing(void *to, const void __user *from, unsigned long n);
+ extern unsigned long __do_clear_user(void __user *to, unsigned long n);
+
+-static inline unsigned long
+-__generic_copy_to_user(void __user *to, const void *from, unsigned long n)
+-{
+- if (access_ok(VERIFY_WRITE, to, n))
+- return __copy_user(to, from, n);
+- return n;
+-}
+-
+-static inline unsigned long
+-__generic_copy_from_user(void *to, const void __user *from, unsigned long n)
+-{
+- if (access_ok(VERIFY_READ, from, n))
+- return __copy_user_zeroing(to, from, n);
+- return n;
+-}
+-
+-static inline unsigned long
+-__generic_clear_user(void __user *to, unsigned long n)
+-{
+- if (access_ok(VERIFY_WRITE, to, n))
+- return __do_clear_user(to, n);
+- return n;
+-}
+-
+ static inline long
+ __strncpy_from_user(char *dst, const char __user *src, long count)
+ {
+@@ -282,7 +258,7 @@ __constant_copy_from_user(void *to, cons
+ else if (n == 24)
+ __asm_copy_from_user_24(to, from, ret);
+ else
+- ret = __generic_copy_from_user(to, from, n);
++ ret = __copy_user_zeroing(to, from, n);
+
+ return ret;
+ }
+@@ -333,7 +309,7 @@ __constant_copy_to_user(void __user *to,
+ else if (n == 24)
+ __asm_copy_to_user_24(to, from, ret);
+ else
+- ret = __generic_copy_to_user(to, from, n);
++ ret = __copy_user(to, from, n);
+
+ return ret;
+ }
+@@ -366,26 +342,43 @@ __constant_clear_user(void __user *to, u
+ else if (n == 24)
+ __asm_clear_24(to, ret);
+ else
+- ret = __generic_clear_user(to, n);
++ ret = __do_clear_user(to, n);
+
+ return ret;
+ }
+
+
+-#define clear_user(to, n) \
+- (__builtin_constant_p(n) ? \
+- __constant_clear_user(to, n) : \
+- __generic_clear_user(to, n))
+-
+-#define copy_from_user(to, from, n) \
+- (__builtin_constant_p(n) ? \
+- __constant_copy_from_user(to, from, n) : \
+- __generic_copy_from_user(to, from, n))
+-
+-#define copy_to_user(to, from, n) \
+- (__builtin_constant_p(n) ? \
+- __constant_copy_to_user(to, from, n) : \
+- __generic_copy_to_user(to, from, n))
++static inline size_t clear_user(void __user *to, size_t n)
++{
++ if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
++ return n;
++ if (__builtin_constant_p(n))
++ return __constant_clear_user(to, n);
++ else
++ return __do_clear_user(to, n);
++}
++
++static inline size_t copy_from_user(void *to, const void __user *from, size_t n)
++{
++ if (unlikely(!access_ok(VERIFY_READ, from, n))) {
++ memset(to, 0, n);
++ return n;
++ }
++ if (__builtin_constant_p(n))
++ return __constant_copy_from_user(to, from, n);
++ else
++ return __copy_user_zeroing(to, from, n);
++}
++
++static inline size_t copy_to_user(void __user *to, const void *from, size_t n)
++{
++ if (unlikely(!access_ok(VERIFY_WRITE, to, n)))
++ return n;
++ if (__builtin_constant_p(n))
++ return __constant_copy_to_user(to, from, n);
++ else
++ return __copy_user(to, from, n);
++}
+
+ /* We let the __ versions of copy_from/to_user inline, because they're often
+ * used in fast paths and have only a small space overhead.
--- /dev/null
+From d31ed3f05763644840c654a384eaefa94c097ba2 Mon Sep 17 00:00:00 2001
+From: Jan Leupold <leupold@rsi-elektrotechnik.de>
+Date: Wed, 6 Jul 2016 13:22:35 +0200
+Subject: drm: atmel-hlcdc: Fix vertical scaling
+
+From: Jan Leupold <leupold@rsi-elektrotechnik.de>
+
+commit d31ed3f05763644840c654a384eaefa94c097ba2 upstream.
+
+The code is applying the same scaling for the X and Y components,
+thus making the scaling feature only functional when both components
+have the same scaling factor.
+
+Do the s/_w/_h/ replacement where appropriate to fix vertical scaling.
+
+Signed-off-by: Jan Leupold <leupold@rsi-elektrotechnik.de>
+Fixes: 1a396789f65a2 ("drm: add Atmel HLCDC Display Controller support")
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
++++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c
+@@ -316,19 +316,19 @@ atmel_hlcdc_plane_update_pos_and_size(st
+ u32 *coeff_tab = heo_upscaling_ycoef;
+ u32 max_memsize;
+
+- if (state->crtc_w < state->src_w)
++ if (state->crtc_h < state->src_h)
+ coeff_tab = heo_downscaling_ycoef;
+ for (i = 0; i < ARRAY_SIZE(heo_upscaling_ycoef); i++)
+ atmel_hlcdc_layer_update_cfg(&plane->layer,
+ 33 + i,
+ 0xffffffff,
+ coeff_tab[i]);
+- factor = ((8 * 256 * state->src_w) - (256 * 4)) /
+- state->crtc_w;
++ factor = ((8 * 256 * state->src_h) - (256 * 4)) /
++ state->crtc_h;
+ factor++;
+- max_memsize = ((factor * state->crtc_w) + (256 * 4)) /
++ max_memsize = ((factor * state->crtc_h) + (256 * 4)) /
+ 2048;
+- if (max_memsize > state->src_w)
++ if (max_memsize > state->src_h)
+ factor--;
+ factor_reg |= (factor << 16) | 0x80000000;
+ }
--- /dev/null
+From 44eb0cb9620c6a53ec8e7073262e2af8079b727f Mon Sep 17 00:00:00 2001
+From: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+Date: Fri, 30 Oct 2015 13:26:15 +0200
+Subject: drm/i915: Avoid pointer arithmetic in calculating plane surface offset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mika Kuoppala <mika.kuoppala@linux.intel.com>
+
+commit 44eb0cb9620c6a53ec8e7073262e2af8079b727f upstream.
+
+VMA offsets are 64 bits. Plane surface offsets are in ggtt and
+the hardware register to set this is thus 32 bits. Be explicit
+about these and convert carefully to from vma to final size.
+
+This will make sparse happy by not creating 32bit pointers out
+of 64bit vma offsets.
