commit c977650a67e6ca6c3cff9548b031d072d00db80a
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Wed May 18 17:04:11 2016 -0700

    Linux 3.14.70

commit a1f85b3a66d74389417e86505013e51a06b789f0
Author: Kangjie Lu <kangjielu@gmail.com>
Date:   Sun May 8 12:10:14 2016 -0400

    net: fix a kernel infoleak in x25 module
    
    [ Upstream commit 79e48650320e6fba48369fccf13fd045315b19b8 ]
    
    Stack object "dte_facilities" is allocated in x25_rx_call_request(),
    which is supposed to be initialized in x25_negotiate_facilities.
    However, 5 fields (8 bytes in total) are not initialized. This
    object is then copied to userland via copy_to_user, thus infoleak
    occurs.
    
    Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4e89b76588e7fa923fe0b8cba1145646036289bd
Author: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Date:   Wed May 4 16:18:45 2016 +0200

    net: bridge: fix old ioctl unlocked net device walk
    
    [ Upstream commit 31ca0458a61a502adb7ed192bf9716c6d05791a5 ]
    
    get_bridge_ifindices() is used from the old "deviceless" bridge ioctl
    calls which aren't called with rtnl held. The comment above says that it is
    called with rtnl but that is not really the case.
    Here's a sample output from a test ASSERT_RTNL() which I put in
    get_bridge_ifindices and executed "brctl show":
    [  957.422726] RTNL: assertion failed at net/bridge//br_ioctl.c (30)
    [  957.422925] CPU: 0 PID: 1862 Comm: brctl Tainted: G        W  O
    4.6.0-rc4+ #157
    [  957.423009] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
    BIOS 1.8.1-20150318_183358- 04/01/2014
    [  957.423009]  0000000000000000 ffff880058adfdf0 ffffffff8138dec5
    0000000000000400
    [  957.423009]  ffffffff81ce8380 ffff880058adfe58 ffffffffa05ead32
    0000000000000001
    [  957.423009]  00007ffec1a444b0 0000000000000400 ffff880053c19130
    0000000000008940
    [  957.423009] Call Trace:
    [  957.423009]  [<ffffffff8138dec5>] dump_stack+0x85/0xc0
    [  957.423009]  [<ffffffffa05ead32>]
    br_ioctl_deviceless_stub+0x212/0x2e0 [bridge]
    [  957.423009]  [<ffffffff81515beb>] sock_ioctl+0x22b/0x290
    [  957.423009]  [<ffffffff8126ba75>] do_vfs_ioctl+0x95/0x700
    [  957.423009]  [<ffffffff8126c159>] SyS_ioctl+0x79/0x90
    [  957.423009]  [<ffffffff8163a4c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
    
    Since it only reads bridge ifindices, we can use rcu to safely walk the net
    device list. Also remove the wrong rtnl comment above.
    
    Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit a70f3ad276ddeccce63da71e555906af0a4a310a
Author: Ian Campbell <ian.campbell@docker.com>
Date:   Wed May 4 14:21:53 2016 +0100

    VSOCK: do not disconnect socket when peer has shutdown SEND only
    
    [ Upstream commit dedc58e067d8c379a15a8a183c5db318201295bb ]
    
    The peer may be expecting a reply having sent a request and then done a
    shutdown(SHUT_WR), so tearing down the whole socket at this point seems
    wrong and breaks for me with a client which does a SHUT_WR.
    
    Looking at other socket family's stream_recvmsg callbacks doing a shutdown
    here does not seem to be the norm and removing it does not seem to have
    had any adverse effects that I can see.
    
    I'm using Stefan's RFC virtio transport patches, I'm unsure of the impact
    on the vmci transport.
    
    Signed-off-by: Ian Campbell <ian.campbell@docker.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Stefan Hajnoczi <stefanha@redhat.com>
    Cc: Claudio Imbrenda <imbrenda@linux.vnet.ibm.com>
    Cc: Andy King <acking@vmware.com>
    Cc: Dmitry Torokhov <dtor@vmware.com>
    Cc: Jorgen Hansen <jhansen@vmware.com>
    Cc: Adit Ranadive <aditr@vmware.com>
    Cc: netdev@vger.kernel.org
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit c1e797692b97ec480bc0e940cc022823e3cc40c9
Author: Kangjie Lu <kangjielu@gmail.com>
Date:   Tue May 3 16:46:24 2016 -0400

    net: fix infoleak in rtnetlink
    
    [ Upstream commit 5f8e44741f9f216e33736ea4ec65ca9ac03036e6 ]
    
    The stack object “map” has a total size of 32 bytes. Its last 4
    bytes are padding generated by compiler. These padding bytes are
    not initialized and sent out via “nla_put”.
    
    Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f3a0b05e04b862ffc549b5635339a5cee00da34d
Author: Kangjie Lu <kangjielu@gmail.com>
Date:   Tue May 3 16:35:05 2016 -0400

    net: fix infoleak in llc
    
    [ Upstream commit b8670c09f37bdf2847cc44f36511a53afc6161fd ]
    
    The stack object “info” has a total size of 12 bytes. Its last byte
    is padding which is not initialized and leaked via “put_cmsg”.
    
    Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit d6b8a68ac7b6d2e241f8d34b769c98a1793d9124
Author: Ben Hutchings <ben@decadent.org.uk>
Date:   Wed Apr 20 23:23:08 2016 +0100

    atl2: Disable unimplemented scatter/gather feature
    
    [ Upstream commit f43bfaeddc79effbf3d0fcb53ca477cca66f3db8 ]
    
    atl2 includes NETIF_F_SG in hw_features even though it has no support
    for non-linear skbs.  This bug was originally harmless since the
    driver does not claim to implement checksum offload and that used to
    be a requirement for SG.
    
    Now that SG and checksum offload are independent features, if you
    explicitly enable SG *and* use one of the rare protocols that can use
    SG without checkusm offload, this potentially leaks sensitive
    information (before you notice that it just isn't working).  Therefore
    this obscure bug has been designated CVE-2016-2117.
    
    Reported-by: Justin Yackoski <jyackoski@crypto-nite.com>
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Fixes: ec5f06156423 ("net: Kill link between CSUM and SG features.")
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 87d1233dddee7a9216b0c127fd69df9dedac6262
Author: Mathias Krause <minipli@googlemail.com>
Date:   Sun Apr 10 12:52:28 2016 +0200

    packet: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface
    
    [ Upstream commit 309cf37fe2a781279b7675d4bb7173198e532867 ]
    
    Because we miss to wipe the remainder of i->addr[] in packet_mc_add(),
    pdiag_put_mclist() leaks uninitialized heap bytes via the
    PACKET_DIAG_MCLIST netlink attribute.
    
    Fix this by explicitly memset(0)ing the remaining bytes in i->addr[].
    
    Fixes: eea68e2f1a00 ("packet: Report socket mclist info via diag module")
    Signed-off-by: Mathias Krause <minipli@googlemail.com>
    Cc: Eric W. Biederman <ebiederm@xmission.com>
    Cc: Pavel Emelyanov <xemul@parallels.com>
    Acked-by: Pavel Emelyanov <xemul@virtuozzo.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9a7deb646b34f0e3ccfebf963a390b8f61f1d174
Author: Chris Friesen <chris.friesen@windriver.com>
Date:   Fri Apr 8 15:21:30 2016 -0600

    route: do not cache fib route info on local routes with oif
    
    [ Upstream commit d6d5e999e5df67f8ec20b6be45e2229455ee3699 ]
    
    For local routes that require a particular output interface we do not want
    to cache the result.  Caching the result causes incorrect behaviour when
    there are multiple source addresses on the interface.  The end result
    being that if the intended recipient is waiting on that interface for the
    packet he won't receive it because it will be delivered on the loopback
    interface and the IP_PKTINFO ipi_ifindex will be set to the loopback
    interface as well.
    
    This can be tested by running a program such as "dhcp_release" which
    attempts to inject a packet on a particular interface so that it is
    received by another program on the same board.  The receiving process
    should see an IP_PKTINFO ipi_ifndex value of the source interface
    (e.g., eth1) instead of the loopback interface (e.g., lo).  The packet
    will still appear on the loopback interface in tcpdump but the important
    aspect is that the CMSG info is correct.
    
    Sample dhcp_release command line:
    
       dhcp_release eth1 192.168.204.222 02:11:33:22:44:66
    
    Signed-off-by: Allain Legacy <allain.legacy@windriver.com>
    Signed off-by: Chris Friesen <chris.friesen@windriver.com>
    Reviewed-by: Julian Anastasov <ja@ssi.bg>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4f19b61fcca691b47f37435343b40a55a88a675f
Author: David S. Miller <davem@davemloft.net>
Date:   Sun Apr 10 23:01:30 2016 -0400

    decnet: Do not build routes to devices without decnet private data.
    
