I've attached the following fixes to 4.9, as an mbox:
- brcmfmac: add length checks in scheduled scan result handler - brcmfmac: assure SSID length from firmware is limited - brcmfmac: add subtype check for event handling in data path - binder: Replace "%p" with "%pK" for stable - binder: replace "%p" with "%pK" - fs: prevent page refcount overflow in pipe_buf_get - mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages - mm, gup: ensure real head page is ref-counted when using hugepages - mm: prevent get_user_pages() from overflowing page refcount - mm: make page ref count overflow check tighter and more explicit - coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
The first two "mm, gup" commits might not be strictly security fixes but the next one depends on them.
Ben.