+
+Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Signed-off-by: Mika Kuoppala <mika.kuoppala@intel.com>
+Link: http://patchwork.freedesktop.org/patch/msgid/1446204375-29831-1-git-send-email-mika.kuoppala@intel.com
+Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
+Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/i915/intel_display.c | 16 +++++++++-------
+ drivers/gpu/drm/i915/intel_drv.h | 6 +++---
+ drivers/gpu/drm/i915/intel_sprite.c | 2 +-
+ 3 files changed, 13 insertions(+), 11 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -2950,13 +2950,13 @@ u32 intel_fb_stride_alignment(struct drm
+ }
+ }
+
+-unsigned long intel_plane_obj_offset(struct intel_plane *intel_plane,
+- struct drm_i915_gem_object *obj,
+- unsigned int plane)
++u32 intel_plane_obj_offset(struct intel_plane *intel_plane,
++ struct drm_i915_gem_object *obj,
++ unsigned int plane)
+ {
+ const struct i915_ggtt_view *view = &i915_ggtt_view_normal;
+ struct i915_vma *vma;
+- unsigned char *offset;
++ u64 offset;
+
+ if (intel_rotation_90_or_270(intel_plane->base.state->rotation))
+ view = &i915_ggtt_view_rotated;
+@@ -2966,14 +2966,16 @@ unsigned long intel_plane_obj_offset(str
+ view->type))
+ return -1;
+
+- offset = (unsigned char *)vma->node.start;
++ offset = vma->node.start;
+
+ if (plane == 1) {
+ offset += vma->ggtt_view.rotation_info.uv_start_page *
+ PAGE_SIZE;
+ }
+
+- return (unsigned long)offset;
++ WARN_ON(upper_32_bits(offset));
++
++ return lower_32_bits(offset);
+ }
+
+ static void skl_detach_scaler(struct intel_crtc *intel_crtc, int id)
+@@ -3099,7 +3101,7 @@ static void skylake_update_primary_plane
+ u32 tile_height, plane_offset, plane_size;
+ unsigned int rotation;
+ int x_offset, y_offset;
+- unsigned long surf_addr;
++ u32 surf_addr;
+ struct intel_crtc_state *crtc_state = intel_crtc->config;
+ struct intel_plane_state *plane_state;
+ int src_x = 0, src_y = 0, src_w = 0, src_h = 0;
+--- a/drivers/gpu/drm/i915/intel_drv.h
++++ b/drivers/gpu/drm/i915/intel_drv.h
+@@ -1177,9 +1177,9 @@ void intel_modeset_preclose(struct drm_d
+ int skl_update_scaler_crtc(struct intel_crtc_state *crtc_state);
+ int skl_max_scale(struct intel_crtc *crtc, struct intel_crtc_state *crtc_state);
+
+-unsigned long intel_plane_obj_offset(struct intel_plane *intel_plane,
+- struct drm_i915_gem_object *obj,
+- unsigned int plane);
++u32 intel_plane_obj_offset(struct intel_plane *intel_plane,
++ struct drm_i915_gem_object *obj,
++ unsigned int plane);
+
+ u32 skl_plane_ctl_format(uint32_t pixel_format);
+ u32 skl_plane_ctl_tiling(uint64_t fb_modifier);
+--- a/drivers/gpu/drm/i915/intel_sprite.c
++++ b/drivers/gpu/drm/i915/intel_sprite.c
+@@ -195,7 +195,7 @@ skl_update_plane(struct drm_plane *drm_p
+ int pixel_size = drm_format_plane_cpp(fb->pixel_format, 0);
+ const struct drm_intel_sprite_colorkey *key =
+ &to_intel_plane_state(drm_plane->state)->ckey;
+- unsigned long surf_addr;
++ u32 surf_addr;
+ u32 tile_height, plane_offset, plane_size;
+ unsigned int rotation;
+ int x_offset, y_offset;
--- /dev/null
+From 47a66e45d7a7613322549c2475ea9d809baaf514 Mon Sep 17 00:00:00 2001
+From: "Kristian H. Kristensen" <hoegsberg@gmail.com>
+Date: Tue, 13 Sep 2016 14:20:45 -0700
+Subject: drm: Only use compat ioctl for addfb2 on X86/IA64
+
+From: Kristian H. Kristensen <hoegsberg@gmail.com>
+
+commit 47a66e45d7a7613322549c2475ea9d809baaf514 upstream.
+
+Similar to struct drm_update_draw, struct drm_mode_fb_cmd2 has an
+unaligned 64 bit field (modifier). This get packed differently between
+32 bit and 64 bit modes on architectures that can handle unaligned 64
+bit access (X86 and IA64). Other architectures pack the structs the
+same and don't need the compat wrapper. Use the same condition for
+drm_mode_fb_cmd2 as we use for drm_update_draw.
+
+Note that only the modifier will be packed differently between compat
+and non-compat versions.
+
+Reviewed-by: Rob Clark <robdclark@gmail.com>
+Signed-off-by: Kristian H. Kristensen <hoegsberg@chromium.org>
+[seanpaul added not at bottom of commit msg re: modifier]
+Signed-off-by: Sean Paul <seanpaul@chromium.org>
+Link: http://patchwork.freedesktop.org/patch/msgid/1473801645-116011-1-git-send-email-hoegsberg@chromium.org
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_ioc32.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/gpu/drm/drm_ioc32.c
++++ b/drivers/gpu/drm/drm_ioc32.c
+@@ -1015,6 +1015,7 @@ static int compat_drm_wait_vblank(struct
+ return 0;
+ }
+
++#if defined(CONFIG_X86) || defined(CONFIG_IA64)
+ typedef struct drm_mode_fb_cmd232 {
+ u32 fb_id;
+ u32 width;
+@@ -1071,6 +1072,7 @@ static int compat_drm_mode_addfb2(struct
+
+ return 0;
+ }
++#endif
+
+ static drm_ioctl_compat_t *drm_compat_ioctls[] = {
+ [DRM_IOCTL_NR(DRM_IOCTL_VERSION32)] = compat_drm_version,
+@@ -1104,7 +1106,9 @@ static drm_ioctl_compat_t *drm_compat_io
+ [DRM_IOCTL_NR(DRM_IOCTL_UPDATE_DRAW32)] = compat_drm_update_draw,
+ #endif
+ [DRM_IOCTL_NR(DRM_IOCTL_WAIT_VBLANK32)] = compat_drm_wait_vblank,
++#if defined(CONFIG_X86) || defined(CONFIG_IA64)
+ [DRM_IOCTL_NR(DRM_IOCTL_MODE_ADDFB232)] = compat_drm_mode_addfb2,
++#endif
+ };
+
+ /**
--- /dev/null
+From d4690f1e1cdabb4d61207b6787b1605a0dc0aeab Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Fri, 16 Sep 2016 00:11:45 +0100
+Subject: fix iov_iter_fault_in_readable()
+
+From: Al Viro <viro@ZenIV.linux.org.uk>
+
+commit d4690f1e1cdabb4d61207b6787b1605a0dc0aeab upstream.
+
+... by turning it into what used to be multipages counterpart
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/uio.h | 2 +-
+ lib/iov_iter.c | 24 ++----------------------
+ 2 files changed, 3 insertions(+), 23 deletions(-)
+
+--- a/include/linux/uio.h
++++ b/include/linux/uio.h
+@@ -76,7 +76,7 @@ size_t iov_iter_copy_from_user_atomic(st
+ struct iov_iter *i, unsigned long offset, size_t bytes);
+ void iov_iter_advance(struct iov_iter *i, size_t bytes);
+ int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes);
+-int iov_iter_fault_in_multipages_readable(struct iov_iter *i, size_t bytes);
++#define iov_iter_fault_in_multipages_readable iov_iter_fault_in_readable
+ size_t iov_iter_single_seg_count(const struct iov_iter *i);
+ size_t copy_page_to_iter(struct page *page, size_t offset, size_t bytes,
+ struct iov_iter *i);
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -298,33 +298,13 @@ done:
+ }
+
+ /*
+- * Fault in the first iovec of the given iov_iter, to a maximum length
+- * of bytes. Returns 0 on success, or non-zero if the memory could not be
+- * accessed (ie. because it is an invalid address).
+- *
+- * writev-intensive code may want this to prefault several iovecs -- that
+- * would be possible (callers must not rely on the fact that _only_ the
+- * first iovec will be faulted with the current implementation).
+- */
+-int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes)
+-{
+- if (!(i->type & (ITER_BVEC|ITER_KVEC))) {
+- char __user *buf = i->iov->iov_base + i->iov_offset;
+- bytes = min(bytes, i->iov->iov_len - i->iov_offset);
+- return fault_in_pages_readable(buf, bytes);
+- }
+- return 0;
+-}
+-EXPORT_SYMBOL(iov_iter_fault_in_readable);
+-
+-/*
+ * Fault in one or more iovecs of the given iov_iter, to a maximum length of
+ * bytes. For each iovec, fault in each page that constitutes the iovec.
+ *
+ * Return 0 on success, or non-zero if the memory could not be accessed (i.e.
+ * because it is an invalid address).