    [ Upstream commit a36a0d4008488fa545c74445d69eaf56377d5d4e ]
    
    In particular, make sure we check for decnet private presence
    for loopback devices.
    
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9fb9e4f0f001921fed7e0b33491f22096cc7cd83
Author: Tony Lindgren <tony@atomide.com>
Date:   Thu May 28 07:22:08 2015 -0700

    ARM: OMAP3: Fix booting with thumb2 kernel
    
    commit d8a50941c91a68da202aaa96a3dacd471ea9c693 upstream.
    
    We get a NULL pointer dereference on omap3 for thumb2 compiled kernels:
    
    Internal error: Oops: 80000005 [#1] SMP THUMB2
    ...
    [<c046497b>] (_raw_spin_unlock_irqrestore) from [<c0024375>]
    (omap3_enter_idle_bm+0xc5/0x178)
    [<c0024375>] (omap3_enter_idle_bm) from [<c0374e63>]
    (cpuidle_enter_state+0x77/0x27c)
    [<c0374e63>] (cpuidle_enter_state) from [<c00627f1>]
    (cpu_startup_entry+0x155/0x23c)
    [<c00627f1>] (cpu_startup_entry) from [<c06b9a47>]
    (start_kernel+0x32f/0x338)
    [<c06b9a47>] (start_kernel) from [<8000807f>] (0x8000807f)
    
    The power management related assembly on omaps needs to interact with
    ARM mode bootrom code, so we need to keep most of the related assembly
    in ARM mode.
    
    Turns out this error is because of missing ENDPROC for assembly code
    as suggested by Stephen Boyd <sboyd@codeaurora.org>. Let's fix the
    problem by adding ENDPROC in two places to sleep34xx.S.
    
    Let's also remove the now duplicate custom code for mode switching.
    This has been unnecessary since commit 6ebbf2ce437b ("ARM: convert
    all "mov.* pc, reg" to "bx reg" for ARMv6+").
    
    And let's also remove the comments about local variables, they are
    now just confusing after the ENDPROC.
    
    The reason why ENDPROC makes a difference is it sets .type and then
    the compiler knows what to do with the thumb bit as explained at:
    
    https://wiki.ubuntu.com/ARM/Thumb2PortingHowto
    
    Reported-by: Kevin Hilman <khilman@kernel.org>
    Tested-by: Kevin Hilman <khilman@linaro.org>
    Signed-off-by: Tony Lindgren <tony@atomide.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dfc2079ba67e4bd5b3ee88d59952a174a7f1272f
Author: Daniel Vetter <daniel.vetter@ffwll.ch>
Date:   Tue May 3 10:33:01 2016 +0200

    drm/i915: Bail out of pipe config compute loop on LPT
    
    commit 2700818ac9f935d8590715eecd7e8cadbca552b6 upstream.
    
    LPT is pch, so might run into the fdi bandwidth constraint (especially
    since it has only 2 lanes). But right now we just force pipe_bpp back
    to 24, resulting in a nice loop (which we bail out with a loud
    WARN_ON). Fix this.
    
    Cc: Chris Wilson <chris@chris-wilson.co.uk>
    Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
    References: https://bugs.freedesktop.org/show_bug.cgi?id=93477
    Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
    Tested-by: Chris Wilson <chris@chris-wilson.co.uk>
    Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
    Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
    Link: http://patchwork.freedesktop.org/patch/msgid/1462264381-7573-1-git-send-email-daniel.vetter@ffwll.ch
    (cherry picked from commit f58a1acc7e4a1f37d26124ce4c875c647fbcc61f)
    Signed-off-by: Jani Nikula <jani.nikula@intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9e3f55f5045c542a48c560c503f949b8e80adcf4
Author: Lucas Stach <dev@lynxeye.de>
Date:   Thu May 5 10:16:44 2016 -0400

    drm/radeon: fix PLL sharing on DCE6.1 (v2)
    
    commit e3c00d87845ab375f90fa6e10a5e72a3a5778cd3 upstream.
    
    On DCE6.1 PPLL2 is exclusively available to UNIPHYA, so it should not
    be taken into consideration when looking for an already enabled PLL
    to be shared with other outputs.
    
    This fixes the broken VGA port (TRAVIS DP->VGA bridge) on my Richland
    based laptop, where the internal display is connected to UNIPHYA through
    a TRAVIS DP->LVDS bridge.
    
    Bug:
    https://bugs.freedesktop.org/show_bug.cgi?id=78987
    
    v2: agd: add check in radeon_get_shared_nondp_ppll as well, drop
        extra parameter.
    