+ */
+-int iov_iter_fault_in_multipages_readable(struct iov_iter *i, size_t bytes)
++int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes)
+ {
+ size_t skip = i->iov_offset;
+ const struct iovec *iov;
+@@ -341,7 +321,7 @@ int iov_iter_fault_in_multipages_readabl
+ }
+ return 0;
+ }
+-EXPORT_SYMBOL(iov_iter_fault_in_multipages_readable);
++EXPORT_SYMBOL(iov_iter_fault_in_readable);
+
+ void iov_iter_init(struct iov_iter *i, int direction,
+ const struct iovec *iov, unsigned long nr_segs,
--- /dev/null
+From 1c109fabbd51863475cd12ac206bdd249aee35af Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu, 15 Sep 2016 02:35:29 +0100
+Subject: fix minor infoleak in get_user_ex()
+
+From: Al Viro <viro@ZenIV.linux.org.uk>
+
+commit 1c109fabbd51863475cd12ac206bdd249aee35af upstream.
+
+get_user_ex(x, ptr) should zero x on failure. It's not a lot of a leak
+(at most we are leaking uninitialized 64bit value off the kernel stack,
+and in a fairly constrained situation, at that), but the fix is trivial,
+so...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+[ This sat in different branch from the uaccess fixes since mid-August ]
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/include/asm/uaccess.h | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/include/asm/uaccess.h
++++ b/arch/x86/include/asm/uaccess.h
+@@ -394,7 +394,11 @@ do { \
+ #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
+ asm volatile("1: mov"itype" %1,%"rtype"0\n" \
+ "2:\n" \
+- _ASM_EXTABLE_EX(1b, 2b) \
++ ".section .fixup,\"ax\"\n" \
++ "3:xor"itype" %"rtype"0,%"rtype"0\n" \
++ " jmp 2b\n" \
++ ".previous\n" \
++ _ASM_EXTABLE_EX(1b, 3b) \
+ : ltype(x) : "m" (__m(addr)))
+
+ #define __put_user_nocheck(x, ptr, size) \
--- /dev/null
+From 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 18 Aug 2016 20:54:02 -0400
+Subject: frv: fix clear_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 upstream.
+
+It should check access_ok(). Otherwise a bunch of places turn into
+trivially exploitable rootholes.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/frv/include/asm/uaccess.h | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/arch/frv/include/asm/uaccess.h
++++ b/arch/frv/include/asm/uaccess.h
+@@ -263,19 +263,25 @@ do { \
+ extern long __memset_user(void *dst, unsigned long count);
+ extern long __memcpy_user(void *dst, const void *src, unsigned long count);
+
+-#define clear_user(dst,count) __memset_user(____force(dst), (count))
++#define __clear_user(dst,count) __memset_user(____force(dst), (count))
+ #define __copy_from_user_inatomic(to, from, n) __memcpy_user((to), ____force(from), (n))
+ #define __copy_to_user_inatomic(to, from, n) __memcpy_user(____force(to), (from), (n))
+
+ #else
+
+-#define clear_user(dst,count) (memset(____force(dst), 0, (count)), 0)
++#define __clear_user(dst,count) (memset(____force(dst), 0, (count)), 0)
+ #define __copy_from_user_inatomic(to, from, n) (memcpy((to), ____force(from), (n)), 0)
+ #define __copy_to_user_inatomic(to, from, n) (memcpy(____force(to), (from), (n)), 0)
+
+ #endif
+
+-#define __clear_user clear_user
++static inline unsigned long __must_check
++clear_user(void __user *to, unsigned long n)
++{
++ if (likely(__access_ok(to, n)))
++ n = __clear_user(to, n);
++ return n;
++}
+
+ static inline unsigned long __must_check
+ __copy_to_user(void __user *to, const void *from, unsigned long n)
--- /dev/null
+From ebf9ff753c041b296241990aef76163bbb2cc9c8 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Tue, 13 Sep 2016 15:58:28 +0200
+Subject: genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit ebf9ff753c041b296241990aef76163bbb2cc9c8 upstream.
+
+Some irqchip drivers need to take the generic chip lock outside of the
+irq context.
+
+Provide the irq_gc_{lock_irqsave,unlock_irqrestore}() helpers to allow
+one to disable irqs while entering a critical section protected by
+gc->lock.
+
+Note that we do not provide optimized version of these helpers for !SMP,
+because they are not called from the hot-path.
+
+[ tglx: Added a comment when these helpers should be [not] used ]
+
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Nicolas Ferre <nicolas.ferre@atmel.com>
+Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Link: http://lkml.kernel.org/r/1473775109-4192-1-git-send-email-boris.brezillon@free-electrons.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/irq.h | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/include/linux/irq.h
++++ b/include/linux/irq.h
+@@ -916,6 +916,16 @@ static inline void irq_gc_lock(struct ir
+ static inline void irq_gc_unlock(struct irq_chip_generic *gc) { }
+ #endif
+
++/*
++ * The irqsave variants are for usage in non interrupt code. Do not use
++ * them in irq_chip callbacks. Use irq_gc_lock() instead.
++ */
++#define irq_gc_lock_irqsave(gc, flags) \
++ raw_spin_lock_irqsave(&(gc)->lock, flags)
++
++#define irq_gc_unlock_irqrestore(gc, flags) \
++ raw_spin_unlock_irqrestore(&(gc)->lock, flags)
++
+ static inline void irq_reg_writel(struct irq_chip_generic *gc,
+ u32 val, int reg_offset)
+ {
--- /dev/null
+From 166c5a6ef765653848161e6f4af81c05e4b3ecf6 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Mon, 4 Apr 2016 12:38:46 -0700
+Subject: gma500: remove annoying deprecation warning
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit 166c5a6ef765653848161e6f4af81c05e4b3ecf6 upstream.
+
+In commit e45708976aea ("drm/dp-helper: Move the legacy helpers to
+gma500") the legacy i2c helpers were moved to the only remaining user of
+them, the gma500 driver. Together with that move, i2c_dp_aux_add_bus()
+was marked deprecated and started warning about its remaining use.
+
+It's now been a year and a half of annoying warning, and apparently
+nobody cares enough about gma500 to try to move it along to the more
+modern models.
+
+Get rid of the warning - if even the gma500 people don't care enough,
+then they should certainly not spam other innocent developers with a
+warning that might hide other, much more real issues.
+
+Cc: Daniel Vetter <daniel.vetter@intel.com>
+Cc: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/gma500/cdv_intel_dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/gma500/cdv_intel_dp.c
++++ b/drivers/gpu/drm/gma500/cdv_intel_dp.c
+@@ -220,7 +220,7 @@ i2c_dp_aux_prepare_bus(struct i2c_adapte
+ * FIXME: This is the old dp aux helper, gma500 is the last driver that needs to
+ * be ported over to the new helper code in drm_dp_helper.c like i915 or radeon.
+ */
+-static int __deprecated
++static int
+ i2c_dp_aux_add_bus(struct i2c_adapter *adapter)
+ {
+ int error;
--- /dev/null
+From f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 18 Aug 2016 21:16:49 -0400
+Subject: hexagon: fix strncpy_from_user() error return
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 upstream.
+
+It's -EFAULT, not -1 (and contrary to the comment in there,
+__strnlen_user() can return 0 - on faults).
+
+Acked-by: Richard Kuo <rkuo@codeaurora.org>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/hexagon/include/asm/uaccess.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/hexagon/include/asm/uaccess.h
++++ b/arch/hexagon/include/asm/uaccess.h
+@@ -103,7 +103,8 @@ static inline long hexagon_strncpy_from_
+ {
+ long res = __strnlen_user(src, n);
+
+- /* return from strnlen can't be zero -- that would be rubbish. */
++ if (unlikely(!res))
++ return -EFAULT;
+
+ if (res > n) {
+ copy_from_user(dst, src, n);
--- /dev/null
+From 5eb0d6eb3fac3daa60d9190eed9fa41cf809c756 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+Date: Tue, 13 Sep 2016 15:58:29 +0200
+Subject: irqchip/atmel-aic: Fix potential deadlock in ->xlate()
+
+From: Boris Brezillon <boris.brezillon@free-electrons.com>
+
+commit 5eb0d6eb3fac3daa60d9190eed9fa41cf809c756 upstream.
+
+aic5_irq_domain_xlate() and aic_irq_domain_xlate() take the generic chip
+lock without disabling interrupts, which can lead to a deadlock if an
+interrupt occurs while the lock is held in one of these functions.
+
+Replace irq_gc_{lock,unlock}() calls by
+irq_gc_{lock_irqsave,unlock_irqrestore}() ones to prevent this bug from
+happening.
+
+Fixes: b1479ebb7720 ("irqchip: atmel-aic: Add atmel AIC/AIC5 drivers")
+Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
+Acked-by: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Jason Cooper <jason@lakedaemon.net>
+Cc: Nicolas Ferre <nicolas.ferre@atmel.com>
+Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Link: http://lkml.kernel.org/r/1473775109-4192-2-git-send-email-boris.brezillon@free-electrons.com
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-atmel-aic.c | 5 +++--
+ drivers/irqchip/irq-atmel-aic5.c | 5 +++--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/irqchip/irq-atmel-aic.c
++++ b/drivers/irqchip/irq-atmel-aic.c
+@@ -176,6 +176,7 @@ static int aic_irq_domain_xlate(struct i
+ {
+ struct irq_domain_chip_generic *dgc = d->gc;
+ struct irq_chip_generic *gc;
++ unsigned long flags;
+ unsigned smr;
+ int idx;
+ int ret;
+@@ -194,12 +195,12 @@ static int aic_irq_domain_xlate(struct i
+
+ gc = dgc->gc[idx];
+
+- irq_gc_lock(gc);
++ irq_gc_lock_irqsave(gc, flags);
+ smr = irq_reg_readl(gc, AT91_AIC_SMR(*out_hwirq));
+ ret = aic_common_set_priority(intspec[2], &smr);
+ if (!ret)
+ irq_reg_writel(gc, smr, AT91_AIC_SMR(*out_hwirq));
+- irq_gc_unlock(gc);
++ irq_gc_unlock_irqrestore(gc, flags);
+
+ return ret;
+ }
+--- a/drivers/irqchip/irq-atmel-aic5.c
++++ b/drivers/irqchip/irq-atmel-aic5.c
+@@ -258,6 +258,7 @@ static int aic5_irq_domain_xlate(struct
+ unsigned int *out_type)
+ {
+ struct irq_chip_generic *bgc = irq_get_domain_generic_chip(d, 0);
++ unsigned long flags;
+ unsigned smr;
+ int ret;
+
+@@ -269,13 +270,13 @@ static int aic5_irq_domain_xlate(struct
+ if (ret)
+ return ret;
+
+- irq_gc_lock(bgc);
++ irq_gc_lock_irqsave(bgc, flags);
+ irq_reg_writel(bgc, *out_hwirq, AT91_AIC5_SSR);
+ smr = irq_reg_readl(bgc, AT91_AIC5_SMR);
+ ret = aic_common_set_priority(intspec[2], &smr);
+ if (!ret)
+ irq_reg_writel(bgc, intspec[2] | smr, AT91_AIC5_SMR);
+- irq_gc_unlock(bgc);
++ irq_gc_unlock_irqrestore(bgc, flags);
+
+ return ret;
+ }
--- /dev/null
+From 236dec051078a8691950f56949612b4b74107e48 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 1 Sep 2016 16:14:47 -0700
+Subject: kconfig: tinyconfig: provide whole choice blocks to avoid warnings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 236dec051078a8691950f56949612b4b74107e48 upstream.
+
+Using "make tinyconfig" produces a couple of annoying warnings that show
+up for build test machines all the time:
+
+ .config:966:warning: override: NOHIGHMEM changes choice state
+ .config:965:warning: override: SLOB changes choice state
+ .config:963:warning: override: KERNEL_XZ changes choice state
+ .config:962:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state
+ .config:933:warning: override: SLOB changes choice state
+ .config:930:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state
+ .config:870:warning: override: SLOB changes choice state
+ .config:868:warning: override: KERNEL_XZ changes choice state
+ .config:867:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state
+
+I've made a previous attempt at fixing them and we discussed a number of
+alternatives.
+
+I tried changing the Makefile to use "merge_config.sh -n
+$(fragment-list)" but couldn't get that to work properly.
+
+This is yet another approach, based on the observation that we do want
+to see a warning for conflicting 'choice' options, and that we can
+simply make them non-conflicting by listing all other options as
+disabled. This is a trivial patch that we can apply independent of
+plans for other changes.
+
+Link: http://lkml.kernel.org/r/20160829214952.1334674-2-arnd@arndb.de
+Link: https://storage.kernelci.org/mainline/v4.7-rc6/x86-tinyconfig/build.log
+https://patchwork.kernel.org/patch/9212749/
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Josh Triplett <josh@joshtriplett.org>
+Reviewed-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Acked-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/configs/tiny.config | 2 ++
+ kernel/configs/tiny.config | 8 ++++++++
+ 2 files changed, 10 insertions(+)
+
+--- a/arch/x86/configs/tiny.config
++++ b/arch/x86/configs/tiny.config
+@@ -1 +1,3 @@
+ CONFIG_NOHIGHMEM=y
++# CONFIG_HIGHMEM4G is not set
++# CONFIG_HIGHMEM64G is not set
+--- a/kernel/configs/tiny.config
++++ b/kernel/configs/tiny.config
+@@ -1,4 +1,12 @@
++# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
+ CONFIG_CC_OPTIMIZE_FOR_SIZE=y
++# CONFIG_KERNEL_GZIP is not set
++# CONFIG_KERNEL_BZIP2 is not set
++# CONFIG_KERNEL_LZMA is not set
+ CONFIG_KERNEL_XZ=y
++# CONFIG_KERNEL_LZO is not set
++# CONFIG_KERNEL_LZ4 is not set
+ CONFIG_OPTIMIZE_INLINING=y
++# CONFIG_SLAB is not set
++# CONFIG_SLUB is not set
+ CONFIG_SLOB=y
--- /dev/null
+From c90a3bc5061d57e7931a9b7ad14784e1a0ed497d Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 9 Sep 2016 19:20:13 -0400
+Subject: m32r: fix __get_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit c90a3bc5061d57e7931a9b7ad14784e1a0ed497d upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/m32r/include/asm/uaccess.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/m32r/include/asm/uaccess.h
++++ b/arch/m32r/include/asm/uaccess.h
+@@ -219,7 +219,7 @@ extern int fixup_exception(struct pt_reg
+ #define __get_user_nocheck(x, ptr, size) \
+ ({ \
+ long __gu_err = 0; \
+- unsigned long __gu_val; \
++ unsigned long __gu_val = 0; \
+ might_fault(); \
+ __get_user_size(__gu_val, (ptr), (size), __gu_err); \
+ (x) = (__force __typeof__(*(ptr)))__gu_val; \
--- /dev/null
+From 8ae95ed4ae5fc7c3391ed668b2014c9e2079533b Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 18 Aug 2016 22:08:20 -0400
+Subject: metag: copy_from_user() should zero the destination on access_ok() failure
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 8ae95ed4ae5fc7c3391ed668b2014c9e2079533b upstream.