    Signed-off-by: Lucas Stach <dev@lynxeye.de>
    Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 1ad1bad4817ccf1e59d52ed7d71623be48bec3a9
Author: Andi Kleen <ak@linux.intel.com>
Date:   Sat Feb 8 08:52:00 2014 +0100

    asmlinkage, pnp: Make variables used from assembler code visible
    
    commit a99aa42d0253f033cbb85096d3f2bd82201321e6 upstream.
    
    Mark variables referenced from assembler files visible.
    
    This fixes compile problems with LTO.
    
    Cc: Jaroslav Kysela <perex@perex.cz>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Link: http://lkml.kernel.org/r/1391845930-28580-4-git-send-email-ak@linux.intel.com
    Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
    Cc: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 9a048abff4355201ca945d2e9ebe64ec4755c446
Author: Marek Szyprowski <m.szyprowski@samsung.com>
Date:   Mon May 9 09:31:47 2016 -0700

    Input: max8997-haptic - fix NULL pointer dereference
    
    commit 6ae645d5fa385f3787bf1723639cd907fe5865e7 upstream.
    
    NULL pointer derefence happens when booting with DTB because the
    platform data for haptic device is not set in supplied data from parent
    MFD device.
    
    The MFD device creates only platform data (from Device Tree) for itself,
    not for haptic child.
    
    Unable to handle kernel NULL pointer dereference at virtual address 0000009c
    pgd = c0004000
    	[0000009c] *pgd=00000000
    	Internal error: Oops: 5 [#1] PREEMPT SMP ARM
    	(max8997_haptic_probe) from [<c03f9cec>] (platform_drv_probe+0x4c/0xb0)
    	(platform_drv_probe) from [<c03f8440>] (driver_probe_device+0x214/0x2c0)
    	(driver_probe_device) from [<c03f8598>] (__driver_attach+0xac/0xb0)
    	(__driver_attach) from [<c03f67ac>] (bus_for_each_dev+0x68/0x9c)
    	(bus_for_each_dev) from [<c03f7a38>] (bus_add_driver+0x1a0/0x218)
    	(bus_add_driver) from [<c03f8db0>] (driver_register+0x78/0xf8)
    	(driver_register) from [<c0101774>] (do_one_initcall+0x90/0x1d8)
    	(do_one_initcall) from [<c0a00dbc>] (kernel_init_freeable+0x15c/0x1fc)
    	(kernel_init_freeable) from [<c06bb5b4>] (kernel_init+0x8/0x114)
    	(kernel_init) from [<c0107938>] (ret_from_fork+0x14/0x3c)
    
    Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Fixes: 104594b01ce7 ("Input: add driver support for MAX8997-haptic")
    [k.kozlowski: Write commit message, add CC-stable]
    Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
    Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit dc7e3177f3cefcbecda0e4266cd554866ff2caea
Author: Al Viro <viro@zeniv.linux.org.uk>
Date:   Thu May 5 16:25:35 2016 -0400

    get_rock_ridge_filename(): handle malformed NM entries
    
    commit 99d825822eade8d827a1817357cbf3f889a552d6 upstream.
    
    Payloads of NM entries are not supposed to contain NUL.  When we run
    into such, only the part prior to the first NUL goes into the
    concatenation (i.e. the directory entry name being encoded by a bunch
    of NM entries).  We do stop when the amount collected so far + the
    claimed amount in the current NM entry exceed 254.  So far, so good,
    but what we return as the total length is the sum of *claimed*
    sizes, not the actual amount collected.  And that can grow pretty
    large - not unlimited, since you'd need to put CE entries in
    between to be able to get more than the maximum that could be
    contained in one isofs directory entry / continuation chunk and
    we are stop once we'd encountered 32 CEs, but you can get about 8Kb
    easily.  And that's what will be passed to readdir callback as the
    name length.  8Kb __copy_to_user() from a buffer allocated by
    __get_free_page()
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit cc440a5b68873b7b98c3130d09a69a1b13acb0b7
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date:   Wed May 4 17:52:56 2016 +0800

    crypto: hash - Fix page length clamping in hash walk
    
    commit 13f4bb78cf6a312bbdec367ba3da044b09bf0e29 upstream.
    
    The crypto hash walk code is broken when supplied with an offset
    greater than or equal to PAGE_SIZE.  This patch fixes it by adjusting
    walk->pg and walk->offset when this happens.
    
    Reported-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>