+
+Acked-by: James Hogan <james.hogan@imgtec.com>
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/metag/include/asm/uaccess.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/metag/include/asm/uaccess.h
++++ b/arch/metag/include/asm/uaccess.h
+@@ -204,8 +204,9 @@ extern unsigned long __must_check __copy
+ static inline unsigned long
+ copy_from_user(void *to, const void __user *from, unsigned long n)
+ {
+- if (access_ok(VERIFY_READ, from, n))
++ if (likely(access_ok(VERIFY_READ, from, n)))
+ return __copy_user_zeroing(to, from, n);
++ memset(to, 0, n);
+ return n;
+ }
+
--- /dev/null
+From e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 9 Sep 2016 19:23:33 -0400
+Subject: microblaze: fix __get_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/microblaze/include/asm/uaccess.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/microblaze/include/asm/uaccess.h
++++ b/arch/microblaze/include/asm/uaccess.h
+@@ -227,7 +227,7 @@ extern long __user_bad(void);
+
+ #define __get_user(x, ptr) \
+ ({ \
+- unsigned long __gu_val; \
++ unsigned long __gu_val = 0; \
+ /*unsigned long __gu_ptr = (unsigned long)(ptr);*/ \
+ long __gu_err; \
+ switch (sizeof(*(ptr))) { \
--- /dev/null
+From d0cf385160c12abd109746cad1f13e3b3e8b50b8 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Fri, 9 Sep 2016 19:22:34 -0400
+Subject: microblaze: fix copy_from_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit d0cf385160c12abd109746cad1f13e3b3e8b50b8 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/microblaze/include/asm/uaccess.h | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/microblaze/include/asm/uaccess.h
++++ b/arch/microblaze/include/asm/uaccess.h
+@@ -373,10 +373,13 @@ extern long __user_bad(void);
+ static inline long copy_from_user(void *to,
+ const void __user *from, unsigned long n)
+ {
++ unsigned long res = n;
+ might_fault();
+- if (access_ok(VERIFY_READ, from, n))
+- return __copy_from_user(to, from, n);
+- return n;
++ if (likely(access_ok(VERIFY_READ, from, n)))
++ res = __copy_from_user(to, from, n);
++ if (unlikely(res))
++ memset(to + (n - res), 0, res);
++ return res;
+ }
+
+ #define __copy_to_user(to, from, n) \
--- /dev/null
+From e69d700535ac43a18032b3c399c69bf4639e89a2 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 16:18:53 -0400
+Subject: mips: copy_from_user() must zero the destination on access_ok() failure
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit e69d700535ac43a18032b3c399c69bf4639e89a2 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/uaccess.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/mips/include/asm/uaccess.h
++++ b/arch/mips/include/asm/uaccess.h
+@@ -14,6 +14,7 @@
+ #include <linux/kernel.h>
+ #include <linux/errno.h>
+ #include <linux/thread_info.h>
++#include <linux/string.h>
+ #include <asm/asm-eva.h>
+
+ /*
+@@ -1170,6 +1171,8 @@ extern size_t __copy_in_user_eva(void *_
+ __cu_len = __invoke_copy_from_user(__cu_to, \
+ __cu_from, \
+ __cu_len); \
++ } else { \
++ memset(__cu_to, 0, __cu_len); \
+ } \
+ } \
+ __cu_len; \
--- /dev/null
+From 260b31643691e8a58683a4ccc3bdf7abfd86f54a Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 12 Nov 2015 15:14:23 +0100
+Subject: mmc: dw_mmc: use resource_size_t to store physical address
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 260b31643691e8a58683a4ccc3bdf7abfd86f54a upstream.
+
+The dw_mmc driver stores the physical address of the MMIO registers
+in a pointer, which requires the use of type casts, and is actually
+broken if anyone ever has this device on a 32-bit SoC in registers
+above 4GB. Gcc warns about this possibility when the driver is built
+with ARM LPAE enabled:
+
+mmc/host/dw_mmc.c: In function 'dw_mci_edmac_start_dma':
+mmc/host/dw_mmc.c:702:17: warning: cast from pointer to integer of different size
+ cfg.dst_addr = (dma_addr_t)(host->phy_regs + fifo_offset);
+ ^
+mmc/host/dw_mmc-pltfm.c: In function 'dw_mci_pltfm_register':
+mmc/host/dw_mmc-pltfm.c:63:19: warning: cast to pointer from integer of different size
+ host->phy_regs = (void *)(regs->start);
+
+This changes the code to use resource_size_t, which gets rid of the
+warning, the bug and the useless casts.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/dw_mmc-pltfm.c | 2 +-
+ drivers/mmc/host/dw_mmc.c | 2 +-
+ include/linux/mmc/dw_mmc.h | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/mmc/host/dw_mmc-pltfm.c
++++ b/drivers/mmc/host/dw_mmc-pltfm.c
+@@ -60,7 +60,7 @@ int dw_mci_pltfm_register(struct platfor
+
+ regs = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ /* Get registers' physical base address */
+- host->phy_regs = (void *)(regs->start);
++ host->phy_regs = regs->start;
+ host->regs = devm_ioremap_resource(&pdev->dev, regs);
+ if (IS_ERR(host->regs))
+ return PTR_ERR(host->regs);
+--- a/drivers/mmc/host/dw_mmc.c
++++ b/drivers/mmc/host/dw_mmc.c
+@@ -699,7 +699,7 @@ static int dw_mci_edmac_start_dma(struct
+ int ret = 0;
+
+ /* Set external dma config: burst size, burst width */
+- cfg.dst_addr = (dma_addr_t)(host->phy_regs + fifo_offset);
++ cfg.dst_addr = host->phy_regs + fifo_offset;
+ cfg.src_addr = cfg.dst_addr;
+ cfg.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
+ cfg.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES;
+--- a/include/linux/mmc/dw_mmc.h
++++ b/include/linux/mmc/dw_mmc.h
+@@ -172,7 +172,7 @@ struct dw_mci {
+ /* For edmac */
+ struct dw_mci_dma_slave *dms;
+ /* Registers's physical base address */
+- void *phy_regs;
++ resource_size_t phy_regs;
+
+ u32 cmd_status;
+ u32 data_status;
--- /dev/null
+From ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 16:33:10 -0400
+Subject: mn10300: copy_from_user() should zero on access_ok() failure...
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mn10300/lib/usercopy.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/mn10300/lib/usercopy.c
++++ b/arch/mn10300/lib/usercopy.c
+@@ -9,7 +9,7 @@
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+-#include <asm/uaccess.h>
++#include <linux/uaccess.h>
+
+ unsigned long
+ __generic_copy_to_user(void *to, const void *from, unsigned long n)
+@@ -24,6 +24,8 @@ __generic_copy_from_user(void *to, const
+ {
+ if (access_ok(VERIFY_READ, from, n))
+ __copy_user_zeroing(to, from, n);
++ else
++ memset(to, 0, n);
+ return n;
+ }
+
--- /dev/null
+From 43403eabf558d2800b429cd886e996fd555aa542 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 16:32:02 -0400
+Subject: mn10300: failing __get_user() and get_user() should zero
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 43403eabf558d2800b429cd886e996fd555aa542 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mn10300/include/asm/uaccess.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mn10300/include/asm/uaccess.h
++++ b/arch/mn10300/include/asm/uaccess.h
+@@ -181,6 +181,7 @@ struct __large_struct { unsigned long bu
+ "2:\n" \
+ " .section .fixup,\"ax\"\n" \
+ "3:\n\t" \
++ " mov 0,%1\n" \
+ " mov %3,%0\n" \
+ " jmp 2b\n" \
+ " .previous\n" \
--- /dev/null
+From 3610a2add39365a0f153154c60169a66c616d50f Mon Sep 17 00:00:00 2001
+From: Mike Danese <mikedanese@google.com>
+Date: Thu, 19 May 2016 21:54:51 -0700
+Subject: mpssd: fix buffer overflow warning
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mike Danese <mikedanese@google.com>
+
+commit 3610a2add39365a0f153154c60169a66c616d50f upstream.
+
+The compilation emits a warning in function ‘snprintf’,
+ inlined from ‘set_cmdline’ at
+ ../Documentation/mic/mpssd/mpssd.c:1541:9:
+/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10:
+ warning: call to __builtin___snprintf_chk will always overflow
+ destination buffer
+
+This was introduced in commit f4a66c204482 ("misc: mic: Update MIC host
+daemon with COSM changes") and is fixed by reverting the changes to the
+size argument of these snprintf statements.
+
+Cc: Ashutosh Dixit <ashutosh.dixit@intel.com>
+Signed-off-by: Mike Danese <mikedanese@google.com>
+Signed-off-by: Jonathan Corbet <corbet@lwn.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ Documentation/mic/mpssd/mpssd.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/Documentation/mic/mpssd/mpssd.c
++++ b/Documentation/mic/mpssd/mpssd.c
+@@ -1538,9 +1538,9 @@ set_cmdline(struct mic_info *mic)
+
+ len = snprintf(buffer, PATH_MAX,
+ "clocksource=tsc highres=off nohz=off ");
+- len += snprintf(buffer + len, PATH_MAX,
++ len += snprintf(buffer + len, PATH_MAX - len,
+ "cpufreq_on;corec6_off;pc3_off;pc6_off ");
+- len += snprintf(buffer + len, PATH_MAX,
++ len += snprintf(buffer + len, PATH_MAX - len,
+ "ifcfg=static;address,172.31.%d.1;netmask,255.255.255.0",
+ mic->id + 1);
+
--- /dev/null
+From facc432faa59414bd7c60c307ff1645154a66c98 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 22 Jan 2016 11:43:44 +0100
+Subject: net: simplify napi_synchronize() to avoid warnings
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit facc432faa59414bd7c60c307ff1645154a66c98 upstream.
+
+The napi_synchronize() function is defined twice: The definition
+for SMP builds waits for other CPUs to be done, while the uniprocessor
+variant just contains a barrier and ignores its argument.
+
+In the mvneta driver, this leads to a warning about an unused variable
+when we lookup the NAPI struct of another CPU and then don't use it:
+
+ethernet/marvell/mvneta.c: In function 'mvneta_percpu_notifier':
+ethernet/marvell/mvneta.c:2910:30: error: unused variable 'other_port' [-Werror=unused-variable]
+
+There are no other CPUs on a UP build, so that code never runs, but
+gcc does not know this.
+
+The nicest solution seems to be to turn the napi_synchronize() helper
+into an inline function for the UP case as well, as that leads gcc to
+not complain about the argument being unused. Once we do that, we can
+also combine the two cases into a single function definition and use
+if(IS_ENABLED()) rather than #ifdef to make it look a bit nicer.
+
+The warning first came up in linux-4.4, but I failed to catch it
+earlier.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Fixes: f86428854480 ("net: mvneta: Statically assign queues to CPUs")
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/netdevice.h | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/include/linux/netdevice.h
++++ b/include/linux/netdevice.h
+@@ -511,7 +511,6 @@ static inline void napi_enable(struct na
+ clear_bit(NAPI_STATE_NPSVC, &n->state);
+ }
+
+-#ifdef CONFIG_SMP
+ /**
+ * napi_synchronize - wait until NAPI is not running
+ * @n: napi context
+@@ -522,12 +521,12 @@ static inline void napi_enable(struct na
+ */
+ static inline void napi_synchronize(const struct napi_struct *n)
+ {
+- while (test_bit(NAPI_STATE_SCHED, &n->state))
+- msleep(1);
++ if (IS_ENABLED(CONFIG_SMP))
++ while (test_bit(NAPI_STATE_SCHED, &n->state))
++ msleep(1);
++ else
++ barrier();
+ }
+-#else
+-# define napi_synchronize(n) barrier()
+-#endif
+
+ enum netdev_queue_state_t {
+ __QUEUE_STATE_DRV_XOFF,
--- /dev/null
+From e33d1f6f72cc82fcfc3d1fb20c9e3ad83b1928fa Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 16:36:36 -0400
+Subject: nios2: copy_from_user() should zero the tail of destination
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit e33d1f6f72cc82fcfc3d1fb20c9e3ad83b1928fa upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/nios2/include/asm/uaccess.h | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/nios2/include/asm/uaccess.h
++++ b/arch/nios2/include/asm/uaccess.h
+@@ -102,9 +102,12 @@ extern long __copy_to_user(void __user *
+ static inline long copy_from_user(void *to, const void __user *from,
+ unsigned long n)
+ {
+- if (!access_ok(VERIFY_READ, from, n))
+- return n;
+- return __copy_from_user(to, from, n);
++ unsigned long res = n;
++ if (access_ok(VERIFY_READ, from, n))
++ res = __copy_from_user(to, from, n);
++ if (unlikely(res))
++ memset(to + (n - res), 0, res);
++ return res;
+ }
+
+ static inline long copy_to_user(void __user *to, const void *from,
--- /dev/null
+From 2e29f50ad5e23db37dde9be71410d95d50241ecd Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 16:39:01 -0400
+Subject: nios2: fix __get_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 2e29f50ad5e23db37dde9be71410d95d50241ecd upstream.
+
+a) should not leave crap on fault
+b) should _not_ require access_ok() in any cases.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/nios2/include/asm/uaccess.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/nios2/include/asm/uaccess.h
++++ b/arch/nios2/include/asm/uaccess.h
+@@ -139,7 +139,7 @@ extern long strnlen_user(const char __us
+
+ #define __get_user_unknown(val, size, ptr, err) do { \
+ err = 0; \
+- if (copy_from_user(&(val), ptr, size)) { \
++ if (__copy_from_user(&(val), ptr, size)) { \
+ err = -EFAULT; \
+ } \
+ } while (0)
+@@ -166,7 +166,7 @@ do { \
+ ({ \
+ long __gu_err = -EFAULT; \
+ const __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \
+- unsigned long __gu_val; \
++ unsigned long __gu_val = 0; \
+ __get_user_common(__gu_val, sizeof(*(ptr)), __gu_ptr, __gu_err);\
+ (x) = (__force __typeof__(x))__gu_val; \
+ __gu_err; \
--- /dev/null
+From acb2505d0119033a80c85ac8d02dccae41271667 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 17:05:21 -0400
+Subject: openrisc: fix copy_from_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit acb2505d0119033a80c85ac8d02dccae41271667 upstream.
+
+... that should zero on faults. Also remove the <censored> helpful
+logics wrt range truncation copied from ppc32. Where it had ever
+been needed only in case of copy_from_user() *and* had not been merged
+into the mainline until a month after the need had disappeared.
+A decade before openrisc went into mainline, I might add...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/openrisc/include/asm/uaccess.h | 33 ++++++++++-----------------------
+ 1 file changed, 10 insertions(+), 23 deletions(-)
+
+--- a/arch/openrisc/include/asm/uaccess.h
++++ b/arch/openrisc/include/asm/uaccess.h
+@@ -273,28 +273,20 @@ __copy_tofrom_user(void *to, const void
+ static inline unsigned long
+ copy_from_user(void *to, const void *from, unsigned long n)
+ {
+- unsigned long over;
++ unsigned long res = n;
+
+- if (access_ok(VERIFY_READ, from, n))
+- return __copy_tofrom_user(to, from, n);
+- if ((unsigned long)from < TASK_SIZE) {
+- over = (unsigned long)from + n - TASK_SIZE;
+- return __copy_tofrom_user(to, from, n - over) + over;
+- }
+- return n;
++ if (likely(access_ok(VERIFY_READ, from, n)))
++ n = __copy_tofrom_user(to, from, n);
++ if (unlikely(res))
++ memset(to + (n - res), 0, res);
++ return res;
+ }
+
+ static inline unsigned long
+ copy_to_user(void *to, const void *from, unsigned long n)
+ {
+- unsigned long over;
+-
+- if (access_ok(VERIFY_WRITE, to, n))
+- return __copy_tofrom_user(to, from, n);
+- if ((unsigned long)to < TASK_SIZE) {
+- over = (unsigned long)to + n - TASK_SIZE;
+- return __copy_tofrom_user(to, from, n - over) + over;
+- }
++ if (likely(access_ok(VERIFY_WRITE, to, n)))
++ n = __copy_tofrom_user(to, from, n);
+ return n;
+ }
+
+@@ -303,13 +295,8 @@ extern unsigned long __clear_user(void *
+ static inline __must_check unsigned long
+ clear_user(void *addr, unsigned long size)
+ {
+-
+- if (access_ok(VERIFY_WRITE, addr, size))
+- return __clear_user(addr, size);
+- if ((unsigned long)addr < TASK_SIZE) {
+- unsigned long over = (unsigned long)addr + size - TASK_SIZE;
+- return __clear_user(addr, size - over) + over;
+- }
++ if (likely(access_ok(VERIFY_WRITE, addr, size)))
++ size = __clear_user(addr, size);
+ return size;
+ }
+
--- /dev/null
+From aace880feea38875fbc919761b77e5732a3659ef Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 20 Aug 2016 19:03:37 -0400
+Subject: parisc: fix copy_from_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit aace880feea38875fbc919761b77e5732a3659ef upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/asm/uaccess.h | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/include/asm/uaccess.h
++++ b/arch/parisc/include/asm/uaccess.h
+@@ -10,6 +10,7 @@
+ #include <asm-generic/uaccess-unaligned.h>
+
+ #include <linux/bug.h>
++#include <linux/string.h>
+
+ #define VERIFY_READ 0
+ #define VERIFY_WRITE 1
+@@ -245,13 +246,14 @@ static inline unsigned long __must_check
+ unsigned long n)
+ {
+ int sz = __compiletime_object_size(to);
+- int ret = -EFAULT;
++ unsigned long ret = n;
+
+ if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
+ ret = __copy_from_user(to, from, n);
+ else
+ copy_from_user_overflow();
+-
++ if (unlikely(ret))
++ memset(to + (n - ret), 0, ret);
+ return ret;
+ }
+
--- /dev/null
+From 32844138e31347fc0f61d3bf2d7b9c4583f189e3 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Wed, 18 Nov 2015 16:21:17 +0100
+Subject: pinctrl: at91-pio4: use %pr format string for resource
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 32844138e31347fc0f61d3bf2d7b9c4583f189e3 upstream.
+
+resource_size_t may be defined as 32 or 64 bit depending on configuration,
+so it cannot be printed using the normal format strings, as gcc correctly
+warns:
+
+pinctrl-at91-pio4.c: In function 'atmel_pinctrl_probe':
+pinctrl-at91-pio4.c:1003:41: warning: format '%u' expects argument of type 'unsigned int', but argument 5 has type 'resource_size_t {aka long long unsigned int}' [-Wformat=]
+ dev_dbg(dev, "bank %i: hwirq=%u\n", i, res->start);
+
+This changes the format string to use the special "%pr" format
+string that prints a resource, and changes the arguments so we
+the resource structure directly.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Ludovic Desroches <ludovic.desroches@atmel.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/pinctrl-at91-pio4.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/pinctrl-at91-pio4.c
++++ b/drivers/pinctrl/pinctrl-at91-pio4.c
+@@ -1002,7 +1002,7 @@ static int atmel_pinctrl_probe(struct pl
+ atmel_pioctrl->irqs[i] = res->start;
+ irq_set_chained_handler(res->start, atmel_gpio_irq_handler);
+ irq_set_handler_data(res->start, atmel_pioctrl);
+- dev_dbg(dev, "bank %i: hwirq=%u\n", i, res->start);
++ dev_dbg(dev, "bank %i: irq=%pr\n", i, res);
+ }
+
+ atmel_pioctrl->irq_domain = irq_domain_add_linear(dev->of_node,
--- /dev/null
+From fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 21 Aug 2016 22:00:54 -0400
+Subject: s390: get_user() should zero on failure
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/s390/include/asm/uaccess.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/s390/include/asm/uaccess.h
++++ b/arch/s390/include/asm/uaccess.h
+@@ -215,28 +215,28 @@ int __put_user_bad(void) __attribute__((
+ __chk_user_ptr(ptr); \
+ switch (sizeof(*(ptr))) { \
+ case 1: { \
+- unsigned char __x; \
++ unsigned char __x = 0; \
+ __gu_err = __get_user_fn(&__x, ptr, \
+ sizeof(*(ptr))); \
+ (x) = *(__force __typeof__(*(ptr)) *) &__x; \
+ break; \
+ }; \
+ case 2: { \
+- unsigned short __x; \
++ unsigned short __x = 0; \
+ __gu_err = __get_user_fn(&__x, ptr, \
+ sizeof(*(ptr))); \
+ (x) = *(__force __typeof__(*(ptr)) *) &__x; \
+ break; \
+ }; \
+ case 4: { \
+- unsigned int __x; \
++ unsigned int __x = 0; \
+ __gu_err = __get_user_fn(&__x, ptr, \
+ sizeof(*(ptr))); \
+ (x) = *(__force __typeof__(*(ptr)) *) &__x; \
+ break; \
+ }; \
+ case 8: { \
+- unsigned long long __x; \
++ unsigned long long __x = 0; \
+ __gu_err = __get_user_fn(&__x, ptr, \
+ sizeof(*(ptr))); \
+ (x) = *(__force __typeof__(*(ptr)) *) &__x; \
--- /dev/null
+From c2f18fa4cbb3ad92e033a24efa27583978ce9600 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 21 Aug 2016 22:13:39 -0400
+Subject: score: fix __get_user/get_user
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit c2f18fa4cbb3ad92e033a24efa27583978ce9600 upstream.
+
+* should zero on any failure
+* __get_user() should use __copy_from_user(), not copy_from_user()
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/score/include/asm/uaccess.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/score/include/asm/uaccess.h
++++ b/arch/score/include/asm/uaccess.h
+@@ -163,7 +163,7 @@ do { \
+ __get_user_asm(val, "lw", ptr); \
+ break; \
+ case 8: \
+- if ((copy_from_user((void *)&val, ptr, 8)) == 0) \
++ if (__copy_from_user((void *)&val, ptr, 8) == 0) \
+ __gu_err = 0; \
+ else \
+ __gu_err = -EFAULT; \
+@@ -188,6 +188,8 @@ do { \
+ \
+ if (likely(access_ok(VERIFY_READ, __gu_ptr, size))) \
+ __get_user_common((x), size, __gu_ptr); \
++ else \
++ (x) = 0; \
+ \
+ __gu_err; \
+ })
+@@ -201,6 +203,7 @@ do { \
+ "2:\n" \
+ ".section .fixup,\"ax\"\n" \
+ "3:li %0, %4\n" \
++ "li %1, 0\n" \
+ "j 2b\n" \
+ ".previous\n" \
+ ".section __ex_table,\"a\"\n" \
--- /dev/null
+From b615e3c74621e06cd97f86373ca90d43d6d998aa Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 21 Aug 2016 22:30:44 -0400
+Subject: score: fix copy_from_user() and friends
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit b615e3c74621e06cd97f86373ca90d43d6d998aa upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/score/include/asm/uaccess.h | 41 +++++++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 21 deletions(-)
+
+--- a/arch/score/include/asm/uaccess.h
++++ b/arch/score/include/asm/uaccess.h
+@@ -301,35 +301,34 @@ extern int __copy_tofrom_user(void *to,
+ static inline unsigned long
+ copy_from_user(void *to, const void *from, unsigned long len)
+ {
+- unsigned long over;
++ unsigned long res = len;
+
+- if (access_ok(VERIFY_READ, from, len))
+- return __copy_tofrom_user(to, from, len);
++ if (likely(access_ok(VERIFY_READ, from, len)))
++ res = __copy_tofrom_user(to, from, len);
+
+- if ((unsigned long)from < TASK_SIZE) {
+- over = (unsigned long)from + len - TASK_SIZE;
+- return __copy_tofrom_user(to, from, len - over) + over;
+- }
+- return len;
++ if (unlikely(res))
++ memset(to + (len - res), 0, res);
++
++ return res;
+ }
+
+ static inline unsigned long
+ copy_to_user(void *to, const void *from, unsigned long len)
+ {
+- unsigned long over;
+-
+- if (access_ok(VERIFY_WRITE, to, len))
+- return __copy_tofrom_user(to, from, len);
++ if (likely(access_ok(VERIFY_WRITE, to, len)))
++ len = __copy_tofrom_user(to, from, len);
+
+- if ((unsigned long)to < TASK_SIZE) {
+- over = (unsigned long)to + len - TASK_SIZE;
+- return __copy_tofrom_user(to, from, len - over) + over;
+- }
+ return len;
+ }
+
+-#define __copy_from_user(to, from, len) \
+- __copy_tofrom_user((to), (from), (len))
++static inline unsigned long
++__copy_from_user(void *to, const void *from, unsigned long len)
++{
++ unsigned long left = __copy_tofrom_user(to, from, len);
++ if (unlikely(left))
++ memset(to + (len - left), 0, left);
++ return left;
++}
+
+ #define __copy_to_user(to, from, len) \
+ __copy_tofrom_user((to), (from), (len))
+@@ -343,17 +342,17 @@ __copy_to_user_inatomic(void *to, const
+ static inline unsigned long
+ __copy_from_user_inatomic(void *to, const void *from, unsigned long len)
+ {
+- return __copy_from_user(to, from, len);
++ return __copy_tofrom_user(to, from, len);
+ }
+
+-#define __copy_in_user(to, from, len) __copy_from_user(to, from, len)
++#define __copy_in_user(to, from, len) __copy_tofrom_user(to, from, len)
+
+ static inline unsigned long
+ copy_in_user(void *to, const void *from, unsigned long len)
+ {
+ if (access_ok(VERIFY_READ, from, len) &&
+ access_ok(VERFITY_WRITE, to, len))
+- return copy_from_user(to, from, len);
++ return __copy_tofrom_user(to, from, len);
+ }
+
+ /*
revert-wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch
sched-core-fix-a-race-between-try_to_wake_up-and-a-woken-up-task.patch
ipv6-addrconf-fix-dev-refcont-leak-when-dad-failed.patch
+gma500-remove-annoying-deprecation-warning.patch
+mpssd-fix-buffer-overflow-warning.patch
+drm-i915-avoid-pointer-arithmetic-in-calculating-plane-surface-offset.patch
+mmc-dw_mmc-use-resource_size_t-to-store-physical-address.patch
+pinctrl-at91-pio4-use-pr-format-string-for-resource.patch
+soc-qcom-spm-shut-up-uninitialized-variable-warning.patch
+kconfig-tinyconfig-provide-whole-choice-blocks-to-avoid-warnings.patch
+net-simplify-napi_synchronize-to-avoid-warnings.patch
+drm-atmel-hlcdc-fix-vertical-scaling.patch
+drm-only-use-compat-ioctl-for-addfb2-on-x86-ia64.patch
+genirq-provide-irq_gc_-lock_irqsave-unlock_irqrestore-helpers.patch
+irqchip-atmel-aic-fix-potential-deadlock-in-xlate.patch
+fix-iov_iter_fault_in_readable.patch
+microblaze-fix-__get_user.patch
+avr32-fix-copy_from_user.patch
+microblaze-fix-copy_from_user.patch
+fix-minor-infoleak-in-get_user_ex.patch
+mn10300-failing-__get_user-and-get_user-should-zero.patch
+m32r-fix-__get_user.patch
+sh64-failing-__get_user-should-zero.patch
+nios2-fix-__get_user.patch
+score-fix-__get_user-get_user.patch
+s390-get_user-should-zero-on-failure.patch
+arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch
+asm-generic-make-get_user-clear-the-destination-on-errors.patch
+frv-fix-clear_user.patch
+cris-buggered-copy_from_user-copy_to_user-clear_user.patch
+blackfin-fix-copy_from_user.patch
+score-fix-copy_from_user-and-friends.patch
+sh-fix-copy_from_user.patch
+hexagon-fix-strncpy_from_user-error-return.patch
+mips-copy_from_user-must-zero-the-destination-on-access_ok-failure.patch
+asm-generic-make-copy_from_user-zero-the-destination-properly.patch
+alpha-fix-copy_from_user.patch
+metag-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch
+parisc-fix-copy_from_user.patch
+openrisc-fix-copy_from_user.patch
+nios2-copy_from_user-should-zero-the-tail-of-destination.patch
+mn10300-copy_from_user-should-zero-on-access_ok-failure.patch
--- /dev/null
+From 6e050503a150b2126620c1a1e9b3a368fcd51eac Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 21 Aug 2016 23:39:47 -0400
+Subject: sh: fix copy_from_user()
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 6e050503a150b2126620c1a1e9b3a368fcd51eac upstream.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/sh/include/asm/uaccess.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/sh/include/asm/uaccess.h
++++ b/arch/sh/include/asm/uaccess.h
+@@ -151,7 +151,10 @@ copy_from_user(void *to, const void __us
+ __kernel_size_t __copy_size = (__kernel_size_t) n;
+
+ if (__copy_size && __access_ok(__copy_from, __copy_size))
+- return __copy_user(to, from, __copy_size);
++ __copy_size = __copy_user(to, from, __copy_size);
++
++ if (unlikely(__copy_size))
++ memset(to + (n - __copy_size), 0, __copy_size);
+
+ return __copy_size;
+ }
--- /dev/null
+From c6852389228df9fb3067f94f3b651de2a7921b36 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sun, 21 Aug 2016 23:33:47 -0400
+Subject: sh64: failing __get_user() should zero
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit c6852389228df9fb3067f94f3b651de2a7921b36 upstream.
+
+It could be done in exception-handling bits in __get_user_b() et.al.,
+but the surgery involved would take more knowledge of sh64 details
+than I have or _want_ to have.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/sh/include/asm/uaccess_64.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/sh/include/asm/uaccess_64.h
++++ b/arch/sh/include/asm/uaccess_64.h
+@@ -24,6 +24,7 @@
+ #define __get_user_size(x,ptr,size,retval) \
+ do { \
+ retval = 0; \
++ x = 0; \
+ switch (size) { \
+ case 1: \
+ retval = __get_user_asm_b((void *)&x, \
--- /dev/null
+From 00affcac69c7aae6c2cfcbc71f724e1c16d0b445 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Sun, 17 Jan 2016 01:02:56 +0100
+Subject: soc: qcom/spm: shut up uninitialized variable warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 00affcac69c7aae6c2cfcbc71f724e1c16d0b445 upstream.
+
+gcc warns about the 'found' variable possibly being used uninitialized:
+
+drivers/soc/qcom/spm.c: In function 'spm_dev_probe':
+drivers/soc/qcom/spm.c:305:5: error: 'found' may be used uninitialized in this function [-Werror=maybe-uninitialized]
+
+However, the code is correct because we know that there is
+always at least one online CPU. This initializes the 'found'
+variable to zero before the loop so the compiler knows
+it does not have to warn about it.
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/soc/qcom/spm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/qcom/spm.c
++++ b/drivers/soc/qcom/spm.c
+@@ -288,7 +288,7 @@ static struct spm_driver_data *spm_get_d
+ struct spm_driver_data *drv = NULL;
+ struct device_node *cpu_node, *saw_node;
+ int cpu;
+- bool found;
++ bool found = 0;
+
+ for_each_possible_cpu(cpu) {
+ cpu_node = of_cpu_device_node_get(cpu);
projects / thirdparty / kernel / stable-queue.git / commitdiff
