From 11c7037780148309a93b3d95c966b87db019f764 Mon Sep 17 00:00:00 2001
From: Tad
Date: Tue, 7 Nov 2017 17:32:46 -0500
Subject: [PATCH] Switch to new CVE patchset
---
 .../Linux_CVEs/CVE-2012-4220/ANY/0001.patch | 345 +
 .../Linux_CVEs/CVE-2012-4221/ANY/0001.patch | 345 +
 .../Linux_CVEs/CVE-2012-4222/ANY/0001.patch | 65 +
 .../{ANY/0.patch => ^3.5/0001.patch} | 0
 .../{ANY/0.patch => ^3.5/0001.patch} | 0
 .../CVE-2012-6701/ANY/{0.patch => 0001.patch} | 0
 .../CVE-2012-6703/ANY/{0.patch => 0001.patch} | 0
 .../CVE-2012-6703/ANY/{2.patch => 0002.patch} | 0
 Patches/Linux_CVEs/CVE-2012-6703/ANY/1.patch | 31 -
 .../{ANY/0.patch => ^3.5/0001.patch} | 0
 .../{3.4/0.patch => ^3.8/0001.patch} | 0
 .../Linux_CVEs/CVE-2013-2596/ANY/0001.patch | 52 +
 .../Linux_CVEs/CVE-2013-2596/ANY/0002.patch | 64 +
 .../Linux_CVEs/CVE-2013-2596/ANY/0003.patch | 56 +
 .../Linux_CVEs/CVE-2013-2597/ANY/0001.patch | 32 +
 .../Linux_CVEs/CVE-2013-2597/ANY/0002.patch | 32 +
 .../CVE-2013-4312/3.2/{0.patch => 0001.patch} | 0
 .../CVE-2013-4312/3.2/{1.patch => 0002.patch} | 0
 .../CVE-2013-4312/4.5/{2.patch => 0003.patch} | 0
 .../CVE-2013-4312/4.5/{3.patch => 0004.patch} | 0
 .../Linux_CVEs/CVE-2013-4736/ANY/0002.patch | 125 +
 .../Linux_CVEs/CVE-2013-4736/ANY/0003.patch | 101 +
 .../Linux_CVEs/CVE-2013-4737/ANY/0001.patch | 150 +
 .../Linux_CVEs/CVE-2013-4738/ANY/0001.patch | 34 +
 .../Linux_CVEs/CVE-2013-4738/ANY/0002.patch | 33 +
 .../Linux_CVEs/CVE-2013-4739/ANY/0001.patch | 50 +
 .../Linux_CVEs/CVE-2013-4740/ANY/0001.patch | 300 +
 .../Linux_CVEs/CVE-2013-6122/ANY/0001.patch | 300 +
 .../Linux_CVEs/CVE-2013-6123/ANY/0001.patch | 39 +
 .../Linux_CVEs/CVE-2013-6123/ANY/0002.patch | 67 +
 .../Linux_CVEs/CVE-2013-6282/ANY/0001.patch | 253 +
 .../Linux_CVEs/CVE-2013-7446/ANY/0001.patch | 320 +
 .../CVE-2014-0196/3.2/{1.patch => 0002.patch} | 0
 .../CVE-2014-0196/3.4/{2.patch => 0003.patch} | 0
 .../CVE-2014-0196/ANY/{0.patch => 0001.patch} | 0
 .../{3.12/0.patch => ANY/0001.patch} | 0
 .../Linux_CVEs/CVE-2014-0972/ANY/0001.patch | 181 +
 .../Linux_CVEs/CVE-2014-0972/ANY/0002.patch | 31 +
.../Linux_CVEs/CVE-2014-0975/ANY/0001.patch | 35 + .../Linux_CVEs/CVE-2014-0976/ANY/0001.patch | 31 + .../CVE-2014-1739/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-2523/3.2/{1.patch => 0001.patch} | 0 .../{ANY/0.patch => ^3.13/0002.patch} | 0 .../CVE-2014-2706/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-2851/3.2/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2014-3145/3.2/2.patch | 92 - .../{3.10/1.patch => ANY/0001.patch} | 0 .../CVE-2014-3145/ANY/{0.patch => 0002.patch} | 0 .../CVE-2014-4014/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2014-4321/ANY/0001.patch | 66 + .../Linux_CVEs/CVE-2014-4322/ANY/0001.patch | 94 + .../Linux_CVEs/CVE-2014-4322/ANY/0002.patch | 383 + .../{3.10/0.patch => ANY/0001.patch} | 0 .../Linux_CVEs/CVE-2014-4324/ANY/0001.patch | 308 + Patches/Linux_CVEs/CVE-2014-4655/3.2/1.patch | 90 - Patches/Linux_CVEs/CVE-2014-4655/3.2/2.patch | 27 - .../CVE-2014-4655/ANY/{0.patch => 0001.patch} | 7 +- Patches/Linux_CVEs/CVE-2014-4656/3.2/1.patch | 39 - .../CVE-2014-4656/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-4943/3.2/{1.patch => 0001.patch} | 0 .../{ANY/0.patch => ^3.15/0002.patch} | 0 .../^3.16/{0.patch => 0001.patch} | 0 .../0.patch => 3.2-3.16/0001.patch} | 0 .../CVE-2014-7825/3.2/{0.patch => 0001.patch} | 0 .../CVE-2014-7825/3.2/{1.patch => 0002.patch} | 0 .../{ANY/2.patch => ^3.17/0003.patch} | 0 .../CVE-2014-7970/3.0/{1.patch => 0001.patch} | 0 .../CVE-2014-7970/3.4/{2.patch => 0002.patch} | 0 .../{ANY/0.patch => ^3.17/0003.patch} | 0 .../{3.2-^3.18/1.patch => 3.2/0001.patch} | 0 .../^3.18/{0.patch => 0002.patch} | 0 .../{ANY/0.patch => 3.9-3.12/0001.patch} | 0 Patches/Linux_CVEs/CVE-2014-8709/3.2/1.patch | 56 - .../CVE-2014-8709/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2014-9322/ANY/0001.patch | 16 + .../CVE-2014-9322/ANY/0001.patch.base64 | 1 + .../Linux_CVEs/CVE-2014-9322/ANY/0002.patch | 519 + .../CVE-2014-9322/ANY/0002.patch.base64 | 1 + .../Linux_CVEs/CVE-2014-9322/ANY/0003.patch | 52 + 
.../CVE-2014-9322/ANY/0003.patch.base64 | 1 + .../Linux_CVEs/CVE-2014-9322/ANY/0004.patch | 10 + .../CVE-2014-9322/ANY/0004.patch.base64 | 1 + .../Linux_CVEs/CVE-2014-9322/ANY/0005.patch | 54 + .../CVE-2014-9322/ANY/0005.patch.base64 | 1 + .../Linux_CVEs/CVE-2014-9322/ANY/0006.patch | 195 + .../CVE-2014-9322/ANY/0006.patch.base64 | 1 + .../Linux_CVEs/CVE-2014-9322/ANY/0007.patch | 105 + .../CVE-2014-9322/ANY/0007.patch.base64 | 1 + .../Linux_CVEs/CVE-2014-9322/ANY/0008.patch | 30 + .../CVE-2014-9322/ANY/0008.patch.base64 | 1 + .../Linux_CVEs/CVE-2014-9322/ANY/0009.patch | 94 + .../CVE-2014-9322/ANY/0009.patch.base64 | 1 + .../Linux_CVEs/CVE-2014-9322/ANY/0010.patch | 101 + .../CVE-2014-9322/ANY/0010.patch.base64 | 1 + .../Linux_CVEs/CVE-2014-9322/ANY/0011.patch | 55 + .../CVE-2014-9322/ANY/0011.patch.base64 | 1 + .../CVE-2014-9420/3.2-^3.18/1.patch | 57 - .../{^3.18/0.patch => ANY/0001.patch} | 7 +- Patches/Linux_CVEs/CVE-2014-9529/3.2/1.patch | 51 - .../CVE-2014-9529/ANY/{0.patch => 0001.patch} | 7 +- .../{3.2-^3.18/1.patch => 3.2/0001.patch} | 0 .../^3.18/{0.patch => 0002.patch} | 0 .../CVE-2014-9715/3.2/{1.patch => 0001.patch} | 0 .../{ANY/0.patch => ^3.14/0002.patch} | 0 .../CVE-2014-9731/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2014-9777/ANY/0001.patch | 35 + Patches/Linux_CVEs/CVE-2014-9778/ANY/0.patch | 48 - .../0.patch => CVE-2014-9778/ANY/0001.patch} | 0 .../Linux_CVEs/CVE-2014-9779/ANY/0001.patch | 44 + .../CVE-2014-9780/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9781/ANY/{0.patch => 0001.patch} | 2 + .../CVE-2014-9782/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9783/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2014-9783/ANY/0002.patch | 50 + .../CVE-2014-9784/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9785/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9786/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9787/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9788/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9789/ANY/{0.patch => 0001.patch} | 0 
.../CVE-2014-9790/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2014-9790/ANY/0002.patch | 37 + .../Linux_CVEs/CVE-2014-9791/ANY/0001.patch | 83 + .../CVE-2014-9792/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9803/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9863/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9864/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9865/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9866/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9867/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9868/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9869/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9869/ANY/{1.patch => 0002.patch} | 0 .../CVE-2014-9870/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9871/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9872/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9873/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9874/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2014-9874/ANY/1.patch | 44 - .../CVE-2014-9875/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2014-9876/3.4/1.patch | 30 - .../{3.0/0.patch => ANY/0001.patch} | 0 .../CVE-2014-9877/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9878/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9879/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9880/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9881/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9882/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9882/ANY/{1.patch => 0002.patch} | 0 .../CVE-2014-9883/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9884/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9885/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9886/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9887/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2014-9888/ANY/0.patch | 37 - .../CVE-2014-9888/ANY/{1.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2014-9889/3.10/0.patch | 85 - .../{3.4/1.patch => ANY/0001.patch} | 0 .../CVE-2014-9890/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9891/ANY/{0.patch => 0001.patch} | 0 
.../CVE-2014-9892/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9893/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9894/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9895/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2014-9895/ANY/1.patch | 36 - .../CVE-2014-9896/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9897/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9898/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9899/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9900/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9901/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9902/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2014-9902/ANY/0002.patch | 61 + .../CVE-2014-9903/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9904/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9914/ANY/{0.patch => 0001.patch} | 0 .../CVE-2014-9922/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2014-9922/ANY/1.patch | 18 - .../CVE-2014-9922/ANY/1.patch.base64 | 1 - .../CVE-2014-9940/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2015-0569/3.10/2.patch | 33 - .../CVE-2015-0569/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-0569/ANY/{1.patch => 0002.patch} | 0 Patches/Linux_CVEs/CVE-2015-0570/3.10/2.patch | 185 - .../CVE-2015-0570/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-0570/ANY/{1.patch => 0002.patch} | 0 .../Linux_CVEs/CVE-2015-0571/ANY/0001.patch | 39 + .../Linux_CVEs/CVE-2015-0571/ANY/0002.patch | 38 + .../Linux_CVEs/CVE-2015-0571/ANY/0003.patch | 39 + .../Linux_CVEs/CVE-2015-0571/ANY/0004.patch | 39 + .../Linux_CVEs/CVE-2015-0571/ANY/0005.patch | 37 + .../Linux_CVEs/CVE-2015-0571/ANY/0006.patch | 38 + .../Linux_CVEs/CVE-2015-0571/ANY/0007.patch | 38 + .../Linux_CVEs/CVE-2015-0571/ANY/0008.patch | 38 + .../Linux_CVEs/CVE-2015-0571/ANY/0009.patch | 38 + .../Linux_CVEs/CVE-2015-0571/ANY/0010.patch | 38 + .../Linux_CVEs/CVE-2015-0571/ANY/0011.patch | 38 + .../Linux_CVEs/CVE-2015-0571/ANY/0012.patch | 44 + .../Linux_CVEs/CVE-2015-0571/ANY/0013.patch | 105 + 
.../Linux_CVEs/CVE-2015-0572/ANY/0001.patch | 143 + .../Linux_CVEs/CVE-2015-0573/ANY/0001.patch | 12987 ++++++++++++++++ .../{3.2/0.patch => 3.2-3.19/0001.patch} | 0 .../CVE-2015-1465/ANY/{0.patch => 0001.patch} | 11 +- .../CVE-2015-1534/ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch.base64 => 0001.patch.base64} | 0 .../CVE-2015-1593/ANY/{0.patch => 0001.patch} | 17 +- .../Linux_CVEs/CVE-2015-1805/3.10/0002.patch | 152 + .../CVE-2015-1805/3.10/0002.patch.base64 | 1 + .../Linux_CVEs/CVE-2015-1805/3.14/0003.patch | 152 + .../CVE-2015-1805/3.14/0003.patch.base64 | 1 + .../{3.4-^3.16/0.patch => 3.16/0004.patch} | 0 .../Linux_CVEs/CVE-2015-1805/3.4/0001.patch | 152 + .../CVE-2015-1805/3.4/0001.patch.base64 | 1 + .../CVE-2015-2041/3.2/{1.patch => 0001.patch} | 0 .../{ANY/0.patch => ^3.19/0002.patch} | 0 .../CVE-2015-2686/ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch.disabled => 0001.patch} | 7 +- Patches/Linux_CVEs/CVE-2015-3288/3.2/1.patch | 73 - .../CVE-2015-3288/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-3339/3.2/{1.patch => 0001.patch} | 0 .../{ANY/0.patch => ^3.19/0002.patch} | 0 .../CVE-2015-3636/ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => 3.10^/0001.patch} | 0 .../{ANY/0.patch => 4.0/0001.patch} | 0 .../0.patch => CVE-2015-5364/ANY/0001.patch} | 13 +- .../1.patch => CVE-2015-5366/3.10/0001.patch} | 0 .../3.10/0001.patch.base64} | 0 .../2.patch => CVE-2015-5366/3.18/0002.patch} | 0 .../3.18/0002.patch.base64} | 0 .../0.patch => CVE-2015-5366/^4.9/0003.patch} | 0 .../{ANY/0.patch => ^4.1/0001.patch} | 0 .../CVE-2015-5706/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-5707/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-5707/ANY/{1.patch => 0002.patch} | 0 .../Linux_CVEs/CVE-2015-6619/ANY/0001.patch | 5 + .../CVE-2015-6619/ANY/0001.patch.base64 | 1 + .../Linux_CVEs/CVE-2015-6640/ANY/0001.patch | 13 + .../CVE-2015-6640/ANY/0001.patch.base64 | 1 + .../Linux_CVEs/CVE-2015-6642/ANY/0001.patch | 57 + .../{ANY/0.patch => ^3.7/0001.patch} | 0 .../{3.2-^4.4/1.patch 
=> 3.2/0001.patch} | 0 .../^4.4/{0.patch => 0002.patch} | 0 .../{ANY/0.patch => ^4.3/0001.patch} | 0 .../Linux_CVEs/CVE-2015-7872/ANY/0001.patch | 79 + .../3.10/{0.patch => 0001.patch} | 0 .../3.18/{1.patch => 0002.patch} | 0 .../{ANY/2.patch => 4.3/0003.patch} | 0 .../CVE-2015-8539/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-8543/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-8575/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-8785/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-8830/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-8830/ANY/{1.patch => 0002.patch} | 0 .../CVE-2015-8839/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-8839/ANY/{1.patch => 0002.patch} | 0 .../CVE-2015-8937/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-8938/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-8939/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-8940/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-8941/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-8942/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-8943/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-8944/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2015-8950/ANY/0001.patch | 53 + .../{ANY/0.patch => 3.10/0001.patch} | 0 .../Linux_CVEs/CVE-2015-8951/3.18/0002.patch | 76 + .../CVE-2015-8955/ANY/{0.patch => 0001.patch} | 73 +- .../CVE-2015-8961/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-8962/ANY/{0.patch => 0001.patch} | 7 +- .../CVE-2015-8963/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2015-8964/3.10/1.patch | 80 - .../CVE-2015-8964/ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => 3.15+/0001.patch} | 0 .../CVE-2015-8967/ANY/{0.patch => 0001.patch} | 0 .../CVE-2015-9004/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-0723/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-0728/3.10/0001.patch | 12 + .../CVE-2016-0728/3.10/0001.patch.base64 | 1 + .../Linux_CVEs/CVE-2016-0728/3.14/0002.patch | 12 + .../CVE-2016-0728/3.14/0002.patch.base64 | 1 + .../Linux_CVEs/CVE-2016-0728/3.18/0003.patch | 12 + 
.../CVE-2016-0728/3.18/0003.patch.base64 | 1 + .../Linux_CVEs/CVE-2016-0728/4.1/0004.patch | 12 + .../CVE-2016-0728/4.1/0004.patch.base64 | 1 + Patches/Linux_CVEs/CVE-2016-0728/ANY/0.patch | 81 - .../CVE-2016-0758/ANY/{0.patch => 0001.patch} | 13 +- .../ANY/{0.patch.disabled => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-0774/ANY/1.patch | 60 - .../Linux_CVEs/CVE-2016-0801/ANY/0001.patch | 28 + .../CVE-2016-0801/ANY/0001.patch.base64 | 1 + .../Linux_CVEs/CVE-2016-0802/ANY/0001.patch | 152 + .../CVE-2016-0802/ANY/0001.patch.base64 | 1 + .../CVE-2016-0805/ANY/{0.patch => 0001.patch} | 0 .../{3.4/1.patch => ANY/0001.patch} | 4 + .../{3.10/0.patch => ANY/0002.patch} | 4 + .../ANY/{0.patch.disabled => 0001.patch} | 0 .../CVE-2016-0821/ANY/{0.patch => 0001.patch} | 7 +- .../CVE-2016-0823/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-0843/ANY/0001.patch | 101 + .../Linux_CVEs/CVE-2016-0844/ANY/0001.patch | 60 + .../ANY/{2.patch => 0001.patch} | 0 .../ANY/{0.patch => 0002.patch} | 0 .../ANY/{0.patch.base64 => 0002.patch.base64} | 0 .../ANY/{1.patch => 0003.patch} | 0 .../ANY/{1.patch.base64 => 0003.patch.base64} | 0 .../ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => 4.9/0001.patch} | 0 .../{ANY/0.patch => 4.9/0001.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 .../{3.16/2.patch => 3.10-3.16/0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-10208/ANY/0.patch | 63 - .../CVE-2016-10208/ANY/0.patch.base64 | 1 - Patches/Linux_CVEs/CVE-2016-10208/ANY/1.patch | 67 - Patches/Linux_CVEs/CVE-2016-10208/ANY/3.patch | 31 - Patches/Linux_CVEs/CVE-2016-10208/ANY/4.patch | 37 - Patches/Linux_CVEs/CVE-2016-10208/ANY/5.patch | 23 - .../CVE-2016-10208/ANY/5.patch.base64 | 1 - .../{^4.5/0.patch => ANY/0001.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 .../{3.18/0.patch => ANY/0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-10231/ANY/1.patch | 38 - .../3.10/{1.patch => 0001.patch} | 0 .../3.18/{0.patch => 0002.patch} | 0 .../Linux_CVEs/CVE-2016-10233/3.10/1.patch | 37 - .../ANY/{0.patch 
=> 0001.patch} | 0 .../{ANY/1.patch => 3.10/0001.patch} | 0 .../{ANY/0.patch => 3.18/0002.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-10235/ANY/1.patch | 35 - .../ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-10283/ANY/0002.patch | 43 + Patches/Linux_CVEs/CVE-2016-10283/ANY/1.patch | 44 - .../ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => 3.18/0001.patch} | 0 .../Linux_CVEs/CVE-2016-10289/4.4/0002.patch | 80 + .../ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-10291/3.10/0001.patch | 74 + .../{ANY/0.patch => 3.18/0002.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-10293/ANY/1.patch | 13 - .../CVE-2016-10293/ANY/1.patch.base64 | 1 - .../ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-10296/ANY/1.patch | 78 - .../CVE-2016-10296/ANY/1.patch.base64 | 1 - Patches/Linux_CVEs/CVE-2016-1583/ANY/0.patch | 57 - .../Linux_CVEs/CVE-2016-1583/ANY/0001.patch | 41 + .../Linux_CVEs/CVE-2016-1583/ANY/0002.patch | 59 + .../Linux_CVEs/CVE-2016-1583/ANY/0003.patch | 36 + .../CVE-2016-2053/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-2059/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-2060/ANY/0001.patch | 34 + .../CVE-2016-2061/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-2062/ANY/0001.patch | 7 + .../CVE-2016-2063/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-2064/ANY/0001.patch | 1511 ++ .../Linux_CVEs/CVE-2016-2065/ANY/0001.patch | 1511 ++ .../Linux_CVEs/CVE-2016-2066/ANY/0001.patch | 1511 ++ .../Linux_CVEs/CVE-2016-2067/ANY/0001.patch | 82 + .../CVE-2016-2068/ANY/{0.patch => 0001.patch} | 25 +- .../Linux_CVEs/CVE-2016-2184/ANY/0001.patch | 101 + .../CVE-2016-2185/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-2185/ANY/1.patch.dupe | 109 
- .../CVE-2016-2186/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-2186/ANY/1.patch.dupe | 38 - .../CVE-2016-2187/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-2187/ANY/1.patch.dupe | 59 - .../CVE-2016-2188/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-2188/ANY/{2.patch => 0002.patch} | 0 Patches/Linux_CVEs/CVE-2016-2188/ANY/1.patch | 46 - .../{ANY/0.patch => ^4.5/0001.patch} | 0 .../Linux_CVEs/CVE-2016-2411/ANY/0001.patch | 49 + .../Linux_CVEs/CVE-2016-2438/ANY/0001.patch | 98 + .../Linux_CVEs/CVE-2016-2441/ANY/0001.patch | 605 + .../Linux_CVEs/CVE-2016-2442/ANY/0001.patch | 605 + .../CVE-2016-2443/ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch.base64 => 0001.patch.base64} | 0 .../{ANY/0.patch => 3.10/0001.patch} | 0 .../Linux_CVEs/CVE-2016-2465/3.18/0002.patch | 178 + .../CVE-2016-2466/ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch.base64 => 0001.patch.base64} | 0 .../CVE-2016-2467/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-2468/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-2468/ANY/{1.patch => 0002.patch} | 0 .../ANY/{1.patch.base64 => 0002.patch.base64} | 0 .../Linux_CVEs/CVE-2016-2469/3.10/0001.patch | 90 + .../Linux_CVEs/CVE-2016-2469/3.18/0002.patch | 67 + Patches/Linux_CVEs/CVE-2016-2469/ANY/0.patch | 104 - .../CVE-2016-2469/ANY/0.patch.base64 | 1 - .../Linux_CVEs/CVE-2016-2470/ANY/0001.patch | 303 + .../Linux_CVEs/CVE-2016-2470/ANY/0002.patch | 88 + .../Linux_CVEs/CVE-2016-2471/ANY/0001.patch | 43 + .../Linux_CVEs/CVE-2016-2472/ANY/0001.patch | 398 + .../Linux_CVEs/CVE-2016-2473/ANY/0001.patch | 284 + Patches/Linux_CVEs/CVE-2016-2474/ANY/0.patch | 25 - .../CVE-2016-2474/ANY/0.patch.base64 | 1 - .../Linux_CVEs/CVE-2016-2474/ANY/0001.patch | 41 + .../Linux_CVEs/CVE-2016-2474/ANY/0002.patch | 99 + .../CVE-2016-2475/ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch.base64 => 0001.patch.base64} | 0 .../Linux_CVEs/CVE-2016-2477/ANY/0001.patch | 116 + .../CVE-2016-2477/ANY/0001.patch.base64 | 1 + .../Linux_CVEs/CVE-2016-2478/ANY/0001.patch | 
116 + .../CVE-2016-2478/ANY/0001.patch.base64 | 1 + .../Linux_CVEs/CVE-2016-2480/ANY/0001.patch | 1138 ++ .../CVE-2016-2480/ANY/0001.patch.base64 | 1 + .../Linux_CVEs/CVE-2016-2482/ANY/0001.patch | 131 + .../CVE-2016-2482/ANY/0001.patch.base64 | 1 + .../CVE-2016-2488/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-2498/ANY/0001.patch | 303 + .../Linux_CVEs/CVE-2016-2501/ANY/0001.patch | 96 + .../Linux_CVEs/CVE-2016-2502/ANY/0001.patch | 37 + .../{ANY/0.patch => 3.10/0001.patch} | 0 .../Linux_CVEs/CVE-2016-2503/3.18/0002.patch | 102 + .../Linux_CVEs/CVE-2016-2504/3.18/0002.patch | 80 + .../CVE-2016-2504/3.4-3.10/0001.patch | 164 + .../CVE-2016-2504/ANY/{0.patch => 0003.patch} | 0 .../CVE-2016-2544/ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => ^4.4/0001.patch} | 0 .../CVE-2016-2546/ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => ^4.4/0001.patch} | 0 .../{ANY/0.patch => ^4.4/0001.patch} | 0 .../CVE-2016-2847/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-3070/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-3134/3.10/0.patch | 115 - .../Linux_CVEs/CVE-2016-3134/ANY/0001.patch | 234 + .../CVE-2016-3135/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-3136/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-3136/ANY/1.patch.dupe | 53 - .../CVE-2016-3137/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-3137/ANY/1.patch.dupe | 53 - .../CVE-2016-3138/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-3138/ANY/1.patch.dupe | 39 - .../CVE-2016-3140/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-3140/ANY/1.patch.dupe | 57 - .../CVE-2016-3156/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-3672/ANY/{0.patch => 0001.patch} | 46 +- .../CVE-2016-3689/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-3689/ANY/1.patch.dupe | 40 - .../Linux_CVEs/CVE-2016-3746/ANY/0001.patch | 162 + .../Linux_CVEs/CVE-2016-3747/ANY/0001.patch | 91 + .../Linux_CVEs/CVE-2016-3768/ANY/0001.patch | 90 + .../CVE-2016-3768/ANY/{0.patch => 0002.patch} | 0 
.../3.10/{0.patch => 0003.patch} | 0 .../3.18/{1.patch => 0004.patch} | 0 .../CVE-2016-3775/3.4/{3.patch => 0001.patch} | 0 .../CVE-2016-3775/3.4/{2.patch => 0002.patch} | 0 .../3.4/{2.patch.base64 => 0002.patch.base64} | 0 .../Linux_CVEs/CVE-2016-3792/ANY/0001.patch | 336 + .../Linux_CVEs/CVE-2016-3797/ANY/0001.patch | 60 + .../CVE-2016-3809/ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch.base64 => 0001.patch.base64} | 0 .../{ANY/0.patch => 3.10/0001.patch} | 0 .../Linux_CVEs/CVE-2016-3813/3.18/0002.patch | 51 + Patches/Linux_CVEs/CVE-2016-3841/3.10/1.patch | 574 - Patches/Linux_CVEs/CVE-2016-3841/3.4/0.patch | 557 - .../{3.18/2.patch => ANY/0001.patch} | 167 +- .../3.10/{1.patch => 0002.patch} | 0 .../3.18/{2.patch => 0003.patch} | 0 .../CVE-2016-3842/3.4/{0.patch => 0001.patch} | 0 .../CVE-2016-3843/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-3843/ANY/{1.patch => 0002.patch} | 0 .../CVE-2016-3843/ANY/{2.patch => 0003.patch} | 0 .../CVE-2016-3843/ANY/{3.patch => 0004.patch} | 0 .../Linux_CVEs/CVE-2016-3850/ANY/0001.patch | 36 + .../CVE-2016-3854/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-3855/ANY/{0.patch => 0001.patch} | 0 .../{3.10/0.patch => ANY/0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-3857/ANY/1.patch | 32 - Patches/Linux_CVEs/CVE-2016-3857/ANY/2.patch | 48 - .../CVE-2016-3857/ANY/2.patch.base64 | 1 - .../Linux_CVEs/CVE-2016-3858/ANY/0001.patch | 31 + .../{ANY/0.patch => 3.10/0001.patch} | 0 .../Linux_CVEs/CVE-2016-3859/3.18/0002.patch | 36 + .../Linux_CVEs/CVE-2016-3860/ANY/0001.patch | 7585 +++++++++ .../CVE-2016-3865/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-3865/ANY/{1.patch => 0002.patch} | 0 .../Linux_CVEs/CVE-2016-3866/ANY/0001.patch | 31 + .../3.10/{0.patch => 0001.patch} | 0 .../3.18/{1.patch => 0002.patch} | 0 .../Linux_CVEs/CVE-2016-3868/ANY/0001.patch | 74 + .../Linux_CVEs/CVE-2016-3874/ANY/0001.patch | 47 + .../Linux_CVEs/CVE-2016-3874/ANY/0002.patch | 44 + .../Linux_CVEs/CVE-2016-3892/ANY/0001.patch | 105 + 
.../CVE-2016-3893/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-3894/ANY/0.patch | 26 - .../CVE-2016-3894/ANY/{1.patch => 0001.patch} | 0 .../0.patch => CVE-2016-3901/ANY/0001.patch} | 0 .../CVE-2016-3902/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-3903/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-3904/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-3905/ANY/0001.patch | 170 + .../CVE-2016-3906/ANY/{0.patch => 0001.patch} | 20 +- .../{ANY/0.patch => 3.10/0001.patch} | 0 .../Linux_CVEs/CVE-2016-3907/3.10/0002.patch | 33 + .../CVE-2016-3931/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-3934/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-3935/ANY/0001.patch | 59 + .../Linux_CVEs/CVE-2016-3938/ANY/0001.patch | 48 + .../Linux_CVEs/CVE-2016-3939/ANY/0001.patch | 49 + .../Linux_CVEs/CVE-2016-3951/ANY/0001.patch | 87 + .../Linux_CVEs/CVE-2016-3951/ANY/0002.patch | 39 + .../Linux_CVEs/CVE-2016-4470/ANY/0001.patch | 91 + .../Linux_CVEs/CVE-2016-4482/ANY/0001.patch | 41 + .../{^4.5/0.patch => ANY/0001.patch} | 0 .../CVE-2016-4569/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-4578/ANY/0001.patch | 33 + .../CVE-2016-4578/ANY/{0.patch => 0002.patch} | 0 .../{ANY/0.patch => 3.18+/0001.patch} | 0 .../{ANY/1.patch => 3.18+/0002.patch} | 0 .../CVE-2016-4805/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-4805/ANY/1.patch | 55 - .../Linux_CVEs/CVE-2016-4998/ANY/0001.patch | 200 + .../CVE-2016-4998/ANY/{0.patch => 0002.patch} | 0 Patches/Linux_CVEs/CVE-2016-5195/3.4/0.patch | 148 - .../{3.10/1.patch => ANY/0001.patch} | 26 +- .../{3.18/2.patch => ANY/0002.patch} | 30 +- .../CVE-2016-5340/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-5342/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-5343/ANY/{0.patch => 0001.patch} | 13 +- .../Linux_CVEs/CVE-2016-5344/ANY/0001.patch | 167 + .../CVE-2016-5345/ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => 3.18/0001.patch} | 0 .../Linux_CVEs/CVE-2016-5346/4.4/0002.patch | 48 + .../{ANY/0.patch => 
3.18/0001.patch} | 6 +- .../Linux_CVEs/CVE-2016-5347/4.4/0002.patch | 31 + .../CVE-2016-5349/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-5349/ANY/{3.patch => 0002.patch} | 0 .../CVE-2016-5349/ANY/{2.patch => 0003.patch} | 0 .../CVE-2016-5349/ANY/{1.patch => 0004.patch} | 0 .../Linux_CVEs/CVE-2016-5696/ANY/0001.patch | 81 + .../CVE-2016-5829/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-5853/3.10/0001.patch | 35 + .../Linux_CVEs/CVE-2016-5853/3.18/0002.patch | 35 + .../{ANY/0.patch => 4.4/0003.patch} | 0 .../CVE-2016-5854/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-5855/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-5856/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-5857/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-5858/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-5858/ANY/{1.patch => 0002.patch} | 0 .../Linux_CVEs/CVE-2016-5858/ANY/0003.patch | 37 + .../Linux_CVEs/CVE-2016-5859/3.10/0001.patch | 51 + .../{ANY/0.patch => 3.18/0002.patch} | 0 .../Linux_CVEs/CVE-2016-5860/3.10/0001.patch | 36 + .../Linux_CVEs/CVE-2016-5860/3.18/0002.patch | 36 + .../{ANY/0.patch => 4.4/0003.patch} | 0 Patches/Linux_CVEs/CVE-2016-5861/3.10/2.patch | 78 - .../CVE-2016-5861/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-5861/ANY/1.patch | 34 - .../CVE-2016-5862/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-5863/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-5864/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-5867/3.10/0001.patch | 51 + .../{ANY/0.patch => 3.18/0002.patch} | 0 .../Linux_CVEs/CVE-2016-5867/4.4/0003.patch | 51 + .../Linux_CVEs/CVE-2016-5868/3.10/0001.patch | 525 + .../Linux_CVEs/CVE-2016-5868/3.18/0002.patch | 519 + .../{ANY/0.patch => 4.4/0003.patch} | 0 .../CVE-2016-5870/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-6136/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-6672/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-6675/ANY/0001.patch | 35 + .../Linux_CVEs/CVE-2016-6676/ANY/0001.patch | 33 + .../CVE-2016-6679/ANY/{0.patch => 
0001.patch} | 0 .../CVE-2016-6679/ANY/{1.patch => 0002.patch} | 0 Patches/Linux_CVEs/CVE-2016-6679/ANY/2.patch | 476 - .../CVE-2016-6680/ANY/{1.patch => 0001.patch} | 170 +- .../CVE-2016-6680/ANY/{0.patch => 0002.patch} | 0 .../0.patch => CVE-2016-6681/ANY/0001.patch} | 26 +- .../0.patch => CVE-2016-6682/ANY/0001.patch} | 26 +- .../CVE-2016-6683/ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch.base64 => 0001.patch.base64} | 0 .../Linux_CVEs/CVE-2016-6692/ANY/0001.patch | 58 + .../Linux_CVEs/CVE-2016-6693/ANY/0001.patch | 37 + .../Linux_CVEs/CVE-2016-6694/ANY/0001.patch | 45 + .../Linux_CVEs/CVE-2016-6695/ANY/0001.patch | 56 + .../Linux_CVEs/CVE-2016-6696/ANY/0001.patch | 35 + .../{ANY/0.patch => 3.10/0001.patch} | 0 .../Linux_CVEs/CVE-2016-6698/3.18/0002.patch | 213 + .../{ANY/0.patch => 3.10/0001.patch} | 0 .../Linux_CVEs/CVE-2016-6725/3.18/0002.patch | 40 + .../CVE-2016-6728/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-6728/ANY/{1.patch => 0002.patch} | 0 Patches/Linux_CVEs/CVE-2016-6728/ANY/2.patch | 38 - .../CVE-2016-6738/ANY/{0.patch => 0001.patch} | 0 .../3.10/{1.patch => 0001.patch} | 0 .../3.18/{0.patch => 0002.patch} | 0 .../3.10/{1.patch => 0001.patch} | 0 .../3.18/{0.patch => 0002.patch} | 0 .../3.10/{0.patch.disabled => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-6741/3.18/0002.patch | 137 + .../CVE-2016-6742/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-6745/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-6745/ANY/{1.patch => 0002.patch} | 0 .../CVE-2016-6745/ANY/{2.patch => 0003.patch} | 0 .../CVE-2016-6745/ANY/{3.patch => 0004.patch} | 0 .../Linux_CVEs/CVE-2016-6745/ANY/0005.patch | 401 + .../{ANY/1.patch => 3.10/0001.patch} | 0 .../{ANY/0.patch => 3.18/0002.patch} | 0 .../Linux_CVEs/CVE-2016-6749/ANY/0001.patch | 214 + .../CVE-2016-6750/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-6751/ANY/{0.patch => 0001.patch} | 21 +- .../CVE-2016-6752/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-6753/ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => 3.10/0001.patch} | 
0 .../Linux_CVEs/CVE-2016-6755/3.18/0002.patch | 57 + .../{ANY/0.patch => 3.10/0001.patch} | 0 .../Linux_CVEs/CVE-2016-6756/3.18/0002.patch | 1593 ++ .../{ANY/0.patch => 3.10/0001.patch} | 0 .../Linux_CVEs/CVE-2016-6757/3.18/0002.patch | 2368 +++ .../CVE-2016-6786/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-6787/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-6791/ANY/0001.patch | 79 + .../CVE-2016-6791/ANY/{0.patch => 0002.patch} | 0 .../CVE-2016-6828/ANY/{0.patch => 0001.patch} | 2 + .../CVE-2016-7042/ANY/{0.patch => 0001.patch} | 0 .../{^4.8/0.patch => ANY/0001.patch} | 0 .../0.patch => CVE-2016-7117/ANY/0001.patch} | 12 +- .../Linux_CVEs/CVE-2016-7910/ANY/0001.patch | 112 + .../Linux_CVEs/CVE-2016-7911/ANY/0001.patch | 123 + .../{3.18/0.patch => ANY/0001.patch} | 36 +- Patches/Linux_CVEs/CVE-2016-7913/3.10/1.patch | 45 - Patches/Linux_CVEs/CVE-2016-7913/3.10/2.patch | 131 - .../{3.10/0.patch => ANY/0001.patch} | 14 +- .../CVE-2016-7914/ANY/{0.patch => 0001.patch} | 7 +- .../CVE-2016-7915/ANY/{0.patch => 0001.patch} | 0 .../{^4.5/0.patch => ANY/0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-7917/3.18/1.patch | 21 - .../CVE-2016-7917/3.18/1.patch.base64 | 1 - .../CVE-2016-7917/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2016-8391/ANY/0001.patch | 79 + .../CVE-2016-8391/ANY/{0.patch => 0002.patch} | 0 .../Linux_CVEs/CVE-2016-8392/ANY/0001.patch | 79 + .../Linux_CVEs/CVE-2016-8392/ANY/0002.patch | 97 + .../CVE-2016-8393/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8393/ANY/{1.patch => 0002.patch} | 0 .../CVE-2016-8393/ANY/{2.patch => 0003.patch} | 0 .../CVE-2016-8394/ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch.disabled => 0001.patch} | 0 .../CVE-2016-8399/ANY/{1.patch => 0002.patch} | 0 .../CVE-2016-8401/ANY/{0.patch => 0001.patch} | 0 .../3.10/{0.patch => 0002.patch} | 0 .../CVE-2016-8402/3.4/{1.patch => 0001.patch} | 0 .../CVE-2016-8403/ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch.base64 => 0001.patch.base64} | 0 
.../CVE-2016-8404/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8405/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8406/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8407/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8410/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8412/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8413/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8414/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8415/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-8415/ANY/1.patch | 47 - .../CVE-2016-8416/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8417/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8418/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8419/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-8419/ANY/1.patch | 102 - .../CVE-2016-8420/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-8420/ANY/1.patch | 55 - .../CVE-2016-8421/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-8421/ANY/1.patch | 75 - .../CVE-2016-8434/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8436/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8444/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8450/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8452/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-8452/ANY/1.patch | 98 - Patches/Linux_CVEs/CVE-2016-8452/ANY/2.patch | 102 - .../CVE-2016-8453/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8454/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8455/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-8456/ANY/0.patch | 143 - .../0.patch => CVE-2016-8456/ANY/0001.patch} | 0 .../Linux_CVEs/CVE-2016-8457/ANY/0001.patch | 348 + .../3.10/{0.patch => 0001.patch} | 0 .../3.18/{1.patch => 0002.patch} | 0 .../CVE-2016-8463/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-8463/ANY/1.patch | 32 - Patches/Linux_CVEs/CVE-2016-8463/ANY/2.patch | 35 - .../3.10/{0.patch => 0001.patch} | 0 .../3.18/{1.patch => 0002.patch} | 0 .../{1.patch.base64 => 0002.patch.base64} | 0 .../3.10/{0.patch => 0001.patch} 
| 0 .../3.10/{1.patch => 0002.patch} | 0 .../3.18/{2.patch => 0003.patch} | 0 .../3.18/{3.patch => 0004.patch} | 0 .../3.10/{0.patch => 0001.patch} | 0 .../3.18/{1.patch => 0002.patch} | 0 .../3.18/{0.patch => 0001.patch} | 0 .../{3.10/0.patch => ANY/0001.patch} | 0 .../{3.10/0.patch => ANY/0001.patch} | 0 .../{3.18/0.patch => ANY/0001.patch} | 0 .../CVE-2016-8476/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-8476/ANY/1.patch | 50 - .../{ANY/0.patch => 3.10/0001.patch} | 0 .../{ANY/1.patch => 3.18/0002.patch} | 0 .../CVE-2016-8478/ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => 3.18/0001.patch} | 33 +- .../Linux_CVEs/CVE-2016-8479/4.4/0002.patch | 89 + .../{ANY/0.patch => 3.10/0001.patch} | 0 .../{ANY/1.patch => 3.18/0002.patch} | 0 .../Linux_CVEs/CVE-2016-8480/4.4/0003.patch | 55 + .../Linux_CVEs/CVE-2016-8481/4.4/0002.patch | 185 + .../CVE-2016-8481/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8481/ANY/{1.patch => 0003.patch} | 0 Patches/Linux_CVEs/CVE-2016-8483/3.10/1.patch | 48 - .../{3.18/0.patch => ANY/0001.patch} | 0 .../CVE-2016-8650/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-8655/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-9120/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-9120/ANY/1.patch | 89 - .../{ANY/0.patch => 3.11-4.8/0001.patch} | 0 .../CVE-2016-9555/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-9576/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-9604/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-9754/ANY/{0.patch => 0001.patch} | 0 .../CVE-2016-9793/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2016-9794/ANY/0.patch | 44 - .../CVE-2016-9794/ANY/{1.patch => 0001.patch} | 0 .../CVE-2016-9806/ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => 3.0-3.18/0001.patch} | 0 .../{ANY/0.patch => ^3.18/0001.patch} | 0 .../3.10/{1.patch => 0001.patch} | 0 .../3.18/{0.patch => 0002.patch} | 0 .../CVE-2017-0430/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0433/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0433/ANY/{1.patch 
=> 0002.patch} | 0 .../{ANY/0.patch => 3.18/0001.patch} | 0 .../CVE-2017-0435/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0435/ANY/{1.patch => 0002.patch} | 0 .../CVE-2017-0436/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0437/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0438/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-0438/ANY/1.patch | 127 - .../CVE-2017-0439/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0439/ANY/{1.patch => 0002.patch} | 31 +- .../CVE-2017-0440/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-0440/ANY/1.patch | 71 - Patches/Linux_CVEs/CVE-2017-0440/ANY/2.patch | 96 - .../CVE-2017-0441/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2017-0441/ANY/0002.patch | 76 + Patches/Linux_CVEs/CVE-2017-0441/ANY/1.patch | 93 - .../CVE-2017-0442/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-0442/ANY/1.patch | 127 - .../CVE-2017-0443/ANY/{0.patch => 0001.patch} | 2 +- .../1.patch => CVE-2017-0443/ANY/0002.patch} | 85 +- Patches/Linux_CVEs/CVE-2017-0443/ANY/1.patch | 127 - .../CVE-2017-0444/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0445/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0445/ANY/{1.patch => 0002.patch} | 0 .../CVE-2017-0445/ANY/{2.patch => 0003.patch} | 0 .../CVE-2017-0445/ANY/{3.patch => 0004.patch} | 0 .../CVE-2017-0446/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0447/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0449/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0451/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0451/ANY/{1.patch => 0002.patch} | 0 .../CVE-2017-0452/ANY/0.patch.base64 | 1 - .../Linux_CVEs/CVE-2017-0452/ANY/0.patch.dupe | 36 - .../CVE-2017-0452/ANY/{1.patch => 0001.patch} | 0 .../CVE-2017-0453/ANY/{0.patch => 0001.patch} | 2 +- .../Linux_CVEs/CVE-2017-0453/ANY/0002.patch | 40 + .../CVE-2017-0453/ANY/{1.patch => 0003.patch} | 6 +- .../Linux_CVEs/CVE-2017-0454/3.10/0001.patch | 119 + .../{ANY/0.patch => 3.18/0002.patch} | 2 +- .../Linux_CVEs/CVE-2017-0454/4.4/0003.patch | 119 + 
.../Linux_CVEs/CVE-2017-0455/ANY/0001.patch | 30 + .../Linux_CVEs/CVE-2017-0456/ANY/0001.patch | 38 + Patches/Linux_CVEs/CVE-2017-0457/3.10/0.patch | 33 - .../Linux_CVEs/CVE-2017-0457/3.10/0001.patch | 68 + .../3.10/{1.patch => 0002.patch} | 0 .../3.18/{2.patch => 0003.patch} | 0 .../CVE-2017-0458/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-0459/3.10/1.patch | 55 - .../CVE-2017-0459/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2017-0460/3.10/0001.patch | 52 + .../Linux_CVEs/CVE-2017-0460/3.18/0002.patch | 52 + .../{3.10/1.patch => 4.4/0003.patch} | 26 +- Patches/Linux_CVEs/CVE-2017-0460/ANY/0.patch | 16 - .../CVE-2017-0460/ANY/0.patch.base64 | 1 - .../CVE-2017-0461/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-0461/ANY/1.patch | 53 - .../{ANY/0.patch => 3.18/0001.patch} | 0 .../Linux_CVEs/CVE-2017-0462/4.4/0002.patch | 63 + .../{ANY/0.patch => 3.18/0001.patch} | 0 .../Linux_CVEs/CVE-2017-0463/4.4/0002.patch | 35 + .../CVE-2017-0464/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-0464/ANY/1.patch | 2021 --- .../CVE-2017-0465/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-0507/ANY/0.patch | 50 - .../CVE-2017-0507/ANY/0.patch.base64 | 1 - .../CVE-2017-0507/ANY/{1.patch => 0001.patch} | 0 .../CVE-2017-0509/ANY/{0.patch => 0001.patch} | 0 .../3.10/{0.patch => 0002.patch} | 0 .../3.18/{1.patch => 0003.patch} | 0 .../CVE-2017-0510/3.4/{3.patch => 0001.patch} | 0 .../3.4/{3.patch.base64 => 0001.patch.base64} | 0 Patches/Linux_CVEs/CVE-2017-0510/ANY/2.patch | 177 - .../CVE-2017-0510/ANY/2.patch.base64 | 1 - .../CVE-2017-0516/ANY/{0.patch => 0001.patch} | 18 +- .../3.18/{0.patch => 0001.patch} | 0 .../3.18/{1.patch => 0002.patch} | 0 .../3.18/{0.patch => 0001.patch} | 0 .../CVE-2017-0520/ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => 3.18/0001.patch} | 0 .../Linux_CVEs/CVE-2017-0521/4.4/0002.patch | 46 + .../{ANY/0.patch => 3.18/0001.patch} | 0 .../Linux_CVEs/CVE-2017-0523/4.4/0002.patch | 75 + 
.../CVE-2017-0524/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0524/ANY/{1.patch => 0002.patch} | 0 .../CVE-2017-0524/ANY/{2.patch => 0003.patch} | 0 .../Linux_CVEs/CVE-2017-0525/3.10/0001.patch | 323 + .../{ANY/0.patch => 3.18/0002.patch} | 138 +- .../Linux_CVEs/CVE-2017-0525/4.4/0003.patch | 669 + .../{ANY/0.patch => 3.18/0001.patch} | 0 .../Linux_CVEs/CVE-2017-0531/4.4/0002.patch | 275 + .../CVE-2017-0533/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0534/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0535/ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch.base64 => 0001.patch.base64} | 0 .../CVE-2017-0536/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0537/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-0564/3.10/0.patch | 137 - .../CVE-2017-0564/3.10/0.patch.base64 | 1 - Patches/Linux_CVEs/CVE-2017-0564/3.10/1.patch | 138 - .../CVE-2017-0564/3.10/1.patch.base64 | 1 - .../CVE-2017-0564/ANY/{2.patch => 0001.patch} | 0 .../CVE-2017-0568/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0568/ANY/{1.patch => 0002.patch} | 0 .../3.10/{0.patch => 0001.patch} | 0 .../{3.10/0.patch => ANY/0001.patch} | 0 .../{3.10/0.patch => ANY/0001.patch} | 0 .../CVE-2017-0572/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0573/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0574/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0575/ANY/{0.patch => 0001.patch} | 46 +- Patches/Linux_CVEs/CVE-2017-0575/ANY/1.patch | 91 - .../CVE-2017-0576/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2017-0583/3.10/0001.patch | 58 + .../{ANY/0.patch => 3.18/0002.patch} | 0 .../CVE-2017-0584/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-0584/ANY/1.patch | 54 - .../CVE-2017-0586/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0604/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0606/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0607/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2017-0608/4.4/0001.patch | 49 + .../{ANY/0.patch => 4.4/0002.patch} | 0 .../CVE-2017-0609/ANY/{0.patch => 0001.patch} | 
0 .../CVE-2017-0610/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-0610/ANY/1.patch | 59 - .../CVE-2017-0611/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0612/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0613/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0614/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0619/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0620/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0621/ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => 3.18/0001.patch} | 0 .../Linux_CVEs/CVE-2017-0622/4.4/0002.patch | 51 + .../Linux_CVEs/CVE-2017-0624/ANY/0001.patch | 71 + .../CVE-2017-0626/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0627/ANY/{0.patch => 0001.patch} | 0 .../{4.4/0.patch => ANY/0001.patch} | 0 .../CVE-2017-0629/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0631/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0632/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0633/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0648/ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch.base64 => 0001.patch.base64} | 0 .../CVE-2017-0650/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0651/ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch.base64 => 0001.patch.base64} | 0 .../CVE-2017-0705/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0706/ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch.base64 => 0001.patch.base64} | 0 .../CVE-2017-0710/ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch.base64 => 0001.patch.base64} | 0 .../CVE-2017-0740/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0744/ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch.base64 => 0001.patch.base64} | 0 .../CVE-2017-0746/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2017-0747/ANY/0001.patch | 47 + .../CVE-2017-0748/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0749/ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch.base64 => 0001.patch.base64} | 0 .../CVE-2017-0750/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0751/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0786/ANY/{0.patch => 0001.patch} | 0 
.../CVE-2017-0787/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0788/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0789/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0790/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0791/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-0792/ANY/{0.patch => 0001.patch} | 0 .../{3.10/0.patch.disabled => ANY/0001.patch} | 0 .../{3.18/0.patch => ANY/0001.patch} | 0 .../{3.10/0.patch => ANY/0001.patch} | 0 .../3.0/{2.patch => 0001.patch} | 0 .../3.0/{2.patch.base64 => 0001.patch.base64} | 0 .../3.4/{1.patch => 0002.patch} | 0 .../3.4/{1.patch.base64 => 0002.patch.base64} | 0 .../ANY/{0.patch => 0003.patch} | 0 .../3.10/{1.patch => 0005.patch} | 0 .../{1.patch.base64 => 0005.patch.base64} | 0 .../3.10/{2.patch => 0006.patch} | 0 .../{2.patch.base64 => 0006.patch.base64} | 0 .../3.10/{0.patch => 0007.patch} | 0 .../{0.patch.base64 => 0007.patch.base64} | 0 .../3.18/{3.patch => 0008.patch} | 0 .../3.18/{6.patch => 0009.patch} | 0 .../3.18/{7.patch => 0010.patch} | 0 .../3.2/{8.patch => 0001.patch} | 0 .../3.2/{9.patch => 0002.patch} | 0 .../3.4/{4.patch => 0003.patch} | 0 .../3.4/{4.patch.base64 => 0003.patch.base64} | 0 .../3.4/{5.patch => 0004.patch} | 0 .../3.4/{5.patch.base64 => 0004.patch.base64} | 0 .../3.10/{0.patch => 0001.patch} | 0 .../{0.patch.base64 => 0001.patch.base64} | 0 .../3.18/{1.patch => 0002.patch} | 0 .../{ANY/0.patch => ^4.11/0001.patch} | 0 .../{ANY/1.patch => ^4.11/0002.patch} | 0 .../ANY/{0.patch => 0001.patch} | 34 +- .../ANY/{0.patch => 0001.patch} | 35 +- .../ANY/{0.patch => 0001.patch} | 0 .../{3.18/1.patch => ANY/0002.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => 3.10/0001.patch} | 0 .../Linux_CVEs/CVE-2017-10997/4.4/0002.patch | 48 + .../Linux_CVEs/CVE-2017-10998/3.10/0.patch | 45 - .../{3.18/1.patch => ANY/0001.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2017-11002/ANY/0001.patch | 85 + 
.../ANY/{0.patch => 0002.patch} | 0 .../Linux_CVEs/CVE-2017-11012/ANY/0001.patch | 94 + .../Linux_CVEs/CVE-2017-11013/ANY/0001.patch | 87 + .../Linux_CVEs/CVE-2017-11013/ANY/0002.patch | 98 + .../Linux_CVEs/CVE-2017-11014/ANY/0001.patch | 53 + .../Linux_CVEs/CVE-2017-11015/ANY/0001.patch | 53 + .../Linux_CVEs/CVE-2017-11015/ANY/0002.patch | 33 + .../Linux_CVEs/CVE-2017-11018/ANY/0001.patch | 531 + .../Linux_CVEs/CVE-2017-11022/ANY/0001.patch | 1217 ++ .../Linux_CVEs/CVE-2017-11022/ANY/0002.patch | 1297 ++ .../Linux_CVEs/CVE-2017-11023/ANY/0001.patch | 172 + .../Linux_CVEs/CVE-2017-11024/ANY/0001.patch | 115 + .../Linux_CVEs/CVE-2017-11025/ANY/0001.patch | 248 + .../Linux_CVEs/CVE-2017-11028/ANY/0001.patch | 57 + .../Linux_CVEs/CVE-2017-11028/ANY/0002.patch | 36 + .../Linux_CVEs/CVE-2017-11029/ANY/0001.patch | 147 + .../Linux_CVEs/CVE-2017-11029/ANY/0002.patch | 43 + .../Linux_CVEs/CVE-2017-11032/ANY/0001.patch | 33 + .../Linux_CVEs/CVE-2017-11035/ANY/0001.patch | 62 + .../Linux_CVEs/CVE-2017-11035/ANY/0002.patch | 72 + .../ANY/{0.patch => 0001.patch} | 0 .../{3.10/0.patch => ANY/0001.patch} | 0 .../{3.10/0.patch => ANY/0001.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-11050/ANY/1.patch | 45 - .../ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-11051/ANY/1.patch | 30 - .../ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-11052/ANY/1.patch | 41 - .../ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-11053/ANY/1.patch | 41 - .../ANY/{0.patch => 0001.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-11055/ANY/1.patch | 30 - .../{3.10/0.patch => ANY/0001.patch} | 0 .../{3.10/0.patch => ANY/0001.patch} | 0 .../1.patch => CVE-2017-11058/ANY/0001.patch} | 37 +- .../{3.10/0.patch => ANY/0001.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-11060/ANY/1.patch | 97 - Patches/Linux_CVEs/CVE-2017-11060/ANY/2.patch | 36 - .../ANY/{0.patch => 0001.patch} | 0 
Patches/Linux_CVEs/CVE-2017-11061/ANY/1.patch | 109 - .../ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-11062/ANY/1.patch | 68 - .../ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-11064/ANY/1.patch | 62 - Patches/Linux_CVEs/CVE-2017-11067/ANY/0.patch | 147 - .../ANY/{1.patch => 0001.patch} | 0 .../{3.10/0.patch => ANY/0001.patch} | 0 .../ANY/{0.patch => 0001.patch} | 0 .../{3.16/0.patch => 3.2-3.16/0001.patch} | 0 .../ANY/{0.patch => 0001.patch} | 264 +- .../CVE-2017-13080-Extra/ANY/0002.patch | 214 + .../CVE-2017-13080-Extra/ANY/0003.patch | 35 + .../ANY/{1.patch => 0004.patch} | 0 .../ANY/{0.patch => 0001.patch} | 30 +- .../{ANY/0.patch => ^4.14/0001.patch} | 0 .../3.10/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => ^4.10/0001.patch} | 0 .../{ANY/0.patch => ^4.10/0001.patch} | 0 .../{ANY/0.patch => 4.7-4.9/0001.patch} | 0 .../{ANY/0.patch => 4.9/0001.patch} | 0 .../{ANY/0.patch => 4.9/0001.patch} | 0 .../{ANY/0.patch => 3.14-4.9/0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-5669/ANY/0.patch | 70 - .../{ANY/1.patch.dupe => ^4.9/0001.patch} | 0 .../CVE-2017-5897/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2017-5967/3.10/0001.patch | 908 ++ .../CVE-2017-5967/3.10/0001.patch.base64 | 1 + .../Linux_CVEs/CVE-2017-5967/3.18/0002.patch | 20 + .../CVE-2017-5967/3.18/0002.patch.base64 | 1 + .../Linux_CVEs/CVE-2017-5967/^4.9/0003.patch | 939 ++ .../CVE-2017-5970/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-5972/ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => ^4.9/0001.patch} | 0 .../{3.4/0.patch => ANY/0001.patch} | 24 +- .../CVE-2017-6001/ANY/0001.patch.base64 | 1 + Patches/Linux_CVEs/CVE-2017-6074/ANY/0.patch | 44 - .../ANY/{1.patch.dupe => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-6214/ANY/0.patch | 42 - .../CVE-2017-6214/ANY/{1.patch => 0001.patch} | 0 .../{ANY/0.patch => ^4.9/0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-6346/3.18/1.patch | 53 - .../CVE-2017-6346/3.18/1.patch.base64 | 1 - .../CVE-2017-6346/ANY/{0.patch => 
0001.patch} | 0 .../{ANY/0.patch => ^4.10/0001.patch} | 0 .../{ANY/0.patch => ^4.9/0001.patch} | 0 .../{ANY/0.patch => ^4.10/0001.patch} | 0 .../CVE-2017-6421/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-6423/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-6424/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2017-6424/ANY/0002.patch | 41 + Patches/Linux_CVEs/CVE-2017-6424/ANY/1.patch | 50 - .../CVE-2017-6425/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-6426/ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => ^4.10/0001.patch} | 0 .../{ANY/0.patch => ^3.14/0001.patch} | 0 .../CVE-2017-7184/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-7184/ANY/{1.patch => 0002.patch} | 0 Patches/Linux_CVEs/CVE-2017-7187/ANY/0.patch | 54 - .../Linux_CVEs/CVE-2017-7187/ANY/0001.patch | 33 + .../{ANY/0.patch => ^4.10/0001.patch} | 0 .../{ANY/1.patch => ^4.10/0002.patch} | 0 Patches/Linux_CVEs/CVE-2017-7308/3.18/0.patch | 15 - .../CVE-2017-7308/3.18/0.patch.base64 | 1 - Patches/Linux_CVEs/CVE-2017-7308/3.18/1.patch | 13 - .../CVE-2017-7308/3.18/1.patch.base64 | 1 - Patches/Linux_CVEs/CVE-2017-7308/3.18/2.patch | 13 - .../CVE-2017-7308/3.18/2.patch.base64 | 1 - .../Linux_CVEs/CVE-2017-7308/ANY/0001.patch | 39 + .../Linux_CVEs/CVE-2017-7308/ANY/0002.patch | 36 + .../Linux_CVEs/CVE-2017-7308/ANY/0003.patch | 32 + .../CVE-2017-7364/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-7366/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-7366/ANY/{1.patch => 0002.patch} | 0 .../CVE-2017-7368/ANY/{0.patch => 0001.patch} | 0 .../3.10/{0.patch => 0001.patch} | 0 .../3.18/{1.patch => 0002.patch} | 0 .../Linux_CVEs/CVE-2017-7369/4.4/0003.patch | 50 + .../CVE-2017-7370/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-7371/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2017-7371/ANY/1.patch.dupe | 45 - .../CVE-2017-7372/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-7373/3.10/1.patch | 33 - .../CVE-2017-7373/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-7374/ANY/{0.patch => 0001.patch} | 0 
.../CVE-2017-7472/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-7487/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-7495/3.18/1.patch | 87 - .../CVE-2017-7495/3.18/1.patch.base64 | 1 - Patches/Linux_CVEs/CVE-2017-7495/3.18/2.patch | 77 - .../CVE-2017-7495/3.18/2.patch.base64 | 1 - .../CVE-2017-7495/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2017-7541/ANY/0001.patch | 45 + .../CVE-2017-7616/ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => ^4.10/0002.patch} | 0 .../{ANY/0.patch => ^4.10/0001.patch} | 0 .../{ANY/0.patch => ^4.11/0001.patch} | 0 .../{ANY/0.patch => 3.18/0001.patch} | 0 .../Linux_CVEs/CVE-2017-8233/4.4/0002.patch | 60 + .../CVE-2017-8234/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-8235/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2017-8236/3.10/0001.patch | 81 + .../{ANY/0.patch => 3.18/0002.patch} | 0 .../CVE-2017-8237/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-8239/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-8240/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-8241/ANY/{0.patch => 0001.patch} | 0 .../{ANY/0.patch => 3.18/0001.patch} | 0 .../Linux_CVEs/CVE-2017-8242/4.4/0002.patch | 34 + .../Linux_CVEs/CVE-2017-8243/4.4/0001.patch | 39 + .../3.10/{0.patch => 0001.patch} | 0 .../3.18/{1.patch => 0002.patch} | 0 .../CVE-2017-8244/4.4/{2.patch => 0003.patch} | 0 .../3.10/{0.patch => 0001.patch} | 0 .../3.18/{1.patch => 0002.patch} | 0 .../CVE-2017-8245/4.4/{2.patch => 0003.patch} | 0 .../3.10/{0.patch => 0001.patch} | 0 .../3.18/{1.patch => 0002.patch} | 0 .../CVE-2017-8246/4.4/{2.patch => 0003.patch} | 0 .../CVE-2017-8247/ANY/{0.patch => 0001.patch} | 0 .../{3.18/0.patch => ANY/0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-8251/3.10/0.patch | 64 - .../Linux_CVEs/CVE-2017-8251/ANY/0001.patch | 52 + .../CVE-2017-8253/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-8254/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-8256/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-8257/ANY/{0.patch => 0001.patch} | 0 
.../Linux_CVEs/CVE-2017-8258/ANY/0001.patch | 38 + .../CVE-2017-8259/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-8260/3.10/0.patch | 82 - .../Linux_CVEs/CVE-2017-8260/3.18/0001.patch | 32 + .../Linux_CVEs/CVE-2017-8260/4.4/0002.patch | 32 + Patches/Linux_CVEs/CVE-2017-8261/ANY/0.patch | 33 - .../0.patch => CVE-2017-8261/ANY/0001.patch} | 65 +- Patches/Linux_CVEs/CVE-2017-8262/3.10/1.patch | 53 - .../CVE-2017-8262/3.10/1.patch.base64 | 1 - .../Linux_CVEs/CVE-2017-8262/3.18/0001.patch | 83 + .../{ANY/0.patch => 4.4/0002.patch} | 0 .../CVE-2017-8263/ANY/0.patch.base64 | 1 - .../CVE-2017-8263/ANY/{0.patch => 0001.patch} | 65 +- .../3.10/{0.patch => 0001.patch} | 0 .../3.18/{1.patch => 0002.patch} | 0 .../CVE-2017-8265/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-8266/3.10/1.patch | 182 - .../3.18/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2017-8266/4.4/0002.patch | 52 + .../CVE-2017-8267/ANY/0.patch.base64 | 1 - .../Linux_CVEs/CVE-2017-8267/ANY/0001.patch | 99 + .../{ANY/0.patch => 3.10/0001.patch} | 0 .../Linux_CVEs/CVE-2017-8268/4.4/0002.patch | 79 + .../CVE-2017-8269/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2017-8270/ANY/0001.patch | 204 + .../Linux_CVEs/CVE-2017-8272/4.4/0001.patch | 60 + .../CVE-2017-8277/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2017-8279/ANY/0001.patch | 388 + .../CVE-2017-8280/ANY/{0.patch => 0001.patch} | 0 .../Linux_CVEs/CVE-2017-8281/3.18/0001.patch | 40 + .../{ANY/1.patch => 4.4/0002.patch} | 10 +- .../CVE-2017-8890/3.4/0.patch.base64 | 1 - .../{3.4/0.patch => ANY/0001.patch} | 24 +- .../CVE-2017-9074/3.2/{1.patch => 0001.patch} | 0 .../CVE-2017-9074/3.2/{2.patch => 0002.patch} | 0 .../{ANY/0.patch => ^4.11/0003.patch} | 0 .../CVE-2017-9075/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-9076/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-9077/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-9150/ANY/{0.patch => 0001.patch} | 7 +- .../{ANY/0.patch => ^4.11/0001.patch} | 0 
Patches/Linux_CVEs/CVE-2017-9676/3.0/1.patch | 272 - .../CVE-2017-9676/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-9677/3.10/0.patch | 1858 --- .../{3.18/1.patch => ANY/0001.patch} | 0 .../{ANY/0.patch => 3.18/0001.patch} | 0 .../Linux_CVEs/CVE-2017-9678/4.4/0002.patch | 42 + .../CVE-2017-9679/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-9680/ANY/{0.patch => 0001.patch} | 12 +- .../{ANY/0.patch => 3.18/0001.patch} | 0 .../Linux_CVEs/CVE-2017-9682/4.4/0002.patch | 33 + .../CVE-2017-9684/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-9684/ANY/{1.patch => 0002.patch} | 0 .../CVE-2017-9684/ANY/{2.patch => 0003.patch} | 0 .../{3.18/0.patch => ANY/0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-9687/3.18/0.patch | 58 - .../Linux_CVEs/CVE-2017-9687/ANY/0001.patch | 60 + .../CVE-2017-9691/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-9691/ANY/{1.patch => 0002.patch} | 0 .../CVE-2017-9692/ANY/{0.patch => 0001.patch} | 0 .../CVE-2017-9693/ANY/{0.patch => 0001.patch} | 31 +- Patches/Linux_CVEs/CVE-2017-9694/ANY/0.patch | 35 - .../Linux_CVEs/CVE-2017-9694/ANY/0001.patch | 33 + .../{3.18/0.patch => ANY/0001.patch} | 26 +- .../{3.10/0.patch => ANY/0001.patch} | 0 .../CVE-2017-9714/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-9714/ANY/1.patch | 62 - .../CVE-2017-9715/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-9715/ANY/1.patch | 49 - .../CVE-2017-9717/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-9717/ANY/1.patch | 31 - .../Linux_CVEs/CVE-2017-9719/ANY/0001.patch | 47 + .../Linux_CVEs/CVE-2017-9719/ANY/0002.patch | 47 + .../CVE-2017-9720/ANY/{0.patch => 0001.patch} | 16 +- .../Linux_CVEs/CVE-2017-9720/ANY/0002.patch | 30 + .../CVE-2017-9724/ANY/{0.patch => 0001.patch} | 0 Patches/Linux_CVEs/CVE-2017-9725/ANY/0.patch | 79 - .../Linux_CVEs/CVE-2017-9725/ANY/0001.patch | 105 + Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt | 4 +- .../LVT-2017-0001/3.0/{0.patch => 0001.patch} | 0 .../3.0/{0.patch.base64 => 0001.patch.base64} | 0 
.../3.10/{2.patch => 0003.patch} | 0 .../{2.patch.base64 => 0003.patch.base64} | 0 .../3.18/{3.patch => 0004.patch} | 0 .../{3.patch.base64 => 0004.patch.base64} | 0 .../LVT-2017-0001/3.4/{1.patch => 0002.patch} | 0 .../3.4/{1.patch.base64 => 0002.patch.base64} | 0 .../3.10/{1.patch => 0002.patch} | 0 .../{1.patch.base64 => 0002.patch.base64} | 0 .../3.18/{2.patch => 0003.patch} | 0 .../{2.patch.base64 => 0003.patch.base64} | 0 .../LVT-2017-0002/3.4/{0.patch => 0001.patch} | 0 .../3.4/{0.patch.base64 => 0001.patch.base64} | 0 .../3.10/{0.patch => 0001.patch} | 0 .../{0.patch.base64 => 0001.patch.base64} | 0 .../3.10/{1.patch => 0002.patch} | 0 .../{1.patch.base64 => 0002.patch.base64} | 0 .../3.18/{2.patch => 0003.patch} | 0 .../{2.patch.base64 => 0003.patch.base64} | 0 .../LVT-2017-0004/3.4/{0.patch => 0001.patch} | 0 .../3.4/{0.patch.base64 => 0001.patch.base64} | 0 1215 files changed, 60697 insertions(+), 14533 deletions(-) create mode 100644 Patches/Linux_CVEs/CVE-2012-4220/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2012-4221/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2012-4222/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2012-6657/{ANY/0.patch => ^3.5/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2012-6689/{ANY/0.patch => ^3.5/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2012-6701/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2012-6703/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2012-6703/ANY/{2.patch => 0002.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2012-6703/ANY/1.patch rename Patches/Linux_CVEs/CVE-2012-6704/{ANY/0.patch => ^3.5/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2013-2015/{3.4/0.patch => ^3.8/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2013-2596/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2013-2596/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2013-2596/ANY/0003.patch create mode 100644 
Patches/Linux_CVEs/CVE-2013-2597/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2013-2597/ANY/0002.patch rename Patches/Linux_CVEs/CVE-2013-4312/3.2/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2013-4312/3.2/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2013-4312/4.5/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2013-4312/4.5/{3.patch => 0004.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2013-4736/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2013-4736/ANY/0003.patch create mode 100644 Patches/Linux_CVEs/CVE-2013-4737/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2013-4738/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2013-4738/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2013-4739/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2013-4740/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2013-6122/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2013-6123/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2013-6123/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2013-6282/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2013-7446/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2014-0196/3.2/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-0196/3.4/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-0196/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-0206/{3.12/0.patch => ANY/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2014-0972/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-0972/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-0975/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-0976/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2014-1739/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-2523/3.2/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-2523/{ANY/0.patch => 
^3.13/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-2706/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-2851/3.2/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2014-3145/3.2/2.patch rename Patches/Linux_CVEs/CVE-2014-3145/{3.10/1.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-3145/ANY/{0.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-4014/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2014-4321/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-4322/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-4322/ANY/0002.patch rename Patches/Linux_CVEs/CVE-2014-4323/{3.10/0.patch => ANY/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2014-4324/ANY/0001.patch delete mode 100644 Patches/Linux_CVEs/CVE-2014-4655/3.2/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2014-4655/3.2/2.patch rename Patches/Linux_CVEs/CVE-2014-4655/ANY/{0.patch => 0001.patch} (97%) delete mode 100644 Patches/Linux_CVEs/CVE-2014-4656/3.2/1.patch rename Patches/Linux_CVEs/CVE-2014-4656/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-4943/3.2/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-4943/{ANY/0.patch => ^3.15/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-5206/^3.16/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-7822/{3.2-^3.16/0.patch => 3.2-3.16/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-7825/3.2/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-7825/3.2/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-7825/{ANY/2.patch => ^3.17/0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-7970/3.0/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-7970/3.4/{2.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-7970/{ANY/0.patch => ^3.17/0003.patch} (100%) rename 
Patches/Linux_CVEs/CVE-2014-8160/{3.2-^3.18/1.patch => 3.2/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-8160/^3.18/{0.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-8173/{ANY/0.patch => 3.9-3.12/0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2014-8709/3.2/1.patch rename Patches/Linux_CVEs/CVE-2014-8709/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0001.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0002.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0003.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0003.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0004.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0004.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0005.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0005.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0006.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0006.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0007.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0007.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0008.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0008.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0009.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0009.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0010.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0010.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0011.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-9322/ANY/0011.patch.base64 delete mode 100644 Patches/Linux_CVEs/CVE-2014-9420/3.2-^3.18/1.patch 
rename Patches/Linux_CVEs/CVE-2014-9420/{^3.18/0.patch => ANY/0001.patch} (93%) delete mode 100644 Patches/Linux_CVEs/CVE-2014-9529/3.2/1.patch rename Patches/Linux_CVEs/CVE-2014-9529/ANY/{0.patch => 0001.patch} (93%) rename Patches/Linux_CVEs/CVE-2014-9683/{3.2-^3.18/1.patch => 3.2/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9683/^3.18/{0.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9715/3.2/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9715/{ANY/0.patch => ^3.14/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9731/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2014-9777/ANY/0001.patch delete mode 100644 Patches/Linux_CVEs/CVE-2014-9778/ANY/0.patch rename Patches/Linux_CVEs/{CVE-2014-9777/ANY/0.patch => CVE-2014-9778/ANY/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2014-9779/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2014-9780/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9781/ANY/{0.patch => 0001.patch} (97%) rename Patches/Linux_CVEs/CVE-2014-9782/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9783/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2014-9783/ANY/0002.patch rename Patches/Linux_CVEs/CVE-2014-9784/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9785/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9786/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9787/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9788/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9789/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9790/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2014-9790/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2014-9791/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2014-9792/ANY/{0.patch => 0001.patch} 
(100%) rename Patches/Linux_CVEs/CVE-2014-9803/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9863/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9864/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9865/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9866/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9867/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9868/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9869/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9869/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9870/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9871/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9872/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9873/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9874/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2014-9874/ANY/1.patch rename Patches/Linux_CVEs/CVE-2014-9875/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2014-9876/3.4/1.patch rename Patches/Linux_CVEs/CVE-2014-9876/{3.0/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9877/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9878/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9879/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9880/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9881/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9882/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9882/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9883/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9884/ANY/{0.patch => 
0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9885/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9886/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9887/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2014-9888/ANY/0.patch rename Patches/Linux_CVEs/CVE-2014-9888/ANY/{1.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2014-9889/3.10/0.patch rename Patches/Linux_CVEs/CVE-2014-9889/{3.4/1.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9890/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9891/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9892/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9893/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9894/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9895/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2014-9895/ANY/1.patch rename Patches/Linux_CVEs/CVE-2014-9896/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9897/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9898/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9899/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9900/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9901/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9902/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2014-9902/ANY/0002.patch rename Patches/Linux_CVEs/CVE-2014-9903/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9904/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9914/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2014-9922/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2014-9922/ANY/1.patch 
delete mode 100644 Patches/Linux_CVEs/CVE-2014-9922/ANY/1.patch.base64 rename Patches/Linux_CVEs/CVE-2014-9940/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2015-0569/3.10/2.patch rename Patches/Linux_CVEs/CVE-2015-0569/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-0569/ANY/{1.patch => 0002.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2015-0570/3.10/2.patch rename Patches/Linux_CVEs/CVE-2015-0570/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-0570/ANY/{1.patch => 0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2015-0571/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-0571/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-0571/ANY/0003.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-0571/ANY/0004.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-0571/ANY/0005.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-0571/ANY/0006.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-0571/ANY/0007.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-0571/ANY/0008.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-0571/ANY/0009.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-0571/ANY/0010.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-0571/ANY/0011.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-0571/ANY/0012.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-0571/ANY/0013.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-0572/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-0573/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2015-1420/{3.2/0.patch => 3.2-3.19/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-1465/ANY/{0.patch => 0001.patch} (94%) rename Patches/Linux_CVEs/CVE-2015-1534/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-1534/ANY/{0.patch.base64 => 0001.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2015-1593/ANY/{0.patch => 0001.patch} (89%) create mode 100644 
Patches/Linux_CVEs/CVE-2015-1805/3.10/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-1805/3.10/0002.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2015-1805/3.14/0003.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-1805/3.14/0003.patch.base64 rename Patches/Linux_CVEs/CVE-2015-1805/{3.4-^3.16/0.patch => 3.16/0004.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2015-1805/3.4/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-1805/3.4/0001.patch.base64 rename Patches/Linux_CVEs/CVE-2015-2041/3.2/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-2041/{ANY/0.patch => ^3.19/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-2686/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-2922/ANY/{0.patch.disabled => 0001.patch} (94%) delete mode 100644 Patches/Linux_CVEs/CVE-2015-3288/3.2/1.patch rename Patches/Linux_CVEs/CVE-2015-3288/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-3339/3.2/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-3339/{ANY/0.patch => ^3.19/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-3636/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-4170/{ANY/0.patch => 3.10^/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-4177/{ANY/0.patch => 4.0/0001.patch} (100%) rename Patches/Linux_CVEs/{CVE-2015-5366/ANY/0.patch => CVE-2015-5364/ANY/0001.patch} (83%) rename Patches/Linux_CVEs/{CVE-2017-5967/3.10/1.patch => CVE-2015-5366/3.10/0001.patch} (100%) rename Patches/Linux_CVEs/{CVE-2017-5967/3.10/1.patch.base64 => CVE-2015-5366/3.10/0001.patch.base64} (100%) rename Patches/Linux_CVEs/{CVE-2017-5967/3.18/2.patch => CVE-2015-5366/3.18/0002.patch} (100%) rename Patches/Linux_CVEs/{CVE-2017-5967/3.18/2.patch.base64 => CVE-2015-5366/3.18/0002.patch.base64} (100%) rename Patches/Linux_CVEs/{CVE-2017-5967/ANY/0.patch => CVE-2015-5366/^4.9/0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-5697/{ANY/0.patch => 
^4.1/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-5706/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-5707/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-5707/ANY/{1.patch => 0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2015-6619/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-6619/ANY/0001.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2015-6640/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2015-6640/ANY/0001.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2015-6642/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2015-7509/{ANY/0.patch => ^3.7/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-7515/{3.2-^4.4/1.patch => 3.2/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-7515/^4.4/{0.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-7550/{ANY/0.patch => ^4.3/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2015-7872/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2015-8019/3.10/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8019/3.18/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8019/{ANY/2.patch => 4.3/0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8539/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8543/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8575/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8785/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8830/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8830/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8839/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8839/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8937/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8938/ANY/{0.patch => 0001.patch} (100%) rename 
Patches/Linux_CVEs/CVE-2015-8939/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8940/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8941/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8942/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8943/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8944/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2015-8950/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2015-8951/{ANY/0.patch => 3.10/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2015-8951/3.18/0002.patch rename Patches/Linux_CVEs/CVE-2015-8955/ANY/{0.patch => 0001.patch} (53%) rename Patches/Linux_CVEs/CVE-2015-8961/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8962/ANY/{0.patch => 0001.patch} (95%) rename Patches/Linux_CVEs/CVE-2015-8963/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2015-8964/3.10/1.patch rename Patches/Linux_CVEs/CVE-2015-8964/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8966/{ANY/0.patch => 3.15+/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-8967/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2015-9004/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-0723/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-0728/3.10/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-0728/3.10/0001.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2016-0728/3.14/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-0728/3.14/0002.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2016-0728/3.18/0003.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-0728/3.18/0003.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2016-0728/4.1/0004.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-0728/4.1/0004.patch.base64 delete mode 100644 
Patches/Linux_CVEs/CVE-2016-0728/ANY/0.patch rename Patches/Linux_CVEs/CVE-2016-0758/ANY/{0.patch => 0001.patch} (84%) rename Patches/Linux_CVEs/CVE-2016-0774/ANY/{0.patch.disabled => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-0774/ANY/1.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-0801/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-0801/ANY/0001.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2016-0802/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-0802/ANY/0001.patch.base64 rename Patches/Linux_CVEs/CVE-2016-0805/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-0806/{3.4/1.patch => ANY/0001.patch} (99%) rename Patches/Linux_CVEs/CVE-2016-0806/{3.10/0.patch => ANY/0002.patch} (99%) rename Patches/Linux_CVEs/CVE-2016-0819/ANY/{0.patch.disabled => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-0821/ANY/{0.patch => 0001.patch} (94%) rename Patches/Linux_CVEs/CVE-2016-0823/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-0843/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-0844/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-10044/ANY/{2.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10044/ANY/{0.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10044/ANY/{0.patch.base64 => 0002.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2016-10044/ANY/{1.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10044/ANY/{1.patch.base64 => 0003.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2016-10088/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10153/{ANY/0.patch => 4.9/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10154/{ANY/0.patch => 4.9/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10200/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10208/{3.16/2.patch => 3.10-3.16/0001.patch} (100%) delete mode 100644 
Patches/Linux_CVEs/CVE-2016-10208/ANY/0.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-10208/ANY/0.patch.base64 delete mode 100644 Patches/Linux_CVEs/CVE-2016-10208/ANY/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-10208/ANY/3.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-10208/ANY/4.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-10208/ANY/5.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-10208/ANY/5.patch.base64 rename Patches/Linux_CVEs/CVE-2016-10229/{^4.5/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10230/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10231/{3.18/0.patch => ANY/0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-10231/ANY/1.patch rename Patches/Linux_CVEs/CVE-2016-10232/3.10/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10232/3.18/{0.patch => 0002.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-10233/3.10/1.patch rename Patches/Linux_CVEs/CVE-2016-10233/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10234/{ANY/1.patch => 3.10/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10234/{ANY/0.patch => 3.18/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10235/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-10235/ANY/1.patch rename Patches/Linux_CVEs/CVE-2016-10236/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10283/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-10283/ANY/0002.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-10283/ANY/1.patch rename Patches/Linux_CVEs/CVE-2016-10285/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10286/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10287/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10288/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10289/{ANY/0.patch => 
3.18/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-10289/4.4/0002.patch rename Patches/Linux_CVEs/CVE-2016-10290/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-10291/3.10/0001.patch rename Patches/Linux_CVEs/CVE-2016-10291/{ANY/0.patch => 3.18/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10293/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-10293/ANY/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-10293/ANY/1.patch.base64 rename Patches/Linux_CVEs/CVE-2016-10294/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10295/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-10296/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-10296/ANY/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-10296/ANY/1.patch.base64 delete mode 100644 Patches/Linux_CVEs/CVE-2016-1583/ANY/0.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-1583/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-1583/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-1583/ANY/0003.patch rename Patches/Linux_CVEs/CVE-2016-2053/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-2059/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-2060/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-2061/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-2062/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-2063/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-2064/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2065/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2066/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2067/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-2068/ANY/{0.patch => 0001.patch} (73%) create mode 100644 
Patches/Linux_CVEs/CVE-2016-2184/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-2185/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-2185/ANY/1.patch.dupe rename Patches/Linux_CVEs/CVE-2016-2186/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-2186/ANY/1.patch.dupe rename Patches/Linux_CVEs/CVE-2016-2187/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-2187/ANY/1.patch.dupe rename Patches/Linux_CVEs/CVE-2016-2188/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-2188/ANY/{2.patch => 0002.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-2188/ANY/1.patch rename Patches/Linux_CVEs/CVE-2016-2384/{ANY/0.patch => ^4.5/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-2411/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2438/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2441/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2442/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-2443/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-2443/ANY/{0.patch.base64 => 0001.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2016-2465/{ANY/0.patch => 3.10/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-2465/3.18/0002.patch rename Patches/Linux_CVEs/CVE-2016-2466/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-2466/ANY/{0.patch.base64 => 0001.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2016-2467/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-2468/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-2468/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-2468/ANY/{1.patch.base64 => 0002.patch.base64} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-2469/3.10/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2469/3.18/0002.patch delete mode 100644 
Patches/Linux_CVEs/CVE-2016-2469/ANY/0.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-2469/ANY/0.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2016-2470/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2470/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2471/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2472/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2473/ANY/0001.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-2474/ANY/0.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-2474/ANY/0.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2016-2474/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2474/ANY/0002.patch rename Patches/Linux_CVEs/CVE-2016-2475/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-2475/ANY/{0.patch.base64 => 0001.patch.base64} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-2477/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2477/ANY/0001.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2016-2478/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2478/ANY/0001.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2016-2480/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2480/ANY/0001.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2016-2482/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2482/ANY/0001.patch.base64 rename Patches/Linux_CVEs/CVE-2016-2488/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-2498/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2501/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2502/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-2503/{ANY/0.patch => 3.10/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-2503/3.18/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-2504/3.18/0002.patch create mode 100644 
Patches/Linux_CVEs/CVE-2016-2504/3.4-3.10/0001.patch rename Patches/Linux_CVEs/CVE-2016-2504/ANY/{0.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-2544/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-2545/{ANY/0.patch => ^4.4/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-2546/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-2547/{ANY/0.patch => ^4.4/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-2549/{ANY/0.patch => ^4.4/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-2847/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3070/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-3134/3.10/0.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-3134/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-3135/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3136/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-3136/ANY/1.patch.dupe rename Patches/Linux_CVEs/CVE-2016-3137/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-3137/ANY/1.patch.dupe rename Patches/Linux_CVEs/CVE-2016-3138/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-3138/ANY/1.patch.dupe rename Patches/Linux_CVEs/CVE-2016-3140/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-3140/ANY/1.patch.dupe rename Patches/Linux_CVEs/CVE-2016-3156/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3672/ANY/{0.patch => 0001.patch} (72%) rename Patches/Linux_CVEs/CVE-2016-3689/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-3689/ANY/1.patch.dupe create mode 100644 Patches/Linux_CVEs/CVE-2016-3746/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-3747/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-3768/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-3768/ANY/{0.patch 
=> 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3775/3.10/{0.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3775/3.18/{1.patch => 0004.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3775/3.4/{3.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3775/3.4/{2.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3775/3.4/{2.patch.base64 => 0002.patch.base64} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-3792/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-3797/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-3809/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3809/ANY/{0.patch.base64 => 0001.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2016-3813/{ANY/0.patch => 3.10/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-3813/3.18/0002.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-3841/3.10/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-3841/3.4/0.patch rename Patches/Linux_CVEs/CVE-2016-3841/{3.18/2.patch => ANY/0001.patch} (75%) rename Patches/Linux_CVEs/CVE-2016-3842/3.10/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3842/3.18/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3842/3.4/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3843/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3843/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3843/ANY/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3843/ANY/{3.patch => 0004.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-3850/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-3854/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3855/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3857/{3.10/0.patch => ANY/0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-3857/ANY/1.patch delete mode 100644 
Patches/Linux_CVEs/CVE-2016-3857/ANY/2.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-3857/ANY/2.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2016-3858/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-3859/{ANY/0.patch => 3.10/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-3859/3.18/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-3860/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-3865/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3865/ANY/{1.patch => 0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-3866/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-3867/3.10/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3867/3.18/{1.patch => 0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-3868/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-3874/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-3874/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-3892/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-3893/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-3894/ANY/0.patch rename Patches/Linux_CVEs/CVE-2016-3894/ANY/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/{CVE-2016-3935/ANY/0.patch => CVE-2016-3901/ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3902/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3903/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3904/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-3905/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-3906/ANY/{0.patch => 0001.patch} (85%) rename Patches/Linux_CVEs/CVE-2016-3907/{ANY/0.patch => 3.10/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-3907/3.10/0002.patch rename Patches/Linux_CVEs/CVE-2016-3931/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-3934/ANY/{0.patch => 0001.patch} 
(100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-3935/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-3938/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-3939/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-3951/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-3951/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-4470/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-4482/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-4486/{^4.5/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-4569/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-4578/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-4578/ANY/{0.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-4794/{ANY/0.patch => 3.18+/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-4794/{ANY/1.patch => 3.18+/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-4805/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-4805/ANY/1.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-4998/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-4998/ANY/{0.patch => 0002.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-5195/3.4/0.patch rename Patches/Linux_CVEs/CVE-2016-5195/{3.10/1.patch => ANY/0001.patch} (82%) rename Patches/Linux_CVEs/CVE-2016-5195/{3.18/2.patch => ANY/0002.patch} (81%) rename Patches/Linux_CVEs/CVE-2016-5340/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-5342/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-5343/ANY/{0.patch => 0001.patch} (91%) create mode 100644 Patches/Linux_CVEs/CVE-2016-5344/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-5345/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-5346/{ANY/0.patch => 3.18/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-5346/4.4/0002.patch rename 
Patches/Linux_CVEs/CVE-2016-5347/{ANY/0.patch => 3.18/0001.patch} (83%) create mode 100644 Patches/Linux_CVEs/CVE-2016-5347/4.4/0002.patch rename Patches/Linux_CVEs/CVE-2016-5349/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-5349/ANY/{3.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-5349/ANY/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-5349/ANY/{1.patch => 0004.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-5696/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-5829/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-5853/3.10/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-5853/3.18/0002.patch rename Patches/Linux_CVEs/CVE-2016-5853/{ANY/0.patch => 4.4/0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-5854/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-5855/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-5856/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-5857/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-5858/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-5858/ANY/{1.patch => 0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-5858/ANY/0003.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-5859/3.10/0001.patch rename Patches/Linux_CVEs/CVE-2016-5859/{ANY/0.patch => 3.18/0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-5860/3.10/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-5860/3.18/0002.patch rename Patches/Linux_CVEs/CVE-2016-5860/{ANY/0.patch => 4.4/0003.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-5861/3.10/2.patch rename Patches/Linux_CVEs/CVE-2016-5861/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-5861/ANY/1.patch rename Patches/Linux_CVEs/CVE-2016-5862/ANY/{0.patch => 0001.patch} (100%) rename 
Patches/Linux_CVEs/CVE-2016-5863/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-5864/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-5867/3.10/0001.patch rename Patches/Linux_CVEs/CVE-2016-5867/{ANY/0.patch => 3.18/0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-5867/4.4/0003.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-5868/3.10/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-5868/3.18/0002.patch rename Patches/Linux_CVEs/CVE-2016-5868/{ANY/0.patch => 4.4/0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-5870/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6136/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6672/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-6675/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-6676/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-6679/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6679/ANY/{1.patch => 0002.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-6679/ANY/2.patch rename Patches/Linux_CVEs/CVE-2016-6680/ANY/{1.patch => 0001.patch} (78%) rename Patches/Linux_CVEs/CVE-2016-6680/ANY/{0.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/{CVE-2016-6682/ANY/0.patch => CVE-2016-6681/ANY/0001.patch} (70%) rename Patches/Linux_CVEs/{CVE-2016-6681/ANY/0.patch => CVE-2016-6682/ANY/0001.patch} (70%) rename Patches/Linux_CVEs/CVE-2016-6683/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6683/ANY/{0.patch.base64 => 0001.patch.base64} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-6692/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-6693/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-6694/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-6695/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-6696/ANY/0001.patch rename 
Patches/Linux_CVEs/CVE-2016-6698/{ANY/0.patch => 3.10/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-6698/3.18/0002.patch rename Patches/Linux_CVEs/CVE-2016-6725/{ANY/0.patch => 3.10/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-6725/3.18/0002.patch rename Patches/Linux_CVEs/CVE-2016-6728/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6728/ANY/{1.patch => 0002.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-6728/ANY/2.patch rename Patches/Linux_CVEs/CVE-2016-6738/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6739/3.10/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6739/3.18/{0.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6740/3.10/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6740/3.18/{0.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6741/3.10/{0.patch.disabled => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-6741/3.18/0002.patch rename Patches/Linux_CVEs/CVE-2016-6742/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6745/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6745/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6745/ANY/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6745/ANY/{3.patch => 0004.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-6745/ANY/0005.patch rename Patches/Linux_CVEs/CVE-2016-6748/{ANY/1.patch => 3.10/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6748/{ANY/0.patch => 3.18/0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-6749/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-6750/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6751/ANY/{0.patch => 0001.patch} (71%) rename Patches/Linux_CVEs/CVE-2016-6752/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6753/ANY/{0.patch => 0001.patch} 
(100%) rename Patches/Linux_CVEs/CVE-2016-6755/{ANY/0.patch => 3.10/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-6755/3.18/0002.patch rename Patches/Linux_CVEs/CVE-2016-6756/{ANY/0.patch => 3.10/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-6756/3.18/0002.patch rename Patches/Linux_CVEs/CVE-2016-6757/{ANY/0.patch => 3.10/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-6757/3.18/0002.patch rename Patches/Linux_CVEs/CVE-2016-6786/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6787/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-6791/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-6791/ANY/{0.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-6828/ANY/{0.patch => 0001.patch} (98%) rename Patches/Linux_CVEs/CVE-2016-7042/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-7097/{^4.8/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/{CVE-2017-8281/ANY/0.patch => CVE-2016-7117/ANY/0001.patch} (87%) create mode 100644 Patches/Linux_CVEs/CVE-2016-7910/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-7911/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-7912/{3.18/0.patch => ANY/0001.patch} (52%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-7913/3.10/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-7913/3.10/2.patch rename Patches/Linux_CVEs/CVE-2016-7913/{3.10/0.patch => ANY/0001.patch} (96%) rename Patches/Linux_CVEs/CVE-2016-7914/ANY/{0.patch => 0001.patch} (98%) rename Patches/Linux_CVEs/CVE-2016-7915/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-7916/{^4.5/0.patch => ANY/0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-7917/3.18/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-7917/3.18/1.patch.base64 rename Patches/Linux_CVEs/CVE-2016-7917/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-8391/ANY/0001.patch 
rename Patches/Linux_CVEs/CVE-2016-8391/ANY/{0.patch => 0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-8392/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-8392/ANY/0002.patch rename Patches/Linux_CVEs/CVE-2016-8393/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8393/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8393/ANY/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8394/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8399/ANY/{0.patch.disabled => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8399/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8401/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8402/3.10/{0.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8402/3.4/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8403/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8403/ANY/{0.patch.base64 => 0001.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2016-8404/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8405/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8406/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8407/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8410/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8412/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8413/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8414/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8415/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-8415/ANY/1.patch rename Patches/Linux_CVEs/CVE-2016-8416/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8417/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8418/ANY/{0.patch 
=> 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8419/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-8419/ANY/1.patch rename Patches/Linux_CVEs/CVE-2016-8420/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-8420/ANY/1.patch rename Patches/Linux_CVEs/CVE-2016-8421/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-8421/ANY/1.patch rename Patches/Linux_CVEs/CVE-2016-8434/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8436/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8444/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8450/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8452/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-8452/ANY/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-8452/ANY/2.patch rename Patches/Linux_CVEs/CVE-2016-8453/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8454/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8455/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-8456/ANY/0.patch rename Patches/Linux_CVEs/{CVE-2016-8457/ANY/0.patch => CVE-2016-8456/ANY/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-8457/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2016-8458/3.10/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8458/3.18/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8463/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-8463/ANY/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2016-8463/ANY/2.patch rename Patches/Linux_CVEs/CVE-2016-8464/3.10/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8464/3.18/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8464/3.18/{1.patch.base64 => 0002.patch.base64} (100%) rename 
Patches/Linux_CVEs/CVE-2016-8465/3.10/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8465/3.10/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8465/3.18/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8465/3.18/{3.patch => 0004.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8466/3.10/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8466/3.18/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8468/3.18/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8473/{3.10/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8474/{3.10/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8475/{3.18/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8476/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-8476/ANY/1.patch rename Patches/Linux_CVEs/CVE-2016-8477/{ANY/0.patch => 3.10/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8477/{ANY/1.patch => 3.18/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8478/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8479/{ANY/0.patch => 3.18/0001.patch} (73%) create mode 100644 Patches/Linux_CVEs/CVE-2016-8479/4.4/0002.patch rename Patches/Linux_CVEs/CVE-2016-8480/{ANY/0.patch => 3.10/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8480/{ANY/1.patch => 3.18/0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2016-8480/4.4/0003.patch create mode 100644 Patches/Linux_CVEs/CVE-2016-8481/4.4/0002.patch rename Patches/Linux_CVEs/CVE-2016-8481/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8481/ANY/{1.patch => 0003.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-8483/3.10/1.patch rename Patches/Linux_CVEs/CVE-2016-8483/{3.18/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-8650/ANY/{0.patch => 0001.patch} (100%) rename 
Patches/Linux_CVEs/CVE-2016-8655/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-9120/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-9120/ANY/1.patch rename Patches/Linux_CVEs/CVE-2016-9191/{ANY/0.patch => 3.11-4.8/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-9555/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-9576/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-9604/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-9754/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-9793/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2016-9794/ANY/0.patch rename Patches/Linux_CVEs/CVE-2016-9794/ANY/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2016-9806/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0403/{ANY/0.patch => 3.0-3.18/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0404/{ANY/0.patch => ^3.18/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0427/3.10/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0427/3.18/{0.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0430/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0433/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0433/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0434/{ANY/0.patch => 3.18/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0435/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0435/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0436/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0437/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0438/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-0438/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-0439/ANY/{0.patch => 
0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0439/ANY/{1.patch => 0002.patch} (59%) rename Patches/Linux_CVEs/CVE-2017-0440/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-0440/ANY/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-0440/ANY/2.patch rename Patches/Linux_CVEs/CVE-2017-0441/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0441/ANY/0002.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-0441/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-0442/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-0442/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-0443/ANY/{0.patch => 0001.patch} (98%) rename Patches/Linux_CVEs/{CVE-2017-0437/ANY/1.patch => CVE-2017-0443/ANY/0002.patch} (54%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-0443/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-0444/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0445/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0445/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0445/ANY/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0445/ANY/{3.patch => 0004.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0446/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0447/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0449/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0451/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0451/ANY/{1.patch => 0002.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-0452/ANY/0.patch.base64 delete mode 100644 Patches/Linux_CVEs/CVE-2017-0452/ANY/0.patch.dupe rename Patches/Linux_CVEs/CVE-2017-0452/ANY/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0453/ANY/{0.patch => 0001.patch} (95%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0453/ANY/0002.patch rename 
Patches/Linux_CVEs/CVE-2017-0453/ANY/{1.patch => 0003.patch} (89%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0454/3.10/0001.patch rename Patches/Linux_CVEs/CVE-2017-0454/{ANY/0.patch => 3.18/0002.patch} (98%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0454/4.4/0003.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-0455/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-0456/ANY/0001.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-0457/3.10/0.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-0457/3.10/0001.patch rename Patches/Linux_CVEs/CVE-2017-0457/3.10/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0457/3.18/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0458/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-0459/3.10/1.patch rename Patches/Linux_CVEs/CVE-2017-0459/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0460/3.10/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-0460/3.18/0002.patch rename Patches/Linux_CVEs/CVE-2017-0460/{3.10/1.patch => 4.4/0003.patch} (63%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-0460/ANY/0.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-0460/ANY/0.patch.base64 rename Patches/Linux_CVEs/CVE-2017-0461/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-0461/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-0462/{ANY/0.patch => 3.18/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0462/4.4/0002.patch rename Patches/Linux_CVEs/CVE-2017-0463/{ANY/0.patch => 3.18/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0463/4.4/0002.patch rename Patches/Linux_CVEs/CVE-2017-0464/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-0464/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-0465/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-0507/ANY/0.patch delete mode 100644 
Patches/Linux_CVEs/CVE-2017-0507/ANY/0.patch.base64 rename Patches/Linux_CVEs/CVE-2017-0507/ANY/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0509/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0510/3.10/{0.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0510/3.18/{1.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0510/3.4/{3.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0510/3.4/{3.patch.base64 => 0001.patch.base64} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-0510/ANY/2.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-0510/ANY/2.patch.base64 rename Patches/Linux_CVEs/CVE-2017-0516/ANY/{0.patch => 0001.patch} (70%) rename Patches/Linux_CVEs/CVE-2017-0518/3.18/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0518/3.18/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0519/3.18/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0520/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0521/{ANY/0.patch => 3.18/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0521/4.4/0002.patch rename Patches/Linux_CVEs/CVE-2017-0523/{ANY/0.patch => 3.18/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0523/4.4/0002.patch rename Patches/Linux_CVEs/CVE-2017-0524/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0524/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0524/ANY/{2.patch => 0003.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0525/3.10/0001.patch rename Patches/Linux_CVEs/CVE-2017-0525/{ANY/0.patch => 3.18/0002.patch} (83%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0525/4.4/0003.patch rename Patches/Linux_CVEs/CVE-2017-0531/{ANY/0.patch => 3.18/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0531/4.4/0002.patch rename Patches/Linux_CVEs/CVE-2017-0533/ANY/{0.patch => 0001.patch} (100%) rename 
Patches/Linux_CVEs/CVE-2017-0534/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0535/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0535/ANY/{0.patch.base64 => 0001.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2017-0536/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0537/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-0564/3.10/0.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-0564/3.10/0.patch.base64 delete mode 100644 Patches/Linux_CVEs/CVE-2017-0564/3.10/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-0564/3.10/1.patch.base64 rename Patches/Linux_CVEs/CVE-2017-0564/ANY/{2.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0568/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0568/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0569/3.10/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0570/{3.10/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0571/{3.10/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0572/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0573/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0574/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0575/ANY/{0.patch => 0001.patch} (63%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-0575/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-0576/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0583/3.10/0001.patch rename Patches/Linux_CVEs/CVE-2017-0583/{ANY/0.patch => 3.18/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0584/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-0584/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-0586/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0604/ANY/{0.patch => 0001.patch} (100%) rename 
Patches/Linux_CVEs/CVE-2017-0606/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0607/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0608/4.4/0001.patch rename Patches/Linux_CVEs/CVE-2017-0608/{ANY/0.patch => 4.4/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0609/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0610/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-0610/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-0611/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0612/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0613/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0614/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0619/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0620/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0621/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0622/{ANY/0.patch => 3.18/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0622/4.4/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-0624/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2017-0626/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0627/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0628/{4.4/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0629/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0631/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0632/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0633/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0648/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0648/ANY/{0.patch.base64 => 0001.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2017-0650/ANY/{0.patch => 
0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0651/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0651/ANY/{0.patch.base64 => 0001.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2017-0705/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0706/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0706/ANY/{0.patch.base64 => 0001.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2017-0710/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0710/ANY/{0.patch.base64 => 0001.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2017-0740/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0744/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0744/ANY/{0.patch.base64 => 0001.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2017-0746/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-0747/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2017-0748/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0749/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0749/ANY/{0.patch.base64 => 0001.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2017-0750/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0751/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0786/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0787/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0788/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0789/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0790/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0791/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0792/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0794/{3.10/0.patch.disabled => ANY/0001.patch} (100%) rename 
Patches/Linux_CVEs/CVE-2017-0824/{3.18/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-0825/{3.10/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000251/3.0/{2.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000251/3.0/{2.patch.base64 => 0001.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2017-1000251/3.4/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000251/3.4/{1.patch.base64 => 0002.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2017-1000251/ANY/{0.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000364/3.10/{1.patch => 0005.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000364/3.10/{1.patch.base64 => 0005.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2017-1000364/3.10/{2.patch => 0006.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000364/3.10/{2.patch.base64 => 0006.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2017-1000364/3.10/{0.patch => 0007.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000364/3.10/{0.patch.base64 => 0007.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2017-1000364/3.18/{3.patch => 0008.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000364/3.18/{6.patch => 0009.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000364/3.18/{7.patch => 0010.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000364/3.2/{8.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000364/3.2/{9.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000364/3.4/{4.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000364/3.4/{4.patch.base64 => 0003.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2017-1000364/3.4/{5.patch => 0004.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000364/3.4/{5.patch.base64 => 0004.patch.base64} (100%) rename Patches/Linux_CVEs/CVE-2017-1000365/3.10/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000365/3.10/{0.patch.base64 => 0001.patch.base64} (100%) rename 
Patches/Linux_CVEs/CVE-2017-1000365/3.18/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000380/{ANY/0.patch => ^4.11/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-1000380/{ANY/1.patch => ^4.11/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-10661/ANY/{0.patch => 0001.patch} (73%) rename Patches/Linux_CVEs/CVE-2017-10662/ANY/{0.patch => 0001.patch} (60%) rename Patches/Linux_CVEs/CVE-2017-10663/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-10663/{3.18/1.patch => ANY/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-10996/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-10997/{ANY/0.patch => 3.10/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-10997/4.4/0002.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-10998/3.10/0.patch rename Patches/Linux_CVEs/CVE-2017-10998/{3.18/1.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-10999/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-11000/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-11001/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-11002/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2017-11002/ANY/{0.patch => 0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-11012/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11013/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11013/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11014/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11015/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11015/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11018/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11022/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11022/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11023/ANY/0001.patch create mode 100644 
Patches/Linux_CVEs/CVE-2017-11024/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11025/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11028/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11028/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11029/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11029/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11032/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11035/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-11035/ANY/0002.patch rename Patches/Linux_CVEs/CVE-2017-11040/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-11046/{3.10/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-11048/{3.10/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-11050/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-11050/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-11051/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-11051/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-11052/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-11052/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-11053/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-11053/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-11054/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-11055/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-11055/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-11056/{3.10/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-11057/{3.10/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/{CVE-2017-11054/ANY/1.patch => CVE-2017-11058/ANY/0001.patch} (75%) rename Patches/Linux_CVEs/CVE-2017-11059/{3.10/0.patch => ANY/0001.patch} (100%) rename 
Patches/Linux_CVEs/CVE-2017-11060/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-11060/ANY/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-11060/ANY/2.patch rename Patches/Linux_CVEs/CVE-2017-11061/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-11061/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-11062/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-11062/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-11064/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-11064/ANY/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-11067/ANY/0.patch rename Patches/Linux_CVEs/CVE-2017-11067/ANY/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-11600/{3.10/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-12146/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-12153/{3.16/0.patch => 3.2-3.16/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/{0.patch => 0001.patch} (59%) create mode 100644 Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0003.patch rename Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/{1.patch => 0004.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-13080/ANY/{0.patch => 0001.patch} (76%) rename Patches/Linux_CVEs/CVE-2017-15265/{ANY/0.patch => ^4.14/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-2618/3.10/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-2636/{ANY/0.patch => ^4.10/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-2671/{ANY/0.patch => ^4.10/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-5546/{ANY/0.patch => 4.7-4.9/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-5547/{ANY/0.patch => 4.9/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-5550/{ANY/0.patch => 4.9/0001.patch} (100%) rename 
Patches/Linux_CVEs/CVE-2017-5551/{ANY/0.patch => 3.14-4.9/0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-5669/ANY/0.patch rename Patches/Linux_CVEs/CVE-2017-5669/{ANY/1.patch.dupe => ^4.9/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-5897/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-5967/3.10/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-5967/3.10/0001.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2017-5967/3.18/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-5967/3.18/0002.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2017-5967/^4.9/0003.patch rename Patches/Linux_CVEs/CVE-2017-5970/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-5972/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-5986/{ANY/0.patch => ^4.9/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-6001/{3.4/0.patch => ANY/0001.patch} (88%) create mode 100644 Patches/Linux_CVEs/CVE-2017-6001/ANY/0001.patch.base64 delete mode 100644 Patches/Linux_CVEs/CVE-2017-6074/ANY/0.patch rename Patches/Linux_CVEs/CVE-2017-6074/ANY/{1.patch.dupe => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-6214/ANY/0.patch rename Patches/Linux_CVEs/CVE-2017-6214/ANY/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-6345/{ANY/0.patch => ^4.9/0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-6346/3.18/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-6346/3.18/1.patch.base64 rename Patches/Linux_CVEs/CVE-2017-6346/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-6347/{ANY/0.patch => ^4.10/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-6348/{ANY/0.patch => ^4.9/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-6353/{ANY/0.patch => ^4.10/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-6421/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-6423/ANY/{0.patch => 0001.patch} 
(100%) rename Patches/Linux_CVEs/CVE-2017-6424/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-6424/ANY/0002.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-6424/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-6425/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-6426/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-6874/{ANY/0.patch => ^4.10/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-6951/{ANY/0.patch => ^3.14/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7184/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7184/ANY/{1.patch => 0002.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-7187/ANY/0.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-7187/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2017-7277/{ANY/0.patch => ^4.10/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7277/{ANY/1.patch => ^4.10/0002.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-7308/3.18/0.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-7308/3.18/0.patch.base64 delete mode 100644 Patches/Linux_CVEs/CVE-2017-7308/3.18/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-7308/3.18/1.patch.base64 delete mode 100644 Patches/Linux_CVEs/CVE-2017-7308/3.18/2.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-7308/3.18/2.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2017-7308/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-7308/ANY/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-7308/ANY/0003.patch rename Patches/Linux_CVEs/CVE-2017-7364/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7366/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7366/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7368/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7369/3.10/{0.patch => 0001.patch} (100%) rename 
Patches/Linux_CVEs/CVE-2017-7369/3.18/{1.patch => 0002.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-7369/4.4/0003.patch rename Patches/Linux_CVEs/CVE-2017-7370/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7371/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-7371/ANY/1.patch.dupe rename Patches/Linux_CVEs/CVE-2017-7372/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-7373/3.10/1.patch rename Patches/Linux_CVEs/CVE-2017-7373/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7374/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7472/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7487/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-7495/3.18/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-7495/3.18/1.patch.base64 delete mode 100644 Patches/Linux_CVEs/CVE-2017-7495/3.18/2.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-7495/3.18/2.patch.base64 rename Patches/Linux_CVEs/CVE-2017-7495/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-7541/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2017-7616/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7618/{ANY/0.patch => ^4.10/0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7889/{ANY/0.patch => ^4.10/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-7979/{ANY/0.patch => ^4.11/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8233/{ANY/0.patch => 3.18/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-8233/4.4/0002.patch rename Patches/Linux_CVEs/CVE-2017-8234/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8235/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-8236/3.10/0001.patch rename Patches/Linux_CVEs/CVE-2017-8236/{ANY/0.patch => 3.18/0002.patch} (100%) rename 
Patches/Linux_CVEs/CVE-2017-8237/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8239/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8240/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8241/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8242/{ANY/0.patch => 3.18/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-8242/4.4/0002.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-8243/4.4/0001.patch rename Patches/Linux_CVEs/CVE-2017-8244/3.10/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8244/3.18/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8244/4.4/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8245/3.10/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8245/3.18/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8245/4.4/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8246/3.10/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8246/3.18/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8246/4.4/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8247/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8250/{3.18/0.patch => ANY/0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-8251/3.10/0.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-8251/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2017-8253/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8254/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8256/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8257/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-8258/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2017-8259/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-8260/3.10/0.patch create mode 
100644 Patches/Linux_CVEs/CVE-2017-8260/3.18/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-8260/4.4/0002.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-8261/ANY/0.patch rename Patches/Linux_CVEs/{CVE-2017-8267/ANY/0.patch => CVE-2017-8261/ANY/0001.patch} (54%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-8262/3.10/1.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-8262/3.10/1.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2017-8262/3.18/0001.patch rename Patches/Linux_CVEs/CVE-2017-8262/{ANY/0.patch => 4.4/0002.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-8263/ANY/0.patch.base64 rename Patches/Linux_CVEs/CVE-2017-8263/ANY/{0.patch => 0001.patch} (54%) rename Patches/Linux_CVEs/CVE-2017-8264/3.10/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8264/3.18/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-8265/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-8266/3.10/1.patch rename Patches/Linux_CVEs/CVE-2017-8266/3.18/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-8266/4.4/0002.patch delete mode 100644 Patches/Linux_CVEs/CVE-2017-8267/ANY/0.patch.base64 create mode 100644 Patches/Linux_CVEs/CVE-2017-8267/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2017-8268/{ANY/0.patch => 3.10/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-8268/4.4/0002.patch rename Patches/Linux_CVEs/CVE-2017-8269/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-8270/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-8272/4.4/0001.patch rename Patches/Linux_CVEs/CVE-2017-8277/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-8279/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2017-8280/ANY/{0.patch => 0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-8281/3.18/0001.patch rename Patches/Linux_CVEs/CVE-2017-8281/{ANY/1.patch => 4.4/0002.patch} (77%) 
delete mode 100644 Patches/Linux_CVEs/CVE-2017-8890/3.4/0.patch.base64 rename Patches/Linux_CVEs/CVE-2017-8890/{3.4/0.patch => ANY/0001.patch} (61%) rename Patches/Linux_CVEs/CVE-2017-9074/3.2/{1.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-9074/3.2/{2.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-9074/{ANY/0.patch => ^4.11/0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-9075/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-9076/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-9077/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-9150/ANY/{0.patch => 0001.patch} (96%) rename Patches/Linux_CVEs/CVE-2017-9242/{ANY/0.patch => ^4.11/0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-9676/3.0/1.patch rename Patches/Linux_CVEs/CVE-2017-9676/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-9677/3.10/0.patch rename Patches/Linux_CVEs/CVE-2017-9677/{3.18/1.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-9678/{ANY/0.patch => 3.18/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-9678/4.4/0002.patch rename Patches/Linux_CVEs/CVE-2017-9679/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-9680/ANY/{0.patch => 0001.patch} (79%) rename Patches/Linux_CVEs/CVE-2017-9682/{ANY/0.patch => 3.18/0001.patch} (100%) create mode 100644 Patches/Linux_CVEs/CVE-2017-9682/4.4/0002.patch rename Patches/Linux_CVEs/CVE-2017-9684/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-9684/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-9684/ANY/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-9686/{3.18/0.patch => ANY/0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-9687/3.18/0.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-9687/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2017-9691/ANY/{0.patch => 0001.patch} (100%) 
rename Patches/Linux_CVEs/CVE-2017-9691/ANY/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-9692/ANY/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-9693/ANY/{0.patch => 0001.patch} (56%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-9694/ANY/0.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-9694/ANY/0001.patch rename Patches/Linux_CVEs/CVE-2017-9697/{3.18/0.patch => ANY/0001.patch} (63%) rename Patches/Linux_CVEs/CVE-2017-9706/{3.10/0.patch => ANY/0001.patch} (100%) rename Patches/Linux_CVEs/CVE-2017-9714/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-9714/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-9715/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-9715/ANY/1.patch rename Patches/Linux_CVEs/CVE-2017-9717/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-9717/ANY/1.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-9719/ANY/0001.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-9719/ANY/0002.patch rename Patches/Linux_CVEs/CVE-2017-9720/ANY/{0.patch => 0001.patch} (71%) create mode 100644 Patches/Linux_CVEs/CVE-2017-9720/ANY/0002.patch rename Patches/Linux_CVEs/CVE-2017-9724/ANY/{0.patch => 0001.patch} (100%) delete mode 100644 Patches/Linux_CVEs/CVE-2017-9725/ANY/0.patch create mode 100644 Patches/Linux_CVEs/CVE-2017-9725/ANY/0001.patch rename Patches/Linux_CVEs/LVT-2017-0001/3.0/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/LVT-2017-0001/3.0/{0.patch.base64 => 0001.patch.base64} (100%) rename Patches/Linux_CVEs/LVT-2017-0001/3.10/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/LVT-2017-0001/3.10/{2.patch.base64 => 0003.patch.base64} (100%) rename Patches/Linux_CVEs/LVT-2017-0001/3.18/{3.patch => 0004.patch} (100%) rename Patches/Linux_CVEs/LVT-2017-0001/3.18/{3.patch.base64 => 0004.patch.base64} (100%) rename Patches/Linux_CVEs/LVT-2017-0001/3.4/{1.patch => 0002.patch} (100%) rename 
Patches/Linux_CVEs/LVT-2017-0001/3.4/{1.patch.base64 => 0002.patch.base64} (100%) rename Patches/Linux_CVEs/LVT-2017-0002/3.10/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/LVT-2017-0002/3.10/{1.patch.base64 => 0002.patch.base64} (100%) rename Patches/Linux_CVEs/LVT-2017-0002/3.18/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/LVT-2017-0002/3.18/{2.patch.base64 => 0003.patch.base64} (100%) rename Patches/Linux_CVEs/LVT-2017-0002/3.4/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/LVT-2017-0002/3.4/{0.patch.base64 => 0001.patch.base64} (100%) rename Patches/Linux_CVEs/LVT-2017-0003/3.10/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/LVT-2017-0003/3.10/{0.patch.base64 => 0001.patch.base64} (100%) rename Patches/Linux_CVEs/LVT-2017-0004/3.10/{1.patch => 0002.patch} (100%) rename Patches/Linux_CVEs/LVT-2017-0004/3.10/{1.patch.base64 => 0002.patch.base64} (100%) rename Patches/Linux_CVEs/LVT-2017-0004/3.18/{2.patch => 0003.patch} (100%) rename Patches/Linux_CVEs/LVT-2017-0004/3.18/{2.patch.base64 => 0003.patch.base64} (100%) rename Patches/Linux_CVEs/LVT-2017-0004/3.4/{0.patch => 0001.patch} (100%) rename Patches/Linux_CVEs/LVT-2017-0004/3.4/{0.patch.base64 => 0001.patch.base64} (100%) diff --git a/Patches/Linux_CVEs/CVE-2012-4220/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2012-4220/ANY/0001.patch new file mode 100644 index 00000000..1965644b --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2012-4220/ANY/0001.patch 
@@ -0,0 +1,345 @@ +From 77ad483f7b82d944aae5b944cd28e923a5293668 Mon Sep 17 00:00:00 2001 +From: Ravi Aravamudhan +Date: Thu, 15 Nov 2012 16:04:04 -0800 +Subject: diag: Improve handling of IOCTLs + +DIAG kernel driver interacts with user space processes using +IOCTLS. This change adds conditions to avoid potential integer +over/underflow, incorrect buffer copy. + +CVE-2012-4220 +CVE-2012-4221 + +Change-Id: Ic1e815051ae9544c911c9a5bd0c9218c1225f6d5 +CRs-Fixed: 385352 +CRs-Fixed: 385349 +Signed-off-by: Shalabh Jain +--- + drivers/char/diag/diagchar.h | 1 + + drivers/char/diag/diagchar_core.c | 188 ++++++++++++++++++++++++++++---------- + 2 files changed, 142 insertions(+), 47 deletions(-) + +diff --git a/drivers/char/diag/diagchar.h b/drivers/char/diag/diagchar.h +index 28d0565..de3cf522 100644 +--- a/drivers/char/diag/diagchar.h ++++ b/drivers/char/diag/diagchar.h +@@ -29,6 +29,7 @@ + #define IN_BUF_SIZE 16384 + #define MAX_IN_BUF_SIZE 32768 + #define MAX_SYNC_OBJ_NAME_SIZE 32 ++#define UINT32_MAX UINT_MAX + /* Size of the buffer used for deframing a packet + reveived from the PC tool*/ + #define HDLC_MAX 4096 +diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c +index 19c6ed2..7b17ce4 100644 +--- a/drivers/char/diag/diagchar_core.c ++++ b/drivers/char/diag/diagchar_core.c +@@ -358,7 +358,7 @@ void diag_clear_reg(int proc_num) + } + + void diag_add_reg(int j, struct bindpkt_params *params, +- int *success, int *count_entries) ++ int *success, unsigned int *count_entries) + { + *success = 1; + driver->table[j].cmd_code = params->cmd_code; +@@ -399,79 +399,153 @@ inline uint16_t diag_get_remote_device_mask(void) { return 0; } + long diagchar_ioctl(struct file *filp, + unsigned int iocmd, unsigned long ioarg) + { +- int i, j, count_entries = 0, temp; +- int success = -1; ++ int i, j, temp, success = -1, status; ++ unsigned int count_entries = 0, interim_count = 0; + void *temp_buf; + uint16_t support_list = 0; +- struct 
diag_dci_client_tbl *params = +- kzalloc(sizeof(struct diag_dci_client_tbl), GFP_KERNEL); ++ struct diag_dci_client_tbl *dci_params; + struct diag_dci_health_stats stats; +- int status; + + if (iocmd == DIAG_IOCTL_COMMAND_REG) { +- struct bindpkt_params_per_process *pkt_params = +- (struct bindpkt_params_per_process *) ioarg; ++ struct bindpkt_params_per_process pkt_params; ++ struct bindpkt_params *params; ++ struct bindpkt_params *head_params; ++ if (copy_from_user(&pkt_params, (void *)ioarg, ++ sizeof(struct bindpkt_params_per_process))) { ++ return -EFAULT; ++ } ++ if ((UINT32_MAX/sizeof(struct bindpkt_params)) < ++ pkt_params.count) { ++ pr_warning("diag: integer overflow while multiply\n"); ++ return -EFAULT; ++ } ++ params = kzalloc(pkt_params.count*sizeof( ++ struct bindpkt_params), GFP_KERNEL); ++ if (!params) { ++ pr_err("diag: unable to alloc memory\n"); ++ return -ENOMEM; ++ } else ++ head_params = params; ++ ++ if (copy_from_user(params, pkt_params.params, ++ pkt_params.count*sizeof(struct bindpkt_params))) { ++ kfree(head_params); ++ return -EFAULT; ++ } + mutex_lock(&driver->diagchar_mutex); + for (i = 0; i < diag_max_reg; i++) { + if (driver->table[i].process_id == 0) { +- diag_add_reg(i, pkt_params->params, +- &success, &count_entries); +- if (pkt_params->count > count_entries) { +- pkt_params->params++; ++ diag_add_reg(i, params, &success, ++ &count_entries); ++ if (pkt_params.count > count_entries) { ++ params++; + } else { + mutex_unlock(&driver->diagchar_mutex); ++ kfree(head_params); + return success; + } + } + } + if (i < diag_threshold_reg) { + /* Increase table size by amount required */ +- diag_max_reg += pkt_params->count - ++ if (pkt_params.count >= count_entries) { ++ interim_count = pkt_params.count - + count_entries; ++ } else { ++ pr_warning("diag: error in params count\n"); ++ kfree(head_params); ++ mutex_unlock(&driver->diagchar_mutex); ++ return -EFAULT; ++ } ++ if (UINT32_MAX - diag_max_reg >= ++ interim_count) { ++ diag_max_reg 
+= interim_count; ++ } else { ++ pr_warning("diag: Integer overflow\n"); ++ kfree(head_params); ++ mutex_unlock(&driver->diagchar_mutex); ++ return -EFAULT; ++ } + /* Make sure size doesnt go beyond threshold */ + if (diag_max_reg > diag_threshold_reg) { + diag_max_reg = diag_threshold_reg; + pr_info("diag: best case memory allocation\n"); + } ++ if (UINT32_MAX/sizeof(struct diag_master_table) < ++ diag_max_reg) { ++ pr_warning("diag: integer overflow\n"); ++ kfree(head_params); ++ mutex_unlock(&driver->diagchar_mutex); ++ return -EFAULT; ++ } + temp_buf = krealloc(driver->table, + diag_max_reg*sizeof(struct + diag_master_table), GFP_KERNEL); + if (!temp_buf) { +- diag_max_reg -= pkt_params->count - +- count_entries; +- pr_alert("diag: Insufficient memory for reg."); ++ pr_alert("diag: Insufficient memory for reg.\n"); + mutex_unlock(&driver->diagchar_mutex); ++ ++ if (pkt_params.count >= count_entries) { ++ interim_count = pkt_params.count - ++ count_entries; ++ } else { ++ pr_warning("diag: params count error\n"); ++ mutex_unlock(&driver->diagchar_mutex); ++ kfree(head_params); ++ return -EFAULT; ++ } ++ if (diag_max_reg >= interim_count) { ++ diag_max_reg -= interim_count; ++ } else { ++ pr_warning("diag: Integer underflow\n"); ++ mutex_unlock(&driver->diagchar_mutex); ++ kfree(head_params); ++ return -EFAULT; ++ } ++ kfree(head_params); + return 0; + } else { + driver->table = temp_buf; + } + for (j = i; j < diag_max_reg; j++) { +- diag_add_reg(j, pkt_params->params, +- &success, &count_entries); +- if (pkt_params->count > count_entries) { +- pkt_params->params++; ++ diag_add_reg(j, params, &success, ++ &count_entries); ++ if (pkt_params.count > count_entries) { ++ params++; + } else { + mutex_unlock(&driver->diagchar_mutex); ++ kfree(head_params); + return success; + } + } ++ kfree(head_params); + mutex_unlock(&driver->diagchar_mutex); + } else { + mutex_unlock(&driver->diagchar_mutex); ++ kfree(head_params); + pr_err("Max size reached, Pkt Registration failed 
for" + " Process %d", current->tgid); + } + success = 0; + } else if (iocmd == DIAG_IOCTL_GET_DELAYED_RSP_ID) { +- struct diagpkt_delay_params *delay_params = +- (struct diagpkt_delay_params *) ioarg; +- +- if ((delay_params->rsp_ptr) && +- (delay_params->size == sizeof(delayed_rsp_id)) && +- (delay_params->num_bytes_ptr)) { +- *((uint16_t *)delay_params->rsp_ptr) = +- DIAGPKT_NEXT_DELAYED_RSP_ID(delayed_rsp_id); +- *(delay_params->num_bytes_ptr) = sizeof(delayed_rsp_id); ++ struct diagpkt_delay_params delay_params; ++ uint16_t interim_rsp_id; ++ int interim_size; ++ if (copy_from_user(&delay_params, (void *)ioarg, ++ sizeof(struct diagpkt_delay_params))) ++ return -EFAULT; ++ if ((delay_params.rsp_ptr) && ++ (delay_params.size == sizeof(delayed_rsp_id)) && ++ (delay_params.num_bytes_ptr)) { ++ interim_rsp_id = DIAGPKT_NEXT_DELAYED_RSP_ID( ++ delayed_rsp_id); ++ if (copy_to_user((void *)delay_params.rsp_ptr, ++ &interim_rsp_id, sizeof(uint16_t))) ++ return -EFAULT; ++ interim_size = sizeof(delayed_rsp_id); ++ if (copy_to_user((void *)delay_params.num_bytes_ptr, ++ &interim_size, sizeof(int))) ++ return -EFAULT; + success = 0; + } + } else if (iocmd == DIAG_IOCTL_DCI_REG) { +@@ -479,7 +553,13 @@ long diagchar_ioctl(struct file *filp, + return DIAG_DCI_NO_REG; + if (driver->num_dci_client >= MAX_DCI_CLIENTS) + return DIAG_DCI_NO_REG; +- if (copy_from_user(params, (void *)ioarg, ++ dci_params = kzalloc(sizeof(struct diag_dci_client_tbl), ++ GFP_KERNEL); ++ if (dci_params == NULL) { ++ pr_err("diag: unable to alloc memory\n"); ++ return -ENOMEM; ++ } ++ if (copy_from_user(dci_params, (void *)ioarg, + sizeof(struct diag_dci_client_tbl))) + return -EFAULT; + mutex_lock(&driver->dci_mutex); +@@ -492,9 +572,9 @@ long diagchar_ioctl(struct file *filp, + if (driver->dci_client_tbl[i].client == NULL) { + driver->dci_client_tbl[i].client = current; + driver->dci_client_tbl[i].list = +- params->list; ++ dci_params->list; + driver->dci_client_tbl[i].signal_type = +- 
params->signal_type; ++ dci_params->signal_type; + create_dci_log_mask_tbl(driver-> + dci_client_tbl[i].dci_log_mask); + create_dci_event_mask_tbl(driver-> +@@ -512,6 +592,7 @@ long diagchar_ioctl(struct file *filp, + } + } + mutex_unlock(&driver->dci_mutex); ++ kfree(dci_params); + return driver->dci_client_id; + } else if (iocmd == DIAG_IOCTL_DCI_DEINIT) { + success = -1; +@@ -536,25 +617,29 @@ long diagchar_ioctl(struct file *filp, + } else if (iocmd == DIAG_IOCTL_DCI_SUPPORT) { + if (driver->ch_dci) + support_list = support_list | DIAG_CON_MPSS; +- *(uint16_t *)ioarg = support_list; ++ if (copy_to_user((void *)ioarg, &support_list, ++ sizeof(uint16_t))) ++ return -EFAULT; + return DIAG_DCI_NO_ERROR; + } else if (iocmd == DIAG_IOCTL_DCI_HEALTH_STATS) { + if (copy_from_user(&stats, (void *)ioarg, + sizeof(struct diag_dci_health_stats))) + return -EFAULT; + for (i = 0; i < MAX_DCI_CLIENTS; i++) { +- params = &(driver->dci_client_tbl[i]); +- if (params->client && +- params->client->tgid == current->tgid) { +- stats.dropped_logs = params->dropped_logs; +- stats.dropped_events = params->dropped_events; +- stats.received_logs = params->received_logs; +- stats.received_events = params->received_events; ++ dci_params = &(driver->dci_client_tbl[i]); ++ if (dci_params->client && ++ dci_params->client->tgid == current->tgid) { ++ stats.dropped_logs = dci_params->dropped_logs; ++ stats.dropped_events = ++ dci_params->dropped_events; ++ stats.received_logs = dci_params->received_logs; ++ stats.received_events = ++ dci_params->received_events; + if (stats.reset_status) { +- params->dropped_logs = 0; +- params->dropped_events = 0; +- params->received_logs = 0; +- params->received_events = 0; ++ dci_params->dropped_logs = 0; ++ dci_params->dropped_events = 0; ++ dci_params->received_logs = 0; ++ dci_params->received_events = 0; + } + break; + } +@@ -567,7 +652,7 @@ long diagchar_ioctl(struct file *filp, + for (i = 0; i < driver->num_clients; i++) + if (driver->client_map[i].pid 
== current->tgid) + break; +- if (i == -1) ++ if (i == driver->num_clients) + return -EINVAL; + driver->data_ready[i] |= DEINIT_TYPE; + wake_up_interruptible(&driver->wait_q); +@@ -1068,7 +1153,7 @@ static int diagchar_write(struct file *file, const char __user *buf, + struct diag_send_desc_type send = { NULL, NULL, DIAG_STATE_START, 0 }; + struct diag_hdlc_dest_type enc = { NULL, NULL, 0 }; + void *buf_copy = NULL; +- int payload_size; ++ unsigned int payload_size; + #ifdef CONFIG_DIAG_OVER_USB + if (((driver->logging_mode == USB_MODE) && (!driver->usb_connected)) || + (driver->logging_mode == NO_LOGGING_MODE)) { +@@ -1079,8 +1164,17 @@ static int diagchar_write(struct file *file, const char __user *buf, + /* Get the packet type F3/log/event/Pkt response */ + err = copy_from_user((&pkt_type), buf, 4); + /* First 4 bytes indicate the type of payload - ignore these */ ++ if (count < 4) { ++ pr_err("diag: Client sending short data\n"); ++ return -EBADMSG; ++ } + payload_size = count - 4; +- ++ if (payload_size > USER_SPACE_DATA) { ++ pr_err("diag: Dropping packet, packet payload size crosses 8KB limit. Current payload size %d\n", ++ payload_size); ++ driver->dropped_count++; ++ return -EBADMSG; ++ } + if (pkt_type == DCI_DATA_TYPE) { + err = copy_from_user(driver->user_space_data, buf + 4, + payload_size); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2012-4221/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2012-4221/ANY/0001.patch new file mode 100644 index 00000000..1965644b --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2012-4221/ANY/0001.patch 
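Review bot: In the embedded patch's DIAG_IOCTL_DCI_REG branch, the newly allocated `dci_params` is leaked when `copy_from_user()` fails, because that path still does a bare `return -EFAULT;`. Since the ioctl argument comes from user space the failure can be repeated, so the buffer should be freed first: `if (copy_from_user(dci_params, (void *)ioarg, sizeof(struct diag_dci_client_tbl))) { kfree(dci_params); return -EFAULT; }`. The krealloc-failure path in DIAG_IOCTL_COMMAND_REG calls `mutex_unlock(&driver->diagchar_mutex)` right after the `pr_alert` and again in both error `else` branches, and it rolls back `diag_max_reg` after the lock is dropped; a single unlock placed after the rollback would address both. In `diagchar_write` the added `count < 4` check sits after the 4-byte `copy_from_user` into `pkt_type` and should move above it. The hunk adding `CVE-2012-4221/ANY/0001.patch` carries the same blob (index 1965644b) and the same issues; `diagchar_ioctl` is only partly visible in the embedded hunks, so other exits between the allocation and `kfree(dci_params)` could not be checked.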
@@ -0,0 +1,345 @@ +From 77ad483f7b82d944aae5b944cd28e923a5293668 Mon Sep 17 00:00:00 2001 +From: Ravi Aravamudhan +Date: Thu, 15 Nov 2012 16:04:04 -0800 +Subject: diag: Improve handling of IOCTLs + +DIAG kernel driver interacts with user space processes using +IOCTLS. This change adds conditions to avoid potential integer +over/underflow, incorrect buffer copy. + +CVE-2012-4220 +CVE-2012-4221 + +Change-Id: Ic1e815051ae9544c911c9a5bd0c9218c1225f6d5 +CRs-Fixed: 385352 +CRs-Fixed: 385349 +Signed-off-by: Shalabh Jain +--- + drivers/char/diag/diagchar.h | 1 + + drivers/char/diag/diagchar_core.c | 188 ++++++++++++++++++++++++++++---------- + 2 files changed, 142 insertions(+), 47 deletions(-) + +diff --git a/drivers/char/diag/diagchar.h b/drivers/char/diag/diagchar.h +index 28d0565..de3cf522 100644 +--- a/drivers/char/diag/diagchar.h ++++ b/drivers/char/diag/diagchar.h +@@ -29,6 +29,7 @@ + #define IN_BUF_SIZE 16384 + #define MAX_IN_BUF_SIZE 32768 + #define MAX_SYNC_OBJ_NAME_SIZE 32 ++#define UINT32_MAX UINT_MAX + /* Size of the buffer used for deframing a packet + reveived from the PC tool*/ + #define HDLC_MAX 4096 +diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c +index 19c6ed2..7b17ce4 100644 +--- a/drivers/char/diag/diagchar_core.c ++++ b/drivers/char/diag/diagchar_core.c +@@ -358,7 +358,7 @@ void diag_clear_reg(int proc_num) + } + + void diag_add_reg(int j, struct bindpkt_params *params, +- int *success, int *count_entries) ++ int *success, unsigned int *count_entries) + { + *success = 1; + driver->table[j].cmd_code = params->cmd_code; +@@ -399,79 +399,153 @@ inline uint16_t diag_get_remote_device_mask(void) { return 0; } + long diagchar_ioctl(struct file *filp, + unsigned int iocmd, unsigned long ioarg) + { +- int i, j, count_entries = 0, temp; +- int success = -1; ++ int i, j, temp, success = -1, status; ++ unsigned int count_entries = 0, interim_count = 0; + void *temp_buf; + uint16_t support_list = 0; +- struct 
diag_dci_client_tbl *params = +- kzalloc(sizeof(struct diag_dci_client_tbl), GFP_KERNEL); ++ struct diag_dci_client_tbl *dci_params; + struct diag_dci_health_stats stats; +- int status; + + if (iocmd == DIAG_IOCTL_COMMAND_REG) { +- struct bindpkt_params_per_process *pkt_params = +- (struct bindpkt_params_per_process *) ioarg; ++ struct bindpkt_params_per_process pkt_params; ++ struct bindpkt_params *params; ++ struct bindpkt_params *head_params; ++ if (copy_from_user(&pkt_params, (void *)ioarg, ++ sizeof(struct bindpkt_params_per_process))) { ++ return -EFAULT; ++ } ++ if ((UINT32_MAX/sizeof(struct bindpkt_params)) < ++ pkt_params.count) { ++ pr_warning("diag: integer overflow while multiply\n"); ++ return -EFAULT; ++ } ++ params = kzalloc(pkt_params.count*sizeof( ++ struct bindpkt_params), GFP_KERNEL); ++ if (!params) { ++ pr_err("diag: unable to alloc memory\n"); ++ return -ENOMEM; ++ } else ++ head_params = params; ++ ++ if (copy_from_user(params, pkt_params.params, ++ pkt_params.count*sizeof(struct bindpkt_params))) { ++ kfree(head_params); ++ return -EFAULT; ++ } + mutex_lock(&driver->diagchar_mutex); + for (i = 0; i < diag_max_reg; i++) { + if (driver->table[i].process_id == 0) { +- diag_add_reg(i, pkt_params->params, +- &success, &count_entries); +- if (pkt_params->count > count_entries) { +- pkt_params->params++; ++ diag_add_reg(i, params, &success, ++ &count_entries); ++ if (pkt_params.count > count_entries) { ++ params++; + } else { + mutex_unlock(&driver->diagchar_mutex); ++ kfree(head_params); + return success; + } + } + } + if (i < diag_threshold_reg) { + /* Increase table size by amount required */ +- diag_max_reg += pkt_params->count - ++ if (pkt_params.count >= count_entries) { ++ interim_count = pkt_params.count - + count_entries; ++ } else { ++ pr_warning("diag: error in params count\n"); ++ kfree(head_params); ++ mutex_unlock(&driver->diagchar_mutex); ++ return -EFAULT; ++ } ++ if (UINT32_MAX - diag_max_reg >= ++ interim_count) { ++ diag_max_reg 
+= interim_count; ++ } else { ++ pr_warning("diag: Integer overflow\n"); ++ kfree(head_params); ++ mutex_unlock(&driver->diagchar_mutex); ++ return -EFAULT; ++ } + /* Make sure size doesnt go beyond threshold */ + if (diag_max_reg > diag_threshold_reg) { + diag_max_reg = diag_threshold_reg; + pr_info("diag: best case memory allocation\n"); + } ++ if (UINT32_MAX/sizeof(struct diag_master_table) < ++ diag_max_reg) { ++ pr_warning("diag: integer overflow\n"); ++ kfree(head_params); ++ mutex_unlock(&driver->diagchar_mutex); ++ return -EFAULT; ++ } + temp_buf = krealloc(driver->table, + diag_max_reg*sizeof(struct + diag_master_table), GFP_KERNEL); + if (!temp_buf) { +- diag_max_reg -= pkt_params->count - +- count_entries; +- pr_alert("diag: Insufficient memory for reg."); ++ pr_alert("diag: Insufficient memory for reg.\n"); + mutex_unlock(&driver->diagchar_mutex); ++ ++ if (pkt_params.count >= count_entries) { ++ interim_count = pkt_params.count - ++ count_entries; ++ } else { ++ pr_warning("diag: params count error\n"); ++ mutex_unlock(&driver->diagchar_mutex); ++ kfree(head_params); ++ return -EFAULT; ++ } ++ if (diag_max_reg >= interim_count) { ++ diag_max_reg -= interim_count; ++ } else { ++ pr_warning("diag: Integer underflow\n"); ++ mutex_unlock(&driver->diagchar_mutex); ++ kfree(head_params); ++ return -EFAULT; ++ } ++ kfree(head_params); + return 0; + } else { + driver->table = temp_buf; + } + for (j = i; j < diag_max_reg; j++) { +- diag_add_reg(j, pkt_params->params, +- &success, &count_entries); +- if (pkt_params->count > count_entries) { +- pkt_params->params++; ++ diag_add_reg(j, params, &success, ++ &count_entries); ++ if (pkt_params.count > count_entries) { ++ params++; + } else { + mutex_unlock(&driver->diagchar_mutex); ++ kfree(head_params); + return success; + } + } ++ kfree(head_params); + mutex_unlock(&driver->diagchar_mutex); + } else { + mutex_unlock(&driver->diagchar_mutex); ++ kfree(head_params); + pr_err("Max size reached, Pkt Registration failed 
for" + " Process %d", current->tgid); + } + success = 0; + } else if (iocmd == DIAG_IOCTL_GET_DELAYED_RSP_ID) { +- struct diagpkt_delay_params *delay_params = +- (struct diagpkt_delay_params *) ioarg; +- +- if ((delay_params->rsp_ptr) && +- (delay_params->size == sizeof(delayed_rsp_id)) && +- (delay_params->num_bytes_ptr)) { +- *((uint16_t *)delay_params->rsp_ptr) = +- DIAGPKT_NEXT_DELAYED_RSP_ID(delayed_rsp_id); +- *(delay_params->num_bytes_ptr) = sizeof(delayed_rsp_id); ++ struct diagpkt_delay_params delay_params; ++ uint16_t interim_rsp_id; ++ int interim_size; ++ if (copy_from_user(&delay_params, (void *)ioarg, ++ sizeof(struct diagpkt_delay_params))) ++ return -EFAULT; ++ if ((delay_params.rsp_ptr) && ++ (delay_params.size == sizeof(delayed_rsp_id)) && ++ (delay_params.num_bytes_ptr)) { ++ interim_rsp_id = DIAGPKT_NEXT_DELAYED_RSP_ID( ++ delayed_rsp_id); ++ if (copy_to_user((void *)delay_params.rsp_ptr, ++ &interim_rsp_id, sizeof(uint16_t))) ++ return -EFAULT; ++ interim_size = sizeof(delayed_rsp_id); ++ if (copy_to_user((void *)delay_params.num_bytes_ptr, ++ &interim_size, sizeof(int))) ++ return -EFAULT; + success = 0; + } + } else if (iocmd == DIAG_IOCTL_DCI_REG) { +@@ -479,7 +553,13 @@ long diagchar_ioctl(struct file *filp, + return DIAG_DCI_NO_REG; + if (driver->num_dci_client >= MAX_DCI_CLIENTS) + return DIAG_DCI_NO_REG; +- if (copy_from_user(params, (void *)ioarg, ++ dci_params = kzalloc(sizeof(struct diag_dci_client_tbl), ++ GFP_KERNEL); ++ if (dci_params == NULL) { ++ pr_err("diag: unable to alloc memory\n"); ++ return -ENOMEM; ++ } ++ if (copy_from_user(dci_params, (void *)ioarg, + sizeof(struct diag_dci_client_tbl))) + return -EFAULT; + mutex_lock(&driver->dci_mutex); +@@ -492,9 +572,9 @@ long diagchar_ioctl(struct file *filp, + if (driver->dci_client_tbl[i].client == NULL) { + driver->dci_client_tbl[i].client = current; + driver->dci_client_tbl[i].list = +- params->list; ++ dci_params->list; + driver->dci_client_tbl[i].signal_type = +- 
params->signal_type; ++ dci_params->signal_type; + create_dci_log_mask_tbl(driver-> + dci_client_tbl[i].dci_log_mask); + create_dci_event_mask_tbl(driver-> +@@ -512,6 +592,7 @@ long diagchar_ioctl(struct file *filp, + } + } + mutex_unlock(&driver->dci_mutex); ++ kfree(dci_params); + return driver->dci_client_id; + } else if (iocmd == DIAG_IOCTL_DCI_DEINIT) { + success = -1; +@@ -536,25 +617,29 @@ long diagchar_ioctl(struct file *filp, + } else if (iocmd == DIAG_IOCTL_DCI_SUPPORT) { + if (driver->ch_dci) + support_list = support_list | DIAG_CON_MPSS; +- *(uint16_t *)ioarg = support_list; ++ if (copy_to_user((void *)ioarg, &support_list, ++ sizeof(uint16_t))) ++ return -EFAULT; + return DIAG_DCI_NO_ERROR; + } else if (iocmd == DIAG_IOCTL_DCI_HEALTH_STATS) { + if (copy_from_user(&stats, (void *)ioarg, + sizeof(struct diag_dci_health_stats))) + return -EFAULT; + for (i = 0; i < MAX_DCI_CLIENTS; i++) { +- params = &(driver->dci_client_tbl[i]); +- if (params->client && +- params->client->tgid == current->tgid) { +- stats.dropped_logs = params->dropped_logs; +- stats.dropped_events = params->dropped_events; +- stats.received_logs = params->received_logs; +- stats.received_events = params->received_events; ++ dci_params = &(driver->dci_client_tbl[i]); ++ if (dci_params->client && ++ dci_params->client->tgid == current->tgid) { ++ stats.dropped_logs = dci_params->dropped_logs; ++ stats.dropped_events = ++ dci_params->dropped_events; ++ stats.received_logs = dci_params->received_logs; ++ stats.received_events = ++ dci_params->received_events; + if (stats.reset_status) { +- params->dropped_logs = 0; +- params->dropped_events = 0; +- params->received_logs = 0; +- params->received_events = 0; ++ dci_params->dropped_logs = 0; ++ dci_params->dropped_events = 0; ++ dci_params->received_logs = 0; ++ dci_params->received_events = 0; + } + break; + } +@@ -567,7 +652,7 @@ long diagchar_ioctl(struct file *filp, + for (i = 0; i < driver->num_clients; i++) + if (driver->client_map[i].pid 
== current->tgid) + break; +- if (i == -1) ++ if (i == driver->num_clients) + return -EINVAL; + driver->data_ready[i] |= DEINIT_TYPE; + wake_up_interruptible(&driver->wait_q); +@@ -1068,7 +1153,7 @@ static int diagchar_write(struct file *file, const char __user *buf, + struct diag_send_desc_type send = { NULL, NULL, DIAG_STATE_START, 0 }; + struct diag_hdlc_dest_type enc = { NULL, NULL, 0 }; + void *buf_copy = NULL; +- int payload_size; ++ unsigned int payload_size; + #ifdef CONFIG_DIAG_OVER_USB + if (((driver->logging_mode == USB_MODE) && (!driver->usb_connected)) || + (driver->logging_mode == NO_LOGGING_MODE)) { +@@ -1079,8 +1164,17 @@ static int diagchar_write(struct file *file, const char __user *buf, + /* Get the packet type F3/log/event/Pkt response */ + err = copy_from_user((&pkt_type), buf, 4); + /* First 4 bytes indicate the type of payload - ignore these */ ++ if (count < 4) { ++ pr_err("diag: Client sending short data\n"); ++ return -EBADMSG; ++ } + payload_size = count - 4; +- ++ if (payload_size > USER_SPACE_DATA) { ++ pr_err("diag: Dropping packet, packet payload size crosses 8KB limit. Current payload size %d\n", ++ payload_size); ++ driver->dropped_count++; ++ return -EBADMSG; ++ } + if (pkt_type == DCI_DATA_TYPE) { + err = copy_from_user(driver->user_space_data, buf + 4, + payload_size); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2012-4222/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2012-4222/ANY/0001.patch new file mode 100644 index 00000000..364b4eb5 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2012-4222/ANY/0001.patch 
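Review bot: In the `@@ -1079,8 +1164,17 @@` hunk the new `count < 4` test comes after `copy_from_user((&pkt_type), buf, 4)`, so a write shorter than four bytes has already triggered a 4-byte read beyond the length the caller supplied. The `err` from that copy is also not tested anywhere in the hunk. Putting the length test first and failing on a bad copy would close both: `if (count < 4) return -EBADMSG;` followed by `if (copy_from_user(&pkt_type, buf, 4)) return -EFAULT;`. Since `payload_size` is now `unsigned int`, the `%d` in the new pr_err should be `%u`. diagchar_write continues outside the hunk.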
@@ -0,0 +1,65 @@ +From 1e76f61bb001b93795a227f8f808104b6c10b048 Mon Sep 17 00:00:00 2001 +From: Jordan Crouse +Date: Wed, 8 Aug 2012 13:24:21 -0600 +Subject: msm: kgsl: Detect and avoid malformed ioctl codes + +Because we were using _IO_NR, one could construct a malformed ioctl +code that would avoid allocating memory yet go to a function that +expected that memory. Still use _IO_NR to index the array of ioctls, +but check that the full values match before jumping to the helper +function. + +CRs-fixed: 385592 +Change-Id: Ic0dedbaded469035bd0a2bb0f20fecb2a3045ca5 +Signed-off-by: Jordan Crouse +--- + drivers/gpu/msm/kgsl.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c +index 57a0e2b..53eff77 100644 +--- a/drivers/gpu/msm/kgsl.c ++++ b/drivers/gpu/msm/kgsl.c +@@ -2176,7 +2176,7 @@ static const struct { + static long kgsl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg) + { + struct kgsl_device_private *dev_priv = filep->private_data; +- unsigned int nr = _IOC_NR(cmd); ++ unsigned int nr; + kgsl_ioctl_func_t func; + int lock, ret; + char ustack[64]; +@@ -2192,6 +2192,8 @@ static long kgsl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg) + else if (cmd == IOCTL_KGSL_CMDSTREAM_READTIMESTAMP_OLD) + cmd = IOCTL_KGSL_CMDSTREAM_READTIMESTAMP; + ++ nr = _IOC_NR(cmd); ++ + if (cmd & (IOC_IN | IOC_OUT)) { + if (_IOC_SIZE(cmd) < sizeof(ustack)) + uptr = ustack; +@@ -2216,7 +2218,20 @@ static long kgsl_ioctl(struct file *filep, unsigned int cmd, unsigned long arg) + } + + if (nr < ARRAY_SIZE(kgsl_ioctl_funcs) && +- kgsl_ioctl_funcs[nr].func != NULL) { ++ kgsl_ioctl_funcs[nr].func != NULL) { ++ ++ /* ++ * Make sure that nobody tried to send us a malformed ioctl code ++ * with a valid NR but bogus flags ++ */ ++ ++ if (kgsl_ioctl_funcs[nr].cmd != cmd) { ++ KGSL_DRV_ERR(dev_priv->device, ++ "Malformed ioctl code %08x\n", cmd); ++ ret = -ENOIOCTLCMD; ++ goto done; 
++ } ++ + func = kgsl_ioctl_funcs[nr].func; + lock = kgsl_ioctl_funcs[nr].lock; + } else { +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2012-6657/ANY/0.patch b/Patches/Linux_CVEs/CVE-2012-6657/^3.5/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2012-6657/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2012-6657/^3.5/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2012-6689/ANY/0.patch b/Patches/Linux_CVEs/CVE-2012-6689/^3.5/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2012-6689/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2012-6689/^3.5/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2012-6701/ANY/0.patch b/Patches/Linux_CVEs/CVE-2012-6701/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2012-6701/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2012-6701/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2012-6703/ANY/0.patch b/Patches/Linux_CVEs/CVE-2012-6703/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2012-6703/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2012-6703/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2012-6703/ANY/2.patch b/Patches/Linux_CVEs/CVE-2012-6703/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2012-6703/ANY/2.patch rename to Patches/Linux_CVEs/CVE-2012-6703/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2012-6703/ANY/1.patch b/Patches/Linux_CVEs/CVE-2012-6703/ANY/1.patch deleted file mode 100644 index a93bedec..00000000 --- a/Patches/Linux_CVEs/CVE-2012-6703/ANY/1.patch +++ /dev/null 
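Review bot: The new `kgsl_ioctl_funcs[nr].cmd != cmd` comparison in the `@@ -2216,7 +2218,20 @@` hunk runs only after the `cmd & (IOC_IN | IOC_OUT)` block shown in the previous hunk has already chosen the argument buffer from `_IOC_SIZE(cmd)`. A code that is about to be rejected therefore still drives that size-based setup, and the rejection depends on the `done` label (outside the hunk) undoing it. Doing the comparison directly after `nr = _IOC_NR(cmd);` would reject the code before any buffer work: `if (nr < ARRAY_SIZE(kgsl_ioctl_funcs) && kgsl_ioctl_funcs[nr].func != NULL && kgsl_ioctl_funcs[nr].cmd != cmd) return -ENOIOCTLCMD;`. The added comment would also be clearer if it said the full code, including the size and direction bits, must match the table entry.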
@@ -1,31 +0,0 @@ -From 81ce573830e9d5531531b3ec778c58e6b9167bcd Mon Sep 17 00:00:00 2001 -From: Dan Carpenter -Date: Wed, 5 Sep 2012 15:32:18 +0300 -Subject: [PATCH] ALSA: compress_core: integer overflow in - snd_compr_allocate_buffer() - -These are 32 bit values that come from the user, we need to check for -integer overflows or we could end up allocating a smaller buffer than -expected. - -Signed-off-by: Dan Carpenter -Signed-off-by: Takashi Iwai ---- - sound/core/compress_offload.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c -index eb60cb8dbb8a6..68fe02c7400a2 100644 ---- a/sound/core/compress_offload.c -+++ b/sound/core/compress_offload.c -@@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream, - unsigned int buffer_size; - void *buffer; - -+ if (params->buffer.fragment_size == 0 || -+ params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size) -+ return -EINVAL; -+ - buffer_size = params->buffer.fragment_size * params->buffer.fragments; - if (stream->ops->copy) { - buffer = NULL; diff --git a/Patches/Linux_CVEs/CVE-2012-6704/ANY/0.patch b/Patches/Linux_CVEs/CVE-2012-6704/^3.5/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2012-6704/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2012-6704/^3.5/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2013-2015/3.4/0.patch b/Patches/Linux_CVEs/CVE-2013-2015/^3.8/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2013-2015/3.4/0.patch rename to Patches/Linux_CVEs/CVE-2013-2015/^3.8/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2013-2596/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-2596/ANY/0001.patch new file mode 100644 index 00000000..78f882fa --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2013-2596/ANY/0001.patch 
@@ -0,0 +1,52 @@ +From 24b51892b863ad23a9fcb2a28a45e5cc15c2f3b5 Mon Sep 17 00:00:00 2001 +From: Manoj Rao +Date: Tue, 16 Apr 2013 17:42:38 -0700 +Subject: mdss: mdss_fb: remove mmio access through mmap + +Disable access to mm io and add +appropriate range checks to ensure valid accesses +through framebuffer mmap. This prevents illegal +access into memory. + +Change-Id: Ic6e47ec726d330d48ce9a7a708418492a553543b +CRs-Fixed: 474706 +Signed-off-by: Manoj Rao +--- + drivers/video/msm/mdss/mdss_fb.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +diff --git a/drivers/video/msm/mdss/mdss_fb.c b/drivers/video/msm/mdss/mdss_fb.c +index e2d8cf6..f42df2a 100644 +--- a/drivers/video/msm/mdss/mdss_fb.c ++++ b/drivers/video/msm/mdss/mdss_fb.c +@@ -669,22 +669,16 @@ static int mdss_fb_mmap(struct fb_info *info, struct vm_area_struct *vma) + } + + mdss_fb_pan_idle(mfd); +- if (off >= len) { +- /* memory mapped io */ +- off -= len; +- if (info->var.accel_flags) { +- mutex_unlock(&info->lock); +- return -EINVAL; +- } +- start = info->fix.mmio_start; +- len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.mmio_len); +- } + + /* Set VM flags. */ + start &= PAGE_MASK; +- if ((vma->vm_end - vma->vm_start + off) > len) ++ if ((vma->vm_end <= vma->vm_start) || ++ (off >= len) || ++ ((vma->vm_end - vma->vm_start) > (len - off))) + return -EINVAL; + off += start; ++ if (off < start) ++ return -EINVAL; + vma->vm_pgoff = off >> PAGE_SHIFT; + /* This is an IO map - tell maydump to skip this VMA */ + vma->vm_flags |= VM_IO | VM_RESERVED; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2013-2596/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2013-2596/ANY/0002.patch new file mode 100644 index 00000000..6e74acaa --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2013-2596/ANY/0002.patch 
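Review bot: The new range check in mdss_fb_mmap is placed after `mdss_fb_pan_idle(mfd)`, so a mapping request that will be refused with -EINVAL still goes through the pan-idle call first. The 0003 variant of this fix for msm_fb_mmap moves `msm_fb_pan_idle(mfd)` below the checks, and this hunk should be ordered the same way. The `/* Set VM flags. */` comment now sits above bounds validation rather than flag setup. A comment such as `/* Reject empty, out-of-range or wrapping mappings before touching the VMA. */` above the new `if` would describe what the lines do. The function starts outside the hunk.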
@@ -0,0 +1,64 @@ +From 7e9785f78415d32e0b17b1d296a172b66e0d2ab7 Mon Sep 17 00:00:00 2001 +From: Manoj Rao +Date: Fri, 12 Apr 2013 18:37:14 -0700 +Subject: msm: msm_fb: remove mmio access through mmap + +Disable access to mm io and add +appropriate range checks to ensure valid accesses +through framebuffer mmap. This prevents illegal +access into memory. + +CRs-Fixed: 474706 +Change-Id: If25166f2732433ef967e99c716440030b567aae9 +Signed-off-by: Manoj Rao +(cherry picked from commit b571bef36cf51f9bb4cd1ad3ba23e3cee6d1d3cb) + +Conflicts: + + drivers/video/msm/msm_fb.c + +Signed-off-by: Raviteja +--- + drivers/video/msm/msm_fb.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/drivers/video/msm/msm_fb.c b/drivers/video/msm/msm_fb.c +index 7d11fa9..2b626a0 100644 +--- a/drivers/video/msm/msm_fb.c ++++ b/drivers/video/msm/msm_fb.c +@@ -1004,22 +1004,20 @@ static int msm_fb_mmap(struct fb_info *info, struct vm_area_struct * vma) + u32 len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.smem_len); + unsigned long off = vma->vm_pgoff << PAGE_SHIFT; + struct msm_fb_data_type *mfd = (struct msm_fb_data_type *)info->par; +- if (off >= len) { +- /* memory mapped io */ +- off -= len; +- if (info->var.accel_flags) { +- mutex_unlock(&info->lock); +- return -EINVAL; +- } +- start = info->fix.mmio_start; +- len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.mmio_len); +- } + ++ if (!start) ++ return -EINVAL; ++ ++ if ((vma->vm_end <= vma->vm_start) || ++ (off >= len) || ++ ((vma->vm_end - vma->vm_start) > (len - off))) ++ return -EINVAL; + /* Set VM flags. */ + start &= PAGE_MASK; +- if ((vma->vm_end - vma->vm_start + off) > len) +- return -EINVAL; + off += start; ++ if (off < start) ++ return -EINVAL; ++ + vma->vm_pgoff = off >> PAGE_SHIFT; + /* This is an IO map - tell maydump to skip this VMA */ + vma->vm_flags |= VM_IO | VM_RESERVED; +-- +cgit v1.1 + 
diff --git a/Patches/Linux_CVEs/CVE-2013-2596/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2013-2596/ANY/0003.patch new file mode 100644 index 00000000..bb97f67c --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2013-2596/ANY/0003.patch @@ -0,0 +1,56 @@ +From cdde1a87792a52274763eb006d326ca254ec3c63 Mon Sep 17 00:00:00 2001 +From: Manoj Rao +Date: Fri, 12 Apr 2013 18:37:14 -0700 +Subject: msm: msm_fb: remove mmio access through mmap + +Disable access to mm io and add +appropriate range checks to ensure valid accesses +through framebuffer mmap. This prevents illegal +access into memory. + +CRs-Fixed: 474706 +Change-Id: If25166f2732433ef967e99c716440030b567aae9 +Signed-off-by: Manoj Rao +--- + drivers/video/msm/msm_fb.c | 21 ++++++++------------- + 1 file changed, 8 insertions(+), 13 deletions(-) + +diff --git a/drivers/video/msm/msm_fb.c b/drivers/video/msm/msm_fb.c +index adf50ed..9efe766 100644 +--- a/drivers/video/msm/msm_fb.c ++++ b/drivers/video/msm/msm_fb.c +@@ -1166,23 +1166,18 @@ static int msm_fb_mmap(struct fb_info *info, struct vm_area_struct * vma) + if (!start) + return -EINVAL; + +- msm_fb_pan_idle(mfd); +- if (off >= len) { +- /* memory mapped io */ +- off -= len; +- if (info->var.accel_flags) { +- mutex_unlock(&info->lock); +- return -EINVAL; +- } +- start = info->fix.mmio_start; +- len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.mmio_len); +- } ++ if ((vma->vm_end <= vma->vm_start) || ++ (off >= len) || ++ ((vma->vm_end - vma->vm_start) > (len - off))) ++ return -EINVAL; + ++ msm_fb_pan_idle(mfd); + /* Set VM flags. */ + start &= PAGE_MASK; +- if ((vma->vm_end - vma->vm_start + off) > len) +- return -EINVAL; + off += start; ++ if (off < start) ++ return -EINVAL; ++ + vma->vm_pgoff = off >> PAGE_SHIFT; + /* This is an IO map - tell maydump to skip this VMA */ + vma->vm_flags |= VM_IO | VM_RESERVED; +-- +cgit v1.1 + 
diff --git a/Patches/Linux_CVEs/CVE-2013-2597/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-2597/ANY/0001.patch new file mode 100644 index 00000000..be377d7f --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2013-2597/ANY/0001.patch @@ -0,0 +1,32 @@ +From b44d5f71da7d2c44a7575376c582f9f1cde1cf6d Mon Sep 17 00:00:00 2001 +From: Ben Romberger +Date: Wed, 3 Apr 2013 16:20:18 -0700 +Subject: ASoC: msm: Add size safety check to ACDB driver + +Check that the size sent by userspace is not larger +then the internal amount allowed. This protects +against overflowing the stack due to an invalid size. + +Change-Id: I4a5b5ca5212bea32b671027d68a66367c5d4c4e7 +CRs-fixed: 470222 +Signed-off-by: Ben Romberger +--- + sound/soc/msm/qdsp6v2/audio_acdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/msm/qdsp6v2/audio_acdb.c b/sound/soc/msm/qdsp6v2/audio_acdb.c +index 16d6e81c..b2a469b 100644 +--- a/sound/soc/msm/qdsp6v2/audio_acdb.c ++++ b/sound/soc/msm/qdsp6v2/audio_acdb.c +@@ -1064,7 +1064,7 @@ static long acdb_ioctl(struct file *f, + goto done; + } + +- if (size <= 0) { ++ if ((size <= 0) || (size > sizeof(data))) { + pr_err("%s: Invalid size sent to driver: %d\n", + __func__, size); + result = -EFAULT; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2013-2597/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2013-2597/ANY/0002.patch new file mode 100644 index 00000000..2262a201 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2013-2597/ANY/0002.patch 
@@ -0,0 +1,32 @@ +From 76fb3e419e2b149292c3adf1e9171e2b542831bf Mon Sep 17 00:00:00 2001 +From: Ben Romberger +Date: Wed, 8 May 2013 12:46:26 -0700 +Subject: msm: audio: qdsp6v2: Add size safety check to ACDB driver + +Check that the size sent by userspace is not larger +then the internal amount allowed. This protects +against overflowing the stack due to an invalid size. + +Change-Id: I8230fdb00a7b57d398929e8ab0eb6587476f3db1 +CRs-fixed: 470222 +Signed-off-by: Ben Romberger +--- + arch/arm/mach-msm/qdsp6v2/audio_acdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-msm/qdsp6v2/audio_acdb.c b/arch/arm/mach-msm/qdsp6v2/audio_acdb.c +index 8efd808..aad14be 100644 +--- a/arch/arm/mach-msm/qdsp6v2/audio_acdb.c ++++ b/arch/arm/mach-msm/qdsp6v2/audio_acdb.c +@@ -770,7 +770,7 @@ static long acdb_ioctl(struct file *f, + goto done; + } + +- if (size <= 0) { ++ if ((size <= 0) || (size > sizeof(data))) { + pr_err("%s: Invalid size sent to driver: %d\n", + __func__, size); + result = -EFAULT; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2013-4312/3.2/0.patch b/Patches/Linux_CVEs/CVE-2013-4312/3.2/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2013-4312/3.2/0.patch rename to Patches/Linux_CVEs/CVE-2013-4312/3.2/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2013-4312/3.2/1.patch b/Patches/Linux_CVEs/CVE-2013-4312/3.2/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2013-4312/3.2/1.patch rename to Patches/Linux_CVEs/CVE-2013-4312/3.2/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2013-4312/4.5/2.patch b/Patches/Linux_CVEs/CVE-2013-4312/4.5/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2013-4312/4.5/2.patch rename to Patches/Linux_CVEs/CVE-2013-4312/4.5/0003.patch 
diff --git a/Patches/Linux_CVEs/CVE-2013-4312/4.5/3.patch b/Patches/Linux_CVEs/CVE-2013-4312/4.5/0004.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2013-4312/4.5/3.patch
rename to Patches/Linux_CVEs/CVE-2013-4312/4.5/0004.patch
diff --git a/Patches/Linux_CVEs/CVE-2013-4736/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2013-4736/ANY/0002.patch
new file mode 100644
index 00000000..f89cffbd
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2013-4736/ANY/0002.patch
@@ -0,0 +1,125 @@ +From 8c5300aec8cd9882b89e9d169680221541da0d7f Mon Sep 17 00:00:00 2001 +From: Monika Alekhya +Date: Fri, 28 Jun 2013 18:23:40 +0530 +Subject: msm:camera: Fix overflow issue in ioctl_hw_cmds function + + 'len' is of type signed int 32bit,but the assigned value + may exceed maximum unsigned int32 range.Add overflow check + and graceful exit if 'm'exceeds UINT32_MAX value. + +Change-Id: I38f0d10a0cb44d08d0054f91044fc891c246ebd1 +CRs-Fixed: 493314 +Signed-off-by: Monika Alekhya +--- + drivers/media/video/msm/gemini/msm_gemini_sync.c | 9 ++++++++- + drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c | 10 ++++++++-- + drivers/media/video/msm/mercury/msm_mercury_sync.c | 10 ++++++++-- + 3 files changed, 24 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/video/msm/gemini/msm_gemini_sync.c b/drivers/media/video/msm/gemini/msm_gemini_sync.c +index ef727fd..f5089ae 100644 +--- a/drivers/media/video/msm/gemini/msm_gemini_sync.c ++++ b/drivers/media/video/msm/gemini/msm_gemini_sync.c +@@ -23,6 +23,7 @@ + #include + #include + ++# define UINT32_MAX (4294967295U) + static int release_buf; + + /* size is based on 4k page size */ +@@ -804,7 +805,7 @@ int msm_gemini_ioctl_hw_cmds(struct msm_gemini_device *pgmn_dev, + void * __user arg) + { + int is_copy_to_user; +- int len; ++ uint32_t len; + uint32_t m; + struct msm_gemini_hw_cmds *hw_cmds_p; + struct msm_gemini_hw_cmd *hw_cmd_p; +@@ -813,6 +814,12 @@ int msm_gemini_ioctl_hw_cmds(struct msm_gemini_device *pgmn_dev, + GMN_PR_ERR("%s:%d] failed\n", __func__, __LINE__); + return -EFAULT; + } ++ if ((m == 0) || (m > ((UINT32_MAX-sizeof(struct msm_gemini_hw_cmds))/ ++ sizeof(struct msm_gemini_hw_cmd)))) { ++ GMN_PR_ERR("%s:%d] outof range of hwcmds\n", ++ __func__, __LINE__); ++ return -EINVAL; ++ } + + len = sizeof(struct msm_gemini_hw_cmds) + + sizeof(struct msm_gemini_hw_cmd) * (m - 1); +diff --git a/drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c b/drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c +index 
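Review bot: The new bound on `m` in msm_gemini_ioctl_hw_cmds only guarantees that `len` does not wrap. Any count up to roughly `UINT32_MAX / sizeof(struct msm_gemini_hw_cmd)` still passes, so user space keeps control of an allocation size close to 4 GiB (the `kmalloc(len, GFP_KERNEL)` is visible in the jpeg_10 and mercury hunks of this patch, which share the issue). A driver-level cap on commands per ioctl, as a named constant chosen by the driver owners, would be a tighter check than the arithmetic limit. `UINT32_MAX` is also defined separately in each of the three .c files; a single definition guarded by `#ifndef UINT32_MAX` in a shared header would avoid redefinition clashes. The function continues outside the hunk.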
6ac4a5e..4a81fa6 100644 +--- a/drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c ++++ b/drivers/media/video/msm/jpeg_10/msm_jpeg_sync.c +@@ -22,6 +22,7 @@ + #include "msm_jpeg_platform.h" + #include "msm_jpeg_common.h" + ++#define UINT32_MAX (4294967295U) + static int release_buf; + + inline void msm_jpeg_q_init(char const *name, struct msm_jpeg_q *q_p) +@@ -631,7 +632,7 @@ int msm_jpeg_ioctl_hw_cmds(struct msm_jpeg_device *pgmn_dev, + void * __user arg) + { + int is_copy_to_user; +- int len; ++ uint32_t len; + uint32_t m; + struct msm_jpeg_hw_cmds *hw_cmds_p; + struct msm_jpeg_hw_cmd *hw_cmd_p; +@@ -640,7 +641,12 @@ int msm_jpeg_ioctl_hw_cmds(struct msm_jpeg_device *pgmn_dev, + JPEG_PR_ERR("%s:%d] failed\n", __func__, __LINE__); + return -EFAULT; + } +- ++ if ((m == 0) || (m > ((UINT32_MAX-sizeof(struct msm_jpeg_hw_cmds))/ ++ sizeof(struct msm_jpeg_hw_cmd)))) { ++ JPEG_PR_ERR("%s:%d] outof range of hwcmds\n", ++ __func__, __LINE__); ++ return -EINVAL; ++ } + len = sizeof(struct msm_jpeg_hw_cmds) + + sizeof(struct msm_jpeg_hw_cmd) * (m - 1); + hw_cmds_p = kmalloc(len, GFP_KERNEL); +diff --git a/drivers/media/video/msm/mercury/msm_mercury_sync.c b/drivers/media/video/msm/mercury/msm_mercury_sync.c +index 9293aad..fe74a0a 100644 +--- a/drivers/media/video/msm/mercury/msm_mercury_sync.c ++++ b/drivers/media/video/msm/mercury/msm_mercury_sync.c +@@ -24,6 +24,7 @@ + #include "msm_mercury_macros.h" + #include "msm_mercury_hw_reg.h" + ++#define UINT32_MAX (4294967295U) + static struct msm_mercury_core_buf out_buf_local; + static struct msm_mercury_core_buf in_buf_local; + +@@ -470,7 +471,7 @@ int msm_mercury_ioctl_hw_cmds(struct msm_mercury_device *pmercury_dev, + void * __user arg) + { + int is_copy_to_user; +- int len; ++ uint32_t len; + uint32_t m; + struct msm_mercury_hw_cmds *hw_cmds_p; + struct msm_mercury_hw_cmd *hw_cmd_p; +@@ -479,7 +480,12 @@ int msm_mercury_ioctl_hw_cmds(struct msm_mercury_device *pmercury_dev, + MCR_PR_ERR("%s:%d] failed\n", __func__, __LINE__); 
+ return -EFAULT; + } +- ++ if ((m == 0) || (m > ((UINT32_MAX-sizeof(struct msm_mercury_hw_cmds))/ ++ sizeof(struct msm_mercury_hw_cmd)))) { ++ MCR_PR_ERR("%s:%d] outof range of hwcmds\n", ++ __func__, __LINE__); ++ return -EINVAL; ++ } + len = sizeof(struct msm_mercury_hw_cmds) + + sizeof(struct msm_mercury_hw_cmd) * (m - 1); + hw_cmds_p = kmalloc(len, GFP_KERNEL); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2013-4736/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2013-4736/ANY/0003.patch new file mode 100644 index 00000000..362d13b0 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2013-4736/ANY/0003.patch 
@@ -0,0 +1,101 @@ +From 81947189009afcfac17d1106101260c660421265 Mon Sep 17 00:00:00 2001 +From: Monika Alekhya +Date: Tue, 11 Jun 2013 19:32:27 +0530 +Subject: msm:camera: Fix signedness issue in hw_exec_cmds + + In hw_exec_cmds()second argument m_cmds should be + of type unsigned interger + +Change-Id: Idad2eb1a59481f3fe9f90221ff2061e8dae57013 +CRs-Fixed: 493314 +Signed-off-by: Monika Alekhya +--- + drivers/media/video/msm/gemini/msm_gemini_hw.c | 2 +- + drivers/media/video/msm/gemini/msm_gemini_hw.h | 2 +- + drivers/media/video/msm/jpeg_10/msm_jpeg_hw.c | 2 +- + drivers/media/video/msm/jpeg_10/msm_jpeg_hw.h | 2 +- + drivers/media/video/msm/mercury/msm_mercury_hw.c | 2 +- + drivers/media/video/msm/mercury/msm_mercury_hw.h | 2 +- + 6 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/video/msm/gemini/msm_gemini_hw.c b/drivers/media/video/msm/gemini/msm_gemini_hw.c +index 116edcf..99b76be 100644 +--- a/drivers/media/video/msm/gemini/msm_gemini_hw.c ++++ b/drivers/media/video/msm/gemini/msm_gemini_hw.c +@@ -432,7 +432,7 @@ void msm_gemini_hw_delay(struct msm_gemini_hw_cmd *hw_cmd_p, int m_us) + } + } + +-int msm_gemini_hw_exec_cmds(struct msm_gemini_hw_cmd *hw_cmd_p, int m_cmds) ++int msm_gemini_hw_exec_cmds(struct msm_gemini_hw_cmd *hw_cmd_p, uint32_t m_cmds) + { + int is_copy_to_user = -1; + uint32_t data; +diff --git a/drivers/media/video/msm/gemini/msm_gemini_hw.h b/drivers/media/video/msm/gemini/msm_gemini_hw.h +index 0abd4c4..23d31ef 100644 +--- a/drivers/media/video/msm/gemini/msm_gemini_hw.h ++++ b/drivers/media/video/msm/gemini/msm_gemini_hw.h +@@ -94,7 +94,7 @@ uint32_t msm_gemini_hw_read(struct msm_gemini_hw_cmd *hw_cmd_p); + void msm_gemini_hw_write(struct msm_gemini_hw_cmd *hw_cmd_p); + int msm_gemini_hw_wait(struct msm_gemini_hw_cmd *hw_cmd_p, int m_us); + void msm_gemini_hw_delay(struct msm_gemini_hw_cmd *hw_cmd_p, int m_us); +-int msm_gemini_hw_exec_cmds(struct msm_gemini_hw_cmd *hw_cmd_p, int m_cmds); ++int 
msm_gemini_hw_exec_cmds(struct msm_gemini_hw_cmd *hw_cmd_p, uint32_t m_cmds); + void msm_gemini_hw_region_dump(int size); + void msm_gemini_io_dump(int size); + +diff --git a/drivers/media/video/msm/jpeg_10/msm_jpeg_hw.c b/drivers/media/video/msm/jpeg_10/msm_jpeg_hw.c +index 0bfb6a8..d92caab 100644 +--- a/drivers/media/video/msm/jpeg_10/msm_jpeg_hw.c ++++ b/drivers/media/video/msm/jpeg_10/msm_jpeg_hw.c +@@ -295,7 +295,7 @@ void msm_jpeg_hw_delay(struct msm_jpeg_hw_cmd *hw_cmd_p, int m_us) + } + } + +-int msm_jpeg_hw_exec_cmds(struct msm_jpeg_hw_cmd *hw_cmd_p, int m_cmds) ++int msm_jpeg_hw_exec_cmds(struct msm_jpeg_hw_cmd *hw_cmd_p, uint32_t m_cmds) + { + int is_copy_to_user = -1; + uint32_t data; +diff --git a/drivers/media/video/msm/jpeg_10/msm_jpeg_hw.h b/drivers/media/video/msm/jpeg_10/msm_jpeg_hw.h +index 73a0e27..5545115 100644 +--- a/drivers/media/video/msm/jpeg_10/msm_jpeg_hw.h ++++ b/drivers/media/video/msm/jpeg_10/msm_jpeg_hw.h +@@ -94,7 +94,7 @@ uint32_t msm_jpeg_hw_read(struct msm_jpeg_hw_cmd *hw_cmd_p); + void msm_jpeg_hw_write(struct msm_jpeg_hw_cmd *hw_cmd_p); + int msm_jpeg_hw_wait(struct msm_jpeg_hw_cmd *hw_cmd_p, int m_us); + void msm_jpeg_hw_delay(struct msm_jpeg_hw_cmd *hw_cmd_p, int m_us); +-int msm_jpeg_hw_exec_cmds(struct msm_jpeg_hw_cmd *hw_cmd_p, int m_cmds); ++int msm_jpeg_hw_exec_cmds(struct msm_jpeg_hw_cmd *hw_cmd_p, uint32_t m_cmds); + void msm_jpeg_hw_region_dump(int size); + void msm_jpeg_io_dump(int size); + +diff --git a/drivers/media/video/msm/mercury/msm_mercury_hw.c b/drivers/media/video/msm/mercury/msm_mercury_hw.c +index 244c038..a940dd6 100644 +--- a/drivers/media/video/msm/mercury/msm_mercury_hw.c ++++ b/drivers/media/video/msm/mercury/msm_mercury_hw.c +@@ -263,7 +263,7 @@ void msm_mercury_hw_delay(struct msm_mercury_hw_cmd *hw_cmd_p, int m_us) + } + } + +-int msm_mercury_hw_exec_cmds(struct msm_mercury_hw_cmd *hw_cmd_p, int m_cmds) ++int msm_mercury_hw_exec_cmds(struct msm_mercury_hw_cmd *hw_cmd_p, uint32_t m_cmds) + { + int 
is_copy_to_user = -1; + uint32_t data; +diff --git a/drivers/media/video/msm/mercury/msm_mercury_hw.h b/drivers/media/video/msm/mercury/msm_mercury_hw.h +index 54fc818..f69d8ba 100644 +--- a/drivers/media/video/msm/mercury/msm_mercury_hw.h ++++ b/drivers/media/video/msm/mercury/msm_mercury_hw.h +@@ -55,7 +55,7 @@ uint32_t msm_mercury_hw_read(struct msm_mercury_hw_cmd *hw_cmd_p); + void msm_mercury_hw_write(struct msm_mercury_hw_cmd *hw_cmd_p); + int msm_mercury_hw_wait(struct msm_mercury_hw_cmd *hw_cmd_p, int m_us); + void msm_mercury_hw_delay(struct msm_mercury_hw_cmd *hw_cmd_p, int m_us); +-int msm_mercury_hw_exec_cmds(struct msm_mercury_hw_cmd *hw_cmd_p, int m_cmds); ++int msm_mercury_hw_exec_cmds(struct msm_mercury_hw_cmd *hw_cmd_p, uint32_t m_cmds); + void msm_mercury_hw_region_dump(int size); + + +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2013-4737/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-4737/ANY/0001.patch new file mode 100644 index 00000000..4b680b63 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2013-4737/ANY/0001.patch 
@@ -0,0 +1,150 @@ +From 4256415b296348ff16cd17a5b8f8dce4dea37328 Mon Sep 17 00:00:00 2001 +From: Larry Bassel +Date: Mon, 29 Jul 2013 13:43:17 -0700 +Subject: msm: Make CONFIG_STRICT_MEMORY_RWX even stricter + +If CONFIG_STRICT_MEMORY_RWX was set, the first section (containing +the kernel page table and the initial code) and the section +containing the init code were both given RWX permission, which is +a potential security hole. + +Pad the first section after the initial code (which will never +be executed when the MMU is on) to make the rest of the kernel +text start in the second section and make the first section RW. + +Move some data which had ended up in the "init text" +section into the "init data" one, as this is RW, not RX. +Make the "init text" RX. + +We will not free the section containing the "init text", +because if we do, the kernel will allocate memory for RW data there. + +Change-Id: I6ca5f4e07342c374246f04a3fee18042fd47c33b +CRs-fixed: 513919 +Signed-off-by: Larry Bassel +--- + arch/arm/kernel/vmlinux.lds.S | 12 +++++++----- + arch/arm/mm/init.c | 9 +++++++++ + arch/arm/mm/mmu.c | 15 +++++++-------- + 3 files changed, 23 insertions(+), 13 deletions(-) + +diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S +index ae59e5a..0bf55ae 100644 +--- a/arch/arm/kernel/vmlinux.lds.S ++++ b/arch/arm/kernel/vmlinux.lds.S +@@ -93,6 +93,9 @@ SECTIONS + _text = .; + HEAD_TEXT + } ++#ifdef CONFIG_STRICT_MEMORY_RWX ++ . = ALIGN(1< +Date: Fri, 9 Aug 2013 11:21:50 -0700 +Subject: msm: camera: Bound check length for Dequeue stream buff info + +Bound check the length param from user space given to +copy_from_user function to avoid any invalid memory access. 
+ +Change-Id: I926509a5fffd49cfc0130d182f246fbb9335b60e +CRs-Fixed: 519124 +Signed-off-by: Hariram Purushothaman +--- + drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c b/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c +index d302131..3aaff78 100644 +--- a/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c ++++ b/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c +@@ -1323,6 +1323,11 @@ static long msm_vpe_subdev_ioctl(struct v4l2_subdev *sd, + struct msm_vpe_buff_queue_info_t *buff_queue_info; + + VPE_DBG("VIDIOC_MSM_VPE_DEQUEUE_STREAM_BUFF_INFO\n"); ++ if (ioctl_ptr->len != sizeof(uint32_t)) { ++ pr_err("%s:%d Invalid len\n", __func__, __LINE__); ++ mutex_unlock(&vpe_dev->mutex); ++ return -EINVAL; ++ } + + rc = (copy_from_user(&identity, + (void __user *)ioctl_ptr->ioctl_ptr, +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2013-4738/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2013-4738/ANY/0002.patch new file mode 100644 index 00000000..239a2fce --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2013-4738/ANY/0002.patch 
@@ -0,0 +1,33 @@ +From 28385b9c3054c91dca1aa194ffa750550c50f3ce Mon Sep 17 00:00:00 2001 +From: Seemanta Dutta +Date: Fri, 26 Jul 2013 13:39:05 -0700 +Subject: msm: camera: Add lower and upper bounds check in msm_cpp.c ioctl() + +Add a check for upper and lower bounds in msm_cpp_subdev_ioctl() for +command code VIDIOC_MSM_CPP_DEQUEUE_STREAM_BUFF_INFO. + +CRs-fixed: 518731 +Change-Id: I72996e13b7370a3b49f645297c52a118775b2b12 +Signed-off-by: Seemanta Dutta +--- + drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c +index 822c0c8..8c8570d 100644 +--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c ++++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c +@@ -1536,6 +1536,10 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd, + uint32_t identity; + struct msm_cpp_buff_queue_info_t *buff_queue_info; + ++ if ((ioctl_ptr->len == 0) || ++ (ioctl_ptr->len > sizeof(uint32_t))) ++ return -EINVAL; ++ + rc = (copy_from_user(&identity, + (void __user *)ioctl_ptr->ioctl_ptr, + ioctl_ptr->len) ? -EFAULT : 0); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2013-4739/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-4739/ANY/0001.patch new file mode 100644 index 00000000..66d65e80 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2013-4739/ANY/0001.patch 
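Review bot: The added check in msm_cpp_subdev_ioctl accepts any `ioctl_ptr->len` from 1 to 4, but the `copy_from_user(&identity, ..., ioctl_ptr->len)` that follows fills only part of the uninitialised `uint32_t identity` when len is 1 to 3. The remaining bytes are whatever was on the stack, and the value is used afterwards. The VPE fix for the same command requires an exact match, and this one should too: `if (ioctl_ptr->len != sizeof(uint32_t)) return -EINVAL;`. The VPE version also releases `vpe_dev->mutex` before returning; if the CPP device mutex is held at this point (not visible in the hunk), this early return needs the matching unlock. The function continues outside the hunk.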
@@ -0,0 +1,50 @@
+From 8604847927f952cc8e773b97eca24e1060a570f2 Mon Sep 17 00:00:00 2001
+From: Seemanta Dutta
+Date: Thu, 25 Jul 2013 18:01:32 -0700
+Subject: msm: camera: Fix uninitialized memory returned to userspace
+
+Local structures have not been initialized to all zeroes, so fix
+this by setting them to all zeroes to prevent uninitialized memory
+being copied to userspace.
+
+CRs-fixed: 518478
+Change-Id: I6e76355c3f854514def1bd18dcc5c3ef6db38f16
+Signed-off-by: Seemanta Dutta
+---
+ drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c | 3 ++-
+ drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c b/drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c
+index 9293aad..e6483c1 100644
+--- a/drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c
++++ b/drivers/media/platform/msm/camera_v1/mercury/msm_mercury_sync.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2012, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2012-2013, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -196,6 +196,7 @@ int msm_mercury_evt_get(struct msm_mercury_device *pmercury_dev,
+ int rc = 0;
+
+ MCR_DBG("(%d)%s() Enter\n", __LINE__, __func__);
++ memset(&ctrl_cmd, 0, sizeof(ctrl_cmd));
+ ctrl_cmd.type = (uint32_t)msm_mercury_q_wait(&pmercury_dev->evt_q);
+
+ rc = copy_to_user(arg, &ctrl_cmd, sizeof(ctrl_cmd));
+diff --git a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c
+index aa6f034..debbf03 100644
+--- a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c
++++ b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c
+@@ -221,6 +221,7 @@ int msm_jpeg_evt_get(struct msm_jpeg_device *pgmn_dev,
+ return -EAGAIN;
+ }
+
++ memset(&ctrl_cmd, 0, sizeof(ctrl_cmd));
+ ctrl_cmd.type = buf_p->vbuf.type;
+ kfree(buf_p);
+
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2013-4740/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-4740/ANY/0001.patch
new file mode 100644
index 00000000..39e3ca4e
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2013-4739/ANY/0001.patch
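Review bot: Both added `memset(&ctrl_cmd, 0, sizeof(ctrl_cmd))` calls deserve a one-line comment saying why memset is used, because a later cleanup could swap them for a `= {0}` initialiser, which need not clear padding bytes before the struct is copied out. Something like `/* memset, not an initialiser: padding must be zeroed before copy_to_user() */` above each call would do. In msm_jpeg_evt_get() the copy to user space is outside the hunk, so that the whole struct is copied out there is taken from the commit message rather than from visible code.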
@@ -0,0 +1,300 @@
+From f53bcf29a6e7a66b3d935b8d562fa00829261f05 Mon Sep 17 00:00:00 2001
+From: Bingzhe Cai
+Date: Tue, 24 Sep 2013 01:42:12 +0800
+Subject: input: touchpanel: fix security issues in GT915 driver
+
+There are multiple buffer overflow and input validation issues
+in Goodix gt915 driver, fix these issues by adding data length
+check and change file system node mode.
+
+CRs-Fixed: 526101
+Change-Id: I5173fc1ca021fd45c939c7c8a4f460651330de5b
+Signed-off-by: Bingzhe Cai
+---
+ drivers/input/touchscreen/gt9xx/goodix_tool.c | 110 +++++++++++++++++++-------
+ 1 file changed, 83 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/input/touchscreen/gt9xx/goodix_tool.c b/drivers/input/touchscreen/gt9xx/goodix_tool.c
+index bdac3fd..aa8159f 100644
+--- a/drivers/input/touchscreen/gt9xx/goodix_tool.c
++++ b/drivers/input/touchscreen/gt9xx/goodix_tool.c
+@@ -22,6 +22,7 @@
+ */
+
+ #include "gt9xx.h"
++#include
+
+ #define DATA_LENGTH_UINT 512
+ #define CMD_HEAD_LENGTH (sizeof(st_cmd_head) - sizeof(u8 *))
+@@ -53,6 +54,8 @@ static struct i2c_client *gt_client;
+
+ static struct proc_dir_entry *goodix_proc_entry;
+
++static struct mutex lock;
++
+ static s32 goodix_tool_write(struct file *filp, const char __user *buff,
+ unsigned long len, void *data);
+ static s32 goodix_tool_read(char *page, char **start, off_t off, int count,
+@@ -188,7 +191,7 @@ static void unregister_i2c_func(void)
+
+ s32 init_wr_node(struct i2c_client *client)
+ {
+- s32 i;
++ u8 i;
+
+ gt_client = client;
+ memset(&cmd_head, 0, sizeof(cmd_head));
+@@ -202,8 +205,8 @@ s32 init_wr_node(struct i2c_client *client)
+ i--;
+ }
+ if (i) {
+- DATA_LENGTH = i * DATA_LENGTH_UINT + GTP_ADDR_LENGTH;
+- GTP_INFO("Applied memory size:%d.", DATA_LENGTH);
++ DATA_LENGTH = i * DATA_LENGTH_UINT;
++ dev_dbg(&client->dev, "Applied memory size:%d.", DATA_LENGTH);
+ } else {
+ GTP_ERROR("Apply for memory failed.");
+ return FAIL;
+@@ -214,8 +217,9 @@ s32 init_wr_node(struct i2c_client *client)
+
+ register_i2c_func();
+
++ mutex_init(&lock);
+ tool_set_proc_name(procname);
+- goodix_proc_entry = create_proc_entry(procname, 0666, NULL);
++ goodix_proc_entry = create_proc_entry(procname, 0660, NULL);
+ if (goodix_proc_entry == NULL) {
+ GTP_ERROR("Couldn't create proc entry!");
+ return FAIL;
+@@ -334,9 +338,13 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff,
+ GTP_DEBUG_FUNC();
+ GTP_DEBUG_ARRAY((u8 *)buff, len);
+
++ mutex_lock(&lock);
+ ret = copy_from_user(&cmd_head, buff, CMD_HEAD_LENGTH);
+- if (ret)
++ if (ret) {
+ GTP_ERROR("copy_from_user failed.");
++ ret = -EACCES;
++ goto exit;
++ }
+
+ GTP_DEBUG("wr :0x%02x.", cmd_head.wr);
+ GTP_DEBUG("flag:0x%02x.", cmd_head.flag);
+@@ -354,6 +362,19 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff,
+ GTP_DEBUG("len:%d.", (s32)len);
+ GTP_DEBUG("buf[20]:0x%02x.", buff[CMD_HEAD_LENGTH]);
+
++ if (cmd_head.data_len > (DATA_LENGTH - GTP_ADDR_LENGTH)) {
++ pr_err("data len %d > data buff %d, rejected!\n",
++ cmd_head.data_len, (DATA_LENGTH - GTP_ADDR_LENGTH));
++ ret = -EINVAL;
++ goto exit;
++ }
++ if (cmd_head.addr_len > GTP_ADDR_LENGTH) {
++ pr_err(" addr len %d > data buff %d, rejected!\n",
++ cmd_head.addr_len, GTP_ADDR_LENGTH);
++ ret = -EINVAL;
++ goto exit;
++ }
++
+ if (cmd_head.wr == 1) {
+ /* copy_from_user(&cmd_head.data[cmd_head.addr_len],
+ &buff[CMD_HEAD_LENGTH], cmd_head.data_len); */
+@@ -373,7 +394,8 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff,
+ if (cmd_head.flag == 1) {
+ if (FAIL == comfirm()) {
+ GTP_ERROR("[WRITE]Comfirm fail!");
+- return FAIL;
++ ret = -EINVAL;
++ goto exit;
+ }
+ } else if (cmd_head.flag == 2) {
+ /* Need interrupt! */
+@@ -382,7 +404,8 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff,
+ &cmd_head.data[GTP_ADDR_LENGTH - cmd_head.addr_len],
+ cmd_head.data_len + cmd_head.addr_len) <= 0) {
+ GTP_ERROR("[WRITE]Write data failed!");
+- return FAIL;
++ ret = -EIO;
++ goto exit;
+ }
+
+ GTP_DEBUG_ARRAY(
+@@ -391,7 +414,8 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff,
+ if (cmd_head.delay)
+ msleep(cmd_head.delay);
+
+- return cmd_head.data_len + CMD_HEAD_LENGTH;
++ ret = cmd_head.data_len + CMD_HEAD_LENGTH;
++ goto exit;
+ } else if (cmd_head.wr == 3) { /* Write ic type */
+
+ ret = copy_from_user(&cmd_head.data[0], &buff[CMD_HEAD_LENGTH],
+@@ -399,30 +423,40 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff,
+ if (ret)
+ GTP_ERROR("copy_from_user failed.");
+
++ if (cmd_head.data_len > sizeof(IC_TYPE)) {
++ pr_err("<<-GTP->> data len %d > data buff %d, rejected!\n",
++ cmd_head.data_len, sizeof(IC_TYPE));
++ ret = -EINVAL;
++ goto exit;
++ }
+ memcpy(IC_TYPE, cmd_head.data, cmd_head.data_len);
+
+ register_i2c_func();
+
+- return cmd_head.data_len + CMD_HEAD_LENGTH;
+- } else if (cmd_head.wr == 3) {
++ ret = cmd_head.data_len + CMD_HEAD_LENGTH;
++ goto exit;
++ } else if (cmd_head.wr == 5) {
+
+ /* memcpy(IC_TYPE, cmd_head.data, cmd_head.data_len); */
+
+- return cmd_head.data_len + CMD_HEAD_LENGTH;
++ ret = cmd_head.data_len + CMD_HEAD_LENGTH;
++ goto exit;
+ } else if (cmd_head.wr == 7) { /* disable irq! */
+ gtp_irq_disable(i2c_get_clientdata(gt_client));
+
+ #if GTP_ESD_PROTECT
+ gtp_esd_switch(gt_client, SWITCH_OFF);
+ #endif
+- return CMD_HEAD_LENGTH;
++ ret = CMD_HEAD_LENGTH;
++ goto exit;
+ } else if (cmd_head.wr == 9) { /* enable irq! */
+ gtp_irq_enable(i2c_get_clientdata(gt_client));
+
+ #if GTP_ESD_PROTECT
+ gtp_esd_switch(gt_client, SWITCH_ON);
+ #endif
+- return CMD_HEAD_LENGTH;
++ ret = CMD_HEAD_LENGTH;
++ goto exit;
+ } else if (cmd_head.wr == 17) {
+ struct goodix_ts_data *ts = i2c_get_clientdata(gt_client);
+ ret = copy_from_user(&cmd_head.data[GTP_ADDR_LENGTH],
+@@ -436,27 +470,41 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff,
+ ts->gtp_rawdiff_mode = false;
+ GTP_DEBUG("gtp leave rawdiff.");
+ }
+- return CMD_HEAD_LENGTH;
++ ret = CMD_HEAD_LENGTH;
++ goto exit;
+ }
+ #ifdef UPDATE_FUNCTIONS
+ else if (cmd_head.wr == 11) { /* Enter update mode! */
+- if (FAIL == gup_enter_update_mode(gt_client))
+- return FAIL;
++ if (FAIL == gup_enter_update_mode(gt_client)) {
++ ret = -EBUSY;
++ goto exit;
++ }
+ } else if (cmd_head.wr == 13) { /* Leave update mode! */
+ gup_leave_update_mode();
+ } else if (cmd_head.wr == 15) { /* Update firmware! */
+ show_len = 0;
+ total_len = 0;
++ if (cmd_head.data_len + 1 > DATA_LENGTH) {
++ pr_err("<<-GTP->> data len %d > data buff %d, rejected!\n",
++ cmd_head.data_len + 1, DATA_LENGTH);
++ ret = -EINVAL;
++ goto exit;
++ }
+ memset(cmd_head.data, 0, cmd_head.data_len + 1);
+ memcpy(cmd_head.data, &buff[CMD_HEAD_LENGTH],
+ cmd_head.data_len);
+
+- if (FAIL == gup_update_proc((void *)cmd_head.data))
+- return FAIL;
++ if (FAIL == gup_update_proc((void *)cmd_head.data)) {
++ ret = -EBUSY;
++ goto exit;
++ }
+ }
+ #endif
++ ret = CMD_HEAD_LENGTH;
+
+- return CMD_HEAD_LENGTH;
++exit:
++ mutex_unlock(&lock);
++ return ret;
+ }
+
+ /*******************************************************
+@@ -470,10 +518,14 @@ Output:
+ static s32 goodix_tool_read(char *page, char **start, off_t off, int count,
+ int *eof, void *data)
+ {
++ s32 ret;
+ GTP_DEBUG_FUNC();
+
++ mutex_lock(&lock);
+ if (cmd_head.wr % 2) {
+- return FAIL;
++ pr_err("<< [READ]command head wrong\n");
++ ret = -EINVAL;
++ goto exit;
+ } else if (!cmd_head.wr) {
+ u16 len = 0;
+ s16 data_len = 0;
+@@ -482,7 +534,8 @@ static s32 goodix_tool_read(char *page, char **start, off_t off, int count,
+ if (cmd_head.flag == 1) {
+ if (FAIL == comfirm()) {
+ GTP_ERROR("[READ]Comfirm fail!");
+- return FAIL;
++ ret = -EINVAL;
++ goto exit;
+ }
+ } else if (cmd_head.flag == 2) {
+ /* Need interrupt! */
+@@ -505,11 +558,12 @@ static s32 goodix_tool_read(char *page, char **start, off_t off, int count,
+ else
+ len = data_len;
+
+- data_len -= DATA_LENGTH;
++ data_len -= len;
+
+ if (tool_i2c_read(cmd_head.data, len) <= 0) {
+ GTP_ERROR("[READ]Read data failed!");
+- return FAIL;
++ ret = -EINVAL;
++ goto exit;
+ }
+ memcpy(&page[loc], &cmd_head.data[GTP_ADDR_LENGTH],
+ len);
+@@ -525,15 +579,14 @@ static s32 goodix_tool_read(char *page, char **start, off_t off, int count,
+
+ GTP_DEBUG("Return ic type:%s len:%d.", page,
+ (s32)cmd_head.data_len);
+- return cmd_head.data_len;
++ ret = cmd_head.data_len;
++ goto exit;
+ /* return sizeof(IC_TYPE_NAME); */
+ } else if (cmd_head.wr == 4) {
+ page[0] = show_len >> 8;
+ page[1] = show_len & 0xff;
+ page[2] = total_len >> 8;
+ page[3] = total_len & 0xff;
+-
+- return cmd_head.data_len;
+ } else if (6 == cmd_head.wr) {
+ /* Read error code! */
+ } else if (8 == cmd_head.wr) { /*Read driver version */
+@@ -544,6 +597,9 @@ static s32 goodix_tool_read(char *page, char **start, off_t off, int count,
+ memcpy(page, GTP_DRIVER_VERSION, tmp_len);
+ page[tmp_len] = 0;
+ }
++ ret = cmd_head.data_len;
+
+- return cmd_head.data_len;
++exit:
++ mutex_unlock(&lock);
++ return ret;
+ }
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2013-6122/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-6122/ANY/0001.patch
new file mode 100644
index 00000000..39e3ca4e
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2013-6122/ANY/0001.patch
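Review bot: In the `cmd_head.wr == 15` branch of goodix_tool_write() the new length check is followed by `memcpy(cmd_head.data, &buff[CMD_HEAD_LENGTH], cmd_head.data_len)`, which still reads the `__user` pointer `buff` directly instead of going through `copy_from_user()`; the debug line `GTP_DEBUG("buf[20]:0x%02x.", buff[CMD_HEAD_LENGTH])` does the same. The copy should be `if (copy_from_user(cmd_head.data, &buff[CMD_HEAD_LENGTH], cmd_head.data_len)) { ret = -EFAULT; goto exit; }`, and the header copy at the top would more conventionally fail with `-EFAULT` than `-EACCES`. None of the new checks compares `cmd_head.data_len` with the `len` argument, so a header can still claim more payload than the caller actually wrote. The same patch file is added again under CVE-2013-6122 and the point applies there too.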
@@ -0,0 +1,300 @@
+From f53bcf29a6e7a66b3d935b8d562fa00829261f05 Mon Sep 17 00:00:00 2001
+From: Bingzhe Cai
+Date: Tue, 24 Sep 2013 01:42:12 +0800
+Subject: input: touchpanel: fix security issues in GT915 driver
+
+There are multiple buffer overflow and input validation issues
+in Goodix gt915 driver, fix these issues by adding data length
+check and change file system node mode.
+
+CRs-Fixed: 526101
+Change-Id: I5173fc1ca021fd45c939c7c8a4f460651330de5b
+Signed-off-by: Bingzhe Cai
+---
+ drivers/input/touchscreen/gt9xx/goodix_tool.c | 110 +++++++++++++++++++-------
+ 1 file changed, 83 insertions(+), 27 deletions(-)
+
+diff --git a/drivers/input/touchscreen/gt9xx/goodix_tool.c b/drivers/input/touchscreen/gt9xx/goodix_tool.c
+index bdac3fd..aa8159f 100644
+--- a/drivers/input/touchscreen/gt9xx/goodix_tool.c
++++ b/drivers/input/touchscreen/gt9xx/goodix_tool.c
+@@ -22,6 +22,7 @@
+ */
+
+ #include "gt9xx.h"
++#include
+
+ #define DATA_LENGTH_UINT 512
+ #define CMD_HEAD_LENGTH (sizeof(st_cmd_head) - sizeof(u8 *))
+@@ -53,6 +54,8 @@ static struct i2c_client *gt_client;
+
+ static struct proc_dir_entry *goodix_proc_entry;
+
++static struct mutex lock;
++
+ static s32 goodix_tool_write(struct file *filp, const char __user *buff,
+ unsigned long len, void *data);
+ static s32 goodix_tool_read(char *page, char **start, off_t off, int count,
+@@ -188,7 +191,7 @@ static void unregister_i2c_func(void)
+
+ s32 init_wr_node(struct i2c_client *client)
+ {
+- s32 i;
++ u8 i;
+
+ gt_client = client;
+ memset(&cmd_head, 0, sizeof(cmd_head));
+@@ -202,8 +205,8 @@ s32 init_wr_node(struct i2c_client *client)
+ i--;
+ }
+ if (i) {
+- DATA_LENGTH = i * DATA_LENGTH_UINT + GTP_ADDR_LENGTH;
+- GTP_INFO("Applied memory size:%d.", DATA_LENGTH);
++ DATA_LENGTH = i * DATA_LENGTH_UINT;
++ dev_dbg(&client->dev, "Applied memory size:%d.", DATA_LENGTH);
+ } else {
+ GTP_ERROR("Apply for memory failed.");
+ return FAIL;
+@@ -214,8 +217,9 @@ s32 init_wr_node(struct i2c_client *client)
+
+ register_i2c_func();
+
++ mutex_init(&lock);
+ tool_set_proc_name(procname);
+- goodix_proc_entry = create_proc_entry(procname, 0666, NULL);
++ goodix_proc_entry = create_proc_entry(procname, 0660, NULL);
+ if (goodix_proc_entry == NULL) {
+ GTP_ERROR("Couldn't create proc entry!");
+ return FAIL;
+@@ -334,9 +338,13 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff,
+ GTP_DEBUG_FUNC();
+ GTP_DEBUG_ARRAY((u8 *)buff, len);
+
++ mutex_lock(&lock);
+ ret = copy_from_user(&cmd_head, buff, CMD_HEAD_LENGTH);
+- if (ret)
++ if (ret) {
+ GTP_ERROR("copy_from_user failed.");
++ ret = -EACCES;
++ goto exit;
++ }
+
+ GTP_DEBUG("wr :0x%02x.", cmd_head.wr);
+ GTP_DEBUG("flag:0x%02x.", cmd_head.flag);
+@@ -354,6 +362,19 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff,
+ GTP_DEBUG("len:%d.", (s32)len);
+ GTP_DEBUG("buf[20]:0x%02x.", buff[CMD_HEAD_LENGTH]);
+
++ if (cmd_head.data_len > (DATA_LENGTH - GTP_ADDR_LENGTH)) {
++ pr_err("data len %d > data buff %d, rejected!\n",
++ cmd_head.data_len, (DATA_LENGTH - GTP_ADDR_LENGTH));
++ ret = -EINVAL;
++ goto exit;
++ }
++ if (cmd_head.addr_len > GTP_ADDR_LENGTH) {
++ pr_err(" addr len %d > data buff %d, rejected!\n",
++ cmd_head.addr_len, GTP_ADDR_LENGTH);
++ ret = -EINVAL;
++ goto exit;
++ }
++
+ if (cmd_head.wr == 1) {
+ /* copy_from_user(&cmd_head.data[cmd_head.addr_len],
+ &buff[CMD_HEAD_LENGTH], cmd_head.data_len); */
+@@ -373,7 +394,8 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff,
+ if (cmd_head.flag == 1) {
+ if (FAIL == comfirm()) {
+ GTP_ERROR("[WRITE]Comfirm fail!");
+- return FAIL;
++ ret = -EINVAL;
++ goto exit;
+ }
+ } else if (cmd_head.flag == 2) {
+ /* Need interrupt! */
+@@ -382,7 +404,8 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff,
+ &cmd_head.data[GTP_ADDR_LENGTH - cmd_head.addr_len],
+ cmd_head.data_len + cmd_head.addr_len) <= 0) {
+ GTP_ERROR("[WRITE]Write data failed!");
+- return FAIL;
++ ret = -EIO;
++ goto exit;
+ }
+
+ GTP_DEBUG_ARRAY(
+@@ -391,7 +414,8 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff,
+ if (cmd_head.delay)
+ msleep(cmd_head.delay);
+
+- return cmd_head.data_len + CMD_HEAD_LENGTH;
++ ret = cmd_head.data_len + CMD_HEAD_LENGTH;
++ goto exit;
+ } else if (cmd_head.wr == 3) { /* Write ic type */
+
+ ret = copy_from_user(&cmd_head.data[0], &buff[CMD_HEAD_LENGTH],
+@@ -399,30 +423,40 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff,
+ if (ret)
+ GTP_ERROR("copy_from_user failed.");
+
++ if (cmd_head.data_len > sizeof(IC_TYPE)) {
++ pr_err("<<-GTP->> data len %d > data buff %d, rejected!\n",
++ cmd_head.data_len, sizeof(IC_TYPE));
++ ret = -EINVAL;
++ goto exit;
++ }
+ memcpy(IC_TYPE, cmd_head.data, cmd_head.data_len);
+
+ register_i2c_func();
+
+- return cmd_head.data_len + CMD_HEAD_LENGTH;
+- } else if (cmd_head.wr == 3) {
++ ret = cmd_head.data_len + CMD_HEAD_LENGTH;
++ goto exit;
++ } else if (cmd_head.wr == 5) {
+
+ /* memcpy(IC_TYPE, cmd_head.data, cmd_head.data_len); */
+
+- return cmd_head.data_len + CMD_HEAD_LENGTH;
++ ret = cmd_head.data_len + CMD_HEAD_LENGTH;
++ goto exit;
+ } else if (cmd_head.wr == 7) { /* disable irq! */
+ gtp_irq_disable(i2c_get_clientdata(gt_client));
+
+ #if GTP_ESD_PROTECT
+ gtp_esd_switch(gt_client, SWITCH_OFF);
+ #endif
+- return CMD_HEAD_LENGTH;
++ ret = CMD_HEAD_LENGTH;
++ goto exit;
+ } else if (cmd_head.wr == 9) { /* enable irq! */
+ gtp_irq_enable(i2c_get_clientdata(gt_client));
+
+ #if GTP_ESD_PROTECT
+ gtp_esd_switch(gt_client, SWITCH_ON);
+ #endif
+- return CMD_HEAD_LENGTH;
++ ret = CMD_HEAD_LENGTH;
++ goto exit;
+ } else if (cmd_head.wr == 17) {
+ struct goodix_ts_data *ts = i2c_get_clientdata(gt_client);
+ ret = copy_from_user(&cmd_head.data[GTP_ADDR_LENGTH],
+@@ -436,27 +470,41 @@ static s32 goodix_tool_write(struct file *filp, const char __user *buff,
+ ts->gtp_rawdiff_mode = false;
+ GTP_DEBUG("gtp leave rawdiff.");
+ }
+- return CMD_HEAD_LENGTH;
++ ret = CMD_HEAD_LENGTH;
++ goto exit;
+ }
+ #ifdef UPDATE_FUNCTIONS
+ else if (cmd_head.wr == 11) { /* Enter update mode! */
+- if (FAIL == gup_enter_update_mode(gt_client))
+- return FAIL;
++ if (FAIL == gup_enter_update_mode(gt_client)) {
++ ret = -EBUSY;
++ goto exit;
++ }
+ } else if (cmd_head.wr == 13) { /* Leave update mode! */
+ gup_leave_update_mode();
+ } else if (cmd_head.wr == 15) { /* Update firmware! */
+ show_len = 0;
+ total_len = 0;
++ if (cmd_head.data_len + 1 > DATA_LENGTH) {
++ pr_err("<<-GTP->> data len %d > data buff %d, rejected!\n",
++ cmd_head.data_len + 1, DATA_LENGTH);
++ ret = -EINVAL;
++ goto exit;
++ }
+ memset(cmd_head.data, 0, cmd_head.data_len + 1);
+ memcpy(cmd_head.data, &buff[CMD_HEAD_LENGTH],
+ cmd_head.data_len);
+
+- if (FAIL == gup_update_proc((void *)cmd_head.data))
+- return FAIL;
++ if (FAIL == gup_update_proc((void *)cmd_head.data)) {
++ ret = -EBUSY;
++ goto exit;
++ }
+ }
+ #endif
++ ret = CMD_HEAD_LENGTH;
+
+- return CMD_HEAD_LENGTH;
++exit:
++ mutex_unlock(&lock);
++ return ret;
+ }
+
+ /*******************************************************
+@@ -470,10 +518,14 @@ Output:
+ static s32 goodix_tool_read(char *page, char **start, off_t off, int count,
+ int *eof, void *data)
+ {
++ s32 ret;
+ GTP_DEBUG_FUNC();
+
++ mutex_lock(&lock);
+ if (cmd_head.wr % 2) {
+- return FAIL;
++ pr_err("<< [READ]command head wrong\n");
++ ret = -EINVAL;
++ goto exit;
+ } else if (!cmd_head.wr) {
+ u16 len = 0;
+ s16 data_len = 0;
+@@ -482,7 +534,8 @@ static s32 goodix_tool_read(char *page, char **start, off_t off, int count,
+ if (cmd_head.flag == 1) {
+ if (FAIL == comfirm()) {
+ GTP_ERROR("[READ]Comfirm fail!");
+- return FAIL;
++ ret = -EINVAL;
++ goto exit;
+ }
+ } else if (cmd_head.flag == 2) {
+ /* Need interrupt! */
+@@ -505,11 +558,12 @@ static s32 goodix_tool_read(char *page, char **start, off_t off, int count,
+ else
+ len = data_len;
+
+- data_len -= DATA_LENGTH;
++ data_len -= len;
+
+ if (tool_i2c_read(cmd_head.data, len) <= 0) {
+ GTP_ERROR("[READ]Read data failed!");
+- return FAIL;
++ ret = -EINVAL;
++ goto exit;
+ }
+ memcpy(&page[loc], &cmd_head.data[GTP_ADDR_LENGTH],
+ len);
+@@ -525,15 +579,14 @@ static s32 goodix_tool_read(char *page, char **start, off_t off, int count,
+
+ GTP_DEBUG("Return ic type:%s len:%d.", page,
+ (s32)cmd_head.data_len);
+- return cmd_head.data_len;
++ ret = cmd_head.data_len;
++ goto exit;
+ /* return sizeof(IC_TYPE_NAME); */
+ } else if (cmd_head.wr == 4) {
+ page[0] = show_len >> 8;
+ page[1] = show_len & 0xff;
+ page[2] = total_len >> 8;
+ page[3] = total_len & 0xff;
+-
+- return cmd_head.data_len;
+ } else if (6 == cmd_head.wr) {
+ /* Read error code! */
+ } else if (8 == cmd_head.wr) { /*Read driver version */
+@@ -544,6 +597,9 @@ static s32 goodix_tool_read(char *page, char **start, off_t off, int count,
+ memcpy(page, GTP_DRIVER_VERSION, tmp_len);
+ page[tmp_len] = 0;
+ }
++ ret = cmd_head.data_len;
+
+- return cmd_head.data_len;
++exit:
++ mutex_unlock(&lock);
++ return ret;
+ }
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2013-6123/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-6123/ANY/0001.patch
new file mode 100644
index 00000000..fde5826b
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2013-6123/ANY/0001.patch
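Review bot: In the `cmd_head.wr == 3` branch of goodix_tool_write() the result of `copy_from_user()` is only logged and then overwritten, so a failed copy still reaches `memcpy(IC_TYPE, cmd_head.data, cmd_head.data_len)` with whatever the buffer held before; `if (ret) { ret = -EFAULT; goto exit; }` would stop that, and the `wr == 17` copy visible in the context lines should be checked the same way. The two new `pr_err()` calls that print `sizeof(IC_TYPE)` use `%d` for a `size_t` argument and should use `%zu`. This file carries the same blob id (39e3ca4e) as CVE-2013-4740/ANY/0001.patch, so a tree that applies both directories will see the patch twice; a note that the two CVEs share one fix would save the next person the investigation.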
@@ -0,0 +1,39 @@
+From 7beb04ea945a7178e61d935918d3cb152996b558 Mon Sep 17 00:00:00 2001
+From: Alok Kediya
+Date: Mon, 9 Dec 2013 10:52:49 +0530
+Subject: msm: camera: Added bounds check for index parameter
+
+Bound check the index param from user space to avoid
+any invalid memory access.
+
+CRs-Fixed: 583366
+
+Change-Id: I0f887bb8f1fa5a69a55e23dbb522b3bb694ad27f
+Signed-off-by: Alok Kediya
+---
+ drivers/media/video/msm/server/msm_cam_server.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/media/video/msm/server/msm_cam_server.c b/drivers/media/video/msm/server/msm_cam_server.c
+index 5fc8e83..6e49082 100644
+--- a/drivers/media/video/msm/server/msm_cam_server.c
++++ b/drivers/media/video/msm/server/msm_cam_server.c
+@@ -1390,6 +1390,15 @@ static long msm_ioctl_server(struct file *file, void *fh,
+ }
+
+ mutex_lock(&g_server_dev.server_queue_lock);
++
++ if(u_isp_event.isp_data.ctrl.queue_idx < 0 ||
++ u_isp_event.isp_data.ctrl.queue_idx >= MAX_NUM_ACTIVE_CAMERA) {
++ pr_err("%s: Invalid index %d\n", __func__,
++ u_isp_event.isp_data.ctrl.queue_idx);
++ rc = -EINVAL;
++ return rc;
++ }
++
+ if (!g_server_dev.server_queue
+ [u_isp_event.isp_data.ctrl.queue_idx].queue_active) {
+ pr_err("%s: Invalid queue\n", __func__);
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2013-6123/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2013-6123/ANY/0002.patch
new file mode 100644
index 00000000..eb0b7ef1
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2013-6123/ANY/0002.patch
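Review bot: The added range check in msm_ioctl_server() sits after `mutex_lock(&g_server_dev.server_queue_lock)` and leaves through `return rc;` without releasing it, so a single out-of-range `queue_idx` leaves the lock held and every later caller that takes it will block. Either move the check above the `mutex_lock()` call or add `mutex_unlock(&g_server_dev.server_queue_lock);` before `rc = -EINVAL;`. How the existing "Invalid queue" path just below releases the lock is outside the hunk and is the pattern to mirror. The condition is also written `if(` without the space kernel style expects.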
@@ -0,0 +1,67 @@
+From 60e4af06161d91d5aeaa04c7d6e9f4345a6acdd4 Mon Sep 17 00:00:00 2001
+From: Alok Kediya
+Date: Thu, 10 Oct 2013 12:11:01 +0530
+Subject: msm:camera: Bounds and validity check for params
+
+Check the range and validity of parameters before accessing.
+
+CRs-fixed: 550607, 554434, 554436
+
+Change-Id: I2d6aec4f9cb9385789c0df6a2c4abefe9e87539f
+Signed-off-by: Alok Kediya
+---
+ drivers/media/video/msm/server/msm_cam_server.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/media/video/msm/server/msm_cam_server.c b/drivers/media/video/msm/server/msm_cam_server.c
+index 4bda7a3..5fc8e83 100644
+--- a/drivers/media/video/msm/server/msm_cam_server.c
++++ b/drivers/media/video/msm/server/msm_cam_server.c
+@@ -311,6 +311,13 @@ static int msm_ctrl_cmd_done(void *arg)
+ goto ctrl_cmd_done_error;
+ }
+
++ if(command->queue_idx < 0 ||
++ command->queue_idx >= MAX_NUM_ACTIVE_CAMERA) {
++ pr_err("%s: Invalid value OR index %d\n", __func__,
++ command->queue_idx);
++ goto ctrl_cmd_done_error;
++ }
++
+ if (!g_server_dev.server_queue[command->queue_idx].queue_active) {
+ pr_err("%s: Invalid queue\n", __func__);
+ goto ctrl_cmd_done_error;
+@@ -339,7 +346,8 @@ static int msm_ctrl_cmd_done(void *arg)
+ max_control_command_size);
+ goto ctrl_cmd_done_error;
+ }
+- if (copy_from_user(command->value, uptr, command->length)) {
++ if (copy_from_user(command->value, (void __user *)uptr,
++ command->length)) {
+ pr_err("%s: copy_from_user failed, size=%d\n",
+ __func__, sizeof(struct msm_ctrl_cmd));
+ goto ctrl_cmd_done_error;
+@@ -2650,13 +2658,17 @@ int msm_server_send_ctrl(struct msm_ctrl_cmd *out,
+ struct msm_queue_cmd *event_qcmd;
+ struct msm_ctrl_cmd *ctrlcmd;
+ struct msm_cam_server_dev *server_dev = &g_server_dev;
+- struct msm_device_queue *queue =
+- &server_dev->server_queue[out->queue_idx].ctrl_q;
+-
++ struct msm_device_queue *queue;
+ struct v4l2_event v4l2_evt;
+ struct msm_isp_event_ctrl *isp_event;
+ void *ctrlcmd_data;
+
++ if(out->queue_idx < 0 || out->queue_idx >= MAX_NUM_ACTIVE_CAMERA) {
++ pr_err("%s: Invalid index %d\n", __func__, out->queue_idx);
++ return -EINVAL;
++ }
++ queue = &server_dev->server_queue[out->queue_idx].ctrl_q;
++
+ event_qcmd = kzalloc(sizeof(struct msm_queue_cmd), GFP_KERNEL);
+ if (!event_qcmd) {
+ pr_err("%s Insufficient memory. return", __func__);
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2013-6282/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-6282/ANY/0001.patch
new file mode 100644
index 00000000..62f1b88a
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2013-6282/ANY/0001.patch
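Review bot: The `queue_idx` range test is open-coded in both msm_ctrl_cmd_done() and msm_server_send_ctrl(), each with a different message, and the sibling 0001.patch adds a third copy in msm_ioctl_server(); a small static helper taking the index would keep the three in step. Both new conditions are written `if(` without the space that kernel style and checkpatch expect, i.e. `if (command->queue_idx < 0 ||` and `if (out->queue_idx < 0 || ...`. If `queue_idx` is declared unsigned, which the hunks do not show, the `< 0` half is dead code and may draw a compiler warning. In msm_ctrl_cmd_done() the new error path is a bare `goto ctrl_cmd_done_error` with no visible assignment to the return code, so it should be confirmed that the label reports failure to the caller.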
@@ -0,0 +1,253 @@
+From 76565e3d786bed66f247c682bd9f591098522483 Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Fri, 7 Sep 2012 18:22:28 +0100
+Subject: ARM: 7527/1: uaccess: explicitly check __user pointer when
+ !CPU_USE_DOMAINS
+
+The {get,put}_user macros don't perform range checking on the provided
+__user address when !CPU_HAS_DOMAINS.
+
+This patch reworks the out-of-line assembly accessors to check the user
+address against a specified limit, returning -EFAULT if is is out of
+range.
+
+[will: changed get_user register allocation to match put_user]
+[rmk: fixed building on older ARM architectures]
+
+CRs-Fixed: 504011
+Change-Id: I3818045a136fcdf72deb1371b132e090fd7ed643
+Reported-by: Catalin Marinas
+Signed-off-by: Will Deacon
+Cc: stable@vger.kernel.org
+Signed-off-by: Russell King
+Git-commit: 8404663f81d212918ff85f493649a7991209fa04
+Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
+Signed-off-by: Laura Abbott
+---
+ arch/arm/include/asm/assembler.h | 8 ++++++++
+ arch/arm/include/asm/uaccess.h | 40 +++++++++++++++++++++++++++-------------
+ arch/arm/lib/getuser.S | 23 +++++++++++++++--------
+ arch/arm/lib/putuser.S | 6 ++++++
+ 4 files changed, 56 insertions(+), 21 deletions(-)
+
+diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h
+index 03fb936..5c8b3bf4 100644
+--- a/arch/arm/include/asm/assembler.h
++++ b/arch/arm/include/asm/assembler.h
+@@ -320,4 +320,12 @@
+ .size \name , . - \name
+ .endm
+
++ .macro check_uaccess, addr:req, size:req, limit:req, tmp:req, bad:req
++#ifndef CONFIG_CPU_USE_DOMAINS
++ adds \tmp, \addr, #\size - 1
++ sbcccs \tmp, \tmp, \limit
++ bcs \bad
++#endif
++ .endm
++
+ #endif /* __ASM_ASSEMBLER_H__ */
+diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
+index 71f6536..0a070e9 100644
+--- a/arch/arm/include/asm/uaccess.h
++++ b/arch/arm/include/asm/uaccess.h
+@@ -101,28 +101,39 @@ extern int __get_user_1(void *);
+ extern int __get_user_2(void *);
+ extern int __get_user_4(void *);
+
+-#define __get_user_x(__r2,__p,__e,__s,__i...) \
++#define __GUP_CLOBBER_1 "lr", "cc"
++#ifdef CONFIG_CPU_USE_DOMAINS
++#define __GUP_CLOBBER_2 "ip", "lr", "cc"
++#else
++#define __GUP_CLOBBER_2 "lr", "cc"
++#endif
++#define __GUP_CLOBBER_4 "lr", "cc"
++
++#define __get_user_x(__r2,__p,__e,__l,__s) \
+ __asm__ __volatile__ ( \
+ __asmeq("%0", "r0") __asmeq("%1", "r2") \
++ __asmeq("%3", "r1") \
+ "bl __get_user_" #__s \
+ : "=&r" (__e), "=r" (__r2) \
+- : "0" (__p) \
+- : __i, "cc")
++ : "0" (__p), "r" (__l) \
++ : __GUP_CLOBBER_##__s)
+
+ #define get_user(x,p) \
+ ({ \
++ unsigned long __limit = current_thread_info()->addr_limit - 1; \
+ register const typeof(*(p)) __user *__p asm("r0") = (p);\
+ register unsigned long __r2 asm("r2"); \
++ register unsigned long __l asm("r1") = __limit; \
+ register int __e asm("r0"); \
+ switch (sizeof(*(__p))) { \
+ case 1: \
+- __get_user_x(__r2, __p, __e, 1, "lr"); \
+- break; \
++ __get_user_x(__r2, __p, __e, __l, 1); \
++ break; \
+ case 2: \
+- __get_user_x(__r2, __p, __e, 2, "r3", "lr"); \
++ __get_user_x(__r2, __p, __e, __l, 2); \
+ break; \
+ case 4: \
+- __get_user_x(__r2, __p, __e, 4, "lr"); \
++ __get_user_x(__r2, __p, __e, __l, 4); \
+ break; \
+ default: __e = __get_user_bad(); break; \
+ } \
+@@ -135,31 +146,34 @@ extern int __put_user_2(void *, unsigned int);
+ extern int __put_user_4(void *, unsigned int);
+ extern int __put_user_8(void *, unsigned long long);
+
+-#define __put_user_x(__r2,__p,__e,__s) \
++#define __put_user_x(__r2,__p,__e,__l,__s) \
+ __asm__ __volatile__ ( \
+ __asmeq("%0", "r0") __asmeq("%2", "r2") \
++ __asmeq("%3", "r1") \
+ "bl __put_user_" #__s \
+ : "=&r" (__e) \
+- : "0" (__p), "r" (__r2) \
++ : "0" (__p), "r" (__r2), "r" (__l) \
+ : "ip", "lr", "cc")
+
+ #define put_user(x,p) \
+ ({ \
++ unsigned long __limit = current_thread_info()->addr_limit - 1; \
+ register const typeof(*(p)) __r2 asm("r2") = (x); \
+ register const typeof(*(p)) __user *__p asm("r0") = (p);\
++ register unsigned long __l asm("r1") = __limit; \
+ register int __e asm("r0"); \
+ switch (sizeof(*(__p))) { \
+ case 1: \
+- __put_user_x(__r2, __p, __e, 1); \
++ __put_user_x(__r2, __p, __e, __l, 1); \
+ break; \
+ case 2: \
+- __put_user_x(__r2, __p, __e, 2); \
++ __put_user_x(__r2, __p, __e, __l, 2); \
+ break; \
+ case 4: \
+- __put_user_x(__r2, __p, __e, 4); \
++ __put_user_x(__r2, __p, __e, __l, 4); \
+ break; \
+ case 8: \
+- __put_user_x(__r2, __p, __e, 8); \
++ __put_user_x(__r2, __p, __e, __l, 8); \
+ break; \
+ default: __e = __put_user_bad(); break; \
+ } \
+diff --git a/arch/arm/lib/getuser.S b/arch/arm/lib/getuser.S
+index 11093a7..9b06bb4 100644
+--- a/arch/arm/lib/getuser.S
++++ b/arch/arm/lib/getuser.S
+@@ -16,8 +16,9 @@
+ * __get_user_X
+ *
+ * Inputs: r0 contains the address
++ * r1 contains the address limit, which must be preserved
+ * Outputs: r0 is the error code
+- * r2, r3 contains the zero-extended value
++ * r2 contains the zero-extended value
+ * lr corrupted
+ *
+ * No other registers must be altered. (see
+@@ -27,33 +28,39 @@
+ * Note also that it is intended that __get_user_bad is not global.
+ */
+ #include
++#include
+ #include
+ #include
+
+ ENTRY(__get_user_1)
++ check_uaccess r0, 1, r1, r2, __get_user_bad
+ 1: TUSER(ldrb) r2, [r0]
+ mov r0, #0
+ mov pc, lr
+ ENDPROC(__get_user_1)
+
+ ENTRY(__get_user_2)
+-#ifdef CONFIG_THUMB2_KERNEL
+-2: TUSER(ldrb) r2, [r0]
+-3: TUSER(ldrb) r3, [r0, #1]
++ check_uaccess r0, 2, r1, r2, __get_user_bad
++#ifdef CONFIG_CPU_USE_DOMAINS
++rb .req ip
++2: ldrbt r2, [r0], #1
++3: ldrbt rb, [r0], #0
+ #else
+-2: TUSER(ldrb) r2, [r0], #1
+-3: TUSER(ldrb) r3, [r0]
++rb .req r0
++2: ldrb r2, [r0]
++3: ldrb rb, [r0, #1]
+ #endif
+ #ifndef __ARMEB__
+- orr r2, r2, r3, lsl #8
++ orr r2, r2, rb, lsl #8
+ #else
+- orr r2, r3, r2, lsl #8
++ orr r2, rb, r2, lsl #8
+ #endif
+ mov r0, #0
+ mov pc, lr
+ ENDPROC(__get_user_2)
+
+ ENTRY(__get_user_4)
++ check_uaccess r0, 4, r1, r2, __get_user_bad
+ 4: TUSER(ldr) r2, [r0]
+ mov r0, #0
+ mov pc, lr
+diff --git a/arch/arm/lib/putuser.S b/arch/arm/lib/putuser.S
+index 7db2599..3d73dcb9 100644
+--- a/arch/arm/lib/putuser.S
++++ b/arch/arm/lib/putuser.S
+@@ -16,6 +16,7 @@
+ * __put_user_X
+ *
+ * Inputs: r0 contains the address
++ * r1 contains the address limit, which must be preserved
+ * r2, r3 contains the value
+ * Outputs: r0 is the error code
+ * lr corrupted
+@@ -27,16 +28,19 @@
+ * Note also that it is intended that __put_user_bad is not global.
+ */
+ #include
++#include
+ #include
+ #include
+
+ ENTRY(__put_user_1)
++ check_uaccess r0, 1, r1, ip, __put_user_bad
+ 1: TUSER(strb) r2, [r0]
+ mov r0, #0
+ mov pc, lr
+ ENDPROC(__put_user_1)
+
+ ENTRY(__put_user_2)
++ check_uaccess r0, 2, r1, ip, __put_user_bad
+ mov ip, r2, lsr #8
+ #ifdef CONFIG_THUMB2_KERNEL
+ #ifndef __ARMEB__
+@@ -60,12 +64,14 @@ ENTRY(__put_user_2)
+ ENDPROC(__put_user_2)
+
+ ENTRY(__put_user_4)
++ check_uaccess r0, 4, r1, ip, __put_user_bad
+ 4: TUSER(str) r2, [r0]
+ mov r0, #0
+ mov pc, lr
+ ENDPROC(__put_user_4)
+
+ ENTRY(__put_user_8)
++ check_uaccess r0, 8, r1, ip, __put_user_bad
+ #ifdef CONFIG_THUMB2_KERNEL
+ 5: TUSER(str) r2, [r0]
+ 6: TUSER(str) r3, [r0, #4]
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2013-7446/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2013-7446/ANY/0001.patch
new file mode 100644
index 00000000..be87c762
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2013-7446/ANY/0001.patch
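Review bot: The new `check_uaccess` macro in assembler.h carries no comment, and its three-instruction sequence is not self-explanatory: `adds` sets carry when `addr + size - 1` wraps, `sbcccs` performs the comparison against `limit` only when it did not, and `bcs` branches to `bad` in either failing case. A header comment stating that contract would help anyone backporting this to a tree with different register usage, for example `/* Branch to \bad unless addr + size - 1 <= limit; expands to nothing with CPU_USE_DOMAINS */`. The same comment should say that callers pass `addr_limit - 1`, as get_user() and put_user() do in uaccess.h, because the comparison is only correct under that convention.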
@@ -0,0 +1,320 @@ +From 7d267278a9ece963d77eefec61630223fce08c6c Mon Sep 17 00:00:00 2001 +From: Rainer Weikusat +Date: Fri, 20 Nov 2015 22:07:23 +0000 +Subject: unix: avoid use-after-free in ep_remove_wait_queue + +Rainer Weikusat writes: +An AF_UNIX datagram socket being the client in an n:1 association with +some server socket is only allowed to send messages to the server if the +receive queue of this socket contains at most sk_max_ack_backlog +datagrams. This implies that prospective writers might be forced to go +to sleep despite none of the message presently enqueued on the server +receive queue were sent by them. In order to ensure that these will be +woken up once space becomes again available, the present unix_dgram_poll +routine does a second sock_poll_wait call with the peer_wait wait queue +of the server socket as queue argument (unix_dgram_recvmsg does a wake +up on this queue after a datagram was received). This is inherently +problematic because the server socket is only guaranteed to remain alive +for as long as the client still holds a reference to it. In case the +connection is dissolved via connect or by the dead peer detection logic +in unix_dgram_sendmsg, the server socket may be freed despite "the +polling mechanism" (in particular, epoll) still has a pointer to the +corresponding peer_wait queue. There's no way to forcibly deregister a +wait queue with epoll. + +Based on an idea by Jason Baron, the patch below changes the code such +that a wait_queue_t belonging to the client socket is enqueued on the +peer_wait queue of the server whenever the peer receive queue full +condition is detected by either a sendmsg or a poll. A wake up on the +peer queue is then relayed to the ordinary wait queue of the client +socket via wake function. The connection to the peer wait queue is again +dissolved if either a wake up is about to be relayed or the client +socket reconnects or a dead peer is detected or the client socket is +itself closed. 
This enables removing the second sock_poll_wait from +unix_dgram_poll, thus avoiding the use-after-free, while still ensuring +that no blocked writer sleeps forever. + +Signed-off-by: Rainer Weikusat +Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets") +Reviewed-by: Jason Baron +Signed-off-by: David S. Miller +--- + net/unix/af_unix.c | 183 +++++++++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 164 insertions(+), 19 deletions(-) + +(limited to 'net/unix/af_unix.c') + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index 955ec15..4e95bdf 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -326,6 +326,118 @@ found: + return s; + } + ++/* Support code for asymmetrically connected dgram sockets ++ * ++ * If a datagram socket is connected to a socket not itself connected ++ * to the first socket (eg, /dev/log), clients may only enqueue more ++ * messages if the present receive queue of the server socket is not ++ * "too large". This means there's a second writeability condition ++ * poll and sendmsg need to test. The dgram recv code will do a wake ++ * up on the peer_wait wait queue of a socket upon reception of a ++ * datagram which needs to be propagated to sleeping would-be writers ++ * since these might not have sent anything so far. This can't be ++ * accomplished via poll_wait because the lifetime of the server ++ * socket might be less than that of its clients if these break their ++ * association with it or if the server socket is closed while clients ++ * are still connected to it and there's no way to inform "a polling ++ * implementation" that it should let go of a certain wait queue ++ * ++ * In order to propagate a wake up, a wait_queue_t of the client ++ * socket is enqueued on the peer_wait queue of the server socket ++ * whose wake function does a wake_up on the ordinary client socket ++ * wait queue. 
This connection is established whenever a write (or ++ * poll for write) hit the flow control condition and broken when the ++ * association to the server socket is dissolved or after a wake up ++ * was relayed. ++ */ ++ ++static int unix_dgram_peer_wake_relay(wait_queue_t *q, unsigned mode, int flags, ++ void *key) ++{ ++ struct unix_sock *u; ++ wait_queue_head_t *u_sleep; ++ ++ u = container_of(q, struct unix_sock, peer_wake); ++ ++ __remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait, ++ q); ++ u->peer_wake.private = NULL; ++ ++ /* relaying can only happen while the wq still exists */ ++ u_sleep = sk_sleep(&u->sk); ++ if (u_sleep) ++ wake_up_interruptible_poll(u_sleep, key); ++ ++ return 0; ++} ++ ++static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other) ++{ ++ struct unix_sock *u, *u_other; ++ int rc; ++ ++ u = unix_sk(sk); ++ u_other = unix_sk(other); ++ rc = 0; ++ spin_lock(&u_other->peer_wait.lock); ++ ++ if (!u->peer_wake.private) { ++ u->peer_wake.private = other; ++ __add_wait_queue(&u_other->peer_wait, &u->peer_wake); ++ ++ rc = 1; ++ } ++ ++ spin_unlock(&u_other->peer_wait.lock); ++ return rc; ++} ++ ++static void unix_dgram_peer_wake_disconnect(struct sock *sk, ++ struct sock *other) ++{ ++ struct unix_sock *u, *u_other; ++ ++ u = unix_sk(sk); ++ u_other = unix_sk(other); ++ spin_lock(&u_other->peer_wait.lock); ++ ++ if (u->peer_wake.private == other) { ++ __remove_wait_queue(&u_other->peer_wait, &u->peer_wake); ++ u->peer_wake.private = NULL; ++ } ++ ++ spin_unlock(&u_other->peer_wait.lock); ++} ++ ++static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk, ++ struct sock *other) ++{ ++ unix_dgram_peer_wake_disconnect(sk, other); ++ wake_up_interruptible_poll(sk_sleep(sk), ++ POLLOUT | ++ POLLWRNORM | ++ POLLWRBAND); ++} ++ ++/* preconditions: ++ * - unix_peer(sk) == other ++ * - association is stable ++ */ ++static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other) ++{ ++ int connected; ++ ++ 
connected = unix_dgram_peer_wake_connect(sk, other); ++ ++ if (unix_recvq_full(other)) ++ return 1; ++ ++ if (connected) ++ unix_dgram_peer_wake_disconnect(sk, other); ++ ++ return 0; ++} ++ + static int unix_writable(const struct sock *sk) + { + return sk->sk_state != TCP_LISTEN && +@@ -431,6 +543,8 @@ static void unix_release_sock(struct sock *sk, int embrion) + skpair->sk_state_change(skpair); + sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP); + } ++ ++ unix_dgram_peer_wake_disconnect(sk, skpair); + sock_put(skpair); /* It may now die */ + unix_peer(sk) = NULL; + } +@@ -666,6 +780,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern) + INIT_LIST_HEAD(&u->link); + mutex_init(&u->readlock); /* single task reading lock */ + init_waitqueue_head(&u->peer_wait); ++ init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay); + unix_insert_socket(unix_sockets_unbound(sk), sk); + out: + if (sk == NULL) +@@ -1033,6 +1148,8 @@ restart: + if (unix_peer(sk)) { + struct sock *old_peer = unix_peer(sk); + unix_peer(sk) = other; ++ unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer); ++ + unix_state_double_unlock(sk, other); + + if (other != old_peer) +@@ -1472,6 +1589,7 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, + struct scm_cookie scm; + int max_level; + int data_len = 0; ++ int sk_locked; + + wait_for_unix_gc(); + err = scm_send(sock, msg, &scm, false); +@@ -1550,12 +1668,14 @@ restart: + goto out_free; + } + ++ sk_locked = 0; + unix_state_lock(other); ++restart_locked: + err = -EPERM; + if (!unix_may_send(sk, other)) + goto out_unlock; + +- if (sock_flag(other, SOCK_DEAD)) { ++ if (unlikely(sock_flag(other, SOCK_DEAD))) { + /* + * Check with 1003.1g - what should + * datagram error +@@ -1563,10 +1683,14 @@ restart: + unix_state_unlock(other); + sock_put(other); + ++ if (!sk_locked) ++ unix_state_lock(sk); ++ + err = 0; +- unix_state_lock(sk); + if (unix_peer(sk) == other) { + unix_peer(sk) = NULL; ++ 
unix_dgram_peer_wake_disconnect_wakeup(sk, other); ++ + unix_state_unlock(sk); + + unix_dgram_disconnected(sk, other); +@@ -1592,21 +1716,38 @@ restart: + goto out_unlock; + } + +- if (unix_peer(other) != sk && unix_recvq_full(other)) { +- if (!timeo) { +- err = -EAGAIN; +- goto out_unlock; ++ if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { ++ if (timeo) { ++ timeo = unix_wait_for_peer(other, timeo); ++ ++ err = sock_intr_errno(timeo); ++ if (signal_pending(current)) ++ goto out_free; ++ ++ goto restart; + } + +- timeo = unix_wait_for_peer(other, timeo); ++ if (!sk_locked) { ++ unix_state_unlock(other); ++ unix_state_double_lock(sk, other); ++ } + +- err = sock_intr_errno(timeo); +- if (signal_pending(current)) +- goto out_free; ++ if (unix_peer(sk) != other || ++ unix_dgram_peer_wake_me(sk, other)) { ++ err = -EAGAIN; ++ sk_locked = 1; ++ goto out_unlock; ++ } + +- goto restart; ++ if (!sk_locked) { ++ sk_locked = 1; ++ goto restart_locked; ++ } + } + ++ if (unlikely(sk_locked)) ++ unix_state_unlock(sk); ++ + if (sock_flag(other, SOCK_RCVTSTAMP)) + __net_timestamp(skb); + maybe_add_creds(skb, sock, other); +@@ -1620,6 +1761,8 @@ restart: + return len; + + out_unlock: ++ if (sk_locked) ++ unix_state_unlock(sk); + unix_state_unlock(other); + out_free: + kfree_skb(skb); +@@ -2476,14 +2619,16 @@ static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, + return mask; + + writable = unix_writable(sk); +- other = unix_peer_get(sk); +- if (other) { +- if (unix_peer(other) != sk) { +- sock_poll_wait(file, &unix_sk(other)->peer_wait, wait); +- if (unix_recvq_full(other)) +- writable = 0; +- } +- sock_put(other); ++ if (writable) { ++ unix_state_lock(sk); ++ ++ other = unix_peer(sk); ++ if (other && unix_peer(other) != sk && ++ unix_recvq_full(other) && ++ unix_dgram_peer_wake_me(sk, other)) ++ writable = 0; ++ ++ unix_state_unlock(sk); + } + + if (writable) +-- +cgit v1.1 + 
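Review bot: In unix_dgram_sendmsg the new flow-control branch `if (unlikely(unix_peer(other) != sk && unix_recvq_full(other)))` does not exclude `other == sk`, while the paths after it release `sk` and `other` as two separate locks (`unix_state_unlock(sk)` followed by `unix_state_unlock(other)` at out_unlock). If a datagram socket can reach this point with itself as the destination, the same lock would be released twice; the lookup is outside the hunk, so this is inferred. Guarding the branch as `if (other != sk && unlikely(unix_peer(other) != sk && unix_recvq_full(other)))` keeps the n:1 handling away from that case. The body of unix_dgram_sendmsg starts and ends outside the hunks shown.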
diff --git a/Patches/Linux_CVEs/CVE-2014-0196/3.2/1.patch b/Patches/Linux_CVEs/CVE-2014-0196/3.2/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-0196/3.2/1.patch
rename to Patches/Linux_CVEs/CVE-2014-0196/3.2/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-0196/3.4/2.patch b/Patches/Linux_CVEs/CVE-2014-0196/3.4/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-0196/3.4/2.patch
rename to Patches/Linux_CVEs/CVE-2014-0196/3.4/0003.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-0196/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-0196/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-0196/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-0196/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-0206/3.12/0.patch b/Patches/Linux_CVEs/CVE-2014-0206/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-0206/3.12/0.patch
rename to Patches/Linux_CVEs/CVE-2014-0206/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-0972/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-0972/ANY/0001.patch
new file mode 100644
index 00000000..60c69649
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2014-0972/ANY/0001.patch
@@ -0,0 +1,181 @@ +From 7613c9d520ee4d227e635f6db0270d4cf26102bc Mon Sep 17 00:00:00 2001 +From: Jordan Crouse +Date: Mon, 21 Apr 2014 15:04:54 -0600 +Subject: msm: kgsl: Protect CP_STATE_DEBUG_INDEX + +Put CP_STATE_DEBUG_INDEX and CP_STATE_DEBUG_DATA under protection +to keep it from being written from an IB1. Doing so however opens +up a subtle "feature" in the microcode: memory read opcodes turn off +protected mode in the microcode to do the read and then turns it +back on regardless of the initial state. This is a problem if the +memory read happens while protected mode is turned off and then we +try to access a protected register which then complains and goes boom. + +To account for this irregularity explicitly turn back off protected +mode in all the places where we know this will be a problem. + +Change-Id: Ic0dedbad1397ca9b80132241ac006560a615e042 +Signed-off-by: Jordan Crouse +--- + drivers/gpu/msm/adreno.c | 24 +++++++++++++----------- + drivers/gpu/msm/adreno.h | 10 ++++++++++ + drivers/gpu/msm/adreno_a3xx.c | 1 + + drivers/gpu/msm/kgsl_iommu.c | 16 ++++++++++++++++ + 4 files changed, 40 insertions(+), 11 deletions(-) + +diff --git a/drivers/gpu/msm/adreno.c b/drivers/gpu/msm/adreno.c +index 4b21218..9bd07c6 100644 +--- a/drivers/gpu/msm/adreno.c ++++ b/drivers/gpu/msm/adreno.c +@@ -1150,9 +1150,7 @@ static int adreno_iommu_setstate(struct kgsl_device *device, + uint32_t flags) + { + phys_addr_t pt_val; +- unsigned int link[230]; +- unsigned int *cmds = &link[0]; +- int sizedwords = 0; ++ unsigned int *link = NULL, *cmds; + struct adreno_device *adreno_dev = ADRENO_DEVICE(device); + int num_iommu_units; + struct kgsl_context *context; +@@ -1170,6 +1168,14 @@ static int adreno_iommu_setstate(struct kgsl_device *device, + if (context) + adreno_ctx = ADRENO_CONTEXT(context); + ++ link = kmalloc(PAGE_SIZE, GFP_KERNEL); ++ if (link == NULL) { ++ result = -ENOMEM; ++ goto done; ++ } ++ ++ cmds = link; ++ + result = kgsl_mmu_enable_clk(&device->mmu, 
KGSL_IOMMU_CONTEXT_USER); + + if (result) +@@ -1192,17 +1198,11 @@ static int adreno_iommu_setstate(struct kgsl_device *device, + cmds += _adreno_iommu_setstate_v1(device, cmds, pt_val, + num_iommu_units, flags); + +- sizedwords += (cmds - &link[0]); +- if (sizedwords == 0) { +- KGSL_DRV_ERR(device, "no commands generated\n"); +- BUG(); +- } + /* invalidate all base pointers */ + *cmds++ = cp_type3_packet(CP_INVALIDATE_STATE, 1); + *cmds++ = 0x7fff; +- sizedwords += 2; + +- if (sizedwords > (ARRAY_SIZE(link))) { ++ if ((unsigned int) (cmds - link) > (PAGE_SIZE / sizeof(unsigned int))) { + KGSL_DRV_ERR(device, "Temp command buffer overflow\n"); + BUG(); + } +@@ -1211,7 +1211,8 @@ static int adreno_iommu_setstate(struct kgsl_device *device, + * use the global timestamp for iommu clock disablement + */ + result = adreno_ringbuffer_issuecmds(device, adreno_ctx, +- KGSL_CMD_FLAGS_PMODE, &link[0], sizedwords); ++ KGSL_CMD_FLAGS_PMODE, link, ++ (unsigned int)(cmds - link)); + + /* + * On error disable the IOMMU clock right away otherwise turn it off +@@ -1225,6 +1226,7 @@ static int adreno_iommu_setstate(struct kgsl_device *device, + KGSL_IOMMU_CONTEXT_USER); + + done: ++ kfree(link); + kgsl_context_put(context); + return result; + } +diff --git a/drivers/gpu/msm/adreno.h b/drivers/gpu/msm/adreno.h +index 8e162ca..0b793fa 100644 +--- a/drivers/gpu/msm/adreno.h ++++ b/drivers/gpu/msm/adreno.h +@@ -805,6 +805,11 @@ static inline int adreno_add_read_cmds(struct kgsl_device *device, + *cmds++ = val; + *cmds++ = 0xFFFFFFFF; + *cmds++ = 0xFFFFFFFF; ++ ++ /* WAIT_REG_MEM turns back on protected mode - push it off */ ++ *cmds++ = cp_type3_packet(CP_SET_PROTECTED_MODE, 1); ++ *cmds++ = 0; ++ + cmds += __adreno_add_idle_indirect_cmds(cmds, nop_gpuaddr); + return cmds - start; + } +@@ -850,6 +855,11 @@ static inline int adreno_wait_reg_mem(unsigned int *cmds, unsigned int addr, + *cmds++ = val; /* ref val */ + *cmds++ = mask; + *cmds++ = interval; ++ ++ /* WAIT_REG_MEM turns back on 
protected mode - push it off */ ++ *cmds++ = cp_type3_packet(CP_SET_PROTECTED_MODE, 1); ++ *cmds++ = 0; ++ + return cmds - start; + } + /* +diff --git a/drivers/gpu/msm/adreno_a3xx.c b/drivers/gpu/msm/adreno_a3xx.c +index 70ba50e..873a5c9 100644 +--- a/drivers/gpu/msm/adreno_a3xx.c ++++ b/drivers/gpu/msm/adreno_a3xx.c +@@ -2038,6 +2038,7 @@ static void a3xx_protect_init(struct kgsl_device *device) + + /* CP registers */ + adreno_set_protected_registers(device, &index, 0x1C0, 5); ++ adreno_set_protected_registers(device, &index, 0x1EC, 1); + adreno_set_protected_registers(device, &index, 0x1F6, 1); + adreno_set_protected_registers(device, &index, 0x1F8, 2); + adreno_set_protected_registers(device, &index, 0x45E, 2); +diff --git a/drivers/gpu/msm/kgsl_iommu.c b/drivers/gpu/msm/kgsl_iommu.c +index dba23b0..68b3420 100644 +--- a/drivers/gpu/msm/kgsl_iommu.c ++++ b/drivers/gpu/msm/kgsl_iommu.c +@@ -1036,6 +1036,10 @@ static unsigned int kgsl_iommu_sync_lock(struct kgsl_mmu *mmu, + *cmds++ = 0x1; + *cmds++ = 0x1; + ++ /* WAIT_REG_MEM turns back on protected mode - push it off */ ++ *cmds++ = cp_type3_packet(CP_SET_PROTECTED_MODE, 1); ++ *cmds++ = 0; ++ + *cmds++ = cp_type3_packet(CP_MEM_WRITE, 2); + *cmds++ = lock_vars->turn; + *cmds++ = 0; +@@ -1050,11 +1054,19 @@ static unsigned int kgsl_iommu_sync_lock(struct kgsl_mmu *mmu, + *cmds++ = 0x1; + *cmds++ = 0x1; + ++ /* WAIT_REG_MEM turns back on protected mode - push it off */ ++ *cmds++ = cp_type3_packet(CP_SET_PROTECTED_MODE, 1); ++ *cmds++ = 0; ++ + *cmds++ = cp_type3_packet(CP_TEST_TWO_MEMS, 3); + *cmds++ = lock_vars->flag[PROC_APPS]; + *cmds++ = lock_vars->turn; + *cmds++ = 0; + ++ /* TEST_TWO_MEMS turns back on protected mode - push it off */ ++ *cmds++ = cp_type3_packet(CP_SET_PROTECTED_MODE, 1); ++ *cmds++ = 0; ++ + cmds += adreno_add_idle_cmds(adreno_dev, cmds); + + return cmds - start; +@@ -1092,6 +1104,10 @@ static unsigned int kgsl_iommu_sync_unlock(struct kgsl_mmu *mmu, + *cmds++ = 0x1; + *cmds++ = 0x1; + ++ 
/* WAIT_REG_MEM turns back on protected mode - push it off */ ++ *cmds++ = cp_type3_packet(CP_SET_PROTECTED_MODE, 1); ++ *cmds++ = 0; ++ + cmds += adreno_add_idle_cmds(adreno_dev, cmds); + + return cmds - start; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2014-0972/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2014-0972/ANY/0002.patch new file mode 100644 index 00000000..2e743900 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-0972/ANY/0002.patch @@ -0,0 +1,31 @@ +From d7d07936a166e7421a6308eec443b707a9678580 Mon Sep 17 00:00:00 2001 +From: Jordan Crouse +Date: Thu, 17 Apr 2014 10:05:21 -0600 +Subject: msm: kgsl: Mark the IOMMU setstate memory as read only + +Mark the IOMMU setstate memory as read only in the pagetable. + +Change-Id: Ic0dedbadb19e499c749cd744c3e89be3bcb4c2a2 +Signed-off-by: Jordan Crouse +--- + drivers/gpu/msm/kgsl_mmu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/msm/kgsl_mmu.c b/drivers/gpu/msm/kgsl_mmu.c +index 95aac09..eb6d76f 100644 +--- a/drivers/gpu/msm/kgsl_mmu.c ++++ b/drivers/gpu/msm/kgsl_mmu.c +@@ -377,6 +377,10 @@ int kgsl_mmu_init(struct kgsl_device *device) + PAGE_SIZE); + if (status) + return status; ++ ++ /* Mark the setstate memory as read only */ ++ mmu->setstate_memory.flags |= KGSL_MEMFLAGS_GPUREADONLY; ++ + kgsl_sharedmem_set(device, &mmu->setstate_memory, 0, 0, + mmu->setstate_memory.size); + +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2014-0975/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-0975/ANY/0001.patch new file mode 100644 index 00000000..ef25a282 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-0975/ANY/0001.patch 
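Review bot: In adreno_iommu_setstate the size test `(unsigned int) (cmds - link) > (PAGE_SIZE / sizeof(unsigned int))` runs only after every command has been written into the kmalloc'd page, so it reports an overrun of the heap buffer rather than preventing one. The helper call shown, `_adreno_iommu_setstate_v1(device, cmds, pt_val, num_iommu_units, flags)`, takes no remaining-length argument, and this same patch makes adreno_wait_reg_mem and adreno_add_read_cmds emit two more dwords each. I would record that above the check with `/* post-hoc check: the helpers write unbounded, keep their worst-case output below PAGE_SIZE */`, or pass the remaining space down to the helpers. The function body starts outside the hunks shown.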
@@ -0,0 +1,35 @@ +From 832666bda9606623c3cff5b14873553f82ec1281 Mon Sep 17 00:00:00 2001 +From: Suman Mukherjee +Date: Tue, 9 Dec 2014 13:25:36 +0530 +Subject: msm: camera: add check for csid_cid to prevent of overwrite memory + +add sanity check for csid cid to ensute that we never read or write +outside csid_dev->mem buffer + +Change-Id: Ic8f0d689fa176720ae3a3316f2ad27556ae7bde5 +Signed-off-by: Suman Mukherjee +--- + drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c +index 3596a12..53a5ed3 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c +@@ -50,6 +50,13 @@ static int msm_csid_cid_lut( + return -EINVAL; + } + for (i = 0; i < csid_lut_params->num_cid && i < 16; i++) { ++ if (csid_lut_params->vc_cfg[i]->cid >= ++ csid_lut_params->num_cid || ++ csid_lut_params->vc_cfg[i]->cid < 0) { ++ pr_err("%s: cid outside range %d\n", ++ __func__, csid_lut_params->vc_cfg[i]->cid); ++ return -EINVAL; ++ } + CDBG("%s lut params num_cid = %d, cid = %d, dt = %x, df = %d\n", + __func__, + csid_lut_params->num_cid, +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2014-0976/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-0976/ANY/0001.patch new file mode 100644 index 00000000..9136c47e --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-0976/ANY/0001.patch 
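Review bot: The new range test in msm_csid_cid_lut compares `vc_cfg[i]->cid` with `csid_lut_params->num_cid`, a field of the same caller-supplied structure, while the loop next to it caps the index at the constant 16. Unless the check that precedes the loop (cut off above the hunk) already bounds num_cid, a large num_cid lets an equally large cid through. Comparing against the fixed limit instead, `if (csid_lut_params->vc_cfg[i]->cid >= 16 || csid_lut_params->vc_cfg[i]->cid < 0) {`, would not depend on that field, assuming 16 is also the cid limit of the table. The `< 0` arm is dead code if cid is an unsigned type, which the hunk does not show.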
@@ -0,0 +1,31 @@ +From ee37138b8ceee6035c93756043eaac7eaa1c0948 Mon Sep 17 00:00:00 2001 +From: Suman Mukherjee +Date: Wed, 17 Dec 2014 10:00:49 +0530 +Subject: msm: camera: ispif: Validate vfe_intf parameter + +Validate vfe_intf parameter to avoid invalid register access. + +Change-Id: Ie0b57071cc5fca1c48d3a5e2e7819f9af9ff544c +Signed-off-by: Suman Mukherjee +--- + drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c +index 8f99ff6..d044c1d 100755 +--- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c ++++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c +@@ -60,8 +60,8 @@ static void msm_ispif_io_dump_reg(struct ispif_device *ispif) + static inline int msm_ispif_is_intf_valid(uint32_t csid_version, + uint8_t intf_type) + { +- return (csid_version <= CSID_VERSION_V22 && intf_type != VFE0) ? +- false : true; ++ return ((csid_version <= CSID_VERSION_V22 && intf_type != VFE0) || ++ (intf_type >= VFE_MAX)) ? false : true; + } + + static struct msm_cam_clk_info ispif_8626_reset_clk_info[] = { +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2014-1739/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-1739/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-1739/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-1739/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-2523/3.2/1.patch b/Patches/Linux_CVEs/CVE-2014-2523/3.2/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-2523/3.2/1.patch rename to Patches/Linux_CVEs/CVE-2014-2523/3.2/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-2523/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-2523/^3.13/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-2523/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-2523/^3.13/0002.patch 
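Review bot: msm_ispif_is_intf_valid is declared to return int, yet the new expression still ends in `? false : true`, which leaves the reader to invert a two-part condition by hand. `return !((csid_version <= CSID_VERSION_V22 && intf_type != VFE0) || intf_type >= VFE_MAX);` states the same result directly. A one-line comment such as `/* intf_type must be below VFE_MAX before it is used for register access */` would record why the second test was added.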
diff --git a/Patches/Linux_CVEs/CVE-2014-2706/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-2706/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-2706/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-2706/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-2851/3.2/0.patch b/Patches/Linux_CVEs/CVE-2014-2851/3.2/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-2851/3.2/0.patch
rename to Patches/Linux_CVEs/CVE-2014-2851/3.2/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-3145/3.2/2.patch b/Patches/Linux_CVEs/CVE-2014-3145/3.2/2.patch
deleted file mode 100644
index c3660802..00000000
--- a/Patches/Linux_CVEs/CVE-2014-3145/3.2/2.patch
+++ /dev/null
@@ -1,92 +0,0 @@ -From d41eb74e53d94aba656ffda647d106808e636cd6 Mon Sep 17 00:00:00 2001 -From: Mathias Krause -Date: Sun, 13 Apr 2014 18:23:33 +0200 -Subject: filter: prevent nla extensions to peek beyond the end of the message - -[ Upstream commit 05ab8f2647e4221cbdb3856dd7d32bd5407316b3 ] - -The BPF_S_ANC_NLATTR and BPF_S_ANC_NLATTR_NEST extensions fail to check -for a minimal message length before testing the supplied offset to be -within the bounds of the message. This allows the subtraction of the nla -header to underflow and therefore -- as the data type is unsigned -- -allowing far to big offset and length values for the search of the -netlink attribute. - -The remainder calculation for the BPF_S_ANC_NLATTR_NEST extension is -also wrong. It has the minuend and subtrahend mixed up, therefore -calculates a huge length value, allowing to overrun the end of the -message while looking for the netlink attribute. - -The following three BPF snippets will trigger the bugs when attached to -a UNIX datagram socket and parsing a message with length 1, 2 or 3. - - ,-[ PoC for missing size check in BPF_S_ANC_NLATTR ]-- - | ld #0x87654321 - | ldx #42 - | ld #nla - | ret a - `--- - - ,-[ PoC for the same bug in BPF_S_ANC_NLATTR_NEST ]-- - | ld #0x87654321 - | ldx #42 - | ld #nlan - | ret a - `--- - - ,-[ PoC for wrong remainder calculation in BPF_S_ANC_NLATTR_NEST ]-- - | ; (needs a fake netlink header at offset 0) - | ld #0 - | ldx #42 - | ld #nlan - | ret a - `--- - -Fix the first issue by ensuring the message length fulfills the minimal -size constrains of a nla header. Fix the second bug by getting the math -for the remainder calculation right. - -Fixes: 4738c1db15 ("[SKFILTER]: Add SKF_ADF_NLATTR instruction") -Fixes: d214c7537b ("filter: add SKF_AD_NLATTR_NEST to look for nested..") -Cc: Patrick McHardy -Cc: Pablo Neira Ayuso -Signed-off-by: Mathias Krause -Acked-by: Daniel Borkmann -Signed-off-by: David S. 
Miller -[bwh: Fix misplacement of the first check due to a bug in the patch program] -Signed-off-by: Ben Hutchings ---- - net/core/filter.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/net/core/filter.c b/net/core/filter.c -index 5dea452..9c88080 100644 ---- a/net/core/filter.c -+++ b/net/core/filter.c -@@ -320,6 +320,8 @@ load_b: - - if (skb_is_nonlinear(skb)) - return 0; -+ if (skb->len < sizeof(struct nlattr)) -+ return 0; - if (A > skb->len - sizeof(struct nlattr)) - return 0; - -@@ -336,11 +338,13 @@ load_b: - - if (skb_is_nonlinear(skb)) - return 0; -+ if (skb->len < sizeof(struct nlattr)) -+ return 0; - if (A > skb->len - sizeof(struct nlattr)) - return 0; - - nla = (struct nlattr *)&skb->data[A]; -- if (nla->nla_len > A - skb->len) -+ if (nla->nla_len > skb->len - A) - return 0; - - nla = nla_find_nested(nla, X); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-3145/3.10/1.patch b/Patches/Linux_CVEs/CVE-2014-3145/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-3145/3.10/1.patch rename to Patches/Linux_CVEs/CVE-2014-3145/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-3145/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-3145/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-3145/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-3145/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2014-4014/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-4014/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-4014/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-4014/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-4321/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-4321/ANY/0001.patch new file mode 100644 index 00000000..142053d4 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-4321/ANY/0001.patch 
@@ -0,0 +1,66 @@ +From 68c459daa22a26d6ca8f169baef6605ca8a285f2 Mon Sep 17 00:00:00 2001 +From: Alok Kediya +Date: Tue, 9 Dec 2014 12:53:29 +0530 +Subject: msm: camera: isp: Validate reg_offset and len parameters + +Validate reg_offset and len parameters before consuming to +avoid invalid register access. + +Change-Id: I07676a6d10a9945fb0b99ebfd147075f896fbfab +Signed-off-by: Alok Kediya +--- + .../platform/msm/camera_v2/isp/msm_isp_util.c | 36 +++++++++++++++++++--- + 1 file changed, 31 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c +index 12fd081..620c01a 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c +@@ -495,13 +495,39 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, + uint32_t *cfg_data, uint32_t cmd_len) + { + switch (reg_cfg_cmd->cmd_type) { +- case VFE_WRITE: { +- if (resource_size(vfe_dev->vfe_mem) < +- (reg_cfg_cmd->u.rw_info.reg_offset + +- reg_cfg_cmd->u.rw_info.len)) { +- pr_err("%s: VFE_WRITE: Invalid length\n", __func__); ++ case VFE_WRITE: ++ case VFE_READ: { ++ if ((reg_cfg_cmd->u.rw_info.reg_offset > ++ (UINT_MAX - reg_cfg_cmd->u.rw_info.len)) || ++ ((reg_cfg_cmd->u.rw_info.reg_offset + ++ reg_cfg_cmd->u.rw_info.len) > ++ resource_size(vfe_dev->vfe_mem))) { ++ pr_err("%s:%d reg_offset %d len %d res %d\n", ++ __func__, __LINE__, ++ reg_cfg_cmd->u.rw_info.reg_offset, ++ reg_cfg_cmd->u.rw_info.len, ++ (uint32_t)resource_size(vfe_dev->vfe_mem)); + return -EINVAL; + } ++ ++ if ((reg_cfg_cmd->u.rw_info.cmd_data_offset > ++ (UINT_MAX - reg_cfg_cmd->u.rw_info.len)) || ++ ((reg_cfg_cmd->u.rw_info.cmd_data_offset + ++ reg_cfg_cmd->u.rw_info.len) > cmd_len)) { ++ pr_err("%s:%d cmd_data_offset %d len %d cmd_len %d\n", ++ __func__, __LINE__, ++ reg_cfg_cmd->u.rw_info.cmd_data_offset, ++ reg_cfg_cmd->u.rw_info.len, cmd_len); ++ return -EINVAL; ++ } ++ 
break; ++ } ++ default: ++ break; ++ } ++ ++ switch (reg_cfg_cmd->cmd_type) { ++ case VFE_WRITE: { + msm_camera_io_memcpy(vfe_dev->vfe_base + + reg_cfg_cmd->u.rw_info.reg_offset, + cfg_data + reg_cfg_cmd->u.rw_info.cmd_data_offset/4, +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2014-4322/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-4322/ANY/0001.patch new file mode 100644 index 00000000..9fa7e42e --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-4322/ANY/0001.patch 
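Review bot: The new validation switch in msm_isp_send_hw_cmd checks `reg_offset + len` and `cmd_data_offset + len` only for VFE_WRITE and VFE_READ, and every other cmd_type leaves through `default: break;` into the second switch unchecked. The remaining cases of that second switch are outside the hunk, so whether they validate their own fields cannot be seen here. A comment on the default arm, `/* other cmd types must bound-check their own fields in the switch below */`, would make the contract explicit. The pr_err calls print these values with `%d` although they are compared against UINT_MAX and so are apparently unsigned; `%u` would match.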
@@ -0,0 +1,94 @@ +From b9470692c228608ef0ec60747ac2732ad7ffedf0 Mon Sep 17 00:00:00 2001 +From: Mona Hossain +Date: Thu, 9 Oct 2014 12:00:03 -0700 +Subject: qseecom: Add boundary checks for offset within message. + +Qseecom driver does not have boundary checks for offset within the +message. So this patch add checks to validate the offsets sent by +client to modify data within the command request message and it +should not exceed the memory allocated for that message. + +Change-Id: I29bfbdc154eebb4f3f4bfbb31789562e37fa5886 +Signed-off-by: Mona Hossain +Signed-off-by: Mallikarjuna Reddy Amireddy +--- + drivers/misc/qseecom.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 49 insertions(+) + +diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c +index 3a93469..b091acd 100644 +--- a/drivers/misc/qseecom.c ++++ b/drivers/misc/qseecom.c +@@ -1525,6 +1525,30 @@ static int qseecom_send_cmd(struct qseecom_dev_handle *data, void __user *argp) + return ret; + } + ++int boundary_checks_offset(struct qseecom_send_modfd_cmd_req *cmd_req, ++ struct qseecom_send_modfd_listener_resp *lstnr_resp, ++ struct qseecom_dev_handle *data, bool listener_svc, ++ int i) { ++ int ret = 0; ++ ++ if ((!listener_svc) && (cmd_req->ifd_data[i].fd > 0)) { ++ if (cmd_req->ifd_data[i].cmd_buf_offset > ++ cmd_req->cmd_req_len - sizeof(uint32_t)) { ++ pr_err("Invalid offset 0x%x\n", ++ cmd_req->ifd_data[i].cmd_buf_offset); ++ return ++ret; ++ } ++ } else if ((listener_svc) && (lstnr_resp->ifd_data[i].fd > 0)) { ++ if (lstnr_resp->ifd_data[i].cmd_buf_offset > ++ lstnr_resp->resp_len - sizeof(uint32_t)) { ++ pr_err("Invalid offset 0x%x\n", ++ lstnr_resp->ifd_data[i].cmd_buf_offset); ++ return ++ret; ++ } ++ } ++ return ret; ++} ++ + static int __qseecom_update_cmd_buf(void *msg, bool cleanup, + struct qseecom_dev_handle *data, + bool listener_svc) +@@ -1598,6 +1622,10 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup, + if (sg_ptr->nents == 1) { + uint32_t 
*update; + update = (uint32_t *) field; ++ ++ if (boundary_checks_offset(cmd_req, lstnr_resp, data, ++ listener_svc, i)) ++ goto err; + if (cleanup) + *update = 0; + else +@@ -1607,6 +1635,27 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup, + } else { + struct qseecom_sg_entry *update; + int j = 0; ++ ++ if ((!listener_svc) && (cmd_req->ifd_data[i].fd > 0)) { ++ if (cmd_req->ifd_data[i].cmd_buf_offset > ++ cmd_req->cmd_req_len - ++ sizeof(struct qseecom_sg_entry)) { ++ pr_err("Invalid offset = 0x%x\n", ++ cmd_req->ifd_data[i]. ++ cmd_buf_offset); ++ goto err; ++ } ++ } else if ((listener_svc) && ++ (lstnr_resp->ifd_data[i].fd > 0)) { ++ if (lstnr_resp->ifd_data[i].cmd_buf_offset > ++ lstnr_resp->resp_len - ++ sizeof(struct qseecom_sg_entry)) { ++ pr_err("Invalid offset = 0x%x\n", ++ lstnr_resp->ifd_data[i]. ++ cmd_buf_offset); ++ goto err; ++ } ++ } + update = (struct qseecom_sg_entry *) field; + for (j = 0; j < sg_ptr->nents; j++) { + if (cleanup) { +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2014-4322/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2014-4322/ANY/0002.patch new file mode 100644 index 00000000..f6c32003 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-4322/ANY/0002.patch 
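Review bot: In boundary_checks_offset the limit `cmd_req->cmd_req_len - sizeof(uint32_t)` is computed in unsigned arithmetic, so a request length below four wraps to a huge value and any cmd_buf_offset passes; the check needs a lower bound first, `if (cmd_req->cmd_req_len < sizeof(uint32_t) || cmd_req->ifd_data[i].cmd_buf_offset > cmd_req->cmd_req_len - sizeof(uint32_t)) {`. The same applies to `lstnr_resp->resp_len` and to both `sizeof(struct qseecom_sg_entry)` tests in the multi-entry branch of __qseecom_update_cmd_buf, which also leave room for a single entry although the loop below them runs to `sg_ptr->nents`. The helper could be `static`, and it does not use its `data` argument. __qseecom_update_cmd_buf starts and ends outside the hunks shown.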
@@ -0,0 +1,383 @@ +From e909d95e6bded328e388d5b8d123297bbbb70728 Mon Sep 17 00:00:00 2001 +From: Mona Hossain +Date: Mon, 3 Nov 2014 17:05:48 -0800 +Subject: qseecom: Add checks for send_cmd inputs + +Improve user input validation across send cmd APIs. Add new +API __validate_send_cmd_inputs() to validate all user provided +inputs. + +Change-Id: Ibbb0c0e7e5483f653bd59b927562b63c1e43c365 +Signed-off-by: Mona Hossain +--- + drivers/misc/qseecom.c | 221 ++++++++++++++++++++++++++++++------------------- + 1 file changed, 134 insertions(+), 87 deletions(-) + +diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c +index 65001c5..244f1bf 100644 +--- a/drivers/misc/qseecom.c ++++ b/drivers/misc/qseecom.c +@@ -981,7 +981,7 @@ static int qseecom_scale_bus_bandwidth(struct qseecom_dev_handle *data, + } + if (req_mode > HIGH) { + pr_err("Invalid bandwidth mode (%d)\n", req_mode); +- return ret; ++ return -EINVAL; + } + + /* +@@ -1834,24 +1834,16 @@ exit: + return ret; + } + +-static int __qseecom_send_cmd(struct qseecom_dev_handle *data, ++static int __validate_send_cmd_inputs(struct qseecom_dev_handle *data, + struct qseecom_send_cmd_req *req) +-{ +- int ret = 0; +- u32 reqd_len_sb_in = 0; +- struct qseecom_client_send_data_ireq send_data_req; +- struct qseecom_command_scm_resp resp; +- unsigned long flags; +- struct qseecom_registered_app_list *ptr_app; +- bool found_app = false; +- int name_len = 0; + ++{ + if (!data || !data->client.ihandle) { + pr_err("Client or client handle is not initialized\n"); + return -EINVAL; + } +- +- if (req->cmd_req_buf == NULL || req->resp_buf == NULL) { ++ if (((req->resp_buf == NULL) && (req->resp_len != 0)) || ++ (req->cmd_req_buf == NULL)) { + pr_err("cmd buffer or response buffer is null\n"); + return -EINVAL; + } +@@ -1862,8 +1854,6 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data, + pr_err("cmd buffer address not within shared bufffer\n"); + return -EINVAL; + } +- +- + if (((uintptr_t)req->resp_buf < + 
data->client.user_virt_sb_base) || + ((uintptr_t)req->resp_buf >= +@@ -1871,27 +1861,62 @@ static int __qseecom_send_cmd(struct qseecom_dev_handle *data, + pr_err("response buffer address not within shared bufffer\n"); + return -EINVAL; + } +- +- if ((req->cmd_req_len == 0) || (req->resp_len == 0) || +- req->cmd_req_len > data->client.sb_length || +- req->resp_len > data->client.sb_length) { +- pr_err("cmd buffer length or response buffer length not valid\n"); ++ if ((req->cmd_req_len == 0) || ++ (req->cmd_req_len > data->client.sb_length) || ++ (req->resp_len > data->client.sb_length)) { ++ pr_err("cmd buf length or response buf length not valid\n"); + return -EINVAL; + } +- + if (req->cmd_req_len > UINT_MAX - req->resp_len) { +- pr_err("Integer overflow detected in req_len & rsp_len, exiting now\n"); ++ pr_err("Integer overflow detected in req_len & rsp_len\n"); + return -EINVAL; + } + +- reqd_len_sb_in = req->cmd_req_len + req->resp_len; +- if (reqd_len_sb_in > data->client.sb_length) { ++ if ((req->cmd_req_len + req->resp_len) > data->client.sb_length) { + pr_debug("Not enough memory to fit cmd_buf.\n"); + pr_debug("resp_buf. 
Required: %u, Available: %zu\n", +- reqd_len_sb_in, data->client.sb_length); ++ (req->cmd_req_len + req->resp_len), ++ data->client.sb_length); + return -ENOMEM; + } ++ if ((uintptr_t)req->cmd_req_buf > (ULONG_MAX - req->cmd_req_len)) { ++ pr_err("Integer overflow in req_len & cmd_req_buf\n"); ++ return -EINVAL; ++ } ++ if ((uintptr_t)req->resp_buf > (ULONG_MAX - req->resp_len)) { ++ pr_err("Integer overflow in resp_len & resp_buf\n"); ++ return -EINVAL; ++ } ++ if (data->client.user_virt_sb_base > ++ (ULONG_MAX - data->client.sb_length)) { ++ pr_err("Integer overflow in user_virt_sb_base & sb_length\n"); ++ return -EINVAL; ++ } ++ if ((((uintptr_t)req->cmd_req_buf + req->cmd_req_len) > ++ ((uintptr_t)data->client.user_virt_sb_base + ++ data->client.sb_length)) || ++ (((uintptr_t)req->resp_buf + req->resp_len) > ++ ((uintptr_t)data->client.user_virt_sb_base + ++ data->client.sb_length))) { ++ pr_err("cmd buf or resp buf is out of shared buffer region\n"); ++ return -EINVAL; ++ } ++ return 0; ++} + ++static int __qseecom_send_cmd(struct qseecom_dev_handle *data, ++ struct qseecom_send_cmd_req *req) ++{ ++ int ret = 0; ++ u32 reqd_len_sb_in = 0; ++ struct qseecom_client_send_data_ireq send_data_req; ++ struct qseecom_command_scm_resp resp; ++ unsigned long flags; ++ struct qseecom_registered_app_list *ptr_app; ++ bool found_app = false; ++ int name_len = 0; ++ ++ reqd_len_sb_in = req->cmd_req_len + req->resp_len; + /* find app_id & img_name from list */ + spin_lock_irqsave(&qseecom.registered_app_list_lock, flags); + list_for_each_entry(ptr_app, &qseecom.registered_app_list_head, +@@ -1965,6 +1990,10 @@ static int qseecom_send_cmd(struct qseecom_dev_handle *data, void __user *argp) + pr_err("copy_from_user failed\n"); + return ret; + } ++ ++ if (__validate_send_cmd_inputs(data, &req)) ++ return -EINVAL; ++ + ret = __qseecom_send_cmd(data, &req); + + if (ret) +@@ -1973,50 +2002,54 @@ static int qseecom_send_cmd(struct qseecom_dev_handle *data, void __user *argp) + 
return ret; + } + +-int boundary_checks_offset(struct qseecom_send_modfd_cmd_req *req, ++int __boundary_checks_offset(struct qseecom_send_modfd_cmd_req *req, + struct qseecom_send_modfd_listener_resp *lstnr_resp, + struct qseecom_dev_handle *data, bool qteec, + int i) { +- int ret = 0; + + if ((data->type != QSEECOM_LISTENER_SERVICE) && + (req->ifd_data[i].fd > 0)) { + if (qteec) { +- if (req->ifd_data[i].cmd_buf_offset > +- req->cmd_req_len - TWO * sizeof(uint32_t)) { +- pr_err("Invalid offset 0x%x\n", ++ if ((req->cmd_req_len < (TWO * sizeof(uint32_t))) || ++ (req->ifd_data[i].cmd_buf_offset > ++ req->cmd_req_len - (TWO * sizeof(uint32_t)))) { ++ pr_err("Invalid offset (QTEEC req len) 0x%x\n", + req->ifd_data[i].cmd_buf_offset); +- return ++ret; ++ return -EINVAL; + } + } else { +- if (req->ifd_data[i].cmd_buf_offset > +- req->cmd_req_len - sizeof(uint32_t)) { +- pr_err("Invalid offset 0x%x\n", ++ if ((req->cmd_req_len < sizeof(uint32_t)) || ++ (req->ifd_data[i].cmd_buf_offset > ++ req->cmd_req_len - sizeof(uint32_t))) { ++ pr_err("Invalid offset (req len) 0x%x\n", + req->ifd_data[i].cmd_buf_offset); +- return ++ret; ++ return -EINVAL; + } + } + } else if ((data->type == QSEECOM_LISTENER_SERVICE) && + (lstnr_resp->ifd_data[i].fd > 0)) { + if (qteec) { +- if (lstnr_resp->ifd_data[i].cmd_buf_offset > +- lstnr_resp->resp_len - TWO * sizeof(uint32_t)) { +- pr_err("Invalid offset 0x%x\n", ++ if ((lstnr_resp->resp_len < TWO * sizeof(uint32_t)) || ++ (lstnr_resp->ifd_data[i].cmd_buf_offset > ++ lstnr_resp->resp_len - TWO*sizeof(uint32_t))) { ++ pr_err("Invalid offset (QTEEC resp len) 0x%x\n", + lstnr_resp->ifd_data[i].cmd_buf_offset); +- return ++ret; ++ return -EINVAL; + } + } else { +- if (lstnr_resp->ifd_data[i].cmd_buf_offset > +- lstnr_resp->resp_len - sizeof(uint32_t)) { +- pr_err("Invalid offset 0x%x\n", ++ if ((lstnr_resp->resp_len < sizeof(uint32_t)) || ++ (lstnr_resp->ifd_data[i].cmd_buf_offset > ++ lstnr_resp->resp_len - sizeof(uint32_t))) { ++ 
pr_err("Invalid offset (lstnr resp len) 0x%x\n", + lstnr_resp->ifd_data[i].cmd_buf_offset); +- return ++ret; ++ return -EINVAL; + } + } + } +- return ret; ++ return 0; + } + ++#define SG_ENTRY_SZ sizeof(struct qseecom_sg_entry) + static int __qseecom_update_cmd_buf(void *msg, bool cleanup, + struct qseecom_dev_handle *data, bool qteec) + { +@@ -2095,7 +2128,7 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup, + uint32_t *update; + update = (uint32_t *) field; + +- if (boundary_checks_offset(req, lstnr_resp, data, ++ if (__boundary_checks_offset(req, lstnr_resp, data, + qteec, i)) + goto err; + if (cleanup) +@@ -2112,22 +2145,25 @@ static int __qseecom_update_cmd_buf(void *msg, bool cleanup, + + if ((data->type != QSEECOM_LISTENER_SERVICE) && + (req->ifd_data[i].fd > 0)) { +- if (req->ifd_data[i].cmd_buf_offset > +- req->cmd_req_len - +- sizeof(struct qseecom_sg_entry)) { ++ ++ if ((req->cmd_req_len < ++ SG_ENTRY_SZ * sg_ptr->nents) || ++ (req->ifd_data[i].cmd_buf_offset > ++ (req->cmd_req_len - ++ SG_ENTRY_SZ * sg_ptr->nents))) { + pr_err("Invalid offset = 0x%x\n", +- req->ifd_data[i]. +- cmd_buf_offset); ++ req->ifd_data[i].cmd_buf_offset); + goto err; + } ++ + } else if ((data->type == QSEECOM_LISTENER_SERVICE) && + (lstnr_resp->ifd_data[i].fd > 0)) { +- if (lstnr_resp->ifd_data[i].cmd_buf_offset > +- lstnr_resp->resp_len - +- sizeof(struct qseecom_sg_entry)) { +- pr_err("Invalid offset = 0x%x\n", +- lstnr_resp->ifd_data[i]. 
+- cmd_buf_offset); ++ ++ if ((lstnr_resp->resp_len < ++ SG_ENTRY_SZ * sg_ptr->nents) || ++ (lstnr_resp->ifd_data[i].cmd_buf_offset > ++ (lstnr_resp->resp_len - ++ SG_ENTRY_SZ * sg_ptr->nents))) { + goto err; + } + } +@@ -2179,37 +2215,14 @@ static int qseecom_send_modfd_cmd(struct qseecom_dev_handle *data, + return ret; + } + +- if (req.cmd_req_buf == NULL || req.resp_buf == NULL) { +- pr_err("cmd buffer or response buffer is null\n"); +- return -EINVAL; +- } +- if (((uintptr_t)req.cmd_req_buf < +- data->client.user_virt_sb_base) || +- ((uintptr_t)req.cmd_req_buf >= +- (data->client.user_virt_sb_base + data->client.sb_length))) { +- pr_err("cmd buffer address not within shared bufffer\n"); +- return -EINVAL; +- } +- +- if (((uintptr_t)req.resp_buf < +- data->client.user_virt_sb_base) || +- ((uintptr_t)req.resp_buf >= +- (data->client.user_virt_sb_base + data->client.sb_length))) { +- pr_err("response buffer address not within shared bufffer\n"); +- return -EINVAL; +- } +- +- if (req.cmd_req_len == 0 || req.cmd_req_len > data->client.sb_length || +- req.resp_len > data->client.sb_length) { +- pr_err("cmd or response buffer length not valid\n"); +- return -EINVAL; +- } +- + send_cmd_req.cmd_req_buf = req.cmd_req_buf; + send_cmd_req.cmd_req_len = req.cmd_req_len; + send_cmd_req.resp_buf = req.resp_buf; + send_cmd_req.resp_len = req.resp_len; + ++ if (__validate_send_cmd_inputs(data, &send_cmd_req)) ++ return -EINVAL; ++ + /* validate offsets */ + for (i = 0; i < MAX_ION_FD; i++) { + if (req.ifd_data[i].cmd_buf_offset >= req.cmd_req_len) { +@@ -2897,6 +2910,9 @@ int qseecom_send_command(struct qseecom_handle *handle, void *send_buf, + req.cmd_req_buf = send_buf; + req.resp_buf = resp_buf; + ++ if (__validate_send_cmd_inputs(data, &req)) ++ return -EINVAL; ++ + mutex_lock(&app_access_lock); + atomic_inc(&data->ioctl_count); + if (qseecom.support_bus_scaling) { +@@ -4111,6 +4127,19 @@ static int qseecom_save_partition_hash(void __user *argp) + static int 
__qseecom_qteec_validate_msg(struct qseecom_dev_handle *data, + struct qseecom_qteec_req *req) + { ++ ++ if (req->req_len > UINT_MAX - req->resp_len) { ++ pr_err("Integer overflow detected in req_len & rsp_len\n"); ++ return -EINVAL; ++ } ++ ++ if (req->req_len + req->resp_len > data->client.sb_length) { ++ pr_debug("Not enough memory to fit cmd_buf.\n"); ++ pr_debug("resp_buf. Required: %u, Available: %zu\n", ++ (req->req_len + req->resp_len), data->client.sb_length); ++ return -ENOMEM; ++ } ++ + if (req->req_ptr == NULL || req->resp_ptr == NULL) { + pr_err("cmd buffer or response buffer is null\n"); + return -EINVAL; +@@ -4131,15 +4160,33 @@ static int __qseecom_qteec_validate_msg(struct qseecom_dev_handle *data, + return -EINVAL; + } + +- if ((req->req_len == 0) || (req->resp_len == 0) || +- req->req_len > data->client.sb_length || +- req->resp_len > data->client.sb_length) { ++ if ((req->req_len == 0) || (req->resp_len == 0)) { + pr_err("cmd buf lengtgh/response buf length not valid\n"); + return -EINVAL; + } + +- if (req->req_len > UINT_MAX - req->resp_len) { +- pr_err("Integer overflow detected in req_len/rsp_len, exit\n"); ++ if ((uintptr_t)req->req_ptr > (ULONG_MAX - req->req_len)) { ++ pr_err("Integer overflow in req_len & req_ptr\n"); ++ return -EINVAL; ++ } ++ ++ if ((uintptr_t)req->resp_ptr > (ULONG_MAX - req->resp_len)) { ++ pr_err("Integer overflow in resp_len & resp_ptr\n"); ++ return -EINVAL; ++ } ++ ++ if (data->client.user_virt_sb_base > ++ (ULONG_MAX - data->client.sb_length)) { ++ pr_err("Integer overflow in user_virt_sb_base & sb_length\n"); ++ return -EINVAL; ++ } ++ if ((((uintptr_t)req->req_ptr + req->req_len) > ++ ((uintptr_t)data->client.user_virt_sb_base + ++ data->client.sb_length)) || ++ (((uintptr_t)req->resp_ptr + req->resp_len) > ++ ((uintptr_t)data->client.user_virt_sb_base + ++ data->client.sb_length))) { ++ pr_err("cmd buf or resp buf is out of shared buffer region\n"); + return -EINVAL; + } + return 0; +-- +cgit v1.1 + 
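Review bot: All three new call sites of `__validate_send_cmd_inputs()` (in `qseecom_send_cmd()`, `qseecom_send_modfd_cmd()` and `qseecom_send_command()`) discard its return value and return `-EINVAL`, although the validator returns `-ENOMEM` when the combined lengths exceed `sb_length`. Propagating the code keeps that case distinguishable for callers: `ret = __validate_send_cmd_inputs(data, &req);` followed by `if (ret) return ret;`. In the multi-entry branch of `__qseecom_update_cmd_buf()`, the listener-side check also loses its `pr_err("Invalid offset = 0x%x\n", ...)` while the client-side check keeps it, so a rejected listener offset now fails silently. The bodies of these functions continue outside the hunks shown.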
diff --git a/Patches/Linux_CVEs/CVE-2014-4323/3.10/0.patch b/Patches/Linux_CVEs/CVE-2014-4323/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-4323/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2014-4323/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-4324/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-4324/ANY/0001.patch new file mode 100644 index 00000000..37e7a938 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-4324/ANY/0001.patch 
@@ -0,0 +1,308 @@ +From 8ad163e831a2b2c30551edb360f168a604cdb0bb Mon Sep 17 00:00:00 2001 +From: Alok Kediya +Date: Fri, 12 Dec 2014 04:20:59 -0800 +Subject: msm: camera: isp: Validate input parameter for vfe_write and vfe_read + +Validate input parameters for read and write operations in vfe to +ensure operations are performed within vfe register boundary and +within structure limits passed by caller. + +Change-Id: If3719de65b32773c2b6ff904da76a951dbfb11eb +Signed-off-by: Alok Kediya +--- + .../platform/msm/camera_v2/isp/msm_isp_util.c | 162 ++++++++++++++------- + .../msm/camera_v2/sensor/io/msm_camera_io_util.c | 11 ++ + .../msm/camera_v2/sensor/io/msm_camera_io_util.h | 2 + + 3 files changed, 119 insertions(+), 56 deletions(-) + +diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c +index 620c01a..e1b79ce 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c +@@ -494,9 +494,24 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, + struct msm_vfe_reg_cfg_cmd *reg_cfg_cmd, + uint32_t *cfg_data, uint32_t cmd_len) + { ++ if (!vfe_dev || !reg_cfg_cmd) { ++ pr_err("%s:%d failed: vfe_dev %p reg_cfg_cmd %p\n", __func__, ++ __LINE__, vfe_dev, reg_cfg_cmd); ++ return -EINVAL; ++ } ++ if ((reg_cfg_cmd->cmd_type != VFE_CFG_MASK) && ++ (!cfg_data || !cmd_len)) { ++ pr_err("%s:%d failed: cmd type %d cfg_data %p cmd_len %d\n", ++ __func__, __LINE__, reg_cfg_cmd->cmd_type, cfg_data, ++ cmd_len); ++ return -EINVAL; ++ } ++ ++ /* Validate input parameters */ + switch (reg_cfg_cmd->cmd_type) { + case VFE_WRITE: +- case VFE_READ: { ++ case VFE_READ: ++ case VFE_WRITE_MB: { + if ((reg_cfg_cmd->u.rw_info.reg_offset > + (UINT_MAX - reg_cfg_cmd->u.rw_info.len)) || + ((reg_cfg_cmd->u.rw_info.reg_offset + +@@ -522,6 +537,58 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, + } + break; + } ++ ++ case 
VFE_WRITE_DMI_16BIT: ++ case VFE_WRITE_DMI_32BIT: ++ case VFE_WRITE_DMI_64BIT: ++ case VFE_READ_DMI_16BIT: ++ case VFE_READ_DMI_32BIT: ++ case VFE_READ_DMI_64BIT: { ++ if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) { ++ if ((reg_cfg_cmd->u.dmi_info.hi_tbl_offset <= ++ reg_cfg_cmd->u.dmi_info.lo_tbl_offset) || ++ (reg_cfg_cmd->u.dmi_info.hi_tbl_offset - ++ reg_cfg_cmd->u.dmi_info.lo_tbl_offset != ++ (sizeof(uint32_t)))) { ++ pr_err("%s:%d hi %d lo %d\n", ++ __func__, __LINE__, ++ reg_cfg_cmd->u.dmi_info.hi_tbl_offset, ++ reg_cfg_cmd->u.dmi_info.hi_tbl_offset); ++ return -EINVAL; ++ } ++ if (reg_cfg_cmd->u.dmi_info.len <= sizeof(uint32_t)) { ++ pr_err("%s:%d len %d\n", ++ __func__, __LINE__, ++ reg_cfg_cmd->u.dmi_info.len); ++ return -EINVAL; ++ } ++ if (((UINT_MAX - ++ reg_cfg_cmd->u.dmi_info.hi_tbl_offset) < ++ (reg_cfg_cmd->u.dmi_info.len - ++ sizeof(uint32_t))) || ++ ((reg_cfg_cmd->u.dmi_info.hi_tbl_offset + ++ reg_cfg_cmd->u.dmi_info.len - ++ sizeof(uint32_t)) > cmd_len)) { ++ pr_err("%s:%d hi_tbl_offset %d len %d cmd %d\n", ++ __func__, __LINE__, ++ reg_cfg_cmd->u.dmi_info.hi_tbl_offset, ++ reg_cfg_cmd->u.dmi_info.len, cmd_len); ++ return -EINVAL; ++ } ++ } ++ if ((reg_cfg_cmd->u.dmi_info.lo_tbl_offset > ++ (UINT_MAX - reg_cfg_cmd->u.dmi_info.len)) || ++ ((reg_cfg_cmd->u.dmi_info.lo_tbl_offset + ++ reg_cfg_cmd->u.dmi_info.len) > cmd_len)) { ++ pr_err("%s:%d lo_tbl_offset %d len %d cmd_len %d\n", ++ __func__, __LINE__, ++ reg_cfg_cmd->u.dmi_info.lo_tbl_offset, ++ reg_cfg_cmd->u.dmi_info.len, cmd_len); ++ return -EINVAL; ++ } ++ break; ++ } ++ + default: + break; + } +@@ -535,39 +602,27 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, + break; + } + case VFE_WRITE_MB: { +- uint32_t *data_ptr = cfg_data + +- reg_cfg_cmd->u.rw_info.cmd_data_offset/4; +- +- if ((UINT_MAX - sizeof(*data_ptr) < +- reg_cfg_cmd->u.rw_info.reg_offset) || +- (resource_size(vfe_dev->vfe_mem) < +- reg_cfg_cmd->u.rw_info.reg_offset + +- sizeof(*data_ptr))) { +- pr_err("%s: 
VFE_WRITE_MB: Invalid length\n", __func__); +- return -EINVAL; +- } +- msm_camera_io_w_mb(*data_ptr, vfe_dev->vfe_base + +- reg_cfg_cmd->u.rw_info.reg_offset); ++ msm_camera_io_memcpy_mb(vfe_dev->vfe_base + ++ reg_cfg_cmd->u.rw_info.reg_offset, ++ cfg_data + reg_cfg_cmd->u.rw_info.cmd_data_offset/4, ++ reg_cfg_cmd->u.rw_info.len); + break; + } + case VFE_CFG_MASK: { + uint32_t temp; +- if (resource_size(vfe_dev->vfe_mem) < +- reg_cfg_cmd->u.mask_info.reg_offset) +- return -EINVAL; +- temp = msm_camera_io_r(vfe_dev->vfe_base + +- reg_cfg_cmd->u.mask_info.reg_offset); +- +- temp &= ~reg_cfg_cmd->u.mask_info.mask; +- temp |= reg_cfg_cmd->u.mask_info.val; + if ((UINT_MAX - sizeof(temp) < +- reg_cfg_cmd->u.mask_info.reg_offset) || ++ reg_cfg_cmd->u.mask_info.reg_offset) || + (resource_size(vfe_dev->vfe_mem) < + reg_cfg_cmd->u.mask_info.reg_offset + + sizeof(temp))) { + pr_err("%s: VFE_CFG_MASK: Invalid length\n", __func__); + return -EINVAL; + } ++ temp = msm_camera_io_r(vfe_dev->vfe_base + ++ reg_cfg_cmd->u.mask_info.reg_offset); ++ ++ temp &= ~reg_cfg_cmd->u.mask_info.mask; ++ temp |= reg_cfg_cmd->u.mask_info.val; + msm_camera_io_w(temp, vfe_dev->vfe_base + + reg_cfg_cmd->u.mask_info.reg_offset); + break; +@@ -579,22 +634,9 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, + uint32_t *hi_tbl_ptr = NULL, *lo_tbl_ptr = NULL; + uint32_t hi_val, lo_val, lo_val1; + if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) { +- if ((UINT_MAX - reg_cfg_cmd->u.dmi_info.hi_tbl_offset < +- reg_cfg_cmd->u.dmi_info.len) || +- (reg_cfg_cmd->u.dmi_info.hi_tbl_offset + +- reg_cfg_cmd->u.dmi_info.len > cmd_len)) { +- pr_err("Invalid Hi Table out of bounds\n"); +- return -EINVAL; +- } + hi_tbl_ptr = cfg_data + + reg_cfg_cmd->u.dmi_info.hi_tbl_offset/4; + } +- +- if (reg_cfg_cmd->u.dmi_info.lo_tbl_offset + +- reg_cfg_cmd->u.dmi_info.len > cmd_len) { +- pr_err("Invalid Lo Table out of bounds\n"); +- return -EINVAL; +- } + lo_tbl_ptr = cfg_data + + 
reg_cfg_cmd->u.dmi_info.lo_tbl_offset/4; + if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) +@@ -627,30 +669,18 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, + uint32_t *hi_tbl_ptr = NULL, *lo_tbl_ptr = NULL; + uint32_t hi_val, lo_val, lo_val1; + if (reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) { +- if (reg_cfg_cmd->u.dmi_info.hi_tbl_offset + +- reg_cfg_cmd->u.dmi_info.len > cmd_len) { +- pr_err("Invalid Hi Table out of bounds\n"); +- return -EINVAL; +- } + hi_tbl_ptr = cfg_data + + reg_cfg_cmd->u.dmi_info.hi_tbl_offset/4; + } + +- if (reg_cfg_cmd->u.dmi_info.lo_tbl_offset + +- reg_cfg_cmd->u.dmi_info.len > cmd_len) { +- pr_err("Invalid Lo Table out of bounds\n"); +- return -EINVAL; +- } + lo_tbl_ptr = cfg_data + + reg_cfg_cmd->u.dmi_info.lo_tbl_offset/4; + +- for (i = 0; i < reg_cfg_cmd->u.dmi_info.len/4; i++) { +- if (reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) { +- hi_val = msm_camera_io_r(vfe_dev->vfe_base + +- vfe_dev->hw_info->dmi_reg_offset); +- *hi_tbl_ptr++ = hi_val; +- } ++ if (reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) ++ reg_cfg_cmd->u.dmi_info.len = ++ reg_cfg_cmd->u.dmi_info.len / 2; + ++ for (i = 0; i < reg_cfg_cmd->u.dmi_info.len/4; i++) { + lo_val = msm_camera_io_r(vfe_dev->vfe_base + + vfe_dev->hw_info->dmi_reg_offset + 0x4); + +@@ -660,6 +690,13 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, + lo_val |= lo_val1 << 16; + } + *lo_tbl_ptr++ = lo_val; ++ if (reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) { ++ hi_val = msm_camera_io_r(vfe_dev->vfe_base + ++ vfe_dev->hw_info->dmi_reg_offset); ++ *hi_tbl_ptr = hi_val; ++ hi_tbl_ptr += 2; ++ lo_tbl_ptr++; ++ } + } + break; + } +@@ -698,7 +735,7 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, + if ((data_ptr < cfg_data) || + (UINT_MAX / sizeof(*data_ptr) < + (data_ptr - cfg_data)) || +- (sizeof(*data_ptr) * (data_ptr - cfg_data) > ++ (sizeof(*data_ptr) * (data_ptr - cfg_data) >= + cmd_len)) + return -EINVAL; + *data_ptr++ = msm_camera_io_r(vfe_dev->vfe_base + 
+@@ -707,9 +744,16 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, + } + break; + } +- case GET_SOC_HW_VER: +- *cfg_data = vfe_dev->soc_hw_version; +- break; ++ case GET_SOC_HW_VER: { ++ if (cmd_len < sizeof(uint32_t)) { ++ pr_err("%s:%d failed: invalid cmd len %u exp %zu\n", ++ __func__, __LINE__, cmd_len, ++ sizeof(uint32_t)); ++ return -EINVAL; ++ } ++ *cfg_data = vfe_dev->soc_hw_version; ++ break; ++ } + case GET_MAX_CLK_RATE: { + int rc = 0; + +@@ -728,6 +772,12 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, + break; + } + case SET_WM_UB_SIZE: { ++ if (cmd_len < sizeof(uint32_t)) { ++ pr_err("%s:%d failed: invalid cmd len %u exp %zu\n", ++ __func__, __LINE__, cmd_len, ++ sizeof(uint32_t)); ++ return -EINVAL; ++ } + vfe_dev->vfe_ub_size = *cfg_data; + break; + } +diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c +index 46a0542..7d369ff 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c +@@ -107,6 +107,17 @@ void msm_camera_io_memcpy(void __iomem *dest_addr, + msm_camera_io_dump(dest_addr, len); + } + ++void msm_camera_io_memcpy_mb(void __iomem *dest_addr, ++ void __iomem *src_addr, u32 len) ++{ ++ int i; ++ u32 *d = (u32 *) dest_addr; ++ u32 *s = (u32 *) src_addr; ++ ++ for (i = 0; i < (len / 4); i++) ++ msm_camera_io_w_mb(*s++, d++); ++} ++ + int msm_cam_clk_sel_src(struct device *dev, struct msm_cam_clk_info *clk_info, + struct msm_cam_clk_info *clk_src_info, int num_clk) + { +diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.h b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.h +index 2e6f809..90925a9 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.h ++++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.h +@@ -28,6 +28,8 @@ u32 
msm_camera_io_r_mb(void __iomem *addr); + void msm_camera_io_dump(void __iomem *addr, int size); + void msm_camera_io_memcpy(void __iomem *dest_addr, + void __iomem *src_addr, u32 len); ++void msm_camera_io_memcpy_mb(void __iomem *dest_addr, ++ void __iomem *src_addr, u32 len); + int msm_cam_clk_sel_src(struct device *dev, struct msm_cam_clk_info *clk_info, + struct msm_cam_clk_info *clk_src_info, int num_clk); + int msm_cam_clk_enable(struct device *dev, struct msm_cam_clk_info *clk_info, +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2014-4655/3.2/1.patch b/Patches/Linux_CVEs/CVE-2014-4655/3.2/1.patch deleted file mode 100644 index 4628f39f..00000000 --- a/Patches/Linux_CVEs/CVE-2014-4655/3.2/1.patch +++ /dev/null 
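Review bot: The new validation block in `msm_isp_send_hw_cmd()` applies the `hi_tbl_offset` checks only when `cmd_type == VFE_WRITE_DMI_64BIT`, yet the same patch removes the `hi_tbl_offset + len > cmd_len` check from the read path. For `VFE_READ_DMI_64BIT`, `hi_tbl_ptr = cfg_data + hi_tbl_offset/4` is therefore written through with no bound against `cmd_len`. Widening the condition to `if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT || reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) {` would cover both directions. In the first `pr_err` of that block, the `lo %d` argument is `hi_tbl_offset` a second time; it should be `reg_cfg_cmd->u.dmi_info.lo_tbl_offset`.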
@@ -1,90 +0,0 @@ -From 0e2e43eca302b31f64ebfe4734fd2cc7358c4555 Mon Sep 17 00:00:00 2001 -From: Lars-Peter Clausen -Date: Wed, 18 Jun 2014 13:32:32 +0200 -Subject: ALSA: control: Fix replacing user controls - -commit 82262a46627bebb0febcc26664746c25cef08563 upstream. - -There are two issues with the current implementation for replacing user -controls. The first is that the code does not check if the control is actually a -user control and neither does it check if the control is owned by the process -that tries to remove it. That allows userspace applications to remove arbitrary -controls, which can cause a user after free if a for example a driver does not -expect a control to be removed from under its feed. - -The second issue is that on one hand when a control is replaced the -user_ctl_count limit is not checked and on the other hand the user_ctl_count is -increased (even though the number of user controls does not change). This allows -userspace, once the user_ctl_count limit as been reached, to repeatedly replace -a control until user_ctl_count overflows. Once that happens new controls can be -added effectively bypassing the user_ctl_count limit. - -Both issues can be fixed by instead of open-coding the removal of the control -that is to be replaced to use snd_ctl_remove_user_ctl(). This function does -proper permission checks as well as decrements user_ctl_count after the control -has been removed. - -Note that by using snd_ctl_remove_user_ctl() the check which returns -EBUSY at -beginning of the function if the control already exists is removed. This is not -a problem though since the check is quite useless, because the lock that is -protecting the control list is released between the check and before adding the -new control to the list, which means that it is possible that a different -control with the same settings is added to the list after the check. 
Luckily -there is another check that is done while holding the lock in snd_ctl_add(), so -we'll rely on that to make sure that the same control is not added twice. - -Signed-off-by: Lars-Peter Clausen -Acked-by: Jaroslav Kysela -Signed-off-by: Takashi Iwai -Signed-off-by: Ben Hutchings ---- - sound/core/control.c | 25 +++++++++---------------- - 1 file changed, 9 insertions(+), 16 deletions(-) - -diff --git a/sound/core/control.c b/sound/core/control.c -index 920ea56..caa949e 100644 ---- a/sound/core/control.c -+++ b/sound/core/control.c -@@ -1151,8 +1151,6 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, - struct user_element *ue; - int idx, err; - -- if (!replace && card->user_ctl_count >= MAX_USER_CONTROLS) -- return -ENOMEM; - if (info->count < 1) - return -EINVAL; - access = info->access == 0 ? SNDRV_CTL_ELEM_ACCESS_READWRITE : -@@ -1161,21 +1159,16 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, - SNDRV_CTL_ELEM_ACCESS_TLV_READWRITE)); - info->id.numid = 0; - memset(&kctl, 0, sizeof(kctl)); -- down_write(&card->controls_rwsem); -- _kctl = snd_ctl_find_id(card, &info->id); -- err = 0; -- if (_kctl) { -- if (replace) -- err = snd_ctl_remove(card, _kctl); -- else -- err = -EBUSY; -- } else { -- if (replace) -- err = -ENOENT; -+ -+ if (replace) { -+ err = snd_ctl_remove_user_ctl(file, &info->id); -+ if (err) -+ return err; - } -- up_write(&card->controls_rwsem); -- if (err < 0) -- return err; -+ -+ if (card->user_ctl_count >= MAX_USER_CONTROLS) -+ return -ENOMEM; -+ - memcpy(&kctl.id, &info->id, sizeof(info->id)); - kctl.count = info->owner ? info->owner : 1; - access |= SNDRV_CTL_ELEM_ACCESS_USER; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-4655/3.2/2.patch b/Patches/Linux_CVEs/CVE-2014-4655/3.2/2.patch deleted file mode 100644 index 2b9602fb..00000000 --- a/Patches/Linux_CVEs/CVE-2014-4655/3.2/2.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 08ede038a738f22c1b3425051175e1d627d8dd43 Mon Sep 17 00:00:00 2001 -From: Lu Guanqun -Date: Wed, 24 Aug 2011 14:45:10 +0800 -Subject: [PATCH] ALSA: core: release the constraint check for replace ops - -Suppose the ALSA card already has a number of MAX_USER_CONTROLS controls, and -the user wants to replace one, it should not fail at this condition check. - -Signed-off-by: Lu Guanqun -Signed-off-by: Takashi Iwai ---- - sound/core/control.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/sound/core/control.c b/sound/core/control.c -index 7f2b3a7eabb2b..dc2a44048c850 100644 ---- a/sound/core/control.c -+++ b/sound/core/control.c -@@ -1073,7 +1073,7 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, - struct user_element *ue; - int idx, err; - -- if (card->user_ctl_count >= MAX_USER_CONTROLS) -+ if (!replace && card->user_ctl_count >= MAX_USER_CONTROLS) - return -ENOMEM; - if (info->count < 1) - return -EINVAL; diff --git a/Patches/Linux_CVEs/CVE-2014-4655/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-4655/ANY/0001.patch similarity index 97% rename from Patches/Linux_CVEs/CVE-2014-4655/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-4655/ANY/0001.patch index 14ca8e9d..e310caaa 100644 --- a/Patches/Linux_CVEs/CVE-2014-4655/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2014-4655/ANY/0001.patch @@ -1,7 +1,7 @@ From 82262a46627bebb0febcc26664746c25cef08563 Mon Sep 17 00:00:00 2001 From: Lars-Peter Clausen Date: Wed, 18 Jun 2014 13:32:32 +0200 -Subject: [PATCH] ALSA: control: Fix replacing user controls +Subject: ALSA: control: Fix replacing user controls There are two issues with the current implementation for replacing user controls. The first is that the code does not check if the control is actually a @@ -40,7 +40,7 @@ Signed-off-by: Takashi Iwai 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/sound/core/control.c b/sound/core/control.c -index 00ab034f5fcbe..1f413c2865113 100644 +index 00ab034..1f413c2 100644 
--- a/sound/core/control.c +++ b/sound/core/control.c @@ -1154,8 +1154,6 @@ static int snd_ctl_elem_add(struct snd_ctl_file *file, @@ -83,3 +83,6 @@ index 00ab034f5fcbe..1f413c2865113 100644 memcpy(&kctl.id, &info->id, sizeof(info->id)); kctl.count = info->owner ? info->owner : 1; access |= SNDRV_CTL_ELEM_ACCESS_USER; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2014-4656/3.2/1.patch b/Patches/Linux_CVEs/CVE-2014-4656/3.2/1.patch deleted file mode 100644 index 9cc4560c..00000000 --- a/Patches/Linux_CVEs/CVE-2014-4656/3.2/1.patch +++ /dev/null @@ -1,39 +0,0 @@ -From f7500568b7633324e7c4282bb8baa3ff3f17fd7a Mon Sep 17 00:00:00 2001 -From: Lars-Peter Clausen -Date: Wed, 18 Jun 2014 13:32:35 +0200 -Subject: ALSA: control: Make sure that id->index does not overflow - -commit 883a1d49f0d77d30012f114b2e19fc141beb3e8e upstream. - -The ALSA control code expects that the range of assigned indices to a control is -continuous and does not overflow. Currently there are no checks to enforce this. -If a control with a overflowing index range is created that control becomes -effectively inaccessible and unremovable since snd_ctl_find_id() will not be -able to find it. This patch adds a check that makes sure that controls with a -overflowing index range can not be created. - -Signed-off-by: Lars-Peter Clausen -Acked-by: Jaroslav Kysela -Signed-off-by: Takashi Iwai -Signed-off-by: Ben Hutchings ---- - sound/core/control.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/sound/core/control.c b/sound/core/control.c -index d3f17de..9210594 100644 ---- a/sound/core/control.c -+++ b/sound/core/control.c -@@ -341,6 +341,9 @@ int snd_ctl_add(struct snd_card *card, struct snd_kcontrol *kcontrol) - if (snd_BUG_ON(!card || !kcontrol->info)) - goto error; - id = kcontrol->id; -+ if (id.index > UINT_MAX - kcontrol->count) -+ goto error; -+ - down_write(&card->controls_rwsem); - if (snd_ctl_find_id(card, &id)) { - up_write(&card->controls_rwsem); --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2014-4656/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-4656/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-4656/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-4656/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-4943/3.2/1.patch b/Patches/Linux_CVEs/CVE-2014-4943/3.2/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-4943/3.2/1.patch rename to Patches/Linux_CVEs/CVE-2014-4943/3.2/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-4943/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-4943/^3.15/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-4943/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-4943/^3.15/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2014-5206/^3.16/0.patch b/Patches/Linux_CVEs/CVE-2014-5206/^3.16/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-5206/^3.16/0.patch rename to Patches/Linux_CVEs/CVE-2014-5206/^3.16/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-7822/3.2-^3.16/0.patch b/Patches/Linux_CVEs/CVE-2014-7822/3.2-3.16/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-7822/3.2-^3.16/0.patch rename to Patches/Linux_CVEs/CVE-2014-7822/3.2-3.16/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-7825/3.2/0.patch b/Patches/Linux_CVEs/CVE-2014-7825/3.2/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-7825/3.2/0.patch rename to Patches/Linux_CVEs/CVE-2014-7825/3.2/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-7825/3.2/1.patch b/Patches/Linux_CVEs/CVE-2014-7825/3.2/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-7825/3.2/1.patch rename to Patches/Linux_CVEs/CVE-2014-7825/3.2/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2014-7825/ANY/2.patch b/Patches/Linux_CVEs/CVE-2014-7825/^3.17/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-7825/ANY/2.patch rename to Patches/Linux_CVEs/CVE-2014-7825/^3.17/0003.patch 
diff --git a/Patches/Linux_CVEs/CVE-2014-7970/3.0/1.patch b/Patches/Linux_CVEs/CVE-2014-7970/3.0/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-7970/3.0/1.patch rename to Patches/Linux_CVEs/CVE-2014-7970/3.0/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-7970/3.4/2.patch b/Patches/Linux_CVEs/CVE-2014-7970/3.4/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-7970/3.4/2.patch rename to Patches/Linux_CVEs/CVE-2014-7970/3.4/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2014-7970/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-7970/^3.17/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-7970/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-7970/^3.17/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2014-8160/3.2-^3.18/1.patch b/Patches/Linux_CVEs/CVE-2014-8160/3.2/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-8160/3.2-^3.18/1.patch rename to Patches/Linux_CVEs/CVE-2014-8160/3.2/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-8160/^3.18/0.patch b/Patches/Linux_CVEs/CVE-2014-8160/^3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-8160/^3.18/0.patch rename to Patches/Linux_CVEs/CVE-2014-8160/^3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2014-8173/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-8173/3.9-3.12/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-8173/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-8173/3.9-3.12/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-8709/3.2/1.patch b/Patches/Linux_CVEs/CVE-2014-8709/3.2/1.patch deleted file mode 100644 index 8340cbe2..00000000 --- a/Patches/Linux_CVEs/CVE-2014-8709/3.2/1.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From c7b18cdf1887e8ce91e04342cfd2d8fe1630be92 Mon Sep 17 00:00:00 2001 -From: Johannes Berg -Date: Sat, 1 Feb 2014 00:16:23 +0100 -Subject: mac80211: fix fragmentation code, particularly for encryption - -commit 338f977f4eb441e69bb9a46eaa0ac715c931a67f upstream. - -The "new" fragmentation code (since my rewrite almost 5 years ago) -erroneously sets skb->len rather than using skb_trim() to adjust -the length of the first fragment after copying out all the others. -This leaves the skb tail pointer pointing to after where the data -originally ended, and thus causes the encryption MIC to be written -at that point, rather than where it belongs: immediately after the -data. - -The impact of this is that if software encryption is done, then - a) encryption doesn't work for the first fragment, the connection - becomes unusable as the first fragment will never be properly - verified at the receiver, the MIC is practically guaranteed to - be wrong - b) we leak up to 8 bytes of plaintext (!) of the packet out into - the air - -This is only mitigated by the fact that many devices are capable -of doing encryption in hardware, in which case this can't happen -as the tail pointer is irrelevant in that case. Additionally, -fragmentation is not used very frequently and would normally have -to be configured manually. - -Fix this by using skb_trim() properly. - -Fixes: 2de8e0d999b8 ("mac80211: rewrite fragmentation") -Reported-by: Jouni Malinen -Signed-off-by: Johannes Berg -[bwh: Backported to 3.2: adjust context] -Signed-off-by: Ben Hutchings ---- - net/mac80211/tx.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c -index 4ff35bf..5186f8b 100644 ---- a/net/mac80211/tx.c -+++ b/net/mac80211/tx.c -@@ -884,7 +884,7 @@ static int ieee80211_fragment(struct ieee80211_local *local, - pos += fraglen; - } - -- skb->len = hdrlen + per_fragm; -+ skb_trim(skb, hdrlen + per_fragm); - return 0; - } - --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2014-8709/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-8709/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-8709/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-8709/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0001.patch new file mode 100644 index 00000000..1e7db87b --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0001.patch @@ -0,0 +1,16 @@ +diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S +index 8f3e2de..41baa1f 100644 +--- a/arch/x86/kernel/entry_32.S ++++ b/arch/x86/kernel/entry_32.S +@@ -554,11 +554,6 @@ + + CFI_RESTORE_STATE + ldt_ss: +- larl PT_OLDSS(%esp), %eax +- jnz restore_nocheck +- testl $0x00400000, %eax # returning to 32bit stack? +- jnz restore_nocheck # allright, normal return +- + #ifdef CONFIG_PARAVIRT + /* + * The kernel can't run on a non-flat stack if paravirt mode diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0001.patch.base64 new file mode 100644 index 00000000..e00288ed --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0001.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0002.patch new file mode 100644 index 00000000..946704fd --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0002.patch 
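Review bot: The added CVE-2014-9322/ANY/0001.patch begins directly at `diff --git a/arch/x86/kernel/entry_32.S` with no From/Subject header and no upstream commit id, so nothing in the file records which upstream change it is meant to reproduce. It removes the `larl PT_OLDSS(%esp), %eax` / `testl $0x00400000, %eax` filter in front of the `ldt_ss` path, and a deletion on the kernel return path is hard to audit as a security fix without that reference; the 3.2 patch for CVE-2014-8709 deleted in this same commit still carried its `commit … upstream.` line. I would keep the original mail header, or at least put a line such as `Upstream-commit: <UPSTREAM_COMMIT_ID>` before the first `diff --git` line, and the same applies to ANY/0002.patch. The `.patch.base64` siblings duplicate the patch text, so the import step should verify that each decodes to exactly the bytes of its `.patch` file, otherwise the two copies can drift apart unnoticed.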
@@ -0,0 +1,519 @@ +diff --git a/Documentation/x86/x86_64/mm.txt b/Documentation/x86/x86_64/mm.txt +index 881582f..bd43704 100644 +--- a/Documentation/x86/x86_64/mm.txt ++++ b/Documentation/x86/x86_64/mm.txt +@@ -12,6 +12,8 @@ + ffffe90000000000 - ffffe9ffffffffff (=40 bits) hole + ffffea0000000000 - ffffeaffffffffff (=40 bits) virtual memory map (1TB) + ... unused hole ... ++ffffff0000000000 - ffffff7fffffffff (=39 bits) %esp fixup stacks ++... unused hole ... + ffffffff80000000 - ffffffffa0000000 (=512 MB) kernel text mapping, from phys 0 + ffffffffa0000000 - ffffffffff5fffff (=1525 MB) module mapping space + ffffffffff600000 - ffffffffffdfffff (=8 MB) vsyscalls +diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h +index 2d88344..b1609f2 100644 +--- a/arch/x86/include/asm/pgtable_64_types.h ++++ b/arch/x86/include/asm/pgtable_64_types.h +@@ -61,6 +61,8 @@ + #define MODULES_VADDR _AC(0xffffffffa0000000, UL) + #define MODULES_END _AC(0xffffffffff000000, UL) + #define MODULES_LEN (MODULES_END - MODULES_VADDR) ++#define ESPFIX_PGD_ENTRY _AC(-2, UL) ++#define ESPFIX_BASE_ADDR (ESPFIX_PGD_ENTRY << PGDIR_SHIFT) + + #define EARLY_DYNAMIC_PAGE_TABLES 64 + +diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h +index b7bf350..93797d1 100644 +--- a/arch/x86/include/asm/setup.h ++++ b/arch/x86/include/asm/setup.h +@@ -60,6 +60,9 @@ + static inline void x86_ce4100_early_setup(void) { } + #endif + ++extern void init_espfix_bsp(void); ++extern void init_espfix_ap(void); ++ + #ifndef _SETUP + + /* +diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile +index 7bd3bd3..0fde293 100644 +--- a/arch/x86/kernel/Makefile ++++ b/arch/x86/kernel/Makefile +@@ -27,6 +27,7 @@ + obj-y += syscall_$(BITS).o + obj-$(CONFIG_X86_64) += vsyscall_64.o + obj-$(CONFIG_X86_64) += vsyscall_emu_64.o ++obj-$(CONFIG_X86_64) += espfix_64.o + obj-y += bootflag.o e820.o + obj-y += pci-dma.o quirks.o topology.o kdebugfs.o + obj-y += 
alternative.o i8253.o pci-nommu.o hw_breakpoint.o +diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S +index 7272089..75ccdc1 100644 +--- a/arch/x86/kernel/entry_64.S ++++ b/arch/x86/kernel/entry_64.S +@@ -58,6 +58,7 @@ + #include + #include + #include ++#include + #include + + /* Avoid __ASSEMBLER__'ifying just for this. */ +@@ -1055,8 +1056,16 @@ + RESTORE_ARGS 1,8,1 + + irq_return: ++ /* ++ * Are we returning to a stack segment from the LDT? Note: in ++ * 64-bit mode SS:RSP on the exception stack is always valid. ++ */ ++ testb $4,(SS-RIP)(%rsp) ++ jnz irq_return_ldt ++ ++irq_return_iret: + INTERRUPT_RETURN +- _ASM_EXTABLE(irq_return, bad_iret) ++ _ASM_EXTABLE(irq_return_iret, bad_iret) + + #ifdef CONFIG_PARAVIRT + ENTRY(native_iret) +@@ -1064,6 +1073,30 @@ + _ASM_EXTABLE(native_iret, bad_iret) + #endif + ++irq_return_ldt: ++ pushq_cfi %rax ++ pushq_cfi %rdi ++ SWAPGS ++ movq PER_CPU_VAR(espfix_waddr),%rdi ++ movq %rax,(0*8)(%rdi) /* RAX */ ++ movq (2*8)(%rsp),%rax /* RIP */ ++ movq %rax,(1*8)(%rdi) ++ movq (3*8)(%rsp),%rax /* CS */ ++ movq %rax,(2*8)(%rdi) ++ movq (4*8)(%rsp),%rax /* RFLAGS */ ++ movq %rax,(3*8)(%rdi) ++ movq (6*8)(%rsp),%rax /* SS */ ++ movq %rax,(5*8)(%rdi) ++ movq (5*8)(%rsp),%rax /* RSP */ ++ movq %rax,(4*8)(%rdi) ++ andl $0xffff0000,%eax ++ popq_cfi %rdi ++ orq PER_CPU_VAR(espfix_stack),%rax ++ SWAPGS ++ movq %rax,%rsp ++ popq_cfi %rax ++ jmp irq_return_iret ++ + .section .fixup,"ax" + bad_iret: + /* +@@ -1127,9 +1160,41 @@ + call preempt_schedule_irq + jmp exit_intr + #endif +- + CFI_ENDPROC + END(common_interrupt) ++ ++ /* ++ * If IRET takes a fault on the espfix stack, then we ++ * end up promoting it to a doublefault. In that case, ++ * modify the stack to make it look like we just entered ++ * the #GP handler from user space, similar to bad_iret. ++ */ ++ ALIGN ++__do_double_fault: ++ XCPT_FRAME 1 RDI+8 ++ movq RSP(%rdi),%rax /* Trap on the espfix stack? 
*/ ++ sarq $PGDIR_SHIFT,%rax ++ cmpl $ESPFIX_PGD_ENTRY,%eax ++ jne do_double_fault /* No, just deliver the fault */ ++ cmpl $__KERNEL_CS,CS(%rdi) ++ jne do_double_fault ++ movq RIP(%rdi),%rax ++ cmpq $irq_return_iret,%rax ++#ifdef CONFIG_PARAVIRT ++ je 1f ++ cmpq $native_iret,%rax ++#endif ++ jne do_double_fault /* This shouldn't happen... */ ++1: ++ movq PER_CPU_VAR(kernel_stack),%rax ++ subq $(6*8-KERNEL_STACK_OFFSET),%rax /* Reset to original stack */ ++ movq %rax,RSP(%rdi) ++ movq $0,(%rax) /* Missing (lost) #GP error code */ ++ movq $general_protection,RIP(%rdi) ++ retq ++ CFI_ENDPROC ++END(__do_double_fault) ++ + /* + * End of kprobes section + */ +@@ -1298,7 +1363,7 @@ + zeroentry bounds do_bounds + zeroentry invalid_op do_invalid_op + zeroentry device_not_available do_device_not_available +-paranoiderrorentry double_fault do_double_fault ++paranoiderrorentry double_fault __do_double_fault + zeroentry coprocessor_segment_overrun do_coprocessor_segment_overrun + errorentry invalid_TSS do_invalid_TSS + errorentry segment_not_present do_segment_not_present +@@ -1585,7 +1650,7 @@ + */ + error_kernelspace: + incl %ebx +- leaq irq_return(%rip),%rcx ++ leaq irq_return_iret(%rip),%rcx + cmpq %rcx,RIP+8(%rsp) + je error_swapgs + movl %ecx,%eax /* zero extend */ +diff --git a/arch/x86/kernel/espfix_64.c b/arch/x86/kernel/espfix_64.c +new file mode 100644 +index 0000000..8a64da3 +--- /dev/null ++++ b/arch/x86/kernel/espfix_64.c +@@ -0,0 +1,208 @@ ++/* ----------------------------------------------------------------------- * ++ * ++ * Copyright 2014 Intel Corporation; author: H. Peter Anvin ++ * ++ * This program is free software; you can redistribute it and/or modify it ++ * under the terms and conditions of the GNU General Public License, ++ * version 2, as published by the Free Software Foundation. 
++ * ++ * This program is distributed in the hope it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for ++ * more details. ++ * ++ * ----------------------------------------------------------------------- */ ++ ++/* ++ * The IRET instruction, when returning to a 16-bit segment, only ++ * restores the bottom 16 bits of the user space stack pointer. This ++ * causes some 16-bit software to break, but it also leaks kernel state ++ * to user space. ++ * ++ * This works around this by creating percpu "ministacks", each of which ++ * is mapped 2^16 times 64K apart. When we detect that the return SS is ++ * on the LDT, we copy the IRET frame to the ministack and use the ++ * relevant alias to return to userspace. The ministacks are mapped ++ * readonly, so if the IRET fault we promote #GP to #DF which is an IST ++ * vector and thus has its own stack; we then do the fixup in the #DF ++ * handler. ++ * ++ * This file sets up the ministacks and the related page tables. The ++ * actual ministack invocation is in entry_64.S. ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/* ++ * Note: we only need 6*8 = 48 bytes for the espfix stack, but round ++ * it up to a cache line to avoid unnecessary sharing. ++ */ ++#define ESPFIX_STACK_SIZE (8*8UL) ++#define ESPFIX_STACKS_PER_PAGE (PAGE_SIZE/ESPFIX_STACK_SIZE) ++ ++/* There is address space for how many espfix pages? 
*/ ++#define ESPFIX_PAGE_SPACE (1UL << (PGDIR_SHIFT-PAGE_SHIFT-16)) ++ ++#define ESPFIX_MAX_CPUS (ESPFIX_STACKS_PER_PAGE * ESPFIX_PAGE_SPACE) ++#if CONFIG_NR_CPUS > ESPFIX_MAX_CPUS ++# error "Need more than one PGD for the ESPFIX hack" ++#endif ++ ++#define PGALLOC_GFP (GFP_KERNEL | __GFP_NOTRACK | __GFP_REPEAT | __GFP_ZERO) ++ ++/* This contains the *bottom* address of the espfix stack */ ++DEFINE_PER_CPU_READ_MOSTLY(unsigned long, espfix_stack); ++DEFINE_PER_CPU_READ_MOSTLY(unsigned long, espfix_waddr); ++ ++/* Initialization mutex - should this be a spinlock? */ ++static DEFINE_MUTEX(espfix_init_mutex); ++ ++/* Page allocation bitmap - each page serves ESPFIX_STACKS_PER_PAGE CPUs */ ++#define ESPFIX_MAX_PAGES DIV_ROUND_UP(CONFIG_NR_CPUS, ESPFIX_STACKS_PER_PAGE) ++static void *espfix_pages[ESPFIX_MAX_PAGES]; ++ ++static __page_aligned_bss pud_t espfix_pud_page[PTRS_PER_PUD] ++ __aligned(PAGE_SIZE); ++ ++static unsigned int page_random, slot_random; ++ ++/* ++ * This returns the bottom address of the espfix stack for a specific CPU. ++ * The math allows for a non-power-of-two ESPFIX_STACK_SIZE, in which case ++ * we have to account for some amount of padding at the end of each page. 
++ */ ++static inline unsigned long espfix_base_addr(unsigned int cpu) ++{ ++ unsigned long page, slot; ++ unsigned long addr; ++ ++ page = (cpu / ESPFIX_STACKS_PER_PAGE) ^ page_random; ++ slot = (cpu + slot_random) % ESPFIX_STACKS_PER_PAGE; ++ addr = (page << PAGE_SHIFT) + (slot * ESPFIX_STACK_SIZE); ++ addr = (addr & 0xffffUL) | ((addr & ~0xffffUL) << 16); ++ addr += ESPFIX_BASE_ADDR; ++ return addr; ++} ++ ++#define PTE_STRIDE (65536/PAGE_SIZE) ++#define ESPFIX_PTE_CLONES (PTRS_PER_PTE/PTE_STRIDE) ++#define ESPFIX_PMD_CLONES PTRS_PER_PMD ++#define ESPFIX_PUD_CLONES (65536/(ESPFIX_PTE_CLONES*ESPFIX_PMD_CLONES)) ++ ++#define PGTABLE_PROT ((_KERNPG_TABLE & ~_PAGE_RW) | _PAGE_NX) ++ ++static void init_espfix_random(void) ++{ ++ unsigned long rand; ++ ++ /* ++ * This is run before the entropy pools are initialized, ++ * but this is hopefully better than nothing. ++ */ ++ if (!arch_get_random_long(&rand)) { ++ /* The constant is an arbitrary large prime */ ++ rdtscll(rand); ++ rand *= 0xc345c6b72fd16123UL; ++ } ++ ++ slot_random = rand % ESPFIX_STACKS_PER_PAGE; ++ page_random = (rand / ESPFIX_STACKS_PER_PAGE) ++ & (ESPFIX_PAGE_SPACE - 1); ++} ++ ++void __init init_espfix_bsp(void) ++{ ++ pgd_t *pgd_p; ++ pteval_t ptemask; ++ ++ ptemask = __supported_pte_mask; ++ ++ /* Install the espfix pud into the kernel page directory */ ++ pgd_p = &init_level4_pgt[pgd_index(ESPFIX_BASE_ADDR)]; ++ pgd_populate(&init_mm, pgd_p, (pud_t *)espfix_pud_page); ++ ++ /* Randomize the locations */ ++ init_espfix_random(); ++ ++ /* The rest is the same as for any other processor */ ++ init_espfix_ap(); ++} ++ ++void init_espfix_ap(void) ++{ ++ unsigned int cpu, page; ++ unsigned long addr; ++ pud_t pud, *pud_p; ++ pmd_t pmd, *pmd_p; ++ pte_t pte, *pte_p; ++ int n; ++ void *stack_page; ++ pteval_t ptemask; ++ ++ /* We only have to do this once... 
*/ ++ if (likely(this_cpu_read(espfix_stack))) ++ return; /* Already initialized */ ++ ++ cpu = smp_processor_id(); ++ addr = espfix_base_addr(cpu); ++ page = cpu/ESPFIX_STACKS_PER_PAGE; ++ ++ /* Did another CPU already set this up? */ ++ stack_page = ACCESS_ONCE(espfix_pages[page]); ++ if (likely(stack_page)) ++ goto done; ++ ++ mutex_lock(&espfix_init_mutex); ++ ++ /* Did we race on the lock? */ ++ stack_page = ACCESS_ONCE(espfix_pages[page]); ++ if (stack_page) ++ goto unlock_done; ++ ++ ptemask = __supported_pte_mask; ++ ++ pud_p = &espfix_pud_page[pud_index(addr)]; ++ pud = *pud_p; ++ if (!pud_present(pud)) { ++ pmd_p = (pmd_t *)__get_free_page(PGALLOC_GFP); ++ pud = __pud(__pa(pmd_p) | (PGTABLE_PROT & ptemask)); ++ paravirt_alloc_pud(&init_mm, __pa(pmd_p) >> PAGE_SHIFT); ++ for (n = 0; n < ESPFIX_PUD_CLONES; n++) ++ set_pud(&pud_p[n], pud); ++ } ++ ++ pmd_p = pmd_offset(&pud, addr); ++ pmd = *pmd_p; ++ if (!pmd_present(pmd)) { ++ pte_p = (pte_t *)__get_free_page(PGALLOC_GFP); ++ pmd = __pmd(__pa(pte_p) | (PGTABLE_PROT & ptemask)); ++ paravirt_alloc_pmd(&init_mm, __pa(pte_p) >> PAGE_SHIFT); ++ for (n = 0; n < ESPFIX_PMD_CLONES; n++) ++ set_pmd(&pmd_p[n], pmd); ++ } ++ ++ pte_p = pte_offset_kernel(&pmd, addr); ++ stack_page = (void *)__get_free_page(GFP_KERNEL); ++ pte = __pte(__pa(stack_page) | (__PAGE_KERNEL_RO & ptemask)); ++ paravirt_alloc_pte(&init_mm, __pa(stack_page) >> PAGE_SHIFT); ++ for (n = 0; n < ESPFIX_PTE_CLONES; n++) ++ set_pte(&pte_p[n*PTE_STRIDE], pte); ++ ++ /* Job is done for this CPU and any CPU which shares this page */ ++ ACCESS_ONCE(espfix_pages[page]) = stack_page; ++ ++unlock_done: ++ mutex_unlock(&espfix_init_mutex); ++done: ++ this_cpu_write(espfix_stack, addr); ++ this_cpu_write(espfix_waddr, (unsigned long)stack_page ++ + (addr & ~PAGE_MASK)); ++} +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c +index bfd348e..9f009cc 100644 +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -265,6 +265,13 @@ + 
check_tsc_sync_target(); + + /* ++ * Enable the espfix hack for this CPU ++ */ ++#ifdef CONFIG_X86_64 ++ init_espfix_ap(); ++#endif ++ ++ /* + * We need to hold vector_lock so there the set of online cpus + * does not change while we are assigning vectors to cpus. Holding + * this lock ensures we don't half assign or remove an irq from a cpu. +diff --git a/arch/x86/mm/dump_pagetables.c b/arch/x86/mm/dump_pagetables.c +index 0002a3a..e04e677 100644 +--- a/arch/x86/mm/dump_pagetables.c ++++ b/arch/x86/mm/dump_pagetables.c +@@ -30,11 +30,13 @@ + unsigned long start_address; + unsigned long current_address; + const struct addr_marker *marker; ++ unsigned long lines; + }; + + struct addr_marker { + unsigned long start_address; + const char *name; ++ unsigned long max_lines; + }; + + /* indices for address_markers; keep sync'd w/ address_markers below */ +@@ -45,6 +47,7 @@ + LOW_KERNEL_NR, + VMALLOC_START_NR, + VMEMMAP_START_NR, ++ ESPFIX_START_NR, + HIGH_KERNEL_NR, + MODULES_VADDR_NR, + MODULES_END_NR, +@@ -67,6 +70,7 @@ + { PAGE_OFFSET, "Low Kernel Mapping" }, + { VMALLOC_START, "vmalloc() Area" }, + { VMEMMAP_START, "Vmemmap" }, ++ { ESPFIX_BASE_ADDR, "ESPfix Area", 16 }, + { __START_KERNEL_map, "High Kernel Mapping" }, + { MODULES_VADDR, "Modules" }, + { MODULES_END, "End Modules" }, +@@ -163,7 +167,7 @@ + pgprot_t new_prot, int level) + { + pgprotval_t prot, cur; +- static const char units[] = "KMGTPE"; ++ static const char units[] = "BKMGTPE"; + + /* + * If we have a "break" in the series, we need to flush the state that +@@ -178,6 +182,7 @@ + st->current_prot = new_prot; + st->level = level; + st->marker = address_markers; ++ st->lines = 0; + seq_printf(m, "---[ %s ]---\n", st->marker->name); + } else if (prot != cur || level != st->level || + st->current_address >= st->marker[1].start_address) { +@@ -188,17 +193,21 @@ + /* + * Now print the actual finished series + */ +- seq_printf(m, "0x%0*lx-0x%0*lx ", +- width, st->start_address, +- width, 
st->current_address); ++ if (!st->marker->max_lines || ++ st->lines < st->marker->max_lines) { ++ seq_printf(m, "0x%0*lx-0x%0*lx ", ++ width, st->start_address, ++ width, st->current_address); + +- delta = (st->current_address - st->start_address) >> 10; +- while (!(delta & 1023) && unit[1]) { +- delta >>= 10; +- unit++; ++ delta = (st->current_address - st->start_address); ++ while (!(delta & 1023) && unit[1]) { ++ delta >>= 10; ++ unit++; ++ } ++ seq_printf(m, "%9lu%c ", delta, *unit); ++ printk_prot(m, st->current_prot, st->level); + } +- seq_printf(m, "%9lu%c ", delta, *unit); +- printk_prot(m, st->current_prot, st->level); ++ st->lines++; + + /* + * We print markers for special areas of address space, +@@ -206,7 +215,15 @@ + * This helps in the interpretation. + */ + if (st->current_address >= st->marker[1].start_address) { ++ if (st->marker->max_lines && ++ st->lines > st->marker->max_lines) { ++ unsigned long nskip = ++ st->lines - st->marker->max_lines; ++ seq_printf(m, "... %lu entr%s skipped ... \n", ++ nskip, nskip == 1 ? "y" : "ies"); ++ } + st->marker++; ++ st->lines = 0; + seq_printf(m, "---[ %s ]---\n", st->marker->name); + } + +diff --git a/init/main.c b/init/main.c +index 9484f4b..a9e4a76 100644 +--- a/init/main.c ++++ b/init/main.c +@@ -605,6 +605,10 @@ + if (efi_enabled(EFI_RUNTIME_SERVICES)) + efi_enter_virtual_mode(); + #endif ++#ifdef CONFIG_X86_64 ++ /* Should be run before the first non-init thread is created */ ++ init_espfix_bsp(); ++#endif + thread_info_cache_init(); + cred_init(); + fork_init(totalram_pages); diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0002.patch.base64 new file mode 100644 index 00000000..2c64bd6e --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0002.patch.base64 
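Review bot: In `init_espfix_ap()` of the added espfix_64.c, the paravirt allocation hooks look one level off from the pages they announce: the page allocated for `pmd_p` is reported with `paravirt_alloc_pud`, the page for `pte_p` with `paravirt_alloc_pmd`, and `stack_page`, which is a data page rather than a page table, with `paravirt_alloc_pte`. On a paravirtualized guest this presumably registers the wrong page type with the hypervisor. I would expect `paravirt_alloc_pmd(&init_mm, __pa(pmd_p) >> PAGE_SHIFT);` and `paravirt_alloc_pte(&init_mm, __pa(pte_p) >> PAGE_SHIFT);`, with the call on `stack_page` dropped; if a later patch in this CVE directory already makes that correction, the ordering dependency deserves a note next to this file. The three `__get_free_page()` results are also passed to `__pa()` without a NULL check.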
@@ -0,0 +1 @@ +ZGlmZiAtLWdpdCBhL0RvY3VtZW50YXRpb24veDg2L3g4Nl82NC9tbS50eHQgYi9Eb2N1bWVudGF0aW9uL3g4Ni94ODZfNjQvbW0udHh0CmluZGV4IDg4MTU4MmYuLmJkNDM3MDQgMTAwNjQ0Ci0tLSBhL0RvY3VtZW50YXRpb24veDg2L3g4Nl82NC9tbS50eHQKKysrIGIvRG9jdW1lbnRhdGlvbi94ODYveDg2XzY0L21tLnR4dApAQCAtMTIsNiArMTIsOCBAQAogZmZmZmU5MDAwMDAwMDAwMCAtIGZmZmZlOWZmZmZmZmZmZmYgKD00MCBiaXRzKSBob2xlCiBmZmZmZWEwMDAwMDAwMDAwIC0gZmZmZmVhZmZmZmZmZmZmZiAoPTQwIGJpdHMpIHZpcnR1YWwgbWVtb3J5IG1hcCAoMVRCKQogLi4uIHVudXNlZCBob2xlIC4uLgorZmZmZmZmMDAwMDAwMDAwMCAtIGZmZmZmZjdmZmZmZmZmZmYgKD0zOSBiaXRzKSAlZXNwIGZpeHVwIHN0YWNrcworLi4uIHVudXNlZCBob2xlIC4uLgogZmZmZmZmZmY4MDAwMDAwMCAtIGZmZmZmZmZmYTAwMDAwMDAgKD01MTIgTUIpICBrZXJuZWwgdGV4dCBtYXBwaW5nLCBmcm9tIHBoeXMgMAogZmZmZmZmZmZhMDAwMDAwMCAtIGZmZmZmZmZmZmY1ZmZmZmYgKD0xNTI1IE1CKSBtb2R1bGUgbWFwcGluZyBzcGFjZQogZmZmZmZmZmZmZjYwMDAwMCAtIGZmZmZmZmZmZmZkZmZmZmYgKD04IE1CKSB2c3lzY2FsbHMKZGlmZiAtLWdpdCBhL2FyY2gveDg2L2luY2x1ZGUvYXNtL3BndGFibGVfNjRfdHlwZXMuaCBiL2FyY2gveDg2L2luY2x1ZGUvYXNtL3BndGFibGVfNjRfdHlwZXMuaAppbmRleCAyZDg4MzQ0Li5iMTYwOWYyIDEwMDY0NAotLS0gYS9hcmNoL3g4Ni9pbmNsdWRlL2FzbS9wZ3RhYmxlXzY0X3R5cGVzLmgKKysrIGIvYXJjaC94ODYvaW5jbHVkZS9hc20vcGd0YWJsZV82NF90eXBlcy5oCkBAIC02MSw2ICs2MSw4IEBACiAjZGVmaW5lIE1PRFVMRVNfVkFERFIgICAgX0FDKDB4ZmZmZmZmZmZhMDAwMDAwMCwgVUwpCiAjZGVmaW5lIE1PRFVMRVNfRU5EICAgICAgX0FDKDB4ZmZmZmZmZmZmZjAwMDAwMCwgVUwpCiAjZGVmaW5lIE1PRFVMRVNfTEVOICAgKE1PRFVMRVNfRU5EIC0gTU9EVUxFU19WQUREUikKKyNkZWZpbmUgRVNQRklYX1BHRF9FTlRSWSBfQUMoLTIsIFVMKQorI2RlZmluZSBFU1BGSVhfQkFTRV9BRERSIChFU1BGSVhfUEdEX0VOVFJZIDw8IFBHRElSX1NISUZUKQogCiAjZGVmaW5lIEVBUkxZX0RZTkFNSUNfUEFHRV9UQUJMRVMJNjQKIApkaWZmIC0tZ2l0IGEvYXJjaC94ODYvaW5jbHVkZS9hc20vc2V0dXAuaCBiL2FyY2gveDg2L2luY2x1ZGUvYXNtL3NldHVwLmgKaW5kZXggYjdiZjM1MC4uOTM3OTdkMSAxMDA2NDQKLS0tIGEvYXJjaC94ODYvaW5jbHVkZS9hc20vc2V0dXAuaAorKysgYi9hcmNoL3g4Ni9pbmNsdWRlL2FzbS9zZXR1cC5oCkBAIC02MCw2ICs2MCw5IEBACiBzdGF0aWMgaW5saW5lIHZvaWQgeDg2X2NlNDEwMF9lYXJseV9zZXR1cCh2b2lkKSB7IH0KICNlbmRpZgogCitleHRlcm4gdm9pZCBpbml0X2VzcGZpeF9ic3Aodm9pZCk7CitleHRlcm4gdm9pZCBpbml0X2Vzc
GZpeF9hcCh2b2lkKTsKKwogI2lmbmRlZiBfU0VUVVAKIAogLyoKZGlmZiAtLWdpdCBhL2FyY2gveDg2L2tlcm5lbC9NYWtlZmlsZSBiL2FyY2gveDg2L2tlcm5lbC9NYWtlZmlsZQppbmRleCA3YmQzYmQzLi4wZmRlMjkzIDEwMDY0NAotLS0gYS9hcmNoL3g4Ni9rZXJuZWwvTWFrZWZpbGUKKysrIGIvYXJjaC94ODYva2VybmVsL01ha2VmaWxlCkBAIC0yNyw2ICsyNyw3IEBACiBvYmoteQkJCSs9IHN5c2NhbGxfJChCSVRTKS5vCiBvYmotJChDT05GSUdfWDg2XzY0KQkrPSB2c3lzY2FsbF82NC5vCiBvYmotJChDT05GSUdfWDg2XzY0KQkrPSB2c3lzY2FsbF9lbXVfNjQubworb2JqLSQoQ09ORklHX1g4Nl82NCkJKz0gZXNwZml4XzY0Lm8KIG9iai15CQkJKz0gYm9vdGZsYWcubyBlODIwLm8KIG9iai15CQkJKz0gcGNpLWRtYS5vIHF1aXJrcy5vIHRvcG9sb2d5Lm8ga2RlYnVnZnMubwogb2JqLXkJCQkrPSBhbHRlcm5hdGl2ZS5vIGk4MjUzLm8gcGNpLW5vbW11Lm8gaHdfYnJlYWtwb2ludC5vCmRpZmYgLS1naXQgYS9hcmNoL3g4Ni9rZXJuZWwvZW50cnlfNjQuUyBiL2FyY2gveDg2L2tlcm5lbC9lbnRyeV82NC5TCmluZGV4IDcyNzIwODkuLjc1Y2NkYzEgMTAwNjQ0Ci0tLSBhL2FyY2gveDg2L2tlcm5lbC9lbnRyeV82NC5TCisrKyBiL2FyY2gveDg2L2tlcm5lbC9lbnRyeV82NC5TCkBAIC01OCw2ICs1OCw3IEBACiAjaW5jbHVkZSA8YXNtL2FzbS5oPgogI2luY2x1ZGUgPGFzbS9jb250ZXh0X3RyYWNraW5nLmg+CiAjaW5jbHVkZSA8YXNtL3NtYXAuaD4KKyNpbmNsdWRlIDxhc20vcGd0YWJsZV90eXBlcy5oPgogI2luY2x1ZGUgPGxpbnV4L2Vyci5oPgogCiAvKiBBdm9pZCBfX0FTU0VNQkxFUl9fJ2lmeWluZyA8bGludXgvYXVkaXQuaD4ganVzdCBmb3IgdGhpcy4gICovCkBAIC0xMDU1LDggKzEwNTYsMTYgQEAKIAlSRVNUT1JFX0FSR1MgMSw4LDEKIAogaXJxX3JldHVybjoKKwkvKgorCSAqIEFyZSB3ZSByZXR1cm5pbmcgdG8gYSBzdGFjayBzZWdtZW50IGZyb20gdGhlIExEVD8gIE5vdGU6IGluCisJICogNjQtYml0IG1vZGUgU1M6UlNQIG9uIHRoZSBleGNlcHRpb24gc3RhY2sgaXMgYWx3YXlzIHZhbGlkLgorCSAqLworCXRlc3RiICQ0LChTUy1SSVApKCVyc3ApCisJam56IGlycV9yZXR1cm5fbGR0CisKK2lycV9yZXR1cm5faXJldDoKIAlJTlRFUlJVUFRfUkVUVVJOCi0JX0FTTV9FWFRBQkxFKGlycV9yZXR1cm4sIGJhZF9pcmV0KQorCV9BU01fRVhUQUJMRShpcnFfcmV0dXJuX2lyZXQsIGJhZF9pcmV0KQogCiAjaWZkZWYgQ09ORklHX1BBUkFWSVJUCiBFTlRSWShuYXRpdmVfaXJldCkKQEAgLTEwNjQsNiArMTA3MywzMCBAQAogCV9BU01fRVhUQUJMRShuYXRpdmVfaXJldCwgYmFkX2lyZXQpCiAjZW5kaWYKIAoraXJxX3JldHVybl9sZHQ6CisJcHVzaHFfY2ZpICVyYXgKKwlwdXNocV9jZmkgJXJkaQorCVNXQVBHUworCW1vdnEgUEVSX0NQVV9WQVIoZXNwZml4X3dhZGRyKSwlcmRpCisJbW92cSAlcmF4LCgwKjgpKCVyZGkpCS8qI
FJBWCAqLworCW1vdnEgKDIqOCkoJXJzcCksJXJheAkvKiBSSVAgKi8KKwltb3ZxICVyYXgsKDEqOCkoJXJkaSkKKwltb3ZxICgzKjgpKCVyc3ApLCVyYXgJLyogQ1MgKi8KKwltb3ZxICVyYXgsKDIqOCkoJXJkaSkKKwltb3ZxICg0KjgpKCVyc3ApLCVyYXgJLyogUkZMQUdTICovCisJbW92cSAlcmF4LCgzKjgpKCVyZGkpCisJbW92cSAoNio4KSglcnNwKSwlcmF4CS8qIFNTICovCisJbW92cSAlcmF4LCg1KjgpKCVyZGkpCisJbW92cSAoNSo4KSglcnNwKSwlcmF4CS8qIFJTUCAqLworCW1vdnEgJXJheCwoNCo4KSglcmRpKQorCWFuZGwgJDB4ZmZmZjAwMDAsJWVheAorCXBvcHFfY2ZpICVyZGkKKwlvcnEgUEVSX0NQVV9WQVIoZXNwZml4X3N0YWNrKSwlcmF4CisJU1dBUEdTCisJbW92cSAlcmF4LCVyc3AKKwlwb3BxX2NmaSAlcmF4CisJam1wIGlycV9yZXR1cm5faXJldAorCiAJLnNlY3Rpb24gLmZpeHVwLCJheCIKIGJhZF9pcmV0OgogCS8qCkBAIC0xMTI3LDkgKzExNjAsNDEgQEAKIAljYWxsIHByZWVtcHRfc2NoZWR1bGVfaXJxCiAJam1wIGV4aXRfaW50cgogI2VuZGlmCi0KIAlDRklfRU5EUFJPQwogRU5EKGNvbW1vbl9pbnRlcnJ1cHQpCisKKwkvKgorCSAqIElmIElSRVQgdGFrZXMgYSBmYXVsdCBvbiB0aGUgZXNwZml4IHN0YWNrLCB0aGVuIHdlCisJICogZW5kIHVwIHByb21vdGluZyBpdCB0byBhIGRvdWJsZWZhdWx0LiAgSW4gdGhhdCBjYXNlLAorCSAqIG1vZGlmeSB0aGUgc3RhY2sgdG8gbWFrZSBpdCBsb29rIGxpa2Ugd2UganVzdCBlbnRlcmVkCisJICogdGhlICNHUCBoYW5kbGVyIGZyb20gdXNlciBzcGFjZSwgc2ltaWxhciB0byBiYWRfaXJldC4KKwkgKi8KKwlBTElHTgorX19kb19kb3VibGVfZmF1bHQ6CisJWENQVF9GUkFNRSAxIFJESSs4CisJbW92cSBSU1AoJXJkaSksJXJheAkJLyogVHJhcCBvbiB0aGUgZXNwZml4IHN0YWNrPyAqLworCXNhcnEgJFBHRElSX1NISUZULCVyYXgKKwljbXBsICRFU1BGSVhfUEdEX0VOVFJZLCVlYXgKKwlqbmUgZG9fZG91YmxlX2ZhdWx0CQkvKiBObywganVzdCBkZWxpdmVyIHRoZSBmYXVsdCAqLworCWNtcGwgJF9fS0VSTkVMX0NTLENTKCVyZGkpCisJam5lIGRvX2RvdWJsZV9mYXVsdAorCW1vdnEgUklQKCVyZGkpLCVyYXgKKwljbXBxICRpcnFfcmV0dXJuX2lyZXQsJXJheAorI2lmZGVmIENPTkZJR19QQVJBVklSVAorCWplIDFmCisJY21wcSAkbmF0aXZlX2lyZXQsJXJheAorI2VuZGlmCisJam5lIGRvX2RvdWJsZV9mYXVsdAkJLyogVGhpcyBzaG91bGRuJ3QgaGFwcGVuLi4uICovCisxOgorCW1vdnEgUEVSX0NQVV9WQVIoa2VybmVsX3N0YWNrKSwlcmF4CisJc3VicSAkKDYqOC1LRVJORUxfU1RBQ0tfT0ZGU0VUKSwlcmF4CS8qIFJlc2V0IHRvIG9yaWdpbmFsIHN0YWNrICovCisJbW92cSAlcmF4LFJTUCglcmRpKQorCW1vdnEgJDAsKCVyYXgpCQkJLyogTWlzc2luZyAobG9zdCkgI0dQIGVycm9yIGNvZGUgKi8KKwltb3ZxICRnZW5lcmFsX3Byb3RlY3Rpb24sUklQKCVyZGkpC
isJcmV0cQorCUNGSV9FTkRQUk9DCitFTkQoX19kb19kb3VibGVfZmF1bHQpCisKIC8qCiAgKiBFbmQgb2Yga3Byb2JlcyBzZWN0aW9uCiAgKi8KQEAgLTEyOTgsNyArMTM2Myw3IEBACiB6ZXJvZW50cnkgYm91bmRzIGRvX2JvdW5kcwogemVyb2VudHJ5IGludmFsaWRfb3AgZG9faW52YWxpZF9vcAogemVyb2VudHJ5IGRldmljZV9ub3RfYXZhaWxhYmxlIGRvX2RldmljZV9ub3RfYXZhaWxhYmxlCi1wYXJhbm9pZGVycm9yZW50cnkgZG91YmxlX2ZhdWx0IGRvX2RvdWJsZV9mYXVsdAorcGFyYW5vaWRlcnJvcmVudHJ5IGRvdWJsZV9mYXVsdCBfX2RvX2RvdWJsZV9mYXVsdAogemVyb2VudHJ5IGNvcHJvY2Vzc29yX3NlZ21lbnRfb3ZlcnJ1biBkb19jb3Byb2Nlc3Nvcl9zZWdtZW50X292ZXJydW4KIGVycm9yZW50cnkgaW52YWxpZF9UU1MgZG9faW52YWxpZF9UU1MKIGVycm9yZW50cnkgc2VnbWVudF9ub3RfcHJlc2VudCBkb19zZWdtZW50X25vdF9wcmVzZW50CkBAIC0xNTg1LDcgKzE2NTAsNyBAQAogICovCiBlcnJvcl9rZXJuZWxzcGFjZToKIAlpbmNsICVlYngKLQlsZWFxIGlycV9yZXR1cm4oJXJpcCksJXJjeAorCWxlYXEgaXJxX3JldHVybl9pcmV0KCVyaXApLCVyY3gKIAljbXBxICVyY3gsUklQKzgoJXJzcCkKIAlqZSBlcnJvcl9zd2FwZ3MKIAltb3ZsICVlY3gsJWVheAkvKiB6ZXJvIGV4dGVuZCAqLwpkaWZmIC0tZ2l0IGEvYXJjaC94ODYva2VybmVsL2VzcGZpeF82NC5jIGIvYXJjaC94ODYva2VybmVsL2VzcGZpeF82NC5jCm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAuLjhhNjRkYTMKLS0tIC9kZXYvbnVsbAorKysgYi9hcmNoL3g4Ni9rZXJuZWwvZXNwZml4XzY0LmMKQEAgLTAsMCArMSwyMDggQEAKKy8qIC0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tICoKKyAqCisgKiAgIENvcHlyaWdodCAyMDE0IEludGVsIENvcnBvcmF0aW9uOyBhdXRob3I6IEguIFBldGVyIEFudmluCisgKgorICogICBUaGlzIHByb2dyYW0gaXMgZnJlZSBzb2Z0d2FyZTsgeW91IGNhbiByZWRpc3RyaWJ1dGUgaXQgYW5kL29yIG1vZGlmeSBpdAorICogICB1bmRlciB0aGUgdGVybXMgYW5kIGNvbmRpdGlvbnMgb2YgdGhlIEdOVSBHZW5lcmFsIFB1YmxpYyBMaWNlbnNlLAorICogICB2ZXJzaW9uIDIsIGFzIHB1Ymxpc2hlZCBieSB0aGUgRnJlZSBTb2Z0d2FyZSBGb3VuZGF0aW9uLgorICoKKyAqICAgVGhpcyBwcm9ncmFtIGlzIGRpc3RyaWJ1dGVkIGluIHRoZSBob3BlIGl0IHdpbGwgYmUgdXNlZnVsLCBidXQgV0lUSE9VVAorICogICBBTlkgV0FSUkFOVFk7IHdpdGhvdXQgZXZlbiB0aGUgaW1wbGllZCB3YXJyYW50eSBvZiBNRVJDSEFOVEFCSUxJVFkgb3IKKyAqICAgRklUTkVTUyBGT1IgQSBQQVJUSUNVTEFSIFBVUlBPU0UuICBTZWUgdGhlIEdOVSBHZW5lcmFsIFB1YmxpYyBMaWNlbnNlIGZvcgorICogICBtb3JlIGRldGFpbHMuCisgKgorICogLS0tL
S0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0gKi8KKworLyoKKyAqIFRoZSBJUkVUIGluc3RydWN0aW9uLCB3aGVuIHJldHVybmluZyB0byBhIDE2LWJpdCBzZWdtZW50LCBvbmx5CisgKiByZXN0b3JlcyB0aGUgYm90dG9tIDE2IGJpdHMgb2YgdGhlIHVzZXIgc3BhY2Ugc3RhY2sgcG9pbnRlci4gIFRoaXMKKyAqIGNhdXNlcyBzb21lIDE2LWJpdCBzb2Z0d2FyZSB0byBicmVhaywgYnV0IGl0IGFsc28gbGVha3Mga2VybmVsIHN0YXRlCisgKiB0byB1c2VyIHNwYWNlLgorICoKKyAqIFRoaXMgd29ya3MgYXJvdW5kIHRoaXMgYnkgY3JlYXRpbmcgcGVyY3B1ICJtaW5pc3RhY2tzIiwgZWFjaCBvZiB3aGljaAorICogaXMgbWFwcGVkIDJeMTYgdGltZXMgNjRLIGFwYXJ0LiAgV2hlbiB3ZSBkZXRlY3QgdGhhdCB0aGUgcmV0dXJuIFNTIGlzCisgKiBvbiB0aGUgTERULCB3ZSBjb3B5IHRoZSBJUkVUIGZyYW1lIHRvIHRoZSBtaW5pc3RhY2sgYW5kIHVzZSB0aGUKKyAqIHJlbGV2YW50IGFsaWFzIHRvIHJldHVybiB0byB1c2Vyc3BhY2UuICBUaGUgbWluaXN0YWNrcyBhcmUgbWFwcGVkCisgKiByZWFkb25seSwgc28gaWYgdGhlIElSRVQgZmF1bHQgd2UgcHJvbW90ZSAjR1AgdG8gI0RGIHdoaWNoIGlzIGFuIElTVAorICogdmVjdG9yIGFuZCB0aHVzIGhhcyBpdHMgb3duIHN0YWNrOyB3ZSB0aGVuIGRvIHRoZSBmaXh1cCBpbiB0aGUgI0RGCisgKiBoYW5kbGVyLgorICoKKyAqIFRoaXMgZmlsZSBzZXRzIHVwIHRoZSBtaW5pc3RhY2tzIGFuZCB0aGUgcmVsYXRlZCBwYWdlIHRhYmxlcy4gIFRoZQorICogYWN0dWFsIG1pbmlzdGFjayBpbnZvY2F0aW9uIGlzIGluIGVudHJ5XzY0LlMuCisgKi8KKworI2luY2x1ZGUgPGxpbnV4L2luaXQuaD4KKyNpbmNsdWRlIDxsaW51eC9pbml0X3Rhc2suaD4KKyNpbmNsdWRlIDxsaW51eC9rZXJuZWwuaD4KKyNpbmNsdWRlIDxsaW51eC9wZXJjcHUuaD4KKyNpbmNsdWRlIDxsaW51eC9nZnAuaD4KKyNpbmNsdWRlIDxsaW51eC9yYW5kb20uaD4KKyNpbmNsdWRlIDxhc20vcGd0YWJsZS5oPgorI2luY2x1ZGUgPGFzbS9wZ2FsbG9jLmg+CisjaW5jbHVkZSA8YXNtL3NldHVwLmg+CisKKy8qCisgKiBOb3RlOiB3ZSBvbmx5IG5lZWQgNio4ID0gNDggYnl0ZXMgZm9yIHRoZSBlc3BmaXggc3RhY2ssIGJ1dCByb3VuZAorICogaXQgdXAgdG8gYSBjYWNoZSBsaW5lIHRvIGF2b2lkIHVubmVjZXNzYXJ5IHNoYXJpbmcuCisgKi8KKyNkZWZpbmUgRVNQRklYX1NUQUNLX1NJWkUJKDgqOFVMKQorI2RlZmluZSBFU1BGSVhfU1RBQ0tTX1BFUl9QQUdFCShQQUdFX1NJWkUvRVNQRklYX1NUQUNLX1NJWkUpCisKKy8qIFRoZXJlIGlzIGFkZHJlc3Mgc3BhY2UgZm9yIGhvdyBtYW55IGVzcGZpeCBwYWdlcz8gKi8KKyNkZWZpbmUgRVNQRklYX1BBR0VfU1BBQ0UJKDFVTCA8PCAoUEdESVJfU0hJRlQtUEFHRV9TSElGVC0xNikpCisKKyNkZWZpbmUgRVNQRklYX01BW
F9DUFVTCQkoRVNQRklYX1NUQUNLU19QRVJfUEFHRSAqIEVTUEZJWF9QQUdFX1NQQUNFKQorI2lmIENPTkZJR19OUl9DUFVTID4gRVNQRklYX01BWF9DUFVTCisjIGVycm9yICJOZWVkIG1vcmUgdGhhbiBvbmUgUEdEIGZvciB0aGUgRVNQRklYIGhhY2siCisjZW5kaWYKKworI2RlZmluZSBQR0FMTE9DX0dGUCAoR0ZQX0tFUk5FTCB8IF9fR0ZQX05PVFJBQ0sgfCBfX0dGUF9SRVBFQVQgfCBfX0dGUF9aRVJPKQorCisvKiBUaGlzIGNvbnRhaW5zIHRoZSAqYm90dG9tKiBhZGRyZXNzIG9mIHRoZSBlc3BmaXggc3RhY2sgKi8KK0RFRklORV9QRVJfQ1BVX1JFQURfTU9TVExZKHVuc2lnbmVkIGxvbmcsIGVzcGZpeF9zdGFjayk7CitERUZJTkVfUEVSX0NQVV9SRUFEX01PU1RMWSh1bnNpZ25lZCBsb25nLCBlc3BmaXhfd2FkZHIpOworCisvKiBJbml0aWFsaXphdGlvbiBtdXRleCAtIHNob3VsZCB0aGlzIGJlIGEgc3BpbmxvY2s/ICovCitzdGF0aWMgREVGSU5FX01VVEVYKGVzcGZpeF9pbml0X211dGV4KTsKKworLyogUGFnZSBhbGxvY2F0aW9uIGJpdG1hcCAtIGVhY2ggcGFnZSBzZXJ2ZXMgRVNQRklYX1NUQUNLU19QRVJfUEFHRSBDUFVzICovCisjZGVmaW5lIEVTUEZJWF9NQVhfUEFHRVMgIERJVl9ST1VORF9VUChDT05GSUdfTlJfQ1BVUywgRVNQRklYX1NUQUNLU19QRVJfUEFHRSkKK3N0YXRpYyB2b2lkICplc3BmaXhfcGFnZXNbRVNQRklYX01BWF9QQUdFU107CisKK3N0YXRpYyBfX3BhZ2VfYWxpZ25lZF9ic3MgcHVkX3QgZXNwZml4X3B1ZF9wYWdlW1BUUlNfUEVSX1BVRF0KKwlfX2FsaWduZWQoUEFHRV9TSVpFKTsKKworc3RhdGljIHVuc2lnbmVkIGludCBwYWdlX3JhbmRvbSwgc2xvdF9yYW5kb207CisKKy8qCisgKiBUaGlzIHJldHVybnMgdGhlIGJvdHRvbSBhZGRyZXNzIG9mIHRoZSBlc3BmaXggc3RhY2sgZm9yIGEgc3BlY2lmaWMgQ1BVLgorICogVGhlIG1hdGggYWxsb3dzIGZvciBhIG5vbi1wb3dlci1vZi10d28gRVNQRklYX1NUQUNLX1NJWkUsIGluIHdoaWNoIGNhc2UKKyAqIHdlIGhhdmUgdG8gYWNjb3VudCBmb3Igc29tZSBhbW91bnQgb2YgcGFkZGluZyBhdCB0aGUgZW5kIG9mIGVhY2ggcGFnZS4KKyAqLworc3RhdGljIGlubGluZSB1bnNpZ25lZCBsb25nIGVzcGZpeF9iYXNlX2FkZHIodW5zaWduZWQgaW50IGNwdSkKK3sKKwl1bnNpZ25lZCBsb25nIHBhZ2UsIHNsb3Q7CisJdW5zaWduZWQgbG9uZyBhZGRyOworCisJcGFnZSA9IChjcHUgLyBFU1BGSVhfU1RBQ0tTX1BFUl9QQUdFKSBeIHBhZ2VfcmFuZG9tOworCXNsb3QgPSAoY3B1ICsgc2xvdF9yYW5kb20pICUgRVNQRklYX1NUQUNLU19QRVJfUEFHRTsKKwlhZGRyID0gKHBhZ2UgPDwgUEFHRV9TSElGVCkgKyAoc2xvdCAqIEVTUEZJWF9TVEFDS19TSVpFKTsKKwlhZGRyID0gKGFkZHIgJiAweGZmZmZVTCkgfCAoKGFkZHIgJiB+MHhmZmZmVUwpIDw8IDE2KTsKKwlhZGRyICs9IEVTUEZJWF9CQVNFX0FERFI7CisJcmV0dXJuIGFkZHI7Cit9CisKKyNkZWZpbmUgUFRFX
1NUUklERSAgICAgICAgKDY1NTM2L1BBR0VfU0laRSkKKyNkZWZpbmUgRVNQRklYX1BURV9DTE9ORVMgKFBUUlNfUEVSX1BURS9QVEVfU1RSSURFKQorI2RlZmluZSBFU1BGSVhfUE1EX0NMT05FUyBQVFJTX1BFUl9QTUQKKyNkZWZpbmUgRVNQRklYX1BVRF9DTE9ORVMgKDY1NTM2LyhFU1BGSVhfUFRFX0NMT05FUypFU1BGSVhfUE1EX0NMT05FUykpCisKKyNkZWZpbmUgUEdUQUJMRV9QUk9UCSAgKChfS0VSTlBHX1RBQkxFICYgfl9QQUdFX1JXKSB8IF9QQUdFX05YKQorCitzdGF0aWMgdm9pZCBpbml0X2VzcGZpeF9yYW5kb20odm9pZCkKK3sKKwl1bnNpZ25lZCBsb25nIHJhbmQ7CisKKwkvKgorCSAqIFRoaXMgaXMgcnVuIGJlZm9yZSB0aGUgZW50cm9weSBwb29scyBhcmUgaW5pdGlhbGl6ZWQsCisJICogYnV0IHRoaXMgaXMgaG9wZWZ1bGx5IGJldHRlciB0aGFuIG5vdGhpbmcuCisJICovCisJaWYgKCFhcmNoX2dldF9yYW5kb21fbG9uZygmcmFuZCkpIHsKKwkJLyogVGhlIGNvbnN0YW50IGlzIGFuIGFyYml0cmFyeSBsYXJnZSBwcmltZSAqLworCQlyZHRzY2xsKHJhbmQpOworCQlyYW5kICo9IDB4YzM0NWM2YjcyZmQxNjEyM1VMOworCX0KKworCXNsb3RfcmFuZG9tID0gcmFuZCAlIEVTUEZJWF9TVEFDS1NfUEVSX1BBR0U7CisJcGFnZV9yYW5kb20gPSAocmFuZCAvIEVTUEZJWF9TVEFDS1NfUEVSX1BBR0UpCisJCSYgKEVTUEZJWF9QQUdFX1NQQUNFIC0gMSk7Cit9CisKK3ZvaWQgX19pbml0IGluaXRfZXNwZml4X2JzcCh2b2lkKQoreworCXBnZF90ICpwZ2RfcDsKKwlwdGV2YWxfdCBwdGVtYXNrOworCisJcHRlbWFzayA9IF9fc3VwcG9ydGVkX3B0ZV9tYXNrOworCisJLyogSW5zdGFsbCB0aGUgZXNwZml4IHB1ZCBpbnRvIHRoZSBrZXJuZWwgcGFnZSBkaXJlY3RvcnkgKi8KKwlwZ2RfcCA9ICZpbml0X2xldmVsNF9wZ3RbcGdkX2luZGV4KEVTUEZJWF9CQVNFX0FERFIpXTsKKwlwZ2RfcG9wdWxhdGUoJmluaXRfbW0sIHBnZF9wLCAocHVkX3QgKillc3BmaXhfcHVkX3BhZ2UpOworCisJLyogUmFuZG9taXplIHRoZSBsb2NhdGlvbnMgKi8KKwlpbml0X2VzcGZpeF9yYW5kb20oKTsKKworCS8qIFRoZSByZXN0IGlzIHRoZSBzYW1lIGFzIGZvciBhbnkgb3RoZXIgcHJvY2Vzc29yICovCisJaW5pdF9lc3BmaXhfYXAoKTsKK30KKwordm9pZCBpbml0X2VzcGZpeF9hcCh2b2lkKQoreworCXVuc2lnbmVkIGludCBjcHUsIHBhZ2U7CisJdW5zaWduZWQgbG9uZyBhZGRyOworCXB1ZF90IHB1ZCwgKnB1ZF9wOworCXBtZF90IHBtZCwgKnBtZF9wOworCXB0ZV90IHB0ZSwgKnB0ZV9wOworCWludCBuOworCXZvaWQgKnN0YWNrX3BhZ2U7CisJcHRldmFsX3QgcHRlbWFzazsKKworCS8qIFdlIG9ubHkgaGF2ZSB0byBkbyB0aGlzIG9uY2UuLi4gKi8KKwlpZiAobGlrZWx5KHRoaXNfY3B1X3JlYWQoZXNwZml4X3N0YWNrKSkpCisJCXJldHVybjsJCS8qIEFscmVhZHkgaW5pdGlhbGl6ZWQgKi8KKworCWNwdSA9IHNtcF9wcm9jZXNzb3JfaWQoKTsKK
wlhZGRyID0gZXNwZml4X2Jhc2VfYWRkcihjcHUpOworCXBhZ2UgPSBjcHUvRVNQRklYX1NUQUNLU19QRVJfUEFHRTsKKworCS8qIERpZCBhbm90aGVyIENQVSBhbHJlYWR5IHNldCB0aGlzIHVwPyAqLworCXN0YWNrX3BhZ2UgPSBBQ0NFU1NfT05DRShlc3BmaXhfcGFnZXNbcGFnZV0pOworCWlmIChsaWtlbHkoc3RhY2tfcGFnZSkpCisJCWdvdG8gZG9uZTsKKworCW11dGV4X2xvY2soJmVzcGZpeF9pbml0X211dGV4KTsKKworCS8qIERpZCB3ZSByYWNlIG9uIHRoZSBsb2NrPyAqLworCXN0YWNrX3BhZ2UgPSBBQ0NFU1NfT05DRShlc3BmaXhfcGFnZXNbcGFnZV0pOworCWlmIChzdGFja19wYWdlKQorCQlnb3RvIHVubG9ja19kb25lOworCisJcHRlbWFzayA9IF9fc3VwcG9ydGVkX3B0ZV9tYXNrOworCisJcHVkX3AgPSAmZXNwZml4X3B1ZF9wYWdlW3B1ZF9pbmRleChhZGRyKV07CisJcHVkID0gKnB1ZF9wOworCWlmICghcHVkX3ByZXNlbnQocHVkKSkgeworCQlwbWRfcCA9IChwbWRfdCAqKV9fZ2V0X2ZyZWVfcGFnZShQR0FMTE9DX0dGUCk7CisJCXB1ZCA9IF9fcHVkKF9fcGEocG1kX3ApIHwgKFBHVEFCTEVfUFJPVCAmIHB0ZW1hc2spKTsKKwkJcGFyYXZpcnRfYWxsb2NfcHVkKCZpbml0X21tLCBfX3BhKHBtZF9wKSA+PiBQQUdFX1NISUZUKTsKKwkJZm9yIChuID0gMDsgbiA8IEVTUEZJWF9QVURfQ0xPTkVTOyBuKyspCisJCQlzZXRfcHVkKCZwdWRfcFtuXSwgcHVkKTsKKwl9CisKKwlwbWRfcCA9IHBtZF9vZmZzZXQoJnB1ZCwgYWRkcik7CisJcG1kID0gKnBtZF9wOworCWlmICghcG1kX3ByZXNlbnQocG1kKSkgeworCQlwdGVfcCA9IChwdGVfdCAqKV9fZ2V0X2ZyZWVfcGFnZShQR0FMTE9DX0dGUCk7CisJCXBtZCA9IF9fcG1kKF9fcGEocHRlX3ApIHwgKFBHVEFCTEVfUFJPVCAmIHB0ZW1hc2spKTsKKwkJcGFyYXZpcnRfYWxsb2NfcG1kKCZpbml0X21tLCBfX3BhKHB0ZV9wKSA+PiBQQUdFX1NISUZUKTsKKwkJZm9yIChuID0gMDsgbiA8IEVTUEZJWF9QTURfQ0xPTkVTOyBuKyspCisJCQlzZXRfcG1kKCZwbWRfcFtuXSwgcG1kKTsKKwl9CisKKwlwdGVfcCA9IHB0ZV9vZmZzZXRfa2VybmVsKCZwbWQsIGFkZHIpOworCXN0YWNrX3BhZ2UgPSAodm9pZCAqKV9fZ2V0X2ZyZWVfcGFnZShHRlBfS0VSTkVMKTsKKwlwdGUgPSBfX3B0ZShfX3BhKHN0YWNrX3BhZ2UpIHwgKF9fUEFHRV9LRVJORUxfUk8gJiBwdGVtYXNrKSk7CisJcGFyYXZpcnRfYWxsb2NfcHRlKCZpbml0X21tLCBfX3BhKHN0YWNrX3BhZ2UpID4+IFBBR0VfU0hJRlQpOworCWZvciAobiA9IDA7IG4gPCBFU1BGSVhfUFRFX0NMT05FUzsgbisrKQorCQlzZXRfcHRlKCZwdGVfcFtuKlBURV9TVFJJREVdLCBwdGUpOworCisJLyogSm9iIGlzIGRvbmUgZm9yIHRoaXMgQ1BVIGFuZCBhbnkgQ1BVIHdoaWNoIHNoYXJlcyB0aGlzIHBhZ2UgKi8KKwlBQ0NFU1NfT05DRShlc3BmaXhfcGFnZXNbcGFnZV0pID0gc3RhY2tfcGFnZTsKKwordW5sb2NrX2RvbmU6CisJbXV0ZXhfdW5sb
2NrKCZlc3BmaXhfaW5pdF9tdXRleCk7Citkb25lOgorCXRoaXNfY3B1X3dyaXRlKGVzcGZpeF9zdGFjaywgYWRkcik7CisJdGhpc19jcHVfd3JpdGUoZXNwZml4X3dhZGRyLCAodW5zaWduZWQgbG9uZylzdGFja19wYWdlCisJCSAgICAgICArIChhZGRyICYgflBBR0VfTUFTSykpOworfQpkaWZmIC0tZ2l0IGEvYXJjaC94ODYva2VybmVsL3NtcGJvb3QuYyBiL2FyY2gveDg2L2tlcm5lbC9zbXBib290LmMKaW5kZXggYmZkMzQ4ZS4uOWYwMDljYyAxMDA2NDQKLS0tIGEvYXJjaC94ODYva2VybmVsL3NtcGJvb3QuYworKysgYi9hcmNoL3g4Ni9rZXJuZWwvc21wYm9vdC5jCkBAIC0yNjUsNiArMjY1LDEzIEBACiAJY2hlY2tfdHNjX3N5bmNfdGFyZ2V0KCk7CiAKIAkvKgorCSAqIEVuYWJsZSB0aGUgZXNwZml4IGhhY2sgZm9yIHRoaXMgQ1BVCisJICovCisjaWZkZWYgQ09ORklHX1g4Nl82NAorCWluaXRfZXNwZml4X2FwKCk7CisjZW5kaWYKKworCS8qCiAJICogV2UgbmVlZCB0byBob2xkIHZlY3Rvcl9sb2NrIHNvIHRoZXJlIHRoZSBzZXQgb2Ygb25saW5lIGNwdXMKIAkgKiBkb2VzIG5vdCBjaGFuZ2Ugd2hpbGUgd2UgYXJlIGFzc2lnbmluZyB2ZWN0b3JzIHRvIGNwdXMuICBIb2xkaW5nCiAJICogdGhpcyBsb2NrIGVuc3VyZXMgd2UgZG9uJ3QgaGFsZiBhc3NpZ24gb3IgcmVtb3ZlIGFuIGlycSBmcm9tIGEgY3B1LgpkaWZmIC0tZ2l0IGEvYXJjaC94ODYvbW0vZHVtcF9wYWdldGFibGVzLmMgYi9hcmNoL3g4Ni9tbS9kdW1wX3BhZ2V0YWJsZXMuYwppbmRleCAwMDAyYTNhLi5lMDRlNjc3IDEwMDY0NAotLS0gYS9hcmNoL3g4Ni9tbS9kdW1wX3BhZ2V0YWJsZXMuYworKysgYi9hcmNoL3g4Ni9tbS9kdW1wX3BhZ2V0YWJsZXMuYwpAQCAtMzAsMTEgKzMwLDEzIEBACiAJdW5zaWduZWQgbG9uZyBzdGFydF9hZGRyZXNzOwogCXVuc2lnbmVkIGxvbmcgY3VycmVudF9hZGRyZXNzOwogCWNvbnN0IHN0cnVjdCBhZGRyX21hcmtlciAqbWFya2VyOworCXVuc2lnbmVkIGxvbmcgbGluZXM7CiB9OwogCiBzdHJ1Y3QgYWRkcl9tYXJrZXIgewogCXVuc2lnbmVkIGxvbmcgc3RhcnRfYWRkcmVzczsKIAljb25zdCBjaGFyICpuYW1lOworCXVuc2lnbmVkIGxvbmcgbWF4X2xpbmVzOwogfTsKIAogLyogaW5kaWNlcyBmb3IgYWRkcmVzc19tYXJrZXJzOyBrZWVwIHN5bmMnZCB3LyBhZGRyZXNzX21hcmtlcnMgYmVsb3cgKi8KQEAgLTQ1LDYgKzQ3LDcgQEAKIAlMT1dfS0VSTkVMX05SLAogCVZNQUxMT0NfU1RBUlRfTlIsCiAJVk1FTU1BUF9TVEFSVF9OUiwKKwlFU1BGSVhfU1RBUlRfTlIsCiAJSElHSF9LRVJORUxfTlIsCiAJTU9EVUxFU19WQUREUl9OUiwKIAlNT0RVTEVTX0VORF9OUiwKQEAgLTY3LDYgKzcwLDcgQEAKIAl7IFBBR0VfT0ZGU0VULAkJIkxvdyBLZXJuZWwgTWFwcGluZyIgfSwKIAl7IFZNQUxMT0NfU1RBUlQsICAgICAgICAidm1hbGxvYygpIEFyZWEiIH0sCiAJeyBWTUVNTUFQX1NUQVJULCAgICAgICAgIlZtZW1tYXAiIH0sCisJeyBFU1BGS
VhfQkFTRV9BRERSLAkiRVNQZml4IEFyZWEiLCAxNiB9LAogCXsgX19TVEFSVF9LRVJORUxfbWFwLCAgICJIaWdoIEtlcm5lbCBNYXBwaW5nIiB9LAogCXsgTU9EVUxFU19WQUREUiwgICAgICAgICJNb2R1bGVzIiB9LAogCXsgTU9EVUxFU19FTkQsICAgICAgICAgICJFbmQgTW9kdWxlcyIgfSwKQEAgLTE2Myw3ICsxNjcsNyBAQAogCQkgICAgICBwZ3Byb3RfdCBuZXdfcHJvdCwgaW50IGxldmVsKQogewogCXBncHJvdHZhbF90IHByb3QsIGN1cjsKLQlzdGF0aWMgY29uc3QgY2hhciB1bml0c1tdID0gIktNR1RQRSI7CisJc3RhdGljIGNvbnN0IGNoYXIgdW5pdHNbXSA9ICJCS01HVFBFIjsKIAogCS8qCiAJICogSWYgd2UgaGF2ZSBhICJicmVhayIgaW4gdGhlIHNlcmllcywgd2UgbmVlZCB0byBmbHVzaCB0aGUgc3RhdGUgdGhhdApAQCAtMTc4LDYgKzE4Miw3IEBACiAJCXN0LT5jdXJyZW50X3Byb3QgPSBuZXdfcHJvdDsKIAkJc3QtPmxldmVsID0gbGV2ZWw7CiAJCXN0LT5tYXJrZXIgPSBhZGRyZXNzX21hcmtlcnM7CisJCXN0LT5saW5lcyA9IDA7CiAJCXNlcV9wcmludGYobSwgIi0tLVsgJXMgXS0tLVxuIiwgc3QtPm1hcmtlci0+bmFtZSk7CiAJfSBlbHNlIGlmIChwcm90ICE9IGN1ciB8fCBsZXZlbCAhPSBzdC0+bGV2ZWwgfHwKIAkJICAgc3QtPmN1cnJlbnRfYWRkcmVzcyA+PSBzdC0+bWFya2VyWzFdLnN0YXJ0X2FkZHJlc3MpIHsKQEAgLTE4OCwxNyArMTkzLDIxIEBACiAJCS8qCiAJCSAqIE5vdyBwcmludCB0aGUgYWN0dWFsIGZpbmlzaGVkIHNlcmllcwogCQkgKi8KLQkJc2VxX3ByaW50ZihtLCAiMHglMCpseC0weCUwKmx4ICAgIiwKLQkJCSAgIHdpZHRoLCBzdC0+c3RhcnRfYWRkcmVzcywKLQkJCSAgIHdpZHRoLCBzdC0+Y3VycmVudF9hZGRyZXNzKTsKKwkJaWYgKCFzdC0+bWFya2VyLT5tYXhfbGluZXMgfHwKKwkJICAgIHN0LT5saW5lcyA8IHN0LT5tYXJrZXItPm1heF9saW5lcykgeworCQkJc2VxX3ByaW50ZihtLCAiMHglMCpseC0weCUwKmx4ICAgIiwKKwkJCQkgICB3aWR0aCwgc3QtPnN0YXJ0X2FkZHJlc3MsCisJCQkJICAgd2lkdGgsIHN0LT5jdXJyZW50X2FkZHJlc3MpOwogCi0JCWRlbHRhID0gKHN0LT5jdXJyZW50X2FkZHJlc3MgLSBzdC0+c3RhcnRfYWRkcmVzcykgPj4gMTA7Ci0JCXdoaWxlICghKGRlbHRhICYgMTAyMykgJiYgdW5pdFsxXSkgewotCQkJZGVsdGEgPj49IDEwOwotCQkJdW5pdCsrOworCQkJZGVsdGEgPSAoc3QtPmN1cnJlbnRfYWRkcmVzcyAtIHN0LT5zdGFydF9hZGRyZXNzKTsKKwkJCXdoaWxlICghKGRlbHRhICYgMTAyMykgJiYgdW5pdFsxXSkgeworCQkJCWRlbHRhID4+PSAxMDsKKwkJCQl1bml0Kys7CisJCQl9CisJCQlzZXFfcHJpbnRmKG0sICIlOWx1JWMgIiwgZGVsdGEsICp1bml0KTsKKwkJCXByaW50a19wcm90KG0sIHN0LT5jdXJyZW50X3Byb3QsIHN0LT5sZXZlbCk7CiAJCX0KLQkJc2VxX3ByaW50ZihtLCAiJTlsdSVjICIsIGRlbHRhLCAqdW5pdCk7Ci0JCXByaW50a19wcm90K
G0sIHN0LT5jdXJyZW50X3Byb3QsIHN0LT5sZXZlbCk7CisJCXN0LT5saW5lcysrOwogCiAJCS8qCiAJCSAqIFdlIHByaW50IG1hcmtlcnMgZm9yIHNwZWNpYWwgYXJlYXMgb2YgYWRkcmVzcyBzcGFjZSwKQEAgLTIwNiw3ICsyMTUsMTUgQEAKIAkJICogVGhpcyBoZWxwcyBpbiB0aGUgaW50ZXJwcmV0YXRpb24uCiAJCSAqLwogCQlpZiAoc3QtPmN1cnJlbnRfYWRkcmVzcyA+PSBzdC0+bWFya2VyWzFdLnN0YXJ0X2FkZHJlc3MpIHsKKwkJCWlmIChzdC0+bWFya2VyLT5tYXhfbGluZXMgJiYKKwkJCSAgICBzdC0+bGluZXMgPiBzdC0+bWFya2VyLT5tYXhfbGluZXMpIHsKKwkJCQl1bnNpZ25lZCBsb25nIG5za2lwID0KKwkJCQkJc3QtPmxpbmVzIC0gc3QtPm1hcmtlci0+bWF4X2xpbmVzOworCQkJCXNlcV9wcmludGYobSwgIi4uLiAlbHUgZW50ciVzIHNraXBwZWQgLi4uIFxuIiwKKwkJCQkJICAgbnNraXAsIG5za2lwID09IDEgPyAieSIgOiAiaWVzIik7CisJCQl9CiAJCQlzdC0+bWFya2VyKys7CisJCQlzdC0+bGluZXMgPSAwOwogCQkJc2VxX3ByaW50ZihtLCAiLS0tWyAlcyBdLS0tXG4iLCBzdC0+bWFya2VyLT5uYW1lKTsKIAkJfQogCmRpZmYgLS1naXQgYS9pbml0L21haW4uYyBiL2luaXQvbWFpbi5jCmluZGV4IDk0ODRmNGIuLmE5ZTRhNzYgMTAwNjQ0Ci0tLSBhL2luaXQvbWFpbi5jCisrKyBiL2luaXQvbWFpbi5jCkBAIC02MDUsNiArNjA1LDEwIEBACiAJaWYgKGVmaV9lbmFibGVkKEVGSV9SVU5USU1FX1NFUlZJQ0VTKSkKIAkJZWZpX2VudGVyX3ZpcnR1YWxfbW9kZSgpOwogI2VuZGlmCisjaWZkZWYgQ09ORklHX1g4Nl82NAorCS8qIFNob3VsZCBiZSBydW4gYmVmb3JlIHRoZSBmaXJzdCBub24taW5pdCB0aHJlYWQgaXMgY3JlYXRlZCAqLworCWluaXRfZXNwZml4X2JzcCgpOworI2VuZGlmCiAJdGhyZWFkX2luZm9fY2FjaGVfaW5pdCgpOwogCWNyZWRfaW5pdCgpOwogCWZvcmtfaW5pdCh0b3RhbHJhbV9wYWdlcyk7Cg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0003.patch new file mode 100644 index 00000000..1b5acc63 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0003.patch 
@@ -0,0 +1,52 @@ +diff --git a/arch/x86/include/asm/espfix.h b/arch/x86/include/asm/espfix.h +new file mode 100644 +index 0000000..729051c +--- /dev/null ++++ b/arch/x86/include/asm/espfix.h +@@ -0,0 +1,16 @@ ++#ifdef _ASM_X86_ESPFIX_H ++#define _ASM_X86_ESPFIX_H ++ ++#ifdef CONFIG_X86_64 ++ ++#include ++ ++DECLARE_PER_CPU_READ_MOSTLY(unsigned long, espfix_stack); ++DECLARE_PER_CPU_READ_MOSTLY(unsigned long, espfix_waddr); ++ ++extern void init_espfix_bsp(void); ++extern void init_espfix_ap(void); ++ ++#endif /* CONFIG_X86_64 */ ++ ++#endif /* _ASM_X86_ESPFIX_H */ +diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h +index 93797d1..2e327f1 100644 +--- a/arch/x86/include/asm/setup.h ++++ b/arch/x86/include/asm/setup.h +@@ -60,11 +60,10 @@ + static inline void x86_ce4100_early_setup(void) { } + #endif + +-extern void init_espfix_bsp(void); +-extern void init_espfix_ap(void); +- + #ifndef _SETUP + ++#include ++ + /* + * This is set up by the setup-routine at boot-time + */ +diff --git a/arch/x86/kernel/espfix_64.c b/arch/x86/kernel/espfix_64.c +index 8a64da3..6afbb16 100644 +--- a/arch/x86/kernel/espfix_64.c ++++ b/arch/x86/kernel/espfix_64.c +@@ -40,6 +40,7 @@ + #include + #include + #include ++#include + + /* + * Note: we only need 6*8 = 48 bytes for the espfix stack, but round diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0003.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0003.patch.base64 new file mode 100644 index 00000000..cbc57804 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0003.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0004.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0004.patch new file mode 100644 index 00000000..b5a538da --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0004.patch 
@@ -0,0 +1,10 @@
+diff --git a/arch/x86/include/asm/espfix.h b/arch/x86/include/asm/espfix.h
+index 729051c..99efebb 100644
+--- a/arch/x86/include/asm/espfix.h
++++ b/arch/x86/include/asm/espfix.h
+@@ -1,4 +1,4 @@
+-#ifdef _ASM_X86_ESPFIX_H
++#ifndef _ASM_X86_ESPFIX_H
+ #define _ASM_X86_ESPFIX_H
+ 
+ #ifdef CONFIG_X86_64
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0004.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0004.patch.base64
new file mode 100644
index 00000000..02e5bfdf
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0004.patch.base64
@@ -0,0 +1 @@
+ZGlmZiAtLWdpdCBhL2FyY2gveDg2L2luY2x1ZGUvYXNtL2VzcGZpeC5oIGIvYXJjaC94ODYvaW5jbHVkZS9hc20vZXNwZml4LmgKaW5kZXggNzI5MDUxYy4uOTllZmViYiAxMDA2NDQKLS0tIGEvYXJjaC94ODYvaW5jbHVkZS9hc20vZXNwZml4LmgKKysrIGIvYXJjaC94ODYvaW5jbHVkZS9hc20vZXNwZml4LmgKQEAgLTEsNCArMSw0IEBACi0jaWZkZWYgX0FTTV9YODZfRVNQRklYX0gKKyNpZm5kZWYgX0FTTV9YODZfRVNQRklYX0gKICNkZWZpbmUgX0FTTV9YODZfRVNQRklYX0gKIAogI2lmZGVmIENPTkZJR19YODZfNjQK
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0005.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0005.patch
new file mode 100644
index 00000000..5a5a49c2
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0005.patch
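Review bot: Nothing visible in this commit ties `0004.patch.base64` to the `0004.patch` beside it, and the same holds for every other encoded copy added here. The blob cannot be reviewed by eye, so if the build tooling applies the encoded file, a copy that differs from the reviewed plaintext would go unnoticed. This one appears to decode to the 0004.patch text in the preceding hunk, but that should be enforced rather than assumed. A CI step along the lines of `base64 -d 0004.patch.base64 | cmp - 0004.patch`, run for every pair, would make it checkable.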
@@ -0,0 +1,54 @@ +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 4b20846..520cde8 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -972,6 +972,10 @@ + XFree86 to initialize some video cards via BIOS. Disabling this + option saves about 6k. + ++config X86_ESPFIX64 ++ def_bool y ++ depends on X86_64 ++ + config TOSHIBA + tristate "Toshiba Laptop support" + depends on X86_32 +diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile +index 0fde293..111eb35 100644 +--- a/arch/x86/kernel/Makefile ++++ b/arch/x86/kernel/Makefile +@@ -27,7 +27,7 @@ + obj-y += syscall_$(BITS).o + obj-$(CONFIG_X86_64) += vsyscall_64.o + obj-$(CONFIG_X86_64) += vsyscall_emu_64.o +-obj-$(CONFIG_X86_64) += espfix_64.o ++obj-$(CONFIG_X86_ESPFIX64) += espfix_64.o + obj-y += bootflag.o e820.o + obj-y += pci-dma.o quirks.o topology.o kdebugfs.o + obj-y += alternative.o i8253.o pci-nommu.o hw_breakpoint.o +diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c +index 9f009cc..fe86275 100644 +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -267,7 +267,7 @@ + /* + * Enable the espfix hack for this CPU + */ +-#ifdef CONFIG_X86_64 ++#ifdef CONFIG_X86_ESPFIX64 + init_espfix_ap(); + #endif + +diff --git a/init/main.c b/init/main.c +index a9e4a76..544cccf 100644 +--- a/init/main.c ++++ b/init/main.c +@@ -605,7 +605,7 @@ + if (efi_enabled(EFI_RUNTIME_SERVICES)) + efi_enter_virtual_mode(); + #endif +-#ifdef CONFIG_X86_64 ++#ifdef CONFIG_X86_ESPFIX64 + /* Should be run before the first non-init thread is created */ + init_espfix_bsp(); + #endif diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0005.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0005.patch.base64 new file mode 100644 index 00000000..dd10351b --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0005.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file 
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0006.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0006.patch
new file mode 100644
index 00000000..2f014227
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0006.patch
@@ -0,0 +1,195 @@ +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 520cde8..2b6c572 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -967,14 +967,27 @@ + default y + depends on X86_32 + ---help--- +- This option is required by programs like DOSEMU to run 16-bit legacy +- code on X86 processors. It also may be needed by software like +- XFree86 to initialize some video cards via BIOS. Disabling this +- option saves about 6k. ++ This option is required by programs like DOSEMU to run ++ 16-bit real mode legacy code on x86 processors. It also may ++ be needed by software like XFree86 to initialize some video ++ cards via BIOS. Disabling this option saves about 6K. ++ ++config X86_16BIT ++ bool "Enable support for 16-bit segments" if EXPERT ++ default y ++ ---help--- ++ This option is required by programs like Wine to run 16-bit ++ protected mode legacy code on x86 processors. Disabling ++ this option saves about 300 bytes on i386, or around 6K text ++ plus 16K runtime memory on x86-64, ++ ++config X86_ESPFIX32 ++ def_bool y ++ depends on X86_16BIT && X86_32 + + config X86_ESPFIX64 + def_bool y +- depends on X86_64 ++ depends on X86_16BIT && X86_64 + + config TOSHIBA + tristate "Toshiba Laptop support" +diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S +index 41baa1f..e758e2f 100644 +--- a/arch/x86/kernel/entry_32.S ++++ b/arch/x86/kernel/entry_32.S +@@ -530,6 +530,7 @@ + restore_all: + TRACE_IRQS_IRET + restore_all_notrace: ++#ifdef CONFIG_X86_ESPFIX32 + movl PT_EFLAGS(%esp), %eax # mix EFLAGS, SS and CS + # Warning: PT_OLDSS(%esp) contains the wrong/random values if we + # are returning to the kernel. 
+@@ -540,6 +541,7 @@ + cmpl $((SEGMENT_LDT << 8) | USER_RPL), %eax + CFI_REMEMBER_STATE + je ldt_ss # returning to user-space with LDT SS ++#endif + restore_nocheck: + RESTORE_REGS 4 # skip orig_eax/error_code + irq_return: +@@ -552,6 +554,7 @@ + .previous + _ASM_EXTABLE(irq_return,iret_exc) + ++#ifdef CONFIG_X86_ESPFIX32 + CFI_RESTORE_STATE + ldt_ss: + #ifdef CONFIG_PARAVIRT +@@ -595,6 +598,7 @@ + lss (%esp), %esp /* switch to espfix segment */ + CFI_ADJUST_CFA_OFFSET -8 + jmp restore_nocheck ++#endif + CFI_ENDPROC + ENDPROC(system_call) + +@@ -702,6 +706,7 @@ + * the high word of the segment base from the GDT and swiches to the + * normal stack and adjusts ESP with the matching offset. + */ ++#ifdef CONFIG_X86_ESPFIX32 + /* fixup the stack */ + mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */ + mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */ +@@ -711,8 +716,10 @@ + pushl_cfi %eax + lss (%esp), %esp /* switch to the normal stack segment */ + CFI_ADJUST_CFA_OFFSET -8 ++#endif + .endm + .macro UNWIND_ESPFIX_STACK ++#ifdef CONFIG_X86_ESPFIX32 + movl %ss, %eax + /* see if on espfix stack */ + cmpw $__ESPFIX_SS, %ax +@@ -723,6 +730,7 @@ + /* switch to normal stack */ + FIXUP_ESPFIX_STACK + 27: ++#endif + .endm + + /* +@@ -1330,11 +1338,13 @@ + ENTRY(nmi) + RING0_INT_FRAME + ASM_CLAC ++#ifdef CONFIG_X86_ESPFIX32 + pushl_cfi %eax + movl %ss, %eax + cmpw $__ESPFIX_SS, %ax + popl_cfi %eax + je nmi_espfix_stack ++#endif + cmpl $ia32_sysenter_target,(%esp) + je nmi_stack_fixup + pushl_cfi %eax +@@ -1374,6 +1384,7 @@ + FIX_STACK 24, nmi_stack_correct, 1 + jmp nmi_stack_correct + ++#ifdef CONFIG_X86_ESPFIX32 + nmi_espfix_stack: + /* We have a RING0_INT_FRAME here. 
+ * +@@ -1395,6 +1406,7 @@ + lss 12+4(%esp), %esp # back to espfix stack + CFI_ADJUST_CFA_OFFSET -24 + jmp irq_return ++#endif + CFI_ENDPROC + END(nmi) + +diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S +index 75ccdc1..f9315d9 100644 +--- a/arch/x86/kernel/entry_64.S ++++ b/arch/x86/kernel/entry_64.S +@@ -1060,8 +1060,10 @@ + * Are we returning to a stack segment from the LDT? Note: in + * 64-bit mode SS:RSP on the exception stack is always valid. + */ ++#ifdef CONFIG_X86_ESPFIX64 + testb $4,(SS-RIP)(%rsp) + jnz irq_return_ldt ++#endif + + irq_return_iret: + INTERRUPT_RETURN +@@ -1073,6 +1075,7 @@ + _ASM_EXTABLE(native_iret, bad_iret) + #endif + ++#ifdef CONFIG_X86_ESPFIX64 + irq_return_ldt: + pushq_cfi %rax + pushq_cfi %rdi +@@ -1096,6 +1099,7 @@ + movq %rax,%rsp + popq_cfi %rax + jmp irq_return_iret ++#endif + + .section .fixup,"ax" + bad_iret: +@@ -1169,6 +1173,7 @@ + * modify the stack to make it look like we just entered + * the #GP handler from user space, similar to bad_iret. + */ ++#ifdef CONFIG_X86_ESPFIX64 + ALIGN + __do_double_fault: + XCPT_FRAME 1 RDI+8 +@@ -1194,6 +1199,9 @@ + retq + CFI_ENDPROC + END(__do_double_fault) ++#else ++# define __do_double_fault do_double_fault ++#endif + + /* + * End of kprobes section +diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c +index ebc9873..c37886d 100644 +--- a/arch/x86/kernel/ldt.c ++++ b/arch/x86/kernel/ldt.c +@@ -229,6 +229,11 @@ + } + } + ++ if (!IS_ENABLED(CONFIG_X86_16BIT) && !ldt_info.seg_32bit) { ++ error = -EINVAL; ++ goto out_unlock; ++ } ++ + fill_ldt(&ldt, &ldt_info); + if (oldmode) + ldt.avl = 0; diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0006.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0006.patch.base64 new file mode 100644 index 00000000..76214aea --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0006.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file 
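Review bot: The help text for the new `config X86_16BIT` entry stops on a comma (`plus 16K runtime memory on x86-64,`) and does not say what disabling the option changes at runtime. The ldt.c part of the same patch shows the effect: with `CONFIG_X86_16BIT` off, an LDT entry with `seg_32bit` clear is refused with `-EINVAL`. That is the property someone trimming attack surface would look for, so I would end the sentence with a period and add a line such as `If disabled, LDT entries for 16-bit segments are rejected with EINVAL.` The function patched in ldt.c starts and ends outside the hunk.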
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0007.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0007.patch
new file mode 100644
index 00000000..a927275d
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0007.patch
@@ -0,0 +1,105 @@ +diff --git a/arch/x86/include/asm/irqflags.h b/arch/x86/include/asm/irqflags.h +index bba3cf8..0a8b519 100644 +--- a/arch/x86/include/asm/irqflags.h ++++ b/arch/x86/include/asm/irqflags.h +@@ -129,7 +129,7 @@ + + #define PARAVIRT_ADJUST_EXCEPTION_FRAME /* */ + +-#define INTERRUPT_RETURN iretq ++#define INTERRUPT_RETURN jmp native_iret + #define USERGS_SYSRET64 \ + swapgs; \ + sysretq; +diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S +index f9315d9..db230f8 100644 +--- a/arch/x86/kernel/entry_64.S ++++ b/arch/x86/kernel/entry_64.S +@@ -1056,27 +1056,24 @@ + RESTORE_ARGS 1,8,1 + + irq_return: ++ INTERRUPT_RETURN ++ ++ENTRY(native_iret) + /* + * Are we returning to a stack segment from the LDT? Note: in + * 64-bit mode SS:RSP on the exception stack is always valid. + */ + #ifdef CONFIG_X86_ESPFIX64 + testb $4,(SS-RIP)(%rsp) +- jnz irq_return_ldt ++ jnz native_irq_return_ldt + #endif + +-irq_return_iret: +- INTERRUPT_RETURN +- _ASM_EXTABLE(irq_return_iret, bad_iret) +- +-#ifdef CONFIG_PARAVIRT +-ENTRY(native_iret) ++native_irq_return_iret: + iretq +- _ASM_EXTABLE(native_iret, bad_iret) +-#endif ++ _ASM_EXTABLE(native_irq_return_iret, bad_iret) + + #ifdef CONFIG_X86_ESPFIX64 +-irq_return_ldt: ++native_irq_return_ldt: + pushq_cfi %rax + pushq_cfi %rdi + SWAPGS +@@ -1098,7 +1095,7 @@ + SWAPGS + movq %rax,%rsp + popq_cfi %rax +- jmp irq_return_iret ++ jmp native_irq_return_iret + #endif + + .section .fixup,"ax" +@@ -1184,13 +1181,8 @@ + cmpl $__KERNEL_CS,CS(%rdi) + jne do_double_fault + movq RIP(%rdi),%rax +- cmpq $irq_return_iret,%rax +-#ifdef CONFIG_PARAVIRT +- je 1f +- cmpq $native_iret,%rax +-#endif ++ cmpq $native_irq_return_iret,%rax + jne do_double_fault /* This shouldn't happen... 
*/ +-1: + movq PER_CPU_VAR(kernel_stack),%rax + subq $(6*8-KERNEL_STACK_OFFSET),%rax /* Reset to original stack */ + movq %rax,RSP(%rdi) +@@ -1658,7 +1650,7 @@ + */ + error_kernelspace: + incl %ebx +- leaq irq_return_iret(%rip),%rcx ++ leaq native_irq_return_iret(%rip),%rcx + cmpq %rcx,RIP+8(%rsp) + je error_swapgs + movl %ecx,%eax /* zero extend */ +diff --git a/arch/x86/kernel/paravirt_patch_64.c b/arch/x86/kernel/paravirt_patch_64.c +index 3f08f34..a1da673 100644 +--- a/arch/x86/kernel/paravirt_patch_64.c ++++ b/arch/x86/kernel/paravirt_patch_64.c +@@ -6,7 +6,6 @@ + DEF_NATIVE(pv_irq_ops, irq_enable, "sti"); + DEF_NATIVE(pv_irq_ops, restore_fl, "pushq %rdi; popfq"); + DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax"); +-DEF_NATIVE(pv_cpu_ops, iret, "iretq"); + DEF_NATIVE(pv_mmu_ops, read_cr2, "movq %cr2, %rax"); + DEF_NATIVE(pv_mmu_ops, read_cr3, "movq %cr3, %rax"); + DEF_NATIVE(pv_mmu_ops, write_cr3, "movq %rdi, %cr3"); +@@ -50,7 +49,6 @@ + PATCH_SITE(pv_irq_ops, save_fl); + PATCH_SITE(pv_irq_ops, irq_enable); + PATCH_SITE(pv_irq_ops, irq_disable); +- PATCH_SITE(pv_cpu_ops, iret); + PATCH_SITE(pv_cpu_ops, irq_enable_sysexit); + PATCH_SITE(pv_cpu_ops, usergs_sysret32); + PATCH_SITE(pv_cpu_ops, usergs_sysret64); diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0007.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0007.patch.base64 new file mode 100644 index 00000000..d448a70d --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0007.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0008.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0008.patch new file mode 100644 index 00000000..97c06b01 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0008.patch 
@@ -0,0 +1,30 @@ +diff --git a/arch/x86/kernel/espfix_64.c b/arch/x86/kernel/espfix_64.c +index 6afbb16..94d857f 100644 +--- a/arch/x86/kernel/espfix_64.c ++++ b/arch/x86/kernel/espfix_64.c +@@ -175,7 +175,7 @@ + if (!pud_present(pud)) { + pmd_p = (pmd_t *)__get_free_page(PGALLOC_GFP); + pud = __pud(__pa(pmd_p) | (PGTABLE_PROT & ptemask)); +- paravirt_alloc_pud(&init_mm, __pa(pmd_p) >> PAGE_SHIFT); ++ paravirt_alloc_pmd(&init_mm, __pa(pmd_p) >> PAGE_SHIFT); + for (n = 0; n < ESPFIX_PUD_CLONES; n++) + set_pud(&pud_p[n], pud); + } +@@ -185,7 +185,7 @@ + if (!pmd_present(pmd)) { + pte_p = (pte_t *)__get_free_page(PGALLOC_GFP); + pmd = __pmd(__pa(pte_p) | (PGTABLE_PROT & ptemask)); +- paravirt_alloc_pmd(&init_mm, __pa(pte_p) >> PAGE_SHIFT); ++ paravirt_alloc_pte(&init_mm, __pa(pte_p) >> PAGE_SHIFT); + for (n = 0; n < ESPFIX_PMD_CLONES; n++) + set_pmd(&pmd_p[n], pmd); + } +@@ -193,7 +193,6 @@ + pte_p = pte_offset_kernel(&pmd, addr); + stack_page = (void *)__get_free_page(GFP_KERNEL); + pte = __pte(__pa(stack_page) | (__PAGE_KERNEL_RO & ptemask)); +- paravirt_alloc_pte(&init_mm, __pa(stack_page) >> PAGE_SHIFT); + for (n = 0; n < ESPFIX_PTE_CLONES; n++) + set_pte(&pte_p[n*PTE_STRIDE], pte); + diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0008.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0008.patch.base64 new file mode 100644 index 00000000..e39e62e5 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0008.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0009.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0009.patch new file mode 100644 index 00000000..f655537a --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0009.patch 
@@ -0,0 +1,94 @@ +diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S +index db230f8..1a454d0 100644 +--- a/arch/x86/kernel/entry_64.S ++++ b/arch/x86/kernel/entry_64.S +@@ -1068,6 +1068,7 @@ + jnz native_irq_return_ldt + #endif + ++.global native_irq_return_iret + native_irq_return_iret: + iretq + _ASM_EXTABLE(native_irq_return_iret, bad_iret) +@@ -1164,37 +1165,6 @@ + CFI_ENDPROC + END(common_interrupt) + +- /* +- * If IRET takes a fault on the espfix stack, then we +- * end up promoting it to a doublefault. In that case, +- * modify the stack to make it look like we just entered +- * the #GP handler from user space, similar to bad_iret. +- */ +-#ifdef CONFIG_X86_ESPFIX64 +- ALIGN +-__do_double_fault: +- XCPT_FRAME 1 RDI+8 +- movq RSP(%rdi),%rax /* Trap on the espfix stack? */ +- sarq $PGDIR_SHIFT,%rax +- cmpl $ESPFIX_PGD_ENTRY,%eax +- jne do_double_fault /* No, just deliver the fault */ +- cmpl $__KERNEL_CS,CS(%rdi) +- jne do_double_fault +- movq RIP(%rdi),%rax +- cmpq $native_irq_return_iret,%rax +- jne do_double_fault /* This shouldn't happen... 
*/ +- movq PER_CPU_VAR(kernel_stack),%rax +- subq $(6*8-KERNEL_STACK_OFFSET),%rax /* Reset to original stack */ +- movq %rax,RSP(%rdi) +- movq $0,(%rax) /* Missing (lost) #GP error code */ +- movq $general_protection,RIP(%rdi) +- retq +- CFI_ENDPROC +-END(__do_double_fault) +-#else +-# define __do_double_fault do_double_fault +-#endif +- + /* + * End of kprobes section + */ +@@ -1363,7 +1333,7 @@ + zeroentry bounds do_bounds + zeroentry invalid_op do_invalid_op + zeroentry device_not_available do_device_not_available +-paranoiderrorentry double_fault __do_double_fault ++paranoiderrorentry double_fault do_double_fault + zeroentry coprocessor_segment_overrun do_coprocessor_segment_overrun + errorentry invalid_TSS do_invalid_TSS + errorentry segment_not_present do_segment_not_present +diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c +index 772e2a8..74e0801 100644 +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -247,6 +247,30 @@ + static const char str[] = "double fault"; + struct task_struct *tsk = current; + ++#ifdef CONFIG_X86_ESPFIX64 ++ extern unsigned char native_irq_return_iret[]; ++ ++ /* ++ * If IRET takes a non-IST fault on the espfix64 stack, then we ++ * end up promoting it to a doublefault. In that case, modify ++ * the stack to make it look like we just entered the #GP ++ * handler from user space, similar to bad_iret. ++ */ ++ if (((long)regs->sp >> PGDIR_SHIFT) == ESPFIX_PGD_ENTRY && ++ regs->cs == __KERNEL_CS && ++ regs->ip == (unsigned long)native_irq_return_iret) ++ { ++ struct pt_regs *normal_regs = task_pt_regs(current); ++ ++ /* Fake a #GP(0) from userspace. 
*/ ++ memmove(&normal_regs->ip, (void *)regs->sp, 5*8); ++ normal_regs->orig_ax = 0; /* Missing (lost) #GP error code */ ++ regs->ip = (unsigned long)general_protection; ++ regs->sp = (unsigned long)&normal_regs->orig_ax; ++ return; ++ } ++#endif ++ + exception_enter(); + /* Return not checked because double check cannot be ignored */ + notify_die(DIE_TRAP, str, regs, error_code, X86_TRAP_DF, SIGSEGV); diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0009.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0009.patch.base64 new file mode 100644 index 00000000..59821700 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0009.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0010.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0010.patch new file mode 100644 index 00000000..3214fe2e --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0010.patch 
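Review bot: The `memmove(&normal_regs->ip, (void *)regs->sp, 5*8);` in the new espfix64 branch of `do_double_fault` uses a bare `5*8` for the size of the frame it copies off the espfix stack. A short comment would make that invariant checkable, for example `/* copy the 5-quadword IRET frame: ip, cs, flags, sp, ss */` above the call. The early `return` also sits before `exception_enter()`, which looks deliberate but deserves a one-line comment so a later refactor does not move it below. The body of `do_double_fault` starts and ends outside the hunk.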
@@ -0,0 +1,101 @@ +diff --git a/arch/x86/include/asm/page_32_types.h b/arch/x86/include/asm/page_32_types.h +index ef17af0..4376b45 100644 +--- a/arch/x86/include/asm/page_32_types.h ++++ b/arch/x86/include/asm/page_32_types.h +@@ -18,7 +18,6 @@ + #define THREAD_SIZE_ORDER 1 + #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER) + +-#define STACKFAULT_STACK 0 + #define DOUBLEFAULT_STACK 1 + #define NMI_STACK 0 + #define DEBUG_STACK 0 +diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h +index 6c896fb..970f309 100644 +--- a/arch/x86/include/asm/page_64_types.h ++++ b/arch/x86/include/asm/page_64_types.h +@@ -14,12 +14,11 @@ + #define IRQ_STACK_ORDER 2 + #define IRQ_STACK_SIZE (PAGE_SIZE << IRQ_STACK_ORDER) + +-#define STACKFAULT_STACK 1 +-#define DOUBLEFAULT_STACK 2 +-#define NMI_STACK 3 +-#define DEBUG_STACK 4 +-#define MCE_STACK 5 +-#define N_EXCEPTION_STACKS 5 /* hw limit: 7 */ ++#define DOUBLEFAULT_STACK 1 ++#define NMI_STACK 2 ++#define DEBUG_STACK 3 ++#define MCE_STACK 4 ++#define N_EXCEPTION_STACKS 4 /* hw limit: 7 */ + + #define PUD_PAGE_SIZE (_AC(1, UL) << PUD_SHIFT) + #define PUD_PAGE_MASK (~(PUD_PAGE_SIZE-1)) +diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c +index addb207..66e274a 100644 +--- a/arch/x86/kernel/dumpstack_64.c ++++ b/arch/x86/kernel/dumpstack_64.c +@@ -24,7 +24,6 @@ + [ DEBUG_STACK-1 ] = "#DB", + [ NMI_STACK-1 ] = "NMI", + [ DOUBLEFAULT_STACK-1 ] = "#DF", +- [ STACKFAULT_STACK-1 ] = "#SS", + [ MCE_STACK-1 ] = "#MC", + #if DEBUG_STKSZ > EXCEPTION_STKSZ + [ N_EXCEPTION_STACKS ... 
+diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S +index 1a454d0..50e5e59 100644 +--- a/arch/x86/kernel/entry_64.S ++++ b/arch/x86/kernel/entry_64.S +@@ -1503,7 +1503,7 @@ + + paranoidzeroentry_ist debug do_debug DEBUG_STACK + paranoidzeroentry_ist int3 do_int3 DEBUG_STACK +-paranoiderrorentry stack_segment do_stack_segment ++errorentry stack_segment do_stack_segment + #ifdef CONFIG_XEN + zeroentry xen_debug do_debug + zeroentry xen_int3 do_int3 +diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c +index 74e0801..00a2873 100644 +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -220,28 +220,12 @@ + coprocessor_segment_overrun) + DO_ERROR(X86_TRAP_TS, SIGSEGV, "invalid TSS", invalid_TSS) + DO_ERROR(X86_TRAP_NP, SIGBUS, "segment not present", segment_not_present) +-#ifdef CONFIG_X86_32 + DO_ERROR(X86_TRAP_SS, SIGBUS, "stack segment", stack_segment) +-#endif + DO_ERROR_INFO(X86_TRAP_AC, SIGBUS, "alignment check", alignment_check, + BUS_ADRALN, 0) + + #ifdef CONFIG_X86_64 + /* Runs on IST stack */ +-dotraplinkage void do_stack_segment(struct pt_regs *regs, long error_code) +-{ +- enum ctx_state prev_state; +- +- prev_state = exception_enter(); +- if (notify_die(DIE_TRAP, "stack segment", regs, error_code, +- X86_TRAP_SS, SIGBUS) != NOTIFY_STOP) { +- preempt_conditional_sti(regs); +- do_trap(X86_TRAP_SS, SIGBUS, "stack segment", regs, error_code, NULL); +- preempt_conditional_cli(regs); +- } +- exception_exit(prev_state); +-} +- + dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code) + { + static const char str[] = "double fault"; +@@ -769,7 +753,7 @@ + set_intr_gate(X86_TRAP_OLD_MF, &coprocessor_segment_overrun); + set_intr_gate(X86_TRAP_TS, &invalid_TSS); + set_intr_gate(X86_TRAP_NP, &segment_not_present); +- set_intr_gate_ist(X86_TRAP_SS, &stack_segment, STACKFAULT_STACK); ++ set_intr_gate(X86_TRAP_SS, stack_segment); + set_intr_gate(X86_TRAP_GP, &general_protection); + set_intr_gate(X86_TRAP_SPURIOUS, 
&spurious_interrupt_bug); + set_intr_gate(X86_TRAP_MF, &coprocessor_error); diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0010.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0010.patch.base64 new file mode 100644 index 00000000..ac00d8ff --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0010.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0011.patch b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0011.patch new file mode 100644 index 00000000..e0d68a85 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0011.patch @@ -0,0 +1,55 @@ +diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c +index f7fec09..e7650bd 100644 +--- a/arch/x86/kernel/tls.c ++++ b/arch/x86/kernel/tls.c +@@ -27,6 +27,21 @@ + return -ESRCH; + } + ++static bool tls_desc_okay(const struct user_desc *info) ++{ ++ if (LDT_empty(info)) ++ return true; ++ ++ /* ++ * espfix is required for 16-bit data segments, but espfix ++ * only works for LDT segments. ++ */ ++ if (!info->seg_32bit) ++ return false; ++ ++ return true; ++} ++ + static void set_tls_desc(struct task_struct *p, int idx, + const struct user_desc *info, int n) + { +@@ -66,6 +81,9 @@ + if (copy_from_user(&info, u_info, sizeof(info))) + return -EFAULT; + ++ if (!tls_desc_okay(&info)) ++ return -EINVAL; ++ + if (idx == -1) + idx = info.entry_number; + +@@ -192,6 +210,7 @@ + { + struct user_desc infobuf[GDT_ENTRY_TLS_ENTRIES]; + const struct user_desc *info; ++ int i; + + if (pos >= GDT_ENTRY_TLS_ENTRIES * sizeof(struct user_desc) || + (pos % sizeof(struct user_desc)) != 0 || +@@ -205,6 +224,10 @@ + else + info = infobuf; + ++ for (i = 0; i < count / sizeof(struct user_desc); i++) ++ if (!tls_desc_okay(info + i)) ++ return -EINVAL; ++ + set_tls_desc(target, + GDT_ENTRY_TLS_MIN + (pos / sizeof(struct user_desc)), + info, count / sizeof(struct user_desc)); 
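Review bot: `tls_desc_okay()` rejects only descriptors with `seg_32bit` clear, so a TLS slot can still be given a non-data (`contents > 1`) or not-present (`seg_not_present`) descriptor. Upstream later tightened this same helper to refuse both; if that follow-up is not carried elsewhere in the patchset, it would fit here as `if (info->contents > 1) return false;` and `if (info->seg_not_present) return false;`. Separately, in the regset loop `int i` is compared against `count / sizeof(struct user_desc)`, which is unsigned; declaring `unsigned int i;` avoids the mixed-sign comparison. Both enclosing functions continue outside the hunk.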
diff --git a/Patches/Linux_CVEs/CVE-2014-9322/ANY/0011.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0011.patch.base64 new file mode 100644 index 00000000..db0dc128 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9322/ANY/0011.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2014-9420/3.2-^3.18/1.patch b/Patches/Linux_CVEs/CVE-2014-9420/3.2-^3.18/1.patch deleted file mode 100644 index 12f7d903..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9420/3.2-^3.18/1.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 212c4d33ca83e2144064fe9c2911607fbed5386f Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Mon, 15 Dec 2014 14:22:46 +0100 -Subject: isofs: Fix infinite looping over CE entries - -commit f54e18f1b831c92f6512d2eedb224cd63d607d3d upstream. - -Rock Ridge extensions define so called Continuation Entries (CE) which -define where is further space with Rock Ridge data. Corrupted isofs -image can contain arbitrarily long chain of these, including a one -containing loop and thus causing kernel to end in an infinite loop when -traversing these entries. - -Limit the traversal to 32 entries which should be more than enough space -to store all the Rock Ridge data. - -Reported-by: P J P -Signed-off-by: Jan Kara -Signed-off-by: Ben Hutchings ---- - fs/isofs/rock.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c -index ee62cc0..26859de 100644 ---- a/fs/isofs/rock.c -+++ b/fs/isofs/rock.c -@@ -30,6 +30,7 @@ struct rock_state { - int cont_size; - int cont_extent; - int cont_offset; -+ int cont_loops; - struct inode *inode; - }; - -@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode) - rs->inode = inode; - } - -+/* Maximum number of Rock Ridge continuation entries */ -+#define RR_MAX_CE_ENTRIES 32 -+ - /* - * Returns 0 if the caller should continue scanning, 1 if the scan must end - * and -ve on error. -@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs) - goto out; - } - ret = -EIO; -+ if (++rs->cont_loops >= RR_MAX_CE_ENTRIES) -+ goto out; - bh = sb_bread(rs->inode->i_sb, rs->cont_extent); - if (bh) { - memcpy(rs->buffer, bh->b_data + rs->cont_offset, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9420/^3.18/0.patch b/Patches/Linux_CVEs/CVE-2014-9420/ANY/0001.patch similarity index 93% rename from Patches/Linux_CVEs/CVE-2014-9420/^3.18/0.patch rename to Patches/Linux_CVEs/CVE-2014-9420/ANY/0001.patch index d677dc89..df3a5299 100644 
--- a/Patches/Linux_CVEs/CVE-2014-9420/^3.18/0.patch +++ b/Patches/Linux_CVEs/CVE-2014-9420/ANY/0001.patch @@ -1,7 +1,7 @@ From f54e18f1b831c92f6512d2eedb224cd63d607d3d Mon Sep 17 00:00:00 2001 From: Jan Kara Date: Mon, 15 Dec 2014 14:22:46 +0100 -Subject: [PATCH] isofs: Fix infinite looping over CE entries +Subject: isofs: Fix infinite looping over CE entries Rock Ridge extensions define so called Continuation Entries (CE) which define where is further space with Rock Ridge data. Corrupted isofs @@ -20,7 +20,7 @@ Signed-off-by: Jan Kara 1 file changed, 6 insertions(+) diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c -index f488bbae541ac..bb63254ed8486 100644 +index f488bba..bb63254 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -30,6 +30,7 @@ struct rock_state { @@ -50,3 +50,6 @@ index f488bbae541ac..bb63254ed8486 100644 bh = sb_bread(rs->inode->i_sb, rs->cont_extent); if (bh) { memcpy(rs->buffer, bh->b_data + rs->cont_offset, +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2014-9529/3.2/1.patch b/Patches/Linux_CVEs/CVE-2014-9529/3.2/1.patch deleted file mode 100644 index d6a466df..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9529/3.2/1.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From dc4a2f40de419c01b538c87f6bdfc15d574d9f7e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 29 Dec 2014 09:39:01 -0500 -Subject: KEYS: close race between key lookup and freeing - -commit a3a8784454692dd72e5d5d34dcdab17b4420e74c upstream. - -When a key is being garbage collected, it's key->user would get put before -the ->destroy() callback is called, where the key is removed from it's -respective tracking structures. - -This leaves a key hanging in a semi-invalid state which leaves a window open -for a different task to try an access key->user. An example is -find_keyring_by_name() which would dereference key->user for a key that is -in the process of being garbage collected (where key->user was freed but -->destroy() wasn't called yet - so it's still present in the linked list). - -This would cause either a panic, or corrupt memory. - -Fixes CVE-2014-9529. - -Signed-off-by: Sasha Levin -Signed-off-by: David Howells -[bwh: Backported to 3.2: adjust indentation] -Signed-off-by: Ben Hutchings ---- - security/keys/gc.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/security/keys/gc.c b/security/keys/gc.c -index bf4d8da..2e2395d 100644 ---- a/security/keys/gc.c -+++ b/security/keys/gc.c -@@ -186,12 +186,12 @@ static noinline void key_gc_unused_key(struct key *key) - if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) - atomic_dec(&key->user->nikeys); - -- key_user_put(key->user); -- - /* now throw away the key memory */ - if (key->type->destroy) - key->type->destroy(key); - -+ key_user_put(key->user); -+ - kfree(key->description); - - #ifdef KEY_DEBUGGING --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9529/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9529/ANY/0001.patch similarity index 93% rename from Patches/Linux_CVEs/CVE-2014-9529/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9529/ANY/0001.patch index 67850775..86efe5aa 100644 --- a/Patches/Linux_CVEs/CVE-2014-9529/ANY/0.patch 
+++ b/Patches/Linux_CVEs/CVE-2014-9529/ANY/0001.patch @@ -1,7 +1,7 @@ From a3a8784454692dd72e5d5d34dcdab17b4420e74c Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Mon, 29 Dec 2014 09:39:01 -0500 -Subject: [PATCH] KEYS: close race between key lookup and freeing +Subject: KEYS: close race between key lookup and freeing When a key is being garbage collected, it's key->user would get put before the ->destroy() callback is called, where the key is removed from it's @@ -24,7 +24,7 @@ Signed-off-by: David Howells 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/keys/gc.c b/security/keys/gc.c -index 9609a7f0faea2..c7952375ac532 100644 +index 9609a7f..c795237 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c @@ -148,12 +148,12 @@ static noinline void key_gc_unused_keys(struct list_head *keys) @@ -42,3 +42,6 @@ index 9609a7f0faea2..c7952375ac532 100644 kfree(key->description); #ifdef KEY_DEBUGGING +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2014-9683/3.2-^3.18/1.patch b/Patches/Linux_CVEs/CVE-2014-9683/3.2/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9683/3.2-^3.18/1.patch rename to Patches/Linux_CVEs/CVE-2014-9683/3.2/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9683/^3.18/0.patch b/Patches/Linux_CVEs/CVE-2014-9683/^3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9683/^3.18/0.patch rename to Patches/Linux_CVEs/CVE-2014-9683/^3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9715/3.2/1.patch b/Patches/Linux_CVEs/CVE-2014-9715/3.2/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9715/3.2/1.patch rename to Patches/Linux_CVEs/CVE-2014-9715/3.2/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9715/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9715/^3.14/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9715/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9715/^3.14/0002.patch 
diff --git a/Patches/Linux_CVEs/CVE-2014-9731/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9731/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9731/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9731/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9777/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9777/ANY/0001.patch
new file mode 100644
index 00000000..08e16400
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2014-9777/ANY/0001.patch
@@ -0,0 +1,35 @@
+From 17bfaf64ad503d2e6607d2d3e0956f25bf07eb43 Mon Sep 17 00:00:00 2001
+From: "Pachika, Vikas Reddy"
+Date: Tue, 5 Nov 2013 12:48:36 +0530
+Subject: msm: vidc: Validate userspace buffer count before using it
+
+Validate the number of buffers count variable before
+using it to avoid structure overflow error.
+
+Change-Id: I61582c93e0f26ec6842e437134fb8a42bdbc36ff
+CRs-fixed: 563654
+Signed-off-by: Pachika, Vikas Reddy
+---
+ drivers/video/msm/vidc/common/dec/vdec.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/video/msm/vidc/common/dec/vdec.c b/drivers/video/msm/vidc/common/dec/vdec.c
+index a843889..83adec6 100644
+--- a/drivers/video/msm/vidc/common/dec/vdec.c
++++ b/drivers/video/msm/vidc/common/dec/vdec.c
+@@ -948,6 +948,12 @@ static u32 vid_dec_set_meta_buffers(struct video_client_ctx *client_ctx,
+ vcd_meta_buffer->offset = meta_buffers->offset;
+ vcd_meta_buffer->pmem_fd_iommu = meta_buffers->pmem_fd_iommu;
+
++ if (meta_buffers->count > MAX_META_BUFFERS) {
++ ERR("meta buffers maximum count reached, count = %d",
++ meta_buffers->count);
++ return false;
++ }
++
+ if (!vcd_get_ion_status()) {
+ if (get_pmem_file(vcd_meta_buffer->pmem_fd,
+ (unsigned long *) (&(vcd_meta_buffer->
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2014-9778/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9778/ANY/0.patch
deleted file mode 100644
index 3d3613c3..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9778/ANY/0.patch
+++ /dev/null
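Review bot: The new bound in `vid_dec_set_meta_buffers` rejects only `meta_buffers->count > MAX_META_BUFFERS`; the count is logged with `%d`, which suggests a signed field, and a negative value from userspace would pass this comparison. If the field is signed, the guard should read `if (meta_buffers->count < 0 || meta_buffers->count > MAX_META_BUFFERS) {`; if it is unsigned, the format specifier should be `%u` instead. The check also sits after `offset` and `pmem_fd_iommu` have already been copied into `vcd_meta_buffer`, so a rejected request still modifies driver state; moving the check ahead of those assignments would avoid that. The function starts and ends outside the hunk, so the declared type of `count` and the size of the array it bounds should be confirmed there.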
@@ -1,48 +0,0 @@ -From af85054aa6a1bcd38be2354921f2f80aef1440e5 Mon Sep 17 00:00:00 2001 -From: "Pachika, Vikas Reddy" -Date: Fri, 1 Nov 2013 21:06:37 +0530 -Subject: msm: vidc: Validate userspace buffer count - -Makesure the number of buffers count is less than -the maximum limit to avoid structure overflow errors. - -Change-Id: Icf3850de36325637ae43ac95f1c8f0f63e201d31 -CRs-fixed: 563694 -Signed-off-by: Pachika, Vikas Reddy ---- - drivers/video/msm/vidc/common/dec/vdec.c | 6 ++++++ - include/media/msm/vidc_init.h | 1 + - 2 files changed, 7 insertions(+) - -diff --git a/drivers/video/msm/vidc/common/dec/vdec.c b/drivers/video/msm/vidc/common/dec/vdec.c -index a843889..b45100f 100644 ---- a/drivers/video/msm/vidc/common/dec/vdec.c -+++ b/drivers/video/msm/vidc/common/dec/vdec.c -@@ -1201,6 +1201,12 @@ static u32 vid_dec_set_h264_mv_buffers(struct video_client_ctx *client_ctx, - vcd_h264_mv_buffer->pmem_fd = mv_data->pmem_fd; - vcd_h264_mv_buffer->offset = mv_data->offset; - -+ if (mv_data->count > MAX_MV_BUFFERS) { -+ ERR("MV buffers maximum count reached, count = %d", -+ mv_data->count); -+ return false; -+ } -+ - if (!vcd_get_ion_status()) { - if (get_pmem_file(vcd_h264_mv_buffer->pmem_fd, - (unsigned long *) (&(vcd_h264_mv_buffer-> -diff --git a/include/media/msm/vidc_init.h b/include/media/msm/vidc_init.h -index c35f770..5df0c3e 100644 ---- a/include/media/msm/vidc_init.h -+++ b/include/media/msm/vidc_init.h -@@ -20,6 +20,7 @@ - #define VIDC_MAX_NUM_CLIENTS 4 - #define MAX_VIDEO_NUM_OF_BUFF 100 - #define MAX_META_BUFFERS 32 -+#define MAX_MV_BUFFERS 32 - - enum buffer_dir { - BUFFER_TYPE_INPUT, --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9777/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9778/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9777/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9778/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2014-9779/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9779/ANY/0001.patch
new file mode 100644
index 00000000..1707a9db
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2014-9779/ANY/0001.patch
@@ -0,0 +1,44 @@
+From 0b5f49b360afdebf8ef55df1e48ec141b3629621 Mon Sep 17 00:00:00 2001
+From: Fred Oh
+Date: Fri, 11 Oct 2013 15:07:45 -0700
+Subject: ASoc: msm: qdsp6v2: add vm page offset validation
+
+Lack of range validation can lead wrong mapping or expose arbitrary
+memory page to userspace
+
+Change-Id: I8c6eb1b7255d444bffd9d3748ca4815b11bdf16a
+Signed-off-by: Fred Oh
+---
+ arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+(limited to 'arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c')
+
+diff --git a/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c b/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c
+index 0a50bcc..2d375ac 100644
+--- a/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c
++++ b/arch/arm/mach-msm/qdsp6v2/msm_audio_ion.c
+@@ -269,6 +269,7 @@ int msm_audio_ion_mmap(struct audio_buffer *ab,
+ } else {
+ ion_phys_addr_t phys_addr;
+ size_t phys_len;
++ size_t va_len = 0;
+ pr_debug("%s: page is NULL\n", __func__);
+
+ ret = ion_phys(ab->client, ab->handle, &phys_addr, &phys_len);
+@@ -282,6 +283,12 @@ int msm_audio_ion_mmap(struct audio_buffer *ab,
+ vma, (unsigned int)vma->vm_start,
+ (unsigned int)vma->vm_end, vma->vm_pgoff,
+ (unsigned long int)vma->vm_page_prot);
++ va_len = vma->vm_end - vma->vm_start;
++ if ((offset > phys_len) || (va_len > phys_len-offset)) {
++ pr_err("wrong offset size %ld, lens= %d, va_len=%d\n",
++ offset, phys_len, va_len);
++ return -EINVAL;
++ }
+ ret = remap_pfn_range(vma, vma->vm_start,
+ __phys_to_pfn(phys_addr) + vma->vm_pgoff,
+ vma->vm_end - vma->vm_start,
+--
+cgit v1.1
+
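Review bot: The added `pr_err` in `msm_audio_ion_mmap` prints `phys_len` and `va_len`, both declared `size_t` in this hunk, with `%d`; that is a format mismatch on 64-bit builds and should be `pr_err("wrong offset size %ld, lens= %zu, va_len=%zu\n", offset, phys_len, va_len);`. `offset` is defined outside the hunk, so the range test is only sound if it is the byte form of the `vma->vm_pgoff` that `remap_pfn_range` then adds to the PFN. A comment such as `/* offset is vm_pgoff in bytes; the mapping must stay inside the ion buffer */` would make that dependency explicit once confirmed. The ordering of the two comparisons (`offset > phys_len` before `phys_len-offset`) is what prevents unsigned wrap and should be kept intact when this is rebased.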
diff --git a/Patches/Linux_CVEs/CVE-2014-9780/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9780/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9780/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9780/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9781/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9781/ANY/0001.patch similarity index 97% rename from Patches/Linux_CVEs/CVE-2014-9781/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9781/ANY/0001.patch index 7070789a..29a5e0d5 100644 --- a/Patches/Linux_CVEs/CVE-2014-9781/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2014-9781/ANY/0001.patch @@ -12,6 +12,8 @@ Signed-off-by: Shalabh Jain drivers/video/fbcmap.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) +(limited to 'drivers/video') + diff --git a/drivers/video/fbcmap.c b/drivers/video/fbcmap.c index 31e93a5..f26570d 100644 --- a/drivers/video/fbcmap.c diff --git a/Patches/Linux_CVEs/CVE-2014-9782/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9782/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9782/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9782/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9783/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9783/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9783/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9783/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9783/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2014-9783/ANY/0002.patch new file mode 100644 index 00000000..f78fd57b --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2014-9783/ANY/0002.patch 
@@ -0,0 +1,50 @@ +From a7502f4f801bb95bff73617309835bb7a016cde5 Mon Sep 17 00:00:00 2001 +From: Xu Han +Date: Wed, 25 Sep 2013 15:28:32 -0700 +Subject: msm: camera: Checking an enum value greater than zero + +An enum value cci_i2c_master is not checked to be greater than 0. +Add the check. + +Change-Id: Ibe75ab7155def45d81b8127c5eda3fa2ed570bce +Signed-off-by: Xu Han +--- + drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c +index 273d779..401a671 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c +@@ -479,7 +479,8 @@ static int32_t msm_cci_i2c_read_bytes(struct v4l2_subdev *sd, + return -EINVAL; + } + +- if (c_ctrl->cci_info->cci_i2c_master > MASTER_MAX) { ++ if (c_ctrl->cci_info->cci_i2c_master > MASTER_MAX ++ || c_ctrl->cci_info->cci_i2c_master < 0) { + pr_err("%s:%d Invalid I2C master addr\n", __func__, __LINE__); + return -EINVAL; + } +@@ -524,7 +525,8 @@ static int32_t msm_cci_i2c_write(struct v4l2_subdev *sd, + enum cci_i2c_master_t master; + enum cci_i2c_queue_t queue = QUEUE_0; + cci_dev = v4l2_get_subdevdata(sd); +- if (c_ctrl->cci_info->cci_i2c_master > MASTER_MAX) { ++ if (c_ctrl->cci_info->cci_i2c_master > MASTER_MAX ++ || c_ctrl->cci_info->cci_i2c_master < 0) { + pr_err("%s:%d Invalid I2C master addr\n", __func__, __LINE__); + return -EINVAL; + } +@@ -661,7 +663,7 @@ static int32_t msm_cci_init(struct v4l2_subdev *sd, + CDBG("%s ref_count %d\n", __func__, cci_dev->ref_count); + master = c_ctrl->cci_info->cci_i2c_master; + CDBG("%s:%d master %d\n", __func__, __LINE__, master); +- if (master < MASTER_MAX) { ++ if (master < MASTER_MAX && master >= 0) { + mutex_lock(&cci_dev->cci_master_info[master].mutex); + /* Set reset pending flag to TRUE */ + 
cci_dev->cci_master_info[master].reset_pending = TRUE; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2014-9784/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9784/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9784/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9784/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9785/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9785/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9785/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9785/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9786/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9786/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9786/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9786/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9787/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9787/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9787/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9787/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9788/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9788/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9788/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9788/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9789/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9789/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9789/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9789/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9790/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9790/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9790/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9790/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9790/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2014-9790/ANY/0002.patch new file mode 100644 index 00000000..cd6b4669 --- /dev/null 
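Review bot: The three checks in the embedded msm_cci.c patch disagree on the upper bound: `msm_cci_i2c_read_bytes` and `msm_cci_i2c_write` reject only `cci_i2c_master > MASTER_MAX`, while `msm_cci_init` accepts only `master < MASTER_MAX`. If `MASTER_MAX` is the element count of `cci_master_info[]` (its definition is not in the hunk), a value equal to `MASTER_MAX` passes the read and write checks and later indexes one past the array. The read and write guards should use `>=`, i.e. `if (c_ctrl->cci_info->cci_i2c_master >= MASTER_MAX || c_ctrl->cci_info->cci_i2c_master < 0) {`. All three function bodies continue outside the hunk, so the actual array accesses should be checked there.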
+++ b/Patches/Linux_CVEs/CVE-2014-9790/ANY/0002.patch
@@ -0,0 +1,37 @@
+From 9bc30c0d1832f7dd5b6fa10d5e48a29025176569 Mon Sep 17 00:00:00 2001
+From: Raviv Shvili
+Date: Thu, 31 Oct 2013 17:38:19 +0200
+Subject: mmc: core : fix arbitrary read/write to user space
+
+In the MMC card debug_fs the read and write handlers use the strlcat
+and sscanf, without checking the pointer given.
+Since the pointer is not checked it is possible to write
+everywhere (ring 0 or 3).
+In order to fix it, an access_ok function is being used to verify
+the buffer's pointer supplied by user is valid.
+
+CRs-fixed: 545716
+
+Change-Id: I13ca736337fefe29ff9b0df6a318e7d92240f8b2
+Signed-off-by: Raviv Shvili
+---
+ drivers/mmc/core/debugfs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/mmc/core/debugfs.c b/drivers/mmc/core/debugfs.c
+index 9897f9f..4ec8941 100644
+--- a/drivers/mmc/core/debugfs.c
++++ b/drivers/mmc/core/debugfs.c
+@@ -647,6 +647,9 @@ static ssize_t mmc_bkops_stats_write(struct file *filp,
+ if (!card)
+ return cnt;
+
++ if (!access_ok(VERIFY_READ, ubuf, cnt))
++ return cnt;
++
+ bkops_stats = &card->bkops_info.bkops_stats;
+
+ sscanf(ubuf, "%d", &value);
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2014-9791/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2014-9791/ANY/0001.patch
new file mode 100644
index 00000000..b7c78569
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2014-9791/ANY/0001.patch
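Review bot: `access_ok()` in `mmc_bkops_stats_write` only confirms that `ubuf` through `ubuf + cnt` lies in the user address range; the `sscanf(ubuf, "%d", &value)` that follows still dereferences the user pointer directly. An unmapped or unterminated buffer can therefore still fault or be read past `cnt` in kernel context. The input should be copied into kernel memory before parsing, for example by replacing both statements with `ret = kstrtoint_from_user(ubuf, cnt, 10, &value); if (ret) return ret;` (with an `int ret` declared). Returning `cnt` when the check fails also reports success to the writer, where an error such as `-EFAULT` would be more accurate. The commit message mentions the read handler too, but this patch touches only the write handler, whose body continues outside the hunk.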
@@ -0,0 +1,83 @@ +From 9aabfc9e7775abbbcf534cdecccc4f12ee423b27 Mon Sep 17 00:00:00 2001 +From: Peter Hurley +Date: Tue, 13 May 2014 14:36:46 -0700 +Subject: n_tty: Fix n_tty_write crash when echoing in raw mode + +The tty atomic_write_lock does not provide an exclusion guarantee for +the tty driver if the termios settings are LECHO & !OPOST. And since +it is unexpected and not allowed to call TTY buffer helpers like +tty_insert_flip_string concurrently, this may lead to crashes when +concurrect writers call pty_write. In that case the following two +writers: +* the ECHOing from a workqueue and +* pty_write from the process +race and can overflow the corresponding TTY buffer like follows. + +If we look into tty_insert_flip_string_fixed_flag, there is: + int space = __tty_buffer_request_room(port, goal, flags); + struct tty_buffer *tb = port->buf.tail; + ... + memcpy(char_buf_ptr(tb, tb->used), chars, space); + ... + tb->used += space; + +so the race of the two can result in something like this: + A B + __tty_buffer_request_room + __tty_buffer_request_room + memcpy(buf(tb->used), ...) + tb->used += space; + memcpy(buf(tb->used), ...) ->BOOM + +B's memcpy is past the tty_buffer due to the previous A's tb->used +increment. + +Since the N_TTY line discipline input processing can output +concurrently with a tty write, obtain the N_TTY ldisc output_lock to +serialize echo output with normal tty writes. This ensures the tty +buffer helper tty_insert_flip_string is not called concurrently and +everything is fine. + +Note that this is nicely reproducible by an ordinary user using +forkpty and some setup around that (raw termios + ECHO). And it is +present in kernels at least after commit +d945cb9cce20ac7143c2de8d88b187f62db99bdc (pty: Rework the pty layer to +use the normal buffering logic) in 2.6.31-rc3. 
+ +js: add more info to the commit log +js: switch to bool +js: lock unconditionally +js: lock only the tty->ops->write call + +Signed-off-by: Peter Hurley +Signed-off-by: Jiri Slaby +Signed-off-by: Greg Kroah-Hartman +Change-Id: I9e235db6ec2bb950f26bd8a23f6145dab5dc0a15 +Git-commit: 4291086b1f081b869c6d79e5b7441633dc3ace00 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git +Signed-off-by: Avijit Kanti Das +[rsiddoji@codeaurora.org: resolve trivial merge conflicts] +Signed-off-by: Ravi Kumar S +--- + drivers/tty/n_tty.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c +index 8eb5573..54c46c8 100644 +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -1998,8 +1998,11 @@ static ssize_t n_tty_write(struct tty_struct *tty, struct file *file, + if (tty->ops->flush_chars) + tty->ops->flush_chars(tty); + } else { ++ + while (nr > 0) { ++ mutex_lock(&tty->output_lock); + c = tty->ops->write(tty, b, nr); ++ mutex_unlock(&tty->output_lock); + if (c < 0) { + retval = c; + goto break_out; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2014-9792/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9792/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9792/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9792/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9803/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9803/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9803/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9803/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9863/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9863/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9863/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9863/ANY/0001.patch 
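Review bot: The embedded n_tty.c change takes `tty->output_lock`, so it builds only on trees where that mutex is a member of `struct tty_struct`. On kernels that keep the N_TTY state in a separate line-discipline data structure the lock is reached differently, so the `ANY` directory may overstate where this backport applies; worth confirming which versions it targets. The hunk also adds an empty line directly after `} else {`, which is noise and can be dropped. A short comment above the lock, e.g. `/* serialize driver writes with ldisc echo output */`, would record why only the `tty->ops->write` call is wrapped. `n_tty_write` begins and ends outside the hunk.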
diff --git a/Patches/Linux_CVEs/CVE-2014-9864/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9864/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9864/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9864/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9865/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9865/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9865/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9865/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9866/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9866/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9866/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9866/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9867/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9867/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9867/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9867/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9868/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9868/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9868/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9868/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9869/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9869/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9869/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9869/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9869/ANY/1.patch b/Patches/Linux_CVEs/CVE-2014-9869/ANY/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9869/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2014-9869/ANY/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9870/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9870/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9870/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9870/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9871/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9871/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9871/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9871/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9872/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9872/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9872/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9872/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9873/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9873/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9873/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9873/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9874/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9874/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9874/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9874/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9874/ANY/1.patch b/Patches/Linux_CVEs/CVE-2014-9874/ANY/1.patch
deleted file mode 100644
index d2dd6731..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9874/ANY/1.patch
+++ /dev/null
@@ -1,44 +0,0 @@ -From 6b7b66961934660a91fb035e6e4223689a2500da Mon Sep 17 00:00:00 2001 -From: Masaki Sato -Date: Fri, 18 Apr 2014 13:23:17 -0500 -Subject: [PATCH] Revert "(CR): Asoc:msm:Added Buffer overflow check" - -This change was only meant for A-family and causes EVRC encoder -buffer allocation failure on B-family. - -This reverts commit fdd50cb69df64e8eef0933c9ee9bccb1eeae69ca. - -Change-Id: I2ce76602ef396a2939de05626c43ad4e87737418 -Signed-off-by: Masaki Sato -Reviewed-on: http://gerrit.mot.com/629216 -Submit-Approved: Jira Key -Tested-by: Jira Key -SLTApproved: Slta Waiver -Reviewed-by: Jeffrey Carlyle -Reviewed-by: Sriram Divakar -Reviewed-by: Yin-Jun Chen ---- - sound/soc/msm/qdsp6v2/q6asm.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c -index e09af8b48ba..77736150a60 100644 ---- a/sound/soc/msm/qdsp6v2/q6asm.c -+++ b/sound/soc/msm/qdsp6v2/q6asm.c -@@ -46,7 +46,6 @@ - - #define TRUE 0x01 - #define FALSE 0x00 --#define FRAME_NUM (8) - - /* TODO, combine them together */ - static DEFINE_MUTEX(session_lock); -@@ -924,8 +923,6 @@ int q6asm_audio_client_buf_alloc(unsigned int dir, - pr_debug("%s: buffer already allocated\n", __func__); - return 0; - } -- if (bufcnt != FRAME_NUM) -- goto fail; - mutex_lock(&ac->cmd_lock); - buf = kzalloc(((sizeof(struct audio_buffer))*bufcnt), - GFP_KERNEL); diff --git a/Patches/Linux_CVEs/CVE-2014-9875/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9875/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9875/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9875/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9876/3.4/1.patch b/Patches/Linux_CVEs/CVE-2014-9876/3.4/1.patch deleted file mode 100644 index a277fdce..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9876/3.4/1.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 794cd44fe8e32a4afe31a2f9f6a4499aaa874a48 Mon Sep 17 00:00:00 2001 -From: Mohit Aggarwal -Date: Thu, 2 Jun 2016 18:02:29 -0700 -Subject: [PATCH] diag: Fix possible underflow/overflow issues - -Add check in order to fix possible integer underflow -during HDLC encoding which may lead to buffer -overflow. Also added check for packet length to -avoid buffer overflow. - -Bug: 28767796 -Change-Id: Ifbac719a7db73aab121cb00c2090edf1bf1094bb -Signed-off-by: Yuan Lin ---- - drivers/char/diag/diagfwd.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/char/diag/diagfwd.h b/drivers/char/diag/diagfwd.h -index c6e1273dc585c..9c514e629fb4c 100644 ---- a/drivers/char/diag/diagfwd.h -+++ b/drivers/char/diag/diagfwd.h -@@ -20,7 +20,7 @@ - #define RESET_AND_QUEUE 1 - - #define CHK_OVERFLOW(bufStart, start, end, length) \ -- ((((bufStart) <= (start)) && ((end) - (start) >= (length))) ? 1 : 0) -+ ((((bufStart) <= (start)) && ((end) - (start) >= (length)) && ((length) > 0)) ? 1 : 0) - - void diagfwd_init(void); - void diagfwd_exit(void); diff --git a/Patches/Linux_CVEs/CVE-2014-9876/3.0/0.patch b/Patches/Linux_CVEs/CVE-2014-9876/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9876/3.0/0.patch rename to Patches/Linux_CVEs/CVE-2014-9876/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9877/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9877/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9877/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9877/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9878/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9878/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9878/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9878/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2014-9879/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9879/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9879/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9879/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9880/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9880/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9880/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9880/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9881/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9881/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9881/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9881/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9882/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9882/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9882/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9882/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9882/ANY/1.patch b/Patches/Linux_CVEs/CVE-2014-9882/ANY/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9882/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2014-9882/ANY/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9883/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9883/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9883/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9883/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9884/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9884/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9884/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9884/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9885/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9885/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9885/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9885/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9886/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9886/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9886/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9886/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9887/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9887/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9887/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9887/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9888/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9888/ANY/0.patch
deleted file mode 100644
index e0c39a8e..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9888/ANY/0.patch
+++ /dev/null
@@ -1,37 +0,0 @@ -From 0ea1ec713f04bdfac343c9702b21cd3a7c711826 Mon Sep 17 00:00:00 2001 -From: Russell King -Date: Wed, 23 Oct 2013 16:14:59 +0100 -Subject: [PATCH] ARM: dma-mapping: don't allow DMA mappings to be marked - executable - -DMA mapping permissions were being derived from pgprot_kernel directly -without using PAGE_KERNEL. This causes them to be marked with executable -permission, which is not what we want. Fix this. - -Signed-off-by: Russell King ---- - arch/arm/mm/dma-mapping.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/arch/arm/mm/dma-mapping.c b/arch/arm/mm/dma-mapping.c -index f5e1a8471714c..57438506d5246 100644 ---- a/arch/arm/mm/dma-mapping.c -+++ b/arch/arm/mm/dma-mapping.c -@@ -687,7 +687,7 @@ static void *__dma_alloc(struct device *dev, size_t size, dma_addr_t *handle, - void *arm_dma_alloc(struct device *dev, size_t size, dma_addr_t *handle, - gfp_t gfp, struct dma_attrs *attrs) - { -- pgprot_t prot = __get_dma_pgprot(attrs, pgprot_kernel); -+ pgprot_t prot = __get_dma_pgprot(attrs, PAGE_KERNEL); - void *memory; - - if (dma_alloc_from_coherent(dev, size, handle, &memory)) -@@ -700,7 +700,7 @@ void *arm_dma_alloc(struct device *dev, size_t size, dma_addr_t *handle, - static void *arm_coherent_dma_alloc(struct device *dev, size_t size, - dma_addr_t *handle, gfp_t gfp, struct dma_attrs *attrs) - { -- pgprot_t prot = __get_dma_pgprot(attrs, pgprot_kernel); -+ pgprot_t prot = __get_dma_pgprot(attrs, PAGE_KERNEL); - void *memory; - - if (dma_alloc_from_coherent(dev, size, handle, &memory)) diff --git a/Patches/Linux_CVEs/CVE-2014-9888/ANY/1.patch b/Patches/Linux_CVEs/CVE-2014-9888/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9888/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2014-9888/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9889/3.10/0.patch b/Patches/Linux_CVEs/CVE-2014-9889/3.10/0.patch deleted file mode 100644 index 3dc90a8a..00000000 
--- a/Patches/Linux_CVEs/CVE-2014-9889/3.10/0.patch
+++ /dev/null
@@ -1,85 +0,0 @@ -From b0c2274b13a0487e72e57342a842a99a15149fb9 Mon Sep 17 00:00:00 2001 -From: Iliya Varadzhakov -Date: Thu, 19 Jun 2014 20:03:00 -0700 -Subject: msm: cpp: Validate frame message before manipulating it - -CPP frame message is used to send all frame data -to Microcontroller. It is sent every frame. CPP kernel -driver has to add information to it before transfer it. -The message has to be validated before manipulations. -If it is not valid the message and corresponding frame -are discarded. - -Change-Id: Id272eb2296233c66befd015f41f19a9fbc551572 -Signed-off-by: Iliya Varadzhakov ---- - .../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 24 ++++++++++++++++++++++ - include/media/msmb_pproc.h | 3 ++- - 2 files changed, 26 insertions(+), 1 deletion(-) - -diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c -index a7589e4..5b17a4d 100644 ---- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c -+++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c -@@ -1436,6 +1436,18 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev, - } - cpp_frame_msg = new_frame->cpp_cmd_msg; - -+ if (cpp_frame_msg == NULL || -+ (new_frame->msg_len < MSM_CPP_MIN_FRAME_LENGTH)) { -+ pr_err("%s %d Length is not correct or frame message is missing\n", -+ __func__, __LINE__); -+ return -EINVAL; -+ } -+ -+ if (cpp_frame_msg[new_frame->msg_len - 1] != MSM_CPP_MSG_ID_TRAILER) { -+ pr_err("%s %d Invalid frame message\n", __func__, __LINE__); -+ return -EINVAL; -+ } -+ - in_phyaddr = msm_cpp_fetch_buffer_info(cpp_dev, - &new_frame->input_buffer_info, - ((new_frame->input_buffer_info.identity >> 16) & 0xFFFF), -@@ -1532,6 +1544,12 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev, - goto phyaddr_err; - } - -+ if ((stripe_base + num_stripes*27 + 1) != new_frame->msg_len) { -+ pr_err("Invalid frame message\n"); -+ rc = -EINVAL; -+ goto phyaddr_err; -+ } -+ - for (i = 0; i < num_stripes; 
i++) { - cpp_frame_msg[stripe_base + 5 + i*27] += - (uint32_t) in_phyaddr; -@@ -1572,6 +1590,12 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev, - - stripe_base = STRIPE_BASE_FW_1_8_0; - -+ if ((stripe_base + num_stripes*48 + 1) != new_frame->msg_len) { -+ pr_err("Invalid frame message\n"); -+ rc = -EINVAL; -+ goto phyaddr_err; -+ } -+ - for (i = 0; i < num_stripes; i++) { - - cpp_frame_msg[stripe_base + 8 + i * 48] += -diff --git a/include/media/msmb_pproc.h b/include/media/msmb_pproc.h -index 118ec30..3137aaa 100644 ---- a/include/media/msmb_pproc.h -+++ b/include/media/msmb_pproc.h -@@ -16,7 +16,8 @@ - - #define MAX_NUM_CPP_STRIPS 8 - #define MSM_CPP_MAX_NUM_PLANES 3 --#define MSM_CPP_MAX_FRAME_LENGTH 1024 -+#define MSM_CPP_MIN_FRAME_LENGTH 13 -+#define MSM_CPP_MAX_FRAME_LENGTH 2048 - #define MSM_CPP_MAX_FW_NAME_LEN 32 - #define MAX_FREQ_TBL 10 - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2014-9889/3.4/1.patch b/Patches/Linux_CVEs/CVE-2014-9889/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9889/3.4/1.patch rename to Patches/Linux_CVEs/CVE-2014-9889/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9890/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9890/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9890/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9890/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9891/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9891/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9891/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9891/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9892/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9892/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9892/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9892/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2014-9893/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9893/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9893/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9893/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9894/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9894/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9894/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9894/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9895/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9895/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9895/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9895/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9895/ANY/1.patch b/Patches/Linux_CVEs/CVE-2014-9895/ANY/1.patch
deleted file mode 100644
index 334246f6..00000000
--- a/Patches/Linux_CVEs/CVE-2014-9895/ANY/1.patch
+++ /dev/null
@@ -1,36 +0,0 @@ -From c88e739b1fad662240e99ecbd0bdaac871717987 Mon Sep 17 00:00:00 2001 -From: Dan Carpenter -Date: Sat, 13 Apr 2013 06:32:15 -0300 -Subject: [PATCH] [media] media: info leak in __media_device_enum_links() - -These structs have holes and reserved struct members which aren't -cleared. I've added a memset() so we don't leak stack information. - -Signed-off-by: Dan Carpenter -Signed-off-by: Laurent Pinchart -Signed-off-by: Mauro Carvalho Chehab ---- - drivers/media/media-device.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c -index 1957c0df08fdb..d5a7a135f75d3 100644 ---- a/drivers/media/media-device.c -+++ b/drivers/media/media-device.c -@@ -142,6 +142,8 @@ static long __media_device_enum_links(struct media_device *mdev, - - for (p = 0; p < entity->num_pads; p++) { - struct media_pad_desc pad; -+ -+ memset(&pad, 0, sizeof(pad)); - media_device_kpad_to_upad(&entity->pads[p], &pad); - if (copy_to_user(&links->pads[p], &pad, sizeof(pad))) - return -EFAULT; -@@ -159,6 +161,7 @@ static long __media_device_enum_links(struct media_device *mdev, - if (entity->links[l].source->entity != entity) - continue; - -+ memset(&link, 0, sizeof(link)); - media_device_kpad_to_upad(entity->links[l].source, - &link.source); - media_device_kpad_to_upad(entity->links[l].sink, diff --git a/Patches/Linux_CVEs/CVE-2014-9896/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9896/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9896/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9896/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9897/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9897/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9897/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9897/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2014-9898/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9898/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9898/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9898/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9899/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9899/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9899/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9899/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9900/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9900/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9900/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9900/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9901/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9901/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9901/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9901/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9902/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9902/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2014-9902/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2014-9902/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2014-9902/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2014-9902/ANY/0002.patch
new file mode 100644
index 00000000..c7b0144d
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2014-9902/ANY/0002.patch
@@ -0,0 +1,61 @@ +From 3b1c44a3a7129dc25abe2c23543f6f66c59e8f50 Mon Sep 17 00:00:00 2001 +From: Kiran Kumar Lokere +Date: Thu, 7 Nov 2013 19:01:17 -0800 +Subject: Fix the buffer overflow issue observed in static code analysis. + +Fix the possible buffer overflow in IE parsing. + +Change-Id: I1a386ac09dbe30562fbd84739eb8d61c6a09b001 +CRs-Fixed: 553937, 553941 +--- + CORE/MAC/src/include/dot11f.h | 2 +- + CORE/SYS/legacy/src/utils/src/dot11f.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/CORE/MAC/src/include/dot11f.h b/CORE/MAC/src/include/dot11f.h +index 3a82e65..cc89258 100644 +--- a/CORE/MAC/src/include/dot11f.h ++++ b/CORE/MAC/src/include/dot11f.h +@@ -52,7 +52,7 @@ + * + * + * This file was automatically generated by 'framesc' +- * Tue Jul 2 15:39:44 2013 from the following file(s): ++ * Thu Nov 7 16:38:38 2013 from the following file(s): + * + * dot11f.frms + * +diff --git a/CORE/SYS/legacy/src/utils/src/dot11f.c b/CORE/SYS/legacy/src/utils/src/dot11f.c +index 411f593..1b89baa 100644 +--- a/CORE/SYS/legacy/src/utils/src/dot11f.c ++++ b/CORE/SYS/legacy/src/utils/src/dot11f.c +@@ -29,7 +29,7 @@ + * + * + * This file was automatically generated by 'framesc' +- * Tue Jul 2 15:39:44 2013 from the following file(s): ++ * Thu Nov 7 16:38:38 2013 from the following file(s): + * + * dot11f.frms + * +@@ -2976,7 +2976,7 @@ tANI_U32 dot11fUnpackIeCountry(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen + else + { + pDst->num_triplets = (tANI_U8)( ielen / 3 ); +- if (ielen / 3 > 84){ ++ if (ielen > 84 * 3){ + pDst->present = 0; + return DOT11F_SKIPPED_BAD_IE; + } +@@ -4650,7 +4650,7 @@ tANI_U32 dot11fUnpackIeSuppChannels(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 + if (pDst->present) status = DOT11F_DUPLICATE_IE; + pDst->present = 1; + pDst->num_bands = (tANI_U8)( ielen / 2 ); +- if (ielen / 2 > 48){ ++ if (ielen > 48 * 2){ + pDst->present = 0; + return DOT11F_SKIPPED_BAD_IE; + } +-- +cgit v1.1 + 
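Review bot: In the two dot11f.c hunks the corrected guard still runs after the count is stored: `pDst->num_triplets = (tANI_U8)( ielen / 3 );` precedes `if (ielen > 84 * 3)`, and `pDst->num_bands` precedes `if (ielen > 48 * 2)`, so a rejected IE leaves a count derived from the oversized length in `pDst` with only `present` cleared. Testing the length first and assigning the count afterwards would remove that stale value for any reader that does not check `present` (no such reader is visible here). The limits are bare literals; a comment such as `/* 84 triplets of 3 bytes, presumably the capacity of the destination array */`, or a `sizeof` on the destination, would tie the guard to the buffer it protects. Both files carry a "generated by 'framesc'" banner, so the change presumably has to be made in the generator input as well or it is lost on regeneration. Both unpack functions continue outside their hunks.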
diff --git a/Patches/Linux_CVEs/CVE-2014-9903/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9903/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9903/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9903/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9904/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9904/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9904/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9904/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9914/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9914/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9914/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9914/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9922/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9922/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9922/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9922/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2014-9922/ANY/1.patch b/Patches/Linux_CVEs/CVE-2014-9922/ANY/1.patch deleted file mode 100644 index 43274984..00000000 --- a/Patches/Linux_CVEs/CVE-2014-9922/ANY/1.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff --git a/fs/sdcardfs/main.c b/fs/sdcardfs/main.c -index a652228..8b51a12 100755 ---- a/fs/sdcardfs/main.c -+++ b/fs/sdcardfs/main.c -@@ -223,6 +223,13 @@ - atomic_inc(&lower_sb->s_active); - sdcardfs_set_lower_super(sb, lower_sb); - -+ sb->s_stack_depth = lower_sb->s_stack_depth + 1; -+ if (sb->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) { -+ pr_err("sdcardfs: maximum fs stacking depth exceeded\n"); -+ err = -EINVAL; -+ goto out_sput; -+ } -+ - /* inherit maxbytes from lower file system */ - sb->s_maxbytes = lower_sb->s_maxbytes; - diff --git a/Patches/Linux_CVEs/CVE-2014-9922/ANY/1.patch.base64 b/Patches/Linux_CVEs/CVE-2014-9922/ANY/1.patch.base64 deleted file mode 100644 index 5fd0f880..00000000 
--- a/Patches/Linux_CVEs/CVE-2014-9922/ANY/1.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2014-9940/ANY/0.patch b/Patches/Linux_CVEs/CVE-2014-9940/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2014-9940/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2014-9940/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2015-0569/3.10/2.patch b/Patches/Linux_CVEs/CVE-2015-0569/3.10/2.patch deleted file mode 100644 index d347a8d5..00000000 --- a/Patches/Linux_CVEs/CVE-2015-0569/3.10/2.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From f31e58289c8ebded58ffe1d4709e2f878765b0a6 Mon Sep 17 00:00:00 2001 -From: Amarnath Hullur Subramanyam -Date: Wed, 28 Oct 2015 17:38:59 -0700 -Subject: [PATCH] qcacld 2.0: Address buffer overflow due to invalid length - -prima to qcacld-2.0 propagation - -Check for valid length before copying the packet filter data from -userspace buffer to kernel space buffer to avoid buffer overflow -issue. - -CRs-Fixed: 930533 -Git-commit: a079d716b5481223f0166c644e9ec7c75a31b02c -Bug: 25344453 -Signed-off-by: Amarnath Hullur Subramanyam ---- - drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c -index 93136df4e2480..0b1ee2477e158 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c -@@ -8376,6 +8376,9 @@ int wlan_hdd_set_filter(hdd_context_t *pHddCtx, tpPacketFilterCfg pRequest, - - hddLog(VOS_TRACE_LEVEL_INFO, "Data Offset %d Data Len %d", - pRequest->paramsData[i].dataOffset, pRequest->paramsData[i].dataLength); -+ if ((sizeof(packetFilterSetReq.paramsData[i].compareData)) < -+ (pRequest->paramsData[i].dataLength)) -+ return -EINVAL; - - memcpy(&packetFilterSetReq.paramsData[i].compareData, - pRequest->paramsData[i].compareData, pRequest->paramsData[i].dataLength); diff --git a/Patches/Linux_CVEs/CVE-2015-0569/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-0569/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-0569/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-0569/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2015-0569/ANY/1.patch b/Patches/Linux_CVEs/CVE-2015-0569/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-0569/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2015-0569/ANY/0002.patch 
diff --git a/Patches/Linux_CVEs/CVE-2015-0570/3.10/2.patch b/Patches/Linux_CVEs/CVE-2015-0570/3.10/2.patch
deleted file mode 100644
index 20d81dd3..00000000
--- a/Patches/Linux_CVEs/CVE-2015-0570/3.10/2.patch
+++ /dev/null
@@ -1,185 +0,0 @@ -From 255dd931573beb3afca15909f483f26db22a5c98 Mon Sep 17 00:00:00 2001 -From: Amarnath Hullur Subramanyam -Date: Wed, 28 Oct 2015 20:58:02 -0700 -Subject: [PATCH] qcacld 2.0: Validate ioctls for valid input length - -prima to qcacld-2.0 propagation - -Return failure to applications if ioctl is invoked with arguments -of improper length. - -CRs-Fixed: 930542 -Git-commit: 8bd73c3452ab22ba9bdbaac5ab12de2ed25fcb9d -Bug: 25344453 -Signed-off-by: Amarnath Hullur Subramanyam ---- - .../qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c | 62 +++++++++++++++++----- - 1 file changed, 48 insertions(+), 14 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c -index 1f56db21d64dd..51ee5474a53d1 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c -@@ -3880,6 +3880,7 @@ static int iw_softap_setwpsie(struct net_device *dev, - u_int8_t WPSIeType; - u_int16_t length; - struct iw_point s_priv_data; -+ int ret = 0; - - ENTER(); - -@@ -3925,9 +3926,8 @@ static int iw_softap_setwpsie(struct net_device *dev, - case DOT11F_EID_WPA: - if (wps_genie[1] < 2 + 4) - { -- vos_mem_free(pSap_WPSIe); -- kfree(fwps_genie); -- return -EINVAL; -+ ret = -EINVAL; -+ goto exit; - } - else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) - { -@@ -3985,6 +3985,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E)) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length); - pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT; - pos += length; -@@ -3999,9 +4004,8 @@ static int iw_softap_setwpsie(struct net_device *dev, - - default: - hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)", (*pos<<8 | *(pos+1))); -- 
vos_mem_free(pSap_WPSIe); -- kfree(fwps_genie); -- return -EINVAL; -+ ret = -EINVAL; -+ goto exit; - } - } - } -@@ -4013,9 +4017,8 @@ static int iw_softap_setwpsie(struct net_device *dev, - - default: - hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]); -- vos_mem_free(pSap_WPSIe); -- kfree(fwps_genie); -- return 0; -+ ret = -EINVAL; -+ goto exit; - } - } - else if( wps_genie[0] == eQC_WPS_PROBE_RSP_IE) -@@ -4027,9 +4030,8 @@ static int iw_softap_setwpsie(struct net_device *dev, - case DOT11F_EID_WPA: - if (wps_genie[1] < 2 + 4) - { -- vos_mem_free(pSap_WPSIe); -- kfree(fwps_genie); -- return -EINVAL; -+ ret = -EINVAL; -+ goto exit; - } - else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) - { -@@ -4093,6 +4095,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length); - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT; - pos += length; -@@ -4102,6 +4109,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length; - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length); - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MANUFACTURE_PRESENT; -@@ -4112,6 +4124,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length; - 
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length); - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNAME_PRESENT; -@@ -4121,6 +4138,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length; - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length); - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT; -@@ -4130,6 +4152,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length; - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length); - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT; -@@ -4153,6 +4180,11 @@ static int iw_softap_setwpsie(struct net_device *dev, - pos += 2; - length = *pos<<8 | *(pos+1); - pos += 2; -+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text))) -+ { -+ ret = -EINVAL; -+ goto exit; -+ } - pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length; - vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length); - pos += length; -@@ -4189,6 +4221,8 @@ static int iw_softap_setwpsie(struct net_device *dev, - #else - halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe); - #endif -+ if (halStatus != eHAL_STATUS_SUCCESS) -+ ret = -EINVAL; - pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter); - if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE) - { -@@ -4200,11 +4234,11 @@ static int 
iw_softap_setwpsie(struct net_device *dev, - WLANSAP_Update_WpsIe ( pVosContext ); - #endif - } -- -+exit: - vos_mem_free(pSap_WPSIe); - kfree(fwps_genie); - EXIT(); -- return halStatus; -+ return ret; - } - - static int iw_softap_stopbss(struct net_device *dev, diff --git a/Patches/Linux_CVEs/CVE-2015-0570/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-0570/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-0570/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-0570/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2015-0570/ANY/1.patch b/Patches/Linux_CVEs/CVE-2015-0570/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-0570/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2015-0570/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2015-0571/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0001.patch new file mode 100644 index 00000000..27955d7c --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0001.patch 
@@ -0,0 +1,39 @@ +From 6feb2faf80a05940618aa2eef2b62e4e2e54f148 Mon Sep 17 00:00:00 2001 +From: Mukul Sharma +Date: Tue, 27 Oct 2015 23:42:45 +0530 +Subject: wlan:Check priviledge permission before processing SET_OEM_DATA_REQ + IOCTL + +Kernel assumes all SET IOCTL commands are assigned with even +numbers. But in our WLAN driver, some SET IOCTLS are assigned with +odd numbers. This leads kernel fail to check, for some SET IOCTLs, +whether user has the right permission to do SET operation. +Hence, in driver, before processing SET_OEM_DATA_REQ IOCTLs, making +sure user task has right permission to process the command. + +Change-Id: Ida0133304b00627d01ef7f85f5b15ed9d404d443 +CRs-Fixed: 930549 +--- + CORE/HDD/src/wlan_hdd_oemdata.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/CORE/HDD/src/wlan_hdd_oemdata.c b/CORE/HDD/src/wlan_hdd_oemdata.c +index 17e3689..1aef257 100644 +--- a/CORE/HDD/src/wlan_hdd_oemdata.c ++++ b/CORE/HDD/src/wlan_hdd_oemdata.c +@@ -200,6 +200,12 @@ static int __iw_set_oem_data_req(struct net_device *dev, + + ENTER(); + ++ if (!capable(CAP_NET_ADMIN)) { ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, ++ FL("permission check failed")); ++ return -EPERM; ++ } ++ + if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) + { + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL, +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2015-0571/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0002.patch new file mode 100644 index 00000000..ddf971b2 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0002.patch 
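Review bot: The `capable(CAP_NET_ADMIN)` guard is added handler by handler (this patch and 0002–0008 of the same series), although the commit messages give the cause as SET ioctls being numbered odd so that the kernel's own permission check is skipped; any odd-numbered SET handler the series does not touch would stay callable without the capability, which cannot be confirmed from these hunks. A comment at each guard would keep the reason next to the code, for example `/* odd-numbered SET ioctl: the kernel does not check privileges for it, enforce CAP_NET_ADMIN here */`. Placement also differs between the patches: in 0001, 0004, 0006, 0007 and 0008 the guard follows `ENTER();` and returns without a matching `EXIT();`, and in 0003 it sits after `wlan_hdd_validate_context()` instead of coming first. Putting the guard ahead of `ENTER();` and of any context validation in every handler would make the series uniform and reject unprivileged callers before any other work. All of these handlers continue outside their hunks.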
@@ -0,0 +1,38 @@ +From fe4208157c899a5de4d6769d13f6620fc32ebfa9 Mon Sep 17 00:00:00 2001 +From: Hanumantha Reddy Pothula +Date: Thu, 29 Oct 2015 12:13:38 +0530 +Subject: wlan:Check priviledge permission for SET_CHANNEL_RANGE + +Kernel assumes all SET IOCTL commands are assigned with even +numbers. But in our WLAN driver, some SET IOCTLS are assigned with +odd numbers. This leads kernel fail to check, for some SET IOCTLs, +whether user has the right permission to do SET operation. +Hence, in driver, before processing SET_CHANNEL_RANGE IOCTL, +making sure user task has right permission to process the command. + +Change-Id: I48bcd55bee45203667bcc679db4ad96aa9e04b7c +CRs-Fixed: 930555 +--- + CORE/HDD/src/wlan_hdd_hostapd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c +index 270f5e1..c6cce50 100644 +--- a/CORE/HDD/src/wlan_hdd_hostapd.c ++++ b/CORE/HDD/src/wlan_hdd_hostapd.c +@@ -4231,6 +4231,12 @@ static int wlan_hdd_set_force_acs_ch_range(struct net_device *dev, + hdd_context_t *hdd_ctx = WLAN_HDD_GET_CTX(adapter); + int *value = (int *)extra; + ++ if (!capable(CAP_NET_ADMIN)) { ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, ++ FL("permission check failed")); ++ return -EPERM; ++ } ++ + if (wlan_hdd_validate_operation_channel(adapter, value[0]) != + VOS_STATUS_SUCCESS || + wlan_hdd_validate_operation_channel(adapter, value[1]) != +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2015-0571/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0003.patch new file mode 100644 index 00000000..9b0fcfa9 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0003.patch 
@@ -0,0 +1,39 @@ +From 0e53a89bfe0dbb50e0dde9a6960d274386247cd9 Mon Sep 17 00:00:00 2001 +From: Mukul Sharma +Date: Tue, 27 Oct 2015 23:17:10 +0530 +Subject: wlan:Check priviledge permission before processing SET_CHAR_GET_NONE + IOCTL + +Kernel assumes all SET IOCTL commands are assigned with even +numbers. But in our WLAN driver, some SET IOCTLS are assigned with +odd numbers. This leads kernel fail to check, for some SET IOCTLs, +whether user has the right permission to do SET operation. +Hence, in driver, before processing SET_CHAR_GET_NONE IOCTLs, making +sure user task has right permission to process the command. + +Change-Id: I7b060bcdc84f7016e8d301e994437a535533a260 +CRs-Fixed: 930935 +--- + CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c +index 668cd1d..610b61b 100644 +--- a/CORE/HDD/src/wlan_hdd_wext.c ++++ b/CORE/HDD/src/wlan_hdd_wext.c +@@ -7216,6 +7216,12 @@ static int __iw_setchar_getnone(struct net_device *dev, + if (0 != ret) + return ret; + ++ if (!capable(CAP_NET_ADMIN)){ ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, ++ FL("permission check failed")); ++ return -EPERM; ++ } ++ + /* helper function to get iwreq_data with compat handling. */ + if (hdd_priv_get_data(&s_priv_data, wrqu)) { + return -EINVAL; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2015-0571/ANY/0004.patch b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0004.patch new file mode 100644 index 00000000..7fea03a5 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0004.patch 
@@ -0,0 +1,39 @@ +From 88ce639e7a0bba852f193b6f53b7ca1926a09b02 Mon Sep 17 00:00:00 2001 +From: Mukul Sharma +Date: Tue, 27 Oct 2015 23:47:48 +0530 +Subject: wlan:Check priviledge permission before processing SET_PACKET_FILTER + IOCTL + +Kernel assumes all SET IOCTL commands are assigned with even +numbers. But in our WLAN driver, some SET IOCTLS are assigned with +odd numbers. This leads kernel fail to check, for some SET IOCTLs, +whether user has the right permission to do SET operation. +Hence, in driver, before processing SET_PACKET_FILTER IOCTL, making +sure user task has right permission to process the command. + +Change-Id: Ib49c3223eacdc90dfe0d45af1aff7c74518990df +CRs-Fixed: 930937 +--- + CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c +index 610b61b..67ed8a3 100644 +--- a/CORE/HDD/src/wlan_hdd_wext.c ++++ b/CORE/HDD/src/wlan_hdd_wext.c +@@ -10088,6 +10088,12 @@ static int __iw_set_packet_filter_params(struct net_device *dev, + + ENTER(); + ++ if (!capable(CAP_NET_ADMIN)) { ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, ++ FL("permission check failed")); ++ return -EPERM; ++ } ++ + hdd_ctx = WLAN_HDD_GET_CTX(pAdapter); + ret = wlan_hdd_validate_context(hdd_ctx); + if (0 != ret) +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2015-0571/ANY/0005.patch b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0005.patch new file mode 100644 index 00000000..d4a24982 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0005.patch 
@@ -0,0 +1,37 @@ +From 0858d21caf17d56f8d2353590c1ec245073222e0 Mon Sep 17 00:00:00 2001 +From: Mukul Sharma +Date: Tue, 27 Oct 2015 23:37:46 +0530 +Subject: wlan:Check priviledge permission for SET_VAR_INTS_GETNONE IOCTL + +Kernel assumes all SET IOCTL commands are assigned with even +numbers. But in our WLAN driver, some SET IOCTLS are assigned with +odd numbers. This leads kernel fail to check, for some SET IOCTLs, +whether user has the right permission to do SET operation. +Hence, in driver, before processing SET_VAR_INTS_GETNONE, making +sure user task has right permission to process the command. + +Change-Id: Icbdfe69c18c1ab3b75d63e046d5251307a794817 +CRs-Fixed: 930942 +--- + CORE/HDD/src/wlan_hdd_wext.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c +index 67ed8a3..27c1813 100644 +--- a/CORE/HDD/src/wlan_hdd_wext.c ++++ b/CORE/HDD/src/wlan_hdd_wext.c +@@ -8916,6 +8916,11 @@ static int iw_hdd_set_var_ints_getnone(struct net_device *dev, + int apps_args[MAX_VAR_ARGS] = {0}; + int ret, num_args; + ++ if (!capable(CAP_NET_ADMIN)) { ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, ++ FL("permission check failed")); ++ return -EPERM; ++ } + /* Helper function to get iwreq_data with compat handling. */ + if (hdd_priv_get_data(&u_priv_wrqu.data, wrqu)) + return -EINVAL; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2015-0571/ANY/0006.patch b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0006.patch new file mode 100644 index 00000000..29bc5599 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0006.patch 
@@ -0,0 +1,38 @@ +From 2905578424256be07e6b9d8c63bb83d40cc52a71 Mon Sep 17 00:00:00 2001 +From: Mukul Sharma +Date: Wed, 28 Oct 2015 00:26:02 +0530 +Subject: wlan:Check priviledge permission for QCSAP_IOCTL_SETWPSIE + +Kernel assumes all SET IOCTL commands are assigned with even +numbers. But in our WLAN driver, some SET IOCTLS are assigned with +odd numbers. This leads kernel fail to check, for some SET IOCTLs, +whether user has the right permission to do SET operation. +Hence, in driver, before processing QCSAP_IOCTL_SETWPSIE IOCTL, +making sure user task has right permission to process the command. + +Change-Id: Ie1c945afb0f109892beda66bab25647d70cc62d7 +CRs-Fixed: 930944 +--- + CORE/HDD/src/wlan_hdd_hostapd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c +index e4e1a63..52402ff 100644 +--- a/CORE/HDD/src/wlan_hdd_hostapd.c ++++ b/CORE/HDD/src/wlan_hdd_hostapd.c +@@ -5130,6 +5130,12 @@ static int __iw_softap_setwpsie(struct net_device *dev, + + ENTER(); + ++ if (!capable(CAP_NET_ADMIN)) { ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, ++ FL("permission check failed")); ++ return -EPERM; ++ } ++ + hdd_ctx = WLAN_HDD_GET_CTX(pHostapdAdapter); + ret = wlan_hdd_validate_context(hdd_ctx); + if (0 != ret) +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2015-0571/ANY/0007.patch b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0007.patch new file mode 100644 index 00000000..c02c77cc --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0007.patch 
@@ -0,0 +1,38 @@
+From be62ecde85228b91c66fb047e27d25132f56bd0d Mon Sep 17 00:00:00 2001
+From: Mukul Sharma
+Date: Wed, 28 Oct 2015 00:29:03 +0530
+Subject: wlan:Check priviledge permission for QCSAP_IOCTL_DISASSOC_STA
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing QCSAP_IOCTL_DISASSOC_STA IOCTL,
+making sure user task has right permission to process the command.
+
+Change-Id: I00919a56e93b8b49bce7a314b50f9f48039fbe6f
+CRs-Fixed: 930946
+---
+ CORE/HDD/src/wlan_hdd_hostapd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
+index 52402ff..9a96d5e 100644
+--- a/CORE/HDD/src/wlan_hdd_hostapd.c
++++ b/CORE/HDD/src/wlan_hdd_hostapd.c
+@@ -4066,6 +4066,12 @@ static __iw_softap_disassoc_sta(struct net_device *dev,
+
+ ENTER();
+
++ if (!capable(CAP_NET_ADMIN)) {
++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++ FL("permission check failed"));
++ return -EPERM;
++ }
++
+ hdd_ctx = WLAN_HDD_GET_CTX(pHostapdAdapter);
+ ret = wlan_hdd_validate_context(hdd_ctx);
+ if (0 != ret)
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/ANY/0008.patch b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0008.patch
new file mode 100644
index 00000000..266962e0
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0008.patch
@@ -0,0 +1,38 @@
+From aaeeed43f9597631982835481c7cf2621f6455f0 Mon Sep 17 00:00:00 2001
+From: Hanumantha Reddy Pothula
+Date: Wed, 28 Oct 2015 00:23:45 +0530
+Subject: wlan:Check priviledge permission for SET_THREE_INT_GET_NONE
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_THREE_INT_GET_NONE IOCTL,
+making sure user task has right permission to process the command.
+
+Change-Id: I3c695160d637ed87b04ccf3299985055a9791c4b
+CRs-Fixed: 930948
+---
+ CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
+index c1ba718..28a280b 100644
+--- a/CORE/HDD/src/wlan_hdd_wext.c
++++ b/CORE/HDD/src/wlan_hdd_wext.c
+@@ -7959,6 +7959,12 @@ static int __iw_set_three_ints_getnone(struct net_device *dev,
+
+ ENTER();
+
++ if (!capable(CAP_NET_ADMIN)) {
++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++ FL("permission check failed"));
++ return -EPERM;
++ }
++
+ ret = wlan_hdd_validate_context(hdd_ctx);
+ if (0 != ret)
+ return ret;
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/ANY/0009.patch b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0009.patch
new file mode 100644
index 00000000..1d9fd9b9
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0009.patch
@@ -0,0 +1,38 @@
+From 6642bccf3ed8cba176dee7d4bbc21fc4580efb7b Mon Sep 17 00:00:00 2001
+From: Mukul Sharma
+Date: Tue, 27 Oct 2015 23:51:02 +0530
+Subject: wlan:Check priviledge permission for SET_BAND_CONFIG IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_BAND_CONFIG IOCTL, making
+sure user task has right permission to process the command.
+
+Change-Id: Ie8a36bfa07a7b21601364b27b3c4bc888a6a5b4e
+CRs-Fixed: 930952
+---
+ CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
+index 27c1813..3240c90 100644
+--- a/CORE/HDD/src/wlan_hdd_wext.c
++++ b/CORE/HDD/src/wlan_hdd_wext.c
+@@ -10816,6 +10816,12 @@ static int __iw_set_band_config(struct net_device *dev,
+ if (0 != ret)
+ return ret;
+
++ if (!capable(CAP_NET_ADMIN)) {
++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++ FL("permission check failed"));
++ return -EPERM;
++ }
++
+ return hdd_setBand(dev, value[0]);
+ }
+
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/ANY/0010.patch b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0010.patch
new file mode 100644
index 00000000..44684fad
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0010.patch
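Review bot: In __iw_set_band_config (0009.patch) the `capable(CAP_NET_ADMIN)` check sits after the earlier `if (0 != ret) return ret;` and directly before `return hdd_setBand(dev, value[0]);`, whereas the sibling handlers in this series check right after `ENTER()`. An unprivileged caller therefore still runs whatever the handler does before this point; that part is outside the hunk, so its cost and side effects cannot be judged here. I would move the five-line guard to the top of the function so the request is rejected before any of its arguments are processed.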
@@ -0,0 +1,38 @@
+From 6665a9697b404acf4d2e7d52d9c2b19512c9b239 Mon Sep 17 00:00:00 2001
+From: Mukul Sharma
+Date: Tue, 27 Oct 2015 23:56:37 +0530
+Subject: wlan:Check priviledge permission for SET_POWER_PARAMS IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing SET_POWER_PARAMS IOCTL, making
+sure user task has right permission to process the command.
+
+Change-Id: Ie930c9723ecbd54ae0e6bf6506815301e0387932
+CRs-Fixed: 930953
+---
+ CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
+index 3240c90..b7448c3 100644
+--- a/CORE/HDD/src/wlan_hdd_wext.c
++++ b/CORE/HDD/src/wlan_hdd_wext.c
+@@ -10846,6 +10846,12 @@ static int __iw_set_power_params_priv(struct net_device *dev,
+ char *ptr;
+
+ ENTER();
++
++ if (!capable(CAP_NET_ADMIN)) {
++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++ FL("permission check failed"));
++ return -EPERM;
++ }
+ /* ODD number is used for set, copy data using copy_from_user */
+ ptr = mem_alloc_copy_from_user_helper(wrqu->data.pointer,
+ wrqu->data.length);
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/ANY/0011.patch b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0011.patch
new file mode 100644
index 00000000..e02a099e
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0011.patch
@@ -0,0 +1,38 @@
+From 9eeafd788f53cc37c169b299f91ca9c558b228f9 Mon Sep 17 00:00:00 2001
+From: Mukul Sharma
+Date: Tue, 27 Oct 2015 23:54:05 +0530
+Subject: wlan:Check priviledge permission for CLEAR_MCBC_FILTER IOCTL
+
+Kernel assumes all SET IOCTL commands are assigned with even
+numbers. But in our WLAN driver, some SET IOCTLS are assigned with
+odd numbers. This leads kernel fail to check, for some SET IOCTLs,
+whether user has the right permission to do SET operation.
+Hence, in driver, before processing CLEAR_MCBC_FILTER IOCTL, making
+sure user task has right permission to process the command.
+
+Change-Id: I9b50fcc0eeb1c1eb3493eab573f4421b52f0ea9a
+CRs-Fixed: 930954
+---
+ CORE/HDD/src/wlan_hdd_wext.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
+index b7448c3..c1ba718 100644
+--- a/CORE/HDD/src/wlan_hdd_wext.c
++++ b/CORE/HDD/src/wlan_hdd_wext.c
+@@ -9458,6 +9458,12 @@ static int __iw_clear_dynamic_mcbc_filter(struct net_device *dev,
+ tpSirWlanSetRxpFilters wlanRxpFilterParam;
+
+ ENTER();
++
++ if (!capable(CAP_NET_ADMIN)) {
++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++ FL("permission check failed"));
++ return -EPERM;
++ }
+ //Reset the filter to INI value as we have to clear the dynamic filter
+ pHddCtx->configuredMcastBcastFilter = pHddCtx->cfg_ini->mcastBcastFilterSetting;
+
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/ANY/0012.patch b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0012.patch
new file mode 100644
index 00000000..46f616ef
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0012.patch
@@ -0,0 +1,44 @@
+From 55bdc6d1c88a100dc4a71bf855b69db522c9b5b5 Mon Sep 17 00:00:00 2001
+From: Jeff Johnson
+Date: Tue, 27 Oct 2015 13:29:21 -0700
+Subject: qcacld-2.0: Add privilege check for QCSAP_IOCTL_WOWL_CONFIG_PTRN
+
+By convention Wireless Extension SET ioctls are supposed to be
+assigned even ioctl numbers. But in our WLAN driver some SET ioctls
+were assigned odd numbers. This means the kernel will fail to check,
+for those particular SET ioctls, whether or not the user has the right
+permission to do SET operations. QCSAP_IOCTL_WOWL_CONFIG_PTRN is one
+such ioctl.
+
+Ideally we would renumber this ioctl to conform to the Wireless
+Extensions convention. Unfortunately we don't know what userspace
+applications have this ioctl number hard-coded. Hence, in the driver,
+before processing the QCSAP_IOCTL_WOWL_CONFIG_PTRN ioctl, make sure
+the user task has the right permission to execute the command.
+
+Change-Id: Id61c1ec8dbbe4bbec2b032e12ffcc6139bb78b14
+CRs-Fixed: 931127
+---
+ CORE/HDD/src/wlan_hdd_hostapd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
+index 9a96d5e..270f5e1 100644
+--- a/CORE/HDD/src/wlan_hdd_hostapd.c
++++ b/CORE/HDD/src/wlan_hdd_hostapd.c
+@@ -2525,6 +2525,12 @@ static __iw_softap_wowl_config_pattern(struct net_device *dev,
+ hdd_adapter_t *pAdapter = (netdev_priv(dev));
+ struct iw_point s_priv_data;
+
++ if (!capable(CAP_NET_ADMIN)) {
++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
++ FL("permission check failed"));
++ return -EPERM;
++ }
++
+ if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
+ {
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2015-0571/ANY/0013.patch b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0013.patch
new file mode 100644
index 00000000..3fb62d56
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2015-0571/ANY/0013.patch
@@ -0,0 +1,105 @@
+From fb9fb202c71547dba648c9b08d97645c6f42ca6e Mon Sep 17 00:00:00 2001
+From: Mahesh A Saptasagar
+Date: Wed, 28 Oct 2015 16:36:56 +0530
+Subject: qcacld 2.0: Validate WPA and RSN IE for valid length
+
+prima to qcacld-2.0 propagation
+
+Return failure to applications if genie ioctl is invoked to configure
+WPS/WPA/RSN IEs with arguments of improper length.
+
+Change-Id: I2e034ef9f2537922be35d46ce266e6b99dab7bb6
+CRs-Fixed: 931451
+---
+ CORE/HDD/src/wlan_hdd_wext.c | 34 +++++++++++++++++++++++++---------
+ 1 file changed, 25 insertions(+), 9 deletions(-)
+
+diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
+index 28a280b..4349e6b 100644
+--- a/CORE/HDD/src/wlan_hdd_wext.c
++++ b/CORE/HDD/src/wlan_hdd_wext.c
+@@ -2613,8 +2613,8 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
+ case IE_EID_VENDOR:
+ if ((IE_LEN_SIZE+IE_EID_SIZE+IE_VENDOR_OUI_SIZE) > eLen) /* should have at least OUI */
+ {
+- kfree(base_genie);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto exit;
+ }
+
+ if (0 == memcmp(&genie[0], "\x00\x50\xf2\x04", 4))
+@@ -2628,8 +2628,8 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
+ hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
+ "Need bigger buffer space");
+ VOS_ASSERT(0);
+- kfree(base_genie);
+- return -ENOMEM;
++ ret = -EINVAL;
++ goto exit;
+ }
+ // save to Additional IE ; it should be accumulated to handle WPS IE + other IE
+ memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2);
+@@ -2638,6 +2638,14 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
+ else if (0 == memcmp(&genie[0], "\x00\x50\xf2", 3))
+ {
+ hddLog (VOS_TRACE_LEVEL_INFO, "%s Set WPA IE (len %d)",__func__, eLen + 2);
++ if ((eLen + 2) > (sizeof(pWextState->WPARSNIE)))
++ {
++ hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
++ "Need bigger buffer space");
++ ret = -EINVAL;
++ VOS_ASSERT(0);
++ goto exit;
++ }
+ memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
+ memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2));
+ pWextState->roamProfile.pWPAReqIE = pWextState->WPARSNIE;
+@@ -2654,8 +2662,8 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
+ hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
+ "Need bigger buffer space");
+ VOS_ASSERT(0);
+- kfree(base_genie);
+- return -ENOMEM;
++ ret = -ENOMEM;
++ goto exit;
+ }
+ // save to Additional IE ; it should be accumulated to handle WPS IE + other IE
+ memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2);
+@@ -2664,6 +2672,14 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
+ break;
+ case DOT11F_EID_RSN:
+ hddLog (LOG1, "%s Set RSN IE (len %d)",__func__, eLen+2);
++ if ((eLen + 2) > (sizeof(pWextState->WPARSNIE)))
++ {
++ hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
++ "Need bigger buffer space");
++ ret = -EINVAL;
++ VOS_ASSERT(0);
++ goto exit;
++ }
+ memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
+ memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2));
+ pWextState->roamProfile.pRSNReqIE = pWextState->WPARSNIE;
+@@ -2672,15 +2688,15 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
+
+ default:
+ hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, elementId);
+- kfree(base_genie);
+- return 0;
++ goto exit;
+ }
+ genie += eLen;
+ remLen -= eLen;
+ }
++exit:
+ EXIT();
+ kfree(base_genie);
+- return 0;
++ return ret;
+ }
+
+ /**
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2015-0572/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-0572/ANY/0001.patch
new file mode 100644
index 00000000..7682c495
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2015-0572/ANY/0001.patch
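Review bot: The two new length guards in __iw_set_genie (0013.patch) compare against `sizeof(pWextState->WPARSNIE)` while the `memset` right below each of them clears `MAX_WPA_RSN_IE_LEN` bytes, so the check and the buffer operations use two different bounds. The declaration of WPARSNIE is not in the hunks; if it is a pointer, or is sized differently from the macro, the guard does not bound the `memcpy`, so I would test `if ((eLen + 2) > MAX_WPA_RSN_IE_LEN)` in both the WPA and the RSN branch. The first "Cannot accommodate genIE" branch also changes its result from `-ENOMEM` to `-EINVAL` while the second keeps `-ENOMEM`, which looks unintended. The `default:` case now returns `ret` through `exit:` where it used to return 0, so `ret` has to be initialised to 0 at its declaration, which lies outside these hunks.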
@@ -0,0 +1,143 @@
+From 34ad3d34fbff11b8e1210b9da0dac937fb956b61 Mon Sep 17 00:00:00 2001
+From: Sathish Ambley
+Date: Wed, 10 Jun 2015 00:39:41 -0700
+Subject: msm: ADSPRPC: Do not access user memory directly
+
+The buffers being passed in the invocation are copied from user
+memory into the context using copy_from_user. Lookup the buffer
+pointers from the context where it was copied rather than directly
+accessing it from the user memory.
+
+Change-Id: Ief5a840f17f6287ebd48b4ae52facaccb271fab8
+Signed-off-by: Sathish Ambley
+---
+ drivers/char/adsprpc.c | 27 ++++++++++++++-------------
+ drivers/char/adsprpc_compat.c | 15 +++++++--------
+ 2 files changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
+index a3d0b7f..1eec274 100644
+--- a/drivers/char/adsprpc.c
++++ b/drivers/char/adsprpc.c
+@@ -652,8 +652,7 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd, uintptr_t va,
+ static int fastrpc_mmap_create_physical(struct fastrpc_file *fl,
+ struct fastrpc_ioctl_mmap *ud, struct fastrpc_mmap **ppmap);
+
+-static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
+- remote_arg_t *upra)
++static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
+ {
+ remote_arg64_t *rpra;
+ remote_arg_t *lpra = ctx->lpra;
+@@ -793,9 +792,9 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
+ }
+ inh = inbufs + outbufs;
+ for (i = 0; i < REMOTE_SCALARS_INHANDLES(sc); i++) {
+- rpra[inh + i].buf.pv = ptr_to_uint64(upra[inh + i].buf.pv);
+- rpra[inh + i].buf.len = upra[inh + i].buf.len;
+- rpra[inh + i].h = upra[inh + i].h;
++ rpra[inh + i].buf.pv = ptr_to_uint64(ctx->lpra[inh + i].buf.pv);
++ rpra[inh + i].buf.len = ctx->lpra[inh + i].buf.len;
++ rpra[inh + i].h = ctx->lpra[inh + i].h;
+ }
+ dmac_flush_range((char *)rpra, (char *)rpra + ctx->used);
+ bail:
+@@ -807,7 +806,7 @@ static int put_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
+ {
+ uint32_t sc = ctx->sc;
+ remote_arg64_t *rpra = ctx->rpra;
+- int i, inbufs, outbufs, outh;
++ int i, inbufs, outbufs, outh, num;
+ int err = 0;
+
+ inbufs = REMOTE_SCALARS_INBUFS(sc);
+@@ -815,7 +814,7 @@ static int put_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
+ for (i = inbufs; i < inbufs + outbufs; ++i) {
+ if (!ctx->maps[i]) {
+ K_COPY_TO_USER(err, kernel,
+- upra[i].buf.pv,
++ ctx->lpra[i].buf.pv,
+ uint64_to_ptr(rpra[i].buf.pv),
+ rpra[i].buf.len);
+ if (err)
+@@ -825,11 +824,13 @@ static int put_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
+ ctx->maps[i] = 0;
+ }
+ }
+- outh = inbufs + outbufs + REMOTE_SCALARS_INHANDLES(sc);
+- for (i = 0; i < REMOTE_SCALARS_OUTHANDLES(sc); i++) {
+- upra[outh + i].buf.pv = uint64_to_ptr(rpra[outh + i].buf.pv);
+- upra[outh + i].buf.len = rpra[outh + i].buf.len;
+- upra[outh + i].h = rpra[outh + i].h;
++ num = REMOTE_SCALARS_OUTHANDLES(sc);
++ if (num) {
++ outh = inbufs + outbufs + REMOTE_SCALARS_INHANDLES(sc);
++ K_COPY_TO_USER(err, kernel, &upra[outh], &ctx->lpra[outh],
++ num * sizeof(*ctx->lpra));
++ if (err)
++ goto bail;
+ }
+ bail:
+ return err;
+@@ -992,7 +993,7 @@ static int fastrpc_internal_invoke(struct fastrpc_file *fl, uint32_t mode,
+ goto bail;
+
+ if (REMOTE_SCALARS_LENGTH(ctx->sc)) {
+- VERIFY(err, 0 == get_args(kernel, ctx, invoke->pra));
++ VERIFY(err, 0 == get_args(kernel, ctx));
+ if (err)
+ goto bail;
+ }
+diff --git a/drivers/char/adsprpc_compat.c b/drivers/char/adsprpc_compat.c
+index 2956702..ee324dc 100644
+--- a/drivers/char/adsprpc_compat.c
++++ b/drivers/char/adsprpc_compat.c
+@@ -98,8 +98,9 @@ static int compat_get_fastrpc_ioctl_invoke(
+ if (err)
+ return -EFAULT;
+
+- inv->inv.pra = (union remote_arg *)(inv + 1);
+- err = put_user(sc, &inv->inv.sc);
++ pra = (union remote_arg *)(inv + 1);
++ err = put_user(pra, &inv->inv.pra);
++ err |= put_user(sc, &inv->inv.sc);
+ err |= get_user(u, &inv32->inv.handle);
+ err |= put_user(u, &inv->inv.handle);
+ err |= get_user(p, &inv32->inv.pra);
+@@ -107,12 +108,11 @@ static int compat_get_fastrpc_ioctl_invoke(
+ return err;
+
+ pra32 = compat_ptr(p);
+- pra = inv->inv.pra;
++ pra = (union remote_arg *)(inv + 1);
+ num = REMOTE_SCALARS_INBUFS(sc) + REMOTE_SCALARS_OUTBUFS(sc);
+ for (j = 0; j < num; j++) {
+ err |= get_user(p, &pra32[j].buf.pv);
+- pra[j].buf.pv = 0;
+- err |= put_user(p, (compat_uptr_t *)&pra[j].buf.pv);
++ err |= put_user(p, (uintptr_t *)&pra[j].buf.pv);
+ err |= get_user(s, &pra32[j].buf.len);
+ err |= put_user(s, &pra[j].buf.len);
+ }
+@@ -121,7 +121,7 @@ static int compat_get_fastrpc_ioctl_invoke(
+ err |= put_user(u, &pra[num + j].h);
+ }
+
+- inv->fds = NULL;
++ err |= put_user(NULL, &inv->fds);
+ if (cmd == COMPAT_FASTRPC_IOCTL_INVOKE_FD) {
+ err |= get_user(p, &inv32->fds);
+ err |= put_user(p, (compat_uptr_t *)&inv->fds);
+@@ -173,8 +173,7 @@ static int compat_get_fastrpc_ioctl_mmap(
+ err |= get_user(u, &map32->flags);
+ err |= put_user(u, &map->flags);
+ err |= get_user(p, &map32->vaddrin);
+- map->vaddrin = NULL;
+- err |= put_user(p, (compat_uptr_t *)&map->vaddrin);
++ err |= put_user(p, (uintptr_t *)&map->vaddrin);
+ err |= get_user(s, &map32->size);
+ err |= put_user(s, &map->size);
+
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2015-0573/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-0573/ANY/0001.patch
new file mode 100644
index 00000000..3af61d83
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2015-0573/ANY/0001.patch
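Review bot: In put_args (CVE-2015-0572 0001.patch) the out-handle write-back now copies `&ctx->lpra[outh]` to user space, but the removed loop took those values from `rpra[outh + i]`, and nothing in the hunk refreshes `ctx->lpra` from `rpra` first. Unless that happens elsewhere (put_args is only partly visible here), the caller gets back its own input rather than the handles the remote side returned. Staging the values in the kernel copy before the single `K_COPY_TO_USER` keeps the fix's property of never dereferencing `upra` directly while restoring the old result; a sketch of the added loop follows.

```c
		outh = inbufs + outbufs + REMOTE_SCALARS_INHANDLES(sc);
		/* stage the remote's out-handle values in the kernel copy */
		for (i = 0; i < num; i++) {
			ctx->lpra[outh + i].buf.pv =
				uint64_to_ptr(rpra[outh + i].buf.pv);
			ctx->lpra[outh + i].buf.len = rpra[outh + i].buf.len;
			ctx->lpra[outh + i].h = rpra[outh + i].h;
		}
		/* … unchanged: K_COPY_TO_USER from &ctx->lpra[outh], error check … */
```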
@@ -0,0 +1,12987 @@ +From e20f20aaed6b6d2fd1667bad9be9ef35103a51df Mon Sep 17 00:00:00 2001 +From: Liron Kuch +Date: Sun, 6 Sep 2015 11:19:39 +0300 +Subject: msm: broadcast: Remove unused TSC and TSPP2 drivers + +TSC and TSPP2 were HW blocks in MPQ8092 target which is +no longer supported. Remove TSC and TSPP2 drivers to +eliminate unused code. + +Change-Id: Ibb55ae0d15b33ba5855bde69e78925d23def3c6b +Signed-off-by: Liron Kuch +--- + Documentation/arm/msm/tsc.txt | 398 -- + Documentation/arm/msm/tspp2.txt | 497 -- + drivers/media/platform/msm/broadcast/Makefile | 2 - + drivers/media/platform/msm/broadcast/tsc.c | 3450 ---------- + drivers/media/platform/msm/broadcast/tspp2.c | 8578 ------------------------- + 5 files changed, 12925 deletions(-) + delete mode 100644 Documentation/arm/msm/tsc.txt + delete mode 100644 Documentation/arm/msm/tspp2.txt + delete mode 100644 drivers/media/platform/msm/broadcast/tsc.c + delete mode 100644 drivers/media/platform/msm/broadcast/tspp2.c + +diff --git a/Documentation/arm/msm/tsc.txt b/Documentation/arm/msm/tsc.txt +deleted file mode 100644 +index 11e74a2..0000000 +--- a/Documentation/arm/msm/tsc.txt ++++ /dev/null +@@ -1,398 +0,0 @@ +-Introduction +-============ +- +-TSC Driver +- +-The TSC (Transport Stream Controller) is a hardware block used in products such +-as smart TVs, Set-top boxes and digital media adapters, and is responsible for +-two main functionalities: +- +-1. Mux function: enabling the routing of MPEG-2 transport streams (TS) received +-from terrestrial/cable/satelite in order to support the different topologies of +-the end product, as it may be deployed in many different topologies. +-In addition, the active topology may change according to various factors such as +-broadcast technology and/or conditional access system. +- +-2. CI function: acting as a common interface, complying with both PC Card and +-CI/+ specifications. +- +-The TSC driver has two different interfaces, one for each function. 
+- +-Hardware description +-==================== +-The TSC HW contains the TSC core, and uses the VBIF unit (IOMMU) which is part +-of the broadcast subsystem HW. +- +-Mux function: +-------------- +-The TSC can receive transport streams from: +-a. Two Transport Stream Interfaces (TSIFs) 0 or 1, connected to two external +-demods or to external bridge. +-b. One TSIF from an integrated demod. +- +-The TSC can route TS from any of the above TSIFs to an external CICAM, using a +-software configurable mux. +-The TSC can route TS from any of the above TSIFs, and TS received from the CI +-Conditional Access Mudule (CICAM) to two TSIF outputs (0 or 1), using two +-software configurable muexes. +-The CICAM input and outputs are also managed via two additional TSIFs: TSIF-out +-to the CAM, and TSIF-in from the CAM. +- +-CI function: +------------- +-The common interface is composed of: +-1. Card detection logic: the TSC notifies the SW of any change in the card +-detection status (via HW interrupt). +- +-2. Control interface used to send/receive the CI messages (APDUs), supporting +-data transmission in two formats: +-a. Single byte transactions: to/from the attribute memory space of the CAM and +- the command area of the CAM. +-b. Buffer transactions: to/from the command area of the CAM, using a +- configurable buffer size of 1k bytes-64k bytes. This enables transferring +- large chunks of data between the CAM and applications. +- The data buffer resides in the external memory and the interface to the +- memory is done through BCSS VBIF. +-The TSC uses PCMCIA interface to interact with the CAM. +- +-The following diagram provides an overview of the TSC HW: +-+-------------------------------------------------------------------------+ +-| | +-| +------------------------------+ | +-| +-----------+ | TSC Core --. | | +-| |Ext. 
TSIF 0+------------+------------>| \ | +-----------+ | +-| +-----------+ | +-----|------------>|Mux)----->TSPP TSIF 0| | +-| +-----------+ | | +--|------------>| / | +-----------+ | +-| |Ext. TSIF 1+------| | | +->--' | | +-| +-----------+ | | | | | --. | | +-| | | | +----------|->| \ | +-----------+ | +-| +-----------+ | +--|--|-+--------|->|Mux)----->TSPP TSIF 1| | +-| |Int. TSIF +---------+--|-|-+------|->| / | +-----------+ | +-| +-----------+ | | | | +->--' | | +-| | | | | | | | +-| | | | | | | | +-| |+------+(v-v-v--) | +-----+| | +-| ||Card | \ Mux / | |CI/+ +---Data-Interface--+ | +-| ||detect| `---' | +----++| | | +-| |+-^-^--+ | | | | | | +-| +--|-|-------|-------|-------|-+ +------+----+ | +-| | | | | | | VBIF | | +-| | | +-----v--+ +--+----+ | | | | +-| | | |TSIF-Out| |TSIF-In| | +-----------+ | +-| | | +-----+--+ +--^----+ | | +-| | | | | | | +-| ++-+-------v-------+-------++ | +-| | CICAM | | +-| | | | +-| +---------------------------+ | +-+-------------------------------------------------------------------------+ +- +-Software description +-==================== +-The TSC Linux kernel driver manages the TSC core. It is a standard Linux +-platform device driver. It can be configured as a loadable or built-in kernel +-module. The driver is supported only in platforms that contain the TSC HW. +- +-The TSC driver uses ION driver to control the IOMMU and map user-allocated +-buffers to the TSC IOMMU domain. +- +-The driver provides an abstraction of the TSC HW functionality for user-space +-clients via two separate interfaces: tsc_mux and tsc_ci. These interfaces may +-be used by upper layers to utilize the TSC HW for routing the TS and supporting +-the Common Interface specification. +- +-Driver initialization +---------------------- +-The driver's probe function is invoked if there is a matching device tree node. +-The probe function gets the required memory resources (i.e., register address +-spaces) and maps them to kernel space for the driver's use. 
+-The probe function also requests the required IRQs, GPIOs and clocks, and gets +-the TSC IOMMU domain. The probe function also disables the TSIFs input. +-Finally, the function creates two character device drivers: "tsc_mux","tsc_ci". +- +-See API description in interface section. +- +-Data paths +------------ +-The TSC does not process the TS data received from the TSIFs. It just manages +-the routing of that data. +- +-Control paths - Mux function +----------------------------- +-Example for routing the TS from external demod TSIF 0 to the CAM, and from the +-CAM to TSIF 1 of the TSPP: +- +-struct tsc_route tsif_cam = {TSC_SOURCE_EXTERNAL0, TSC_DEST_CICAM}; +-struct tsc_route cam_tspp = {TSC_SOURCE_CICAM, TSC_DEST_TSPP1}; +-int mux_fd, ret; +-enum tsc_source tsif0 = TSC_SOURCE_EXTERNAL0; +-enum tsc_source cam = TSC_SOURCE_CICAM; +- +-/* opening Mux char device */ +-mux_fd = open("/dev/tsc_mux0"); +- +-/* Configure the CAM mux to route TS from external demod TSIF 0: */ +-ret = ioctl(mux_fd, TSC_CONFIG_ROUTE, &tsif_cam); +- +-/* Configure the TSPP TSIF 1 mux to route TS from CAM: */ +-ret = ioctl(mux_fd, TSC_CONFIG_ROUTE, &cam_tspp); +- +-/* Enabling the external demod TSIF 0, and the CAM TSIF-in and TSIF-out */ +-ret = ioctl(mux_fd, TSC_ENABLE_INPUT, &tsif0); +-ret = ioctl(mux_fd, TSC_ENABLE_INPUT, &cam); +- +-close(mux_fd); +- +-Control paths - CI function +---------------------------- +-Example for writing a buffer to the CAM command area: +- +-Assumptions: +-1. The user allocated a buffer using ION driver and wrote to that buffer. +-Also, retrieved the ion fd of that buffer and saved it to: +-int buffer_fd; +-2. The user already performed buffer size negotiation with the CAM according to +-CI/+ specification, and had set the CAM size register with the buffer size. This +-size is saved to: int size; +-3. The user decided about the time the user wants to wait for the data +-transmission. 
+-struct tsc_buffer_mode buff_params = {buffer_fd, size, timeout}; +-int ret; +- +-/* Perform a blocking write buffer transaction for at most timeout */ +-ret = ioctl(fd, TSC_WRITE_CAM_BUFFER, &buff_params); +-/* ret indicate whether the transaction succeeded */ +- +-Example for SW reset to the CAM (according to CI/+ specification): +-struct single_byte_mode cmd_params = {1, RS bit set, timeout}; +-struct single_byte_mode stat_params = {1, not initialize, timeout}; +-int ci_fd, ret; +-u8 data; +- +-/* opening CI char device */ +-ci_fd = open("/dev/tsc_ci0"); +- +-/* Setting the RS bit of the CAM command register */ +-ret = ioctl(ci_fd, TSC_WRITE_CAM_IO, &cmd_params); +- +-/* Polling the FR bit of the CAM status register */ +-ret = ioctl(ci_fd, TSC_READ_CAM_IO, &stat_params); +-data = stat_params.data; +-while (data & FR_BIT_MASK) { +- ret = ioctl(ci_fd, TSC_READ_CAM_IO, &stat_params); +- data = stat_params.data; +-} +- +-close(ci_fd); +- +-Design +-====== +-The TSC driver is a regular Linux platform driver designed to support the +-TSC HW available on specific SoCs. +- +-The driver provides two user-space APIs: tsc_mux that allows the client full +-control over the configuration of the TS routing, and tsc_ci that enables the +-client to implement the Common Interface in front of the CAM. It does so while +-encapsulating HW implementation details that are not relevant to the clients. +- +-The driver enforces HW restrictions and checks for input parameters +-validity, providing a success or failure return value for each API function: +-0 upon success or negative value on failure. Errno parameter is set to indicate +-the failure reason. +-However, the driver does not enforce any high-level policy with regard to the +-correct use of the TSC HW for various use-cases. +- +-Power Management +-================ +-The TSC driver prevents the CPU from sleeping while the HW is active by using +-wakeup_source API. 
When there are no open devices the driver releases the wakeup +-source. In a similar manner, the driver enables the HW clocks only when needed. +- +-SMP/multi-core +-============== +-The driver uses a spinlock to protect accesses to its internal databases, +-for synchronization between user control API and kernel interrupt handlers. +- +-The driver uses a mutex for all the Mux operations to synchronize access to the +-routing internal databases. The driver uses another mutex for all the CI +-operations to synchronize data sent and received to and from the CAM. +- +-Security +-======== +-Although the TSC is the bridge the external conditional access module, it has no +-security aspects. Any protection which is needed is performed by the upper +-layers. For example, the messages which are written to the CAM are encrypted. +-Thus the TSC accesses only non-protected, HLOS accessible memory regions. +- +-Performance +-=========== +-Control operations are not considered as performance critical. +-Most of the control operations are assumed to be fairly uncommon. +- +-Interface +-========= +-Kernel-space API +----------------- +-The TSC driver does not provide any kernel-space API, only a user-space API. +- +-User-space API +----------------- +-Open: upper layer can open tsc_mux device and/or tsc_ci device. +-Release: close the device and release all the allocated resources. +-Poll: two different functions- one for Mux, one for CI. The Mux poll wait for +-rate mismatch interrupt. The CI poll waits for card detection HW interrupt. +-The rate mismatch interrupt is not cleared in the interrupt handler because it +-will signal again all the time. Therefore it is cleared via a specific ioctl +-that upper layer can use after the problem is solved. Additionally, the +-interrupt is cleared when the card is removed. +-ioctl: two functions, one for mux and one for ci. The ioctl are specified below. 
+- +-TSC Mux - routing the TS: +-------------------------- +-enum tsc_source { +- TSC_SOURCE_EXTERNAL0, +- TSC_SOURCE_EXTERNAL1, +- TSC_SOURCE_INTERNAL, +- TSC_SOURCE_CICAM +-}; +-enum tsc_dest { +- TSC_DEST_TSPP0, +- TSC_DEST_TSPP1, +- TSC_DSET_CICAM +-}; +- +-struct tsc_route { +- enum tsc_source source; +- enum tsc_dest dest; +-}; +- +-#define TSC_CONFIG_ROUTE _IOW(TSC_IOCTL_BASE, 0, struct tsc_tspp_route) +-#define TSC_ENABLE_INPUT _IOW(TSC_IOCTL_BASE, 1, enum tsc_source) +-#define TSC_DISABLE_INPUT _IOW(TSC_IOCTL_BASE, 2, enum tsc_source) +- +-These 3 IOCTLs control the 3 muxes that route the TS, and enable/disable the +-TSIFs input. +- +-TSC Mux - configuring the TSIFs: +--------------------------------- +-enum tsc_data_type { +- TSC_DATA_TYPE_SERIAL, +- TSC_DATA_TYPE_PARALLEL +-}; +-enum tsc_receive_mode { +- TSC_RECEIVE_MODE_START_VALID, +- TSC_RECEIVE_MODE_START_ONLY, +- TSC_RECEIVE_MODE_VALID_ONLY +-}; +- +-struct tsc_tsif_params { +- enum tsc_source source; +- enum tsc_receive_mode receive_mode; +- enum tsc_data_type data_type; +- int clock_polarity; +- int data_polarity; +- int start_polarity; +- int valid_polarity; +- int error_polarity; +- int data_swap; +- int set_error; +-}; +- +-#define TSC_SET_TSIF_CONFIG _IOW(TSC_IOCTL_BASE, 3, struct tsc_tsif_params) +- +-This IOCTL enables configuring a specific TSIF with all possible configurations. +- +-TSC Mux - clearing rate mismatch interrupt +------------------------------------------- +- +-#define TSC_CLEAR_RATE_MISMATCH_IRQ _IO(TSC_IOCTL_BASE, 4) +- +-This IOCTL is used for clearing the interrupt, which is not done automatically +-by the driver. 
+-
+-TSC CI - CAM configuration:
+----------------------------
+-enum tsc_cam_personality {
+- TSC_CICAM_PERSONALITY_CI,
+- TSC_CICAM_PERSONALITY_CIPLUS,
+- TSC_CICAM_PERSONALITY_PCCARD,
+- TSC_CICAM_PERSONALITY_DISABLE
+-};
+-enum tsc_card_status {
+- TSC_CARD_STATUS_NOT_DETECTED,
+- TSC_CARD_STATUS_DETECTED,
+- TSC_CARD_STATUS_FAILURE
+-};
+-
+-#define TSC_CICAM_SET_CLOCK _IOW(TSC_IOCTL_BASE, 5, int)
+-This IOCTL sets the clock rate of the TS from the TSC to the CAM
+-
+-#define TSC_CAM_RESET _IO(TSC_IOCTL_BASE, 6)
+-This IOCTL performs HW reset to the CAM
+-
+-#define TSC_CICAM_PERSONALITY_CHANGE \
+- _IOW(TSC_IOCTL_BASE, 7, enum tsc_cam_personality)
+-This IOCTL configures the PCMCIA pins according to the specified card type.
+-
+-#define TSC_GET_CARD_STATUS _IOR(TSC_IOCTL_BASE, 8, enum tsc_card_status)
+-This IOCTL queries the card detection pins and returns their status.
+-
+-TSC CI - Data transactions:
+----------------------------
+-struct tsc_single_byte_mode {
+- u16 address;
+- u8 data;
+- int timeout; /* in msec */
+-};
+-struct tsc_buffer_mode {
+- int buffer_fd;
+- u16 buffer_size;
+- int timeout; /* in msec */
+-};
+-
+-#define TSC_READ_CAM_MEMORY \
+- _IOWR(TSC_IOCTL_BASE, 9, struct tsc_single_byte_mode)
+-#define TSC_WRITE_CAM_MEMORY \
+- _IOW(TSC_IOCTL_BASE, 10, struct tsc_single_byte_mode)
+-#define TSC_READ_CAM_IO \
+- _IOWR(TSC_IOCTL_BASE, 11, struct tsc_single_byte_mode)
+-#define TSC_WRITE_CAM_IO \
+- _IOW(TSC_IOCTL_BASE, 12, struct tsc_single_byte_mode)
+-#define TSC_READ_CAM_BUFFER \
+- _IOWR(TSC_IOCTL_BASE, 13, struct tsc_buffer_mode)
+-#define TSC_WRITE_CAM_BUFFER \
+- _IOW(TSC_IOCTL_BASE, 14, struct tsc_buffer_mode)
+-
+-These IOCTLs performs a read/write data transaction of the requested type.
+-
+-Driver parameters
+-=================
+-The TSC module receives one parameter:
+-tsc_iommu_bypass - 0 for using the VBIF, 1 for not using it. Not using the VBIF
+-is a debug configuration.
+-
+-Config options
+-==============
+-To enable the driver, set CONFIG_TSC to y (built-in) or m (kernel module)
+-in the kernel configuration menu.
+-
+-Dependencies
+-============
+-The TSC driver uses the ION driver for IOMMU registration and buffer
+-mapping to BCSS VBIF.
+-
+-User space utilities
+-====================
+-None.
+-
+-Other
+-=====
+-None.
+-
+-Known issues
+-============
+-None.
+-
+-To do
+-=====
+-None.
+diff --git a/Documentation/arm/msm/tspp2.txt b/Documentation/arm/msm/tspp2.txt
+deleted file mode 100644
+index 006c688..0000000
+--- a/Documentation/arm/msm/tspp2.txt
++++ /dev/null
+@@ -1,497 +0,0 @@
+-Introduction
+-============
+-
+-TSPP2 Driver
+-
+-The TSPP2 (Transport Stream Packet Processor v2) is a hardware accelerator
+-designed to process MPEG-2 Transport Stream (TS) data. It can be used to
+-process broadcast TV services. The TSPP2 HW processes the TS packets, offloads
+-the host CPU and supports the real-time processing requirements of such
+-services.
+-
+-TS data can be received either from TSIF (Transport Stream Interface) input
+-or from memory input, to support playing live broadcasts as well as
+-playback from memory. Recording is also supported.
+-
+-TSPP2 is a significantly different HW unit than the TSPP unit described in
+-Documentation/arm/msm/tspp.txt. The functionality is enhanced and the HW
+-design is different.
+-
+-Hardware description
+-====================
+-The TSPP2 HW contains the TSPP2 core, a BAM (Bus Access Manager, used for DMA
+-operations) unit, and a VBIF unit (IOMMU).
+-
+-The TSPP2 HW supports:
+-a. Up to two TSIF inputs and up to eight memory inputs.
+-b. Various TS packet sizes (188/192 bytes) and formats (timestamp location).
+-c. PID filtering.
+-d. Raw transmit operation for section filtering or recording.
+-e. Full PES and separated PES transmit operation for audio and video playback.
+-f. Decryption and re-encryption operations for secure transport streams.
+-g. PCR extraction.
+-h.
Indexing - identifying patterns in video streams. +- +-The following diagram provides an overview of the TSPP2 HW: +-+------------------------------------------------------------------+ +-| | +-| +-------------+ +--------------------+ | +-| | TSIF 0 +---> TSPP2 Core | | +-| +-------------+ | | | +-| | +---------------+ | | +-| +-------------+ | | | | | +-| | TSIF 1 +---> | Source 0 | | | +-| +-------------+ | | | | | +-| | | | | | +-| | | | | | +-| | | +------------+| | +--------------+ | +-| | | | Filter 0 +|---------> BAM pipe 3 | | +-| | | +------------+| | +--------------+ | +-| | | +------------+| | +--------------+ | +-| +-------------+ | | | Filter 1 +|---------> BAM pipe 4 | | +-| | BAM pipe 0 +---> | +------------+| | +--------------+ | +-| +-------------+ | | | | | | +-| +-------------+ | +---------------+ | +--------------+ | +-| | BAM pipe 1 +--->--------------------|----| | | +-| +-------------+ | | | VBIF | | +-| +-------------+ | | | IOMMU | | +-| | BAM pipe 2 +--->--------------------|----| | | +-| +-------------+ +--------------------+ +--------------+ | +-+------------------------------------------------------------------+ +- +-A source is configured to have either a TSIF input (TSIF 0 or 1) or a +-memory input (a BAM pipe). One or more filters are attached to the source. +-Each filter has a 13-bit PID and mask values to perform the PID filtering. +-Additionally, one or more operations are added to each filter to achieve the +-required functionality. Each operation has specific parameters. The operation's +-output is usually placed in an output pipe. +- +-The TSPP HW uses its own virtual address space, mapping memory buffer addresses +-using the VBIF IOMMU. +- +-Software description +-==================== +-The TSPP2 Linux kernel driver manages the TSPP2 core. The TSPP2 driver utilizes +-the SPS driver to configure and manage the BAM unit, which is used to perform +-DMA operations and move TS data to/from system memory. 
+-
+-The TSPP2 driver uses the ION driver to control the IOMMU and map user-allocated
+-buffers to the TSPP2 IOMMU domain.
+-
+-The TSPP2 is a standard Linux platform device driver. It can be configured as a
+-loadable or built-in kernel module. The driver is supported only in platforms
+-that contain the TSPP2 HW.
+-
+-The driver provides an abstraction of the TSPP2 HW functionality for
+-kernel-space clients. For example, the dvb/demux kernel driver, which provides
+-an API for upper layers to perform TS de-multiplexing (including PID filtering,
+-recording, indexing etc.), uses the TSPP2 driver to utilize the TSPP2 HW and
+-offload the CPU, instead of doing all the required processing in SW.
+-
+-For further information please refer to Documentation/dvb/qcom-mpq.txt.
+-
+-Terminology
+------------
+-This section describes some of the software "objects" implemented by the driver.
+-
+-a. TSPP2 device: an instance of the TSPP2 device representing the TSPP2 HW and
+-its capabilities. The client identifies a device instance according to a
+-device ID.
+-
+-b. Indexing table: A TSPP2 device contains 4 indexing tables. These tables are
+-used to identify patterns in the video stream and report on them.
+-The client identifies an indexing table according to a table ID.
+-
+-c. Pipe: a BAM pipe used for DMA operations. The TSPP2 HW has a BAM unit with
+-31 pipes. A pipe contains a memory buffer and a corresponding descriptor ring,
+-and is used as the output for TSPP2 data (e.g. PES payload, PES headers,
+-indexing information etc.). For memory inputs, a pipe is used as the input
+-buffer where data can be written to for TSPP2 processing. BAM Pipes are
+-managed by the TSPP2 driver using the SPS driver which controls BAM HW. The
+-client is responsible for buffer memory allocation, and can control many
+-BAM-related pipe parameters.
+-
+-d.
Source: a source object represents data "stream" from the TS input,
+-through the filters and operations that perform the processing on the TS data,
+-until the output. A source has the following properties:
+- - Either a TSIF or a memory input.
+- - For memory input: an input pipe.
+- - Source-related configuration (e.g., packet size and format).
+- - One or more PID filters. Each filter contains operations.
+- - One or more output pipes.
+-The client is responsible to configure the source object as needed using the
+-appropriate API. The client identifies a source using a source handle, which
+-the driver provides when opening a source for use.
+-
+-e. Filter: a filter object represents a PID filter which is used to get only the
+-TS packets with specific PIDs and filter out all other TS packets in the stream.
+-The client adds filters to the source object to define the processing of data.
+-Each filter has a 13-bit PID value and bit-mask, so a filter can be used to
+-get TS packets with various PID values. Note, however, that it is highly
+-recommended to use each filter with a unique PID (i.e., 0x1FFF mask), and it is
+-mandatory that the PIDs handled by each source's filters are mutually exclusive
+-(i.e., the client must not configure two filters in the same source that handle
+-the same PID values). A filter has up to 16 operations that instruct the TSPP2
+-HW how to process the data. The client identifies a filter using a filter
+-handle, which the driver provides when opening a filter for use.
+-
+-f. Operation: an operation object represents a basic building block describing
+-how data is processed. Operations are added to a filter and are performed on
+-the data received by this filter, in the order they were added. One or more
+-operations may be required to achieve the desired functionality.
For example,
+-a "section filtering" functionality requires a raw transmit operation, while a
+-"recording" functionality requires a raw transmit operations as well as an
+-indexing operation (to support trick modes).
+-
+-Driver initialization
+----------------------
+-The driver's probe function is invoked if there is a matching device tree node
+-(or platform device). The probe function gets the required memory resources
+-(i.e., register address spaces) and maps them to kernel space for the
+-driver's use. The probe function also request the required IRQs and gets the
+-TSPP2 IOMMU domain. Finally, the probe function resets all HW registers to
+-appropriate default values, and resets all the required software structures.
+-
+-See API description in Interface section.
+-
+-Usage examples
+---------------
+-
+-Section filtering example - opening a Raw filter with data from TSIF0:
+-----------------------------------------------------------------------
+-u32 dev_id = 0;
+-u32 src_handle;
+-u32 pipe_handle;
+-u32 filter_handle;
+-u32 iova;
+-u32 vaddress;
+-struct tspp2_config cfg = {...};
+-struct tspp2_pipe_config_params pipe_config;
+-struct tspp2_pipe_pull_mode_params pull_params = {0, 0};
+-struct tspp2_operation raw_op;
+-struct sps_event_notify event;
+-struct sps_iovec desc;
+-
+-/* Open TSPP2 device for use */
+-tspp2_device_open(dev_id);
+-
+-/* Set global configuration */
+-tspp2_config_set(dev_id, &cfg);
+-
+-/* Open source with TSIF0 input */
+-tspp2_src_open(dev_id, TSPP2_INPUT_TSIF0, &src_handle);
+-
+-/* Set parsing options if needed, for example: */
+-tspp2_src_parsing_option_set(src_handle,
+- TSPP2_SRC_PARSING_OPT_CHECK_CONTINUITY, 1);
+-
+-/* Assume normal sync byte, assume no need for scrambling configuration */
+-
+-/* Set packet size and format: */
+-tspp2_src_packet_format_set(src_handle, TSPP2_PACKET_FORMAT_188_RAW);
+-
+-/* Since this is TSIF input, flow control is in push mode */
+-
+-/* Allocate memory for output pipe via ION – not shown
here */
+-
+-/* Open an output pipe for use */
+-pipe_config.ion_client = ...
+-pipe_config.buffer_handle = ...
+-pipe_config.buffer_size = ...
+-pipe_config.pipe_mode = TSPP2_SRC_PIPE_OUTPUT;
+-pipe_config.sps_cfg.descriptor_size = 188;
+-pipe_config.sps_cfg.setting = (SPS_O_AUTO_ENABLE | SPS_O_HYBRID |
+- SPS_O_OUT_OF_DESC | SPS_O_ACK_TRANSFERS);
+-pipe_config.sps_cfg.wakeup_events = SPS_O_OUT_OF_DESC;
+-pipe_config.sps_cfg.callback = ...
+-pipe_config.sps_cfg.user_info = ...
+-tspp2_pipe_open(dev_id, &pipe_config, &iova, &pipe_handle);
+-
+-/* Attache the pipe to the source */
+-tspp2_src_pipe_attach(src_handle, pipe_handle, &pull_params);
+-/* Open a filter for PID 13 */
+-tspp2_filter_open(src_handle, 13, 0x1FFF, &filter_handle);
+-
+-/* Add a raw transmit operation */
+-raw_op.type = TSPP2_OP_RAW_TRANSMIT;
+-raw_op.params.raw_transmit.input = TSPP2_OP_BUFFER_A;
+-raw_op.params.raw_transmit.timestamp_mode = TSPP2_OP_TIMESTAMP_NONE;
+-raw_op.params.raw_transmit.skip_ts_packets_with_errors = 0;
+-raw_op.params.raw_transmit.output_pipe_handle = pipe_handle;
+-tspp2_filter_operations_add(filter_handle, &raw_op, 1);
+-
+-/* Enable filter and source to start getting data */
+-tspp2_filter_enable(filter_handle);
+-tspp2_source_enable(src_handle);
+-
+-/*
+- * Data path: poll pipe (or get notifications from pipe via
+- * registered callback).
+- */
+-tspp2_pipe_last_address_used_get(pipe_handle, &vaddress);
+-
+-/* Process data... */
+-
+-/* Get and release descriptors: */
+-tspp2_pipe_descriptor_get(pipe_handle, &desc);
+-tspp2_pipe_descriptor_put(pipe_handle, desc.addr, desc.size, ...);
+-
+-/* Teardown: */
+-tspp2_src_disable(src_handle);
+-tspp2_filter_disable(filter_handle);
+-tspp2_filter_close(filter_handle);
+-tspp2_src_pipe_detach(src_handle, pipe_handle);
+-tspp2_pipe_close(pipe_handle);
+-tspp2_src_close(src_handle);
+-tspp2_device_close(dev_id);
+-
+-Debug facilities
+-----------------
+-The TSPP2 driver supports several debug facilities via debugfs:
+-a.
Ability to read the status of TSIF and TSPP2 HW registers via debugfs.
+-b. Ability to print HW statistics, error and performance counters via debugfs.
+-c. Ability to print SW status via debugfs.
+-
+-Design
+-======
+-The TSPP2 driver is a regular Linux platform driver designed to support the
+-TSPP2 HW available on specific Qualcomm SoCs.
+-
+-The driver provides an extensive kernel-space API to allow the client full
+-control over the configuration of the TSPP2 HW, while encapsulating HW
+-implementation details that are not relevant to the client.
+-
+-The driver enforces HW restrictions and checks for input parameters
+-validity, providing a success or failure return value for each API function.
+-However, the driver does not enforce any high-level policy with regard to the
+-correct use of the TSPP2 HW for various use-cases.
+-
+-Power Management
+-================
+-The TSPP2 driver prevents the CPU from sleeping while the HW is active by
+-using the wakeup_source API. When the HW is not active (i.e., no sources
+-configured), the driver indicates it is ready for system suspend by invoking
+-__pm_relax(). When the HW needs to be active (i.e., a source has been opened and
+-enabled), the driver invokes __pm_stay_awake().
+-
+-In a similar manner, the driver enables the HW clocks only when needed.
+-The TSPP2 HW manages power saving automatically when the HW is not used.
+-No SW involvement is required.
+-
+-SMP/multi-core
+-==============
+-The driver uses a mutex for mutual exclusion between kernel API calls.
+-A spinlock is used to protect accesses to its internal databases which can be
+-performed both from interrupt handler context and from API context.
+-
+-Security
+-========
+-None.
+-
+-Performance
+-===========
+-Control operations are not considered as performance critical.
+-Most of the control operations are assumed to be fairly uncommon.
+-Data-path operations involve only getting descriptors from the pipe and
+-releasing them back to the pipe for reuse.
+-
+-Interface
+-=========
+-Kernel-space API
+-----------------
+-
+-Control path API
+--------------------
+-
+-TSPP2 device open / close API:
+-------------------------------
+-int tspp2_device_open(u32 dev_id);
+-
+-int tspp2_device_close(u32 dev_id);
+-
+-Global configuration for the TSPP2 device:
+-------------------------------------------
+-int tspp2_config_set(u32 dev_id, const struct tspp2_config *cfg);
+- Set device global configuration.
+-
+-int tspp2_config_get(u32 dev_id, struct tspp2_config *cfg);
+- Get current device global configuration.
+-
+-Configure Indexing Tables:
+---------------------------
+-int tspp2_indexing_prefix_set(u32 dev_id, u8 table_id, u32 value, u32 mask);
+- Set prefix value and mask of an indexing table.
+-
+-int tspp2_indexing_patterns_add(u32 dev_id, u8 table_id, const u32 *values,
+- const u32 *masks, u8 patterns_num);
+- Add patterns to an indexing table.
+-
+-int tspp2_indexing_patterns_clear(u32 dev_id, u8 table_id);
+- Clear all patterns of an indexing table
+-
+-Opening and closing Pipes:
+---------------------------
+-int tspp2_pipe_open(u32 dev_id, const struct tspp2_pipe_config_params *cfg,
+- u32 *iova, u32 *pipe_handle);
+- Open a pipe for use.
+-
+-int tspp2_pipe_close(u32 pipe_handle);
+- Close an opened pipe.
+-
+-Source configuration:
+----------------------
+-int tspp2_src_open(u32 dev_id, enum tspp2_src_input input, u32 *src_handle);
+- Open a new source for use.
+-
+-int tspp2_src_close(u32 src_handle);
+- Close an opened source.
+-
+-int tspp2_src_parsing_option_set(u32 src_handle,
+- enum tspp2_src_parsing_option option, int value);
+- Set source parsing configuration option.
+-
+-int tspp2_src_parsing_option_get(u32 src_handle,
+- enum tspp2_src_parsing_option option, int *value);
+- Get source parsing configuration option.
+-
+-int tspp2_src_sync_byte_config_set(u32 src_handle, int check_sync_byte,
+- u8 sync_byte_value);
+- Set source sync byte configuration.
+-
+-int tspp2_src_sync_byte_config_get(u32 src_handle, int *check_sync_byte,
+- u8 *sync_byte_value);
+- Get source sync byte configuration.
+-
+-int tspp2_src_scrambling_config_set(u32 src_handle,
+- const struct tspp2_src_scrambling_config *cfg);
+- Set source scrambling configuration.
+-
+-int tspp2_src_scrambling_config_get(u32 src_handle,
+- struct tspp2_src_scrambling_config *cfg);
+- Get source scrambling configuration.
+-
+-int tspp2_src_packet_format_set(u32 src_handle,
+- enum tspp2_packet_format format);
+- Set source packet size and format.
+-
+-int tspp2_src_pipe_attach(u32 src_handle, u32 pipe_handle,
+- const struct tspp2_pipe_pull_mode_params *cfg);
+- Attach a pipe to a source.
+-
+-int tspp2_src_pipe_detach(u32 src_handle, u32 pipe_handle);
+- Detach a pipe from a source.
+-
+-int tspp2_src_enable(u32 src_handle);
+- Enable source (start using it).
+-
+-int tspp2_src_disable(u32 src_handle);
+- Disable source (stop using it).
+-
+-int tspp2_src_filters_clear(u32 src_handle);
+- Clear all filters from a source.
+-
+-Filter and Operation configuration:
+------------------------------------
+-int tspp2_filter_open(u32 src_handle, u16 pid, u16 mask, u32 *filter_handle);
+- Open a new filter and add it to a source.
+-
+-int tspp2_filter_close(u32 filter_handle);
+- Close a filter.
+-
+-int tspp2_filter_enable(u32 filter_handle);
+- Enable a filter.
+-
+-int tspp2_filter_disable(u32 filter_handle);
+- Disable a filter.
+-
+-int tspp2_filter_operations_set(u32 filter_handle,
+- const struct tspp2_operation *ops, u8 operations_num);
+- Set (add or update) operations to a filter.
+-
+-int tspp2_filter_operations_clear(u32 filter_handle);
+- Clear all operations from a filter.
+-
+-int tspp2_filter_current_scrambling_bits_get(u32 filter_handle,
+- u8 *scrambling_bits_value);
+- Get the current scrambling bits.
+-
+-Events notifications registration:
+-----------------------------------
+-int tspp2_global_event_notification_register(u32 dev_id,
+- u32 global_event_bitmask,
+- void (*callback)(void *cookie),
+- void *cookie);
+- Get notified on a global event.
+-
+-int tspp2_src_event_notification_register(u32 src_handle,
+- u32 src_event_bitmask,
+- void (*callback)(void *cookie),
+- void *cookie);
+- Get notified on a source event.
+-
+-int tspp2_filter_event_notification_register(u32 filter_handle,
+- u32 filter_event_bitmask,
+- void (*callback)(void *cookie),
+- void *cookie);
+- Get notified on a filter event.
+-
+-Data path API
+-----------------
+-int tspp2_pipe_descriptor_get(u32 pipe_handle, struct sps_iovec *desc);
+- Get a data descriptor from a pipe.
+-
+-int tspp2_pipe_descriptor_put(u32 pipe_handle, u32 addr,
+- u32 size, u32 flags);
+- Put (release) a descriptor for reuse by the pipe.
+-
+-int tspp2_pipe_last_address_used_get(u32 pipe_handle, u32 *address);
+- Get the last address the TSPP2 used.
+-
+-int tspp2_data_write(u32 src_handle, u32 offset, u32 size);
+- Write (feed) data to a source.
+-
+-User-space API
+---------------
+-The TSPP2 driver does not provide any user-space API, only a kernel-space API.
+-The dvb/demux driver, which utilizes the TSPP2 driver (and HW), provides an
+-extensive user-space API, allowing upper layers to achieve complex demuxing
+-functionality.
+-
+-For further information please refer to Documentation/dvb/qcom-mpq.txt.
+-
+-Driver parameters
+-=================
+-The TSPP2 driver supports the following module parameter:
+-tspp2_iommu_bypass: Bypass VBIF/IOMMU and use physical buffer addresses
+-instead. This is mostly useful for debug purposes if something is wrong with
+-the IOMMU configuration. Default is false.
+-
+-Platform-dependent parameters (e.g., IRQ numbers) are provided to the driver
+-via the device tree mechanism or the platform device data mechanism.
+-
+-Config options
+-==============
+-To enable the driver, set CONFIG_TSPP2 to y (built-in) or m (kernel module)
+-in the kernel configuration menu.
+-
+-Dependencies
+-============
+-a. The TSPP2 driver uses the SPS driver to control the BAM unit.
+-b. The TSPP2 driver uses the ION driver for IOMMU registration and buffer
+-mapping. The client is responsible to allocate memory buffers via ION.
+-
+-User space utilities
+-====================
+-None.
+-
+-Other
+-=====
+-None.
+-
+-Known issues
+-============
+-None.
+-
+-To do
+-=====
+-None.
+diff --git a/drivers/media/platform/msm/broadcast/Makefile b/drivers/media/platform/msm/broadcast/Makefile
+index 1233d6d..5e72b0d 100644
+--- a/drivers/media/platform/msm/broadcast/Makefile
++++ b/drivers/media/platform/msm/broadcast/Makefile
+@@ -3,9 +3,7 @@
+ #
+
+ obj-$(CONFIG_TSPP) += tspp.o
+-obj-$(CONFIG_TSPP2) += tspp2.o
+ obj-$(CONFIG_CI_BRIDGE_SPI) += ci-bridge-spi.o
+-obj-$(CONFIG_TSC) += tsc.o
+ obj-$(CONFIG_ENSIGMA_UCCP_330) += ensigma_uccp330.o
+ obj-$(CONFIG_DEMOD_WRAPPER) += demod_wrapper.o
+
+diff --git a/drivers/media/platform/msm/broadcast/tsc.c b/drivers/media/platform/msm/broadcast/tsc.c
+deleted file mode 100644
+index ec3142e..0000000
+--- a/drivers/media/platform/msm/broadcast/tsc.c
++++ /dev/null
+@@ -1,3450 +0,0 @@
+-/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
+- *
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License version 2 and
+- * only version 2 as published by the Free Software Foundation.
+- *
+- * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- * GNU General Public License for more details.
+- */
+-
+-#include
+-#include
+-#include
+-#include /* Device drivers need this */
+-#include /* Char device drivers need that */
+-#include /* for KERN_INFO */
+-#include
+-#include /* for completion signaling after interrupts */
+-#include /* for copy from/to user in the ioctls */
+-#include
+-#include
+-#include /* parsing device tree data */
+-#include
+-#include
+-#include /* gpios definitions */
+-#include /* pinctrl API */
+-#include
+-#include /* wait() macros, sleeping */
+-#include /* Externally defined globals */
+-#include /* poll() file op */
+-#include /* IO macros */
+-#include
+-#include /* ion_map_iommu */
+-#include
+-#include
+-#include /* kfree, kzalloc */
+-#include /* debugfs support */
+-#include /* debugfs support */
+-#include /* debugfs support */
+-#include /* gdsc */
+-#include /* bus client */
+-#include /* usleep function */
+-/* TODO: include after MCU is mainlined */
+-
+-/*
+- * General defines
+- */
+-#define TEST_BIT(pos, number) (number & (1 << pos))
+-#define CLEAR_BIT(pos, number) (number &= ~(1 << pos))
+-#define SET_BIT(pos, number) (number |= 1 << pos)
+-
+-/*
+- * extract bits [@b0:@b1] (inclusive) from the value @x
+- * it should be @b0 <= @b1, or result is incorrect
+- */
+-static inline u32 GETL_BITS(u32 x, int b0, int b1)
+-{
+- return (x >> b0) & ((1 << (b1 - b0 + 1)) - 1);
+-}
+-
+-/* Bypass VBIF/IOMMU for debug and bring-up purposes */
+-static int tsc_iommu_bypass; /* defualt=0 using iommu */
+-module_param(tsc_iommu_bypass, int, S_IRUGO | S_IWUSR | S_IWGRP);
+-
+-/* The rate of the clock that control TS from TSC to the CAM */
+-#define CICAM_CLK_RATE_12MHZ 12000000
+-#define CICAM_CLK_RATE_9MHZ 8971962
+-#define CICAM_CLK_RATE_7MHZ 7218045
+-/* Rates for TSC serial and parallel clocks */
+-#define TSC_SER_CLK_RATE 192000000
+-#define TSC_PAR_CLK_RATE 24000000
+-
+-/* CICAM address space according to CI specification */
+-#define CICAM_MAX_ADDRESS 3
+-
+-/*
+- * TSC register offsets
+- */
+-#define TSC_HW_VERSION
(0x0)
+-#define TSC_MUX_CFG (0x4) /* Muxs config */
+-#define TSC_IN_IFC_EXT (0x8) /* External demods tsifs */
+-#define TSC_IN_IFC_CFG_INT (0xc) /* internal demods and
+- cicam tsif config */
+-#define TSC_FSM_STATE (0x50) /* Read FSM state */
+-#define TSC_FSM_STATE_MASK (0x54) /* Config FSM state */
+-#define TSC_CAM_CMD (0x1000)/* Config cam commands */
+-#define TSC_CAM_RD_DATA (0x1004)/* read data for single-mode
+- byte */
+-#define TSC_STAT (0x1008)/* Interrupts status */
+-#define TSC_IRQ_ENA (0x100C)/* Enable interrupts */
+-#define TSC_IRQ_CLR (0x1010)/* Clear interrupts */
+-#define TSC_CIP_CFG (0x1014)/* Enable HW polling */
+-#define TSC_CD_STAT (0x1020)/* Card pins status */
+-#define TSC_RD_BUFF_ADDR (0x1024)/* Vbif address for read
+- buffer */
+-#define TSC_WR_BUFF_ADDR (0x1028)/* Vbif address for write
+- buffer */
+-#define TSC_FALSE_CD (0x102C)/* Counter of false card
+- detection */
+-#define TSC_FALSE_CD_CLR (0x1030)/* Clear false cd counter */
+-#define TSC_RESP_ERR (0x1034)/* State of read/write buffer
+- error */
+-#define TSC_CICAM_TSIF (0x1038)/* Enable tsif (tsc->cam) */
+-
+-
+-/*
+- * Registers structure definitions
+- */
+-
+-/* TSC_MUX_CFG */
+-#define MUX_EXTERNAL_DEMOD_0 0
+-#define MUX_EXTERNAL_DEMOD_1 1
+-#define MUX_INTERNAL_DEMOD 2
+-#define MUX_CICAM 3
+-#define MUX0_OFFS 0
+-#define MUX1_OFFS 2
+-#define MUX_CAM_OFFS 4
+-
+-/* TSC_IN_IFC_EXT and TSC_IN_IFC_CFG_INT*/
+-#define TSIF_INPUT_ENABLE 0
+-#define TSIF_INPUT_DISABLE 1
+-
+-#define TSIF_CLK_POL_OFFS 0
+-#define TSIF_DATA_POL_OFFS 1
+-#define TSIF_START_POL_OFFS 2
+-#define TSIF_VALID_POL_OFFS 3
+-#define TSIF_ERROR_POL_OFFS 4
+-#define TSIF_SER_PAR_OFFS 5
+-#define TSIF_REC_MODE_OFFS 6
+-#define TSIF_DATA_SWAP_OFFS 8
+-#define TSIF_DISABLE_OFFS 9
+-#define TSIF_ERR_INSERT_OFFS 10
+-
+-/* TSC_FSM_STATE and TSC_FSM_STATE_MASK*/
+-#define FSM_STATE_BUFFER_BEG 0
+-#define FSM_STATE_BUFFER_END 3
+-#define FSM_STATE_POLL_BEG 8
+-#define FSM_STATE_POLL_END 10
+-#define
FSM_STATE_BYTE_BEG 12
+-#define FSM_STATE_BYTE_END 13
+-#define FSM_STATE_MEM_WR_BEG 16
+-#define FSM_STATE_MEM_WR_END 17
+-#define FSM_STATE_MEM_RD_BEG 20
+-#define FSM_STATE_MEM_RD_END 21
+-#define FSM_STATE_IO_RD_BEG 24
+-#define FSM_STATE_IO_RD_END 25
+-#define FSM_STATE_IO_WR_BEG 28
+-#define FSM_STATE_IO_WR_END 29
+-
+-/* TSC_CAM_CMD */
+-#define MEMORY_TRANSACTION 0
+-#define IO_TRANSACTION 1
+-#define WRITE_TRANSACTION 0
+-#define READ_TRANSACTION 1
+-#define SINGLE_BYTE_MODE 0
+-#define BUFFER_MODE 1
+-
+-#define CAM_CMD_ADDR_SIZE_OFFS 0
+-#define CAM_CMD_WR_DATA_OFFS 16
+-#define CAM_CMD_IO_MEM_OFFS 24
+-#define CAM_CMD_RD_WR_OFFS 25
+-#define CAM_CMD_BUFF_MODE_OFFS 26
+-#define CAM_CMD_ABORT 27
+-
+-/* TSC_STAT, TSC_IRQ_ENA and TSC_IRQ_CLR */
+-#define CAM_IRQ_EOT_OFFS 0
+-#define CAM_IRQ_POLL_OFFS 1
+-#define CAM_IRQ_RATE_MISMATCH_OFFS 2
+-#define CAM_IRQ_ERR_OFFS 3
+-#define CAM_IRQ_ABORTED_OFFS 4
+-
+-/* TSC_CD_STAT */
+-#define TSC_CD_STAT_INSERT 0x00
+-#define TSC_CD_STAT_ERROR1 0x01
+-#define TSC_CD_STAT_ERROR2 0x02
+-#define TSC_CD_STAT_REMOVE 0x03
+-
+-#define TSC_CD_BEG 0
+-#define TSC_CD_END 1
+-
+-/* TSC_CICAM_TSIF */
+-#define TSC_CICAM_TSIF_OE_OFFS 0
+-
+-/* Data structures */
+-
+-/**
+- * enum transaction_state - states for the transacation interrupt reason
+- */
+-enum transaction_state {
+- BEFORE_TRANSACTION = 0,
+- TRANSACTION_SUCCESS = 1,
+- TRANSACTION_ERROR = -1,
+- TRANSACTION_CARD_REMOVED = -2
+-};
+-
+-/**
+-* enum pcmcia_state - states for the pcmcia pinctrl states
+-* Note: the numbers here corresponds to the numbers of enum tsc_cam_personality
+-* in tsc.h file.
+-*/
+-enum pcmcia_state {
+- PCMCIA_STATE_DISABLE = 0,
+- PCMCIA_STATE_CI_CARD = 1,
+- PCMCIA_STATE_CI_PLUS = 2,
+- PCMCIA_STATE_PC_CARD = 3
+-};
+-
+-/**
+- * struct iommu_info - manage all the iommu information
+- *
+- * @group: TSC IOMMU group.
+- * @domain: TSC IOMMU domain.
+- * @domain_num: TSC IOMMU domain number.
+- * @partition_num: TSC iommu partition number.
+- * @ion_client: TSC IOMMU client.
+- * @iommu_group_name TSC IOMMU group name.
+- */
+-struct iommu_info {
+- struct iommu_group *group;
+- struct iommu_domain *domain;
+- int domain_num;
+- int partition_num;
+- struct ion_client *ion_client;
+- const char *iommu_group_name;
+-};
+-
+-/**
+- * struct pinctrl_current_state - represent which TLMM pins currently active
+- *
+- * @ts0: true if TS-in 0 is active, false otherwise.
+- * @ts1: true if TS-in 1 is active, false otherwise.
+- * @pcmcia_state: Represent the pcmcia pins state.
+- */
+-struct pinctrl_current_state {
+- bool ts0;
+- bool ts1;
+- enum pcmcia_state pcmcia_state;
+-};
+-/**
+- * struct pinctrl_info - manage all the pinctrl information
+- *
+- * @pinctrl: TSC pinctrl state holder.
+- * @disable: pinctrl state to disable all the pins.
+- * @ts0: pinctrl state to activate TS-in 0 alone.
+- * @ts1: pinctrl state to activate TS-in 1 alone.
+- * @dual_ts: pinctrl state to activate both TS-in.
+- * @pc_card: pinctrl state to activate pcmcia upon card insertion.
+- * @ci_card: pinctrl state to activate pcmcia after personality
+- * change to CI card.
+- * @ci_plus: pinctrl state to activate pcmcia after personality
+- * change to CI+ card.
+- * @ts0_pc_card: pinctrl state to activate TS-in 0 and pcmcia upon card
+- * insertion.
+- * @ts0_ci_card: pinctrl state to activate TS-in 0 and pcmcia after
+- * personality change to CI card.
+- * @ts0_ci_plus: pinctrl state to activate TS-in 0 and pcmcia after
+- * personality change to CI+ card.
+- * @ts1_pc_card: pinctrl state to activate TS-in 1 and pcmcia upon card
+- * insertion.
+- * @ts1_ci_card: pinctrl state to activate TS-in 1 and pcmcia after
+- * personality change to CI card.
+- * @ts1_ci_plus: pinctrl state to activate TS-in 1 and pcmcia after
+- * personality change to CI+ card.
+- * @dual_ts_pc_card: pinctrl state to activate both TS-in and pcmcia upon
+- * card insertion.
+- * @dual_ts_ci_card: pinctrl state to activate both TS-in and pcmcia after
+- * personality change to CI card.
+- * @dual_ts_ci_plus: pinctrl state to activate both TS-in and pcmcia after
+- * personality change to CI+ card.
+- * @is_ts0: true if ts0 pinctrl states exist in device tree, false
+- * otherwise.
+- * @is_ts1: true if ts1 pinctrl states exist in device tree, false
+- * otherwise.
+- * @is_pcmcia: true if pcmcia pinctrl states exist in device tree,
+- * false otherwise.
+- * @curr_state: the current state of the TLMM pins.
+- */
+-struct pinctrl_info {
+- struct pinctrl *pinctrl;
+- struct pinctrl_state *disable;
+- struct pinctrl_state *ts0;
+- struct pinctrl_state *ts1;
+- struct pinctrl_state *dual_ts;
+- struct pinctrl_state *pc_card;
+- struct pinctrl_state *ci_card;
+- struct pinctrl_state *ci_plus;
+- struct pinctrl_state *ts0_pc_card;
+- struct pinctrl_state *ts0_ci_card;
+- struct pinctrl_state *ts0_ci_plus;
+- struct pinctrl_state *ts1_pc_card;
+- struct pinctrl_state *ts1_ci_card;
+- struct pinctrl_state *ts1_ci_plus;
+- struct pinctrl_state *dual_ts_pc_card;
+- struct pinctrl_state *dual_ts_ci_card;
+- struct pinctrl_state *dual_ts_ci_plus;
+- bool is_ts0;
+- bool is_ts1;
+- bool is_pcmcia;
+- struct pinctrl_current_state curr_state;
+-};
+-
+-/**
+- * struct tsc_mux_chdev - TSC Mux character device
+- *
+- * @cdev: TSC Mux cdev.
+- * @mutex: A mutex for mutual exclusion between Mux API calls.
+- * @poll_queue: Waiting queue for rate mismatch interrupt.
+- * @spinlock: A spinlock to protect accesses to
+- * data structures that happen from APIs and ISRs.
+- * @rate_interrupt: A flag indicating if rate mismatch interrupt received.
+- */
+-struct tsc_mux_chdev {
+- struct cdev cdev;
+- struct mutex mutex;
+- wait_queue_head_t poll_queue;
+- spinlock_t spinlock;
+- bool rate_interrupt;
+-};
+-
+-/**
+- * struct tsc_ci_chdev - TSC CI character device
+- *
+- * @cdev: TSC CI cdev.
+- * @mutex: A mutex for mutual exclusion between CI API calls.
+- * @poll_queue: Waiting queue for card detection interrupt.
+- * @spinlock: A spinlock to protect accesses to data structures that
+- * happen from APIs and ISRs.
+- * @transaction_complete: A completion struct indicating end of data
+- * transaction.
+- * @transaction_finish: A completion struct indicating data transaction func
+- * has finished.
+- * @transaction_state: flag indicating the reason for transaction end.
+- * @ci_card_status: The last card status received by the upper layer.
+- * @data_busy: true when the device is in the middle of data
+- * transaction operation, false otherwise.
+- */
+-struct tsc_ci_chdev {
+- struct cdev cdev;
+- struct mutex mutex;
+- wait_queue_head_t poll_queue;
+- spinlock_t spinlock;
+- struct completion transaction_complete;
+- struct completion transaction_finish;
+- enum transaction_state transaction_state;
+- enum tsc_card_status card_status;
+- bool data_busy;
+-};
+-
+-/**
+- * struct tsc_device - TSC device
+- *
+- * @pdev: TSC platform device.
+- * @device_mux: Mux device for sysfs and /dev entry.
+- * @device_ci: CI device for sysfs and /dev entry.
+- * @mux_chdev: TSC Mux character device instance.
+- * @ci_chdev: TSC CI character device instance.
+- * @mux_device_number: TSC Mux major number.
+- * @ci_device_number: TSC CI major number.
+- * @num_mux_opened: A counter to ensure 1 TSC Mux character device.
+- * @num_ci_opened: A counter to ensure 1 TSC CI character device.
+- * @num_device_open: A counter to synch init of power and bus voting.
+- * @mutex: Global mutex to to synch init of power and bus voting.
+- * @base: Base memory address for the TSC registers.
+- * @card_detection_irq: Interrupt No. of the card detection interrupt.
+- * @cam_cmd_irq: Interrupt No. of the cam cmd interrupt.
+- * @iommu_info: TSC IOMMU parameters.
+- * @ahb_clk: The clock for accessing the TSC registers.
+- * @ci_clk: The clock for TSC internal logic.
+- * @ser_clk: The clock for synchronizing serial TS input.
+- * @par_clk: The clock for synchronizing parallel TS input.
+- * @cicam_ts_clk: The clock for pushing TS data into the cicam.
+- * @tspp2_core_clk: The clock for enabling the TSPP2.
+- * @vbif_tspp2_clk: The clock for accessing the VBIF.
+- * @vbif_ahb_clk: The clock for VBIF AHB.
+- * @vbif_axi_clk: The clock for VBIF AXI.
+- * @gdsc: The Broadcast GDSC.
+- * @bus_client: The TSC bus client.
+- * @pinctrl_info: TSC pinctrl parameters.
+- * @reset_cam_gpio: GPIO No. for CAM HW reset.
+- * @hw_card_status: The card status as reflected by the HW registers.
+- * @card_power: True if the card is powered up, false otherwise.
+- * @debugfs_entry: TSC device debugfs entry.
+- */
+-struct tsc_device {
+- struct platform_device *pdev;
+- struct device *device_mux;
+- struct device *device_ci;
+- struct tsc_mux_chdev mux_chdev;
+- struct tsc_ci_chdev ci_chdev;
+- dev_t mux_device_number;
+- dev_t ci_device_number;
+- int num_mux_opened;
+- int num_ci_opened;
+- int num_device_open;
+- struct mutex mutex;
+- void __iomem *base;
+- unsigned int card_detection_irq;
+- unsigned int cam_cmd_irq;
+- struct iommu_info iommu_info;
+- struct clk *ahb_clk;
+- struct clk *ci_clk;
+- struct clk *ser_clk;
+- struct clk *par_clk;
+- struct clk *cicam_ts_clk;
+- struct clk *tspp2_core_clk;
+- struct clk *vbif_tspp2_clk;
+- struct clk *vbif_ahb_clk;
+- struct clk *vbif_axi_clk;
+- struct regulator *gdsc;
+- uint32_t bus_client;
+- struct pinctrl_info pinctrl_info;
+- int reset_cam_gpio;
+- enum tsc_card_status hw_card_status;
+- bool card_power;
+- struct dentry *debugfs_entry;
+-};
+-
+-/* Global TSC device class */
+-static struct class *tsc_class;
+-
+-/* Global TSC device database */
+-static struct tsc_device *tsc_device;
+-
+-/************************** Debugfs Support **************************/
+-/* debugfs entries */
+-#define TSC_S_RW (S_IRUGO | S_IWUSR)
+-
+-struct debugfs_entry {
+- const char *name;
+- mode_t mode;
+- int offset;
+-};
+-
+-static const struct debugfs_entry 
tsc_regs_32[] = {
+- {"tsc_hw_version", S_IRUGO, TSC_HW_VERSION},
+- {"tsc_mux", TSC_S_RW, TSC_MUX_CFG},
+- {"tsif_external_demods", TSC_S_RW, TSC_IN_IFC_EXT},
+- {"tsif_internal_demod_cam", TSC_S_RW, TSC_IN_IFC_CFG_INT},
+- {"tsc_fsm_state", S_IRUGO, TSC_FSM_STATE},
+- {"tsc_fsm_state_mask", TSC_S_RW, TSC_FSM_STATE_MASK},
+- {"tsc_cam_cmd", TSC_S_RW, TSC_CAM_CMD},
+- {"tsc_rd_buff_addr", TSC_S_RW, TSC_RD_BUFF_ADDR},
+- {"tsc_wr_buff_addr", TSC_S_RW, TSC_WR_BUFF_ADDR},
+-};
+-
+-static const struct debugfs_entry tsc_regs_16[] = {
+- {"tsc_false_cd_counter", S_IRUGO, TSC_FALSE_CD},
+- {"tsc_cicam_tsif", TSC_S_RW, TSC_CICAM_TSIF},
+-};
+-
+-static const struct debugfs_entry tsc_regs_8[] = {
+- {"tsc_cam_rd_data", S_IRUGO, TSC_CAM_RD_DATA},
+- {"tsc_irq_stat", S_IRUGO, TSC_STAT},
+- {"tsc_irq_ena", TSC_S_RW, TSC_IRQ_ENA},
+- {"tsc_irq_clr", TSC_S_RW, TSC_IRQ_CLR},
+- {"tsc_ena_hw_poll", TSC_S_RW, TSC_CIP_CFG},
+- {"tsc_card_stat", TSC_S_RW, TSC_CD_STAT},
+- {"tsc_false_cd_counter_clr", TSC_S_RW, TSC_FALSE_CD_CLR},
+- {"tsc_last_error_resp", S_IRUGO, TSC_RESP_ERR},
+-};
+-
+-/* debugfs settings */
+-static int debugfs_iomem_set(void *data, u64 val)
+-{
+- if (mutex_lock_interruptible(&tsc_device->mutex))
+- return -ERESTARTSYS;
+-
+- if (!tsc_device->num_device_open) {
+- mutex_unlock(&tsc_device->mutex);
+- return -ENXIO;
+- }
+-
+- mutex_unlock(&tsc_device->mutex);
+-
+- writel_relaxed(val, data);
+- wmb();
+-
+- return 0;
+-}
+-
+-static int debugfs_iomem_get(void *data, u64 *val)
+-{
+- if (mutex_lock_interruptible(&tsc_device->mutex))
+- return -ERESTARTSYS;
+-
+- if (!tsc_device->num_device_open) {
+- mutex_unlock(&tsc_device->mutex);
+- return -ENXIO;
+- }
+-
+- mutex_unlock(&tsc_device->mutex);
+-
+- *val = readl_relaxed(data);
+-
+- return 0;
+-}
+-
+-DEFINE_SIMPLE_ATTRIBUTE(fops_iomem_x32, debugfs_iomem_get,
+- debugfs_iomem_set, "0x%08llX");
+-DEFINE_SIMPLE_ATTRIBUTE(fops_iomem_x16, debugfs_iomem_get,
+- debugfs_iomem_set, "0x%04llX");
+-DEFINE_SIMPLE_ATTRIBUTE(fops_iomem_x8, debugfs_iomem_get,
+- debugfs_iomem_set, "0x%02llX");
+-
+-/**
+- * tsc_debugfs_init() - TSC device debugfs initialization.
+- */
+-static void tsc_debugfs_init(void)
+-{
+- int i;
+- struct dentry *dentry;
+- void __iomem *base = tsc_device->base;
+-
+- tsc_device->debugfs_entry = debugfs_create_dir("tsc", NULL);
+- if (!tsc_device->debugfs_entry)
+- return;
+- dentry = debugfs_create_dir("regs", tsc_device->debugfs_entry);
+- if (dentry) {
+- for (i = 0; i < ARRAY_SIZE(tsc_regs_32); i++) {
+- debugfs_create_file(
+- tsc_regs_32[i].name,
+- tsc_regs_32[i].mode,
+- dentry,
+- base + tsc_regs_32[i].offset,
+- &fops_iomem_x32);
+- }
+- for (i = 0; i < ARRAY_SIZE(tsc_regs_16); i++) {
+- debugfs_create_file(
+- tsc_regs_16[i].name,
+- tsc_regs_16[i].mode,
+- dentry,
+- base + tsc_regs_16[i].offset,
+- &fops_iomem_x16);
+- }
+- for (i = 0; i < ARRAY_SIZE(tsc_regs_8); i++) {
+- debugfs_create_file(
+- tsc_regs_8[i].name,
+- tsc_regs_8[i].mode,
+- dentry,
+- base + tsc_regs_8[i].offset,
+- &fops_iomem_x8);
+- }
+- }
+-}
+-
+-/**
+- * tsc_debugfs_exit() - TSC device debugfs teardown.
+- */
+-static void tsc_debugfs_exit(void)
+-{
+- debugfs_remove_recursive(tsc_device->debugfs_entry);
+- tsc_device->debugfs_entry = NULL;
+-}
+-
+-/**
+- * tsc_update_hw_card_status() - Update the hw_status according to the HW reg.
+- *
+- * Read the register indicating the card status (inserted, removed, error) and
+- * update the tsc_device->hw_card_status accordingly.
+- */
+-static void tsc_update_hw_card_status(void)
+-{
+- u32 cd_reg, card_status = 0;
+-
+- cd_reg = readl_relaxed(tsc_device->base + TSC_CD_STAT);
+- card_status = GETL_BITS(cd_reg, TSC_CD_BEG, TSC_CD_END);
+- switch (card_status) {
+- case TSC_CD_STAT_INSERT:
+- tsc_device->hw_card_status = TSC_CARD_STATUS_DETECTED;
+- break;
+- case TSC_CD_STAT_ERROR1:
+- case TSC_CD_STAT_ERROR2:
+- tsc_device->hw_card_status = TSC_CARD_STATUS_FAILURE;
+- break;
+- case TSC_CD_STAT_REMOVE:
+- tsc_device->hw_card_status = TSC_CARD_STATUS_NOT_DETECTED;
+- break;
+- }
+-}
+-
+-/**
+- * tsc_card_power_down() - power down card interface upon removal.
+- *
+- * Power down the card by disable VPP, disable pins in the TLMM, assert the
+- * reset line and disable the level-shifters. This function assumes the spinlock
+- * of ci device is already taken.
+- *
+- * Return 0 on finish, error value if interrupted while acquiring a mutex.
+- */
+-static int tsc_card_power_down(void)
+-{
+- int ret = 0;
+- struct pinctrl_info *ppinctrl = &tsc_device->pinctrl_info;
+- struct pinctrl_current_state *pcurr_state = &ppinctrl->curr_state;
+- int reset_gpio = tsc_device->reset_cam_gpio;
+- u32 reg = 0;
+-
+- /* Clearing CAM TSIF OE to disable I/O CAM transactions */
+- CLEAR_BIT(TSC_CICAM_TSIF_OE_OFFS, reg);
+- writel_relaxed(reg, tsc_device->base + TSC_CICAM_TSIF);
+-
+- /* Assert the reset line */
+- ret = gpio_direction_output(reset_gpio, 1); /* assert */
+- if (ret != 0)
+- pr_err("%s: Failed to assert the reset CAM GPIO\n", __func__);
+-
+- /* Disable all the level-shifters */
+- /* TODO: call mpq_standby_pcmcia_master0_set(0) after MCU mainlined */
+- if (ret != 0)
+- pr_err("%s: error disable master0 level-shifters. ret value = %d\n",
+- __func__, ret);
+- /* TODO: call mpq_standby_pcmcia_master1_set(1) after MCU mainlined */
+- if (ret != 0)
+- pr_err("%s: error disable master1 level-shifters. 
ret value = %d\n",
+- __func__, ret);
+-
+- /* Power-down the card */
+- /* TODO: call mpq_standby_pcmcia_vpp_set(1) after MCU mainlined */
+- if (ret != 0)
+- pr_err("%s: error disabling VPP. ret value = %d\n", __func__,
+- ret);
+- /* Wait 10msec until VPP become stable */
+- usleep(10000);
+-
+- /* Disable pins in the TLMM */
+- if (mutex_lock_interruptible(&tsc_device->mutex))
+- return -ERESTARTSYS;
+-
+- if (pcurr_state->ts0 && pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->dual_ts);
+- else if (pcurr_state->ts0 && !pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts0);
+- else if (!pcurr_state->ts0 && pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts1);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->disable);
+- if (ret != 0)
+- pr_err("%s: error changing PCMCIA pins upon card removal. ret value = %d\n",
+- __func__, ret);
+- else
+- pcurr_state->pcmcia_state = PCMCIA_STATE_DISABLE;
+-
+- mutex_unlock(&tsc_device->mutex);
+-
+- return 0;
+-}
+-
+-/**
+- * tsc_card_power_up() - power up card interface upon insertion.
+- *
+- * Power up the card by open VPP, enable pins in the TLMM, deassert the reset
+- * line and enable the level-shifters. This function assumes the spinlock of ci
+- * device is already taken.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_card_power_up(void)
+-{
+- int ret = 0;
+- struct pinctrl_info *ppinctrl = &tsc_device->pinctrl_info;
+- struct pinctrl_current_state *pcurr_state = &ppinctrl->curr_state;
+- int reset_gpio = tsc_device->reset_cam_gpio;
+-
+- /* Power-up the card */
+- /* TODO: call mpq_standby_pcmcia_vpp_set(1) after MCU mainlined */
+- if (ret != 0) {
+- pr_err("%s: error setting VPP. 
ret value = %d\n", __func__,
+- ret);
+- return ret;
+- }
+- /* Wait 10msec until VPP become stable */
+- usleep(10000);
+-
+- /* Enable pins in the TLMM */
+- if (mutex_lock_interruptible(&tsc_device->mutex))
+- return -ERESTARTSYS;
+-
+- if (pcurr_state->ts0 && pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->dual_ts_pc_card);
+- else if (pcurr_state->ts0 && !pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts0_pc_card);
+- else if (!pcurr_state->ts0 && pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts1_pc_card);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->pc_card);
+- if (ret != 0) {
+- pr_err("%s: error changing PCMCIA pins upon card insertion. ret value = %d\n",
+- __func__, ret);
+- mutex_unlock(&tsc_device->mutex);
+- goto err;
+- } else {
+- pcurr_state->pcmcia_state = PCMCIA_STATE_PC_CARD;
+- }
+- mutex_unlock(&tsc_device->mutex);
+-
+- /* Release the reset line */
+- ret = gpio_direction_output(reset_gpio, 0); /* Deassert */
+- if (ret != 0) {
+- pr_err("%s: Failed to deassert the reset CAM GPIO\n", __func__);
+- goto err;
+- }
+-
+- /* Enable level-shifters for all pins */
+- /* TODO: call mpq_standby_pcmcia_master0_set(0) after MCU mainlined */
+- if (ret != 0) {
+- pr_err("%s: error setting master0 level-shifters. ret value = %d\n",
+- __func__, ret);
+- goto err;
+- }
+- /* TODO: call mpq_standby_pcmcia_master1_set(0) after MCU mainlined */
+- if (ret != 0) {
+- pr_err("%s: error setting master1 level-shifters. ret value = %d\n",
+- __func__, ret);
+- goto err;
+- }
+-
+- /* Wait 20msec at the end of the power-up sequence */
+- usleep(20000);
+-
+- return ret;
+-
+-err:
+- tsc_card_power_down();
+- return ret;
+-}
+-
+-/************************** Interrupt handlers **************************/
+-/**
+- * tsc_card_detect_irq_thread_handler() - TSC card detect interrupt handler.
+- *
+- * @irq: Interrupt number.
+- * @dev: TSC device.
+- *
+- * The handler is executed on a thread context, not in the interrupt context
+- * (can take a mutex and sleep).
+- * Read the card detection status from the register and initiate a power-up/down
+- * sequence accordingly. The sequence will occur only if a change is needed in
+- * the current power state.
+- *
+- */
+-static irqreturn_t tsc_card_detect_irq_thread_handler(int irq, void *dev)
+-{
+- int ret = 0;
+- struct tsc_ci_chdev *tsc_ci;
+- unsigned long flags = 0;
+-
+- tsc_ci = &tsc_device->ci_chdev;
+-
+- mutex_lock(&tsc_ci->mutex);
+-
+- tsc_update_hw_card_status();
+-
+- /* waking-up ci poll queue */
+- wake_up_interruptible(&tsc_ci->poll_queue);
+-
+- /* If in the middle of a data transaction- aborting the transaction */
+- if (tsc_ci->data_busy && tsc_device->hw_card_status ==
+- TSC_CARD_STATUS_NOT_DETECTED) {
+- spin_lock_irqsave(&tsc_ci->spinlock, flags);
+- tsc_ci->transaction_state = TRANSACTION_CARD_REMOVED;
+- spin_unlock_irqrestore(&tsc_ci->spinlock, flags);
+- complete_all(&tsc_ci->transaction_complete);
+- }
+-
+- if (tsc_device->hw_card_status == TSC_CARD_STATUS_DETECTED &&
+- !tsc_device->card_power) {
+- ret = tsc_card_power_up();
+- if (ret != 0)
+- pr_err("%s: card power-up failed\n", __func__);
+- else
+- tsc_device->card_power = true;
+- } else if (tsc_device->hw_card_status == TSC_CARD_STATUS_NOT_DETECTED &&
+- tsc_device->card_power) {
+- tsc_card_power_down();
+- /*
+- * In case something failed during the power down, the sequence
+- * continue and the status of the card power is considered as
+- * powered down.
+- */
+- tsc_device->card_power = false;
+- }
+-
+- mutex_unlock(&tsc_ci->mutex);
+-
+- return IRQ_HANDLED;
+-}
+-
+-/**
+- * tsc_cam_cmd_irq_handler() - TSC CAM interrupt handler.
+- *
+- * @irq: Interrupt number.
+- * @dev: TSC device.
+- *
+- * Handle TSC CAM HW interrupt. 
Handle the CAM transaction interrupts by waking
+- * up the completion sync object, handle rate mismatch interrupt by waking-up
+- * the TSC Mux poll wait-queue and clear the interrupts received.
+- *
+- * Return IRQ_HANDLED.
+- */
+-static irqreturn_t tsc_cam_cmd_irq_handler(int irq, void *dev)
+-{
+- struct tsc_ci_chdev *tsc_ci;
+- struct tsc_mux_chdev *tsc_mux;
+- unsigned long flags;
+- u32 stat_reg, ena_reg;
+-
+- tsc_ci = &tsc_device->ci_chdev;
+- tsc_mux = &tsc_device->mux_chdev;
+-
+- stat_reg = readl_relaxed(tsc_device->base + TSC_STAT);
+-
+- /* Handling transaction interrupts */
+- if (TEST_BIT(CAM_IRQ_ERR_OFFS, stat_reg) ||
+- TEST_BIT(CAM_IRQ_EOT_OFFS, stat_reg)) {
+- spin_lock_irqsave(&tsc_ci->spinlock, flags);
+-
+- if (TEST_BIT(CAM_IRQ_EOT_OFFS, stat_reg))
+- tsc_ci->transaction_state = TRANSACTION_SUCCESS;
+- else
+- tsc_ci->transaction_state = TRANSACTION_ERROR;
+-
+- spin_unlock_irqrestore(&tsc_ci->spinlock, flags);
+- complete_all(&tsc_ci->transaction_complete);
+- }
+-
+- /* Handling rate mismatch interrupt */
+- if (TEST_BIT(CAM_IRQ_RATE_MISMATCH_OFFS, stat_reg)) {
+- spin_lock_irqsave(&tsc_mux->spinlock, flags);
+-
+- /* Disabling rate mismatch interrupt */
+- ena_reg = readl_relaxed(tsc_device->base + TSC_IRQ_ENA);
+- CLEAR_BIT(CAM_IRQ_RATE_MISMATCH_OFFS, ena_reg);
+- writel_relaxed(ena_reg, tsc_device->base + TSC_IRQ_ENA);
+-
+- /* Setting internal flag for poll */
+- tsc_mux->rate_interrupt = true;
+-
+- spin_unlock_irqrestore(&tsc_mux->spinlock, flags);
+- /* waking-up mux poll queue */
+- wake_up_interruptible(&tsc_mux->poll_queue);
+- }
+-
+- /* Clearing all the interrupts received */
+- writel_relaxed(stat_reg, tsc_device->base + TSC_IRQ_CLR);
+-
+- /*
+- * Before returning IRQ_HANDLED to the generic interrupt handling
+- * framework need to make sure all operations including clearing of
+- * interrupt status registers in the hardware is performed.
+- * Thus a barrier after clearing the interrupt status register
+- * is required to guarantee that the interrupt status register has
+- * really been cleared by the time we return from this handler.
+- */
+- wmb();
+-
+- return IRQ_HANDLED;
+-}
+-
+-/************************** Internal functions **************************/
+-
+-/**
+- * tsc_set_cicam_clk() - Setting the rate of the TS from the TSC to the CAM
+- *
+- * @arg: The argument received from the user-space via set rate IOCTL.
+- * It is the value of the requested rate in MHz.
+- *
+- * Setting the rate of the cicam_ts_clk clock, with one of the valid clock
+- * frequencies. The arg value given is rounded to the nearest frequency.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_set_cicam_clk(unsigned long arg)
+-{
+- int ret;
+-
+- if (arg <= 8)
+- ret = clk_set_rate(tsc_device->cicam_ts_clk,
+- CICAM_CLK_RATE_7MHZ);
+- else if (arg <= 11)
+- ret = clk_set_rate(tsc_device->cicam_ts_clk,
+- CICAM_CLK_RATE_9MHZ);
+- else
+- ret = clk_set_rate(tsc_device->cicam_ts_clk,
+- CICAM_CLK_RATE_12MHZ);
+- return ret;
+-}
+-
+-/**
+- * tsc_enable_rate_irq() - Enabling the rate mismatch interrupt.
+- *
+- * @tsc_mux: TSC Mux device.
+- *
+- * Setting the bit of this interrupt in the register that controls which
+- * interrupts are enabled.
+- */
+-static void tsc_enable_rate_irq(struct tsc_mux_chdev *tsc_mux)
+-{
+- unsigned long flags;
+- u32 ena_reg = 0;
+-
+- spin_lock_irqsave(&tsc_mux->spinlock, flags);
+-
+- /* Setting the bit to start receiving rate mismatch interrupt again */
+- ena_reg = readl_relaxed(tsc_device->base + TSC_IRQ_ENA);
+- SET_BIT(CAM_IRQ_RATE_MISMATCH_OFFS, ena_reg);
+- writel_relaxed(ena_reg, tsc_device->base + TSC_IRQ_ENA);
+-
+- spin_unlock_irqrestore(&tsc_mux->spinlock, flags);
+-}
+-
+-/**
+- * tsc_config_tsif() - Modifying TSIF configuration.
+- *
+- * @tsc_mux: TSC Mux device.
+- * @tsif_params: TSIF parameters received from the user-space via IOCTL.
+- *
+- * Update the specified TSIF parameters according to the values in tsif_params.
+- * The update is done by modifying a HW register.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_config_tsif(struct tsc_mux_chdev *tsc_mux,
+- struct tsc_tsif_params *tsif_params)
+-{
+- int ret = 0;
+- u32 reg;
+- int reg_internal_offs;
+- u32 reg_addr_offs;
+-
+- switch (tsif_params->source) {
+- case TSC_SOURCE_EXTERNAL0:
+- reg_internal_offs = 0;
+- reg_addr_offs = TSC_IN_IFC_EXT;
+- break;
+- case TSC_SOURCE_EXTERNAL1:
+- reg_internal_offs = 16;
+- reg_addr_offs = TSC_IN_IFC_EXT;
+- break;
+- case TSC_SOURCE_INTERNAL:
+- reg_internal_offs = 0;
+- reg_addr_offs = TSC_IN_IFC_CFG_INT;
+- break;
+- case TSC_SOURCE_CICAM:
+- reg_internal_offs = 16;
+- reg_addr_offs = TSC_IN_IFC_CFG_INT;
+- break;
+- default:
+- pr_err("%s: unidentified source parameter\n", __func__);
+- ret = -EINVAL;
+- goto err;
+- }
+-
+-
+- reg = readl_relaxed(tsc_device->base + reg_addr_offs);
+-
+- /* Modifying TSIF settings in the register value */
+- (tsif_params->clock_polarity ?
+- SET_BIT((reg_internal_offs + TSIF_CLK_POL_OFFS), reg) :
+- CLEAR_BIT((reg_internal_offs + TSIF_CLK_POL_OFFS), reg));
+- (tsif_params->data_polarity ?
+- SET_BIT(((reg_internal_offs + TSIF_DATA_POL_OFFS)), reg) :
+- CLEAR_BIT((reg_internal_offs + TSIF_DATA_POL_OFFS), reg));
+- (tsif_params->start_polarity ?
+- SET_BIT((reg_internal_offs + TSIF_START_POL_OFFS), reg) :
+- CLEAR_BIT((reg_internal_offs + TSIF_START_POL_OFFS), reg));
+- (tsif_params->valid_polarity ?
+- SET_BIT((reg_internal_offs + TSIF_VALID_POL_OFFS), reg) :
+- CLEAR_BIT((reg_internal_offs + TSIF_VALID_POL_OFFS), reg));
+- (tsif_params->error_polarity ?
+- SET_BIT((reg_internal_offs + TSIF_ERROR_POL_OFFS), reg) :
+- CLEAR_BIT((reg_internal_offs + TSIF_ERROR_POL_OFFS), reg));
+- (tsif_params->data_type ?
+- SET_BIT((reg_internal_offs + TSIF_SER_PAR_OFFS), reg) :
+- CLEAR_BIT((reg_internal_offs + TSIF_SER_PAR_OFFS), reg));
+- reg &= ~(0x3 << TSIF_REC_MODE_OFFS);
+- reg |= (tsif_params->receive_mode << TSIF_REC_MODE_OFFS);
+- (tsif_params->data_swap ?
+- SET_BIT((reg_internal_offs + TSIF_DATA_SWAP_OFFS), reg) :
+- CLEAR_BIT((reg_internal_offs + TSIF_DATA_SWAP_OFFS), reg));
+- (tsif_params->set_error ?
+- SET_BIT((reg_internal_offs + TSIF_ERR_INSERT_OFFS), reg) :
+- CLEAR_BIT((reg_internal_offs + TSIF_ERR_INSERT_OFFS), reg));
+-
+- /* Writing the new settings to the register */
+- writel_relaxed(reg, tsc_device->base + reg_addr_offs);
+-
+-err:
+- return ret;
+-}
+-
+-/**
+- * tsc_suspend_ts_pins() - Suspend TS-in pins
+- *
+- * @source: The TSIF to configure.
+- *
+- * Config the TLMM pins of a TSIF as TS-in pins in sleep state according to
+- * the current pinctrl configuration of the other pins.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_suspend_ts_pins(enum tsc_source source)
+-{
+- int ret = 0;
+- struct pinctrl_info *ppinctrl = &tsc_device->pinctrl_info;
+- struct pinctrl_current_state *pcurr_state = &ppinctrl->curr_state;
+-
+- if (mutex_lock_interruptible(&tsc_device->mutex))
+- return -ERESTARTSYS;
+-
+- if (source == TSC_SOURCE_EXTERNAL0) {
+- if (!ppinctrl->is_ts0) {
+- pr_err("%s: No TS0-in pinctrl definitions were found in the TSC devicetree\n",
+- __func__);
+- mutex_unlock(&tsc_device->mutex);
+- return -EPERM;
+- }
+-
+- /* Transition from current pinctrl state to curr + ts0 sleep */
+- switch (pcurr_state->pcmcia_state) {
+- case PCMCIA_STATE_DISABLE:
+- if (pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts1);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->disable);
+- break;
+- case PCMCIA_STATE_PC_CARD:
+- if (pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts1_pc_card);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- 
ppinctrl->pc_card);
+- break;
+- case PCMCIA_STATE_CI_CARD:
+- if (pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts1_ci_card);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ci_card);
+- break;
+- case PCMCIA_STATE_CI_PLUS:
+- if (pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts1_ci_plus);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ci_plus);
+- break;
+- }
+- } else { /* source == TSC_SOURCE_EXTERNAL1 */
+- if (!ppinctrl->is_ts1) {
+- pr_err("%s: No TS1-in pinctrl definitions were found in the TSC devicetree\n",
+- __func__);
+- mutex_unlock(&tsc_device->mutex);
+- return -EPERM;
+- }
+-
+- /* Transition from current pinctrl state to curr + ts1 sleep */
+- switch (pcurr_state->pcmcia_state) {
+- case PCMCIA_STATE_DISABLE:
+- if (pcurr_state->ts0)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts0);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->disable);
+- break;
+- case PCMCIA_STATE_PC_CARD:
+- if (pcurr_state->ts0)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts0_pc_card);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->pc_card);
+- break;
+- case PCMCIA_STATE_CI_CARD:
+- if (pcurr_state->ts0)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts0_ci_card);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ci_card);
+- break;
+- case PCMCIA_STATE_CI_PLUS:
+- if (pcurr_state->ts0)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts0_ci_plus);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ci_plus);
+- break;
+- }
+- }
+-
+- if (ret != 0) {
+- pr_err("%s: error disabling TS-in pins. 
ret value = %d\n",
+- __func__, ret);
+- mutex_unlock(&tsc_device->mutex);
+- return -EINVAL;
+- }
+-
+- /* Update the current pinctrl state in the internal struct */
+- if (source == TSC_SOURCE_EXTERNAL0)
+- pcurr_state->ts0 = false;
+- else
+- pcurr_state->ts1 = false;
+-
+- mutex_unlock(&tsc_device->mutex);
+-
+- return 0;
+-}
+-
+-/**
+- * tsc_activate_ts_pins() - Activate TS-in pins
+- *
+- * @source: The TSIF to configure.
+- *
+- * Config the TLMM pins of a TSIF as TS-in pins in active state according to
+- * the current pinctrl configuration of the other pins
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_activate_ts_pins(enum tsc_source source)
+-{
+- int ret = 0;
+- struct pinctrl_info *ppinctrl = &tsc_device->pinctrl_info;
+- struct pinctrl_current_state *pcurr_state = &ppinctrl->curr_state;
+-
+- if (mutex_lock_interruptible(&tsc_device->mutex))
+- return -ERESTARTSYS;
+-
+- if (source == TSC_SOURCE_EXTERNAL0) {
+- if (!ppinctrl->is_ts0) {
+- pr_err("%s: No TS0-in pinctrl definitions were found in the TSC devicetree\n",
+- __func__);
+- mutex_unlock(&tsc_device->mutex);
+- return -EPERM;
+- }
+-
+- /* Transition from current pinctrl state to curr + ts0 active */
+- switch (pcurr_state->pcmcia_state) {
+- case PCMCIA_STATE_DISABLE:
+- if (pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->dual_ts);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts0);
+- break;
+- case PCMCIA_STATE_PC_CARD:
+- if (pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->dual_ts_pc_card);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts0_pc_card);
+- break;
+- case PCMCIA_STATE_CI_CARD:
+- if (pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->dual_ts_ci_card);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts0_ci_card);
+- break;
+- case PCMCIA_STATE_CI_PLUS:
+- if (pcurr_state->ts1)
+- ret = 
pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->dual_ts_ci_plus);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts0_ci_plus);
+- break;
+- }
+- } else { /* source == TSC_SOURCE_EXTERNAL1 */
+- if (!ppinctrl->is_ts1) {
+- pr_err("%s: No TS1-in pinctrl definitions were found in the TSC devicetree\n",
+- __func__);
+- mutex_unlock(&tsc_device->mutex);
+- return -EPERM;
+- }
+-
+- /* Transition from current pinctrl state to curr + ts1 active */
+- switch (pcurr_state->pcmcia_state) {
+- case PCMCIA_STATE_DISABLE:
+- if (pcurr_state->ts0)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->dual_ts);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts1);
+- break;
+- case PCMCIA_STATE_PC_CARD:
+- if (pcurr_state->ts0)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->dual_ts_pc_card);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts1_pc_card);
+- break;
+- case PCMCIA_STATE_CI_CARD:
+- if (pcurr_state->ts0)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->dual_ts_ci_card);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts1_ci_card);
+- break;
+- case PCMCIA_STATE_CI_PLUS:
+- if (pcurr_state->ts0)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->dual_ts_ci_plus);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts1_ci_plus);
+- break;
+- }
+- }
+-
+- if (ret != 0) {
+- pr_err("%s: error activating TS-in pins. ret value = %d\n",
+- __func__, ret);
+- mutex_unlock(&tsc_device->mutex);
+- return -EINVAL;
+- }
+-
+- /* Update the current pinctrl state in the internal struct */
+- if (source == TSC_SOURCE_EXTERNAL0)
+- pcurr_state->ts0 = true;
+- else
+- pcurr_state->ts1 = true;
+-
+- mutex_unlock(&tsc_device->mutex);
+-
+- return 0;
+-}
+-
+-/**
+- * tsc_enable_disable_tsif() - Enable/disable a TSIF.
+- *
+- * @tsc_mux: TSC Mux device.
+- * @source: The TSIF to enable or disable.
+- * @operation: The operation to perform: 0- enable, 1- disable.
+- *
+- * Enable or disable the specified TSIF, which consequently will block the TS
+- * flowing through this TSIF. The update is done by modifying a HW register.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_enable_disable_tsif(struct tsc_mux_chdev *tsc_mux,
+- enum tsc_source source, int operation)
+-{
+- int ret = 0;
+- u32 reg;
+- u32 addr_offs;
+- int reg_offs;
+- int curr_disable_state;
+-
+- switch (source) {
+- case TSC_SOURCE_EXTERNAL0:
+- reg_offs = 0;
+- addr_offs = TSC_IN_IFC_EXT;
+- break;
+- case TSC_SOURCE_EXTERNAL1:
+- reg_offs = 16;
+- addr_offs = TSC_IN_IFC_EXT;
+- break;
+- case TSC_SOURCE_INTERNAL:
+- reg_offs = 0;
+- addr_offs = TSC_IN_IFC_CFG_INT;
+- break;
+- case TSC_SOURCE_CICAM:
+- reg_offs = 16;
+- addr_offs = TSC_IN_IFC_CFG_INT;
+- break;
+- default:
+- pr_err("%s: unidentified source parameter\n", __func__);
+- ret = -EINVAL;
+- return ret;
+- }
+-
+- /* Reading the current enable/disable state from the register */
+- reg = readl_relaxed(tsc_device->base + addr_offs);
+- curr_disable_state = GETL_BITS(reg, TSIF_DISABLE_OFFS + reg_offs,
+- TSIF_DISABLE_OFFS + reg_offs);
+- /* If the current state equals the new state- return success */
+- if (curr_disable_state == operation)
+- return ret;
+-
+- if (operation == TSIF_INPUT_DISABLE) {
+- if (source == TSC_SOURCE_EXTERNAL0 ||
+- source == TSC_SOURCE_EXTERNAL1) {
+- /* Disabling the TS-in pins in the TLMM */
+- ret = tsc_suspend_ts_pins(source);
+- if (ret != 0) {
+- pr_err("%s: Error suspending TS-in pins",
+- __func__);
+- return ret;
+- }
+- }
+- SET_BIT((reg_offs + TSIF_DISABLE_OFFS), reg);
+- } else {
+- if (source == TSC_SOURCE_EXTERNAL0 ||
+- source == TSC_SOURCE_EXTERNAL1) {
+- /* Enabling the TS-in pins in the TLMM */
+- ret = tsc_activate_ts_pins(source);
+- if (ret != 0) {
+- pr_err("%s: Error activating TS-in pins",
+- __func__);
+- return ret;
+- }
+- }
+- CLEAR_BIT((reg_offs + 
TSIF_DISABLE_OFFS), reg);
+- }
+-
+- /* Writing back to the reg the enable/disable of the TSIF */
+- writel_relaxed(reg, tsc_device->base + addr_offs);
+-
+- return ret;
+-}
+-
+-/**
+- * tsc_route_mux() - Configuring one of the TSC muxes.
+- *
+- * @tsc_mux: TSC Mux device.
+- * @source: The requested TS source to be selected by the mux.
+- * @dest: The requested mux.
+- *
+- * Configuring the specified mux to pass the TS indicated by the src parameter.
+- * The update is done by modifying a HW register.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_route_mux(struct tsc_mux_chdev *tsc_mux, enum tsc_source source,
+- enum tsc_dest dest)
+-{
+- int ret = 0;
+- u32 mux_cfg_reg;
+- int src_val;
+-
+- switch (source) {
+- case TSC_SOURCE_EXTERNAL0:
+- src_val = MUX_EXTERNAL_DEMOD_0;
+- break;
+- case TSC_SOURCE_EXTERNAL1:
+- src_val = MUX_EXTERNAL_DEMOD_1;
+- break;
+- case TSC_SOURCE_INTERNAL:
+- src_val = MUX_INTERNAL_DEMOD;
+- break;
+- case TSC_SOURCE_CICAM:
+- src_val = MUX_CICAM;
+- break;
+- default:
+- pr_err("%s: unidentified source parameter\n", __func__);
+- ret = -EINVAL;
+- goto err;
+- }
+-
+- /* Reading the current muxes state, to change only the requested mux */
+- mux_cfg_reg = readl_relaxed(tsc_device->base + TSC_MUX_CFG);
+-
+- switch (dest) {
+- case TSC_DEST_TSPP0:
+- mux_cfg_reg &= ~(0x3 << MUX0_OFFS);
+- mux_cfg_reg |= (src_val << MUX0_OFFS);
+- break;
+- case TSC_DEST_TSPP1:
+- mux_cfg_reg &= ~(0x3 << MUX1_OFFS);
+- mux_cfg_reg |= (src_val << MUX1_OFFS);
+- break;
+- case TSC_DEST_CICAM:
+- if (src_val == TSC_SOURCE_CICAM) {
+- pr_err("%s: Error: CICAM cannot be source and dest\n",
+- __func__);
+- ret = -EINVAL;
+- goto err;
+- }
+- mux_cfg_reg &= ~(0x3 << MUX_CAM_OFFS);
+- mux_cfg_reg |= (src_val << MUX_CAM_OFFS);
+- break;
+- default:
+- pr_err("%s: unidentified dest parameter\n", __func__);
+- ret = -EINVAL;
+- goto err;
+- }
+-
+- writel_relaxed(mux_cfg_reg, tsc_device->base + TSC_MUX_CFG);
+-
+-err:
+- return 
ret; +-} +- +-/** +- * is_tsc_idle() - Checking if TSC is idle. +- * +- * @tsc_ci: TSC CI device. +- * +- * Reading the TSC state-machine register and checking if the TSC is busy in +- * one of the operations reflected by this register. +- * +- * Return true if the TSC is idle and false if it's busy. +- */ +-static bool is_tsc_idle(struct tsc_ci_chdev *tsc_ci) +-{ +- u32 fsm_reg; +- +- fsm_reg = readl_relaxed(tsc_device->base + TSC_FSM_STATE); +- if (GETL_BITS(fsm_reg, FSM_STATE_BUFFER_BEG, FSM_STATE_BUFFER_END) || +- GETL_BITS(fsm_reg, FSM_STATE_POLL_BEG, FSM_STATE_POLL_END) || +- GETL_BITS(fsm_reg, FSM_STATE_BYTE_BEG, FSM_STATE_BYTE_END) || +- GETL_BITS(fsm_reg, FSM_STATE_MEM_WR_BEG, +- FSM_STATE_MEM_WR_END) || +- GETL_BITS(fsm_reg, FSM_STATE_MEM_RD_BEG, +- FSM_STATE_MEM_RD_END) || +- GETL_BITS(fsm_reg, FSM_STATE_IO_RD_BEG, FSM_STATE_IO_RD_END) || +- GETL_BITS(fsm_reg, FSM_STATE_IO_WR_BEG, FSM_STATE_IO_WR_END) || +- tsc_ci->data_busy) +- return false; +- +- tsc_ci->data_busy = true; +- +- return true; +-} +- +- +-/** +- * tsc_power_on_buff_mode_clocks() - power-on the TSPP2 and VBIF clocks. +- * +- * Power-on the TSPP2 and the VBIF clocks required for buffer mode transaction. +- * +- * Return 0 on success, error value otherwise. 
+- */
+-static int tsc_power_on_buff_mode_clocks(void)
+-{
+- int ret = 0;
+-
+- ret = clk_prepare_enable(tsc_device->tspp2_core_clk);
+- if (ret != 0) {
+- pr_err("%s: Can't start tspp2_core_clk", __func__);
+- goto err_tspp2;
+- }
+- ret = clk_prepare_enable(tsc_device->vbif_tspp2_clk);
+- if (ret != 0) {
+- pr_err("%s: Can't start vbif_tspp2_clk", __func__);
+- goto err_vbif_tspp2;
+- }
+- ret = clk_prepare_enable(tsc_device->vbif_ahb_clk);
+- if (ret != 0) {
+- pr_err("%s: Can't start vbif_ahb_clk", __func__);
+- goto err_vbif_ahb;
+- }
+- ret = clk_prepare_enable(tsc_device->vbif_axi_clk);
+- if (ret != 0) {
+- pr_err("%s: Can't start vbif_axi_clk", __func__);
+- goto err_vbif_axi;
+- }
+-
+- return ret;
+-
+-err_vbif_axi:
+- clk_disable_unprepare(tsc_device->vbif_ahb_clk);
+-err_vbif_ahb:
+- clk_disable_unprepare(tsc_device->vbif_tspp2_clk);
+-err_vbif_tspp2:
+- clk_disable_unprepare(tsc_device->tspp2_core_clk);
+-err_tspp2:
+- return ret;
+-}
+-
+-/**
+- * tsc_power_off_buff_mode_clocks() - power-off the SPP2 and VBIF clocks.
+- *
+- * Power-off the TSPP2 and the VBIF clocks required for buffer mode transaction.
+- */
+-static void tsc_power_off_buff_mode_clocks(void)
+-{
+- clk_disable_unprepare(tsc_device->vbif_axi_clk);
+- clk_disable_unprepare(tsc_device->vbif_ahb_clk);
+- clk_disable_unprepare(tsc_device->tspp2_core_clk);
+- clk_disable_unprepare(tsc_device->vbif_tspp2_clk);
+-}
+-
+-/**
+- * tsc_config_cam_data_transaction() - Configuring a new data transaction.
+- *
+- * @addr_size: The value for the address_size register field- address when
+- * using single byte-mode, and size when using buffer mode.
+- * @wr_data: the value for the wr_data register field- data to write to the
+- * cam when using single byte mode.
+- * @io_mem: The value for the io_mem register field- 1 for IO transaction,
+- * 0 for memory transaction.
+- * @read_write: The value for the read_write register field- 1 for read
+- * transaction, 0 for write transaction.
+- * @buff_mode: The value for the buff_mode register field- 1 for buffer mode,
+- * 0 for single byte mode.
+- *
+- * Configuring the cam cmd register with the specified parameters, to initiate
+- * data transaction with the cam.
+- */
+-static void tsc_config_cam_data_transaction(u16 addr_size,
+- u8 wr_data,
+- uint io_mem,
+- uint read_write,
+- uint buff_mode)
+-{
+- u32 cam_cmd_reg = 0;
+-
+- cam_cmd_reg |= (addr_size << CAM_CMD_ADDR_SIZE_OFFS);
+- cam_cmd_reg |= (wr_data << CAM_CMD_WR_DATA_OFFS);
+- cam_cmd_reg |= (io_mem << CAM_CMD_IO_MEM_OFFS);
+- cam_cmd_reg |= (read_write << CAM_CMD_RD_WR_OFFS);
+- cam_cmd_reg |= (buff_mode << CAM_CMD_BUFF_MODE_OFFS);
+- writel_relaxed(cam_cmd_reg, tsc_device->base + TSC_CAM_CMD);
+-}
+-
+-/**
+- * tsc_data_transaction() - Blocking function that manage the data transactions.
+- *
+- * @tsc_ci: TSC CI device.
+- * @io_mem: The value for the io_mem register field- 1 for IO transaction,
+- * 0 for memory transaction.
+- * @read_write: The value for the read_write register field- 1 for read
+- * transaction, 0 for write transaction.
+- * @buff_mode: The value for the buff_mode register field- 1 for buffer mode,
+- * 0 for single byte mode.
+- * @arg: The argument received from the user-space via a data transaction
+- * IOCTL. It is from one of the two following types:
+- * "struct tsc_single_byte_mode" and "struct tsc_buffer_mode".
+- *
+- * Receiving the transaction paramters from the user-space. Configure the HW
+- * registers to initiate a data transaction with the cam. Wait for an
+- * interrupt indicating the transaction is over and return the the data read
+- * from the cam in case of single-byte read transaction.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_data_transaction(struct tsc_ci_chdev *tsc_ci, uint io_mem,
+- uint read_write, uint buff_mode, unsigned long arg)
+-{
+- struct tsc_single_byte_mode arg_byte;
+- struct tsc_buffer_mode arg_buff;
+- u16 addr_size;
+- u8 wr_data;
+- uint timeout;
+- u32 cam_cmd_reg;
+- struct ion_handle *ion_handle = NULL;
+- ion_phys_addr_t iova = 0;
+- unsigned long buffer_size = 0;
+- unsigned long flags = 0;
+- int ret = 0;
+-
+- if (!arg)
+- return -EINVAL;
+-
+- /* make sure the tsc is in idle state before configuring the cam */
+- if (!is_tsc_idle(tsc_ci)) {
+- ret = -EBUSY;
+- goto finish;
+- }
+-
+- INIT_COMPLETION(tsc_ci->transaction_finish);
+-
+- /* copying data from the ioctl parameter */
+- if (buff_mode == SINGLE_BYTE_MODE) {
+- if (copy_from_user(&arg_byte, (void *)arg,
+- sizeof(struct tsc_single_byte_mode))) {
+- ret = -EFAULT;
+- goto err_copy_arg;
+- }
+- addr_size = arg_byte.address;
+- if (IO_TRANSACTION == io_mem &&
+- addr_size > CICAM_MAX_ADDRESS) {
+- pr_err("%s: wrong address parameter: %d\n", __func__,
+- addr_size);
+- ret = -EFAULT;
+- goto err_copy_arg;
+- }
+- wr_data = arg_byte.data;
+- timeout = arg_byte.timeout;
+- } else {
+- if (copy_from_user(&arg_buff, (void *)arg,
+- sizeof(struct tsc_buffer_mode))) {
+- ret = -EFAULT;
+- goto err_copy_arg;
+- }
+- addr_size = arg_buff.buffer_size;
+- if (!addr_size) {
+- pr_err("%s: size parameter is 0\n", __func__);
+- ret = -EFAULT;
+- goto err_copy_arg;
+- }
+- wr_data = 0;
+- timeout = arg_buff.timeout;
+-
+- /* import ion handle from the ion fd passed from user-space */
+- ion_handle = ion_import_dma_buf
+- (tsc_device->iommu_info.ion_client, arg_buff.buffer_fd);
+- if (IS_ERR_OR_NULL(ion_handle)) {
+- pr_err("%s: get_ION_handle failed\n", __func__);
+- ret = -EIO;
+- goto err_ion_handle;
+- }
+-
+- /*
+- * mapping the ion handle to the VBIF and get the virtual
+- * address
+- */
+- ret = ion_map_iommu(tsc_device->iommu_info.ion_client,
+- ion_handle, tsc_device->iommu_info.domain_num,
+- tsc_device->iommu_info.partition_num, SZ_4K,
+- 0, &iova, &buffer_size, 0, 0);
+-
+- if (ret != 0) {
+- pr_err("%s: get_ION_kernel physical addr fail\n",
+- __func__);
+- goto err_ion_map;
+- }
+-
+- /*
+- * writing the buffer virtual address to the register for buffer
+- * address of buffer mode
+- */
+- if (read_write == READ_TRANSACTION)
+- writel_relaxed(iova,
+- tsc_device->base + TSC_RD_BUFF_ADDR);
+- else /* write transaction */
+- writel_relaxed(iova,
+- tsc_device->base + TSC_WR_BUFF_ADDR);
+- }
+-
+- /* configuring the cam command register */
+- tsc_config_cam_data_transaction(addr_size, wr_data, io_mem, read_write,
+- buff_mode);
+-
+- /*
+- * This function assume the mutex is locked before calling the function,
+- * so mutex has to be unlocked before going to sleep when waiting for
+- * the transaction.
+- */
+- mutex_unlock(&tsc_ci->mutex);
+- /* waiting for EOT interrupt or timeout */
+- if (!wait_for_completion_timeout(&tsc_ci->transaction_complete,
+- msecs_to_jiffies(timeout))) {
+- pr_err("%s: Error: wait for transaction timed-out\n", __func__);
+- ret = -ETIMEDOUT;
+- mutex_lock(&tsc_ci->mutex);
+- /* Aborting the transaction if it's buffer mode */
+- if (buff_mode) {
+- cam_cmd_reg = readl_relaxed(tsc_device->base +
+- TSC_CAM_CMD);
+- SET_BIT(CAM_CMD_ABORT, cam_cmd_reg);
+- writel_relaxed(cam_cmd_reg, tsc_device->base +
+- TSC_CAM_CMD);
+- }
+- goto finish;
+- }
+- mutex_lock(&tsc_ci->mutex);
+-
+- /* Checking if transaction ended with error */
+- spin_lock_irqsave(&tsc_ci->spinlock, flags);
+- if (tsc_ci->transaction_state == TRANSACTION_ERROR) {
+- tsc_ci->transaction_state = BEFORE_TRANSACTION;
+- spin_unlock_irqrestore(&tsc_ci->spinlock, flags);
+- pr_err("%s: Transaction error\n", __func__);
+- ret = -EBADE; /* Invalid exchange error code */
+- goto finish;
+- } else if (tsc_ci->transaction_state == TRANSACTION_CARD_REMOVED) {
+- tsc_ci->transaction_state = BEFORE_TRANSACTION;
+- spin_unlock_irqrestore(&tsc_ci->spinlock, flags);
+- pr_err("%s: Card was removed during the transaction. Aborting\n",
+- __func__);
+- ret = -ECONNABORTED;
+- /* Aborting the transaction if it's buffer mode */
+- if (buff_mode) {
+- cam_cmd_reg = readl_relaxed(tsc_device->base +
+- TSC_CAM_CMD);
+- SET_BIT(CAM_CMD_ABORT, cam_cmd_reg);
+- writel_relaxed(cam_cmd_reg, tsc_device->base +
+- TSC_CAM_CMD);
+- }
+- goto finish;
+- }
+-
+- /* reseting the argument after reading the interrupt type */
+- tsc_ci->transaction_state = BEFORE_TRANSACTION;
+- spin_unlock_irqrestore(&tsc_ci->spinlock, flags);
+-
+- /*
+- * Only on case of read single byte operation, we need to copy the data
+- * to the arg data field
+- */
+- if (buff_mode == SINGLE_BYTE_MODE && read_write == READ_TRANSACTION)
+- ret = put_user(readl_relaxed(tsc_device->base +
+- TSC_CAM_RD_DATA),
+- &((struct tsc_single_byte_mode *)arg)->data);
+-
+-finish:
+- if (iova != 0)
+- ion_unmap_iommu(tsc_device->iommu_info.ion_client, ion_handle,
+- tsc_device->iommu_info.domain_num,
+- tsc_device->iommu_info.partition_num);
+-err_ion_map:
+- if (!IS_ERR_OR_NULL(ion_handle))
+- ion_free(tsc_device->iommu_info.ion_client, ion_handle);
+-err_ion_handle:
+-err_copy_arg:
+- tsc_ci->data_busy = false;
+- INIT_COMPLETION(tsc_ci->transaction_complete);
+- complete_all(&tsc_ci->transaction_finish);
+- return ret;
+-}
+-
+-/**
+- * tsc_personality_change() - change the PCMCIA pins state.
+- *
+- * @pcmcia_state: The new state of the PCMCIA pins.
+- *
+- * Configure the TLMM pins of the PCMCIA according to received state and
+- * the current pinctrl configuration of the other pins. This function assums the
+- * PCMCIA pinctrl definitions were successfully parsed from the devicetree (this
+- * check is done at open device).
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_personality_change(enum tsc_cam_personality pcmcia_state)
+-{
+- int ret = 0;
+- struct pinctrl_info *ppinctrl = &tsc_device->pinctrl_info;
+- struct pinctrl_current_state *pcurr_state = &ppinctrl->curr_state;
+- u32 reg = 0;
+-
+- if (mutex_lock_interruptible(&tsc_device->mutex))
+- return -ERESTARTSYS;
+-
+- if (pcmcia_state == (enum tsc_cam_personality)pcurr_state->pcmcia_state)
+- goto exit;
+-
+- /* Transition from current pinctrl state to curr + new pcmcia state */
+- switch (pcmcia_state) {
+- case TSC_CICAM_PERSONALITY_CI:
+- if (pcurr_state->ts0 && pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->dual_ts_ci_card);
+- else if (pcurr_state->ts0 && !pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts0_ci_card);
+- else if (!pcurr_state->ts0 && pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts1_ci_card);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ci_card);
+- break;
+- case TSC_CICAM_PERSONALITY_CIPLUS:
+- if (pcurr_state->ts0 && pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->dual_ts_ci_plus);
+- else if (pcurr_state->ts0 && !pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts0_ci_plus);
+- else if (!pcurr_state->ts0 && pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts1_ci_plus);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ci_plus);
+- break;
+- case TSC_CICAM_PERSONALITY_DISABLE:
+- if (pcurr_state->ts0 && pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->dual_ts);
+- else if (pcurr_state->ts0 && !pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts0);
+- else if (!pcurr_state->ts0 && pcurr_state->ts1)
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->ts1);
+- else
+- ret = pinctrl_select_state(ppinctrl->pinctrl,
+- ppinctrl->disable);
+- break;
+- default:
+- pr_err("%s: Wrong personality parameter\n", __func__);
+- ret = -EINVAL;
+- goto exit;
+- }
+-
+- if (ret != 0) {
+- pr_err("%s: error changing PCMCIA pins. ret value = %d\n",
+- __func__, ret);
+- ret = -EINVAL;
+- goto exit;
+- }
+-
+- /* Update the current pcmcia state in the internal struct */
+- pcurr_state->pcmcia_state = (enum pcmcia_state)pcmcia_state;
+-
+- /*
+- * Setting CAM TSIF OE to enable I/O transactions for CI/+ cards
+- * or clearing it when moving to disable state
+- */
+- if (TSC_CICAM_PERSONALITY_CI == pcmcia_state ||
+- TSC_CICAM_PERSONALITY_CIPLUS == pcmcia_state) {
+- SET_BIT(TSC_CICAM_TSIF_OE_OFFS, reg);
+- writel_relaxed(reg, tsc_device->base + TSC_CICAM_TSIF);
+- } else {
+- CLEAR_BIT(TSC_CICAM_TSIF_OE_OFFS, reg);
+- writel_relaxed(reg, tsc_device->base + TSC_CICAM_TSIF);
+- }
+-
+-exit:
+- mutex_unlock(&tsc_device->mutex);
+- return ret;
+-}
+-
+-/**
+- * tsc_reset_cam() - HW reset to the CAM.
+- *
+- * Toggle the reset pin of the pcmcia to make a HW reset.
+- * This function assumes that pinctrl_select_state was already called on the
+- * reset pin with its active state (happens during personality change).
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_reset_cam(void)
+-{
+- int ret;
+- int reset_gpio = tsc_device->reset_cam_gpio;
+-
+- /* Toggle the GPIO to create a reset pulse */
+- ret = gpio_direction_output(reset_gpio, 0); /* Make sure it's 0 */
+- if (ret != 0)
+- goto err;
+-
+- ret = gpio_direction_output(reset_gpio, 1); /* Assert */
+- if (ret != 0)
+- goto err;
+-
+- /*
+- * Waiting to enable the CAM to process the assertion before the
+- * deassertion. 1ms is needed for this processing.
+- */
+- usleep(1000);
+-
+- ret = gpio_direction_output(reset_gpio, 0); /* Deassert */
+- if (ret != 0)
+- goto err;
+-
+- return 0;
+-err:
+- pr_err("%s: Failed writing to reset cam GPIO\n", __func__);
+- return ret;
+-}
+-
+-/**
+- * tsc_reset_registers() - Reset the TSC registers.
+- *
+- * Write specific reset values to the TSC registers, managed by the driver.
+- */
+-static void tsc_reset_registers(void)
+-{
+- /* Reset state - all mux transfer ext. demod 0 */
+- writel_relaxed(0x00000000, tsc_device->base + TSC_MUX_CFG);
+-
+- /* Disabling TSIFs inputs, putting polarity to normal, data as serial */
+- writel_relaxed(0x02000200, tsc_device->base + TSC_IN_IFC_EXT);
+- writel_relaxed(0x02000200, tsc_device->base + TSC_IN_IFC_CFG_INT);
+-
+- /* Reseting TSC_FSM_STATE_MASK to represent all the states but poll */
+- writel_relaxed(0x3333300F, tsc_device->base + TSC_FSM_STATE_MASK);
+-
+- /* Clearing all the CAM interrupt */
+- writel_relaxed(0x1F, tsc_device->base + TSC_IRQ_CLR);
+-
+- /* Disabling all cam interrupts (enable is done at - open) */
+- writel_relaxed(0x00, tsc_device->base + TSC_IRQ_ENA);
+-
+- /* Disabling HW polling */
+- writel_relaxed(0x00, tsc_device->base + TSC_CIP_CFG);
+-
+- /* Reset state - address for read/write buffer */
+- writel_relaxed(0x00000000, tsc_device->base + TSC_RD_BUFF_ADDR);
+- writel_relaxed(0x00000000, tsc_device->base + TSC_WR_BUFF_ADDR);
+-
+- /* Clearing false cd counter */
+- writel_relaxed(0x01, tsc_device->base + TSC_FALSE_CD_CLR);
+- writel_relaxed(0x00, tsc_device->base + TSC_FALSE_CD_CLR);
+-
+- /* Disabling TSIF out to cicam and IO read/write with the CAM */
+- writel_relaxed(0x00000000, tsc_device->base + TSC_CICAM_TSIF);
+-}
+-
+-/**
+- * tsc_disable_tsifs() - Disable all the TSC Tsifs.
+- *
+- * Disable the TSIFs of the ext. demods, the int. demod and the cam on both
+- * directions.
+- */
+-static void tsc_disable_tsifs(void)
+-{
+- u32 reg;
+-
+- /* Ext. TSIFs */
+- reg = readl_relaxed(tsc_device->base + TSC_IN_IFC_EXT);
+- SET_BIT(TSIF_DISABLE_OFFS, reg);
+- SET_BIT((TSIF_DISABLE_OFFS + 16), reg);
+- writel_relaxed(reg, tsc_device->base + TSC_IN_IFC_EXT);
+-
+- /* Int. TSIF and TSIF-in from the CAM */
+- reg = readl_relaxed(tsc_device->base + TSC_IN_IFC_CFG_INT);
+- SET_BIT(TSIF_DISABLE_OFFS, reg);
+- SET_BIT((TSIF_DISABLE_OFFS + 16), reg);
+- writel_relaxed(reg, tsc_device->base + TSC_IN_IFC_CFG_INT);
+-}
+-
+-/**
+- * tsc_power_on_clocks() - power-on the TSC clocks.
+- *
+- * Power-on the TSC clocks required for Mux and/or CI operations.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_power_on_clocks(void)
+-{
+- int ret = 0;
+- unsigned long rate_in_hz = 0;
+-
+- /* Enabling the clocks */
+- ret = clk_prepare_enable(tsc_device->ahb_clk);
+- if (ret != 0) {
+- pr_err("%s: Can't start tsc_ahb_clk", __func__);
+- return ret;
+- }
+-
+- /* We need to set the rate of ci clock before enabling it */
+- rate_in_hz = clk_round_rate(tsc_device->ci_clk, 1);
+- if (clk_set_rate(tsc_device->ci_clk, rate_in_hz)) {
+- pr_err("%s: Failed to set rate to tsc_ci clock\n", __func__);
+- goto err;
+- }
+-
+- ret = clk_prepare_enable(tsc_device->ci_clk);
+- if (ret != 0) {
+- pr_err("%s: Can't start tsc_ci_clk", __func__);
+- goto err;
+- }
+-
+- return ret;
+-err:
+- clk_disable_unprepare(tsc_device->ahb_clk);
+- return ret;
+-}
+-
+-/**
+- * tsc_power_off_clocks() - power-off the TSC clocks.
+- *
+- * Power-off the TSC clocks required for Mux and/or CI operations.
+- */
+-static void tsc_power_off_clocks(void)
+-{
+- clk_disable_unprepare(tsc_device->ahb_clk);
+- clk_disable_unprepare(tsc_device->ci_clk);
+-}
+-
+-/**
+- * tsc_mux_power_on_clocks() - power-on the TSC Mux clocks.
+- *
+- * Power-on the TSC clocks required only for Mux operations, and not for CI.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_mux_power_on_clocks(void)
+-{
+- int ret = 0;
+-
+- /* Setting the cicam clock rate */
+- ret = clk_set_rate(tsc_device->cicam_ts_clk, CICAM_CLK_RATE_7MHZ);
+- if (ret != 0) {
+- pr_err("%s: Can't set rate for tsc_cicam_ts_clk", __func__);
+- goto err_set_rate;
+- }
+-
+- /* Setting the TSC serial clock rate */
+- ret = clk_set_rate(tsc_device->ser_clk, TSC_SER_CLK_RATE);
+- if (ret != 0) {
+- pr_err("%s: Can't set rate for tsc serial clock", __func__);
+- goto err_set_rate;
+- }
+-
+- /* Setting the TSC parallel clock rate */
+- ret = clk_set_rate(tsc_device->par_clk, TSC_PAR_CLK_RATE);
+- if (ret != 0) {
+- pr_err("%s: Can't set rate for tsc parallel clock", __func__);
+- goto err_set_rate;
+- }
+-
+- /* Enabling the clocks */
+- ret = clk_prepare_enable(tsc_device->ser_clk);
+- if (ret != 0) {
+- pr_err("%s: Can't start tsc_ser_clk", __func__);
+- goto err_ser_clk;
+- }
+- ret = clk_prepare_enable(tsc_device->par_clk);
+- if (ret != 0) {
+- pr_err("%s: Can't start tsc_par_clk", __func__);
+- goto err_par_clk;
+- }
+- ret = clk_prepare_enable(tsc_device->cicam_ts_clk);
+- if (ret != 0) {
+- pr_err("%s: Can't start tsc_cicam_ts_clk", __func__);
+- goto err_cicam_ts_clk;
+- }
+-
+- return ret;
+-
+-err_cicam_ts_clk:
+- clk_disable_unprepare(tsc_device->par_clk);
+-err_par_clk:
+- clk_disable_unprepare(tsc_device->ser_clk);
+-err_ser_clk:
+-err_set_rate:
+- return ret;
+-}
+-
+-/**
+- * tsc_mux_power_off_clocks() - power-off the TSC Mux clocks.
+- *
+- * Power-off the TSC clocks required only for Mux operations, and not for CI.
+- */
+-static void tsc_mux_power_off_clocks(void)
+-{
+- clk_disable_unprepare(tsc_device->ser_clk);
+- clk_disable_unprepare(tsc_device->par_clk);
+- clk_disable_unprepare(tsc_device->cicam_ts_clk);
+-}
+-
+-/**
+- * tsc_device_power_up() - Power init done by the first device opened.
+- *
+- * Check if it's the first device and enable the GDSC,power-on the TSC clocks
+- * required for both Mux and CI, Vote for the bus and reset the registers to a
+- * known default values.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_device_power_up(void)
+-{
+- int ret = 0;
+-
+- if (mutex_lock_interruptible(&tsc_device->mutex))
+- return -ERESTARTSYS;
+-
+- if (tsc_device->num_device_open > 0)
+- goto not_first_device;
+-
+- /* Enable the GDSC */
+- ret = regulator_enable(tsc_device->gdsc);
+- if (ret != 0) {
+- pr_err("%s: Failed to enable regulator\n", __func__);
+- goto err_regulator;
+- }
+-
+- /* Power-on the clocks needed by Mux and CI */
+- ret = tsc_power_on_clocks();
+- if (ret != 0)
+- goto err_power_clocks;
+-
+- /* Voting for bus bandwidth */
+- if (tsc_device->bus_client) {
+- ret = msm_bus_scale_client_update_request
+- (tsc_device->bus_client, 1);
+- if (ret) {
+- pr_err("%s: Can't enable bus\n", __func__);
+- goto err_bus;
+- }
+- }
+-
+- /* Reset the TSC TLMM pins to a default state */
+- ret = pinctrl_select_state(tsc_device->pinctrl_info.pinctrl,
+- tsc_device->pinctrl_info.disable);
+- if (ret != 0) {
+- pr_err("%s: Failed to disable the TLMM pins\n", __func__);
+- goto err_pinctrl;
+- }
+- /* Update the current pinctrl state in the internal struct */
+- tsc_device->pinctrl_info.curr_state.ts0 = false;
+- tsc_device->pinctrl_info.curr_state.ts1 = false;
+- tsc_device->pinctrl_info.curr_state.pcmcia_state =
+- TSC_CICAM_PERSONALITY_DISABLE;
+-
+- /* Reset TSC registers to a default known state */
+- tsc_reset_registers();
+-
+-not_first_device:
+- tsc_device->num_device_open++;
+- mutex_unlock(&tsc_device->mutex);
+- return ret;
+-
+-err_pinctrl:
+- if (tsc_device->bus_client)
+- msm_bus_scale_client_update_request(tsc_device->bus_client, 0);
+-err_bus:
+- tsc_power_off_clocks();
+-err_power_clocks:
+- regulator_disable(tsc_device->gdsc);
+-err_regulator:
+- mutex_unlock(&tsc_device->mutex);
+- return ret;
+-}
+-
+-/**
+- * tsc_device_power_off() - Power off done by the last device closed.
+- *
+- * Check if it's the last device and unvote the bus, power-off the TSC clocks
+- * required for both Mux and CI, disable the TLMM pins and disable the GDSC.
+- */
+-static void tsc_device_power_off(void)
+-{
+- mutex_lock(&tsc_device->mutex);
+-
+- if (tsc_device->num_device_open > 1)
+- goto not_last_device;
+-
+- pinctrl_select_state(tsc_device->pinctrl_info.pinctrl,
+- tsc_device->pinctrl_info.disable);
+- if (tsc_device->bus_client)
+- msm_bus_scale_client_update_request(tsc_device->bus_client, 0);
+-
+- tsc_power_off_clocks();
+- regulator_disable(tsc_device->gdsc);
+-
+-not_last_device:
+- tsc_device->num_device_open--;
+- mutex_unlock(&tsc_device->mutex);
+-}
+-
+-
+-/************************** TSC file operations **************************/
+-/**
+- * tsc_mux_open() - init the TSC Mux char device.
+- *
+- * @inode: The inode associated with the TSC Mux device.
+- * @flip: The file pointer associated with the TSC Mux device.
+- *
+- * Enables only one open Mux device.
+- * Init all the data structures and vote for all the power resources needed.
+- * Manage reference counters for initiating resources upon first open.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_mux_open(struct inode *inode, struct file *filp)
+-{
+- struct tsc_mux_chdev *tsc_mux;
+- int ret = 0;
+- u32 ena_reg;
+-
+- if (mutex_lock_interruptible(&tsc_device->mux_chdev.mutex))
+- return -ERESTARTSYS;
+-
+- if (tsc_device->num_mux_opened > 0) {
+- pr_err("%s: Too many devices open\n", __func__);
+- mutex_unlock(&tsc_device->mux_chdev.mutex);
+- return -EMFILE;
+- }
+- tsc_device->num_mux_opened++;
+-
+- tsc_mux = container_of(inode->i_cdev, struct tsc_mux_chdev, cdev);
+- filp->private_data = tsc_mux;
+-
+- /* Init all resources if it's the first device (checked inside) */
+- ret = tsc_device_power_up();
+- if (ret != 0)
+- goto err_first_device;
+-
+- /* Power-on the Mux clocks */
+- ret = tsc_mux_power_on_clocks();
+- if (ret != 0)
+- goto err_mux_clocks;
+-
+- /* Init TSC Mux args */
+- spin_lock_init(&tsc_mux->spinlock);
+- init_waitqueue_head(&tsc_mux->poll_queue);
+- tsc_mux->rate_interrupt = false;
+-
+- /* Enabling TSC Mux cam interrupt of rate mismatch */
+- ena_reg = readl_relaxed(tsc_device->base + TSC_IRQ_ENA);
+- SET_BIT(CAM_IRQ_RATE_MISMATCH_OFFS, ena_reg);
+- writel_relaxed(ena_reg, tsc_device->base + TSC_IRQ_ENA);
+-
+- mutex_unlock(&tsc_device->mux_chdev.mutex);
+-
+- return ret;
+-
+-err_mux_clocks:
+- /* De-init all resources if it's the only device (checked inside) */
+- tsc_device_power_off();
+-err_first_device:
+- tsc_device->num_mux_opened--;
+- mutex_unlock(&tsc_device->mux_chdev.mutex);
+- return ret;
+-}
+-
+-/**
+- * tsc_ci_open() - init the TSC CI char device.
+- *
+- * @inode: The inode associated with the TSC Mux device.
+- * @flip: The file pointer associated with the TSC Mux device.
+- *
+- * Enables only one open CI device.
+- * Init all the data structures and vote for all the power resources needed.
+- * Manage reference counters for initiating resources upon first open.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_ci_open(struct inode *inode, struct file *filp)
+-{
+- struct tsc_ci_chdev *tsc_ci;
+- int ret = 0;
+- u32 ena_reg;
+-
+- if (mutex_lock_interruptible(&tsc_device->ci_chdev.mutex))
+- return -ERESTARTSYS;
+-
+- if (tsc_device->num_ci_opened > 0) {
+- pr_err("%s: Too many devices open\n", __func__);
+- mutex_unlock(&tsc_device->ci_chdev.mutex);
+- return -EMFILE;
+- }
+-
+- if (!tsc_device->pinctrl_info.is_pcmcia) {
+- pr_err("%s: No pcmcia pinctrl definitions were found in the TSC devicetree\n",
+- __func__);
+- mutex_unlock(&tsc_device->ci_chdev.mutex);
+- return -EPERM;
+- }
+-
+- tsc_device->num_ci_opened++;
+-
+- tsc_ci = container_of(inode->i_cdev, struct tsc_ci_chdev, cdev);
+- filp->private_data = tsc_ci;
+-
+- /* Init all resources if it's the first device (checked inside) */
+- ret = tsc_device_power_up();
+- if (ret != 0)
+- goto err_first_device;
+-
+- /* powering-up the tspp2 and VBIF clocks */
+- ret = tsc_power_on_buff_mode_clocks();
+- if (ret != 0)
+- goto err_buff_clocks;
+-
+- /* Request reset CAM GPIO */
+- ret = gpio_request(tsc_device->reset_cam_gpio, "tsc_ci_reset");
+- if (ret != 0) {
+- pr_err("%s: Failed to request reset CAM GPIO\n", __func__);
+- goto err_gpio_req;
+- }
+-
+- /* Set the reset line to default "no card" state */
+- ret = gpio_direction_output(tsc_device->reset_cam_gpio, 1);
+- if (ret != 0) {
+- pr_err("%s: Failed to assert the reset CAM GPIO\n", __func__);
+- goto err_assert;
+- }
+-
+- /* Attach the iommu group to support the required memory mapping */
+- if (!tsc_iommu_bypass) {
+- ret = iommu_attach_group(tsc_device->iommu_info.domain,
+- tsc_device->iommu_info.group);
+- if (ret != 0) {
+- pr_err("%s: iommu_attach_group failed\n", __func__);
+- goto err_iommu_attach;
+- }
+- }
+-
+- /* Init TSC CI args */
+- spin_lock_init(&tsc_ci->spinlock);
+- init_waitqueue_head(&tsc_ci->poll_queue);
+- tsc_ci->transaction_state = BEFORE_TRANSACTION;
+- tsc_ci->data_busy = false;
+- tsc_device->card_power = false;
+-
+- /*
+- * Init hw card status flag according to the pins' state.
+- * No need to protect from interrupt because the handler is not
+- * registred yet.
+- */
+- tsc_update_hw_card_status();
+- tsc_ci->card_status = tsc_device->hw_card_status;
+-
+- /* If a card is already inserted - need to power up the card */
+- if (tsc_device->hw_card_status == TSC_CARD_STATUS_DETECTED) {
+- ret = tsc_card_power_up();
+- if (ret != 0)
+- pr_err("%s: card power-up failed\n", __func__);
+- else
+- tsc_device->card_power = true;
+- }
+-
+- /* Enabling the TSC CI cam interrupts: EOT and Err */
+- ena_reg = readl_relaxed(tsc_device->base + TSC_IRQ_ENA);
+- SET_BIT(CAM_IRQ_EOT_OFFS, ena_reg);
+- SET_BIT(CAM_IRQ_ERR_OFFS, ena_reg);
+- writel_relaxed(ena_reg, tsc_device->base + TSC_IRQ_ENA);
+-
+- /* Registering the CAM cmd interrupt handler */
+- ret = request_irq(tsc_device->cam_cmd_irq, tsc_cam_cmd_irq_handler,
+- IRQF_SHARED, dev_name(&tsc_device->pdev->dev),
+- tsc_device);
+- if (ret) {
+- pr_err("%s: failed to request TSC IRQ %d : %d",
+- __func__, tsc_device->cam_cmd_irq, ret);
+- goto err_cam_irq;
+- }
+-
+- /*
+- * Registering the card detect interrupt handler (this interrupt is
+- * enabled by default, right after this registration)
+- */
+- ret = request_threaded_irq(tsc_device->card_detection_irq,
+- NULL, tsc_card_detect_irq_thread_handler,
+- IRQF_ONESHOT | IRQF_TRIGGER_RISING,
+- dev_name(&tsc_device->pdev->dev), tsc_device);
+- if (ret) {
+- pr_err("%s: failed to request TSC IRQ %d : %d",
+- __func__, tsc_device->card_detection_irq, ret);
+- goto err_card_irq;
+- }
+-
+- mutex_unlock(&tsc_device->ci_chdev.mutex);
+-
+- return ret;
+-
+-err_card_irq:
+- free_irq(tsc_device->cam_cmd_irq, tsc_device);
+-err_cam_irq:
+- if (!tsc_iommu_bypass)
+- iommu_detach_group(tsc_device->iommu_info.domain,
+- tsc_device->iommu_info.group);
+-err_iommu_attach:
+- gpio_free(tsc_device->reset_cam_gpio);
+-err_assert:
+-err_gpio_req:
+- tsc_power_off_buff_mode_clocks();
+-err_buff_clocks:
+- /* De-init all resources if it's the only device (checked inside) */
+- tsc_device_power_off();
+-err_first_device:
+- tsc_device->num_ci_opened--;
+- mutex_unlock(&tsc_device->ci_chdev.mutex);
+- return ret;
+-}
+-
+-/**
+- * tsc_mux_release() - Release and close the TSC Mux char device.
+- *
+- * @inode: The inode associated with the TSC Mux device.
+- * @flip: The file pointer associated with the TSC Mux device.
+- *
+- * Release all the resources allocated for the Mux device and unvote power
+- * resources.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_mux_release(struct inode *inode, struct file *filp)
+-{
+- struct tsc_mux_chdev *tsc_mux;
+- u32 ena_reg;
+-
+- tsc_mux = filp->private_data;
+- if (!tsc_mux)
+- return -EINVAL;
+-
+- mutex_lock(&tsc_mux->mutex);
+-
+- tsc_mux_power_off_clocks();
+-
+- /* Disable the TSIFs */
+- tsc_disable_tsifs();
+- /* Disabling rate mismatch interrupt */
+- ena_reg = readl_relaxed(tsc_device->base + TSC_IRQ_ENA);
+- CLEAR_BIT(CAM_IRQ_RATE_MISMATCH_OFFS, ena_reg);
+- writel_relaxed(ena_reg, tsc_device->base + TSC_IRQ_ENA);
+-
+- tsc_device_power_off();
+-
+- tsc_device->num_mux_opened--;
+- mutex_unlock(&tsc_mux->mutex);
+-
+- return 0;
+-}
+-
+-/**
+- * tsc_ci_release() - Release and close the TSC CI char device.
+- *
+- * @inode: The inode associated with the TSC CI device.
+- * @flip: The file pointer associated with the TSC CI device.
+- *
+- * Release all the resources allocated for the CI device and unvote power
+- * resources.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tsc_ci_release(struct inode *inode, struct file *filp)
+-{
+- struct tsc_ci_chdev *tsc_ci;
+- u32 ena_reg;
+- int ret;
+-
+- tsc_ci = filp->private_data;
+- if (!tsc_ci)
+- return -EINVAL;
+-
+- mutex_lock(&tsc_ci->mutex);
+-
+- /* If in the middle of a data transaction- wake-up completion */
+- if (tsc_ci->data_busy) {
+- /* Closing the device is similar in behavior to card removal */
+- tsc_ci->transaction_state = TRANSACTION_CARD_REMOVED;
+- mutex_unlock(&tsc_ci->mutex);
+- complete_all(&tsc_ci->transaction_complete);
+- wait_for_completion(&tsc_ci->transaction_finish);
+- mutex_lock(&tsc_ci->mutex);
+- }
+-
+- /* clearing EOT and ERR interrupts */
+- ena_reg = readl_relaxed(tsc_device->base + TSC_IRQ_ENA);
+- CLEAR_BIT(CAM_IRQ_EOT_OFFS, ena_reg);
+- CLEAR_BIT(CAM_IRQ_ERR_OFFS, ena_reg);
+- writel_relaxed(ena_reg, tsc_device->base + TSC_IRQ_ENA);
+-
+- /* Cancel the interrupt handlers registration */
+- free_irq(tsc_device->card_detection_irq, tsc_device);
+- free_irq(tsc_device->cam_cmd_irq, tsc_device);
+-
+- /* power down the card interface if it's currently powered up */
+- if (tsc_device->hw_card_status == TSC_CARD_STATUS_DETECTED &&
+- tsc_device->card_power) {
+- ret = tsc_card_power_down();
+- if (ret != 0)
+- pr_err("%s: card power-down failed\n", __func__);
+- }
+-
+- if (!tsc_iommu_bypass)
+- iommu_detach_group(tsc_device->iommu_info.domain,
+- tsc_device->iommu_info.group);
+-
+- gpio_free(tsc_device->reset_cam_gpio);
+-
+- tsc_power_off_buff_mode_clocks();
+- tsc_device_power_off();
+-
+- tsc_device->num_ci_opened--;
+- mutex_unlock(&tsc_ci->mutex);
+-
+- return 0;
+-}
+-
+-/**
+- * tsc_mux_poll() - Perform polling on a designated wait-queue.
+- *
+- * @flip: The file pointer associated with the TSC Mux device.
+- * @p: The poll-table struct of the kernel.
+- *
+- * Add the TSC Mux wait-queue to the poll-table. Poll until a rate mismatch
+- * interrupt is received.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static unsigned int tsc_mux_poll(struct file *filp, struct poll_table_struct *p)
+-{
+- unsigned long flags;
+- unsigned int mask = 0;
+- struct tsc_mux_chdev *tsc_mux;
+-
+- tsc_mux = filp->private_data;
+- if (!tsc_mux)
+- return -EINVAL;
+-
+- /* register the wait queue for rate mismatch interrupt */
+- poll_wait(filp, &tsc_mux->poll_queue, p);
+-
+- /* Setting the mask upon rate mismatch irq and clearing the flag */
+- spin_lock_irqsave(&tsc_mux->spinlock, flags);
+- if (tsc_mux->rate_interrupt) {
+- mask = POLLPRI;
+- tsc_mux->rate_interrupt = false;
+- }
+- spin_unlock_irqrestore(&tsc_mux->spinlock, flags);
+-
+- return mask;
+-}
+-
+-/**
+- * tsc_ci_poll() - Perform polling on a designated wait-queue.
+- *
+- * @flip: The file pointer associated with the TSC CI device.
+- * @p: The poll-table struct of the kernel.
+- *
+- * Add the TSC Mux wait-queue to the poll-table. Poll until a card detection
+- * interrupt is received.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static unsigned int tsc_ci_poll(struct file *filp, struct poll_table_struct *p)
+-{
+- unsigned int mask = 0;
+-
+- struct tsc_ci_chdev *tsc_ci = filp->private_data;
+- if (!tsc_ci)
+- return -EINVAL;
+-
+- /* Register the wait queue for card detection interrupt */
+- poll_wait(filp, &tsc_ci->poll_queue, p);
+-
+- /* Setting the mask upon card detect irq and update ci card state */
+- if (mutex_lock_interruptible(&tsc_ci->mutex))
+- return -ERESTARTSYS;
+- if (tsc_ci->card_status != tsc_device->hw_card_status) {
+- mask = POLLPRI;
+- tsc_ci->card_status = tsc_device->hw_card_status;
+- }
+- mutex_unlock(&tsc_ci->mutex);
+-
+- return mask;
+-}
+-
+-/**
+- * tsc_mux_ioctl() - Handle IOCTLs sent from user-space application.
+- *
+- * @flip: The file pointer associated with the TSC Mux device.
+- * @cmd: The IOCTL code sent
+- * @arg: The IOCTL argument (if the IOCTL receives an argument)
+- *
+- * Verify the validity of the IOCTL sent and handle it by updating the
+- * appropriate register or calling a function that handle the IOCTL operation.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static long tsc_mux_ioctl(struct file *filp,
+- unsigned int cmd,
+- unsigned long arg)
+-{
+- int ret = 0;
+- struct tsc_mux_chdev *tsc_mux;
+- struct tsc_route tsc_route;
+- struct tsc_tsif_params tsif_params;
+-
+- tsc_mux = filp->private_data;
+- if (!tsc_mux)
+- return -EINVAL;
+-
+- if (mutex_lock_interruptible(&tsc_mux->mutex))
+- return -ERESTARTSYS;
+-
+- switch (cmd) {
+- case TSC_CONFIG_ROUTE:
+- if (!arg || copy_from_user(&tsc_route, (void *)arg,
+- sizeof(struct tsc_route))) {
+- ret = -EFAULT;
+- goto err;
+- }
+- ret = tsc_route_mux(tsc_mux, tsc_route.source, tsc_route.dest);
+- break;
+- case TSC_ENABLE_INPUT:
+- ret = tsc_enable_disable_tsif(tsc_mux, arg, TSIF_INPUT_ENABLE);
+- break;
+- case TSC_DISABLE_INPUT:
+- ret = tsc_enable_disable_tsif(tsc_mux, arg, TSIF_INPUT_DISABLE);
+- break;
+- case TSC_SET_TSIF_CONFIG:
+- if (!arg || copy_from_user(&tsif_params, (void *)arg,
+- sizeof(struct tsc_tsif_params))) {
+- ret = -EFAULT;
+- goto err;
+- }
+- ret = tsc_config_tsif(tsc_mux, &tsif_params);
+- break;
+- case TSC_CLEAR_RATE_MISMATCH_IRQ:
+- tsc_enable_rate_irq(tsc_mux);
+- break;
+- case TSC_CICAM_SET_CLOCK:
+- ret = tsc_set_cicam_clk(arg);
+- break;
+- default:
+- ret = -EINVAL;
+- pr_err("%s: Unknown ioctl %i", __func__, cmd);
+- }
+-
+-err:
+- mutex_unlock(&tsc_mux->mutex);
+- return ret;
+-}
+-
+-/**
+- * tsc_ci_ioctl() - Handle IOCTLs sent from user-space application.
+- *
+- * @flip: The file pointer associated with the TSC CI device.
+- * @cmd: The IOCTL code sent +- * @arg: The IOCTL argument (if the IOCTL receives an argument) +- * +- * Verify the validity of the IOCTL sent and handle it by updating the +- * appropriate register or calling a function that handle the IOCTL operation. +- * +- * Return 0 on success, error value otherwise. +- */ +-static long tsc_ci_ioctl(struct file *filp, +- unsigned int cmd, +- unsigned long arg) +-{ +- int ret = 0; +- struct tsc_ci_chdev *tsc_ci; +- unsigned long flags; +- +- tsc_ci = filp->private_data; +- if (!tsc_ci) +- return -EINVAL; +- +- if (mutex_lock_interruptible(&tsc_ci->mutex)) +- return -ERESTARTSYS; +- +- switch (cmd) { +- +- case TSC_CAM_RESET: +- ret = tsc_reset_cam(); +- break; +- case TSC_CICAM_PERSONALITY_CHANGE: +- ret = tsc_personality_change(arg); +- break; +- case TSC_GET_CARD_STATUS: +- spin_lock_irqsave(&tsc_ci->spinlock, flags); +- tsc_ci->card_status = tsc_device->hw_card_status; +- ret = __put_user(tsc_ci->card_status, +- (enum tsc_card_status __user *)arg); +- spin_unlock_irqrestore(&tsc_ci->spinlock, flags); +- break; +- case TSC_READ_CAM_MEMORY: +- ret = tsc_data_transaction(tsc_ci, MEMORY_TRANSACTION, +- READ_TRANSACTION, SINGLE_BYTE_MODE, arg); +- break; +- case TSC_WRITE_CAM_MEMORY: +- ret = tsc_data_transaction(tsc_ci, MEMORY_TRANSACTION, +- WRITE_TRANSACTION, SINGLE_BYTE_MODE, arg); +- break; +- case TSC_READ_CAM_IO: +- ret = tsc_data_transaction(tsc_ci, IO_TRANSACTION, +- READ_TRANSACTION, SINGLE_BYTE_MODE, arg); +- break; +- case TSC_WRITE_CAM_IO: +- ret = tsc_data_transaction(tsc_ci, IO_TRANSACTION, +- WRITE_TRANSACTION, SINGLE_BYTE_MODE, arg); +- break; +- case TSC_READ_CAM_BUFFER: +- ret = tsc_data_transaction(tsc_ci, IO_TRANSACTION, +- READ_TRANSACTION, BUFFER_MODE, arg); +- break; +- case TSC_WRITE_CAM_BUFFER: +- ret = tsc_data_transaction(tsc_ci, IO_TRANSACTION, +- WRITE_TRANSACTION, BUFFER_MODE, arg); +- break; +- default: +- ret = -EINVAL; +- pr_err("%s: Unknown ioctl %i\n", __func__, cmd); +- } +- +- 
mutex_unlock(&tsc_ci->mutex); +- return ret; +-} +- +-/************************** Probe helper-functions **************************/ +-/** +- * tsc_init_char_driver() - Initialize a character driver. +- * +- * @pcdev: A pointer to the cdev structure to initialize. +- * @pfops: A pointer to the file_operations for this device. +- * @device_number: A pointer that will store the device number. +- * @device: A pointer that will store the new device upon success. +- * @name: A string for the device's name. +- * +- * Create a new character device driver inside the TSC class. The new device +- * is created under "/dev/0". +- * +- * Return 0 on success, error value otherwise. +- */ +-static int tsc_init_char_driver(struct cdev *pcdev, +- const struct file_operations *pfops, +- dev_t *pdevice_number, +- struct device *pdevice, +- const char *name) +-{ +- int ret = 0; +- +- /* Allocate device number for the char device driver */ +- ret = alloc_chrdev_region(pdevice_number, 0, 1, name); +- if (ret) { +- pr_err("%s: alloc_chrdev_region failed: %d\n", name, ret); +- goto err_devrgn; +- } +- +- /* initializing the char device structures with file operations */ +- cdev_init(pcdev, pfops); +- pcdev->owner = THIS_MODULE; +- +- /* adding the char device structures to the VFS */ +- ret = cdev_add(pcdev, *pdevice_number, 1); +- if (ret != 0) { +- pr_err("%s%d: cdev_add failed\n", name, MINOR(*pdevice_number)); +- goto err_cdev_add; +- } +- +- /* create the char devices under "/dev/" and register them to sysfs */ +- pdevice = device_create(tsc_class, NULL, pcdev->dev, NULL, "%s%d", name, +- MINOR(*pdevice_number)); +- if (IS_ERR(pdevice)) { +- pr_err("%s%d device_create failed\n", name, +- MINOR(*pdevice_number)); +- ret = PTR_ERR(pdevice); /* PTR_ERR return -ENOMEM */ +- goto err_device_create; +- } +- +- return ret; +- +-err_device_create: +- cdev_del(pcdev); +-err_cdev_add: +- unregister_chrdev_region(*pdevice_number, 1); +-err_devrgn: +- return ret; +-} +- +-/** +- * 
tsc_get_pinctrl() - Get the TSC pinctrl definitions. +- * +- * @pdev: A pointer to the TSC platform device. +- * +- * Get the pinctrl states' handles from the device tree. The function doesn't +- * enforce wrong pinctrl definitions, i.e. it's the client's responsibility to +- * define all the necessary states for the board being used. +- * +- * Return 0 on success, error value otherwise. +- */ +-static int tsc_get_pinctrl(struct platform_device *pdev) +-{ +- struct pinctrl *pinctrl; +- +- pinctrl = devm_pinctrl_get(&pdev->dev); +- if (IS_ERR(pinctrl)) { +- pr_err("%s: Unable to get pinctrl handle\n", __func__); +- return -EINVAL; +- } +- tsc_device->pinctrl_info.pinctrl = pinctrl; +- +- /* get all the states handles */ +- tsc_device->pinctrl_info.disable = +- pinctrl_lookup_state(pinctrl, "disable"); +- tsc_device->pinctrl_info.ts0 = +- pinctrl_lookup_state(pinctrl, "ts-in-0"); +- tsc_device->pinctrl_info.ts1 = +- pinctrl_lookup_state(pinctrl, "ts-in-1"); +- tsc_device->pinctrl_info.dual_ts = +- pinctrl_lookup_state(pinctrl, "dual-ts"); +- tsc_device->pinctrl_info.pc_card = +- pinctrl_lookup_state(pinctrl, "pc-card"); +- tsc_device->pinctrl_info.ci_card = +- pinctrl_lookup_state(pinctrl, "ci-card"); +- tsc_device->pinctrl_info.ci_plus = +- pinctrl_lookup_state(pinctrl, "ci-plus"); +- tsc_device->pinctrl_info.ts0_pc_card = +- pinctrl_lookup_state(pinctrl, "ts-in-0-pc-card"); +- tsc_device->pinctrl_info.ts0_ci_card = +- pinctrl_lookup_state(pinctrl, "ts-in-0-ci-card"); +- tsc_device->pinctrl_info.ts0_ci_plus = +- pinctrl_lookup_state(pinctrl, "ts-in-0-ci-plus"); +- tsc_device->pinctrl_info.ts1_pc_card = +- pinctrl_lookup_state(pinctrl, "ts-in-1-pc-card"); +- tsc_device->pinctrl_info.ts1_ci_card = +- pinctrl_lookup_state(pinctrl, "ts-in-1-ci-card"); +- tsc_device->pinctrl_info.ts1_ci_plus = +- pinctrl_lookup_state(pinctrl, "ts-in-1-ci-plus"); +- tsc_device->pinctrl_info.dual_ts_pc_card = +- pinctrl_lookup_state(pinctrl, "dual-ts-pc-card"); +- 
tsc_device->pinctrl_info.dual_ts_ci_card = +- pinctrl_lookup_state(pinctrl, "dual-ts-ci-card"); +- tsc_device->pinctrl_info.dual_ts_ci_plus = +- pinctrl_lookup_state(pinctrl, "dual-ts-ci-plus"); +- +- if (IS_ERR(tsc_device->pinctrl_info.disable)) { +- pr_err("%s: Unable to get pinctrl disable state handle\n", +- __func__); +- return -EINVAL; +- } +- +- /* Basic checks to inquire what pinctrl states are available */ +- if (IS_ERR(tsc_device->pinctrl_info.ts0)) +- tsc_device->pinctrl_info.is_ts0 = false; +- else +- tsc_device->pinctrl_info.is_ts0 = true; +- +- if (IS_ERR(tsc_device->pinctrl_info.ts1)) +- tsc_device->pinctrl_info.is_ts1 = false; +- else +- tsc_device->pinctrl_info.is_ts1 = true; +- +- if (IS_ERR(tsc_device->pinctrl_info.pc_card) || +- IS_ERR(tsc_device->pinctrl_info.ci_card) || +- IS_ERR(tsc_device->pinctrl_info.ci_plus)) +- tsc_device->pinctrl_info.is_pcmcia = false; +- else +- tsc_device->pinctrl_info.is_pcmcia = true; +- +- return 0; +-} +- +-/** +- * tsc_get_regulator_bus() - Get the TSC regulator and register the bus client. +- * +- * @pdev: A pointer to the TSC platform device. +- * +- * Return 0 on success, error value otherwise. +- */ +-static int tsc_get_regulator_bus(struct platform_device *pdev) +-{ +- struct msm_bus_scale_pdata *tsc_bus_pdata = NULL; +- +- /* Reading the GDSC info */ +- tsc_device->gdsc = devm_regulator_get(&pdev->dev, "vdd"); +- if (IS_ERR(tsc_device->gdsc)) { +- dev_err(&pdev->dev, "%s: Failed to get vdd power regulator\n", +- __func__); +- return PTR_ERR(tsc_device->gdsc); +- } +- +- /* Reading the bus platform data */ +- tsc_bus_pdata = msm_bus_cl_get_pdata(pdev); +- if (tsc_bus_pdata == NULL) { +- dev_err(&pdev->dev, "%s: Could not find the bus property. 
Continue anyway...\n", +- __func__); +- } +- +- /* Register the bus client */ +- if (tsc_bus_pdata) { +- tsc_device->bus_client = +- msm_bus_scale_register_client(tsc_bus_pdata); +- if (!tsc_device->bus_client) { +- dev_err(&pdev->dev, "%s: Unable to register bus client\n", +- __func__); +- goto err; +- } +- } +- +- return 0; +-err: +- devm_regulator_put(tsc_device->gdsc); +- return -EINVAL; +-} +- +-/** +- * tsc_get_irqs() - Get the TSC IRQ numbers and map the cam irq. +- * +- * @pdev: A pointer to the TSC platform device. +- * +- * Read the irq numbers from the platform device information. +- * +- * Return 0 on success, error value otherwise. +- */ +-static int tsc_get_irqs(struct platform_device *pdev) +-{ +- int irq; +- +- irq = platform_get_irq_byname(pdev, "cam-cmd"); +- if (irq > 0) { +- tsc_device->cam_cmd_irq = irq; +- } else { +- dev_err(&pdev->dev, "%s: Failed to get CAM_CMD IRQ = %d", +- __func__, irq); +- goto err; +- } +- +- irq = platform_get_irq_byname(pdev, "card-detect"); +- if (irq > 0) { +- tsc_device->card_detection_irq = irq; +- } else { +- dev_err(&pdev->dev, "%s: Failed to get CARD_DETECT IRQ = %d", +- __func__, irq); +- goto err; +- } +- +- return 0; +-err: +- tsc_device->cam_cmd_irq = 0; +- tsc_device->card_detection_irq = 0; +- +- return -EINVAL; +-} +- +-/** +- * tsc_map_io_memory() - Map memory resources to kernel space. +- * +- * @pdev: A pointer to the TSC platform device. +- * +- * Return 0 on success, error value otherwise. 
+- */
+-static int tsc_map_io_memory(struct platform_device *pdev)
+-{
+- struct resource *registers_mem;
+-
+- /* Reading memory resources */
+- registers_mem = platform_get_resource_byname(pdev, IORESOURCE_MEM,
+- "tsc-base");
+- if (!registers_mem) {
+- dev_err(&pdev->dev, "%s: Missing tsc-base MEM resource",
+- __func__);
+- return -EINVAL;
+- }
+-
+- tsc_device->base = ioremap(registers_mem->start,
+- resource_size(registers_mem));
+- if (!tsc_device->base) {
+- dev_err(&pdev->dev, "%s: ioremap failed", __func__);
+- return -ENXIO;
+- }
+-
+- return 0;
+-}
+-
+-/**
+- * tsc_clocks_put() - Put the clocks
+- */
+-static void tsc_clocks_put(void)
+-{
+- if (tsc_device->ahb_clk)
+- clk_put(tsc_device->ahb_clk);
+- if (tsc_device->ci_clk)
+- clk_put(tsc_device->ci_clk);
+- if (tsc_device->ser_clk)
+- clk_put(tsc_device->ser_clk);
+- if (tsc_device->par_clk)
+- clk_put(tsc_device->par_clk);
+- if (tsc_device->cicam_ts_clk)
+- clk_put(tsc_device->cicam_ts_clk);
+- if (tsc_device->tspp2_core_clk)
+- clk_put(tsc_device->tspp2_core_clk);
+- if (tsc_device->vbif_tspp2_clk)
+- clk_put(tsc_device->vbif_tspp2_clk);
+- if (tsc_device->vbif_ahb_clk)
+- clk_put(tsc_device->vbif_ahb_clk);
+- if (tsc_device->vbif_axi_clk)
+- clk_put(tsc_device->vbif_axi_clk);
+-
+- tsc_device->ahb_clk = NULL;
+- tsc_device->ci_clk = NULL;
+- tsc_device->ser_clk = NULL;
+- tsc_device->par_clk = NULL;
+- tsc_device->cicam_ts_clk = NULL;
+- tsc_device->tspp2_core_clk = NULL;
+- tsc_device->vbif_tspp2_clk = NULL;
+- tsc_device->vbif_ahb_clk = NULL;
+- tsc_device->vbif_axi_clk = NULL;
+-}
+-
+-/**
+- * tsc_clocks_get() - Get the TSC clocks
+- *
+- * @pdev: A pointer to the TSC platform device.
+- *
+- * Return 0 on success, error value otherwise.
+- */ +-static int tsc_clocks_get(struct platform_device *pdev) +-{ +- int ret = 0; +- +- tsc_device->ahb_clk = clk_get(&pdev->dev, "bcc_tsc_ahb_clk"); +- if (IS_ERR(tsc_device->ahb_clk)) { +- pr_err("%s: Failed to get bcc_tsc_ahb_clk\n", __func__); +- ret = PTR_ERR(tsc_device->ahb_clk); +- goto ahb_err; +- } +- +- tsc_device->ci_clk = clk_get(&pdev->dev, "bcc_tsc_ci_clk"); +- if (IS_ERR(tsc_device->ci_clk)) { +- pr_err("%s: Failed to get bcc_tsc_ci_clk\n", __func__); +- ret = PTR_ERR(tsc_device->ci_clk); +- goto ci_err; +- } +- +- tsc_device->ser_clk = clk_get(&pdev->dev, "bcc_tsc_ser_clk"); +- if (IS_ERR(tsc_device->ser_clk)) { +- pr_err("%s: Failed to get bcc_tsc_ser_clk\n", __func__); +- ret = PTR_ERR(tsc_device->ser_clk); +- goto ser_err; +- } +- +- tsc_device->par_clk = clk_get(&pdev->dev, "bcc_tsc_par_clk"); +- if (IS_ERR(tsc_device->par_clk)) { +- pr_err("%s: Failed to get bcc_tsc_par_clk", __func__); +- ret = PTR_ERR(tsc_device->par_clk); +- goto par_err; +- } +- +- tsc_device->cicam_ts_clk = clk_get(&pdev->dev, "bcc_tsc_cicam_ts_clk"); +- if (IS_ERR(tsc_device->cicam_ts_clk)) { +- pr_err("%s: Failed to get bcc_tsc_cicam_ts_clk", __func__); +- ret = PTR_ERR(tsc_device->cicam_ts_clk); +- goto cicam_err; +- } +- +- tsc_device->tspp2_core_clk = clk_get(&pdev->dev, "bcc_tspp2_core_clk"); +- if (IS_ERR(tsc_device->tspp2_core_clk)) { +- pr_err("%s: Failed to get bcc_tspp2_core_clk", __func__); +- ret = PTR_ERR(tsc_device->tspp2_core_clk); +- goto tspp2_err; +- } +- +- tsc_device->vbif_tspp2_clk = clk_get(&pdev->dev, "bcc_vbif_tspp2_clk"); +- if (IS_ERR(tsc_device->vbif_tspp2_clk)) { +- pr_err("%s: Failed to get bcc_vbif_tspp2_clk", __func__); +- ret = PTR_ERR(tsc_device->vbif_tspp2_clk); +- goto vbif_tspp2_err; +- } +- +- tsc_device->vbif_ahb_clk = clk_get(&pdev->dev, "iface_vbif_clk"); +- if (IS_ERR(tsc_device->vbif_ahb_clk)) { +- pr_err("%s: Failed to get bcc_vbif_ahb_clk", __func__); +- ret = PTR_ERR(tsc_device->vbif_ahb_clk); +- goto vbif_ahb_err; +- } +- +- 
tsc_device->vbif_axi_clk = clk_get(&pdev->dev, "vbif_core_clk"); +- if (IS_ERR(tsc_device->vbif_axi_clk)) { +- pr_err("%s: Failed to get bcc_vbif_axi_clk", __func__); +- ret = PTR_ERR(tsc_device->vbif_axi_clk); +- goto vbif_axi_err; +- } +- +- return ret; +- +-vbif_axi_err: +- tsc_device->vbif_axi_clk = NULL; +- clk_put(tsc_device->vbif_ahb_clk); +-vbif_ahb_err: +- tsc_device->vbif_ahb_clk = NULL; +- clk_put(tsc_device->vbif_tspp2_clk); +-vbif_tspp2_err: +- tsc_device->vbif_tspp2_clk = NULL; +- clk_put(tsc_device->tspp2_core_clk); +-tspp2_err: +- tsc_device->tspp2_core_clk = NULL; +- clk_put(tsc_device->cicam_ts_clk); +-cicam_err: +- tsc_device->cicam_ts_clk = NULL; +- clk_put(tsc_device->par_clk); +-par_err: +- tsc_device->par_clk = NULL; +- clk_put(tsc_device->ser_clk); +-ser_err: +- tsc_device->ser_clk = NULL; +- clk_put(tsc_device->ci_clk); +-ci_err: +- tsc_device->ci_clk = NULL; +- clk_put(tsc_device->ahb_clk); +-ahb_err: +- tsc_device->ahb_clk = NULL; +- return ret; +-} +- +-/** +- * tsc_free_iommu_info() - Free IOMMU information. +- */ +-static void tsc_free_iommu_info(void) +-{ +- if (tsc_device->iommu_info.group) { +- iommu_group_put(tsc_device->iommu_info.group); +- tsc_device->iommu_info.group = NULL; +- } +- +- if (tsc_device->iommu_info.ion_client) { +- ion_client_destroy(tsc_device->iommu_info.ion_client); +- tsc_device->iommu_info.ion_client = NULL; +- } +- +- tsc_device->iommu_info.domain = NULL; +- tsc_device->iommu_info.domain_num = -1; +- tsc_device->iommu_info.partition_num = -1; +-} +- +-/** +- * tsc_get_iommu_info() - Get IOMMU information. +- * +- * @pdev: A pointer to the TSC platform device. +- * +- * Return 0 on success, error value otherwise. 
+- */
+-static int tsc_get_iommu_info(struct platform_device *pdev)
+-{
+- int ret = 0;
+-
+- /* Create a new ION client used by tsc ci to allocate memory */
+- tsc_device->iommu_info.ion_client = msm_ion_client_create("tsc_client");
+- if (IS_ERR_OR_NULL(tsc_device->iommu_info.ion_client)) {
+- pr_err("%s: error in ion_client_create", __func__);
+- ret = PTR_ERR(tsc_device->iommu_info.ion_client);
+- if (!ret)
+- ret = -ENOMEM;
+- tsc_device->iommu_info.ion_client = NULL;
+- goto err_client;
+- }
+-
+- /* Find the iommu group by the name obtained from the device tree */
+- tsc_device->iommu_info.group =
+- iommu_group_find(tsc_device->iommu_info.iommu_group_name);
+- if (!tsc_device->iommu_info.group) {
+- pr_err("%s: error in iommu_group_find", __func__);
+- ret = -EINVAL;
+- goto err_group;
+- }
+-
+- /* Get the domain associated with the iommu group */
+- tsc_device->iommu_info.domain =
+- iommu_group_get_iommudata(tsc_device->iommu_info.group);
+- if (IS_ERR_OR_NULL(tsc_device->iommu_info.domain)) {
+- pr_err("%s: iommu_group_get_iommudata failed", __func__);
+- ret = -EINVAL;
+- goto err_domain;
+- }
+-
+- /* Get the domain number */
+- tsc_device->iommu_info.domain_num =
+- msm_find_domain_no(tsc_device->iommu_info.domain);
+-
+- return ret;
+-
+-err_domain:
+- iommu_group_put(tsc_device->iommu_info.group);
+- tsc_device->iommu_info.group = NULL;
+-err_group:
+- ion_client_destroy(tsc_device->iommu_info.ion_client);
+- tsc_device->iommu_info.ion_client = NULL;
+-err_client:
+- return ret;
+-}
+-
+-/**
+- * tsc_parse_dt() - Parse device-tree data and save it.
+- *
+- * @pdev: A pointer to the TSC platform device.
+- *
+- * Return 0 on success, error value otherwise.
+- */ +-static int tsc_parse_dt(struct platform_device *pdev) +-{ +- struct device_node *node = pdev->dev.of_node; +- struct device_node *iommu_pnode; +- int ret; +- +- /* Check that power regulator property exist */ +- if (!of_get_property(node, "vdd-supply", NULL)) { +- dev_err(&pdev->dev, "%s: Could not find vdd-supply property\n", +- __func__); +- return -EINVAL; +- } +- +- /* Reading IOMMU group label by obtaining the group's phandle */ +- iommu_pnode = of_parse_phandle(node, "qcom,iommu-group", 0); +- if (!iommu_pnode) { +- dev_err(&pdev->dev, "%s: Couldn't find iommu-group property\n", +- __func__); +- return -EINVAL; +- } +- ret = of_property_read_string(iommu_pnode, "label", +- &tsc_device->iommu_info.iommu_group_name); +- of_node_put(iommu_pnode); +- if (ret) { +- dev_err(&pdev->dev, "%s: Couldn't find label property of the IOMMU group, err=%d\n", +- __func__, ret); +- return -EINVAL; +- } +- +- /* Reading IOMMU partition */ +- ret = of_property_read_u32(node, "qcom,iommu-partition", +- &tsc_device->iommu_info.partition_num); +- if (ret) { +- dev_err(&pdev->dev, "%s: Couldn't find iommu-partition property, err=%d\n", +- __func__, ret); +- return -EINVAL; +- } +- +- /* Reading reset cam gpio */ +- tsc_device->reset_cam_gpio = of_get_named_gpio(node, +- "qcom,tsc-reset-cam-gpio", 0); +- if (tsc_device->reset_cam_gpio < 0) { +- dev_err(&pdev->dev, "%s: Couldn't find qcom,tsc-reset-cam-gpio property\n", +- __func__); +- return -EINVAL; +- } +- +- return 0; +-} +- +-/* TSC Mux file operations */ +-static const struct file_operations tsc_mux_fops = { +- .owner = THIS_MODULE, +- .open = tsc_mux_open, +- .poll = tsc_mux_poll, +- .release = tsc_mux_release, +- .unlocked_ioctl = tsc_mux_ioctl, +-}; +- +-/* TSC CI file operations */ +-static const struct file_operations tsc_ci_fops = { +- .owner = THIS_MODULE, +- .open = tsc_ci_open, +- .poll = tsc_ci_poll, +- .release = tsc_ci_release, +- .unlocked_ioctl = tsc_ci_ioctl, +-}; +- +- +-/************************ Device 
driver probe function ************************/ +-static int msm_tsc_probe(struct platform_device *pdev) +-{ +- int ret; +- +- tsc_device = kzalloc(sizeof(struct tsc_device), GFP_KERNEL); +- if (!tsc_device) { +- pr_err("%s: Unable to allocate memory for struct\n", __func__); +- return -ENOMEM; +- } +- +- /* get information from device tree */ +- if (pdev->dev.of_node) { +- ret = tsc_parse_dt(pdev); +- if (ret != 0) { +- pr_err("%s: devicetree data not available", __func__); +- ret = -EINVAL; +- goto err_dt; +- } +- } else { /* else - devicetree is not found */ +- pr_err("%s: devicetree data is missing", __func__); +- ret = -EINVAL; +- goto err_dt; +- } +- +- /* set up references */ +- tsc_device->pdev = pdev; +- platform_set_drvdata(pdev, tsc_device); +- +- /* init iommu client, group and domain */ +- if (!tsc_iommu_bypass) { +- ret = tsc_get_iommu_info(pdev); +- if (ret != 0) +- return ret; +- } +- +- /* Map clocks */ +- ret = tsc_clocks_get(pdev); +- if (ret != 0) +- goto err_clocks_get; +- +- /* map registers memory */ +- ret = tsc_map_io_memory(pdev); +- if (ret != 0) +- goto err_map_io; +- +- /* map irqs */ +- ret = tsc_get_irqs(pdev); +- if (ret != 0) +- goto err_map_irqs; +- +- /* get regulators and bus */ +- ret = tsc_get_regulator_bus(pdev); +- if (ret != 0) +- goto err_get_regulator_bus; +- +- /* get pinctrl */ +- ret = tsc_get_pinctrl(pdev); +- if (ret != 0) +- goto err_pinctrl; +- +- /* creating the tsc device's class */ +- tsc_class = class_create(THIS_MODULE, "tsc"); +- if (IS_ERR(tsc_class)) { +- ret = PTR_ERR(tsc_class); +- pr_err("%s: Error creating class: %d\n", __func__, ret); +- goto err_class; +- } +- +- /* Initialize and register mux char device driver */ +- ret = tsc_init_char_driver(&tsc_device->mux_chdev.cdev, &tsc_mux_fops, +- &tsc_device->mux_device_number, tsc_device->device_mux, +- "tsc_mux"); +- if (ret != 0) +- goto err_chdev_mux; +- +- /* Initialize and register ci char device drivers */ +- ret = 
tsc_init_char_driver(&tsc_device->ci_chdev.cdev, &tsc_ci_fops, +- &tsc_device->ci_device_number, tsc_device->device_ci, +- "tsc_ci"); +- if (ret != 0) +- goto err_chdev_ci; +- +- /* Init char device counters */ +- tsc_device->num_device_open = 0; +- tsc_device->num_mux_opened = 0; +- tsc_device->num_ci_opened = 0; +- +- /* Init char device mutexes and completion structs */ +- mutex_init(&tsc_device->mux_chdev.mutex); +- mutex_init(&tsc_device->ci_chdev.mutex); +- mutex_init(&tsc_device->mutex); +- init_completion(&tsc_device->ci_chdev.transaction_complete); +- init_completion(&tsc_device->ci_chdev.transaction_finish); +- +- /* Init debugfs support */ +- tsc_debugfs_init(); +- +- return ret; +- +-err_chdev_ci: +- device_destroy(tsc_class, tsc_device->mux_chdev.cdev.dev); +- cdev_del(&tsc_device->mux_chdev.cdev); +-err_chdev_mux: +- class_destroy(tsc_class); +-err_class: +-err_pinctrl: +- if (tsc_device->bus_client) +- msm_bus_scale_unregister_client(tsc_device->bus_client); +- +- devm_regulator_put(tsc_device->gdsc); +-err_get_regulator_bus: +-err_map_irqs: +- iounmap(tsc_device->base); +-err_map_io: +- tsc_clocks_put(); +-err_clocks_get: +- tsc_free_iommu_info(); +-err_dt: +- kfree(tsc_device); +- +- return ret; +-} +- +-/*********************** Device driver remove function ***********************/ +-static int msm_tsc_remove(struct platform_device *pdev) +-{ +- /* Removing debugfs support */ +- tsc_debugfs_exit(); +- +- /* Destroying the char device mutexes */ +- mutex_destroy(&tsc_device->mux_chdev.mutex); +- mutex_destroy(&tsc_device->ci_chdev.mutex); +- +- /* unregistering and deleting the tsc-ci char device driver*/ +- device_destroy(tsc_class, tsc_device->ci_chdev.cdev.dev); +- cdev_del(&tsc_device->ci_chdev.cdev); +- +- /* unregistering and deleting the tsc-mux char device driver*/ +- device_destroy(tsc_class, tsc_device->mux_chdev.cdev.dev); +- cdev_del(&tsc_device->mux_chdev.cdev); +- +- /* Unregistering the char devices */ +- 
unregister_chrdev_region(tsc_device->ci_device_number, 1); +- unregister_chrdev_region(tsc_device->mux_device_number, 1); +- +- /* Removing the tsc class*/ +- class_destroy(tsc_class); +- +- /* Unregister the bus client and the regulator */ +- if (tsc_device->bus_client) +- msm_bus_scale_unregister_client(tsc_device->bus_client); +- +- devm_regulator_put(tsc_device->gdsc); +- +- /* Unmapping the io memory */ +- iounmap(tsc_device->base); +- +- /* Releasing the clocks */ +- tsc_clocks_put(); +- +- /* Releasing the iommu info */ +- if (!tsc_iommu_bypass) +- tsc_free_iommu_info(); +- +- /* Releasing the memory allocated for the TSC device struct */ +- kfree(tsc_device); +- +- return 0; +-} +- +-/*********************** Platform driver information ***********************/ +-static struct of_device_id msm_match_table[] = { +- {.compatible = "qcom,msm-tsc"}, +- {} +-}; +- +-static struct platform_driver msm_tsc_driver = { +- .probe = msm_tsc_probe, +- .remove = msm_tsc_remove, +- .driver = { +- .name = "msm_tsc", +- .of_match_table = msm_match_table, +- }, +-}; +- +-/** +- * tsc_init() - TSC driver module init function. +- * +- * Return 0 on success, error value otherwise. +- */ +-static int __init tsc_init(void) +-{ +- int ret = 0; +- +- /* register the driver, and check hardware */ +- ret = platform_driver_register(&msm_tsc_driver); +- if (ret) { +- pr_err("%s: platform_driver_register failed: %d\n", __func__, +- ret); +- return ret; +- } +- +- return ret; +-} +- +-/** +- * tsc_exit() - TSC driver module exit function. 
+- */ +-static void __exit tsc_exit(void) +-{ +- platform_driver_unregister(&msm_tsc_driver); +-} +- +-module_init(tsc_init); +-module_exit(tsc_exit); +- +-MODULE_DESCRIPTION("TSC platform device and two char devs: mux and ci"); +-MODULE_LICENSE("GPL v2"); +diff --git a/drivers/media/platform/msm/broadcast/tspp2.c b/drivers/media/platform/msm/broadcast/tspp2.c +deleted file mode 100644 +index 1f51dca..0000000 +--- a/drivers/media/platform/msm/broadcast/tspp2.c ++++ /dev/null +@@ -1,8578 +0,0 @@ +-/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved. +- * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License version 2 and +- * only version 2 as published by the Free Software Foundation. +- * +- * This program is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- */ +- +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +- +-#define TSPP2_MODULUS_OP(val, mod) ((val) & ((mod) - 1)) +- +-/* General definitions. Note we're reserving one batch. 
*/ +-#define TSPP2_NUM_ALL_INPUTS (TSPP2_NUM_TSIF_INPUTS + TSPP2_NUM_MEM_INPUTS) +-#define TSPP2_NUM_CONTEXTS 128 +-#define TSPP2_NUM_AVAIL_CONTEXTS 127 +-#define TSPP2_NUM_HW_FILTERS 128 +-#define TSPP2_NUM_BATCHES 15 +-#define TSPP2_FILTERS_PER_BATCH 8 +-#define TSPP2_NUM_AVAIL_FILTERS (TSPP2_NUM_HW_FILTERS - TSPP2_FILTERS_PER_BATCH) +-#define TSPP2_NUM_KEYTABLES 32 +-#define TSPP2_TSIF_DEF_TIME_LIMIT 15000 /* Number of tsif-ref-clock ticks */ +- +-#define TSPP2_NUM_EVENT_WORK_ELEMENTS 256 +- +-/* +- * Based on the hardware programming guide, HW requires we wait for up to 2ms +- * before closing the pipes used by the filter. +- * This is required to avoid unexpected pipe reset interrupts. +- */ +-#define TSPP2_HW_DELAY_USEC 2000 +- +-/* +- * Default source configuration: +- * Sync byte 0x47, check sync byte, +- * Do not monitor scrambling bits, +- * Discard packets with invalid AF, +- * Do not assume duplicates, +- * Do not ignore discontinuity indicator, +- * Check continuity of TS packets. +- */ +-#define TSPP2_DEFAULT_SRC_CONFIG 0x47801E49 +- +-/* +- * Default memory source configuration: +- * Use 16 batches, +- * Attach last batch to each memory source. 
+- */ +-#define TSPP2_DEFAULT_MEM_SRC_CONFIG 0x80000010 +- +-/* Bypass VBIF/IOMMU for debug and bring-up purposes */ +-static int tspp2_iommu_bypass; +-module_param(tspp2_iommu_bypass, int, S_IRUGO); +- +-/* Enable Invalid Adaptation Field control bits event */ +-static int tspp2_en_invalid_af_ctrl; +-module_param(tspp2_en_invalid_af_ctrl, int, S_IRUGO | S_IWUSR); +- +-/* Enable Invalid Adaptation Field length event */ +-static int tspp2_en_invalid_af_length; +-module_param(tspp2_en_invalid_af_length, int, S_IRUGO | S_IWUSR); +- +-/* Enable PES No Sync event */ +-static int tspp2_en_pes_no_sync; +-module_param(tspp2_en_pes_no_sync, int, S_IRUGO | S_IWUSR); +- +-/** +- * enum tspp2_operation_opcode - TSPP2 Operation opcode for TSPP2_OPCODE +- */ +-enum tspp2_operation_opcode { +- TSPP2_OPCODE_PES_ANALYSIS = 0x03, +- TSPP2_OPCODE_RAW_TRANSMIT = 0x07, +- TSPP2_OPCODE_PES_TRANSMIT = 0x00, +- TSPP2_OPCODE_PCR_EXTRACTION = 0x05, +- TSPP2_OPCODE_CIPHER = 0x01, +- TSPP2_OPCODE_INDEXING = 0x09, +- TSPP2_OPCODE_COPY_PACKET = 0x0B, +- TSPP2_OPCODE_EXIT = 0x0F +-}; +- +-/* TSIF Register definitions: */ +-#define TSPP2_TSIF_STS_CTL (0x0000) +-#define TSPP2_TSIF_TIME_LIMIT (0x0004) +-#define TSPP2_TSIF_CLK_REF (0x0008) +-#define TSPP2_TSIF_LPBK_FLAGS (0x000C) +-#define TSPP2_TSIF_LPBK_DATA (0x0010) +-#define TSPP2_TSIF_DATA_PORT (0x0100) +- +-/* Bits for TSPP2_TSIF_STS_CTL register */ +-#define TSIF_STS_CTL_PKT_WRITE_ERR BIT(30) +-#define TSIF_STS_CTL_PKT_READ_ERR BIT(29) +-#define TSIF_STS_CTL_EN_IRQ BIT(28) +-#define TSIF_STS_CTL_PACK_AVAIL BIT(27) +-#define TSIF_STS_CTL_1ST_PACKET BIT(26) +-#define TSIF_STS_CTL_OVERFLOW BIT(25) +-#define TSIF_STS_CTL_LOST_SYNC BIT(24) +-#define TSIF_STS_CTL_TIMEOUT BIT(23) +-#define TSIF_STS_CTL_INV_SYNC BIT(21) +-#define TSIF_STS_CTL_INV_NULL BIT(20) +-#define TSIF_STS_CTL_INV_ERROR BIT(19) +-#define TSIF_STS_CTL_INV_ENABLE BIT(18) +-#define TSIF_STS_CTL_INV_DATA BIT(17) +-#define TSIF_STS_CTL_INV_CLOCK BIT(16) +-#define 
TSIF_STS_CTL_PARALLEL BIT(14) +-#define TSIF_STS_CTL_EN_NULL BIT(11) +-#define TSIF_STS_CTL_EN_ERROR BIT(10) +-#define TSIF_STS_CTL_LAST_BIT BIT(9) +-#define TSIF_STS_CTL_EN_TIME_LIM BIT(8) +-#define TSIF_STS_CTL_EN_TCR BIT(7) +-#define TSIF_STS_CTL_TEST_MODE BIT(6) +-#define TSIF_STS_CTL_MODE_2 BIT(5) +-#define TSIF_STS_CTL_EN_DM BIT(4) +-#define TSIF_STS_CTL_STOP BIT(3) +-#define TSIF_STS_CTL_START BIT(0) +- +-/* Indexing Table Register definitions: id = 0..3, n = 0..25 */ +-#define TSPP2_INDEX_TABLE_PREFIX(id) (0x6000 + ((id) << 2)) +-#define TSPP2_INDEX_TABLE_PREFIX_MASK(id) (0x6010 + ((id) << 2)) +-#define TSPP2_INDEX_TABLE_PATTEREN(id, n) (0x3C00 + ((id) << 8) + \ +- ((n) << 3)) +-#define TSPP2_INDEX_TABLE_MASK(id, n) (0x3C04 + ((id) << 8) + \ +- ((n) << 3)) +-#define TSPP2_INDEX_TABLE_PARAMS(id) (0x6020 + ((id) << 2)) +- +-/* Bits for TSPP2_INDEX_TABLE_PARAMS register */ +-#define INDEX_TABLE_PARAMS_PREFIX_SIZE_OFFS 8 +-#define INDEX_TABLE_PARAMS_NUM_PATTERNS_OFFS 0 +- +-/* Source with memory input register definitions: n = 0..7 */ +-#define TSPP2_MEM_INPUT_SRC_CONFIG(n) (0x6040 + ((n) << 2)) +- +-/* Bits for TSPP2_MEM_INPUT_SRC_CONFIG register */ +-#define MEM_INPUT_SRC_CONFIG_BATCHES_OFFS 16 +-#define MEM_INPUT_SRC_CONFIG_INPUT_PIPE_OFFS 8 +-#define MEM_INPUT_SRC_CONFIG_16_BATCHES_OFFS 4 +-#define MEM_INPUT_SRC_CONFIG_STAMP_SUFFIX_OFFS 2 +-#define MEM_INPUT_SRC_CONFIG_STAMP_EN_OFFS 1 +-#define MEM_INPUT_SRC_CONFIG_INPUT_EN_OFFS 0 +- +-/* Source with TSIF input register definitions: n = 0..1 */ +-#define TSPP2_TSIF_INPUT_SRC_CONFIG(n) (0x6060 + ((n) << 2)) +-#define TSIF_INPUT_SRC_CONFIG_16_BATCHES_OFFS 4 +- +-/* Bits for TSPP2_TSIF_INPUT_SRC_CONFIG register */ +-#define TSIF_INPUT_SRC_CONFIG_BATCHES_OFFS 16 +-#define TSIF_INPUT_SRC_CONFIG_INPUT_EN_OFFS 0 +- +-/* Source with any input register definitions: n = 0..9 */ +-#define TSPP2_SRC_DEST_PIPES(n) (0x6070 + ((n) << 2)) +-#define TSPP2_SRC_CONFIG(n) (0x6120 + ((n) << 2)) +-#define TSPP2_SRC_TOTAL_TSP(n) 
(0x6600 + ((n) << 2))
+-#define TSPP2_SRC_FILTERED_OUT_TSP(n) (0x6630 + ((n) << 2))
+-
+-/* Bits for TSPP2_SRC_CONFIG register */
+-#define SRC_CONFIG_SYNC_BYTE_OFFS 24
+-#define SRC_CONFIG_CHECK_SYNC_OFFS 23
+-#define SRC_CONFIG_SCRAMBLING_MONITOR_OFFS 13
+-#define SRC_CONFIG_VERIFY_PES_START_OFFS 12
+-#define SRC_CONFIG_SCRAMBLING3_OFFS 10
+-#define SRC_CONFIG_SCRAMBLING2_OFFS 8
+-#define SRC_CONFIG_SCRAMBLING1_OFFS 6
+-#define SRC_CONFIG_SCRAMBLING0_OFFS 4
+-#define SRC_CONFIG_DISCARD_INVALID_AF_OFFS 3
+-#define SRC_CONFIG_ASSUME_DUPLICATES_OFFS 2
+-#define SRC_CONFIG_IGNORE_DISCONT_OFFS 1
+-#define SRC_CONFIG_CHECK_CONT_OFFS 0
+-
+-/* Context register definitions: n = 0..127 */
+-#define TSPP2_PES_CONTEXT0(n) (0x0000 + ((n) << 4))
+-#define TSPP2_PES_CONTEXT1(n) (0x0004 + ((n) << 4))
+-#define TSPP2_PES_CONTEXT2(n) (0x0008 + ((n) << 4))
+-#define TSPP2_PES_CONTEXT3(n) (0x000C + ((n) << 4))
+-#define TSPP2_INDEXING_CONTEXT0(n) (0x0800 + ((n) << 3))
+-#define TSPP2_INDEXING_CONTEXT1(n) (0x0804 + ((n) << 3))
+-#define TSPP2_TSP_CONTEXT(n) (0x5600 + ((n) << 2))
+-
+-/* Bits for TSPP2_TSP_CONTEXT register */
+-#define TSP_CONTEXT_TS_HEADER_SC_OFFS 6
+-#define TSP_CONTEXT_PES_HEADER_SC_OFFS 8
+-
+-/* Operations register definitions: f_idx = 0..127, n = 0..15 */
+-#define TSPP2_OPCODE(f_idx, n) (0x1000 + \
+- ((f_idx) * (TSPP2_MAX_OPS_PER_FILTER << 2)) + \
+- ((n) << 2))
+-
+-/* Filter register definitions: n = 0..127 */
+-#define TSPP2_FILTER_ENTRY0(n) (0x5800 + ((n) << 3))
+-#define TSPP2_FILTER_ENTRY1(n) (0x5804 + ((n) << 3))
+-
+-/* Bits for TSPP2_FILTER_ENTRY0 register */
+-#define FILTER_ENTRY0_PID_OFFS 0
+-#define FILTER_ENTRY0_MASK_OFFS 13
+-#define FILTER_ENTRY0_EN_OFFS 26
+-#define FILTER_ENTRY0_CODEC_OFFS 27
+-
+-/* Bits for TSPP2_FILTER_ENTRY1 register */
+-#define FILTER_ENTRY1_CONTEXT_OFFS 0
+-
+-/* Filter context-based counter register definitions: n = 0..127 */
+-#define TSPP2_FILTER_TSP_SYNC_ERROR(n) (0x4000 + ((n) << 2))
+-#define
TSPP2_FILTER_ERRED_TSP(n) (0x4200 + ((n) << 2))
+-#define TSPP2_FILTER_DISCONTINUITIES(n) (0x4400 + ((n) << 2))
+-#define TSPP2_FILTER_SCRAMBLING_BITS_DISCARD(n) (0x4600 + ((n) << 2))
+-#define TSPP2_FILTER_TSP_TOTAL_NUM(n) (0x4800 + ((n) << 2))
+-#define TSPP2_FILTER_DISCONT_INDICATOR(n) (0x4A00 + ((n) << 2))
+-#define TSPP2_FILTER_TSP_NO_PAYLOAD(n) (0x4C00 + ((n) << 2))
+-#define TSPP2_FILTER_TSP_DUPLICATE(n) (0x4E00 + ((n) << 2))
+-#define TSPP2_FILTER_KEY_FETCH_FAILURE(n) (0x5000 + ((n) << 2))
+-#define TSPP2_FILTER_DROPPED_PCR(n) (0x5200 + ((n) << 2))
+-#define TSPP2_FILTER_PES_ERRORS(n) (0x5400 + ((n) << 2))
+-
+-/* Pipe register definitions: n = 0..30 */
+-#define TSPP2_PIPE_THRESH_CONFIG(n) (0x60A0 + ((n) << 2))
+-#define TSPP2_PIPE_LAST_ADDRESS(n) (0x6190 + ((n) << 2))
+-#define TSPP2_PIPE_SECURITY 0x6150
+-#define TSPP2_DATA_NOT_SENT_ON_PIPE(n) (0x6660 + ((n) << 2))
+-
+-/* Global register definitions: */
+-#define TSPP2_PCR_GLOBAL_CONFIG 0x6160
+-#define TSPP2_CLK_TO_PCR_TIME_UNIT 0x6170
+-#define TSPP2_DESC_WAIT_TIMEOUT 0x6180
+-#define TSPP2_GLOBAL_IRQ_STATUS 0x6300
+-#define TSPP2_GLOBAL_IRQ_CLEAR 0x6304
+-#define TSPP2_GLOBAL_IRQ_ENABLE 0x6308
+-#define TSPP2_KEY_NOT_READY_IRQ_STATUS 0x6310
+-#define TSPP2_KEY_NOT_READY_IRQ_CLEAR 0x6314
+-#define TSPP2_KEY_NOT_READY_IRQ_ENABLE 0x6318
+-#define TSPP2_UNEXPECTED_RST_IRQ_STATUS 0x6320
+-#define TSPP2_UNEXPECTED_RST_IRQ_CLEAR 0x6324
+-#define TSPP2_UNEXPECTED_RST_IRQ_ENABLE 0x6328
+-#define TSPP2_WRONG_PIPE_DIR_IRQ_STATUS 0x6330
+-#define TSPP2_WRONG_PIPE_DIR_IRQ_CLEAR 0x6334
+-#define TSPP2_WRONG_PIPE_DIR_IRQ_ENABLE 0x6338
+-#define TSPP2_QSB_RESPONSE_ERROR_IRQ_STATUS 0x6340
+-#define TSPP2_QSB_RESPONSE_ERROR_IRQ_CLEAR 0x6344
+-#define TSPP2_QSB_RESPONSE_ERROR_IRQ_ENABLE 0x6348
+-#define TSPP2_SRC_TOTAL_TSP_RESET 0x6710
+-#define TSPP2_SRC_FILTERED_OUT_TSP_RESET 0x6714
+-#define TSPP2_DATA_NOT_SENT_ON_PIPE_RESET 0x6718
+-#define TSPP2_VERSION 0x6FFC
+-
+-/* Bits for TSPP2_GLOBAL_IRQ_CLEAR register */
+-#define GLOBAL_IRQ_CLEAR_RESERVED_OFFS 4
+-
+-/* Bits for TSPP2_VERSION register */
+-#define VERSION_MAJOR_OFFS 28
+-#define VERSION_MINOR_OFFS 16
+-#define VERSION_STEP_OFFS 0
+-
+-/* Bits for TSPP2_GLOBAL_IRQ_XXX registers */
+-#define GLOBAL_IRQ_TSP_INVALID_AF_OFFS 0
+-#define GLOBAL_IRQ_TSP_INVALID_LEN_OFFS 1
+-#define GLOBAL_IRQ_PES_NO_SYNC_OFFS 2
+-#define GLOBAL_IRQ_ENCRYPT_LEVEL_ERR_OFFS 3
+-#define GLOBAL_IRQ_KEY_NOT_READY_OFFS 4
+-#define GLOBAL_IRQ_UNEXPECTED_RESET_OFFS 5
+-#define GLOBAL_IRQ_QSB_RESP_ERR_OFFS 6
+-#define GLOBAL_IRQ_WRONG_PIPE_DIR_OFFS 7
+-#define GLOBAL_IRQ_SC_GO_HIGH_OFFS 8
+-#define GLOBAL_IRQ_SC_GO_LOW_OFFS 9
+-#define GLOBAL_IRQ_READ_FAIL_OFFS 16
+-#define GLOBAL_IRQ_FC_STALL_OFFS 24
+-
+-/* Bits for TSPP2_PCR_GLOBAL_CONFIG register */
+-#define PCR_GLOBAL_CONFIG_PCR_ON_DISCONT_OFFS 10
+-#define PCR_GLOBAL_CONFIG_STC_OFFSET_OFFS 8
+-#define PCR_GLOBAL_CONFIG_PCR_INTERVAL_OFFS 0
+-#define PCR_GLOBAL_CONFIG_PCR_ON_DISCONT BIT(10)
+-#define PCR_GLOBAL_CONFIG_STC_OFFSET (BIT(8)|BIT(9))
+-#define PCR_GLOBAL_CONFIG_PCR_INTERVAL 0xFF
+-
+-/* n = 0..3, each register handles 32 filters */
+-#define TSPP2_SC_GO_HIGH_STATUS(n) (0x6350 + ((n) << 2))
+-#define TSPP2_SC_GO_HIGH_CLEAR(n) (0x6360 + ((n) << 2))
+-#define TSPP2_SC_GO_HIGH_ENABLE(n) (0x6370 + ((n) << 2))
+-#define TSPP2_SC_GO_LOW_STATUS(n) (0x6390 + ((n) << 2))
+-#define TSPP2_SC_GO_LOW_CLEAR(n) (0x63A0 + ((n) << 2))
+-#define TSPP2_SC_GO_LOW_ENABLE(n) (0x63B0 + ((n) << 2))
+-
+-/* n = 0..3, each register handles 32 contexts */
+-#define TSPP2_TSP_CONTEXT_RESET(n) (0x6500 + ((n) << 2))
+-#define TSPP2_PES_CONTEXT_RESET(n) (0x6510 + ((n) << 2))
+-#define TSPP2_INDEXING_CONTEXT_RESET(n) (0x6520 + ((n) << 2))
+-
+-/* debugfs entries */
+-
+-#define TSPP2_S_RW (S_IRUGO | S_IWUSR)
+-
+-struct debugfs_entry {
+- const char *name;
+- mode_t mode;
+- int offset;
+-};
+-
+-static const struct debugfs_entry tsif_regs[] = {
+- {"sts_ctl", TSPP2_S_RW, TSPP2_TSIF_STS_CTL},
+- {"time_limit",
TSPP2_S_RW, TSPP2_TSIF_TIME_LIMIT},
+- {"clk_ref", TSPP2_S_RW, TSPP2_TSIF_CLK_REF},
+- {"lpbk_flags", TSPP2_S_RW, TSPP2_TSIF_LPBK_FLAGS},
+- {"lpbk_data", TSPP2_S_RW, TSPP2_TSIF_LPBK_DATA},
+- {"data_port", S_IRUGO, TSPP2_TSIF_DATA_PORT},
+-};
+-
+-static const struct debugfs_entry tspp2_regs[] = {
+- /* Memory input source configuration registers */
+- {"mem_input_src_config_0", TSPP2_S_RW, TSPP2_MEM_INPUT_SRC_CONFIG(0)},
+- {"mem_input_src_config_1", TSPP2_S_RW, TSPP2_MEM_INPUT_SRC_CONFIG(1)},
+- {"mem_input_src_config_2", TSPP2_S_RW, TSPP2_MEM_INPUT_SRC_CONFIG(2)},
+- {"mem_input_src_config_3", TSPP2_S_RW, TSPP2_MEM_INPUT_SRC_CONFIG(3)},
+- {"mem_input_src_config_4", TSPP2_S_RW, TSPP2_MEM_INPUT_SRC_CONFIG(4)},
+- {"mem_input_src_config_5", TSPP2_S_RW, TSPP2_MEM_INPUT_SRC_CONFIG(5)},
+- {"mem_input_src_config_6", TSPP2_S_RW, TSPP2_MEM_INPUT_SRC_CONFIG(6)},
+- {"mem_input_src_config_7", TSPP2_S_RW, TSPP2_MEM_INPUT_SRC_CONFIG(7)},
+- /* TSIF input source configuration registers */
+- {"tsif_input_src_config_0", TSPP2_S_RW, TSPP2_TSIF_INPUT_SRC_CONFIG(0)},
+- {"tsif_input_src_config_1", TSPP2_S_RW, TSPP2_TSIF_INPUT_SRC_CONFIG(1)},
+- /* Source destination pipes association registers */
+- {"src_dest_pipes_0", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(0)},
+- {"src_dest_pipes_1", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(1)},
+- {"src_dest_pipes_2", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(2)},
+- {"src_dest_pipes_3", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(3)},
+- {"src_dest_pipes_4", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(4)},
+- {"src_dest_pipes_5", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(5)},
+- {"src_dest_pipes_6", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(6)},
+- {"src_dest_pipes_7", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(7)},
+- {"src_dest_pipes_8", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(8)},
+- {"src_dest_pipes_9", TSPP2_S_RW, TSPP2_SRC_DEST_PIPES(9)},
+- /* Source configuration registers */
+- {"src_config_0", TSPP2_S_RW, TSPP2_SRC_CONFIG(0)},
+- {"src_config_1", TSPP2_S_RW, TSPP2_SRC_CONFIG(1)},
+- {"src_config_2",
TSPP2_S_RW, TSPP2_SRC_CONFIG(2)},
+- {"src_config_3", TSPP2_S_RW, TSPP2_SRC_CONFIG(3)},
+- {"src_config_4", TSPP2_S_RW, TSPP2_SRC_CONFIG(4)},
+- {"src_config_5", TSPP2_S_RW, TSPP2_SRC_CONFIG(5)},
+- {"src_config_6", TSPP2_S_RW, TSPP2_SRC_CONFIG(6)},
+- {"src_config_7", TSPP2_S_RW, TSPP2_SRC_CONFIG(7)},
+- {"src_config_8", TSPP2_S_RW, TSPP2_SRC_CONFIG(8)},
+- {"src_config_9", TSPP2_S_RW, TSPP2_SRC_CONFIG(9)},
+- /* Source total TS packets counter registers */
+- {"src_total_tsp_0", S_IRUGO, TSPP2_SRC_TOTAL_TSP(0)},
+- {"src_total_tsp_1", S_IRUGO, TSPP2_SRC_TOTAL_TSP(1)},
+- {"src_total_tsp_2", S_IRUGO, TSPP2_SRC_TOTAL_TSP(2)},
+- {"src_total_tsp_3", S_IRUGO, TSPP2_SRC_TOTAL_TSP(3)},
+- {"src_total_tsp_4", S_IRUGO, TSPP2_SRC_TOTAL_TSP(4)},
+- {"src_total_tsp_5", S_IRUGO, TSPP2_SRC_TOTAL_TSP(5)},
+- {"src_total_tsp_6", S_IRUGO, TSPP2_SRC_TOTAL_TSP(6)},
+- {"src_total_tsp_7", S_IRUGO, TSPP2_SRC_TOTAL_TSP(7)},
+- {"src_total_tsp_8", S_IRUGO, TSPP2_SRC_TOTAL_TSP(8)},
+- {"src_total_tsp_9", S_IRUGO, TSPP2_SRC_TOTAL_TSP(9)},
+- /* Source total filtered out TS packets counter registers */
+- {"src_filtered_out_tsp_0", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(0)},
+- {"src_filtered_out_tsp_1", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(1)},
+- {"src_filtered_out_tsp_2", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(2)},
+- {"src_filtered_out_tsp_3", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(3)},
+- {"src_filtered_out_tsp_4", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(4)},
+- {"src_filtered_out_tsp_5", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(5)},
+- {"src_filtered_out_tsp_6", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(6)},
+- {"src_filtered_out_tsp_7", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(7)},
+- {"src_filtered_out_tsp_8", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(8)},
+- {"src_filtered_out_tsp_9", S_IRUGO, TSPP2_SRC_FILTERED_OUT_TSP(9)},
+- /* Global registers */
+- {"pipe_security", TSPP2_S_RW, TSPP2_PIPE_SECURITY},
+- {"pcr_global_config", TSPP2_S_RW, TSPP2_PCR_GLOBAL_CONFIG},
+- {"clk_to_pcr_time_unit", TSPP2_S_RW,
TSPP2_CLK_TO_PCR_TIME_UNIT},
+- {"desc_wait_timeout", TSPP2_S_RW, TSPP2_DESC_WAIT_TIMEOUT},
+- {"global_irq_status", S_IRUGO, TSPP2_GLOBAL_IRQ_STATUS},
+- {"global_irq_clear", S_IWUSR, TSPP2_GLOBAL_IRQ_CLEAR},
+- {"global_irq_en", TSPP2_S_RW, TSPP2_GLOBAL_IRQ_ENABLE},
+- {"key_not_ready_irq_status", S_IRUGO, TSPP2_KEY_NOT_READY_IRQ_STATUS},
+- {"key_not_ready_irq_clear", S_IWUSR, TSPP2_KEY_NOT_READY_IRQ_CLEAR},
+- {"key_not_ready_irq_en", TSPP2_S_RW, TSPP2_KEY_NOT_READY_IRQ_ENABLE},
+- {"unexpected_rst_irq_status", S_IRUGO, TSPP2_UNEXPECTED_RST_IRQ_STATUS},
+- {"unexpected_rst_irq_clear", S_IWUSR, TSPP2_UNEXPECTED_RST_IRQ_CLEAR},
+- {"unexpected_rst_irq_en", TSPP2_S_RW, TSPP2_UNEXPECTED_RST_IRQ_ENABLE},
+- {"wrong_pipe_dir_irq_status", S_IRUGO, TSPP2_WRONG_PIPE_DIR_IRQ_STATUS},
+- {"wrong_pipe_dir_irq_clear", S_IWUSR, TSPP2_WRONG_PIPE_DIR_IRQ_CLEAR},
+- {"wrong_pipe_dir_irq_en", TSPP2_S_RW, TSPP2_WRONG_PIPE_DIR_IRQ_ENABLE},
+- {"qsb_response_error_irq_status", S_IRUGO,
+- TSPP2_QSB_RESPONSE_ERROR_IRQ_STATUS},
+- {"qsb_response_error_irq_clear", S_IWUSR,
+- TSPP2_QSB_RESPONSE_ERROR_IRQ_CLEAR},
+- {"qsb_response_error_irq_en", TSPP2_S_RW,
+- TSPP2_QSB_RESPONSE_ERROR_IRQ_ENABLE},
+- {"src_total_tsp_reset", S_IWUSR, TSPP2_SRC_TOTAL_TSP_RESET},
+- {"src_filtered_out_tsp_reset", S_IWUSR,
+- TSPP2_SRC_FILTERED_OUT_TSP_RESET},
+- {"data_not_sent_on_pipe_reset", S_IWUSR,
+- TSPP2_DATA_NOT_SENT_ON_PIPE_RESET},
+- {"version", S_IRUGO, TSPP2_VERSION},
+- /* Scrambling bits monitoring interrupt registers */
+- {"sc_go_high_status_0", S_IRUGO, TSPP2_SC_GO_HIGH_STATUS(0)},
+- {"sc_go_high_status_1", S_IRUGO, TSPP2_SC_GO_HIGH_STATUS(1)},
+- {"sc_go_high_status_2", S_IRUGO, TSPP2_SC_GO_HIGH_STATUS(2)},
+- {"sc_go_high_status_3", S_IRUGO, TSPP2_SC_GO_HIGH_STATUS(3)},
+- {"sc_go_high_clear_0", S_IWUSR, TSPP2_SC_GO_HIGH_CLEAR(0)},
+- {"sc_go_high_clear_1", S_IWUSR, TSPP2_SC_GO_HIGH_CLEAR(1)},
+- {"sc_go_high_clear_2", S_IWUSR, TSPP2_SC_GO_HIGH_CLEAR(2)},
+- {"sc_go_high_clear_3",
S_IWUSR, TSPP2_SC_GO_HIGH_CLEAR(3)},
+- {"sc_go_high_en_0", TSPP2_S_RW, TSPP2_SC_GO_HIGH_ENABLE(0)},
+- {"sc_go_high_en_1", TSPP2_S_RW, TSPP2_SC_GO_HIGH_ENABLE(1)},
+- {"sc_go_high_en_2", TSPP2_S_RW, TSPP2_SC_GO_HIGH_ENABLE(2)},
+- {"sc_go_high_en_3", TSPP2_S_RW, TSPP2_SC_GO_HIGH_ENABLE(3)},
+- {"sc_go_low_status_0", S_IRUGO, TSPP2_SC_GO_LOW_STATUS(0)},
+- {"sc_go_low_status_1", S_IRUGO, TSPP2_SC_GO_LOW_STATUS(1)},
+- {"sc_go_low_status_2", S_IRUGO, TSPP2_SC_GO_LOW_STATUS(2)},
+- {"sc_go_low_status_3", S_IRUGO, TSPP2_SC_GO_LOW_STATUS(3)},
+- {"sc_go_low_clear_0", S_IWUSR, TSPP2_SC_GO_LOW_CLEAR(0)},
+- {"sc_go_low_clear_1", S_IWUSR, TSPP2_SC_GO_LOW_CLEAR(1)},
+- {"sc_go_low_clear_2", S_IWUSR, TSPP2_SC_GO_LOW_CLEAR(2)},
+- {"sc_go_low_clear_3", S_IWUSR, TSPP2_SC_GO_LOW_CLEAR(3)},
+- {"sc_go_low_en_0", TSPP2_S_RW, TSPP2_SC_GO_LOW_ENABLE(0)},
+- {"sc_go_low_en_1", TSPP2_S_RW, TSPP2_SC_GO_LOW_ENABLE(1)},
+- {"sc_go_low_en_2", TSPP2_S_RW, TSPP2_SC_GO_LOW_ENABLE(2)},
+- {"sc_go_low_en_3", TSPP2_S_RW, TSPP2_SC_GO_LOW_ENABLE(3)},
+-};
+-
+-/* Data structures */
+-
+-/**
+- * struct tspp2_tsif_device - TSIF device
+- *
+- * @base: TSIF device memory base address.
+- * @hw_index: TSIF device HW index (0 .. (TSPP2_NUM_TSIF_INPUTS - 1)).
+- * @dev: Back pointer to the TSPP2 device.
+- * @time_limit: TSIF device time limit
+- * (maximum time allowed between each TS packet).
+- * @ref_count: TSIF device reference count.
+- * @tsif_irq: TSIF device IRQ number.
+- * @mode: TSIF mode of operation.
+- * @clock_inverse: Invert input clock signal.
+- * @data_inverse: Invert input data signal.
+- * @sync_inverse: Invert input sync signal.
+- * @enable_inverse: Invert input enable signal.
+- * @debugfs_entrys: TSIF device debugfs entry.
+- * @stat_pkt_write_err: TSIF device packet write error statistics.
+- * @stat__pkt_read_err: TSIF device packet read error statistics.
+- * @stat_overflow: TSIF device overflow statistics.
+- * @stat_lost_sync: TSIF device lost sync statistics.
+- * @stat_timeout: TSIF device timeout statistics.
+- */
+-struct tspp2_tsif_device {
+- void __iomem *base;
+- u32 hw_index;
+- struct tspp2_device *dev;
+- u32 time_limit;
+- u32 ref_count;
+- u32 tsif_irq;
+- enum tspp2_tsif_mode mode;
+- int clock_inverse;
+- int data_inverse;
+- int sync_inverse;
+- int enable_inverse;
+- struct dentry *debugfs_entry;
+- u32 stat_pkt_write_err;
+- u32 stat_pkt_read_err;
+- u32 stat_overflow;
+- u32 stat_lost_sync;
+- u32 stat_timeout;
+-};
+-
+-/**
+- * struct tspp2_indexing_table - Indexing table
+- *
+- * @prefix_value: 4-byte common prefix value.
+- * @prefix_mask: 4-byte prefix mask.
+- * @entry_value: An array of 4-byte pattern values.
+- * @entry_mask: An array of corresponding 4-byte pattern masks.
+- * @num_valid_entries: Number of valid entries in the arrays.
+- */
+-struct tspp2_indexing_table {
+- u32 prefix_value;
+- u32 prefix_mask;
+- u32 entry_value[TSPP2_NUM_INDEXING_PATTERNS];
+- u32 entry_mask[TSPP2_NUM_INDEXING_PATTERNS];
+- u16 num_valid_entries;
+-};
+-
+-/**
+- * struct tspp2_event_work - Event work information
+- *
+- * @device: TSPP2 device back-pointer.
+- * @callback: Callback to invoke.
+- * @cookie: Cookie to pass to the callback.
+- * @event_bitmask: A bit mask of events to pass to the callback.
+- * @work: The work structure to queue.
+- * @link: A list element.
+- */
+-struct tspp2_event_work {
+- struct tspp2_device *device;
+- void (*callback)(void *cookie, u32 event_bitmask);
+- void *cookie;
+- u32 event_bitmask;
+- struct work_struct work;
+- struct list_head link;
+-};
+-
+-/**
+- * struct tspp2_filter - Filter object
+- *
+- * @opened: A flag to indicate whether the filter is open.
+- * @device: Back-pointer to the TSPP2 device the filter
+- * belongs to.
+- * @batch: The filter batch this filter belongs to.
+- * @src: Back-pointer to the source the filter is
+- * associated with.
+- * @hw_index: The filter's HW index.
+- * @pid_value: The filter's 13-bit PID value.
+- * @mask: The corresponding 13-bit bitmask.
+- * @context: The filter's context ID.
+- * @indexing_table_id: The ID of the indexing table this filter uses
+- * in case an indexing operation is set.
+- * @operations: An array of user-defined operations.
+- * @num_user_operations: The number of user-defined operations.
+- * @indexing_op_set: A flag to indicate an indexing operation
+- * has been set.
+- * @raw_op_with_indexing: A flag to indicate a Raw Transmit operation
+- * with support_indexing parameter has been set.
+- * @pes_analysis_op_set: A flag to indicate a PES Analysis operation
+- * has been set.
+- * @raw_op_set: A flag to indicate a Raw Transmit operation
+- * has been set.
+- * @pes_tx_op_set: A flag to indicate a PES Transmit operation
+- * has been set.
+- * @event_callback: A user callback to invoke when a filter event
+- * occurs.
+- * @event_cookie: A user cookie to provide to the callback.
+- * @event_bitmask: A bit mask of filter events
+- * TSPP2_FILTER_EVENT_XXX.
+- * @enabled: A flag to indicate whether the filter
+- * is enabled.
+- * @link: A list element. When the filter is associated
+- * with a source, it is added to the source's
+- * list of filters.
+- */
+-struct tspp2_filter {
+- int opened;
+- struct tspp2_device *device;
+- struct tspp2_filter_batch *batch;
+- struct tspp2_src *src;
+- u16 hw_index;
+- u16 pid_value;
+- u16 mask;
+- u16 context;
+- u8 indexing_table_id;
+- struct tspp2_operation operations[TSPP2_MAX_OPS_PER_FILTER];
+- u8 num_user_operations;
+- int indexing_op_set;
+- int raw_op_with_indexing;
+- int pes_analysis_op_set;
+- int raw_op_set;
+- int pes_tx_op_set;
+- void (*event_callback)(void *cookie, u32 event_bitmask);
+- void *event_cookie;
+- u32 event_bitmask;
+- int enabled;
+- struct list_head link;
+-};
+-
+-/**
+- * struct tspp2_pipe - Pipe object
+- *
+- * @opened: A flag to indicate whether the pipe is open.
+- * @device: Back-pointer to the TSPP2 device the pipe belongs to.
+- * @cfg: Pipe configuration parameters.
+- * @sps_pipe: The BAM SPS pipe.
+- * @sps_connect_cfg: SPS pipe connection configuration.
+- * @sps_event: SPS pipe event registration parameters.
+- * @desc_ion_handle: ION handle for the SPS pipe descriptors.
+- * @iova: TSPP2 IOMMU-mapped virtual address of the
+- * data buffer provided by the user.
+- * @hw_index: The pipe's HW index (for register access).
+- * @threshold: Pipe threshold.
+- * @ref_cnt: Pipe reference count. Incremented when pipe
+- * is attached to a source, decremented when it
+- * is detached from a source.
+- */
+-struct tspp2_pipe {
+- int opened;
+- struct tspp2_device *device;
+- struct tspp2_pipe_config_params cfg;
+- struct sps_pipe *sps_pipe;
+- struct sps_connect sps_connect_cfg;
+- struct sps_register_event sps_event;
+- struct ion_handle *desc_ion_handle;
+- ion_phys_addr_t iova;
+- u32 hw_index;
+- u16 threshold;
+- u32 ref_cnt;
+-};
+-
+-/**
+- * struct tspp2_output_pipe - Output pipe element to add to a source's list
+- *
+- * @pipe: A pointer to an output pipe object.
+- * @link: A list element. When an output pipe is attached to a source,
+- * it is added to the source's output pipe list. Note the same pipe
+- * can be attached to multiple sources, so we allocate an output
+- * pipe element to add to the list - we don't add the actual pipe.
+- */
+-struct tspp2_output_pipe {
+- struct tspp2_pipe *pipe;
+- struct list_head link;
+-};
+-
+-/**
+- * struct tspp2_filter_batch - Filter batch object
+- *
+- * @batch_id: Filter batch ID.
+- * @hw_filters: An array of HW filters that belong to this batch. When set, this
+- * indicates the filter is used. The actual HW index of a filter is
+- * calculated according to the index in this array along with the
+- * batch ID.
+- * @src: Back-pointer to the source the batch is associated with. This is
+- * also used to indicate this batch is "taken".
+- * @link: A list element.
When the batch is associated with a source, it
+- * is added to the source's list of filter batches.
+- */
+-struct tspp2_filter_batch {
+- u8 batch_id;
+- int hw_filters[TSPP2_FILTERS_PER_BATCH];
+- struct tspp2_src *src;
+- struct list_head link;
+-};
+-
+-/**
+- * struct tspp2_src - Source object
+- *
+- * @opened: A flag to indicate whether the source is open.
+- * @device: Back-pointer to the TSPP2 device the source
+- * belongs to.
+- * @hw_index: The source's HW index. This is used when writing
+- * to HW registers relevant for this source.
+- * There are registers specific to TSIF or memory
+- * sources, and there are registers common to all
+- * sources.
+- * @input: Source input type (TSIF / memory).
+- * @pkt_format: Input packet size and format for this source.
+- * @scrambling_bits_monitoring: Scrambling bits monitoring mode.
+- * @batches_list: A list of associated filter batches.
+- * @filters_list: A list of associated filters.
+- * @input_pipe: A pointer to the source's input pipe, if exists.
+- * @output_pipe_list: A list of output pipes attached to the source.
+- * For each pipe we also save whether it is
+- * stalling for this source.
+- * @num_associated_batches: Number of associated filter batches.
+- * @num_associated_pipes: Number of associated pipes.
+- * @num_associated_filters: Number of associated filters.
+- * @reserved_filter_hw_index: A HW filter index reserved for updating an
+- * active filter's operations.
+- * @event_callback: A user callback to invoke when a source event
+- * occurs.
+- * @event_cookie: A user cookie to provide to the callback.
+- * @event_bitmask: A bit mask of source events
+- * TSPP2_SRC_EVENT_XXX.
+- * @enabled: A flag to indicate whether the source
+- * is enabled.
+- */
+-struct tspp2_src {
+- int opened;
+- struct tspp2_device *device;
+- u8 hw_index;
+- enum tspp2_src_input input;
+- enum tspp2_packet_format pkt_format;
+- enum tspp2_src_scrambling_monitoring scrambling_bits_monitoring;
+- struct list_head batches_list;
+- struct list_head filters_list;
+- struct tspp2_pipe *input_pipe;
+- struct list_head output_pipe_list;
+- u8 num_associated_batches;
+- u8 num_associated_pipes;
+- u32 num_associated_filters;
+- u16 reserved_filter_hw_index;
+- void (*event_callback)(void *cookie, u32 event_bitmask);
+- void *event_cookie;
+- u32 event_bitmask;
+- int enabled;
+-};
+-
+-/**
+- * struct tspp2_global_irq_stats - Global interrupt statistics counters
+- *
+- * @tsp_invalid_af_control: Invalid adaptation field control bit.
+- * @tsp_invalid_length: Invalid adaptation field length.
+- * @pes_no_sync: PES sync sequence not found.
+- * @encrypt_level_err: Cipher operation configuration error.
+- */
+-struct tspp2_global_irq_stats {
+- u32 tsp_invalid_af_control;
+- u32 tsp_invalid_length;
+- u32 pes_no_sync;
+- u32 encrypt_level_err;
+-};
+-
+-/**
+- * struct tspp2_src_irq_stats - Memory source interrupt statistics counters
+- *
+- * @read_failure: Failure to read from memory input.
+- * @flow_control_stall: Input is stalled due to flow control.
+- */
+-struct tspp2_src_irq_stats {
+- u32 read_failure;
+- u32 flow_control_stall;
+-};
+-
+-/**
+- * struct tspp2_keytable_irq_stats - Key table interrupt statistics counters
+- *
+- * @key_not_ready: Ciphering keys are not ready in the key table.
+- */
+-struct tspp2_keytable_irq_stats {
+- u32 key_not_ready;
+-};
+-
+-/**
+- * struct tspp2_pipe_irq_stats - Pipe interrupt statistics counters
+- *
+- * @unexpected_reset: SW reset the pipe before all operations on this
+- * pipe ended.
+- * @qsb_response_error: TX operation ends with QSB error.
+- * @wrong_pipe_direction: Trying to use a pipe in the wrong direction.
+- */
+-struct tspp2_pipe_irq_stats {
+- u32 unexpected_reset;
+- u32 qsb_response_error;
+- u32 wrong_pipe_direction;
+-};
+-
+-/**
+- * struct tspp2_filter_context_irq_stats - Filter interrupt statistics counters
+- *
+- * @sc_go_high: Scrambling bits change from clear to encrypted.
+- * @sc_go_low: Scrambling bits change from encrypted to clear.
+- */
+-struct tspp2_filter_context_irq_stats {
+- u32 sc_go_high;
+- u32 sc_go_low;
+-};
+-
+-/**
+- * struct tspp2_irq_stats - Interrupt statistics counters
+- *
+- * @global: Global interrupt statistics counters
+- * @src: Memory source interrupt statistics counters
+- * @kt: Key table interrupt statistics counters
+- * @pipe: Pipe interrupt statistics counters
+- * @ctx: Filter context interrupt statistics counters
+- */
+-struct tspp2_irq_stats {
+- struct tspp2_global_irq_stats global;
+- struct tspp2_src_irq_stats src[TSPP2_NUM_MEM_INPUTS];
+- struct tspp2_keytable_irq_stats kt[TSPP2_NUM_KEYTABLES];
+- struct tspp2_pipe_irq_stats pipe[TSPP2_NUM_PIPES];
+- struct tspp2_filter_context_irq_stats ctx[TSPP2_NUM_CONTEXTS];
+-};
+-
+-/**
+- * struct tspp2_iommu_info - TSPP2 IOMMU information
+- *
+- * @hlos_group: TSPP2 IOMMU HLOS (Non-Secure) group.
+- * @cpz_group: TSPP2 IOMMU HLOS (Secure) group.
+- * @hlos_domain: TSPP2 IOMMU HLOS (Non-Secure) domain.
+- * @cpz_domain: TSPP2 IOMMU CPZ (Secure) domain.
+- * @hlos_domain_num: TSPP2 IOMMU HLOS (Non-Secure) domain number.
+- * @cpz_domain_num: TSPP2 IOMMU CPZ (Secure) domain number.
+- * @hlos_partition: TSPP2 IOMMU HLOS partition number.
+- * @cpz_partition: TSPP2 IOMMU CPZ partition number.
+- */
+-struct tspp2_iommu_info {
+- struct iommu_group *hlos_group;
+- struct iommu_group *cpz_group;
+- struct iommu_domain *hlos_domain;
+- struct iommu_domain *cpz_domain;
+- int hlos_domain_num;
+- int cpz_domain_num;
+- int hlos_partition;
+- int cpz_partition;
+-};
+-
+-/**
+- * struct tspp2_device - TSPP2 device
+- *
+- * @dev_id: TSPP2 device ID.
+- * @opened: A flag to indicate whether the device is open.
+- * @pdev: Platform device.
+- * @dev: Device structure, used for driver prints.
+- * @base: TSPP2 Device memory base address.
+- * @tspp2_irq: TSPP2 Device IRQ number.
+- * @bam_handle: BAM handle.
+- * @bam_irq: BAM IRQ number.
+- * @bam_props: BAM properties.
+- * @iommu_info: IOMMU information.
+- * @wakeup_src: A wakeup source to keep CPU awake when needed.
+- * @spinlock: A spinlock to protect accesses to
+- * data structures that happen from APIs and ISRs.
+- * @mutex: A mutex for mutual exclusion between API calls.
+- * @tsif_devices: An array of TSIF devices.
+- * @gdsc: GDSC power regulator.
+- * @bus_client: Client for bus bandwidth voting.
+- * @tspp2_ahb_clk: TSPP2 AHB clock.
+- * @tspp2_core_clk: TSPP2 core clock.
+- * @tspp2_vbif_clk: TSPP2 VBIF clock.
+- * @vbif_ahb_clk: VBIF AHB clock.
+- * @vbif_axi_clk: VBIF AXI clock.
+- * @tspp2_klm_ahb_clk: TSPP2 KLM AHB clock.
+- * @tsif_ref_clk: TSIF reference clock.
+- * @batches: An array of filter batch objects.
+- * @contexts: An array of context indexes. The index in this
+- * array represents the context's HW index, while
+- * the value represents whether it is used by a
+- * filter or free.
+- * @indexing_tables: An array of indexing tables.
+- * @tsif_sources: An array of source objects for TSIF input.
+- * @mem_sources: An array of source objects for memory input.
+- * @filters: An array of filter objects.
+- * @pipes: An array of pipe objects.
+- * @num_secured_opened_pipes: Number of secured opened pipes.
+- * @num_non_secured_opened_pipes: Number of non-secured opened pipes.
+- * @num_enabled_sources: Number of enabled sources.
+- * @work_queue: A work queue for invoking user callbacks.
+- * @event_callback: A user callback to invoke when a global event
+- * occurs.
+- * @event_cookie: A user cookie to provide to the callback.
+- * @event_bitmask: A bit mask of global events
+- * TSPP2_GLOBAL_EVENT_XXX.
+- * @debugfs_entry: TSPP2 device debugfs entry.
+- * @irq_stats: TSPP2 IRQ statistics.
+- * @free_work_list: A list of available work elements.
+- * @work_pool: A pool of work elements.
+- */
+-struct tspp2_device {
+- u32 dev_id;
+- int opened;
+- struct platform_device *pdev;
+- struct device *dev;
+- void __iomem *base;
+- u32 tspp2_irq;
+- unsigned long bam_handle;
+- u32 bam_irq;
+- struct sps_bam_props bam_props;
+- struct tspp2_iommu_info iommu_info;
+- struct wakeup_source wakeup_src;
+- spinlock_t spinlock;
+- struct mutex mutex;
+- struct tspp2_tsif_device tsif_devices[TSPP2_NUM_TSIF_INPUTS];
+- struct regulator *gdsc;
+- uint32_t bus_client;
+- struct clk *tspp2_ahb_clk;
+- struct clk *tspp2_core_clk;
+- struct clk *tspp2_vbif_clk;
+- struct clk *vbif_ahb_clk;
+- struct clk *vbif_axi_clk;
+- struct clk *tspp2_klm_ahb_clk;
+- struct clk *tsif_ref_clk;
+- struct tspp2_filter_batch batches[TSPP2_NUM_BATCHES];
+- int contexts[TSPP2_NUM_AVAIL_CONTEXTS];
+- struct tspp2_indexing_table indexing_tables[TSPP2_NUM_INDEXING_TABLES];
+- struct tspp2_src tsif_sources[TSPP2_NUM_TSIF_INPUTS];
+- struct tspp2_src mem_sources[TSPP2_NUM_MEM_INPUTS];
+- struct tspp2_filter filters[TSPP2_NUM_AVAIL_FILTERS];
+- struct tspp2_pipe pipes[TSPP2_NUM_PIPES];
+- u8 num_secured_opened_pipes;
+- u8 num_non_secured_opened_pipes;
+- u8 num_enabled_sources;
+- struct workqueue_struct *work_queue;
+- void (*event_callback)(void *cookie, u32 event_bitmask);
+- void *event_cookie;
+- u32 event_bitmask;
+- struct dentry *debugfs_entry;
+- struct tspp2_irq_stats irq_stats;
+- struct list_head free_work_list;
+- struct tspp2_event_work work_pool[TSPP2_NUM_EVENT_WORK_ELEMENTS];
+-};
+-
+-/* Global TSPP2 devices database */
+-static struct tspp2_device *tspp2_devices[TSPP2_NUM_DEVICES];
+-
+-/* debugfs support */
+-
+-static int debugfs_iomem_x32_set(void *data, u64 val)
+-{
+- int ret;
+- struct tspp2_device *device = tspp2_devices[0]; /* Assuming device 0 */
+-
+- if (!device->opened)
+-
return -ENODEV;
+-
+- ret = pm_runtime_get_sync(device->dev);
+- if (ret < 0)
+- return ret;
+-
+- writel_relaxed(val, data);
+- wmb();
+-
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+-
+- return 0;
+-}
+-
+-static int debugfs_iomem_x32_get(void *data, u64 *val)
+-{
+- int ret;
+- struct tspp2_device *device = tspp2_devices[0]; /* Assuming device 0 */
+-
+- if (!device->opened)
+- return -ENODEV;
+-
+- ret = pm_runtime_get_sync(device->dev);
+- if (ret < 0)
+- return ret;
+-
+- *val = readl_relaxed(data);
+-
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+-
+- return 0;
+-}
+-
+-DEFINE_SIMPLE_ATTRIBUTE(fops_iomem_x32, debugfs_iomem_x32_get,
+- debugfs_iomem_x32_set, "0x%08llX");
+-
+-static int debugfs_dev_open_set(void *data, u64 val)
+-{
+- int ret = 0;
+-
+- /* Assuming device 0 */
+- if (val == 1)
+- ret = tspp2_device_open(0);
+- else
+- ret = tspp2_device_close(0);
+-
+- return ret;
+-}
+-
+-static int debugfs_dev_open_get(void *data, u64 *val)
+-{
+- struct tspp2_device *device = tspp2_devices[0]; /* Assuming device 0 */
+-
+- *val = device->opened;
+-
+- return 0;
+-}
+-
+-DEFINE_SIMPLE_ATTRIBUTE(fops_device_open, debugfs_dev_open_get,
+- debugfs_dev_open_set, "0x%08llX");
+-
+-/**
+- * tspp2_tsif_debugfs_init() - TSIF device debugfs initialization.
+- *
+- * @tsif_device: TSIF device.
+- */
+-static void tspp2_tsif_debugfs_init(struct tspp2_tsif_device *tsif_device)
+-{
+- int i;
+- char name[10];
+- struct dentry *dentry;
+- void __iomem *base = tsif_device->base;
+-
+- snprintf(name, 10, "tsif%i", tsif_device->hw_index);
+- tsif_device->debugfs_entry = debugfs_create_dir(name, NULL);
+-
+- if (!tsif_device->debugfs_entry)
+- return;
+-
+- dentry = tsif_device->debugfs_entry;
+- if (dentry) {
+- for (i = 0; i < ARRAY_SIZE(tsif_regs); i++) {
+- debugfs_create_file(
+- tsif_regs[i].name,
+- tsif_regs[i].mode,
+- dentry,
+- base + tsif_regs[i].offset,
+- &fops_iomem_x32);
+- }
+- }
+-
+- dentry = debugfs_create_dir("statistics", tsif_device->debugfs_entry);
+- if (dentry) {
+- debugfs_create_u32(
+- "stat_pkt_write_err",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &tsif_device->stat_pkt_write_err);
+-
+- debugfs_create_u32(
+- "stat_pkt_read_err",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &tsif_device->stat_pkt_read_err);
+-
+- debugfs_create_u32(
+- "stat_overflow",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &tsif_device->stat_overflow);
+-
+- debugfs_create_u32(
+- "stat_lost_sync",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &tsif_device->stat_lost_sync);
+-
+- debugfs_create_u32(
+- "stat_timeout",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &tsif_device->stat_timeout);
+- }
+-}
+-
+-static char *op_to_string(enum tspp2_operation_type op)
+-{
+- switch (op) {
+- case TSPP2_OP_PES_ANALYSIS:
+- return "TSPP2_OP_PES_ANALYSIS";
+- case TSPP2_OP_RAW_TRANSMIT:
+- return "TSPP2_OP_RAW_TRANSMIT";
+- case TSPP2_OP_PES_TRANSMIT:
+- return "TSPP2_OP_PES_TRANSMIT";
+- case TSPP2_OP_PCR_EXTRACTION:
+- return "TSPP2_OP_PCR_EXTRACTION";
+- case TSPP2_OP_CIPHER:
+- return "TSPP2_OP_CIPHER";
+- case TSPP2_OP_INDEXING:
+- return "TSPP2_OP_INDEXING";
+- case TSPP2_OP_COPY_PACKET:
+- return "TSPP2_OP_COPY_PACKET";
+- default:
+- return "Invalid Operation";
+- }
+-}
+-
+-static char *src_input_to_string(enum tspp2_src_input src_input)
+-{
+- switch
(src_input) { +- case TSPP2_INPUT_TSIF0: +- return "TSPP2_INPUT_TSIF0"; +- case TSPP2_INPUT_TSIF1: +- return "TSPP2_INPUT_TSIF1"; +- case TSPP2_INPUT_MEMORY: +- return "TSPP2_INPUT_MEMORY"; +- default: +- return "Unknown source input type"; +- } +-} +- +-static char *pkt_format_to_string(enum tspp2_packet_format pkt_format) +-{ +- switch (pkt_format) { +- case TSPP2_PACKET_FORMAT_188_RAW: +- return "TSPP2_PACKET_FORMAT_188_RAW"; +- case TSPP2_PACKET_FORMAT_192_HEAD: +- return "TSPP2_PACKET_FORMAT_192_HEAD"; +- case TSPP2_PACKET_FORMAT_192_TAIL: +- return "TSPP2_PACKET_FORMAT_192_TAIL"; +- default: +- return "Unknown packet format"; +- } +-} +- +-/** +- * debugfs service to print device information. +- */ +-static int tspp2_device_debugfs_print(struct seq_file *s, void *p) +-{ +- int count; +- int exist_flag = 0; +- struct tspp2_device *device = (struct tspp2_device *)s->private; +- +- seq_printf(s, "dev_id: %d\n", device->dev_id); +- seq_puts(s, "Enabled filters:"); +- for (count = 0; count < TSPP2_NUM_AVAIL_FILTERS; count++) +- if (device->filters[count].enabled) { +- seq_printf(s, "\n\tfilter%3d", count); +- exist_flag = 1; +- } +- if (!exist_flag) +- seq_puts(s, " none\n"); +- else +- seq_puts(s, "\n"); +- +- exist_flag = 0; +- seq_puts(s, "Opened filters:"); +- for (count = 0; count < TSPP2_NUM_AVAIL_FILTERS; count++) +- if (device->filters[count].opened) { +- seq_printf(s, "\n\tfilter%3d", count); +- exist_flag = 1; +- } +- if (!exist_flag) +- seq_puts(s, " none\n"); +- else +- seq_puts(s, "\n"); +- +- exist_flag = 0; +- seq_puts(s, "Opened pipes:\n"); +- for (count = 0; count < TSPP2_NUM_PIPES; count++) +- if (device->pipes[count].opened) { +- seq_printf(s, "\tpipe%2d\n", count); +- exist_flag = 1; +- } +- if (!exist_flag) +- seq_puts(s, " none\n"); +- else +- seq_puts(s, "\n"); +- +- return 0; +-} +- +-/** +- * debugfs service to print source information. 
+- */
+-static int tspp2_src_debugfs_print(struct seq_file *s, void *p)
+-{
+- struct tspp2_filter_batch *batch;
+- struct tspp2_filter *filter;
+- struct tspp2_output_pipe *output_pipe;
+- struct tspp2_src *src = (struct tspp2_src *)s->private;
+-
+- if (!src) {
+- seq_puts(s, "error\n");
+- return 1;
+- }
+- seq_printf(s, "Status: %s\n", src->enabled ? "enabled" : "disabled");
+- seq_printf(s, "hw_index: %d\n", src->hw_index);
+- seq_printf(s, "event_bitmask: 0x%08X\n", src->event_bitmask);
+- if (src->input_pipe)
+- seq_printf(s, "input_pipe hw_index: %d\n",
+- src->input_pipe->hw_index);
+- seq_printf(s, "tspp2_src_input: %s\n", src_input_to_string(src->input));
+- seq_printf(s, "pkt_format: %s\n",
+- pkt_format_to_string(src->pkt_format));
+- seq_printf(s, "num_associated_batches: %d\n",
+- src->num_associated_batches);
+-
+- if (src->num_associated_batches) {
+- seq_puts(s, "batch_ids: ");
+- list_for_each_entry(batch, &src->batches_list, link)
+- seq_printf(s, "%d ", batch->batch_id);
+- seq_puts(s, "\n");
+- }
+-
+- seq_printf(s, "num_associated_pipes: %d\n", src->num_associated_pipes);
+- if (src->num_associated_pipes) {
+- seq_puts(s, "pipes_hw_idxs: ");
+- list_for_each_entry(output_pipe, &src->output_pipe_list, link) {
+- seq_printf(s, "%d ", output_pipe->pipe->hw_index);
+- }
+- seq_puts(s, "\n");
+- }
+-
+- seq_printf(s, "reserved_filter_hw_index: %d\n",
+- src->reserved_filter_hw_index);
+-
+- seq_printf(s, "num_associated_filters: %d\n",
+- src->num_associated_filters);
+- if (src->num_associated_filters) {
+- int i;
+- seq_puts(s, "Open filters:\n");
+- list_for_each_entry(filter, &src->filters_list, link) {
+- if (!filter->opened)
+- continue;
+- seq_printf(s, "\thw_index: %d\n",
+- filter->hw_index);
+- seq_printf(s, "\tStatus: %s\n",
+- filter->enabled ? "enabled"
+- : "disabled");
+- seq_printf(s, "\tpid_value: 0x%08X\n",
+- filter->pid_value);
+- seq_printf(s, "\tmask: 0x%08X\n", filter->mask);
+- seq_printf(s, "\tnum_user_operations: %d\n",
+- filter->num_user_operations);
+- if (filter->num_user_operations) {
+- seq_puts(
+- s, "\tTypes of operations:\n");
+- for (i = 0;
+- i < filter->num_user_operations; i++) {
+- seq_printf(s, "\t\t%s\n", op_to_string(
+- filter->operations[i].type));
+- }
+- }
+- }
+-
+- } else {
+- seq_puts(s, "no filters\n");
+- }
+-
+- return 0;
+-}
+-
+-/**
+- * debugfs service to print filter information.
+- */
+-static int filter_debugfs_print(struct seq_file *s, void *p)
+-{
+- int i;
+- struct tspp2_filter *filter = (struct tspp2_filter *)s->private;
+-
+- seq_printf(s, "Status: %s\n", filter->opened ? "opened" : "closed");
+- if (filter->batch)
+- seq_printf(s, "Located in batch %d\n", filter->batch->batch_id);
+- if (filter->src)
+- seq_printf(s, "Associated with src %d\n",
+- filter->src->hw_index);
+- seq_printf(s, "hw_index: %d\n", filter->hw_index);
+- seq_printf(s, "pid_value: 0x%08X\n", filter->pid_value);
+- seq_printf(s, "mask: 0x%08X\n", filter->mask);
+- seq_printf(s, "context: %d\n", filter->context);
+- seq_printf(s, "indexing_table_id: %d\n", filter->indexing_table_id);
+- seq_printf(s, "num_user_operations: %d\n", filter->num_user_operations);
+- seq_puts(s, "Types of operations:\n");
+- for (i = 0; i < filter->num_user_operations; i++)
+- seq_printf(s, "\t%s\n", op_to_string(
+- filter->operations[i].type));
+- seq_printf(s, "indexing_op_set: %d\n", filter->indexing_op_set);
+- seq_printf(s, "raw_op_with_indexing: %d\n",
+- filter->raw_op_with_indexing);
+- seq_printf(s, "pes_analysis_op_set: %d\n", filter->pes_analysis_op_set);
+- seq_printf(s, "raw_op_set: %d\n", filter->raw_op_set);
+- seq_printf(s, "pes_tx_op_set: %d\n", filter->pes_tx_op_set);
+- seq_printf(s, "Status: %s\n", filter->enabled ? "enabled" : "disabled");
+-
+- if (filter->enabled) {
+- seq_printf(s, "Filter context-based counters, context %d\n",
+- filter->context);
+- seq_printf(s, "filter_tsp_sync_err = 0x%08X\n",
+- readl_relaxed(filter->device->base +
+- TSPP2_FILTER_TSP_SYNC_ERROR(filter->context)));
+- seq_printf(s, "filter_erred_tsp = 0x%08X\n",
+- readl_relaxed(filter->device->base +
+- TSPP2_FILTER_ERRED_TSP(filter->context)));
+- seq_printf(s, "filter_discontinuities = 0x%08X\n",
+- readl_relaxed(filter->device->base +
+- TSPP2_FILTER_DISCONTINUITIES(filter->context)));
+- seq_printf(s, "filter_sc_bits_discard = 0x%08X\n",
+- readl_relaxed(filter->device->base +
+- TSPP2_FILTER_SCRAMBLING_BITS_DISCARD(filter->context)));
+- seq_printf(s, "filter_tsp_total_num = 0x%08X\n",
+- readl_relaxed(filter->device->base +
+- TSPP2_FILTER_TSP_TOTAL_NUM(filter->context)));
+- seq_printf(s, "filter_discont_indicator = 0x%08X\n",
+- readl_relaxed(filter->device->base +
+- TSPP2_FILTER_DISCONT_INDICATOR(filter->context)));
+- seq_printf(s, "filter_tsp_no_payload = 0x%08X\n",
+- readl_relaxed(filter->device->base +
+- TSPP2_FILTER_TSP_NO_PAYLOAD(filter->context)));
+- seq_printf(s, "filter_tsp_duplicate = 0x%08X\n",
+- readl_relaxed(filter->device->base +
+- TSPP2_FILTER_TSP_DUPLICATE(filter->context)));
+- seq_printf(s, "filter_key_fetch_fail = 0x%08X\n",
+- readl_relaxed(filter->device->base +
+- TSPP2_FILTER_KEY_FETCH_FAILURE(filter->context)));
+- seq_printf(s, "filter_dropped_pcr = 0x%08X\n",
+- readl_relaxed(filter->device->base +
+- TSPP2_FILTER_DROPPED_PCR(filter->context)));
+- seq_printf(s, "filter_pes_errors = 0x%08X\n",
+- readl_relaxed(filter->device->base +
+- TSPP2_FILTER_PES_ERRORS(filter->context)));
+- }
+-
+- return 0;
+-}
+-
+-/**
+- * debugfs service to print pipe information.
+- */
+-static int pipe_debugfs_print(struct seq_file *s, void *p)
+-{
+- struct tspp2_pipe *pipe = (struct tspp2_pipe *)s->private;
+- seq_printf(s, "hw_index: %d\n", pipe->hw_index);
+- seq_printf(s, "iova: 0x%08X\n", pipe->iova);
+- seq_printf(s, "threshold: %d\n", pipe->threshold);
+- seq_printf(s, "Status: %s\n", pipe->opened ? "opened" : "closed");
+- seq_printf(s, "ref_cnt: %d\n", pipe->ref_cnt);
+- return 0;
+-}
+-
+-static int tspp2_dev_dbgfs_open(struct inode *inode, struct file *file)
+-{
+- return single_open(file, tspp2_device_debugfs_print,
+- inode->i_private);
+-}
+-
+-static int tspp2_filter_dbgfs_open(struct inode *inode, struct file *file)
+-{
+- return single_open(file, filter_debugfs_print, inode->i_private);
+-}
+-
+-static int tspp2_pipe_dbgfs_open(struct inode *inode, struct file *file)
+-{
+- return single_open(file, pipe_debugfs_print, inode->i_private);
+-}
+-
+-static int tspp2_src_dbgfs_open(struct inode *inode, struct file *file)
+-{
+- return single_open(file, tspp2_src_debugfs_print, inode->i_private);
+-}
+-
+-static const struct file_operations dbgfs_tspp2_device_fops = {
+- .open = tspp2_dev_dbgfs_open,
+- .read = seq_read,
+- .llseek = seq_lseek,
+- .release = single_release,
+- .owner = THIS_MODULE,
+-};
+-
+-static const struct file_operations dbgfs_filter_fops = {
+- .open = tspp2_filter_dbgfs_open,
+- .read = seq_read,
+- .llseek = seq_lseek,
+- .release = single_release,
+- .owner = THIS_MODULE,
+-};
+-
+-static const struct file_operations dbgfs_pipe_fops = {
+- .open = tspp2_pipe_dbgfs_open,
+- .read = seq_read,
+- .llseek = seq_lseek,
+- .release = single_release,
+- .owner = THIS_MODULE,
+-};
+-
+-static const struct file_operations dbgfs_src_fops = {
+- .open = tspp2_src_dbgfs_open,
+- .read = seq_read,
+- .llseek = seq_lseek,
+- .release = single_release,
+- .owner = THIS_MODULE,
+-};
+-
+-/**
+- * tspp2_tsif_debugfs_exit() - TSIF device debugfs teardown.
+- *
+- * @tsif_device: TSIF device.
+- */
+-static void tspp2_tsif_debugfs_exit(struct tspp2_tsif_device *tsif_device)
+-{
+- debugfs_remove_recursive(tsif_device->debugfs_entry);
+- tsif_device->debugfs_entry = NULL;
+-}
+-
+-/**
+- * tspp2_debugfs_init() - TSPP2 device debugfs initialization.
+- *
+- * @device: TSPP2 device.
+- */
+-static void tspp2_debugfs_init(struct tspp2_device *device)
+-{
+- int i, j;
+- char name[80];
+- struct dentry *dentry;
+- struct dentry *dir;
+- void __iomem *base = device->base;
+-
+- snprintf(name, 80, "tspp2_%i", device->dev_id);
+- device->debugfs_entry = debugfs_create_dir(name, NULL);
+-
+- if (!device->debugfs_entry)
+- return;
+-
+- /* Support device open/close */
+- debugfs_create_file("open", TSPP2_S_RW, device->debugfs_entry,
+- NULL, &fops_device_open);
+-
+- dentry = debugfs_create_dir("regs", device->debugfs_entry);
+- if (dentry) {
+- for (i = 0; i < ARRAY_SIZE(tspp2_regs); i++) {
+- debugfs_create_file(
+- tspp2_regs[i].name,
+- tspp2_regs[i].mode,
+- dentry,
+- base + tspp2_regs[i].offset,
+- &fops_iomem_x32);
+- }
+- }
+-
+- dentry = debugfs_create_dir("statistics", device->debugfs_entry);
+- if (dentry) {
+- debugfs_create_u32(
+- "stat_tsp_invalid_af_control",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &device->irq_stats.global.tsp_invalid_af_control);
+-
+- debugfs_create_u32(
+- "stat_tsp_invalid_length",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &device->irq_stats.global.tsp_invalid_length);
+-
+- debugfs_create_u32(
+- "stat_pes_no_sync",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &device->irq_stats.global.pes_no_sync);
+-
+- debugfs_create_u32(
+- "stat_encrypt_level_err",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &device->irq_stats.global.encrypt_level_err);
+- }
+-
+- dir = debugfs_create_dir("counters", device->debugfs_entry);
+- for (i = 0; i < TSPP2_NUM_CONTEXTS; i++) {
+- snprintf(name, 80, "context%03i", i);
+- dentry = debugfs_create_dir(name, dir);
+- if (dentry) {
+- debugfs_create_file("filter_tsp_sync_err",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_FILTER_TSP_SYNC_ERROR(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_file("filter_erred_tsp",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_FILTER_ERRED_TSP(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_file("filter_discontinuities",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_FILTER_DISCONTINUITIES(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_file("filter_sc_bits_discard",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_FILTER_SCRAMBLING_BITS_DISCARD(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_file("filter_tsp_total_num",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_FILTER_TSP_TOTAL_NUM(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_file("filter_discont_indicator",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_FILTER_DISCONT_INDICATOR(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_file("filter_tsp_no_payload",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_FILTER_TSP_NO_PAYLOAD(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_file("filter_tsp_duplicate",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_FILTER_TSP_DUPLICATE(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_file("filter_key_fetch_fail",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_FILTER_KEY_FETCH_FAILURE(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_file("filter_dropped_pcr",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_FILTER_DROPPED_PCR(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_file("filter_pes_errors",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_FILTER_PES_ERRORS(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_u32(
+- "stat_sc_go_high",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &device->irq_stats.ctx[i].sc_go_high);
+-
+- debugfs_create_u32(
+- "stat_sc_go_low",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &device->irq_stats.ctx[i].sc_go_low);
+- }
+- }
+-
+- dir = debugfs_create_dir("filters", device->debugfs_entry);
+- for (i = 0; i < TSPP2_NUM_HW_FILTERS; i++) {
+- snprintf(name, 80, "filter%03i", i);
+- dentry = debugfs_create_dir(name, dir);
+- if (dentry) {
+- debugfs_create_file("filter_entry0",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_FILTER_ENTRY0(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_file("filter_entry1",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_FILTER_ENTRY1(i),
+- &fops_iomem_x32);
+-
+- for (j = 0; j < TSPP2_MAX_OPS_PER_FILTER; j++) {
+- snprintf(name, 80, "opcode%02i", j);
+- debugfs_create_file(name,
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_OPCODE(i, j),
+- &fops_iomem_x32);
+- }
+- }
+- }
+-
+- dir = debugfs_create_dir("mem_sources", device->debugfs_entry);
+- for (i = 0; i < TSPP2_NUM_MEM_INPUTS; i++) {
+- snprintf(name, 80, "mem_src%i", i);
+- dentry = debugfs_create_dir(name, dir);
+- if (dentry) {
+- debugfs_create_u32(
+- "stat_read_failure",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &device->irq_stats.src[i].read_failure);
+-
+- debugfs_create_u32(
+- "stat_flow_control_stall",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &device->irq_stats.src[i].flow_control_stall);
+- }
+- }
+-
+- dir = debugfs_create_dir("key_tables", device->debugfs_entry);
+- for (i = 0; i < TSPP2_NUM_KEYTABLES; i++) {
+- snprintf(name, 80, "key_table%02i", i);
+- dentry = debugfs_create_dir(name, dir);
+- if (dentry) {
+- debugfs_create_u32(
+- "stat_key_not_ready",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &device->irq_stats.kt[i].key_not_ready);
+- }
+- }
+-
+- dir = debugfs_create_dir("pipes", device->debugfs_entry);
+- for (i = 0; i < TSPP2_NUM_PIPES; i++) {
+- snprintf(name, 80, "pipe%02i", i);
+- dentry = debugfs_create_dir(name, dir);
+- if (dentry) {
+- debugfs_create_file("threshold",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_PIPE_THRESH_CONFIG(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_file("last_address",
+- S_IRUGO,
+- dentry,
+- base + TSPP2_PIPE_LAST_ADDRESS(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_file("data_not_sent",
+- S_IRUGO,
+- dentry,
+- base + TSPP2_DATA_NOT_SENT_ON_PIPE(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_u32(
+- "stat_unexpected_reset",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &device->irq_stats.pipe[i].unexpected_reset);
+-
+- debugfs_create_u32(
+- "stat_qsb_response_error",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &device->irq_stats.pipe[i].qsb_response_error);
+-
+- debugfs_create_u32(
+- "stat_wrong_pipe_direction",
+- S_IRUGO | S_IWUSR | S_IWGRP,
+- dentry,
+- &device->irq_stats.pipe[i].
+- wrong_pipe_direction);
+- }
+- }
+-
+- dir = debugfs_create_dir("indexing_tables", device->debugfs_entry);
+- for (i = 0; i < TSPP2_NUM_INDEXING_TABLES; i++) {
+- snprintf(name, 80, "indexing_table%i", i);
+- dentry = debugfs_create_dir(name, dir);
+- if (dentry) {
+- debugfs_create_file("prefix",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_INDEX_TABLE_PREFIX(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_file("mask",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_INDEX_TABLE_PREFIX_MASK(i),
+- &fops_iomem_x32);
+-
+- debugfs_create_file("parameters",
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_INDEX_TABLE_PARAMS(i),
+- &fops_iomem_x32);
+-
+- for (j = 0; j < TSPP2_NUM_INDEXING_PATTERNS; j++) {
+- snprintf(name, 80, "pattern_%02i", j);
+- debugfs_create_file(name,
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_INDEX_TABLE_PATTEREN(i, j),
+- &fops_iomem_x32);
+-
+- snprintf(name, 80, "mask_%02i", j);
+- debugfs_create_file(name,
+- TSPP2_S_RW,
+- dentry,
+- base + TSPP2_INDEX_TABLE_MASK(i, j),
+- &fops_iomem_x32);
+- }
+- }
+- }
+- dir = debugfs_create_dir("software", device->debugfs_entry);
+- debugfs_create_file("device", S_IRUGO, dir, device,
+- &dbgfs_tspp2_device_fops);
+-
+- dentry = debugfs_create_dir("filters", dir);
+- if (dentry) {
+- for (i = 0; i < TSPP2_NUM_AVAIL_FILTERS; i++) {
+- snprintf(name, 20, "filter%03i", i);
+- debugfs_create_file(name, S_IRUGO, dentry,
+- &(device->filters[i]), &dbgfs_filter_fops);
+- }
+- }
+-
+- dentry = debugfs_create_dir("pipes", dir);
+- if (dentry) {
+- for (i = 0; i < TSPP2_NUM_PIPES; i++) {
+- snprintf(name, 20, "pipe%02i", i);
+- debugfs_create_file(name, S_IRUGO, dentry,
+- &(device->pipes[i]), &dbgfs_pipe_fops);
+- }
+- }
+-
+- dentry = debugfs_create_dir("sources", dir);
+- if (dentry) {
+- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++) {
+- snprintf(name, 20, "tsif%d", i);
+- debugfs_create_file(name, S_IRUGO, dentry,
+- &(device->tsif_sources[i]), &dbgfs_src_fops);
+- }
+- for (i = 0; i < TSPP2_NUM_MEM_INPUTS; i++) {
+- snprintf(name, 20, "mem%d", i);
+- debugfs_create_file(name, S_IRUGO, dentry,
+- &(device->mem_sources[i]), &dbgfs_src_fops);
+- }
+- }
+-}
+-
+-/**
+- * tspp2_debugfs_exit() - TSPP2 device debugfs teardown.
+- *
+- * @device: TSPP2 device.
+- */
+-static void tspp2_debugfs_exit(struct tspp2_device *device)
+-{
+- debugfs_remove_recursive(device->debugfs_entry);
+- device->debugfs_entry = NULL;
+-}
+-
+-/**
+- * tspp2_tsif_start() - Start TSIF device HW.
+- *
+- * @tsif_device: TSIF device.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_tsif_start(struct tspp2_tsif_device *tsif_device)
+-{
+- u32 ctl;
+-
+- if (tsif_device->ref_count > 0)
+- return 0;
+-
+- ctl = (TSIF_STS_CTL_EN_IRQ | TSIF_STS_CTL_EN_DM |
+- TSIF_STS_CTL_PACK_AVAIL | TSIF_STS_CTL_OVERFLOW |
+- TSIF_STS_CTL_LOST_SYNC | TSIF_STS_CTL_TIMEOUT |
+- TSIF_STS_CTL_PARALLEL);
+-
+- if (tsif_device->clock_inverse)
+- ctl |= TSIF_STS_CTL_INV_CLOCK;
+-
+- if (tsif_device->data_inverse)
+- ctl |= TSIF_STS_CTL_INV_DATA;
+-
+- if (tsif_device->sync_inverse)
+- ctl |= TSIF_STS_CTL_INV_SYNC;
+-
+- if (tsif_device->enable_inverse)
+- ctl |= TSIF_STS_CTL_INV_ENABLE;
+-
+- switch (tsif_device->mode) {
+- case TSPP2_TSIF_MODE_LOOPBACK:
+- ctl |= TSIF_STS_CTL_EN_NULL |
+- TSIF_STS_CTL_EN_ERROR |
+- TSIF_STS_CTL_TEST_MODE;
+- break;
+- case TSPP2_TSIF_MODE_1:
+- ctl |= TSIF_STS_CTL_EN_TIME_LIM | TSIF_STS_CTL_EN_TCR;
+- break;
+- case TSPP2_TSIF_MODE_2:
+- ctl |= TSIF_STS_CTL_EN_TIME_LIM |
+- TSIF_STS_CTL_EN_TCR |
+- TSIF_STS_CTL_MODE_2;
+- break;
+- default:
+- pr_warn("%s: Unknown TSIF mode %d, setting to TSPP2_TSIF_MODE_2\n",
+- __func__, tsif_device->mode);
+- ctl |= TSIF_STS_CTL_EN_TIME_LIM |
+- TSIF_STS_CTL_EN_TCR |
+- TSIF_STS_CTL_MODE_2;
+- break;
+- }
+-
+- writel_relaxed(ctl, tsif_device->base + TSPP2_TSIF_STS_CTL);
+- writel_relaxed(tsif_device->time_limit,
+- tsif_device->base + TSPP2_TSIF_TIME_LIMIT);
+- wmb();
+- writel_relaxed(ctl | TSIF_STS_CTL_START,
+- tsif_device->base + TSPP2_TSIF_STS_CTL);
+- wmb();
+-
+- ctl = readl_relaxed(tsif_device->base + TSPP2_TSIF_STS_CTL);
+- if (ctl & TSIF_STS_CTL_START)
+- tsif_device->ref_count++;
+-
+- return (ctl & TSIF_STS_CTL_START) ? 0 : -EBUSY;
+-}
+-
+-
+-static int tspp2_vbif_clock_start(struct tspp2_device *device)
+-{
+- int ret;
+-
+- if (device->tspp2_vbif_clk) {
+- ret = clk_prepare_enable(device->tspp2_vbif_clk);
+- if (ret) {
+- pr_err("%s: Can't start tspp2_vbif_clk\n", __func__);
+- return ret;
+- }
+- }
+-
+- if (device->vbif_ahb_clk) {
+- ret = clk_prepare_enable(device->vbif_ahb_clk);
+- if (ret) {
+- pr_err("%s: Can't start vbif_ahb_clk\n", __func__);
+- goto disable_vbif_tspp2;
+- }
+- }
+- if (device->vbif_axi_clk) {
+- ret = clk_prepare_enable(device->vbif_axi_clk);
+- if (ret) {
+- pr_err("%s: Can't start vbif_ahb_clk\n", __func__);
+- goto disable_vbif_ahb;
+- }
+- }
+-
+- return 0;
+-
+-disable_vbif_ahb:
+- if (device->vbif_ahb_clk)
+- clk_disable_unprepare(device->vbif_ahb_clk);
+-disable_vbif_tspp2:
+- if (device->tspp2_vbif_clk)
+- clk_disable_unprepare(device->tspp2_vbif_clk);
+-
+- return ret;
+-}
+-
+-static void tspp2_vbif_clock_stop(struct tspp2_device *device)
+-{
+- if (device->tspp2_vbif_clk)
+- clk_disable_unprepare(device->tspp2_vbif_clk);
+-
+- if (device->vbif_ahb_clk)
+- clk_disable_unprepare(device->vbif_ahb_clk);
+-
+- if (device->vbif_axi_clk)
+- clk_disable_unprepare(device->vbif_axi_clk);
+-}
+-
+-/**
+- * tspp2_tsif_stop() - Stop TSIF device HW.
+- *
+- * @tsif_device: TSIF device.
+- */
+-static void tspp2_tsif_stop(struct tspp2_tsif_device *tsif_device)
+-{
+- if (tsif_device->ref_count == 0)
+- return;
+-
+- tsif_device->ref_count--;
+-
+- if (tsif_device->ref_count == 0) {
+- writel_relaxed(TSIF_STS_CTL_STOP,
+- tsif_device->base + TSPP2_TSIF_STS_CTL);
+- /*
+- * The driver assumes that after this point the TSIF is stopped,
+- * so a memory barrier is required to allow
+- * further register writes.
+- */
+- wmb();
+- }
+-}
+-
+-/* Clock functions */
+-
+-static int tspp2_reg_clock_start(struct tspp2_device *device)
+-{
+- int rc;
+-
+- if (device->tspp2_ahb_clk &&
+- clk_prepare_enable(device->tspp2_ahb_clk) != 0) {
+- pr_err("%s: Can't start tspp2_ahb_clk\n", __func__);
+- return -EBUSY;
+- }
+-
+- if (device->tspp2_core_clk &&
+- clk_prepare_enable(device->tspp2_core_clk) != 0) {
+- pr_err("%s: Can't start tspp2_core_clk\n", __func__);
+- if (device->tspp2_ahb_clk)
+- clk_disable_unprepare(device->tspp2_ahb_clk);
+- return -EBUSY;
+- }
+-
+- /* Request minimal bandwidth on the bus, required for register access */
+- if (device->bus_client) {
+- rc = msm_bus_scale_client_update_request(device->bus_client, 1);
+- if (rc) {
+- pr_err("%s: Can't enable bus\n", __func__);
+- if (device->tspp2_core_clk)
+- clk_disable_unprepare(device->tspp2_core_clk);
+- if (device->tspp2_ahb_clk)
+- clk_disable_unprepare(device->tspp2_ahb_clk);
+- return -EBUSY;
+- }
+- }
+-
+- return 0;
+-}
+-
+-static int tspp2_reg_clock_stop(struct tspp2_device *device)
+-{
+- /* Minimize bandwidth bus voting */
+- if (device->bus_client)
+- msm_bus_scale_client_update_request(device->bus_client, 0);
+-
+- if (device->tspp2_core_clk)
+- clk_disable_unprepare(device->tspp2_core_clk);
+-
+- if (device->tspp2_ahb_clk)
+- clk_disable_unprepare(device->tspp2_ahb_clk);
+-
+- return 0;
+-}
+-
+-/**
+- * tspp2_clock_start() - Enable the required TSPP2 clocks
+- *
+- * @device: The TSPP2 device.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_clock_start(struct tspp2_device *device)
+-{
+- int tspp2_ahb_clk = 0;
+- int tspp2_core_clk = 0;
+- int tspp2_vbif_clk = 0;
+- int tspp2_klm_ahb_clk = 0;
+- int tsif_ref_clk = 0;
+-
+- if (device == NULL) {
+- pr_err("%s: Can't start clocks, invalid device\n", __func__);
+- return -EINVAL;
+- }
+-
+- if (device->tspp2_ahb_clk) {
+- if (clk_prepare_enable(device->tspp2_ahb_clk) != 0) {
+- pr_err("%s: Can't start tspp2_ahb_clk\n", __func__);
+- goto err_clocks;
+- }
+- tspp2_ahb_clk = 1;
+- }
+-
+- if (device->tspp2_core_clk) {
+- if (clk_prepare_enable(device->tspp2_core_clk) != 0) {
+- pr_err("%s: Can't start tspp2_core_clk\n", __func__);
+- goto err_clocks;
+- }
+- tspp2_core_clk = 1;
+- }
+-
+- if (device->tspp2_klm_ahb_clk) {
+- if (clk_prepare_enable(device->tspp2_klm_ahb_clk) != 0) {
+- pr_err("%s: Can't start tspp2_klm_ahb_clk\n", __func__);
+- goto err_clocks;
+- }
+- tspp2_klm_ahb_clk = 1;
+- }
+-
+- if (device->tsif_ref_clk) {
+- if (clk_prepare_enable(device->tsif_ref_clk) != 0) {
+- pr_err("%s: Can't start tsif_ref_clk\n", __func__);
+- goto err_clocks;
+- }
+- tsif_ref_clk = 1;
+- }
+-
+- /* Request Max bandwidth on the bus, required for full operation */
+- if (device->bus_client &&
+- msm_bus_scale_client_update_request(device->bus_client, 2)) {
+- pr_err("%s: Can't enable bus\n", __func__);
+- goto err_clocks;
+- }
+-
+- return 0;
+-
+-err_clocks:
+- if (tspp2_ahb_clk)
+- clk_disable_unprepare(device->tspp2_ahb_clk);
+-
+- if (tspp2_core_clk)
+- clk_disable_unprepare(device->tspp2_core_clk);
+-
+- if (tspp2_vbif_clk)
+- clk_disable_unprepare(device->tspp2_vbif_clk);
+-
+- if (tspp2_klm_ahb_clk)
+- clk_disable_unprepare(device->tspp2_klm_ahb_clk);
+-
+- if (tsif_ref_clk)
+- clk_disable_unprepare(device->tsif_ref_clk);
+-
+- return -EBUSY;
+-}
+-
+-/**
+- * tspp2_clock_stop() - Disable TSPP2 clocks
+- *
+- * @device: The TSPP2 device.
+- */
+-static void tspp2_clock_stop(struct tspp2_device *device)
+-{
+- if (device == NULL) {
+- pr_err("%s: Can't stop clocks, invalid device\n", __func__);
+- return;
+- }
+-
+- /* Minimize bandwidth bus voting */
+- if (device->bus_client)
+- msm_bus_scale_client_update_request(device->bus_client, 0);
+-
+- if (device->tsif_ref_clk)
+- clk_disable_unprepare(device->tsif_ref_clk);
+-
+- if (device->tspp2_klm_ahb_clk)
+- clk_disable_unprepare(device->tspp2_klm_ahb_clk);
+-
+- if (device->tspp2_core_clk)
+- clk_disable_unprepare(device->tspp2_core_clk);
+-
+- if (device->tspp2_ahb_clk)
+- clk_disable_unprepare(device->tspp2_ahb_clk);
+-}
+-
+-/**
+- * tspp2_filter_counters_reset() - Reset a filter's HW counters.
+- *
+- * @device: TSPP2 device.
+- * @index: Filter context index. Note counters are based on the context
+- * index and not on the filter HW index.
+- */
+-static void tspp2_filter_counters_reset(struct tspp2_device *device, u32 index)
+-{
+- /* Reset filter counters */
+- writel_relaxed(0, device->base + TSPP2_FILTER_TSP_SYNC_ERROR(index));
+- writel_relaxed(0, device->base + TSPP2_FILTER_ERRED_TSP(index));
+- writel_relaxed(0, device->base + TSPP2_FILTER_DISCONTINUITIES(index));
+- writel_relaxed(0,
+- device->base + TSPP2_FILTER_SCRAMBLING_BITS_DISCARD(index));
+- writel_relaxed(0, device->base + TSPP2_FILTER_TSP_TOTAL_NUM(index));
+- writel_relaxed(0, device->base + TSPP2_FILTER_DISCONT_INDICATOR(index));
+- writel_relaxed(0, device->base + TSPP2_FILTER_TSP_NO_PAYLOAD(index));
+- writel_relaxed(0, device->base + TSPP2_FILTER_TSP_DUPLICATE(index));
+- writel_relaxed(0, device->base + TSPP2_FILTER_KEY_FETCH_FAILURE(index));
+- writel_relaxed(0, device->base + TSPP2_FILTER_DROPPED_PCR(index));
+- writel_relaxed(0, device->base + TSPP2_FILTER_PES_ERRORS(index));
+-}
+-
+-/**
+- * tspp2_global_hw_reset() - Reset TSPP2 device registers to a default state.
+- *
+- * @device: TSPP2 device.
+- * @enable_intr: Enable specific interrupts or disable them.
+- *
+- * A helper function called from probe() and remove(), this function resets both
+- * TSIF devices' SW structures and verifies the TSIF HW is stopped. It resets
+- * TSPP2 registers to appropriate default values and makes sure to disable
+- * all sources, filters etc. Finally, it clears all interrupts and unmasks
+- * the "important" interrupts.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_global_hw_reset(struct tspp2_device *device,
+- int enable_intr)
+-{
+- int i, n;
+- unsigned long rate_in_hz = 0;
+- u32 global_irq_en = 0;
+-
+- if (!device) {
+- pr_err("%s: NULL device\n", __func__);
+- return -ENODEV;
+- }
+-
+- /* Stop TSIF devices */
+- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++) {
+- device->tsif_devices[i].hw_index = i;
+- device->tsif_devices[i].dev = device;
+- device->tsif_devices[i].mode = TSPP2_TSIF_MODE_2;
+- device->tsif_devices[i].clock_inverse = 0;
+- device->tsif_devices[i].data_inverse = 0;
+- device->tsif_devices[i].sync_inverse = 0;
+- device->tsif_devices[i].enable_inverse = 0;
+- device->tsif_devices[i].stat_pkt_write_err = 0;
+- device->tsif_devices[i].stat_pkt_read_err = 0;
+- device->tsif_devices[i].stat_overflow = 0;
+- device->tsif_devices[i].stat_lost_sync = 0;
+- device->tsif_devices[i].stat_timeout = 0;
+- device->tsif_devices[i].time_limit = TSPP2_TSIF_DEF_TIME_LIMIT;
+- /* Set ref_count to 1 to allow stopping HW */
+- device->tsif_devices[i].ref_count = 1;
+- /* This will reset ref_count to 0 */
+- tspp2_tsif_stop(&device->tsif_devices[i]);
+- }
+-
+- /* Reset indexing table registers */
+- for (i = 0; i < TSPP2_NUM_INDEXING_TABLES; i++) {
+- writel_relaxed(0, device->base + TSPP2_INDEX_TABLE_PREFIX(i));
+- writel_relaxed(0,
+- device->base + TSPP2_INDEX_TABLE_PREFIX_MASK(i));
+- for (n = 0; n < TSPP2_NUM_INDEXING_PATTERNS; n++) {
+- writel_relaxed(0, device->base +
+- TSPP2_INDEX_TABLE_PATTEREN(i, n));
+- writel_relaxed(0,
+- device->base + TSPP2_INDEX_TABLE_MASK(i, n));
+- }
+- /* Set number of patterns to 0, prefix size to 4 by default */
+- writel_relaxed(0x00000400,
+- device->base + TSPP2_INDEX_TABLE_PARAMS(i));
+- }
+-
+- /* Disable TSIF inputs. Set mode of operation to 16 batches */
+- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++)
+- writel_relaxed((0x1 << TSIF_INPUT_SRC_CONFIG_16_BATCHES_OFFS),
+- device->base + TSPP2_TSIF_INPUT_SRC_CONFIG(i));
+-
+- /* Reset source related registers and performance counters */
+- for (i = 0; i < TSPP2_NUM_ALL_INPUTS; i++) {
+- writel_relaxed(0, device->base + TSPP2_SRC_DEST_PIPES(i));
+-
+- /* Set source configuration to default values */
+- writel_relaxed(TSPP2_DEFAULT_SRC_CONFIG,
+- device->base + TSPP2_SRC_CONFIG(i));
+- }
+- writel_relaxed(0x000003FF, device->base + TSPP2_SRC_TOTAL_TSP_RESET);
+- writel_relaxed(0x000003FF,
+- device->base + TSPP2_SRC_FILTERED_OUT_TSP_RESET);
+-
+- /* Reset all contexts, each register handles 32 contexts */
+- for (i = 0; i < 4; i++) {
+- writel_relaxed(0xFFFFFFFF,
+- device->base + TSPP2_TSP_CONTEXT_RESET(i));
+- writel_relaxed(0xFFFFFFFF,
+- device->base + TSPP2_PES_CONTEXT_RESET(i));
+- writel_relaxed(0xFFFFFFFF,
+- device->base + TSPP2_INDEXING_CONTEXT_RESET(i));
+- }
+-
+- for (i = 0; i < TSPP2_NUM_HW_FILTERS; i++) {
+- /*
+- * Reset operations: put exit operation in all filter operations
+- */
+- for (n = 0; n < TSPP2_MAX_OPS_PER_FILTER; n++) {
+- writel_relaxed(TSPP2_OPCODE_EXIT,
+- device->base + TSPP2_OPCODE(i, n));
+- }
+- /* Disable all HW filters */
+- writel_relaxed(0, device->base + TSPP2_FILTER_ENTRY0(i));
+- writel_relaxed(0, device->base + TSPP2_FILTER_ENTRY1(i));
+- }
+-
+- for (i = 0; i < TSPP2_NUM_CONTEXTS; i++) {
+- /* Reset filter context-based counters */
+- tspp2_filter_counters_reset(device, i);
+- }
+-
+- /*
+- * Disable memory inputs. Set mode of operation to 16 batches.
+- * Configure last batch to be associated with all memory input sources,
+- * and add a filter to match all PIDs and drop the TS packets in the
+- * last HW filter entry. Use the last context for this filter.
+- */
+- for (i = 0; i < TSPP2_NUM_MEM_INPUTS; i++)
+- writel_relaxed(TSPP2_DEFAULT_MEM_SRC_CONFIG,
+- device->base + TSPP2_MEM_INPUT_SRC_CONFIG(i));
+-
+- writel_relaxed(((TSPP2_NUM_CONTEXTS - 1) << FILTER_ENTRY1_CONTEXT_OFFS),
+- device->base + TSPP2_FILTER_ENTRY1((TSPP2_NUM_HW_FILTERS - 1)));
+- writel_relaxed((0x1 << FILTER_ENTRY0_EN_OFFS),
+- device->base + TSPP2_FILTER_ENTRY0((TSPP2_NUM_HW_FILTERS - 1)));
+-
+- /* Reset pipe registers */
+- for (i = 0; i < TSPP2_NUM_PIPES; i++)
+- writel_relaxed(0xFFFF,
+- device->base + TSPP2_PIPE_THRESH_CONFIG(i));
+-
+- writel_relaxed(0, device->base + TSPP2_PIPE_SECURITY);
+- writel_relaxed(0x7FFFFFFF,
+- device->base + TSPP2_DATA_NOT_SENT_ON_PIPE_RESET);
+-
+- /* Set global configuration to default values */
+-
+- /*
+- * Default: minimum time between PCRs = 50msec, STC offset is 0,
+- * transmit PCR on discontinuity.
+- */
+- writel_relaxed(0x00000432, device->base + TSPP2_PCR_GLOBAL_CONFIG);
+-
+- /* Set correct value according to TSPP2 clock: */
+- if (device->tspp2_core_clk) {
+- rate_in_hz = clk_get_rate(device->tspp2_core_clk);
+- writel_relaxed((rate_in_hz / MSEC_PER_SEC),
+- device->base + TSPP2_CLK_TO_PCR_TIME_UNIT);
+- } else {
+- writel_relaxed(0x00000000,
+- device->base + TSPP2_CLK_TO_PCR_TIME_UNIT);
+- }
+-
+- writel_relaxed(0x00000000, device->base + TSPP2_DESC_WAIT_TIMEOUT);
+-
+- /* Clear all global interrupts */
+- writel_relaxed(0xFFFF000F, device->base + TSPP2_GLOBAL_IRQ_CLEAR);
+- writel_relaxed(0x7FFFFFFF,
+- device->base + TSPP2_UNEXPECTED_RST_IRQ_CLEAR);
+- writel_relaxed(0x7FFFFFFF,
+- device->base + TSPP2_WRONG_PIPE_DIR_IRQ_CLEAR);
+- writel_relaxed(0x7FFFFFFF,
+- device->base + TSPP2_QSB_RESPONSE_ERROR_IRQ_CLEAR);
+- writel_relaxed(0xFFFFFFFF,
+- device->base + TSPP2_KEY_NOT_READY_IRQ_CLEAR);
+-
+- /*
+- * Global interrupts configuration:
+- * Flow Control (per memory source): Disabled
+- * Read Failure (per memory source): Enabled
+- * SC_GO_LOW (aggregate): Enabled
+- * SC_GO_HIGH (aggregate): Enabled
+- * Wrong Pipe Direction (aggregate): Enabled
+- * QSB Response Error (aggregate): Enabled
+- * Unexpected Reset (aggregate): Enabled
+- * Key Not Ready (aggregate): Disabled
+- * Op Encrypt Level Error: Enabled
+- * PES No Sync: Disabled (module parameter)
+- * TSP Invalid Length: Disabled (module parameter)
+- * TSP Invalid AF Control: Disabled (module parameter)
+- */
+- global_irq_en = 0x00FF03E8;
+- if (tspp2_en_invalid_af_ctrl)
+- global_irq_en |=
+- (0x1 << GLOBAL_IRQ_TSP_INVALID_AF_OFFS);
+- if (tspp2_en_invalid_af_length)
+- global_irq_en |= (0x1 << GLOBAL_IRQ_TSP_INVALID_LEN_OFFS);
+- if (tspp2_en_pes_no_sync)
+- global_irq_en |= (0x1 << GLOBAL_IRQ_PES_NO_SYNC_OFFS);
+-
+- if (enable_intr)
+- writel_relaxed(global_irq_en,
+- device->base + TSPP2_GLOBAL_IRQ_ENABLE);
+- else
+- writel_relaxed(0, device->base + TSPP2_GLOBAL_IRQ_ENABLE);
+-
+- if (enable_intr) {
+- /* Enable all pipe related interrupts */
+- writel_relaxed(0x7FFFFFFF,
+- device->base + TSPP2_UNEXPECTED_RST_IRQ_ENABLE);
+- writel_relaxed(0x7FFFFFFF,
+- device->base + TSPP2_WRONG_PIPE_DIR_IRQ_ENABLE);
+- writel_relaxed(0x7FFFFFFF,
+- device->base + TSPP2_QSB_RESPONSE_ERROR_IRQ_ENABLE);
+- } else {
+- /* Disable all pipe related interrupts */
+- writel_relaxed(0,
+- device->base + TSPP2_UNEXPECTED_RST_IRQ_ENABLE);
+- writel_relaxed(0,
+- device->base + TSPP2_WRONG_PIPE_DIR_IRQ_ENABLE);
+- writel_relaxed(0,
+- device->base + TSPP2_QSB_RESPONSE_ERROR_IRQ_ENABLE);
+- }
+-
+- /* Disable Key Ladder interrupts */
+- writel_relaxed(0, device->base + TSPP2_KEY_NOT_READY_IRQ_ENABLE);
+-
+- /*
+- * Clear and disable scrambling control interrupts.
+- * Each register handles 32 filters.
+- */
+- for (i = 0; i < 4; i++) {
+- writel_relaxed(0xFFFFFFFF,
+- device->base + TSPP2_SC_GO_HIGH_CLEAR(i));
+- writel_relaxed(0, device->base + TSPP2_SC_GO_HIGH_ENABLE(i));
+- writel_relaxed(0xFFFFFFFF,
+- device->base + TSPP2_SC_GO_LOW_CLEAR(i));
+- writel_relaxed(0, device->base + TSPP2_SC_GO_LOW_ENABLE(i));
+- }
+-
+- dev_dbg(device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-
+-/**
+- * tspp2_event_work_handler - Handle the work - invoke the user callback.
+- *
+- * @work: The work information.
+- */
+-static void tspp2_event_work_handler(struct work_struct *work)
+-{
+- struct tspp2_event_work *event_work =
+- container_of(work, struct tspp2_event_work, work);
+- struct tspp2_event_work cb_info = *event_work;
+-
+- if (mutex_lock_interruptible(&event_work->device->mutex))
+- return;
+-
+- list_add_tail(&event_work->link, &event_work->device->free_work_list);
+-
+- mutex_unlock(&event_work->device->mutex);
+-
+- /*
+- * Must run callback with tspp2 device mutex unlocked,
+- * as callback might call tspp2 driver API and cause a deadlock.
+- */
+- if (cb_info.callback)
+- cb_info.callback(cb_info.cookie, cb_info.event_bitmask);
+-}
+-
+-/**
+- * tspp2_device_initialize() - Initialize TSPP2 device SW structures.
+- *
+- * @device: TSPP2 device
+- *
+- * Initialize the required SW structures and fields in the TSPP2 device,
+- * including ION client creation, BAM registration, debugfs initialization etc.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_device_initialize(struct tspp2_device *device)
+-{
+- int i, ret;
+-
+- if (!device) {
+- pr_err("%s: NULL device\n", __func__);
+- return -ENODEV;
+- }
+-
+- /* Register BAM */
+- device->bam_props.summing_threshold = 0x10;
+- device->bam_props.irq = device->bam_irq;
+- device->bam_props.manage = SPS_BAM_MGR_LOCAL;
+-
+- ret = sps_register_bam_device(&device->bam_props, &device->bam_handle);
+- if (ret) {
+- pr_err("%s: failed to register BAM\n", __func__);
+- return ret;
+- }
+- ret = sps_device_reset(device->bam_handle);
+- if (ret) {
+- sps_deregister_bam_device(device->bam_handle);
+- pr_err("%s: error resetting BAM\n", __func__);
+- return ret;
+- }
+-
+- spin_lock_init(&device->spinlock);
+- wakeup_source_init(&device->wakeup_src, dev_name(&device->pdev->dev));
+-
+- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++)
+- tspp2_tsif_debugfs_init(&device->tsif_devices[i]);
+-
+- /*
+- * The device structure was allocated using devm_kzalloc() so
+- * the memory was initialized to zero. We don't need to specifically set
+- * fields to zero, then. We only set the fields we need to, such as
+- * batch_id.
+- */
+-
+- for (i = 0; i < TSPP2_NUM_BATCHES; i++) {
+- device->batches[i].batch_id = i;
+- device->batches[i].src = NULL;
+- INIT_LIST_HEAD(&device->batches[i].link);
+- }
+-
+- /*
+- * We set the device back-pointer in the sources, filters and pipes
+- * databases here, so that back-pointer is always valid (instead of
+- * setting it when opening a source, filter or pipe).
+- */
+- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++)
+- device->tsif_sources[i].device = device;
+-
+- for (i = 0; i < TSPP2_NUM_MEM_INPUTS; i++)
+- device->mem_sources[i].device = device;
+-
+- for (i = 0; i < TSPP2_NUM_AVAIL_FILTERS; i++)
+- device->filters[i].device = device;
+-
+- for (i = 0; i < TSPP2_NUM_PIPES; i++)
+- device->pipes[i].device = device;
+-
+- /*
+- * Note: tsif_devices are initialized as part of tspp2_global_hw_reset()
+- */
+-
+- device->work_queue =
+- create_singlethread_workqueue(dev_name(device->dev));
+- INIT_LIST_HEAD(&device->free_work_list);
+- for (i = 0; i < TSPP2_NUM_EVENT_WORK_ELEMENTS; i++) {
+- device->work_pool[i].device = device;
+- device->work_pool[i].callback = 0;
+- device->work_pool[i].cookie = 0;
+- device->work_pool[i].event_bitmask = 0;
+- INIT_LIST_HEAD(&device->work_pool[i].link);
+- INIT_WORK(&device->work_pool[i].work,
+- tspp2_event_work_handler);
+-
+- list_add_tail(&device->work_pool[i].link,
+- &device->free_work_list);
+- }
+-
+- device->event_callback = NULL;
+- device->event_cookie = NULL;
+-
+- dev_dbg(device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-
+-/**
+- * tspp2_device_uninitialize() - TSPP2 device teardown and cleanup.
+- *
+- * @device: TSPP2 device
+- *
+- * TSPP2 device teardown: debugfs removal, BAM de-registration etc.
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_device_uninitialize(struct tspp2_device *device)
+-{
+- int i;
+-
+- if (!device) {
+- pr_err("%s: NULL device\n", __func__);
+- return -ENODEV;
+- }
+-
+- destroy_workqueue(device->work_queue);
+-
+- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++)
+- tspp2_tsif_debugfs_exit(&device->tsif_devices[i]);
+-
+- /* Need to start clocks for BAM de-registration */
+- if (pm_runtime_get_sync(device->dev) >= 0) {
+- sps_deregister_bam_device(device->bam_handle);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- }
+-
+- wakeup_source_trash(&device->wakeup_src);
+-
+- dev_dbg(device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-
+-/**
+- * tspp2_src_disable_internal() - Helper function to disable a source.
+- *
+- * @src: Source to disable.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_src_disable_internal(struct tspp2_src *src)
+-{
+- u32 reg;
+-
+- if (!src) {
+- pr_err("%s: Invalid source handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source not opened\n", __func__);
+- return -EINVAL;
+- }
+-
+- if (!src->enabled) {
+- pr_warn("%s: Source already disabled\n", __func__);
+- return 0;
+- }
+-
+- if ((src->input == TSPP2_INPUT_TSIF0) ||
+- (src->input == TSPP2_INPUT_TSIF1)) {
+- reg = readl_relaxed(src->device->base +
+- TSPP2_TSIF_INPUT_SRC_CONFIG(src->input));
+- reg &= ~(0x1 << TSIF_INPUT_SRC_CONFIG_INPUT_EN_OFFS);
+- writel_relaxed(reg, src->device->base +
+- TSPP2_TSIF_INPUT_SRC_CONFIG(src->input));
+-
+- tspp2_tsif_stop(&src->device->tsif_devices[src->input]);
+- } else {
+- reg = readl_relaxed(src->device->base +
+- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
+- reg &= ~(0x1 << MEM_INPUT_SRC_CONFIG_INPUT_EN_OFFS);
+- writel_relaxed(reg, src->device->base +
+- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
+- }
+-
+- /*
+- * HW requires we wait for up to 2ms here before closing the pipes
+- * attached to (and used by) this source
+- */
+- udelay(TSPP2_HW_DELAY_USEC);
+-
+- src->enabled = 0;
+- src->device->num_enabled_sources--;
+-
+- if (src->device->num_enabled_sources == 0) {
+- __pm_relax(&src->device->wakeup_src);
+- tspp2_clock_stop(src->device);
+- }
+-
+- return 0;
+-}
+-
+-/* TSPP2 device open / close API */
+-
+-/**
+- * tspp2_device_open() - Open a TSPP2 device for use.
+- *
+- * @dev_id: TSPP2 device ID.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_device_open(u32 dev_id)
+-{
+- int rc;
+- u32 reg = 0;
+- struct tspp2_device *device;
+-
+- if (dev_id >= TSPP2_NUM_DEVICES) {
+- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
+- return -ENODEV;
+- }
+-
+- device = tspp2_devices[dev_id];
+- if (!device) {
+- pr_err("%s: Invalid device\n", __func__);
+- return -ENODEV;
+- }
+-
+- if (mutex_lock_interruptible(&device->mutex))
+- return -ERESTARTSYS;
+-
+- if (device->opened) {
+- pr_err("%s: Device already opened\n", __func__);
+- mutex_unlock(&device->mutex);
+- return -EPERM;
+- }
+-
+- /* Enable power regulator */
+- rc = regulator_enable(device->gdsc);
+- if (rc)
+- goto err_mutex_unlock;
+-
+- /* Reset TSPP2 core */
+- clk_reset(device->tspp2_core_clk, CLK_RESET_ASSERT);
+- udelay(10);
+- clk_reset(device->tspp2_core_clk, CLK_RESET_DEASSERT);
+-
+- /* Start HW clocks before accessing registers */
+- rc = tspp2_reg_clock_start(device);
+- if (rc)
+- goto err_regulator_disable;
+-
+- rc = tspp2_global_hw_reset(device, 1);
+- if (rc)
+- goto err_stop_clocks;
+-
+- rc = tspp2_device_initialize(device);
+- if (rc)
+- goto err_stop_clocks;
+-
+- reg = readl_relaxed(device->base + TSPP2_VERSION);
+- pr_info("TSPP2 HW Version: Major = %d, Minor = %d, Step = %d\n",
+- ((reg & 0xF0000000) >> VERSION_MAJOR_OFFS),
+- ((reg & 0x0FFF0000) >> VERSION_MINOR_OFFS),
+- ((reg & 0x0000FFFF) >> VERSION_STEP_OFFS));
+-
+- /* Stop HW clocks to save power */
+- tspp2_reg_clock_stop(device);
+-
+- /* Enable runtime power management */
+- pm_runtime_set_autosuspend_delay(device->dev, MSEC_PER_SEC);
+- pm_runtime_use_autosuspend(device->dev);
+- pm_runtime_enable(device->dev);
+-
+- device->opened = 1;
+-
+- mutex_unlock(&device->mutex);
+-
+- dev_dbg(device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-
+-err_stop_clocks:
+- tspp2_reg_clock_stop(device);
+-err_regulator_disable:
+- regulator_disable(device->gdsc);
+-err_mutex_unlock:
+- mutex_unlock(&device->mutex);
+-
+- return rc;
+-}
+-EXPORT_SYMBOL(tspp2_device_open);
+-
+-/**
+- * tspp2_device_close() - Close a TSPP2 device.
+- *
+- * @dev_id: TSPP2 device ID.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_device_close(u32 dev_id)
+-{
+- int i;
+- int ret = 0;
+- struct tspp2_device *device;
+-
+- if (dev_id >= TSPP2_NUM_DEVICES) {
+- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
+- return -ENODEV;
+- }
+-
+- device = tspp2_devices[dev_id];
+- if (!device) {
+- pr_err("%s: Invalid device\n", __func__);
+- return -ENODEV;
+- }
+-
+- ret = pm_runtime_get_sync(device->dev);
+- if (ret < 0)
+- return ret;
+-
+- mutex_lock(&device->mutex);
+-
+- if (!device->opened) {
+- pr_err("%s: Device already closed\n", __func__);
+- mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -EPERM;
+- }
+- device->opened = 0;
+-
+- /*
+- * In case the user has not disabled all the enabled sources, we need
+- * to disable them here, specifically in order to call tspp2_clock_stop,
+- * because the calls to enable and disable the clocks should be
+- * symmetrical (otherwise we cannot put the clocks).
+- */
+- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++) {
+- if (device->tsif_sources[i].enabled)
+- tspp2_src_disable_internal(&device->tsif_sources[i]);
+- }
+- for (i = 0; i < TSPP2_NUM_MEM_INPUTS; i++) {
+- if (device->mem_sources[i].enabled)
+- tspp2_src_disable_internal(&device->mem_sources[i]);
+- }
+-
+- /* bring HW registers back to a known state */
+- tspp2_global_hw_reset(device, 0);
+-
+- tspp2_device_uninitialize(device);
+-
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+-
+- /* Disable runtime power management */
+- pm_runtime_disable(device->dev);
+- pm_runtime_set_suspended(device->dev);
+-
+- if (regulator_disable(device->gdsc))
+- pr_err("%s: Error disabling power regulator\n", __func__);
+-
+- mutex_unlock(&device->mutex);
+-
+- dev_dbg(device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_device_close);
+-
+-/* Global configuration API */
+-
+-/**
+- * tspp2_config_set() - Set device global configuration.
+- *
+- * @dev_id: TSPP2 device ID.
+- * @cfg: TSPP2 global configuration parameters to set.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_config_set(u32 dev_id, const struct tspp2_config *cfg)
+-{
+- int ret;
+- u32 reg = 0;
+- struct tspp2_device *device;
+-
+- if (dev_id >= TSPP2_NUM_DEVICES) {
+- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
+- return -ENODEV;
+- }
+- if (!cfg) {
+- pr_err("%s: NULL configuration\n", __func__);
+- return -EINVAL;
+- }
+- if (cfg->stc_byte_offset > 3) {
+- pr_err("%s: Invalid stc_byte_offset %d, valid values are 0 - 3\n",
+- __func__, cfg->stc_byte_offset);
+- return -EINVAL;
+- }
+-
+- device = tspp2_devices[dev_id];
+- if (!device) {
+- pr_err("%s: Invalid device\n", __func__);
+- return -ENODEV;
+- }
+-
+- ret = pm_runtime_get_sync(device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&device->mutex)) {
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -EPERM;
+- }
+-
+- if (cfg->pcr_on_discontinuity)
+- reg |= (0x1 << PCR_GLOBAL_CONFIG_PCR_ON_DISCONT_OFFS);
+-
+- reg |= (cfg->stc_byte_offset << PCR_GLOBAL_CONFIG_STC_OFFSET_OFFS);
+- reg |= (cfg->min_pcr_interval << PCR_GLOBAL_CONFIG_PCR_INTERVAL_OFFS);
+-
+- writel_relaxed(reg, device->base + TSPP2_PCR_GLOBAL_CONFIG);
+-
+- mutex_unlock(&device->mutex);
+-
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+-
+- dev_dbg(device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_config_set);
+-
+-/**
+- * tspp2_config_get() - Get current global configuration.
+- *
+- * @dev_id: TSPP2 device ID.
+- * @cfg: TSPP2 global configuration parameters.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_config_get(u32 dev_id, struct tspp2_config *cfg)
+-{
+- int ret;
+- u32 reg = 0;
+- struct tspp2_device *device;
+-
+- if (dev_id >= TSPP2_NUM_DEVICES) {
+- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
+- return -ENODEV;
+- }
+- if (!cfg) {
+- pr_err("%s: NULL configuration\n", __func__);
+- return -EINVAL;
+- }
+-
+- device = tspp2_devices[dev_id];
+- if (!device) {
+- pr_err("%s: Invalid device\n", __func__);
+- return -ENODEV;
+- }
+-
+- ret = pm_runtime_get_sync(device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&device->mutex)) {
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -EPERM;
+- }
+-
+- reg = readl_relaxed(device->base + TSPP2_PCR_GLOBAL_CONFIG);
+-
+- cfg->pcr_on_discontinuity = ((reg & PCR_GLOBAL_CONFIG_PCR_ON_DISCONT) >>
+- PCR_GLOBAL_CONFIG_PCR_ON_DISCONT_OFFS);
+- cfg->stc_byte_offset = ((reg & PCR_GLOBAL_CONFIG_STC_OFFSET) >>
+- PCR_GLOBAL_CONFIG_STC_OFFSET_OFFS);
+- cfg->min_pcr_interval = ((reg & PCR_GLOBAL_CONFIG_PCR_INTERVAL) >>
+- PCR_GLOBAL_CONFIG_PCR_INTERVAL_OFFS);
+-
+- mutex_unlock(&device->mutex);
+-
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+-
+- dev_dbg(device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_config_get);
+-
+-/* Indexing tables API functions */
+-
+-/**
+- * tspp2_indexing_prefix_set() - Set prefix value and mask of an indexing table.
+- *
+- * @dev_id: TSPP2 device ID.
+- * @table_id: Indexing table ID.
+- * @value: Prefix 4-byte value.
+- * @mask: Prefix 4-byte mask.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_indexing_prefix_set(u32 dev_id,
+- u8 table_id,
+- u32 value,
+- u32 mask)
+-{
+- int ret;
+- u32 reg;
+- u8 size = 0;
+- int i;
+- struct tspp2_device *device;
+- struct tspp2_indexing_table *table;
+-
+- if (dev_id >= TSPP2_NUM_DEVICES) {
+- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
+- return -ENODEV;
+- }
+- if (table_id >= TSPP2_NUM_INDEXING_TABLES) {
+- pr_err("%s: Invalid table ID %d\n", __func__, table_id);
+- return -EINVAL;
+- }
+-
+- device = tspp2_devices[dev_id];
+- if (!device) {
+- pr_err("%s: Invalid device\n", __func__);
+- return -ENODEV;
+- }
+-
+- ret = pm_runtime_get_sync(device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&device->mutex)) {
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -EPERM;
+- }
+-
+- table = &device->indexing_tables[table_id];
+- table->prefix_value = value;
+- table->prefix_mask = mask;
+-
+- /* HW expects values/masks to be written in Big Endian format */
+- writel_relaxed(cpu_to_be32(value),
+- device->base + TSPP2_INDEX_TABLE_PREFIX(table_id));
+- writel_relaxed(cpu_to_be32(mask),
+- device->base + TSPP2_INDEX_TABLE_PREFIX_MASK(table_id));
+-
+- /* Find the actual size of the prefix and set to HW */
+- reg = readl_relaxed(device->base + TSPP2_INDEX_TABLE_PARAMS(table_id));
+- for (i = 0; i < 32; i += 8) {
+- if (mask & (0x000000FF << i))
+- size++;
+- }
+- reg &= ~(0x7 << INDEX_TABLE_PARAMS_PREFIX_SIZE_OFFS);
+- reg |= (size << INDEX_TABLE_PARAMS_PREFIX_SIZE_OFFS);
+- writel_relaxed(reg, device->base + TSPP2_INDEX_TABLE_PARAMS(table_id));
+-
+- mutex_unlock(&device->mutex);
+-
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+-
+- dev_dbg(device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_indexing_prefix_set);
+-
+-/**
+- * tspp2_indexing_patterns_add() - Add patterns to an indexing table.
+- *
+- * @dev_id: TSPP2 device ID.
+- * @table_id: Indexing table ID.
+- * @values: An array of 4-byte pattern values.
+- * @masks: An array of corresponding 4-byte masks.
+- * @patterns_num: Number of patterns in the values / masks arrays.
+- * Up to TSPP2_NUM_INDEXING_PATTERNS.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_indexing_patterns_add(u32 dev_id,
+- u8 table_id,
+- const u32 *values,
+- const u32 *masks,
+- u8 patterns_num)
+-{
+- int ret;
+- int i;
+- u16 offs = 0;
+- u32 reg;
+- struct tspp2_device *device;
+- struct tspp2_indexing_table *table;
+-
+- if (dev_id >= TSPP2_NUM_DEVICES) {
+- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
+- return -ENODEV;
+- }
+- if (table_id >= TSPP2_NUM_INDEXING_TABLES) {
+- pr_err("%s: Invalid table ID %d\n", __func__, table_id);
+- return -EINVAL;
+- }
+- if (!values || !masks) {
+- pr_err("%s: NULL values or masks array\n", __func__);
+- return -EINVAL;
+- }
+-
+- device = tspp2_devices[dev_id];
+- if (!device) {
+- pr_err("%s: Invalid device\n", __func__);
+- return -ENODEV;
+- }
+-
+- ret = pm_runtime_get_sync(device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&device->mutex)) {
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -EPERM;
+- }
+-
+- table = &device->indexing_tables[table_id];
+-
+- if ((table->num_valid_entries + patterns_num) >
+- TSPP2_NUM_INDEXING_PATTERNS) {
+- pr_err("%s: Trying to add too many patterns: current number %d, trying to add %d, maximum allowed %d\n",
+- __func__, table->num_valid_entries, patterns_num,
+- TSPP2_NUM_INDEXING_PATTERNS);
+- mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -EINVAL;
+- }
+-
+- /* There's enough room to add all the requested patterns */
+- offs = table->num_valid_entries;
+- for (i = 0; i < patterns_num; i++) {
+- table->entry_value[offs + i] = values[i];
+- table->entry_mask[offs + i] = masks[i];
+- writel_relaxed(cpu_to_be32(values[i]),
+- device->base +
+- TSPP2_INDEX_TABLE_PATTEREN(table_id, offs + i));
+- writel_relaxed(cpu_to_be32(masks[i]), device->base +
+- TSPP2_INDEX_TABLE_MASK(table_id, offs + i));
+- }
+- table->num_valid_entries += patterns_num;
+- reg = readl_relaxed(device->base + TSPP2_INDEX_TABLE_PARAMS(table_id));
+- reg &= ~(0x1F << INDEX_TABLE_PARAMS_NUM_PATTERNS_OFFS);
+- reg |= (table->num_valid_entries <<
+- INDEX_TABLE_PARAMS_NUM_PATTERNS_OFFS);
+- writel_relaxed(reg, device->base + TSPP2_INDEX_TABLE_PARAMS(table_id));
+-
+- mutex_unlock(&device->mutex);
+-
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+-
+- dev_dbg(device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_indexing_patterns_add);
+-
+-/**
+- * tspp2_indexing_patterns_clear() - Clear all patterns of an indexing table.
+- *
+- * @dev_id: TSPP2 device ID.
+- * @table_id: Indexing table ID.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_indexing_patterns_clear(u32 dev_id,
+- u8 table_id)
+-{
+- int ret;
+- int i;
+- u32 reg;
+- struct tspp2_device *device;
+- struct tspp2_indexing_table *table;
+-
+- if (dev_id >= TSPP2_NUM_DEVICES) {
+- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
+- return -ENODEV;
+- }
+- if (table_id >= TSPP2_NUM_INDEXING_TABLES) {
+- pr_err("%s: Invalid table ID %d\n", __func__, table_id);
+- return -EINVAL;
+- }
+-
+- device = tspp2_devices[dev_id];
+- if (!device) {
+- pr_err("%s: Invalid device\n", __func__);
+- return -ENODEV;
+- }
+-
+- ret = pm_runtime_get_sync(device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&device->mutex)) {
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -EPERM;
+- }
+-
+- table = &device->indexing_tables[table_id];
+-
+- for (i = 0; i < table->num_valid_entries; i++) {
+- table->entry_value[i] = 0;
+- table->entry_mask[i] = 0;
+- writel_relaxed(0, device->base +
+- TSPP2_INDEX_TABLE_PATTEREN(table_id, i));
+- writel_relaxed(0, device->base +
+- TSPP2_INDEX_TABLE_MASK(table_id, i));
+-
+- }
+- table->num_valid_entries = 0;
+- reg = readl_relaxed(device->base + TSPP2_INDEX_TABLE_PARAMS(table_id));
+- reg &= ~(0x1F << INDEX_TABLE_PARAMS_NUM_PATTERNS_OFFS);
+- writel_relaxed(reg, device->base + TSPP2_INDEX_TABLE_PARAMS(table_id));
+-
+- mutex_unlock(&device->mutex);
+-
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+-
+- dev_dbg(device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_indexing_patterns_clear);
+-
+-/* Pipe API functions */
+-
+-/**
+- * tspp2_pipe_memory_init() - Initialize pipe memory helper function.
+- *
+- * @pipe: The pipe to work on.
+- *
+- * The user is responsible for allocating the pipe's memory buffer via ION.
+- * This helper function maps the given buffer to TSPP2 IOMMU memory space,
+- * and sets the pipe's secure bit.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_pipe_memory_init(struct tspp2_pipe *pipe)
+-{
+- int ret = 0;
+- u32 reg;
+- size_t align;
+- unsigned long dummy_size = 0;
+- size_t len = 0;
+- int domain = 0;
+- int partition = 0;
+- int hlos_group_attached = 0;
+- int cpz_group_attached = 0;
+- int vbif_clk_started = 0;
+-
+- if (pipe->cfg.is_secure) {
+- domain = pipe->device->iommu_info.cpz_domain_num;
+- partition = pipe->device->iommu_info.cpz_partition;
+- align = SZ_1M;
+- } else {
+- domain = pipe->device->iommu_info.hlos_domain_num;
+- partition = pipe->device->iommu_info.hlos_partition;
+- align = SZ_4K;
+- }
+-
+- if (tspp2_iommu_bypass) {
+- ret = ion_phys(pipe->cfg.ion_client,
+- pipe->cfg.buffer_handle, &pipe->iova, &len);
+-
+- dummy_size = 0;
+-
+- if (ret) {
+- pr_err("%s: Failed to get buffer physical address, ret = %d\n",
+- __func__, ret);
+- return ret;
+- }
+-
+- if ((pipe->device->num_secured_opened_pipes +
+- pipe->device->num_non_secured_opened_pipes) == 0) {
+- ret = tspp2_vbif_clock_start(pipe->device);
+- if (ret) {
+- pr_err(
+- "%s: tspp2_vbif_clock_start failed, ret=%d\n",
+- __func__, ret);
+- return ret;
+- }
+- vbif_clk_started = 1;
+- }
+- } else {
+- /*
+- * We need to attach the group to enable the IOMMU and support
+- * the required memory mapping. This needs to be done before
+- * the first mapping is performed, so the number of opened pipes
+- * (of each type: secure or non-secure) is used as a
+- * reference count. Note that since the pipe descriptors are
+- * always allocated from HLOS domain, the HLOS group must be
+- * attached regardless of the pipe's security configuration.
+- * The mutex is taken at this point so there is no problem with +- * synchronization. +- */ +- if ((pipe->device->num_secured_opened_pipes + +- pipe->device->num_non_secured_opened_pipes) == 0) { +- ret = tspp2_vbif_clock_start(pipe->device); +- if (ret) { +- pr_err("%s: tspp2_vbif_clock_start failed, ret=%d\n", +- __func__, ret); +- goto err_out; +- } +- vbif_clk_started = 1; +- +- pr_debug("%s: attaching HLOS group\n", __func__); +- ret = iommu_attach_group( +- pipe->device->iommu_info.hlos_domain, +- pipe->device->iommu_info.hlos_group); +- +- if (ret) { +- pr_err("%s: Failed attaching IOMMU HLOS group, %d\n", +- __func__, ret); +- goto err_out; +- } +- hlos_group_attached = 1; +- } +- +- if (pipe->cfg.is_secure && +- (pipe->device->num_secured_opened_pipes == 0)) { +- pr_debug("%s: attaching CPZ group\n", __func__); +- ret = iommu_attach_group( +- pipe->device->iommu_info.cpz_domain, +- pipe->device->iommu_info.cpz_group); +- +- if (ret) { +- pr_err("%s: Failed attaching IOMMU CPZ group, %d\n", +- __func__, ret); +- goto err_out; +- } +- cpz_group_attached = 1; +- } +- +- /* Map to TSPP2 IOMMU */ +- ret = ion_map_iommu(pipe->cfg.ion_client, +- pipe->cfg.buffer_handle, +- domain, +- partition, +- align, 0, &pipe->iova, +- &dummy_size, 0, 0); /* Uncached mapping */ +- +- if (ret) { +- pr_err("%s: Failed mapping buffer to TSPP2, %d\n", +- __func__, ret); +- goto err_out; +- } +- } +- +- if (pipe->cfg.is_secure) { +- reg = readl_relaxed(pipe->device->base + TSPP2_PIPE_SECURITY); +- reg |= (0x1 << pipe->hw_index); +- writel_relaxed(reg, pipe->device->base + TSPP2_PIPE_SECURITY); +- } +- +- dev_dbg(pipe->device->dev, "%s: successful\n", __func__); +- +- return 0; +- +-err_out: +- if (hlos_group_attached) { +- iommu_detach_group(pipe->device->iommu_info.hlos_domain, +- pipe->device->iommu_info.hlos_group); +- } +- +- if (cpz_group_attached) { +- iommu_detach_group(pipe->device->iommu_info.cpz_domain, +- pipe->device->iommu_info.cpz_group); +- } +- +- if 
(vbif_clk_started) +- tspp2_vbif_clock_stop(pipe->device); +- +- return ret; +-} +- +-/** +- * tspp2_pipe_memory_terminate() - Unmap pipe memory. +- * +- * @pipe: The pipe to work on. +- * +- * Unmap the pipe's memory and clear the pipe's secure bit. +- */ +-static void tspp2_pipe_memory_terminate(struct tspp2_pipe *pipe) +-{ +- u32 reg; +- int domain = 0; +- int partition = 0; +- +- if (pipe->cfg.is_secure) { +- domain = pipe->device->iommu_info.cpz_domain_num; +- partition = pipe->device->iommu_info.cpz_partition; +- } else { +- domain = pipe->device->iommu_info.hlos_domain_num; +- partition = pipe->device->iommu_info.hlos_partition; +- } +- +- if (!tspp2_iommu_bypass) { +- ion_unmap_iommu(pipe->cfg.ion_client, +- pipe->cfg.buffer_handle, +- domain, +- partition); +- +- /* +- * Opposite to what is done in tspp2_pipe_memory_init(), +- * here we detach the IOMMU group when it is no longer in use. +- */ +- if (pipe->cfg.is_secure && +- (pipe->device->num_secured_opened_pipes == 0)) { +- pr_debug("%s: detaching CPZ group\n", __func__); +- iommu_detach_group( +- pipe->device->iommu_info.cpz_domain, +- pipe->device->iommu_info.cpz_group); +- } +- +- if ((pipe->device->num_secured_opened_pipes + +- pipe->device->num_non_secured_opened_pipes) == 0) { +- pr_debug("%s: detaching HLOS group\n", __func__); +- iommu_detach_group( +- pipe->device->iommu_info.hlos_domain, +- pipe->device->iommu_info.hlos_group); +- tspp2_vbif_clock_stop(pipe->device); +- } +- } else if ((pipe->device->num_secured_opened_pipes + +- pipe->device->num_non_secured_opened_pipes) == 0) { +- tspp2_vbif_clock_stop(pipe->device); +- } +- +- pipe->iova = 0; +- +- if (pipe->cfg.is_secure) { +- reg = readl_relaxed(pipe->device->base + TSPP2_PIPE_SECURITY); +- reg &= ~(0x1 << pipe->hw_index); +- writel_relaxed(reg, pipe->device->base + TSPP2_PIPE_SECURITY); +- } +- +- dev_dbg(pipe->device->dev, "%s: successful\n", __func__); +-} +- +-/** +- * tspp2_sps_pipe_init() - BAM SPS pipe configuration and 
initialization +- * +- * @pipe: The pipe to work on. +- * +- * Return 0 on success, error value otherwise. +- */ +-static int tspp2_sps_pipe_init(struct tspp2_pipe *pipe) +-{ +- u32 descriptors_num; +- unsigned long dummy_size = 0; +- int ret = 0; +- int iommu_mapped = 0; +- +- if (pipe->cfg.buffer_size % pipe->cfg.sps_cfg.descriptor_size) { +- pr_err( +- "%s: Buffer size %d is not aligned to descriptor size %d\n", +- __func__, pipe->cfg.buffer_size, +- pipe->cfg.sps_cfg.descriptor_size); +- return -EINVAL; +- } +- +- pipe->sps_pipe = sps_alloc_endpoint(); +- if (!pipe->sps_pipe) { +- pr_err("%s: Failed to allocate BAM pipe\n", __func__); +- return -ENOMEM; +- } +- +- /* get default configuration */ +- sps_get_config(pipe->sps_pipe, &pipe->sps_connect_cfg); +- if (pipe->cfg.pipe_mode == TSPP2_SRC_PIPE_INPUT) { +- pipe->sps_connect_cfg.mode = SPS_MODE_DEST; +- pipe->sps_connect_cfg.source = SPS_DEV_HANDLE_MEM; +- pipe->sps_connect_cfg.destination = pipe->device->bam_handle; +- pipe->sps_connect_cfg.dest_pipe_index = pipe->hw_index; +- } else { +- pipe->sps_connect_cfg.mode = SPS_MODE_SRC; +- pipe->sps_connect_cfg.source = pipe->device->bam_handle; +- pipe->sps_connect_cfg.destination = SPS_DEV_HANDLE_MEM; +- pipe->sps_connect_cfg.src_pipe_index = pipe->hw_index; +- } +- pipe->sps_connect_cfg.desc.base = NULL; +- pipe->sps_connect_cfg.options = pipe->cfg.sps_cfg.setting; +- descriptors_num = (pipe->cfg.buffer_size / +- pipe->cfg.sps_cfg.descriptor_size); +- +- /* +- * If size of descriptors FIFO can hold N descriptors, we can submit +- * (N-1) descriptors only, therefore we allocate extra descriptor +- */ +- descriptors_num++; +- pipe->sps_connect_cfg.desc.size = (descriptors_num * +- sizeof(struct sps_iovec)); +- +- if (tspp2_iommu_bypass) { +- pipe->sps_connect_cfg.desc.base = dma_alloc_coherent(NULL, +- pipe->sps_connect_cfg.desc.size, +- &pipe->sps_connect_cfg.desc.phys_base, +- GFP_KERNEL); +- +- if (!pipe->sps_connect_cfg.desc.base) { +- pr_err("%s: Failed to 
allocate descriptor FIFO\n",
+- __func__);
+- ret = -ENOMEM;
+- goto init_sps_failed_free_endpoint;
+- }
+- } else {
+- pipe->desc_ion_handle = ion_alloc(pipe->cfg.ion_client,
+- pipe->sps_connect_cfg.desc.size,
+- SZ_4K, ION_HEAP(ION_IOMMU_HEAP_ID), 0);
+-
+- if (!pipe->desc_ion_handle) {
+- pr_err("%s: Failed to allocate descriptors via ION\n",
+- __func__);
+- ret = -ENOMEM;
+- goto init_sps_failed_free_endpoint;
+- }
+-
+- ret = ion_map_iommu(pipe->cfg.ion_client,
+- pipe->desc_ion_handle,
+- pipe->device->iommu_info.hlos_domain_num,
+- pipe->device->iommu_info.hlos_partition,
+- SZ_4K, 0,
+- &pipe->sps_connect_cfg.desc.phys_base,
+- &dummy_size, 0, 0); /* Uncached mapping */
+-
+- if (ret) {
+- pr_err("%s: Failed mapping descriptors to IOMMU\n",
+- __func__);
+- goto init_sps_failed_free_mem;
+- }
+-
+- iommu_mapped = 1;
+-
+- pipe->sps_connect_cfg.desc.base =
+- ion_map_kernel(pipe->cfg.ion_client,
+- pipe->desc_ion_handle);
+-
+- if (!pipe->sps_connect_cfg.desc.base) {
+- pr_err("%s: Failed mapping descriptors to kernel\n",
+- __func__);
+- ret = -ENOMEM;
+- goto init_sps_failed_free_mem;
+- }
+- }
+-
+- ret = sps_connect(pipe->sps_pipe, &pipe->sps_connect_cfg);
+- if (ret) {
+- pr_err("%s: Failed to connect BAM, %d\n", __func__, ret);
+- goto init_sps_failed_free_mem;
+- }
+-
+- pipe->sps_event.options = pipe->cfg.sps_cfg.wakeup_events;
+- if (pipe->sps_event.options) {
+- pipe->sps_event.mode = SPS_TRIGGER_CALLBACK;
+- pipe->sps_event.callback = pipe->cfg.sps_cfg.callback;
+- pipe->sps_event.xfer_done = NULL;
+- pipe->sps_event.user = pipe->cfg.sps_cfg.user_info;
+-
+- ret = sps_register_event(pipe->sps_pipe, &pipe->sps_event);
+- if (ret) {
+- pr_err("%s: Failed to register pipe event, %d\n",
+- __func__, ret);
+- goto init_sps_failed_free_connection;
+- }
+- }
+-
+- dev_dbg(pipe->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-
+-init_sps_failed_free_connection:
+- sps_disconnect(pipe->sps_pipe);
+-init_sps_failed_free_mem:
+- if
(tspp2_iommu_bypass) {
+- dma_free_coherent(NULL, pipe->sps_connect_cfg.desc.size,
+- pipe->sps_connect_cfg.desc.base,
+- pipe->sps_connect_cfg.desc.phys_base);
+- } else {
+- if (pipe->sps_connect_cfg.desc.base)
+- ion_unmap_kernel(pipe->cfg.ion_client,
+- pipe->desc_ion_handle);
+-
+- if (iommu_mapped) {
+- ion_unmap_iommu(pipe->cfg.ion_client,
+- pipe->desc_ion_handle,
+- pipe->device->iommu_info.hlos_domain_num,
+- pipe->device->iommu_info.hlos_partition);
+- }
+-
+- ion_free(pipe->cfg.ion_client, pipe->desc_ion_handle);
+- }
+-init_sps_failed_free_endpoint:
+- sps_free_endpoint(pipe->sps_pipe);
+-
+- return ret;
+-}
+-
+-/**
+- * tspp2_sps_queue_descriptors() - Queue BAM SPS descriptors
+- *
+- * @pipe: The pipe to work on.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_sps_queue_descriptors(struct tspp2_pipe *pipe)
+-{
+- int ret = 0;
+- u32 data_offset = 0;
+- u32 desc_length = pipe->cfg.sps_cfg.descriptor_size;
+- u32 desc_flags = pipe->cfg.sps_cfg.descriptor_flags;
+- u32 data_length = pipe->cfg.buffer_size;
+-
+- while (data_length > 0) {
+- ret = sps_transfer_one(pipe->sps_pipe,
+- pipe->iova + data_offset,
+- desc_length,
+- pipe->cfg.sps_cfg.user_info,
+- desc_flags);
+-
+- if (ret) {
+- pr_err("%s: sps_transfer_one failed, %d\n",
+- __func__, ret);
+- return ret;
+- }
+-
+- data_offset += desc_length;
+- data_length -= desc_length;
+- }
+-
+- return 0;
+-}
+-
+-/**
+- * tspp2_sps_pipe_terminate() - Disconnect and terminate SPS BAM pipe
+- *
+- * @pipe: The pipe to work on.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_sps_pipe_terminate(struct tspp2_pipe *pipe)
+-{
+- int ret;
+-
+- ret = sps_disconnect(pipe->sps_pipe);
+- if (ret) {
+- pr_err("%s: failed to disconnect BAM pipe, %d\n",
+- __func__, ret);
+- return ret;
+- }
+- if (tspp2_iommu_bypass) {
+- dma_free_coherent(NULL, pipe->sps_connect_cfg.desc.size,
+- pipe->sps_connect_cfg.desc.base,
+- pipe->sps_connect_cfg.desc.phys_base);
+- } else {
+- ion_unmap_kernel(pipe->cfg.ion_client,
+- pipe->desc_ion_handle);
+-
+- ion_unmap_iommu(pipe->cfg.ion_client,
+- pipe->desc_ion_handle,
+- pipe->device->iommu_info.hlos_domain_num,
+- pipe->device->iommu_info.hlos_partition);
+-
+- ion_free(pipe->cfg.ion_client, pipe->desc_ion_handle);
+- }
+- pipe->sps_connect_cfg.desc.base = NULL;
+-
+- ret = sps_free_endpoint(pipe->sps_pipe);
+- if (ret) {
+- pr_err("%s: failed to release BAM end-point, %d\n",
+- __func__, ret);
+- return ret;
+- }
+-
+- return 0;
+-}
+-
+-/**
+- * tspp2_pipe_open() - Open a pipe for use.
+- *
+- * @dev_id: TSPP2 device ID.
+- * @cfg: Pipe configuration parameters.
+- * @iova: TSPP2 IOMMU virtual address of the pipe's buffer.
+- * @pipe_handle: Opened pipe handle.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_pipe_open(u32 dev_id,
+- const struct tspp2_pipe_config_params *cfg,
+- ion_phys_addr_t *iova,
+- u32 *pipe_handle)
+-{
+- struct tspp2_device *device;
+- struct tspp2_pipe *pipe;
+- int i;
+- int ret = 0;
+-
+- if (dev_id >= TSPP2_NUM_DEVICES) {
+- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
+- return -ENODEV;
+- }
+-
+- if (!cfg || !iova || !pipe_handle) {
+- pr_err("%s: Invalid parameters\n", __func__);
+- return -EINVAL;
+- }
+-
+- /* Some minimal sanity tests on the pipe configuration: */
+- if (!cfg->ion_client || !cfg->buffer_handle) {
+- pr_err("%s: Invalid parameters\n", __func__);
+- return -EINVAL;
+- }
+-
+- device = tspp2_devices[dev_id];
+- if (!device) {
+- pr_err("%s: Invalid device\n", __func__);
+- return -ENODEV;
+- }
+-
+- ret = pm_runtime_get_sync(device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&device->mutex)) {
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -EPERM;
+- }
+-
+- /* Find a free pipe */
+- for (i = 0; i < TSPP2_NUM_PIPES; i++) {
+- pipe = &device->pipes[i];
+- if (!pipe->opened)
+- break;
+- }
+- if (i == TSPP2_NUM_PIPES) {
+- pr_err("%s: No available pipes\n", __func__);
+- mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -ENOMEM;
+- }
+-
+- pipe->hw_index = i;
+- /* Actual pipe threshold is set when the pipe is attached to a source */
+- pipe->threshold = 0;
+- pipe->cfg = *cfg;
+- pipe->ref_cnt = 0;
+- /* device back-pointer is already initialized, always remains valid */
+-
+- ret = tspp2_pipe_memory_init(pipe);
+- if (ret) {
+- pr_err("%s: Error initializing pipe memory\n", __func__);
+-
mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return ret;
+- }
+- ret = tspp2_sps_pipe_init(pipe);
+- if (ret) {
+- pr_err("%s: Error initializing BAM pipe\n", __func__);
+- tspp2_pipe_memory_terminate(pipe);
+- mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return ret;
+- }
+-
+- /* For output pipes, we queue BAM descriptors here so they are ready */
+- if (pipe->cfg.pipe_mode == TSPP2_SRC_PIPE_OUTPUT) {
+- ret = tspp2_sps_queue_descriptors(pipe);
+- if (ret) {
+- pr_err("%s: Error queuing BAM pipe descriptors\n",
+- __func__);
+- tspp2_sps_pipe_terminate(pipe);
+- tspp2_pipe_memory_terminate(pipe);
+- mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return ret;
+- }
+- }
+-
+- /* Reset counter */
+- writel_relaxed((0x1 << pipe->hw_index),
+- device->base + TSPP2_DATA_NOT_SENT_ON_PIPE_RESET);
+-
+- /* Return handle to the caller */
+- *pipe_handle = (u32)pipe;
+- *iova = pipe->iova;
+-
+- pipe->opened = 1;
+- if (pipe->cfg.is_secure)
+- device->num_secured_opened_pipes++;
+- else
+- device->num_non_secured_opened_pipes++;
+-
+- mutex_unlock(&device->mutex);
+-
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+-
+- dev_dbg(device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_pipe_open);
+-
+-/**
+- * tspp2_pipe_close() - Close an opened pipe.
+- *
+- * @pipe_handle: Pipe to be closed.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_pipe_close(u32 pipe_handle)
+-{
+- int ret;
+- struct tspp2_pipe *pipe = (struct tspp2_pipe *)pipe_handle;
+-
+- if (!pipe) {
+- pr_err("%s: Invalid pipe handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(pipe->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- mutex_lock(&pipe->device->mutex);
+-
+- if (!pipe->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&pipe->device->mutex);
+- pm_runtime_mark_last_busy(pipe->device->dev);
+- pm_runtime_put_autosuspend(pipe->device->dev);
+- return -EPERM;
+- }
+-
+- if (!pipe->opened) {
+- pr_err("%s: Pipe already closed\n", __func__);
+- mutex_unlock(&pipe->device->mutex);
+- pm_runtime_mark_last_busy(pipe->device->dev);
+- pm_runtime_put_autosuspend(pipe->device->dev);
+- return -EINVAL;
+- }
+-
+- if (pipe->ref_cnt > 0) {
+- pr_err("%s: Pipe %u is still attached to a source\n",
+- __func__, pipe_handle);
+- mutex_unlock(&pipe->device->mutex);
+- pm_runtime_mark_last_busy(pipe->device->dev);
+- pm_runtime_put_autosuspend(pipe->device->dev);
+- return -EPERM;
+- }
+-
+- /*
+- * Note: need to decrement the pipe reference count here, before
+- * calling tspp2_pipe_memory_terminate().
+- */
+- if (pipe->cfg.is_secure)
+- pipe->device->num_secured_opened_pipes--;
+- else
+- pipe->device->num_non_secured_opened_pipes--;
+-
+- tspp2_sps_pipe_terminate(pipe);
+- tspp2_pipe_memory_terminate(pipe);
+-
+- pipe->iova = 0;
+- pipe->opened = 0;
+-
+- mutex_unlock(&pipe->device->mutex);
+-
+- pm_runtime_mark_last_busy(pipe->device->dev);
+- pm_runtime_put_autosuspend(pipe->device->dev);
+-
+- dev_dbg(pipe->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_pipe_close);
+-
+-/* Source API functions */
+-
+-/**
+- * tspp2_src_open() - Open a new source for use.
+- *
+- * @dev_id: TSPP2 device ID.
+- * @cfg: Source configuration parameters.
+- * @src_handle: Opened source handle.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_src_open(u32 dev_id,
+- struct tspp2_src_cfg *cfg,
+- u32 *src_handle)
+-{
+- int ret;
+- int i;
+- struct tspp2_device *device;
+- struct tspp2_src *src;
+- enum tspp2_src_input input;
+-
+- if (dev_id >= TSPP2_NUM_DEVICES) {
+- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
+- return -ENODEV;
+- }
+- if (!src_handle) {
+- pr_err("%s: Invalid source handle pointer\n", __func__);
+- return -EINVAL;
+- }
+- if (!cfg) {
+- pr_err("%s: Invalid configuration parameters\n", __func__);
+- return -EINVAL;
+- }
+-
+- device = tspp2_devices[dev_id];
+- if (!device) {
+- pr_err("%s: Invalid device\n", __func__);
+- return -ENODEV;
+- }
+-
+- ret = pm_runtime_get_sync(device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&device->mutex)) {
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -EPERM;
+- }
+-
+- input = cfg->input;
+- if ((input == TSPP2_INPUT_TSIF0) || (input == TSPP2_INPUT_TSIF1)) {
+- /* Input from TSIF */
+- if (device->tsif_sources[input].opened) {
+- pr_err("%s: TSIF input %d already opened\n",
+- __func__, input);
+- mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -EINVAL;
+- }
+- src = &device->tsif_sources[input];
+-
+- /*
+- * When writing to HW registers that are relevant to sources
+- * of both TSIF and memory input types, the register offsets
+- * for the TSIF-related registers come after the memory-related
+- * registers. For example: for TSPP2_SRC_CONFIG(n), n=[0..9],
+- * indexes 0..7 are for memory inputs, and indexes 8, 9 are
+- * for TSIF inputs.
+- */
+- src->hw_index = TSPP2_NUM_MEM_INPUTS + input;
+-
+- /* Save TSIF source parameters in TSIF device */
+- device->tsif_devices[input].mode =
+- cfg->params.tsif_params.tsif_mode;
+- device->tsif_devices[input].clock_inverse =
+- cfg->params.tsif_params.clock_inverse;
+- device->tsif_devices[input].data_inverse =
+- cfg->params.tsif_params.data_inverse;
+- device->tsif_devices[input].sync_inverse =
+- cfg->params.tsif_params.sync_inverse;
+- device->tsif_devices[input].enable_inverse =
+- cfg->params.tsif_params.enable_inverse;
+- } else {
+- /* Input from memory */
+- for (i = 0; i < TSPP2_NUM_MEM_INPUTS; i++) {
+- if (!device->mem_sources[i].opened)
+- break;
+- }
+- if (i == TSPP2_NUM_MEM_INPUTS) {
+- pr_err("%s: No memory inputs available\n", __func__);
+- mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -ENOMEM;
+- }
+-
+- src = &device->mem_sources[i];
+- src->hw_index = i;
+- }
+-
+- src->opened = 1;
+- src->input = input;
+- src->pkt_format = TSPP2_PACKET_FORMAT_188_RAW; /* default value */
+- src->scrambling_bits_monitoring = TSPP2_SRC_SCRAMBLING_MONITOR_NONE;
+- INIT_LIST_HEAD(&src->batches_list);
+- INIT_LIST_HEAD(&src->filters_list);
+- src->input_pipe = NULL;
+- INIT_LIST_HEAD(&src->output_pipe_list);
+- src->num_associated_batches = 0;
+- src->num_associated_pipes = 0;
+- src->num_associated_filters = 0;
+- src->reserved_filter_hw_index = 0;
+- src->event_callback = NULL;
+- src->event_cookie = NULL;
+- src->event_bitmask = 0;
+- src->enabled = 0;
+- /* device back-pointer is already initialized, always remains valid */
+-
+- /* Reset source-related registers */
+- if ((input == TSPP2_INPUT_TSIF0) || (input == TSPP2_INPUT_TSIF1)) {
+- writel_relaxed((0x1 << TSIF_INPUT_SRC_CONFIG_16_BATCHES_OFFS),
+- device->base +
+- TSPP2_TSIF_INPUT_SRC_CONFIG(src->input));
+- } else {
+- /*
+- * Disable memory inputs. Set mode of operation to 16 batches.
+- * Configure last batch to be associated with this source.
+- */
+- writel_relaxed(TSPP2_DEFAULT_MEM_SRC_CONFIG,
+- device->base +
+- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
+- }
+- writel_relaxed(0, device->base +
+- TSPP2_SRC_DEST_PIPES(src->hw_index));
+- writel_relaxed(TSPP2_DEFAULT_SRC_CONFIG, device->base +
+- TSPP2_SRC_CONFIG(src->hw_index));
+- writel_relaxed((0x1 << src->hw_index),
+- device->base + TSPP2_SRC_TOTAL_TSP_RESET);
+- writel_relaxed((0x1 << src->hw_index),
+- device->base + TSPP2_SRC_FILTERED_OUT_TSP_RESET);
+-
+- /* Return handle to the caller */
+- *src_handle = (u32)src;
+-
+- mutex_unlock(&device->mutex);
+-
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+-
+- dev_dbg(device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_src_open);
+-
+-/**
+- * tspp2_src_close() - Close an opened source.
+- *
+- * @src_handle: Source to be closed.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_src_close(u32 src_handle)
+-{
+- unsigned long flags;
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+-
+- if (!src) {
+- pr_err("%s: Invalid source handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- mutex_lock(&src->device->mutex);
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- return -EPERM;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source already closed\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- return -EINVAL;
+- }
+-
+- if (src->enabled) {
+- pr_err("%s: Source needs to be disabled before it can be closed\n",
+- __func__);
+- mutex_unlock(&src->device->mutex);
+- return -EPERM;
+- }
+-
+- /* Verify resources have been released by the caller */
+- if ((src->num_associated_batches > 0) ||
+- (src->num_associated_pipes > 0) ||
+- (src->num_associated_filters > 0)) {
+- pr_err("%s: Source's resources need to be removed before it can be closed\n",
+-
__func__);
+- mutex_unlock(&src->device->mutex);
+- return -EPERM;
+- }
+-
+- /*
+- * Most fields are reset to default values when opening a source, so
+- * there is no need to reset them all here. We only need to mark the
+- * source as closed.
+- */
+- src->opened = 0;
+- spin_lock_irqsave(&src->device->spinlock, flags);
+- src->event_callback = NULL;
+- src->event_cookie = NULL;
+- src->event_bitmask = 0;
+- spin_unlock_irqrestore(&src->device->spinlock, flags);
+- src->enabled = 0;
+-
+- /*
+- * Source-related HW registers are reset when opening a source, so
+- * we don't reser them here. Note that a source is disabled before
+- * it is closed, so no need to disable it here either.
+- */
+-
+- mutex_unlock(&src->device->mutex);
+-
+- dev_dbg(src->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_src_close);
+-
+-/**
+- * tspp2_src_parsing_option_set() - Set source parsing configuration option.
+- *
+- * @src_handle: Source to configure.
+- * @option: Parsing configuration option to enable / disable.
+- * @enable: Enable / disable option.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_src_parsing_option_set(u32 src_handle,
+- enum tspp2_src_parsing_option option,
+- int enable)
+-{
+- int ret;
+- u32 reg = 0;
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+-
+- if (!src) {
+- pr_err("%s: Invalid source handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(src->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&src->device->mutex)) {
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EPERM;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source not opened\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EINVAL;
+- }
+-
+- reg = readl_relaxed(src->device->base +
+- TSPP2_SRC_CONFIG(src->hw_index));
+-
+- switch (option) {
+- case TSPP2_SRC_PARSING_OPT_CHECK_CONTINUITY:
+- if (enable)
+- reg |= (0x1 << SRC_CONFIG_CHECK_CONT_OFFS);
+- else
+- reg &= ~(0x1 << SRC_CONFIG_CHECK_CONT_OFFS);
+- break;
+- case TSPP2_SRC_PARSING_OPT_IGNORE_DISCONTINUITY:
+- if (enable)
+- reg |= (0x1 << SRC_CONFIG_IGNORE_DISCONT_OFFS);
+- else
+- reg &= ~(0x1 << SRC_CONFIG_IGNORE_DISCONT_OFFS);
+- break;
+- case TSPP2_SRC_PARSING_OPT_ASSUME_DUPLICATE_PACKETS:
+- if (enable)
+- reg |= (0x1 << SRC_CONFIG_ASSUME_DUPLICATES_OFFS);
+- else
+- reg &= ~(0x1 << SRC_CONFIG_ASSUME_DUPLICATES_OFFS);
+- break;
+- case TSPP2_SRC_PARSING_OPT_DISCARD_INVALID_AF_PACKETS:
+- if (enable)
+- reg |= (0x1 << SRC_CONFIG_DISCARD_INVALID_AF_OFFS);
+- else
+- reg &= ~(0x1 << SRC_CONFIG_DISCARD_INVALID_AF_OFFS);
+- break;
+- case TSPP2_SRC_PARSING_OPT_VERIFY_PES_START:
+- if (enable)
+- reg |= (0x1 <<
SRC_CONFIG_VERIFY_PES_START_OFFS);
+- else
+- reg &= ~(0x1 << SRC_CONFIG_VERIFY_PES_START_OFFS);
+- break;
+- default:
+- pr_err("%s: Invalid option %d\n", __func__, option);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EINVAL;
+- }
+-
+- writel_relaxed(reg, src->device->base +
+- TSPP2_SRC_CONFIG(src->hw_index));
+-
+- mutex_unlock(&src->device->mutex);
+-
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- dev_dbg(src->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_src_parsing_option_set);
+-
+-/**
+- * tspp2_src_parsing_option_get() - Get source parsing configuration option.
+- *
+- * @src_handle: Source handle.
+- * @option: Parsing configuration option to get.
+- * @enable: Option's enable / disable indication.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_src_parsing_option_get(u32 src_handle,
+- enum tspp2_src_parsing_option option,
+- int *enable)
+-{
+- int ret;
+- u32 reg = 0;
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+-
+- if (!src) {
+- pr_err("%s: Invalid source handle\n", __func__);
+- return -EINVAL;
+- }
+- if (!enable) {
+- pr_err("%s: NULL pointer\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(src->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&src->device->mutex)) {
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EPERM;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source not opened\n", __func__);
+- mutex_unlock(&src->device->mutex);
+-
pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EINVAL;
+- }
+-
+- reg = readl_relaxed(src->device->base +
+- TSPP2_SRC_CONFIG(src->hw_index));
+-
+- switch (option) {
+- case TSPP2_SRC_PARSING_OPT_CHECK_CONTINUITY:
+- *enable = ((reg >> SRC_CONFIG_CHECK_CONT_OFFS) & 0x1);
+- break;
+- case TSPP2_SRC_PARSING_OPT_IGNORE_DISCONTINUITY:
+- *enable = ((reg >> SRC_CONFIG_IGNORE_DISCONT_OFFS) & 0x1);
+- break;
+- case TSPP2_SRC_PARSING_OPT_ASSUME_DUPLICATE_PACKETS:
+- *enable = ((reg >> SRC_CONFIG_ASSUME_DUPLICATES_OFFS) & 0x1);
+- break;
+- case TSPP2_SRC_PARSING_OPT_DISCARD_INVALID_AF_PACKETS:
+- *enable = ((reg >> SRC_CONFIG_DISCARD_INVALID_AF_OFFS) & 0x1);
+- break;
+- case TSPP2_SRC_PARSING_OPT_VERIFY_PES_START:
+- *enable = ((reg >> SRC_CONFIG_VERIFY_PES_START_OFFS) & 0x1);
+- break;
+- default:
+- pr_err("%s: Invalid option %d\n", __func__, option);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EINVAL;
+- }
+-
+- mutex_unlock(&src->device->mutex);
+-
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- dev_dbg(src->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_src_parsing_option_get);
+-
+-/**
+- * tspp2_src_sync_byte_config_set() - Set source sync byte configuration.
+- *
+- * @src_handle: Source to configure.
+- * @check_sync_byte: Check TS packet sync byte.
+- * @sync_byte_value: Sync byte value to check (e.g., 0x47).
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_src_sync_byte_config_set(u32 src_handle,
+- int check_sync_byte,
+- u8 sync_byte_value)
+-{
+- int ret;
+- u32 reg = 0;
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+-
+- if (!src) {
+- pr_err("%s: Invalid source handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(src->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&src->device->mutex)) {
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EPERM;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source not opened\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EINVAL;
+- }
+-
+- reg = readl_relaxed(src->device->base +
+- TSPP2_SRC_CONFIG(src->hw_index));
+-
+- if (check_sync_byte)
+- reg |= (0x1 << SRC_CONFIG_CHECK_SYNC_OFFS);
+- else
+- reg &= ~(0x1 << SRC_CONFIG_CHECK_SYNC_OFFS);
+-
+- reg &= ~(0xFF << SRC_CONFIG_SYNC_BYTE_OFFS);
+- reg |= (sync_byte_value << SRC_CONFIG_SYNC_BYTE_OFFS);
+-
+- writel_relaxed(reg, src->device->base +
+- TSPP2_SRC_CONFIG(src->hw_index));
+-
+- mutex_unlock(&src->device->mutex);
+-
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- dev_dbg(src->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_src_sync_byte_config_set);
+-
+-/**
+- * tspp2_src_sync_byte_config_get() - Get source sync byte configuration.
+- *
+- * @src_handle: Source handle.
+- * @check_sync_byte: Check TS packet sync byte indication.
+- * @sync_byte_value: Sync byte value.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_src_sync_byte_config_get(u32 src_handle,
+- int *check_sync_byte,
+- u8 *sync_byte_value)
+-{
+- int ret;
+- u32 reg = 0;
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+-
+- if (!src) {
+- pr_err("%s: Invalid source handle\n", __func__);
+- return -EINVAL;
+- }
+- if (!check_sync_byte || !sync_byte_value) {
+- pr_err("%s: NULL pointer\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(src->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&src->device->mutex)) {
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EPERM;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source not opened\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EINVAL;
+- }
+-
+- reg = readl_relaxed(src->device->base +
+- TSPP2_SRC_CONFIG(src->hw_index));
+-
+- *check_sync_byte = (reg >> SRC_CONFIG_CHECK_SYNC_OFFS) & 0x1;
+- *sync_byte_value = (reg >> SRC_CONFIG_SYNC_BYTE_OFFS) & 0xFF;
+-
+- mutex_unlock(&src->device->mutex);
+-
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- dev_dbg(src->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_src_sync_byte_config_get);
+-
+-/**
+- * tspp2_src_scrambling_config_set() - Set source scrambling configuration.
+- *
+- * @src_handle: Source to configure.
+- * @cfg: Scrambling configuration to set.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_src_scrambling_config_set(u32 src_handle,
+- const struct tspp2_src_scrambling_config *cfg)
+-{
+- int ret;
+- u32 reg = 0;
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+-
+- if (!src) {
+- pr_err("%s: Invalid source handle\n", __func__);
+- return -EINVAL;
+- }
+- if (!cfg) {
+- pr_err("%s: NULL pointer\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(src->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&src->device->mutex)) {
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EPERM;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source not opened\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EINVAL;
+- }
+-
+- reg = readl_relaxed(src->device->base +
+- TSPP2_SRC_CONFIG(src->hw_index));
+-
+- /* Clear all scrambling configuration bits before setting them */
+- reg &= ~(0x3 << SRC_CONFIG_SCRAMBLING0_OFFS);
+- reg &= ~(0x3 << SRC_CONFIG_SCRAMBLING1_OFFS);
+- reg &= ~(0x3 << SRC_CONFIG_SCRAMBLING2_OFFS);
+- reg &= ~(0x3 << SRC_CONFIG_SCRAMBLING3_OFFS);
+- reg &= ~(0x3 << SRC_CONFIG_SCRAMBLING_MONITOR_OFFS);
+-
+- reg |= (cfg->scrambling_0_ctrl << SRC_CONFIG_SCRAMBLING0_OFFS);
+- reg |= (cfg->scrambling_1_ctrl << SRC_CONFIG_SCRAMBLING1_OFFS);
+- reg |= (cfg->scrambling_2_ctrl << SRC_CONFIG_SCRAMBLING2_OFFS);
+- reg |= (cfg->scrambling_3_ctrl << SRC_CONFIG_SCRAMBLING3_OFFS);
+- reg |= (cfg->scrambling_bits_monitoring <<
+- SRC_CONFIG_SCRAMBLING_MONITOR_OFFS);
+-
+- writel_relaxed(reg, src->device->base +
+- TSPP2_SRC_CONFIG(src->hw_index));
+-
+-
src->scrambling_bits_monitoring = cfg->scrambling_bits_monitoring;
+-
+- mutex_unlock(&src->device->mutex);
+-
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- dev_dbg(src->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_src_scrambling_config_set);
+-
+-/**
+- * tspp2_src_scrambling_config_get() - Get source scrambling configuration.
+- *
+- * @src_handle: Source handle.
+- * @cfg: Scrambling configuration.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_src_scrambling_config_get(u32 src_handle,
+- struct tspp2_src_scrambling_config *cfg)
+-{
+- int ret;
+- u32 reg = 0;
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+-
+- if (!src) {
+- pr_err("%s: Invalid source handle\n", __func__);
+- return -EINVAL;
+- }
+- if (!cfg) {
+- pr_err("%s: NULL pointer\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(src->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&src->device->mutex)) {
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EPERM;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source not opened\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EINVAL;
+- }
+-
+- reg = readl_relaxed(src->device->base +
+- TSPP2_SRC_CONFIG(src->hw_index));
+-
+- cfg->scrambling_0_ctrl = ((reg >> SRC_CONFIG_SCRAMBLING0_OFFS) & 0x3);
+- cfg->scrambling_1_ctrl = ((reg >> SRC_CONFIG_SCRAMBLING1_OFFS) & 0x3);
+- cfg->scrambling_2_ctrl = ((reg >> SRC_CONFIG_SCRAMBLING2_OFFS) & 0x3);
+-
cfg->scrambling_3_ctrl = ((reg >> SRC_CONFIG_SCRAMBLING3_OFFS) & 0x3);
+- cfg->scrambling_bits_monitoring =
+- ((reg >> SRC_CONFIG_SCRAMBLING_MONITOR_OFFS) & 0x3);
+-
+- mutex_unlock(&src->device->mutex);
+-
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- dev_dbg(src->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_src_scrambling_config_get);
+-
+-/**
+- * tspp2_src_packet_format_set() - Set source packet size and format.
+- *
+- * @src_handle: Source to configure.
+- * @format: Packet format.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_src_packet_format_set(u32 src_handle,
+- enum tspp2_packet_format format)
+-{
+- int ret;
+- u32 reg = 0;
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+-
+- if (!src) {
+- pr_err("%s: Invalid source handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(src->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&src->device->mutex)) {
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EPERM;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source not opened\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EINVAL;
+- }
+-
+- if (src->input == TSPP2_INPUT_MEMORY) {
+- reg = readl_relaxed(src->device->base +
+- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
+-
+- reg &= ~(0x1 << MEM_INPUT_SRC_CONFIG_STAMP_SUFFIX_OFFS);
+- reg &= ~(0x1 << MEM_INPUT_SRC_CONFIG_STAMP_EN_OFFS);
+-
+- switch (format) {
+- case TSPP2_PACKET_FORMAT_188_RAW:
+- /* We
do not need to set any bit */ +- break; +- case TSPP2_PACKET_FORMAT_192_HEAD: +- reg |= (0x1 << MEM_INPUT_SRC_CONFIG_STAMP_EN_OFFS); +- break; +- case TSPP2_PACKET_FORMAT_192_TAIL: +- reg |= (0x1 << MEM_INPUT_SRC_CONFIG_STAMP_EN_OFFS); +- reg |= (0x1 << MEM_INPUT_SRC_CONFIG_STAMP_SUFFIX_OFFS); +- break; +- default: +- pr_err("%s: Unknown packet format\n", __func__); +- mutex_unlock(&src->device->mutex); +- pm_runtime_mark_last_busy(src->device->dev); +- pm_runtime_put_autosuspend(src->device->dev); +- return -EINVAL; +- } +- writel_relaxed(reg, src->device->base + +- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index)); +- } +- src->pkt_format = format; +- +- /* Update source's input pipe threshold if needed */ +- if (src->input_pipe) { +- if (src->pkt_format == TSPP2_PACKET_FORMAT_188_RAW) +- src->input_pipe->threshold = 188; +- else +- src->input_pipe->threshold = 192; +- +- writel_relaxed(src->input_pipe->threshold, +- src->input_pipe->device->base + +- TSPP2_PIPE_THRESH_CONFIG(src->input_pipe->hw_index)); +- } +- +- mutex_unlock(&src->device->mutex); +- +- pm_runtime_mark_last_busy(src->device->dev); +- pm_runtime_put_autosuspend(src->device->dev); +- +- dev_dbg(src->device->dev, "%s: successful\n", __func__); +- +- return 0; +-} +-EXPORT_SYMBOL(tspp2_src_packet_format_set); +- +-/** +- * tspp2_src_pipe_attach() - Attach a pipe to a source. +- * +- * @src_handle: Source to attach the pipe to. +- * @pipe_handle: Pipe to attach to the source. +- * @cfg: For output pipes - the pipe's pull mode parameters. +- * It is not allowed to pass NULL for output pipes. +- * For input pipes this is irrelevant and the caller can +- * pass NULL. +- * +- * This function attaches a given pipe to a given source. +- * The pipe's mode (input or output) was set when the pipe was opened. +- * An input pipe can be attached to a single source (with memory input). +- * A source can have multiple output pipes attached, and an output pipe can +- * be attached to multiple sources. 
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_src_pipe_attach(u32 src_handle,
+- u32 pipe_handle,
+- const struct tspp2_pipe_pull_mode_params *cfg)
+-{
+- int ret;
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+- struct tspp2_pipe *pipe = (struct tspp2_pipe *)pipe_handle;
+- struct tspp2_output_pipe *output_pipe = NULL;
+- u32 reg;
+-
+- if (!src || !pipe) {
+- pr_err("%s: Invalid source or pipe handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(src->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&src->device->mutex)) {
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EPERM;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source not opened\n", __func__);
+- goto err_inval;
+- }
+-
+- if (!pipe->opened) {
+- pr_err("%s: Pipe not opened\n", __func__);
+- goto err_inval;
+- }
+- if ((pipe->cfg.pipe_mode == TSPP2_SRC_PIPE_OUTPUT) && (cfg == NULL)) {
+- pr_err("%s: Invalid pull mode parameters\n", __func__);
+- goto err_inval;
+- }
+-
+- if (pipe->cfg.pipe_mode == TSPP2_SRC_PIPE_INPUT) {
+- if (src->input_pipe != NULL) {
+- pr_err("%s: Source already has an input pipe attached\n",
+- __func__);
+- goto err_inval;
+- }
+- if (pipe->ref_cnt > 0) {
+- pr_err(
+- "%s: Pipe %u is already attached to a source. An input pipe can only be attached once\n",
+- __func__, pipe_handle);
+- goto err_inval;
+- }
+- /*
+- * Input pipe threshold is determined according to the
+- * source's packet size.
+- */
+- if (src->pkt_format == TSPP2_PACKET_FORMAT_188_RAW)
+- pipe->threshold = 188;
+- else
+- pipe->threshold = 192;
+-
+- src->input_pipe = pipe;
+-
+- reg = readl_relaxed(src->device->base +
+- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
+- reg &= ~(0x1F << MEM_INPUT_SRC_CONFIG_INPUT_PIPE_OFFS);
+- reg |= (pipe->hw_index << MEM_INPUT_SRC_CONFIG_INPUT_PIPE_OFFS);
+- writel_relaxed(reg, src->device->base +
+- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
+- } else {
+- list_for_each_entry(output_pipe,
+- &src->output_pipe_list, link) {
+- if (output_pipe->pipe == pipe) {
+- pr_err(
+- "%s: Output pipe %u is already attached to source %u\n",
+- __func__, pipe_handle, src_handle);
+- goto err_inval;
+- }
+- }
+- output_pipe = kmalloc(sizeof(struct tspp2_output_pipe),
+- GFP_KERNEL);
+- if (!output_pipe) {
+- pr_err("%s: No memory to save output pipe\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ENOMEM;
+- }
+- output_pipe->pipe = pipe;
+- pipe->threshold = (cfg->threshold & 0xFFFF);
+- list_add_tail(&output_pipe->link, &src->output_pipe_list);
+-
+- reg = readl_relaxed(src->device->base +
+- TSPP2_SRC_DEST_PIPES(src->hw_index));
+- if (cfg->is_stalling)
+- reg |= (0x1 << pipe->hw_index);
+- else
+- reg &= ~(0x1 << pipe->hw_index);
+- writel_relaxed(reg, src->device->base +
+- TSPP2_SRC_DEST_PIPES(src->hw_index));
+- }
+-
+- reg = readl_relaxed(pipe->device->base +
+- TSPP2_PIPE_THRESH_CONFIG(pipe->hw_index));
+- if ((pipe->cfg.pipe_mode == TSPP2_SRC_PIPE_OUTPUT) &&
+- (pipe->ref_cnt > 0) && (pipe->threshold != (reg & 0xFFFF))) {
+- pr_warn("%s: overwriting output pipe threshold\n", __func__);
+- }
+-
+- writel_relaxed(pipe->threshold, pipe->device->base +
+- TSPP2_PIPE_THRESH_CONFIG(pipe->hw_index));
+-
+- pipe->ref_cnt++;
+- src->num_associated_pipes++;
+-
+- mutex_unlock(&src->device->mutex);
+-
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- dev_dbg(src->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-
+-err_inval:
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- return -EINVAL;
+-}
+-EXPORT_SYMBOL(tspp2_src_pipe_attach);
+-
+-/**
+- * tspp2_src_pipe_detach() - Detach a pipe from a source.
+- *
+- * @src_handle: Source to detach the pipe from.
+- * @pipe_handle: Pipe to detach from the source.
+- *
+- * Detaches a pipe from a source. The given pipe should have been previously
+- * attached to this source as either an input pipe or an output pipe.
+- * Note: there is no checking if this pipe is currently defined as the output
+- * pipe of any operation!
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_src_pipe_detach(u32 src_handle, u32 pipe_handle)
+-{
+- int ret;
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+- struct tspp2_pipe *pipe = (struct tspp2_pipe *)pipe_handle;
+- struct tspp2_output_pipe *output_pipe = NULL;
+- int found = 0;
+- u32 reg;
+-
+- if (!src || !pipe) {
+- pr_err("%s: Invalid source or pipe handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(src->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- mutex_lock(&src->device->mutex);
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EPERM;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source not opened\n", __func__);
+- goto err_inval;
+- }
+-
+- if (!pipe->opened) {
+- pr_err("%s: Pipe not opened\n", __func__);
+- goto err_inval;
+- }
+-
+- if (pipe->cfg.pipe_mode == TSPP2_SRC_PIPE_INPUT) {
+- if (src->input_pipe != pipe) {
+- pr_err(
+- "%s: Input pipe %u is not attached to source %u\n",
+- __func__, pipe_handle, src_handle);
+- goto err_inval;
+- }
+-
+- writel_relaxed(0xFFFF, src->input_pipe->device->base +
+- TSPP2_PIPE_THRESH_CONFIG(src->input_pipe->hw_index));
+-
+- if (src->enabled) {
+- pr_warn("%s: Detaching input pipe from an active memory source\n",
+- __func__);
+- }
+- /*
+- * Note: not updating TSPP2_MEM_INPUT_SRC_CONFIG to reflect
+- * this pipe is detached, since there is no invalid value we
+- * can write instead. tspp2_src_pipe_attach() already takes
+- * care of zeroing the relevant bit-field before writing the
+- * new pipe nummber.
+- */
+-
+- src->input_pipe = NULL;
+- } else {
+- list_for_each_entry(output_pipe,
+- &src->output_pipe_list, link) {
+- if (output_pipe->pipe == pipe) {
+- found = 1;
+- break;
+- }
+- }
+- if (found) {
+- list_del(&output_pipe->link);
+- kfree(output_pipe);
+- reg = readl_relaxed(src->device->base +
+- TSPP2_SRC_DEST_PIPES(src->hw_index));
+- reg &= ~(0x1 << pipe->hw_index);
+- writel_relaxed(reg, src->device->base +
+- TSPP2_SRC_DEST_PIPES(src->hw_index));
+- if (pipe->ref_cnt == 1) {
+- writel_relaxed(0xFFFF, pipe->device->base +
+- TSPP2_PIPE_THRESH_CONFIG(
+- pipe->hw_index));
+- }
+- } else {
+- pr_err("%s: Output pipe %u is not attached to source %u\n",
+- __func__, pipe_handle, src_handle);
+- goto err_inval;
+- }
+- }
+- pipe->ref_cnt--;
+- src->num_associated_pipes--;
+-
+- mutex_unlock(&src->device->mutex);
+-
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- dev_dbg(src->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-
+-err_inval:
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- return -EINVAL;
+-}
+-EXPORT_SYMBOL(tspp2_src_pipe_detach);
+-
+-/**
+- * tspp2_src_enable() - Enable source.
+- *
+- * @src_handle: Source to enable.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_src_enable(u32 src_handle)
+-{
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+- u32 reg;
+- int ret;
+-
+- if (!src) {
+- pr_err("%s: Invalid source handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(src->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&src->device->mutex)) {
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EPERM;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source not opened\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EINVAL;
+- }
+-
+- if (src->enabled) {
+- pr_warn("%s: Source already enabled\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return 0;
+- }
+-
+- /*
+- * Memory sources require their input pipe to be configured
+- * before enabling the source.
+- */
+- if ((src->input == TSPP2_INPUT_MEMORY) && (src->input_pipe == NULL)) {
+- pr_err("%s: A memory source must have an input pipe attached before enabling the source",
+- __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EINVAL;
+- }
+-
+- if (src->device->num_enabled_sources == 0) {
+- ret = tspp2_clock_start(src->device);
+- if (ret) {
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return ret;
+- }
+- __pm_stay_awake(&src->device->wakeup_src);
+- }
+-
+- if ((src->input == TSPP2_INPUT_TSIF0) ||
+- (src->input == TSPP2_INPUT_TSIF1)) {
+- tspp2_tsif_start(&src->device->tsif_devices[src->input]);
+-
+- reg = readl_relaxed(src->device->base +
+- TSPP2_TSIF_INPUT_SRC_CONFIG(src->input));
+- reg |= (0x1 << TSIF_INPUT_SRC_CONFIG_INPUT_EN_OFFS);
+- writel_relaxed(reg, src->device->base +
+- TSPP2_TSIF_INPUT_SRC_CONFIG(src->input));
+- } else {
+- reg = readl_relaxed(src->device->base +
+- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
+- reg |= (0x1 << MEM_INPUT_SRC_CONFIG_INPUT_EN_OFFS);
+- writel_relaxed(reg, src->device->base +
+- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
+- }
+-
+- src->enabled = 1;
+- src->device->num_enabled_sources++;
+-
+- mutex_unlock(&src->device->mutex);
+-
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- dev_dbg(src->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_src_enable);
+-
+-/**
+- * tspp2_src_disable() - Disable source.
+- *
+- * @src_handle: Source to disable.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_src_disable(u32 src_handle)
+-{
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+- int ret;
+-
+- if (!src) {
+- pr_err("%s: Invalid source handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(src->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- mutex_lock(&src->device->mutex);
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EPERM;
+- }
+-
+- ret = tspp2_src_disable_internal(src);
+-
+- mutex_unlock(&src->device->mutex);
+-
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- if (!ret)
+- dev_dbg(src->device->dev, "%s: successful\n", __func__);
+-
+- return ret;
+-}
+-EXPORT_SYMBOL(tspp2_src_disable);
+-
+-/**
+- * tspp2_filter_ops_clear() - Clear filter operations database and HW
+- *
+- * @filter: The filter to work on.
+- */
+-static void tspp2_filter_ops_clear(struct tspp2_filter *filter)
+-{
+- int i;
+-
+- /* Set all filter operations in HW to Exit operation */
+- for (i = 0; i < TSPP2_MAX_OPS_PER_FILTER; i++) {
+- writel_relaxed(TSPP2_OPCODE_EXIT, filter->device->base +
+- TSPP2_OPCODE(filter->hw_index, i));
+- }
+- memset(filter->operations, 0,
+- (sizeof(struct tspp2_operation) * TSPP2_MAX_OPS_PER_FILTER));
+- filter->num_user_operations = 0;
+- filter->indexing_op_set = 0;
+- filter->raw_op_with_indexing = 0;
+- filter->pes_analysis_op_set = 0;
+- filter->raw_op_set = 0;
+- filter->pes_tx_op_set = 0;
+-}
+-
+-/**
+- * tspp2_filter_context_reset() - Reset filter context and release it.
+- *
+- * @filter: The filter to work on.
+- */
+-static void tspp2_filter_context_reset(struct tspp2_filter *filter)
+-{
+- /* Reset this filter's context. Each register handles 32 contexts */
+- writel_relaxed((0x1 << TSPP2_MODULUS_OP(filter->context, 32)),
+- filter->device->base +
+- TSPP2_TSP_CONTEXT_RESET(filter->context >> 5));
+- writel_relaxed((0x1 << TSPP2_MODULUS_OP(filter->context, 32)),
+- filter->device->base +
+- TSPP2_PES_CONTEXT_RESET(filter->context >> 5));
+- writel_relaxed((0x1 << TSPP2_MODULUS_OP(filter->context, 32)),
+- filter->device->base +
+- TSPP2_INDEXING_CONTEXT_RESET(filter->context >> 5));
+-
+- writel_relaxed(0, filter->device->base +
+- TSPP2_FILTER_ENTRY1(filter->hw_index));
+-
+- /* Release context */
+- filter->device->contexts[filter->context] = 0;
+-}
+-
+-/**
+- * tspp2_filter_sw_reset() - Reset filter SW fields helper function.
+- *
+- * @filter: The filter to work on.
+- */
+-static void tspp2_filter_sw_reset(struct tspp2_filter *filter)
+-{
+- unsigned long flags;
+- /*
+- * All fields are cleared when opening a filter. Still it is important
+- * to reset some of the fields here, specifically to set opened to 0 and
+- * also to set the callback to NULL.
+- */
+- filter->opened = 0;
+- filter->src = NULL;
+- filter->batch = NULL;
+- filter->context = 0;
+- filter->hw_index = 0;
+- filter->pid_value = 0;
+- filter->mask = 0;
+- spin_lock_irqsave(&filter->device->spinlock, flags);
+- filter->event_callback = NULL;
+- filter->event_cookie = NULL;
+- filter->event_bitmask = 0;
+- spin_unlock_irqrestore(&filter->device->spinlock, flags);
+- filter->enabled = 0;
+-}
+-
+-/**
+- * tspp2_src_batch_set() - Set/clear a filter batch to/from a source.
+- *
+- * @src: The source to work on.
+- * @batch_id: The batch to set/clear.
+- * @set: Set/clear flag.
+- */
+-static void tspp2_src_batch_set(struct tspp2_src *src, u8 batch_id, int set)
+-{
+- u32 reg = 0;
+-
+- if (src->input == TSPP2_INPUT_MEMORY) {
+- reg = readl_relaxed(src->device->base +
+- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
+- if (set)
+- reg |= ((1 << batch_id) <<
+- MEM_INPUT_SRC_CONFIG_BATCHES_OFFS);
+- else
+- reg &= ~((1 << batch_id) <<
+- MEM_INPUT_SRC_CONFIG_BATCHES_OFFS);
+- writel_relaxed(reg, src->device->base +
+- TSPP2_MEM_INPUT_SRC_CONFIG(src->hw_index));
+- } else {
+- reg = readl_relaxed(src->device->base +
+- TSPP2_TSIF_INPUT_SRC_CONFIG(src->input));
+- if (set)
+- reg |= ((1 << batch_id) <<
+- TSIF_INPUT_SRC_CONFIG_BATCHES_OFFS);
+- else
+- reg &= ~((1 << batch_id) <<
+- TSIF_INPUT_SRC_CONFIG_BATCHES_OFFS);
+- writel_relaxed(reg, src->device->base +
+- TSPP2_TSIF_INPUT_SRC_CONFIG(src->input));
+- }
+-}
+-
+-/**
+- * tspp2_src_filters_clear() - Clear all filters from a source.
+- *
+- * @src_handle: Source to clear all filters from.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_src_filters_clear(u32 src_handle)
+-{
+- int ret;
+- int i;
+- struct tspp2_filter *filter = NULL;
+- struct tspp2_filter *tmp_filter;
+- struct tspp2_filter_batch *batch = NULL;
+- struct tspp2_filter_batch *tmp_batch;
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+-
+- if (!src) {
+- pr_err("%s: Invalid source handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(src->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- mutex_lock(&src->device->mutex);
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EPERM;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source not opened\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EINVAL;
+- }
+-
+- /* Go over filters in source, disable them, clear their operations,
+- * "close" them (similar to tspp2_filter_close function but simpler).
+- * No need to worry about cases of reserved filter, so just clear
+- * filters HW- and SW-wise. Then update source's filters and batches
+- * lists and numbers. Simple :)
+- */
+- list_for_each_entry_safe(filter, tmp_filter, &src->filters_list, link) {
+- /* Disable filter */
+- writel_relaxed(0, filter->device->base +
+- TSPP2_FILTER_ENTRY0(filter->hw_index));
+- /* Clear filter operations in HW as well as related SW fields */
+- tspp2_filter_ops_clear(filter);
+- /* Reset filter context-based counters */
+- tspp2_filter_counters_reset(filter->device, filter->context);
+- /* Reset filter context and release it back to the device */
+- tspp2_filter_context_reset(filter);
+- /* Reset filter SW fields */
+- tspp2_filter_sw_reset(filter);
+-
+- list_del(&filter->link);
+- }
+-
+- list_for_each_entry_safe(batch, tmp_batch, &src->batches_list, link) {
+- tspp2_src_batch_set(src, batch->batch_id, 0);
+- for (i = 0; i < TSPP2_FILTERS_PER_BATCH; i++)
+- batch->hw_filters[i] = 0;
+- batch->src = NULL;
+- list_del(&batch->link);
+- }
+-
+- src->num_associated_batches = 0;
+- src->num_associated_filters = 0;
+- src->reserved_filter_hw_index = 0;
+-
+- mutex_unlock(&src->device->mutex);
+-
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- dev_dbg(src->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_src_filters_clear);
+-
+-/* Filters and Operations API functions */
+-
+-/**
+- * tspp2_filter_open() - Open a new filter and add it to a source.
+- *
+- * @src_handle: Source to add the new filter to.
+- * @pid: Filter's 13-bit PID value.
+- * @mask: Filter's 13-bit mask. Note it is highly recommended
+- * to use a full bit mask of 0x1FFF, so the filter
+- * operates on a unique PID.
+- * @filter_handle: Opened filter handle.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_filter_open(u32 src_handle, u16 pid, u16 mask, u32 *filter_handle)
+-{
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+- struct tspp2_filter_batch *batch;
+- struct tspp2_filter *filter = NULL;
+- u16 hw_idx;
+- int i;
+- u32 reg = 0;
+- int found = 0;
+- int ret;
+-
+- if (!src) {
+- pr_err("%s: Invalid source handle\n", __func__);
+- return -EINVAL;
+- }
+- if (!filter_handle) {
+- pr_err("%s: Invalid filter handle pointer\n", __func__);
+- return -EINVAL;
+- }
+-
+- if ((pid & ~0x1FFF) || (mask & ~0x1FFF)) {
+- pr_err("%s: Invalid PID or mask values (13 bits available)\n",
+- __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(src->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&src->device->mutex)) {
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EPERM;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source not opened\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EINVAL;
+- }
+-
+- /* Find an available filter object in the device's filters database */
+- for (i = 0; i < TSPP2_NUM_AVAIL_FILTERS; i++)
+- if (!src->device->filters[i].opened)
+- break;
+- if (i == TSPP2_NUM_AVAIL_FILTERS) {
+- pr_err("%s: No available filters\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ENOMEM;
+- }
+- filter = &src->device->filters[i];
+-
+- /* Find an available context. Each new filter needs a unique context */
+- for (i = 0; i < TSPP2_NUM_AVAIL_CONTEXTS; i++)
+- if (!src->device->contexts[i])
+- break;
+- if (i == TSPP2_NUM_AVAIL_CONTEXTS) {
+- pr_err("%s: No available filters\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ENOMEM;
+- }
+- src->device->contexts[i] = 1;
+- filter->context = i;
+-
+- if (src->num_associated_batches) {
+- /*
+- * Look for an available HW filter among the batches
+- * already associated with this source.
+- */
+- list_for_each_entry(batch, &src->batches_list, link) {
+- for (i = 0; i < TSPP2_FILTERS_PER_BATCH; i++) {
+- hw_idx = (batch->batch_id *
+- TSPP2_FILTERS_PER_BATCH) + i;
+- if ((hw_idx != src->reserved_filter_hw_index) &&
+- (batch->hw_filters[i] == 0))
+- break;
+- }
+- if (i < TSPP2_FILTERS_PER_BATCH) {
+- /* Found an available HW filter */
+- batch->hw_filters[i] = 1;
+- found = 1;
+- break;
+- }
+- }
+- }
+-
+- if (!found) {
+- /* Either the source did not have any associated batches,
+- * or we could not find an available HW filter in any of
+- * the source's batches. In any case, we need to find a new
+- * batch. Then we use the first filter in this batch.
+- */
+- for (i = 0; i < TSPP2_NUM_BATCHES; i++) {
+- if (!src->device->batches[i].src) {
+- src->device->batches[i].src = src;
+- batch = &src->device->batches[i];
+- batch->hw_filters[0] = 1;
+- hw_idx = (batch->batch_id *
+- TSPP2_FILTERS_PER_BATCH);
+- break;
+- }
+- }
+- if (i == TSPP2_NUM_BATCHES) {
+- pr_err("%s: No available filters\n", __func__);
+- src->device->contexts[filter->context] = 0;
+- filter->context = 0;
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ENOMEM;
+- }
+-
+- tspp2_src_batch_set(src, batch->batch_id, 1);
+-
+- list_add_tail(&batch->link, &src->batches_list);
+-
+- /* Update reserved filter index only when needed */
+- if (src->num_associated_batches == 0) {
+- src->reserved_filter_hw_index =
+- (batch->batch_id * TSPP2_FILTERS_PER_BATCH) +
+- TSPP2_FILTERS_PER_BATCH - 1;
+- }
+- src->num_associated_batches++;
+- }
+-
+- filter->opened = 1;
+- filter->src = src;
+- filter->batch = batch;
+- filter->hw_index = hw_idx;
+- filter->pid_value = pid;
+- filter->mask = mask;
+- filter->indexing_table_id = 0;
+- tspp2_filter_ops_clear(filter);
+- filter->event_callback = NULL;
+- filter->event_cookie = NULL;
+- filter->event_bitmask = 0;
+- filter->enabled = 0;
+- /* device back-pointer is already initialized, always remains valid */
+-
+- list_add_tail(&filter->link, &src->filters_list);
+- src->num_associated_filters++;
+-
+- /* Reset filter context-based counters */
+- tspp2_filter_counters_reset(filter->device, filter->context);
+-
+- /* Reset this filter's context */
+- writel_relaxed((0x1 << TSPP2_MODULUS_OP(filter->context, 32)),
+- filter->device->base +
+- TSPP2_TSP_CONTEXT_RESET(filter->context >> 5));
+- writel_relaxed((0x1 << TSPP2_MODULUS_OP(filter->context, 32)),
+- filter->device->base +
+- TSPP2_PES_CONTEXT_RESET(filter->context >> 5));
+- writel_relaxed((0x1 << TSPP2_MODULUS_OP(filter->context, 32)),
+- filter->device->base +
+- TSPP2_INDEXING_CONTEXT_RESET(filter->context >> 5));
+-
+- /* Write PID and mask */
+- reg = ((pid << FILTER_ENTRY0_PID_OFFS) |
+- (mask << FILTER_ENTRY0_MASK_OFFS));
+- writel_relaxed(reg, filter->device->base +
+- TSPP2_FILTER_ENTRY0(filter->hw_index));
+-
+- writel_relaxed((filter->context << FILTER_ENTRY1_CONTEXT_OFFS),
+- filter->device->base + TSPP2_FILTER_ENTRY1(filter->hw_index));
+-
+- *filter_handle = (u32)filter;
+-
+- mutex_unlock(&src->device->mutex);
+-
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- dev_dbg(src->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_filter_open);
+-
+-/**
+- * tspp2_hw_filters_in_batch() - Check for used HW filters in a batch.
+- *
+- * @batch: The filter batch to check.
+- *
+- * Helper function to check if there are any HW filters used on this batch.
+- *
+- * Return 1 if found a used filter in this batch, 0 otherwise.
+- */
+-static inline int tspp2_hw_filters_in_batch(struct tspp2_filter_batch *batch)
+-{
+- int i;
+-
+- for (i = 0; i < TSPP2_FILTERS_PER_BATCH; i++)
+- if (batch->hw_filters[i] == 1)
+- return 1;
+-
+- return 0;
+-}
+-
+-/**
+- * tspp2_filter_close() - Close a filter.
+- *
+- * @filter_handle: Filter to close.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_filter_close(u32 filter_handle)
+-{
+- int i;
+- int ret;
+- struct tspp2_device *device;
+- struct tspp2_src *src = NULL;
+- struct tspp2_filter_batch *batch = NULL;
+- struct tspp2_filter_batch *tmp_batch;
+- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
+-
+- if (!filter) {
+- pr_err("%s: Invalid filter handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- device = filter->device;
+-
+- ret = pm_runtime_get_sync(device->dev);
+- if (ret < 0)
+- return ret;
+-
+- mutex_lock(&device->mutex);
+-
+- if (!device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -EPERM;
+- }
+-
+- if (!filter->opened) {
+- pr_err("%s: Filter already closed\n", __func__);
+- mutex_unlock(&device->mutex);
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+- return -EINVAL;
+- }
+-
+- if (filter->num_user_operations)
+- pr_warn("%s: Closing filters that has %d operations\n",
+- __func__, filter->num_user_operations);
+-
+- /* Disable filter */
+- writel_relaxed(0, device->base +
+- TSPP2_FILTER_ENTRY0(filter->hw_index));
+-
+- /* Clear filter operations in HW as well as related SW fields */
+- tspp2_filter_ops_clear(filter);
+-
+- /* Reset filter context-based counters */
+- tspp2_filter_counters_reset(device, filter->context);
+-
+- /* Reset filter context and release it back to the device */
+- tspp2_filter_context_reset(filter);
+-
+- /* Mark filter as unused in batch */
+- filter->batch->hw_filters[(filter->hw_index -
+- (filter->batch->batch_id * TSPP2_FILTERS_PER_BATCH))] = 0;
+-
+- /* Remove filter from source */
+- list_del(&filter->link);
+- filter->src->num_associated_filters--;
+-
+- /* We may need to update the reserved filter for this source.
+- * Cases to handle:
+- * 1. This is the last filter on this source.
+- * 2. This is the last filter on this batch + reserved filter is not on
+- * this batch.
+- * 3. This is the last filter on this batch + reserved filter is on this
+- * batch. Can possibly move reserved filter to another batch if space is
+- * available.
+- * 4. This is not the last filter on this batch. The reserved filter may
+- * be the only one taking another batch and may be moved to this batch
+- * to save space.
+- */
+-
+- src = filter->src;
+- /*
+- * Case #1: this could be the last filter associated with this source.
+- * If this is the case, we can release the batch too. We don't care
+- * about the reserved HW filter index, since there are no more filters.
+- */
+- if (src->num_associated_filters == 0) {
+- filter->batch->src = NULL;
+- list_del(&filter->batch->link);
+- src->num_associated_batches--;
+- tspp2_src_batch_set(src, filter->batch->batch_id, 0);
+- src->reserved_filter_hw_index = 0;
+- goto filter_clear;
+- }
+-
+- /*
+- * If this is the last filter that was used in this batch, we may be
+- * able to release this entire batch. However, we have to make sure the
+- * reserved filter is not in this batch. If it is, we may find a place
+- * for it in another batch in this source.
+- */
+- if (!tspp2_hw_filters_in_batch(filter->batch)) {
+- /* There are no more used filters on this batch */
+- if ((src->reserved_filter_hw_index <
+- (filter->batch->batch_id * TSPP2_FILTERS_PER_BATCH)) ||
+- (src->reserved_filter_hw_index >=
+- ((filter->batch->batch_id * TSPP2_FILTERS_PER_BATCH) +
+- TSPP2_FILTERS_PER_BATCH))) {
+- /* Case #2: the reserved filter is not on this batch */
+- filter->batch->src = NULL;
+- list_del(&filter->batch->link);
+- src->num_associated_batches--;
+- tspp2_src_batch_set(src, filter->batch->batch_id, 0);
+- } else {
+- /*
+- * Case #3: see if we can "move" the reserved filter to
+- * a different batch.
+- */
+- list_for_each_entry_safe(batch, tmp_batch,
+- &src->batches_list, link) {
+- if (batch == filter->batch)
+- continue;
+-
+- for (i = 0; i < TSPP2_FILTERS_PER_BATCH; i++) {
+- if (batch->hw_filters[i] == 0) {
+- src->reserved_filter_hw_index =
+- (batch->batch_id *
+- TSPP2_FILTERS_PER_BATCH)
+- + i;
+-
+- filter->batch->src = NULL;
+- list_del(&filter->batch->link);
+- src->num_associated_batches--;
+- tspp2_src_batch_set(src,
+- filter->batch->batch_id,
+- 0);
+- goto filter_clear;
+- }
+- }
+- }
+- }
+- } else {
+- /* Case #4: whenever we remove a filter, there is always a
+- * chance that the reserved filter was the only filter used on a
+- * different batch. So now this is a good opportunity to check
+- * if we can release that batch and use the index of the filter
+- * we're freeing instead.
+- */
+- list_for_each_entry_safe(batch, tmp_batch,
+- &src->batches_list, link) {
+- if (((src->reserved_filter_hw_index >=
+- (batch->batch_id * TSPP2_FILTERS_PER_BATCH)) &&
+- (src->reserved_filter_hw_index <
+- (batch->batch_id * TSPP2_FILTERS_PER_BATCH +
+- TSPP2_FILTERS_PER_BATCH))) &&
+- !tspp2_hw_filters_in_batch(batch)) {
+- src->reserved_filter_hw_index =
+- filter->hw_index;
+- batch->src = NULL;
+- list_del(&batch->link);
+- src->num_associated_batches--;
+- tspp2_src_batch_set(src, batch->batch_id, 0);
+- break;
+- }
+- }
+- }
+-
+-filter_clear:
+- tspp2_filter_sw_reset(filter);
+-
+- mutex_unlock(&device->mutex);
+-
+- pm_runtime_mark_last_busy(device->dev);
+- pm_runtime_put_autosuspend(device->dev);
+-
+- dev_dbg(device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_filter_close);
+-
+-/**
+- * tspp2_filter_enable() - Enable a filter.
+- *
+- * @filter_handle: Filter to enable.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_filter_enable(u32 filter_handle)
+-{
+- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
+- u32 reg;
+- int ret;
+-
+- if (!filter) {
+- pr_err("%s: Invalid filter handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(filter->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&filter->device->mutex)) {
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!filter->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&filter->device->mutex);
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -EPERM;
+- }
+-
+- if (!filter->opened) {
+- pr_err("%s: Filter not opened\n", __func__);
+- mutex_unlock(&filter->device->mutex);
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -EINVAL;
+- }
+-
+- if (filter->enabled) {
+- pr_warn("%s: Filter already enabled\n", __func__);
+- mutex_unlock(&filter->device->mutex);
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return 0;
+- }
+-
+- reg = readl_relaxed(filter->device->base +
+- TSPP2_FILTER_ENTRY0(filter->hw_index));
+- reg |= (0x1 << FILTER_ENTRY0_EN_OFFS);
+- writel_relaxed(reg, filter->device->base +
+- TSPP2_FILTER_ENTRY0(filter->hw_index));
+-
+- filter->enabled = 1;
+-
+- mutex_unlock(&filter->device->mutex);
+-
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+-
+- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_filter_enable);
+-
+-/**
+- * tspp2_filter_disable() - Disable a filter.
+- *
+- * @filter_handle: Filter to disable.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_filter_disable(u32 filter_handle)
+-{
+- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
+- u32 reg;
+- int ret;
+-
+- if (!filter) {
+- pr_err("%s: Invalid filter handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(filter->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- mutex_lock(&filter->device->mutex);
+-
+- if (!filter->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&filter->device->mutex);
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -EPERM;
+- }
+-
+- if (!filter->opened) {
+- pr_err("%s: Filter not opened\n", __func__);
+- mutex_unlock(&filter->device->mutex);
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -EINVAL;
+- }
+-
+- if (!filter->enabled) {
+- pr_warn("%s: Filter already disabled\n", __func__);
+- mutex_unlock(&filter->device->mutex);
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return 0;
+- }
+-
+- reg = readl_relaxed(filter->device->base +
+- TSPP2_FILTER_ENTRY0(filter->hw_index));
+- reg &= ~(0x1 << FILTER_ENTRY0_EN_OFFS);
+- writel_relaxed(reg, filter->device->base +
+- TSPP2_FILTER_ENTRY0(filter->hw_index));
+-
+- /*
+- * HW requires we wait for up to 2ms here before closing the pipes
+- * used by this filter
+- */
+- udelay(TSPP2_HW_DELAY_USEC);
+-
+- filter->enabled = 0;
+-
+- mutex_unlock(&filter->device->mutex);
+-
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+-
+- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_filter_disable);
+-
+-/**
+- * tspp2_pes_analysis_op_write() - Write a PES Analysis operation.
+- *
+- * @filter: The filter to set the operation to.
+- * @op: The operation.
+- * @op_index: The operation's index in this filter.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_pes_analysis_op_write(struct tspp2_filter *filter,
+- const struct tspp2_operation *op,
+- u8 op_index)
+-{
+- u32 reg = 0;
+-
+- if (filter->mask != TSPP2_UNIQUE_PID_MASK) {
+- pr_err(
+- "%s: A filter with a PES Analysis operation must handle a unique PID\n",
+- __func__);
+- return -EINVAL;
+- }
+-
+- /*
+- * Bits[19:6] = 0, Bit[5] = Source,
+- * Bit[4] = Skip, Bits[3:0] = Opcode
+- */
+- reg |= TSPP2_OPCODE_PES_ANALYSIS;
+- if (op->params.pes_analysis.skip_ts_errs)
+- reg |= (0x1 << 4);
+-
+- if (op->params.pes_analysis.input == TSPP2_OP_BUFFER_B)
+- reg |= (0x1 << 5);
+-
+- filter->pes_analysis_op_set = 1;
+-
+- writel_relaxed(reg, filter->device->base +
+- TSPP2_OPCODE(filter->hw_index, op_index));
+-
+- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-
+-/**
+- * tspp2_raw_tx_op_write() - Write a RAW Transmit operation.
+- *
+- * @filter: The filter to set the operation to.
+- * @op: The operation.
+- * @op_index: The operation's index in this filter.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_raw_tx_op_write(struct tspp2_filter *filter,
+- const struct tspp2_operation *op,
+- u8 op_index)
+-{
+- u32 reg = 0;
+- int timestamp = 0;
+- struct tspp2_pipe *pipe = (struct tspp2_pipe *)
+- op->params.raw_transmit.output_pipe_handle;
+-
+- if (!pipe || !pipe->opened) {
+- pr_err("%s: Invalid pipe handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- /*
+- * Bits[19:16] = 0, Bit[15] = Support Indexing,
+- * Bit[14] = Timestamp position,
+- * Bits[13:12] = Timestamp mode,
+- * Bits[11:6] = Output pipe, Bit[5] = Source,
+- * Bit[4] = Skip, Bits[3:0] = Opcode
+- */
+- reg |= TSPP2_OPCODE_RAW_TRANSMIT;
+- if (op->params.raw_transmit.skip_ts_errs)
+- reg |= (0x1 << 4);
+-
+- if (op->params.raw_transmit.input == TSPP2_OP_BUFFER_B)
+- reg |= (0x1 << 5);
+-
+- reg |= ((pipe->hw_index & 0x3F) << 6);
+-
+- switch (op->params.raw_transmit.timestamp_mode) {
+- case TSPP2_OP_TIMESTAMP_NONE:
+- /* nothing to do, keep bits value as 0 */
+- break;
+- case TSPP2_OP_TIMESTAMP_ZERO:
+- reg |= (0x1 << 12);
+- timestamp = 1;
+- break;
+- case TSPP2_OP_TIMESTAMP_STC:
+- reg |= (0x2 << 12);
+- timestamp = 1;
+- break;
+- default:
+- pr_err("%s: Invalid timestamp mode\n", __func__);
+- return -EINVAL;
+- }
+-
+- if (timestamp && op->params.raw_transmit.timestamp_position ==
+- TSPP2_PACKET_FORMAT_188_RAW) {
+- pr_err("%s: Invalid timestamp position\n", __func__);
+- return -EINVAL;
+- }
+-
+- if (op->params.raw_transmit.timestamp_position ==
+- TSPP2_PACKET_FORMAT_192_TAIL)
+- reg |= (0x1 << 14);
+-
+- if (op->params.raw_transmit.support_indexing) {
+- if (filter->raw_op_with_indexing) {
+- pr_err(
+- "%s: Only one Raw Transmit operation per filter can support HW indexing\n",
+- __func__);
+- return -EINVAL;
+- }
+- filter->raw_op_with_indexing = 1;
+- reg |= (0x1 << 15);
+- }
+-
+- filter->raw_op_set = 1;
+-
+- writel_relaxed(reg, filter->device->base +
+- TSPP2_OPCODE(filter->hw_index, op_index));
+-
+- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-
+-/**
+- * tspp2_pes_tx_op_write() - Write a PES Transmit operation.
+- *
+- * @filter: The filter to set the operation to.
+- * @op: The operation.
+- * @op_index: The operation's index in this filter.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_pes_tx_op_write(struct tspp2_filter *filter,
+- const struct tspp2_operation *op,
+- u8 op_index)
+-{
+- u32 reg = 0;
+- struct tspp2_pipe *payload_pipe = (struct tspp2_pipe *)
+- op->params.pes_transmit.output_pipe_handle;
+- struct tspp2_pipe *header_pipe;
+-
+- if (!payload_pipe || !payload_pipe->opened) {
+- pr_err("%s: Invalid payload pipe handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- if (!filter->pes_analysis_op_set) {
+- pr_err(
+- "%s: PES Analysys operation must precede any PES Transmit operation\n",
+- __func__);
+- return -EINVAL;
+- }
+-
+- /*
+- * Bits[19:18] = 0, Bits[17:12] = PES Header output pipe,
+- * Bits[11:6] = Output pipe, Bit[5] = Source,
+- * Bit[4] = Attach STC and flags,
+- * Bit[3] = Disable TX on PES discontinuity,
+- * Bit[2] = Enable SW indexing, Bit[1] = Mode, Bit[0] = 0
+- */
+-
+- if (op->params.pes_transmit.mode == TSPP2_OP_PES_TRANSMIT_FULL) {
+- reg |= (0x1 << 1);
+- } else {
+- /* Separated PES mode requires another pipe */
+- header_pipe = (struct tspp2_pipe *)
+- op->params.pes_transmit.header_output_pipe_handle;
+-
+- if (!header_pipe || !header_pipe->opened) {
+- pr_err("%s: Invalid header pipe handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- reg |= ((header_pipe->hw_index & 0x3F) << 12);
+- }
+-
+- if (op->params.pes_transmit.enable_sw_indexing) {
+- if (!filter->raw_op_set) {
+- pr_err(
+- "%s: PES Transmit operation with SW indexing must be preceded by a Raw Transmit operation\n",
+- __func__);
+- return -EINVAL;
+- }
+- reg |= (0x1 << 2);
+- }
+-
+- if (op->params.pes_transmit.disable_tx_on_pes_discontinuity)
+- reg |= (0x1 << 3);
+-
+- if (op->params.pes_transmit.attach_stc_flags)
+- reg |= (0x1 << 4);
+-
+- if (op->params.pes_transmit.input == TSPP2_OP_BUFFER_B)
+- reg |= (0x1 << 5);
+-
+- reg |= ((payload_pipe->hw_index & 0x3F) << 6);
+-
+- filter->pes_tx_op_set = 1;
+-
+- writel_relaxed(reg, filter->device->base +
+- TSPP2_OPCODE(filter->hw_index, op_index));
+-
+- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-
+-/**
+- * tspp2_pcr_op_write() - Write a PCR Extraction operation.
+- *
+- * @filter: The filter to set the operation to.
+- * @op: The operation.
+- * @op_index: The operation's index in this filter.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_pcr_op_write(struct tspp2_filter *filter,
+- const struct tspp2_operation *op,
+- u8 op_index)
+-{
+- u32 reg = 0;
+- struct tspp2_pipe *pipe = (struct tspp2_pipe *)
+- op->params.pcr_extraction.output_pipe_handle;
+-
+- if (!pipe || !pipe->opened) {
+- pr_err("%s: Invalid pipe handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- if (!op->params.pcr_extraction.extract_pcr &&
+- !op->params.pcr_extraction.extract_opcr &&
+- !op->params.pcr_extraction.extract_splicing_point &&
+- !op->params.pcr_extraction.extract_transport_private_data &&
+- !op->params.pcr_extraction.extract_af_extension &&
+- !op->params.pcr_extraction.extract_all_af) {
+- pr_err("%s: Invalid extraction parameters\n", __func__);
+- return -EINVAL;
+- }
+-
+- /*
+- * Bits[19:18] = 0, Bit[17] = All AF, Bit[16] = AF Extension,
+- * Bit[15] = Transport Priave Data, Bit[14] = Splicing Point,
+- * Bit[13] = OPCR, Bit[12] = PCR, Bits[11:6] = Output pipe,
+- * Bit[5] = Source, Bit[4] = Skip, Bits[3:0] = Opcode
+- */
+- reg |= TSPP2_OPCODE_PCR_EXTRACTION;
+- if (op->params.pcr_extraction.skip_ts_errs)
+- reg |= (0x1 << 4);
+-
+- if (op->params.pcr_extraction.input == TSPP2_OP_BUFFER_B)
+- reg |= (0x1 << 5);
+-
+- reg |= ((pipe->hw_index & 0x3F) << 6);
+-
+- if (op->params.pcr_extraction.extract_pcr)
+- reg |= (0x1 << 12);
+-
+- if (op->params.pcr_extraction.extract_opcr)
+- reg |= (0x1 << 13);
+-
+- if (op->params.pcr_extraction.extract_splicing_point)
+- reg |= (0x1 << 14);
+-
+- if (op->params.pcr_extraction.extract_transport_private_data)
+- reg |= (0x1 << 15);
+-
+- if (op->params.pcr_extraction.extract_af_extension)
+- reg |= (0x1 << 16);
+-
+- if (op->params.pcr_extraction.extract_all_af)
+- reg |= (0x1 << 17);
+-
+- writel_relaxed(reg, filter->device->base +
+- TSPP2_OPCODE(filter->hw_index, op_index));
+-
+- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-
+-/**
+- * tspp2_cipher_op_write() - Write a Cipher operation.
+- *
+- * @filter: The filter to set the operation to.
+- * @op: The operation.
+- * @op_index: The operation's index in this filter.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_cipher_op_write(struct tspp2_filter *filter,
+- const struct tspp2_operation *op,
+- u8 op_index)
+-{
+- u32 reg = 0;
+-
+- /*
+- * Bits[19:18] = 0, Bits[17:15] = Scrambling related,
+- * Bit[14] = Mode, Bit[13] = Decrypt PES header,
+- * Bits[12:7] = Key ladder index, Bit[6] = Destination,
+- * Bit[5] = Source, Bit[4] = Skip, Bits[3:0] = Opcode
+- */
+-
+- reg |= TSPP2_OPCODE_CIPHER;
+- if (op->params.cipher.skip_ts_errs)
+- reg |= (0x1 << 4);
+-
+- if (op->params.cipher.input == TSPP2_OP_BUFFER_B)
+- reg |= (0x1 << 5);
+-
+- if (op->params.cipher.output == TSPP2_OP_BUFFER_B)
+- reg |= (0x1 << 6);
+-
+- reg |= ((op->params.cipher.key_ladder_index & 0x3F) << 7);
+-
+- if (op->params.cipher.mode == TSPP2_OP_CIPHER_ENCRYPT &&
+- op->params.cipher.decrypt_pes_header) {
+- pr_err("%s: Invalid parameters\n", __func__);
+- return -EINVAL;
+- }
+-
+- if (op->params.cipher.decrypt_pes_header)
+- reg |= (0x1 << 13);
+-
+- if (op->params.cipher.mode == TSPP2_OP_CIPHER_ENCRYPT)
+- reg |= (0x1 << 14);
+-
+- switch (op->params.cipher.scrambling_mode) {
+- case TSPP2_OP_CIPHER_AS_IS:
+- reg |= (0x1 << 15);
+- break;
+- case TSPP2_OP_CIPHER_SET_SCRAMBLING_0:
+- /* nothing to do, keep bits[17:16] as 0 */
+- break;
+- case TSPP2_OP_CIPHER_SET_SCRAMBLING_1:
+- reg |= (0x1 << 16);
+- break;
+- case TSPP2_OP_CIPHER_SET_SCRAMBLING_2:
+- reg |= (0x2 << 16);
+- break;
+- case TSPP2_OP_CIPHER_SET_SCRAMBLING_3:
+- reg |= (0x3 << 16);
+- break;
+- default:
+- pr_err("%s: Invalid scrambling mode\n", __func__);
+- return -EINVAL;
+- }
+-
+- writel_relaxed(reg, filter->device->base +
+- TSPP2_OPCODE(filter->hw_index, op_index));
+-
+- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-
+-/**
+- * tspp2_index_op_write() - Write an Indexing operation.
+- *
+- * @filter: The filter to set the operation to.
+- * @op: The operation.
+- * @op_index: The operation's index in this filter.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_index_op_write(struct tspp2_filter *filter,
+- const struct tspp2_operation *op,
+- u8 op_index)
+-{
+- u32 reg = 0;
+- u32 filter_reg = 0;
+- struct tspp2_pipe *pipe = (struct tspp2_pipe *)
+- op->params.indexing.output_pipe_handle;
+-
+- if (!pipe || !pipe->opened) {
+- pr_err("%s: Invalid pipe handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- /* Enforce Indexing related HW restrictions */
+- if (filter->indexing_op_set) {
+- pr_err(
+- "%s: Only one indexing operation supported per filter\n",
+- __func__);
+- return -EINVAL;
+- }
+- if (!filter->raw_op_with_indexing) {
+- pr_err(
+- "%s: Raw Transmit operation with indexing support must be configured before the Indexing operation\n",
+- __func__);
+- return -EINVAL;
+- }
+-
+- if (!filter->pes_analysis_op_set) {
+- pr_err(
+- "%s: PES Analysis operation must precede Indexing operation\n",
+- __func__);
+- return -EINVAL;
+- }
+-
+- /*
+- * Bits [19:15] = 0, Bit[14] = Index by RAI,
+- * Bits[13:12] = 0,
+- * Bits[11:6] = Output pipe, Bit[5] = Source,
+- * Bit[4] = Skip, Bits[3:0] = Opcode
+- */
+-
+- reg |= TSPP2_OPCODE_INDEXING;
+- if (op->params.indexing.skip_ts_errs)
+- reg |= (0x1 << 4);
+-
+- if (op->params.indexing.input == TSPP2_OP_BUFFER_B)
+- reg |= (0x1 << 5);
+-
+- reg |= ((pipe->hw_index & 0x3F) << 6);
+-
+- if (op->params.indexing.random_access_indicator_indexing)
+- reg |= (0x1 << 14);
+-
+- /* Indexing table ID is set in the filter and not in the operation */
+- filter->indexing_table_id = op->params.indexing.indexing_table_id;
+- filter_reg = readl_relaxed(filter->device->base +
+- TSPP2_FILTER_ENTRY0(filter->hw_index));
+- filter_reg &= ~(0x3 << FILTER_ENTRY0_CODEC_OFFS);
+- filter_reg |= (filter->indexing_table_id << FILTER_ENTRY0_CODEC_OFFS);
+- writel_relaxed(filter_reg, filter->device->base +
+- TSPP2_FILTER_ENTRY0(filter->hw_index));
+-
+- filter->indexing_op_set = 1;
+-
+- writel_relaxed(reg, filter->device->base +
+- TSPP2_OPCODE(filter->hw_index, op_index));
+-
+- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-
+-/**
+- * tspp2_copy_op_write() - Write an Copy operation.
+- *
+- * @filter: The filter to set the operation to.
+- * @op: The operation.
+- * @op_index: The operation's index in this filter.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_copy_op_write(struct tspp2_filter *filter,
+- const struct tspp2_operation *op,
+- u8 op_index)
+-{
+- u32 reg = 0;
+-
+- /* Bits[19:6] = 0, Bit[5] = Source, Bit[4] = 0, Bits[3:0] = Opcode */
+- reg |= TSPP2_OPCODE_COPY_PACKET;
+- if (op->params.copy_packet.input == TSPP2_OP_BUFFER_B)
+- reg |= (0x1 << 5);
+-
+- writel_relaxed(reg, filter->device->base +
+- TSPP2_OPCODE(filter->hw_index, op_index));
+-
+- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-
+-/**
+- * tspp2_op_write() - Write an operation of any type.
+- *
+- * @filter: The filter to set the operation to.
+- * @op: The operation.
+- * @op_index: The operation's index in this filter.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_op_write(struct tspp2_filter *filter,
+- const struct tspp2_operation *op,
+- u8 op_index)
+-{
+- switch (op->type) {
+- case TSPP2_OP_PES_ANALYSIS:
+- return tspp2_pes_analysis_op_write(filter, op, op_index);
+- case TSPP2_OP_RAW_TRANSMIT:
+- return tspp2_raw_tx_op_write(filter, op, op_index);
+- case TSPP2_OP_PES_TRANSMIT:
+- return tspp2_pes_tx_op_write(filter, op, op_index);
+- case TSPP2_OP_PCR_EXTRACTION:
+- return tspp2_pcr_op_write(filter, op, op_index);
+- case TSPP2_OP_CIPHER:
+- return tspp2_cipher_op_write(filter, op, op_index);
+- case TSPP2_OP_INDEXING:
+- return tspp2_index_op_write(filter, op, op_index);
+- case TSPP2_OP_COPY_PACKET:
+- return tspp2_copy_op_write(filter, op, op_index);
+- default:
+- pr_warn("%s: Unknown operation type\n", __func__);
+- return -EINVAL;
+- }
+-}
+-
+-/**
+- * tspp2_filter_ops_add() - Set the operations of a disabled filter.
+- *
+- * @filter: The filter to work on.
+- * @op: The new operations array.
+- * @op_index: The number of operations in the array.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_filter_ops_add(struct tspp2_filter *filter,
+- const struct tspp2_operation *ops,
+- u8 operations_num)
+-{
+- int i;
+- int ret = 0;
+-
+- /* User parameter validity checks were already performed */
+-
+- /*
+- * We want to start with a clean slate here. The user may call us to
+- * set operations several times, so need to make sure only the last call
+- * counts.
+- */
+- tspp2_filter_ops_clear(filter);
+-
+- /* Save user operations in filter's database */
+- for (i = 0; i < operations_num; i++)
+- filter->operations[i] = ops[i];
+-
+- /* Write user operations to HW */
+- for (i = 0; i < operations_num; i++) {
+- ret = tspp2_op_write(filter, &ops[i], i);
+- if (ret)
+- goto ops_cleanup;
+- }
+-
+- /*
+- * Here we want to add the Exit operation implicitly if required, that
+- * is, if the user provided less than TSPP2_MAX_OPS_PER_FILTER
+- * operations. However, we already called tspp2_filter_ops_clear()
+- * which set all the operations in HW to Exit, before writing the
+- * actual user operations. So, no need to do it again here.
+- * Also, if someone calls this function with operations_num == 0,
+- * it is similar to calling tspp2_filter_operations_clear().
+- */
+-
+- filter->num_user_operations = operations_num;
+-
+- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-
+-ops_cleanup:
+- pr_err("%s: Failed to set operations to filter, clearing all\n",
+- __func__);
+-
+- tspp2_filter_ops_clear(filter);
+-
+- return ret;
+-}
+-
+-/**
+- * tspp2_filter_ops_update() - Update the operations of an enabled filter.
+- *
+- * This function updates the operations of an enabled filter. In fact, it is
+- * not possible to update an existing filter without disabling it, clearing
+- * the existing operations and setting new ones. However, if we do that,
+- * we'll miss TS packets and not handle the stream properly, so a smooth
+- * transition is required.
+- * The algorithm is as follows:
+- * 1. Find a free temporary filter object.
+- * 2. Set the new filter's HW index to the reserved HW index.
+- * 3. Set the operations to the new filter. This sets the operations to
+- * the correct HW registers, based on the new HW index, and also updates
+- * the relevant information in the temporary filter object. Later we copy this
+- * to the actual filter object.
+- * 4. Use the same context as the old filter (to maintain HW state).
+- * 5. Reset parts of the context if needed.
+- * 6. Enable the new HW filter, then disable the old filter.
+- * 7. Update the source's reserved filter HW index.
+- * 8. Update the filter's batch, HW index and operations-related information.
+- *
+- * @filter: The filter to work on.
+- * @op: The new operations array.
+- * @op_index: The number of operations in the array.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int tspp2_filter_ops_update(struct tspp2_filter *filter,
+- const struct tspp2_operation *ops,
+- u8 operations_num)
+-{
+- int i;
+- int ret = 0;
+- int found = 0;
+- u32 reg = 0;
+- u16 hw_idx;
+- struct tspp2_filter_batch *batch;
+- struct tspp2_filter *tmp_filter = NULL;
+- struct tspp2_src *src = filter->src;
+-
+- /*
+- * Find an available temporary filter object in the device's
+- * filters database.
+- */
+- for (i = 0; i < TSPP2_NUM_AVAIL_FILTERS; i++)
+- if (!src->device->filters[i].opened)
+- break;
+- if (i == TSPP2_NUM_AVAIL_FILTERS) {
+- /* Should never happen */
+- pr_err("%s: No available filters\n", __func__);
+- return -ENOMEM;
+- }
+- tmp_filter = &src->device->filters[i];
+-
+- /*
+- * Set new filter operations. We do this relatively early
+- * in the function to avoid cleanup operations if this fails.
+- * Since this also writes to HW, we have to set the correct HW index.
+- */
+- tmp_filter->hw_index = src->reserved_filter_hw_index;
+- /*
+- * Need to set the mask properly to indicate if the filter handles
+- * a unique PID.
+- */
+- tmp_filter->mask = filter->mask;
+- ret = tspp2_filter_ops_add(tmp_filter, ops, operations_num);
+- if (ret) {
+- tmp_filter->hw_index = 0;
+- tmp_filter->mask = 0;
+- return ret;
+- }
+-
+- /*
+- * Mark new filter (in fact, the new filter HW index) as used in the
+- * appropriate batch. The batch has to be one of the batches already
+- * associated with the source.
+- */
+- list_for_each_entry(batch, &src->batches_list, link) {
+- for (i = 0; i < TSPP2_FILTERS_PER_BATCH; i++) {
+- hw_idx = (batch->batch_id *
+- TSPP2_FILTERS_PER_BATCH) + i;
+- if (hw_idx == tmp_filter->hw_index) {
+- batch->hw_filters[i] = 1;
+- found = 1;
+- break;
+- }
+- }
+- if (found)
+- break;
+- }
+-
+- if (!found) {
+- pr_err("%s: Could not find matching batch\n", __func__);
+- tspp2_filter_ops_clear(tmp_filter);
+- tmp_filter->hw_index = 0;
+- return -EINVAL;
+- }
+-
+- /* Set the same context of the old filter to the new HW filter */
+- writel_relaxed((filter->context << FILTER_ENTRY1_CONTEXT_OFFS),
+- filter->device->base +
+- TSPP2_FILTER_ENTRY1(tmp_filter->hw_index));
+-
+- /*
+- * Reset partial context, if necessary. We want to reset a partial
+- * context before we start using it, so if there's a new operation
+- * that uses a context where before there was no operation that used it,
+- * we reset that context. We need to do this before we start using the
+- * new operation, so before we enable the new filter.
+- * Note: there is no need to reset most of the filter's context-based
+- * counters, because the filter keeps using the same context. The
+- * exception is the PES error counters that we may want to reset when
+- * resetting the entire PES context.
+- */
+- if (!filter->pes_tx_op_set && tmp_filter->pes_tx_op_set) {
+- /* PES Tx operation added */
+- writel_relaxed(
+- (0x1 << TSPP2_MODULUS_OP(filter->context, 32)),
+- filter->device->base +
+- TSPP2_PES_CONTEXT_RESET(filter->context >> 5));
+- writel_relaxed(0, filter->device->base +
+- TSPP2_FILTER_PES_ERRORS(filter->context));
+- }
+-
+- if (!filter->indexing_op_set && tmp_filter->indexing_op_set) {
+- /* Indexing operation added */
+- writel_relaxed(
+- (0x1 << TSPP2_MODULUS_OP(filter->context, 32)),
+- filter->device->base +
+- TSPP2_INDEXING_CONTEXT_RESET(filter->context >> 5));
+- }
+-
+- /*
+- * Write PID and mask to new filter HW registers and enable it.
+- * Preserve filter indexing table ID.
+- */
+- reg |= (0x1 << FILTER_ENTRY0_EN_OFFS);
+- reg |= ((filter->pid_value << FILTER_ENTRY0_PID_OFFS) |
+- (filter->mask << FILTER_ENTRY0_MASK_OFFS));
+- reg |= (tmp_filter->indexing_table_id << FILTER_ENTRY0_CODEC_OFFS);
+- writel_relaxed(reg, filter->device->base +
+- TSPP2_FILTER_ENTRY0(tmp_filter->hw_index));
+-
+- /* Disable old HW filter */
+- writel_relaxed(0, filter->device->base +
+- TSPP2_FILTER_ENTRY0(filter->hw_index));
+-
+- /*
+- * HW requires we wait for up to 2ms here before removing the
+- * operations used by this filter.
+- */
+- udelay(TSPP2_HW_DELAY_USEC);
+-
+- tspp2_filter_ops_clear(filter);
+-
+- writel_relaxed(0, filter->device->base +
+- TSPP2_FILTER_ENTRY1(filter->hw_index));
+-
+- /* Mark HW filter as unused in old batch */
+- filter->batch->hw_filters[(filter->hw_index -
+- (filter->batch->batch_id * TSPP2_FILTERS_PER_BATCH))] = 0;
+-
+- /* The new HW filter may be in a new batch, so we need to update */
+- filter->batch = batch;
+-
+- /*
+- * Update source's reserved filter HW index, and also update the
+- * new HW index in the filter object.
+- */
+- src->reserved_filter_hw_index = filter->hw_index;
+- filter->hw_index = tmp_filter->hw_index;
+-
+- /*
+- * We've already set the new operations to HW, but we want to
+- * update the filter object, too. tmp_filter contains all the
+- * operations' related information we need (operations and flags).
+- * Also, we make sure to update indexing_table_id based on the new
+- * indexing operations.
+- */
+- memcpy(filter->operations, tmp_filter->operations,
+- (sizeof(struct tspp2_operation) * TSPP2_MAX_OPS_PER_FILTER));
+- filter->num_user_operations = tmp_filter->num_user_operations;
+- filter->indexing_op_set = tmp_filter->indexing_op_set;
+- filter->raw_op_with_indexing = tmp_filter->raw_op_with_indexing;
+- filter->pes_analysis_op_set = tmp_filter->pes_analysis_op_set;
+- filter->raw_op_set = tmp_filter->raw_op_set;
+- filter->pes_tx_op_set = tmp_filter->pes_tx_op_set;
+- filter->indexing_table_id = tmp_filter->indexing_table_id;
+-
+- /*
+- * Now we can clean tmp_filter. This is really just to keep the filter
+- * object clean. However, we don't want to use tspp2_filter_ops_clear()
+- * because it clears the operations from HW too.
+- */
+- memset(tmp_filter->operations, 0,
+- (sizeof(struct tspp2_operation) * TSPP2_MAX_OPS_PER_FILTER));
+- tmp_filter->num_user_operations = 0;
+- tmp_filter->indexing_op_set = 0;
+- tmp_filter->raw_op_with_indexing = 0;
+- tmp_filter->pes_analysis_op_set = 0;
+- tmp_filter->raw_op_set = 0;
+- tmp_filter->pes_tx_op_set = 0;
+- tmp_filter->indexing_table_id = 0;
+- tmp_filter->hw_index = 0;
+-
+- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-
+-/**
+- * tspp2_filter_operations_set() - Set operations to a filter.
+- *
+- * @filter_handle: Filter to set operations to.
+- * @ops: An array of up to TSPP2_MAX_OPS_PER_FILTER
+- * operations.
+- * @operations_num: Number of operations in the ops array.
+- *
+- * This function sets the required operations to a given filter. The filter
+- * can either be disabled (in which case it may or may not already have some
+- * operations set), or enabled (in which case it certainly has some oprations
+- * set). In any case, the filter's previous operations are cleared, and the new
+- * operations provided are set.
+- *
+- * In addition to some trivial parameter validity checks, the following
+- * restrictions are enforced:
+- * 1. A filter with a PES Analysis operation must handle a unique PID (i.e.,
+- * should have a mask that equals TSPP2_UNIQUE_PID_MASK).
+- * 2. Only a single Raw Transmit operation per filter can support HW indexing
+- * (i.e., can have its support_indexing configuration parameter set).
+- * 3. A PES Analysys operation must precede any PES Transmit operation.
+- * 4. A PES Transmit operation with SW indexing (i.e., with its
+- * enable_sw_indexing parameter set) must be preceded by a Raw Transmit
+- * operation.
+- * 5. Only a single indexing operation is supported per filter.
+- * 6. A Raw Transmit operation with indexing support must be configured before
+- * the Indexing operation.
+- * 7. A PES Analysis operation must precede the Indexing operation.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_filter_operations_set(u32 filter_handle,
+- const struct tspp2_operation *ops,
+- u8 operations_num)
+-{
+- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
+- int ret = 0;
+-
+- if (!filter) {
+- pr_err("%s: Invalid filter handle\n", __func__);
+- return -EINVAL;
+- }
+- if (!ops || operations_num > TSPP2_MAX_OPS_PER_FILTER ||
+- operations_num == 0) {
+- pr_err("%s: Invalid ops parameter\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(filter->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&filter->device->mutex)) {
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!filter->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&filter->device->mutex);
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -EPERM;
+- }
+-
+- if (!filter->opened) {
+- pr_err("%s: Filter not opened\n", __func__);
+- mutex_unlock(&filter->device->mutex);
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -EINVAL;
+- }
+-
+- if (filter->enabled)
+- ret = tspp2_filter_ops_update(filter, ops, operations_num);
+- else
+- ret = tspp2_filter_ops_add(filter, ops, operations_num);
+-
+- mutex_unlock(&filter->device->mutex);
+-
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+-
+- return ret;
+-}
+-EXPORT_SYMBOL(tspp2_filter_operations_set);
+-
+-/**
+- * tspp2_filter_operations_clear() - Clear all operations from a filter.
+- *
+- * @filter_handle: Filter to clear all operations from.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_filter_operations_clear(u32 filter_handle)
+-{
+- int ret;
+- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
+-
+- if (!filter) {
+- pr_err("%s: Invalid filter handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(filter->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- mutex_lock(&filter->device->mutex);
+-
+- if (!filter->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&filter->device->mutex);
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -EPERM;
+- }
+-
+- if (!filter->opened) {
+- pr_err("%s: Filter not opened\n", __func__);
+- mutex_unlock(&filter->device->mutex);
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -EINVAL;
+- }
+-
+- if (filter->num_user_operations == 0) {
+- pr_warn("%s: No operations to clear from filter\n", __func__);
+- mutex_unlock(&filter->device->mutex);
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return 0;
+- }
+-
+- tspp2_filter_ops_clear(filter);
+-
+- mutex_unlock(&filter->device->mutex);
+-
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+-
+- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_filter_operations_clear);
+-
+-/**
+- * tspp2_filter_current_scrambling_bits_get() - Get the current scrambling bits.
+- *
+- * @filter_handle: Filter to get the scrambling bits from.
+- * @scrambling_bits_value: The current value of the scrambling bits.
+- * This could be the value from the TS packet
+- * header, the value from the PES header, or a
+- * logical OR operation of both values, depending
+- * on the scrambling_bits_monitoring configuration
+- * of the source this filter belongs to.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_filter_current_scrambling_bits_get(u32 filter_handle,
+- u8 *scrambling_bits_value)
+-{
+- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
+- u32 reg;
+- u32 ts_bits;
+- u32 pes_bits;
+- int ret;
+-
+- if (!filter) {
+- pr_err("%s: Invalid filter handle\n", __func__);
+- return -EINVAL;
+- }
+- if (scrambling_bits_value == NULL) {
+- pr_err("%s: Invalid parameter\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(filter->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&filter->device->mutex)) {
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!filter->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&filter->device->mutex);
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -EPERM;
+- }
+-
+- if (!filter->opened) {
+- pr_err("%s: Filter not opened\n", __func__);
+- mutex_unlock(&filter->device->mutex);
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -EINVAL;
+- }
+-
+- reg = readl_relaxed(filter->device->base +
+- TSPP2_TSP_CONTEXT(filter->context));
+-
+- ts_bits = ((reg >> TSP_CONTEXT_TS_HEADER_SC_OFFS) & 0x3);
+- pes_bits = ((reg >> TSP_CONTEXT_PES_HEADER_SC_OFFS) & 0x3);
+-
+- switch (filter->src->scrambling_bits_monitoring) {
+- case TSPP2_SRC_SCRAMBLING_MONITOR_PES_ONLY:
+- *scrambling_bits_value = pes_bits;
+- break;
+- case TSPP2_SRC_SCRAMBLING_MONITOR_TS_ONLY:
+- *scrambling_bits_value = ts_bits;
+- break;
+- case TSPP2_SRC_SCRAMBLING_MONITOR_PES_AND_TS:
+- *scrambling_bits_value = (pes_bits | ts_bits);
+- break;
+- case TSPP2_SRC_SCRAMBLING_MONITOR_NONE:
+- /* fall through to default case */
+- default:
+- pr_err("%s: Invalid scrambling bits mode\n", __func__);
+- mutex_unlock(&filter->device->mutex);
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -EINVAL;
+- }
+-
+- mutex_unlock(&filter->device->mutex);
+-
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+-
+- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_filter_current_scrambling_bits_get);
+-
+-/* Data-path API functions */
+-
+-/**
+- * tspp2_pipe_descriptor_get() - Get a data descriptor from a pipe.
+- *
+- * @pipe_handle: Pipe to get the descriptor from.
+- * @desc: Received pipe data descriptor.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_pipe_descriptor_get(u32 pipe_handle, struct sps_iovec *desc)
+-{
+- int ret;
+- struct tspp2_pipe *pipe = (struct tspp2_pipe *)pipe_handle;
+-
+- if (!pipe) {
+- pr_err("%s: Invalid pipe handle\n", __func__);
+- return -EINVAL;
+- }
+- if (!desc) {
+- pr_err("%s: Invalid descriptor pointer\n", __func__);
+- return -EINVAL;
+- }
+-
+- /* Descriptor pointer validity is checked inside the SPS driver. */
+-
+- ret = pm_runtime_get_sync(pipe->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&pipe->device->mutex)) {
+- pm_runtime_mark_last_busy(pipe->device->dev);
+- pm_runtime_put_autosuspend(pipe->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!pipe->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&pipe->device->mutex);
+- pm_runtime_mark_last_busy(pipe->device->dev);
+- pm_runtime_put_autosuspend(pipe->device->dev);
+- return -EPERM;
+- }
+-
+- if (!pipe->opened) {
+- pr_err("%s: Pipe not opened\n", __func__);
+- mutex_unlock(&pipe->device->mutex);
+- pm_runtime_mark_last_busy(pipe->device->dev);
+- pm_runtime_put_autosuspend(pipe->device->dev);
+- return -EINVAL;
+- }
+-
+- ret = sps_get_iovec(pipe->sps_pipe, desc);
+-
+- mutex_unlock(&pipe->device->mutex);
+-
+- pm_runtime_mark_last_busy(pipe->device->dev);
+- pm_runtime_put_autosuspend(pipe->device->dev);
+-
+- dev_dbg(pipe->device->dev, "%s: successful\n", __func__);
+-
+- return ret;
+-
+-}
+-EXPORT_SYMBOL(tspp2_pipe_descriptor_get);
+-
+-/**
+- * tspp2_pipe_descriptor_put() - Release a descriptor for reuse by the pipe.
+- *
+- * @pipe_handle: Pipe to release the descriptor to.
+- * @addr: Address to release for reuse.
+- * @size: Size to release.
+- * @flags: Descriptor flags.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_pipe_descriptor_put(u32 pipe_handle, u32 addr, u32 size, u32 flags)
+-{
+- int ret;
+- struct tspp2_pipe *pipe = (struct tspp2_pipe *)pipe_handle;
+-
+- if (!pipe) {
+- pr_err("%s: Invalid pipe handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(pipe->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&pipe->device->mutex)) {
+- pm_runtime_mark_last_busy(pipe->device->dev);
+- pm_runtime_put_autosuspend(pipe->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!pipe->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&pipe->device->mutex);
+- pm_runtime_mark_last_busy(pipe->device->dev);
+- pm_runtime_put_autosuspend(pipe->device->dev);
+- return -EPERM;
+- }
+-
+- if (!pipe->opened) {
+- pr_err("%s: Pipe not opened\n", __func__);
+- mutex_unlock(&pipe->device->mutex);
+- pm_runtime_mark_last_busy(pipe->device->dev);
+- pm_runtime_put_autosuspend(pipe->device->dev);
+- return -EINVAL;
+- }
+-
+- ret = sps_transfer_one(pipe->sps_pipe, addr, size, NULL, flags);
+-
+- mutex_unlock(&pipe->device->mutex);
+-
+- pm_runtime_mark_last_busy(pipe->device->dev);
+- pm_runtime_put_autosuspend(pipe->device->dev);
+-
+- dev_dbg(pipe->device->dev, "%s: successful\n", __func__);
+-
+- return ret;
+-}
+-EXPORT_SYMBOL(tspp2_pipe_descriptor_put);
+-
+-/**
+- * tspp2_pipe_last_address_used_get() - Get the last address the TSPP2 used.
+- *
+- * @pipe_handle: Pipe to get the address from.
+- * @address: The last (virtual) address TSPP2 wrote data to.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_pipe_last_address_used_get(u32 pipe_handle, u32 *address)
+-{
+- int ret;
+- struct tspp2_pipe *pipe = (struct tspp2_pipe *)pipe_handle;
+-
+- if (!pipe) {
+- pr_err("%s: Invalid pipe handle\n", __func__);
+- return -EINVAL;
+- }
+- if (!address) {
+- pr_err("%s: Invalid address pointer\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(pipe->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&pipe->device->mutex)) {
+- pm_runtime_mark_last_busy(pipe->device->dev);
+- pm_runtime_put_autosuspend(pipe->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!pipe->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&pipe->device->mutex);
+- pm_runtime_mark_last_busy(pipe->device->dev);
+- pm_runtime_put_autosuspend(pipe->device->dev);
+- return -EPERM;
+- }
+-
+- if (!pipe->opened) {
+- pr_err("%s: Pipe not opened\n", __func__);
+- mutex_unlock(&pipe->device->mutex);
+- pm_runtime_mark_last_busy(pipe->device->dev);
+- pm_runtime_put_autosuspend(pipe->device->dev);
+- return -EINVAL;
+- }
+-
+- *address = readl_relaxed(pipe->device->base +
+- TSPP2_PIPE_LAST_ADDRESS(pipe->hw_index));
+-
+- mutex_unlock(&pipe->device->mutex);
+-
+- pm_runtime_mark_last_busy(pipe->device->dev);
+- pm_runtime_put_autosuspend(pipe->device->dev);
+-
+- *address = be32_to_cpu(*address);
+-
+- dev_dbg(pipe->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_pipe_last_address_used_get);
+-
+-/**
+- * tspp2_data_write() - Write (feed) data to a source.
+- *
+- * @src_handle: Source to feed data to.
+- * @offset: Offset in the source's input pipe buffer.
+- * @size: Size of data to write, in bytes.
+- *
+- * Schedule BAM transfers to feed data from the source's input pipe
+- * to TSPP2 for processing. Note that the user is responsible for opening
+- * an input pipe with the appropriate configuration parameters, and attaching
+- * this pipe as an input pipe to the source. Pipe configuration validity is not
+- * verified by this function.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_data_write(u32 src_handle, u32 offset, u32 size)
+-{
+- int ret;
+- u32 desc_length;
+- u32 desc_flags;
+- u32 data_length = size;
+- u32 data_offset = offset;
+- struct tspp2_pipe *pipe;
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+-
+- if (!src) {
+- pr_err("%s: Invalid source handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(src->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&src->device->mutex)) {
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EPERM;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source not opened\n", __func__);
+- goto err_inval;
+- }
+-
+- if (!src->enabled) {
+- pr_err("%s: Source not enabled\n", __func__);
+- goto err_inval;
+- }
+-
+- if ((src->input != TSPP2_INPUT_MEMORY) || !src->input_pipe) {
+- pr_err("%s: Invalid source input or no input pipe\n", __func__);
+- goto err_inval;
+- }
+-
+- pipe = src->input_pipe;
+-
+- if (offset + size > pipe->cfg.buffer_size) {
+- pr_err("%s: offset + size > buffer size\n", __func__);
+- goto err_inval;
+- }
+-
+- while (data_length) {
+- if (data_length > pipe->cfg.sps_cfg.descriptor_size) {
+- desc_length = pipe->cfg.sps_cfg.descriptor_size;
+- desc_flags = 0;
+- } else {
+- /* last descriptor */
+- desc_length = data_length;
+- desc_flags = SPS_IOVEC_FLAG_EOT;
+- }
+-
+- ret = sps_transfer_one(pipe->sps_pipe,
+- pipe->iova + data_offset,
+- desc_length,
+- pipe->cfg.sps_cfg.user_info,
+- desc_flags);
+-
+- if (ret) {
+- pr_err("%s: sps_transfer_one failed, %d\n",
+- __func__, ret);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return ret;
+- }
+-
+- data_offset += desc_length;
+- data_length -= desc_length;
+- }
+-
+- mutex_unlock(&src->device->mutex);
+-
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- dev_dbg(src->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-
+-err_inval:
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- return -EINVAL;
+-}
+-EXPORT_SYMBOL(tspp2_data_write);
+-
+-/**
+- * tspp2_tsif_data_write() - Write (feed) data to a TSIF source via Loopback.
+- *
+- * @src_handle: Source to feed data to.
+- * @data: data buffer containing one TS packet of size 188 Bytes.
+- *
+- * Write one TS packet of size 188 bytes to the TSIF loopback interface.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_tsif_data_write(u32 src_handle, u32 *data)
+-{
+- int i;
+- int ret;
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+- struct tspp2_tsif_device *tsif_device;
+- const unsigned int loopback_flags[3] = {0x01000000, 0, 0x02000000};
+-
+- if (data == NULL) {
+- pr_err("%s: NULL data\n", __func__);
+- return -EINVAL;
+- }
+-
+- if (!src) {
+- pr_err("%s: Invalid source handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(src->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&src->device->mutex)) {
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EPERM;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source not opened\n", __func__);
+- goto err_inval;
+- }
+-
+- if (!src->enabled) {
+- pr_err("%s: Source not enabled\n", __func__);
+- goto err_inval;
+- }
+-
+- if ((src->input != TSPP2_INPUT_TSIF0)
+- && (src->input != TSPP2_INPUT_TSIF1)) {
+- pr_err("%s: Invalid source input\n", __func__);
+- goto err_inval;
+- }
+-
+- tsif_device = &src->device->tsif_devices[src->input];
+-
+- /* lpbk_flags : start && !last */
+- writel_relaxed(loopback_flags[0],
+- tsif_device->base + TSPP2_TSIF_LPBK_FLAGS);
+-
+- /* 1-st dword of data */
+- writel_relaxed(data[0],
+- tsif_device->base + TSPP2_TSIF_LPBK_DATA);
+-
+- /* Clear start bit */
+- writel_relaxed(loopback_flags[1],
+- tsif_device->base + TSPP2_TSIF_LPBK_FLAGS);
+-
+- /* 45 more dwords */
+- for (i = 1; i < 46; i++)
+- writel_relaxed(data[i],
+- tsif_device->base + TSPP2_TSIF_LPBK_DATA);
+-
+- /* Set last bit */
+- writel_relaxed(loopback_flags[2],
+- tsif_device->base + TSPP2_TSIF_LPBK_FLAGS);
+-
+- /* Last data dword */
+- writel_relaxed(data[46], tsif_device->base + TSPP2_TSIF_LPBK_DATA);
+-
+- mutex_unlock(&src->device->mutex);
+-
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- dev_dbg(src->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-
+-err_inval:
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- return -EINVAL;
+-}
+-EXPORT_SYMBOL(tspp2_tsif_data_write);
+-
+-/* Event notification API functions */
+-
+-/**
+- * tspp2_global_event_notification_register() - Get notified on a global event.
+- *
+- * @dev_id: TSPP2 device ID.
+- * @global_event_bitmask: A bitmask of global events,
+- * TSPP2_GLOBAL_EVENT_XXX.
+- * @callback: User callback function.
+- * @cookie: User information passed to the callback.
+- *
+- * Register a user callback which will be invoked when certain global
+- * events occur. Note the values (mask, callback and cookie) are overwritten
+- * when calling this function multiple times. Therefore it is possible to
+- * "unregister" a callback by calling this function with the bitmask set to 0
+- * and with NULL callback and cookie.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_global_event_notification_register(u32 dev_id,
+- u32 global_event_bitmask,
+- void (*callback)(void *cookie, u32 event_bitmask),
+- void *cookie)
+-{
+- struct tspp2_device *device;
+- unsigned long flags;
+- u32 reg = 0;
+-
+- if (dev_id >= TSPP2_NUM_DEVICES) {
+- pr_err("%s: Invalid device ID %d\n", __func__, dev_id);
+- return -ENODEV;
+- }
+-
+- device = tspp2_devices[dev_id];
+- if (!device) {
+- pr_err("%s: Invalid device\n", __func__);
+- return -ENODEV;
+- }
+-
+- if (mutex_lock_interruptible(&device->mutex))
+- return -ERESTARTSYS;
+-
+- if (!device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&device->mutex);
+- return -EPERM;
+- }
+-
+- /*
+- * Some of the interrupts that are generated when these events occur
+- * may be disabled due to module parameters. So we make sure to enable
+- * them here, depending on which event was requested. If some events
+- * were requested before and now this function is called again with
+- * other events, though, we want to restore the interrupt configuration
+- * to the default state according to the module parameters.
+- */
+- reg = readl_relaxed(device->base + TSPP2_GLOBAL_IRQ_ENABLE);
+- if (global_event_bitmask & TSPP2_GLOBAL_EVENT_INVALID_AF_CTRL) {
+- reg |= (0x1 << GLOBAL_IRQ_TSP_INVALID_AF_OFFS);
+- } else {
+- if (tspp2_en_invalid_af_ctrl)
+- reg |= (0x1 << GLOBAL_IRQ_TSP_INVALID_AF_OFFS);
+- else
+- reg &= ~(0x1 << GLOBAL_IRQ_TSP_INVALID_AF_OFFS);
+- }
+-
+- if (global_event_bitmask & TSPP2_GLOBAL_EVENT_INVALID_AF_LENGTH) {
+- reg |= (0x1 << GLOBAL_IRQ_TSP_INVALID_LEN_OFFS);
+- } else {
+- if (tspp2_en_invalid_af_length)
+- reg |= (0x1 << GLOBAL_IRQ_TSP_INVALID_LEN_OFFS);
+- else
+- reg &= ~(0x1 << GLOBAL_IRQ_TSP_INVALID_LEN_OFFS);
+- }
+-
+- if (global_event_bitmask & TSPP2_GLOBAL_EVENT_PES_NO_SYNC) {
+- reg |= (0x1 << GLOBAL_IRQ_PES_NO_SYNC_OFFS);
+- } else {
+- if (tspp2_en_pes_no_sync)
+- reg |= (0x1 << GLOBAL_IRQ_PES_NO_SYNC_OFFS);
+- else
+- reg &= ~(0x1 << GLOBAL_IRQ_PES_NO_SYNC_OFFS);
+- }
+-
+- writel_relaxed(reg, device->base + TSPP2_GLOBAL_IRQ_ENABLE);
+-
+- spin_lock_irqsave(&device->spinlock, flags);
+- device->event_callback = callback;
+- device->event_cookie = cookie;
+- device->event_bitmask = global_event_bitmask;
+- spin_unlock_irqrestore(&device->spinlock, flags);
+-
+- mutex_unlock(&device->mutex);
+-
+- dev_dbg(device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_global_event_notification_register);
+-
+-/**
+- * tspp2_src_event_notification_register() - Get notified on a source event.
+- *
+- * @src_handle: Source handle.
+- * @src_event_bitmask: A bitmask of source events,
+- * TSPP2_SRC_EVENT_XXX.
+- * @callback: User callback function.
+- * @cookie: User information passed to the callback.
+- *
+- * Register a user callback which will be invoked when certain source
+- * events occur. Note the values (mask, callback and cookie) are overwritten
+- * when calling this function multiple times. Therefore it is possible to
+- * "unregister" a callback by calling this function with the bitmask set to 0
+- * and with NULL callback and cookie.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_src_event_notification_register(u32 src_handle,
+- u32 src_event_bitmask,
+- void (*callback)(void *cookie, u32 event_bitmask),
+- void *cookie)
+-{
+- int ret;
+- u32 reg;
+- unsigned long flags;
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+-
+- if (!src) {
+- pr_err("%s: Invalid source handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(src->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&src->device->mutex)) {
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!src->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+- return -EPERM;
+- }
+-
+- if (!src->opened) {
+- pr_err("%s: Source not opened\n", __func__);
+- goto err_inval;
+- }
+-
+- if (((src->input == TSPP2_INPUT_TSIF0) ||
+- (src->input == TSPP2_INPUT_TSIF1)) &&
+- ((src_event_bitmask & TSPP2_SRC_EVENT_MEMORY_READ_ERROR) ||
+- (src_event_bitmask & TSPP2_SRC_EVENT_FLOW_CTRL_STALL))) {
+- pr_err("%s: Invalid event bitmask for a source with TSIF input\n",
+- __func__);
+- goto err_inval;
+- }
+-
+- if ((src->input == TSPP2_INPUT_MEMORY) &&
+- ((src_event_bitmask & TSPP2_SRC_EVENT_TSIF_LOST_SYNC) ||
+- (src_event_bitmask & TSPP2_SRC_EVENT_TSIF_TIMEOUT) ||
+- (src_event_bitmask & TSPP2_SRC_EVENT_TSIF_OVERFLOW) ||
+- (src_event_bitmask & TSPP2_SRC_EVENT_TSIF_PKT_READ_ERROR) ||
+- (src_event_bitmask & TSPP2_SRC_EVENT_TSIF_PKT_WRITE_ERROR))) {
+- pr_err("%s: Invalid event bitmask for a source with memory input\n",
+- __func__);
+- goto err_inval;
+- }
+-
+- spin_lock_irqsave(&src->device->spinlock, flags);
+- src->event_callback = callback;
+- src->event_cookie = cookie;
+- src->event_bitmask = src_event_bitmask;
+- spin_unlock_irqrestore(&src->device->spinlock, flags);
+-
+- /* Enable/disable flow control stall interrupt on the source */
+- reg = readl_relaxed(src->device->base + TSPP2_GLOBAL_IRQ_ENABLE);
+- if (callback && (src_event_bitmask & TSPP2_SRC_EVENT_FLOW_CTRL_STALL)) {
+- reg |= ((0x1 << src->hw_index) <<
+- GLOBAL_IRQ_FC_STALL_OFFS);
+- } else {
+- reg &= ~((0x1 << src->hw_index) <<
+- GLOBAL_IRQ_FC_STALL_OFFS);
+- }
+- writel_relaxed(reg, src->device->base + TSPP2_GLOBAL_IRQ_ENABLE);
+-
+- mutex_unlock(&src->device->mutex);
+-
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- dev_dbg(src->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-
+-err_inval:
+- mutex_unlock(&src->device->mutex);
+- pm_runtime_mark_last_busy(src->device->dev);
+- pm_runtime_put_autosuspend(src->device->dev);
+-
+- return -EINVAL;
+-}
+-EXPORT_SYMBOL(tspp2_src_event_notification_register);
+-
+-/**
+- * tspp2_filter_event_notification_register() - Get notified on a filter event.
+- *
+- * @filter_handle: Filter handle.
+- * @filter_event_bitmask: A bitmask of filter events,
+- * TSPP2_FILTER_EVENT_XXX.
+- * @callback: User callback function.
+- * @cookie: User information passed to the callback.
+- *
+- * Register a user callback which will be invoked when certain filter
+- * events occur. Note the values (mask, callback and cookie) are overwritten
+- * when calling this function multiple times. Therefore it is possible to
+- * "unregister" a callback by calling this function with the bitmask set to 0
+- * and with NULL callback and cookie.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_filter_event_notification_register(u32 filter_handle,
+- u32 filter_event_bitmask,
+- void (*callback)(void *cookie, u32 event_bitmask),
+- void *cookie)
+-{
+- int ret;
+- int idx;
+- u32 reg;
+- unsigned long flags;
+- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
+-
+- if (!filter) {
+- pr_err("%s: Invalid filter handle\n", __func__);
+- return -EINVAL;
+- }
+-
+- ret = pm_runtime_get_sync(filter->device->dev);
+- if (ret < 0)
+- return ret;
+-
+- if (mutex_lock_interruptible(&filter->device->mutex)) {
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -ERESTARTSYS;
+- }
+-
+- if (!filter->device->opened) {
+- pr_err("%s: Device must be opened first\n", __func__);
+- mutex_unlock(&filter->device->mutex);
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -EPERM;
+- }
+-
+- if (!filter->opened) {
+- pr_err("%s: Filter not opened\n", __func__);
+- mutex_unlock(&filter->device->mutex);
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+- return -EINVAL;
+- }
+-
+- spin_lock_irqsave(&filter->device->spinlock, flags);
+- filter->event_callback = callback;
+- filter->event_cookie = cookie;
+- filter->event_bitmask = filter_event_bitmask;
+- spin_unlock_irqrestore(&filter->device->spinlock, flags);
+-
+- /* Enable/disable SC high/low interrupts per filter as requested */
+- idx = (filter->context >> 5);
+- reg = readl_relaxed(filter->device->base +
+- TSPP2_SC_GO_HIGH_ENABLE(idx));
+- if (callback &&
+- (filter_event_bitmask & TSPP2_FILTER_EVENT_SCRAMBLING_HIGH)) {
+- reg |= (0x1 << TSPP2_MODULUS_OP(filter->context, 32));
+- } else {
+- reg &= ~(0x1 << TSPP2_MODULUS_OP(filter->context, 32));
+- }
+- writel_relaxed(reg, filter->device->base +
+- TSPP2_SC_GO_HIGH_ENABLE(idx));
+-
+- reg = readl_relaxed(filter->device->base +
+- TSPP2_SC_GO_LOW_ENABLE(idx));
+- if (callback &&
+- (filter_event_bitmask & TSPP2_FILTER_EVENT_SCRAMBLING_LOW)) {
+- reg |= (0x1 << TSPP2_MODULUS_OP(filter->context, 32));
+- } else {
+- reg &= ~(0x1 << TSPP2_MODULUS_OP(filter->context, 32));
+- }
+- writel_relaxed(reg, filter->device->base +
+- TSPP2_SC_GO_LOW_ENABLE(idx));
+-
+- mutex_unlock(&filter->device->mutex);
+-
+- pm_runtime_mark_last_busy(filter->device->dev);
+- pm_runtime_put_autosuspend(filter->device->dev);
+-
+- dev_dbg(filter->device->dev, "%s: successful\n", __func__);
+-
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_filter_event_notification_register);
+-
+-/**
+- * tspp2_get_filter_hw_index() - Get a filter's hardware index.
+- *
+- * @filter_handle: Filter handle.
+- *
+- * This is an helper function to support tspp2 auto-testing.
+- *
+- * Return the filter's hardware index on success, error value otherwise.
+- */
+-int tspp2_get_filter_hw_index(u32 filter_handle)
+-{
+- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
+- if (!filter_handle)
+- return -EINVAL;
+- return filter->hw_index;
+-}
+-EXPORT_SYMBOL(tspp2_get_filter_hw_index);
+-
+-/**
+- * tspp2_get_reserved_hw_index() - Get a source's reserved hardware index.
+- *
+- * @src_handle: Source handle.
+- *
+- * This is an helper function to support tspp2 auto-testing.
+- *
+- * Return the source's reserved hardware index on success,
+- * error value otherwise.
+- */
+-int tspp2_get_reserved_hw_index(u32 src_handle)
+-{
+- struct tspp2_src *src = (struct tspp2_src *)src_handle;
+- if (!src_handle)
+- return -EINVAL;
+- return src->reserved_filter_hw_index;
+-}
+-EXPORT_SYMBOL(tspp2_get_reserved_hw_index);
+-
+-/**
+- * tspp2_get_ops_array() - Get filter's operations.
+- *
+- * @filter_handle: Filter handle.
+- * @ops_array: The filter's operations.
+- * @num_of_ops: The filter's number of operations.
+- *
+- * This is an helper function to support tspp2 auto-testing.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-int tspp2_get_ops_array(u32 filter_handle,
+- struct tspp2_operation ops_array[TSPP2_MAX_OPS_PER_FILTER],
+- u8 *num_of_ops)
+-{
+- int i;
+- struct tspp2_filter *filter = (struct tspp2_filter *)filter_handle;
+- if (!filter_handle || !num_of_ops)
+- return -EINVAL;
+- *num_of_ops = filter->num_user_operations;
+- for (i = 0; i < *num_of_ops; i++)
+- ops_array[i] = filter->operations[i];
+- return 0;
+-}
+-EXPORT_SYMBOL(tspp2_get_ops_array);
+-
+-/* Platform driver related functions: */
+-
+-/**
+- * msm_tspp2_dt_to_pdata() - Copy device-tree data to platfrom data structure.
+- *
+- * @pdev: Platform device.
+- *
+- * Return pointer to allocated platform data on success, NULL on failure.
+- */
+-static struct msm_tspp2_platform_data *
+-msm_tspp2_dt_to_pdata(struct platform_device *pdev)
+-{
+- struct device_node *node = pdev->dev.of_node;
+- struct msm_tspp2_platform_data *data;
+- int rc;
+-
+- /* Note: memory allocated by devm_kzalloc is freed automatically */
+- data = devm_kzalloc(&pdev->dev, sizeof(*data), GFP_KERNEL);
+- if (!data) {
+- pr_err("%s: Unable to allocate platform data\n", __func__);
+- return NULL;
+- }
+-
+- /* Get power regulator */
+- if (!of_get_property(node, "vdd-supply", NULL)) {
+- pr_err("%s: Could not find vdd-supply property\n", __func__);
+- return NULL;
+- }
+-
+- /* Get IOMMU information */
+- rc = of_property_read_string(node, "qcom,iommu-hlos-group",
+- &data->hlos_group);
+- if (rc) {
+- pr_err("%s: Could not find iommu-hlos-group property, err = %d\n",
+- __func__, rc);
+- return NULL;
+- }
+- rc = of_property_read_string(node, "qcom,iommu-cpz-group",
+- &data->cpz_group);
+- if (rc) {
+- pr_err("%s: Could not find iommu-cpz-group property, err = %d\n",
+- __func__, rc);
+- return NULL;
+- }
+- rc = of_property_read_u32(node, "qcom,iommu-hlos-partition",
+- &data->hlos_partition);
+- if (rc) {
+- pr_err("%s: Could not find iommu-hlos-partition property, err = %d\n",
+- __func__, rc);
+- return NULL;
+- }
+- rc = of_property_read_u32(node, "qcom,iommu-cpz-partition",
+- &data->cpz_partition);
+- if (rc) {
+- pr_err("%s: Could not find iommu-cpz-partition property, err = %d\n",
+- __func__, rc);
+- return NULL;
+- }
+-
+- return data;
+-}
+-
+-static void msm_tspp2_iommu_info_free(struct tspp2_device *device)
+-{
+- if (device->iommu_info.hlos_group) {
+- iommu_group_put(device->iommu_info.hlos_group);
+- device->iommu_info.hlos_group = NULL;
+- }
+-
+- if (device->iommu_info.cpz_group) {
+- iommu_group_put(device->iommu_info.cpz_group);
+- device->iommu_info.cpz_group = NULL;
+- }
+-
+- device->iommu_info.hlos_domain = NULL;
+- device->iommu_info.cpz_domain = NULL;
+- device->iommu_info.hlos_domain_num = -1;
+- device->iommu_info.cpz_domain_num = -1;
+- device->iommu_info.hlos_partition = -1;
+- device->iommu_info.cpz_partition = -1;
+-}
+-
+-/**
+- * msm_tspp2_iommu_info_get() - Get IOMMU information.
+- *
+- * @pdev: Platform device, containing platform information.
+- * @device: TSPP2 device.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int msm_tspp2_iommu_info_get(struct platform_device *pdev,
+- struct tspp2_device *device)
+-{
+- int ret = 0;
+- struct msm_tspp2_platform_data *data = pdev->dev.platform_data;
+-
+- device->iommu_info.hlos_group = NULL;
+- device->iommu_info.cpz_group = NULL;
+- device->iommu_info.hlos_domain = NULL;
+- device->iommu_info.cpz_domain = NULL;
+- device->iommu_info.hlos_domain_num = -1;
+- device->iommu_info.cpz_domain_num = -1;
+- device->iommu_info.hlos_partition = -1;
+- device->iommu_info.cpz_partition = -1;
+-
+- device->iommu_info.hlos_group = iommu_group_find(data->hlos_group);
+- if (!device->iommu_info.hlos_group) {
+- dev_err(&pdev->dev, "%s: Cannot find IOMMU HLOS group",
+- __func__);
+- ret = -EINVAL;
+- goto err_out;
+- }
+- device->iommu_info.cpz_group = iommu_group_find(data->cpz_group);
+- if (!device->iommu_info.cpz_group) {
+- dev_err(&pdev->dev, "%s: Cannot find IOMMU CPZ group",
+- __func__);
+- ret = -EINVAL;
+- goto err_out;
+- }
+-
+- device->iommu_info.hlos_domain =
+- iommu_group_get_iommudata(device->iommu_info.hlos_group);
+- if (IS_ERR_OR_NULL(device->iommu_info.hlos_domain)) {
+- dev_err(&pdev->dev, "%s: iommu_group_get_iommudata failed",
+- __func__);
+- ret = -EINVAL;
+- goto err_out;
+- }
+-
+- device->iommu_info.cpz_domain =
+- iommu_group_get_iommudata(device->iommu_info.cpz_group);
+- if (IS_ERR_OR_NULL(device->iommu_info.cpz_domain)) {
+- device->iommu_info.hlos_domain = NULL;
+- dev_err(&pdev->dev, "%s: iommu_group_get_iommudata failed",
+- __func__);
+- ret = -EINVAL;
+- goto err_out;
+- }
+-
+- device->iommu_info.hlos_domain_num =
+- msm_find_domain_no(device->iommu_info.hlos_domain);
+- device->iommu_info.cpz_domain_num =
+- msm_find_domain_no(device->iommu_info.cpz_domain);
+- device->iommu_info.hlos_partition = data->hlos_partition;
+- device->iommu_info.cpz_partition = data->cpz_partition;
+-
+- return 0;
+-
+-err_out:
+- msm_tspp2_iommu_info_free(device);
+-
+- return ret;
+-}
+-
+-/**
+- * tspp2_clocks_put() - Put clocks and disable regulator.
+- *
+- * @device: TSPP2 device.
+- */
+-static void tspp2_clocks_put(struct tspp2_device *device)
+-{
+- if (device->tsif_ref_clk)
+- clk_put(device->tsif_ref_clk);
+-
+- if (device->tspp2_klm_ahb_clk)
+- clk_put(device->tspp2_klm_ahb_clk);
+-
+- if (device->tspp2_vbif_clk)
+- clk_put(device->tspp2_vbif_clk);
+-
+- if (device->vbif_ahb_clk)
+- clk_put(device->vbif_ahb_clk);
+-
+- if (device->vbif_axi_clk)
+- clk_put(device->vbif_axi_clk);
+-
+- if (device->tspp2_core_clk)
+- clk_put(device->tspp2_core_clk);
+-
+- if (device->tspp2_ahb_clk)
+- clk_put(device->tspp2_ahb_clk);
+-
+- device->tspp2_ahb_clk = NULL;
+- device->tspp2_core_clk = NULL;
+- device->tspp2_vbif_clk = NULL;
+- device->vbif_ahb_clk = NULL;
+- device->vbif_axi_clk = NULL;
+- device->tspp2_klm_ahb_clk = NULL;
+- device->tsif_ref_clk = NULL;
+-}
+-
+-/**
+- * msm_tspp2_clocks_setup() - Get clocks and set their rate, enable regulator.
+- *
+- * @pdev: Platform device, containing platform information.
+- * @device: TSPP2 device.
+- *
+- * Return 0 on success, error value otherwise.
+- */
+-static int msm_tspp2_clocks_setup(struct platform_device *pdev,
+- struct tspp2_device *device)
+-{
+- int ret = 0;
+- unsigned long rate_in_hz = 0;
+- struct clk *tspp2_core_clk_src = NULL;
+-
+- /* Get power regulator (GDSC) */
+- device->gdsc = devm_regulator_get(&pdev->dev, "vdd");
+- if (IS_ERR(device->gdsc)) {
+- pr_err("%s: Failed to get vdd power regulator\n", __func__);
+- ret = PTR_ERR(device->gdsc);
+- device->gdsc = NULL;
+- return ret;
+- }
+-
+- device->tspp2_ahb_clk = NULL;
+- device->tspp2_core_clk = NULL;
+- device->tspp2_vbif_clk = NULL;
+- device->vbif_ahb_clk = NULL;
+- device->vbif_axi_clk = NULL;
+- device->tspp2_klm_ahb_clk = NULL;
+- device->tsif_ref_clk = NULL;
+-
+- device->tspp2_ahb_clk = clk_get(&pdev->dev, "bcc_tspp2_ahb_clk");
+- if (IS_ERR(device->tspp2_ahb_clk)) {
+- pr_err("%s: Failed to get %s", __func__, "bcc_tspp2_ahb_clk");
+- ret = PTR_ERR(device->tspp2_ahb_clk);
+- device->tspp2_ahb_clk = NULL;
+- goto err_clocks;
+- }
+-
+- device->tspp2_core_clk = clk_get(&pdev->dev, "bcc_tspp2_core_clk");
+- if (IS_ERR(device->tspp2_core_clk)) {
+- pr_err("%s: Failed to get %s", __func__, "bcc_tspp2_core_clk");
+- ret = PTR_ERR(device->tspp2_core_clk);
+- device->tspp2_core_clk = NULL;
+- goto err_clocks;
+- }
+-
+- device->tspp2_vbif_clk = clk_get(&pdev->dev, "bcc_vbif_tspp2_clk");
+- if (IS_ERR(device->tspp2_vbif_clk)) {
+- pr_err("%s: Failed to get %s", __func__, "bcc_vbif_tspp2_clk");
+- ret = PTR_ERR(device->tspp2_vbif_clk);
+- device->tspp2_vbif_clk = NULL;
+- goto err_clocks;
+- }
+-
+- device->vbif_ahb_clk = clk_get(&pdev->dev, "iface_vbif_clk");
+- if (IS_ERR(device->vbif_ahb_clk)) {
+- pr_err("%s: Failed to get %s", __func__, "iface_vbif_clk");
+- ret = PTR_ERR(device->vbif_ahb_clk);
+- device->vbif_ahb_clk = NULL;
+- goto err_clocks;
+- }
+-
+- device->vbif_axi_clk = clk_get(&pdev->dev, "vbif_core_clk");
+- if (IS_ERR(device->vbif_axi_clk)) {
+- pr_err("%s: Failed to get %s", __func__, "vbif_core_clk");
+- ret = PTR_ERR(device->vbif_axi_clk);
+- device->vbif_axi_clk = NULL;
+- goto err_clocks;
+- }
+-
+- device->tspp2_klm_ahb_clk = clk_get(&pdev->dev, "bcc_klm_ahb_clk");
+- if (IS_ERR(device->tspp2_klm_ahb_clk)) {
+- pr_err("%s: Failed to get %s", __func__, "bcc_klm_ahb_clk");
+- ret = PTR_ERR(device->tspp2_klm_ahb_clk);
+- device->tspp2_klm_ahb_clk = NULL;
+- goto err_clocks;
+- }
+-
+- device->tsif_ref_clk = clk_get(&pdev->dev, "gcc_tsif_ref_clk");
+- if (IS_ERR(device->tsif_ref_clk)) {
+- pr_err("%s: Failed to get %s", __func__, "gcc_tsif_ref_clk");
+- ret = PTR_ERR(device->tsif_ref_clk);
+- device->tsif_ref_clk = NULL;
+- goto err_clocks;
+- }
+-
+- /* Set relevant clock rates */
+- rate_in_hz = clk_round_rate(device->tsif_ref_clk, 1);
+- if (clk_set_rate(device->tsif_ref_clk, rate_in_hz)) {
+- pr_err("%s: Failed to set rate %lu to %s\n", __func__,
+- rate_in_hz, "gcc_tsif_ref_clk");
+- goto err_clocks;
+- }
+-
+- /* We need to set the rate of tspp2_core_clk_src */
+- tspp2_core_clk_src = clk_get_parent(device->tspp2_core_clk);
+- if (tspp2_core_clk_src) {
+- rate_in_hz = clk_round_rate(tspp2_core_clk_src, 1);
+- if (clk_set_rate(tspp2_core_clk_src, rate_in_hz)) {
+- pr_err("%s: Failed to set rate %lu to tspp2_core_clk_src\n",
+- __func__, rate_in_hz);
+- goto err_clocks;
+- }
+- } else {
+- pr_err("%s: Failed to get tspp2_core_clk parent\n", __func__);
+- goto err_clocks;
+- }
+-
+- return 0;
+-
+-err_clocks:
+- tspp2_clocks_put(device);
+-
+- return ret;
+-}
+-
+-/**
+- * msm_tspp2_map_io_memory() - Map memory resources to kernel space.
+- *
+- * @pdev: Platform device, containing platform information.
+- * @device: TSPP2 device.
+- *
+- * Return 0 on success, error value otherwise.
+- */ +-static int msm_tspp2_map_io_memory(struct platform_device *pdev, +- struct tspp2_device *device) +-{ +- struct resource *mem_tsif0; +- struct resource *mem_tsif1; +- struct resource *mem_tspp2; +- struct resource *mem_bam; +- +- /* Get memory resources */ +- mem_tsif0 = platform_get_resource_byname(pdev, +- IORESOURCE_MEM, "MSM_TSIF0"); +- if (!mem_tsif0) { +- dev_err(&pdev->dev, "%s: Missing TSIF0 MEM resource", __func__); +- return -ENXIO; +- } +- +- mem_tsif1 = platform_get_resource_byname(pdev, +- IORESOURCE_MEM, "MSM_TSIF1"); +- if (!mem_tsif1) { +- dev_err(&pdev->dev, "%s: Missing TSIF1 MEM resource", __func__); +- return -ENXIO; +- } +- +- mem_tspp2 = platform_get_resource_byname(pdev, +- IORESOURCE_MEM, "MSM_TSPP2"); +- if (!mem_tspp2) { +- dev_err(&pdev->dev, "%s: Missing TSPP2 MEM resource", __func__); +- return -ENXIO; +- } +- +- mem_bam = platform_get_resource_byname(pdev, +- IORESOURCE_MEM, "MSM_TSPP2_BAM"); +- if (!mem_bam) { +- dev_err(&pdev->dev, "%s: Missing BAM MEM resource", __func__); +- return -ENXIO; +- } +- +- /* Map memory physical addresses to kernel space */ +- device->tsif_devices[0].base = ioremap(mem_tsif0->start, +- resource_size(mem_tsif0)); +- if (!device->tsif_devices[0].base) { +- dev_err(&pdev->dev, "%s: ioremap failed", __func__); +- goto err_map_tsif0; +- } +- +- device->tsif_devices[1].base = ioremap(mem_tsif1->start, +- resource_size(mem_tsif1)); +- if (!device->tsif_devices[1].base) { +- dev_err(&pdev->dev, "%s: ioremap failed", __func__); +- goto err_map_tsif1; +- } +- +- device->base = ioremap(mem_tspp2->start, resource_size(mem_tspp2)); +- if (!device->base) { +- dev_err(&pdev->dev, "%s: ioremap failed", __func__); +- goto err_map_dev; +- } +- +- memset(&device->bam_props, 0, sizeof(device->bam_props)); +- device->bam_props.phys_addr = mem_bam->start; +- device->bam_props.virt_addr = ioremap(mem_bam->start, +- resource_size(mem_bam)); +- if (!device->bam_props.virt_addr) { +- dev_err(&pdev->dev, "%s: ioremap 
failed", __func__); +- goto err_map_bam; +- } +- +- return 0; +- +-err_map_bam: +- iounmap(device->base); +- +-err_map_dev: +- iounmap(device->tsif_devices[1].base); +- +-err_map_tsif1: +- iounmap(device->tsif_devices[0].base); +- +-err_map_tsif0: +- return -ENXIO; +-} +- +-/** +- * tspp2_event_work_prepare() - Prepare and queue a work element. +- * +- * @device: TSPP2 device. +- * @callback: User callback to invoke. +- * @cookie: User cookie. +- * @event_bitmask: Event bitmask +- * +- * Get a free work element from the pool, prepare it and queue it +- * to the work queue. When scheduled, the work will invoke the user callback +- * for the event that the HW reported. +- */ +-static void tspp2_event_work_prepare(struct tspp2_device *device, +- void (*callback)(void *cookie, u32 event_bitmask), +- void *cookie, +- u32 event_bitmask) +-{ +- struct tspp2_event_work *work = NULL; +- +- if (!list_empty(&device->free_work_list)) { +- work = list_first_entry(&device->free_work_list, +- struct tspp2_event_work, link); +- list_del(&work->link); +- work->callback = callback; +- work->cookie = cookie; +- work->event_bitmask = event_bitmask; +- queue_work(device->work_queue, &work->work); +- } else { +- pr_warn("%s: No available work element\n", __func__); +- } +-} +- +-/** +- * tspp2_isr() - TSPP2 interrupt handler. +- * +- * @irq: Interrupt number. +- * @dev: TSPP2 device. +- * +- * Handle TSPP2 HW interrupt. Collect relevant statistics and invoke +- * user registered callbacks for global, source or filter events. +- * +- * Return IRQ_HANDLED. 
+- */ +-static irqreturn_t tspp2_isr(int irq, void *dev) +-{ +- struct tspp2_device *device = dev; +- struct tspp2_src *src = NULL; +- struct tspp2_filter *f = NULL; +- unsigned long ext_reg = 0; +- unsigned long val = 0; +- unsigned long flags; +- u32 i = 0, j = 0; +- u32 global_bitmask = 0; +- u32 src_bitmask[TSPP2_NUM_MEM_INPUTS] = {0}; +- u32 filter_bitmask[TSPP2_NUM_CONTEXTS] = {0}; +- u32 reg = 0; +- +- reg = readl_relaxed(device->base + TSPP2_GLOBAL_IRQ_STATUS); +- +- if (reg & (0x1 << GLOBAL_IRQ_TSP_INVALID_AF_OFFS)) { +- device->irq_stats.global.tsp_invalid_af_control++; +- global_bitmask |= TSPP2_GLOBAL_EVENT_INVALID_AF_CTRL; +- } +- +- if (reg & (0x1 << GLOBAL_IRQ_TSP_INVALID_LEN_OFFS)) { +- device->irq_stats.global.tsp_invalid_length++; +- global_bitmask |= TSPP2_GLOBAL_EVENT_INVALID_AF_LENGTH; +- } +- +- if (reg & (0x1 << GLOBAL_IRQ_PES_NO_SYNC_OFFS)) { +- device->irq_stats.global.pes_no_sync++; +- global_bitmask |= TSPP2_GLOBAL_EVENT_PES_NO_SYNC; +- } +- +- if (reg & (0x1 << GLOBAL_IRQ_ENCRYPT_LEVEL_ERR_OFFS)) +- device->irq_stats.global.encrypt_level_err++; +- +- if (reg & (0x1 << GLOBAL_IRQ_KEY_NOT_READY_OFFS)) { +- ext_reg = readl_relaxed(device->base + +- TSPP2_KEY_NOT_READY_IRQ_STATUS); +- for_each_set_bit(i, &ext_reg, TSPP2_NUM_KEYTABLES) +- device->irq_stats.kt[i].key_not_ready++; +- writel_relaxed(ext_reg, device->base + +- TSPP2_KEY_NOT_READY_IRQ_CLEAR); +- } +- +- if (reg & (0x1 << GLOBAL_IRQ_UNEXPECTED_RESET_OFFS)) { +- ext_reg = readl_relaxed(device->base + +- TSPP2_UNEXPECTED_RST_IRQ_STATUS); +- for_each_set_bit(i, &ext_reg, TSPP2_NUM_PIPES) +- device->irq_stats.pipe[i].unexpected_reset++; +- writel_relaxed(ext_reg, device->base + +- TSPP2_UNEXPECTED_RST_IRQ_CLEAR); +- } +- +- if (reg & (0x1 << GLOBAL_IRQ_WRONG_PIPE_DIR_OFFS)) { +- ext_reg = readl_relaxed(device->base + +- TSPP2_WRONG_PIPE_DIR_IRQ_STATUS); +- for_each_set_bit(i, &ext_reg, TSPP2_NUM_PIPES) +- device->irq_stats.pipe[i].wrong_pipe_direction++; +- writel_relaxed(ext_reg, 
device->base + +- TSPP2_WRONG_PIPE_DIR_IRQ_CLEAR); +- } +- +- if (reg & (0x1 << GLOBAL_IRQ_QSB_RESP_ERR_OFFS)) { +- global_bitmask |= TSPP2_GLOBAL_EVENT_TX_FAIL; +- ext_reg = readl_relaxed(device->base + +- TSPP2_QSB_RESPONSE_ERROR_IRQ_STATUS); +- for_each_set_bit(i, &ext_reg, TSPP2_NUM_PIPES) +- device->irq_stats.pipe[i].qsb_response_error++; +- writel_relaxed(ext_reg, device->base + +- TSPP2_QSB_RESPONSE_ERROR_IRQ_CLEAR); +- } +- +- if (reg & (0x1 << GLOBAL_IRQ_SC_GO_HIGH_OFFS)) { +- for (j = 0; j < 3; j++) { +- ext_reg = readl_relaxed(device->base + +- TSPP2_SC_GO_HIGH_STATUS(j)); +- for_each_set_bit(i, &ext_reg, 32) { +- filter_bitmask[j*32 + i] |= +- TSPP2_FILTER_EVENT_SCRAMBLING_HIGH; +- device->irq_stats.ctx[j*32 + i].sc_go_high++; +- } +- writel_relaxed(ext_reg, device->base + +- TSPP2_SC_GO_HIGH_CLEAR(j)); +- } +- } +- +- if (reg & (0x1 << GLOBAL_IRQ_SC_GO_LOW_OFFS)) { +- for (j = 0; j < 3; j++) { +- ext_reg = readl_relaxed(device->base + +- TSPP2_SC_GO_LOW_STATUS(j)); +- for_each_set_bit(i, &ext_reg, 32) { +- filter_bitmask[j*32 + i] |= +- TSPP2_FILTER_EVENT_SCRAMBLING_LOW; +- device->irq_stats.ctx[j*32 + i].sc_go_low++; +- } +- writel_relaxed(ext_reg, device->base + +- TSPP2_SC_GO_LOW_CLEAR(j)); +- } +- } +- +- if (reg & (0xFF << GLOBAL_IRQ_READ_FAIL_OFFS)) { +- val = ((reg & (0xFF << GLOBAL_IRQ_READ_FAIL_OFFS)) >> +- GLOBAL_IRQ_READ_FAIL_OFFS); +- for_each_set_bit(i, &val, TSPP2_NUM_MEM_INPUTS) { +- src_bitmask[i] |= TSPP2_SRC_EVENT_MEMORY_READ_ERROR; +- device->irq_stats.src[i].read_failure++; +- } +- } +- +- if (reg & (0xFF << GLOBAL_IRQ_FC_STALL_OFFS)) { +- val = ((reg & (0xFF << GLOBAL_IRQ_FC_STALL_OFFS)) >> +- GLOBAL_IRQ_FC_STALL_OFFS); +- for_each_set_bit(i, &val, TSPP2_NUM_MEM_INPUTS) { +- src_bitmask[i] |= TSPP2_SRC_EVENT_FLOW_CTRL_STALL; +- device->irq_stats.src[i].flow_control_stall++; +- } +- } +- +- spin_lock_irqsave(&device->spinlock, flags); +- +- /* Invoke user callback for global events */ +- if (device->event_callback && (global_bitmask 
& device->event_bitmask)) +- tspp2_event_work_prepare(device, device->event_callback, +- device->event_cookie, +- (global_bitmask & device->event_bitmask)); +- +- /* Invoke user callbacks on memory source events */ +- for (i = 0; i < TSPP2_NUM_MEM_INPUTS; i++) { +- src = &device->mem_sources[i]; +- if (src->event_callback && +- (src_bitmask[src->hw_index] & src->event_bitmask)) +- tspp2_event_work_prepare(device, +- src->event_callback, +- src->event_cookie, +- (src_bitmask[src->hw_index] & +- src->event_bitmask)); +- } +- +- /* Invoke user callbacks on filter events */ +- for (i = 0; i < TSPP2_NUM_AVAIL_FILTERS; i++) { +- f = &device->filters[i]; +- if (f->event_callback && +- (f->event_bitmask & filter_bitmask[f->context])) +- tspp2_event_work_prepare(device, +- f->event_callback, +- f->event_cookie, +- (f->event_bitmask & +- filter_bitmask[f->context])); +- } +- +- spin_unlock_irqrestore(&device->spinlock, flags); +- +- /* +- * Clear global interrupts. Note bits [9:4] are an aggregation of +- * other IRQs, and are reserved in the TSPP2_GLOBAL_IRQ_CLEAR register. +- */ +- reg &= ~(0x0FFF << GLOBAL_IRQ_CLEAR_RESERVED_OFFS); +- writel_relaxed(reg, device->base + TSPP2_GLOBAL_IRQ_CLEAR); +- /* +- * Before returning IRQ_HANDLED to the generic interrupt handling +- * framework, we need to make sure all operations, including clearing of +- * interrupt status registers in the hardware, are performed. +- * Thus a barrier after clearing the interrupt status register +- * is required to guarantee that the interrupt status register has +- * really been cleared by the time we return from this handler. +- */ +- wmb(); +- +- return IRQ_HANDLED; +-} +- +-/** +- * tsif_isr() - TSIF interrupt handler. +- * +- * @irq: Interrupt number. +- * @dev: TSIF device that generated the interrupt. +- * +- * Handle TSIF HW interrupt. Collect HW statistics and, if the user registered +- * a relevant source callback, invoke it. 
+- * +- * Return IRQ_HANDLED on success, IRQ_NONE on irrelevant interrupts. +- */ +-static irqreturn_t tsif_isr(int irq, void *dev) +-{ +- u32 src_bitmask = 0; +- unsigned long flags; +- struct tspp2_src *src = NULL; +- struct tspp2_tsif_device *tsif_device = dev; +- u32 sts_ctl = 0; +- +- sts_ctl = readl_relaxed(tsif_device->base + TSPP2_TSIF_STS_CTL); +- +- if (!(sts_ctl & (TSIF_STS_CTL_PACK_AVAIL | +- TSIF_STS_CTL_PKT_WRITE_ERR | +- TSIF_STS_CTL_PKT_READ_ERR | +- TSIF_STS_CTL_OVERFLOW | +- TSIF_STS_CTL_LOST_SYNC | +- TSIF_STS_CTL_TIMEOUT))) { +- return IRQ_NONE; +- } +- +- if (sts_ctl & TSIF_STS_CTL_PKT_WRITE_ERR) { +- src_bitmask |= TSPP2_SRC_EVENT_TSIF_PKT_WRITE_ERROR; +- tsif_device->stat_pkt_write_err++; +- } +- +- if (sts_ctl & TSIF_STS_CTL_PKT_READ_ERR) { +- src_bitmask |= TSPP2_SRC_EVENT_TSIF_PKT_READ_ERROR; +- tsif_device->stat_pkt_read_err++; +- } +- +- if (sts_ctl & TSIF_STS_CTL_OVERFLOW) { +- src_bitmask |= TSPP2_SRC_EVENT_TSIF_OVERFLOW; +- tsif_device->stat_overflow++; +- } +- +- if (sts_ctl & TSIF_STS_CTL_LOST_SYNC) { +- src_bitmask |= TSPP2_SRC_EVENT_TSIF_LOST_SYNC; +- tsif_device->stat_lost_sync++; +- } +- +- if (sts_ctl & TSIF_STS_CTL_TIMEOUT) { +- src_bitmask |= TSPP2_SRC_EVENT_TSIF_TIMEOUT; +- tsif_device->stat_timeout++; +- } +- +- /* Invoke user TSIF source callbacks if registered for these events */ +- src = &tsif_device->dev->tsif_sources[tsif_device->hw_index]; +- +- spin_lock_irqsave(&src->device->spinlock, flags); +- +- if (src->event_callback && (src->event_bitmask & src_bitmask)) +- tspp2_event_work_prepare(tsif_device->dev, src->event_callback, +- src->event_cookie, (src->event_bitmask & src_bitmask)); +- +- spin_unlock_irqrestore(&src->device->spinlock, flags); +- +- writel_relaxed(sts_ctl, tsif_device->base + TSPP2_TSIF_STS_CTL); +- /* +- * Before returning IRQ_HANDLED to the generic interrupt handling +- * framework, we need to make sure all operations, including clearing of +- * interrupt status registers in the hardware, are 
performed. +- * Thus a barrier after clearing the interrupt status register +- * is required to guarantee that the interrupt status register has +- * really been cleared by the time we return from this handler. +- */ +- wmb(); +- +- return IRQ_HANDLED; +-} +- +-/** +- * msm_tspp2_map_irqs() - Get and request IRQs. +- * +- * @pdev: Platform device, containing platform information. +- * @device: TSPP2 device. +- * +- * Helper function to get IRQ numbers from the platform device and request +- * the IRQs (i.e., set interrupt handlers) for the TSPP2 and TSIF interrupts. +- * +- * Return 0 on success, error value otherwise. +- */ +-static int msm_tspp2_map_irqs(struct platform_device *pdev, +- struct tspp2_device *device) +-{ +- int rc; +- int i; +- +- /* get IRQ numbers from platform information */ +- +- rc = platform_get_irq_byname(pdev, "TSPP2"); +- if (rc > 0) { +- device->tspp2_irq = rc; +- } else { +- dev_err(&pdev->dev, "%s: Failed to get TSPP2 IRQ", __func__); +- return -EINVAL; +- } +- +- rc = platform_get_irq_byname(pdev, "TSIF0"); +- if (rc > 0) { +- device->tsif_devices[0].tsif_irq = rc; +- } else { +- dev_err(&pdev->dev, "%s: Failed to get TSIF0 IRQ", __func__); +- return -EINVAL; +- } +- +- rc = platform_get_irq_byname(pdev, "TSIF1"); +- if (rc > 0) { +- device->tsif_devices[1].tsif_irq = rc; +- } else { +- dev_err(&pdev->dev, "%s: Failed to get TSIF1 IRQ", __func__); +- return -EINVAL; +- } +- +- rc = platform_get_irq_byname(pdev, "TSPP2_BAM"); +- if (rc > 0) { +- device->bam_irq = rc; +- } else { +- dev_err(&pdev->dev, +- "%s: Failed to get TSPP2 BAM IRQ", __func__); +- return -EINVAL; +- } +- +- rc = request_irq(device->tspp2_irq, tspp2_isr, IRQF_SHARED, +- dev_name(&pdev->dev), device); +- if (rc) { +- dev_err(&pdev->dev, +- "%s: Failed to request TSPP2 IRQ %d : %d", +- __func__, device->tspp2_irq, rc); +- goto request_irq_err; +- } +- +- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++) { +- rc = request_irq(device->tsif_devices[i].tsif_irq, +- tsif_isr, 
IRQF_SHARED, +- dev_name(&pdev->dev), &device->tsif_devices[i]); +- if (rc) { +- dev_warn(&pdev->dev, +- "%s: Failed to request TSIF%d IRQ: %d", +- __func__, i, rc); +- device->tsif_devices[i].tsif_irq = 0; +- } +- } +- +- return 0; +- +-request_irq_err: +- device->tspp2_irq = 0; +- device->tsif_devices[0].tsif_irq = 0; +- device->tsif_devices[1].tsif_irq = 0; +- device->bam_irq = 0; +- +- return -EINVAL; +-} +- +-/* Device driver probe function */ +-static int msm_tspp2_probe(struct platform_device *pdev) +-{ +- int rc = 0; +- struct msm_tspp2_platform_data *data; +- struct tspp2_device *device; +- struct msm_bus_scale_pdata *tspp2_bus_pdata = NULL; +- +- if (pdev->dev.of_node) { +- /* Get information from device tree */ +- data = msm_tspp2_dt_to_pdata(pdev); +- /* get device ID */ +- rc = of_property_read_u32(pdev->dev.of_node, +- "cell-index", &pdev->id); +- if (rc) +- pdev->id = -1; +- +- tspp2_bus_pdata = msm_bus_cl_get_pdata(pdev); +- pdev->dev.platform_data = data; +- } else { +- /* Get information from platform data */ +- data = pdev->dev.platform_data; +- } +- if (!data) { +- pr_err("%s: Platform data not available\n", __func__); +- return -EINVAL; +- } +- +- /* Verify device id is valid */ +- if ((pdev->id < 0) || (pdev->id >= TSPP2_NUM_DEVICES)) { +- pr_err("%s: Invalid device ID %d\n", __func__, pdev->id); +- return -EINVAL; +- } +- +- device = devm_kzalloc(&pdev->dev, +- sizeof(struct tspp2_device), +- GFP_KERNEL); +- if (!device) { +- pr_err("%s: Failed to allocate memory for device\n", __func__); +- return -ENOMEM; +- } +- platform_set_drvdata(pdev, device); +- device->pdev = pdev; +- device->dev = &pdev->dev; +- device->dev_id = pdev->id; +- device->opened = 0; +- +- /* Register bus client */ +- if (tspp2_bus_pdata) { +- device->bus_client = +- msm_bus_scale_register_client(tspp2_bus_pdata); +- if (!device->bus_client) +- pr_err("%s: Unable to register bus client\n", __func__); +- } else { +- pr_err("%s: Platform bus client data not available. 
Continue anyway...\n", +- __func__); +- } +- +- rc = msm_tspp2_iommu_info_get(pdev, device); +- if (rc) { +- pr_err("%s: Failed to get IOMMU information\n", __func__); +- goto err_bus_client; +- } +- +- rc = msm_tspp2_clocks_setup(pdev, device); +- if (rc) +- goto err_clocks_setup; +- +- rc = msm_tspp2_map_io_memory(pdev, device); +- if (rc) +- goto err_map_io_memory; +- +- rc = msm_tspp2_map_irqs(pdev, device); +- if (rc) +- goto err_map_irq; +- +- mutex_init(&device->mutex); +- +- tspp2_devices[pdev->id] = device; +- +- tspp2_debugfs_init(device); +- +- return rc; +- +-err_map_irq: +- iounmap(device->base); +- iounmap(device->tsif_devices[0].base); +- iounmap(device->tsif_devices[1].base); +- iounmap(device->bam_props.virt_addr); +- +-err_map_io_memory: +- tspp2_clocks_put(device); +- +-err_clocks_setup: +- msm_tspp2_iommu_info_free(device); +- +-err_bus_client: +- if (device->bus_client) +- msm_bus_scale_unregister_client(device->bus_client); +- +- return rc; +-} +- +-/* Device driver remove function */ +-static int msm_tspp2_remove(struct platform_device *pdev) +-{ +- int i; +- int rc = 0; +- struct tspp2_device *device = platform_get_drvdata(pdev); +- +- tspp2_debugfs_exit(device); +- +- if (device->tspp2_irq) +- free_irq(device->tspp2_irq, device); +- +- for (i = 0; i < TSPP2_NUM_TSIF_INPUTS; i++) +- if (device->tsif_devices[i].tsif_irq) +- free_irq(device->tsif_devices[i].tsif_irq, +- &device->tsif_devices[i]); +- +- /* Unmap memory */ +- iounmap(device->base); +- iounmap(device->tsif_devices[0].base); +- iounmap(device->tsif_devices[1].base); +- iounmap(device->bam_props.virt_addr); +- +- msm_tspp2_iommu_info_free(device); +- +- if (device->bus_client) +- msm_bus_scale_unregister_client(device->bus_client); +- +- mutex_destroy(&device->mutex); +- +- tspp2_clocks_put(device); +- +- return rc; +-} +- +-/* Power Management */ +- +-static int tspp2_runtime_suspend(struct device *dev) +-{ +- int ret = 0; +- struct tspp2_device *device; +- struct platform_device 
*pdev; +- +- /* +- * HW manages power collapse automatically. +- * Disabling AHB and Core clocsk and "cancelling" bus bandwidth voting. +- */ +- +- pdev = container_of(dev, struct platform_device, dev); +- device = platform_get_drvdata(pdev); +- +- mutex_lock(&device->mutex); +- +- if (!device->opened) +- ret = -EPERM; +- else +- ret = tspp2_reg_clock_stop(device); +- +- mutex_unlock(&device->mutex); +- +- dev_dbg(dev, "%s\n", __func__); +- +- return ret; +-} +- +-static int tspp2_runtime_resume(struct device *dev) +-{ +- int ret = 0; +- struct tspp2_device *device; +- struct platform_device *pdev; +- +- /* +- * HW manages power collapse automatically. +- * Enabling AHB and Core clocks to allow access to unit registers, +- * and voting for the required bus bandwidth for register access. +- */ +- +- pdev = container_of(dev, struct platform_device, dev); +- device = platform_get_drvdata(pdev); +- +- mutex_lock(&device->mutex); +- +- if (!device->opened) +- ret = -EPERM; +- else +- ret = tspp2_reg_clock_start(device); +- +- mutex_unlock(&device->mutex); +- +- dev_dbg(dev, "%s\n", __func__); +- +- return ret; +-} +- +-static const struct dev_pm_ops tspp2_dev_pm_ops = { +- .runtime_suspend = tspp2_runtime_suspend, +- .runtime_resume = tspp2_runtime_resume, +-}; +- +-/* Platform driver information */ +- +-static struct of_device_id msm_tspp2_match_table[] = { +- {.compatible = "qcom,msm_tspp2"}, +- {} +-}; +- +-static struct platform_driver msm_tspp2_driver = { +- .probe = msm_tspp2_probe, +- .remove = msm_tspp2_remove, +- .driver = { +- .name = "msm_tspp2", +- .pm = &tspp2_dev_pm_ops, +- .of_match_table = msm_tspp2_match_table, +- }, +-}; +- +-/** +- * tspp2_module_init() - TSPP2 driver module init function. +- * +- * Return 0 on success, error value otherwise. 
+- */ +-static int __init tspp2_module_init(void) +-{ +- int rc; +- +- rc = platform_driver_register(&msm_tspp2_driver); +- if (rc) +- pr_err("%s: platform_driver_register failed: %d\n", +- __func__, rc); +- +- return rc; +-} +- +-/** +- * tspp2_module_exit() - TSPP2 driver module exit function. +- */ +-static void __exit tspp2_module_exit(void) +-{ +- platform_driver_unregister(&msm_tspp2_driver); +-} +- +-module_init(tspp2_module_init); +-module_exit(tspp2_module_exit); +- +-MODULE_DESCRIPTION("TSPP2 (Transport Stream Packet Processor v2) platform device driver"); +-MODULE_LICENSE("GPL v2"); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2015-1420/3.2/0.patch b/Patches/Linux_CVEs/CVE-2015-1420/3.2-3.19/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-1420/3.2/0.patch rename to Patches/Linux_CVEs/CVE-2015-1420/3.2-3.19/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2015-1465/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-1465/ANY/0001.patch similarity index 94% rename from Patches/Linux_CVEs/CVE-2015-1465/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-1465/ANY/0001.patch index 895fdaf4..30f515a8 100644 --- a/Patches/Linux_CVEs/CVE-2015-1465/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2015-1465/ANY/0001.patch @@ -1,7 +1,7 @@ From df4d92549f23e1c037e83323aff58a21b3de7fe0 Mon Sep 17 00:00:00 2001 From: Hannes Frederic Sowa Date: Fri, 23 Jan 2015 12:01:26 +0100 -Subject: [PATCH] ipv4: try to cache dst_entries which would cause a redirect +Subject: ipv4: try to cache dst_entries which would cause a redirect Not caching dst_entries which cause redirects could be exploited by hosts on the same subnet, causing a severe DoS attack. This effect aggravated @@ -32,7 +32,7 @@ Signed-off-by: David S. Miller 3 files changed, 13 insertions(+), 10 deletions(-) diff --git a/include/net/ip.h b/include/net/ip.h -index 0bb620702929e..f7cbd703d15d2 100644 +index 0bb6207..f7cbd70 100644 --- a/include/net/ip.h +++ b/include/net/ip.h 
@@ -39,11 +39,12 @@ struct inet_skb_parm { @@ -54,7 +54,7 @@ index 0bb620702929e..f7cbd703d15d2 100644 u16 frag_max_size; }; diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c -index 3a83ce5efa80e..787b3c294ce67 100644 +index 3a83ce5..787b3c2 100644 --- a/net/ipv4/ip_forward.c +++ b/net/ipv4/ip_forward.c @@ -129,7 +129,8 @@ int ip_forward(struct sk_buff *skb) @@ -68,7 +68,7 @@ index 3a83ce5efa80e..787b3c294ce67 100644 skb->priority = rt_tos2priority(iph->tos); diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index 6a2155b02602b..d58dd0ec3e530 100644 +index 6a2155b..d58dd0e 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1554,11 +1554,10 @@ static int __mkroute_input(struct sk_buff *skb, @@ -95,3 +95,6 @@ index 6a2155b02602b..d58dd0ec3e530 100644 if (nla_put_be32(skb, RTA_DST, dst)) goto nla_put_failure; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2015-1534/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-1534/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-1534/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-1534/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2015-1534/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2015-1534/ANY/0001.patch.base64 similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-1534/ANY/0.patch.base64 rename to Patches/Linux_CVEs/CVE-2015-1534/ANY/0001.patch.base64 diff --git a/Patches/Linux_CVEs/CVE-2015-1593/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-1593/ANY/0001.patch similarity index 89% rename from Patches/Linux_CVEs/CVE-2015-1593/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-1593/ANY/0001.patch index 7226ebdb..b0a281f0 100644 --- a/Patches/Linux_CVEs/CVE-2015-1593/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2015-1593/ANY/0001.patch @@ -1,9 +1,7 @@ -From 805f25c4d886cfff790fa8f309e432dd7923d2c2 Mon Sep 17 00:00:00 2001 +From 4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 Mon Sep 17 00:00:00 2001 
From: Hector Marco-Gisbert Date: Sat, 14 Feb 2015 09:33:50 -0800 -Subject: [PATCH] x86, mm/ASLR: Fix stack randomization on 64-bit systems - -commit 4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 upstream. +Subject: x86, mm/ASLR: Fix stack randomization on 64-bit systems The issue is that the stack for processes is not properly randomized on 64 bit architectures due to an integer overflow. @@ -58,20 +56,20 @@ Signed-off-by: Hector Marco-Gisbert Signed-off-by: Ismael Ripoll [ Rebased, fixed 80 char bugs, cleaned up commit message, added test example and CVE ] Signed-off-by: Kees Cook +Cc: Cc: Linus Torvalds Cc: Andrew Morton Cc: Al Viro Fixes: CVE-2015-1593 Link: http://lkml.kernel.org/r/20150214173350.GA18393@www.outflux.net Signed-off-by: Borislav Petkov -Signed-off-by: Greg Kroah-Hartman --- arch/x86/mm/mmap.c | 6 +++--- fs/binfmt_elf.c | 5 +++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c -index 919b91205cd4..df4552bd239e 100644 +index 919b912..df4552b 100644 --- a/arch/x86/mm/mmap.c +++ b/arch/x86/mm/mmap.c @@ -35,12 +35,12 @@ struct va_alignment __read_mostly va_align = { @@ -91,10 +89,10 @@ index 919b91205cd4..df4552bd239e 100644 return max; diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c -index d8fc0605b9d2..e1efcaa1b245 100644 +index 02b1691..995986b 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c -@@ -554,11 +554,12 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex, +@@ -645,11 +645,12 @@ out: static unsigned long randomize_stack_top(unsigned long stack_top) { @@ -109,3 +107,6 @@ index d8fc0605b9d2..e1efcaa1b245 100644 random_variable <<= PAGE_SHIFT; } #ifdef CONFIG_STACK_GROWSUP +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2015-1805/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2015-1805/3.10/0002.patch new file mode 100644 index 00000000..4df035f9 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2015-1805/3.10/0002.patch 
@@ -0,0 +1,152 @@ +diff --git a/fs/pipe.c b/fs/pipe.c +index d2c45e1..d866c6f 100644 +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -117,25 +117,27 @@ + } + + static int +-pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len, +- int atomic) ++pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov, ++ size_t *remaining, int atomic) + { + unsigned long copy; + +- while (len > 0) { ++ while (*remaining > 0) { + while (!iov->iov_len) + iov++; +- copy = min_t(unsigned long, len, iov->iov_len); ++ copy = min_t(unsigned long, *remaining, iov->iov_len); + + if (atomic) { +- if (__copy_from_user_inatomic(to, iov->iov_base, copy)) ++ if (__copy_from_user_inatomic(addr + *offset, ++ iov->iov_base, copy)) + return -EFAULT; + } else { +- if (copy_from_user(to, iov->iov_base, copy)) ++ if (copy_from_user(addr + *offset, ++ iov->iov_base, copy)) + return -EFAULT; + } +- to += copy; +- len -= copy; ++ *offset += copy; ++ *remaining -= copy; + iov->iov_base += copy; + iov->iov_len -= copy; + } +@@ -143,25 +145,27 @@ + } + + static int +-pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len, +- int atomic) ++pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset, ++ size_t *remaining, int atomic) + { + unsigned long copy; + +- while (len > 0) { ++ while (*remaining > 0) { + while (!iov->iov_len) + iov++; +- copy = min_t(unsigned long, len, iov->iov_len); ++ copy = min_t(unsigned long, *remaining, iov->iov_len); + + if (atomic) { +- if (__copy_to_user_inatomic(iov->iov_base, from, copy)) ++ if (__copy_to_user_inatomic(iov->iov_base, ++ addr + *offset, copy)) + return -EFAULT; + } else { +- if (copy_to_user(iov->iov_base, from, copy)) ++ if (copy_to_user(iov->iov_base, ++ addr + *offset, copy)) + return -EFAULT; + } +- from += copy; +- len -= copy; ++ *offset += copy; ++ *remaining -= copy; + iov->iov_base += copy; + iov->iov_len -= copy; + } +@@ -395,7 +399,7 @@ + struct pipe_buffer *buf = pipe->bufs + curbuf; + const struct 
pipe_buf_operations *ops = buf->ops; + void *addr; +- size_t chars = buf->len; ++ size_t chars = buf->len, remaining; + int error, atomic; + + if (chars > total_len) +@@ -409,9 +413,11 @@ + } + + atomic = !iov_fault_in_pages_write(iov, chars); ++ remaining = chars; + redo: + addr = ops->map(pipe, buf, atomic); +- error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic); ++ error = pipe_iov_copy_to_user(iov, addr, &buf->offset, ++ &remaining, atomic); + ops->unmap(pipe, buf, addr); + if (unlikely(error)) { + /* +@@ -426,7 +432,6 @@ + break; + } + ret += chars; +- buf->offset += chars; + buf->len -= chars; + + /* Was it a packet buffer? Clean up and exit */ +@@ -531,6 +536,7 @@ + if (ops->can_merge && offset + chars <= PAGE_SIZE) { + int error, atomic = 1; + void *addr; ++ size_t remaining = chars; + + error = ops->confirm(pipe, buf); + if (error) +@@ -539,8 +545,8 @@ + iov_fault_in_pages_read(iov, chars); + redo1: + addr = ops->map(pipe, buf, atomic); +- error = pipe_iov_copy_from_user(offset + addr, iov, +- chars, atomic); ++ error = pipe_iov_copy_from_user(addr, &offset, iov, ++ &remaining, atomic); + ops->unmap(pipe, buf, addr); + ret = error; + do_wakeup = 1; +@@ -575,6 +581,8 @@ + struct page *page = pipe->tmp_page; + char *src; + int error, atomic = 1; ++ int offset = 0; ++ size_t remaining; + + if (!page) { + page = alloc_page(GFP_HIGHUSER); +@@ -595,14 +603,15 @@ + chars = total_len; + + iov_fault_in_pages_read(iov, chars); ++ remaining = chars; + redo2: + if (atomic) + src = kmap_atomic(page); + else + src = kmap(page); + +- error = pipe_iov_copy_from_user(src, iov, chars, +- atomic); ++ error = pipe_iov_copy_from_user(src, &offset, iov, ++ &remaining, atomic); + if (atomic) + kunmap_atomic(src); + else diff --git a/Patches/Linux_CVEs/CVE-2015-1805/3.10/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2015-1805/3.10/0002.patch.base64 new file mode 100644 index 00000000..42ecdafc --- /dev/null 
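Review bot: The new `3.10/0002.patch` begins directly at `diff --git a/fs/pipe.c b/fs/pipe.c` with no `From`, `Subject` or upstream commit id, so the file does not say which fix for CVE-2015-1805 it was taken from or who backported it. The same holds for `3.14/0003.patch` and `3.4/0001.patch` added further down. The CVE-2015-1465 and CVE-2015-1593 patches in this commit keep their mail headers, which is what lets a reviewer compare them against the original change. I would add a short header to each of the three files, e.g. `From <upstream-commit-id> Mon Sep 17 00:00:00 2001` and `Subject: <original subject>`, plus one line naming the kernel tree the hunk offsets come from.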
+++ b/Patches/Linux_CVEs/CVE-2015-1805/3.10/0002.patch.base64
@@ -0,0 +1 @@ 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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2015-1805/3.14/0003.patch b/Patches/Linux_CVEs/CVE-2015-1805/3.14/0003.patch
new file mode 100644
index 00000000..0f9c18b8
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2015-1805/3.14/0003.patch
@@ -0,0 +1,152 @@ +diff --git a/fs/pipe.c b/fs/pipe.c +index 78fd0d0..46f1ab2 100644 +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -117,25 +117,27 @@ + } + + static int +-pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len, +- int atomic) ++pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov, ++ size_t *remaining, int atomic) + { + unsigned long copy; + +- while (len > 0) { ++ while (*remaining > 0) { + while (!iov->iov_len) + iov++; +- copy = min_t(unsigned long, len, iov->iov_len); ++ copy = min_t(unsigned long, *remaining, iov->iov_len); + + if (atomic) { +- if (__copy_from_user_inatomic(to, iov->iov_base, copy)) ++ if (__copy_from_user_inatomic(addr + *offset, ++ iov->iov_base, copy)) + return -EFAULT; + } else { +- if (copy_from_user(to, iov->iov_base, copy)) ++ if (copy_from_user(addr + *offset, ++ iov->iov_base, copy)) + return -EFAULT; + } +- to += copy; +- len -= copy; ++ *offset += copy; ++ *remaining -= copy; + iov->iov_base += copy; + iov->iov_len -= copy; + } +@@ -143,25 +145,27 @@ + } + + static int +-pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len, +- int atomic) ++pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset, ++ size_t *remaining, int atomic) + { + unsigned long copy; + +- while (len > 0) { ++ while (*remaining > 0) { + while (!iov->iov_len) + iov++; +- copy = min_t(unsigned long, len, iov->iov_len); ++ copy = min_t(unsigned long, *remaining, iov->iov_len); + + if (atomic) { +- if (__copy_to_user_inatomic(iov->iov_base, from, copy)) ++ if (__copy_to_user_inatomic(iov->iov_base, ++ addr + *offset, copy)) + return -EFAULT; + } else { +- if (copy_to_user(iov->iov_base, from, copy)) ++ if (copy_to_user(iov->iov_base, ++ addr + *offset, copy)) + return -EFAULT; + } +- from += copy; +- len -= copy; ++ *offset += copy; ++ *remaining -= copy; + iov->iov_base += copy; + iov->iov_len -= copy; + } +@@ -395,7 +399,7 @@ + struct pipe_buffer *buf = pipe->bufs + curbuf; + const struct 
pipe_buf_operations *ops = buf->ops; + void *addr; +- size_t chars = buf->len; ++ size_t chars = buf->len, remaining; + int error, atomic; + + if (chars > total_len) +@@ -409,9 +413,11 @@ + } + + atomic = !iov_fault_in_pages_write(iov, chars); ++ remaining = chars; + redo: + addr = ops->map(pipe, buf, atomic); +- error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic); ++ error = pipe_iov_copy_to_user(iov, addr, &buf->offset, ++ &remaining, atomic); + ops->unmap(pipe, buf, addr); + if (unlikely(error)) { + /* +@@ -426,7 +432,6 @@ + break; + } + ret += chars; +- buf->offset += chars; + buf->len -= chars; + + /* Was it a packet buffer? Clean up and exit */ +@@ -531,6 +536,7 @@ + if (ops->can_merge && offset + chars <= PAGE_SIZE) { + int error, atomic = 1; + void *addr; ++ size_t remaining = chars; + + error = ops->confirm(pipe, buf); + if (error) +@@ -539,8 +545,8 @@ + iov_fault_in_pages_read(iov, chars); + redo1: + addr = ops->map(pipe, buf, atomic); +- error = pipe_iov_copy_from_user(offset + addr, iov, +- chars, atomic); ++ error = pipe_iov_copy_from_user(addr, &offset, iov, ++ &remaining, atomic); + ops->unmap(pipe, buf, addr); + ret = error; + do_wakeup = 1; +@@ -575,6 +581,8 @@ + struct page *page = pipe->tmp_page; + char *src; + int error, atomic = 1; ++ int offset = 0; ++ size_t remaining; + + if (!page) { + page = alloc_page(GFP_HIGHUSER); +@@ -595,14 +603,15 @@ + chars = total_len; + + iov_fault_in_pages_read(iov, chars); ++ remaining = chars; + redo2: + if (atomic) + src = kmap_atomic(page); + else + src = kmap(page); + +- error = pipe_iov_copy_from_user(src, iov, chars, +- atomic); ++ error = pipe_iov_copy_from_user(src, &offset, iov, ++ &remaining, atomic); + if (atomic) + kunmap_atomic(src); + else diff --git a/Patches/Linux_CVEs/CVE-2015-1805/3.14/0003.patch.base64 b/Patches/Linux_CVEs/CVE-2015-1805/3.14/0003.patch.base64 new file mode 100644 index 00000000..870cdeab --- /dev/null 
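Review bot: After a failed non-atomic copy in the read path, `buf->offset` and `buf->len` can end up disagreeing. `pipe_iov_copy_to_user()` now advances `*offset` (here `&buf->offset`) for every segment it copies before returning `-EFAULT`, while `buf->len -= chars` is reached only on success. The error branch is elided between the inner hunks, so this is inferred; if it still only sets `ret` and breaks, the next read would start at the advanced offset with the old length. It is worth checking against the upstream fix and, if confirmed, accounting for the copied part on that path, e.g. `buf->len -= chars - remaining;` before the `break`. The 3.10 and 3.4 copies of this patch contain the same code.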
+++ b/Patches/Linux_CVEs/CVE-2015-1805/3.14/0003.patch.base64
@@ -0,0 +1 @@ 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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2015-1805/3.4-^3.16/0.patch b/Patches/Linux_CVEs/CVE-2015-1805/3.16/0004.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-1805/3.4-^3.16/0.patch
rename to Patches/Linux_CVEs/CVE-2015-1805/3.16/0004.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-1805/3.4/0001.patch b/Patches/Linux_CVEs/CVE-2015-1805/3.4/0001.patch
new file mode 100644
index 00000000..ec40d3ec
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2015-1805/3.4/0001.patch
@@ -0,0 +1,152 @@ +diff --git a/fs/pipe.c b/fs/pipe.c +index 125f32f..a6321e0 100644 +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -104,25 +104,27 @@ + } + + static int +-pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len, +- int atomic) ++pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov, ++ size_t *remaining, int atomic) + { + unsigned long copy; + +- while (len > 0) { ++ while (*remaining > 0) { + while (!iov->iov_len) + iov++; +- copy = min_t(unsigned long, len, iov->iov_len); ++ copy = min_t(unsigned long, *remaining, iov->iov_len); + + if (atomic) { +- if (__copy_from_user_inatomic(to, iov->iov_base, copy)) ++ if (__copy_from_user_inatomic(addr + *offset, ++ iov->iov_base, copy)) + return -EFAULT; + } else { +- if (copy_from_user(to, iov->iov_base, copy)) ++ if (copy_from_user(addr + *offset, ++ iov->iov_base, copy)) + return -EFAULT; + } +- to += copy; +- len -= copy; ++ *offset += copy; ++ *remaining -= copy; + iov->iov_base += copy; + iov->iov_len -= copy; + } +@@ -130,25 +132,27 @@ + } + + static int +-pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len, +- int atomic) ++pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset, ++ size_t *remaining, int atomic) + { + unsigned long copy; + +- while (len > 0) { ++ while (*remaining > 0) { + while (!iov->iov_len) + iov++; +- copy = min_t(unsigned long, len, iov->iov_len); ++ copy = min_t(unsigned long, *remaining, iov->iov_len); + + if (atomic) { +- if (__copy_to_user_inatomic(iov->iov_base, from, copy)) ++ if (__copy_to_user_inatomic(iov->iov_base, ++ addr + *offset, copy)) + return -EFAULT; + } else { +- if (copy_to_user(iov->iov_base, from, copy)) ++ if (copy_to_user(iov->iov_base, ++ addr + *offset, copy)) + return -EFAULT; + } +- from += copy; +- len -= copy; ++ *offset += copy; ++ *remaining -= copy; + iov->iov_base += copy; + iov->iov_len -= copy; + } +@@ -384,7 +388,7 @@ + struct pipe_buffer *buf = pipe->bufs + curbuf; + const struct 
pipe_buf_operations *ops = buf->ops; + void *addr; +- size_t chars = buf->len; ++ size_t chars = buf->len, remaining; + int error, atomic; + + if (chars > total_len) +@@ -398,9 +402,11 @@ + } + + atomic = !iov_fault_in_pages_write(iov, chars); ++ remaining = chars; + redo: + addr = ops->map(pipe, buf, atomic); +- error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic); ++ error = pipe_iov_copy_to_user(iov, addr, &buf->offset, ++ &remaining, atomic); + ops->unmap(pipe, buf, addr); + if (unlikely(error)) { + /* +@@ -415,7 +421,6 @@ + break; + } + ret += chars; +- buf->offset += chars; + buf->len -= chars; + + /* Was it a packet buffer? Clean up and exit */ +@@ -522,6 +527,7 @@ + if (ops->can_merge && offset + chars <= PAGE_SIZE) { + int error, atomic = 1; + void *addr; ++ size_t remaining = chars; + + error = ops->confirm(pipe, buf); + if (error) +@@ -530,8 +536,8 @@ + iov_fault_in_pages_read(iov, chars); + redo1: + addr = ops->map(pipe, buf, atomic); +- error = pipe_iov_copy_from_user(offset + addr, iov, +- chars, atomic); ++ error = pipe_iov_copy_from_user(addr, &offset, iov, ++ &remaining, atomic); + ops->unmap(pipe, buf, addr); + ret = error; + do_wakeup = 1; +@@ -566,6 +572,8 @@ + struct page *page = pipe->tmp_page; + char *src; + int error, atomic = 1; ++ int offset = 0; ++ size_t remaining; + + if (!page) { + page = alloc_page(GFP_HIGHUSER); +@@ -586,14 +594,15 @@ + chars = total_len; + + iov_fault_in_pages_read(iov, chars); ++ remaining = chars; + redo2: + if (atomic) + src = kmap_atomic(page); + else + src = kmap(page); + +- error = pipe_iov_copy_from_user(src, iov, chars, +- atomic); ++ error = pipe_iov_copy_from_user(src, &offset, iov, ++ &remaining, atomic); + if (atomic) + kunmap_atomic(src); + else diff --git a/Patches/Linux_CVEs/CVE-2015-1805/3.4/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2015-1805/3.4/0001.patch.base64 new file mode 100644 index 00000000..c27350af --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2015-1805/3.4/0001.patch.base64 
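Review bot: In the pipe_read() part of this backport, `pipe_iov_copy_to_user(iov, addr, &buf->offset, &remaining, atomic)` lets the helper advance `buf->offset` in place, while `buf->len` is only reduced after a successful copy. If the non-atomic retry also faults after part of the data has been copied, the error branch (only partly visible in the inner context) appears to leave `buf->offset` moved forward with `buf->len` unchanged, so the buffer's offset and length no longer describe the same bytes. Working on a local copy keeps the buffer consistent: add `int offset = buf->offset;` before `redo:`, pass `&offset`, and keep `buf->offset += chars;` on the success path. The helper takes `int *offset`, so passing the address of the buffer field also relies on that field's type, which is declared outside the hunk. The 3.14 variant of this patch earlier in the commit makes the same call.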
@@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2015-2041/3.2/1.patch b/Patches/Linux_CVEs/CVE-2015-2041/3.2/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-2041/3.2/1.patch rename to Patches/Linux_CVEs/CVE-2015-2041/3.2/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2015-2041/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-2041/^3.19/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-2041/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-2041/^3.19/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2015-2686/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-2686/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-2686/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-2686/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2015-2922/ANY/0.patch.disabled b/Patches/Linux_CVEs/CVE-2015-2922/ANY/0001.patch similarity index 94% rename from Patches/Linux_CVEs/CVE-2015-2922/ANY/0.patch.disabled rename to Patches/Linux_CVEs/CVE-2015-2922/ANY/0001.patch index ace47011..6d201090 100644 --- a/Patches/Linux_CVEs/CVE-2015-2922/ANY/0.patch.disabled +++ b/Patches/Linux_CVEs/CVE-2015-2922/ANY/0001.patch @@ -1,7 +1,7 @@ From 6fd99094de2b83d1d4c8457f2c83483b2828e75a Mon Sep 17 00:00:00 2001 From: "D.S. Ljungmark" Date: Wed, 25 Mar 2015 09:28:15 +0100 -Subject: [PATCH] ipv6: Don't reduce hop limit for an interface +Subject: ipv6: Don't reduce hop limit for an interface A local route may have a lower hop_limit set than global routes do. @@ -24,7 +24,7 @@ Signed-off-by: David S. Miller 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c -index 471ed24aabaec..14ecdaf06bf74 100644 +index 471ed24..14ecdaf 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c @@ -1218,7 +1218,14 @@ static void ndisc_router_discovery(struct sk_buff *skb) 
@@ -43,3 +43,6 @@ index 471ed24aabaec..14ecdaf06bf74 100644 if (rt) dst_metric_set(&rt->dst, RTAX_HOPLIMIT, ra_msg->icmph.icmp6_hop_limit); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2015-3288/3.2/1.patch b/Patches/Linux_CVEs/CVE-2015-3288/3.2/1.patch deleted file mode 100644 index 673a7158..00000000 --- a/Patches/Linux_CVEs/CVE-2015-3288/3.2/1.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From e2506476534cff7bb3697fbe0654fdefd101bc80 Mon Sep 17 00:00:00 2001 -From: "Kirill A. Shutemov" -Date: Mon, 6 Jul 2015 23:18:37 +0300 -Subject: mm: avoid setting up anonymous pages into file mapping - -commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d upstream. - -Reading page fault handler code I've noticed that under right -circumstances kernel would map anonymous pages into file mappings: if -the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated -on ->mmap(), kernel would handle page fault to not populated pte with -do_anonymous_page(). - -Let's change page fault handler to use do_anonymous_page() only on -anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not -shared. - -For file mappings without vm_ops->fault() or shred VMA without vm_ops, -page fault on pte_none() entry would lead to SIGBUS. - -Signed-off-by: Kirill A. Shutemov -Acked-by: Oleg Nesterov -Cc: Andrew Morton -Cc: Willy Tarreau -Signed-off-by: Linus Torvalds -[bwh: Backported to 3.2: adjust context] -Signed-off-by: Ben Hutchings ---- - mm/memory.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/mm/memory.c b/mm/memory.c -index 452b8ba..7762b1d 100644 ---- a/mm/memory.c -+++ b/mm/memory.c -@@ -3153,6 +3153,10 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, - - pte_unmap(page_table); - -+ /* File mapping without ->vm_ops ? 
*/ -+ if (vma->vm_flags & VM_SHARED) -+ return VM_FAULT_SIGBUS; -+ - /* Check if we need to add a guard page to the stack */ - if (check_stack_guard_page(vma, address) < 0) - return VM_FAULT_SIGSEGV; -@@ -3412,6 +3416,9 @@ static int do_linear_fault(struct mm_struct *mm, struct vm_area_struct *vma, - - vma->vm_start) >> PAGE_SHIFT) + vma->vm_pgoff; - - pte_unmap(page_table); -+ /* The VMA was not fully populated on mmap() or missing VM_DONTEXPAND */ -+ if (!vma->vm_ops->fault) -+ return VM_FAULT_SIGBUS; - return __do_fault(mm, vma, address, pmd, pgoff, flags, orig_pte); - } - -@@ -3470,11 +3477,9 @@ int handle_pte_fault(struct mm_struct *mm, - entry = *pte; - if (!pte_present(entry)) { - if (pte_none(entry)) { -- if (vma->vm_ops) { -- if (likely(vma->vm_ops->fault)) -- return do_linear_fault(mm, vma, address, -+ if (vma->vm_ops) -+ return do_linear_fault(mm, vma, address, - pte, pmd, flags, entry); -- } - return do_anonymous_page(mm, vma, address, - pte, pmd, flags); - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2015-3288/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-3288/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-3288/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-3288/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2015-3339/3.2/1.patch b/Patches/Linux_CVEs/CVE-2015-3339/3.2/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-3339/3.2/1.patch rename to Patches/Linux_CVEs/CVE-2015-3339/3.2/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2015-3339/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-3339/^3.19/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-3339/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-3339/^3.19/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2015-3636/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-3636/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-3636/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-3636/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2015-4170/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-4170/3.10^/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-4170/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-4170/3.10^/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2015-4177/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-4177/4.0/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-4177/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-4177/4.0/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2015-5366/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-5364/ANY/0001.patch similarity index 83% rename from Patches/Linux_CVEs/CVE-2015-5366/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-5364/ANY/0001.patch index 4d1978db..58c295cc 100644 --- a/Patches/Linux_CVEs/CVE-2015-5366/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2015-5364/ANY/0001.patch @@ -1,7 +1,7 @@ From beb39db59d14990e401e235faf66a6b9b31240b0 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Sat, 30 May 2015 09:16:53 -0700 -Subject: [PATCH] udp: fix behavior of wrong checksums +Subject: udp: fix behavior of wrong checksums We have two problems in UDP stack related to bogus checksums : @@ -27,10 +27,10 @@ Signed-off-by: David S. Miller 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index d10b7e0112ebd..1c92ea67baefe 100644 +index d10b7e0..1c92ea6 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c -@@ -1345,10 +1345,8 @@ int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock, +@@ -1345,10 +1345,8 @@ csum_copy_err: } unlock_sock_fast(sk, slow); @@ -44,10 +44,10 @@ index d10b7e0112ebd..1c92ea67baefe 100644 goto try_again; } diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index c2ec41617a354..e51fc3eee6dbd 100644 +index c2ec416..e51fc3e 100644 --- a/net/ipv6/udp.c 
+++ b/net/ipv6/udp.c -@@ -525,10 +525,8 @@ int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, +@@ -525,10 +525,8 @@ csum_copy_err: } unlock_sock_fast(sk, slow); @@ -60,3 +60,6 @@ index c2ec41617a354..e51fc3eee6dbd 100644 msg->msg_flags &= ~MSG_TRUNC; goto try_again; } +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-5967/3.10/1.patch b/Patches/Linux_CVEs/CVE-2015-5366/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-5967/3.10/1.patch rename to Patches/Linux_CVEs/CVE-2015-5366/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-5967/3.10/1.patch.base64 b/Patches/Linux_CVEs/CVE-2015-5366/3.10/0001.patch.base64 similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-5967/3.10/1.patch.base64 rename to Patches/Linux_CVEs/CVE-2015-5366/3.10/0001.patch.base64 diff --git a/Patches/Linux_CVEs/CVE-2017-5967/3.18/2.patch b/Patches/Linux_CVEs/CVE-2015-5366/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-5967/3.18/2.patch rename to Patches/Linux_CVEs/CVE-2015-5366/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-5967/3.18/2.patch.base64 b/Patches/Linux_CVEs/CVE-2015-5366/3.18/0002.patch.base64 similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-5967/3.18/2.patch.base64 rename to Patches/Linux_CVEs/CVE-2015-5366/3.18/0002.patch.base64 diff --git a/Patches/Linux_CVEs/CVE-2017-5967/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-5366/^4.9/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-5967/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-5366/^4.9/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2015-5697/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-5697/^4.1/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-5697/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-5697/^4.1/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2015-5706/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-5706/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-5706/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-5706/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-5707/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-5707/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-5707/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-5707/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-5707/ANY/1.patch b/Patches/Linux_CVEs/CVE-2015-5707/ANY/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-5707/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2015-5707/ANY/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-6619/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-6619/ANY/0001.patch
new file mode 100644
index 00000000..80074c66
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2015-6619/ANY/0001.patch
@@ -0,0 +1,5 @@
+diff --git a/Image.gz-dtb b/Image.gz-dtb
+index afa7ae0..cc18024 100644
+--- a/Image.gz-dtb
++++ b/Image.gz-dtb
+Binary files differ
diff --git a/Patches/Linux_CVEs/CVE-2015-6619/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2015-6619/ANY/0001.patch.base64
new file mode 100644
index 00000000..e4224e14
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2015-6619/ANY/0001.patch.base64
@@ -0,0 +1 @@
+ZGlmZiAtLWdpdCBhL0ltYWdlLmd6LWR0YiBiL0ltYWdlLmd6LWR0YgppbmRleCBhZmE3YWUwLi5jYzE4MDI0IDEwMDY0NAotLS0gYS9JbWFnZS5nei1kdGIKKysrIGIvSW1hZ2UuZ3otZHRiCkJpbmFyeSBmaWxlcyBkaWZmZXIK
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2015-6640/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-6640/ANY/0001.patch
new file mode 100644
index 00000000..5c34a971
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2015-6640/ANY/0001.patch
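Review bot: The new CVE-2015-6619 `0001.patch` holds only a binary-diff stub for `Image.gz-dtb` (`Binary files differ`), with no source change and no binary payload, so a patch tool has nothing to apply to a kernel tree. Keeping it under the CVE directory risks the CVE being counted as covered when no fix is carried. The `.base64` companion added next to it appears to encode the same five lines. I would drop both files, or replace them with the source-level fix once it is identified, and record the CVE as unpatched until then.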
@@ -0,0 +1,13 @@ +diff --git a/kernel/sys.c b/kernel/sys.c +index f7e7a8b..800c5f2 100644 +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1934,7 +1934,7 @@ + tmp = end; + + /* Here vma->vm_start <= start < tmp <= (end|vma->vm_end). */ +- error = prctl_update_vma_anon_name(vma, &prev, start, end, ++ error = prctl_update_vma_anon_name(vma, &prev, start, tmp, + (const char __user *)arg); + if (error) + return error; diff --git a/Patches/Linux_CVEs/CVE-2015-6640/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2015-6640/ANY/0001.patch.base64 new file mode 100644 index 00000000..59cf86e6 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2015-6640/ANY/0001.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2015-6642/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-6642/ANY/0001.patch new file mode 100644 index 00000000..5ac59d67 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2015-6642/ANY/0001.patch 
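Review bot: The CVE-2015-6640 patch file is a bare diff with no `From`/`Subject` header, commit id or sign-off, so the one-argument change in kernel/sys.c (`end` replaced by `tmp` in the `prctl_update_vma_anon_name()` call) cannot be traced to its source from the file itself. The CVE-2015-1805/3.4 and CVE-2015-6619 files added in this commit have the same gap, whereas files such as the CVE-2015-6642 one keep the full commit header. For a security patch set, a leading provenance line such as `Origin: <upstream commit id or URL>` in each headerless file would let a reviewer verify the fix against its source.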
@@ -0,0 +1,57 @@ +From 4ad825ba2968666069740c3e80fe31ed3d0e29ba Mon Sep 17 00:00:00 2001 +From: Arun Kumar Neelakantam +Date: Wed, 27 Jan 2016 18:46:01 +0530 +Subject: net: ipc_router: fix leak of kernel memory to userspace + +The service info structure is allocated with uninitialized memory for the +max number of services and returns the complete structure to the usersapce +resulting in the information leak if lookup operation finds less number of +services than the requested number. + +Check the minimum of requested and available services and copy the minimum +information to the user-space. + +CRs-Fixed: 965934 +Change-Id: Ic97f875855fdc6440c1db1d8d0338ee8b03a9d0a +Signed-off-by: Arun Kumar Neelakantam +--- + net/ipc_router/ipc_router_socket.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/net/ipc_router/ipc_router_socket.c b/net/ipc_router/ipc_router_socket.c +index b127120..c26993c 100644 +--- a/net/ipc_router/ipc_router_socket.c ++++ b/net/ipc_router/ipc_router_socket.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -496,13 +496,18 @@ static int msm_ipc_router_ioctl(struct socket *sock, + + ret = copy_to_user((void *)arg, &server_arg, + sizeof(server_arg)); +- if (srv_info_sz) { ++ ++ n = min(server_arg.num_entries_found, ++ server_arg.num_entries_in_array); ++ ++ if (ret == 0 && n) { + ret = copy_to_user((void *)(arg + sizeof(server_arg)), +- srv_info, srv_info_sz); +- if (ret) +- ret = -EFAULT; +- kfree(srv_info); ++ srv_info, n * sizeof(*srv_info)); + } ++ ++ if (ret) ++ ret = -EFAULT; ++ kfree(srv_info); + break; + + case IPC_ROUTER_IOCTL_BIND_CONTROL_PORT: +-- +cgit v1.1 + 
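Review bot: The added bound `n = min(server_arg.num_entries_found, server_arg.num_entries_in_array)` limits how many entries are copied, but `srv_info` is still the uninitialised allocation the commit message describes, so any padding or unfilled field inside the first `n` entries could still reach userspace. Allocating the array zeroed at the allocation site (outside this hunk), for example with `kcalloc()`, would close that as well and leave the length check as defence in depth. `n` is declared outside the hunk; if `num_entries_found` can be negative after a failed lookup, the guard would be safer as `if (ret == 0 && n > 0)` before `n * sizeof(*srv_info)` is computed.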
diff --git a/Patches/Linux_CVEs/CVE-2015-7509/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-7509/^3.7/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-7509/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-7509/^3.7/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-7515/3.2-^4.4/1.patch b/Patches/Linux_CVEs/CVE-2015-7515/3.2/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-7515/3.2-^4.4/1.patch
rename to Patches/Linux_CVEs/CVE-2015-7515/3.2/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-7515/^4.4/0.patch b/Patches/Linux_CVEs/CVE-2015-7515/^4.4/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-7515/^4.4/0.patch
rename to Patches/Linux_CVEs/CVE-2015-7515/^4.4/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-7550/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-7550/^4.3/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-7550/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-7550/^4.3/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-7872/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-7872/ANY/0001.patch
new file mode 100644
index 00000000..7fcac29f
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2015-7872/ANY/0001.patch
@@ -0,0 +1,79 @@ +From f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Thu, 15 Oct 2015 17:21:37 +0100 +Subject: KEYS: Fix crash when attempt to garbage collect an uninstantiated + keyring + +The following sequence of commands: + + i=`keyctl add user a a @s` + keyctl request2 keyring foo bar @t + keyctl unlink $i @s + +tries to invoke an upcall to instantiate a keyring if one doesn't already +exist by that name within the user's keyring set. However, if the upcall +fails, the code sets keyring->type_data.reject_error to -ENOKEY or some +other error code. When the key is garbage collected, the key destroy +function is called unconditionally and keyring_destroy() uses list_empty() +on keyring->type_data.link - which is in a union with reject_error. +Subsequently, the kernel tries to unlink the keyring from the keyring names +list - which oopses like this: + + BUG: unable to handle kernel paging request at 00000000ffffff8a + IP: [] keyring_destroy+0x3d/0x88 + ... + Workqueue: events key_garbage_collector + ... + RIP: 0010:[] keyring_destroy+0x3d/0x88 + RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203 + RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40 + RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000 + R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900 + R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000 + ... + CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0 + ... + Call Trace: + [] key_gc_unused_keys.constprop.1+0x5d/0x10f + [] key_garbage_collector+0x1fa/0x351 + [] process_one_work+0x28e/0x547 + [] worker_thread+0x26e/0x361 + [] ? rescuer_thread+0x2a8/0x2a8 + [] kthread+0xf3/0xfb + [] ? kthread_create_on_node+0x1c2/0x1c2 + [] ret_from_fork+0x3f/0x70 + [] ? kthread_create_on_node+0x1c2/0x1c2 + +Note the value in RAX. This is a 32-bit representation of -ENOKEY. 
+ +The solution is to only call ->destroy() if the key was successfully +instantiated. + +Reported-by: Dmitry Vyukov +Signed-off-by: David Howells +Tested-by: Dmitry Vyukov +--- + security/keys/gc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/security/keys/gc.c b/security/keys/gc.c +index 39eac1f..addf060 100644 +--- a/security/keys/gc.c ++++ b/security/keys/gc.c +@@ -134,8 +134,10 @@ static noinline void key_gc_unused_keys(struct list_head *keys) + kdebug("- %u", key->serial); + key_check(key); + +- /* Throw away the key data */ +- if (key->type->destroy) ++ /* Throw away the key data if the key is instantiated */ ++ if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) && ++ !test_bit(KEY_FLAG_NEGATIVE, &key->flags) && ++ key->type->destroy) + key->type->destroy(key); + + security_key_free(key); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2015-8019/3.10/0.patch b/Patches/Linux_CVEs/CVE-2015-8019/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-8019/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2015-8019/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2015-8019/3.18/1.patch b/Patches/Linux_CVEs/CVE-2015-8019/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-8019/3.18/1.patch rename to Patches/Linux_CVEs/CVE-2015-8019/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2015-8019/ANY/2.patch b/Patches/Linux_CVEs/CVE-2015-8019/4.3/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-8019/ANY/2.patch rename to Patches/Linux_CVEs/CVE-2015-8019/4.3/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2015-8539/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8539/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-8539/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-8539/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2015-8543/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8543/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8543/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-8543/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8575/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8575/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8575/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-8575/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8785/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8785/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8785/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-8785/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8830/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8830/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8830/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-8830/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8830/ANY/1.patch b/Patches/Linux_CVEs/CVE-2015-8830/ANY/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8830/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2015-8830/ANY/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8839/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8839/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8839/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-8839/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8839/ANY/1.patch b/Patches/Linux_CVEs/CVE-2015-8839/ANY/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8839/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2015-8839/ANY/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8937/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8937/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8937/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-8937/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8938/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8938/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8938/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-8938/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8939/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8939/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8939/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-8939/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8940/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8940/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8940/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-8940/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8941/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8941/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8941/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-8941/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8942/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8942/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8942/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-8942/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8943/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8943/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8943/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-8943/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8944/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8944/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8944/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-8944/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8950/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2015-8950/ANY/0001.patch
new file mode 100644
index 00000000..69f66afc
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2015-8950/ANY/0001.patch
@@ -0,0 +1,53 @@ +From 6e2c437a2d0a85d90d3db85a7471f99764f7bbf8 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Thu, 23 Apr 2015 12:46:16 +0100 +Subject: arm64: dma-mapping: always clear allocated buffers + +[ Upstream commit 6829e274a623187c24f7cfc0e3d35f25d087fcc5 ] + +Buffers allocated by dma_alloc_coherent() are always zeroed on Alpha, +ARM (32bit), MIPS, PowerPC, x86/x86_64 and probably other architectures. +It turned out that some drivers rely on this 'feature'. Allocated buffer +might be also exposed to userspace with dma_mmap() call, so clearing it +is desired from security point of view to avoid exposing random memory +to userspace. This patch unifies dma_alloc_coherent() behavior on ARM64 +architecture with other implementations by unconditionally zeroing +allocated buffer. + +CRs-Fixed: 1041735 +Change-Id: I74bf024e0f603ca8c0b05430dc2ee154d579cfb2 +Cc: # v3.14+ +Signed-off-by: Marek Szyprowski +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Git-commit: a142e9641dcbead2c8845c949ad518acac96ed28 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git +[lmark@codeaurora.org: resolve merge conflicts] +Signed-off-by: Liam Mark +--- + arch/arm64/mm/dma-mapping.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/mm/dma-mapping.c b/arch/arm64/mm/dma-mapping.c +index 9b4716e..2678f6e 100644 +--- a/arch/arm64/mm/dma-mapping.c ++++ b/arch/arm64/mm/dma-mapping.c +@@ -88,6 +88,7 @@ static void *__alloc_from_pool(size_t size, struct page **ret_page) + if (pageno < pool->nr_pages) { + bitmap_set(pool->bitmap, pageno, count); + ptr = pool->vaddr + PAGE_SIZE * pageno; ++ memset(ptr, 0, size); + *ret_page = pool->pages[pageno]; + } else { + pr_err_once("ERROR: %u KiB atomic DMA coherent pool is too small!\n" +@@ -208,6 +209,7 @@ static void *arm64_swiotlb_alloc_coherent(struct device *dev, size_t size, + + page = pfn_to_page(pfn); + addr = page_address(page); ++ memset(addr, 0, size); + + if 
(dma_get_attr(DMA_ATTR_NO_KERNEL_MAPPING, attrs) || + dma_get_attr(DMA_ATTR_STRONGLY_ORDERED, attrs)) { +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2015-8951/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8951/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-8951/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-8951/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2015-8951/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2015-8951/3.18/0002.patch new file mode 100644 index 00000000..ea1052cc --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2015-8951/3.18/0002.patch 
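Review bot: Both added `memset()` calls clear exactly `size` bytes, while the exposure named in the commit message is a buffer handed to userspace through dma_mmap(), which works on whole pages. In `__alloc_from_pool()` the reservation is `count` pages (`bitmap_set(pool->bitmap, pageno, count)`), and in `arm64_swiotlb_alloc_coherent()` the buffer is addressed by page; if `size` is not already page-aligned at these points, the tail of the last page keeps its previous contents. Both function bodies extend outside the hunk, so the alignment cannot be confirmed here. Clearing the full allocation, `memset(ptr, 0, PAGE_SIZE * count);` in the pool path and `memset(addr, 0, PAGE_ALIGN(size));` in the other, removes the dependency on what the caller passes.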
@@ -0,0 +1,76 @@ +From 0aed2b7e739f7e528ffd8dac3c0c14deb82c9acf Mon Sep 17 00:00:00 2001 +From: Vidyakumar Athota +Date: Wed, 16 Dec 2015 15:42:39 -0800 +Subject: ASoC: msm-lsm-client: free lsm client data in msm_lsm_close + +Currently lsm client data is deallocated when q6lsm_open() fails +which can cause memory corruption if lsm client data is accessed +after freed. Fix this issue by deallocating the client data only +in msm_lsm_close(). + +Change-Id: If048c26a0ffd8a346a28622183cbf2ba1e7e5ff3 +Signed-off-by: Vidyakumar Athota +--- + include/sound/q6lsm.h | 1 + + sound/soc/msm/qdsp6v2/msm-lsm-client.c | 10 +++++++--- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/include/sound/q6lsm.h b/include/sound/q6lsm.h +index 7cb7e15..fb848bc 100644 +--- a/include/sound/q6lsm.h ++++ b/include/sound/q6lsm.h +@@ -71,6 +71,7 @@ struct lsm_client { + uint16_t connect_to_port; + uint8_t num_confidence_levels; + uint8_t *confidence_levels; ++ bool opened; + bool started; + dma_addr_t lsm_cal_phy_addr; + uint32_t lsm_cal_size; +diff --git a/sound/soc/msm/qdsp6v2/msm-lsm-client.c b/sound/soc/msm/qdsp6v2/msm-lsm-client.c +index 37775da..bcd26f6 100644 +--- a/sound/soc/msm/qdsp6v2/msm-lsm-client.c ++++ b/sound/soc/msm/qdsp6v2/msm-lsm-client.c +@@ -746,10 +746,9 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream, + dev_err(rtd->dev, + "%s: lsm open failed, %d\n", + __func__, ret); +- q6lsm_client_free(prtd->lsm_client); +- kfree(prtd); + return ret; + } ++ prtd->lsm_client->opened = true; + dev_dbg(rtd->dev, "%s: Session_ID = %d, APP ID = %d\n", + __func__, + prtd->lsm_client->session, +@@ -1690,6 +1689,7 @@ static int msm_lsm_open(struct snd_pcm_substream *substream) + runtime->private_data = NULL; + return -ENOMEM; + } ++ prtd->lsm_client->opened = false; + return 0; + } + +@@ -1762,7 +1762,10 @@ static int msm_lsm_close(struct snd_pcm_substream *substream) + __func__); + } + +- q6lsm_close(prtd->lsm_client); ++ if (prtd->lsm_client->opened) { 
++ q6lsm_close(prtd->lsm_client); ++ prtd->lsm_client->opened = false; ++ } + q6lsm_client_free(prtd->lsm_client); + + spin_lock_irqsave(&prtd->event_lock, flags); +@@ -1770,6 +1773,7 @@ static int msm_lsm_close(struct snd_pcm_substream *substream) + prtd->event_status = NULL; + spin_unlock_irqrestore(&prtd->event_lock, flags); + kfree(prtd); ++ runtime->private_data = NULL; + + return 0; + } +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2015-8955/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8955/ANY/0001.patch similarity index 53% rename from Patches/Linux_CVEs/CVE-2015-8955/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-8955/ANY/0001.patch index 913d1798..dd63e79e 100644 --- a/Patches/Linux_CVEs/CVE-2015-8955/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2015-8955/ANY/0001.patch @@ -1,7 +1,7 @@ -From e429817b401f095ac483fcb02524b01faf45dad6 Mon Sep 17 00:00:00 2001 +From 8fff105e13041e49b82f92eef034f363a6b1c071 Mon Sep 17 00:00:00 2001 From: "Suzuki K. Poulose" -Date: Tue, 17 Mar 2015 18:14:58 +0000 -Subject: ARM: perf: reject groups spanning multiple hardware PMUs +Date: Tue, 17 Mar 2015 18:14:59 +0000 +Subject: arm64: perf: reject groups spanning multiple HW PMUs The perf core implicitly rejects events spanning multiple HW PMUs, as in these cases the event->ctx will differ. However this validation is 
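Review bot: This rename swaps the content of the CVE-2015-8955 `ANY` patch from commit e429817b401f (`ARM: perf: reject groups spanning multiple hardware PMUs`) to commit 8fff105e1304 (`arm64: perf: reject groups spanning multiple HW PMUs`), so the 32-bit ARM fix is replaced rather than kept alongside the arm64 one. Unless the ARM patch is retained elsewhere in the set (not visible in this part of the commit), kernels built for 32-bit ARM would lose the check that rejects events from other PMUs before `to_arm_pmu()` is used. I would keep both, for example the ARM patch as `0001.patch` and the arm64 patch as `0002.patch`, and note in the commit description which architectures each one targets.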
@@ -9,36 +9,35 @@ performed after pmu::event_init() is called in perf_init_event(), and thus pmu::event_init() may be called with a group leader from a different HW PMU. -The ARM PMU driver does not take this fact into account, and when +The ARM64 PMU driver does not take this fact into account, and when validating groups assumes that it can call to_arm_pmu(event->pmu) for any HW event. When the event in question is from another HW PMU this is wrong, and results in dereferencing garbage. -This patch updates the ARM PMU driver to first test for and reject +This patch updates the ARM64 PMU driver to first test for and reject events from other PMUs, moving the to_arm_pmu and related logic after this test. Fixes a crash triggered by perf_fuzzer on Linux-4.0-rc2, with a CCI PMU present: - --- -CPU: 0 PID: 1527 Comm: perf_fuzzer Not tainted 4.0.0-rc2 #57 -Hardware name: ARM-Versatile Express -task: bd8484c0 ti: be676000 task.ti: be676000 -PC is at 0xbf1bbc90 -LR is at validate_event+0x34/0x5c -pc : [] lr : [<80016060>] psr: 00000013 -... 
-[<80016060>] (validate_event) from [<80016198>] (validate_group+0x28/0x90) -[<80016198>] (validate_group) from [<80016398>] (armpmu_event_init+0x150/0x218) -[<80016398>] (armpmu_event_init) from [<800882e4>] (perf_try_init_event+0x30/0x48) -[<800882e4>] (perf_try_init_event) from [<8008f544>] (perf_init_event+0x5c/0xf4) -[<8008f544>] (perf_init_event) from [<8008f8a8>] (perf_event_alloc+0x2cc/0x35c) -[<8008f8a8>] (perf_event_alloc) from [<8009015c>] (SyS_perf_event_open+0x498/0xa70) -[<8009015c>] (SyS_perf_event_open) from [<8000e420>] (ret_fast_syscall+0x0/0x34) -Code: bf1be000 bf1bb380 802a2664 00000000 (00000002) ----[ end trace 01aff0ff00926a0a ]--- +Bad mode in Synchronous Abort handler detected, code 0x86000006 -- IABT (current EL) +CPU: 0 PID: 1371 Comm: perf_fuzzer Not tainted 3.19.0+ #249 +Hardware name: V2F-1XV7 Cortex-A53x2 SMM (DT) +task: ffffffc07c73a280 ti: ffffffc07b0a0000 task.ti: ffffffc07b0a0000 +PC is at 0x0 +LR is at validate_event+0x90/0xa8 +pc : [<0000000000000000>] lr : [] pstate: 00000145 +sp : ffffffc07b0a3ba0 -Also cleans up the code to use the arm_pmu only when we know that -we are dealing with an arm pmu event. +[< (null)>] (null) +[] armpmu_event_init+0x174/0x3cc +[] perf_try_init_event+0x34/0x70 +[] perf_init_event+0xe0/0x10c +[] perf_event_alloc+0x288/0x358 +[] SyS_perf_event_open+0x464/0x98c +Code: bad PC value + +Also cleans up the code to use the arm_pmu only when we know +that we are dealing with an arm pmu event. Cc: Will Deacon Acked-by: Mark Rutland @@ -46,24 +45,26 @@ Acked-by: Peter Ziljstra (Intel) Signed-off-by: Suzuki K. Poulose 
Signed-off-by: Will Deacon --- - arch/arm/kernel/perf_event.c | 21 +++++++++++++++------ + arch/arm64/kernel/perf_event.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) -diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c -index 557e128..4a86a01 100644 ---- a/arch/arm/kernel/perf_event.c -+++ b/arch/arm/kernel/perf_event.c -@@ -259,20 +259,29 @@ out: +diff --git a/arch/arm64/kernel/perf_event.c b/arch/arm64/kernel/perf_event.c +index 25a5308..68a7415 100644 +--- a/arch/arm64/kernel/perf_event.c ++++ b/arch/arm64/kernel/perf_event.c +@@ -322,22 +322,31 @@ out: } static int -validate_event(struct pmu_hw_events *hw_events, - struct perf_event *event) +validate_event(struct pmu *pmu, struct pmu_hw_events *hw_events, -+ struct perf_event *event) ++ struct perf_event *event) { - struct arm_pmu *armpmu = to_arm_pmu(event->pmu); + struct arm_pmu *armpmu; + struct hw_perf_event fake_event = event->hw; + struct pmu *leader_pmu = event->group_leader->pmu; if (is_software_event(event)) return 1; @@ -76,19 +77,19 @@ index 557e128..4a86a01 100644 + if (event->pmu != pmu) + return 0; + - if (event->state < PERF_EVENT_STATE_OFF) + if (event->pmu != leader_pmu || event->state < PERF_EVENT_STATE_OFF) return 1; if (event->state == PERF_EVENT_STATE_OFF && !event->attr.enable_on_exec) return 1; + armpmu = to_arm_pmu(event->pmu); - return armpmu->get_event_idx(hw_events, event) >= 0; + return armpmu->get_event_idx(hw_events, &fake_event) >= 0; } -@@ -288,15 +297,15 @@ validate_group(struct perf_event *event) - */ - memset(&fake_pmu.used_mask, 0, sizeof(fake_pmu.used_mask)); +@@ -355,15 +364,15 @@ validate_group(struct perf_event *event) + memset(fake_used_mask, 0, sizeof(fake_used_mask)); + fake_pmu.used_mask = fake_used_mask; - if (!validate_event(&fake_pmu, leader)) + if (!validate_event(event->pmu, &fake_pmu, leader)) 
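Review bot: Overwriting `CVE-2015-8955/ANY/0001.patch` with the arm64 commit removes the `arch/arm/kernel/perf_event.c` fix from this directory. The new content patches only `arch/arm64/kernel/perf_event.c`, so a 32-bit ARM kernel tree would presumably no longer receive its `validate_event()` change from a slot that is still labelled `ANY`. If both architectures are in scope, keep the previous patch as a second numbered file next to the arm64 one instead of replacing it. Nothing visible in this commit shows the arch/arm variant being stored elsewhere. The inner `validate_group()` context in the last hunk continues outside the hunk.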
diff --git a/Patches/Linux_CVEs/CVE-2015-8961/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8961/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-8961/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-8961/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2015-8962/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8962/ANY/0001.patch similarity index 95% rename from Patches/Linux_CVEs/CVE-2015-8962/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-8962/ANY/0001.patch index 4520a6fb..105ef023 100644 --- a/Patches/Linux_CVEs/CVE-2015-8962/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2015-8962/ANY/0001.patch @@ -1,7 +1,7 @@ From f3951a3709ff50990bf3e188c27d346792103432 Mon Sep 17 00:00:00 2001 From: Calvin Owens Date: Fri, 30 Oct 2015 16:57:00 -0700 -Subject: [PATCH] sg: Fix double-free when drives detach during SG_IO +Subject: sg: Fix double-free when drives detach during SG_IO In sg_common_write(), we free the block request and return -ENODEV if the device is detached in the middle of the SG_IO ioctl(). @@ -46,7 +46,7 @@ Signed-off-by: Martin K. Petersen 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c -index 9d7b7db75e4b9..503ab8b46c0b4 100644 +index 9d7b7db..503ab8b 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -787,8 +787,14 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp, @@ -65,3 +65,6 @@ index 9d7b7db75e4b9..503ab8b46c0b4 100644 sg_finish_rem_req(srp); return -ENODEV; } +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2015-8963/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8963/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2015-8963/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2015-8963/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2015-8964/3.10/1.patch b/Patches/Linux_CVEs/CVE-2015-8964/3.10/1.patch deleted file mode 100644 index fab720b6..00000000 --- a/Patches/Linux_CVEs/CVE-2015-8964/3.10/1.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -From 1a0220ebac77da3d9e2989528e64e1683c63fb58 Mon Sep 17 00:00:00 2001 -From: Peter Hurley -Date: Fri, 27 Nov 2015 14:30:21 -0500 -Subject: [PATCH] BACKPORT: tty: Prevent ldisc drivers from re-using stale tty - fields - -(cherry picked from commit dd42bf1197144ede075a9d4793123f7689e164bc) - -Line discipline drivers may mistakenly misuse ldisc-related fields -when initializing. For example, a failure to initialize tty->receive_room -in the N_GIGASET_M101 line discipline was recently found and fixed [1]. -Now, the N_X25 line discipline has been discovered accessing the previous -line discipline's already-freed private data [2]. - -Harden the ldisc interface against misuse by initializing revelant -tty fields before instancing the new line discipline. - -[1] - commit fd98e9419d8d622a4de91f76b306af6aa627aa9c - Author: Tilman Schmidt - Date: Tue Jul 14 00:37:13 2015 +0200 - - isdn/gigaset: reset tty->receive_room when attaching ser_gigaset - -[2] Report from Sasha Levin - [ 634.336761] ================================================================== - [ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0 - [ 634.339558] Read of size 4 by task syzkaller_execu/8981 - [ 634.340359] ============================================================================= - [ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected - ... 
- [ 634.405018] Call Trace: - [ 634.405277] dump_stack (lib/dump_stack.c:52) - [ 634.405775] print_trailer (mm/slub.c:655) - [ 634.406361] object_err (mm/slub.c:662) - [ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236) - [ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279) - [ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1)) - [ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447) - [ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567) - [ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879) - [ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607) - [ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613) - [ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188) - -Cc: Tilman Schmidt -Cc: Sasha Levin -Signed-off-by: Peter Hurley -Signed-off-by: Greg Kroah-Hartman -Change-Id: Ibed6feadfb9706d478f93feec3b240aecfc64af3 -Bug: 30951112 ---- - drivers/tty/tty_ldisc.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c -index b7b8048f12539..420dd6e52a279 100644 ---- a/drivers/tty/tty_ldisc.c -+++ b/drivers/tty/tty_ldisc.c -@@ -415,6 +415,10 @@ EXPORT_SYMBOL_GPL(tty_ldisc_flush); - * they are not on hot paths so a little discipline won't do - * any harm. - * -+ * The line discipline-related tty_struct fields are reset to -+ * prevent the ldisc driver from re-using stale information for -+ * the new ldisc instance. -+ * - * Locking: takes termios_mutex - */ - -@@ -423,6 +427,9 @@ static void tty_set_termios_ldisc(struct tty_struct *tty, int num) - mutex_lock(&tty->termios_mutex); - tty->termios.c_line = num; - mutex_unlock(&tty->termios_mutex); -+ -+ tty->disc_data = NULL; -+ tty->receive_room = 0; - } - - /** 
diff --git a/Patches/Linux_CVEs/CVE-2015-8964/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8964/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8964/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-8964/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8966/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8966/3.15+/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8966/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-8966/3.15+/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-8967/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-8967/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-8967/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-8967/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2015-9004/ANY/0.patch b/Patches/Linux_CVEs/CVE-2015-9004/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2015-9004/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2015-9004/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-0723/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-0723/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-0723/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-0723/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-0728/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-0728/3.10/0001.patch
new file mode 100644
index 00000000..3ebb9904
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-0728/3.10/0001.patch
@@ -0,0 +1,12 @@
+diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
+index 42defae..cd871dc 100644
+--- a/security/keys/process_keys.c
++++ b/security/keys/process_keys.c
+@@ -792,6 +792,7 @@
+ ret = PTR_ERR(keyring);
+ goto error2;
+ } else if (keyring == new->session_keyring) {
++ key_put(keyring);
+ ret = 0;
+ goto error2;
+ }
diff --git a/Patches/Linux_CVEs/CVE-2016-0728/3.10/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-0728/3.10/0001.patch.base64
new file mode 100644
index 00000000..a6fb1945
--- /dev/null
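Review bot: The new `CVE-2016-0728/3.10/0001.patch` has no `From <sha>`, `Subject:` or `Signed-off-by:` header, unlike the `ANY/0.patch` this commit deletes, so the per-version fix can no longer be traced to an upstream commit or author from the file itself. Its inner hunk header `@@ -792,6 +792,7 @@` also carries no function name, leaving only line offsets and three context lines to place `key_put(keyring);`. After applying, confirm the line landed in `join_session_keyring()` and not in a similar-looking branch. The same applies to `3.14/0002.patch`, `3.18/0003.patch` and `4.1/0004.patch`. Each patch also gains a `.base64` twin, and nothing in the commit shows a check that the two copies stay identical.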
+++ b/Patches/Linux_CVEs/CVE-2016-0728/3.10/0001.patch.base64 @@ -0,0 +1 @@ +ZGlmZiAtLWdpdCBhL3NlY3VyaXR5L2tleXMvcHJvY2Vzc19rZXlzLmMgYi9zZWN1cml0eS9rZXlzL3Byb2Nlc3Nfa2V5cy5jCmluZGV4IDQyZGVmYWUuLmNkODcxZGMgMTAwNjQ0Ci0tLSBhL3NlY3VyaXR5L2tleXMvcHJvY2Vzc19rZXlzLmMKKysrIGIvc2VjdXJpdHkva2V5cy9wcm9jZXNzX2tleXMuYwpAQCAtNzkyLDYgKzc5Miw3IEBACiAJCXJldCA9IFBUUl9FUlIoa2V5cmluZyk7CiAJCWdvdG8gZXJyb3IyOwogCX0gZWxzZSBpZiAoa2V5cmluZyA9PSBuZXctPnNlc3Npb25fa2V5cmluZykgeworCQlrZXlfcHV0KGtleXJpbmcpOwogCQlyZXQgPSAwOwogCQlnb3RvIGVycm9yMjsKIAl9Cg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-0728/3.14/0002.patch b/Patches/Linux_CVEs/CVE-2016-0728/3.14/0002.patch new file mode 100644 index 00000000..7def8f99 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-0728/3.14/0002.patch @@ -0,0 +1,12 @@ +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c +index 0cf8a13..4e56371 100644 +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -793,6 +793,7 @@ + ret = PTR_ERR(keyring); + goto error2; + } else if (keyring == new->session_keyring) { ++ key_put(keyring); + ret = 0; + goto error2; + } diff --git a/Patches/Linux_CVEs/CVE-2016-0728/3.14/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2016-0728/3.14/0002.patch.base64 new file mode 100644 index 00000000..66865b24 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-0728/3.14/0002.patch.base64 @@ -0,0 +1 @@ +ZGlmZiAtLWdpdCBhL3NlY3VyaXR5L2tleXMvcHJvY2Vzc19rZXlzLmMgYi9zZWN1cml0eS9rZXlzL3Byb2Nlc3Nfa2V5cy5jCmluZGV4IDBjZjhhMTMuLjRlNTYzNzEgMTAwNjQ0Ci0tLSBhL3NlY3VyaXR5L2tleXMvcHJvY2Vzc19rZXlzLmMKKysrIGIvc2VjdXJpdHkva2V5cy9wcm9jZXNzX2tleXMuYwpAQCAtNzkzLDYgKzc5Myw3IEBACiAJCXJldCA9IFBUUl9FUlIoa2V5cmluZyk7CiAJCWdvdG8gZXJyb3IyOwogCX0gZWxzZSBpZiAoa2V5cmluZyA9PSBuZXctPnNlc3Npb25fa2V5cmluZykgeworCQlrZXlfcHV0KGtleXJpbmcpOwogCQlyZXQgPSAwOwogCQlnb3RvIGVycm9yMjsKIAl9Cg== \ No newline at end of file 
diff --git a/Patches/Linux_CVEs/CVE-2016-0728/3.18/0003.patch b/Patches/Linux_CVEs/CVE-2016-0728/3.18/0003.patch new file mode 100644 index 00000000..c45c3c72 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-0728/3.18/0003.patch @@ -0,0 +1,12 @@ +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c +index bd536cb..db91639 100644 +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -794,6 +794,7 @@ + ret = PTR_ERR(keyring); + goto error2; + } else if (keyring == new->session_keyring) { ++ key_put(keyring); + ret = 0; + goto error2; + } diff --git a/Patches/Linux_CVEs/CVE-2016-0728/3.18/0003.patch.base64 b/Patches/Linux_CVEs/CVE-2016-0728/3.18/0003.patch.base64 new file mode 100644 index 00000000..5841bc83 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-0728/3.18/0003.patch.base64 @@ -0,0 +1 @@ +ZGlmZiAtLWdpdCBhL3NlY3VyaXR5L2tleXMvcHJvY2Vzc19rZXlzLmMgYi9zZWN1cml0eS9rZXlzL3Byb2Nlc3Nfa2V5cy5jCmluZGV4IGJkNTM2Y2IuLmRiOTE2MzkgMTAwNjQ0Ci0tLSBhL3NlY3VyaXR5L2tleXMvcHJvY2Vzc19rZXlzLmMKKysrIGIvc2VjdXJpdHkva2V5cy9wcm9jZXNzX2tleXMuYwpAQCAtNzk0LDYgKzc5NCw3IEBACiAJCXJldCA9IFBUUl9FUlIoa2V5cmluZyk7CiAJCWdvdG8gZXJyb3IyOwogCX0gZWxzZSBpZiAoa2V5cmluZyA9PSBuZXctPnNlc3Npb25fa2V5cmluZykgeworCQlrZXlfcHV0KGtleXJpbmcpOwogCQlyZXQgPSAwOwogCQlnb3RvIGVycm9yMjsKIAl9Cg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-0728/4.1/0004.patch b/Patches/Linux_CVEs/CVE-2016-0728/4.1/0004.patch new file mode 100644 index 00000000..c45c3c72 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-0728/4.1/0004.patch @@ -0,0 +1,12 @@ +diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c +index bd536cb..db91639 100644 +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -794,6 +794,7 @@ + ret = PTR_ERR(keyring); + goto error2; + } else if (keyring == new->session_keyring) { ++ key_put(keyring); + ret = 0; + goto error2; + } 
diff --git a/Patches/Linux_CVEs/CVE-2016-0728/4.1/0004.patch.base64 b/Patches/Linux_CVEs/CVE-2016-0728/4.1/0004.patch.base64 new file mode 100644 index 00000000..5841bc83 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-0728/4.1/0004.patch.base64 @@ -0,0 +1 @@ +ZGlmZiAtLWdpdCBhL3NlY3VyaXR5L2tleXMvcHJvY2Vzc19rZXlzLmMgYi9zZWN1cml0eS9rZXlzL3Byb2Nlc3Nfa2V5cy5jCmluZGV4IGJkNTM2Y2IuLmRiOTE2MzkgMTAwNjQ0Ci0tLSBhL3NlY3VyaXR5L2tleXMvcHJvY2Vzc19rZXlzLmMKKysrIGIvc2VjdXJpdHkva2V5cy9wcm9jZXNzX2tleXMuYwpAQCAtNzk0LDYgKzc5NCw3IEBACiAJCXJldCA9IFBUUl9FUlIoa2V5cmluZyk7CiAJCWdvdG8gZXJyb3IyOwogCX0gZWxzZSBpZiAoa2V5cmluZyA9PSBuZXctPnNlc3Npb25fa2V5cmluZykgeworCQlrZXlfcHV0KGtleXJpbmcpOwogCQlyZXQgPSAwOwogCQlnb3RvIGVycm9yMjsKIAl9Cg== \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-0728/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-0728/ANY/0.patch deleted file mode 100644 index d402663a..00000000 --- a/Patches/Linux_CVEs/CVE-2016-0728/ANY/0.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 Mon Sep 17 00:00:00 2001 -From: Yevgeny Pats -Date: Tue, 19 Jan 2016 22:09:04 +0000 -Subject: KEYS: Fix keyring ref leak in join_session_keyring() - -This fixes CVE-2016-0728. - -If a thread is asked to join as a session keyring the keyring that's already -set as its session, we leak a keyring reference. - -This can be tested with the following program: - - #include - #include - #include - #include - - int main(int argc, const char *argv[]) - { - int i = 0; - key_serial_t serial; - - serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, - "leaked-keyring"); - if (serial < 0) { - perror("keyctl"); - return -1; - } - - if (keyctl(KEYCTL_SETPERM, serial, - KEY_POS_ALL | KEY_USR_ALL) < 0) { - perror("keyctl"); - return -1; - } - - for (i = 0; i < 100; i++) { - serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, - "leaked-keyring"); - if (serial < 0) { - perror("keyctl"); - return -1; - } - } - - return 0; - } - -If, after the program has run, there something like the following line in -/proc/keys: - -3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty - -with a usage count of 100 * the number of times the program has been run, -then the kernel is malfunctioning. If leaked-keyring has zero usages or -has been garbage collected, then the problem is fixed. - -Reported-by: Yevgeny Pats -Signed-off-by: David Howells -Acked-by: Don Zickus -Acked-by: Prarit Bhargava -Acked-by: Jarod Wilson -Signed-off-by: James Morris ---- - security/keys/process_keys.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index a3f85d2..e6d50172 100644 ---- a/security/keys/process_keys.c -+++ b/security/keys/process_keys.c -@@ -794,6 +794,7 @@ long join_session_keyring(const char *name) - ret = PTR_ERR(keyring); - goto error2; - } else if (keyring == new->session_keyring) { -+ key_put(keyring); - ret = 0; - goto error2; - } --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-0758/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-0758/ANY/0001.patch similarity index 84% rename from Patches/Linux_CVEs/CVE-2016-0758/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-0758/ANY/0001.patch index 1c8b2139..016fbe0f 100644 --- a/Patches/Linux_CVEs/CVE-2016-0758/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2016-0758/ANY/0001.patch @@ -1,7 +1,7 @@ From 23c8a812dc3c621009e4f0e5342aa4e2ede1ceaa Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 23 Feb 2016 11:03:12 +0000 -Subject: [PATCH] KEYS: Fix ASN.1 indefinite length object parsing +Subject: KEYS: Fix ASN.1 indefinite length object parsing This fixes CVE-2016-0758. @@ -40,10 +40,10 @@ Acked-by: Peter Jones 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c -index 2b3f46c049d45..554522934c442 100644 +index 2b3f46c..5545229 100644 --- a/lib/asn1_decoder.c +++ b/lib/asn1_decoder.c -@@ -74,7 +74,7 @@ static int asn1_find_indefinite_length(const unsigned char *data, size_t datalen +@@ -74,7 +74,7 @@ next_tag: /* Extract a tag from the data */ tag = data[dp++]; @@ -52,7 +52,7 @@ index 2b3f46c049d45..554522934c442 100644 /* It appears to be an EOC. */ if (data[dp++] != 0) goto invalid_eoc; -@@ -96,10 +96,8 @@ static int asn1_find_indefinite_length(const unsigned char *data, size_t datalen +@@ -96,10 +96,8 @@ next_tag: /* Extract the length */ len = data[dp++]; @@ -65,7 +65,7 @@ index 2b3f46c049d45..554522934c442 100644 if (unlikely(len == ASN1_INDEFINITE_LENGTH)) { /* Indefinite length */ -@@ -110,14 +108,18 @@ static int asn1_find_indefinite_length(const unsigned char *data, size_t datalen +@@ -110,14 +108,18 @@ next_tag: } n = len - 0x80; @@ -86,3 +86,6 @@ index 2b3f46c049d45..554522934c442 100644 dp += len; goto next_tag; +-- +cgit v1.1 + 
diff --git a/Patches/Linux_CVEs/CVE-2016-0774/ANY/0.patch.disabled b/Patches/Linux_CVEs/CVE-2016-0774/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-0774/ANY/0.patch.disabled rename to Patches/Linux_CVEs/CVE-2016-0774/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-0774/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-0774/ANY/1.patch deleted file mode 100644 index f873145e..00000000 --- a/Patches/Linux_CVEs/CVE-2016-0774/ANY/1.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 4bb62b96dc3d2ef4943d3b78b9db160f545a631f Mon Sep 17 00:00:00 2001 -From: Jeff Vander Stoep -Date: Wed, 23 Mar 2016 15:32:14 -0700 -Subject: [PATCH] pipe: iovec: Fix OOB read in pipe_read() - -Previous upstream *stable* fix 14f81062 was incomplete. - -A local process can trigger a system crash with an OOB read on buf. -This occurs when the state of buf gets out of sync. After an error in -pipe_iov_copy_to_user() read_pipe may exit having updated buf->offset -but not buf->len. Upon retrying pipe_read() while in -pipe_iov_copy_to_user() *remaining will be larger than the space left -after buf->offset e.g. *remaing = PAGE_SIZE, buf->len = PAGE_SIZE, -buf->offset = 0x300. - -This is fixed by not updating the state of buf->offset until after the -full copy is completed, similar to how pipe_write() is implemented. - -For stable kernels < 3.16. - -Bug: 27721803 -Change-Id: Iefffbcc6cfd159dba69c31bcd98c6d5c1f21ff2e -Signed-off-by: Jeff Vander Stoep ---- - fs/pipe.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/fs/pipe.c b/fs/pipe.c -index 3e7ab278bb0c0..14b58f9f26f2e 100644 ---- a/fs/pipe.c -+++ b/fs/pipe.c -@@ -400,7 +400,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, - const struct pipe_buf_operations *ops = buf->ops; - void *addr; - size_t chars = buf->len, remaining; -- int error, atomic; -+ int error, atomic, offset; - - if (chars > total_len) - chars = total_len; -@@ -414,9 +414,10 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, - - atomic = !iov_fault_in_pages_write(iov, chars); - remaining = chars; -+ offset = buf->offset; - redo: - addr = ops->map(pipe, buf, atomic); -- error = pipe_iov_copy_to_user(iov, addr, &buf->offset, -+ error = pipe_iov_copy_to_user(iov, addr, &offset, - &remaining, atomic); - ops->unmap(pipe, buf, addr); - if (unlikely(error)) { -@@ -432,6 +433,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, - break; - } - ret += chars; -+ buf->offset += chars; - 
buf->len -= chars; - - /* Was it a packet buffer? Clean up and exit */ diff --git a/Patches/Linux_CVEs/CVE-2016-0801/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-0801/ANY/0001.patch new file mode 100644 index 00000000..4107b031 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-0801/ANY/0001.patch @@ -0,0 +1,28 @@ +diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c +index e9eb33d..f2ba9c8 100644 +--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c ++++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c +@@ -1173,8 +1173,9 @@ + WL_DBG((" attr WPS_ID_CONFIG_METHODS: %x\n", HTON16(val))); + } else if (subelt_id == WPS_ID_DEVICE_NAME) { + char devname[100]; +- memcpy(devname, subel, subelt_len); +- devname[subelt_len] = '\0'; ++ size_t namelen = MIN(subelt_len, sizeof(devname)); ++ memcpy(devname, subel, namelen); ++ devname[namelen-1] = '\0'; + WL_DBG((" attr WPS_ID_DEVICE_NAME: %s (len %u)\n", + devname, subelt_len)); + } else if (subelt_id == WPS_ID_DEVICE_PWD_ID) { +@@ -9678,9 +9679,9 @@ + * scan request in the form of cfg80211_scan_request. For timebeing, create + * cfg80211_scan_request one out of the received PNO event. + */ ++ ssid[i].ssid_len = MIN(DOT11_MAX_SSID_LEN, netinfo->pfnsubnet.SSID_len); + memcpy(ssid[i].ssid, netinfo->pfnsubnet.SSID, +- netinfo->pfnsubnet.SSID_len); +- ssid[i].ssid_len = netinfo->pfnsubnet.SSID_len; ++ ssid[i].ssid_len); + request->n_ssids++; + + channel_req = netinfo->pfnsubnet.channel; diff --git a/Patches/Linux_CVEs/CVE-2016-0801/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-0801/ANY/0001.patch.base64 new file mode 100644 index 00000000..0d485ae7 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-0801/ANY/0001.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-0802/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-0802/ANY/0001.patch new file mode 100644 index 00000000..81904b74 --- /dev/null 
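Review bot: `devname[namelen-1] = '\0';` in the `WPS_ID_DEVICE_NAME` branch is wrong at both ends of the range. When `subelt_len` is 0, `namelen-1` wraps as a `size_t` and the store lands far outside `devname`. For any non-empty name shorter than the buffer, it overwrites the last byte that was just copied. Clamp to one less than the buffer and terminate after the data: `size_t namelen = MIN(subelt_len, sizeof(devname) - 1);` followed by `devname[namelen] = '\0';`. The enclosing function starts and ends outside the hunk.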
+++ b/Patches/Linux_CVEs/CVE-2016-0802/ANY/0001.patch 
@@ -0,0 +1,152 @@ +diff --git a/drivers/net/wireless/bcmdhd/dhd.h b/drivers/net/wireless/bcmdhd/dhd.h +index 8c3f0f6..5e33262 100644 +--- a/drivers/net/wireless/bcmdhd/dhd.h ++++ b/drivers/net/wireless/bcmdhd/dhd.h +@@ -813,7 +813,7 @@ + extern int dhd_net2idx(struct dhd_info *dhd, struct net_device *net); + extern struct net_device * dhd_idx2net(void *pub, int ifidx); + extern int net_os_send_hang_message(struct net_device *dev); +-extern int wl_host_event(dhd_pub_t *dhd_pub, int *idx, void *pktdata, ++extern int wl_host_event(dhd_pub_t *dhd_pub, int *idx, void *pktdata, size_t pktlen, + wl_event_msg_t *, void **data_ptr, void *); + extern void wl_event_to_host_order(wl_event_msg_t * evt); + +diff --git a/drivers/net/wireless/bcmdhd/dhd_common.c b/drivers/net/wireless/bcmdhd/dhd_common.c +index 8a6882f..201a0ac 100644 +--- a/drivers/net/wireless/bcmdhd/dhd_common.c ++++ b/drivers/net/wireless/bcmdhd/dhd_common.c +@@ -109,7 +109,7 @@ + extern int dhd_socram_dump(struct dhd_bus *bus); + #ifdef DNGL_EVENT_SUPPORT + static void dngl_host_event_process(dhd_pub_t *dhdp, bcm_dngl_event_t *event); +-static int dngl_host_event(dhd_pub_t *dhdp, void *pktdata); ++static int dngl_host_event(dhd_pub_t *dhdp, void *pktdata, size_t pktlen); + #endif /* DNGL_EVENT_SUPPORT */ + bool ap_cfg_running = FALSE; + bool ap_fw_loaded = FALSE; +@@ -1380,7 +1380,7 @@ + #ifdef DNGL_EVENT_SUPPORT + /* Check whether packet is a BRCM dngl event pkt. If it is, process event data. 
*/ + int +-dngl_host_event(dhd_pub_t *dhdp, void *pktdata) ++dngl_host_event(dhd_pub_t *dhdp, void *pktdata, size_t pktlen) + { + bcm_dngl_event_t *pvt_data = (bcm_dngl_event_t *)pktdata; + +@@ -1391,14 +1391,14 @@ + /* Check to see if this is a DNGL event */ + if (ntoh16_ua((void *)&pvt_data->bcm_hdr.usr_subtype) == + BCMILCP_BCM_SUBTYPE_DNGLEVENT) { +- dngl_host_event_process(dhdp, pvt_data); ++ dngl_host_event_process(dhdp, pvt_data, pktlen); + return BCME_OK; + } + return BCME_ERROR; + } + + void +-dngl_host_event_process(dhd_pub_t *dhdp, bcm_dngl_event_t *event) ++dngl_host_event_process(dhd_pub_t *dhdp, bcm_dngl_event_t *event, size_t pktlen) + { + bcm_dngl_event_msg_t *dngl_event = &event->dngl_event; + uint8 *p = (uint8 *)(event + 1); +@@ -1407,6 +1407,9 @@ + uint16 version = ntoh16_ua((void *)&dngl_event->version); + + DHD_EVENT(("VERSION:%d, EVENT TYPE:%d, DATALEN:%d\n", version, type, datalen)); ++ if (datalen > (pktlen - sizeof(bcm_event_t))) { ++ return; ++ } + if (version != BCM_DNGL_EVENT_MSG_VERSION) { + DHD_ERROR(("%s:version mismatch:%d:%d\n", __FUNCTION__, + version, BCM_DNGL_EVENT_MSG_VERSION)); +@@ -1499,7 +1502,7 @@ + } + #endif /* DNGL_EVENT_SUPPORT */ + +-int wl_host_event(dhd_pub_t *dhd_pub, int *ifidx, void *pktdata, ++int wl_host_event(dhd_pub_t *dhd_pub, int *ifidx, void *pktdata, size_t pktlen, + wl_event_msg_t *event, void **data_ptr, void *raw_event) + { + /* check whether packet is a BRCM event pkt */ +@@ -1512,7 +1515,7 @@ + + #ifdef DNGL_EVENT_SUPPORT + /* If it is a DNGL event process it first */ +- if (dngl_host_event(dhd_pub, pktdata) == BCME_OK) { ++ if (dngl_host_event(dhd_pub, pktdata, pktlen) == BCME_OK) { + /* Return error purposely to prevent DNGL event being processed as BRCM event */ + return BCME_ERROR; + } +@@ -1529,18 +1532,27 @@ + return (BCME_ERROR); + } + ++ if (pktlen < sizeof(bcm_event_t)) ++ return (BCME_ERROR); ++ + *data_ptr = &pvt_data[1]; + event_data = *data_ptr; + +- + /* memcpy since BRCM event pkt may be 
unaligned. */ + memcpy(event, &pvt_data->event, sizeof(wl_event_msg_t)); + + type = ntoh32_ua((void *)&event->event_type); + flags = ntoh16_ua((void *)&event->flags); + status = ntoh32_ua((void *)&event->status); ++ + datalen = ntoh32_ua((void *)&event->datalen); ++ if (datalen > pktlen) ++ return (BCME_ERROR); ++ + evlen = datalen + sizeof(bcm_event_t); ++ if (evlen > pktlen) { ++ return BCME_ERROR; ++ } + + /* find equivalent host index for event ifidx */ + hostidx = dhd_ifidx2hostidx(dhd_pub->info, event->ifidx); +diff --git a/drivers/net/wireless/bcmdhd/dhd_linux.c b/drivers/net/wireless/bcmdhd/dhd_linux.c +index 3998402..7c0563a 100644 +--- a/drivers/net/wireless/bcmdhd/dhd_linux.c ++++ b/drivers/net/wireless/bcmdhd/dhd_linux.c +@@ -700,7 +700,7 @@ + static int dhd_toe_set(dhd_info_t *dhd, int idx, uint32 toe_ol); + #endif /* TOE */ + +-static int dhd_wl_host_event(dhd_info_t *dhd, int *ifidx, void *pktdata, ++static int dhd_wl_host_event(dhd_info_t *dhd, int *ifidx, void *pktdata, size_t pktlen, + wl_event_msg_t *event_ptr, void **data_ptr); + #ifdef DHD_UNICAST_DHCP + static const uint8 llc_snap_hdr[SNAP_HDR_LEN] = {0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00}; +@@ -3018,6 +3018,7 @@ + #else + skb->mac.raw, + #endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22) */ ++ len - 2, + &event, + &data); + +@@ -7452,16 +7453,18 @@ + #endif /* defined(WL_WIRELESS_EXT) */ + + static int +-dhd_wl_host_event(dhd_info_t *dhd, int *ifidx, void *pktdata, ++dhd_wl_host_event(dhd_info_t *dhd, int *ifidx, void *pktdata, size_t pktlen, + wl_event_msg_t *event, void **data) + { + int bcmerror = 0; + ASSERT(dhd != NULL); + + #ifdef SHOW_LOGTRACE +- bcmerror = wl_host_event(&dhd->pub, ifidx, pktdata, event, data, &dhd->event_data); ++ bcmerror = wl_host_event(&dhd->pub, ifidx, pktdata, pktlen, ++ event, data, &dhd->event_data); + #else +- bcmerror = wl_host_event(&dhd->pub, ifidx, pktdata, event, data, NULL); ++ bcmerror = wl_host_event(&dhd->pub, ifidx, pktdata, pktlen, ++ event, 
data, NULL); + #endif /* SHOW_LOGTRACE */ + + if (bcmerror != BCME_OK) diff --git a/Patches/Linux_CVEs/CVE-2016-0802/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-0802/ANY/0001.patch.base64 new file mode 100644 index 00000000..35ff7ed6 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-0802/ANY/0001.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-0805/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-0805/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-0805/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-0805/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-0806/3.4/1.patch b/Patches/Linux_CVEs/CVE-2016-0806/ANY/0001.patch similarity index 99% rename from Patches/Linux_CVEs/CVE-2016-0806/3.4/1.patch rename to Patches/Linux_CVEs/CVE-2016-0806/ANY/0001.patch index ea0d9d55..62f61cfc 100644 --- a/Patches/Linux_CVEs/CVE-2016-0806/3.4/1.patch +++ b/Patches/Linux_CVEs/CVE-2016-0806/ANY/0001.patch @@ -1631,6 +1631,7 @@ + @@ -4121,6 +4122,9 @@ + + + diff --git a/Patches/Linux_CVEs/CVE-2016-0806/3.10/0.patch b/Patches/Linux_CVEs/CVE-2016-0806/ANY/0002.patch similarity index 99% rename from Patches/Linux_CVEs/CVE-2016-0806/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2016-0806/ANY/0002.patch index 699d9844..c4fcbaad 100644 --- a/Patches/Linux_CVEs/CVE-2016-0806/3.10/0.patch +++ b/Patches/Linux_CVEs/CVE-2016-0806/ANY/0002.patch @@ -1631,6 +1631,7 @@ + @@ -4121,6 +4122,9 @@ + + + diff --git a/Patches/Linux_CVEs/CVE-2016-0819/ANY/0.patch.disabled b/Patches/Linux_CVEs/CVE-2016-0819/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-0819/ANY/0.patch.disabled rename to Patches/Linux_CVEs/CVE-2016-0819/ANY/0001.patch 
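Review bot: `if (datalen > (pktlen - sizeof(bcm_event_t)))` in `dngl_host_event_process()` runs before anything has checked that `pktlen` is at least that large. `wl_host_event()` calls `dngl_host_event()` ahead of its own `pktlen < sizeof(bcm_event_t)` test, so for a short packet the unsigned subtraction wraps and the bound rejects nothing. The check also measures against `bcm_event_t` although the function is handed a `bcm_dngl_event_t`. I would test the length first, presumably as `if (pktlen < sizeof(bcm_dngl_event_t) || datalen > pktlen - sizeof(bcm_dngl_event_t)) return;`, and apply the same minimum before the `pvt_data->bcm_hdr.usr_subtype` read in `dngl_host_event()`. Separately, the forward declaration `static void dngl_host_event_process(dhd_pub_t *dhdp, bcm_dngl_event_t *event);` is left as context while the definition gains `pktlen`, which would not compile with `DNGL_EVENT_SUPPORT` defined unless it is updated outside these hunks.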
diff --git a/Patches/Linux_CVEs/CVE-2016-0821/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-0821/ANY/0001.patch similarity index 94% rename from Patches/Linux_CVEs/CVE-2016-0821/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-0821/ANY/0001.patch index 3a985b3a..7fd8ff5f 100644 --- a/Patches/Linux_CVEs/CVE-2016-0821/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2016-0821/ANY/0001.patch @@ -1,7 +1,7 @@ From 8a5e5e02fc83aaf67053ab53b359af08c6c49aaf Mon Sep 17 00:00:00 2001 From: Vasily Kulikov Date: Wed, 9 Sep 2015 15:36:00 -0700 -Subject: include/linux/poison.h: fix LIST_POISON{1,2} offset +Subject: [PATCH] include/linux/poison.h: fix LIST_POISON{1,2} offset Poison pointer values should be small enough to find a room in non-mmap'able/hardly-mmap'able space. E.g. on x86 "poison pointer space" @@ -29,7 +29,7 @@ Signed-off-by: Linus Torvalds 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/poison.h b/include/linux/poison.h -index 2110a81..253c9b4 100644 +index 2110a81c5e2af..253c9b4198eff 100644 --- a/include/linux/poison.h +++ b/include/linux/poison.h @@ -19,8 +19,8 @@ @@ -43,6 +43,3 @@ index 2110a81..253c9b4 100644 /********** include/linux/timer.h **********/ /* --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-0823/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-0823/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-0823/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-0823/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-0843/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-0843/ANY/0001.patch new file mode 100644 index 00000000..34dc4591 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-0843/ANY/0001.patch 
@@ -0,0 +1,101 @@ +From a599a7a83745820b3e1bee9d4b625bd54337e4d0 Mon Sep 17 00:00:00 2001 +From: Kishor PK +Date: Thu, 18 Feb 2016 15:26:50 +0530 +Subject: msm: perf: validate input argument of ev_constraints functions + +Validate input argument before writing into +pmu_constraints_codes array. + +CRs-Fixed: 975404 +Change-Id: Id68b1d2201ab1af783af2236833b1dc894e08cc7 +Signed-off-by: Kishor PK +--- + arch/arm/mach-msm/perf_event_msm_krait_l2.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/arch/arm/mach-msm/perf_event_msm_krait_l2.c b/arch/arm/mach-msm/perf_event_msm_krait_l2.c +index 65a5d2f..43233ab 100644 +--- a/arch/arm/mach-msm/perf_event_msm_krait_l2.c ++++ b/arch/arm/mach-msm/perf_event_msm_krait_l2.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2011,2012,2014 The Linux Foundation. All rights reserved. ++ * Copyright (c) 2011,2012,2014,2016 The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -18,13 +18,15 @@ + + #include + ++#define PMU_CODES_SIZE 64 ++ + /* + * The L2 PMU is shared between all CPU's, so protect + * its bitmap access. 
+ */ + struct pmu_constraints { + u64 pmu_bitmap; +- u8 codes[64]; ++ u8 codes[PMU_CODES_SIZE]; + raw_spinlock_t lock; + } l2_pmu_constraints = { + .pmu_bitmap = 0, +@@ -427,10 +429,9 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event) + u8 group = evt_type & 0x0000F; + u8 code = (evt_type & 0x00FF0) >> 4; + unsigned long flags; +- u32 err = 0; ++ int err = 0; + u64 bitmap_t; + u32 shift_idx; +- + if (evt_prefix == L2_TRACECTR_PREFIX) + return err; + /* +@@ -444,6 +445,11 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event) + + shift_idx = ((reg * 4) + group); + ++ if (shift_idx >= PMU_CODES_SIZE) { ++ err = -EINVAL; ++ goto out; ++ } ++ + bitmap_t = 1 << shift_idx; + + if (!(l2_pmu_constraints.pmu_bitmap & bitmap_t)) { +@@ -484,6 +490,7 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event) + unsigned long flags; + u64 bitmap_t; + u32 shift_idx; ++ int err = 1; + + if (evt_prefix == L2_TRACECTR_PREFIX) + return 1; +@@ -491,6 +498,10 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event) + + shift_idx = ((reg * 4) + group); + ++ if (shift_idx >= PMU_CODES_SIZE) { ++ err = -EINVAL; ++ goto out; ++ } + bitmap_t = 1 << shift_idx; + + /* Clear constraint bit. */ +@@ -498,9 +509,9 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event) + + /* Clear code. */ + l2_pmu_constraints.codes[shift_idx] = -1; +- ++out: + raw_spin_unlock_irqrestore(&l2_pmu_constraints.lock, flags); +- return 1; ++ return err; + } + + int get_num_events(void) +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-0844/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-0844/ANY/0001.patch new file mode 100644 index 00000000..dcc9705e --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-0844/ANY/0001.patch 
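Review bot: The context line `bitmap_t = 1 << shift_idx;` that follows the new `shift_idx >= PMU_CODES_SIZE` check in msm_l2_test_set_ev_constraint() and msm_l2_clear_ev_constraint() still shifts a plain `int`, although the check now lets values up to 63 through. Shifting an int by 31 or more bits is not well defined in C, so the bit tested or cleared in the u64 `pmu_bitmap` may not correspond to the `codes[shift_idx]` slot being updated. Using `bitmap_t = 1ULL << shift_idx;` in both functions keeps the mask and the index in step. Both function bodies begin outside the inner hunks, so it cannot be confirmed from here that every `goto out` is reached with `l2_pmu_constraints.lock` held.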
@@ -0,0 +1,60 @@ +From 90a9da2ea95e86b4f0ff493cd891a11da0ee67aa Mon Sep 17 00:00:00 2001 +From: Skylar Chang +Date: Tue, 29 Dec 2015 18:50:34 -0800 +Subject: msm: ipa: fix the mux_channel buffer overflow + +Add the check on ipa wan-driver to check if +receiving more than MAX_NUM_OF_MUX_CHANNEL times +different RMNET_IOCTL_ADD_MUX_CHANNEL ioctls +from netmgrd. + +CRs-Fixed: 956393 +Change-Id: Ic8890b084a8da69fdcf54541e82f6e4961492ce1 +Signed-off-by: Skylar Chang +--- + drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c | 7 ++++++- + drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c | 6 ++++++ + 2 files changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c +index e30d6d1..f3b883e 100644 +--- a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c ++++ b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -1366,6 +1366,11 @@ static int ipa_wwan_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + rmnet_mux_val.mux_id); + return rc; + } ++ if (rmnet_index >= MAX_NUM_OF_MUX_CHANNEL) { ++ IPAWANERR("Exceed mux_channel limit(%d)\n", ++ rmnet_index); ++ return -EFAULT; ++ } + IPAWANDBG("ADD_MUX_CHANNEL(%d, name: %s)\n", + extend_ioctl_data.u.rmnet_mux_val.mux_id, + extend_ioctl_data.u.rmnet_mux_val.vchannel_name); +diff --git a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c +index 9697590..2c3e18e 100644 +--- a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c ++++ b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c +@@ -1382,6 +1382,12 @@ static int ipa3_wwan_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + rmnet_mux_val.mux_id); + return rc; + } ++ if (rmnet_ipa3_ctx->rmnet_index ++ >= MAX_NUM_OF_MUX_CHANNEL) { ++ IPAWANERR("Exceed mux_channel limit(%d)\n", ++ rmnet_ipa3_ctx->rmnet_index); ++ return -EFAULT; ++ } + IPAWANDBG("ADD_MUX_CHANNEL(%d, name: %s)\n", + extend_ioctl_data.u.rmnet_mux_val.mux_id, + extend_ioctl_data.u.rmnet_mux_val.vchannel_name); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-10044/ANY/2.patch b/Patches/Linux_CVEs/CVE-2016-10044/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10044/ANY/2.patch rename to Patches/Linux_CVEs/CVE-2016-10044/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-10044/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10044/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10044/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-10044/ANY/0002.patch 
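Review bot: The new guard in ipa_wwan_ioctl(), and its twin in ipa3_wwan_ioctl(), returns `-EFAULT` when `rmnet_index >= MAX_NUM_OF_MUX_CHANNEL`, which tells the caller that a user address was bad rather than that the mux channel table is full. Returning `-ENOSPC` (or `-EINVAL`) would let the caller distinguish table exhaustion from a genuine address fault. A short comment above the check, such as `/* refuse ADD_MUX_CHANNEL once all MAX_NUM_OF_MUX_CHANNEL slots are in use */`, would also record why it sits before the channel is registered. The code that consumes the index lies outside the hunk, so it is worth confirming that nothing between this check and that use can advance the index.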
diff --git a/Patches/Linux_CVEs/CVE-2016-10044/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2016-10044/ANY/0002.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-10044/ANY/0.patch.base64
rename to Patches/Linux_CVEs/CVE-2016-10044/ANY/0002.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2016-10044/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-10044/ANY/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-10044/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2016-10044/ANY/0003.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-10044/ANY/1.patch.base64 b/Patches/Linux_CVEs/CVE-2016-10044/ANY/0003.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-10044/ANY/1.patch.base64
rename to Patches/Linux_CVEs/CVE-2016-10044/ANY/0003.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2016-10088/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10088/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-10088/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-10088/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-10153/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10153/4.9/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-10153/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-10153/4.9/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-10154/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10154/4.9/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-10154/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-10154/4.9/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-10200/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10200/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-10200/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-10200/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-10208/3.16/2.patch b/Patches/Linux_CVEs/CVE-2016-10208/3.10-3.16/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-10208/3.16/2.patch
rename to Patches/Linux_CVEs/CVE-2016-10208/3.10-3.16/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-10208/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10208/ANY/0.patch
deleted file mode 100644
index 4df1e4dd..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10208/ANY/0.patch
+++ /dev/null
@@ -1,63 +0,0 @@ -From cf851ad35fd1e9c7b8ed00741eca613bc1a9c8c8 Mon Sep 17 00:00:00 2001 -From: Eryu Guan -Date: Thu, 01 Dec 2016 15:08:37 -0500 -Subject: [PATCH] ext4: validate s_first_meta_bg at mount time - -Ralf Spenneberg reported that he hit a kernel crash when mounting a -modified ext4 image. And it turns out that kernel crashed when -calculating fs overhead (ext4_calculate_overhead()), this is because -the image has very large s_first_meta_bg (debug code shows it's -842150400), and ext4 overruns the memory in count_overhead() when -setting bitmap buffer, which is PAGE_SIZE. - -ext4_calculate_overhead(): - buf = get_zeroed_page(GFP_NOFS); <=== PAGE_SIZE buffer - blks = count_overhead(sb, i, buf); - -count_overhead(): - for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) { <=== j = 842150400 - ext4_set_bit(EXT4_B2C(sbi, s++), buf); <=== buffer overrun - count++; - } - -This can be reproduced easily for me by this script: - - #!/bin/bash - rm -f fs.img - mkdir -p /mnt/ext4 - fallocate -l 16M fs.img - mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img - debugfs -w -R "ssv first_meta_bg 842150400" fs.img - mount -o loop fs.img /mnt/ext4 - -Fix it by validating s_first_meta_bg first at mount time, and -refusing to mount if its value exceeds the largest possible meta_bg -number. 
- -Change-Id: If8f0dbed1ed36f3ef9b4466feb4245d8ba5c89b6 -Reported-by: Ralf Spenneberg -Signed-off-by: Eryu Guan -Signed-off-by: Theodore Ts'o -Reviewed-by: Andreas Dilger ---- - -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 5862518..fcbc8dc 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -3501,6 +3501,15 @@ - (EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb))); - db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) / - EXT4_DESC_PER_BLOCK(sb); -+ if (EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_FLEX_BG)) { -+ if (le32_to_cpu(es->s_first_meta_bg) >= db_count) { -+ ext4_msg(sb, KERN_WARNING, -+ "first meta block group too large: %u " -+ "(group descriptor block count %u)", -+ le32_to_cpu(es->s_first_meta_bg), db_count); -+ goto failed_mount; -+ } -+ } - sbi->s_group_desc = ext4_kvmalloc(db_count * - sizeof(struct buffer_head *), - GFP_KERNEL); diff --git a/Patches/Linux_CVEs/CVE-2016-10208/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2016-10208/ANY/0.patch.base64 deleted file mode 100644 index cab66b52..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10208/ANY/0.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-10208/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-10208/ANY/1.patch deleted file mode 100644 index 910a6af3..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10208/ANY/1.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From 3a4b77cd47bb837b8557595ec7425f281f2ca1fe Mon Sep 17 00:00:00 2001 -From: Eryu Guan -Date: Thu, 1 Dec 2016 15:08:37 -0500 -Subject: ext4: validate s_first_meta_bg at mount time - -Ralf Spenneberg reported that he hit a kernel crash when mounting a -modified ext4 image. And it turns out that kernel crashed when -calculating fs overhead (ext4_calculate_overhead()), this is because -the image has very large s_first_meta_bg (debug code shows it's -842150400), and ext4 overruns the memory in count_overhead() when -setting bitmap buffer, which is PAGE_SIZE. - -ext4_calculate_overhead(): - buf = get_zeroed_page(GFP_NOFS); <=== PAGE_SIZE buffer - blks = count_overhead(sb, i, buf); - -count_overhead(): - for (j = ext4_bg_num_gdb(sb, grp); j > 0; j--) { <=== j = 842150400 - ext4_set_bit(EXT4_B2C(sbi, s++), buf); <=== buffer overrun - count++; - } - -This can be reproduced easily for me by this script: - - #!/bin/bash - rm -f fs.img - mkdir -p /mnt/ext4 - fallocate -l 16M fs.img - mke2fs -t ext4 -O bigalloc,meta_bg,^resize_inode -F fs.img - debugfs -w -R "ssv first_meta_bg 842150400" fs.img - mount -o loop fs.img /mnt/ext4 - -Fix it by validating s_first_meta_bg first at mount time, and -refusing to mount if its value exceeds the largest possible meta_bg -number. 
- -Reported-by: Ralf Spenneberg -Signed-off-by: Eryu Guan -Signed-off-by: Theodore Ts'o -Reviewed-by: Andreas Dilger ---- - fs/ext4/super.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index a526956..32c0deb 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -3842,6 +3842,15 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) - (EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb))); - db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) / - EXT4_DESC_PER_BLOCK(sb); -+ if (ext4_has_feature_meta_bg(sb)) { -+ if (le32_to_cpu(es->s_first_meta_bg) >= db_count) { -+ ext4_msg(sb, KERN_WARNING, -+ "first meta block group too large: %u " -+ "(group descriptor block count %u)", -+ le32_to_cpu(es->s_first_meta_bg), db_count); -+ goto failed_mount; -+ } -+ } - sbi->s_group_desc = ext4_kvmalloc(db_count * - sizeof(struct buffer_head *), - GFP_KERNEL); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-10208/ANY/3.patch b/Patches/Linux_CVEs/CVE-2016-10208/ANY/3.patch deleted file mode 100644 index e5f22a8e..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10208/ANY/3.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 2ba3e6e8afc9b6188b471f27cf2b5e3cf34e7af2 Mon Sep 17 00:00:00 2001 -From: Theodore Ts'o -Date: Wed, 15 Feb 2017 01:26:39 -0500 -Subject: [PATCH] ext4: fix fencepost in s_first_meta_bg validation - -It is OK for s_first_meta_bg to be equal to the number of block group -descriptor blocks. (It rarely happens, but it shouldn't cause any -problems.) - -https://bugzilla.kernel.org/show_bug.cgi?id=194567 - -Fixes: 3a4b77cd47bb837b8557595ec7425f281f2ca1fe -Signed-off-by: Theodore Ts'o -Cc: stable@vger.kernel.org ---- - fs/ext4/super.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index dde14a7ac6d77..a673558fe5f86 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -3860,7 +3860,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) - db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) / - EXT4_DESC_PER_BLOCK(sb); - if (ext4_has_feature_meta_bg(sb)) { -- if (le32_to_cpu(es->s_first_meta_bg) >= db_count) { -+ if (le32_to_cpu(es->s_first_meta_bg) > db_count) { - ext4_msg(sb, KERN_WARNING, - "first meta block group too large: %u " - "(group descriptor block count %u)", diff --git a/Patches/Linux_CVEs/CVE-2016-10208/ANY/4.patch b/Patches/Linux_CVEs/CVE-2016-10208/ANY/4.patch deleted file mode 100644 index ff617f15..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10208/ANY/4.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 6cc435bb47841104995c8668de8f5839d0040357 Mon Sep 17 00:00:00 2001 -From: Theodore Ts'o -Date: Wed, 15 Feb 2017 01:26:39 -0500 -Subject: ext4: fix fencepost in s_first_meta_bg validation - -commit 2ba3e6e8afc9b6188b471f27cf2b5e3cf34e7af2 upstream. - -It is OK for s_first_meta_bg to be equal to the number of block group -descriptor blocks. (It rarely happens, but it shouldn't cause any -problems.) - -https://bugzilla.kernel.org/show_bug.cgi?id=194567 - -Fixes: 3a4b77cd47bb837b8557595ec7425f281f2ca1fe -Signed-off-by: Theodore Ts'o -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings ---- - fs/ext4/super.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index a0f6526..af0267f 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -3916,7 +3916,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent) - db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) / - EXT4_DESC_PER_BLOCK(sb); - if (EXT4_HAS_INCOMPAT_FEATURE(sb,EXT4_FEATURE_INCOMPAT_META_BG)) { -- if (le32_to_cpu(es->s_first_meta_bg) >= db_count) { -+ if (le32_to_cpu(es->s_first_meta_bg) > db_count) { - ext4_msg(sb, KERN_WARNING, - "first meta block group too large: %u " - "(group descriptor block count %u)", --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-10208/ANY/5.patch b/Patches/Linux_CVEs/CVE-2016-10208/ANY/5.patch deleted file mode 100644 index 43910f45..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10208/ANY/5.patch +++ /dev/null 
@@ -1,23 +0,0 @@ -From 5063cbf9d49280ac925f86968ff60401b3071603 Mon Sep 17 00:00:00 2001 -From: syphyr -Date: Sun, 11 Jun 2017 00:40:19 +0200 -Subject: [PATCH] ext4: fix condition of validate s_first_meta_bg - -Fixes: ext4: validate s_first_meta_bg at mount time - -Change-Id: Iea0fb0df71502c5578c3c96e992d6cc78842ca7e ---- - -diff --git a/fs/ext4/super.c b/fs/ext4/super.c -index 0aed818..04294d7 100644 ---- a/fs/ext4/super.c -+++ b/fs/ext4/super.c -@@ -3804,7 +3804,7 @@ - (EXT4_MAX_BLOCK_FILE_PHYS / EXT4_BLOCKS_PER_GROUP(sb))); - db_count = (sbi->s_groups_count + EXT4_DESC_PER_BLOCK(sb) - 1) / - EXT4_DESC_PER_BLOCK(sb); -- if (EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_FLEX_BG)) { -+ if (EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_META_BG)) { - if (le32_to_cpu(es->s_first_meta_bg) >= db_count) { - ext4_msg(sb, KERN_WARNING, - "first meta block group too large: %u " diff --git a/Patches/Linux_CVEs/CVE-2016-10208/ANY/5.patch.base64 b/Patches/Linux_CVEs/CVE-2016-10208/ANY/5.patch.base64 deleted file mode 100644 index d4b68e43..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10208/ANY/5.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-10229/^4.5/0.patch b/Patches/Linux_CVEs/CVE-2016-10229/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10229/^4.5/0.patch rename to Patches/Linux_CVEs/CVE-2016-10229/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-10230/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10230/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10230/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-10230/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-10231/3.18/0.patch b/Patches/Linux_CVEs/CVE-2016-10231/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10231/3.18/0.patch rename to Patches/Linux_CVEs/CVE-2016-10231/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2016-10231/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-10231/ANY/1.patch deleted file mode 100644 index 4668d712..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10231/ANY/1.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 597b1ae4e29ecbc40dc21ea3646f5ee1ee61932e Mon Sep 17 00:00:00 2001 -From: Karthikeyan Mani -Date: Wed, 7 Dec 2016 18:19:31 -0800 -Subject: ASoC: wcd9320: Fix out of bounds for mad input value - -Add check in taiko_mad_input_put function to -return error on out of bounds access using -mad input value - -CRs-fixed: 1096799 -Change-Id: I75ce9e881cf05a50e874a555b2f8bd3286cdaed4 -Signed-off-by: Karthikeyan Mani ---- - sound/soc/codecs/wcd9320.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/sound/soc/codecs/wcd9320.c b/sound/soc/codecs/wcd9320.c -index 697a1b6..ee4af87 100644 ---- a/sound/soc/codecs/wcd9320.c -+++ b/sound/soc/codecs/wcd9320.c -@@ -1204,6 +1204,14 @@ static int taiko_mad_input_put(struct snd_kcontrol *kcontrol, - - taiko_mad_input = ucontrol->value.integer.value[0]; - -+ if (taiko_mad_input >= ARRAY_SIZE(taiko_conn_mad_text)) { -+ dev_err(codec->dev, -+ "%s: taiko_mad_input = %d out of bounds\n", -+ __func__, taiko_mad_input); -+ return -EINVAL; -+ } -+ -+ - micb_4_int_reg = taiko->resmgr.reg_addr->micb_4_int_rbias; - pr_debug("%s: taiko_mad_input = %s\n", __func__, - taiko_conn_mad_text[taiko_mad_input]); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-10232/3.10/1.patch b/Patches/Linux_CVEs/CVE-2016-10232/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10232/3.10/1.patch rename to Patches/Linux_CVEs/CVE-2016-10232/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-10232/3.18/0.patch b/Patches/Linux_CVEs/CVE-2016-10232/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10232/3.18/0.patch rename to Patches/Linux_CVEs/CVE-2016-10232/3.18/0002.patch 
diff --git a/Patches/Linux_CVEs/CVE-2016-10233/3.10/1.patch b/Patches/Linux_CVEs/CVE-2016-10233/3.10/1.patch deleted file mode 100644 index 139d25cf..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10233/3.10/1.patch +++ /dev/null @@ -1,37 +0,0 @@ -From ada155f04184f09ed6972ac7bbe86205422275e0 Mon Sep 17 00:00:00 2001 -From: VijayaKumar T M -Date: Wed, 4 Jan 2017 13:12:38 +0530 -Subject: msm-camera: Addressing possible overflow conditions - -Changes to address possible integer overflow and incorrect -array indexing conditions. - -CRs-Fixed: 897259 -Change-Id: Ib134320cd6f7b34d7a10572ec347ec12127049a9 -Signed-off-by: Trilokesh Rangam -Signed-off-by: Yang Guang -Signed-off-by: VijayaKumar T M ---- - drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c -index 41c784a..ffd1f1e 100644 ---- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c -+++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_io_util.c -@@ -253,6 +253,12 @@ int msm_camera_config_vreg(struct device *dev, struct camera_vreg_t *cam_vreg, - pr_err("%s:%d vreg sequence invalid\n", __func__, __LINE__); - return -EINVAL; - } -+ -+ if (cam_vreg == NULL) { -+ pr_err("%s:%d cam_vreg sequence invalid\n", __func__, __LINE__); -+ return -EINVAL; -+ } -+ - if (!num_vreg_seq) - num_vreg_seq = num_vreg; - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-10233/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10233/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10233/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-10233/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2016-10234/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-10234/3.10/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-10234/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2016-10234/3.10/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-10234/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10234/3.18/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-10234/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-10234/3.18/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-10235/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10235/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-10235/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-10235/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-10235/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-10235/ANY/1.patch
deleted file mode 100644
index 14614ba2..00000000
--- a/Patches/Linux_CVEs/CVE-2016-10235/ANY/1.patch
+++ /dev/null
@@ -1,35 +0,0 @@ -From a8b3b4ff293108a3aef0ea1ec1760f3d406d1e36 Mon Sep 17 00:00:00 2001 -From: Subrat Dash -Date: Wed, 14 Dec 2016 14:35:24 +0530 -Subject: prima: Fix VHT-80 IBSS stops beaconing - -A STA entry is created for each peer joining -the network to take care of the peer specific -capabilities. - -The VDEV need not be reconfigured for IBSS peer -with different channel width joining the network. - -Change-Id: Iec6ec5d2b510b84538f4e5300b3f1c5cc63b334d -CRs-Fixed: 1046409 ---- - CORE/MAC/src/pe/sch/schBeaconProcess.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/CORE/MAC/src/pe/sch/schBeaconProcess.c b/CORE/MAC/src/pe/sch/schBeaconProcess.c -index 8d3483b..8d32309 100644 ---- a/CORE/MAC/src/pe/sch/schBeaconProcess.c -+++ b/CORE/MAC/src/pe/sch/schBeaconProcess.c -@@ -469,7 +469,8 @@ static void __schBeaconProcessForSession( tpAniSirGlobal pMac, - sendProbeReq = TRUE; - } - -- if ( psessionEntry->htCapability && pBeacon->HTInfo.present ) -+ if ( psessionEntry->htCapability && pBeacon->HTInfo.present && -+ (!LIM_IS_IBSS_ROLE(psessionEntry))) - { - limUpdateStaRunTimeHTSwitchChnlParams( pMac, &pBeacon->HTInfo, bssIdx,psessionEntry); - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-10236/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10236/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10236/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-10236/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-10283/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10283/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10283/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-10283/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-10283/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-10283/ANY/0002.patch new file mode 100644 index 00000000..37d269c3 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-10283/ANY/0002.patch 
@@ -0,0 +1,43 @@ +From d60a5839ba987e2c9d365fef950cae0c9ad11010 Mon Sep 17 00:00:00 2001 +From: SaidiReddy Yenuga +Date: Tue, 21 Feb 2017 13:05:26 +0530 +Subject: qcacld-3.0: Trim operation classes to max supported in change station + +qcacld-2.0 to qcacld-3.0 Propagation. + +Operation classes supported can be controlled by user, which can +be sent greater than the max supported operations. This results +in stack overflow in change station command. + +Add check to validate operations supported param given by user +and if it exceeds max supported value, set it to max supported +value. + +CRs-Fixed: 2002052 +Change-Id: Idd3a35e38b091546a17d7ec6329f19429e5c289c +--- + core/hdd/src/wlan_hdd_cfg80211.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c +index 2ac8896..8f13919 100644 +--- a/core/hdd/src/wlan_hdd_cfg80211.c ++++ b/core/hdd/src/wlan_hdd_cfg80211.c +@@ -10513,6 +10513,14 @@ static int __wlan_hdd_change_station(struct wiphy *wiphy, + hdd_notice("After removing duplcates StaParams.supported_channels_len: %d", + StaParams.supported_channels_len); + } ++ if (params->supported_oper_classes_len > ++ CDS_MAX_SUPP_OPER_CLASSES) { ++ hdd_notice("received oper classes:%d, resetting it to max supported: %d", ++ params->supported_oper_classes_len, ++ CDS_MAX_SUPP_OPER_CLASSES); ++ params->supported_oper_classes_len = ++ CDS_MAX_SUPP_OPER_CLASSES; ++ } + qdf_mem_copy(StaParams.supported_oper_classes, + params->supported_oper_classes, + params->supported_oper_classes_len); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-10283/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-10283/ANY/1.patch deleted file mode 100644 index 82e47015..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10283/ANY/1.patch +++ /dev/null 
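Review bot: The clamp added to __wlan_hdd_change_station() writes the trimmed length back into `params->supported_oper_classes_len`, so the cfg80211 request is altered in place while `params->supported_oper_classes` still points at the longer user-supplied data. Bounding the copy with a local, `size_t len = min_t(size_t, params->supported_oper_classes_len, CDS_MAX_SUPP_OPER_CLASSES);`, and passing `len` to `qdf_mem_copy()` protects `StaParams.supported_oper_classes` without modifying the caller's structure. Silent truncation also lets an oversized request succeed with partial data; rejecting it with `-EINVAL` would be the stricter option. The function continues past the hunk, so whether `StaParams.supported_oper_classes_len` is later set from the clamped value cannot be checked from here.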
@@ -1,44 +0,0 @@ -From 5842cb5d592b7a4b89f2459ba71f78d860eb6267 Mon Sep 17 00:00:00 2001 -From: SaidiReddy Yenuga -Date: Wed, 5 Apr 2017 13:18:26 +0530 -Subject: wlan: Trim operation classes to max supported in change station - -qcacld-2.0 to prima propagation. - -Operation classes supported can be controlled by user, which can -be sent greater than the max supported operations. This results -in stack overflow in change station command. - -Add check to validate operations supported param given by user -and if it exceeds max supported value, set it to max supported -value. - -CRs-Fixed: 2002052 -Change-Id: Idd3a35e38b091546a17d7ec6329f19429e5c289c ---- - CORE/HDD/src/wlan_hdd_cfg80211.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c -index 66c732e..5a35945 100644 ---- a/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -11611,6 +11611,15 @@ static int __wlan_hdd_change_station(struct wiphy *wiphy, - } - StaParams.supported_channels_len = j; - } -+ if (params->supported_oper_classes_len > -+ SIR_MAC_MAX_SUPP_OPER_CLASSES) { -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, -+ "received oper classes:%d, resetting it to max supported %d", -+ params->supported_oper_classes_len, -+ SIR_MAC_MAX_SUPP_OPER_CLASSES); -+ params->supported_oper_classes_len = -+ SIR_MAC_MAX_SUPP_OPER_CLASSES; -+ } - vos_mem_copy(StaParams.supported_oper_classes, - params->supported_oper_classes, - params->supported_oper_classes_len); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-10285/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10285/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10285/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-10285/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2016-10286/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10286/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-10286/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-10286/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-10287/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10287/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-10287/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-10287/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-10288/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10288/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-10288/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-10288/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-10289/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10289/3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-10289/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-10289/3.18/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-10289/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2016-10289/4.4/0002.patch
new file mode 100644
index 00000000..bf53d873
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-10289/4.4/0002.patch
@@ -0,0 +1,80 @@ +From 08a969c0e4c399df047c8055ac11a19e124500ed Mon Sep 17 00:00:00 2001 +From: Zhen Kong +Date: Tue, 31 Jan 2017 12:07:10 -0800 +Subject: crypto: msm: check length before copying to buf in _debug_stats_read + +Make sure that `len` is not larger than `count` before copying data +to userspace `buf` in _debug_stats_read(). + +Change-Id: Iafb7cfa3828653f8c28183c812797c3d9a183da1 +Signed-off-by: Zhen Kong +--- + drivers/crypto/msm/ota_crypto.c | 6 +++--- + drivers/crypto/msm/qcedev.c | 4 ++-- + drivers/crypto/msm/qcrypto.c | 6 +++--- + 3 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/crypto/msm/ota_crypto.c b/drivers/crypto/msm/ota_crypto.c +index 9b4a001..674913c 100644 +--- a/drivers/crypto/msm/ota_crypto.c ++++ b/drivers/crypto/msm/ota_crypto.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2010-2014, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2010-2014,2017 The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -880,8 +880,8 @@ static ssize_t _debug_stats_read(struct file *file, char __user *buf, + int len; + + len = _disp_stats(); +- +- rc = simple_read_from_buffer((void __user *) buf, len, ++ if (len <= count) ++ rc = simple_read_from_buffer((void __user *) buf, len, + ppos, (void *) _debug_read_buf, len); + + return rc; +diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c +index a629c62..5ce87a6e 100644 +--- a/drivers/crypto/msm/qcedev.c ++++ b/drivers/crypto/msm/qcedev.c +@@ -1987,9 +1987,9 @@ static ssize_t _debug_stats_read(struct file *file, char __user *buf, + + len = _disp_stats(qcedev); + +- rc = simple_read_from_buffer((void __user *) buf, len, ++ if (len <= count) ++ rc = simple_read_from_buffer((void __user *) buf, len, + ppos, (void *) _debug_read_buf, len); +- + return rc; + } + +diff --git a/drivers/crypto/msm/qcrypto.c 
b/drivers/crypto/msm/qcrypto.c +index a898dbc..893b0b6 100644 +--- a/drivers/crypto/msm/qcrypto.c ++++ b/drivers/crypto/msm/qcrypto.c +@@ -1,6 +1,6 @@ + /* Qualcomm Crypto driver + * +- * Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2010-2017, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -5419,9 +5419,9 @@ static ssize_t _debug_stats_read(struct file *file, char __user *buf, + + len = _disp_stats(qcrypto); + +- rc = simple_read_from_buffer((void __user *) buf, len, ++ if (len <= count) ++ rc = simple_read_from_buffer((void __user *) buf, len, + ppos, (void *) _debug_read_buf, len); +- + return rc; + } + +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-10290/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10290/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10290/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-10290/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-10291/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-10291/3.10/0001.patch new file mode 100644 index 00000000..6e74db35 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-10291/3.10/0001.patch 
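Review bot: The new `if (len <= count)` guard in the three _debug_stats_read() copies (ota_crypto.c, qcedev.c, qcrypto.c) skips the copy entirely when the caller's buffer is smaller than the stats text. The function then returns whatever `rc` was initialised to, and that declaration is outside the hunk. Passing the caller's size through instead, `rc = simple_read_from_buffer((void __user *) buf, count, ppos, (void *) _debug_read_buf, len);`, lets the helper bound the copy to `count` and honour `*ppos`, so short reads return partial data rather than failing. If the guard is kept, `len` is an `int` compared against the unsigned `count`, so a comment noting that a negative `_disp_stats()` result is rejected only through that conversion would help the next reader.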
@@ -0,0 +1,74 @@ +From c2b026dcd498c93a789b6b84dbe9a73c4a9d8135 Mon Sep 17 00:00:00 2001 +From: Dilip Kota +Date: Mon, 21 Mar 2016 11:28:51 +0530 +Subject: slim-msm: Synchronize SSR callbacks + +Subsystem will restart within short timeframe. +Synchronise subsytem up/down callback notifications +to avoid functionality failures. +Use mutex locks to achieve synchronization. + +Change-Id: I5881c7d468507bb8402a2e9f8178b9c31e57e8a5 +Signed-off-by: Dilip Kota +--- + drivers/slimbus/slim-msm-ngd.c | 5 +++++ + drivers/slimbus/slim-msm.h | 3 ++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/slimbus/slim-msm-ngd.c b/drivers/slimbus/slim-msm-ngd.c +index 5c2c9a6..8c3a184 100644 +--- a/drivers/slimbus/slim-msm-ngd.c ++++ b/drivers/slimbus/slim-msm-ngd.c +@@ -1446,11 +1446,13 @@ static void ngd_adsp_down(struct msm_slim_ctrl *dev) + struct slim_controller *ctrl = &dev->ctrl; + struct slim_device *sbdev; + ++ mutex_lock(&dev->ssr_lock); + ngd_slim_enable(dev, false); + /* device up should be called again after SSR */ + list_for_each_entry(sbdev, &ctrl->devs, dev_list) + slim_report_absent(sbdev); + SLIM_INFO(dev, "SLIM ADSP SSR (DOWN) done\n"); ++ mutex_unlock(&dev->ssr_lock); + } + + static void ngd_adsp_up(struct work_struct *work) +@@ -1459,7 +1461,9 @@ static void ngd_adsp_up(struct work_struct *work) + container_of(work, struct msm_slim_qmi, ssr_up); + struct msm_slim_ctrl *dev = + container_of(qmi, struct msm_slim_ctrl, qmi); ++ mutex_lock(&dev->ssr_lock); + ngd_slim_enable(dev, true); ++ mutex_unlock(&dev->ssr_lock); + } + + static ssize_t show_mask(struct device *device, struct device_attribute *attr, +@@ -1623,6 +1627,7 @@ static int ngd_slim_probe(struct platform_device *pdev) + init_completion(&dev->reconf); + init_completion(&dev->ctrl_up); + mutex_init(&dev->tx_lock); ++ mutex_init(&dev->ssr_lock); + spin_lock_init(&dev->tx_buf_lock); + spin_lock_init(&dev->rx_lock); + dev->ee = 1; +diff --git a/drivers/slimbus/slim-msm.h 
b/drivers/slimbus/slim-msm.h +index dbb125d..0b4c4d3 100644 +--- a/drivers/slimbus/slim-msm.h ++++ b/drivers/slimbus/slim-msm.h +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -284,6 +284,7 @@ struct msm_slim_ctrl { + struct clk *rclk; + struct clk *hclk; + struct mutex tx_lock; ++ struct mutex ssr_lock; + spinlock_t tx_buf_lock; + u8 pgdla; + enum msm_slim_msgq use_rx_msgqs; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-10291/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10291/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10291/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-10291/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-10293/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10293/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10293/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-10293/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-10293/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-10293/ANY/1.patch deleted file mode 100644 index 996402e9..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10293/ANY/1.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c -index feb73bc..759ed14 100644 ---- a/drivers/video/msm/mdss/mdss_debug.c -+++ b/drivers/video/msm/mdss/mdss_debug.c -@@ -170,6 +170,8 @@ - p[2] = 0; - pr_debug("p[%d] = %pK:%s\n", i, p, p); - cnt = sscanf(p, "%x", &tmp); -+ if (cnt != 1) -+ return -EFAULT; - reg[i] = tmp; - pr_debug("reg[%d] = %x\n", i, (int)reg[i]); - } diff --git a/Patches/Linux_CVEs/CVE-2016-10293/ANY/1.patch.base64 b/Patches/Linux_CVEs/CVE-2016-10293/ANY/1.patch.base64 deleted file mode 100644 index 11548278..00000000 
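Review bot: `ssr_lock` is added to `struct msm_slim_ctrl` with no comment saying what it protects, and its two users live in a different file. A one-line comment at the field would make the locking rule reviewable, for example `struct mutex ssr_lock; /* serializes ngd_adsp_down() and ngd_adsp_up() */`. In `ngd_adsp_up()` the new `mutex_lock()` follows the declarations with no blank line, which kernel style normally separates.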
--- a/Patches/Linux_CVEs/CVE-2016-10293/ANY/1.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-10294/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10294/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10294/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-10294/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-10295/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10295/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10295/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-10295/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-10296/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-10296/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-10296/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-10296/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-10296/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-10296/ANY/1.patch deleted file mode 100644 index 4fd06fba..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10296/ANY/1.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -diff --git a/drivers/uio/msm_sharedmem/sharedmem_qmi.c b/drivers/uio/msm_sharedmem/sharedmem_qmi.c -index bb6a23b..c8ecd5d 100644 ---- a/drivers/uio/msm_sharedmem/sharedmem_qmi.c -+++ b/drivers/uio/msm_sharedmem/sharedmem_qmi.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2014-2015, 2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -257,12 +257,17 @@ - #define DEBUG_BUF_SIZE (2048) - static char *debug_buffer; - static u32 debug_data_size; -+static struct mutex dbg_buf_lock; /* mutex for debug_buffer */ - - static ssize_t debug_read(struct file *file, char __user *buf, - size_t count, loff_t *file_pos) - { -- return simple_read_from_buffer(buf, count, file_pos, debug_buffer, -- debug_data_size); -+ size_t ret; -+ mutex_lock(&dbg_buf_lock); -+ ret = simple_read_from_buffer(buf, count, file_pos, -+ debug_buffer, debug_data_size); -+ mutex_unlock(&dbg_buf_lock); -+ return ret; - } - - static u32 fill_debug_info(char *buffer, u32 buffer_size) -@@ -313,21 +318,29 @@ - { - u32 buffer_size; - -- if (debug_buffer != NULL) -+ mutex_lock(&dbg_buf_lock); -+ if (debug_buffer != NULL) { -+ mutex_unlock(&dbg_buf_lock); - return -EBUSY; -+ } - buffer_size = DEBUG_BUF_SIZE; - debug_buffer = kzalloc(buffer_size, GFP_KERNEL); -- if (debug_buffer == NULL) -+ if (debug_buffer == NULL) { -+ mutex_unlock(&dbg_buf_lock); - return -ENOMEM; -+ } - debug_data_size = fill_debug_info(debug_buffer, buffer_size); -+ mutex_unlock(&dbg_buf_lock); - return 0; - } - - static int debug_close(struct inode *inode, struct file *file) - { -+ mutex_lock(&dbg_buf_lock); - kfree(debug_buffer); - debug_buffer = NULL; - debug_data_size = 0; -+ mutex_unlock(&dbg_buf_lock); - return 0; - } - -@@ -358,6 +371,7 @@ - { - struct dentry *f_ent; - -+ mutex_init(&dbg_buf_lock); - dir_ent 
= debugfs_create_dir("rmt_storage", NULL); - if (IS_ERR(dir_ent)) { - pr_err("Failed to create debug_fs directory\n"); -@@ -386,6 +400,7 @@ - static void debugfs_exit(void) - { - debugfs_remove_recursive(dir_ent); -+ mutex_destroy(&dbg_buf_lock); - } - - static void sharedmem_qmi_svc_recv_msg(struct work_struct *work) diff --git a/Patches/Linux_CVEs/CVE-2016-10296/ANY/1.patch.base64 b/Patches/Linux_CVEs/CVE-2016-10296/ANY/1.patch.base64 deleted file mode 100644 index 6d54277d..00000000 --- a/Patches/Linux_CVEs/CVE-2016-10296/ANY/1.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-1583/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-1583/ANY/0.patch deleted file mode 100644 index 9d7b23e6..00000000 --- a/Patches/Linux_CVEs/CVE-2016-1583/ANY/0.patch +++ /dev/null 
@@ -1,57 +0,0 @@
-From f0fe970df3838c202ef6c07a4c2b36838ef0a88b Mon Sep 17 00:00:00 2001
-From: Jeff Mahoney
-Date: Tue, 5 Jul 2016 17:32:30 -0400
-Subject: ecryptfs: don't allow mmap when the lower fs doesn't support it
-
-There are legitimate reasons to disallow mmap on certain files, notably
-in sysfs or procfs. We shouldn't emulate mmap support on file systems
-that don't offer support natively.
-
-CVE-2016-1583
-
-Signed-off-by: Jeff Mahoney
-Cc: stable@vger.kernel.org
-[tyhicks: clean up f_op check by using ecryptfs_file_to_lower()]
-Signed-off-by: Tyler Hicks
----
- fs/ecryptfs/file.c | 15 ++++++++++++++-
- 1 file changed, 14 insertions(+), 1 deletion(-)
-
-(limited to 'fs/ecryptfs/file.c')
-
-diff --git a/fs/ecryptfs/file.c b/fs/ecryptfs/file.c
-index 53d0141..ca4e837 100644
---- a/fs/ecryptfs/file.c
-+++ b/fs/ecryptfs/file.c
-@@ -169,6 +169,19 @@ out:
- return rc;
- }
-
-+static int ecryptfs_mmap(struct file *file, struct vm_area_struct *vma)
-+{
-+ struct file *lower_file = ecryptfs_file_to_lower(file);
-+ /*
-+ * Don't allow mmap on top of file systems that don't support it
-+ * natively. If FILESYSTEM_MAX_STACK_DEPTH > 2 or ecryptfs
-+ * allows recursive mounting, this will need to be extended.
-+ */
-+ if (!lower_file->f_op->mmap)
-+ return -ENODEV;
-+ return generic_file_mmap(file, vma);
-+}
-+
- /**
- * ecryptfs_open
- * @inode: inode specifying file to open
-@@ -403,7 +416,7 @@ const struct file_operations ecryptfs_main_fops = {
- #ifdef CONFIG_COMPAT
- .compat_ioctl = ecryptfs_compat_ioctl,
- #endif
-- .mmap = generic_file_mmap,
-+ .mmap = ecryptfs_mmap,
- .open = ecryptfs_open,
- .flush = ecryptfs_flush,
- .release = ecryptfs_release,
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2016-1583/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-1583/ANY/0001.patch
new file mode 100644
index 00000000..f3ede40b
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-1583/ANY/0001.patch
@@ -0,0 +1,41 @@
+From e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Wed, 1 Jun 2016 11:55:05 +0200
+Subject: proc: prevent stacking filesystems on top
+
+This prevents stacking filesystems (ecryptfs and overlayfs) from using
+procfs as lower filesystem. There is too much magic going on inside
+procfs, and there is no good reason to stack stuff on top of procfs.
+
+(For example, procfs does access checks in VFS open handlers, and
+ecryptfs by design calls open handlers from a kernel thread that doesn't
+drop privileges or so.)
+
+Signed-off-by: Jann Horn
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds
+---
+ fs/proc/root.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/fs/proc/root.c b/fs/proc/root.c
+index 361ab4e..ec649c9 100644
+--- a/fs/proc/root.c
++++ b/fs/proc/root.c
+@@ -121,6 +121,13 @@ static struct dentry *proc_mount(struct file_system_type *fs_type,
+ if (IS_ERR(sb))
+ return ERR_CAST(sb);
+
++ /*
++ * procfs isn't actually a stacking filesystem; however, there is
++ * too much magic going on inside it to permit stacking things on
++ * top of it
++ */
++ sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH;
++
+ if (!proc_parse_options(options, ns)) {
+ deactivate_locked_super(sb);
+ return ERR_PTR(-EINVAL);
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-1583/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-1583/ANY/0002.patch
new file mode 100644
index 00000000..a3e2dca7
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-1583/ANY/0002.patch
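Review bot: This patch is filed under `ANY/`, but the added line `sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH;` needs a `struct super_block` that has `s_stack_depth`. As far as I know that field only exists since the stacking-depth limit arrived with overlayfs in 3.18. If `ANY/` means "apply to every kernel tree" (inferred from the sibling `3.10/`, `3.18/` and `^3.5/` directories), older trees will fail to build or will silently lose this hunk, so a version-scoped directory would be safer. The same question applies to `0002.patch` beside it, whose context line uses `d_inode()`, a helper that as far as I know is newer than the 3.x trees this layout mentions.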
@@ -0,0 +1,59 @@
+From 2f36db71009304b3f0b95afacd8eba1f9f046b87 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Wed, 1 Jun 2016 11:55:06 +0200
+Subject: ecryptfs: forbid opening files without mmap handler
+
+This prevents users from triggering a stack overflow through a recursive
+invocation of pagefault handling that involves mapping procfs files into
+virtual memory.
+
+Signed-off-by: Jann Horn
+Acked-by: Tyler Hicks
+Cc: stable@vger.kernel.org
+Signed-off-by: Linus Torvalds
+---
+ fs/ecryptfs/kthread.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ecryptfs/kthread.c b/fs/ecryptfs/kthread.c
+index 866bb18..e818f5a 100644
+--- a/fs/ecryptfs/kthread.c
++++ b/fs/ecryptfs/kthread.c
+@@ -25,6 +25,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "ecryptfs_kernel.h"
+
+ struct ecryptfs_open_req {
+@@ -147,7 +148,7 @@ int ecryptfs_privileged_open(struct file **lower_file,
+ flags |= IS_RDONLY(d_inode(lower_dentry)) ? O_RDONLY : O_RDWR;
+ (*lower_file) = dentry_open(&req.path, flags, cred);
+ if (!IS_ERR(*lower_file))
+- goto out;
++ goto have_file;
+ if ((flags & O_ACCMODE) == O_RDONLY) {
+ rc = PTR_ERR((*lower_file));
+ goto out;
+@@ -165,8 +166,16 @@ int ecryptfs_privileged_open(struct file **lower_file,
+ mutex_unlock(&ecryptfs_kthread_ctl.mux);
+ wake_up(&ecryptfs_kthread_ctl.wait);
+ wait_for_completion(&req.done);
+- if (IS_ERR(*lower_file))
++ if (IS_ERR(*lower_file)) {
+ rc = PTR_ERR(*lower_file);
++ goto out;
++ }
++have_file:
++ if ((*lower_file)->f_op->mmap == NULL) {
++ fput(*lower_file);
++ *lower_file = NULL;
++ rc = -EMEDIUMTYPE;
++ }
+ out:
+ return rc;
+ }
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-1583/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2016-1583/ANY/0003.patch
new file mode 100644
index 00000000..1aef35de
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-1583/ANY/0003.patch
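Review bot: The new block after `have_file:` rejects a lower file that has no `mmap` handler but carries no comment saying why, and `-EMEDIUMTYPE` is an unusual errno that a later reader will question. I would add `/* refuse lower files without an mmap handler (e.g. procfs): mapping them through ecryptfs can recurse in page-fault handling */` above the `if`. This commit also deletes `0.patch`, whose `ecryptfs_mmap()` wrapper made the same test at mmap time. None of the replacement patches visible here carries it, so confirm that dropping that second check is intended. `ecryptfs_privileged_open()` starts and ends outside the hunks shown.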
@@ -0,0 +1,36 @@
+From 29d6455178a09e1dc340380c582b13356227e8df Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Wed, 1 Jun 2016 11:55:07 +0200
+Subject: sched: panic on corrupted stack end
+
+Until now, hitting this BUG_ON caused a recursive oops (because oops
+handling involves do_exit(), which calls into the scheduler, which in
+turn raises an oops), which caused stuff below the stack to be
+overwritten until a panic happened (e.g. via an oops in interrupt
+context, caused by the overwritten CPU index in the thread_info).
+
+Just panic directly.
+
+Signed-off-by: Jann Horn
+Signed-off-by: Linus Torvalds
+---
+ kernel/sched/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/sched/core.c b/kernel/sched/core.c
+index d1f7149..11546a6 100644
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -3047,7 +3047,8 @@ static noinline void __schedule_bug(struct task_struct *prev)
+ static inline void schedule_debug(struct task_struct *prev)
+ {
+ #ifdef CONFIG_SCHED_STACK_END_CHECK
+- BUG_ON(task_stack_end_corrupted(prev));
++ if (task_stack_end_corrupted(prev))
++ panic("corrupted stack end detected inside scheduler\n");
+ #endif
+
+ if (unlikely(in_atomic_preempt_off())) {
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-2053/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2053/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-2053/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-2053/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-2059/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2059/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-2059/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-2059/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-2060/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2060/ANY/0001.patch
new file mode 100644
index 00000000..bc3e6afc
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-2060/ANY/0001.patch
@@ -0,0 +1,34 @@ +From e9925f5acb4401588e23ea8a27c3e318f71b5cf8 Mon Sep 17 00:00:00 2001 +From: Bryse Flowers +Date: Thu, 11 Feb 2016 12:20:37 -0800 +Subject: netd: Validate incoming upstream interface before adding + +Add isIfaceName check to addUpstreamInterface. + +Change-Id: Iacb5cb1ca6476765e5350b1cf3d822f4fcda32b8 +CRs-Fixed: 959631 +--- + server/TetherController.cpp | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/server/TetherController.cpp b/server/TetherController.cpp +index f6287c8..c4d6b83 100644 +--- a/server/TetherController.cpp ++++ b/server/TetherController.cpp +@@ -482,9 +482,10 @@ int TetherController::addUpstreamInterface(char *iface) + + ALOGD("addUpstreamInterface(%s)\n", iface); + +- if (!iface) { +- ALOGE("addUpstreamInterface: received null interface"); +- return 0; ++ if (!isIfaceName(iface)) { ++ ALOGE("addUpstreamInterface: received invalid interface"); ++ errno = ENOENT; ++ return -1; + } + for (it = mUpstreamInterfaces->begin(); it != mUpstreamInterfaces->end(); ++it) { + ALOGD("."); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2061/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2061/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2061/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-2061/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-2062/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2062/ANY/0001.patch new file mode 100644 index 00000000..2b9584e6 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2062/ANY/0001.patch @@ -0,0 +1,7 @@ + +301 Moved Permanently + +
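Review bot: Replacing `if (!iface)` with `if (!isIfaceName(iface))` in `addUpstreamInterface()` drops the explicit null guard, so a null `iface` is now handed to `isIfaceName()`, whose body is not shown here. Unless that helper rejects null itself, the old early return becomes a dereference; `if (!iface || !isIfaceName(iface)) {` keeps both checks. The `ALOGD("addUpstreamInterface(%s)\n", iface);` above the check still formats the unvalidated pointer and would be better placed after the validation. The rejected case now returns `-1` instead of `0`, which callers outside this hunk need to handle.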

301 Moved Permanently

+
nginx/1.12.1
+ + diff --git a/Patches/Linux_CVEs/CVE-2016-2063/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2063/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2063/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-2063/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-2064/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2064/ANY/0001.patch new file mode 100644 index 00000000..06b77eb4 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2064/ANY/0001.patch 
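Review bot: The seven lines added as `CVE-2016-2062/ANY/0001.patch` are the body of an nginx `301 Moved Permanently` response, not a patch, so the fix for that CVE is not actually in the tree. The download that produced the file apparently did not follow the redirect. Anything that applies this directory will either fail on the file or skip it silently, depending on how errors are handled. Re-fetch it from the redirected location, and have the import step reject any download that does not begin with a patch header (`From `, `diff --git` or `---`) and, ideally, verify it against the expected commit id.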
@@ -0,0 +1,1511 @@ +From 775fca8289eff931f91ff6e8c36cf2034ba59e88 Mon Sep 17 00:00:00 2001 +From: Weiyin Jiang +Date: Wed, 16 Mar 2016 12:51:03 +0800 +Subject: ASoC: msm: audio-effects: fix stack overread and heap overwrite + +Fix overwrite of updt_params allocated in heap, and stack overread +where param pointer is passed from user space. + +CRs-Fixed: 989628 +Change-Id: Ida8bdb7da2fcb97023dce3b6eafe4b899a51cb66 +Signed-off-by: Weiyin Jiang +--- + drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 3 +- + include/sound/msm-audio-effects-q6-v2.h | 4 +- + sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c | 835 +++++++++++++++++------- + sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c | 2 +- + 4 files changed, 588 insertions(+), 256 deletions(-) + +diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c +index c100c47..3ba20ca 100644 +--- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c ++++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. + * + * This software is licensed under the terms of the GNU General Public + * License version 2, as published by the Free Software Foundation, and +@@ -20,7 +20,6 @@ + #include + + #define MAX_CHANNELS_SUPPORTED 8 +-#define MAX_PP_PARAMS_SZ 128 + #define WAIT_TIMEDOUT_DURATION_SECS 1 + + struct q6audio_effects { +diff --git a/include/sound/msm-audio-effects-q6-v2.h b/include/sound/msm-audio-effects-q6-v2.h +index cbdea32..6bc2338 100644 +--- a/include/sound/msm-audio-effects-q6-v2.h ++++ b/include/sound/msm-audio-effects-q6-v2.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2013-2015, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -16,6 +16,8 @@ + + #include + ++#define MAX_PP_PARAMS_SZ 128 ++ + bool msm_audio_effects_is_effmodule_supp_in_top(int effect_module, + int topology); + +diff --git a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c +index e26c453..1c08842 100644 +--- a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c ++++ b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -20,6 +20,24 @@ + + #define MAX_ENABLE_CMD_SIZE 32 + ++#define GET_NEXT(ptr, upper_limit, rc) \ ++({ \ ++ if (((ptr) + 1) > (upper_limit)) { \ ++ pr_err("%s: param list out of boundary\n", __func__); \ ++ (rc) = -EINVAL; \ ++ } \ ++ ((rc) == 0) ? 
*(ptr)++ : -EINVAL; \ ++}) ++ ++#define CHECK_PARAM_LEN(len, max_len, tag, rc) \ ++do { \ ++ if ((len) > (max_len)) { \ ++ pr_err("%s: params length overflows\n", (tag)); \ ++ (rc) = -EINVAL; \ ++ } \ ++} while (0) ++ ++ + bool msm_audio_effects_is_effmodule_supp_in_top(int effect_module, + int topology) + { +@@ -109,15 +127,16 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + struct virtualizer_params *virtualizer, + long *values) + { +- int devices = *values++; +- int num_commands = *values++; +- char *params; ++ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ char *params = NULL; ++ int rc = 0; ++ int devices = GET_NEXT(values, param_max_offset, rc); ++ int num_commands = GET_NEXT(values, param_max_offset, rc); + int *updt_params, i, prev_enable_flag; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); +- int rc = 0; + + pr_debug("%s\n", __func__); +- if (!ac) { ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { + pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } +@@ -130,10 +149,14 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); + switch (command_id) { + case VIRTUALIZER_ENABLE: + if (length != 1 || index_offset != 0) { +@@ -142,17 +165,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + goto invalid_config; + } + prev_enable_flag = virtualizer->enable_flag; +- virtualizer->enable_flag = *values++; ++ virtualizer->enable_flag = ++ 
GET_NEXT(values, param_max_offset, rc); + pr_debug("%s:VIRT ENABLE prev:%d, new:%d\n", __func__, + prev_enable_flag, virtualizer->enable_flag); + if (prev_enable_flag != virtualizer->enable_flag) { +- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; +- *updt_params++ = +- AUDPROC_PARAM_ID_VIRTUALIZER_ENABLE; +- *updt_params++ = VIRTUALIZER_ENABLE_PARAM_SZ; +- *updt_params++ = virtualizer->enable_flag; + params_length += COMMAND_PAYLOAD_SZ + + VIRTUALIZER_ENABLE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VIRT ENABLE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_VIRTUALIZER; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_VIRTUALIZER_ENABLE; ++ *updt_params++ = ++ VIRTUALIZER_ENABLE_PARAM_SZ; ++ *updt_params++ = ++ virtualizer->enable_flag; + } + break; + case VIRTUALIZER_STRENGTH: +@@ -161,17 +193,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- virtualizer->strength = *values++; ++ virtualizer->strength = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: VIRT STRENGTH val: %d\n", + __func__, virtualizer->strength); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; ++ params_length += COMMAND_PAYLOAD_SZ + ++ VIRTUALIZER_STRENGTH_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VIRT STRENGTH", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_VIRTUALIZER; + *updt_params++ = + AUDPROC_PARAM_ID_VIRTUALIZER_STRENGTH; +- *updt_params++ = VIRTUALIZER_STRENGTH_PARAM_SZ; +- *updt_params++ = virtualizer->strength; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + VIRTUALIZER_STRENGTH_PARAM_SZ; ++ *updt_params++ = ++ virtualizer->strength; + } + break; + case VIRTUALIZER_OUT_TYPE: +@@ -180,17 +221,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- virtualizer->out_type = *values++; 
++ virtualizer->out_type = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: VIRT OUT_TYPE val:%d\n", + __func__, virtualizer->out_type); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; ++ params_length += COMMAND_PAYLOAD_SZ + ++ VIRTUALIZER_OUT_TYPE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VIRT OUT_TYPE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_VIRTUALIZER; + *updt_params++ = + AUDPROC_PARAM_ID_VIRTUALIZER_OUT_TYPE; +- *updt_params++ = VIRTUALIZER_OUT_TYPE_PARAM_SZ; +- *updt_params++ = virtualizer->out_type; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + VIRTUALIZER_OUT_TYPE_PARAM_SZ; ++ *updt_params++ = ++ virtualizer->out_type; + } + break; + case VIRTUALIZER_GAIN_ADJUST: +@@ -199,18 +249,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- virtualizer->gain_adjust = *values++; ++ virtualizer->gain_adjust = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: VIRT GAIN_ADJUST val:%d\n", + __func__, virtualizer->gain_adjust); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; +- *updt_params++ = +- AUDPROC_PARAM_ID_VIRTUALIZER_GAIN_ADJUST; +- *updt_params++ = +- VIRTUALIZER_GAIN_ADJUST_PARAM_SZ; +- *updt_params++ = virtualizer->gain_adjust; + params_length += COMMAND_PAYLOAD_SZ + + VIRTUALIZER_GAIN_ADJUST_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VIRT GAIN_ADJUST", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_VIRTUALIZER; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_VIRTUALIZER_GAIN_ADJUST; ++ *updt_params++ = ++ VIRTUALIZER_GAIN_ADJUST_PARAM_SZ; ++ *updt_params++ = ++ virtualizer->gain_adjust; + } + break; + default: +@@ -218,7 +276,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + break; + } + } +- if (params_length && 
!msm_dts_eagle_is_hpx_on()) ++ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + else +@@ -232,15 +290,16 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + struct reverb_params *reverb, + long *values) + { +- int devices = *values++; +- int num_commands = *values++; +- char *params; ++ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ char *params = NULL; ++ int rc = 0; ++ int devices = GET_NEXT(values, param_max_offset, rc); ++ int num_commands = GET_NEXT(values, param_max_offset, rc); + int *updt_params, i, prev_enable_flag; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); +- int rc = 0; + + pr_debug("%s\n", __func__); +- if (!ac) { ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { + pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } +@@ -253,10 +312,14 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); + switch (command_id) { + case REVERB_ENABLE: + if (length != 1 || index_offset != 0) { +@@ -265,16 +328,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + goto invalid_config; + } + prev_enable_flag = reverb->enable_flag; +- reverb->enable_flag = *values++; ++ reverb->enable_flag = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s:REVERB_ENABLE prev:%d,new:%d\n", __func__, + prev_enable_flag, reverb->enable_flag); + if (prev_enable_flag != reverb->enable_flag) { +- 
*updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = AUDPROC_PARAM_ID_REVERB_ENABLE; +- *updt_params++ = REVERB_ENABLE_PARAM_SZ; +- *updt_params++ = reverb->enable_flag; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_ENABLE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_ENABLE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_ENABLE; ++ *updt_params++ = ++ REVERB_ENABLE_PARAM_SZ; ++ *updt_params++ = ++ reverb->enable_flag; + } + break; + case REVERB_MODE: +@@ -283,16 +356,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->mode = *values++; ++ reverb->mode = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_MODE val:%d\n", + __func__, reverb->mode); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = AUDPROC_PARAM_ID_REVERB_MODE; +- *updt_params++ = REVERB_MODE_PARAM_SZ; +- *updt_params++ = reverb->mode; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_MODE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_MODE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_MODE; ++ *updt_params++ = ++ REVERB_MODE_PARAM_SZ; ++ *updt_params++ = ++ reverb->mode; + } + break; + case REVERB_PRESET: +@@ -301,16 +384,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->preset = *values++; ++ reverb->preset = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_PRESET val:%d\n", + __func__, reverb->preset); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = AUDPROC_PARAM_ID_REVERB_PRESET; +- *updt_params++ = REVERB_PRESET_PARAM_SZ; +- *updt_params++ = reverb->preset; + 
params_length += COMMAND_PAYLOAD_SZ + + REVERB_PRESET_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_PRESET", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_PRESET; ++ *updt_params++ = ++ REVERB_PRESET_PARAM_SZ; ++ *updt_params++ = ++ reverb->preset; + } + break; + case REVERB_WET_MIX: +@@ -319,17 +412,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->wet_mix = *values++; ++ reverb->wet_mix = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_WET_MIX val:%d\n", + __func__, reverb->wet_mix); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_WET_MIX_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_WET_MIX", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_WET_MIX; +- *updt_params++ = REVERB_WET_MIX_PARAM_SZ; +- *updt_params++ = reverb->wet_mix; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_WET_MIX_PARAM_SZ; ++ *updt_params++ = ++ reverb->wet_mix; + } + break; + case REVERB_GAIN_ADJUST: +@@ -338,17 +440,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->gain_adjust = *values++; ++ reverb->gain_adjust = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_GAIN_ADJUST val:%d\n", + __func__, reverb->gain_adjust); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_GAIN_ADJUST_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_GAIN_ADJUST", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + 
AUDPROC_PARAM_ID_REVERB_GAIN_ADJUST; +- *updt_params++ = REVERB_GAIN_ADJUST_PARAM_SZ; +- *updt_params++ = reverb->gain_adjust; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_GAIN_ADJUST_PARAM_SZ; ++ *updt_params++ = ++ reverb->gain_adjust; + } + break; + case REVERB_ROOM_LEVEL: +@@ -357,17 +468,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->room_level = *values++; ++ reverb->room_level = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_ROOM_LEVEL val:%d\n", + __func__, reverb->room_level); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_ROOM_LEVEL_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_ROOM_LEVEL", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_ROOM_LEVEL; +- *updt_params++ = REVERB_ROOM_LEVEL_PARAM_SZ; +- *updt_params++ = reverb->room_level; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_ROOM_LEVEL_PARAM_SZ; ++ *updt_params++ = ++ reverb->room_level; + } + break; + case REVERB_ROOM_HF_LEVEL: +@@ -376,17 +496,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->room_hf_level = *values++; ++ reverb->room_hf_level = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_ROOM_HF_LEVEL val%d\n", + __func__, reverb->room_hf_level); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_ROOM_HF_LEVEL_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_ROOM_HF_LEVEL", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_ROOM_HF_LEVEL; +- *updt_params++ = 
REVERB_ROOM_HF_LEVEL_PARAM_SZ; +- *updt_params++ = reverb->room_hf_level; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_ROOM_HF_LEVEL_PARAM_SZ; ++ *updt_params++ = ++ reverb->room_hf_level; + } + break; + case REVERB_DECAY_TIME: +@@ -395,17 +524,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->decay_time = *values++; ++ reverb->decay_time = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_DECAY_TIME val:%d\n", + __func__, reverb->decay_time); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_DECAY_TIME_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_DECAY_TIME", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_DECAY_TIME; +- *updt_params++ = REVERB_DECAY_TIME_PARAM_SZ; +- *updt_params++ = reverb->decay_time; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_DECAY_TIME_PARAM_SZ; ++ *updt_params++ = ++ reverb->decay_time; + } + break; + case REVERB_DECAY_HF_RATIO: +@@ -414,17 +552,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->decay_hf_ratio = *values++; ++ reverb->decay_hf_ratio = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_DECAY_HF_RATIO val%d\n", + __func__, reverb->decay_hf_ratio); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_DECAY_HF_RATIO_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_DECAY_HF_RATIO", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_DECAY_HF_RATIO; +- *updt_params++ = REVERB_DECAY_HF_RATIO_PARAM_SZ; +- *updt_params++ = 
reverb->decay_hf_ratio; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_DECAY_HF_RATIO_PARAM_SZ; ++ *updt_params++ = ++ reverb->decay_hf_ratio; + } + break; + case REVERB_REFLECTIONS_LEVEL: +@@ -433,18 +580,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->reflections_level = *values++; ++ reverb->reflections_level = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_REFLECTIONS_LEVEL val:%d\n", + __func__, reverb->reflections_level); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = +- AUDPROC_PARAM_ID_REVERB_REFLECTIONS_LEVEL; +- *updt_params++ = +- REVERB_REFLECTIONS_LEVEL_PARAM_SZ; +- *updt_params++ = reverb->reflections_level; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_REFLECTIONS_LEVEL_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_REFLECTIONS_LEVEL", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_REFLECTIONS_LEVEL; ++ *updt_params++ = ++ REVERB_REFLECTIONS_LEVEL_PARAM_SZ; ++ *updt_params++ = ++ reverb->reflections_level; + } + break; + case REVERB_REFLECTIONS_DELAY: +@@ -453,18 +608,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->reflections_delay = *values++; ++ reverb->reflections_delay = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_REFLECTIONS_DELAY val:%d\n", + __func__, reverb->reflections_delay); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = +- AUDPROC_PARAM_ID_REVERB_REFLECTIONS_DELAY; +- *updt_params++ = +- REVERB_REFLECTIONS_DELAY_PARAM_SZ; +- *updt_params++ = reverb->reflections_delay; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_REFLECTIONS_DELAY_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ 
MAX_INBAND_PARAM_SZ, ++ "REVERB_REFLECTIONS_DELAY", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_REFLECTIONS_DELAY; ++ *updt_params++ = ++ REVERB_REFLECTIONS_DELAY_PARAM_SZ; ++ *updt_params++ = ++ reverb->reflections_delay; + } + break; + case REVERB_LEVEL: +@@ -473,16 +636,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->level = *values++; ++ reverb->level = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_LEVEL val:%d\n", + __func__, reverb->level); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = AUDPROC_PARAM_ID_REVERB_LEVEL; +- *updt_params++ = REVERB_LEVEL_PARAM_SZ; +- *updt_params++ = reverb->level; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_LEVEL_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_LEVEL", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_LEVEL; ++ *updt_params++ = ++ REVERB_LEVEL_PARAM_SZ; ++ *updt_params++ = ++ reverb->level; + } + break; + case REVERB_DELAY: +@@ -491,16 +664,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->delay = *values++; ++ reverb->delay = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s:REVERB_DELAY val:%d\n", + __func__, reverb->delay); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = AUDPROC_PARAM_ID_REVERB_DELAY; +- *updt_params++ = REVERB_DELAY_PARAM_SZ; +- *updt_params++ = reverb->delay; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_DELAY_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_DELAY", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ 
AUDPROC_PARAM_ID_REVERB_DELAY; ++ *updt_params++ = ++ REVERB_DELAY_PARAM_SZ; ++ *updt_params++ = ++ reverb->delay; + } + break; + case REVERB_DIFFUSION: +@@ -509,17 +692,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->diffusion = *values++; ++ reverb->diffusion = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_DIFFUSION val:%d\n", + __func__, reverb->diffusion); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_DIFFUSION_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_DIFFUSION", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_DIFFUSION; +- *updt_params++ = REVERB_DIFFUSION_PARAM_SZ; +- *updt_params++ = reverb->diffusion; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_DIFFUSION_PARAM_SZ; ++ *updt_params++ = ++ reverb->diffusion; + } + break; + case REVERB_DENSITY: +@@ -528,17 +720,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->density = *values++; ++ reverb->density = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_DENSITY val:%d\n", + __func__, reverb->density); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_DENSITY_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_DENSITY", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_DENSITY; +- *updt_params++ = REVERB_DENSITY_PARAM_SZ; +- *updt_params++ = reverb->density; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_DENSITY_PARAM_SZ; ++ *updt_params++ = ++ reverb->density; + } + break; + default: +@@ 
-546,7 +747,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + break; + } + } +- if (params_length && !msm_dts_eagle_is_hpx_on()) ++ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + else +@@ -560,15 +761,16 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + struct bass_boost_params *bass_boost, + long *values) + { +- int devices = *values++; +- int num_commands = *values++; +- char *params; ++ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ char *params = NULL; ++ int rc = 0; ++ int devices = GET_NEXT(values, param_max_offset, rc); ++ int num_commands = GET_NEXT(values, param_max_offset, rc); + int *updt_params, i, prev_enable_flag; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); +- int rc = 0; + + pr_debug("%s\n", __func__); +- if (!ac) { ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { + pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } +@@ -581,10 +783,14 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); + switch (command_id) { + case BASS_BOOST_ENABLE: + if (length != 1 || index_offset != 0) { +@@ -593,18 +799,27 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + goto invalid_config; + } + prev_enable_flag = bass_boost->enable_flag; +- bass_boost->enable_flag = *values++; ++ bass_boost->enable_flag = ++ GET_NEXT(values, param_max_offset, 
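Review bot: The guard `if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL))` in the msm_audio_effects_bass_boost_handler prologue detects a failed read through an in-band sentinel, so a caller-supplied value that happens to equal -EINVAL is treated as a failed read, and `num_commands` gets no range check of its own. The GET_NEXT definition visible later on this page sets `rc` on failure, so testing that status is unambiguous: `if (!ac || rc != 0) {`. The same guard is added in the pbe, popless_eq and volume handler prologues. The function body continues outside the hunk.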
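Review bot: Nothing checks `rc` after the four GET_NEXT reads at the top of the `for (i = 0; i < num_commands; i++)` loop, and the `if (rc != 0) break;` added in the case bodies only leaves the `switch`. Once the input is exhausted or a length check fails, the loop therefore keeps running for the remaining iterations of a caller-supplied `num_commands`. Adding `if (rc != 0) goto invalid_config;` right after the `length` read would stop at the first failure, matching how the existing `length`/`index_offset` checks bail out. The same loop header is changed in the pbe, popless_eq and volume handlers; the loop body continues outside the hunk.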
rc); + pr_debug("%s: BASS_BOOST_ENABLE prev:%d new:%d\n", + __func__, prev_enable_flag, + bass_boost->enable_flag); + if (prev_enable_flag != bass_boost->enable_flag) { +- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST; ++ params_length += COMMAND_PAYLOAD_SZ + ++ BASS_BOOST_ENABLE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "BASS_BOOST_ENABLE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_BASS_BOOST; + *updt_params++ = + AUDPROC_PARAM_ID_BASS_BOOST_ENABLE; +- *updt_params++ = BASS_BOOST_ENABLE_PARAM_SZ; +- *updt_params++ = bass_boost->enable_flag; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + BASS_BOOST_ENABLE_PARAM_SZ; ++ *updt_params++ = ++ bass_boost->enable_flag; + } + break; + case BASS_BOOST_MODE: +@@ -613,17 +828,26 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- bass_boost->mode = *values++; ++ bass_boost->mode = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: BASS_BOOST_MODE val:%d\n", + __func__, bass_boost->mode); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST; ++ params_length += COMMAND_PAYLOAD_SZ + ++ BASS_BOOST_MODE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "BASS_BOOST_MODE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_BASS_BOOST; + *updt_params++ = + AUDPROC_PARAM_ID_BASS_BOOST_MODE; +- *updt_params++ = BASS_BOOST_MODE_PARAM_SZ; +- *updt_params++ = bass_boost->mode; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + BASS_BOOST_MODE_PARAM_SZ; ++ *updt_params++ = ++ bass_boost->mode; + } + break; + case BASS_BOOST_STRENGTH: +@@ -632,17 +856,26 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- bass_boost->strength = *values++; +- pr_debug("%s: BASS_BOOST_STRENGTHi val:%d\n", ++ bass_boost->strength = ++ GET_NEXT(values, 
param_max_offset, rc); ++ pr_debug("%s: BASS_BOOST_STRENGTH val:%d\n", + __func__, bass_boost->strength); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST; ++ params_length += COMMAND_PAYLOAD_SZ + ++ BASS_BOOST_STRENGTH_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "BASS_BOOST_STRENGTH", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_BASS_BOOST; + *updt_params++ = + AUDPROC_PARAM_ID_BASS_BOOST_STRENGTH; +- *updt_params++ = BASS_BOOST_STRENGTH_PARAM_SZ; +- *updt_params++ = bass_boost->strength; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + BASS_BOOST_STRENGTH_PARAM_SZ; ++ *updt_params++ = ++ bass_boost->strength; + } + break; + default: +@@ -650,7 +883,7 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + break; + } + } +- if (params_length && !msm_dts_eagle_is_hpx_on()) ++ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + else +@@ -664,15 +897,16 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, + struct pbe_params *pbe, + long *values) + { +- int devices = *values++; +- int num_commands = *values++; +- char *params; ++ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ char *params = NULL; ++ int rc = 0; ++ int devices = GET_NEXT(values, param_max_offset, rc); ++ int num_commands = GET_NEXT(values, param_max_offset, rc); + int *updt_params, i, j, prev_enable_flag; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); +- int rc = 0; + + pr_debug("%s\n", __func__); +- if (!ac) { ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { + pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } +@@ -685,10 +919,14 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t 
command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); + switch (command_id) { + case PBE_ENABLE: + pr_debug("%s: PBE_ENABLE\n", __func__); +@@ -698,15 +936,24 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, + goto invalid_config; + } + prev_enable_flag = pbe->enable_flag; +- pbe->enable_flag = *values++; ++ pbe->enable_flag = ++ GET_NEXT(values, param_max_offset, rc); + if (prev_enable_flag != pbe->enable_flag) { +- *updt_params++ = AUDPROC_MODULE_ID_PBE; ++ params_length += COMMAND_PAYLOAD_SZ + ++ PBE_ENABLE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "PBE_ENABLE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_PBE; + *updt_params++ = + AUDPROC_PARAM_ID_PBE_ENABLE; +- *updt_params++ = PBE_ENABLE_PARAM_SZ; +- *updt_params++ = pbe->enable_flag; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + PBE_ENABLE_PARAM_SZ; ++ *updt_params++ = ++ pbe->enable_flag; + } + break; + case PBE_CONFIG: +@@ -719,15 +966,26 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, + goto invalid_config; + } + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_PBE; ++ params_length += COMMAND_PAYLOAD_SZ + length; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "PBE_PARAM", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_PBE; + *updt_params++ = + AUDPROC_PARAM_ID_PBE_PARAM_CONFIG; +- *updt_params++ = length; ++ *updt_params++ = ++ length; + for (j = 0; j < length; ) { + j += sizeof(*updt_params); +- *updt_params++ = *values++; ++ *updt_params++ = ++ GET_NEXT( ++ values, ++ param_max_offset, ++ rc); + } +- 
params_length += COMMAND_PAYLOAD_SZ + length; + } + break; + default: +@@ -735,7 +993,7 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, + break; + } + } +- if (params_length) ++ if (params_length && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + invalid_config: +@@ -747,15 +1005,16 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + struct eq_params *eq, + long *values) + { +- int devices = *values++; +- int num_commands = *values++; +- char *params; ++ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ char *params = NULL; ++ int rc = 0; ++ int devices = GET_NEXT(values, param_max_offset, rc); ++ int num_commands = GET_NEXT(values, param_max_offset, rc); + int *updt_params, i, prev_enable_flag; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); +- int rc = 0; + + pr_debug("%s\n", __func__); +- if (!ac) { ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { + pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } +@@ -768,11 +1027,16 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; +- int idx, j; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t idx; ++ int j; + switch (command_id) { + case EQ_ENABLE: + if (length != 1 || index_offset != 0) { +@@ -781,17 +1045,26 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + goto invalid_config; + } + prev_enable_flag = eq->enable_flag; +- eq->enable_flag = *values++; ++ eq->enable_flag = ++ GET_NEXT(values, 
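Review bot: The PBE_CONFIG copy loop `for (j = 0; j < length; )` stores one `int` per step, so it writes `length` rounded up to a multiple of `sizeof(*updt_params)`, while the new CHECK_PARAM_LEN accounts only for `COMMAND_PAYLOAD_SZ + length`. If a `length` that is not a multiple of `sizeof(int)` can reach this point (the validation ahead of this block lies outside the hunk), the last store can land a few bytes past the checked size. Rejecting such values before the addition, e.g. `if (length % sizeof(*updt_params)) { rc = -EINVAL; goto invalid_config; }`, would close the gap. The sum `params_length += COMMAND_PAYLOAD_SZ + length` is also unsigned arithmetic on a caller-supplied value, so it depends on that earlier validation to keep it from wrapping before the comparison.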
param_max_offset, rc); + pr_debug("%s: EQ_ENABLE prev:%d new:%d\n", __func__, + prev_enable_flag, eq->enable_flag); + if (prev_enable_flag != eq->enable_flag) { ++ params_length += COMMAND_PAYLOAD_SZ + ++ EQ_ENABLE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "EQ_ENABLE", rc); ++ if (rc != 0) ++ break; + *updt_params++ = + AUDPROC_MODULE_ID_POPLESS_EQUALIZER; +- *updt_params++ = AUDPROC_PARAM_ID_EQ_ENABLE; +- *updt_params++ = EQ_ENABLE_PARAM_SZ; +- *updt_params++ = eq->enable_flag; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = ++ AUDPROC_PARAM_ID_EQ_ENABLE; ++ *updt_params++ = + EQ_ENABLE_PARAM_SZ; ++ *updt_params++ = ++ eq->enable_flag; + } + break; + case EQ_CONFIG: +@@ -805,9 +1078,12 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + eq->config.eq_pregain, eq->config.preset_id); + for (idx = 0; idx < MAX_EQ_BANDS; idx++) + eq->per_band_cfg[idx].band_idx = -1; +- eq->config.eq_pregain = *values++; +- eq->config.preset_id = *values++; +- eq->config.num_bands = *values++; ++ eq->config.eq_pregain = ++ GET_NEXT(values, param_max_offset, rc); ++ eq->config.preset_id = ++ GET_NEXT(values, param_max_offset, rc); ++ eq->config.num_bands = ++ GET_NEXT(values, param_max_offset, rc); + if (eq->config.num_bands > MAX_EQ_BANDS) { + pr_err("EQ_CONFIG:invalid num of bands\n"); + rc = -EINVAL; +@@ -822,48 +1098,59 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + goto invalid_config; + } + for (j = 0; j < eq->config.num_bands; j++) { +- idx = *values++; ++ idx = GET_NEXT(values, param_max_offset, rc); + if (idx >= MAX_EQ_BANDS) { + pr_err("EQ_CONFIG:invalid band index\n"); + rc = -EINVAL; + goto invalid_config; + } + eq->per_band_cfg[idx].band_idx = idx; +- eq->per_band_cfg[idx].filter_type = *values++; ++ eq->per_band_cfg[idx].filter_type = ++ GET_NEXT(values, param_max_offset, rc); + eq->per_band_cfg[idx].freq_millihertz = +- *values++; ++ GET_NEXT(values, param_max_offset, rc); + 
eq->per_band_cfg[idx].gain_millibels = +- *values++; ++ GET_NEXT(values, param_max_offset, rc); + eq->per_band_cfg[idx].quality_factor = +- *values++; ++ GET_NEXT(values, param_max_offset, rc); + } + if (command_config_state == CONFIG_SET) { + int config_param_length = EQ_CONFIG_PARAM_SZ + + (EQ_CONFIG_PER_BAND_PARAM_SZ* + eq->config.num_bands); ++ params_length += COMMAND_PAYLOAD_SZ + ++ config_param_length; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "EQ_CONFIG", rc); ++ if (rc != 0) ++ break; + *updt_params++ = + AUDPROC_MODULE_ID_POPLESS_EQUALIZER; +- *updt_params++ = AUDPROC_PARAM_ID_EQ_CONFIG; +- *updt_params++ = config_param_length; +- *updt_params++ = eq->config.eq_pregain; +- *updt_params++ = eq->config.preset_id; +- *updt_params++ = eq->config.num_bands; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_EQ_CONFIG; ++ *updt_params++ = ++ config_param_length; ++ *updt_params++ = ++ eq->config.eq_pregain; ++ *updt_params++ = ++ eq->config.preset_id; ++ *updt_params++ = ++ eq->config.num_bands; + for (idx = 0; idx < MAX_EQ_BANDS; idx++) { + if (eq->per_band_cfg[idx].band_idx < 0) + continue; + *updt_params++ = +- eq->per_band_cfg[idx].filter_type; ++ eq->per_band_cfg[idx].filter_type; + *updt_params++ = +- eq->per_band_cfg[idx].freq_millihertz; ++ eq->per_band_cfg[idx].freq_millihertz; + *updt_params++ = +- eq->per_band_cfg[idx].gain_millibels; ++ eq->per_band_cfg[idx].gain_millibels; + *updt_params++ = +- eq->per_band_cfg[idx].quality_factor; ++ eq->per_band_cfg[idx].quality_factor; + *updt_params++ = +- eq->per_band_cfg[idx].band_idx; ++ eq->per_band_cfg[idx].band_idx; + } +- params_length += COMMAND_PAYLOAD_SZ + +- config_param_length; + } + break; + case EQ_BAND_INDEX: +@@ -872,7 +1159,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- idx = *values++; ++ idx = GET_NEXT(values, param_max_offset, rc); + if (idx > MAX_EQ_BANDS) { + pr_err("EQ_BAND_INDEX:invalid band index\n"); + rc = 
-EINVAL; +@@ -882,14 +1169,21 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + pr_debug("%s: EQ_BAND_INDEX val:%d\n", + __func__, eq->band_index); + if (command_config_state == CONFIG_SET) { ++ params_length += COMMAND_PAYLOAD_SZ + ++ EQ_BAND_INDEX_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "EQ_BAND_INDEX", rc); ++ if (rc != 0) ++ break; + *updt_params++ = + AUDPROC_MODULE_ID_POPLESS_EQUALIZER; + *updt_params++ = + AUDPROC_PARAM_ID_EQ_BAND_INDEX; +- *updt_params++ = EQ_BAND_INDEX_PARAM_SZ; +- *updt_params++ = eq->band_index; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + EQ_BAND_INDEX_PARAM_SZ; ++ *updt_params++ = ++ eq->band_index; + } + break; + case EQ_SINGLE_BAND_FREQ: +@@ -902,18 +1196,26 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + pr_err("EQ_SINGLE_BAND_FREQ:invalid index\n"); + break; + } +- eq->freq_millihertz = *values++; ++ eq->freq_millihertz = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: EQ_SINGLE_BAND_FREQ idx:%d, val:%d\n", + __func__, eq->band_index, eq->freq_millihertz); + if (command_config_state == CONFIG_SET) { ++ params_length += COMMAND_PAYLOAD_SZ + ++ EQ_SINGLE_BAND_FREQ_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "EQ_SINGLE_BAND_FREQ", rc); ++ if (rc != 0) ++ break; + *updt_params++ = + AUDPROC_MODULE_ID_POPLESS_EQUALIZER; + *updt_params++ = + AUDPROC_PARAM_ID_EQ_SINGLE_BAND_FREQ; +- *updt_params++ = EQ_SINGLE_BAND_FREQ_PARAM_SZ; +- *updt_params++ = eq->freq_millihertz; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + EQ_SINGLE_BAND_FREQ_PARAM_SZ; ++ *updt_params++ = ++ eq->freq_millihertz; + } + break; + default: +@@ -921,7 +1223,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + break; + } + } +- if (params_length && !msm_dts_eagle_is_hpx_on()) ++ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + 
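Review bot: The context line `if (idx > MAX_EQ_BANDS)` in the EQ_BAND_INDEX case still accepts `idx == MAX_EQ_BANDS`, whereas the EQ_CONFIG path in the same function rejects `idx >= MAX_EQ_BANDS` before indexing `eq->per_band_cfg[idx]`. Switching `idx` to `uint32_t` closes the negative case, but the upper bound stays off by one if `eq->band_index` is later used as an index into that array, which is not visible in this hunk. Suggested: `if (idx >= MAX_EQ_BANDS) {`. The case body continues outside the hunk.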
else +@@ -938,9 +1240,10 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, + { + int devices; + int num_commands; +- char *params; ++ char *params = NULL; + int *updt_params, i; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); ++ long *param_max_offset; + int rc = 0; + + pr_debug("%s: instance: %d\n", __func__, instance); +@@ -949,9 +1252,11 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, + __func__); + return -EINVAL; + } +- if (!ac) { +- pr_err("%s: cannot set audio effects as audio client is NULL\n", +- __func__); ++ param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ devices = GET_NEXT(values, param_max_offset, rc); ++ num_commands = GET_NEXT(values, param_max_offset, rc); ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { ++ pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } + params = kzalloc(params_length, GFP_KERNEL); +@@ -959,88 +1264,114 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, + pr_err("%s, params memory alloc failed\n", __func__); + return -ENOMEM; + } +- devices = *values++; +- num_commands = *values++; + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); + switch (command_id) { + case SOFT_VOLUME_GAIN_2CH: + case SOFT_VOLUME2_GAIN_2CH: + if (length != 2 || index_offset != 0) { +- pr_err("VOLUME_GAIN_2CH/VOLUME2_GAIN_2CH:invalid params\n"); ++ pr_err("VOLUME_GAIN_2CH: invalid params\n"); + rc = -EINVAL; + goto invalid_config; + } +- vol->left_gain = *values++; +- 
vol->right_gain = *values++; ++ vol->left_gain = GET_NEXT(values, param_max_offset, rc); ++ vol->right_gain = ++ GET_NEXT(values, param_max_offset, rc); + vol->master_gain = 0x2000; + if (command_config_state == CONFIG_SET) { ++ params_length += COMMAND_PAYLOAD_SZ + ++ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ params_length += COMMAND_PAYLOAD_SZ + ++ SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VOLUME/VOLUME2_GAIN_2CH", ++ rc); ++ if (rc != 0) ++ break; + if (instance == SOFT_VOLUME_INSTANCE_2) + *updt_params++ = +- ASM_MODULE_ID_VOL_CTRL2; ++ ASM_MODULE_ID_VOL_CTRL2; + else +- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; ++ *updt_params++ = ++ ASM_MODULE_ID_VOL_CTRL; + *updt_params++ = + ASM_PARAM_ID_VOL_CTRL_LR_CHANNEL_GAIN; +- *updt_params++ = SOFT_VOLUME_GAIN_2CH_PARAM_SZ; +- *updt_params++ = (vol->left_gain << 16) | +- vol->right_gain; +- params_length += COMMAND_PAYLOAD_SZ + +- SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ *updt_params++ = ++ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ *updt_params++ = ++ (vol->left_gain << 16) | ++ vol->right_gain; + if (instance == SOFT_VOLUME_INSTANCE_2) + *updt_params++ = +- ASM_MODULE_ID_VOL_CTRL2; ++ ASM_MODULE_ID_VOL_CTRL2; + else +- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; ++ *updt_params++ = ++ ASM_MODULE_ID_VOL_CTRL; + *updt_params++ = + ASM_PARAM_ID_VOL_CTRL_MASTER_GAIN; + *updt_params++ = + SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; +- *updt_params++ = vol->master_gain; +- params_length += COMMAND_PAYLOAD_SZ + +- SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; ++ *updt_params++ = ++ vol->master_gain; + } + break; + case SOFT_VOLUME_GAIN_MASTER: + case SOFT_VOLUME2_GAIN_MASTER: + if (length != 1 || index_offset != 0) { +- pr_err("VOLUME_GAIN_MASTER/VOLUME2_GAIN_MASTER:invalid params\n"); ++ pr_err("VOLUME_GAIN_MASTER: invalid params\n"); + rc = -EINVAL; + goto invalid_config; + } + vol->left_gain = 0x2000; + vol->right_gain = 0x2000; +- vol->master_gain = *values++; ++ vol->master_gain = ++ GET_NEXT(values, 
param_max_offset, rc); + if (command_config_state == CONFIG_SET) { ++ params_length += COMMAND_PAYLOAD_SZ + ++ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ params_length += COMMAND_PAYLOAD_SZ + ++ SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VOLUME/VOLUME2_GAIN_MASTER", ++ rc); ++ if (rc != 0) ++ break; + if (instance == SOFT_VOLUME_INSTANCE_2) + *updt_params++ = +- ASM_MODULE_ID_VOL_CTRL2; ++ ASM_MODULE_ID_VOL_CTRL2; + else +- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; ++ *updt_params++ = ++ ASM_MODULE_ID_VOL_CTRL; + *updt_params++ = + ASM_PARAM_ID_VOL_CTRL_LR_CHANNEL_GAIN; +- *updt_params++ = SOFT_VOLUME_GAIN_2CH_PARAM_SZ; +- *updt_params++ = (vol->left_gain << 16) | +- vol->right_gain; +- params_length += COMMAND_PAYLOAD_SZ + +- SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ *updt_params++ = ++ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ *updt_params++ = ++ (vol->left_gain << 16) | ++ vol->right_gain; + if (instance == SOFT_VOLUME_INSTANCE_2) + *updt_params++ = +- ASM_MODULE_ID_VOL_CTRL2; ++ ASM_MODULE_ID_VOL_CTRL2; + else +- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; ++ *updt_params++ = ++ ASM_MODULE_ID_VOL_CTRL; + *updt_params++ = + ASM_PARAM_ID_VOL_CTRL_MASTER_GAIN; + *updt_params++ = + SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; +- *updt_params++ = vol->master_gain; +- params_length += COMMAND_PAYLOAD_SZ + +- SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; ++ *updt_params++ = ++ vol->master_gain; + } + break; + default: +@@ -1049,7 +1380,7 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, + break; + } + } +- if (params_length) ++ if (params_length && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + invalid_config: +diff --git a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c +index f814434..b4bd43d 100644 +--- a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c ++++ b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c +@@ -2839,7 +2839,7 @@ static int msm_compr_audio_effects_config_info(struct 
snd_kcontrol *kcontrol, + struct snd_ctl_elem_info *uinfo) + { + uinfo->type = SNDRV_CTL_ELEM_TYPE_INTEGER; +- uinfo->count = 128; ++ uinfo->count = MAX_PP_PARAMS_SZ; + uinfo->value.integer.min = 0; + uinfo->value.integer.max = 0xFFFFFFFF; + return 0; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2065/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2065/ANY/0001.patch new file mode 100644 index 00000000..06b77eb4 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2065/ANY/0001.patch 
@@ -0,0 +1,1511 @@
+From 775fca8289eff931f91ff6e8c36cf2034ba59e88 Mon Sep 17 00:00:00 2001
+From: Weiyin Jiang
+Date: Wed, 16 Mar 2016 12:51:03 +0800
+Subject: ASoC: msm: audio-effects: fix stack overread and heap overwrite
+
+Fix overwrite of updt_params allocated in heap, and stack overread
+where param pointer is passed from user space.
+
+CRs-Fixed: 989628
+Change-Id: Ida8bdb7da2fcb97023dce3b6eafe4b899a51cb66
+Signed-off-by: Weiyin Jiang
+---
+ drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 3 +-
+ include/sound/msm-audio-effects-q6-v2.h | 4 +-
+ sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c | 835 +++++++++++++++++-------
+ sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c | 2 +-
+ 4 files changed, 588 insertions(+), 256 deletions(-)
+
+diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
+index c100c47..3ba20ca 100644
+--- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
++++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
+ *
+ * This software is licensed under the terms of the GNU General Public
+ * License version 2, as published by the Free Software Foundation, and
+@@ -20,7 +20,6 @@
+ #include
+
+ #define MAX_CHANNELS_SUPPORTED 8
+-#define MAX_PP_PARAMS_SZ 128
+ #define WAIT_TIMEDOUT_DURATION_SECS 1
+
+ struct q6audio_effects {
+diff --git a/include/sound/msm-audio-effects-q6-v2.h b/include/sound/msm-audio-effects-q6-v2.h
+index cbdea32..6bc2338 100644
+--- a/include/sound/msm-audio-effects-q6-v2.h
++++ b/include/sound/msm-audio-effects-q6-v2.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -16,6 +16,8 @@
+
+ #include
+
++#define MAX_PP_PARAMS_SZ 128
++
+ bool msm_audio_effects_is_effmodule_supp_in_top(int effect_module,
+ int topology);
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c
+index e26c453..1c08842 100644
+--- a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c
++++ b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -20,6 +20,24 @@
+
+ #define MAX_ENABLE_CMD_SIZE 32
+
++#define GET_NEXT(ptr, upper_limit, rc) \
++({ \
++ if (((ptr) + 1) > (upper_limit)) { \
++ pr_err("%s: param list out of boundary\n", __func__); \
++ (rc) = -EINVAL; \
++ } \
++ ((rc) == 0) ? 
*(ptr)++ : -EINVAL; \ ++}) ++ ++#define CHECK_PARAM_LEN(len, max_len, tag, rc) \ ++do { \ ++ if ((len) > (max_len)) { \ ++ pr_err("%s: params length overflows\n", (tag)); \ ++ (rc) = -EINVAL; \ ++ } \ ++} while (0) ++ ++ + bool msm_audio_effects_is_effmodule_supp_in_top(int effect_module, + int topology) + { +@@ -109,15 +127,16 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + struct virtualizer_params *virtualizer, + long *values) + { +- int devices = *values++; +- int num_commands = *values++; +- char *params; ++ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ char *params = NULL; ++ int rc = 0; ++ int devices = GET_NEXT(values, param_max_offset, rc); ++ int num_commands = GET_NEXT(values, param_max_offset, rc); + int *updt_params, i, prev_enable_flag; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); +- int rc = 0; + + pr_debug("%s\n", __func__); +- if (!ac) { ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { + pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } +@@ -130,10 +149,14 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); + switch (command_id) { + case VIRTUALIZER_ENABLE: + if (length != 1 || index_offset != 0) { +@@ -142,17 +165,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + goto invalid_config; + } + prev_enable_flag = virtualizer->enable_flag; +- virtualizer->enable_flag = *values++; ++ virtualizer->enable_flag = ++ 
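Review bot: `GET_NEXT` reports failure in-band: on overrun it yields -EINVAL, which a caller cannot tell apart from a legitimate parameter value of -22, so the only reliable signal is `rc`, and neither macro carries a comment saying so. The bound test `((ptr) + 1) > (upper_limit)` also treats `upper_limit` itself as unreadable, so with the `values + MAX_PP_PARAMS_SZ - 1` limit the handlers pass in the later hunks the final slot of the array is never consumed; that errs on the safe side but should be stated. `ptr` is evaluated more than once and modified, which callers need to know as well. I would add above the definition `/* GET_NEXT: read *ptr and advance; on overrun set rc = -EINVAL and yield -EINVAL without advancing. Test rc, not the value; upper_limit is exclusive. */`.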
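Review bot: The entry guard `(devices == -EINVAL) || (num_commands == -EINVAL)` tests the returned values instead of the status `GET_NEXT` has already written to `rc`, so a request whose first word is legitimately -22 is rejected and the check depends on the sentinel never changing. `if (!ac || rc != 0) {` states what is meant. `num_commands` comes from the caller's array and, in the lines shown, gets no upper bound before it drives the loop in the next hunk. The same guard is repeated in the reverb, bass_boost, pbe and popless_eq handlers further down; the function body continues outside this hunk.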
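Review bot: Nothing stops the command loop once a header read has failed: `rc` is not tested after the four `GET_NEXT` reads, `command_id` then holds the sentinel and appears to fall to the `default` case (its body is outside the hunk), and the loop carries on for up to `num_commands` iterations. Because `GET_NEXT` calls `pr_err` every time the pointer sits at the limit, a caller-chosen `num_commands` then decides how many error lines reach the kernel log. Adding `if (rc != 0) goto invalid_config;` directly after the four reads ends the request at the first overrun. The reverb, bass_boost, pbe and popless_eq loops have the same shape.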
GET_NEXT(values, param_max_offset, rc); + pr_debug("%s:VIRT ENABLE prev:%d, new:%d\n", __func__, + prev_enable_flag, virtualizer->enable_flag); + if (prev_enable_flag != virtualizer->enable_flag) { +- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; +- *updt_params++ = +- AUDPROC_PARAM_ID_VIRTUALIZER_ENABLE; +- *updt_params++ = VIRTUALIZER_ENABLE_PARAM_SZ; +- *updt_params++ = virtualizer->enable_flag; + params_length += COMMAND_PAYLOAD_SZ + + VIRTUALIZER_ENABLE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VIRT ENABLE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_VIRTUALIZER; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_VIRTUALIZER_ENABLE; ++ *updt_params++ = ++ VIRTUALIZER_ENABLE_PARAM_SZ; ++ *updt_params++ = ++ virtualizer->enable_flag; + } + break; + case VIRTUALIZER_STRENGTH: +@@ -161,17 +193,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- virtualizer->strength = *values++; ++ virtualizer->strength = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: VIRT STRENGTH val: %d\n", + __func__, virtualizer->strength); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; ++ params_length += COMMAND_PAYLOAD_SZ + ++ VIRTUALIZER_STRENGTH_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VIRT STRENGTH", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_VIRTUALIZER; + *updt_params++ = + AUDPROC_PARAM_ID_VIRTUALIZER_STRENGTH; +- *updt_params++ = VIRTUALIZER_STRENGTH_PARAM_SZ; +- *updt_params++ = virtualizer->strength; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + VIRTUALIZER_STRENGTH_PARAM_SZ; ++ *updt_params++ = ++ virtualizer->strength; + } + break; + case VIRTUALIZER_OUT_TYPE: +@@ -180,17 +221,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- virtualizer->out_type = *values++; 
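Review bot: `virtualizer->enable_flag` is assigned straight from `GET_NEXT`, so when the read overruns, the persistent state already holds -EINVAL by the time `if (rc != 0) break;` runs, and that `break` leaves only the `switch`, not the `for` loop. The send is skipped through the later `rc == 0` test, but the rejected request has still changed the stored flag. Reading into a temporary first keeps the state intact: `tmp = GET_NEXT(values, param_max_offset, rc);`, `if (rc != 0) goto invalid_config;`, `virtualizer->enable_flag = tmp;`, with `tmp` declared alongside the other locals. The STRENGTH, OUT_TYPE and GAIN_ADJUST cases, and the matching cases in the other handlers, follow the same pattern.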
++ virtualizer->out_type = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: VIRT OUT_TYPE val:%d\n", + __func__, virtualizer->out_type); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; ++ params_length += COMMAND_PAYLOAD_SZ + ++ VIRTUALIZER_OUT_TYPE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VIRT OUT_TYPE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_VIRTUALIZER; + *updt_params++ = + AUDPROC_PARAM_ID_VIRTUALIZER_OUT_TYPE; +- *updt_params++ = VIRTUALIZER_OUT_TYPE_PARAM_SZ; +- *updt_params++ = virtualizer->out_type; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + VIRTUALIZER_OUT_TYPE_PARAM_SZ; ++ *updt_params++ = ++ virtualizer->out_type; + } + break; + case VIRTUALIZER_GAIN_ADJUST: +@@ -199,18 +249,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- virtualizer->gain_adjust = *values++; ++ virtualizer->gain_adjust = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: VIRT GAIN_ADJUST val:%d\n", + __func__, virtualizer->gain_adjust); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; +- *updt_params++ = +- AUDPROC_PARAM_ID_VIRTUALIZER_GAIN_ADJUST; +- *updt_params++ = +- VIRTUALIZER_GAIN_ADJUST_PARAM_SZ; +- *updt_params++ = virtualizer->gain_adjust; + params_length += COMMAND_PAYLOAD_SZ + + VIRTUALIZER_GAIN_ADJUST_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VIRT GAIN_ADJUST", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_VIRTUALIZER; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_VIRTUALIZER_GAIN_ADJUST; ++ *updt_params++ = ++ VIRTUALIZER_GAIN_ADJUST_PARAM_SZ; ++ *updt_params++ = ++ virtualizer->gain_adjust; + } + break; + default: +@@ -218,7 +276,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + break; + } + } +- if (params_length && 
!msm_dts_eagle_is_hpx_on()) ++ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + else +@@ -232,15 +290,16 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + struct reverb_params *reverb, + long *values) + { +- int devices = *values++; +- int num_commands = *values++; +- char *params; ++ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ char *params = NULL; ++ int rc = 0; ++ int devices = GET_NEXT(values, param_max_offset, rc); ++ int num_commands = GET_NEXT(values, param_max_offset, rc); + int *updt_params, i, prev_enable_flag; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); +- int rc = 0; + + pr_debug("%s\n", __func__); +- if (!ac) { ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { + pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } +@@ -253,10 +312,14 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); + switch (command_id) { + case REVERB_ENABLE: + if (length != 1 || index_offset != 0) { +@@ -265,16 +328,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + goto invalid_config; + } + prev_enable_flag = reverb->enable_flag; +- reverb->enable_flag = *values++; ++ reverb->enable_flag = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s:REVERB_ENABLE prev:%d,new:%d\n", __func__, + prev_enable_flag, reverb->enable_flag); + if (prev_enable_flag != reverb->enable_flag) { +- 
*updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = AUDPROC_PARAM_ID_REVERB_ENABLE; +- *updt_params++ = REVERB_ENABLE_PARAM_SZ; +- *updt_params++ = reverb->enable_flag; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_ENABLE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_ENABLE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_ENABLE; ++ *updt_params++ = ++ REVERB_ENABLE_PARAM_SZ; ++ *updt_params++ = ++ reverb->enable_flag; + } + break; + case REVERB_MODE: +@@ -283,16 +356,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->mode = *values++; ++ reverb->mode = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_MODE val:%d\n", + __func__, reverb->mode); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = AUDPROC_PARAM_ID_REVERB_MODE; +- *updt_params++ = REVERB_MODE_PARAM_SZ; +- *updt_params++ = reverb->mode; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_MODE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_MODE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_MODE; ++ *updt_params++ = ++ REVERB_MODE_PARAM_SZ; ++ *updt_params++ = ++ reverb->mode; + } + break; + case REVERB_PRESET: +@@ -301,16 +384,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->preset = *values++; ++ reverb->preset = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_PRESET val:%d\n", + __func__, reverb->preset); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = AUDPROC_PARAM_ID_REVERB_PRESET; +- *updt_params++ = REVERB_PRESET_PARAM_SZ; +- *updt_params++ = reverb->preset; + 
params_length += COMMAND_PAYLOAD_SZ + + REVERB_PRESET_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_PRESET", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_PRESET; ++ *updt_params++ = ++ REVERB_PRESET_PARAM_SZ; ++ *updt_params++ = ++ reverb->preset; + } + break; + case REVERB_WET_MIX: +@@ -319,17 +412,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->wet_mix = *values++; ++ reverb->wet_mix = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_WET_MIX val:%d\n", + __func__, reverb->wet_mix); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_WET_MIX_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_WET_MIX", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_WET_MIX; +- *updt_params++ = REVERB_WET_MIX_PARAM_SZ; +- *updt_params++ = reverb->wet_mix; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_WET_MIX_PARAM_SZ; ++ *updt_params++ = ++ reverb->wet_mix; + } + break; + case REVERB_GAIN_ADJUST: +@@ -338,17 +440,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->gain_adjust = *values++; ++ reverb->gain_adjust = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_GAIN_ADJUST val:%d\n", + __func__, reverb->gain_adjust); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_GAIN_ADJUST_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_GAIN_ADJUST", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + 
AUDPROC_PARAM_ID_REVERB_GAIN_ADJUST; +- *updt_params++ = REVERB_GAIN_ADJUST_PARAM_SZ; +- *updt_params++ = reverb->gain_adjust; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_GAIN_ADJUST_PARAM_SZ; ++ *updt_params++ = ++ reverb->gain_adjust; + } + break; + case REVERB_ROOM_LEVEL: +@@ -357,17 +468,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->room_level = *values++; ++ reverb->room_level = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_ROOM_LEVEL val:%d\n", + __func__, reverb->room_level); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_ROOM_LEVEL_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_ROOM_LEVEL", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_ROOM_LEVEL; +- *updt_params++ = REVERB_ROOM_LEVEL_PARAM_SZ; +- *updt_params++ = reverb->room_level; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_ROOM_LEVEL_PARAM_SZ; ++ *updt_params++ = ++ reverb->room_level; + } + break; + case REVERB_ROOM_HF_LEVEL: +@@ -376,17 +496,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->room_hf_level = *values++; ++ reverb->room_hf_level = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_ROOM_HF_LEVEL val%d\n", + __func__, reverb->room_hf_level); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_ROOM_HF_LEVEL_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_ROOM_HF_LEVEL", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_ROOM_HF_LEVEL; +- *updt_params++ = 
REVERB_ROOM_HF_LEVEL_PARAM_SZ; +- *updt_params++ = reverb->room_hf_level; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_ROOM_HF_LEVEL_PARAM_SZ; ++ *updt_params++ = ++ reverb->room_hf_level; + } + break; + case REVERB_DECAY_TIME: +@@ -395,17 +524,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->decay_time = *values++; ++ reverb->decay_time = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_DECAY_TIME val:%d\n", + __func__, reverb->decay_time); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_DECAY_TIME_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_DECAY_TIME", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_DECAY_TIME; +- *updt_params++ = REVERB_DECAY_TIME_PARAM_SZ; +- *updt_params++ = reverb->decay_time; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_DECAY_TIME_PARAM_SZ; ++ *updt_params++ = ++ reverb->decay_time; + } + break; + case REVERB_DECAY_HF_RATIO: +@@ -414,17 +552,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->decay_hf_ratio = *values++; ++ reverb->decay_hf_ratio = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_DECAY_HF_RATIO val%d\n", + __func__, reverb->decay_hf_ratio); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_DECAY_HF_RATIO_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_DECAY_HF_RATIO", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_DECAY_HF_RATIO; +- *updt_params++ = REVERB_DECAY_HF_RATIO_PARAM_SZ; +- *updt_params++ = 
reverb->decay_hf_ratio; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_DECAY_HF_RATIO_PARAM_SZ; ++ *updt_params++ = ++ reverb->decay_hf_ratio; + } + break; + case REVERB_REFLECTIONS_LEVEL: +@@ -433,18 +580,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->reflections_level = *values++; ++ reverb->reflections_level = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_REFLECTIONS_LEVEL val:%d\n", + __func__, reverb->reflections_level); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = +- AUDPROC_PARAM_ID_REVERB_REFLECTIONS_LEVEL; +- *updt_params++ = +- REVERB_REFLECTIONS_LEVEL_PARAM_SZ; +- *updt_params++ = reverb->reflections_level; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_REFLECTIONS_LEVEL_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_REFLECTIONS_LEVEL", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_REFLECTIONS_LEVEL; ++ *updt_params++ = ++ REVERB_REFLECTIONS_LEVEL_PARAM_SZ; ++ *updt_params++ = ++ reverb->reflections_level; + } + break; + case REVERB_REFLECTIONS_DELAY: +@@ -453,18 +608,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->reflections_delay = *values++; ++ reverb->reflections_delay = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_REFLECTIONS_DELAY val:%d\n", + __func__, reverb->reflections_delay); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = +- AUDPROC_PARAM_ID_REVERB_REFLECTIONS_DELAY; +- *updt_params++ = +- REVERB_REFLECTIONS_DELAY_PARAM_SZ; +- *updt_params++ = reverb->reflections_delay; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_REFLECTIONS_DELAY_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ 
MAX_INBAND_PARAM_SZ, ++ "REVERB_REFLECTIONS_DELAY", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_REFLECTIONS_DELAY; ++ *updt_params++ = ++ REVERB_REFLECTIONS_DELAY_PARAM_SZ; ++ *updt_params++ = ++ reverb->reflections_delay; + } + break; + case REVERB_LEVEL: +@@ -473,16 +636,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->level = *values++; ++ reverb->level = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_LEVEL val:%d\n", + __func__, reverb->level); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = AUDPROC_PARAM_ID_REVERB_LEVEL; +- *updt_params++ = REVERB_LEVEL_PARAM_SZ; +- *updt_params++ = reverb->level; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_LEVEL_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_LEVEL", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_LEVEL; ++ *updt_params++ = ++ REVERB_LEVEL_PARAM_SZ; ++ *updt_params++ = ++ reverb->level; + } + break; + case REVERB_DELAY: +@@ -491,16 +664,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->delay = *values++; ++ reverb->delay = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s:REVERB_DELAY val:%d\n", + __func__, reverb->delay); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = AUDPROC_PARAM_ID_REVERB_DELAY; +- *updt_params++ = REVERB_DELAY_PARAM_SZ; +- *updt_params++ = reverb->delay; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_DELAY_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_DELAY", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ 
AUDPROC_PARAM_ID_REVERB_DELAY; ++ *updt_params++ = ++ REVERB_DELAY_PARAM_SZ; ++ *updt_params++ = ++ reverb->delay; + } + break; + case REVERB_DIFFUSION: +@@ -509,17 +692,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->diffusion = *values++; ++ reverb->diffusion = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_DIFFUSION val:%d\n", + __func__, reverb->diffusion); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_DIFFUSION_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_DIFFUSION", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_DIFFUSION; +- *updt_params++ = REVERB_DIFFUSION_PARAM_SZ; +- *updt_params++ = reverb->diffusion; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_DIFFUSION_PARAM_SZ; ++ *updt_params++ = ++ reverb->diffusion; + } + break; + case REVERB_DENSITY: +@@ -528,17 +720,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->density = *values++; ++ reverb->density = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_DENSITY val:%d\n", + __func__, reverb->density); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_DENSITY_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_DENSITY", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_DENSITY; +- *updt_params++ = REVERB_DENSITY_PARAM_SZ; +- *updt_params++ = reverb->density; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_DENSITY_PARAM_SZ; ++ *updt_params++ = ++ reverb->density; + } + break; + default: +@@ 
-546,7 +747,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + break; + } + } +- if (params_length && !msm_dts_eagle_is_hpx_on()) ++ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + else +@@ -560,15 +761,16 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + struct bass_boost_params *bass_boost, + long *values) + { +- int devices = *values++; +- int num_commands = *values++; +- char *params; ++ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ char *params = NULL; ++ int rc = 0; ++ int devices = GET_NEXT(values, param_max_offset, rc); ++ int num_commands = GET_NEXT(values, param_max_offset, rc); + int *updt_params, i, prev_enable_flag; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); +- int rc = 0; + + pr_debug("%s\n", __func__); +- if (!ac) { ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { + pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } +@@ -581,10 +783,14 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); + switch (command_id) { + case BASS_BOOST_ENABLE: + if (length != 1 || index_offset != 0) { +@@ -593,18 +799,27 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + goto invalid_config; + } + prev_enable_flag = bass_boost->enable_flag; +- bass_boost->enable_flag = *values++; ++ bass_boost->enable_flag = ++ GET_NEXT(values, param_max_offset, 
rc); + pr_debug("%s: BASS_BOOST_ENABLE prev:%d new:%d\n", + __func__, prev_enable_flag, + bass_boost->enable_flag); + if (prev_enable_flag != bass_boost->enable_flag) { +- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST; ++ params_length += COMMAND_PAYLOAD_SZ + ++ BASS_BOOST_ENABLE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "BASS_BOOST_ENABLE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_BASS_BOOST; + *updt_params++ = + AUDPROC_PARAM_ID_BASS_BOOST_ENABLE; +- *updt_params++ = BASS_BOOST_ENABLE_PARAM_SZ; +- *updt_params++ = bass_boost->enable_flag; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + BASS_BOOST_ENABLE_PARAM_SZ; ++ *updt_params++ = ++ bass_boost->enable_flag; + } + break; + case BASS_BOOST_MODE: +@@ -613,17 +828,26 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- bass_boost->mode = *values++; ++ bass_boost->mode = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: BASS_BOOST_MODE val:%d\n", + __func__, bass_boost->mode); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST; ++ params_length += COMMAND_PAYLOAD_SZ + ++ BASS_BOOST_MODE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "BASS_BOOST_MODE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_BASS_BOOST; + *updt_params++ = + AUDPROC_PARAM_ID_BASS_BOOST_MODE; +- *updt_params++ = BASS_BOOST_MODE_PARAM_SZ; +- *updt_params++ = bass_boost->mode; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + BASS_BOOST_MODE_PARAM_SZ; ++ *updt_params++ = ++ bass_boost->mode; + } + break; + case BASS_BOOST_STRENGTH: +@@ -632,17 +856,26 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- bass_boost->strength = *values++; +- pr_debug("%s: BASS_BOOST_STRENGTHi val:%d\n", ++ bass_boost->strength = ++ GET_NEXT(values, 
param_max_offset, rc); ++ pr_debug("%s: BASS_BOOST_STRENGTH val:%d\n", + __func__, bass_boost->strength); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST; ++ params_length += COMMAND_PAYLOAD_SZ + ++ BASS_BOOST_STRENGTH_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "BASS_BOOST_STRENGTH", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_BASS_BOOST; + *updt_params++ = + AUDPROC_PARAM_ID_BASS_BOOST_STRENGTH; +- *updt_params++ = BASS_BOOST_STRENGTH_PARAM_SZ; +- *updt_params++ = bass_boost->strength; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + BASS_BOOST_STRENGTH_PARAM_SZ; ++ *updt_params++ = ++ bass_boost->strength; + } + break; + default: +@@ -650,7 +883,7 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + break; + } + } +- if (params_length && !msm_dts_eagle_is_hpx_on()) ++ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + else +@@ -664,15 +897,16 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, + struct pbe_params *pbe, + long *values) + { +- int devices = *values++; +- int num_commands = *values++; +- char *params; ++ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ char *params = NULL; ++ int rc = 0; ++ int devices = GET_NEXT(values, param_max_offset, rc); ++ int num_commands = GET_NEXT(values, param_max_offset, rc); + int *updt_params, i, j, prev_enable_flag; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); +- int rc = 0; + + pr_debug("%s\n", __func__); +- if (!ac) { ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { + pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } +@@ -685,10 +919,14 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t 
command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); + switch (command_id) { + case PBE_ENABLE: + pr_debug("%s: PBE_ENABLE\n", __func__); +@@ -698,15 +936,24 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, + goto invalid_config; + } + prev_enable_flag = pbe->enable_flag; +- pbe->enable_flag = *values++; ++ pbe->enable_flag = ++ GET_NEXT(values, param_max_offset, rc); + if (prev_enable_flag != pbe->enable_flag) { +- *updt_params++ = AUDPROC_MODULE_ID_PBE; ++ params_length += COMMAND_PAYLOAD_SZ + ++ PBE_ENABLE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "PBE_ENABLE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_PBE; + *updt_params++ = + AUDPROC_PARAM_ID_PBE_ENABLE; +- *updt_params++ = PBE_ENABLE_PARAM_SZ; +- *updt_params++ = pbe->enable_flag; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + PBE_ENABLE_PARAM_SZ; ++ *updt_params++ = ++ pbe->enable_flag; + } + break; + case PBE_CONFIG: +@@ -719,15 +966,26 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, + goto invalid_config; + } + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_PBE; ++ params_length += COMMAND_PAYLOAD_SZ + length; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "PBE_PARAM", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_PBE; + *updt_params++ = + AUDPROC_PARAM_ID_PBE_PARAM_CONFIG; +- *updt_params++ = length; ++ *updt_params++ = ++ length; + for (j = 0; j < length; ) { + j += sizeof(*updt_params); +- *updt_params++ = *values++; ++ *updt_params++ = ++ GET_NEXT( ++ values, ++ param_max_offset, ++ rc); + } +- 
params_length += COMMAND_PAYLOAD_SZ + length; + } + break; + default: +@@ -735,7 +993,7 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, + break; + } + } +- if (params_length) ++ if (params_length && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + invalid_config: +@@ -747,15 +1005,16 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + struct eq_params *eq, + long *values) + { +- int devices = *values++; +- int num_commands = *values++; +- char *params; ++ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ char *params = NULL; ++ int rc = 0; ++ int devices = GET_NEXT(values, param_max_offset, rc); ++ int num_commands = GET_NEXT(values, param_max_offset, rc); + int *updt_params, i, prev_enable_flag; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); +- int rc = 0; + + pr_debug("%s\n", __func__); +- if (!ac) { ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { + pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } +@@ -768,11 +1027,16 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; +- int idx, j; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t idx; ++ int j; + switch (command_id) { + case EQ_ENABLE: + if (length != 1 || index_offset != 0) { +@@ -781,17 +1045,26 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + goto invalid_config; + } + prev_enable_flag = eq->enable_flag; +- eq->enable_flag = *values++; ++ eq->enable_flag = ++ GET_NEXT(values, 
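Review bot: In the PBE_CONFIG branch `params_length += COMMAND_PAYLOAD_SZ + length;` is unsigned arithmetic on a `length` read from `values`, so the sum can wrap before CHECK_PARAM_LEN sees it unless the validation above this hunk already caps `length`; that check is not visible here. Comparing before adding, e.g. `if (length > MAX_INBAND_PARAM_SZ) { rc = -EINVAL; goto invalid_config; }`, keeps the guard independent of the earlier test. The copy loop also keeps storing GET_NEXT's `-EINVAL` result into `updt_params` after a read fails; an `if (rc != 0) break;` inside the loop would stop it at the first bad read.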
param_max_offset, rc); + pr_debug("%s: EQ_ENABLE prev:%d new:%d\n", __func__, + prev_enable_flag, eq->enable_flag); + if (prev_enable_flag != eq->enable_flag) { ++ params_length += COMMAND_PAYLOAD_SZ + ++ EQ_ENABLE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "EQ_ENABLE", rc); ++ if (rc != 0) ++ break; + *updt_params++ = + AUDPROC_MODULE_ID_POPLESS_EQUALIZER; +- *updt_params++ = AUDPROC_PARAM_ID_EQ_ENABLE; +- *updt_params++ = EQ_ENABLE_PARAM_SZ; +- *updt_params++ = eq->enable_flag; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = ++ AUDPROC_PARAM_ID_EQ_ENABLE; ++ *updt_params++ = + EQ_ENABLE_PARAM_SZ; ++ *updt_params++ = ++ eq->enable_flag; + } + break; + case EQ_CONFIG: +@@ -805,9 +1078,12 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + eq->config.eq_pregain, eq->config.preset_id); + for (idx = 0; idx < MAX_EQ_BANDS; idx++) + eq->per_band_cfg[idx].band_idx = -1; +- eq->config.eq_pregain = *values++; +- eq->config.preset_id = *values++; +- eq->config.num_bands = *values++; ++ eq->config.eq_pregain = ++ GET_NEXT(values, param_max_offset, rc); ++ eq->config.preset_id = ++ GET_NEXT(values, param_max_offset, rc); ++ eq->config.num_bands = ++ GET_NEXT(values, param_max_offset, rc); + if (eq->config.num_bands > MAX_EQ_BANDS) { + pr_err("EQ_CONFIG:invalid num of bands\n"); + rc = -EINVAL; +@@ -822,48 +1098,59 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + goto invalid_config; + } + for (j = 0; j < eq->config.num_bands; j++) { +- idx = *values++; ++ idx = GET_NEXT(values, param_max_offset, rc); + if (idx >= MAX_EQ_BANDS) { + pr_err("EQ_CONFIG:invalid band index\n"); + rc = -EINVAL; + goto invalid_config; + } + eq->per_band_cfg[idx].band_idx = idx; +- eq->per_band_cfg[idx].filter_type = *values++; ++ eq->per_band_cfg[idx].filter_type = ++ GET_NEXT(values, param_max_offset, rc); + eq->per_band_cfg[idx].freq_millihertz = +- *values++; ++ GET_NEXT(values, param_max_offset, rc); + 
eq->per_band_cfg[idx].gain_millibels = +- *values++; ++ GET_NEXT(values, param_max_offset, rc); + eq->per_band_cfg[idx].quality_factor = +- *values++; ++ GET_NEXT(values, param_max_offset, rc); + } + if (command_config_state == CONFIG_SET) { + int config_param_length = EQ_CONFIG_PARAM_SZ + + (EQ_CONFIG_PER_BAND_PARAM_SZ* + eq->config.num_bands); ++ params_length += COMMAND_PAYLOAD_SZ + ++ config_param_length; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "EQ_CONFIG", rc); ++ if (rc != 0) ++ break; + *updt_params++ = + AUDPROC_MODULE_ID_POPLESS_EQUALIZER; +- *updt_params++ = AUDPROC_PARAM_ID_EQ_CONFIG; +- *updt_params++ = config_param_length; +- *updt_params++ = eq->config.eq_pregain; +- *updt_params++ = eq->config.preset_id; +- *updt_params++ = eq->config.num_bands; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_EQ_CONFIG; ++ *updt_params++ = ++ config_param_length; ++ *updt_params++ = ++ eq->config.eq_pregain; ++ *updt_params++ = ++ eq->config.preset_id; ++ *updt_params++ = ++ eq->config.num_bands; + for (idx = 0; idx < MAX_EQ_BANDS; idx++) { + if (eq->per_band_cfg[idx].band_idx < 0) + continue; + *updt_params++ = +- eq->per_band_cfg[idx].filter_type; ++ eq->per_band_cfg[idx].filter_type; + *updt_params++ = +- eq->per_band_cfg[idx].freq_millihertz; ++ eq->per_band_cfg[idx].freq_millihertz; + *updt_params++ = +- eq->per_band_cfg[idx].gain_millibels; ++ eq->per_band_cfg[idx].gain_millibels; + *updt_params++ = +- eq->per_band_cfg[idx].quality_factor; ++ eq->per_band_cfg[idx].quality_factor; + *updt_params++ = +- eq->per_band_cfg[idx].band_idx; ++ eq->per_band_cfg[idx].band_idx; + } +- params_length += COMMAND_PAYLOAD_SZ + +- config_param_length; + } + break; + case EQ_BAND_INDEX: +@@ -872,7 +1159,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- idx = *values++; ++ idx = GET_NEXT(values, param_max_offset, rc); + if (idx > MAX_EQ_BANDS) { + pr_err("EQ_BAND_INDEX:invalid band index\n"); + rc = 
-EINVAL; +@@ -882,14 +1169,21 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + pr_debug("%s: EQ_BAND_INDEX val:%d\n", + __func__, eq->band_index); + if (command_config_state == CONFIG_SET) { ++ params_length += COMMAND_PAYLOAD_SZ + ++ EQ_BAND_INDEX_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "EQ_BAND_INDEX", rc); ++ if (rc != 0) ++ break; + *updt_params++ = + AUDPROC_MODULE_ID_POPLESS_EQUALIZER; + *updt_params++ = + AUDPROC_PARAM_ID_EQ_BAND_INDEX; +- *updt_params++ = EQ_BAND_INDEX_PARAM_SZ; +- *updt_params++ = eq->band_index; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + EQ_BAND_INDEX_PARAM_SZ; ++ *updt_params++ = ++ eq->band_index; + } + break; + case EQ_SINGLE_BAND_FREQ: +@@ -902,18 +1196,26 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + pr_err("EQ_SINGLE_BAND_FREQ:invalid index\n"); + break; + } +- eq->freq_millihertz = *values++; ++ eq->freq_millihertz = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: EQ_SINGLE_BAND_FREQ idx:%d, val:%d\n", + __func__, eq->band_index, eq->freq_millihertz); + if (command_config_state == CONFIG_SET) { ++ params_length += COMMAND_PAYLOAD_SZ + ++ EQ_SINGLE_BAND_FREQ_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "EQ_SINGLE_BAND_FREQ", rc); ++ if (rc != 0) ++ break; + *updt_params++ = + AUDPROC_MODULE_ID_POPLESS_EQUALIZER; + *updt_params++ = + AUDPROC_PARAM_ID_EQ_SINGLE_BAND_FREQ; +- *updt_params++ = EQ_SINGLE_BAND_FREQ_PARAM_SZ; +- *updt_params++ = eq->freq_millihertz; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + EQ_SINGLE_BAND_FREQ_PARAM_SZ; ++ *updt_params++ = ++ eq->freq_millihertz; + } + break; + default: +@@ -921,7 +1223,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + break; + } + } +- if (params_length && !msm_dts_eagle_is_hpx_on()) ++ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + 
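Review bot: The EQ_BAND_INDEX check `if (idx > MAX_EQ_BANDS)` lets `idx == MAX_EQ_BANDS` through, while the EQ_CONFIG loop in this same handler rejects `idx >= MAX_EQ_BANDS` and initialises `per_band_cfg` only for indices below MAX_EQ_BANDS. Making `idx` unsigned closes the negative case, but the upper bound is still off by one if the stored index is later used against a MAX_EQ_BANDS-sized array; that use is outside the hunk. Suggested line: `if (idx >= MAX_EQ_BANDS) {`.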
else +@@ -938,9 +1240,10 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, + { + int devices; + int num_commands; +- char *params; ++ char *params = NULL; + int *updt_params, i; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); ++ long *param_max_offset; + int rc = 0; + + pr_debug("%s: instance: %d\n", __func__, instance); +@@ -949,9 +1252,11 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, + __func__); + return -EINVAL; + } +- if (!ac) { +- pr_err("%s: cannot set audio effects as audio client is NULL\n", +- __func__); ++ param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ devices = GET_NEXT(values, param_max_offset, rc); ++ num_commands = GET_NEXT(values, param_max_offset, rc); ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { ++ pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } + params = kzalloc(params_length, GFP_KERNEL); +@@ -959,88 +1264,114 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, + pr_err("%s, params memory alloc failed\n", __func__); + return -ENOMEM; + } +- devices = *values++; +- num_commands = *values++; + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); + switch (command_id) { + case SOFT_VOLUME_GAIN_2CH: + case SOFT_VOLUME2_GAIN_2CH: + if (length != 2 || index_offset != 0) { +- pr_err("VOLUME_GAIN_2CH/VOLUME2_GAIN_2CH:invalid params\n"); ++ pr_err("VOLUME_GAIN_2CH: invalid params\n"); + rc = -EINVAL; + goto invalid_config; + } +- vol->left_gain = *values++; +- 
vol->right_gain = *values++; ++ vol->left_gain = GET_NEXT(values, param_max_offset, rc); ++ vol->right_gain = ++ GET_NEXT(values, param_max_offset, rc); + vol->master_gain = 0x2000; + if (command_config_state == CONFIG_SET) { ++ params_length += COMMAND_PAYLOAD_SZ + ++ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ params_length += COMMAND_PAYLOAD_SZ + ++ SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VOLUME/VOLUME2_GAIN_2CH", ++ rc); ++ if (rc != 0) ++ break; + if (instance == SOFT_VOLUME_INSTANCE_2) + *updt_params++ = +- ASM_MODULE_ID_VOL_CTRL2; ++ ASM_MODULE_ID_VOL_CTRL2; + else +- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; ++ *updt_params++ = ++ ASM_MODULE_ID_VOL_CTRL; + *updt_params++ = + ASM_PARAM_ID_VOL_CTRL_LR_CHANNEL_GAIN; +- *updt_params++ = SOFT_VOLUME_GAIN_2CH_PARAM_SZ; +- *updt_params++ = (vol->left_gain << 16) | +- vol->right_gain; +- params_length += COMMAND_PAYLOAD_SZ + +- SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ *updt_params++ = ++ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ *updt_params++ = ++ (vol->left_gain << 16) | ++ vol->right_gain; + if (instance == SOFT_VOLUME_INSTANCE_2) + *updt_params++ = +- ASM_MODULE_ID_VOL_CTRL2; ++ ASM_MODULE_ID_VOL_CTRL2; + else +- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; ++ *updt_params++ = ++ ASM_MODULE_ID_VOL_CTRL; + *updt_params++ = + ASM_PARAM_ID_VOL_CTRL_MASTER_GAIN; + *updt_params++ = + SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; +- *updt_params++ = vol->master_gain; +- params_length += COMMAND_PAYLOAD_SZ + +- SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; ++ *updt_params++ = ++ vol->master_gain; + } + break; + case SOFT_VOLUME_GAIN_MASTER: + case SOFT_VOLUME2_GAIN_MASTER: + if (length != 1 || index_offset != 0) { +- pr_err("VOLUME_GAIN_MASTER/VOLUME2_GAIN_MASTER:invalid params\n"); ++ pr_err("VOLUME_GAIN_MASTER: invalid params\n"); + rc = -EINVAL; + goto invalid_config; + } + vol->left_gain = 0x2000; + vol->right_gain = 0x2000; +- vol->master_gain = *values++; ++ vol->master_gain = ++ GET_NEXT(values, 
param_max_offset, rc); + if (command_config_state == CONFIG_SET) { ++ params_length += COMMAND_PAYLOAD_SZ + ++ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ params_length += COMMAND_PAYLOAD_SZ + ++ SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VOLUME/VOLUME2_GAIN_MASTER", ++ rc); ++ if (rc != 0) ++ break; + if (instance == SOFT_VOLUME_INSTANCE_2) + *updt_params++ = +- ASM_MODULE_ID_VOL_CTRL2; ++ ASM_MODULE_ID_VOL_CTRL2; + else +- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; ++ *updt_params++ = ++ ASM_MODULE_ID_VOL_CTRL; + *updt_params++ = + ASM_PARAM_ID_VOL_CTRL_LR_CHANNEL_GAIN; +- *updt_params++ = SOFT_VOLUME_GAIN_2CH_PARAM_SZ; +- *updt_params++ = (vol->left_gain << 16) | +- vol->right_gain; +- params_length += COMMAND_PAYLOAD_SZ + +- SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ *updt_params++ = ++ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ *updt_params++ = ++ (vol->left_gain << 16) | ++ vol->right_gain; + if (instance == SOFT_VOLUME_INSTANCE_2) + *updt_params++ = +- ASM_MODULE_ID_VOL_CTRL2; ++ ASM_MODULE_ID_VOL_CTRL2; + else +- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; ++ *updt_params++ = ++ ASM_MODULE_ID_VOL_CTRL; + *updt_params++ = + ASM_PARAM_ID_VOL_CTRL_MASTER_GAIN; + *updt_params++ = + SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; +- *updt_params++ = vol->master_gain; +- params_length += COMMAND_PAYLOAD_SZ + +- SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; ++ *updt_params++ = ++ vol->master_gain; + } + break; + default: +@@ -1049,7 +1380,7 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, + break; + } + } +- if (params_length) ++ if (params_length && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + invalid_config: +diff --git a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c +index f814434..b4bd43d 100644 +--- a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c ++++ b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c +@@ -2839,7 +2839,7 @@ static int msm_compr_audio_effects_config_info(struct 
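Review bot: `(vol->left_gain << 16) | vol->right_gain` packs two values taken straight from `values`, and nothing in this hunk limits either gain to 16 bits, so a wider `right_gain` spills into the left-channel half of the word. Masking both operands, `((vol->left_gain & 0xFFFF) << 16) | (vol->right_gain & 0xFFFF)`, keeps the two fields separate. The field types are declared outside the hunk, so the intended range should be confirmed there. This matters for the GAIN_2CH branch; in the GAIN_MASTER branch both gains are the constant 0x2000.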
snd_kcontrol *kcontrol, + struct snd_ctl_elem_info *uinfo) + { + uinfo->type = SNDRV_CTL_ELEM_TYPE_INTEGER; +- uinfo->count = 128; ++ uinfo->count = MAX_PP_PARAMS_SZ; + uinfo->value.integer.min = 0; + uinfo->value.integer.max = 0xFFFFFFFF; + return 0; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2066/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2066/ANY/0001.patch new file mode 100644 index 00000000..06b77eb4 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2066/ANY/0001.patch 
@@ -0,0 +1,1511 @@ +From 775fca8289eff931f91ff6e8c36cf2034ba59e88 Mon Sep 17 00:00:00 2001 +From: Weiyin Jiang +Date: Wed, 16 Mar 2016 12:51:03 +0800 +Subject: ASoC: msm: audio-effects: fix stack overread and heap overwrite + +Fix overwrite of updt_params allocated in heap, and stack overread +where param pointer is passed from user space. + +CRs-Fixed: 989628 +Change-Id: Ida8bdb7da2fcb97023dce3b6eafe4b899a51cb66 +Signed-off-by: Weiyin Jiang +--- + drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 3 +- + include/sound/msm-audio-effects-q6-v2.h | 4 +- + sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c | 835 +++++++++++++++++------- + sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c | 2 +- + 4 files changed, 588 insertions(+), 256 deletions(-) + +diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c +index c100c47..3ba20ca 100644 +--- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c ++++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. + * + * This software is licensed under the terms of the GNU General Public + * License version 2, as published by the Free Software Foundation, and +@@ -20,7 +20,6 @@ + #include + + #define MAX_CHANNELS_SUPPORTED 8 +-#define MAX_PP_PARAMS_SZ 128 + #define WAIT_TIMEDOUT_DURATION_SECS 1 + + struct q6audio_effects { +diff --git a/include/sound/msm-audio-effects-q6-v2.h b/include/sound/msm-audio-effects-q6-v2.h +index cbdea32..6bc2338 100644 +--- a/include/sound/msm-audio-effects-q6-v2.h ++++ b/include/sound/msm-audio-effects-q6-v2.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2013-2015, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -16,6 +16,8 @@ + + #include + ++#define MAX_PP_PARAMS_SZ 128 ++ + bool msm_audio_effects_is_effmodule_supp_in_top(int effect_module, + int topology); + +diff --git a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c +index e26c453..1c08842 100644 +--- a/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c ++++ b/sound/soc/msm/qdsp6v2/msm-audio-effects-q6-v2.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -20,6 +20,24 @@ + + #define MAX_ENABLE_CMD_SIZE 32 + ++#define GET_NEXT(ptr, upper_limit, rc) \ ++({ \ ++ if (((ptr) + 1) > (upper_limit)) { \ ++ pr_err("%s: param list out of boundary\n", __func__); \ ++ (rc) = -EINVAL; \ ++ } \ ++ ((rc) == 0) ? 
*(ptr)++ : -EINVAL; \ ++}) ++ ++#define CHECK_PARAM_LEN(len, max_len, tag, rc) \ ++do { \ ++ if ((len) > (max_len)) { \ ++ pr_err("%s: params length overflows\n", (tag)); \ ++ (rc) = -EINVAL; \ ++ } \ ++} while (0) ++ ++ + bool msm_audio_effects_is_effmodule_supp_in_top(int effect_module, + int topology) + { +@@ -109,15 +127,16 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + struct virtualizer_params *virtualizer, + long *values) + { +- int devices = *values++; +- int num_commands = *values++; +- char *params; ++ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ char *params = NULL; ++ int rc = 0; ++ int devices = GET_NEXT(values, param_max_offset, rc); ++ int num_commands = GET_NEXT(values, param_max_offset, rc); + int *updt_params, i, prev_enable_flag; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); +- int rc = 0; + + pr_debug("%s\n", __func__); +- if (!ac) { ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { + pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } +@@ -130,10 +149,14 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); + switch (command_id) { + case VIRTUALIZER_ENABLE: + if (length != 1 || index_offset != 0) { +@@ -142,17 +165,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + goto invalid_config; + } + prev_enable_flag = virtualizer->enable_flag; +- virtualizer->enable_flag = *values++; ++ virtualizer->enable_flag = ++ 
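Review bot: GET_NEXT has no comment describing its contract, and three properties are easy to miss: it is a statement expression that advances `ptr`, it returns `-EINVAL` without reading whenever `rc` is already non-zero, and that `-EINVAL` becomes a large positive number when assigned to the `uint32_t` locals the handlers use. With the callers' limit of `values + MAX_PP_PARAMS_SZ - 1`, the test `((ptr) + 1) > (upper_limit)` also refuses the final slot of the array, which is safe but worth stating. I would add a block comment above the macro covering these points, and one line above CHECK_PARAM_LEN saying that it only sets `rc` and never clears it.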
GET_NEXT(values, param_max_offset, rc); + pr_debug("%s:VIRT ENABLE prev:%d, new:%d\n", __func__, + prev_enable_flag, virtualizer->enable_flag); + if (prev_enable_flag != virtualizer->enable_flag) { +- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; +- *updt_params++ = +- AUDPROC_PARAM_ID_VIRTUALIZER_ENABLE; +- *updt_params++ = VIRTUALIZER_ENABLE_PARAM_SZ; +- *updt_params++ = virtualizer->enable_flag; + params_length += COMMAND_PAYLOAD_SZ + + VIRTUALIZER_ENABLE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VIRT ENABLE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_VIRTUALIZER; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_VIRTUALIZER_ENABLE; ++ *updt_params++ = ++ VIRTUALIZER_ENABLE_PARAM_SZ; ++ *updt_params++ = ++ virtualizer->enable_flag; + } + break; + case VIRTUALIZER_STRENGTH: +@@ -161,17 +193,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- virtualizer->strength = *values++; ++ virtualizer->strength = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: VIRT STRENGTH val: %d\n", + __func__, virtualizer->strength); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; ++ params_length += COMMAND_PAYLOAD_SZ + ++ VIRTUALIZER_STRENGTH_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VIRT STRENGTH", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_VIRTUALIZER; + *updt_params++ = + AUDPROC_PARAM_ID_VIRTUALIZER_STRENGTH; +- *updt_params++ = VIRTUALIZER_STRENGTH_PARAM_SZ; +- *updt_params++ = virtualizer->strength; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + VIRTUALIZER_STRENGTH_PARAM_SZ; ++ *updt_params++ = ++ virtualizer->strength; + } + break; + case VIRTUALIZER_OUT_TYPE: +@@ -180,17 +221,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- virtualizer->out_type = *values++; 
++ virtualizer->out_type = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: VIRT OUT_TYPE val:%d\n", + __func__, virtualizer->out_type); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; ++ params_length += COMMAND_PAYLOAD_SZ + ++ VIRTUALIZER_OUT_TYPE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VIRT OUT_TYPE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_VIRTUALIZER; + *updt_params++ = + AUDPROC_PARAM_ID_VIRTUALIZER_OUT_TYPE; +- *updt_params++ = VIRTUALIZER_OUT_TYPE_PARAM_SZ; +- *updt_params++ = virtualizer->out_type; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + VIRTUALIZER_OUT_TYPE_PARAM_SZ; ++ *updt_params++ = ++ virtualizer->out_type; + } + break; + case VIRTUALIZER_GAIN_ADJUST: +@@ -199,18 +249,26 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- virtualizer->gain_adjust = *values++; ++ virtualizer->gain_adjust = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: VIRT GAIN_ADJUST val:%d\n", + __func__, virtualizer->gain_adjust); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_VIRTUALIZER; +- *updt_params++ = +- AUDPROC_PARAM_ID_VIRTUALIZER_GAIN_ADJUST; +- *updt_params++ = +- VIRTUALIZER_GAIN_ADJUST_PARAM_SZ; +- *updt_params++ = virtualizer->gain_adjust; + params_length += COMMAND_PAYLOAD_SZ + + VIRTUALIZER_GAIN_ADJUST_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VIRT GAIN_ADJUST", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_VIRTUALIZER; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_VIRTUALIZER_GAIN_ADJUST; ++ *updt_params++ = ++ VIRTUALIZER_GAIN_ADJUST_PARAM_SZ; ++ *updt_params++ = ++ virtualizer->gain_adjust; + } + break; + default: +@@ -218,7 +276,7 @@ int msm_audio_effects_virtualizer_handler(struct audio_client *ac, + break; + } + } +- if (params_length && 
!msm_dts_eagle_is_hpx_on()) ++ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + else +@@ -232,15 +290,16 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + struct reverb_params *reverb, + long *values) + { +- int devices = *values++; +- int num_commands = *values++; +- char *params; ++ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ char *params = NULL; ++ int rc = 0; ++ int devices = GET_NEXT(values, param_max_offset, rc); ++ int num_commands = GET_NEXT(values, param_max_offset, rc); + int *updt_params, i, prev_enable_flag; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); +- int rc = 0; + + pr_debug("%s\n", __func__); +- if (!ac) { ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { + pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } +@@ -253,10 +312,14 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); + switch (command_id) { + case REVERB_ENABLE: + if (length != 1 || index_offset != 0) { +@@ -265,16 +328,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + goto invalid_config; + } + prev_enable_flag = reverb->enable_flag; +- reverb->enable_flag = *values++; ++ reverb->enable_flag = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s:REVERB_ENABLE prev:%d,new:%d\n", __func__, + prev_enable_flag, reverb->enable_flag); + if (prev_enable_flag != reverb->enable_flag) { +- 
*updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = AUDPROC_PARAM_ID_REVERB_ENABLE; +- *updt_params++ = REVERB_ENABLE_PARAM_SZ; +- *updt_params++ = reverb->enable_flag; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_ENABLE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_ENABLE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_ENABLE; ++ *updt_params++ = ++ REVERB_ENABLE_PARAM_SZ; ++ *updt_params++ = ++ reverb->enable_flag; + } + break; + case REVERB_MODE: +@@ -283,16 +356,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->mode = *values++; ++ reverb->mode = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_MODE val:%d\n", + __func__, reverb->mode); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = AUDPROC_PARAM_ID_REVERB_MODE; +- *updt_params++ = REVERB_MODE_PARAM_SZ; +- *updt_params++ = reverb->mode; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_MODE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_MODE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_MODE; ++ *updt_params++ = ++ REVERB_MODE_PARAM_SZ; ++ *updt_params++ = ++ reverb->mode; + } + break; + case REVERB_PRESET: +@@ -301,16 +384,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->preset = *values++; ++ reverb->preset = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_PRESET val:%d\n", + __func__, reverb->preset); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = AUDPROC_PARAM_ID_REVERB_PRESET; +- *updt_params++ = REVERB_PRESET_PARAM_SZ; +- *updt_params++ = reverb->preset; + 
params_length += COMMAND_PAYLOAD_SZ + + REVERB_PRESET_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_PRESET", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_PRESET; ++ *updt_params++ = ++ REVERB_PRESET_PARAM_SZ; ++ *updt_params++ = ++ reverb->preset; + } + break; + case REVERB_WET_MIX: +@@ -319,17 +412,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->wet_mix = *values++; ++ reverb->wet_mix = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_WET_MIX val:%d\n", + __func__, reverb->wet_mix); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_WET_MIX_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_WET_MIX", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_WET_MIX; +- *updt_params++ = REVERB_WET_MIX_PARAM_SZ; +- *updt_params++ = reverb->wet_mix; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_WET_MIX_PARAM_SZ; ++ *updt_params++ = ++ reverb->wet_mix; + } + break; + case REVERB_GAIN_ADJUST: +@@ -338,17 +440,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->gain_adjust = *values++; ++ reverb->gain_adjust = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_GAIN_ADJUST val:%d\n", + __func__, reverb->gain_adjust); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_GAIN_ADJUST_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_GAIN_ADJUST", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + 
AUDPROC_PARAM_ID_REVERB_GAIN_ADJUST; +- *updt_params++ = REVERB_GAIN_ADJUST_PARAM_SZ; +- *updt_params++ = reverb->gain_adjust; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_GAIN_ADJUST_PARAM_SZ; ++ *updt_params++ = ++ reverb->gain_adjust; + } + break; + case REVERB_ROOM_LEVEL: +@@ -357,17 +468,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->room_level = *values++; ++ reverb->room_level = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_ROOM_LEVEL val:%d\n", + __func__, reverb->room_level); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_ROOM_LEVEL_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_ROOM_LEVEL", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_ROOM_LEVEL; +- *updt_params++ = REVERB_ROOM_LEVEL_PARAM_SZ; +- *updt_params++ = reverb->room_level; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_ROOM_LEVEL_PARAM_SZ; ++ *updt_params++ = ++ reverb->room_level; + } + break; + case REVERB_ROOM_HF_LEVEL: +@@ -376,17 +496,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->room_hf_level = *values++; ++ reverb->room_hf_level = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_ROOM_HF_LEVEL val%d\n", + __func__, reverb->room_hf_level); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_ROOM_HF_LEVEL_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_ROOM_HF_LEVEL", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_ROOM_HF_LEVEL; +- *updt_params++ = 
REVERB_ROOM_HF_LEVEL_PARAM_SZ; +- *updt_params++ = reverb->room_hf_level; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_ROOM_HF_LEVEL_PARAM_SZ; ++ *updt_params++ = ++ reverb->room_hf_level; + } + break; + case REVERB_DECAY_TIME: +@@ -395,17 +524,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->decay_time = *values++; ++ reverb->decay_time = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_DECAY_TIME val:%d\n", + __func__, reverb->decay_time); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_DECAY_TIME_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_DECAY_TIME", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_DECAY_TIME; +- *updt_params++ = REVERB_DECAY_TIME_PARAM_SZ; +- *updt_params++ = reverb->decay_time; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_DECAY_TIME_PARAM_SZ; ++ *updt_params++ = ++ reverb->decay_time; + } + break; + case REVERB_DECAY_HF_RATIO: +@@ -414,17 +552,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->decay_hf_ratio = *values++; ++ reverb->decay_hf_ratio = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_DECAY_HF_RATIO val%d\n", + __func__, reverb->decay_hf_ratio); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_DECAY_HF_RATIO_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_DECAY_HF_RATIO", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_DECAY_HF_RATIO; +- *updt_params++ = REVERB_DECAY_HF_RATIO_PARAM_SZ; +- *updt_params++ = 
reverb->decay_hf_ratio; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_DECAY_HF_RATIO_PARAM_SZ; ++ *updt_params++ = ++ reverb->decay_hf_ratio; + } + break; + case REVERB_REFLECTIONS_LEVEL: +@@ -433,18 +580,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->reflections_level = *values++; ++ reverb->reflections_level = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_REFLECTIONS_LEVEL val:%d\n", + __func__, reverb->reflections_level); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = +- AUDPROC_PARAM_ID_REVERB_REFLECTIONS_LEVEL; +- *updt_params++ = +- REVERB_REFLECTIONS_LEVEL_PARAM_SZ; +- *updt_params++ = reverb->reflections_level; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_REFLECTIONS_LEVEL_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_REFLECTIONS_LEVEL", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_REFLECTIONS_LEVEL; ++ *updt_params++ = ++ REVERB_REFLECTIONS_LEVEL_PARAM_SZ; ++ *updt_params++ = ++ reverb->reflections_level; + } + break; + case REVERB_REFLECTIONS_DELAY: +@@ -453,18 +608,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->reflections_delay = *values++; ++ reverb->reflections_delay = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_REFLECTIONS_DELAY val:%d\n", + __func__, reverb->reflections_delay); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = +- AUDPROC_PARAM_ID_REVERB_REFLECTIONS_DELAY; +- *updt_params++ = +- REVERB_REFLECTIONS_DELAY_PARAM_SZ; +- *updt_params++ = reverb->reflections_delay; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_REFLECTIONS_DELAY_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ 
MAX_INBAND_PARAM_SZ, ++ "REVERB_REFLECTIONS_DELAY", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_REFLECTIONS_DELAY; ++ *updt_params++ = ++ REVERB_REFLECTIONS_DELAY_PARAM_SZ; ++ *updt_params++ = ++ reverb->reflections_delay; + } + break; + case REVERB_LEVEL: +@@ -473,16 +636,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->level = *values++; ++ reverb->level = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_LEVEL val:%d\n", + __func__, reverb->level); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = AUDPROC_PARAM_ID_REVERB_LEVEL; +- *updt_params++ = REVERB_LEVEL_PARAM_SZ; +- *updt_params++ = reverb->level; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_LEVEL_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_LEVEL", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_REVERB_LEVEL; ++ *updt_params++ = ++ REVERB_LEVEL_PARAM_SZ; ++ *updt_params++ = ++ reverb->level; + } + break; + case REVERB_DELAY: +@@ -491,16 +664,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->delay = *values++; ++ reverb->delay = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s:REVERB_DELAY val:%d\n", + __func__, reverb->delay); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; +- *updt_params++ = AUDPROC_PARAM_ID_REVERB_DELAY; +- *updt_params++ = REVERB_DELAY_PARAM_SZ; +- *updt_params++ = reverb->delay; + params_length += COMMAND_PAYLOAD_SZ + + REVERB_DELAY_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_DELAY", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; ++ *updt_params++ = ++ 
AUDPROC_PARAM_ID_REVERB_DELAY; ++ *updt_params++ = ++ REVERB_DELAY_PARAM_SZ; ++ *updt_params++ = ++ reverb->delay; + } + break; + case REVERB_DIFFUSION: +@@ -509,17 +692,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->diffusion = *values++; ++ reverb->diffusion = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_DIFFUSION val:%d\n", + __func__, reverb->diffusion); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_DIFFUSION_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_DIFFUSION", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_DIFFUSION; +- *updt_params++ = REVERB_DIFFUSION_PARAM_SZ; +- *updt_params++ = reverb->diffusion; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_DIFFUSION_PARAM_SZ; ++ *updt_params++ = ++ reverb->diffusion; + } + break; + case REVERB_DENSITY: +@@ -528,17 +720,26 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- reverb->density = *values++; ++ reverb->density = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: REVERB_DENSITY val:%d\n", + __func__, reverb->density); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_REVERB; ++ params_length += COMMAND_PAYLOAD_SZ + ++ REVERB_DENSITY_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "REVERB_DENSITY", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_REVERB; + *updt_params++ = + AUDPROC_PARAM_ID_REVERB_DENSITY; +- *updt_params++ = REVERB_DENSITY_PARAM_SZ; +- *updt_params++ = reverb->density; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + REVERB_DENSITY_PARAM_SZ; ++ *updt_params++ = ++ reverb->density; + } + break; + default: +@@ 
-546,7 +747,7 @@ int msm_audio_effects_reverb_handler(struct audio_client *ac, + break; + } + } +- if (params_length && !msm_dts_eagle_is_hpx_on()) ++ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + else +@@ -560,15 +761,16 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + struct bass_boost_params *bass_boost, + long *values) + { +- int devices = *values++; +- int num_commands = *values++; +- char *params; ++ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ char *params = NULL; ++ int rc = 0; ++ int devices = GET_NEXT(values, param_max_offset, rc); ++ int num_commands = GET_NEXT(values, param_max_offset, rc); + int *updt_params, i, prev_enable_flag; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); +- int rc = 0; + + pr_debug("%s\n", __func__); +- if (!ac) { ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { + pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } +@@ -581,10 +783,14 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); + switch (command_id) { + case BASS_BOOST_ENABLE: + if (length != 1 || index_offset != 0) { +@@ -593,18 +799,27 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + goto invalid_config; + } + prev_enable_flag = bass_boost->enable_flag; +- bass_boost->enable_flag = *values++; ++ bass_boost->enable_flag = ++ GET_NEXT(values, param_max_offset, 
rc); + pr_debug("%s: BASS_BOOST_ENABLE prev:%d new:%d\n", + __func__, prev_enable_flag, + bass_boost->enable_flag); + if (prev_enable_flag != bass_boost->enable_flag) { +- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST; ++ params_length += COMMAND_PAYLOAD_SZ + ++ BASS_BOOST_ENABLE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "BASS_BOOST_ENABLE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_BASS_BOOST; + *updt_params++ = + AUDPROC_PARAM_ID_BASS_BOOST_ENABLE; +- *updt_params++ = BASS_BOOST_ENABLE_PARAM_SZ; +- *updt_params++ = bass_boost->enable_flag; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + BASS_BOOST_ENABLE_PARAM_SZ; ++ *updt_params++ = ++ bass_boost->enable_flag; + } + break; + case BASS_BOOST_MODE: +@@ -613,17 +828,26 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- bass_boost->mode = *values++; ++ bass_boost->mode = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: BASS_BOOST_MODE val:%d\n", + __func__, bass_boost->mode); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST; ++ params_length += COMMAND_PAYLOAD_SZ + ++ BASS_BOOST_MODE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "BASS_BOOST_MODE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_BASS_BOOST; + *updt_params++ = + AUDPROC_PARAM_ID_BASS_BOOST_MODE; +- *updt_params++ = BASS_BOOST_MODE_PARAM_SZ; +- *updt_params++ = bass_boost->mode; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + BASS_BOOST_MODE_PARAM_SZ; ++ *updt_params++ = ++ bass_boost->mode; + } + break; + case BASS_BOOST_STRENGTH: +@@ -632,17 +856,26 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- bass_boost->strength = *values++; +- pr_debug("%s: BASS_BOOST_STRENGTHi val:%d\n", ++ bass_boost->strength = ++ GET_NEXT(values, 
param_max_offset, rc); ++ pr_debug("%s: BASS_BOOST_STRENGTH val:%d\n", + __func__, bass_boost->strength); + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_BASS_BOOST; ++ params_length += COMMAND_PAYLOAD_SZ + ++ BASS_BOOST_STRENGTH_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "BASS_BOOST_STRENGTH", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_BASS_BOOST; + *updt_params++ = + AUDPROC_PARAM_ID_BASS_BOOST_STRENGTH; +- *updt_params++ = BASS_BOOST_STRENGTH_PARAM_SZ; +- *updt_params++ = bass_boost->strength; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + BASS_BOOST_STRENGTH_PARAM_SZ; ++ *updt_params++ = ++ bass_boost->strength; + } + break; + default: +@@ -650,7 +883,7 @@ int msm_audio_effects_bass_boost_handler(struct audio_client *ac, + break; + } + } +- if (params_length && !msm_dts_eagle_is_hpx_on()) ++ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + else +@@ -664,15 +897,16 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, + struct pbe_params *pbe, + long *values) + { +- int devices = *values++; +- int num_commands = *values++; +- char *params; ++ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ char *params = NULL; ++ int rc = 0; ++ int devices = GET_NEXT(values, param_max_offset, rc); ++ int num_commands = GET_NEXT(values, param_max_offset, rc); + int *updt_params, i, j, prev_enable_flag; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); +- int rc = 0; + + pr_debug("%s\n", __func__); +- if (!ac) { ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { + pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } +@@ -685,10 +919,14 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t 
command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); + switch (command_id) { + case PBE_ENABLE: + pr_debug("%s: PBE_ENABLE\n", __func__); +@@ -698,15 +936,24 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, + goto invalid_config; + } + prev_enable_flag = pbe->enable_flag; +- pbe->enable_flag = *values++; ++ pbe->enable_flag = ++ GET_NEXT(values, param_max_offset, rc); + if (prev_enable_flag != pbe->enable_flag) { +- *updt_params++ = AUDPROC_MODULE_ID_PBE; ++ params_length += COMMAND_PAYLOAD_SZ + ++ PBE_ENABLE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "PBE_ENABLE", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_PBE; + *updt_params++ = + AUDPROC_PARAM_ID_PBE_ENABLE; +- *updt_params++ = PBE_ENABLE_PARAM_SZ; +- *updt_params++ = pbe->enable_flag; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + PBE_ENABLE_PARAM_SZ; ++ *updt_params++ = ++ pbe->enable_flag; + } + break; + case PBE_CONFIG: +@@ -719,15 +966,26 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, + goto invalid_config; + } + if (command_config_state == CONFIG_SET) { +- *updt_params++ = AUDPROC_MODULE_ID_PBE; ++ params_length += COMMAND_PAYLOAD_SZ + length; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "PBE_PARAM", rc); ++ if (rc != 0) ++ break; ++ *updt_params++ = ++ AUDPROC_MODULE_ID_PBE; + *updt_params++ = + AUDPROC_PARAM_ID_PBE_PARAM_CONFIG; +- *updt_params++ = length; ++ *updt_params++ = ++ length; + for (j = 0; j < length; ) { + j += sizeof(*updt_params); +- *updt_params++ = *values++; ++ *updt_params++ = ++ GET_NEXT( ++ values, ++ param_max_offset, ++ rc); + } +- 
params_length += COMMAND_PAYLOAD_SZ + length; + } + break; + default: +@@ -735,7 +993,7 @@ int msm_audio_effects_pbe_handler(struct audio_client *ac, + break; + } + } +- if (params_length) ++ if (params_length && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + invalid_config: +@@ -747,15 +1005,16 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + struct eq_params *eq, + long *values) + { +- int devices = *values++; +- int num_commands = *values++; +- char *params; ++ long *param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ char *params = NULL; ++ int rc = 0; ++ int devices = GET_NEXT(values, param_max_offset, rc); ++ int num_commands = GET_NEXT(values, param_max_offset, rc); + int *updt_params, i, prev_enable_flag; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); +- int rc = 0; + + pr_debug("%s\n", __func__); +- if (!ac) { ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { + pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } +@@ -768,11 +1027,16 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; +- int idx, j; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t idx; ++ int j; + switch (command_id) { + case EQ_ENABLE: + if (length != 1 || index_offset != 0) { +@@ -781,17 +1045,26 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + goto invalid_config; + } + prev_enable_flag = eq->enable_flag; +- eq->enable_flag = *values++; ++ eq->enable_flag = ++ GET_NEXT(values, 
param_max_offset, rc); + pr_debug("%s: EQ_ENABLE prev:%d new:%d\n", __func__, + prev_enable_flag, eq->enable_flag); + if (prev_enable_flag != eq->enable_flag) { ++ params_length += COMMAND_PAYLOAD_SZ + ++ EQ_ENABLE_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "EQ_ENABLE", rc); ++ if (rc != 0) ++ break; + *updt_params++ = + AUDPROC_MODULE_ID_POPLESS_EQUALIZER; +- *updt_params++ = AUDPROC_PARAM_ID_EQ_ENABLE; +- *updt_params++ = EQ_ENABLE_PARAM_SZ; +- *updt_params++ = eq->enable_flag; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = ++ AUDPROC_PARAM_ID_EQ_ENABLE; ++ *updt_params++ = + EQ_ENABLE_PARAM_SZ; ++ *updt_params++ = ++ eq->enable_flag; + } + break; + case EQ_CONFIG: +@@ -805,9 +1078,12 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + eq->config.eq_pregain, eq->config.preset_id); + for (idx = 0; idx < MAX_EQ_BANDS; idx++) + eq->per_band_cfg[idx].band_idx = -1; +- eq->config.eq_pregain = *values++; +- eq->config.preset_id = *values++; +- eq->config.num_bands = *values++; ++ eq->config.eq_pregain = ++ GET_NEXT(values, param_max_offset, rc); ++ eq->config.preset_id = ++ GET_NEXT(values, param_max_offset, rc); ++ eq->config.num_bands = ++ GET_NEXT(values, param_max_offset, rc); + if (eq->config.num_bands > MAX_EQ_BANDS) { + pr_err("EQ_CONFIG:invalid num of bands\n"); + rc = -EINVAL; +@@ -822,48 +1098,59 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + goto invalid_config; + } + for (j = 0; j < eq->config.num_bands; j++) { +- idx = *values++; ++ idx = GET_NEXT(values, param_max_offset, rc); + if (idx >= MAX_EQ_BANDS) { + pr_err("EQ_CONFIG:invalid band index\n"); + rc = -EINVAL; + goto invalid_config; + } + eq->per_band_cfg[idx].band_idx = idx; +- eq->per_band_cfg[idx].filter_type = *values++; ++ eq->per_band_cfg[idx].filter_type = ++ GET_NEXT(values, param_max_offset, rc); + eq->per_band_cfg[idx].freq_millihertz = +- *values++; ++ GET_NEXT(values, param_max_offset, rc); + 
eq->per_band_cfg[idx].gain_millibels = +- *values++; ++ GET_NEXT(values, param_max_offset, rc); + eq->per_band_cfg[idx].quality_factor = +- *values++; ++ GET_NEXT(values, param_max_offset, rc); + } + if (command_config_state == CONFIG_SET) { + int config_param_length = EQ_CONFIG_PARAM_SZ + + (EQ_CONFIG_PER_BAND_PARAM_SZ* + eq->config.num_bands); ++ params_length += COMMAND_PAYLOAD_SZ + ++ config_param_length; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "EQ_CONFIG", rc); ++ if (rc != 0) ++ break; + *updt_params++ = + AUDPROC_MODULE_ID_POPLESS_EQUALIZER; +- *updt_params++ = AUDPROC_PARAM_ID_EQ_CONFIG; +- *updt_params++ = config_param_length; +- *updt_params++ = eq->config.eq_pregain; +- *updt_params++ = eq->config.preset_id; +- *updt_params++ = eq->config.num_bands; ++ *updt_params++ = ++ AUDPROC_PARAM_ID_EQ_CONFIG; ++ *updt_params++ = ++ config_param_length; ++ *updt_params++ = ++ eq->config.eq_pregain; ++ *updt_params++ = ++ eq->config.preset_id; ++ *updt_params++ = ++ eq->config.num_bands; + for (idx = 0; idx < MAX_EQ_BANDS; idx++) { + if (eq->per_band_cfg[idx].band_idx < 0) + continue; + *updt_params++ = +- eq->per_band_cfg[idx].filter_type; ++ eq->per_band_cfg[idx].filter_type; + *updt_params++ = +- eq->per_band_cfg[idx].freq_millihertz; ++ eq->per_band_cfg[idx].freq_millihertz; + *updt_params++ = +- eq->per_band_cfg[idx].gain_millibels; ++ eq->per_band_cfg[idx].gain_millibels; + *updt_params++ = +- eq->per_band_cfg[idx].quality_factor; ++ eq->per_band_cfg[idx].quality_factor; + *updt_params++ = +- eq->per_band_cfg[idx].band_idx; ++ eq->per_band_cfg[idx].band_idx; + } +- params_length += COMMAND_PAYLOAD_SZ + +- config_param_length; + } + break; + case EQ_BAND_INDEX: +@@ -872,7 +1159,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + rc = -EINVAL; + goto invalid_config; + } +- idx = *values++; ++ idx = GET_NEXT(values, param_max_offset, rc); + if (idx > MAX_EQ_BANDS) { + pr_err("EQ_BAND_INDEX:invalid band index\n"); + rc = 
-EINVAL; +@@ -882,14 +1169,21 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + pr_debug("%s: EQ_BAND_INDEX val:%d\n", + __func__, eq->band_index); + if (command_config_state == CONFIG_SET) { ++ params_length += COMMAND_PAYLOAD_SZ + ++ EQ_BAND_INDEX_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "EQ_BAND_INDEX", rc); ++ if (rc != 0) ++ break; + *updt_params++ = + AUDPROC_MODULE_ID_POPLESS_EQUALIZER; + *updt_params++ = + AUDPROC_PARAM_ID_EQ_BAND_INDEX; +- *updt_params++ = EQ_BAND_INDEX_PARAM_SZ; +- *updt_params++ = eq->band_index; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + EQ_BAND_INDEX_PARAM_SZ; ++ *updt_params++ = ++ eq->band_index; + } + break; + case EQ_SINGLE_BAND_FREQ: +@@ -902,18 +1196,26 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + pr_err("EQ_SINGLE_BAND_FREQ:invalid index\n"); + break; + } +- eq->freq_millihertz = *values++; ++ eq->freq_millihertz = ++ GET_NEXT(values, param_max_offset, rc); + pr_debug("%s: EQ_SINGLE_BAND_FREQ idx:%d, val:%d\n", + __func__, eq->band_index, eq->freq_millihertz); + if (command_config_state == CONFIG_SET) { ++ params_length += COMMAND_PAYLOAD_SZ + ++ EQ_SINGLE_BAND_FREQ_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "EQ_SINGLE_BAND_FREQ", rc); ++ if (rc != 0) ++ break; + *updt_params++ = + AUDPROC_MODULE_ID_POPLESS_EQUALIZER; + *updt_params++ = + AUDPROC_PARAM_ID_EQ_SINGLE_BAND_FREQ; +- *updt_params++ = EQ_SINGLE_BAND_FREQ_PARAM_SZ; +- *updt_params++ = eq->freq_millihertz; +- params_length += COMMAND_PAYLOAD_SZ + ++ *updt_params++ = + EQ_SINGLE_BAND_FREQ_PARAM_SZ; ++ *updt_params++ = ++ eq->freq_millihertz; + } + break; + default: +@@ -921,7 +1223,7 @@ int msm_audio_effects_popless_eq_handler(struct audio_client *ac, + break; + } + } +- if (params_length && !msm_dts_eagle_is_hpx_on()) ++ if (params_length && !msm_dts_eagle_is_hpx_on() && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + 
else +@@ -938,9 +1240,10 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, + { + int devices; + int num_commands; +- char *params; ++ char *params = NULL; + int *updt_params, i; + uint32_t params_length = (MAX_INBAND_PARAM_SZ); ++ long *param_max_offset; + int rc = 0; + + pr_debug("%s: instance: %d\n", __func__, instance); +@@ -949,9 +1252,11 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, + __func__); + return -EINVAL; + } +- if (!ac) { +- pr_err("%s: cannot set audio effects as audio client is NULL\n", +- __func__); ++ param_max_offset = values + MAX_PP_PARAMS_SZ - 1; ++ devices = GET_NEXT(values, param_max_offset, rc); ++ num_commands = GET_NEXT(values, param_max_offset, rc); ++ if (!ac || (devices == -EINVAL) || (num_commands == -EINVAL)) { ++ pr_err("%s: cannot set audio effects\n", __func__); + return -EINVAL; + } + params = kzalloc(params_length, GFP_KERNEL); +@@ -959,88 +1264,114 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, + pr_err("%s, params memory alloc failed\n", __func__); + return -ENOMEM; + } +- devices = *values++; +- num_commands = *values++; + updt_params = (int *)params; + params_length = 0; + for (i = 0; i < num_commands; i++) { +- uint32_t command_id = *values++; +- uint32_t command_config_state = *values++; +- uint32_t index_offset = *values++; +- uint32_t length = *values++; ++ uint32_t command_id = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t command_config_state = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t index_offset = ++ GET_NEXT(values, param_max_offset, rc); ++ uint32_t length = ++ GET_NEXT(values, param_max_offset, rc); + switch (command_id) { + case SOFT_VOLUME_GAIN_2CH: + case SOFT_VOLUME2_GAIN_2CH: + if (length != 2 || index_offset != 0) { +- pr_err("VOLUME_GAIN_2CH/VOLUME2_GAIN_2CH:invalid params\n"); ++ pr_err("VOLUME_GAIN_2CH: invalid params\n"); + rc = -EINVAL; + goto invalid_config; + } +- vol->left_gain = *values++; +- 
vol->right_gain = *values++; ++ vol->left_gain = GET_NEXT(values, param_max_offset, rc); ++ vol->right_gain = ++ GET_NEXT(values, param_max_offset, rc); + vol->master_gain = 0x2000; + if (command_config_state == CONFIG_SET) { ++ params_length += COMMAND_PAYLOAD_SZ + ++ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ params_length += COMMAND_PAYLOAD_SZ + ++ SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VOLUME/VOLUME2_GAIN_2CH", ++ rc); ++ if (rc != 0) ++ break; + if (instance == SOFT_VOLUME_INSTANCE_2) + *updt_params++ = +- ASM_MODULE_ID_VOL_CTRL2; ++ ASM_MODULE_ID_VOL_CTRL2; + else +- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; ++ *updt_params++ = ++ ASM_MODULE_ID_VOL_CTRL; + *updt_params++ = + ASM_PARAM_ID_VOL_CTRL_LR_CHANNEL_GAIN; +- *updt_params++ = SOFT_VOLUME_GAIN_2CH_PARAM_SZ; +- *updt_params++ = (vol->left_gain << 16) | +- vol->right_gain; +- params_length += COMMAND_PAYLOAD_SZ + +- SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ *updt_params++ = ++ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ *updt_params++ = ++ (vol->left_gain << 16) | ++ vol->right_gain; + if (instance == SOFT_VOLUME_INSTANCE_2) + *updt_params++ = +- ASM_MODULE_ID_VOL_CTRL2; ++ ASM_MODULE_ID_VOL_CTRL2; + else +- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; ++ *updt_params++ = ++ ASM_MODULE_ID_VOL_CTRL; + *updt_params++ = + ASM_PARAM_ID_VOL_CTRL_MASTER_GAIN; + *updt_params++ = + SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; +- *updt_params++ = vol->master_gain; +- params_length += COMMAND_PAYLOAD_SZ + +- SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; ++ *updt_params++ = ++ vol->master_gain; + } + break; + case SOFT_VOLUME_GAIN_MASTER: + case SOFT_VOLUME2_GAIN_MASTER: + if (length != 1 || index_offset != 0) { +- pr_err("VOLUME_GAIN_MASTER/VOLUME2_GAIN_MASTER:invalid params\n"); ++ pr_err("VOLUME_GAIN_MASTER: invalid params\n"); + rc = -EINVAL; + goto invalid_config; + } + vol->left_gain = 0x2000; + vol->right_gain = 0x2000; +- vol->master_gain = *values++; ++ vol->master_gain = ++ GET_NEXT(values, 
param_max_offset, rc); + if (command_config_state == CONFIG_SET) { ++ params_length += COMMAND_PAYLOAD_SZ + ++ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ params_length += COMMAND_PAYLOAD_SZ + ++ SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; ++ CHECK_PARAM_LEN(params_length, ++ MAX_INBAND_PARAM_SZ, ++ "VOLUME/VOLUME2_GAIN_MASTER", ++ rc); ++ if (rc != 0) ++ break; + if (instance == SOFT_VOLUME_INSTANCE_2) + *updt_params++ = +- ASM_MODULE_ID_VOL_CTRL2; ++ ASM_MODULE_ID_VOL_CTRL2; + else +- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; ++ *updt_params++ = ++ ASM_MODULE_ID_VOL_CTRL; + *updt_params++ = + ASM_PARAM_ID_VOL_CTRL_LR_CHANNEL_GAIN; +- *updt_params++ = SOFT_VOLUME_GAIN_2CH_PARAM_SZ; +- *updt_params++ = (vol->left_gain << 16) | +- vol->right_gain; +- params_length += COMMAND_PAYLOAD_SZ + +- SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ *updt_params++ = ++ SOFT_VOLUME_GAIN_2CH_PARAM_SZ; ++ *updt_params++ = ++ (vol->left_gain << 16) | ++ vol->right_gain; + if (instance == SOFT_VOLUME_INSTANCE_2) + *updt_params++ = +- ASM_MODULE_ID_VOL_CTRL2; ++ ASM_MODULE_ID_VOL_CTRL2; + else +- *updt_params++ = ASM_MODULE_ID_VOL_CTRL; ++ *updt_params++ = ++ ASM_MODULE_ID_VOL_CTRL; + *updt_params++ = + ASM_PARAM_ID_VOL_CTRL_MASTER_GAIN; + *updt_params++ = + SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; +- *updt_params++ = vol->master_gain; +- params_length += COMMAND_PAYLOAD_SZ + +- SOFT_VOLUME_GAIN_MASTER_PARAM_SZ; ++ *updt_params++ = ++ vol->master_gain; + } + break; + default: +@@ -1049,7 +1380,7 @@ static int __msm_audio_effects_volume_handler(struct audio_client *ac, + break; + } + } +- if (params_length) ++ if (params_length && (rc == 0)) + q6asm_send_audio_effects_params(ac, params, + params_length); + invalid_config: +diff --git a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c +index f814434..b4bd43d 100644 +--- a/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c ++++ b/sound/soc/msm/qdsp6v2/msm-compress-q6-v2.c +@@ -2839,7 +2839,7 @@ static int msm_compr_audio_effects_config_info(struct 
snd_kcontrol *kcontrol, + struct snd_ctl_elem_info *uinfo) + { + uinfo->type = SNDRV_CTL_ELEM_TYPE_INTEGER; +- uinfo->count = 128; ++ uinfo->count = MAX_PP_PARAMS_SZ; + uinfo->value.integer.min = 0; + uinfo->value.integer.max = 0xFFFFFFFF; + return 0; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2067/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2067/ANY/0001.patch new file mode 100644 index 00000000..1266bd30 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2067/ANY/0001.patch 
@@ -0,0 +1,82 @@ +From 410cfa95f0a1cf58819cbfbd896f9aa45b004ac0 Mon Sep 17 00:00:00 2001 +From: Tarun Karra +Date: Thu, 17 Mar 2016 21:10:36 -0700 +Subject: msm: kgsl: verify user memory permissions before mapping to GPU + driver + +For user memory of type KGSL_USER_MEM_TYPE_ADDR mapped to GPU driver +verify permissions and map GPU permissions same as CPU permissions. +If elevated permissions are requested return an error to prevent +privilege escalation. Without this check user could map readonly +memory into GPU driver as readwrite and gain elevated privilege. + +Write permissions check is currently inverted causing readonly +user pages to be mapped as readwrite in GPU driver. Fix this +check to map readonly pages as readonly. + +CRs-Fixed: 988993 +Change-Id: I0e097d7e4e4c414c0849e33bcc61a26fb94291ad +Signed-off-by: Tarun Karra +--- + drivers/gpu/msm/kgsl.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c +index d5e96ab..cecc463 100644 +--- a/drivers/gpu/msm/kgsl.c ++++ b/drivers/gpu/msm/kgsl.c +@@ -1961,6 +1961,20 @@ static inline int _check_region(unsigned long start, unsigned long size, + return (end > len); + } + ++static int check_vma_flags(struct vm_area_struct *vma, ++ unsigned int flags) ++{ ++ unsigned long flags_requested = (VM_READ | VM_WRITE); ++ ++ if (flags & KGSL_MEMFLAGS_GPUREADONLY) ++ flags_requested &= ~VM_WRITE; ++ ++ if ((vma->vm_flags & flags_requested) == flags_requested) ++ return 0; ++ ++ return -EFAULT; ++} ++ + static int check_vma(struct vm_area_struct *vma, struct file *vmfile, + struct kgsl_memdesc *memdesc) + { +@@ -1974,7 +1988,7 @@ static int check_vma(struct vm_area_struct *vma, struct file *vmfile, + if (vma->vm_start != memdesc->useraddr || + (memdesc->useraddr + memdesc->size) != vma->vm_end) + return -EINVAL; +- return 0; ++ return check_vma_flags(vma, memdesc->flags); + } + + static int memdesc_sg_virt(struct kgsl_memdesc 
*memdesc, struct file *vmfile) +@@ -1983,7 +1997,7 @@ static int memdesc_sg_virt(struct kgsl_memdesc *memdesc, struct file *vmfile) + long npages = 0, i; + size_t sglen = (size_t) (memdesc->size / PAGE_SIZE); + struct page **pages = NULL; +- int write = (memdesc->flags & KGSL_MEMFLAGS_GPUREADONLY) != 0; ++ int write = ((memdesc->flags & KGSL_MEMFLAGS_GPUREADONLY) ? 0 : 1); + + if (sglen == 0 || sglen >= LONG_MAX) + return -EINVAL; +@@ -2102,6 +2116,12 @@ static int kgsl_setup_dmabuf_useraddr(struct kgsl_device *device, + if (vma && vma->vm_file) { + int fd; + ++ ret = check_vma_flags(vma, entry->memdesc.flags); ++ if (ret) { ++ up_read(¤t->mm->mmap_sem); ++ return ret; ++ } ++ + /* + * Check to see that this isn't our own memory that we have + * already mapped +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2068/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2068/ANY/0001.patch similarity index 73% rename from Patches/Linux_CVEs/CVE-2016-2068/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-2068/ANY/0001.patch index b724c522..69a66f37 100644 --- a/Patches/Linux_CVEs/CVE-2016-2068/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2016-2068/ANY/0001.patch @@ -1,4 +1,4 @@ -From 2c04c0dab66013b7dfbe4d5a523c2c1d6b5b11d6 Mon Sep 17 00:00:00 2001 +From 01ee86da5a0cd788f134e360e2be517ef52b6b00 Mon Sep 17 00:00:00 2001 From: Weiyin Jiang Date: Tue, 26 Apr 2016 14:35:38 +0800 Subject: ASoC: msm: audio-effects: misc fixes in h/w accelerated effect @@ -11,14 +11,14 @@ CRs-Fixed: 1006609 Signed-off-by: Weiyin Jiang --- drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 8 +++++--- - sound/soc/msm/qdsp6v2/q6asm.c | 6 ++++++ - 2 files changed, 11 insertions(+), 3 deletions(-) + sound/soc/msm/qdsp6v2/q6asm.c | 8 +++++++- + 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c -index 3ba20ca..3a88344 100644 +index c100c47..525d72a 100644 
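Review bot: In the CVE-2016-2067 patch (drivers/gpu/msm/kgsl.c), the new check_vma_flags() is the permission gate for this fix but has no comment, and its rule is easy to misread: VM_READ is always required, and VM_WRITE is required unless KGSL_MEMFLAGS_GPUREADONLY is set. I would add above it `/* Fail unless the CPU mapping already grants every access the GPU mapping asks for. */`. The mismatch is reported as -EFAULT, which a caller cannot tell apart from a bad address; whether a distinct code such as -EACCES is safe depends on callers outside these hunks. In memdesc_sg_virt() the corrected flag reads more directly as `int write = !(memdesc->flags & KGSL_MEMFLAGS_GPUREADONLY);`. check_vma(), memdesc_sg_virt() and kgsl_setup_dmabuf_useraddr() all continue outside the hunks shown.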
--- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c +++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c -@@ -163,7 +163,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, +@@ -164,7 +164,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, pr_debug("%s: dec buf size: %d, num_buf: %d, enc buf size: %d, num_buf: %d\n", __func__, effects->config.output.buf_size, @@ -27,7 +27,7 @@ index 3ba20ca..3a88344 100644 effects->config.input.buf_size, effects->config.input.num_buf); rc = q6asm_audio_client_buf_alloc_contiguous(IN, effects->ac, -@@ -251,7 +251,8 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, +@@ -252,7 +252,8 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, bufptr = q6asm_is_cpu_buf_avail(IN, effects->ac, &size, &idx); if (bufptr) { @@ -37,7 +37,7 @@ index 3ba20ca..3a88344 100644 effects->config.buf_cfg.output_len)) { rc = -EFAULT; goto ioctl_fail; -@@ -307,7 +308,8 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, +@@ -308,7 +309,8 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, rc = -EFAULT; goto ioctl_fail; } @@ -48,10 +48,17 @@ index 3ba20ca..3a88344 100644 rc = -EFAULT; goto ioctl_fail; diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c -index df310b8..d143eb0 100644 +index 0991d30..1c6e938 100644 --- a/sound/soc/msm/qdsp6v2/q6asm.c +++ b/sound/soc/msm/qdsp6v2/q6asm.c -@@ -1300,6 +1300,12 @@ int q6asm_audio_client_buf_alloc_contiguous(unsigned int dir, +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. + * Author: Brian Swetland + * + * This software is licensed under the terms of the GNU General Public +@@ -1212,6 +1212,12 @@ int q6asm_audio_client_buf_alloc_contiguous(unsigned int dir, ac->port[dir].buf = buf; 
diff --git a/Patches/Linux_CVEs/CVE-2016-2184/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2184/ANY/0001.patch new file mode 100644 index 00000000..e0050c6a --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2184/ANY/0001.patch 
@@ -0,0 +1,101 @@
+From 836b34a935abc91e13e63053d0a83b24dfb5ea78 Mon Sep 17 00:00:00 2001
+From: Vladis Dronov
+Date: Thu, 31 Mar 2016 12:05:43 -0400
+Subject: ALSA: usb-audio: Fix double-free in error paths after
+ snd_usb_add_audio_stream() call
+
+create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
+create_uaxx_quirk() functions allocate the audioformat object by themselves
+and free it upon error before returning. However, once the object is linked
+to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
+double-freed, eventually resulting in a memory corruption.
+
+This patch fixes these failures in the error paths by unlinking the audioformat
+object before freeing it.
+
+Based on a patch by Takashi Iwai
+
+[Note for stable backports:
+ this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
+ code cleanup in create_fixed_stream_quirk()')]
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
+Reported-by: Ralf Spenneberg
+Cc: # see the note above
+Signed-off-by: Vladis Dronov
+Signed-off-by: Takashi Iwai
+---
+ sound/usb/quirks.c | 4 ++++
+ sound/usb/stream.c | 6 +++++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/sound/usb/quirks.c b/sound/usb/quirks.c
+index fb62bce..6178bb5 100644
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -150,6 +150,7 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
+ usb_audio_err(chip, "cannot memdup\n");
+ return -ENOMEM;
+ }
++ INIT_LIST_HEAD(&fp->list);
+ if (fp->nr_rates > MAX_NR_RATES) {
+ kfree(fp);
+ return -EINVAL;
+@@ -193,6 +194,7 @@ static int create_fixed_stream_quirk(struct snd_usb_audio *chip,
+ return 0;
+
+ error:
++ list_del(&fp->list); /* unlink for avoiding double-free */
+ kfree(fp);
+ kfree(rate_table);
+ return err;
+@@ -469,6 +471,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip,
+ fp->ep_attr = get_endpoint(alts, 0)->bmAttributes;
+ fp->datainterval = 0;
+ fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize);
++ INIT_LIST_HEAD(&fp->list);
+
+ switch (fp->maxpacksize) {
+ case 0x120:
+@@ -492,6 +495,7 @@ static int create_uaxx_quirk(struct snd_usb_audio *chip,
+ ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
+ err = snd_usb_add_audio_stream(chip, stream, fp);
+ if (err < 0) {
++ list_del(&fp->list); /* unlink for avoiding double-free */
+ kfree(fp);
+ return err;
+ }
+diff --git a/sound/usb/stream.c b/sound/usb/stream.c
+index c4dc577..8e9548bc 100644
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -314,7 +314,9 @@ static struct snd_pcm_chmap_elem *convert_chmap(int channels, unsigned int bits,
+ /*
+ * add this endpoint to the chip instance.
+ * if a stream with the same endpoint already exists, append to it.
+- * if not, create a new pcm stream.
++ * if not, create a new pcm stream. note, fp is added to the substream
++ * fmt_list and will be freed on the chip instance release. do not free
++ * fp or do remove it from the substream fmt_list to avoid double-free.
+ */
+ int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
+ int stream,
+@@ -675,6 +677,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no)
+ * (fp->maxpacksize & 0x7ff);
+ fp->attributes = parse_uac_endpoint_attributes(chip, alts, protocol, iface_no);
+ fp->clock = clock;
++ INIT_LIST_HEAD(&fp->list);
+
+ /* some quirks for attributes here */
+
+@@ -723,6 +726,7 @@ int snd_usb_parse_audio_interface(struct snd_usb_audio *chip, int iface_no)
+ dev_dbg(&dev->dev, "%u:%d: add audio endpoint %#x\n", iface_no, altno, fp->endpoint);
+ err = snd_usb_add_audio_stream(chip, stream, fp);
+ if (err < 0) {
++ list_del(&fp->list); /* unlink for avoiding double-free */
+ kfree(fp->rate_table);
+ kfree(fp->chmap);
+ kfree(fp);
+--
+cgit v1.1
+
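Review bot: The CVE-2016-2184 patch is stored under ANY/, yet its own description says it requires commit 902eb7fd1e4a ('ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk()'), so a tree without that cleanup should be checked before relying on the `error:` hunk in create_fixed_stream_quirk(). The fix is only safe because every `list_del(&fp->list)` is paired with an earlier `INIT_LIST_HEAD(&fp->list)`; a comment at the three INIT_LIST_HEAD sites, e.g. `/* lets the error path list_del() even if fp was never linked */`, would keep a later backport from dropping one half. The new wording on snd_usb_add_audio_stream() would read more clearly as `on error the caller must unlink fp from fmt_list before freeing it`. All of the touched functions continue outside the hunks shown.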
diff --git a/Patches/Linux_CVEs/CVE-2016-2185/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2185/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2185/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-2185/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-2185/ANY/1.patch.dupe b/Patches/Linux_CVEs/CVE-2016-2185/ANY/1.patch.dupe deleted file mode 100644 index 9cf00e3d..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2185/ANY/1.patch.dupe +++ /dev/null 
@@ -1,109 +0,0 @@ -From 37735ed2c8c12e9671a3742d6b9028bad43852df Mon Sep 17 00:00:00 2001 -From: Vladis Dronov -Date: Wed, 23 Mar 2016 11:53:46 -0700 -Subject: [PATCH] Input: ati_remote2 - fix crashes on detecting device with - invalid descriptor - -[ Upstream commit 950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d ] - -The ati_remote2 driver expects at least two interfaces with one -endpoint each. If given malicious descriptor that specify one -interface or no endpoints, it will crash in the probe function. -Ensure there is at least two interfaces and one endpoint for each -interface before using it. - -The full disclosure: http://seclists.org/bugtraq/2016/Mar/90 - -Reported-by: Ralf Spenneberg -Signed-off-by: Vladis Dronov -Cc: stable@vger.kernel.org -Signed-off-by: Dmitry Torokhov -Signed-off-by: Sasha Levin ---- - drivers/input/misc/ati_remote2.c | 36 ++++++++++++++++++++++++++++++------ - 1 file changed, 30 insertions(+), 6 deletions(-) - -diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c -index f63341f20b91a..e8c6a4842e91c 100644 ---- a/drivers/input/misc/ati_remote2.c -+++ b/drivers/input/misc/ati_remote2.c -@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d - - ar2->udev = udev; - -+ /* Sanity check, first interface must have an endpoint */ -+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) { -+ dev_err(&interface->dev, -+ "%s(): interface 0 must have an endpoint\n", __func__); -+ r = -ENODEV; -+ goto fail1; -+ } - ar2->intf[0] = interface; - ar2->ep[0] = &alt->endpoint[0].desc; - -+ /* Sanity check, the device must have two interfaces */ - ar2->intf[1] = usb_ifnum_to_if(udev, 1); -+ if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) { -+ dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n", -+ __func__, udev->actconfig->desc.bNumInterfaces); -+ r = -ENODEV; -+ goto fail1; -+ } -+ - r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2); - 
if (r) - goto fail1; -+ -+ /* Sanity check, second interface must have an endpoint */ - alt = ar2->intf[1]->cur_altsetting; -+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) { -+ dev_err(&interface->dev, -+ "%s(): interface 1 must have an endpoint\n", __func__); -+ r = -ENODEV; -+ goto fail2; -+ } - ar2->ep[1] = &alt->endpoint[0].desc; - - r = ati_remote2_urb_init(ar2); - if (r) -- goto fail2; -+ goto fail3; - - ar2->channel_mask = channel_mask; - ar2->mode_mask = mode_mask; - - r = ati_remote2_setup(ar2, ar2->channel_mask); - if (r) -- goto fail2; -+ goto fail3; - - usb_make_path(udev, ar2->phys, sizeof(ar2->phys)); - strlcat(ar2->phys, "/input0", sizeof(ar2->phys)); -@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d - - r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group); - if (r) -- goto fail2; -+ goto fail3; - - r = ati_remote2_input_init(ar2); - if (r) -- goto fail3; -+ goto fail4; - - usb_set_intfdata(interface, ar2); - -@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface *interface, const struct usb_d - - return 0; - -- fail3: -+ fail4: - sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group); -- fail2: -+ fail3: - ati_remote2_urb_cleanup(ar2); -+ fail2: - usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]); - fail1: - kfree(ar2); diff --git a/Patches/Linux_CVEs/CVE-2016-2186/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2186/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2186/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-2186/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-2186/ANY/1.patch.dupe b/Patches/Linux_CVEs/CVE-2016-2186/ANY/1.patch.dupe deleted file mode 100644 index e0bca0ae..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2186/ANY/1.patch.dupe +++ /dev/null 
@@ -1,38 +0,0 @@ -From b684cb33d6867e10ba45375a12ef9f3ceb6f0aa7 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Mon, 14 Mar 2016 09:33:40 -0700 -Subject: [PATCH] Input: powermate - fix oops with malicious USB descriptors - -[ Upstream commit 9c6ba456711687b794dcf285856fc14e2c76074f ] - -The powermate driver expects at least one valid USB endpoint in its -probe function. If given malicious descriptors that specify 0 for -the number of endpoints, it will crash. Validate the number of -endpoints on the interface before using them. - -The full report for this issue can be found here: -http://seclists.org/bugtraq/2016/Mar/85 - -Reported-by: Ralf Spenneberg -Cc: stable -Signed-off-by: Josh Boyer -Signed-off-by: Dmitry Torokhov -Signed-off-by: Sasha Levin ---- - drivers/input/misc/powermate.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c -index 63b539d3dabae..84909a12ff36c 100644 ---- a/drivers/input/misc/powermate.c -+++ b/drivers/input/misc/powermate.c -@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i - int error = -ENOMEM; - - interface = intf->cur_altsetting; -+ if (interface->desc.bNumEndpoints < 1) -+ return -EINVAL; -+ - endpoint = &interface->endpoint[0].desc; - if (!usb_endpoint_is_int_in(endpoint)) - return -EIO; diff --git a/Patches/Linux_CVEs/CVE-2016-2187/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2187/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2187/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-2187/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-2187/ANY/1.patch.dupe b/Patches/Linux_CVEs/CVE-2016-2187/ANY/1.patch.dupe deleted file mode 100644 index 72d5fe93..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2187/ANY/1.patch.dupe +++ /dev/null 
@@ -1,59 +0,0 @@ -From adaad9d866105bcb8f87293a0a675f573a39129d Mon Sep 17 00:00:00 2001 -From: Vladis Dronov -Date: Thu, 31 Mar 2016 10:53:42 -0700 -Subject: Input: gtco - fix crash on detecting device without endpoints - -commit 162f98dea487206d9ab79fc12ed64700667a894d upstream. - -The gtco driver expects at least one valid endpoint. If given malicious -descriptors that specify 0 for the number of endpoints, it will crash in -the probe function. Ensure there is at least one endpoint on the interface -before using it. - -Also let's fix a minor coding style issue. - -The full correct report of this issue can be found in the public -Red Hat Bugzilla: - -https://bugzilla.redhat.com/show_bug.cgi?id=1283385 - -Reported-by: Ralf Spenneberg -Signed-off-by: Vladis Dronov -Cc: stable@vger.kernel.org -Signed-off-by: Dmitry Torokhov -Signed-off-by: Willy Tarreau ---- - drivers/input/tablet/gtco.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c -index 29e01ab..a9f8f92 100644 ---- a/drivers/input/tablet/gtco.c -+++ b/drivers/input/tablet/gtco.c -@@ -869,6 +869,14 @@ static int gtco_probe(struct usb_interface *usbinterface, - goto err_free_buf; - } - -+ /* Sanity check that a device has an endpoint */ -+ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) { -+ dev_err(&usbinterface->dev, -+ "Invalid number of endpoints\n"); -+ error = -EINVAL; -+ goto err_free_urb; -+ } -+ - /* - * The endpoint is always altsetting 0, we know this since we know - * this device only has one interrupt endpoint -@@ -890,7 +898,7 @@ static int gtco_probe(struct usb_interface *usbinterface, - * HID report descriptor - */ - if (usb_get_extra_descriptor(usbinterface->cur_altsetting, -- HID_DEVICE_TYPE, &hid_desc) != 0){ -+ HID_DEVICE_TYPE, &hid_desc) != 0) { - dev_err(&usbinterface->dev, - "Can't retrieve exta USB descriptor to get hid report descriptor length\n"); - error = -EIO; --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-2188/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2188/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2188/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-2188/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-2188/ANY/2.patch b/Patches/Linux_CVEs/CVE-2016-2188/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2188/ANY/2.patch rename to Patches/Linux_CVEs/CVE-2016-2188/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-2188/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-2188/ANY/1.patch deleted file mode 100644 index 12c35b6b..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2188/ANY/1.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 2fac1c275bbea560d607f2e52d23c4f92dccc12f Mon Sep 17 00:00:00 2001 -From: Badhri Jagan Sridharan -Date: Tue, 30 Aug 2016 13:37:07 -0700 -Subject: UPSTREAM: USB: iowarrior: fix oops with malicious USB descriptors - -commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream. - -The iowarrior driver expects at least one valid endpoint. If given -malicious descriptors that specify 0 for the number of endpoints, -it will crash in the probe function. Ensure there is at least -one endpoint on the interface before using it. - -The full report of this issue can be found here: -http://seclists.org/bugtraq/2016/Mar/87 - -BUG: 28242610 - -Reported-by: Ralf Spenneberg -Signed-off-by: Josh Boyer -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Badhri Jagan Sridharan -Change-Id: If5161c23928e9ef77cb3359cba9b36622b1908df ---- - drivers/usb/misc/iowarrior.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c -index d36f34e..4c24ba0 100644 ---- a/drivers/usb/misc/iowarrior.c -+++ b/drivers/usb/misc/iowarrior.c -@@ -792,6 +792,12 @@ static int iowarrior_probe(struct usb_interface *interface, - iface_desc = interface->cur_altsetting; - dev->product_id = le16_to_cpu(udev->descriptor.idProduct); - -+ if (iface_desc->desc.bNumEndpoints < 1) { -+ dev_err(&interface->dev, "Invalid number of endpoints\n"); -+ retval = -EINVAL; -+ goto error; -+ } -+ - /* set up the endpoint information */ - for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { - endpoint = &iface_desc->endpoint[i].desc; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-2384/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2384/^4.5/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2384/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-2384/^4.5/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-2411/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2411/ANY/0001.patch new file mode 100644 index 00000000..24611568 
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-2411/ANY/0001.patch
@@ -0,0 +1,49 @@
+From 43e6938f37be0386fff4117e8aefff9be49bfe8a Mon Sep 17 00:00:00 2001
+From: Mahesh Sivasubramanian
+Date: Wed, 17 Feb 2016 14:36:32 -0700
+Subject: msm: thermal: Add range checking for cluster_id
+
+The cluster id flag is passed in from the userspace through ioctl
+interface. Ensure correctness of cluster id to avoid out of bounds array
+accesses.
+
+CRS-fixed: 977508
+Change-Id: I778b962d347b90488b983a15087b13e90ad06688
+Signed-off-by: Mahesh Sivasubramanian
+---
+ drivers/thermal/msm_thermal-dev.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/msm_thermal-dev.c b/drivers/thermal/msm_thermal-dev.c
+index e1032bc..e6af6b8 100644
+--- a/drivers/thermal/msm_thermal-dev.c
++++ b/drivers/thermal/msm_thermal-dev.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -114,6 +114,9 @@ static long msm_thermal_process_freq_table_req(struct msm_thermal_ioctl *query,
+ uint32_t table_idx, idx = 0, cluster_id = query->clock_freq.cluster_num;
+ struct clock_plan_arg *clock_freq = &(query->clock_freq);
+
++ if (cluster_id >= num_possible_cpus())
++ return -EINVAL;
++
+ if (!freq_table_len[cluster_id]) {
+ ret = msm_thermal_get_freq_plan_size(cluster_id,
+ &freq_table_len[cluster_id]);
+@@ -200,6 +203,9 @@ static long msm_thermal_process_voltage_table_req(
+ uint32_t cluster_id = query->voltage.cluster_num;
+ struct voltage_plan_arg *voltage = &(query->voltage);
+
++ if (cluster_id >= num_possible_cpus())
++ return -EINVAL;
++
+ if (!voltage_table_ptr[cluster_id]) {
+ if (!freq_table_len[cluster_id]) {
+ ret = msm_thermal_get_freq_plan_size(cluster_id,
+--
+cgit v1.1
+
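Review bot: Both added checks bound `cluster_id` by `num_possible_cpus()`, but the value indexes `freq_table_len[]` and `voltage_table_ptr[]`, whose declarations are outside these hunks, so it is not visible here that the CPU count is also the size of those arrays. If they are fixed-size arrays, comparing against the array itself is the bound that cannot drift: `if (cluster_id >= ARRAY_SIZE(freq_table_len)) return -EINVAL;`. If they are allocated per cluster, the bound should be the cluster count used at allocation time. A short comment such as `/* cluster_num comes from the ioctl argument */` above each check would record why it is there; both functions continue outside the hunks.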
diff --git a/Patches/Linux_CVEs/CVE-2016-2438/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2438/ANY/0001.patch new file mode 100644 index 00000000..b317ec29 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2438/ANY/0001.patch 
@@ -0,0 +1,98 @@
+From b5a663aa426f4884c71cd8580adae73f33570f0d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 14 Jan 2016 16:30:58 +0100
+Subject: [PATCH] ALSA: timer: Harden slave timer list handling
+
+A slave timer instance might be still accessible in a racy way while
+operating the master instance as it lacks of locking. Since the
+master operation is mostly protected with timer->lock, we should cope
+with it while changing the slave instance, too. Also, some linked
+lists (active_list and ack_list) of slave instances aren't unlinked
+immediately at stopping or closing, and this may lead to unexpected
+accesses.
+
+This patch tries to address these issues. It adds spin lock of
+timer->lock (either from master or slave, which is equivalent) in a
+few places. For avoiding a deadlock, we ensure that the global
+slave_active_lock is always locked at first before each timer lock.
+
+Also, ack and active_list of slave instances are properly unlinked at
+snd_timer_stop() and snd_timer_close().
+
+Last but not least, remove the superfluous call of _snd_timer_stop()
+at removing slave links. This is a noop, and calling it may confuse
+readers wrt locking. Further cleanup will follow in a later patch.
+
+Actually we've got reports of use-after-free by syzkaller fuzzer, and
+this hopefully fixes these issues.
+
+Reported-by: Dmitry Vyukov
+Cc:
+Signed-off-by: Takashi Iwai
+---
+ sound/core/timer.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/sound/core/timer.c b/sound/core/timer.c
+index 3810ee8f12051..4e8d7bfffff6b 100644
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -215,11 +215,13 @@ static void snd_timer_check_master(struct snd_timer_instance *master)
+ slave->slave_id == master->slave_id) {
+ list_move_tail(&slave->open_list, &master->slave_list_head);
+ spin_lock_irq(&slave_active_lock);
++ spin_lock(&master->timer->lock);
+ slave->master = master;
+ slave->timer = master->timer;
+ if (slave->flags & SNDRV_TIMER_IFLG_RUNNING)
+ list_add_tail(&slave->active_list,
+ &master->slave_active_head);
++ spin_unlock(&master->timer->lock);
+ spin_unlock_irq(&slave_active_lock);
+ }
+ }
+@@ -346,15 +348,18 @@ int snd_timer_close(struct snd_timer_instance *timeri)
+ timer->hw.close)
+ timer->hw.close(timer);
+ /* remove slave links */
++ spin_lock_irq(&slave_active_lock);
++ spin_lock(&timer->lock);
+ list_for_each_entry_safe(slave, tmp, &timeri->slave_list_head,
+ open_list) {
+- spin_lock_irq(&slave_active_lock);
+- _snd_timer_stop(slave, 1, SNDRV_TIMER_EVENT_RESOLUTION);
+ list_move_tail(&slave->open_list, &snd_timer_slave_list);
+ slave->master = NULL;
+ slave->timer = NULL;
+- spin_unlock_irq(&slave_active_lock);
++ list_del_init(&slave->ack_list);
++ list_del_init(&slave->active_list);
+ }
++ spin_unlock(&timer->lock);
++ spin_unlock_irq(&slave_active_lock);
+ mutex_unlock(®ister_mutex);
+ }
+ out:
+@@ -441,9 +446,12 @@ static int snd_timer_start_slave(struct snd_timer_instance *timeri)
+
+ spin_lock_irqsave(&slave_active_lock, flags);
+ timeri->flags |= SNDRV_TIMER_IFLG_RUNNING;
+- if (timeri->master)
++ if (timeri->master && timeri->timer) {
++ spin_lock(&timeri->timer->lock);
+ list_add_tail(&timeri->active_list,
+ &timeri->master->slave_active_head);
++ spin_unlock(&timeri->timer->lock);
++ }
+ spin_unlock_irqrestore(&slave_active_lock, flags);
+ return 1; /* delayed start */
+ }
+@@ -489,6 +497,8 @@ static int _snd_timer_stop(struct snd_timer_instance * timeri,
+ if (!keep_flag) {
+ spin_lock_irqsave(&slave_active_lock, flags);
+ timeri->flags &= ~SNDRV_TIMER_IFLG_RUNNING;
++ list_del_init(&timeri->ack_list);
++ list_del_init(&timeri->active_list);
+ spin_unlock_irqrestore(&slave_active_lock, flags);
+ }
+ goto __end;
diff --git a/Patches/Linux_CVEs/CVE-2016-2441/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2441/ANY/0001.patch
new file mode 100644
index 00000000..ababce7e
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-2441/ANY/0001.patch
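Review bot: In the `_snd_timer_stop()` hunk of the CVE-2016-2438 patch, the two added `list_del_init()` calls unlink the slave from ack_list and active_list while holding only slave_active_lock, whereas the other hunks of the same patch (snd_timer_check_master, snd_timer_close, snd_timer_start_slave) take the timer lock around the same lists. If the master's interrupt path walks those lists under timer->lock alone, which is not visible in these hunks, the unlink can still race with it. I would mirror snd_timer_start_slave here: `if (timeri->timer) spin_lock(&timeri->timer->lock);` before the two list_del_init() lines, with the matching `spin_unlock()` after them. `_snd_timer_stop()` starts and ends outside the hunk.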
@@ -0,0 +1,605 @@ +From 6fb29c4773f632b7b6c31a8de56f55c32de3d350 Mon Sep 17 00:00:00 2001 +From: Kiran Gunda +Date: Mon, 29 Feb 2016 13:27:50 +0530 +Subject: msm: msm_bus: remove the buspm module from kernel + +Remove the buspm module from msm_bus since it adds +no functionality to the bus bandwidth aggregation +driver. It is a loadable module used for profiling +purposes. + +Change-Id: Ia0d21eb7e48d3cb2a74d4fae5ee4fb2fd449ea9f +Signed-off-by: Kiran Gunda +--- + arch/arm/configs/msm8909_defconfig | 1 - + arch/arm/configs/msm8909w-perf_defconfig | 1 - + arch/arm/configs/msm8909w_defconfig | 1 - + arch/arm/configs/msm8937-perf_defconfig | 1 - + arch/arm/configs/msm8937_defconfig | 1 - + arch/arm/configs/msmcortex-perf_defconfig | 1 - + arch/arm/configs/msmcortex_defconfig | 1 - + arch/arm64/configs/msm-perf_defconfig | 1 - + arch/arm64/configs/msm8937-perf_defconfig | 1 - + arch/arm64/configs/msm8937_defconfig | 1 - + arch/arm64/configs/msm_defconfig | 1 - + arch/arm64/configs/msmcortex-perf_defconfig | 1 - + arch/arm64/configs/msmcortex_defconfig | 1 - + drivers/platform/msm/Kconfig | 9 - + drivers/platform/msm/msm_bus/Makefile | 1 - + drivers/platform/msm/msm_bus/msm-buspm-dev.c | 368 --------------------- + .../msm/msm_bus/msm_buspm_coresight_adhoc.c | 1 + + 17 files changed, 1 insertion(+), 391 deletions(-) + +diff --git a/arch/arm/configs/msm8909_defconfig b/arch/arm/configs/msm8909_defconfig +index a8ab18c..e2621aa 100644 +--- a/arch/arm/configs/msm8909_defconfig ++++ b/arch/arm/configs/msm8909_defconfig +@@ -383,7 +383,6 @@ CONFIG_ANDROID_LOW_MEMORY_KILLER=y + CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_REVID=y + CONFIG_SPS=y +diff --git a/arch/arm/configs/msm8909w-perf_defconfig b/arch/arm/configs/msm8909w-perf_defconfig +index e6a2585..435f97e 100644 +--- a/arch/arm/configs/msm8909w-perf_defconfig ++++ b/arch/arm/configs/msm8909w-perf_defconfig +@@ -407,7 +407,6 @@ 
CONFIG_ANDROID_LOW_MEMORY_KILLER=y + CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm/configs/msm8909w_defconfig b/arch/arm/configs/msm8909w_defconfig +index 7e4d0308d..2a8c354 100644 +--- a/arch/arm/configs/msm8909w_defconfig ++++ b/arch/arm/configs/msm8909w_defconfig +@@ -409,7 +409,6 @@ CONFIG_ANDROID_LOW_MEMORY_KILLER=y + CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm/configs/msm8937-perf_defconfig b/arch/arm/configs/msm8937-perf_defconfig +index fd0c4e9..48c10c8 100644 +--- a/arch/arm/configs/msm8937-perf_defconfig ++++ b/arch/arm/configs/msm8937-perf_defconfig +@@ -471,7 +471,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm/configs/msm8937_defconfig b/arch/arm/configs/msm8937_defconfig +index 0c3e1d1..0d89f31 100644 +--- a/arch/arm/configs/msm8937_defconfig ++++ b/arch/arm/configs/msm8937_defconfig +@@ -478,7 +478,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm/configs/msmcortex-perf_defconfig b/arch/arm/configs/msmcortex-perf_defconfig +index f41e11d..be65d54 100644 +--- a/arch/arm/configs/msmcortex-perf_defconfig ++++ b/arch/arm/configs/msmcortex-perf_defconfig +@@ -474,7 +474,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm/configs/msmcortex_defconfig b/arch/arm/configs/msmcortex_defconfig +index 
3306d6c..c58a80a 100644 +--- a/arch/arm/configs/msmcortex_defconfig ++++ b/arch/arm/configs/msmcortex_defconfig +@@ -475,7 +475,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm64/configs/msm-perf_defconfig b/arch/arm64/configs/msm-perf_defconfig +index c2c0232..05efc6f 100644 +--- a/arch/arm64/configs/msm-perf_defconfig ++++ b/arch/arm64/configs/msm-perf_defconfig +@@ -479,7 +479,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm64/configs/msm8937-perf_defconfig b/arch/arm64/configs/msm8937-perf_defconfig +index c697e1f..e10acc8 100644 +--- a/arch/arm64/configs/msm8937-perf_defconfig ++++ b/arch/arm64/configs/msm8937-perf_defconfig +@@ -484,7 +484,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm64/configs/msm8937_defconfig b/arch/arm64/configs/msm8937_defconfig +index b05e721c..3342d55 100644 +--- a/arch/arm64/configs/msm8937_defconfig ++++ b/arch/arm64/configs/msm8937_defconfig +@@ -488,7 +488,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm64/configs/msm_defconfig b/arch/arm64/configs/msm_defconfig +index 3d907ce..7054eb2 100644 +--- a/arch/arm64/configs/msm_defconfig ++++ b/arch/arm64/configs/msm_defconfig +@@ -485,7 +485,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_DEBUG_BUS_VOTER=y + CONFIG_QPNP_POWER_ON=y +diff --git 
a/arch/arm64/configs/msmcortex-perf_defconfig b/arch/arm64/configs/msmcortex-perf_defconfig +index b3292ed..d0b9681 100644 +--- a/arch/arm64/configs/msmcortex-perf_defconfig ++++ b/arch/arm64/configs/msmcortex-perf_defconfig +@@ -487,7 +487,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm64/configs/msmcortex_defconfig b/arch/arm64/configs/msmcortex_defconfig +index a0176f1..8d449f9 100644 +--- a/arch/arm64/configs/msmcortex_defconfig ++++ b/arch/arm64/configs/msmcortex_defconfig +@@ -491,7 +491,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/drivers/platform/msm/Kconfig b/drivers/platform/msm/Kconfig +index d1fabe1..b0a9a54 100644 +--- a/drivers/platform/msm/Kconfig ++++ b/drivers/platform/msm/Kconfig +@@ -16,15 +16,6 @@ config MSM_BUS_SCALING + for the active devices needs without keeping the clocks at max + frequency when a slower speed is sufficient. + +-config MSM_BUSPM_DEV +- tristate "MSM Bus Performance Monitor Kernel Module" +- depends on MSM_BUS_SCALING +- help +- This kernel module is used to mmap() hardware registers for the +- performance monitors, counters, etc. 
The module can also be used to +- allocate physical memory which is used by bus performance hardware to +- dump performance data +- + config BUS_TOPOLOGY_ADHOC + bool "ad-hoc bus scaling topology" + help +diff --git a/drivers/platform/msm/msm_bus/Makefile b/drivers/platform/msm/msm_bus/Makefile +index fec4537..a58994d 100644 +--- a/drivers/platform/msm/msm_bus/Makefile ++++ b/drivers/platform/msm/msm_bus/Makefile +@@ -24,4 +24,3 @@ endif + + + obj-$(CONFIG_DEBUG_FS) += msm_bus_dbg.o +-obj-$(CONFIG_MSM_BUSPM_DEV) += msm-buspm-dev.o +diff --git a/drivers/platform/msm/msm_bus/msm-buspm-dev.c b/drivers/platform/msm/msm_bus/msm-buspm-dev.c +index 4d9262b..e69de29 100644 +--- a/drivers/platform/msm/msm_bus/msm-buspm-dev.c ++++ b/drivers/platform/msm/msm_bus/msm-buspm-dev.c +@@ -1,368 +0,0 @@ +-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved. +- * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License version 2 and +- * only version 2 as published by the Free Software Foundation. +- * +- * This program is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. 
+- */ +- +-/* #define DEBUG */ +- +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +- +-#define MSM_BUSPM_DRV_NAME "msm-buspm-dev" +- +-#ifdef CONFIG_COMPAT +-static long +-msm_buspm_dev_compat_ioctl(struct file *filp, unsigned int cmd, +- unsigned long arg); +-#else +-#define msm_buspm_dev_compat_ioctl NULL +-#endif +- +-static long +-msm_buspm_dev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg); +-static int msm_buspm_dev_mmap(struct file *filp, struct vm_area_struct *vma); +-static int msm_buspm_dev_release(struct inode *inode, struct file *filp); +-static int msm_buspm_dev_open(struct inode *inode, struct file *filp); +- +-static const struct file_operations msm_buspm_dev_fops = { +- .owner = THIS_MODULE, +- .mmap = msm_buspm_dev_mmap, +- .open = msm_buspm_dev_open, +- .unlocked_ioctl = msm_buspm_dev_ioctl, +- .compat_ioctl = msm_buspm_dev_compat_ioctl, +- .llseek = noop_llseek, +- .release = msm_buspm_dev_release, +-}; +- +-struct miscdevice msm_buspm_misc = { +- .minor = MISC_DYNAMIC_MINOR, +- .name = MSM_BUSPM_DRV_NAME, +- .fops = &msm_buspm_dev_fops, +-}; +- +- +-enum msm_buspm_spdm_res { +- SPDM_RES_ID = 0, +- SPDM_RES_TYPE = 0x63707362, +- SPDM_KEY = 0x00006e65, +- SPDM_SIZE = 4, +-}; +-/* +- * Allocate kernel buffer. +- * Currently limited to one buffer per file descriptor. If alloc() is +- * called twice for the same descriptor, the original buffer is freed. +- * There is also no locking protection so the same descriptor can not be shared. +- */ +- +-static inline void *msm_buspm_dev_get_vaddr(struct file *filp) +-{ +- struct msm_buspm_map_dev *dev = filp->private_data; +- +- return (dev) ? dev->vaddr : NULL; +-} +- +-static inline unsigned int msm_buspm_dev_get_buflen(struct file *filp) +-{ +- struct msm_buspm_map_dev *dev = filp->private_data; +- +- return dev ? 
dev->buflen : 0; +-} +- +-static inline unsigned long msm_buspm_dev_get_paddr(struct file *filp) +-{ +- struct msm_buspm_map_dev *dev = filp->private_data; +- +- return (dev) ? dev->paddr : 0L; +-} +- +-static void msm_buspm_dev_free(struct file *filp) +-{ +- struct msm_buspm_map_dev *dev = filp->private_data; +- +- if (dev && dev->vaddr) { +- pr_debug("freeing memory at 0x%p\n", dev->vaddr); +- dma_free_coherent(msm_buspm_misc.this_device, dev->buflen, +- dev->vaddr, dev->paddr); +- dev->paddr = 0L; +- dev->vaddr = NULL; +- } +-} +- +-static int msm_buspm_dev_open(struct inode *inode, struct file *filp) +-{ +- struct msm_buspm_map_dev *dev; +- +- if (capable(CAP_SYS_ADMIN)) { +- dev = kzalloc(sizeof(*dev), GFP_KERNEL); +- if (dev) +- filp->private_data = dev; +- else +- return -ENOMEM; +- } else { +- return -EPERM; +- } +- +- return 0; +-} +- +-static int +-msm_buspm_dev_alloc(struct file *filp, struct buspm_alloc_params data) +-{ +- dma_addr_t paddr; +- void *vaddr; +- struct msm_buspm_map_dev *dev = filp->private_data; +- +- /* If buffer already allocated, then free it */ +- if (dev->vaddr) +- msm_buspm_dev_free(filp); +- +- /* Allocate uncached memory */ +- vaddr = dma_alloc_coherent(msm_buspm_misc.this_device, data.size, +- &paddr, GFP_KERNEL); +- +- if (vaddr == NULL) { +- pr_err("allocation of 0x%zu bytes failed", data.size); +- return -ENOMEM; +- } +- +- dev->vaddr = vaddr; +- dev->paddr = paddr; +- dev->buflen = data.size; +- filp->f_pos = 0; +- pr_debug("virt addr = 0x%p\n", dev->vaddr); +- pr_debug("phys addr = 0x%lx\n", dev->paddr); +- +- return 0; +-} +- +-static int msm_bus_rpm_req(u32 rsc_type, u32 key, u32 hwid, +- int ctx, u32 val) +-{ +- struct msm_rpm_request *rpm_req; +- int ret, msg_id; +- +- rpm_req = msm_rpm_create_request(ctx, rsc_type, SPDM_RES_ID, 1); +- if (rpm_req == NULL) { +- pr_err("RPM: Couldn't create RPM Request\n"); +- return -ENXIO; +- } +- +- ret = msm_rpm_add_kvp_data(rpm_req, key, (const uint8_t *)&val, +- 
(int)(sizeof(uint32_t))); +- if (ret) { +- pr_err("RPM: Add KVP failed for RPM Req:%u\n", +- rsc_type); +- goto err; +- } +- +- pr_debug("Added Key: %d, Val: %u, size: %zu\n", key, +- (uint32_t)val, sizeof(uint32_t)); +- msg_id = msm_rpm_send_request(rpm_req); +- if (!msg_id) { +- pr_err("RPM: No message ID for req\n"); +- ret = -ENXIO; +- goto err; +- } +- +- ret = msm_rpm_wait_for_ack(msg_id); +- if (ret) { +- pr_err("RPM: Ack failed\n"); +- goto err; +- } +- +-err: +- msm_rpm_free_request(rpm_req); +- return ret; +-} +- +-static int msm_buspm_ioc_cmds(uint32_t arg) +-{ +- switch (arg) { +- case MSM_BUSPM_SPDM_CLK_DIS: +- case MSM_BUSPM_SPDM_CLK_EN: +- return msm_bus_rpm_req(SPDM_RES_TYPE, SPDM_KEY, 0, +- MSM_RPM_CTX_ACTIVE_SET, arg); +- default: +- pr_warn("Unsupported ioctl command: %d\n", arg); +- return -EINVAL; +- } +-} +- +- +- +-static long +-msm_buspm_dev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) +-{ +- struct buspm_xfer_req xfer; +- struct buspm_alloc_params alloc_data; +- unsigned long paddr; +- int retval = 0; +- void *buf = msm_buspm_dev_get_vaddr(filp); +- unsigned int buflen = msm_buspm_dev_get_buflen(filp); +- unsigned char *dbgbuf = buf; +- +- if (_IOC_TYPE(cmd) != MSM_BUSPM_IOC_MAGIC) { +- pr_err("Wrong IOC_MAGIC.Exiting\n"); +- return -ENOTTY; +- } +- +- switch (cmd) { +- case MSM_BUSPM_IOC_FREE: +- pr_debug("cmd = 0x%x (FREE)\n", cmd); +- msm_buspm_dev_free(filp); +- break; +- +- case MSM_BUSPM_IOC_ALLOC: +- pr_debug("cmd = 0x%x (ALLOC)\n", cmd); +- retval = __get_user(alloc_data.size, (uint32_t __user *)arg); +- +- if (retval == 0) +- retval = msm_buspm_dev_alloc(filp, alloc_data); +- break; +- +- case MSM_BUSPM_IOC_RD_PHYS_ADDR: +- pr_debug("Read Physical Address\n"); +- paddr = msm_buspm_dev_get_paddr(filp); +- if (paddr == 0L) { +- retval = -EINVAL; +- } else { +- pr_debug("phys addr = 0x%lx\n", paddr); +- retval = __put_user(paddr, +- (unsigned long __user *)arg); +- } +- break; +- +- case MSM_BUSPM_IOC_RDBUF: +- if 
(!buf) { +- retval = -EINVAL; +- break; +- } +- +- pr_debug("Read Buffer: 0x%x%x%x%x\n", +- dbgbuf[0], dbgbuf[1], dbgbuf[2], dbgbuf[3]); +- +- if (copy_from_user(&xfer, (void __user *)arg, sizeof(xfer))) { +- retval = -EFAULT; +- break; +- } +- +- if ((xfer.size <= buflen) && +- (copy_to_user((void __user *)xfer.data, buf, +- xfer.size))) { +- retval = -EFAULT; +- break; +- } +- break; +- +- case MSM_BUSPM_IOC_WRBUF: +- pr_debug("Write Buffer\n"); +- +- if (!buf) { +- retval = -EINVAL; +- break; +- } +- +- if (copy_from_user(&xfer, (void __user *)arg, sizeof(xfer))) { +- retval = -EFAULT; +- break; +- } +- +- if ((buflen <= xfer.size) && +- (copy_from_user(buf, (void __user *)xfer.data, +- xfer.size))) { +- retval = -EFAULT; +- break; +- } +- break; +- +- case MSM_BUSPM_IOC_CMD: +- pr_debug("IOCTL command: cmd: %d arg: %lu\n", cmd, arg); +- retval = msm_buspm_ioc_cmds(arg); +- break; +- +- default: +- pr_debug("Unknown command 0x%x\n", cmd); +- retval = -EINVAL; +- break; +- } +- +- return retval; +-} +- +-static int msm_buspm_dev_release(struct inode *inode, struct file *filp) +-{ +- struct msm_buspm_map_dev *dev = filp->private_data; +- +- msm_buspm_dev_free(filp); +- kfree(dev); +- filp->private_data = NULL; +- +- return 0; +-} +- +-static int msm_buspm_dev_mmap(struct file *filp, struct vm_area_struct *vma) +-{ +- pr_debug("vma = 0x%p\n", vma); +- +- /* Mappings are uncached */ +- vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); +- if (remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff, +- vma->vm_end - vma->vm_start, vma->vm_page_prot)) +- return -EFAULT; +- +- return 0; +-} +- +-#ifdef CONFIG_COMPAT +-static long +-msm_buspm_dev_compat_ioctl(struct file *filp, unsigned int cmd, +- unsigned long arg) +-{ +- return msm_buspm_dev_ioctl(filp, cmd, (unsigned long)compat_ptr(arg)); +-} +-#endif +- +-static int __init msm_buspm_dev_init(void) +-{ +- int ret = 0; +- +- ret = misc_register(&msm_buspm_misc); +- if (ret < 0) { +- WARN_ON(1); +- return ret; +- } 
+- +- if (msm_buspm_misc.this_device->coherent_dma_mask == 0) +- msm_buspm_misc.this_device->coherent_dma_mask = +- DMA_BIT_MASK(32); +- +- return ret; +-} +- +-static void __exit msm_buspm_dev_exit(void) +-{ +- misc_deregister(&msm_buspm_misc); +-} +-module_init(msm_buspm_dev_init); +-module_exit(msm_buspm_dev_exit); +- +-MODULE_LICENSE("GPL v2"); +-MODULE_VERSION("1.0"); +-MODULE_ALIAS("platform:"MSM_BUSPM_DRV_NAME); +diff --git a/drivers/platform/msm/msm_bus/msm_buspm_coresight_adhoc.c b/drivers/platform/msm/msm_bus/msm_buspm_coresight_adhoc.c +index 9aec824..00b6e9a3 100644 +--- a/drivers/platform/msm/msm_bus/msm_buspm_coresight_adhoc.c ++++ b/drivers/platform/msm/msm_bus/msm_buspm_coresight_adhoc.c +@@ -135,6 +135,7 @@ int msmbus_coresight_init_adhoc(struct platform_device *pdev, + return PTR_ERR(pdata); + + drvdata = platform_get_drvdata(pdev); ++ dev_info(dev, "info: removed buspm module from kernel space\n"); + if (IS_ERR_OR_NULL(drvdata)) { + drvdata = devm_kzalloc(dev, sizeof(*drvdata), GFP_KERNEL); + if (!drvdata) { +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2442/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2442/ANY/0001.patch new file mode 100644 index 00000000..ababce7e --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2442/ANY/0001.patch 
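Review bot: This patch is filed under ANY, but thirteen of its seventeen file sections edit target-specific defconfigs (msm8909, msm8937, msmcortex, …), so on a kernel tree that lacks any one of them the patch as a whole will probably be rejected and the module stays buildable. The sections that actually remove the exposure are `drivers/platform/msm/Kconfig`, `msm_bus/Makefile` and `msm-buspm-dev.c`; the removed `msm_buspm_dev_mmap` passed the caller's `vma->vm_pgoff` straight to `remap_pfn_range` with no range check, which is presumably why the module was dropped. Consider carrying a trimmed variant limited to those three sections, or have the apply step confirm afterwards that `obj-$(CONFIG_MSM_BUSPM_DEV) += msm-buspm-dev.o` is gone from the Makefile. The CVE-2016-2442 copy that follows is the same blob (`ababce7e`), so whichever of the two is applied second will fail as already applied and should not be counted as a missing fix.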
@@ -0,0 +1,605 @@ +From 6fb29c4773f632b7b6c31a8de56f55c32de3d350 Mon Sep 17 00:00:00 2001 +From: Kiran Gunda +Date: Mon, 29 Feb 2016 13:27:50 +0530 +Subject: msm: msm_bus: remove the buspm module from kernel + +Remove the buspm module from msm_bus since it adds +no functionality to the bus bandwidth aggregation +driver. It is a loadable module used for profiling +purposes. + +Change-Id: Ia0d21eb7e48d3cb2a74d4fae5ee4fb2fd449ea9f +Signed-off-by: Kiran Gunda +--- + arch/arm/configs/msm8909_defconfig | 1 - + arch/arm/configs/msm8909w-perf_defconfig | 1 - + arch/arm/configs/msm8909w_defconfig | 1 - + arch/arm/configs/msm8937-perf_defconfig | 1 - + arch/arm/configs/msm8937_defconfig | 1 - + arch/arm/configs/msmcortex-perf_defconfig | 1 - + arch/arm/configs/msmcortex_defconfig | 1 - + arch/arm64/configs/msm-perf_defconfig | 1 - + arch/arm64/configs/msm8937-perf_defconfig | 1 - + arch/arm64/configs/msm8937_defconfig | 1 - + arch/arm64/configs/msm_defconfig | 1 - + arch/arm64/configs/msmcortex-perf_defconfig | 1 - + arch/arm64/configs/msmcortex_defconfig | 1 - + drivers/platform/msm/Kconfig | 9 - + drivers/platform/msm/msm_bus/Makefile | 1 - + drivers/platform/msm/msm_bus/msm-buspm-dev.c | 368 --------------------- + .../msm/msm_bus/msm_buspm_coresight_adhoc.c | 1 + + 17 files changed, 1 insertion(+), 391 deletions(-) + +diff --git a/arch/arm/configs/msm8909_defconfig b/arch/arm/configs/msm8909_defconfig +index a8ab18c..e2621aa 100644 +--- a/arch/arm/configs/msm8909_defconfig ++++ b/arch/arm/configs/msm8909_defconfig +@@ -383,7 +383,6 @@ CONFIG_ANDROID_LOW_MEMORY_KILLER=y + CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_REVID=y + CONFIG_SPS=y +diff --git a/arch/arm/configs/msm8909w-perf_defconfig b/arch/arm/configs/msm8909w-perf_defconfig +index e6a2585..435f97e 100644 +--- a/arch/arm/configs/msm8909w-perf_defconfig ++++ b/arch/arm/configs/msm8909w-perf_defconfig +@@ -407,7 +407,6 @@ 
CONFIG_ANDROID_LOW_MEMORY_KILLER=y + CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm/configs/msm8909w_defconfig b/arch/arm/configs/msm8909w_defconfig +index 7e4d0308d..2a8c354 100644 +--- a/arch/arm/configs/msm8909w_defconfig ++++ b/arch/arm/configs/msm8909w_defconfig +@@ -409,7 +409,6 @@ CONFIG_ANDROID_LOW_MEMORY_KILLER=y + CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm/configs/msm8937-perf_defconfig b/arch/arm/configs/msm8937-perf_defconfig +index fd0c4e9..48c10c8 100644 +--- a/arch/arm/configs/msm8937-perf_defconfig ++++ b/arch/arm/configs/msm8937-perf_defconfig +@@ -471,7 +471,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm/configs/msm8937_defconfig b/arch/arm/configs/msm8937_defconfig +index 0c3e1d1..0d89f31 100644 +--- a/arch/arm/configs/msm8937_defconfig ++++ b/arch/arm/configs/msm8937_defconfig +@@ -478,7 +478,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm/configs/msmcortex-perf_defconfig b/arch/arm/configs/msmcortex-perf_defconfig +index f41e11d..be65d54 100644 +--- a/arch/arm/configs/msmcortex-perf_defconfig ++++ b/arch/arm/configs/msmcortex-perf_defconfig +@@ -474,7 +474,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm/configs/msmcortex_defconfig b/arch/arm/configs/msmcortex_defconfig +index 
3306d6c..c58a80a 100644 +--- a/arch/arm/configs/msmcortex_defconfig ++++ b/arch/arm/configs/msmcortex_defconfig +@@ -475,7 +475,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm64/configs/msm-perf_defconfig b/arch/arm64/configs/msm-perf_defconfig +index c2c0232..05efc6f 100644 +--- a/arch/arm64/configs/msm-perf_defconfig ++++ b/arch/arm64/configs/msm-perf_defconfig +@@ -479,7 +479,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm64/configs/msm8937-perf_defconfig b/arch/arm64/configs/msm8937-perf_defconfig +index c697e1f..e10acc8 100644 +--- a/arch/arm64/configs/msm8937-perf_defconfig ++++ b/arch/arm64/configs/msm8937-perf_defconfig +@@ -484,7 +484,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm64/configs/msm8937_defconfig b/arch/arm64/configs/msm8937_defconfig +index b05e721c..3342d55 100644 +--- a/arch/arm64/configs/msm8937_defconfig ++++ b/arch/arm64/configs/msm8937_defconfig +@@ -488,7 +488,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm64/configs/msm_defconfig b/arch/arm64/configs/msm_defconfig +index 3d907ce..7054eb2 100644 +--- a/arch/arm64/configs/msm_defconfig ++++ b/arch/arm64/configs/msm_defconfig +@@ -485,7 +485,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_DEBUG_BUS_VOTER=y + CONFIG_QPNP_POWER_ON=y +diff --git 
a/arch/arm64/configs/msmcortex-perf_defconfig b/arch/arm64/configs/msmcortex-perf_defconfig +index b3292ed..d0b9681 100644 +--- a/arch/arm64/configs/msmcortex-perf_defconfig ++++ b/arch/arm64/configs/msmcortex-perf_defconfig +@@ -487,7 +487,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/arch/arm64/configs/msmcortex_defconfig b/arch/arm64/configs/msmcortex_defconfig +index a0176f1..8d449f9 100644 +--- a/arch/arm64/configs/msmcortex_defconfig ++++ b/arch/arm64/configs/msmcortex_defconfig +@@ -491,7 +491,6 @@ CONFIG_ION=y + CONFIG_ION_MSM=y + CONFIG_MSM_AVTIMER=y + CONFIG_MSM_BUS_SCALING=y +-CONFIG_MSM_BUSPM_DEV=m + CONFIG_BUS_TOPOLOGY_ADHOC=y + CONFIG_QPNP_POWER_ON=y + CONFIG_QPNP_REVID=y +diff --git a/drivers/platform/msm/Kconfig b/drivers/platform/msm/Kconfig +index d1fabe1..b0a9a54 100644 +--- a/drivers/platform/msm/Kconfig ++++ b/drivers/platform/msm/Kconfig +@@ -16,15 +16,6 @@ config MSM_BUS_SCALING + for the active devices needs without keeping the clocks at max + frequency when a slower speed is sufficient. + +-config MSM_BUSPM_DEV +- tristate "MSM Bus Performance Monitor Kernel Module" +- depends on MSM_BUS_SCALING +- help +- This kernel module is used to mmap() hardware registers for the +- performance monitors, counters, etc. 
The module can also be used to +- allocate physical memory which is used by bus performance hardware to +- dump performance data +- + config BUS_TOPOLOGY_ADHOC + bool "ad-hoc bus scaling topology" + help +diff --git a/drivers/platform/msm/msm_bus/Makefile b/drivers/platform/msm/msm_bus/Makefile +index fec4537..a58994d 100644 +--- a/drivers/platform/msm/msm_bus/Makefile ++++ b/drivers/platform/msm/msm_bus/Makefile +@@ -24,4 +24,3 @@ endif + + + obj-$(CONFIG_DEBUG_FS) += msm_bus_dbg.o +-obj-$(CONFIG_MSM_BUSPM_DEV) += msm-buspm-dev.o +diff --git a/drivers/platform/msm/msm_bus/msm-buspm-dev.c b/drivers/platform/msm/msm_bus/msm-buspm-dev.c +index 4d9262b..e69de29 100644 +--- a/drivers/platform/msm/msm_bus/msm-buspm-dev.c ++++ b/drivers/platform/msm/msm_bus/msm-buspm-dev.c +@@ -1,368 +0,0 @@ +-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved. +- * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License version 2 and +- * only version 2 as published by the Free Software Foundation. +- * +- * This program is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. 
+- */ +- +-/* #define DEBUG */ +- +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +-#include +- +-#define MSM_BUSPM_DRV_NAME "msm-buspm-dev" +- +-#ifdef CONFIG_COMPAT +-static long +-msm_buspm_dev_compat_ioctl(struct file *filp, unsigned int cmd, +- unsigned long arg); +-#else +-#define msm_buspm_dev_compat_ioctl NULL +-#endif +- +-static long +-msm_buspm_dev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg); +-static int msm_buspm_dev_mmap(struct file *filp, struct vm_area_struct *vma); +-static int msm_buspm_dev_release(struct inode *inode, struct file *filp); +-static int msm_buspm_dev_open(struct inode *inode, struct file *filp); +- +-static const struct file_operations msm_buspm_dev_fops = { +- .owner = THIS_MODULE, +- .mmap = msm_buspm_dev_mmap, +- .open = msm_buspm_dev_open, +- .unlocked_ioctl = msm_buspm_dev_ioctl, +- .compat_ioctl = msm_buspm_dev_compat_ioctl, +- .llseek = noop_llseek, +- .release = msm_buspm_dev_release, +-}; +- +-struct miscdevice msm_buspm_misc = { +- .minor = MISC_DYNAMIC_MINOR, +- .name = MSM_BUSPM_DRV_NAME, +- .fops = &msm_buspm_dev_fops, +-}; +- +- +-enum msm_buspm_spdm_res { +- SPDM_RES_ID = 0, +- SPDM_RES_TYPE = 0x63707362, +- SPDM_KEY = 0x00006e65, +- SPDM_SIZE = 4, +-}; +-/* +- * Allocate kernel buffer. +- * Currently limited to one buffer per file descriptor. If alloc() is +- * called twice for the same descriptor, the original buffer is freed. +- * There is also no locking protection so the same descriptor can not be shared. +- */ +- +-static inline void *msm_buspm_dev_get_vaddr(struct file *filp) +-{ +- struct msm_buspm_map_dev *dev = filp->private_data; +- +- return (dev) ? dev->vaddr : NULL; +-} +- +-static inline unsigned int msm_buspm_dev_get_buflen(struct file *filp) +-{ +- struct msm_buspm_map_dev *dev = filp->private_data; +- +- return dev ? 
dev->buflen : 0; +-} +- +-static inline unsigned long msm_buspm_dev_get_paddr(struct file *filp) +-{ +- struct msm_buspm_map_dev *dev = filp->private_data; +- +- return (dev) ? dev->paddr : 0L; +-} +- +-static void msm_buspm_dev_free(struct file *filp) +-{ +- struct msm_buspm_map_dev *dev = filp->private_data; +- +- if (dev && dev->vaddr) { +- pr_debug("freeing memory at 0x%p\n", dev->vaddr); +- dma_free_coherent(msm_buspm_misc.this_device, dev->buflen, +- dev->vaddr, dev->paddr); +- dev->paddr = 0L; +- dev->vaddr = NULL; +- } +-} +- +-static int msm_buspm_dev_open(struct inode *inode, struct file *filp) +-{ +- struct msm_buspm_map_dev *dev; +- +- if (capable(CAP_SYS_ADMIN)) { +- dev = kzalloc(sizeof(*dev), GFP_KERNEL); +- if (dev) +- filp->private_data = dev; +- else +- return -ENOMEM; +- } else { +- return -EPERM; +- } +- +- return 0; +-} +- +-static int +-msm_buspm_dev_alloc(struct file *filp, struct buspm_alloc_params data) +-{ +- dma_addr_t paddr; +- void *vaddr; +- struct msm_buspm_map_dev *dev = filp->private_data; +- +- /* If buffer already allocated, then free it */ +- if (dev->vaddr) +- msm_buspm_dev_free(filp); +- +- /* Allocate uncached memory */ +- vaddr = dma_alloc_coherent(msm_buspm_misc.this_device, data.size, +- &paddr, GFP_KERNEL); +- +- if (vaddr == NULL) { +- pr_err("allocation of 0x%zu bytes failed", data.size); +- return -ENOMEM; +- } +- +- dev->vaddr = vaddr; +- dev->paddr = paddr; +- dev->buflen = data.size; +- filp->f_pos = 0; +- pr_debug("virt addr = 0x%p\n", dev->vaddr); +- pr_debug("phys addr = 0x%lx\n", dev->paddr); +- +- return 0; +-} +- +-static int msm_bus_rpm_req(u32 rsc_type, u32 key, u32 hwid, +- int ctx, u32 val) +-{ +- struct msm_rpm_request *rpm_req; +- int ret, msg_id; +- +- rpm_req = msm_rpm_create_request(ctx, rsc_type, SPDM_RES_ID, 1); +- if (rpm_req == NULL) { +- pr_err("RPM: Couldn't create RPM Request\n"); +- return -ENXIO; +- } +- +- ret = msm_rpm_add_kvp_data(rpm_req, key, (const uint8_t *)&val, +- 
(int)(sizeof(uint32_t))); +- if (ret) { +- pr_err("RPM: Add KVP failed for RPM Req:%u\n", +- rsc_type); +- goto err; +- } +- +- pr_debug("Added Key: %d, Val: %u, size: %zu\n", key, +- (uint32_t)val, sizeof(uint32_t)); +- msg_id = msm_rpm_send_request(rpm_req); +- if (!msg_id) { +- pr_err("RPM: No message ID for req\n"); +- ret = -ENXIO; +- goto err; +- } +- +- ret = msm_rpm_wait_for_ack(msg_id); +- if (ret) { +- pr_err("RPM: Ack failed\n"); +- goto err; +- } +- +-err: +- msm_rpm_free_request(rpm_req); +- return ret; +-} +- +-static int msm_buspm_ioc_cmds(uint32_t arg) +-{ +- switch (arg) { +- case MSM_BUSPM_SPDM_CLK_DIS: +- case MSM_BUSPM_SPDM_CLK_EN: +- return msm_bus_rpm_req(SPDM_RES_TYPE, SPDM_KEY, 0, +- MSM_RPM_CTX_ACTIVE_SET, arg); +- default: +- pr_warn("Unsupported ioctl command: %d\n", arg); +- return -EINVAL; +- } +-} +- +- +- +-static long +-msm_buspm_dev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) +-{ +- struct buspm_xfer_req xfer; +- struct buspm_alloc_params alloc_data; +- unsigned long paddr; +- int retval = 0; +- void *buf = msm_buspm_dev_get_vaddr(filp); +- unsigned int buflen = msm_buspm_dev_get_buflen(filp); +- unsigned char *dbgbuf = buf; +- +- if (_IOC_TYPE(cmd) != MSM_BUSPM_IOC_MAGIC) { +- pr_err("Wrong IOC_MAGIC.Exiting\n"); +- return -ENOTTY; +- } +- +- switch (cmd) { +- case MSM_BUSPM_IOC_FREE: +- pr_debug("cmd = 0x%x (FREE)\n", cmd); +- msm_buspm_dev_free(filp); +- break; +- +- case MSM_BUSPM_IOC_ALLOC: +- pr_debug("cmd = 0x%x (ALLOC)\n", cmd); +- retval = __get_user(alloc_data.size, (uint32_t __user *)arg); +- +- if (retval == 0) +- retval = msm_buspm_dev_alloc(filp, alloc_data); +- break; +- +- case MSM_BUSPM_IOC_RD_PHYS_ADDR: +- pr_debug("Read Physical Address\n"); +- paddr = msm_buspm_dev_get_paddr(filp); +- if (paddr == 0L) { +- retval = -EINVAL; +- } else { +- pr_debug("phys addr = 0x%lx\n", paddr); +- retval = __put_user(paddr, +- (unsigned long __user *)arg); +- } +- break; +- +- case MSM_BUSPM_IOC_RDBUF: +- if 
(!buf) { +- retval = -EINVAL; +- break; +- } +- +- pr_debug("Read Buffer: 0x%x%x%x%x\n", +- dbgbuf[0], dbgbuf[1], dbgbuf[2], dbgbuf[3]); +- +- if (copy_from_user(&xfer, (void __user *)arg, sizeof(xfer))) { +- retval = -EFAULT; +- break; +- } +- +- if ((xfer.size <= buflen) && +- (copy_to_user((void __user *)xfer.data, buf, +- xfer.size))) { +- retval = -EFAULT; +- break; +- } +- break; +- +- case MSM_BUSPM_IOC_WRBUF: +- pr_debug("Write Buffer\n"); +- +- if (!buf) { +- retval = -EINVAL; +- break; +- } +- +- if (copy_from_user(&xfer, (void __user *)arg, sizeof(xfer))) { +- retval = -EFAULT; +- break; +- } +- +- if ((buflen <= xfer.size) && +- (copy_from_user(buf, (void __user *)xfer.data, +- xfer.size))) { +- retval = -EFAULT; +- break; +- } +- break; +- +- case MSM_BUSPM_IOC_CMD: +- pr_debug("IOCTL command: cmd: %d arg: %lu\n", cmd, arg); +- retval = msm_buspm_ioc_cmds(arg); +- break; +- +- default: +- pr_debug("Unknown command 0x%x\n", cmd); +- retval = -EINVAL; +- break; +- } +- +- return retval; +-} +- +-static int msm_buspm_dev_release(struct inode *inode, struct file *filp) +-{ +- struct msm_buspm_map_dev *dev = filp->private_data; +- +- msm_buspm_dev_free(filp); +- kfree(dev); +- filp->private_data = NULL; +- +- return 0; +-} +- +-static int msm_buspm_dev_mmap(struct file *filp, struct vm_area_struct *vma) +-{ +- pr_debug("vma = 0x%p\n", vma); +- +- /* Mappings are uncached */ +- vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); +- if (remap_pfn_range(vma, vma->vm_start, vma->vm_pgoff, +- vma->vm_end - vma->vm_start, vma->vm_page_prot)) +- return -EFAULT; +- +- return 0; +-} +- +-#ifdef CONFIG_COMPAT +-static long +-msm_buspm_dev_compat_ioctl(struct file *filp, unsigned int cmd, +- unsigned long arg) +-{ +- return msm_buspm_dev_ioctl(filp, cmd, (unsigned long)compat_ptr(arg)); +-} +-#endif +- +-static int __init msm_buspm_dev_init(void) +-{ +- int ret = 0; +- +- ret = misc_register(&msm_buspm_misc); +- if (ret < 0) { +- WARN_ON(1); +- return ret; +- } 
+- +- if (msm_buspm_misc.this_device->coherent_dma_mask == 0) +- msm_buspm_misc.this_device->coherent_dma_mask = +- DMA_BIT_MASK(32); +- +- return ret; +-} +- +-static void __exit msm_buspm_dev_exit(void) +-{ +- misc_deregister(&msm_buspm_misc); +-} +-module_init(msm_buspm_dev_init); +-module_exit(msm_buspm_dev_exit); +- +-MODULE_LICENSE("GPL v2"); +-MODULE_VERSION("1.0"); +-MODULE_ALIAS("platform:"MSM_BUSPM_DRV_NAME); +diff --git a/drivers/platform/msm/msm_bus/msm_buspm_coresight_adhoc.c b/drivers/platform/msm/msm_bus/msm_buspm_coresight_adhoc.c +index 9aec824..00b6e9a3 100644 +--- a/drivers/platform/msm/msm_bus/msm_buspm_coresight_adhoc.c ++++ b/drivers/platform/msm/msm_bus/msm_buspm_coresight_adhoc.c +@@ -135,6 +135,7 @@ int msmbus_coresight_init_adhoc(struct platform_device *pdev, + return PTR_ERR(pdata); + + drvdata = platform_get_drvdata(pdev); ++ dev_info(dev, "info: removed buspm module from kernel space\n"); + if (IS_ERR_OR_NULL(drvdata)) { + drvdata = devm_kzalloc(dev, sizeof(*drvdata), GFP_KERNEL); + if (!drvdata) { +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2443/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2443/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2443/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-2443/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-2443/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2016-2443/ANY/0001.patch.base64 similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2443/ANY/0.patch.base64 rename to Patches/Linux_CVEs/CVE-2016-2443/ANY/0001.patch.base64 diff --git a/Patches/Linux_CVEs/CVE-2016-2465/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2465/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2465/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-2465/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-2465/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-2465/3.18/0002.patch new file mode 100644 index 00000000..1af62167 --- /dev/null 
+++ b/Patches/Linux_CVEs/CVE-2016-2465/3.18/0002.patch 
@@ -0,0 +1,178 @@ +From 240f3bd82840fe6df7989339e465e9558f42fb85 Mon Sep 17 00:00:00 2001 +From: Veera Sundaram Sankaran +Date: Tue, 15 Mar 2016 18:42:27 -0700 +Subject: msm: mdss: fix possible out-of-bounds and overflow issue in mdp + debugfs + +There are few cases where the count argument passed by the user +space is not validated, which can potentially lead to out of bounds +or overflow issues. In some cases, kernel might copy more data than +what is requested. Add necessary checks to avoid such cases. + +Change-Id: Ifa42fbd475665a0ca581c907ce5432584ea0e7ed +[veeras@codeaurora.org: Resolve conflicts in mdss_debug.c] +Signed-off-by: Veera Sundaram Sankaran +--- + drivers/video/msm/mdss/mdss_debug.c | 47 +++++++++++++++++++++++-------------- + 1 file changed, 29 insertions(+), 18 deletions(-) + +diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c +index e4749c5..09b0694 100644 +--- a/drivers/video/msm/mdss/mdss_debug.c ++++ b/drivers/video/msm/mdss/mdss_debug.c +@@ -111,11 +111,11 @@ static ssize_t panel_debug_base_offset_read(struct file *file, + if (*ppos) + return 0; /* the end */ + +- len = snprintf(buf, sizeof(buf), "0x%02zx %zd\n", dbg->off, dbg->cnt); +- if (len < 0) ++ len = snprintf(buf, sizeof(buf), "0x%02zx %zx\n", dbg->off, dbg->cnt); ++ if (len < 0 || len >= sizeof(buf)) + return 0; + +- if (copy_to_user(buff, buf, len)) ++ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) + return -EFAULT; + + *ppos += len; /* increase offset */ +@@ -244,7 +244,11 @@ static ssize_t panel_debug_base_reg_read(struct file *file, + if (mdata->debug_inf.debug_enable_clock) + mdata->debug_inf.debug_enable_clock(0); + +- if (copy_to_user(user_buf, panel_reg_buf, len)) ++ if (len < 0 || len >= sizeof(panel_reg_buf)) ++ return 0; ++ ++ if ((count < sizeof(panel_reg_buf)) ++ || (copy_to_user(user_buf, panel_reg_buf, len))) + goto read_reg_fail; + + kfree(rx_buf); +@@ -403,7 +407,7 @@ static ssize_t mdss_debug_base_offset_read(struct 
file *file, + { + struct mdss_debug_base *dbg = file->private_data; + int len = 0; +- char buf[24]; ++ char buf[24] = {'\0'}; + + if (!dbg) + return -ENODEV; +@@ -412,10 +416,10 @@ static ssize_t mdss_debug_base_offset_read(struct file *file, + return 0; /* the end */ + + len = snprintf(buf, sizeof(buf), "0x%08zx %zx\n", dbg->off, dbg->cnt); +- if (len < 0) ++ if (len < 0 || len >= sizeof(buf)) + return 0; + +- if (copy_to_user(buff, buf, len)) ++ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) + return -EFAULT; + + *ppos += len; /* increase offset */ +@@ -759,7 +763,7 @@ static ssize_t mdss_debug_factor_read(struct file *file, + { + struct mult_factor *factor = file->private_data; + int len = 0; +- char buf[32]; ++ char buf[32] = {'\0'}; + + if (!factor) + return -ENODEV; +@@ -769,10 +773,10 @@ static ssize_t mdss_debug_factor_read(struct file *file, + + len = snprintf(buf, sizeof(buf), "%d/%d\n", + factor->numer, factor->denom); +- if (len < 0) ++ if (len < 0 || len >= sizeof(buf)) + return 0; + +- if (copy_to_user(buff, buf, len)) ++ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) + return -EFAULT; + + *ppos += len; /* increase offset */ +@@ -803,6 +807,8 @@ static ssize_t mdss_debug_perf_mode_write(struct file *file, + if (copy_from_user(buf, user_buf, count)) + return -EFAULT; + ++ buf[count] = 0; /* end of string */ ++ + if (sscanf(buf, "%d", &perf_mode) != 1) + return -EFAULT; + +@@ -823,7 +829,7 @@ static ssize_t mdss_debug_perf_mode_read(struct file *file, + { + struct mdss_perf_tune *perf_tune = file->private_data; + int len = 0; +- char buf[40]; ++ char buf[40] = {'\0'}; + + if (!perf_tune) + return -ENODEV; +@@ -833,10 +839,10 @@ static ssize_t mdss_debug_perf_mode_read(struct file *file, + + len = snprintf(buf, sizeof(buf), "min_mdp_clk %lu min_bus_vote %llu\n", + perf_tune->min_mdp_clk, perf_tune->min_bus_vote); +- if (len < 0) ++ if (len < 0 || len >= sizeof(buf)) + return 0; + +- if (copy_to_user(buff, buf, len)) ++ if ((count 
< sizeof(buf)) || copy_to_user(buff, buf, len)) + return -EFAULT; + + *ppos += len; /* increase offset */ +@@ -856,7 +862,7 @@ static ssize_t mdss_debug_perf_panic_read(struct file *file, + { + struct mdss_data_type *mdata = file->private_data; + int len = 0; +- char buf[40]; ++ char buf[40] = {'\0'}; + + if (!mdata) + return -ENODEV; +@@ -866,10 +872,10 @@ static ssize_t mdss_debug_perf_panic_read(struct file *file, + + len = snprintf(buf, sizeof(buf), "%d\n", + !mdata->has_panic_ctrl); +- if (len < 0) ++ if (len < 0 || len >= sizeof(buf)) + return 0; + +- if (copy_to_user(buff, buf, len)) ++ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) + return -EFAULT; + + *ppos += len; /* increase offset */ +@@ -932,9 +938,14 @@ static ssize_t mdss_debug_perf_panic_write(struct file *file, + if (!mdata) + return -EFAULT; + ++ if (count >= sizeof(buf)) ++ return -EFAULT; ++ + if (copy_from_user(buf, user_buf, count)) + return -EFAULT; + ++ buf[count] = 0; /* end of string */ ++ + if (sscanf(buf, "%d", &disable_panic) != 1) + return -EFAULT; + +@@ -1004,10 +1015,10 @@ static ssize_t mdss_debug_perf_bw_limit_read(struct file *file, + temp_settings++; + } + +- if (len < 0) ++ if (len < 0 || len >= sizeof(buf)) + return 0; + +- if (copy_to_user(buff, buf, len)) ++ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) + return -EFAULT; + + *ppos += len; /* increase offset */ +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2466/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2466/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2466/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-2466/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-2466/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2016-2466/ANY/0001.patch.base64 similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2466/ANY/0.patch.base64 rename to Patches/Linux_CVEs/CVE-2016-2466/ANY/0001.patch.base64 
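Review bot: In the `panel_debug_base_reg_read` hunk of the embedded mdss_debug.c patch, the added `if (len < 0 || len >= sizeof(panel_reg_buf)) return 0;` exits before the `kfree(rx_buf)` that follows, while the neighbouring failure path uses `goto read_reg_fail`, so this exit probably leaks `rx_buf`. Routing it through the same label (`goto read_reg_fail;`) would keep cleanup in one place, assuming that label frees the buffer; the allocation and the label are outside the hunk. Separately, the read handlers compare `count` with `sizeof(buf)` rather than with `len`, so a caller whose buffer fits the formatted string but is smaller than the scratch array gets `-EFAULT`; `if (count < len || copy_to_user(buff, buf, len))` is the narrower check. In `mdss_debug_perf_mode_write` the new `buf[count] = 0;` is only safe if `count` is bounded against `sizeof(buf)` above the hunk, as the `mdss_debug_perf_panic_write` hunk does explicitly.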
diff --git a/Patches/Linux_CVEs/CVE-2016-2467/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2467/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2467/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-2467/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-2468/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2468/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2468/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-2468/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-2468/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-2468/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2468/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2016-2468/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-2468/ANY/1.patch.base64 b/Patches/Linux_CVEs/CVE-2016-2468/ANY/0002.patch.base64 similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2468/ANY/1.patch.base64 rename to Patches/Linux_CVEs/CVE-2016-2468/ANY/0002.patch.base64 diff --git a/Patches/Linux_CVEs/CVE-2016-2469/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-2469/3.10/0001.patch new file mode 100644 index 00000000..1aa84540 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2469/3.10/0001.patch 
@@ -0,0 +1,90 @@ +From e7369163162e7773bc887f7a264d6aa46cfcc665 Mon Sep 17 00:00:00 2001 +From: Patrick Daly +Date: Thu, 28 May 2015 18:05:54 -0700 +Subject: ASoC: msm: qdsp6v2: DAP: Fix unprotected userspace access + +Use get_user() & friends to access userspace addresses. + +Change-Id: I9741a60e53f6253da27913175e9b8c4abbf50db9 +Signed-off-by: Patrick Daly +Signed-off-by: Pradnya Chaphekar +--- + sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c +index 67a9400..7761b9c 100644 +--- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c ++++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c +@@ -1354,11 +1354,13 @@ end: + static int msm_ds2_dap_handle_commands(u32 cmd, void *arg) + { + int ret = 0, port_id = 0; ++ int32_t data; + struct dolby_param_data *dolby_data = (struct dolby_param_data *)arg; ++ get_user(data, &dolby_data->data[0]); + + pr_debug("%s: param_id %d,be_id %d,device_id 0x%x,length %d,data %d\n", + __func__, dolby_data->param_id, dolby_data->be_id, +- dolby_data->device_id, dolby_data->length, dolby_data->data[0]); ++ dolby_data->device_id, dolby_data->length, data); + + switch (dolby_data->param_id) { + case DAP_CMD_COMMIT_ALL: +@@ -1370,18 +1372,18 @@ static int msm_ds2_dap_handle_commands(u32 cmd, void *arg) + break; + + case DAP_CMD_USE_CACHE_FOR_INIT: +- ds2_dap_params_states.use_cache = dolby_data->data[0]; ++ ds2_dap_params_states.use_cache = data; + break; + + case DAP_CMD_SET_BYPASS: + pr_debug("%s: bypass %d bypass type %d, data %d\n", __func__, + ds2_dap_params_states.dap_bypass, + ds2_dap_params_states.dap_bypass_type, +- dolby_data->data[0]); ++ data); + /* Do not perform bypass operation if bypass state is same*/ +- if (ds2_dap_params_states.dap_bypass == dolby_data->data[0]) ++ if (ds2_dap_params_states.dap_bypass == data) + break; +- ds2_dap_params_states.dap_bypass = 
dolby_data->data[0]; ++ ds2_dap_params_states.dap_bypass = data; + /* hard bypass */ + if (ds2_dap_params_states.dap_bypass_type == DAP_HARD_BYPASS) + msm_ds2_dap_handle_bypass(dolby_data); +@@ -1390,7 +1392,7 @@ static int msm_ds2_dap_handle_commands(u32 cmd, void *arg) + break; + + case DAP_CMD_SET_BYPASS_TYPE: +- if (dolby_data->data[0] == true) ++ if (data == true) + ds2_dap_params_states.dap_bypass_type = + DAP_HARD_BYPASS; + else +@@ -1429,6 +1431,7 @@ static int msm_ds2_dap_set_param(u32 cmd, void *arg) + { + int rc = 0, idx, i, j, off, port_id = 0, cdev = 0; + int32_t num_device = 0; ++ int32_t data = 0; + int32_t dev_arr[DS2_DSP_SUPPORTED_ENDP_DEVICE] = {0}; + struct dolby_param_data *dolby_data = (struct dolby_param_data *)arg; + +@@ -1472,10 +1475,10 @@ static int msm_ds2_dap_set_param(u32 cmd, void *arg) + ds2_dap_params[cdev].dap_params_modified[idx] += 1; + for (j = 0; j < dolby_data->length; j++) { + off = ds2_dap_params_offset[idx]; +- ds2_dap_params[cdev].params_val[off + j] = +- dolby_data->data[j]; ++ get_user(data, &dolby_data->data[j]); ++ ds2_dap_params[cdev].params_val[off + j] = data; + pr_debug("%s:off %d,val[i/p:o/p]-[%d / %d]\n", +- __func__, off, dolby_data->data[j], ++ __func__, off, data, + ds2_dap_params[cdev]. + params_val[off + j]); + } +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2469/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-2469/3.18/0002.patch new file mode 100644 index 00000000..cb6541fe --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2469/3.18/0002.patch 
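Review bot: The `get_user()` calls added to `msm_ds2_dap_handle_commands` and `msm_ds2_dap_set_param` ignore the return value, and in `msm_ds2_dap_handle_commands` the new `int32_t data;` has no initialiser, so a faulting user pointer leaves an indeterminate value to be logged and stored in `ds2_dap_params_states`. The loop in `msm_ds2_dap_set_param` also still runs to the caller-supplied `dolby_data->length`, with no bound on `off + j` visible in the hunk. Both gaps are closed by the follow-up this commit adds as `CVE-2016-2469/3.18/0002.patch`, but that file sits under a different version directory, so it is worth confirming that trees receiving this `3.10` patch also get the return-value and length checks. At minimum the call here should read `if (get_user(data, &dolby_data->data[0])) { ret = -EFAULT; goto end; }`. Both function bodies continue outside the hunks.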
@@ -0,0 +1,67 @@
+From 7eb824e8e1ebbdbfad896b090a9f048ca6e63c9e Mon Sep 17 00:00:00 2001
+From: Ashish Jain
+Date: Fri, 15 Apr 2016 15:33:14 +0530
+Subject: ASoC: msm: qdsp6v2: DAP: Fix buffer overflow
+
+Add check to avoid out of bound access.
+Check return value of get_user api.
+
+CRs-Fixed: 997025
+Change-Id: Ibbace116ac206007fa1928555838285304737737
+Signed-off-by: Ashish Jain
+---
+ sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+index 242dc5f..ace747d 100644
+--- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
++++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+ * only version 2 as published by the Free Software Foundation.
+@@ -1356,7 +1356,11 @@ static int msm_ds2_dap_handle_commands(u32 cmd, void *arg)
+ int ret = 0, port_id = 0;
+ int32_t data;
+ struct dolby_param_data *dolby_data = (struct dolby_param_data *)arg;
+- get_user(data, &dolby_data->data[0]);
++ if (get_user(data, &dolby_data->data[0])) {
++ pr_debug("%s error getting data\n", __func__);
++ ret = -EFAULT;
++ goto end;
++ }
+
+ pr_debug("%s: param_id %d,be_id %d,device_id 0x%x,length %d,data %d\n",
+ __func__, dolby_data->param_id, dolby_data->be_id,
+@@ -1471,11 +1475,23 @@ static int msm_ds2_dap_set_param(u32 cmd, void *arg)
+ goto end;
+ }
+
++ off = ds2_dap_params_offset[idx];
++ if ((dolby_data->length <= 0) ||
++ (dolby_data->length > TOTAL_LENGTH_DS2_PARAM - off)) {
++ pr_err("%s: invalid length %d at idx %d\n",
++ __func__, dolby_data->length, idx);
++ rc = -EINVAL;
++ goto end;
++ }
++
+ /* cache the parameters */
+ ds2_dap_params[cdev].dap_params_modified[idx] += 1;
+ for (j = 0; j < dolby_data->length; j++) {
+- off = ds2_dap_params_offset[idx];
+- get_user(data, &dolby_data->data[j]);
++ if (get_user(data, &dolby_data->data[j])) {
++ pr_debug("%s:error getting data\n", __func__);
++ rc = -EFAULT;
++ goto end;
++ }
+ ds2_dap_params[cdev].params_val[off + j] = data;
+ pr_debug("%s:off %d,val[i/p:o/p]-[%d / %d]\n",
+ __func__, off, data,
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-2469/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2469/ANY/0.patch
deleted file mode 100644
index 64ab5eae..00000000
--- a/Patches/Linux_CVEs/CVE-2016-2469/ANY/0.patch
+++ /dev/null
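Review bot: In the `msm_ds2_dap_set_param` hunk, `ds2_dap_params[cdev].dap_params_modified[idx] += 1;` still runs before the copy loop, so when the newly checked `get_user()` fails part-way the function leaves through `end` with `rc = -EFAULT`, `params_val` partly overwritten and the entry already counted as modified. Moving the increment to after the loop, so it happens only once all `length` values have been copied, keeps the cache and its counter consistent. The new length check reads `ds2_dap_params_offset[idx]` and so relies on `idx` having been validated earlier in the function; that validation is outside the hunk and should be confirmed. The two `get_user()` failure paths log with `pr_debug`, which is often disabled, whereas the length path uses `pr_err`; using `pr_err` for both would make rejected requests visible.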
@@ -1,104 +0,0 @@ -diff --git a/sound/soc/msm/Kconfig b/sound/soc/msm/Kconfig -index b47f9f6..93fbed3 100644 ---- a/sound/soc/msm/Kconfig -+++ b/sound/soc/msm/Kconfig -@@ -83,35 +83,6 @@ - OCMEM gets exercised for low-power - audio and voice use cases. - --config DOLBY_DAP -- bool "Enable Dolby DAP" -- depends on SND_SOC_MSM_QDSP6V2_INTF -- help -- To add support for dolby DAP post processing. -- This support is to configure the post processing parameters -- to DSP. The configuration includes sending the end point -- device, end point dependent post processing parameters and -- the various posrt processing parameters -- --config DOLBY_DS2 -- bool "Enable Dolby DS2" -- depends on SND_SOC_MSM_QDSP6V2_INTF -- help -- To add support for dolby DAP post processing. -- This support is to configure the post processing parameters -- to DSP. The configuration includes sending the end point -- device, end point dependent post processing parameters and -- the various posrt processing parameters -- --config DTS_SRS_TM -- bool "Enable DTS SRS" -- depends on SND_SOC_MSM_QDSP6V2_INTF -- help -- To add support for DTS SRS post processing. -- This support is to configure the post processing -- parameters to DSP. The configuration includes sending -- tuning parameters of various modules. -- - config QTI_PP - bool "Enable QTI PP" - depends on SND_SOC_MSM_QDSP6V2_INTF -@@ -141,8 +112,6 @@ - select SND_SOC_WCD9320 - select SND_DYNAMIC_MINORS - select AUDIO_OCMEM -- select DOLBY_DAP -- select DTS_SRS_TM - select QTI_PP - help - To add support for SoC audio on MSM8974. -@@ -161,7 +130,6 @@ - select SND_SOC_MSM_HDMI_CODEC_RX - select SND_DYNAMIC_MINORS - select AUDIO_OCMEM -- select DTS_SRS_TM - select QTI_PP - help - To add support for SoC audio on APQ8074. -@@ -178,8 +146,6 @@ - select SND_SOC_MSM_HOSTLESS_PCM - select SND_SOC_WCD9306 - select SND_DYNAMIC_MINORS -- select DOLBY_DAP -- select DTS_SRS_TM - select QTI_PP - help - To add support for SoC audio on MSM8226. 
-@@ -239,15 +205,11 @@ - select SND_SOC_WCD9320 - select SND_DYNAMIC_MINORS - select AUDIO_OCMEM -- select DOLBY_DAP -- select DTS_SRS_TM - select QTI_PP - select SND_SOC_CPE -- select DOLBY_DS2 - select SND_SOC_TPA6165A2 - select SND_SOC_TFA9890 - select SND_SOC_FSA8500 -- - help - To add support for SoC audio on APQ8084. - This will enable sound soc drivers which -@@ -264,7 +226,6 @@ - select SND_SOC_WCD9306 - select SND_DYNAMIC_MINORS - select AUDIO_OCMEM -- select DOLBY_DAP - help - To add support for SoC audio on MSMSAMARIUM. - -diff --git a/sound/soc/msm/qdsp6v2/Makefile b/sound/soc/msm/qdsp6v2/Makefile -index bdcd0cc..24777cc 100644 ---- a/sound/soc/msm/qdsp6v2/Makefile -+++ b/sound/soc/msm/qdsp6v2/Makefile -@@ -8,9 +8,6 @@ - msm-pcm-routing-devdep.o - obj-$(CONFIG_SND_SOC_QDSP6V2) += snd-soc-qdsp6v2.o msm-pcm-dtmf-v2.o \ - msm-dai-stub-v2.o --obj-$(CONFIG_DOLBY_DAP) += msm-dolby-dap-config.o --obj-$(CONFIG_DOLBY_DS2) += msm-ds2-dap-config.o --obj-$(CONFIG_DTS_SRS_TM) += msm-dts-srs-tm-config.o - obj-$(CONFIG_QTI_PP) += msm-qti-pp-config.o - obj-y += q6adm.o q6afe.o q6asm.o q6audio-v2.o q6voice.o q6core.o audio_acdb.o \ - rtac.o q6lsm.o audio_slimslave.o diff --git a/Patches/Linux_CVEs/CVE-2016-2469/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2016-2469/ANY/0.patch.base64 deleted file mode 100644 index dc2234cb..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2469/ANY/0.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-2470/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2470/ANY/0001.patch new file mode 100644 index 00000000..97a04077 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2470/ANY/0001.patch 
@@ -0,0 +1,303 @@ +From 05ce237387c6e1d101bbb4b825e56757576748e6 Mon Sep 17 00:00:00 2001 +From: Arif Hussain +Date: Mon, 11 Nov 2013 22:59:34 -0800 +Subject: wlan: wlan_hdd_wext Userspace data copy fix + +Use copy_to_user and copy_from_user for +copying data to/from user space. + +Change-Id: I98fb6352b654af8f78160738e7ccd902c3c70031 +CRs-Fixed: 561028 +--- + CORE/HDD/src/wlan_hdd_wext.c | 75 +++++++++++++++++++++++++------------------- + 1 file changed, 42 insertions(+), 33 deletions(-) + +diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c +index c5247d3..6d60f14 100644 +--- a/CORE/HDD/src/wlan_hdd_wext.c ++++ b/CORE/HDD/src/wlan_hdd_wext.c +@@ -1385,7 +1385,7 @@ static int iw_set_genie(struct net_device *dev, + { + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); + hdd_wext_state_t *pWextState = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter); +- u_int8_t *genie; ++ u_int8_t *genie = (u_int8_t *)extra; + v_U16_t remLen; + + ENTER(); +@@ -1400,7 +1400,6 @@ static int iw_set_genie(struct net_device *dev, + return 0; + } + +- genie = wrqu->data.pointer; + remLen = wrqu->data.length; + + hddLog(LOG1,"iw_set_genie ioctl IE[0x%X], LEN[%d]\n", genie[0], genie[1]); +@@ -1528,9 +1527,14 @@ static int iw_get_genie(struct net_device *dev, + pAdapter->sessionId, + &length, + genIeBytes); +- wrqu->data.length = VOS_MIN((u_int16_t) length, DOT11F_IE_RSN_MAX_LEN); +- +- vos_mem_copy( wrqu->data.pointer, (v_VOID_t*)genIeBytes, wrqu->data.length); ++ length = VOS_MIN((u_int16_t) length, DOT11F_IE_RSN_MAX_LEN); ++ if (wrqu->data.length < length) ++ { ++ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); ++ return -EFAULT; ++ } ++ vos_mem_copy( extra, (v_VOID_t*)genIeBytes, wrqu->data.length); ++ wrqu->data.length = length; + + hddLog(LOG1,"%s: RSN IE of %d bytes returned\n", __func__, wrqu->data.length ); + +@@ -2220,7 +2224,7 @@ static int iw_get_rssi(struct net_device *dev, + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pAdapter = 
WLAN_HDD_GET_PRIV_PTR(dev); +- char *cmd = (char*)wrqu->data.pointer; ++ char *cmd = extra; + int len = wrqu->data.length; + v_S7_t s7Rssi = 0; + hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); +@@ -2477,7 +2481,7 @@ static int iw_set_priv(struct net_device *dev, + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- char *cmd = (char*)wrqu->data.pointer; ++ char *cmd = extra; + int cmd_len = wrqu->data.length; + int ret = 0; + int status = 0; +@@ -2731,6 +2735,16 @@ done: + /* there was an encoding error or overflow */ + status = -EIO; + } ++ else if (ret > 0) ++ { ++ if (copy_to_user(wrqu->data.pointer, cmd, ret)) ++ { ++ hddLog(VOS_TRACE_LEVEL_ERROR, ++ "%s: failed to copy data to user buffer", __func__); ++ return -EFAULT; ++ } ++ wrqu->data.length = ret; ++ } + + if (ioctl_debug) + { +@@ -2738,7 +2752,6 @@ done: + __func__, cmd, wrqu->data.length, status); + } + return status; +- + } + + static int iw_set_nick(struct net_device *dev, +@@ -3683,7 +3696,7 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in + #endif /* WLAN_FEATURE_VOWIFI */ + + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received length %d", __func__, wrqu->data.length); +- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received data %s", __func__, (char*)wrqu->data.pointer); ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received data %s", __func__, extra); + + if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) + { +@@ -3696,11 +3709,11 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in + { + case WE_WOWL_ADD_PTRN: + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "ADD_PTRN\n"); +- hdd_add_wowl_ptrn(pAdapter, (char*)wrqu->data.pointer); ++ hdd_add_wowl_ptrn(pAdapter, extra); + break; + case WE_WOWL_DEL_PTRN: + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "DEL_PTRN\n"); +- hdd_del_wowl_ptrn(pAdapter, 
(char*)wrqu->data.pointer); ++ hdd_del_wowl_ptrn(pAdapter, extra); + break; + #if defined WLAN_FEATURE_VOWIFI + case WE_NEIGHBOR_REPORT_REQUEST: +@@ -3715,7 +3728,7 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in + if( !neighborReq.no_ssid ) + { + neighborReq.ssid.length = (wrqu->data.length - 1) > 32 ? 32 : (wrqu->data.length - 1) ; +- vos_mem_copy( neighborReq.ssid.ssId, wrqu->data.pointer, neighborReq.ssid.length ); ++ vos_mem_copy( neighborReq.ssid.ssId, extra, neighborReq.ssid.length ); + } + + callbackInfo.neighborRspCallback = NULL; +@@ -3733,10 +3746,10 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in + #endif + case WE_SET_AP_WPS_IE: + hddLog( LOGE, "Received WE_SET_AP_WPS_IE" ); +- sme_updateP2pIe( WLAN_HDD_GET_HAL_CTX(pAdapter), wrqu->data.pointer, wrqu->data.length ); ++ sme_updateP2pIe( WLAN_HDD_GET_HAL_CTX(pAdapter), extra, wrqu->data.length ); + break; + case WE_SET_CONFIG: +- vstatus = hdd_execute_config_command(pHddCtx, wrqu->data.pointer); ++ vstatus = hdd_execute_config_command(pHddCtx, extra); + if (VOS_STATUS_SUCCESS != vstatus) + { + ret = -EINVAL; +@@ -4244,7 +4257,7 @@ int iw_set_var_ints_getnone(struct net_device *dev, struct iw_request_info *info + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); + tHalHandle hHal = WLAN_HDD_GET_HAL_CTX(pAdapter); + int sub_cmd = wrqu->data.flags; +- int *value = (int*)wrqu->data.pointer; ++ int *value = (int*)extra; + int apps_args[MAX_VAR_ARGS] = {0}; + int num_args = wrqu->data.length; + hdd_station_ctx_t *pStaCtx = NULL ; +@@ -4595,10 +4608,10 @@ static int iw_qcom_set_wapi_mode(struct net_device *dev, struct iw_request_info + hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); + tCsrRoamProfile *pRoamProfile = &pWextState->roamProfile; + +- WAPI_FUNCTION_MODE *pWapiMode = (WAPI_FUNCTION_MODE *)wrqu->data.pointer; ++ WAPI_FUNCTION_MODE *pWapiMode = (WAPI_FUNCTION_MODE *)extra; + + hddLog(LOG1, "The function 
iw_qcom_set_wapi_mode called"); +- hddLog(LOG1, "%s: Received data %s", __func__, (char*)wrqu->data.pointer); ++ hddLog(LOG1, "%s: Received data %s", __func__, extra); + hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); + hddLog(LOG1, "%s: Input Data (wreq) WAPI Mode:%02d", __func__, pWapiMode->wapiMode); + +@@ -4661,7 +4674,6 @@ static int iw_qcom_set_wapi_assoc_info(struct net_device *dev, struct iw_request + int i = 0, j = 0; + hddLog(LOG1, "The function iw_qcom_set_wapi_assoc_info called"); + hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); +- hddLog(LOG1, "%s: Received data %s", __func__, (char*)wrqu->data.pointer); + hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra); + + if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) +@@ -4727,7 +4739,6 @@ static int iw_qcom_set_wapi_key(struct net_device *dev, struct iw_request_info * + + hddLog(LOG1, "The function iw_qcom_set_wapi_key called "); + hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); +- hddLog(LOG1, "%s: Received data %s", __func__, (char*)wrqu->data.pointer); + hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra); + + hddLog(LOG1,":s: INPUT DATA:\nKey Type:0x%02x Key Direction:0x%02x KEY ID:0x%02x\n", __func__,pWapiKey->keyType,pWapiKey->keyDirection,pWapiKey->keyId); +@@ -4828,12 +4839,11 @@ static int iw_qcom_set_wapi_bkid(struct net_device *dev, struct iw_request_info + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); + #ifdef WLAN_DEBUG + int i = 0; +- WLAN_BKID_LIST *pBkid = ( WLAN_BKID_LIST *) (wrqu->data.pointer); ++ WLAN_BKID_LIST *pBkid = ( WLAN_BKID_LIST *) extra; + #endif + + hddLog(LOG1, "The function iw_qcom_set_wapi_bkid called"); + hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); +- hddLog(LOG1, "%s: Received data %s", __func__, (char*)wrqu->data.pointer); + hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra); + + hddLog(LOG1,"%s: INPUT DATA:\n BKID Length:0x%08lx\n", 
__func__,pBkid->length); +@@ -4910,7 +4920,7 @@ static int iw_set_fties(struct net_device *dev, struct iw_request_info *info, + #endif + + // Pass the received FT IEs to SME +- sme_SetFTIEs( WLAN_HDD_GET_HAL_CTX(pAdapter), pAdapter->sessionId, wrqu->data.pointer, ++ sme_SetFTIEs( WLAN_HDD_GET_HAL_CTX(pAdapter), pAdapter->sessionId, extra, + wrqu->data.length); + + return 0; +@@ -4922,7 +4932,7 @@ static int iw_set_dynamic_mcbc_filter(struct net_device *dev, + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- tpRcvFltMcAddrList pRequest = (tpRcvFltMcAddrList)wrqu->data.pointer; ++ tpRcvFltMcAddrList pRequest = (tpRcvFltMcAddrList)extra; + hdd_context_t *pHddCtx = WLAN_HDD_GET_CTX(pAdapter); + tpSirWlanSetRxpFilters wlanRxpFilterParam; + tHalHandle hHal = WLAN_HDD_GET_HAL_CTX(pAdapter); +@@ -5067,7 +5077,7 @@ static int iw_set_host_offload(struct net_device *dev, struct iw_request_info *i + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- tpHostOffloadRequest pRequest = (tpHostOffloadRequest)wrqu->data.pointer; ++ tpHostOffloadRequest pRequest = (tpHostOffloadRequest) extra; + tSirHostOffloadReq offloadRequest; + + if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) +@@ -5076,7 +5086,6 @@ static int iw_set_host_offload(struct net_device *dev, struct iw_request_info *i + "%s:LOGP in Progress. Ignore!!!", __func__); + return -EBUSY; + } +- + /* Debug display of request components. 
*/ + switch (pRequest->offloadType) + { +@@ -5139,7 +5148,7 @@ static int iw_set_keepalive_params(struct net_device *dev, struct iw_request_inf + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- tpKeepAliveRequest pRequest = (tpKeepAliveRequest)wrqu->data.pointer; ++ tpKeepAliveRequest pRequest = (tpKeepAliveRequest) extra; + tSirKeepAliveReq keepaliveRequest; + + if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) +@@ -5340,7 +5349,7 @@ static int iw_set_packet_filter_params(struct net_device *dev, struct iw_request + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- tpPacketFilterCfg pRequest = (tpPacketFilterCfg)wrqu->data.pointer; ++ tpPacketFilterCfg pRequest = (tpPacketFilterCfg) extra; + + return wlan_hdd_set_filter(WLAN_HDD_GET_CTX(pAdapter), pRequest, pAdapter->sessionId); + } +@@ -5573,7 +5582,7 @@ VOS_STATUS iw_set_pno(struct net_device *dev, struct iw_request_info *info, + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, + "PNO data len %d data %s", + wrqu->data.length, +- wrqu->data.pointer); ++ extra); + + if (wrqu->data.length <= nOffset ) + { +@@ -5611,7 +5620,7 @@ VOS_STATUS iw_set_pno(struct net_device *dev, struct iw_request_info *info, + + scan every 5 seconds 2 times, scan every 300 seconds until stopped + -----------------------------------------------------------------------*/ +- ptr = (char*)(wrqu->data.pointer + nOffset); ++ ptr = extra + nOffset; + + sscanf(ptr,"%hhu%n", &(pnoRequest.enable), &nOffset); + +@@ -5822,7 +5831,7 @@ VOS_STATUS iw_set_rssi_filter(struct net_device *dev, struct iw_request_info *in + v_U8_t rssiThreshold = 0; + v_U8_t nRead; + +- nRead = sscanf(wrqu->data.pointer + nOffset,"%hhu", ++ nRead = sscanf(extra + nOffset,"%hhu", + &rssiThreshold); + + if ( 1 != nRead ) +@@ -5983,7 +5992,7 @@ static int iw_set_band_config(struct net_device *dev, + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pAdapter = 
WLAN_HDD_GET_PRIV_PTR(dev); +- tANI_U8 *ptr = (tANI_U8*)wrqu->data.pointer; ++ tANI_U8 *ptr = extra; + int ret = 0; + + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,"%s: ", __func__); +@@ -6030,7 +6039,7 @@ VOS_STATUS iw_set_power_params(struct net_device *dev, struct iw_request_info *i + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, + "Power Params data len %d data %s", + wrqu->data.length, +- wrqu->data.pointer); ++ extra); + + if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) + { +@@ -6072,7 +6081,7 @@ VOS_STATUS iw_set_power_params(struct net_device *dev, struct iw_request_info *i + powerRequest.uEnableBET = SIR_NOCHANGE_POWER_VALUE; + powerRequest.uBETInterval = SIR_NOCHANGE_POWER_VALUE; + +- ptr = (char*)(wrqu->data.pointer + nOffset); ++ ptr = extra + nOffset; + + while ( uTotalSize ) + { +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2470/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-2470/ANY/0002.patch new file mode 100644 index 00000000..b2007b28 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2470/ANY/0002.patch 
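Review bot: In the `iw_get_genie` hunk the new check rejects a user buffer shorter than `length`, but the copy that follows is still sized by the caller's value, `vos_mem_copy( extra, (v_VOID_t*)genIeBytes, wrqu->data.length);`. A request with a larger `wrqu->data.length` therefore copies more than the `length` bytes that were produced, reading past the valid part of `genIeBytes` and possibly past the array, whose size is outside the hunk. The copy should use the clamped value, `vos_mem_copy(extra, (v_VOID_t*)genIeBytes, length);`. In the `iw_set_priv` hunk the added `copy_to_user(wrqu->data.pointer, cmd, ret)` is not compared with the caller-supplied length in the visible lines, so confirm that `ret` cannot exceed the buffer behind `cmd` or the user's buffer.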
@@ -0,0 +1,88 @@ +From 4c9789ba9ed03adaa689d0831524ed6e5ca00fcd Mon Sep 17 00:00:00 2001 +From: Vinay Krishna Eranna +Date: Mon, 21 Apr 2014 20:17:57 +0530 +Subject: wlan: Avoid abort due to access of deinitialised socket + +If driver initialization fails after nl initialization, +driver tries to stop PE by posting the message to MC +thread which in turn tries to send a message to the +ptt App, by this time the socket would have been +de-initialized due to which abort occurs. + +Avoid sending any message during load unload in progress. +Reduce the min number of logging buffers to support low +memory devices and use vmalloc instead for logging buffer +allocation. + +Change-Id: Ifdcd6ef0d92f0a68d03193070057a67818371674 +CRs-Fixed: 652067 +--- + CORE/HDD/inc/wlan_hdd_cfg.h | 2 +- + CORE/SVC/src/logging/wlan_logging_sock_svc.c | 5 +++-- + CORE/VOSS/src/vos_diag.c | 7 +++++++ + 3 files changed, 11 insertions(+), 3 deletions(-) + +diff --git a/CORE/HDD/inc/wlan_hdd_cfg.h b/CORE/HDD/inc/wlan_hdd_cfg.h +index 6451154..ea5e05d 100644 +--- a/CORE/HDD/inc/wlan_hdd_cfg.h ++++ b/CORE/HDD/inc/wlan_hdd_cfg.h +@@ -2067,7 +2067,7 @@ This feature requires the dependent cfg.ini "gRoamPrefer5GHz" set to 1 */ + + //Number of buffers to be used for WLAN logging + #define CFG_WLAN_LOGGING_NUM_BUF_NAME "wlanLoggingNumBuf" +-#define CFG_WLAN_LOGGING_NUM_BUF_MIN ( 8 ) ++#define CFG_WLAN_LOGGING_NUM_BUF_MIN ( 4 ) + #define CFG_WLAN_LOGGING_NUM_BUF_MAX ( 64 ) + #define CFG_WLAN_LOGGING_NUM_BUF_DEFAULT ( 32 ) + #endif //WLAN_LOGGING_SOCK_SVC_ENABLE +diff --git a/CORE/SVC/src/logging/wlan_logging_sock_svc.c b/CORE/SVC/src/logging/wlan_logging_sock_svc.c +index 9ac2201..4b78a0d 100644 +--- a/CORE/SVC/src/logging/wlan_logging_sock_svc.c ++++ b/CORE/SVC/src/logging/wlan_logging_sock_svc.c +@@ -30,6 +30,7 @@ + * + ******************************************************************************/ + #ifdef WLAN_LOGGING_SOCK_SVC_ENABLE ++#include + #include + #include + #include +@@ -487,7 +488,7 @@ int 
wlan_logging_sock_activate_svc(int log_fe_to_console, int num_buf) + + gapp_pid = INVALID_PID; + +- gplog_msg = (struct log_msg *) vos_mem_malloc( ++ gplog_msg = (struct log_msg *) vmalloc( + num_buf * sizeof(struct log_msg)); + if (!gplog_msg) { + pr_err("%s: Could not allocate memory\n", __func__); +@@ -545,7 +546,7 @@ int wlan_logging_sock_deactivate_svc(void) + wake_up_interruptible(&gwlan_logging.wait_queue); + wait_for_completion_interruptible(&gwlan_logging.shutdown_comp); + +- vos_mem_free(gplog_msg); ++ vfree(gplog_msg); + + pr_info("%s: Deactivate wlan_logging svc\n", __func__); + +diff --git a/CORE/VOSS/src/vos_diag.c b/CORE/VOSS/src/vos_diag.c +index 5b1dfde..06be463 100644 +--- a/CORE/VOSS/src/vos_diag.c ++++ b/CORE/VOSS/src/vos_diag.c +@@ -131,6 +131,13 @@ void vos_log_submit(v_VOID_t *plog_hdr_ptr) + /*Get the Hdd Context */ + pHddCtx = ((VosContextType*)(pVosContext))->pHDDContext; + ++ if (WLAN_HDD_IS_LOAD_UNLOAD_IN_PROGRESS(pHddCtx)) ++ { ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, ++ "%s: Unloading/Loading in Progress. Ignore!!!", __func__); ++ return; ++ } ++ + #ifdef WLAN_KD_READY_NOTIFIER + /* NL is not ready yet, WLAN KO started first */ + if ((pHddCtx->kd_nl_init) && (!pHddCtx->ptt_pid)) +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2471/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2471/ANY/0001.patch new file mode 100644 index 00000000..18eed761 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2471/ANY/0001.patch 
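Review bot: The guard added to vos_log_submit() in CORE/VOSS/src/vos_diag.c passes pHddCtx to WLAN_HDD_IS_LOAD_UNLOAD_IN_PROGRESS() right after it is read out of the VOS context, with no NULL check on pVosContext or pHddCtx. The macro's definition is not in this hunk, but if it reads a field of the context, a load that failed before the HDD context was registered would fault here, which is the failure window the commit message describes. Checking pVosContext before the dereference and adding `if (NULL == pHddCtx) return;` ahead of the new block would cover that case. The body of vos_log_submit() starts and ends outside the hunk, so whether plog_hdr_ptr needs releasing on the early return has to be confirmed there.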
@@ -0,0 +1,43 @@ +From 2c8961821b7691a95cbf5ecc6996e8229d6d5303 Mon Sep 17 00:00:00 2001 +From: Arun Khandavalli +Date: Mon, 9 Nov 2015 10:28:18 +0530 +Subject: wlan: validate essid length before processing scan req + +Presently we are not validating the length of the essid received +and directly copying the buffer without size checking. +Perform bound checking before processing the scan req. + +Change-Id: I786e4feb67bf039df3d217138a412da54f51787d +CRs-fixed: 890228 +--- + CORE/HDD/src/wlan_hdd_scan.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/CORE/HDD/src/wlan_hdd_scan.c b/CORE/HDD/src/wlan_hdd_scan.c +index 8d3fa84..709fdec 100644 +--- a/CORE/HDD/src/wlan_hdd_scan.c ++++ b/CORE/HDD/src/wlan_hdd_scan.c +@@ -740,7 +740,8 @@ int __iw_set_scan(struct net_device *dev, struct iw_request_info *info, + + if (wrqu->data.flags & IW_SCAN_THIS_ESSID) { + +- if(scanReq->essid_len) { ++ if(scanReq->essid_len && ++ (scanReq->essid_len <= SIR_MAC_MAX_SSID_LENGTH)) { + scanRequest.SSIDs.numOfSSIDs = 1; + scanRequest.SSIDs.SSIDList =( tCsrSSIDInfo *)vos_mem_malloc(sizeof(tCsrSSIDInfo)); + if(scanRequest.SSIDs.SSIDList) { +@@ -754,6 +755,10 @@ int __iw_set_scan(struct net_device *dev, struct iw_request_info *info, + VOS_ASSERT(0); + } + } ++ else ++ { ++ hddLog(LOGE, FL("Invalid essid length : %d"), scanReq->essid_len); ++ } + } + + /* set min and max channel time */ +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2472/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2472/ANY/0001.patch new file mode 100644 index 00000000..ee065765 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2472/ANY/0001.patch 
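Review bot: In __iw_set_scan() the new `else` is attached to the combined condition, so it also runs when essid_len is 0 and logs "Invalid essid length : 0" at LOGE for a case the old code accepted silently. An over-long length is only logged: execution continues to the channel-time setup, so a request flagged IW_SCAN_THIS_ESSID presumably proceeds as a scan with no SSID filter instead of failing. Splitting the test, e.g. `else if (scanReq->essid_len > SIR_MAC_MAX_SSID_LENGTH)` followed by an error return, would keep the zero case quiet and reject the malformed request. The function body continues outside the hunk, so any cleanup needed before returning has to be checked there.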
@@ -0,0 +1,398 @@ +From 464c9c8a984c3a36f63b1625d7ab2a1c9eec9697 Mon Sep 17 00:00:00 2001 +From: Girish Gowli +Date: Mon, 9 Jun 2014 19:47:53 +0530 +Subject: wlan: Deprecate all WAPI ioctls + +ALL WAPI ioctls WLAN_PRIV_SET_WAPI_MODE, WLAN_PRIV_GET_WAPI_MODE +WLAN_PRIV_SET_WAPI_ASSOC_INFO, WLAN_PRIV_SET_WAPI_KEY, +WLAN_PRIV_SET_WAPI_BKID, WLAN_PRIV_GET_WAPI_BKID are not being +used, hence removing the source code related to all these ioctls + +Change-Id: I204cd579b4e29df7e995f30cc0aa8612bc7965ee +CRs-Fixed: 677410 +--- + CORE/HDD/src/wlan_hdd_wext.c | 347 +------------------------------------------ + 1 file changed, 6 insertions(+), 341 deletions(-) + +diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c +index 4af981f..8949474 100644 +--- a/CORE/HDD/src/wlan_hdd_wext.c ++++ b/CORE/HDD/src/wlan_hdd_wext.c +@@ -244,17 +244,12 @@ static const hdd_freq_chan_map_t freq_chan_map[] = { {2412, 1}, {2417, 2}, + #define WLAN_PRIV_DEL_TSPEC (SIOCIWFIRSTPRIV + 11) + #define WLAN_PRIV_GET_TSPEC (SIOCIWFIRSTPRIV + 13) + +-#ifdef FEATURE_WLAN_WAPI +-/* Private ioctls EVEN NO: SET, ODD NO:GET */ +-#define WLAN_PRIV_SET_WAPI_MODE (SIOCIWFIRSTPRIV + 8) +-#define WLAN_PRIV_GET_WAPI_MODE (SIOCIWFIRSTPRIV + 16) +-#define WLAN_PRIV_SET_WAPI_ASSOC_INFO (SIOCIWFIRSTPRIV + 10) +-#define WLAN_PRIV_SET_WAPI_KEY (SIOCIWFIRSTPRIV + 12) +-#define WLAN_PRIV_SET_WAPI_BKID (SIOCIWFIRSTPRIV + 14) +-#define WLAN_PRIV_GET_WAPI_BKID (SIOCIWFIRSTPRIV + 15) +-#define WAPI_PSK_AKM_SUITE 0x02721400 +-#define WAPI_CERT_AKM_SUITE 0x01721400 +-#endif ++/* (SIOCIWFIRSTPRIV + 8) is currently unused */ ++/* (SIOCIWFIRSTPRIV + 16) is currently unused */ ++/* (SIOCIWFIRSTPRIV + 10) is currently unused */ ++/* (SIOCIWFIRSTPRIV + 12) is currently unused */ ++/* (SIOCIWFIRSTPRIV + 14) is currently unused */ ++/* (SIOCIWFIRSTPRIV + 15) is currently unused */ + + #ifdef FEATURE_OEM_DATA_SUPPORT + /* Private ioctls for setting the measurement configuration */ +@@ -5797,290 +5792,6 @@ static int 
iw_get_tspec(struct net_device *dev, struct iw_request_info *info, + return 0; + } + +- +-#ifdef FEATURE_WLAN_WAPI +-static int iw_qcom_set_wapi_mode(struct net_device *dev, struct iw_request_info *info, +- union iwreq_data *wrqu, char *extra) +-{ +- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- hdd_wext_state_t *pWextState = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter); +- hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); +- tCsrRoamProfile *pRoamProfile = &pWextState->roamProfile; +- +- WAPI_FUNCTION_MODE *pWapiMode = (WAPI_FUNCTION_MODE *)extra; +- +- hddLog(LOG1, "The function iw_qcom_set_wapi_mode called"); +- hddLog(LOG1, "%s: Received data %s", __func__, extra); +- hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); +- hddLog(LOG1, "%s: Input Data (wreq) WAPI Mode:%02d", __func__, pWapiMode->wapiMode); +- +- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) +- { +- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL, +- "%s:LOGP in Progress. 
Ignore!!!", __func__); +- return -EBUSY; +- } +- +- if(WZC_ORIGINAL == pWapiMode->wapiMode) { +- hddLog(LOG1, "%s: WAPI Mode Set to OFF", __func__); +- /* Set Encryption mode to defualt , this allows next successfull non-WAPI Association */ +- pRoamProfile->EncryptionType.numEntries = 1; +- pRoamProfile->EncryptionType.encryptionType[0] = eCSR_ENCRYPT_TYPE_NONE; +- pRoamProfile->mcEncryptionType.numEntries = 1; +- pRoamProfile->mcEncryptionType.encryptionType[0] = eCSR_ENCRYPT_TYPE_NONE; +- +- pRoamProfile->AuthType.numEntries = 1; +- pHddStaCtx->conn_info.authType = eCSR_AUTH_TYPE_OPEN_SYSTEM; +- pRoamProfile->AuthType.authType[0] = pHddStaCtx->conn_info.authType; +- } +- else if(WAPI_EXTENTION == pWapiMode->wapiMode) { +- hddLog(LOG1, "%s: WAPI Mode Set to ON", __func__); +- } +- else +- return -EINVAL; +- +- pAdapter->wapi_info.nWapiMode = pWapiMode->wapiMode; +- +- return 0; +-} +- +-static int iw_qcom_get_wapi_mode(struct net_device *dev, struct iw_request_info *info, +- union iwreq_data *wrqu, char *extra) +-{ +- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- WAPI_FUNCTION_MODE *pWapiMode = (WAPI_FUNCTION_MODE *)(extra); +- +- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) +- { +- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL, +- "%s:LOGP in Progress. 
Ignore!!!", __func__); +- return -EBUSY; +- } +- hddLog(LOG1, "The function iw_qcom_get_wapi_mode called"); +- +- pWapiMode->wapiMode = pAdapter->wapi_info.nWapiMode; +- hddLog(LOG1, "%s: GET WAPI Mode Value:%02d", __func__, pWapiMode->wapiMode); +- return 0; +-} +- +-static int iw_qcom_set_wapi_assoc_info(struct net_device *dev, struct iw_request_info *info, +- union iwreq_data *wrqu, char *extra) +-{ +- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +-// WAPI_AssocInfo *pWapiAssocInfo = (WAPI_AssocInfo *)(wrqu->data.pointer); +- WAPI_AssocInfo *pWapiAssocInfo = (WAPI_AssocInfo *)(extra); +- int i = 0, j = 0; +- hddLog(LOG1, "The function iw_qcom_set_wapi_assoc_info called"); +- hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); +- hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra); +- +- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) +- { +- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL, +- "%s:LOGP in Progress. Ignore!!!", __func__); +- return -EBUSY; +- } +- +- if (NULL == pWapiAssocInfo) +- { +- VOS_TRACE(VOS_MODULE_ID_SYS, VOS_TRACE_LEVEL_ERROR, +- "%s: WDA NULL context", __func__); +- VOS_ASSERT(0); +- return VOS_STATUS_E_FAILURE; +- } +- +- hddLog(LOG1, "%s: INPUT DATA:\nElement ID:0x%02x Length:0x%02x Version:0x%04x",__func__,pWapiAssocInfo->elementID,pWapiAssocInfo->length,pWapiAssocInfo->version); +- hddLog(LOG1,"%s: akm Suite Cnt:0x%04x",__func__,pWapiAssocInfo->akmSuiteCount); +- for(i =0 ; i < 16 ; i++) +- hddLog(LOG1,"akm suite[%02d]:0x%08x",i,pWapiAssocInfo->akmSuite[i]); +- +- hddLog(LOG1,"%s: Unicast Suite Cnt:0x%04x",__func__,pWapiAssocInfo->unicastSuiteCount); +- for(i =0 ; i < 16 ; i++) +- hddLog(LOG1, "Unicast suite[%02d]:0x%08x",i,pWapiAssocInfo->unicastSuite[i]); +- +- hddLog(LOG1,"%s: Multicast suite:0x%08x Wapi capa:0x%04x",__func__,pWapiAssocInfo->multicastSuite,pWapiAssocInfo->wapiCability); +- hddLog(LOG1, "%s: BKID Cnt:0x%04x",__func__,pWapiAssocInfo->bkidCount); +- for(i = 0 ; i < 16 ; i++) 
{ +- hddLog(LOG1, "BKID List[%02d].bkid:0x",i); +- for(j = 0 ; j < 16 ; j++) +- hddLog(LOG1,"%02x",pWapiAssocInfo->bkidList[i].bkid[j]); +- } +- +- /* We are not using the entire IE as provided by the supplicant. +- * This is being calculated by SME. This is the same as in the +- * case of WPA. Only the auth mode information needs to be +- * extracted here*/ +- if ( pWapiAssocInfo->akmSuite[0] == WAPI_PSK_AKM_SUITE ) { +- hddLog(LOG1, "%s: WAPI AUTH MODE SET TO PSK",__func__); +- pAdapter->wapi_info.wapiAuthMode = WAPI_AUTH_MODE_PSK; +- } +- +- if ( pWapiAssocInfo->akmSuite[0] == WAPI_CERT_AKM_SUITE) { +- hddLog(LOG1, "%s: WAPI AUTH MODE SET TO CERTIFICATE",__func__); +- pAdapter->wapi_info.wapiAuthMode = WAPI_AUTH_MODE_CERT; +- } +- return 0; +-} +- +-static int iw_qcom_set_wapi_key(struct net_device *dev, struct iw_request_info *info, +- union iwreq_data *wrqu, char *extra) +-{ +- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); +- eHalStatus halStatus = eHAL_STATUS_SUCCESS; +- tANI_U32 roamId = 0xFF; +- tANI_U8 *pKeyPtr = NULL; +- v_BOOL_t isConnected = TRUE; +- tCsrRoamSetKey setKey; +- int i = 0; +- WLAN_WAPI_KEY *pWapiKey = (WLAN_WAPI_KEY *)(extra); +- +- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) +- { +- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL, +- "%s:LOGP in Progress. 
Ignore!!!", __func__); +- return -EBUSY; +- } +- +- hddLog(LOG1, "The function iw_qcom_set_wapi_key called "); +- hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); +- hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra); +- +- hddLog(LOG1,":%s: INPUT DATA:\nKey Type:0x%02x Key Direction:0x%02x KEY ID:0x%02x", __func__, pWapiKey->keyType, pWapiKey->keyDirection, pWapiKey->keyId); +- hddLog(LOG1,"Add Index:0x"); +- for(i =0 ; i < 12 ; i++) +- hddLog(LOG1,"%02x",pWapiKey->addrIndex[i]); +- +- hddLog(LOG1,"%s: WAPI ENCRYPTION KEY LENGTH:0x%04x", __func__,pWapiKey->wpiekLen); +- hddLog(LOG1, "WAPI ENCRYPTION KEY:0x"); +- for(i =0 ; i < 16 ; i++) +- hddLog(LOG1,"%02x",pWapiKey->wpiek[i]); +- +- hddLog(LOG1,"%s: WAPI INTEGRITY CHECK KEY LENGTH:0x%04x", __func__,pWapiKey->wpickLen); +- hddLog(LOG1,"WAPI INTEGRITY CHECK KEY:0x"); +- for(i =0 ; i < 16 ; i++) +- hddLog(LOG1,"%02x",pWapiKey->wpick[i]); +- +- hddLog(LOG1,"WAPI PN NUMBER:0x"); +- for(i = 0 ; i < 16 ; i++) +- hddLog(LOG1,"%02x",pWapiKey->pn[i]); +- +- // Clear the setkey memory +- vos_mem_zero(&setKey,sizeof(tCsrRoamSetKey)); +- // Store Key ID +- setKey.keyId = (unsigned char)( pWapiKey->keyId ); +- // SET WAPI Encryption +- setKey.encType = eCSR_ENCRYPT_TYPE_WPI; +- // Key Directionn both TX and RX +- setKey.keyDirection = eSIR_TX_RX; // Do WE NEED to update this based on Key Type as GRP/UNICAST?? +- // the PAE role +- setKey.paeRole = 0 ; +- +- switch ( pWapiKey->keyType ) +- { +- case PAIRWISE_KEY: +- { +- isConnected = hdd_connIsConnected(pHddStaCtx); +- vos_mem_copy(setKey.peerMac,&pHddStaCtx->conn_info.bssId,WNI_CFG_BSSID_LEN); +- break; +- } +- case GROUP_KEY: +- { +- vos_set_macaddr_broadcast( (v_MACADDR_t *)setKey.peerMac ); +- break; +- } +- default: +- { +- //Any other option is invalid. +- VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, +- "[%4d] %s() failed to Set Key. 
Invalid key type %d", __LINE__,__func__ , -1 ); +- +- hddLog(LOGE," %s: Error WAPI Key Add Type",__func__); +- halStatus = !eHAL_STATUS_SUCCESS; // NEED TO UPDATE THIS WITH CORRECT VALUE +- break; // NEED RETURN FROM HERE ???? +- } +- } +- +- // Concatenating the Encryption Key (EK) and the MIC key (CK): EK followed by CK +- setKey.keyLength = (v_U16_t)((pWapiKey->wpiekLen)+(pWapiKey->wpickLen)); +- pKeyPtr = setKey.Key; +- memcpy( pKeyPtr, pWapiKey->wpiek, pWapiKey->wpiekLen ); +- pKeyPtr += pWapiKey->wpiekLen; +- memcpy( pKeyPtr, pWapiKey->wpick, pWapiKey->wpickLen ); +- +- // Set the new key with SME. +- pHddStaCtx->roam_info.roamingState = HDD_ROAM_STATE_SETTING_KEY; +- +- if ( isConnected ) { +- halStatus = sme_RoamSetKey( WLAN_HDD_GET_HAL_CTX(pAdapter), pAdapter->sessionId, &setKey, &roamId ); +- if ( halStatus != eHAL_STATUS_SUCCESS ) +- { +- VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, +- "[%4d] sme_RoamSetKey returned ERROR status= %d", __LINE__, halStatus ); +- +- pHddStaCtx->roam_info.roamingState = HDD_ROAM_STATE_NONE; +- } +- } +-#if 0 /// NEED TO CHECK ON THIS +- else +- { +- // Store the keys in the adapter to be moved to the profile & passed to +- // SME in the ConnectRequest if we are not yet in connected state. 
+- memcpy( &pAdapter->setKey[ setKey.keyId ], &setKey, sizeof( setKey ) ); +- pAdapter->fKeySet[ setKey.keyId ] = TRUE; +- +- VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO_MED, +- " Saving key [idx= %d] to apply when moving to connected state ", +- setKey.keyId ); +- +- } +-#endif +- return halStatus; +-} +- +-static int iw_qcom_set_wapi_bkid(struct net_device *dev, struct iw_request_info *info, +- union iwreq_data *wrqu, char *extra) +-{ +- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +-#ifdef WLAN_DEBUG +- int i = 0; +- WLAN_BKID_LIST *pBkid = ( WLAN_BKID_LIST *) extra; +-#endif +- +- hddLog(LOG1, "The function iw_qcom_set_wapi_bkid called"); +- hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); +- hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra); +- +- hddLog(LOG1,"%s: INPUT DATA:\n BKID Length:0x%08x", __func__,pBkid->length); +- hddLog(LOG1,"%s: BKID Cnt:0x%04x", __func__, pBkid->BKIDCount); +- +- hddLog(LOG1,"BKID KEY LIST[0]:0x"); +- +- if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) +- { +- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL, +- "%s:LOGP in Progress. 
Ignore!!!", __func__); +- return -EBUSY; +- } +- +-#ifdef WLAN_DEBUG +- for(i =0 ; i < 16 ; i++) +- hddLog(LOG1,"%02x",pBkid->BKID[0].bkid[i]); +-#endif +- +- return 0; +-} +- +-static int iw_qcom_get_wapi_bkid(struct net_device *dev, struct iw_request_info *info, +- union iwreq_data *wrqu, char *extra) +-{ +- /* Yet to implement this function, 19th April 2010 */ +- hddLog(LOG1, "The function iw_qcom_get_wapi_bkid called "); +- +- return 0; +-} +-#endif /* FEATURE_WLAN_WAPI */ +- + #ifdef WLAN_FEATURE_VOWIFI_11R + // + // +@@ -7801,14 +7512,6 @@ static const iw_handler we_private[] = { + [WLAN_PRIV_GET_OEM_DATA_RSP - SIOCIWFIRSTPRIV] = iw_get_oem_data_rsp, //oem data req Specifc + #endif + +-#ifdef FEATURE_WLAN_WAPI +- [WLAN_PRIV_SET_WAPI_MODE - SIOCIWFIRSTPRIV] = iw_qcom_set_wapi_mode, +- [WLAN_PRIV_GET_WAPI_MODE - SIOCIWFIRSTPRIV] = iw_qcom_get_wapi_mode, +- [WLAN_PRIV_SET_WAPI_ASSOC_INFO - SIOCIWFIRSTPRIV] = iw_qcom_set_wapi_assoc_info, +- [WLAN_PRIV_SET_WAPI_KEY - SIOCIWFIRSTPRIV] = iw_qcom_set_wapi_key, +- [WLAN_PRIV_SET_WAPI_BKID - SIOCIWFIRSTPRIV] = iw_qcom_set_wapi_bkid, +- [WLAN_PRIV_GET_WAPI_BKID - SIOCIWFIRSTPRIV] = iw_qcom_get_wapi_bkid, +-#endif /* FEATURE_WLAN_WAPI */ + #ifdef WLAN_FEATURE_VOWIFI_11R + [WLAN_PRIV_SET_FTIES - SIOCIWFIRSTPRIV] = iw_set_fties, + #endif +@@ -8214,44 +7917,6 @@ static const struct iw_priv_args we_private_args[] = { + "get_oem_data_rsp" }, + #endif + +-#ifdef FEATURE_WLAN_WAPI +- /* handlers for main ioctl SET_WAPI_MODE */ +- { WLAN_PRIV_SET_WAPI_MODE, +- IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 1, +- 0, +- "SET_WAPI_MODE" }, +- +- /* handlers for main ioctl GET_WAPI_MODE */ +- { WLAN_PRIV_GET_WAPI_MODE, +- 0, +- IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 1, +- "GET_WAPI_MODE" }, +- +- /* handlers for main ioctl SET_ASSOC_INFO */ +- { WLAN_PRIV_SET_WAPI_ASSOC_INFO, +- IW_PRIV_TYPE_BYTE | IW_PRIV_SIZE_FIXED | 400, +- 0, +- "SET_WAPI_ASSOC" }, +- +- /* handlers for main ioctl SET_WAPI_KEY */ +- { WLAN_PRIV_SET_WAPI_KEY, +- 
IW_PRIV_TYPE_BYTE | IW_PRIV_SIZE_FIXED | 71, +- 0, +- "SET_WAPI_KEY" }, +- +- /* handlers for main ioctl SET_WAPI_BKID */ +- { WLAN_PRIV_SET_WAPI_BKID, +- IW_PRIV_TYPE_BYTE | IW_PRIV_SIZE_FIXED | 24, +- 0, +- "SET_WAPI_BKID" }, +- +- /* handlers for main ioctl GET_WAPI_BKID */ +- { WLAN_PRIV_GET_WAPI_BKID, +- 0, +- IW_PRIV_TYPE_BYTE | IW_PRIV_SIZE_FIXED | 24, +- "GET_WAPI_BKID" }, +-#endif /* FEATURE_WLAN_WAPI */ +- + /* handlers for main ioctl - host offload */ + { + WLAN_PRIV_SET_HOST_OFFLOAD, +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2473/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2473/ANY/0001.patch new file mode 100644 index 00000000..e7492a22 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2473/ANY/0001.patch 
@@ -0,0 +1,284 @@ +From 0273cba64b0436d481e09222a631a6acc274b96c Mon Sep 17 00:00:00 2001 +From: Arif Hussain +Date: Tue, 7 Jan 2014 20:58:29 -0800 +Subject: wlan: Fix ioctl copy issue + +Few IOCTL's SET command's uses ODD number, +so we cannot utilize kernel facility "extra". +We need to copy the user data in kernel buffer +using copy_from_user function. + +Change-Id: I550bf90fbbacb9d5ac4187ed423fca90fafccad1 +CRs-Fixed: 596898 +--- + CORE/HDD/src/wlan_hdd_wext.c | 146 +++++++++++++++++++++++++++++++++++++------ + 1 file changed, 127 insertions(+), 19 deletions(-) + +(limited to 'CORE/HDD/src/wlan_hdd_wext.c') + +diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c +index 55b2100..90df277 100644 +--- a/CORE/HDD/src/wlan_hdd_wext.c ++++ b/CORE/HDD/src/wlan_hdd_wext.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2012-2013, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2012-2014, The Linux Foundation. All rights reserved. + * + * Previously licensed under the ISC license by Qualcomm Atheros, Inc. + * +@@ -373,6 +373,56 @@ int wlan_hdd_set_filter(hdd_context_t *pHddCtx, tpPacketFilterCfg pRequest, + + /**--------------------------------------------------------------------------- + ++ \brief mem_alloc_copy_from_user_helper - ++ ++ Helper function to allocate buffer and copy user data. ++ ++ \param - wrqu - Pointer to IOCTL Data. ++ len - size ++ ++ \return - On Success pointer to buffer, On failure NULL ++ ++ --------------------------------------------------------------------------*/ ++static void *mem_alloc_copy_from_user_helper(const void *wrqu_data, size_t len) ++{ ++ u8 *ptr = NULL; ++ ++ /* in order to protect the code, an extra byte is post appended to the buffer ++ * and the null termination is added. However, when allocating (len+1) byte ++ * of memory, we need to make sure that there is no uint overflow when doing ++ * addition. In theory check len < UINT_MAX protects the uint overflow. 
For ++ * wlan private ioctl, the buffer size is much less than UINT_MAX, as a good ++ * guess, now, it is assumed that the private command buffer size is no ++ * greater than 4K (4096 bytes). So we use 4096 as the upper boundary for now. ++ */ ++ if (len > MAX_USER_COMMAND_SIZE) ++ { ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, ++ "Invalid length"); ++ return NULL; ++ } ++ ++ ptr = kmalloc(len + 1, GFP_KERNEL); ++ if (NULL == ptr) ++ { ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, ++ "unable to allocate memory"); ++ return NULL; ++ } ++ ++ if (copy_from_user(ptr, wrqu_data, len)) ++ { ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, ++ "%s: failed to copy data to user buffer", __func__); ++ kfree(ptr); ++ return NULL; ++ } ++ ptr[len] = '\0'; ++ return ptr; ++} ++ ++/**--------------------------------------------------------------------------- ++ + \brief hdd_wlan_get_version() - + + This function use to get Wlan Driver, Firmware, & Hardware Version. +@@ -4220,15 +4270,13 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in + VOS_STATUS vstatus; + int sub_cmd = wrqu->data.flags; + int ret = 0; /* success */ ++ char *pBuffer = NULL; + hdd_adapter_t *pAdapter = (netdev_priv(dev)); + hdd_context_t *pHddCtx = WLAN_HDD_GET_CTX(pAdapter); + #ifdef WLAN_FEATURE_VOWIFI + hdd_config_t *pConfig = pHddCtx->cfg_ini; + #endif /* WLAN_FEATURE_VOWIFI */ + +- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received length %d", __func__, wrqu->data.length); +- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received data %s", __func__, extra); +- + if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) + { + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL, +@@ -4236,15 +4284,30 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in + return -EBUSY; + } + ++ /* ODD number is used for set, copy data using copy_from_user */ ++ pBuffer = 
mem_alloc_copy_from_user_helper(wrqu->data.pointer, ++ wrqu->data.length); ++ if (NULL == pBuffer) ++ { ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, ++ "mem_alloc_copy_from_user_helper fail"); ++ return -ENOMEM; ++ } ++ ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, ++ "%s: Received length %d", __func__, wrqu->data.length); ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, ++ "%s: Received data %s", __func__, pBuffer); ++ + switch(sub_cmd) + { + case WE_WOWL_ADD_PTRN: + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "ADD_PTRN"); +- hdd_add_wowl_ptrn(pAdapter, extra); ++ hdd_add_wowl_ptrn(pAdapter, pBuffer); + break; + case WE_WOWL_DEL_PTRN: + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "DEL_PTRN"); +- hdd_del_wowl_ptrn(pAdapter, extra); ++ hdd_del_wowl_ptrn(pAdapter, pBuffer); + break; + #if defined WLAN_FEATURE_VOWIFI + case WE_NEIGHBOR_REPORT_REQUEST: +@@ -4259,7 +4322,7 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in + if( !neighborReq.no_ssid ) + { + neighborReq.ssid.length = (wrqu->data.length - 1) > 32 ? 
32 : (wrqu->data.length - 1) ; +- vos_mem_copy( neighborReq.ssid.ssId, extra, neighborReq.ssid.length ); ++ vos_mem_copy( neighborReq.ssid.ssId, pBuffer, neighborReq.ssid.length ); + } + + callbackInfo.neighborRspCallback = NULL; +@@ -4277,10 +4340,10 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in + #endif + case WE_SET_AP_WPS_IE: + hddLog( LOGE, "Received WE_SET_AP_WPS_IE" ); +- sme_updateP2pIe( WLAN_HDD_GET_HAL_CTX(pAdapter), extra, wrqu->data.length ); ++ sme_updateP2pIe( WLAN_HDD_GET_HAL_CTX(pAdapter), pBuffer, wrqu->data.length ); + break; + case WE_SET_CONFIG: +- vstatus = hdd_execute_config_command(pHddCtx, extra); ++ vstatus = hdd_execute_config_command(pHddCtx, pBuffer); + if (VOS_STATUS_SUCCESS != vstatus) + { + ret = -EINVAL; +@@ -4293,6 +4356,7 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in + break; + } + } ++ kfree(pBuffer); + return ret; + } + +@@ -5014,7 +5078,6 @@ int iw_set_var_ints_getnone(struct net_device *dev, struct iw_request_info *info + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); + tHalHandle hHal = WLAN_HDD_GET_HAL_CTX(pAdapter); + int sub_cmd = wrqu->data.flags; +- int *value = (int*)extra; + int apps_args[MAX_VAR_ARGS] = {0}; + int num_args = wrqu->data.length; + hdd_station_ctx_t *pStaCtx = NULL ; +@@ -5035,7 +5098,14 @@ int iw_set_var_ints_getnone(struct net_device *dev, struct iw_request_info *info + { + num_args = MAX_VAR_ARGS; + } +- vos_mem_copy(apps_args, value, (sizeof(int)) * num_args); ++ ++ /* ODD number is used for set, copy data using copy_from_user */ ++ if (copy_from_user(apps_args, wrqu->data.pointer, (sizeof(int)) * num_args)) ++ { ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, ++ "%s: failed to copy data to user buffer", __func__); ++ return -EFAULT; ++ } + + if(( sub_cmd == WE_MCC_CONFIG_CREDENTIAL ) || + (sub_cmd == WE_MCC_CONFIG_PARAMS )) +@@ -6377,9 +6447,23 @@ static int iw_set_packet_filter_params(struct net_device *dev, 
struct iw_request + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- tpPacketFilterCfg pRequest = (tpPacketFilterCfg) extra; ++ tpPacketFilterCfg pRequest = NULL; ++ int ret; + +- return wlan_hdd_set_filter(WLAN_HDD_GET_CTX(pAdapter), pRequest, pAdapter->sessionId); ++ /* ODD number is used for set, copy data using copy_from_user */ ++ pRequest = mem_alloc_copy_from_user_helper(wrqu->data.pointer, ++ wrqu->data.length); ++ if (NULL == pRequest) ++ { ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, ++ "mem_alloc_copy_from_user_helper fail"); ++ return -ENOMEM; ++ } ++ ++ ret = wlan_hdd_set_filter(WLAN_HDD_GET_CTX(pAdapter), pRequest, pAdapter->sessionId); ++ kfree(pRequest); ++ ++ return ret; + } + #endif + static int iw_get_statistics(struct net_device *dev, +@@ -7053,10 +7137,10 @@ static int iw_set_band_config(struct net_device *dev, + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- tANI_U8 *ptr = extra; ++ tANI_U8 *ptr = NULL; + int ret = 0; + +- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,"%s: ", __func__); ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: ", __func__); + + if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) + { +@@ -7065,23 +7149,47 @@ static int iw_set_band_config(struct net_device *dev, + return -EBUSY; + } + ++ /* ODD number is used for set, copy data using copy_from_user */ ++ ptr = mem_alloc_copy_from_user_helper(wrqu->data.pointer, ++ wrqu->data.length); ++ if (NULL == ptr) ++ { ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, ++ "mem_alloc_copy_from_user_helper fail"); ++ return -ENOMEM; ++ } ++ + if (memcmp(ptr, "SETBAND ", 8) == 0) + { + /* Change band request received */ + ret = hdd_setBand_helper(dev, ptr); +- return ret; +- + } +- return 0; ++ kfree(ptr); ++ ++ return ret; + } + + static int iw_set_power_params_priv(struct net_device *dev, + struct iw_request_info *info, + union iwreq_data *wrqu, char 
*extra) + { ++ int ret; ++ char *ptr; + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, + "Set power params Private"); +- return iw_set_power_params(dev,info,wrqu,extra,0); ++ /* ODD number is used for set, copy data using copy_from_user */ ++ ptr = mem_alloc_copy_from_user_helper(wrqu->data.pointer, ++ wrqu->data.length); ++ if (NULL == ptr) ++ { ++ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, ++ "mem_alloc_copy_from_user_helper fail"); ++ return -ENOMEM; ++ } ++ ++ ret = iw_set_power_params(dev, info, wrqu, ptr, 0); ++ kfree(ptr); ++ return ret; + } + + +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2474/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2474/ANY/0.patch deleted file mode 100644 index 8b4be440..00000000 --- a/Patches/Linux_CVEs/CVE-2016-2474/ANY/0.patch +++ /dev/null @@ -1,25 +0,0 @@ -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_main.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_main.c -index 06d1298..48488eda 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_main.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_main.c -@@ -5337,17 +5337,17 @@ - /*no argument followed by spaces*/ - if ('\0' == *inPtr) return -EINVAL; - -- /*getting the first argument ie measurement token*/ -+ /* Getting the first argument ie Number of IE fields */ - v = sscanf(inPtr, "%31s ", buf); - if (1 != v) return -EINVAL; - - v = kstrtos32(buf, 10, &tempInt); - if ( v < 0) return -EINVAL; - -+ tempInt = VOS_MIN(tempInt, SIR_ESE_MAX_MEAS_IE_REQS); - pEseBcnReq->numBcnReqIe = tempInt; - -- VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO_HIGH, -- "Number of Bcn Req Ie fields(%d)", pEseBcnReq->numBcnReqIe); -+ hddLog(LOG1, "Number of Bcn Req Ie fields: %d", pEseBcnReq->numBcnReqIe); - - for (j = 0; j < (pEseBcnReq->numBcnReqIe); j++) - { diff --git a/Patches/Linux_CVEs/CVE-2016-2474/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2016-2474/ANY/0.patch.base64 deleted file mode 100644 index 6d87917c..00000000 
--- a/Patches/Linux_CVEs/CVE-2016-2474/ANY/0.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-2474/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2474/ANY/0001.patch new file mode 100644 index 00000000..626ed25f --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2474/ANY/0001.patch @@ -0,0 +1,41 @@ +From d541aecce07c65fee3ad3a4d900016e4d22f2b3d Mon Sep 17 00:00:00 2001 +From: Karthik Jadala +Date: Wed, 4 May 2016 11:15:45 +0530 +Subject: qcacld-2.0: Fix buffer overwrite problem in CCXBEACONREQ + +Set the number of IE fields to minimum of input data and +SIR_ESE_MAX_MEAS_IE_REQS. +Change-Id: Ie53cfec7872ab69530bbb8932f9f9e85fb319f92 +CRs-Fixed: 993561 +--- + CORE/HDD/src/wlan_hdd_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c +index c3e3786..4d5a86c 100644 +--- a/CORE/HDD/src/wlan_hdd_main.c ++++ b/CORE/HDD/src/wlan_hdd_main.c +@@ -5530,17 +5530,17 @@ static VOS_STATUS hdd_parse_ese_beacon_req(tANI_U8 *pValue, + /*no argument followed by spaces*/ + if ('\0' == *inPtr) return -EINVAL; + +- /*getting the first argument ie measurement token*/ ++ /*getting the first argument ie Number of IE fields*/ + v = sscanf(inPtr, "%31s ", buf); + if (1 != v) return -EINVAL; + + v = kstrtos32(buf, 10, &tempInt); + if ( v < 0) return -EINVAL; + ++ tempInt = VOS_MIN(tempInt, SIR_ESE_MAX_MEAS_IE_REQS); + pEseBcnReq->numBcnReqIe = tempInt; + +- VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO_HIGH, +- "Number of Bcn Req Ie fields(%d)", pEseBcnReq->numBcnReqIe); ++ hddLog(LOG1, "Number of Bcn Req Ie fields: %d", pEseBcnReq->numBcnReqIe); + + for (j = 0; j < (pEseBcnReq->numBcnReqIe); j++) + { +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2474/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-2474/ANY/0002.patch new file mode 100644 index 00000000..9e47b371 --- /dev/null 
+++ b/Patches/Linux_CVEs/CVE-2016-2474/ANY/0002.patch 
@@ -0,0 +1,99 @@ +From 681c310490e49adc43065d1d11006c5a5dc43568 Mon Sep 17 00:00:00 2001 +From: Srinivas Girigowda +Date: Tue, 7 Jun 2016 08:51:34 -0700 +Subject: qcacld-2.0: Validate CCXBEACONREQ IE fields + +Validate CCXBEACONREQ IE fields. + +Change-Id: Ie64a642abdd7923e91801186aa5743094a739fc9 +CRs-Fixed: 1025185 +--- + CORE/HDD/src/wlan_hdd_main.c | 28 ++++++++++++++-------------- + 1 file changed, 14 insertions(+), 14 deletions(-) + +diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c +index b3e855a..bd5c69d 100644 +--- a/CORE/HDD/src/wlan_hdd_main.c ++++ b/CORE/HDD/src/wlan_hdd_main.c +@@ -4201,7 +4201,8 @@ static VOS_STATUS hdd_parse_ese_beacon_req(tANI_U8 *pValue, + tCsrEseBeaconReq *pEseBcnReq) + { + tANI_U8 *inPtr = pValue; +- int tempInt = 0; ++ uint8_t input = 0; ++ uint32_t tempInt = 0; + int j = 0, i = 0, v = 0; + char buf[32]; + +@@ -4224,11 +4225,11 @@ static VOS_STATUS hdd_parse_ese_beacon_req(tANI_U8 *pValue, + v = sscanf(inPtr, "%31s ", buf); + if (1 != v) return -EINVAL; + +- v = kstrtos32(buf, 10, &tempInt); ++ v = kstrtou8(buf, 10, &input); + if (v < 0) return -EINVAL; + +- tempInt = VOS_MIN(tempInt, SIR_ESE_MAX_MEAS_IE_REQS); +- pEseBcnReq->numBcnReqIe = tempInt; ++ input = VOS_MIN(input, SIR_ESE_MAX_MEAS_IE_REQS); ++ pEseBcnReq->numBcnReqIe = input; + + hddLog(LOG1, "Number of Bcn Req Ie fields: %d", pEseBcnReq->numBcnReqIe); + +@@ -4249,24 +4250,24 @@ static VOS_STATUS hdd_parse_ese_beacon_req(tANI_U8 *pValue, + v = sscanf(inPtr, "%31s ", buf); + if (1 != v) return -EINVAL; + +- v = kstrtos32(buf, 10, &tempInt); ++ v = kstrtou32(buf, 10, &tempInt); + if (v < 0) return -EINVAL; + + switch (i) { + case 0: /* Measurement token */ +- if (tempInt <= 0) { ++ if (!tempInt) { + VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, +- "Invalid Measurement Token(%d)", tempInt); ++ "Invalid Measurement Token: %d", tempInt); + return -EINVAL; + } + pEseBcnReq->bcnReq[j].measurementToken = tempInt; + break; + + case 1: /* Channel 
number */ +- if ((tempInt <= 0) || ++ if ((!tempInt) || + (tempInt > WNI_CFG_CURRENT_CHANNEL_STAMAX)) { + VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, +- "Invalid Channel Number(%d)", tempInt); ++ "Invalid Channel Number: %d", tempInt); + return -EINVAL; + } + pEseBcnReq->bcnReq[j].channel = tempInt; +@@ -4276,19 +4277,18 @@ static VOS_STATUS hdd_parse_ese_beacon_req(tANI_U8 *pValue, + if ((tempInt < eSIR_PASSIVE_SCAN) || + (tempInt > eSIR_BEACON_TABLE)) { + VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, +- "Invalid Scan Mode(%d) Expected{0|1|2}", tempInt); ++ "Invalid Scan Mode: %d Expected{0|1|2}", tempInt); + return -EINVAL; + } + pEseBcnReq->bcnReq[j].scanMode= tempInt; + break; + + case 3: /* Measurement duration */ +- if (((tempInt <= 0) && ++ if (((!tempInt) && + (pEseBcnReq->bcnReq[j].scanMode != eSIR_BEACON_TABLE)) || +- ((tempInt < 0) && +- (pEseBcnReq->bcnReq[j].scanMode == eSIR_BEACON_TABLE))) { ++ ((pEseBcnReq->bcnReq[j].scanMode == eSIR_BEACON_TABLE))) { + VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, +- "Invalid Measurement Duration(%d)", tempInt); ++ "Invalid Measurement Duration: %d", tempInt); + return -EINVAL; + } + pEseBcnReq->bcnReq[j].measurementDuration = tempInt; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2475/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2475/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2475/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-2475/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-2475/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2016-2475/ANY/0001.patch.base64 similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2475/ANY/0.patch.base64 rename to Patches/Linux_CVEs/CVE-2016-2475/ANY/0001.patch.base64 diff --git a/Patches/Linux_CVEs/CVE-2016-2477/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2477/ANY/0001.patch new file mode 100644 index 00000000..420fbeff --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2477/ANY/0001.patch 
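Review bot: In the `case 3` (measurement duration) check, dropping `(tempInt < 0) &&` leaves `(pEseBcnReq->bcnReq[j].scanMode == eSIR_BEACON_TABLE)` as a stand-alone disjunct, so every request whose scan mode is beacon-table is now rejected with -EINVAL whatever its duration. That fails closed, so it is a functional regression rather than a memory-safety problem, but it looks unintended. With `tempInt` now `uint32_t`, the condition could simply be `if ((!tempInt) && (pEseBcnReq->bcnReq[j].scanMode != eSIR_BEACON_TABLE)) {`. The trace calls still print the unsigned value with `%d`, where `%u` would match the new type. The inner hunks' context already contains the `VOS_MIN` clamp line, so this file applies only after 0001.patch, and hdd_parse_ese_beacon_req itself starts and ends outside the inner hunks.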
@@ -0,0 +1,116 @@ +diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp +index 3b84707..977aef2 100644 +--- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp ++++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp +@@ -4272,110 +4272,7 @@ + + DEBUG_PRINT_LOW("Set Config Called"); + +- if (configIndex == (OMX_INDEXTYPE)OMX_IndexVendorVideoExtraData) { +- OMX_VENDOR_EXTRADATATYPE *config = (OMX_VENDOR_EXTRADATATYPE *) configData; +- DEBUG_PRINT_LOW("Index OMX_IndexVendorVideoExtraData called"); +- if (!strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.avc") || +- !strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.mvc")) { +- DEBUG_PRINT_LOW("Index OMX_IndexVendorVideoExtraData AVC"); +- OMX_U32 extra_size; +- // Parsing done here for the AVC atom is definitely not generic +- // Currently this piece of code is working, but certainly +- // not tested with all .mp4 files. +- // Incase of failure, we might need to revisit this +- // for a generic piece of code. 
+- +- // Retrieve size of NAL length field +- // byte #4 contains the size of NAL lenght field +- nal_length = (config->pData[4] & 0x03) + 1; +- +- extra_size = 0; +- if (nal_length > 2) { +- /* Presently we assume that only one SPS and one PPS in AvC1 Atom */ +- extra_size = (nal_length - 2) * 2; +- } +- +- // SPS starts from byte #6 +- OMX_U8 *pSrcBuf = (OMX_U8 *) (&config->pData[6]); +- OMX_U8 *pDestBuf; +- m_vendor_config.nPortIndex = config->nPortIndex; +- +- // minus 6 --> SPS starts from byte #6 +- // minus 1 --> picture param set byte to be ignored from avcatom +- m_vendor_config.nDataSize = config->nDataSize - 6 - 1 + extra_size; +- m_vendor_config.pData = (OMX_U8 *) malloc(m_vendor_config.nDataSize); +- OMX_U32 len; +- OMX_U8 index = 0; +- // case where SPS+PPS is sent as part of set_config +- pDestBuf = m_vendor_config.pData; +- +- DEBUG_PRINT_LOW("Rxd SPS+PPS nPortIndex[%u] len[%u] data[%p]", +- (unsigned int)m_vendor_config.nPortIndex, +- (unsigned int)m_vendor_config.nDataSize, +- m_vendor_config.pData); +- while (index < 2) { +- uint8 *psize; +- len = *pSrcBuf; +- len = len << 8; +- len |= *(pSrcBuf + 1); +- psize = (uint8 *) & len; +- memcpy(pDestBuf + nal_length, pSrcBuf + 2,len); +- for (unsigned int i = 0; i < nal_length; i++) { +- pDestBuf[i] = psize[nal_length - 1 - i]; +- } +- //memcpy(pDestBuf,pSrcBuf,(len+2)); +- pDestBuf += len + nal_length; +- pSrcBuf += len + 2; +- index++; +- pSrcBuf++; // skip picture param set +- len = 0; +- } +- } else if (!strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.mpeg4") || +- !strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.mpeg2")) { +- m_vendor_config.nPortIndex = config->nPortIndex; +- m_vendor_config.nDataSize = config->nDataSize; +- m_vendor_config.pData = (OMX_U8 *) malloc((config->nDataSize)); +- memcpy(m_vendor_config.pData, config->pData,config->nDataSize); +- } else if (!strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.vc1")) { +- if (m_vendor_config.pData) { +- free(m_vendor_config.pData); +- 
m_vendor_config.pData = NULL; +- m_vendor_config.nDataSize = 0; +- } +- +- if (((*((OMX_U32 *) config->pData)) & +- VC1_SP_MP_START_CODE_MASK) == +- VC1_SP_MP_START_CODE) { +- DEBUG_PRINT_LOW("set_config - VC1 simple/main profile"); +- m_vendor_config.nPortIndex = config->nPortIndex; +- m_vendor_config.nDataSize = config->nDataSize; +- m_vendor_config.pData = +- (OMX_U8 *) malloc(config->nDataSize); +- memcpy(m_vendor_config.pData, config->pData, +- config->nDataSize); +- m_vc1_profile = VC1_SP_MP_RCV; +- } else if (*((OMX_U32 *) config->pData) == VC1_AP_SEQ_START_CODE) { +- DEBUG_PRINT_LOW("set_config - VC1 Advance profile"); +- m_vendor_config.nPortIndex = config->nPortIndex; +- m_vendor_config.nDataSize = config->nDataSize; +- m_vendor_config.pData = +- (OMX_U8 *) malloc((config->nDataSize)); +- memcpy(m_vendor_config.pData, config->pData, +- config->nDataSize); +- m_vc1_profile = VC1_AP; +- } else if ((config->nDataSize == VC1_STRUCT_C_LEN)) { +- DEBUG_PRINT_LOW("set_config - VC1 Simple/Main profile struct C only"); +- m_vendor_config.nPortIndex = config->nPortIndex; +- m_vendor_config.nDataSize = config->nDataSize; +- m_vendor_config.pData = (OMX_U8*)malloc(config->nDataSize); +- memcpy(m_vendor_config.pData,config->pData,config->nDataSize); +- m_vc1_profile = VC1_SP_MP_RCV; +- } else { +- DEBUG_PRINT_LOW("set_config - Error: Unknown VC1 profile"); +- } +- } +- return ret; +- } else if (configIndex == OMX_IndexConfigVideoNalSize) { ++ if (configIndex == OMX_IndexConfigVideoNalSize) { + struct v4l2_control temp; + temp.id = V4L2_CID_MPEG_VIDC_VIDEO_STREAM_FORMAT; + diff --git a/Patches/Linux_CVEs/CVE-2016-2477/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-2477/ANY/0001.patch.base64 new file mode 100644 index 00000000..d5f478b9 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2477/ANY/0001.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file 
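Review bot: The inner diff depends on CVE-2016-2480/ANY/0001.patch being applied first: its pre-image blob for `omx_vdec_msm8974.cpp` is `3b84707`, which is the post-image that patch produces (`index 19c1596..3b84707`), and the `@@ -4272,110 +4272,7 @@` offsets only line up after its insertions. Nothing in the file records that ordering, and unlike the CVE-2016-2474 patches it carries no `From`/`Subject`/`Change-Id` header, so its origin cannot be checked from the file itself. I would add a short header comment above the inner `diff --git` line naming the upstream change and the prerequisite patch. The removed `OMX_IndexVendorVideoExtraData` branch sits in a function whose start and end are outside the hunk, so whether any other path still fills `m_vendor_config` cannot be confirmed from here.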
diff --git a/Patches/Linux_CVEs/CVE-2016-2478/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2478/ANY/0001.patch
new file mode 100644
index 00000000..420fbeff
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-2478/ANY/0001.patch
@@ -0,0 +1,116 @@ +diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp +index 3b84707..977aef2 100644 +--- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp ++++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp +@@ -4272,110 +4272,7 @@ + + DEBUG_PRINT_LOW("Set Config Called"); + +- if (configIndex == (OMX_INDEXTYPE)OMX_IndexVendorVideoExtraData) { +- OMX_VENDOR_EXTRADATATYPE *config = (OMX_VENDOR_EXTRADATATYPE *) configData; +- DEBUG_PRINT_LOW("Index OMX_IndexVendorVideoExtraData called"); +- if (!strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.avc") || +- !strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.mvc")) { +- DEBUG_PRINT_LOW("Index OMX_IndexVendorVideoExtraData AVC"); +- OMX_U32 extra_size; +- // Parsing done here for the AVC atom is definitely not generic +- // Currently this piece of code is working, but certainly +- // not tested with all .mp4 files. +- // Incase of failure, we might need to revisit this +- // for a generic piece of code. 
+- +- // Retrieve size of NAL length field +- // byte #4 contains the size of NAL lenght field +- nal_length = (config->pData[4] & 0x03) + 1; +- +- extra_size = 0; +- if (nal_length > 2) { +- /* Presently we assume that only one SPS and one PPS in AvC1 Atom */ +- extra_size = (nal_length - 2) * 2; +- } +- +- // SPS starts from byte #6 +- OMX_U8 *pSrcBuf = (OMX_U8 *) (&config->pData[6]); +- OMX_U8 *pDestBuf; +- m_vendor_config.nPortIndex = config->nPortIndex; +- +- // minus 6 --> SPS starts from byte #6 +- // minus 1 --> picture param set byte to be ignored from avcatom +- m_vendor_config.nDataSize = config->nDataSize - 6 - 1 + extra_size; +- m_vendor_config.pData = (OMX_U8 *) malloc(m_vendor_config.nDataSize); +- OMX_U32 len; +- OMX_U8 index = 0; +- // case where SPS+PPS is sent as part of set_config +- pDestBuf = m_vendor_config.pData; +- +- DEBUG_PRINT_LOW("Rxd SPS+PPS nPortIndex[%u] len[%u] data[%p]", +- (unsigned int)m_vendor_config.nPortIndex, +- (unsigned int)m_vendor_config.nDataSize, +- m_vendor_config.pData); +- while (index < 2) { +- uint8 *psize; +- len = *pSrcBuf; +- len = len << 8; +- len |= *(pSrcBuf + 1); +- psize = (uint8 *) & len; +- memcpy(pDestBuf + nal_length, pSrcBuf + 2,len); +- for (unsigned int i = 0; i < nal_length; i++) { +- pDestBuf[i] = psize[nal_length - 1 - i]; +- } +- //memcpy(pDestBuf,pSrcBuf,(len+2)); +- pDestBuf += len + nal_length; +- pSrcBuf += len + 2; +- index++; +- pSrcBuf++; // skip picture param set +- len = 0; +- } +- } else if (!strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.mpeg4") || +- !strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.mpeg2")) { +- m_vendor_config.nPortIndex = config->nPortIndex; +- m_vendor_config.nDataSize = config->nDataSize; +- m_vendor_config.pData = (OMX_U8 *) malloc((config->nDataSize)); +- memcpy(m_vendor_config.pData, config->pData,config->nDataSize); +- } else if (!strcmp(drv_ctx.kind, "OMX.qcom.video.decoder.vc1")) { +- if (m_vendor_config.pData) { +- free(m_vendor_config.pData); +- 
m_vendor_config.pData = NULL; +- m_vendor_config.nDataSize = 0; +- } +- +- if (((*((OMX_U32 *) config->pData)) & +- VC1_SP_MP_START_CODE_MASK) == +- VC1_SP_MP_START_CODE) { +- DEBUG_PRINT_LOW("set_config - VC1 simple/main profile"); +- m_vendor_config.nPortIndex = config->nPortIndex; +- m_vendor_config.nDataSize = config->nDataSize; +- m_vendor_config.pData = +- (OMX_U8 *) malloc(config->nDataSize); +- memcpy(m_vendor_config.pData, config->pData, +- config->nDataSize); +- m_vc1_profile = VC1_SP_MP_RCV; +- } else if (*((OMX_U32 *) config->pData) == VC1_AP_SEQ_START_CODE) { +- DEBUG_PRINT_LOW("set_config - VC1 Advance profile"); +- m_vendor_config.nPortIndex = config->nPortIndex; +- m_vendor_config.nDataSize = config->nDataSize; +- m_vendor_config.pData = +- (OMX_U8 *) malloc((config->nDataSize)); +- memcpy(m_vendor_config.pData, config->pData, +- config->nDataSize); +- m_vc1_profile = VC1_AP; +- } else if ((config->nDataSize == VC1_STRUCT_C_LEN)) { +- DEBUG_PRINT_LOW("set_config - VC1 Simple/Main profile struct C only"); +- m_vendor_config.nPortIndex = config->nPortIndex; +- m_vendor_config.nDataSize = config->nDataSize; +- m_vendor_config.pData = (OMX_U8*)malloc(config->nDataSize); +- memcpy(m_vendor_config.pData,config->pData,config->nDataSize); +- m_vc1_profile = VC1_SP_MP_RCV; +- } else { +- DEBUG_PRINT_LOW("set_config - Error: Unknown VC1 profile"); +- } +- } +- return ret; +- } else if (configIndex == OMX_IndexConfigVideoNalSize) { ++ if (configIndex == OMX_IndexConfigVideoNalSize) { + struct v4l2_control temp; + temp.id = V4L2_CID_MPEG_VIDC_VIDEO_STREAM_FORMAT; + diff --git a/Patches/Linux_CVEs/CVE-2016-2478/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-2478/ANY/0001.patch.base64 new file mode 100644 index 00000000..d5f478b9 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2478/ANY/0001.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file 
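Review bot: CVE-2016-2478/ANY/0001.patch is byte-for-byte the file added under CVE-2016-2477 (both new blobs are `420fbeff`), so whichever copy is applied second finds the `OMX_IndexVendorVideoExtraData` branch already gone and will fail or be reported as reversed. The script that walks these directories needs to treat "already applied" as success, or one CVE directory should reference the other instead of carrying a copy. Like that copy, this one applies only on top of CVE-2016-2480/ANY/0001.patch, whose post-image blob `3b84707` is this diff's pre-image. It also has no commit header, so the link between the two CVE ids and the single upstream change is not recorded in the file.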
diff --git a/Patches/Linux_CVEs/CVE-2016-2480/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2480/ANY/0001.patch
new file mode 100644
index 00000000..ad8516e6
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-2480/ANY/0001.patch
@@ -0,0 +1,1138 @@ +diff --git a/mm-core/inc/OMX_QCOMExtns.h b/mm-core/inc/OMX_QCOMExtns.h +index f0e1593..eb1b990 100644 +--- a/mm-core/inc/OMX_QCOMExtns.h ++++ b/mm-core/inc/OMX_QCOMExtns.h +@@ -1,5 +1,5 @@ + /*-------------------------------------------------------------------------- +-Copyright (c) 2009-2015, The Linux Foundation. All rights reserved. ++Copyright (c) 2009-2016, The Linux Foundation. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: +@@ -1348,6 +1348,8 @@ + } QOMX_VIDEO_QUERY_DECODER_INSTANCES; + + typedef struct QOMX_ENABLETYPE { ++ OMX_U32 nSize; ++ OMX_VERSIONTYPE nVersion; + OMX_BOOL bEnable; + } QOMX_ENABLETYPE; + +@@ -1451,6 +1453,8 @@ + + + typedef struct QOMX_RECTTYPE { ++ OMX_U32 nSize; ++ OMX_VERSIONTYPE nVersion; + OMX_S32 nLeft; + OMX_S32 nTop; + OMX_U32 nWidth; +@@ -1551,7 +1555,6 @@ + QOMX_VIDEO_HIERARCHICALCODINGTYPE eHierarchicalCodingType; + } QOMX_VIDEO_HIERARCHICALLAYERS; + +- + #ifdef __cplusplus + } + #endif /* __cplusplus */ +diff --git a/mm-video-v4l2/vidc/common/inc/vidc_debug.h b/mm-video-v4l2/vidc/common/inc/vidc_debug.h +index d7a158c..0ce747c 100755 +--- a/mm-video-v4l2/vidc/common/inc/vidc_debug.h ++++ b/mm-video-v4l2/vidc/common/inc/vidc_debug.h +@@ -1,5 +1,5 @@ + /*-------------------------------------------------------------------------- +-Copyright (c) 2013, The Linux Foundation. All rights reserved. ++Copyright (c) 2013 - 2016, The Linux Foundation. All rights reserved. 
+ + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: +@@ -64,4 +64,15 @@ + #define DEBUG_PRINT_HIGH printf + #endif + ++#define VALIDATE_OMX_PARAM_DATA(ptr, paramType) \ ++ { \ ++ if (ptr == NULL) { return OMX_ErrorBadParameter; } \ ++ paramType *p = reinterpret_cast(ptr); \ ++ if (p->nSize < sizeof(paramType)) { \ ++ ALOGE("Insufficient object size(%u) v/s expected(%zu) for type %s",\ ++ (unsigned int)p->nSize, sizeof(paramType), #paramType); \ ++ return OMX_ErrorBadParameter; \ ++ } \ ++ } \ ++ + #endif +diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp +index 19c1596..3b84707 100644 +--- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp ++++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp +@@ -2979,6 +2979,7 @@ + } + switch ((unsigned long)paramIndex) { + case OMX_IndexParamPortDefinition: { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_PORTDEFINITIONTYPE); + OMX_PARAM_PORTDEFINITIONTYPE *portDefn = + (OMX_PARAM_PORTDEFINITIONTYPE *) paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamPortDefinition"); +@@ -2988,23 +2989,25 @@ + break; + } + case OMX_IndexParamVideoInit: { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PORT_PARAM_TYPE); + OMX_PORT_PARAM_TYPE *portParamType = + (OMX_PORT_PARAM_TYPE *) paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoInit"); + + portParamType->nVersion.nVersion = OMX_SPEC_VERSION; +- portParamType->nSize = sizeof(portParamType); ++ portParamType->nSize = sizeof(OMX_PORT_PARAM_TYPE); + portParamType->nPorts = 2; + portParamType->nStartPortNumber = 0; + break; + } + case OMX_IndexParamVideoPortFormat: { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PORTFORMATTYPE); + OMX_VIDEO_PARAM_PORTFORMATTYPE *portFmt = + (OMX_VIDEO_PARAM_PORTFORMATTYPE *)paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoPortFormat"); + + 
portFmt->nVersion.nVersion = OMX_SPEC_VERSION; +- portFmt->nSize = sizeof(portFmt); ++ portFmt->nSize = sizeof(OMX_VIDEO_PARAM_PORTFORMATTYPE); + + if (0 == portFmt->nPortIndex) { + if (0 == portFmt->nIndex) { +@@ -3046,22 +3049,24 @@ + } + /*Component should support this port definition*/ + case OMX_IndexParamAudioInit: { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PORT_PARAM_TYPE); + OMX_PORT_PARAM_TYPE *audioPortParamType = + (OMX_PORT_PARAM_TYPE *) paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamAudioInit"); + audioPortParamType->nVersion.nVersion = OMX_SPEC_VERSION; +- audioPortParamType->nSize = sizeof(audioPortParamType); ++ audioPortParamType->nSize = sizeof(OMX_PORT_PARAM_TYPE); + audioPortParamType->nPorts = 0; + audioPortParamType->nStartPortNumber = 0; + break; + } + /*Component should support this port definition*/ + case OMX_IndexParamImageInit: { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PORT_PARAM_TYPE); + OMX_PORT_PARAM_TYPE *imagePortParamType = + (OMX_PORT_PARAM_TYPE *) paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamImageInit"); + imagePortParamType->nVersion.nVersion = OMX_SPEC_VERSION; +- imagePortParamType->nSize = sizeof(imagePortParamType); ++ imagePortParamType->nSize = sizeof(OMX_PORT_PARAM_TYPE); + imagePortParamType->nPorts = 0; + imagePortParamType->nStartPortNumber = 0; + break; +@@ -3075,6 +3080,7 @@ + break; + } + case OMX_IndexParamStandardComponentRole: { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_COMPONENTROLETYPE); + OMX_PARAM_COMPONENTROLETYPE *comp_role; + comp_role = (OMX_PARAM_COMPONENTROLETYPE *) paramData; + comp_role->nVersion.nVersion = OMX_SPEC_VERSION; +@@ -3088,22 +3094,23 @@ + } + /* Added for parameter test */ + case OMX_IndexParamPriorityMgmt: { +- ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PRIORITYMGMTTYPE); + OMX_PRIORITYMGMTTYPE *priorityMgmType = + (OMX_PRIORITYMGMTTYPE *) paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamPriorityMgmt"); + priorityMgmType->nVersion.nVersion = 
OMX_SPEC_VERSION; +- priorityMgmType->nSize = sizeof(priorityMgmType); ++ priorityMgmType->nSize = sizeof(OMX_PRIORITYMGMTTYPE); + + break; + } + /* Added for parameter test */ + case OMX_IndexParamCompBufferSupplier: { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_BUFFERSUPPLIERTYPE); + OMX_PARAM_BUFFERSUPPLIERTYPE *bufferSupplierType = + (OMX_PARAM_BUFFERSUPPLIERTYPE*) paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamCompBufferSupplier"); + +- bufferSupplierType->nSize = sizeof(bufferSupplierType); ++ bufferSupplierType->nSize = sizeof(OMX_PARAM_BUFFERSUPPLIERTYPE); + bufferSupplierType->nVersion.nVersion = OMX_SPEC_VERSION; + if (0 == bufferSupplierType->nPortIndex) + bufferSupplierType->nPortIndex = OMX_BufferSupplyUnspecified; +@@ -3141,6 +3148,7 @@ + break; + } + case OMX_IndexParamVideoProfileLevelQuerySupported: { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PROFILELEVELTYPE); + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoProfileLevelQuerySupported %08x", paramIndex); + OMX_VIDEO_PARAM_PROFILELEVELTYPE *profileLevelType = + (OMX_VIDEO_PARAM_PROFILELEVELTYPE *)paramData; +@@ -3149,6 +3157,7 @@ + } + #if defined (_ANDROID_HONEYCOMB_) || defined (_ANDROID_ICS_) + case OMX_GoogleAndroidIndexGetAndroidNativeBufferUsage: { ++ VALIDATE_OMX_PARAM_DATA(paramData, GetAndroidNativeBufferUsageParams); + DEBUG_PRINT_LOW("get_parameter: OMX_GoogleAndroidIndexGetAndroidNativeBufferUsage"); + GetAndroidNativeBufferUsageParams* nativeBuffersUsage = (GetAndroidNativeBufferUsageParams *) paramData; + if (nativeBuffersUsage->nPortIndex == OMX_CORE_OUTPUT_PORT_INDEX) { +@@ -3172,6 +3181,7 @@ + #ifdef FLEXYUV_SUPPORTED + case OMX_QcomIndexFlexibleYUVDescription: { + DEBUG_PRINT_LOW("get_parameter: describeColorFormat"); ++ VALIDATE_OMX_PARAM_DATA(paramData, DescribeColorFormatParams); + eRet = describeColorFormat(paramData); + break; + } +@@ -3282,6 +3292,7 @@ + } + switch ((unsigned long)paramIndex) { + case OMX_IndexParamPortDefinition: { ++ 
VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_PORTDEFINITIONTYPE); + OMX_PARAM_PORTDEFINITIONTYPE *portDefn; + portDefn = (OMX_PARAM_PORTDEFINITIONTYPE *) paramData; + //TODO: Check if any allocate buffer/use buffer/useNativeBuffer has +@@ -3525,6 +3536,7 @@ + } + break; + case OMX_IndexParamVideoPortFormat: { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PORTFORMATTYPE); + OMX_VIDEO_PARAM_PORTFORMATTYPE *portFmt = + (OMX_VIDEO_PARAM_PORTFORMATTYPE *)paramData; + int ret=0; +@@ -3571,6 +3583,7 @@ + break; + + case OMX_QcomIndexPortDefn: { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_PARAM_PORTDEFINITIONTYPE); + OMX_QCOM_PARAM_PORTDEFINITIONTYPE *portFmt = + (OMX_QCOM_PARAM_PORTDEFINITIONTYPE *) paramData; + DEBUG_PRINT_LOW("set_parameter: OMX_IndexQcomParamPortDefinitionType %u", +@@ -3617,6 +3630,7 @@ + break; + + case OMX_IndexParamStandardComponentRole: { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_COMPONENTROLETYPE); + OMX_PARAM_COMPONENTROLETYPE *comp_role; + comp_role = (OMX_PARAM_COMPONENTROLETYPE *) paramData; + DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamStandardComponentRole %s", +@@ -3707,6 +3721,7 @@ + } + + case OMX_IndexParamPriorityMgmt: { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PRIORITYMGMTTYPE); + if (m_state != OMX_StateLoaded) { + DEBUG_PRINT_ERROR("Set Parameter called in Invalid State"); + return OMX_ErrorIncorrectStateOperation; +@@ -3725,6 +3740,7 @@ + } + + case OMX_IndexParamCompBufferSupplier: { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_BUFFERSUPPLIERTYPE); + OMX_PARAM_BUFFERSUPPLIERTYPE *bufferSupplierType = (OMX_PARAM_BUFFERSUPPLIERTYPE*) paramData; + DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamCompBufferSupplier %d", + bufferSupplierType->eBufferSupplier); +@@ -3764,6 +3780,7 @@ + break; + } + case OMX_QcomIndexParamVideoDecoderPictureOrder: { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_VIDEO_DECODER_PICTURE_ORDER); + QOMX_VIDEO_DECODER_PICTURE_ORDER *pictureOrder = + (QOMX_VIDEO_DECODER_PICTURE_ORDER 
*)paramData; + struct v4l2_control control; +@@ -3789,42 +3806,52 @@ + break; + } + case OMX_QcomIndexParamConcealMBMapExtraData: ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE); + eRet = enable_extradata(VDEC_EXTRADATA_MB_ERROR_MAP, false, + ((QOMX_ENABLETYPE *)paramData)->bEnable); + break; + case OMX_QcomIndexParamFrameInfoExtraData: ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE); + eRet = enable_extradata(OMX_FRAMEINFO_EXTRADATA, false, + ((QOMX_ENABLETYPE *)paramData)->bEnable); + break; + case OMX_ExtraDataFrameDimension: ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE); + eRet = enable_extradata(OMX_FRAMEDIMENSION_EXTRADATA, false, + ((QOMX_ENABLETYPE *)paramData)->bEnable); + break; + case OMX_QcomIndexParamInterlaceExtraData: ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE); + eRet = enable_extradata(OMX_INTERLACE_EXTRADATA, false, + ((QOMX_ENABLETYPE *)paramData)->bEnable); + break; + case OMX_QcomIndexParamH264TimeInfo: ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE); + eRet = enable_extradata(OMX_TIMEINFO_EXTRADATA, false, + ((QOMX_ENABLETYPE *)paramData)->bEnable); + break; + case OMX_QcomIndexParamVideoFramePackingExtradata: ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE); + eRet = enable_extradata(OMX_FRAMEPACK_EXTRADATA, false, + ((QOMX_ENABLETYPE *)paramData)->bEnable); + break; + case OMX_QcomIndexParamVideoQPExtraData: ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE); + eRet = enable_extradata(OMX_QP_EXTRADATA, false, + ((QOMX_ENABLETYPE *)paramData)->bEnable); + break; + case OMX_QcomIndexParamVideoInputBitsInfoExtraData: ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE); + eRet = enable_extradata(OMX_BITSINFO_EXTRADATA, false, + ((QOMX_ENABLETYPE *)paramData)->bEnable); + break; + case OMX_QcomIndexEnableExtnUserData: ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE); + eRet = enable_extradata(OMX_EXTNUSER_EXTRADATA, false, + ((QOMX_ENABLETYPE *)paramData)->bEnable); + break; + case 
OMX_QcomIndexParamMpeg2SeqDispExtraData: ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_ENABLETYPE); + eRet = enable_extradata(OMX_MPEG2SEQDISP_EXTRADATA, false, + ((QOMX_ENABLETYPE *)paramData)->bEnable); + break; +@@ -3833,6 +3860,7 @@ + } + break; + case OMX_QcomIndexPlatformPvt: { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_PLATFORMPRIVATE_EXTN); + DEBUG_PRINT_HIGH("set_parameter: OMX_QcomIndexPlatformPvt OP Port"); + OMX_QCOM_PLATFORMPRIVATE_EXTN* entryType = (OMX_QCOM_PLATFORMPRIVATE_EXTN *) paramData; + if (entryType->type != OMX_QCOM_PLATFORM_PRIVATE_PMEM) { +@@ -3883,6 +3911,7 @@ + break; + + case OMX_QcomIndexParamIndexExtraDataType: { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_INDEXEXTRADATATYPE); + QOMX_INDEXEXTRADATATYPE *extradataIndexType = (QOMX_INDEXEXTRADATATYPE *) paramData; + if ((extradataIndexType->nIndex == OMX_IndexParamPortDefinition) && + (extradataIndexType->bEnabled == OMX_TRUE) && +@@ -3906,6 +3935,7 @@ + * state. This is ANDROID architecture which is not in sync + * with openmax standard. 
*/ + case OMX_GoogleAndroidIndexEnableAndroidNativeBuffers: { ++ VALIDATE_OMX_PARAM_DATA(paramData, EnableAndroidNativeBuffersParams); + EnableAndroidNativeBuffersParams* enableNativeBuffers = (EnableAndroidNativeBuffersParams *) paramData; + if (enableNativeBuffers) { + m_enable_android_native_buffers = enableNativeBuffers->enable; +@@ -3922,11 +3952,13 @@ + } + break; + case OMX_GoogleAndroidIndexUseAndroidNativeBuffer: { ++ VALIDATE_OMX_PARAM_DATA(paramData, UseAndroidNativeBufferParams); + eRet = use_android_native_buffer(hComp, paramData); + } + break; + #endif + case OMX_QcomIndexParamEnableTimeStampReorder: { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_INDEXTIMESTAMPREORDER); + QOMX_INDEXTIMESTAMPREORDER *reorder = (QOMX_INDEXTIMESTAMPREORDER *)paramData; + if (drv_ctx.picture_order == (vdec_output_order)QOMX_VIDEO_DISPLAY_ORDER) { + if (reorder->bEnable == OMX_TRUE) { +@@ -3943,6 +3975,7 @@ + } + break; + case OMX_IndexParamVideoProfileLevelCurrent: { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PROFILELEVELTYPE); + OMX_VIDEO_PARAM_PROFILELEVELTYPE* pParam = + (OMX_VIDEO_PARAM_PROFILELEVELTYPE*)paramData; + if (pParam) { +@@ -3954,6 +3987,7 @@ + } + case OMX_QcomIndexParamVideoMetaBufferMode: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, StoreMetaDataInBuffersParams); + StoreMetaDataInBuffersParams *metabuffer = + (StoreMetaDataInBuffersParams *)paramData; + if (!metabuffer) { +@@ -3996,6 +4030,7 @@ + } + case OMX_QcomIndexParamVideoDownScalar: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_INDEXDOWNSCALAR); + QOMX_INDEXDOWNSCALAR* pParam = (QOMX_INDEXDOWNSCALAR*)paramData; + struct v4l2_control control; + int rc; +@@ -4024,6 +4059,7 @@ + #ifdef ADAPTIVE_PLAYBACK_SUPPORTED + case OMX_QcomIndexParamVideoAdaptivePlaybackMode: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, PrepareForAdaptivePlaybackParams); + DEBUG_PRINT_LOW("set_parameter: OMX_GoogleAndroidIndexPrepareForAdaptivePlayback"); + PrepareForAdaptivePlaybackParams* pParams = + 
(PrepareForAdaptivePlaybackParams *) paramData; +@@ -4052,6 +4088,7 @@ + #endif + case OMX_QcomIndexParamVideoCustomBufferSize: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_VIDEO_CUSTOM_BUFFERSIZE); + DEBUG_PRINT_LOW("set_parameter: OMX_QcomIndexParamVideoCustomBufferSize"); + QOMX_VIDEO_CUSTOM_BUFFERSIZE* pParam = (QOMX_VIDEO_CUSTOM_BUFFERSIZE*)paramData; + if (pParam->nPortIndex == OMX_CORE_INPUT_PORT_INDEX) { +@@ -4115,6 +4152,7 @@ + + switch ((unsigned long)configIndex) { + case OMX_QcomIndexConfigInterlaced: { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_QCOM_CONFIG_INTERLACETYPE); + OMX_QCOM_CONFIG_INTERLACETYPE *configFmt = + (OMX_QCOM_CONFIG_INTERLACETYPE *) configData; + if (configFmt->nPortIndex == 1) { +@@ -4140,6 +4178,7 @@ + break; + } + case OMX_QcomIndexQueryNumberOfVideoDecInstance: { ++ VALIDATE_OMX_PARAM_DATA(configData, QOMX_VIDEO_QUERY_DECODER_INSTANCES); + QOMX_VIDEO_QUERY_DECODER_INSTANCES *decoderinstances = + (QOMX_VIDEO_QUERY_DECODER_INSTANCES*)configData; + decoderinstances->nNumOfInstances = 16; +@@ -4148,6 +4187,7 @@ + } + case OMX_QcomIndexConfigVideoFramePackingArrangement: { + if (drv_ctx.decoder_format == VDEC_CODECTYPE_H264) { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_QCOM_FRAME_PACK_ARRANGEMENT); + OMX_QCOM_FRAME_PACK_ARRANGEMENT *configFmt = + (OMX_QCOM_FRAME_PACK_ARRANGEMENT *) configData; + memcpy(configFmt, &m_frame_pack_arrangement, +@@ -4158,6 +4198,7 @@ + break; + } + case OMX_IndexConfigCommonOutputCrop: { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_CONFIG_RECTTYPE); + OMX_CONFIG_RECTTYPE *rect = (OMX_CONFIG_RECTTYPE *) configData; + memcpy(rect, &rectangle, sizeof(OMX_CONFIG_RECTTYPE)); + DEBUG_PRINT_HIGH("get_config: crop info: L: %u, T: %u, R: %u, B: %u", +@@ -4166,6 +4207,7 @@ + break; + } + case OMX_QcomIndexConfigPerfLevel: { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_QCOM_VIDEO_CONFIG_PERF_LEVEL); + struct v4l2_control control; + OMX_QCOM_VIDEO_CONFIG_PERF_LEVEL *perf = + (OMX_QCOM_VIDEO_CONFIG_PERF_LEVEL 
*)configData; +@@ -4191,7 +4233,7 @@ + } + + break; +- } ++ } + default: { + DEBUG_PRINT_ERROR("get_config: unknown param %d",configIndex); + eRet = OMX_ErrorBadParameter; +@@ -4337,6 +4379,7 @@ + struct v4l2_control temp; + temp.id = V4L2_CID_MPEG_VIDC_VIDEO_STREAM_FORMAT; + ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_VIDEO_CONFIG_NALSIZE); + pNal = reinterpret_cast < OMX_VIDEO_CONFIG_NALSIZE * >(configData); + switch (pNal->nNaluBytes) { + case 0: +@@ -8752,7 +8795,7 @@ + } + DEBUG_PRINT_LOW("omx_vdec::update_portdef"); + portDefn->nVersion.nVersion = OMX_SPEC_VERSION; +- portDefn->nSize = sizeof(portDefn); ++ portDefn->nSize = sizeof(OMX_PARAM_PORTDEFINITIONTYPE); + portDefn->eDomain = OMX_PortDomainVideo; + if (drv_ctx.frame_rate.fps_denominator > 0) + portDefn->format.video.xFramerate = (drv_ctx.frame_rate.fps_numerator / +diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp +index 7f0482f..1aee2c1 100644 +--- a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp ++++ b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp +@@ -84,6 +84,8 @@ + + typedef struct OMXComponentCapabilityFlagsType { + ////////////////// OMX COMPONENT CAPABILITY RELATED MEMBERS ++ OMX_U32 nSize; ++ OMX_VERSIONTYPE nVersion; + OMX_BOOL iIsOMXComponentMultiThreaded; + OMX_BOOL iOMXComponentSupportsExternalOutputBufferAlloc; + OMX_BOOL iOMXComponentSupportsExternalInputBufferAlloc; +@@ -1443,6 +1445,7 @@ + switch ((int)paramIndex) { + case OMX_IndexParamPortDefinition: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_PORTDEFINITIONTYPE); + OMX_PARAM_PORTDEFINITIONTYPE *portDefn; + portDefn = (OMX_PARAM_PORTDEFINITIONTYPE *) paramData; + +@@ -1484,6 +1487,7 @@ + } + case OMX_IndexParamVideoInit: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PORT_PARAM_TYPE); + OMX_PORT_PARAM_TYPE *portParamType = + (OMX_PORT_PARAM_TYPE *) paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoInit"); +@@ -1493,6 +1497,7 @@ + } + case 
OMX_IndexParamVideoPortFormat: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PORTFORMATTYPE); + OMX_VIDEO_PARAM_PORTFORMATTYPE *portFmt = + (OMX_VIDEO_PARAM_PORTFORMATTYPE *)paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoPortFormat"); +@@ -1527,6 +1532,7 @@ + } + case OMX_IndexParamVideoBitrate: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_BITRATETYPE); + OMX_VIDEO_PARAM_BITRATETYPE* pParam = (OMX_VIDEO_PARAM_BITRATETYPE*)paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoBitrate"); + +@@ -1541,6 +1547,7 @@ + } + case OMX_IndexParamVideoMpeg4: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_MPEG4TYPE); + OMX_VIDEO_PARAM_MPEG4TYPE* pParam = (OMX_VIDEO_PARAM_MPEG4TYPE*)paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoMpeg4"); + memcpy(pParam, &m_sParamMPEG4, sizeof(m_sParamMPEG4)); +@@ -1548,6 +1555,7 @@ + } + case OMX_IndexParamVideoH263: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_H263TYPE); + OMX_VIDEO_PARAM_H263TYPE* pParam = (OMX_VIDEO_PARAM_H263TYPE*)paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoH263"); + memcpy(pParam, &m_sParamH263, sizeof(m_sParamH263)); +@@ -1555,6 +1563,7 @@ + } + case OMX_IndexParamVideoAvc: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_AVCTYPE); + OMX_VIDEO_PARAM_AVCTYPE* pParam = (OMX_VIDEO_PARAM_AVCTYPE*)paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoAvc"); + memcpy(pParam, &m_sParamAVC, sizeof(m_sParamAVC)); +@@ -1562,6 +1571,7 @@ + } + case (OMX_INDEXTYPE)OMX_IndexParamVideoVp8: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_VP8TYPE); + OMX_VIDEO_PARAM_VP8TYPE* pParam = (OMX_VIDEO_PARAM_VP8TYPE*)paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoVp8"); + memcpy(pParam, &m_sParamVP8, sizeof(m_sParamVP8)); +@@ -1569,6 +1579,7 @@ + } + case (OMX_INDEXTYPE)OMX_IndexParamVideoHevc: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_HEVCTYPE); + OMX_VIDEO_PARAM_HEVCTYPE* 
pParam = (OMX_VIDEO_PARAM_HEVCTYPE*)paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoHevc"); + memcpy(pParam, &m_sParamHEVC, sizeof(m_sParamHEVC)); +@@ -1576,6 +1587,7 @@ + } + case OMX_IndexParamVideoProfileLevelQuerySupported: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PROFILELEVELTYPE); + OMX_VIDEO_PARAM_PROFILELEVELTYPE* pParam = (OMX_VIDEO_PARAM_PROFILELEVELTYPE*)paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoProfileLevelQuerySupported"); + eRet = get_supported_profile_level(pParam); +@@ -1586,6 +1598,7 @@ + } + case OMX_IndexParamVideoProfileLevelCurrent: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PROFILELEVELTYPE); + OMX_VIDEO_PARAM_PROFILELEVELTYPE* pParam = (OMX_VIDEO_PARAM_PROFILELEVELTYPE*)paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoProfileLevelCurrent"); + memcpy(pParam, &m_sParamProfileLevel, sizeof(m_sParamProfileLevel)); +@@ -1594,6 +1607,7 @@ + /*Component should support this port definition*/ + case OMX_IndexParamAudioInit: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PORT_PARAM_TYPE); + OMX_PORT_PARAM_TYPE *audioPortParamType = (OMX_PORT_PARAM_TYPE *) paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamAudioInit"); + memcpy(audioPortParamType, &m_sPortParam_audio, sizeof(m_sPortParam_audio)); +@@ -1602,6 +1616,7 @@ + /*Component should support this port definition*/ + case OMX_IndexParamImageInit: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PORT_PARAM_TYPE); + OMX_PORT_PARAM_TYPE *imagePortParamType = (OMX_PORT_PARAM_TYPE *) paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamImageInit"); + memcpy(imagePortParamType, &m_sPortParam_img, sizeof(m_sPortParam_img)); +@@ -1617,6 +1632,7 @@ + } + case OMX_IndexParamStandardComponentRole: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_COMPONENTROLETYPE); + OMX_PARAM_COMPONENTROLETYPE *comp_role; + comp_role = (OMX_PARAM_COMPONENTROLETYPE *) paramData; + comp_role->nVersion.nVersion = OMX_SPEC_VERSION; 
+@@ -1629,7 +1645,7 @@ + /* Added for parameter test */ + case OMX_IndexParamPriorityMgmt: + { +- ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PRIORITYMGMTTYPE); + OMX_PRIORITYMGMTTYPE *priorityMgmType = (OMX_PRIORITYMGMTTYPE *) paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamPriorityMgmt"); + memcpy(priorityMgmType, &m_sPriorityMgmt, sizeof(m_sPriorityMgmt)); +@@ -1638,6 +1654,7 @@ + /* Added for parameter test */ + case OMX_IndexParamCompBufferSupplier: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_BUFFERSUPPLIERTYPE); + OMX_PARAM_BUFFERSUPPLIERTYPE *bufferSupplierType = (OMX_PARAM_BUFFERSUPPLIERTYPE*) paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamCompBufferSupplier"); + if (bufferSupplierType->nPortIndex ==(OMX_U32) PORT_INDEX_IN) { +@@ -1653,6 +1670,7 @@ + + case OMX_IndexParamVideoQuantization: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_QUANTIZATIONTYPE); + OMX_VIDEO_PARAM_QUANTIZATIONTYPE *session_qp = (OMX_VIDEO_PARAM_QUANTIZATIONTYPE*) paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_IndexParamVideoQuantization"); + memcpy(session_qp, &m_sSessionQuantization, sizeof(m_sSessionQuantization)); +@@ -1661,6 +1679,7 @@ + + case OMX_QcomIndexParamVideoQPRange: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_QPRANGETYPE); + OMX_QCOM_VIDEO_PARAM_QPRANGETYPE *qp_range = (OMX_QCOM_VIDEO_PARAM_QPRANGETYPE*) paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_QcomIndexParamVideoQPRange"); + memcpy(qp_range, &m_sSessionQPRange, sizeof(m_sSessionQPRange)); +@@ -1669,6 +1688,7 @@ + + case OMX_IndexParamVideoErrorCorrection: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE); + OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE* errorresilience = (OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE*)paramData; + DEBUG_PRINT_LOW("OMX_IndexParamVideoErrorCorrection"); + errorresilience->bEnableHEC = m_sErrorCorrection.bEnableHEC; +@@ -1678,6 +1698,7 @@ + } + case OMX_IndexParamVideoIntraRefresh: + { ++ 
VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_INTRAREFRESHTYPE); + OMX_VIDEO_PARAM_INTRAREFRESHTYPE* intrarefresh = (OMX_VIDEO_PARAM_INTRAREFRESHTYPE*)paramData; + DEBUG_PRINT_LOW("OMX_IndexParamVideoIntraRefresh"); + DEBUG_PRINT_ERROR("OMX_IndexParamVideoIntraRefresh GET"); +@@ -1690,6 +1711,7 @@ + break; + case OMX_COMPONENT_CAPABILITY_TYPE_INDEX: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMXComponentCapabilityFlagsType); + OMXComponentCapabilityFlagsType *pParam = reinterpret_cast(paramData); + DEBUG_PRINT_LOW("get_parameter: OMX_COMPONENT_CAPABILITY_TYPE_INDEX"); + pParam->iIsOMXComponentMultiThreaded = OMX_TRUE; +@@ -1707,6 +1729,7 @@ + #if !defined(MAX_RES_720P) || defined(_MSM8974_) + case OMX_QcomIndexParamIndexExtraDataType: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_INDEXEXTRADATATYPE); + DEBUG_PRINT_LOW("get_parameter: OMX_QcomIndexParamIndexExtraDataType"); + QOMX_INDEXEXTRADATATYPE *pParam = (QOMX_INDEXEXTRADATATYPE *)paramData; + if (pParam->nIndex == (OMX_INDEXTYPE)OMX_ExtraDataVideoEncoderSliceInfo) { +@@ -1752,6 +1775,7 @@ + } + case QOMX_IndexParamVideoLTRCountRangeSupported: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_EXTNINDEX_RANGETYPE); + DEBUG_PRINT_HIGH("get_parameter: QOMX_IndexParamVideoLTRCountRangeSupported"); + QOMX_EXTNINDEX_RANGETYPE *pParam = (QOMX_EXTNINDEX_RANGETYPE *)paramData; + if (pParam->nPortIndex == PORT_INDEX_OUT) { +@@ -1772,6 +1796,7 @@ + break; + case OMX_QcomIndexParamVideoLTRCount: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_LTRCOUNT_TYPE); + DEBUG_PRINT_LOW("get_parameter: OMX_QcomIndexParamVideoLTRCount"); + OMX_QCOM_VIDEO_PARAM_LTRCOUNT_TYPE *pParam = + reinterpret_cast(paramData); +@@ -1781,6 +1806,7 @@ + #endif + case QOMX_IndexParamVideoSyntaxHdr: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_EXTNINDEX_PARAMTYPE); + DEBUG_PRINT_HIGH("QOMX_IndexParamVideoSyntaxHdr"); + QOMX_EXTNINDEX_PARAMTYPE* pParam = + reinterpret_cast(paramData); +@@ -1826,6 +1852,7 @@ + } + case 
OMX_QcomIndexHierarchicalStructure: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_VIDEO_HIERARCHICALLAYERS); + QOMX_VIDEO_HIERARCHICALLAYERS* hierp = (QOMX_VIDEO_HIERARCHICALLAYERS*) paramData; + DEBUG_PRINT_LOW("get_parameter: OMX_QcomIndexHierarchicalStructure"); + memcpy(hierp, &m_sHierLayers, sizeof(m_sHierLayers)); +@@ -1833,6 +1860,7 @@ + } + case OMX_QcomIndexParamPerfLevel: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_PERF_LEVEL); + OMX_U32 perflevel; + OMX_QCOM_VIDEO_PARAM_PERF_LEVEL *pParam = + reinterpret_cast(paramData); +@@ -1847,6 +1875,7 @@ + } + case OMX_QcomIndexParamH264VUITimingInfo: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_VUI_TIMING_INFO); + OMX_U32 enabled; + OMX_QCOM_VIDEO_PARAM_VUI_TIMING_INFO *pParam = + reinterpret_cast(paramData); +@@ -1861,6 +1890,7 @@ + } + case OMX_QcomIndexParamPeakBitrate: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_PEAK_BITRATE); + OMX_U32 peakbitrate; + OMX_QCOM_VIDEO_PARAM_PEAK_BITRATE *pParam = + reinterpret_cast(paramData); +@@ -1875,6 +1905,7 @@ + } + case QOMX_IndexParamVideoInitialQp: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_EXTNINDEX_VIDEO_INITIALQP); + QOMX_EXTNINDEX_VIDEO_INITIALQP* initqp = + reinterpret_cast(paramData); + memcpy(initqp, &m_sParamInitqp, sizeof(m_sParamInitqp)); +@@ -1934,18 +1965,21 @@ + switch ((int)configIndex) { + case OMX_IndexConfigVideoBitrate: + { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_VIDEO_CONFIG_BITRATETYPE); + OMX_VIDEO_CONFIG_BITRATETYPE* pParam = reinterpret_cast(configData); + memcpy(pParam, &m_sConfigBitrate, sizeof(m_sConfigBitrate)); + break; + } + case OMX_IndexConfigVideoFramerate: + { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_CONFIG_FRAMERATETYPE); + OMX_CONFIG_FRAMERATETYPE* pParam = reinterpret_cast(configData); + memcpy(pParam, &m_sConfigFramerate, sizeof(m_sConfigFramerate)); + break; + } + case OMX_IndexConfigCommonRotate: + { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_CONFIG_ROTATIONTYPE); + 
OMX_CONFIG_ROTATIONTYPE* pParam = reinterpret_cast(configData); + memcpy(pParam, &m_sConfigFrameRotation, sizeof(m_sConfigFrameRotation)); + break; +@@ -1953,12 +1987,14 @@ + case QOMX_IndexConfigVideoIntraperiod: + { + DEBUG_PRINT_LOW("get_config:QOMX_IndexConfigVideoIntraperiod"); ++ VALIDATE_OMX_PARAM_DATA(configData, QOMX_VIDEO_INTRAPERIODTYPE); + QOMX_VIDEO_INTRAPERIODTYPE* pParam = reinterpret_cast(configData); + memcpy(pParam, &m_sIntraperiod, sizeof(m_sIntraperiod)); + break; + } + case OMX_IndexConfigVideoAVCIntraPeriod: + { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_VIDEO_CONFIG_AVCINTRAPERIOD); + OMX_VIDEO_CONFIG_AVCINTRAPERIOD *pParam = + reinterpret_cast(configData); + DEBUG_PRINT_LOW("get_config: OMX_IndexConfigVideoAVCIntraPeriod"); +@@ -1967,6 +2003,7 @@ + } + case OMX_IndexConfigCommonDeinterlace: + { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_VIDEO_CONFIG_DEINTERLACE); + OMX_VIDEO_CONFIG_DEINTERLACE *pParam = + reinterpret_cast(configData); + DEBUG_PRINT_LOW("get_config: OMX_IndexConfigCommonDeinterlace"); +@@ -1975,6 +2012,7 @@ + } + case OMX_IndexConfigVideoVp8ReferenceFrame: + { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_VIDEO_VP8REFERENCEFRAMETYPE); + OMX_VIDEO_VP8REFERENCEFRAMETYPE* pParam = + reinterpret_cast(configData); + DEBUG_PRINT_LOW("get_config: OMX_IndexConfigVideoVp8ReferenceFrame"); +@@ -1983,6 +2021,7 @@ + } + case OMX_QcomIndexConfigPerfLevel: + { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_QCOM_VIDEO_CONFIG_PERF_LEVEL); + OMX_U32 perflevel; + OMX_QCOM_VIDEO_CONFIG_PERF_LEVEL *pParam = + reinterpret_cast(configData); +diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp +index a72e07e..70d6260 100644 +--- a/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp ++++ b/mm-video-v4l2/vidc/venc/src/omx_video_encoder.cpp +@@ -577,6 +577,7 @@ + switch ((int)paramIndex) { + case OMX_IndexParamPortDefinition: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_PORTDEFINITIONTYPE); 
+ OMX_PARAM_PORTDEFINITIONTYPE *portDefn; + portDefn = (OMX_PARAM_PORTDEFINITIONTYPE *) paramData; + DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamPortDefinition H= %d, W = %d", +@@ -676,6 +677,7 @@ + + case OMX_IndexParamVideoPortFormat: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PORTFORMATTYPE); + OMX_VIDEO_PARAM_PORTFORMATTYPE *portFmt = + (OMX_VIDEO_PARAM_PORTFORMATTYPE *)paramData; + DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamVideoPortFormat %d", +@@ -719,6 +721,7 @@ + break; + case OMX_IndexParamVideoInit: + { //TODO, do we need this index set param ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PORT_PARAM_TYPE); + OMX_PORT_PARAM_TYPE* pParam = (OMX_PORT_PARAM_TYPE*)(paramData); + DEBUG_PRINT_LOW("Set OMX_IndexParamVideoInit called"); + break; +@@ -726,6 +729,7 @@ + + case OMX_IndexParamVideoBitrate: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_BITRATETYPE); + OMX_VIDEO_PARAM_BITRATETYPE* pParam = (OMX_VIDEO_PARAM_BITRATETYPE*)paramData; + DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamVideoBitrate"); + if (handle->venc_set_param(paramData,OMX_IndexParamVideoBitrate) != true) { +@@ -742,6 +746,7 @@ + } + case OMX_IndexParamVideoMpeg4: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_MPEG4TYPE); + OMX_VIDEO_PARAM_MPEG4TYPE* pParam = (OMX_VIDEO_PARAM_MPEG4TYPE*)paramData; + OMX_VIDEO_PARAM_MPEG4TYPE mp4_param; + memcpy(&mp4_param, pParam, sizeof(struct OMX_VIDEO_PARAM_MPEG4TYPE)); +@@ -795,6 +800,7 @@ + } + case OMX_IndexParamVideoAvc: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_AVCTYPE); + OMX_VIDEO_PARAM_AVCTYPE* pParam = (OMX_VIDEO_PARAM_AVCTYPE*)paramData; + OMX_VIDEO_PARAM_AVCTYPE avc_param; + memcpy(&avc_param, pParam, sizeof( struct OMX_VIDEO_PARAM_AVCTYPE)); +@@ -854,6 +860,7 @@ + } + case (OMX_INDEXTYPE)OMX_IndexParamVideoVp8: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_VP8TYPE); + OMX_VIDEO_PARAM_VP8TYPE* pParam = (OMX_VIDEO_PARAM_VP8TYPE*)paramData; + OMX_VIDEO_PARAM_VP8TYPE vp8_param; + 
DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamVideoVp8"); +@@ -870,6 +877,7 @@ + } + case (OMX_INDEXTYPE)OMX_IndexParamVideoHevc: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_HEVCTYPE); + OMX_VIDEO_PARAM_HEVCTYPE* pParam = (OMX_VIDEO_PARAM_HEVCTYPE*)paramData; + OMX_VIDEO_PARAM_HEVCTYPE hevc_param; + DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamVideoHevc"); +@@ -883,6 +891,7 @@ + } + case OMX_IndexParamVideoProfileLevelCurrent: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_PROFILELEVELTYPE); + OMX_VIDEO_PARAM_PROFILELEVELTYPE* pParam = (OMX_VIDEO_PARAM_PROFILELEVELTYPE*)paramData; + DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamVideoProfileLevelCurrent"); + if (handle->venc_set_param(pParam,OMX_IndexParamVideoProfileLevelCurrent) != true) { +@@ -937,6 +946,7 @@ + } + case OMX_IndexParamStandardComponentRole: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_COMPONENTROLETYPE); + OMX_PARAM_COMPONENTROLETYPE *comp_role; + comp_role = (OMX_PARAM_COMPONENTROLETYPE *) paramData; + DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamStandardComponentRole %s", +@@ -1007,6 +1017,7 @@ + + case OMX_IndexParamPriorityMgmt: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PRIORITYMGMTTYPE); + DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamPriorityMgmt"); + if (m_state != OMX_StateLoaded) { + DEBUG_PRINT_ERROR("ERROR: Set Parameter called in Invalid State"); +@@ -1027,6 +1038,7 @@ + + case OMX_IndexParamCompBufferSupplier: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_PARAM_BUFFERSUPPLIERTYPE); + DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamCompBufferSupplier"); + OMX_PARAM_BUFFERSUPPLIERTYPE *bufferSupplierType = (OMX_PARAM_BUFFERSUPPLIERTYPE*) paramData; + DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamCompBufferSupplier %d", +@@ -1043,6 +1055,7 @@ + } + case OMX_IndexParamVideoQuantization: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_QUANTIZATIONTYPE); + DEBUG_PRINT_LOW("set_parameter: OMX_IndexParamVideoQuantization"); + 
OMX_VIDEO_PARAM_QUANTIZATIONTYPE *session_qp = (OMX_VIDEO_PARAM_QUANTIZATIONTYPE*) paramData; + if (session_qp->nPortIndex == PORT_INDEX_OUT) { +@@ -1061,6 +1074,7 @@ + + case OMX_QcomIndexParamVideoQPRange: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_QPRANGETYPE); + DEBUG_PRINT_LOW("set_parameter: OMX_QcomIndexParamVideoQPRange"); + OMX_QCOM_VIDEO_PARAM_QPRANGETYPE *qp_range = (OMX_QCOM_VIDEO_PARAM_QPRANGETYPE*) paramData; + if (qp_range->nPortIndex == PORT_INDEX_OUT) { +@@ -1079,6 +1093,7 @@ + + case OMX_QcomIndexPortDefn: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_PARAM_PORTDEFINITIONTYPE); + OMX_QCOM_PARAM_PORTDEFINITIONTYPE* pParam = + (OMX_QCOM_PARAM_PORTDEFINITIONTYPE*)paramData; + DEBUG_PRINT_LOW("set_parameter: OMX_QcomIndexPortDefn"); +@@ -1105,6 +1120,7 @@ + + case OMX_IndexParamVideoErrorCorrection: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE); + DEBUG_PRINT_LOW("OMX_IndexParamVideoErrorCorrection"); + OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE* pParam = + (OMX_VIDEO_PARAM_ERRORCORRECTIONTYPE*)paramData; +@@ -1117,6 +1133,7 @@ + } + case OMX_IndexParamVideoIntraRefresh: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_VIDEO_PARAM_INTRAREFRESHTYPE); + DEBUG_PRINT_LOW("set_param:OMX_IndexParamVideoIntraRefresh"); + OMX_VIDEO_PARAM_INTRAREFRESHTYPE* pParam = + (OMX_VIDEO_PARAM_INTRAREFRESHTYPE*)paramData; +@@ -1130,6 +1147,7 @@ + #ifdef _ANDROID_ICS_ + case OMX_QcomIndexParamVideoMetaBufferMode: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, StoreMetaDataInBuffersParams); + StoreMetaDataInBuffersParams *pParam = + (StoreMetaDataInBuffersParams*)paramData; + DEBUG_PRINT_HIGH("set_parameter:OMX_QcomIndexParamVideoMetaBufferMode: " +@@ -1176,6 +1194,7 @@ + #if !defined(MAX_RES_720P) || defined(_MSM8974_) + case OMX_QcomIndexParamIndexExtraDataType: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_INDEXEXTRADATATYPE); + DEBUG_PRINT_HIGH("set_parameter: OMX_QcomIndexParamIndexExtraDataType"); + QOMX_INDEXEXTRADATATYPE 
*pParam = (QOMX_INDEXEXTRADATATYPE *)paramData; + bool enable = false; +@@ -1256,6 +1275,7 @@ + } + case QOMX_IndexParamVideoLTRMode: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_VIDEO_PARAM_LTRMODE_TYPE); + QOMX_VIDEO_PARAM_LTRMODE_TYPE* pParam = + (QOMX_VIDEO_PARAM_LTRMODE_TYPE*)paramData; + if (!handle->venc_set_param(paramData, (OMX_INDEXTYPE)QOMX_IndexParamVideoLTRMode)) { +@@ -1267,6 +1287,7 @@ + } + case QOMX_IndexParamVideoLTRCount: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_VIDEO_PARAM_LTRCOUNT_TYPE); + QOMX_VIDEO_PARAM_LTRCOUNT_TYPE* pParam = + (QOMX_VIDEO_PARAM_LTRCOUNT_TYPE*)paramData; + if (!handle->venc_set_param(paramData, (OMX_INDEXTYPE)QOMX_IndexParamVideoLTRCount)) { +@@ -1279,6 +1300,7 @@ + #endif + case OMX_QcomIndexParamVideoMaxAllowedBitrateCheck: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_EXTNINDEX_PARAMTYPE); + QOMX_EXTNINDEX_PARAMTYPE* pParam = + (QOMX_EXTNINDEX_PARAMTYPE*)paramData; + if (pParam->nPortIndex == PORT_INDEX_OUT) { +@@ -1296,6 +1318,7 @@ + #ifdef MAX_RES_1080P + case OMX_QcomIndexEnableSliceDeliveryMode: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_EXTNINDEX_PARAMTYPE); + QOMX_EXTNINDEX_PARAMTYPE* pParam = + (QOMX_EXTNINDEX_PARAMTYPE*)paramData; + if (pParam->nPortIndex == PORT_INDEX_OUT) { +@@ -1314,6 +1337,7 @@ + #endif + case OMX_QcomIndexEnableH263PlusPType: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_EXTNINDEX_PARAMTYPE); + QOMX_EXTNINDEX_PARAMTYPE* pParam = + (QOMX_EXTNINDEX_PARAMTYPE*)paramData; + DEBUG_PRINT_LOW("OMX_QcomIndexEnableH263PlusPType"); +@@ -1332,6 +1356,7 @@ + } + case OMX_QcomIndexParamSequenceHeaderWithIDR: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, PrependSPSPPSToIDRFramesParams); + if(!handle->venc_set_param(paramData, + (OMX_INDEXTYPE)OMX_QcomIndexParamSequenceHeaderWithIDR)) { + DEBUG_PRINT_ERROR("%s: %s", +@@ -1343,6 +1368,7 @@ + } + case OMX_QcomIndexParamH264AUDelimiter: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_CONFIG_H264_AUD); + if(!handle->venc_set_param(paramData, 
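Review bot: In the `OMX_QcomIndexParamSequenceHeaderWithIDR` case the type `PrependSPSPPSToIDRFramesParams` appears only in the added `VALIDATE_OMX_PARAM_DATA` line, while `paramData` is then handed untyped to `handle->venc_set_param`, so nothing in this file ties the validated type to the one the callee casts to. A short comment such as `// must match the type venc_set_param() casts paramData to for this index` would make that dependency explicit for later edits. The same pattern is in the `OMX_QcomIndexParamH264AUDelimiter`, `OMX_QcomIndexParamPerfLevel`, `OMX_QcomIndexParamH264VUITimingInfo`, `OMX_QcomIndexParamPeakBitrate`, `QOMX_IndexParamVideoInitialQp`, `OMX_QcomIndexParamVideoHybridHierpMode`, `OMX_IndexConfigPriority` and `OMX_IndexConfigOperatingRate` hunks. The case body continues outside the hunk.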
+ (OMX_INDEXTYPE)OMX_QcomIndexParamH264AUDelimiter)) { + DEBUG_PRINT_ERROR("%s: %s", +@@ -1354,6 +1380,7 @@ + } + case OMX_QcomIndexHierarchicalStructure: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_VIDEO_HIERARCHICALLAYERS); + QOMX_VIDEO_HIERARCHICALLAYERS* pParam = + (QOMX_VIDEO_HIERARCHICALLAYERS*)paramData; + DEBUG_PRINT_LOW("OMX_QcomIndexHierarchicalStructure"); +@@ -1377,6 +1404,7 @@ + } + case OMX_QcomIndexParamPerfLevel: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_PERF_LEVEL); + if (!handle->venc_set_param(paramData, + (OMX_INDEXTYPE) OMX_QcomIndexParamPerfLevel)) { + DEBUG_PRINT_ERROR("ERROR: Setting performance level"); +@@ -1386,6 +1414,7 @@ + } + case OMX_QcomIndexParamH264VUITimingInfo: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_VUI_TIMING_INFO); + if (!handle->venc_set_param(paramData, + (OMX_INDEXTYPE) OMX_QcomIndexParamH264VUITimingInfo)) { + DEBUG_PRINT_ERROR("ERROR: Setting VUI timing info"); +@@ -1395,6 +1424,7 @@ + } + case OMX_QcomIndexParamPeakBitrate: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, OMX_QCOM_VIDEO_PARAM_PEAK_BITRATE); + if (!handle->venc_set_param(paramData, + (OMX_INDEXTYPE) OMX_QcomIndexParamPeakBitrate)) { + DEBUG_PRINT_ERROR("ERROR: Setting peak bitrate"); +@@ -1404,6 +1434,7 @@ + } + case QOMX_IndexParamVideoInitialQp: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_EXTNINDEX_VIDEO_INITIALQP); + if(!handle->venc_set_param(paramData, + (OMX_INDEXTYPE)QOMX_IndexParamVideoInitialQp)) { + DEBUG_PRINT_ERROR("Request to Enable initial QP failed"); +@@ -1423,6 +1454,7 @@ + } + case OMX_QcomIndexParamVideoHybridHierpMode: + { ++ VALIDATE_OMX_PARAM_DATA(paramData, QOMX_EXTNINDEX_VIDEO_HYBRID_HP_MODE); + if(!handle->venc_set_param(paramData, + (OMX_INDEXTYPE)OMX_QcomIndexParamVideoHybridHierpMode)) { + DEBUG_PRINT_ERROR("Request to Enable Hybrid Hier-P failed"); +@@ -1527,6 +1559,7 @@ + switch ((int)configIndex) { + case OMX_IndexConfigVideoBitrate: + { ++ VALIDATE_OMX_PARAM_DATA(configData, 
OMX_VIDEO_CONFIG_BITRATETYPE); + OMX_VIDEO_CONFIG_BITRATETYPE* pParam = + reinterpret_cast(configData); + DEBUG_PRINT_HIGH("set_config(): OMX_IndexConfigVideoBitrate (%u)", (unsigned int)pParam->nEncodeBitrate); +@@ -1548,6 +1581,7 @@ + } + case OMX_IndexConfigVideoFramerate: + { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_CONFIG_FRAMERATETYPE); + OMX_CONFIG_FRAMERATETYPE* pParam = + reinterpret_cast(configData); + DEBUG_PRINT_HIGH("set_config(): OMX_IndexConfigVideoFramerate (0x%x)", (unsigned int)pParam->xEncodeFramerate); +@@ -1570,6 +1604,7 @@ + } + case QOMX_IndexConfigVideoIntraperiod: + { ++ VALIDATE_OMX_PARAM_DATA(configData, QOMX_VIDEO_INTRAPERIODTYPE); + QOMX_VIDEO_INTRAPERIODTYPE* pParam = + reinterpret_cast(configData); + +@@ -1627,6 +1662,7 @@ + + case OMX_IndexConfigVideoIntraVOPRefresh: + { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_CONFIG_INTRAREFRESHVOPTYPE); + OMX_CONFIG_INTRAREFRESHVOPTYPE* pParam = + reinterpret_cast(configData); + +@@ -1648,6 +1684,7 @@ + } + case OMX_IndexConfigCommonRotate: + { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_CONFIG_ROTATIONTYPE); + OMX_CONFIG_ROTATIONTYPE *pParam = + reinterpret_cast(configData); + OMX_S32 nRotation; +@@ -1695,6 +1732,7 @@ + { + DEBUG_PRINT_HIGH("set_config(): OMX_QcomIndexConfigVideoFramePackingArrangement"); + if (m_sOutPortFormat.eCompressionFormat == OMX_VIDEO_CodingAVC) { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_QCOM_FRAME_PACK_ARRANGEMENT); + OMX_QCOM_FRAME_PACK_ARRANGEMENT *configFmt = + (OMX_QCOM_FRAME_PACK_ARRANGEMENT *) configData; + extra_data_handle.set_frame_pack_data(configFmt); +@@ -1705,6 +1743,7 @@ + } + case QOMX_IndexConfigVideoLTRPeriod: + { ++ VALIDATE_OMX_PARAM_DATA(configData, QOMX_VIDEO_CONFIG_LTRPERIOD_TYPE); + QOMX_VIDEO_CONFIG_LTRPERIOD_TYPE* pParam = (QOMX_VIDEO_CONFIG_LTRPERIOD_TYPE*)configData; + if (!handle->venc_set_config(configData, (OMX_INDEXTYPE)QOMX_IndexConfigVideoLTRPeriod)) { + DEBUG_PRINT_ERROR("ERROR: Setting LTR period failed"); +@@ -1716,6 +1755,7 @@ + 
+ case OMX_IndexConfigVideoVp8ReferenceFrame: + { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_VIDEO_VP8REFERENCEFRAMETYPE); + OMX_VIDEO_VP8REFERENCEFRAMETYPE* pParam = (OMX_VIDEO_VP8REFERENCEFRAMETYPE*) configData; + if (!handle->venc_set_config(pParam, (OMX_INDEXTYPE) OMX_IndexConfigVideoVp8ReferenceFrame)) { + DEBUG_PRINT_ERROR("ERROR: Setting VP8 reference frame"); +@@ -1727,6 +1767,7 @@ + + case QOMX_IndexConfigVideoLTRUse: + { ++ VALIDATE_OMX_PARAM_DATA(configData, QOMX_VIDEO_CONFIG_LTRUSE_TYPE); + QOMX_VIDEO_CONFIG_LTRUSE_TYPE* pParam = (QOMX_VIDEO_CONFIG_LTRUSE_TYPE*)configData; + if (!handle->venc_set_config(pParam, (OMX_INDEXTYPE)QOMX_IndexConfigVideoLTRUse)) { + DEBUG_PRINT_ERROR("ERROR: Setting LTR use failed"); +@@ -1737,6 +1778,7 @@ + } + case QOMX_IndexConfigVideoLTRMark: + { ++ VALIDATE_OMX_PARAM_DATA(configData, QOMX_VIDEO_CONFIG_LTRMARK_TYPE); + QOMX_VIDEO_CONFIG_LTRMARK_TYPE* pParam = (QOMX_VIDEO_CONFIG_LTRMARK_TYPE*)configData; + if (!handle->venc_set_config(pParam, (OMX_INDEXTYPE)QOMX_IndexConfigVideoLTRMark)) { + DEBUG_PRINT_ERROR("ERROR: Setting LTR mark failed"); +@@ -1746,6 +1788,7 @@ + } + case OMX_IndexConfigVideoAVCIntraPeriod: + { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_VIDEO_CONFIG_AVCINTRAPERIOD); + OMX_VIDEO_CONFIG_AVCINTRAPERIOD *pParam = (OMX_VIDEO_CONFIG_AVCINTRAPERIOD*) configData; + DEBUG_PRINT_LOW("set_config: OMX_IndexConfigVideoAVCIntraPeriod"); + if (!handle->venc_set_config(pParam, (OMX_INDEXTYPE)OMX_IndexConfigVideoAVCIntraPeriod)) { +@@ -1757,6 +1800,7 @@ + } + case OMX_IndexConfigCommonDeinterlace: + { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_VIDEO_CONFIG_DEINTERLACE); + OMX_VIDEO_CONFIG_DEINTERLACE *pParam = (OMX_VIDEO_CONFIG_DEINTERLACE*) configData; + DEBUG_PRINT_LOW("set_config: OMX_IndexConfigCommonDeinterlace"); + if (!handle->venc_set_config(pParam, (OMX_INDEXTYPE)OMX_IndexConfigCommonDeinterlace)) { +@@ -1768,6 +1812,7 @@ + } + case OMX_QcomIndexConfigVideoVencPerfMode: + { ++ 
VALIDATE_OMX_PARAM_DATA(configData, QOMX_EXTNINDEX_VIDEO_PERFMODE); + QOMX_EXTNINDEX_VIDEO_PERFMODE* pParam = (QOMX_EXTNINDEX_VIDEO_PERFMODE*)configData; + if (!handle->venc_set_config(pParam, (OMX_INDEXTYPE)OMX_QcomIndexConfigVideoVencPerfMode)) { + DEBUG_PRINT_ERROR("ERROR: Setting OMX_QcomIndexConfigVideoVencPerfMode failed"); +@@ -1777,6 +1822,7 @@ + } + case OMX_IndexConfigPriority: + { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_PARAM_U32TYPE); + if (!handle->venc_set_config(configData, (OMX_INDEXTYPE)OMX_IndexConfigPriority)) { + DEBUG_PRINT_ERROR("Failed to set OMX_IndexConfigPriority"); + return OMX_ErrorUnsupportedSetting; +@@ -1785,6 +1831,7 @@ + } + case OMX_IndexConfigOperatingRate: + { ++ VALIDATE_OMX_PARAM_DATA(configData, OMX_PARAM_U32TYPE); + if (!handle->venc_set_config(configData, (OMX_INDEXTYPE)OMX_IndexConfigOperatingRate)) { + DEBUG_PRINT_ERROR("Failed to set OMX_IndexConfigOperatingRate"); + return handle->hw_overload ? OMX_ErrorInsufficientResources : diff --git a/Patches/Linux_CVEs/CVE-2016-2480/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2016-2480/ANY/0001.patch.base64 new file mode 100644 index 00000000..f954ff7c --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2480/ANY/0001.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-2482/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2482/ANY/0001.patch new file mode 100644 index 00000000..1f87b1be --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2482/ANY/0001.patch 
@@ -0,0 +1,131 @@ +diff --git a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h +index 120a11d..3d8ec9e 100644 +--- a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h ++++ b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h +@@ -183,7 +183,7 @@ + #define DESC_BUFFER_SIZE (8192 * 16) + + #ifdef _ANDROID_ +-#define MAX_NUM_INPUT_OUTPUT_BUFFERS 32 ++#define MAX_NUM_INPUT_OUTPUT_BUFFERS 64 + #endif + + #ifdef _ION_HEAP_MASK_COMPATIBILITY_WA +diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp +index 977aef2..95ffb98 100644 +--- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp ++++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp +@@ -3401,10 +3401,22 @@ + break; + } + +- if (!client_buffers.get_buffer_req(buffer_size)) { ++ if (portDefn->nBufferCountActual > MAX_NUM_INPUT_OUTPUT_BUFFERS) { ++ DEBUG_PRINT_ERROR("Requested o/p buf count (%u) exceeds limit (%u)", ++ portDefn->nBufferCountActual, MAX_NUM_INPUT_OUTPUT_BUFFERS); ++ eRet = OMX_ErrorBadParameter; ++ } else if (!client_buffers.get_buffer_req(buffer_size)) { + DEBUG_PRINT_ERROR("Error in getting buffer requirements"); + eRet = OMX_ErrorBadParameter; + } else if (!port_format_changed) { ++ ++ // Buffer count can change only when port is disabled ++ if (!release_output_done()) { ++ DEBUG_PRINT_ERROR("Cannot change o/p buffer count since all buffers are not freed yet !"); ++ eRet = OMX_ErrorInvalidState; ++ break; ++ } ++ + if ( portDefn->nBufferCountActual >= drv_ctx.op_buf.mincount && + portDefn->nBufferSize >= drv_ctx.op_buf.buffer_size ) { + drv_ctx.op_buf.actualcount = portDefn->nBufferCountActual; +@@ -3513,6 +3525,19 @@ + eRet = OMX_ErrorBadParameter; + break; + } ++ if (portDefn->nBufferCountActual > MAX_NUM_INPUT_OUTPUT_BUFFERS) { ++ DEBUG_PRINT_ERROR("Requested i/p buf count (%u) exceeds limit (%u)", ++ portDefn->nBufferCountActual, MAX_NUM_INPUT_OUTPUT_BUFFERS); ++ eRet = OMX_ErrorBadParameter; ++ break; ++ } ++ // Buffer count 
can change only when port is disabled ++ if (!release_input_done()) { ++ DEBUG_PRINT_ERROR("Cannot change i/p buffer count since all buffers are not freed yet !"); ++ eRet = OMX_ErrorInvalidState; ++ break; ++ } ++ + if (portDefn->nBufferCountActual >= drv_ctx.ip_buf.mincount + || portDefn->nBufferSize != drv_ctx.ip_buf.buffer_size) { + port_format_changed = true; +@@ -5882,7 +5907,8 @@ + nPortIndex = buffer - m_inp_heap_ptr; + + DEBUG_PRINT_LOW("free_buffer on i/p port - Port idx %d", nPortIndex); +- if (nPortIndex < drv_ctx.ip_buf.actualcount) { ++ if (nPortIndex < drv_ctx.ip_buf.actualcount && ++ BITMASK_PRESENT(&m_inp_bm_count, nPortIndex)) { + // Clear the bit associated with it. + BITMASK_CLEAR(&m_inp_bm_count,nPortIndex); + BITMASK_CLEAR(&m_heap_inp_bm_count,nPortIndex); +@@ -5924,7 +5950,8 @@ + } else if (port == OMX_CORE_OUTPUT_PORT_INDEX) { + // check if the buffer is valid + nPortIndex = buffer - client_buffers.get_il_buf_hdr(); +- if (nPortIndex < drv_ctx.op_buf.actualcount) { ++ if (nPortIndex < drv_ctx.op_buf.actualcount && ++ BITMASK_PRESENT(&m_out_bm_count, nPortIndex)) { + DEBUG_PRINT_LOW("free_buffer on o/p port - Port idx %d", nPortIndex); + // Clear the bit associated with it. 
+ BITMASK_CLEAR(&m_out_bm_count,nPortIndex); +@@ -6576,7 +6603,14 @@ + if (m_out_mem_ptr) { + DEBUG_PRINT_LOW("Freeing the Output Memory"); + for (i = 0; i < drv_ctx.op_buf.actualcount; i++ ) { +- free_output_buffer (&m_out_mem_ptr[i]); ++ if (BITMASK_PRESENT(&m_out_bm_count, i)) { ++ BITMASK_CLEAR(&m_out_bm_count, i); ++ client_buffers.free_output_buffer (&m_out_mem_ptr[i]); ++ } ++ ++ if (release_output_done()) { ++ break; ++ } + } + #ifdef _ANDROID_ICS_ + memset(&native_buffer, 0, (sizeof(nativebuffer) * MAX_NUM_INPUT_OUTPUT_BUFFERS)); +@@ -6587,11 +6621,19 @@ + if (m_inp_mem_ptr || m_inp_heap_ptr) { + DEBUG_PRINT_LOW("Freeing the Input Memory"); + for (i = 0; i +Date: Mon, 11 Nov 2013 22:59:34 -0800 +Subject: wlan: wlan_hdd_wext Userspace data copy fix + +Use copy_to_user and copy_from_user for +copying data to/from user space. + +Change-Id: I98fb6352b654af8f78160738e7ccd902c3c70031 +CRs-Fixed: 561028 +--- + CORE/HDD/src/wlan_hdd_wext.c | 75 +++++++++++++++++++++++++------------------- + 1 file changed, 42 insertions(+), 33 deletions(-) + +diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c +index 83107e1..1e9ba2e 100644 +--- a/CORE/HDD/src/wlan_hdd_wext.c ++++ b/CORE/HDD/src/wlan_hdd_wext.c +@@ -1529,7 +1529,7 @@ static int iw_set_genie(struct net_device *dev, + { + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); + hdd_wext_state_t *pWextState = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter); +- u_int8_t *genie; ++ u_int8_t *genie = (u_int8_t *)extra; + v_U16_t remLen; + + ENTER(); +@@ -1544,7 +1544,6 @@ static int iw_set_genie(struct net_device *dev, + return 0; + } + +- genie = wrqu->data.pointer; + remLen = wrqu->data.length; + + hddLog(LOG1,"iw_set_genie ioctl IE[0x%X], LEN[%d]\n", genie[0], genie[1]); +@@ -1672,9 +1671,14 @@ static int iw_get_genie(struct net_device *dev, + pAdapter->sessionId, + &length, + genIeBytes); +- wrqu->data.length = VOS_MIN((u_int16_t) length, DOT11F_IE_RSN_MAX_LEN); +- +- vos_mem_copy( wrqu->data.pointer, 
(v_VOID_t*)genIeBytes, wrqu->data.length); ++ length = VOS_MIN((u_int16_t) length, DOT11F_IE_RSN_MAX_LEN); ++ if (wrqu->data.length < length) ++ { ++ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); ++ return -EFAULT; ++ } ++ vos_mem_copy( extra, (v_VOID_t*)genIeBytes, wrqu->data.length); ++ wrqu->data.length = length; + + hddLog(LOG1,"%s: RSN IE of %d bytes returned\n", __func__, wrqu->data.length ); + +@@ -2364,7 +2368,7 @@ static int iw_get_rssi(struct net_device *dev, + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- char *cmd = (char*)wrqu->data.pointer; ++ char *cmd = extra; + int len = wrqu->data.length; + v_S7_t s7Rssi = 0; + hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); +@@ -2621,7 +2625,7 @@ static int iw_set_priv(struct net_device *dev, + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- char *cmd = (char*)wrqu->data.pointer; ++ char *cmd = extra; + int cmd_len = wrqu->data.length; + int ret = 0; + int status = 0; +@@ -2875,6 +2879,16 @@ done: + /* there was an encoding error or overflow */ + status = -EIO; + } ++ else if (ret > 0) ++ { ++ if (copy_to_user(wrqu->data.pointer, cmd, ret)) ++ { ++ hddLog(VOS_TRACE_LEVEL_ERROR, ++ "%s: failed to copy data to user buffer", __func__); ++ return -EFAULT; ++ } ++ wrqu->data.length = ret; ++ } + + if (ioctl_debug) + { +@@ -2882,7 +2896,6 @@ done: + __func__, cmd, wrqu->data.length, status); + } + return status; +- + } + + static int iw_set_nick(struct net_device *dev, +@@ -3827,7 +3840,7 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in + #endif /* WLAN_FEATURE_VOWIFI */ + + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received length %d", __func__, wrqu->data.length); +- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "%s: Received data %s", __func__, (char*)wrqu->data.pointer); ++ VOS_TRACE(VOS_MODULE_ID_HDD, 
VOS_TRACE_LEVEL_INFO, "%s: Received data %s", __func__, extra); + + if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) + { +@@ -3840,11 +3853,11 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in + { + case WE_WOWL_ADD_PTRN: + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "ADD_PTRN\n"); +- hdd_add_wowl_ptrn(pAdapter, (char*)wrqu->data.pointer); ++ hdd_add_wowl_ptrn(pAdapter, extra); + break; + case WE_WOWL_DEL_PTRN: + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, "DEL_PTRN\n"); +- hdd_del_wowl_ptrn(pAdapter, (char*)wrqu->data.pointer); ++ hdd_del_wowl_ptrn(pAdapter, extra); + break; + #if defined WLAN_FEATURE_VOWIFI + case WE_NEIGHBOR_REPORT_REQUEST: +@@ -3859,7 +3872,7 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in + if( !neighborReq.no_ssid ) + { + neighborReq.ssid.length = (wrqu->data.length - 1) > 32 ? 32 : (wrqu->data.length - 1) ; +- vos_mem_copy( neighborReq.ssid.ssId, wrqu->data.pointer, neighborReq.ssid.length ); ++ vos_mem_copy( neighborReq.ssid.ssId, extra, neighborReq.ssid.length ); + } + + callbackInfo.neighborRspCallback = NULL; +@@ -3877,10 +3890,10 @@ static int iw_setchar_getnone(struct net_device *dev, struct iw_request_info *in + #endif + case WE_SET_AP_WPS_IE: + hddLog( LOGE, "Received WE_SET_AP_WPS_IE" ); +- sme_updateP2pIe( WLAN_HDD_GET_HAL_CTX(pAdapter), wrqu->data.pointer, wrqu->data.length ); ++ sme_updateP2pIe( WLAN_HDD_GET_HAL_CTX(pAdapter), extra, wrqu->data.length ); + break; + case WE_SET_CONFIG: +- vstatus = hdd_execute_config_command(pHddCtx, wrqu->data.pointer); ++ vstatus = hdd_execute_config_command(pHddCtx, extra); + if (VOS_STATUS_SUCCESS != vstatus) + { + ret = -EINVAL; +@@ -4400,7 +4413,7 @@ int iw_set_var_ints_getnone(struct net_device *dev, struct iw_request_info *info + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); + tHalHandle hHal = WLAN_HDD_GET_HAL_CTX(pAdapter); + int sub_cmd = wrqu->data.flags; +- int *value = 
(int*)wrqu->data.pointer; ++ int *value = (int*)extra; + int apps_args[MAX_VAR_ARGS] = {0}; + int num_args = wrqu->data.length; + hdd_station_ctx_t *pStaCtx = NULL ; +@@ -4751,10 +4764,10 @@ static int iw_qcom_set_wapi_mode(struct net_device *dev, struct iw_request_info + hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); + tCsrRoamProfile *pRoamProfile = &pWextState->roamProfile; + +- WAPI_FUNCTION_MODE *pWapiMode = (WAPI_FUNCTION_MODE *)wrqu->data.pointer; ++ WAPI_FUNCTION_MODE *pWapiMode = (WAPI_FUNCTION_MODE *)extra; + + hddLog(LOG1, "The function iw_qcom_set_wapi_mode called"); +- hddLog(LOG1, "%s: Received data %s", __func__, (char*)wrqu->data.pointer); ++ hddLog(LOG1, "%s: Received data %s", __func__, extra); + hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); + hddLog(LOG1, "%s: Input Data (wreq) WAPI Mode:%02d", __func__, pWapiMode->wapiMode); + +@@ -4817,7 +4830,6 @@ static int iw_qcom_set_wapi_assoc_info(struct net_device *dev, struct iw_request + int i = 0, j = 0; + hddLog(LOG1, "The function iw_qcom_set_wapi_assoc_info called"); + hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); +- hddLog(LOG1, "%s: Received data %s", __func__, (char*)wrqu->data.pointer); + hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra); + + if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) +@@ -4883,7 +4895,6 @@ static int iw_qcom_set_wapi_key(struct net_device *dev, struct iw_request_info * + + hddLog(LOG1, "The function iw_qcom_set_wapi_key called "); + hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); +- hddLog(LOG1, "%s: Received data %s", __func__, (char*)wrqu->data.pointer); + hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra); + + hddLog(LOG1,":s: INPUT DATA:\nKey Type:0x%02x Key Direction:0x%02x KEY ID:0x%02x\n", __func__,pWapiKey->keyType,pWapiKey->keyDirection,pWapiKey->keyId); +@@ -4984,12 +4995,11 @@ static int iw_qcom_set_wapi_bkid(struct net_device *dev, struct 
iw_request_info + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); + #ifdef WLAN_DEBUG + int i = 0; +- WLAN_BKID_LIST *pBkid = ( WLAN_BKID_LIST *) (wrqu->data.pointer); ++ WLAN_BKID_LIST *pBkid = ( WLAN_BKID_LIST *) extra; + #endif + + hddLog(LOG1, "The function iw_qcom_set_wapi_bkid called"); + hddLog(LOG1, "%s: Received length %d", __func__, wrqu->data.length); +- hddLog(LOG1, "%s: Received data %s", __func__, (char*)wrqu->data.pointer); + hddLog(LOG1, "%s: Received data %s", __func__, (char*)extra); + + hddLog(LOG1,"%s: INPUT DATA:\n BKID Length:0x%08lx\n", __func__,pBkid->length); +@@ -5066,7 +5076,7 @@ static int iw_set_fties(struct net_device *dev, struct iw_request_info *info, + #endif + + // Pass the received FT IEs to SME +- sme_SetFTIEs( WLAN_HDD_GET_HAL_CTX(pAdapter), pAdapter->sessionId, wrqu->data.pointer, ++ sme_SetFTIEs( WLAN_HDD_GET_HAL_CTX(pAdapter), pAdapter->sessionId, extra, + wrqu->data.length); + + return 0; +@@ -5078,7 +5088,7 @@ static int iw_set_dynamic_mcbc_filter(struct net_device *dev, + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- tpRcvFltMcAddrList pRequest = (tpRcvFltMcAddrList)wrqu->data.pointer; ++ tpRcvFltMcAddrList pRequest = (tpRcvFltMcAddrList)extra; + hdd_context_t *pHddCtx = WLAN_HDD_GET_CTX(pAdapter); + tpSirWlanSetRxpFilters wlanRxpFilterParam; + tHalHandle hHal = WLAN_HDD_GET_HAL_CTX(pAdapter); +@@ -5227,7 +5237,7 @@ static int iw_set_host_offload(struct net_device *dev, struct iw_request_info *i + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- tpHostOffloadRequest pRequest = (tpHostOffloadRequest)wrqu->data.pointer; ++ tpHostOffloadRequest pRequest = (tpHostOffloadRequest) extra; + tSirHostOffloadReq offloadRequest; + + if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) +@@ -5236,7 +5246,6 @@ static int iw_set_host_offload(struct net_device *dev, struct iw_request_info *i + "%s:LOGP in Progress. 
Ignore!!!", __func__); + return -EBUSY; + } +- + /* Debug display of request components. */ + switch (pRequest->offloadType) + { +@@ -5299,7 +5308,7 @@ static int iw_set_keepalive_params(struct net_device *dev, struct iw_request_inf + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- tpKeepAliveRequest pRequest = (tpKeepAliveRequest)wrqu->data.pointer; ++ tpKeepAliveRequest pRequest = (tpKeepAliveRequest) extra; + tSirKeepAliveReq keepaliveRequest; + + if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) +@@ -5500,7 +5509,7 @@ static int iw_set_packet_filter_params(struct net_device *dev, struct iw_request + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- tpPacketFilterCfg pRequest = (tpPacketFilterCfg)wrqu->data.pointer; ++ tpPacketFilterCfg pRequest = (tpPacketFilterCfg) extra; + + return wlan_hdd_set_filter(WLAN_HDD_GET_CTX(pAdapter), pRequest, pAdapter->sessionId); + } +@@ -5733,7 +5742,7 @@ VOS_STATUS iw_set_pno(struct net_device *dev, struct iw_request_info *info, + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, + "PNO data len %d data %s", + wrqu->data.length, +- wrqu->data.pointer); ++ extra); + + if (wrqu->data.length <= nOffset ) + { +@@ -5771,7 +5780,7 @@ VOS_STATUS iw_set_pno(struct net_device *dev, struct iw_request_info *info, + + scan every 5 seconds 2 times, scan every 300 seconds until stopped + -----------------------------------------------------------------------*/ +- ptr = (char*)(wrqu->data.pointer + nOffset); ++ ptr = extra + nOffset; + + sscanf(ptr,"%hhu%n", &(pnoRequest.enable), &nOffset); + +@@ -5982,7 +5991,7 @@ VOS_STATUS iw_set_rssi_filter(struct net_device *dev, struct iw_request_info *in + v_U8_t rssiThreshold = 0; + v_U8_t nRead; + +- nRead = sscanf(wrqu->data.pointer + nOffset,"%hhu", ++ nRead = sscanf(extra + nOffset,"%hhu", + &rssiThreshold); + + if ( 1 != nRead ) +@@ -6143,7 +6152,7 @@ static int iw_set_band_config(struct 
net_device *dev, + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- tANI_U8 *ptr = (tANI_U8*)wrqu->data.pointer; ++ tANI_U8 *ptr = extra; + int ret = 0; + + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,"%s: ", __func__); +@@ -6190,7 +6199,7 @@ VOS_STATUS iw_set_power_params(struct net_device *dev, struct iw_request_info *i + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, + "Power Params data len %d data %s", + wrqu->data.length, +- wrqu->data.pointer); ++ extra); + + if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress) + { +@@ -6232,7 +6241,7 @@ VOS_STATUS iw_set_power_params(struct net_device *dev, struct iw_request_info *i + powerRequest.uEnableBET = SIR_NOCHANGE_POWER_VALUE; + powerRequest.uBETInterval = SIR_NOCHANGE_POWER_VALUE; + +- ptr = (char*)(wrqu->data.pointer + nOffset); ++ ptr = extra + nOffset; + + while ( uTotalSize ) + { +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2501/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2501/ANY/0001.patch new file mode 100644 index 00000000..a03745c2 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2501/ANY/0001.patch 
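Review bot: In the iw_get_genie hunk of the wlan_hdd_wext.c patch, the copy into `extra` is still sized by the caller-supplied `wrqu->data.length` rather than the clamped `length`. Once the new size check passes, the driver therefore copies at least `length`, and possibly many more, bytes out of `genIeBytes`. Depending on how large `genIeBytes` is (its declaration is outside the hunk), that reads past the valid IE or past the buffer and returns the extra bytes to user space. The copy should be bounded by the clamped value: `vos_mem_copy(extra, (v_VOID_t*)genIeBytes, length);`. This patch's own header was lost on the page, and iw_get_genie's body continues outside the hunk.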
@@ -0,0 +1,96 @@ +From 0ee6c6f748e840c266fe26ed3c89d6bd7e3c9d4e Mon Sep 17 00:00:00 2001 +From: Rajesh Bondugula +Date: Wed, 13 Apr 2016 14:31:58 -0700 +Subject: msm: camera: sensor: Validate step_boundary + +step_boundary can take values upto the total_steps +Validate the step_boundary before consuming it. +Convert the type of step_index and region_index to uint16_t +step_index and region_index cannot be negative. + +CRs-Fixed: 1001092 +Change-Id: I1f23fd6f28bb897824a1ef99a8873b9f986eee70 +Signed-off-by: Rajesh Bondugula +--- + .../msm/camera_v2/sensor/actuator/msm_actuator.c | 35 ++++++++++++++++++---- + 1 file changed, 29 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c +index 7653b1b..b87e31e 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c +@@ -853,7 +853,7 @@ static int32_t msm_actuator_bivcm_init_step_table( + { + int16_t code_per_step = 0; + int16_t cur_code = 0; +- int16_t step_index = 0, region_index = 0; ++ uint16_t step_index = 0, region_index = 0; + uint16_t step_boundary = 0; + uint32_t max_code_size = 1; + uint16_t data_size = set_info->actuator_params.data_size; +@@ -894,6 +894,15 @@ static int32_t msm_actuator_bivcm_init_step_table( + step_boundary = + a_ctrl->region_params[region_index]. 
+ step_bound[MOVE_NEAR]; ++ if (step_boundary > ++ set_info->af_tuning_params.total_steps) { ++ pr_err("invalid step_boundary = %d, max_val = %d", ++ step_boundary, ++ set_info->af_tuning_params.total_steps); ++ kfree(a_ctrl->step_position_table); ++ a_ctrl->step_position_table = NULL; ++ return -EINVAL; ++ } + qvalue = a_ctrl->region_params[region_index].qvalue; + for (; step_index <= step_boundary; + step_index++) { +@@ -929,20 +938,25 @@ static int32_t msm_actuator_init_step_table(struct msm_actuator_ctrl_t *a_ctrl, + int16_t code_per_step = 0; + uint32_t qvalue = 0; + int16_t cur_code = 0; +- int16_t step_index = 0, region_index = 0; ++ uint16_t step_index = 0, region_index = 0; + uint16_t step_boundary = 0; + uint32_t max_code_size = 1; + uint16_t data_size = set_info->actuator_params.data_size; + CDBG("Enter\n"); + ++ /* validate the actuator state */ ++ if (a_ctrl->actuator_state != ACT_OPS_ACTIVE) { ++ pr_err("%s:%d invalid actuator_state %d\n" ++ , __func__, __LINE__, a_ctrl->actuator_state); ++ return -EINVAL; ++ } + for (; data_size > 0; data_size--) + max_code_size *= 2; + + a_ctrl->max_code_size = max_code_size; +- if ((a_ctrl->actuator_state == ACT_OPS_ACTIVE) && +- (a_ctrl->step_position_table != NULL)) { +- kfree(a_ctrl->step_position_table); +- } ++ ++ /* free the step_position_table to allocate a new one */ ++ kfree(a_ctrl->step_position_table); + a_ctrl->step_position_table = NULL; + + if (set_info->af_tuning_params.total_steps +@@ -971,6 +985,15 @@ static int32_t msm_actuator_init_step_table(struct msm_actuator_ctrl_t *a_ctrl, + step_boundary = + a_ctrl->region_params[region_index]. 
+ step_bound[MOVE_NEAR]; ++ if (step_boundary > ++ set_info->af_tuning_params.total_steps) { ++ pr_err("invalid step_boundary = %d, max_val = %d", ++ step_boundary, ++ set_info->af_tuning_params.total_steps); ++ kfree(a_ctrl->step_position_table); ++ a_ctrl->step_position_table = NULL; ++ return -EINVAL; ++ } + for (; step_index <= step_boundary; + step_index++) { + if (qvalue > 1 && qvalue <= MAX_QVALUE) +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2502/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-2502/ANY/0001.patch new file mode 100644 index 00000000..0fc56780 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2502/ANY/0001.patch @@ -0,0 +1,37 @@ +From 0bc45d7712eabe315ce8299a49d16433c3801156 Mon Sep 17 00:00:00 2001 +From: Manu Gautam +Date: Tue, 5 Apr 2016 15:20:47 +0530 +Subject: usb: f_serial: Check for SMD data length in GSER_IOCTL + +If user tries to send SMD data more than the driver +buffer can handle then fail the same and print +error message. This smd_write is exposed to userspace +through ioctl using a misc device. + +Change-Id: Ie8a1c1c0799cd10cef512ad6b1e1e95001dd43b2 +Signed-off-by: Manu Gautam +--- + drivers/usb/gadget/f_serial.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/usb/gadget/f_serial.c b/drivers/usb/gadget/f_serial.c +index 8d510e1..4e84de8 100644 +--- a/drivers/usb/gadget/f_serial.c ++++ b/drivers/usb/gadget/f_serial.c +@@ -1361,6 +1361,13 @@ static long gser_ioctl(struct file *fp, unsigned cmd, unsigned long arg) + smd_port_num = + gserial_ports[gser->port_num].client_port_num; + ++ if (smd_write_arg.size > GSERIAL_BUF_LEN) { ++ pr_err("%s: Invalid size:%u, max: %u", __func__, ++ smd_write_arg.size, GSERIAL_BUF_LEN); ++ ret = -EINVAL; ++ break; ++ } ++ + pr_debug("%s: Copying %d bytes from user buffer to local\n", + __func__, smd_write_arg.size); + +-- +cgit v1.1 + 
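Review bot: The new bound in both msm_actuator_bivcm_init_step_table and msm_actuator_init_step_table rejects only `step_boundary > total_steps`, while the loop that follows runs `step_index <= step_boundary`, so index `total_steps` itself is still written. That is safe only if step_position_table is allocated with `total_steps + 1` entries, and the allocation is outside these hunks. I would state the invariant next to the check, e.g. `/* table has total_steps + 1 entries, so step_boundary == total_steps is in range */`, or tighten the test to `>=` if it does not hold. The two added `pr_err` strings also lack a trailing `\n`, unlike the actuator_state message added in the same patch.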
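Review bot: The added size check in gser_ioctl logs with an unthrottled `pr_err` on a path the commit message says is exposed to user space through a misc-device ioctl, so repeated oversized requests can fill the kernel log. `pr_err_ratelimited("%s: Invalid size:%u, max: %u\n", __func__, smd_write_arg.size, GSERIAL_BUF_LEN);` keeps the diagnostic and adds the missing newline. The neighbouring `pr_debug` prints the same field with `%d`, so the signedness of `smd_write_arg.size` should be confirmed against its declaration, which is outside the hunk.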
diff --git a/Patches/Linux_CVEs/CVE-2016-2503/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2503/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2503/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-2503/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-2503/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-2503/3.18/0002.patch new file mode 100644 index 00000000..2ac901a1 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2503/3.18/0002.patch 
@@ -0,0 +1,102 @@ +From 9ae71bc3a542f68ea93c4eff01a41201ee6d9402 Mon Sep 17 00:00:00 2001 +From: Divya Ponnusamy +Date: Fri, 6 May 2016 13:24:37 -0600 +Subject: msm: kgsl: Avoid race condition in ioctl_syncsource_destroy + +If the ioctl syncsource_destroy is accessed by parallel +threads, where the spinlock is acquired by threads after +getting syncsource, then the simultaneous processes try +to remove the already destroyed syncsource->refcount by +the first thread that acquires this spinlock. This leads +to race condition while removing syncsource->idr. + +Avoid separate lock inside getting syncsource, instead +acquire spinlock before we get the syncsource in +destroy ioctl so that the threads access the spinlock +and operate on syncsource without use-after-free issue. + +Change-Id: I6add3800c40cd09f6e6e0cf2720e69059bd83cbc +Signed-off-by: Divya Ponnusamy +--- + drivers/gpu/msm/kgsl_sync.c | 36 +++++++++++++++++------------------- + 1 file changed, 17 insertions(+), 19 deletions(-) + +diff --git a/drivers/gpu/msm/kgsl_sync.c b/drivers/gpu/msm/kgsl_sync.c +index abbdc5d..5c3ae1b 100644 +--- a/drivers/gpu/msm/kgsl_sync.c ++++ b/drivers/gpu/msm/kgsl_sync.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -474,23 +474,23 @@ long kgsl_ioctl_syncsource_create(struct kgsl_device_private *dev_priv, + goto out; + } + ++ kref_init(&syncsource->refcount); ++ syncsource->private = private; ++ + idr_preload(GFP_KERNEL); + spin_lock(&private->syncsource_lock); + id = idr_alloc(&private->syncsource_idr, syncsource, 1, 0, GFP_NOWAIT); +- spin_unlock(&private->syncsource_lock); +- idr_preload_end(); +- + if (id > 0) { +- kref_init(&syncsource->refcount); + syncsource->id = id; +- syncsource->private = private; +- + param->id = id; + ret = 0; + } else { + ret = id; + } + ++ spin_unlock(&private->syncsource_lock); ++ idr_preload_end(); ++ + out: + if (ret) { + if (syncsource && syncsource->oneshot) +@@ -548,25 +548,23 @@ long kgsl_ioctl_syncsource_destroy(struct kgsl_device_private *dev_priv, + { + struct kgsl_syncsource_destroy *param = data; + struct kgsl_syncsource *syncsource = NULL; +- struct kgsl_process_private *private; +- +- syncsource = kgsl_syncsource_get(dev_priv->process_priv, +- param->id); ++ struct kgsl_process_private *private = dev_priv->process_priv; + +- if (syncsource == NULL) +- return -EINVAL; ++ spin_lock(&private->syncsource_lock); ++ syncsource = idr_find(&private->syncsource_idr, param->id); + +- private = syncsource->private; ++ if (syncsource) { ++ idr_remove(&private->syncsource_idr, param->id); ++ syncsource->id = 0; ++ } + +- spin_lock(&private->syncsource_lock); +- idr_remove(&private->syncsource_idr, param->id); +- syncsource->id = 0; + spin_unlock(&private->syncsource_lock); + ++ if (syncsource == NULL) ++ return -EINVAL; ++ + /* put reference from syncsource creation */ + kgsl_syncsource_put(syncsource); +- /* put reference from getting the syncsource above */ +- kgsl_syncsource_put(syncsource); + return 0; + } + +-- +cgit v1.1 + 
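Review bot: kgsl_ioctl_syncsource_destroy now depends on `idr_find` and `idr_remove` running in one critical section, so that exactly one caller drops the creation reference, but nothing in the code records that. A short comment above the `spin_lock` would keep a later refactor from reintroducing the double put, for example `/* find and remove under one lock: only the thread that removes the id may drop the creation reference */`. In kgsl_ioctl_syncsource_create the object is reachable by id as soon as `idr_alloc` succeeds, so the `syncsource->id` assignment relies on the lock still being held. A one-line comment at the moved `spin_unlock` would document that ordering too.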
diff --git a/Patches/Linux_CVEs/CVE-2016-2504/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-2504/3.18/0002.patch new file mode 100644 index 00000000..63e5b99b --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2504/3.18/0002.patch 
@@ -0,0 +1,80 @@ +From 75adbb8cebfe17ace640e6bd89582c1d72196378 Mon Sep 17 00:00:00 2001 +From: Jordan Crouse +Date: Tue, 3 May 2016 14:11:03 -0600 +Subject: msm: kgsl: Defer adding the mem entry to a process + +If we add the mem entry pointer in the process mem_idr too early +other threads can do operations on the entry by guessing the ID +or GPU address before the object gets returned by the creating +operation. + +Allocate an ID for the object but don't assign the pointer until +right before the creating function returns ensuring that another +operation can't access it until it is ready. + +CRs-Fixed: 1002974 +Change-Id: Ic0dedbadc0dd2125bd2a7bcc152972c0555e07f8 +Signed-off-by: Jordan Crouse +--- + drivers/gpu/msm/kgsl.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c +index 738b2f4..8e68a88 100644 +--- a/drivers/gpu/msm/kgsl.c ++++ b/drivers/gpu/msm/kgsl.c +@@ -388,6 +388,17 @@ kgsl_mem_entry_untrack_gpuaddr(struct kgsl_process_private *process, + kgsl_mmu_put_gpuaddr(pagetable, &entry->memdesc); + } + ++/* Commit the entry to the process so it can be accessed by other operations */ ++static void kgsl_mem_entry_commit_process(struct kgsl_mem_entry *entry) ++{ ++ if (!entry) ++ return; ++ ++ spin_lock(&entry->priv->mem_lock); ++ idr_replace(&entry->priv->mem_idr, entry, entry->id); ++ spin_unlock(&entry->priv->mem_lock); ++} ++ + /** + * kgsl_mem_entry_attach_process - Attach a mem_entry to its owner process + * @entry: the memory entry +@@ -418,7 +429,8 @@ kgsl_mem_entry_attach_process(struct kgsl_mem_entry *entry, + + idr_preload(GFP_KERNEL); + spin_lock(&process->mem_lock); +- id = idr_alloc(&process->mem_idr, entry, 1, 0, GFP_NOWAIT); ++ /* Allocate the ID but don't attach the pointer just yet */ ++ id = idr_alloc(&process->mem_idr, NULL, 1, 0, GFP_NOWAIT); + spin_unlock(&process->mem_lock); + idr_preload_end(); + +@@ -2317,6 +2329,7 @@ long 
kgsl_ioctl_gpuobj_import(struct kgsl_device_private *dev_priv, + + trace_kgsl_mem_map(entry, fd); + ++ kgsl_mem_entry_commit_process(entry); + return 0; + + unmap: +@@ -2580,6 +2593,7 @@ long kgsl_ioctl_map_user_mem(struct kgsl_device_private *dev_priv, + + trace_kgsl_mem_map(entry, param->fd); + ++ kgsl_mem_entry_commit_process(entry); + return result; + + error_attach: +@@ -2971,6 +2985,7 @@ static struct kgsl_mem_entry *gpumem_alloc_entry( + entry->memdesc.size); + trace_kgsl_mem_alloc(entry); + ++ kgsl_mem_entry_commit_process(entry); + return entry; + err: + kfree(entry); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2504/3.4-3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-2504/3.4-3.10/0001.patch new file mode 100644 index 00000000..e15d8a6f --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-2504/3.4-3.10/0001.patch 
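Review bot: kgsl_mem_entry_commit_process discards the result of `idr_replace`, so if the reserved ID is no longer present when the commit runs, the entry is never published and the ioctl still returns success. Since the helper is void, the failure should at least be flagged: `WARN_ON(IS_ERR(idr_replace(&entry->priv->mem_idr, entry, entry->id)));`. With the slot holding NULL between kgsl_mem_entry_attach_process and the commit, lookups on `mem_idr` must tolerate a NULL result, and error paths that bail out before the commit must still release the ID. Those callers are outside the hunks shown, so this needs checking against the full file.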
@@ -0,0 +1,164 @@ +From f7c8dfd7060867d71fc370527e2e2278ffc3ba5e Mon Sep 17 00:00:00 2001 +From: Sunil Khatri +Date: Wed, 25 May 2016 21:13:46 +0530 +Subject: msm: kgsl: Defer adding the mem entry to a process + +If we add the mem entry pointer in the process idr and rb tree +too early, other threads can do operations on the entry by +guessing the ID or GPU address before the object gets returned +by the creating operation. + +Allocate an ID for the object but don't assign the pointer until +right before the creating function returns ensuring that another +operation can't access it until it is ready. + +CRs-Fixed: 1002974 +Change-Id: Ic0dedbadc0dd2125bd2a7bcc152972c0555e07f8 +Signed-off-by: Jordan Crouse +Signed-off-by: Sunil Khatri +--- + drivers/gpu/msm/kgsl.c | 62 +++++++++++++++++++++++++++++++++++--------------- + 1 file changed, 44 insertions(+), 18 deletions(-) + +diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c +index e1fd99e..ad1e4e0 100644 +--- a/drivers/gpu/msm/kgsl.c ++++ b/drivers/gpu/msm/kgsl.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2008-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -296,27 +296,20 @@ kgsl_mem_entry_destroy(struct kref *kref) + EXPORT_SYMBOL(kgsl_mem_entry_destroy); + + /** +- * kgsl_mem_entry_track_gpuaddr - Insert a mem_entry in the address tree and +- * assign it with a gpu address space before insertion ++ * kgsl_mem_entry_track_gpuaddr - Get the entry gpu address space before ++ * insertion to the process + * @process: the process that owns the memory + * @entry: the memory entry + * +- * @returns - 0 on succcess else error code ++ * @returns - 0 on success else error code + * +- * Insert the kgsl_mem_entry in to the rb_tree for searching by GPU address. 
+- * The assignment of gpu address and insertion into list needs to +- * happen with the memory lock held to avoid race conditions between +- * gpu address being selected and some other thread looking through the +- * rb list in search of memory based on gpuaddr + * This function should be called with processes memory spinlock held +- */ ++*/ + static int + kgsl_mem_entry_track_gpuaddr(struct kgsl_process_private *process, + struct kgsl_mem_entry *entry) + { + int ret = 0; +- struct rb_node **node; +- struct rb_node *parent = NULL; + struct kgsl_pagetable *pagetable = process->pagetable; + + assert_spin_locked(&process->mem_lock); +@@ -337,11 +330,22 @@ kgsl_mem_entry_track_gpuaddr(struct kgsl_process_private *process, + pagetable = pagetable->mmu->securepagetable; + + ret = kgsl_mmu_get_gpuaddr(pagetable, &entry->memdesc); +- if (ret) +- goto done; + +- node = &process->mem_rb.rb_node; ++done: ++ return ret; ++} ++ ++static void kgsl_mem_entry_commit_mem_list(struct kgsl_process_private *process, ++ struct kgsl_mem_entry *entry) ++{ ++ struct rb_node **node; ++ struct rb_node *parent = NULL; ++ ++ if (!entry->memdesc.gpuaddr) ++ return; + ++ /* Insert mem entry in mem_rb tree */ ++ node = &process->mem_rb.rb_node; + while (*node) { + struct kgsl_mem_entry *cur; + +@@ -356,9 +360,20 @@ kgsl_mem_entry_track_gpuaddr(struct kgsl_process_private *process, + + rb_link_node(&entry->node, parent, node); + rb_insert_color(&entry->node, &process->mem_rb); ++} + +-done: +- return ret; ++static void kgsl_mem_entry_commit_process(struct kgsl_process_private *process, ++ struct kgsl_mem_entry *entry) ++{ ++ if (!entry) ++ return; ++ ++ spin_lock(&entry->priv->mem_lock); ++ /* Insert mem entry in mem_rb tree */ ++ kgsl_mem_entry_commit_mem_list(process, entry); ++ /* Replace mem entry in mem_idr using id */ ++ idr_replace(&entry->priv->mem_idr, entry, entry->id); ++ spin_unlock(&entry->priv->mem_lock); + } + + /** +@@ -407,7 +422,8 @@ kgsl_mem_entry_attach_process(struct 
kgsl_mem_entry *entry, + return -EBADF; + idr_preload(GFP_KERNEL); + spin_lock(&process->mem_lock); +- id = idr_alloc(&process->mem_idr, entry, 1, 0, GFP_NOWAIT); ++ /* Allocate the ID but don't attach the pointer just yet */ ++ id = idr_alloc(&process->mem_idr, NULL, 1, 0, GFP_NOWAIT); + spin_unlock(&process->mem_lock); + idr_preload_end(); + +@@ -3279,6 +3295,7 @@ long kgsl_ioctl_map_user_mem(struct kgsl_device_private *dev_priv, + + trace_kgsl_mem_map(entry, param->fd); + ++ kgsl_mem_entry_commit_process(private, entry); + return result; + + error_attach: +@@ -3633,6 +3650,8 @@ long kgsl_ioctl_gpumem_alloc(struct kgsl_device_private *dev_priv, + param->gpuaddr = entry->memdesc.gpuaddr; + param->size = entry->memdesc.size; + param->flags = entry->memdesc.flags; ++ ++ kgsl_mem_entry_commit_process(private, entry); + return result; + err: + kgsl_sharedmem_free(&entry->memdesc); +@@ -3678,6 +3697,8 @@ long kgsl_ioctl_gpumem_alloc_id(struct kgsl_device_private *dev_priv, + param->size = entry->memdesc.size; + param->mmapsize = kgsl_memdesc_mmapsize(&entry->memdesc); + param->gpuaddr = entry->memdesc.gpuaddr; ++ ++ kgsl_mem_entry_commit_process(private, entry); + return result; + err: + if (entry) +@@ -4201,6 +4222,11 @@ static int kgsl_check_gpu_addr_collision( + spin_lock(&private->mem_lock); + kgsl_mem_entry_untrack_gpuaddr(private, entry); + spin_unlock(&private->mem_lock); ++ } else { ++ /* Insert mem entry in mem_rb tree */ ++ spin_lock(&private->mem_lock); ++ kgsl_mem_entry_commit_mem_list(private, entry); ++ spin_unlock(&private->mem_lock); + } + } else { + trace_kgsl_mem_unmapped_area_collision(entry, addr, len, +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-2504/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2504/ANY/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-2504/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-2504/ANY/0003.patch 
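Review bot: In this 3.4-3.10 variant, `kgsl_mem_entry_commit_process()` locks `entry->priv->mem_lock` but passes its `process` argument to `kgsl_mem_entry_commit_mem_list()`, which links the node into `process->mem_rb`; the helper never checks that the two refer to the same process. Using one of them throughout (`spin_lock(&process->mem_lock);` and `idr_replace(&process->mem_idr, entry, entry->id);`) rules out inserting into one process's tree while holding another's lock. `kgsl_mem_entry_commit_mem_list()` is also called with the lock held from `kgsl_check_gpu_addr_collision`, so starting it with `assert_spin_locked(&process->mem_lock);` would match what `kgsl_mem_entry_track_gpuaddr` already does. The ioctl bodies that call the commit helper start outside their hunks.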
diff --git a/Patches/Linux_CVEs/CVE-2016-2544/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2544/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-2544/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-2544/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-2545/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2545/^4.4/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-2545/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-2545/^4.4/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-2546/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2546/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-2546/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-2546/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-2547/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2547/^4.4/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-2547/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-2547/^4.4/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-2549/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2549/^4.4/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-2549/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-2549/^4.4/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-2847/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-2847/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-2847/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-2847/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-3070/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3070/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-3070/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-3070/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-3134/3.10/0.patch b/Patches/Linux_CVEs/CVE-2016-3134/3.10/0.patch
deleted file mode 100644
index 42416182..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3134/3.10/0.patch
+++ /dev/null
@@ -1,115 +0,0 @@ -From 82e2616ad251a3f72991036d6e8acebbd0aceb80 Mon Sep 17 00:00:00 2001 -From: Florian Westphal -Date: Fri, 15 Jul 2016 15:08:15 -0400 -Subject: netfilter: x_tables: don't move to non-existent next rule - -commit f24e230d257af1ad7476c6e81a8dc3127a74204e upstream. - -Ben Hawkes says: - - In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it - is possible for a user-supplied ipt_entry structure to have a large - next_offset field. This field is not bounds checked prior to writing a - counter value at the supplied offset. - -Base chains enforce absolute verdict. - -User defined chains are supposed to end with an unconditional return, -xtables userspace adds them automatically. - -But if such return is missing we will move to non-existent next rule. - -CVE-2016-3134 - -Reported-by: Ben Hawkes -Signed-off-by: Florian Westphal -Signed-off-by: Pablo Neira Ayuso -Signed-off-by: Chas Williams <3chas3@gmail.com> -Signed-off-by: Willy Tarreau ---- - net/ipv4/netfilter/arp_tables.c | 8 +++++--- - net/ipv4/netfilter/ip_tables.c | 4 ++++ - net/ipv6/netfilter/ip6_tables.c | 4 ++++ - 3 files changed, 13 insertions(+), 3 deletions(-) - -diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c -index 456fc6e..7460b7b 100644 ---- a/net/ipv4/netfilter/arp_tables.c -+++ b/net/ipv4/netfilter/arp_tables.c -@@ -430,6 +430,8 @@ static int mark_source_chains(const struct xt_table_info *newinfo, - size = e->next_offset; - e = (struct arpt_entry *) - (entry0 + pos + size); -+ if (pos + size >= newinfo->size) -+ return 0; - e->counters.pcnt = pos; - pos += size; - } else { -@@ -452,6 +454,8 @@ static int mark_source_chains(const struct xt_table_info *newinfo, - } else { - /* ... 
this is a fallthru */ - newpos = pos + e->next_offset; -+ if (newpos >= newinfo->size) -+ return 0; - } - e = (struct arpt_entry *) - (entry0 + newpos); -@@ -675,10 +679,8 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0, - } - } - -- if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) { -- duprintf("Looping hook\n"); -+ if (!mark_source_chains(newinfo, repl->valid_hooks, entry0)) - return -ELOOP; -- } - - /* Finally, each sanity check must pass */ - i = 0; -diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c -index a5bd3c8..8fc22ee 100644 ---- a/net/ipv4/netfilter/ip_tables.c -+++ b/net/ipv4/netfilter/ip_tables.c -@@ -511,6 +511,8 @@ mark_source_chains(const struct xt_table_info *newinfo, - size = e->next_offset; - e = (struct ipt_entry *) - (entry0 + pos + size); -+ if (pos + size >= newinfo->size) -+ return 0; - e->counters.pcnt = pos; - pos += size; - } else { -@@ -532,6 +534,8 @@ mark_source_chains(const struct xt_table_info *newinfo, - } else { - /* ... this is a fallthru */ - newpos = pos + e->next_offset; -+ if (newpos >= newinfo->size) -+ return 0; - } - e = (struct ipt_entry *) - (entry0 + newpos); -diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c -index fb8a146..63f7876 100644 ---- a/net/ipv6/netfilter/ip6_tables.c -+++ b/net/ipv6/netfilter/ip6_tables.c -@@ -521,6 +521,8 @@ mark_source_chains(const struct xt_table_info *newinfo, - size = e->next_offset; - e = (struct ip6t_entry *) - (entry0 + pos + size); -+ if (pos + size >= newinfo->size) -+ return 0; - e->counters.pcnt = pos; - pos += size; - } else { -@@ -542,6 +544,8 @@ mark_source_chains(const struct xt_table_info *newinfo, - } else { - /* ... this is a fallthru */ - newpos = pos + e->next_offset; -+ if (newpos >= newinfo->size) -+ return 0; - } - e = (struct ip6t_entry *) - (entry0 + newpos); --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-3134/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3134/ANY/0001.patch
new file mode 100644
index 00000000..87dd172a
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-3134/ANY/0001.patch
@@ -0,0 +1,234 @@ +From 54d83fc74aa9ec72794373cb47432c5f7fb1a309 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 22 Mar 2016 18:02:52 +0100 +Subject: netfilter: x_tables: fix unconditional helper + +Ben Hawkes says: + + In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it + is possible for a user-supplied ipt_entry structure to have a large + next_offset field. This field is not bounds checked prior to writing a + counter value at the supplied offset. + +Problem is that mark_source_chains should not have been called -- +the rule doesn't have a next entry, so its supposed to return +an absolute verdict of either ACCEPT or DROP. + +However, the function conditional() doesn't work as the name implies. +It only checks that the rule is using wildcard address matching. + +However, an unconditional rule must also not be using any matches +(no -m args). + +The underflow validator only checked the addresses, therefore +passing the 'unconditional absolute verdict' test, while +mark_source_chains also tested for presence of matches, and thus +proceeeded to the next (not-existent) rule. + +Unify this so that all the callers have same idea of 'unconditional rule'. + +Reported-by: Ben Hawkes +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/ipv4/netfilter/arp_tables.c | 18 +++++++++--------- + net/ipv4/netfilter/ip_tables.c | 23 +++++++++++------------ + net/ipv6/netfilter/ip6_tables.c | 23 +++++++++++------------ + 3 files changed, 31 insertions(+), 33 deletions(-) + +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index 51d4fe5..a1bb5e7 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -359,11 +359,12 @@ unsigned int arpt_do_table(struct sk_buff *skb, + } + + /* All zeroes == unconditional rule. 
*/ +-static inline bool unconditional(const struct arpt_arp *arp) ++static inline bool unconditional(const struct arpt_entry *e) + { + static const struct arpt_arp uncond; + +- return memcmp(arp, &uncond, sizeof(uncond)) == 0; ++ return e->target_offset == sizeof(struct arpt_entry) && ++ memcmp(&e->arp, &uncond, sizeof(uncond)) == 0; + } + + /* Figures out from what hook each rule can be called: returns 0 if +@@ -402,11 +403,10 @@ static int mark_source_chains(const struct xt_table_info *newinfo, + |= ((1 << hook) | (1 << NF_ARP_NUMHOOKS)); + + /* Unconditional return/END. */ +- if ((e->target_offset == sizeof(struct arpt_entry) && ++ if ((unconditional(e) && + (strcmp(t->target.u.user.name, + XT_STANDARD_TARGET) == 0) && +- t->verdict < 0 && unconditional(&e->arp)) || +- visited) { ++ t->verdict < 0) || visited) { + unsigned int oldpos, size; + + if ((strcmp(t->target.u.user.name, +@@ -551,7 +551,7 @@ static bool check_underflow(const struct arpt_entry *e) + const struct xt_entry_target *t; + unsigned int verdict; + +- if (!unconditional(&e->arp)) ++ if (!unconditional(e)) + return false; + t = arpt_get_target_c(e); + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) +@@ -598,9 +598,9 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, + newinfo->hook_entry[h] = hook_entries[h]; + if ((unsigned char *)e - base == underflows[h]) { + if (!check_underflow(e)) { +- pr_err("Underflows must be unconditional and " +- "use the STANDARD target with " +- "ACCEPT/DROP\n"); ++ pr_debug("Underflows must be unconditional and " ++ "use the STANDARD target with " ++ "ACCEPT/DROP\n"); + return -EINVAL; + } + newinfo->underflow[h] = underflows[h]; +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index fb7694e6..89b5d95 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -168,11 +168,12 @@ get_entry(const void *base, unsigned int offset) + + /* All zeroes == unconditional rule. 
*/ + /* Mildly perf critical (only if packet tracing is on) */ +-static inline bool unconditional(const struct ipt_ip *ip) ++static inline bool unconditional(const struct ipt_entry *e) + { + static const struct ipt_ip uncond; + +- return memcmp(ip, &uncond, sizeof(uncond)) == 0; ++ return e->target_offset == sizeof(struct ipt_entry) && ++ memcmp(&e->ip, &uncond, sizeof(uncond)) == 0; + #undef FWINV + } + +@@ -229,11 +230,10 @@ get_chainname_rulenum(const struct ipt_entry *s, const struct ipt_entry *e, + } else if (s == e) { + (*rulenum)++; + +- if (s->target_offset == sizeof(struct ipt_entry) && ++ if (unconditional(s) && + strcmp(t->target.u.kernel.target->name, + XT_STANDARD_TARGET) == 0 && +- t->verdict < 0 && +- unconditional(&s->ip)) { ++ t->verdict < 0) { + /* Tail of chains: STANDARD target (return/policy) */ + *comment = *chainname == hookname + ? comments[NF_IP_TRACE_COMMENT_POLICY] +@@ -476,11 +476,10 @@ mark_source_chains(const struct xt_table_info *newinfo, + e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); + + /* Unconditional return/END. 
*/ +- if ((e->target_offset == sizeof(struct ipt_entry) && ++ if ((unconditional(e) && + (strcmp(t->target.u.user.name, + XT_STANDARD_TARGET) == 0) && +- t->verdict < 0 && unconditional(&e->ip)) || +- visited) { ++ t->verdict < 0) || visited) { + unsigned int oldpos, size; + + if ((strcmp(t->target.u.user.name, +@@ -715,7 +714,7 @@ static bool check_underflow(const struct ipt_entry *e) + const struct xt_entry_target *t; + unsigned int verdict; + +- if (!unconditional(&e->ip)) ++ if (!unconditional(e)) + return false; + t = ipt_get_target_c(e); + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) +@@ -763,9 +762,9 @@ check_entry_size_and_hooks(struct ipt_entry *e, + newinfo->hook_entry[h] = hook_entries[h]; + if ((unsigned char *)e - base == underflows[h]) { + if (!check_underflow(e)) { +- pr_err("Underflows must be unconditional and " +- "use the STANDARD target with " +- "ACCEPT/DROP\n"); ++ pr_debug("Underflows must be unconditional and " ++ "use the STANDARD target with " ++ "ACCEPT/DROP\n"); + return -EINVAL; + } + newinfo->underflow[h] = underflows[h]; +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index b248528f..541b59f 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -198,11 +198,12 @@ get_entry(const void *base, unsigned int offset) + + /* All zeroes == unconditional rule. 
*/ + /* Mildly perf critical (only if packet tracing is on) */ +-static inline bool unconditional(const struct ip6t_ip6 *ipv6) ++static inline bool unconditional(const struct ip6t_entry *e) + { + static const struct ip6t_ip6 uncond; + +- return memcmp(ipv6, &uncond, sizeof(uncond)) == 0; ++ return e->target_offset == sizeof(struct ip6t_entry) && ++ memcmp(&e->ipv6, &uncond, sizeof(uncond)) == 0; + } + + static inline const struct xt_entry_target * +@@ -258,11 +259,10 @@ get_chainname_rulenum(const struct ip6t_entry *s, const struct ip6t_entry *e, + } else if (s == e) { + (*rulenum)++; + +- if (s->target_offset == sizeof(struct ip6t_entry) && ++ if (unconditional(s) && + strcmp(t->target.u.kernel.target->name, + XT_STANDARD_TARGET) == 0 && +- t->verdict < 0 && +- unconditional(&s->ipv6)) { ++ t->verdict < 0) { + /* Tail of chains: STANDARD target (return/policy) */ + *comment = *chainname == hookname + ? comments[NF_IP6_TRACE_COMMENT_POLICY] +@@ -488,11 +488,10 @@ mark_source_chains(const struct xt_table_info *newinfo, + e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); + + /* Unconditional return/END. 
*/ +- if ((e->target_offset == sizeof(struct ip6t_entry) && ++ if ((unconditional(e) && + (strcmp(t->target.u.user.name, + XT_STANDARD_TARGET) == 0) && +- t->verdict < 0 && +- unconditional(&e->ipv6)) || visited) { ++ t->verdict < 0) || visited) { + unsigned int oldpos, size; + + if ((strcmp(t->target.u.user.name, +@@ -727,7 +726,7 @@ static bool check_underflow(const struct ip6t_entry *e) + const struct xt_entry_target *t; + unsigned int verdict; + +- if (!unconditional(&e->ipv6)) ++ if (!unconditional(e)) + return false; + t = ip6t_get_target_c(e); + if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0) +@@ -775,9 +774,9 @@ check_entry_size_and_hooks(struct ip6t_entry *e, + newinfo->hook_entry[h] = hook_entries[h]; + if ((unsigned char *)e - base == underflows[h]) { + if (!check_underflow(e)) { +- pr_err("Underflows must be unconditional and " +- "use the STANDARD target with " +- "ACCEPT/DROP\n"); ++ pr_debug("Underflows must be unconditional and " ++ "use the STANDARD target with " ++ "ACCEPT/DROP\n"); + return -EINVAL; + } + newinfo->underflow[h] = underflows[h]; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3135/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3135/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3135/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3135/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3136/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3136/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3136/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3136/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3136/ANY/1.patch.dupe b/Patches/Linux_CVEs/CVE-2016-3136/ANY/1.patch.dupe deleted file mode 100644 index 52e03439..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3136/ANY/1.patch.dupe +++ /dev/null 
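Review bot: The patch added here for CVE-2016-3134 (upstream 54d83fc74aa9, "fix unconditional helper") is not the same fix as the `3.10/0.patch` this commit deletes (upstream f24e230d257a, "don't move to non-existent next rule"). The deleted one bounds-checked the user-supplied offset in `mark_source_chains` with `if (pos + size >= newinfo->size) return 0;` and `if (newpos >= newinfo->size) return 0;`, while the new one only folds the `target_offset` test into `unconditional()`. Unless the bounds-check patch is carried under another number in this directory (not visible in this part of the diff), trees built from this patchset lose the direct check on `next_offset` and rely solely on the rule-classification fix. Keeping both as `0001.patch` and `0002.patch` would preserve the defence in depth the upstream series has.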
@@ -1,53 +0,0 @@ -From 2633b8df3dff0377066fb32feb8ef06ae834d7ff Mon Sep 17 00:00:00 2001 -From: Badhri Jagan Sridharan -Date: Tue, 30 Aug 2016 13:33:55 -0700 -Subject: UPSTREAM: USB: mct_u232: add sanity checking in probe - -commit 4e9a0b05257f29cf4b75f3209243ed71614d062e upstream. - -An attack using the lack of sanity checking in probe is known. This -patch checks for the existence of a second port. - -CVE-2016-3136 -BUG: 28242610 -Signed-off-by: Oliver Neukum -[johan: add error message ] -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman - -Signed-off-by: Badhri Jagan Sridharan -Change-Id: I284ad648c2087c34a098d67e0cc6d948a568413c ---- - drivers/usb/serial/mct_u232.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c -index 6a15adf..c14c29f 100644 ---- a/drivers/usb/serial/mct_u232.c -+++ b/drivers/usb/serial/mct_u232.c -@@ -377,14 +377,21 @@ static void mct_u232_msr_to_state(struct usb_serial_port *port, - - static int mct_u232_port_probe(struct usb_serial_port *port) - { -+ struct usb_serial *serial = port->serial; - struct mct_u232_private *priv; - -+ /* check first to simplify error handling */ -+ if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) { -+ dev_err(&port->dev, "expected endpoint missing\n"); -+ return -ENODEV; -+ } -+ - priv = kzalloc(sizeof(*priv), GFP_KERNEL); - if (!priv) - return -ENOMEM; - - /* Use second interrupt-in endpoint for reading. */ -- priv->read_urb = port->serial->port[1]->interrupt_in_urb; -+ priv->read_urb = serial->port[1]->interrupt_in_urb; - priv->read_urb->context = port; - - spin_lock_init(&priv->lock); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-3137/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3137/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3137/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3137/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2016-3137/ANY/1.patch.dupe b/Patches/Linux_CVEs/CVE-2016-3137/ANY/1.patch.dupe
deleted file mode 100644
index 9e9f9b88..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3137/ANY/1.patch.dupe
+++ /dev/null
@@ -1,53 +0,0 @@ -From 7a17891b0194ba11f7ee15a18e545808b0d27495 Mon Sep 17 00:00:00 2001 -From: Badhri Jagan Sridharan -Date: Mon, 29 Aug 2016 17:33:52 -0700 -Subject: UPSTREAM: USB: cypress_m8: add endpoint sanity check - -commit c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 upstream. - -An attack using missing endpoints exists. - -CVE-2016-3137 - -BUG: 28242610 -Signed-off-by: Oliver Neukum -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Badhri Jagan Sridharan -Change-Id: I1cc7957a5924175d24f12fdc41162ece67c907e5 ---- - drivers/usb/serial/cypress_m8.c | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c -index 08212019..09f0f63 100644 ---- a/drivers/usb/serial/cypress_m8.c -+++ b/drivers/usb/serial/cypress_m8.c -@@ -449,6 +449,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port) - struct usb_serial *serial = port->serial; - struct cypress_private *priv; - -+ if (!port->interrupt_out_urb || !port->interrupt_in_urb) { -+ dev_err(&port->dev, "required endpoint is missing\n"); -+ return -ENODEV; -+ } -+ - priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL); - if (!priv) - return -ENOMEM; -@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port) - cypress_set_termios(tty, port, &priv->tmp_termios); - - /* setup the port and start reading from the device */ -- if (!port->interrupt_in_urb) { -- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n", -- __func__); -- return -1; -- } -- - usb_fill_int_urb(port->interrupt_in_urb, serial->dev, - usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress), - port->interrupt_in_urb->transfer_buffer, --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-3138/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3138/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3138/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3138/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3138/ANY/1.patch.dupe b/Patches/Linux_CVEs/CVE-2016-3138/ANY/1.patch.dupe deleted file mode 100644 index eee71747..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3138/ANY/1.patch.dupe +++ /dev/null @@ -1,39 +0,0 @@ -From 801c5f937ef7edb23e411bc00d3695496b89dca2 Mon Sep 17 00:00:00 2001 -From: Badhri Jagan Sridharan -Date: Tue, 30 Aug 2016 13:39:02 -0700 -Subject: UPSTREAM: USB: cdc-acm: more sanity checking - -commit 8835ba4a39cf53f705417b3b3a94eb067673f2c9 upstream. - -An attack has become available which pretends to be a quirky -device circumventing normal sanity checks and crashes the kernel -by an insufficient number of interfaces. This patch adds a check -to the code path for quirky devices. - -BUG: 28242610 - -Signed-off-by: Oliver Neukum -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Badhri Jagan Sridharan -Change-Id: I9a5f7f3c704b65e866335054f470451fcfae9d1c ---- - drivers/usb/class/cdc-acm.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c -index 9b1cbcf..f519d28 100644 ---- a/drivers/usb/class/cdc-acm.c -+++ b/drivers/usb/class/cdc-acm.c -@@ -972,6 +972,9 @@ static int acm_probe(struct usb_interface *intf, - if (quirks == NO_UNION_NORMAL) { - data_interface = usb_ifnum_to_if(usb_dev, 1); - control_interface = usb_ifnum_to_if(usb_dev, 0); -+ /* we would crash */ -+ if (!data_interface || !control_interface) -+ return -ENODEV; - goto skip_normal_probe; - } - --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-3140/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3140/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-3140/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-3140/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-3140/ANY/1.patch.dupe b/Patches/Linux_CVEs/CVE-2016-3140/ANY/1.patch.dupe
deleted file mode 100644
index bd2011bc..00000000
--- a/Patches/Linux_CVEs/CVE-2016-3140/ANY/1.patch.dupe
+++ /dev/null
@@ -1,57 +0,0 @@ -From 129e6372f40a423bcded0a6dae547205edf652fb Mon Sep 17 00:00:00 2001 -From: Oliver Neukum -Date: Thu, 31 Mar 2016 12:04:26 -0400 -Subject: USB: digi_acceleport: do sanity checking for the number of ports - -commit 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f upstream. - -The driver can be crashed with devices that expose crafted descriptors -with too few endpoints. - -See: http://seclists.org/bugtraq/2016/Mar/61 - -Signed-off-by: Oliver Neukum -[johan: fix OOB endpoint check and add error messages ] -Cc: stable -Signed-off-by: Johan Hovold -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Willy Tarreau ---- - drivers/usb/serial/digi_acceleport.c | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/drivers/usb/serial/digi_acceleport.c b/drivers/usb/serial/digi_acceleport.c -index 7b807d3..8c34d9c 100644 ---- a/drivers/usb/serial/digi_acceleport.c -+++ b/drivers/usb/serial/digi_acceleport.c -@@ -1253,8 +1253,27 @@ static int digi_port_init(struct usb_serial_port *port, unsigned port_num) - - static int digi_startup(struct usb_serial *serial) - { -+ struct device *dev = &serial->interface->dev; - struct digi_serial *serial_priv; - int ret; -+ int i; -+ -+ /* check whether the device has the expected number of endpoints */ -+ if (serial->num_port_pointers < serial->type->num_ports + 1) { -+ dev_err(dev, "OOB endpoints missing\n"); -+ return -ENODEV; -+ } -+ -+ for (i = 0; i < serial->type->num_ports + 1 ; i++) { -+ if (!serial->port[i]->read_urb) { -+ dev_err(dev, "bulk-in endpoint missing\n"); -+ return -ENODEV; -+ } -+ if (!serial->port[i]->write_urb) { -+ dev_err(dev, "bulk-out endpoint missing\n"); -+ return -ENODEV; -+ } -+ } - - serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL); - if (!serial_priv) --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-3156/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3156/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3156/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3156/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3672/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3672/ANY/0001.patch similarity index 72% rename from Patches/Linux_CVEs/CVE-2016-3672/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3672/ANY/0001.patch index 483f87d7..de810f0b 100644 --- a/Patches/Linux_CVEs/CVE-2016-3672/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2016-3672/ANY/0001.patch @@ -1,12 +1,11 @@ -From d6dee0ccda11e6d9f8b47acd112b399d8afd34bc Mon Sep 17 00:00:00 2001 +From 8b8addf891de8a00e4d39fc32f93f7c5eb8feceb Mon Sep 17 00:00:00 2001 From: Hector Marco-Gisbert Date: Thu, 10 Mar 2016 20:51:00 +0100 -Subject: [PATCH] UPSTREAM: x86/mm/32: Enable full randomization on i386 and - X86_32 +Subject: x86/mm/32: Enable full randomization on i386 and X86_32 Currently on i386 and on X86_64 when emulating X86_32 in legacy mode, only the stack and the executable are randomized but not other mmapped files - +(libraries, vDSO, etc.). This patch enables randomization for the libraries, vDSO and mmap requests on i386 and in X86_32 in legacy mode. By default on i386 there are 8 bits for the randomization of the libraries, @@ -43,53 +42,42 @@ Cc: akpm@linux-foundation.org Cc: kees Cook Link: http://lkml.kernel.org/r/1457639460-5242-1-git-send-email-hecmargi@upv.es Signed-off-by: Ingo Molnar - -Bug: 28763575 -Change-Id: Icd128489c3c196ade64f79d4ea898d29f8471baf -(cherry picked from commit 8b8addf891de8a00e4d39fc32f93f7c5eb8feceb) --- - arch/x86/mm/mmap.c | 21 +++++++-------------- - 1 file changed, 7 insertions(+), 14 deletions(-) + arch/x86/mm/mmap.c | 14 +------------- + 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c -index 084c36f6b4e3..47287ea3f080 100644 +index 96bd1e2..389939f 100644 
--- a/arch/x86/mm/mmap.c +++ b/arch/x86/mm/mmap.c -@@ -95,30 +95,23 @@ static unsigned long mmap_base(void) +@@ -94,18 +94,6 @@ static unsigned long mmap_base(unsigned long rnd) } /* - * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64 - * does, but not when emulating X86_32 - */ --static unsigned long mmap_legacy_base(void) +-static unsigned long mmap_legacy_base(unsigned long rnd) -{ - if (mmap_is_ia32()) - return TASK_UNMAPPED_BASE; - else -- return TASK_UNMAPPED_BASE + mmap_rnd(); +- return TASK_UNMAPPED_BASE + rnd; -} - -/* * This function, called very early during the creation of a new * process VM image, sets up which VM layout function to use: */ - void arch_pick_mmap_layout(struct mm_struct *mm) - { -- mm->mmap_legacy_base = mmap_legacy_base(); -- mm->mmap_base = mmap_base(); -+ unsigned long random_factor = 0UL; -+ -+ if (current->flags & PF_RANDOMIZE) -+ random_factor = mmap_rnd(); -+ +@@ -116,7 +104,7 @@ void arch_pick_mmap_layout(struct mm_struct *mm) + if (current->flags & PF_RANDOMIZE) + random_factor = arch_mmap_rnd(); + +- mm->mmap_legacy_base = mmap_legacy_base(random_factor); + mm->mmap_legacy_base = TASK_UNMAPPED_BASE + random_factor; if (mmap_is_legacy()) { mm->mmap_base = mm->mmap_legacy_base; - mm->get_unmapped_area = arch_get_unmapped_area; - } else { -+ mm->mmap_base = mmap_base(); - mm->get_unmapped_area = arch_get_unmapped_area_topdown; - } - } +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3689/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3689/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3689/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3689/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3689/ANY/1.patch.dupe b/Patches/Linux_CVEs/CVE-2016-3689/ANY/1.patch.dupe deleted file mode 100644 index abc036f7..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3689/ANY/1.patch.dupe +++ /dev/null 
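Review bot: The replacement `CVE-2016-3672/ANY/0001.patch` is the unmodified upstream commit, and its hunks assume `mmap_base(unsigned long rnd)`, `mmap_legacy_base(unsigned long rnd)` and `arch_mmap_rnd()` already exist. The backport it replaces was written against `mmap_base(void)` and `mmap_rnd()`, and introduced the `random_factor` / `PF_RANDOMIZE` logic itself. Filed under `ANY`, the new patch will presumably fail to apply on kernels that still have the older signatures, and if the apply step tolerates rejects, the i386 mmap randomization fix is silently dropped there. Consider keeping the old backport under a version-scoped directory next to the upstream one, as is done for other CVEs in this commit (`^4.4`, `3.4-3.10`).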
@@ -1,40 +0,0 @@ -From 7ca573e32c0a6634d679540314a80d235f224bfb Mon Sep 17 00:00:00 2001 -From: Oliver Neukum -Date: Thu, 17 Mar 2016 14:00:17 -0700 -Subject: [PATCH] Input: ims-pcu - sanity check against missing interfaces - -[ Upstream commit a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff ] - -A malicious device missing interface can make the driver oops. -Add sanity checking. - -Signed-off-by: Oliver Neukum -CC: stable@vger.kernel.org -Signed-off-by: Dmitry Torokhov -Signed-off-by: Sasha Levin ---- - drivers/input/misc/ims-pcu.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c -index afed8e2b2f944..41ef29b516f35 100644 ---- a/drivers/input/misc/ims-pcu.c -+++ b/drivers/input/misc/ims-pcu.c -@@ -1663,6 +1663,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc - - pcu->ctrl_intf = usb_ifnum_to_if(pcu->udev, - union_desc->bMasterInterface0); -+ if (!pcu->ctrl_intf) -+ return -EINVAL; - - alt = pcu->ctrl_intf->cur_altsetting; - pcu->ep_ctrl = &alt->endpoint[0].desc; -@@ -1670,6 +1672,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface *intf, struct ims_pcu *pc - - pcu->data_intf = usb_ifnum_to_if(pcu->udev, - union_desc->bSlaveInterface0); -+ if (!pcu->data_intf) -+ return -EINVAL; - - alt = pcu->data_intf->cur_altsetting; - if (alt->desc.bNumEndpoints != 2) { diff --git a/Patches/Linux_CVEs/CVE-2016-3746/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3746/ANY/0001.patch new file mode 100644 index 00000000..1bf7d443 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3746/ANY/0001.patch 
@@ -0,0 +1,162 @@ +From c2e66c4ee83b4264d691d8aaabb2e94744df1e25 Mon Sep 17 00:00:00 2001 +From: Praveen Chavan +Date: Mon, 25 Apr 2016 10:03:42 -0700 +Subject: mm-video-v4l2: vdec: Avoid processing ETBs/FTBs in invalid states + +(per the spec) ETB/FTB should not be handled in states other than +Executing, Paused and Idle. This avoids accessing invalid buffers. +Also add a lock to protect the private-buffers from being deleted +while accessing from another thread. + +Bug: 27890802 +Security Vulnerability - Heap Use-After-Free and Possible LPE in +MediaServer (libOmxVdec problem #6) + +CRs-Fixed: 1008882 + +Change-Id: Iaac2e383cd53cf9cf8042c9ed93ddc76dba3907e +--- + mm-video-v4l2/vidc/common/inc/vidc_debug.h | 14 +++++++++++ + mm-video-v4l2/vidc/vdec/inc/omx_vdec.h | 1 + + mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp | 32 +++++++++++++++++------- + 3 files changed, 38 insertions(+), 9 deletions(-) + +diff --git a/mm-video-v4l2/vidc/common/inc/vidc_debug.h b/mm-video-v4l2/vidc/common/inc/vidc_debug.h +index 0ce747c..d9007f2 100644 +--- a/mm-video-v4l2/vidc/common/inc/vidc_debug.h ++++ b/mm-video-v4l2/vidc/common/inc/vidc_debug.h +@@ -31,6 +31,7 @@ ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ + #ifdef _ANDROID_ + #include ++#include + + enum { + PRIO_ERROR=0x1, +@@ -75,4 +76,17 @@ extern int debug_level; + } \ + } \ + ++class auto_lock { ++ public: ++ auto_lock(pthread_mutex_t &lock) ++ : mLock(lock) { ++ pthread_mutex_lock(&mLock); ++ } ++ ~auto_lock() { ++ pthread_mutex_unlock(&mLock); ++ } ++ private: ++ pthread_mutex_t &mLock; ++}; ++ + #endif +diff --git a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h +index 2df1b6e..616b8c2 100644 +--- a/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h ++++ b/mm-video-v4l2/vidc/vdec/inc/omx_vdec.h +@@ -772,6 +772,7 @@ class omx_vdec: public qc_omx_component + //************************************************************* + pthread_mutex_t m_lock; + pthread_mutex_t c_lock; ++ pthread_mutex_t buf_lock; + //sem to handle the minimum procesing of commands + sem_t m_cmd_lock; + sem_t m_safe_flush; +diff --git a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp +index 646f211..f490fad 100644 +--- a/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp ++++ b/mm-video-v4l2/vidc/vdec/src/omx_vdec_msm8974.cpp +@@ -685,6 +685,7 @@ omx_vdec::omx_vdec(): m_error_propogated(false), + m_vendor_config.pData = NULL; + pthread_mutex_init(&m_lock, NULL); + pthread_mutex_init(&c_lock, NULL); ++ pthread_mutex_init(&buf_lock, NULL); + sem_init(&m_cmd_lock,0,0); + sem_init(&m_safe_flush, 0, 0); + streaming[CAPTURE_PORT] = +@@ -812,6 +813,7 @@ omx_vdec::~omx_vdec() + close(drv_ctx.video_driver_fd); + pthread_mutex_destroy(&m_lock); + pthread_mutex_destroy(&c_lock); ++ pthread_mutex_destroy(&buf_lock); + sem_destroy(&m_cmd_lock); + if (perf_flag) { + DEBUG_PRINT_HIGH("--> TOTAL PROCESSING TIME"); +@@ -5041,6 +5043,9 @@ OMX_ERRORTYPE omx_vdec::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr) + index = bufferHdr - m_inp_mem_ptr; + DEBUG_PRINT_LOW("Free Input Buffer index = %d",index); + ++ auto_lock l(buf_lock); ++ bufferHdr->pInputPortPrivate = NULL; ++ + if (index 
< drv_ctx.ip_buf.actualcount && drv_ctx.ptr_inputbuffer) { + DEBUG_PRINT_LOW("Free Input Buffer index = %d",index); + if (drv_ctx.ptr_inputbuffer[index].pmem_fd > 0) { +@@ -5985,7 +5990,9 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer(OMX_IN OMX_HANDLETYPE hComp, + OMX_ERRORTYPE ret1 = OMX_ErrorNone; + unsigned int nBufferIndex = drv_ctx.ip_buf.actualcount; + +- if (m_state == OMX_StateInvalid) { ++ if (m_state != OMX_StateExecuting && ++ m_state != OMX_StatePause && ++ m_state != OMX_StateIdle) { + DEBUG_PRINT_ERROR("Empty this buffer in Invalid State"); + return OMX_ErrorInvalidState; + } +@@ -6136,9 +6143,10 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, + return OMX_ErrorNone; + } + ++ auto_lock l(buf_lock); + temp_buffer = (struct vdec_bufferpayload *)buffer->pInputPortPrivate; + +- if ((temp_buffer - drv_ctx.ptr_inputbuffer) > (int)drv_ctx.ip_buf.actualcount) { ++ if (!temp_buffer || (temp_buffer - drv_ctx.ptr_inputbuffer) > (int)drv_ctx.ip_buf.actualcount) { + return OMX_ErrorBadParameter; + } + /* If its first frame, H264 codec and reject is true, then parse the nal +@@ -6164,7 +6172,7 @@ OMX_ERRORTYPE omx_vdec::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, + /*for use buffer we need to memcpy the data*/ + temp_buffer->buffer_len = buffer->nFilledLen; + +- if (input_use_buffer) { ++ if (input_use_buffer && temp_buffer->bufferaddr) { + if (buffer->nFilledLen <= temp_buffer->buffer_len) { + if (arbitrary_bytes) { + memcpy (temp_buffer->bufferaddr, (buffer->pBuffer + buffer->nOffset),buffer->nFilledLen); +@@ -6340,6 +6348,18 @@ if (buffer->nFlags & QOMX_VIDEO_BUFFERFLAG_EOSEQ) { + OMX_ERRORTYPE omx_vdec::fill_this_buffer(OMX_IN OMX_HANDLETYPE hComp, + OMX_IN OMX_BUFFERHEADERTYPE* buffer) + { ++ if (m_state != OMX_StateExecuting && ++ m_state != OMX_StatePause && ++ m_state != OMX_StateIdle) { ++ DEBUG_PRINT_ERROR("FTB in Invalid State"); ++ return OMX_ErrorInvalidState; ++ } ++ ++ if (!m_out_bEnabled) { ++ 
DEBUG_PRINT_ERROR("ERROR:FTB incorrect state operation, output port is disabled."); ++ return OMX_ErrorIncorrectStateOperation; ++ } ++ + unsigned nPortIndex = 0; + if (dynamic_buf_mode) { + private_handle_t *handle = NULL; +@@ -6376,12 +6396,6 @@ OMX_ERRORTYPE omx_vdec::fill_this_buffer(OMX_IN OMX_HANDLETYPE hComp, + buffer->nAllocLen = handle->size; + } + +- +- if (m_state == OMX_StateInvalid) { +- DEBUG_PRINT_ERROR("FTB in Invalid State"); +- return OMX_ErrorInvalidState; +- } +- + if (!m_out_bEnabled) { + DEBUG_PRINT_ERROR("ERROR:FTB incorrect state operation, output port is disabled."); + return OMX_ErrorIncorrectStateOperation; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3747/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3747/ANY/0001.patch new file mode 100644 index 00000000..8b429546 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3747/ANY/0001.patch 
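Review bot: In the `empty_this_buffer_proxy` hunk of the added patch the rewritten bounds test still uses `>`, so a `pInputPortPrivate` pointing one element past `drv_ctx.ptr_inputbuffer` (offset equal to `actualcount`) is accepted, and a pointer below the array base gives a negative difference that also passes. I would compute the offset once and reject both ends: `ptrdiff_t off = temp_buffer - drv_ctx.ptr_inputbuffer;` followed by `if (!temp_buffer || off < 0 || off >= (ptrdiff_t)drv_ctx.ip_buf.actualcount) return OMX_ErrorBadParameter;`. Separately, the context lines assign `temp_buffer->buffer_len = buffer->nFilledLen` immediately before testing `buffer->nFilledLen <= temp_buffer->buffer_len`, so that test cannot fail and does not bound the `memcpy`; the allocation size it should be compared against is not visible in this hunk. The function bodies continue outside the hunks.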
@@ -0,0 +1,91 @@ +From 905826825e4459c0dfc9d6475e950d6be3a16fc7 Mon Sep 17 00:00:00 2001 +From: Praveen Chavan +Date: Mon, 25 Apr 2016 11:51:05 -0700 +Subject: mm-video-v4l2: venc: Avoid processing ETBs/FTBs in invalid states + +(per the spec) ETB/FTB should not be handled in states other than +Executing, Paused and Idle. This avoids accessing invalid buffers. +Also add a lock to protect the private-buffers from being deleted +while accessing from another thread. + +Bug: 27903498 +Security Vulnerability - Heap Use-After-Free and Possible LPE in +MediaServer (libOmxVenc problem #3) + +CRs-Fixed: 1010088 + +Change-Id: I898b42034c0add621d4f9d8e02ca0ed4403d4fd3 +--- + mm-video-v4l2/vidc/venc/src/omx_video_base.cpp | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp +index a481872..df30748 100644 +--- a/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp ++++ b/mm-video-v4l2/vidc/venc/src/omx_video_base.cpp +@@ -2561,6 +2561,8 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr) + } + + if (index < m_sInPortDef.nBufferCountActual && m_pInput_pmem) { ++ auto_lock l(m_lock); ++ + if (m_pInput_pmem[index].fd > 0 && input_use_buffer == false) { + DEBUG_PRINT_LOW("FreeBuffer:: i/p AllocateBuffer case"); + if(!secure_session) { +@@ -2568,6 +2570,7 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr) + } else { + free(m_pInput_pmem[index].buffer); + } ++ m_pInput_pmem[index].buffer = NULL; + close (m_pInput_pmem[index].fd); + #ifdef USE_ION + free_ion_memory(&m_pInput_ion[index]); +@@ -2581,6 +2584,7 @@ OMX_ERRORTYPE omx_video::free_input_buffer(OMX_BUFFERHEADERTYPE *bufferHdr) + } + if(!secure_session) { + munmap (m_pInput_pmem[index].buffer,m_pInput_pmem[index].size); ++ m_pInput_pmem[index].buffer = NULL; + } + close (m_pInput_pmem[index].fd); + #ifdef USE_ION +@@ -3296,7 +3300,9 @@ 
OMX_ERRORTYPE omx_video::empty_this_buffer(OMX_IN OMX_HANDLETYPE hComp, + unsigned int nBufferIndex ; + + DEBUG_PRINT_LOW("ETB: buffer = %p, buffer->pBuffer[%p]", buffer, buffer->pBuffer); +- if (m_state == OMX_StateInvalid) { ++ if (m_state != OMX_StateExecuting && ++ m_state != OMX_StatePause && ++ m_state != OMX_StateIdle) { + DEBUG_PRINT_ERROR("ERROR: Empty this buffer in Invalid State"); + return OMX_ErrorInvalidState; + } +@@ -3459,9 +3465,13 @@ OMX_ERRORTYPE omx_video::empty_this_buffer_proxy(OMX_IN OMX_HANDLETYPE hComp, + #endif + { + DEBUG_PRINT_LOW("Heap UseBuffer case, so memcpy the data"); ++ ++ auto_lock l(m_lock); + pmem_data_buf = (OMX_U8 *)m_pInput_pmem[nBufIndex].buffer; +- memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset), +- buffer->nFilledLen); ++ if (pmem_data_buf) { ++ memcpy (pmem_data_buf, (buffer->pBuffer + buffer->nOffset), ++ buffer->nFilledLen); ++ } + DEBUG_PRINT_LOW("memcpy() done in ETBProxy for i/p Heap UseBuf"); + } else if (mUseProxyColorFormat) { + // Gralloc-source buffers with color-conversion +@@ -3520,7 +3530,9 @@ OMX_ERRORTYPE omx_video::fill_this_buffer(OMX_IN OMX_HANDLETYPE hComp, + OMX_IN OMX_BUFFERHEADERTYPE* buffer) + { + DEBUG_PRINT_LOW("FTB: buffer->pBuffer[%p]", buffer->pBuffer); +- if (m_state == OMX_StateInvalid) { ++ if (m_state != OMX_StateExecuting && ++ m_state != OMX_StatePause && ++ m_state != OMX_StateIdle) { + DEBUG_PRINT_ERROR("ERROR: FTB in Invalid State"); + return OMX_ErrorInvalidState; + } +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3768/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3768/ANY/0001.patch new file mode 100644 index 00000000..5e0db56f --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3768/ANY/0001.patch 
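Review bot: In the `empty_this_buffer_proxy` hunk the new `if (pmem_data_buf)` guard skips the `memcpy` when `free_input_buffer` has already cleared the pointer, but the function then carries on and logs "memcpy() done", so the encoder is handed a buffer whose contents were never written. Failing the call is safer than continuing, for example `if (!pmem_data_buf) return OMX_ErrorBadParameter;` placed before the copy; what cleanup the caller expects on that path is outside the hunk and should be checked. The copy length `buffer->nFilledLen` is also not compared with `m_pInput_pmem[nBufIndex].size` in the visible lines, so a check or a comment stating where that bound is enforced would help.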
@@ -0,0 +1,90 @@ +From d75be03af111fb5a31eba82f665242e6d8b07008 Mon Sep 17 00:00:00 2001 +From: Arun KS +Date: Wed, 11 May 2016 10:11:36 +0530 +Subject: msm: perf: Do not allocate new hw_event if event is duplicate. + +During a perf_event_enable, kernel/events/core.c calls pmu->add() which +is platform implementation(arch/arm/kernel/perf_event.c). Due to the +duplicate constraints, arch/arm/mach-msm/perf_event_msm_krait_l2.c +drivers marks the event as OFF but returns TRUE to perf_event.c which +goes ahead and allocates the hw_event and enables it. + +Since event is marked OFF, kernel events core will try to enable this event +again during next perf_event_enable. Which results in same event enabled +on multiple hw_events. But during the perf_release, event struct is freed +and only one hw_event is released. This results in dereferencing the +invalid pointer and hence the crash. + +Fix this by returning error in case of constraint event duplicate. Hence +avoiding the same event programmed on multiple hw event counters. 
+ +Change-Id: Ia3360be027dfe87ac753191ffe7e0bc947e72455 +Signed-off-by: Arun KS +--- + arch/arm/kernel/perf_event.c | 1 + + arch/arm/mach-msm/perf_event_msm_krait_l2.c | 1 + + arch/arm/mach-msm/perf_event_msm_l2.c | 4 +++- + kernel/events/core.c | 7 ------- + 4 files changed, 5 insertions(+), 8 deletions(-) + +diff --git a/arch/arm/kernel/perf_event.c b/arch/arm/kernel/perf_event.c +index 1541a80..a1264ac 100644 +--- a/arch/arm/kernel/perf_event.c ++++ b/arch/arm/kernel/perf_event.c +@@ -308,6 +308,7 @@ armpmu_add(struct perf_event *event, int flags) + pr_err("Event: %llx failed constraint check.\n", + event->attr.config); + event->state = PERF_EVENT_STATE_OFF; ++ err = -EPERM; + goto out; + } + +diff --git a/arch/arm/mach-msm/perf_event_msm_krait_l2.c b/arch/arm/mach-msm/perf_event_msm_krait_l2.c +index d816794..57f82d0 100644 +--- a/arch/arm/mach-msm/perf_event_msm_krait_l2.c ++++ b/arch/arm/mach-msm/perf_event_msm_krait_l2.c +@@ -463,6 +463,7 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event) + if (!(event->cpu < 0)) { + event->state = PERF_EVENT_STATE_OFF; + event->attr.constraint_duplicate = 1; ++ err = -EPERM; + } + } + out: +diff --git a/arch/arm/mach-msm/perf_event_msm_l2.c b/arch/arm/mach-msm/perf_event_msm_l2.c +index f78487a..93695e2 100644 +--- a/arch/arm/mach-msm/perf_event_msm_l2.c ++++ b/arch/arm/mach-msm/perf_event_msm_l2.c +@@ -836,8 +836,10 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event) + * This sets the event OFF on all but one + * CPU. 
+ */ +- if (!(event->cpu < 0)) ++ if (!(event->cpu < 0)) { + event->state = PERF_EVENT_STATE_OFF; ++ err = -EPERM; ++ } + } + + out: +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 33ad70a..7ebe09a 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -3030,13 +3030,6 @@ static void put_event(struct perf_event *event) + + if (!atomic_long_dec_and_test(&event->refcount)) + return; +- /* +- * Event can be in state OFF because of a constraint check. +- * Change to ACTIVE so that it gets cleaned up correctly. +- */ +- if ((event->state == PERF_EVENT_STATE_OFF) && +- event->attr.constraint_duplicate) +- event->state = PERF_EVENT_STATE_ACTIVE; + + rcu_read_lock(); + owner = ACCESS_ONCE(event->owner); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3768/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3768/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3768/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3768/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3775/3.10/0.patch b/Patches/Linux_CVEs/CVE-2016-3775/3.10/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3775/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2016-3775/3.10/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3775/3.18/1.patch b/Patches/Linux_CVEs/CVE-2016-3775/3.18/0004.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3775/3.18/1.patch rename to Patches/Linux_CVEs/CVE-2016-3775/3.18/0004.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3775/3.4/3.patch b/Patches/Linux_CVEs/CVE-2016-3775/3.4/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3775/3.4/3.patch rename to Patches/Linux_CVEs/CVE-2016-3775/3.4/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3775/3.4/2.patch b/Patches/Linux_CVEs/CVE-2016-3775/3.4/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3775/3.4/2.patch rename to Patches/Linux_CVEs/CVE-2016-3775/3.4/0002.patch 
diff --git a/Patches/Linux_CVEs/CVE-2016-3775/3.4/2.patch.base64 b/Patches/Linux_CVEs/CVE-2016-3775/3.4/0002.patch.base64 similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3775/3.4/2.patch.base64 rename to Patches/Linux_CVEs/CVE-2016-3775/3.4/0002.patch.base64 diff --git a/Patches/Linux_CVEs/CVE-2016-3792/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3792/ANY/0001.patch new file mode 100644 index 00000000..d556ad88 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3792/ANY/0001.patch 
@@ -0,0 +1,336 @@ +From 28d4f0c1f712bffb4aa5b47f06e97d5a9fa06d29 Mon Sep 17 00:00:00 2001 +From: Arif Hussain +Date: Sun, 27 Oct 2013 23:01:14 -0700 +Subject: wlan: Userspace data copy fix + +Use copy_to_user and copy_from_user for +copying data to/from user space. + +Change-Id: I07ed5361b439f4bcd61bbf693cc17c950f5b2660 +CRs-Fixed: 561022 +--- + CORE/HDD/inc/wlan_hdd_main.h | 1 + + CORE/HDD/src/wlan_hdd_hostapd.c | 160 ++++++++++++++++++++++++++++++---------- + 2 files changed, 124 insertions(+), 37 deletions(-) + +diff --git a/CORE/HDD/inc/wlan_hdd_main.h b/CORE/HDD/inc/wlan_hdd_main.h +index 57b2ec0..e3fcca4 100644 +--- a/CORE/HDD/inc/wlan_hdd_main.h ++++ b/CORE/HDD/inc/wlan_hdd_main.h +@@ -153,6 +153,7 @@ + #define MAC_ADDR_ARRAY(a) (a)[0], (a)[1], (a)[2], (a)[3], (a)[4], (a)[5] + /** Mac Address string **/ + #define MAC_ADDRESS_STR "%02x:%02x:%02x:%02x:%02x:%02x" ++#define MAC_ADDRESS_STR_LEN 18 /* Including null terminator */ + #define MAX_GENIE_LEN 255 + + #define WLAN_CHIP_VERSION "WCNSS" +diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c +index a5d696e..a155932 100644 +--- a/CORE/HDD/src/wlan_hdd_hostapd.c ++++ b/CORE/HDD/src/wlan_hdd_hostapd.c +@@ -1418,12 +1418,13 @@ static iw_softap_getassoc_stamacaddr(struct net_device *dev, + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pHostapdAdapter = (netdev_priv(dev)); +- unsigned char *pmaclist; ++ unsigned int maclist_index; + hdd_station_info_t *pStaInfo = pHostapdAdapter->aStaInfo; ++ char maclist_null = '\0'; + int cnt = 0, len; + + +- pmaclist = wrqu->data.pointer + sizeof(unsigned long int); ++ maclist_index = sizeof(unsigned long int); + len = wrqu->data.length; + + spin_lock_bh( &pHostapdAdapter->staInfo_lock ); +@@ -1431,8 +1432,13 @@ static iw_softap_getassoc_stamacaddr(struct net_device *dev, + if (TRUE == pStaInfo[cnt].isUsed) { + + if(!IS_BROADCAST_MAC(pStaInfo[cnt].macAddrSTA.bytes)) { +- memcpy((void *)pmaclist, (void *)&(pStaInfo[cnt].macAddrSTA), 
sizeof(v_MACADDR_t)); +- pmaclist += sizeof(v_MACADDR_t); ++ if (copy_to_user((void *)wrqu->data.pointer + maclist_index, ++ (void *)&(pStaInfo[cnt].macAddrSTA), sizeof(v_MACADDR_t))) ++ { ++ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); ++ return -EFAULT; ++ } ++ maclist_index += sizeof(v_MACADDR_t); + len -= sizeof(v_MACADDR_t); + } + } +@@ -1440,12 +1446,16 @@ static iw_softap_getassoc_stamacaddr(struct net_device *dev, + } + spin_unlock_bh( &pHostapdAdapter->staInfo_lock ); + +- *pmaclist = '\0'; +- ++ if (copy_to_user((void *)wrqu->data.pointer + maclist_index, ++ (void *)&maclist_null, sizeof(maclist_null)) || ++ copy_to_user((void *)wrqu->data.pointer, ++ (void *)&wrqu->data.length, sizeof(wrqu->data.length))) ++ { ++ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); ++ return -EFAULT; ++ } + wrqu->data.length -= len; + +- *(unsigned long int *)(wrqu->data.pointer) = wrqu->data.length; +- + return 0; + } + +@@ -1494,20 +1504,35 @@ static iw_softap_ap_stats(struct net_device *dev, + int len = wrqu->data.length; + pstatbuf = wrqu->data.pointer; + +- WLANSAP_GetStatistics((WLAN_HDD_GET_CTX(pHostapdAdapter))->pvosContext, &statBuffer, (v_BOOL_t)wrqu->data.flags); +- +- len = scnprintf(pstatbuf, len, +- "RUF=%d RMF=%d RBF=%d " +- "RUB=%d RMB=%d RBB=%d " +- "TUF=%d TMF=%d TBF=%d " +- "TUB=%d TMB=%d TBB=%d", +- (int)statBuffer.rxUCFcnt, (int)statBuffer.rxMCFcnt, (int)statBuffer.rxBCFcnt, +- (int)statBuffer.rxUCBcnt, (int)statBuffer.rxMCBcnt, (int)statBuffer.rxBCBcnt, +- (int)statBuffer.txUCFcnt, (int)statBuffer.txMCFcnt, (int)statBuffer.txBCFcnt, +- (int)statBuffer.txUCBcnt, (int)statBuffer.txMCBcnt, (int)statBuffer.txBCBcnt +- ); ++ WLANSAP_GetStatistics((WLAN_HDD_GET_CTX(pHostapdAdapter))->pvosContext, ++ &statBuffer, (v_BOOL_t)wrqu->data.flags); + ++ pstatbuf = kmalloc(wrqu->data.length, GFP_KERNEL); ++ if(NULL == pstatbuf) { ++ hddLog(LOG1, "unable to allocate memory"); ++ return -ENOMEM; ++ } ++ len = scnprintf(pstatbuf, 
wrqu->data.length, ++ "RUF=%d RMF=%d RBF=%d " ++ "RUB=%d RMB=%d RBB=%d " ++ "TUF=%d TMF=%d TBF=%d " ++ "TUB=%d TMB=%d TBB=%d", ++ (int)statBuffer.rxUCFcnt, (int)statBuffer.rxMCFcnt, ++ (int)statBuffer.rxBCFcnt, (int)statBuffer.rxUCBcnt, ++ (int)statBuffer.rxMCBcnt, (int)statBuffer.rxBCBcnt, ++ (int)statBuffer.txUCFcnt, (int)statBuffer.txMCFcnt, ++ (int)statBuffer.txBCFcnt, (int)statBuffer.txUCBcnt, ++ (int)statBuffer.txMCBcnt, (int)statBuffer.txBCBcnt); ++ ++ if (len > wrqu->data.length || ++ copy_to_user((void *)wrqu->data.pointer, (void *)pstatbuf, len)) ++ { ++ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); ++ kfree(pstatbuf); ++ return -EFAULT; ++ } + wrqu->data.length -= len; ++ kfree(pstatbuf); + return 0; + } + +@@ -1870,8 +1895,15 @@ int iw_get_genie(struct net_device *dev, + status = WLANSap_getstationIE_information(pVosContext, + &length, + genIeBytes); +- wrqu->data.length = VOS_MIN((u_int16_t) length, DOT11F_IE_RSN_MAX_LEN); +- vos_mem_copy( wrqu->data.pointer, (v_VOID_t*)genIeBytes, wrqu->data.length); ++ length = VOS_MIN((u_int16_t) length, DOT11F_IE_RSN_MAX_LEN); ++ if (wrqu->data.length < length || ++ copy_to_user(wrqu->data.pointer, ++ (v_VOID_t*)genIeBytes, length)) ++ { ++ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); ++ return -EFAULT; ++ } ++ wrqu->data.length = length; + + hddLog(LOG1,FL(" RSN IE of %d bytes returned\n"), wrqu->data.length ); + +@@ -1885,18 +1917,30 @@ int iw_get_WPSPBCProbeReqIEs(struct net_device *dev, + union iwreq_data *wrqu, char *extra) + { + hdd_adapter_t *pHostapdAdapter = (netdev_priv(dev)); +- sQcSapreq_WPSPBCProbeReqIES_t *pWPSPBCProbeReqIEs; ++ sQcSapreq_WPSPBCProbeReqIES_t WPSPBCProbeReqIEs; + hdd_ap_ctx_t *pHddApCtx = WLAN_HDD_GET_AP_CTX_PTR(pHostapdAdapter); + ENTER(); +- ++ + hddLog(LOG1,FL("get_WPSPBCProbeReqIEs ioctl\n")); +- +- pWPSPBCProbeReqIEs = (sQcSapreq_WPSPBCProbeReqIES_t *)(wrqu->data.pointer); +- pWPSPBCProbeReqIEs->probeReqIELen = 
pHddApCtx->WPSPBCProbeReq.probeReqIELen; +- vos_mem_copy(pWPSPBCProbeReqIEs->probeReqIE, pHddApCtx->WPSPBCProbeReq.probeReqIE, pWPSPBCProbeReqIEs->probeReqIELen); +- vos_mem_copy(pWPSPBCProbeReqIEs->macaddr, pHddApCtx->WPSPBCProbeReq.peerMacAddr, sizeof(v_MACADDR_t)); +- wrqu->data.length = 12 + pWPSPBCProbeReqIEs->probeReqIELen; +- hddLog(LOG1, FL("Macaddress : "MAC_ADDRESS_STR"\n"), MAC_ADDR_ARRAY(pWPSPBCProbeReqIEs->macaddr)); ++ memset((void*)&WPSPBCProbeReqIEs, 0, sizeof(WPSPBCProbeReqIEs)); ++ ++ WPSPBCProbeReqIEs.probeReqIELen = pHddApCtx->WPSPBCProbeReq.probeReqIELen; ++ vos_mem_copy(&WPSPBCProbeReqIEs.probeReqIE, ++ pHddApCtx->WPSPBCProbeReq.probeReqIE, ++ WPSPBCProbeReqIEs.probeReqIELen); ++ vos_mem_copy(&WPSPBCProbeReqIEs.macaddr, ++ pHddApCtx->WPSPBCProbeReq.peerMacAddr, ++ sizeof(v_MACADDR_t)); ++ if (copy_to_user(wrqu->data.pointer, ++ (void *)&WPSPBCProbeReqIEs, ++ sizeof(WPSPBCProbeReqIEs))) ++ { ++ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); ++ return -EFAULT; ++ } ++ wrqu->data.length = 12 + WPSPBCProbeReqIEs.probeReqIELen; ++ hddLog(LOG1, FL("Macaddress : "MAC_ADDRESS_STR"\n"), ++ MAC_ADDR_ARRAY(WPSPBCProbeReqIEs.macaddr)); + up(&pHddApCtx->semWpsPBCOverlapInd); + EXIT(); + return 0; +@@ -2282,20 +2326,37 @@ static int iw_softap_setwpsie(struct net_device *dev, + v_CONTEXT_t pVosContext = (WLAN_HDD_GET_CTX(pHostapdAdapter))->pvosContext; + hdd_hostapd_state_t *pHostapdState; + eHalStatus halStatus= eHAL_STATUS_SUCCESS; +- u_int8_t *wps_genie = wrqu->data.pointer; ++ u_int8_t *wps_genie; ++ u_int8_t *fwps_genie; + u_int8_t *pos; + tpSap_WPSIE pSap_WPSIe; + u_int8_t WPSIeType; + u_int16_t length; + ENTER(); + +- if(!wrqu->data.length) ++ if(!wrqu->data.length || wrqu->data.length <= QCSAP_MAX_WSC_IE) + return 0; + ++ wps_genie = kmalloc(wrqu->data.length, GFP_KERNEL); ++ ++ if(NULL == wps_genie) { ++ hddLog(LOG1, "unable to allocate memory"); ++ return -ENOMEM; ++ } ++ fwps_genie = wps_genie; ++ if (copy_from_user((void 
*)wps_genie, ++ wrqu->data.pointer, wrqu->data.length)) ++ { ++ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); ++ kfree(fwps_genie); ++ return -EFAULT; ++ } ++ + pSap_WPSIe = vos_mem_malloc(sizeof(tSap_WPSIE)); + if (NULL == pSap_WPSIe) + { + hddLog(LOGE, "VOS unable to allocate memory\n"); ++ kfree(fwps_genie); + return -ENOMEM; + } + vos_mem_zero(pSap_WPSIe, sizeof(tSap_WPSIE)); +@@ -2312,6 +2373,7 @@ static int iw_softap_setwpsie(struct net_device *dev, + if (wps_genie[1] < 2 + 4) + { + vos_mem_free(pSap_WPSIe); ++ kfree(fwps_genie); + return -EINVAL; + } + else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) +@@ -2385,6 +2447,7 @@ static int iw_softap_setwpsie(struct net_device *dev, + default: + hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)\n", (*pos<<8 | *(pos+1))); + vos_mem_free(pSap_WPSIe); ++ kfree(fwps_genie); + return -EINVAL; + } + } +@@ -2398,6 +2461,7 @@ static int iw_softap_setwpsie(struct net_device *dev, + default: + hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]); + vos_mem_free(pSap_WPSIe); ++ kfree(fwps_genie); + return 0; + } + } +@@ -2411,6 +2475,7 @@ static int iw_softap_setwpsie(struct net_device *dev, + if (wps_genie[1] < 2 + 4) + { + vos_mem_free(pSap_WPSIe); ++ kfree(fwps_genie); + return -EINVAL; + } + else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) +@@ -2575,6 +2640,7 @@ static int iw_softap_setwpsie(struct net_device *dev, + } + + vos_mem_free(pSap_WPSIe); ++ kfree(fwps_genie); + EXIT(); + return halStatus; + } +@@ -2682,7 +2748,7 @@ static int iw_set_ap_genie(struct net_device *dev, + hdd_adapter_t *pHostapdAdapter = (netdev_priv(dev)); + v_CONTEXT_t pVosContext = (WLAN_HDD_GET_CTX(pHostapdAdapter))->pvosContext; + eHalStatus halStatus= eHAL_STATUS_SUCCESS; +- u_int8_t *genie = wrqu->data.pointer; ++ u_int8_t *genie = (u_int8_t *)extra; + + ENTER(); + +@@ -2691,7 +2757,7 @@ static int iw_set_ap_genie(struct net_device *dev, + EXIT(); + return 0; + } +- ++ + switch (genie[0]) + { + case 
DOT11F_EID_WPA: +@@ -2702,7 +2768,7 @@ static int iw_set_ap_genie(struct net_device *dev, + hdd_softap_Register_BC_STA(pHostapdAdapter, 1); + } + (WLAN_HDD_GET_AP_CTX_PTR(pHostapdAdapter))->uPrivacy = 1; +- halStatus = WLANSAP_Set_WPARSNIes(pVosContext, wrqu->data.pointer, wrqu->data.length); ++ halStatus = WLANSAP_Set_WPARSNIes(pVosContext, genie, wrqu->data.length); + break; + + default: +@@ -2768,6 +2834,7 @@ int iw_get_softap_linkspeed(struct net_device *dev, + hdd_adapter_t *pHostapdAdapter = (netdev_priv(dev)); + hdd_context_t *pHddCtx; + char *pLinkSpeed = (char*)extra; ++ char *pmacAddress; + v_U32_t link_speed; + unsigned short staId; + int len = sizeof(v_U32_t)+1; +@@ -2786,7 +2853,26 @@ int iw_get_softap_linkspeed(struct net_device *dev, + } + + hddLog(VOS_TRACE_LEVEL_INFO, "%s wrqu->data.length= %d\n", __func__, wrqu->data.length); +- status = hdd_string_to_hex ((char *)wrqu->data.pointer, wrqu->data.length, macAddress ); ++ if (wrqu->data.length != MAC_ADDRESS_STR_LEN) ++ { ++ hddLog(LOG1, "Invalid length"); ++ return -EINVAL; ++ } ++ pmacAddress = kmalloc(MAC_ADDRESS_STR_LEN, GFP_KERNEL); ++ if(NULL == pmacAddress) { ++ hddLog(LOG1, "unable to allocate memory"); ++ return -ENOMEM; ++ } ++ if (copy_from_user((void *)pmacAddress, ++ wrqu->data.pointer, wrqu->data.length)) ++ { ++ hddLog(LOG1, "%s: failed to copy data to user buffer", __func__); ++ kfree(pmacAddress); ++ return -EFAULT; ++ } ++ ++ status = hdd_string_to_hex (pmacAddress, wrqu->data.length, macAddress ); ++ kfree(pmacAddress); + + if (!VOS_IS_STATUS_SUCCESS(status )) + { +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3797/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3797/ANY/0001.patch new file mode 100644 index 00000000..bff80ffa --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3797/ANY/0001.patch 
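Review bot: In `iw_softap_getassoc_stamacaddr` the added `copy_to_user()` runs between `spin_lock_bh(&pHostapdAdapter->staInfo_lock)` and the matching unlock, and its failure branch returns `-EFAULT` without releasing the lock. A user-space copy can fault and sleep, which is not allowed with a spinlock held, and the early return leaves `staInfo_lock` held for every later caller. The entries should be staged in a kernel buffer under the lock and copied out after `spin_unlock_bh()`, with the remaining space checked before each entry, since `len` is decremented but never tested in the visible lines. The loop header is outside the hunk, so the sketch below marks it as unchanged. The `iw_softap_setwpsie` part of the same patch returns 0 for every length up to `QCSAP_MAX_WSC_IE` and allocates only for larger ones, which looks inverted and deserves a second look.

```c
    u_int8_t *maclist;

    /* room for the length header and the terminating NUL at minimum */
    if (wrqu->data.length < sizeof(unsigned long int) + 1)
        return -EINVAL;

    /* copy_to_user() can fault and sleep: stage the list in kernel memory
     * and touch user space only after staInfo_lock is released. */
    maclist = kzalloc(wrqu->data.length, GFP_KERNEL);
    if (NULL == maclist)
        return -ENOMEM;

    spin_lock_bh( &pHostapdAdapter->staInfo_lock );
    /* … unchanged: station loop, isUsed and IS_BROADCAST_MAC tests … */
            /* keep one byte free for the terminator */
            if (maclist_index + sizeof(v_MACADDR_t) < wrqu->data.length) {
                memcpy(maclist + maclist_index,
                       &(pStaInfo[cnt].macAddrSTA), sizeof(v_MACADDR_t));
                maclist_index += sizeof(v_MACADDR_t);
                len -= sizeof(v_MACADDR_t);
            }
    /* … unchanged: end of loop … */
    spin_unlock_bh( &pHostapdAdapter->staInfo_lock );

    /* kzalloc() left the byte at maclist_index as the terminator */
    if (copy_to_user((void *)wrqu->data.pointer + sizeof(unsigned long int),
                     maclist + sizeof(unsigned long int),
                     maclist_index + 1 - sizeof(unsigned long int)))
    {
        kfree(maclist);
        return -EFAULT;
    }
    kfree(maclist);
    /* … length header write and wrqu->data.length update as in the patch … */
```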
@@ -0,0 +1,60 @@ +From fdda9c0af64d6e5cdf006e2d8dd57e655821a962 Mon Sep 17 00:00:00 2001 +From: Srinivas Girigowda +Date: Sun, 10 Apr 2016 00:35:17 -0700 +Subject: qcacld-2.0: Fix buffer overwrite problem in CCXPLMREQ + +Set the number of channels to minimum of input data and +WNI_CFG_VALID_CHANNEL_LIST_LEN. + +Change-Id: Ib6fca483ac99cddfcd3b739ce62e86ecd498f1f5 +CRs-Fixed: 1001450 +--- + CORE/HDD/src/wlan_hdd_main.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c +index a6249e1..38452eb 100644 +--- a/CORE/HDD/src/wlan_hdd_main.c ++++ b/CORE/HDD/src/wlan_hdd_main.c +@@ -3002,8 +3002,9 @@ static eHalStatus hdd_parse_plm_cmd(tANI_U8 *pValue, tSirPlmReq *pPlmRequest) + if (content < 0) + return eHAL_STATUS_FAILURE; + ++ content = VOS_MIN(content, WNI_CFG_VALID_CHANNEL_LIST_LEN); + pPlmRequest->plmNumCh = content; +- hddLog(VOS_TRACE_LEVEL_DEBUG, "numch %d", pPlmRequest->plmNumCh); ++ hddLog(LOG1, FL("Numch: %d"), pPlmRequest->plmNumCh); + + /* Channel numbers */ + for (count = 0; count < pPlmRequest->plmNumCh; count++) +@@ -3021,10 +3022,9 @@ static eHalStatus hdd_parse_plm_cmd(tANI_U8 *pValue, tSirPlmReq *pPlmRequest) + if (1 != ret) return eHAL_STATUS_FAILURE; + + ret = kstrtos32(buf, 10, &content); +- if ( ret < 0) return eHAL_STATUS_FAILURE; +- +- if (content <= 0) +- return eHAL_STATUS_FAILURE; ++ if (ret < 0 || content <= 0 || ++ content > WNI_CFG_CURRENT_CHANNEL_STAMAX) ++ return eHAL_STATUS_FAILURE; + + pPlmRequest->plmChList[count]= content; + hddLog(VOS_TRACE_LEVEL_DEBUG, " ch- %d", +@@ -6464,11 +6464,11 @@ static int hdd_driver_command(hdd_adapter_t *pAdapter, + { + tANI_U8 *value = command; + eHalStatus status = eHAL_STATUS_SUCCESS; +- tpSirPlmReq pPlmRequest = NULL; ++ tpSirPlmReq pPlmRequest; + + pPlmRequest = vos_mem_malloc(sizeof(tSirPlmReq)); + if (NULL == pPlmRequest){ +- ret = -EINVAL; ++ ret = -ENOMEM; + goto exit; + } + +-- +cgit v1.1 + 
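Review bot: `hdd_parse_plm_cmd` now clamps the requested channel count with `VOS_MIN(content, WNI_CFG_VALID_CHANNEL_LIST_LEN)` instead of rejecting it, so an oversized request is silently truncated and the channels beyond the limit are left unparsed in the command string. Returning `eHAL_STATUS_FAILURE` would match how the function treats the other malformed fields: `if (content > WNI_CFG_VALID_CHANNEL_LIST_LEN) return eHAL_STATUS_FAILURE;`. The clamp is only a sufficient bound if `plmChList` has at least `WNI_CFG_VALID_CHANNEL_LIST_LEN` entries; its declaration is not in the hunk, so a comment next to the clamp naming that array size would make the invariant checkable. The function body continues outside the hunk.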
diff --git a/Patches/Linux_CVEs/CVE-2016-3809/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3809/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3809/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3809/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3809/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2016-3809/ANY/0001.patch.base64 similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3809/ANY/0.patch.base64 rename to Patches/Linux_CVEs/CVE-2016-3809/ANY/0001.patch.base64 diff --git a/Patches/Linux_CVEs/CVE-2016-3813/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3813/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3813/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3813/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3813/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-3813/3.18/0002.patch new file mode 100644 index 00000000..dc954494 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3813/3.18/0002.patch 
@@ -0,0 +1,51 @@ +From de81d402f12a3492400644024e694748d3514951 Mon Sep 17 00:00:00 2001 +From: Vijayavardhan Vennapusa +Date: Thu, 5 May 2016 14:37:08 +0530 +Subject: USB: dwc3: debugfs: Add boundary check in dwc3_store_ep_num() + +User can pass arguments as part of write to requests and endpoint number +will be calculated based on the arguments. There is a chance that driver +can access ep structue that is not allocated due to invalid arguments +passed by user. Hence fix the issue by having check and return error in +case of invalid arguments. + +Change-Id: I060ea878b55ce0f9983b91c50e58718c8a2c2fa1 +Signed-off-by: Vijayavardhan Vennapusa +--- + drivers/usb/dwc3/debugfs.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/dwc3/debugfs.c b/drivers/usb/dwc3/debugfs.c +index 7a88671..c82647f 100644 +--- a/drivers/usb/dwc3/debugfs.c ++++ b/drivers/usb/dwc3/debugfs.c +@@ -630,7 +630,7 @@ static ssize_t dwc3_store_ep_num(struct file *file, const char __user *ubuf, + struct seq_file *s = file->private_data; + struct dwc3 *dwc = s->private; + char kbuf[10]; +- unsigned int num, dir; ++ unsigned int num, dir, temp; + unsigned long flags; + + memset(kbuf, 0, 10); +@@ -641,8 +641,16 @@ static ssize_t dwc3_store_ep_num(struct file *file, const char __user *ubuf, + if (sscanf(kbuf, "%u %u", &num, &dir) != 2) + return -EINVAL; + ++ if (dir != 0 && dir != 1) ++ return -EINVAL; ++ ++ temp = (num << 1) + dir; ++ if (temp >= (dwc->num_in_eps + dwc->num_out_eps) || ++ temp >= DWC3_ENDPOINTS_NUM) ++ return -EINVAL; ++ + spin_lock_irqsave(&dwc->lock, flags); +- ep_num = (num << 1) + dir; ++ ep_num = temp; + spin_unlock_irqrestore(&dwc->lock, flags); + + return count; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3841/3.10/1.patch b/Patches/Linux_CVEs/CVE-2016-3841/3.10/1.patch deleted file mode 100644 index 22b6dfb3..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3841/3.10/1.patch +++ /dev/null 
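Review bot: In `dwc3_store_ep_num` the new range check is applied to `temp = (num << 1) + dir`, and `num` is parsed from user input by `sscanf` with `%u`, so a very large `num` wraps in the shift and can land back inside the accepted range. The stored `ep_num` stays within bounds, so the out-of-range access is still prevented, but the function accepts input it should refuse. Checking `num` before the shift closes that: `if (num >= DWC3_ENDPOINTS_NUM / 2) return -EINVAL;`. The start of the function, including the copy into `kbuf`, is outside the hunk.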
@@ -1,574 +0,0 @@ -From 07bd7f369c24d534163ed0f1cffdd461af648732 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Sun, 29 Nov 2015 19:37:57 -0800 -Subject: [PATCH] ipv6: add complete rcu protection around np->opt - -[ Upstream commit 45f6fad84cc305103b28d73482b344d7f5b76f39 ] - -This patch addresses multiple problems : - -UDP/RAW sendmsg() need to get a stable struct ipv6_txoptions -while socket is not locked : Other threads can change np->opt -concurrently. Dmitry posted a syzkaller -(http://github.com/google/syzkaller) program desmonstrating -use-after-free. - -Starting with TCP/DCCP lockless listeners, tcp_v6_syn_recv_sock() -and dccp_v6_request_recv_sock() also need to use RCU protection -to dereference np->opt once (before calling ipv6_dup_options()) - -This patch adds full RCU protection to np->opt - -BUG: 28746669 - -Reported-by: Dmitry Vyukov -Signed-off-by: Eric Dumazet -Acked-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller -Signed-off-by: Jiri Slaby ---- - include/linux/ipv6.h | 2 +- - include/net/ipv6.h | 21 ++++++++++++++++++++- - net/dccp/ipv6.c | 33 +++++++++++++++++++++------------ - net/ipv6/af_inet6.c | 13 +++++++++---- - net/ipv6/datagram.c | 4 +++- - net/ipv6/exthdrs.c | 3 ++- - net/ipv6/inet6_connection_sock.c | 11 ++++++++--- - net/ipv6/ipv6_sockglue.c | 36 ++++++++++++++++++++++++------------ - net/ipv6/raw.c | 8 ++++++-- - net/ipv6/syncookies.c | 2 +- - net/ipv6/tcp_ipv6.c | 28 +++++++++++++++++----------- - net/ipv6/udp.c | 8 ++++++-- - net/l2tp/l2tp_ip6.c | 8 ++++++-- - 13 files changed, 124 insertions(+), 53 deletions(-) - -diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h -index 9f3792c1dcde3..f6f0c3cfd6771 100644 ---- a/include/linux/ipv6.h -+++ b/include/linux/ipv6.h -@@ -222,7 +222,7 @@ struct ipv6_pinfo { - struct ipv6_ac_socklist *ipv6_ac_list; - struct ipv6_fl_socklist __rcu *ipv6_fl_list; - -- struct ipv6_txoptions *opt; -+ struct ipv6_txoptions __rcu *opt; - struct sk_buff *pktoptions; - struct sk_buff *rxpmtu; 
- struct { -diff --git a/include/net/ipv6.h b/include/net/ipv6.h -index 27e9ba47b3040..48c799736152e 100644 ---- a/include/net/ipv6.h -+++ b/include/net/ipv6.h -@@ -203,6 +203,7 @@ extern rwlock_t ip6_ra_lock; - */ - - struct ipv6_txoptions { -+ atomic_t refcnt; - /* Length of this structure */ - int tot_len; - -@@ -215,7 +216,7 @@ struct ipv6_txoptions { - struct ipv6_opt_hdr *dst0opt; - struct ipv6_rt_hdr *srcrt; /* Routing Header */ - struct ipv6_opt_hdr *dst1opt; -- -+ struct rcu_head rcu; - /* Option buffer, as read by IPV6_PKTOPTIONS, starts here. */ - }; - -@@ -246,6 +247,24 @@ struct ipv6_fl_socklist { - struct rcu_head rcu; - }; - -+static inline struct ipv6_txoptions *txopt_get(const struct ipv6_pinfo *np) -+{ -+ struct ipv6_txoptions *opt; -+ -+ rcu_read_lock(); -+ opt = rcu_dereference(np->opt); -+ if (opt && !atomic_inc_not_zero(&opt->refcnt)) -+ opt = NULL; -+ rcu_read_unlock(); -+ return opt; -+} -+ -+static inline void txopt_put(struct ipv6_txoptions *opt) -+{ -+ if (opt && atomic_dec_and_test(&opt->refcnt)) -+ kfree_rcu(opt, rcu); -+} -+ - extern struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk, __be32 label); - extern struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions * opt_space, - struct ip6_flowlabel * fl, -diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c -index 6cf9f7782ad42..86eedbaf037ff 100644 ---- a/net/dccp/ipv6.c -+++ b/net/dccp/ipv6.c -@@ -235,7 +235,9 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req) - security_req_classify_flow(req, flowi6_to_flowi(&fl6)); - - -- final_p = fl6_update_dst(&fl6, np->opt, &final); -+ rcu_read_lock(); -+ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final); -+ rcu_read_unlock(); - - dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false); - if (IS_ERR(dst)) { -@@ -252,7 +254,10 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req) - &ireq6->loc_addr, - &ireq6->rmt_addr); - fl6.daddr = ireq6->rmt_addr; -- err = ip6_xmit(sk, skb, 
&fl6, np->opt, np->tclass); -+ rcu_read_lock(); -+ err = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt), -+ np->tclass); -+ rcu_read_unlock(); - err = net_xmit_eval(err); - } - -@@ -448,6 +453,7 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk, - { - struct inet6_request_sock *ireq6 = inet6_rsk(req); - struct ipv6_pinfo *newnp, *np = inet6_sk(sk); -+ struct ipv6_txoptions *opt; - struct inet_sock *newinet; - struct dccp6_sock *newdp6; - struct sock *newsk; -@@ -571,13 +577,15 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk, - * Yes, keeping reference count would be much more clever, but we make - * one more one thing there: reattach optmem to newsk. - */ -- if (np->opt != NULL) -- newnp->opt = ipv6_dup_options(newsk, np->opt); -- -+ opt = rcu_dereference(np->opt); -+ if (opt) { -+ opt = ipv6_dup_options(newsk, opt); -+ RCU_INIT_POINTER(newnp->opt, opt); -+ } - inet_csk(newsk)->icsk_ext_hdr_len = 0; -- if (newnp->opt != NULL) -- inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen + -- newnp->opt->opt_flen); -+ if (opt) -+ inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen + -+ opt->opt_flen; - - dccp_sync_mss(newsk, dst_mtu(dst)); - -@@ -829,6 +837,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, - struct ipv6_pinfo *np = inet6_sk(sk); - struct dccp_sock *dp = dccp_sk(sk); - struct in6_addr *saddr = NULL, *final_p, final; -+ struct ipv6_txoptions *opt; - struct flowi6 fl6; - struct dst_entry *dst; - int addr_type; -@@ -931,7 +940,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, - fl6.fl6_sport = inet->inet_sport; - security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); - -- final_p = fl6_update_dst(&fl6, np->opt, &final); -+ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk)); -+ final_p = fl6_update_dst(&fl6, opt, &final); - - dst = ip6_dst_lookup_flow(sk, &fl6, final_p, true); - if (IS_ERR(dst)) { -@@ -951,9 +961,8 @@ static int dccp_v6_connect(struct sock *sk, 
struct sockaddr *uaddr, - __ip6_dst_store(sk, dst, NULL, NULL); - - icsk->icsk_ext_hdr_len = 0; -- if (np->opt != NULL) -- icsk->icsk_ext_hdr_len = (np->opt->opt_flen + -- np->opt->opt_nflen); -+ if (opt) -+ icsk->icsk_ext_hdr_len = opt->opt_flen + opt->opt_nflen; - - inet->inet_dport = usin->sin6_port; - -diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c -index d29ae19ae698f..04e88b508d4e8 100644 ---- a/net/ipv6/af_inet6.c -+++ b/net/ipv6/af_inet6.c -@@ -448,9 +448,11 @@ void inet6_destroy_sock(struct sock *sk) - - /* Free tx options */ - -- opt = xchg(&np->opt, NULL); -- if (opt != NULL) -- sock_kfree_s(sk, opt, opt->tot_len); -+ opt = xchg((__force struct ipv6_txoptions **)&np->opt, NULL); -+ if (opt) { -+ atomic_sub(opt->tot_len, &sk->sk_omem_alloc); -+ txopt_put(opt); -+ } - } - EXPORT_SYMBOL_GPL(inet6_destroy_sock); - -@@ -697,7 +699,10 @@ int inet6_sk_rebuild_header(struct sock *sk) - fl6.flowi6_uid = sock_i_uid(sk); - security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); - -- final_p = fl6_update_dst(&fl6, np->opt, &final); -+ rcu_read_lock(); -+ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), -+ &final); -+ rcu_read_unlock(); - - dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false); - if (IS_ERR(dst)) { -diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c -index 2b7cbebcd2b1f..7d766307438c0 100644 ---- a/net/ipv6/datagram.c -+++ b/net/ipv6/datagram.c -@@ -169,8 +169,10 @@ int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) - - security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); - -- opt = flowlabel ? flowlabel->opt : np->opt; -+ rcu_read_lock(); -+ opt = flowlabel ? 
flowlabel->opt : rcu_dereference(np->opt); - final_p = fl6_update_dst(&fl6, opt, &final); -+ rcu_read_unlock(); - - dst = ip6_dst_lookup_flow(sk, &fl6, final_p, true); - err = 0; -diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c -index 8d67900aa0036..33dbd6c1a00df 100644 ---- a/net/ipv6/exthdrs.c -+++ b/net/ipv6/exthdrs.c -@@ -727,6 +727,7 @@ ipv6_dup_options(struct sock *sk, struct ipv6_txoptions *opt) - *((char **)&opt2->dst1opt) += dif; - if (opt2->srcrt) - *((char **)&opt2->srcrt) += dif; -+ atomic_set(&opt2->refcnt, 1); - } - return opt2; - } -@@ -790,7 +791,7 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, - return ERR_PTR(-ENOBUFS); - - memset(opt2, 0, tot_len); -- -+ atomic_set(&opt2->refcnt, 1); - opt2->tot_len = tot_len; - p = (char *)(opt2 + 1); - -diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c -index 65a46058c8544..157f2b2bb3ee8 100644 ---- a/net/ipv6/inet6_connection_sock.c -+++ b/net/ipv6/inet6_connection_sock.c -@@ -78,7 +78,9 @@ struct dst_entry *inet6_csk_route_req(struct sock *sk, - memset(fl6, 0, sizeof(*fl6)); - fl6->flowi6_proto = IPPROTO_TCP; - fl6->daddr = treq->rmt_addr; -- final_p = fl6_update_dst(fl6, np->opt, &final); -+ rcu_read_lock(); -+ final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final); -+ rcu_read_unlock(); - fl6->saddr = treq->loc_addr; - fl6->flowi6_oif = treq->iif; - fl6->flowi6_mark = inet_rsk(req)->ir_mark; -@@ -215,7 +217,9 @@ static struct dst_entry *inet6_csk_route_socket(struct sock *sk, - fl6->flowi6_uid = sock_i_uid(sk); - security_sk_classify_flow(sk, flowi6_to_flowi(fl6)); - -- final_p = fl6_update_dst(fl6, np->opt, &final); -+ rcu_read_lock(); -+ final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final); -+ rcu_read_unlock(); - - dst = __inet6_csk_dst_check(sk, np->dst_cookie); - if (!dst) { -@@ -249,7 +253,8 @@ int inet6_csk_xmit(struct sk_buff *skb, struct flowi *fl_unused) - /* Restore final destination back after routing done */ - fl6.daddr 
= np->daddr; - -- res = ip6_xmit(sk, skb, &fl6, np->opt, np->tclass); -+ res = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt), -+ np->tclass); - rcu_read_unlock(); - return res; - } -diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c -index d1e2e8ef29c54..f4d2412d9c608 100644 ---- a/net/ipv6/ipv6_sockglue.c -+++ b/net/ipv6/ipv6_sockglue.c -@@ -110,10 +110,12 @@ struct ipv6_txoptions *ipv6_update_options(struct sock *sk, - icsk->icsk_ext_hdr_len = opt->opt_flen + opt->opt_nflen; - icsk->icsk_sync_mss(sk, icsk->icsk_pmtu_cookie); - } -- opt = xchg(&inet6_sk(sk)->opt, opt); -+ opt = xchg((__force struct ipv6_txoptions **)&inet6_sk(sk)->opt, -+ opt); - } else { - spin_lock(&sk->sk_dst_lock); -- opt = xchg(&inet6_sk(sk)->opt, opt); -+ opt = xchg((__force struct ipv6_txoptions **)&inet6_sk(sk)->opt, -+ opt); - spin_unlock(&sk->sk_dst_lock); - } - sk_dst_reset(sk); -@@ -213,9 +215,12 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, - sk->sk_socket->ops = &inet_dgram_ops; - sk->sk_family = PF_INET; - } -- opt = xchg(&np->opt, NULL); -- if (opt) -- sock_kfree_s(sk, opt, opt->tot_len); -+ opt = xchg((__force struct ipv6_txoptions **)&np->opt, -+ NULL); -+ if (opt) { -+ atomic_sub(opt->tot_len, &sk->sk_omem_alloc); -+ txopt_put(opt); -+ } - pktopt = xchg(&np->pktoptions, NULL); - kfree_skb(pktopt); - -@@ -385,7 +390,8 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, - if (optname != IPV6_RTHDR && !ns_capable(net->user_ns, CAP_NET_RAW)) - break; - -- opt = ipv6_renew_options(sk, np->opt, optname, -+ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk)); -+ opt = ipv6_renew_options(sk, opt, optname, - (struct ipv6_opt_hdr __user *)optval, - optlen); - if (IS_ERR(opt)) { -@@ -414,8 +420,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, - retv = 0; - opt = ipv6_update_options(sk, opt); - sticky_done: -- if (opt) -- sock_kfree_s(sk, opt, opt->tot_len); -+ if (opt) { -+ 
atomic_sub(opt->tot_len, &sk->sk_omem_alloc); -+ txopt_put(opt); -+ } - break; - } - -@@ -468,6 +476,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, - break; - - memset(opt, 0, sizeof(*opt)); -+ atomic_set(&opt->refcnt, 1); - opt->tot_len = sizeof(*opt) + optlen; - retv = -EFAULT; - if (copy_from_user(opt+1, optval, optlen)) -@@ -484,8 +493,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, - retv = 0; - opt = ipv6_update_options(sk, opt); - done: -- if (opt) -- sock_kfree_s(sk, opt, opt->tot_len); -+ if (opt) { -+ atomic_sub(opt->tot_len, &sk->sk_omem_alloc); -+ txopt_put(opt); -+ } - break; - } - case IPV6_UNICAST_HOPS: -@@ -1085,10 +1096,11 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname, - case IPV6_RTHDR: - case IPV6_DSTOPTS: - { -+ struct ipv6_txoptions *opt; - - lock_sock(sk); -- len = ipv6_getsockopt_sticky(sk, np->opt, -- optname, optval, len); -+ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk)); -+ len = ipv6_getsockopt_sticky(sk, opt, optname, optval, len); - release_sock(sk); - /* check if ipv6_getsockopt_sticky() returns err code */ - if (len < 0) -diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c -index a9db8d252c9b4..5693cf212e8d7 100644 ---- a/net/ipv6/raw.c -+++ b/net/ipv6/raw.c -@@ -726,6 +726,7 @@ static int rawv6_probe_proto_opt(struct flowi6 *fl6, struct msghdr *msg) - static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk, - struct msghdr *msg, size_t len) - { -+ struct ipv6_txoptions *opt_to_free = NULL; - struct ipv6_txoptions opt_space; - struct sockaddr_in6 * sin6 = (struct sockaddr_in6 *) msg->msg_name; - struct in6_addr *daddr, *final_p, final; -@@ -833,8 +834,10 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk, - if (!(opt->opt_nflen|opt->opt_flen)) - opt = NULL; - } -- if (opt == NULL) -- opt = np->opt; -+ if (!opt) { -+ opt = txopt_get(np); -+ opt_to_free = opt; -+ } - if (flowlabel) - opt = fl6_merge_options(&opt_space, 
flowlabel, opt); - opt = ipv6_fixup_options(&opt_space, opt); -@@ -901,6 +904,7 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk, - dst_release(dst); - out: - fl6_sock_release(flowlabel); -+ txopt_put(opt_to_free); - return err<0?err:len; - do_confirm: - dst_confirm(dst); -diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c -index ba8622daffd7e..701d0656a4021 100644 ---- a/net/ipv6/syncookies.c -+++ b/net/ipv6/syncookies.c -@@ -237,7 +237,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) - memset(&fl6, 0, sizeof(fl6)); - fl6.flowi6_proto = IPPROTO_TCP; - fl6.daddr = ireq6->rmt_addr; -- final_p = fl6_update_dst(&fl6, np->opt, &final); -+ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final); - fl6.saddr = ireq6->loc_addr; - fl6.flowi6_oif = sk->sk_bound_dev_if; - fl6.flowi6_mark = ireq->ir_mark; -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index 32d2141a2f7e6..eea4de6b6a4d2 100644 ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -133,6 +133,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, - struct ipv6_pinfo *np = inet6_sk(sk); - struct tcp_sock *tp = tcp_sk(sk); - struct in6_addr *saddr = NULL, *final_p, final; -+ struct ipv6_txoptions *opt; - struct rt6_info *rt; - struct flowi6 fl6; - struct dst_entry *dst; -@@ -254,7 +255,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, - fl6.fl6_sport = inet->inet_sport; - fl6.flowi6_uid = sock_i_uid(sk); - -- final_p = fl6_update_dst(&fl6, np->opt, &final); -+ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk)); -+ final_p = fl6_update_dst(&fl6, opt, &final); - - security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); - -@@ -283,9 +285,9 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, - tcp_fetch_timewait_stamp(sk, dst); - - icsk->icsk_ext_hdr_len = 0; -- if (np->opt) -- icsk->icsk_ext_hdr_len = (np->opt->opt_flen + -- np->opt->opt_nflen); -+ if (opt) -+ 
icsk->icsk_ext_hdr_len = opt->opt_flen + -+ opt->opt_nflen; - - tp->rx_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr); - -@@ -481,7 +483,8 @@ static int tcp_v6_send_synack(struct sock *sk, struct dst_entry *dst, - - fl6->daddr = treq->rmt_addr; - skb_set_queue_mapping(skb, queue_mapping); -- err = ip6_xmit(sk, skb, fl6, np->opt, np->tclass); -+ err = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt), -+ np->tclass); - err = net_xmit_eval(err); - } - -@@ -1090,6 +1093,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb, - struct inet6_request_sock *treq; - struct ipv6_pinfo *newnp, *np = inet6_sk(sk); - struct tcp6_sock *newtcp6sk; -+ struct ipv6_txoptions *opt; - struct inet_sock *newinet; - struct tcp_sock *newtp; - struct sock *newsk; -@@ -1223,13 +1227,15 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb, - but we make one more one thing there: reattach optmem - to newsk. - */ -- if (np->opt) -- newnp->opt = ipv6_dup_options(newsk, np->opt); -- -+ opt = rcu_dereference(np->opt); -+ if (opt) { -+ opt = ipv6_dup_options(newsk, opt); -+ RCU_INIT_POINTER(newnp->opt, opt); -+ } - inet_csk(newsk)->icsk_ext_hdr_len = 0; -- if (newnp->opt) -- inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen + -- newnp->opt->opt_flen); -+ if (opt) -+ inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen + -+ opt->opt_flen; - - tcp_mtup_init(newsk); - tcp_sync_mss(newsk, dst_mtu(dst)); -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index a2a6dab2363e5..5720144529d59 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -1017,6 +1017,7 @@ int udpv6_sendmsg(struct kiocb *iocb, struct sock *sk, - struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) msg->msg_name; - struct in6_addr *daddr, *final_p, final; - struct ipv6_txoptions *opt = NULL; -+ struct ipv6_txoptions *opt_to_free = NULL; - struct ip6_flowlabel *flowlabel = NULL; - struct flowi6 fl6; - struct dst_entry *dst; -@@ -1171,8 +1172,10 
@@ int udpv6_sendmsg(struct kiocb *iocb, struct sock *sk, - opt = NULL; - connected = 0; - } -- if (opt == NULL) -- opt = np->opt; -+ if (!opt) { -+ opt = txopt_get(np); -+ opt_to_free = opt; -+ } - if (flowlabel) - opt = fl6_merge_options(&opt_space, flowlabel, opt); - opt = ipv6_fixup_options(&opt_space, opt); -@@ -1273,6 +1276,7 @@ int udpv6_sendmsg(struct kiocb *iocb, struct sock *sk, - out: - dst_release(dst); - fl6_sock_release(flowlabel); -+ txopt_put(opt_to_free); - if (!err) - return len; - /* -diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c -index e6e8408c9e367..3b61ddd6e4a67 100644 ---- a/net/l2tp/l2tp_ip6.c -+++ b/net/l2tp/l2tp_ip6.c -@@ -485,6 +485,7 @@ static int l2tp_ip6_sendmsg(struct kiocb *iocb, struct sock *sk, - (struct sockaddr_l2tpip6 *) msg->msg_name; - struct in6_addr *daddr, *final_p, final; - struct ipv6_pinfo *np = inet6_sk(sk); -+ struct ipv6_txoptions *opt_to_free = NULL; - struct ipv6_txoptions *opt = NULL; - struct ip6_flowlabel *flowlabel = NULL; - struct dst_entry *dst = NULL; -@@ -575,8 +576,10 @@ static int l2tp_ip6_sendmsg(struct kiocb *iocb, struct sock *sk, - opt = NULL; - } - -- if (opt == NULL) -- opt = np->opt; -+ if (!opt) { -+ opt = txopt_get(np); -+ opt_to_free = opt; -+ } - if (flowlabel) - opt = fl6_merge_options(&opt_space, flowlabel, opt); - opt = ipv6_fixup_options(&opt_space, opt); -@@ -637,6 +640,7 @@ static int l2tp_ip6_sendmsg(struct kiocb *iocb, struct sock *sk, - dst_release(dst); - out: - fl6_sock_release(flowlabel); -+ txopt_put(opt_to_free); - - return err < 0 ? err : len; - diff --git a/Patches/Linux_CVEs/CVE-2016-3841/3.4/0.patch b/Patches/Linux_CVEs/CVE-2016-3841/3.4/0.patch deleted file mode 100644 index 24a2041c..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3841/3.4/0.patch +++ /dev/null 
@@ -1,557 +0,0 @@ -From a6a295a31168eafb4049a81f2db7bedc339da75e Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Sun, 29 Nov 2015 19:37:57 -0800 -Subject: [PATCH] ipv6: add complete rcu protection around np->opt - -[ Upstream commit 45f6fad84cc305103b28d73482b344d7f5b76f39 ] - -This patch addresses multiple problems : - -UDP/RAW sendmsg() need to get a stable struct ipv6_txoptions -while socket is not locked : Other threads can change np->opt -concurrently. Dmitry posted a syzkaller -(http://github.com/google/syzkaller) program desmonstrating -use-after-free. - -Starting with TCP/DCCP lockless listeners, tcp_v6_syn_recv_sock() -and dccp_v6_request_recv_sock() also need to use RCU protection -to dereference np->opt once (before calling ipv6_dup_options()) - -This patch adds full RCU protection to np->opt - -BUG: 28746669 - -Change-Id: I207da29ac48bb6dd7c40d65f9e27c4e3ff508da0 -Reported-by: Dmitry Vyukov -Signed-off-by: Eric Dumazet -Acked-by: Hannes Frederic Sowa -Signed-off-by: David S. 
Miller -Signed-off-by: Jiri Slaby -Signed-off-by: Pierre Imai ---- - include/linux/ipv6.h | 2 +- - include/net/ipv6.h | 21 ++++++++++++++++++++- - net/dccp/ipv6.c | 39 +++++++++++++++++++++------------------ - net/ipv6/af_inet6.c | 12 +++++++++--- - net/ipv6/datagram.c | 4 +++- - net/ipv6/exthdrs.c | 3 ++- - net/ipv6/inet6_connection_sock.c | 11 ++++++++--- - net/ipv6/ipv6_sockglue.c | 36 ++++++++++++++++++++++++------------ - net/ipv6/raw.c | 8 ++++++-- - net/ipv6/syncookies.c | 2 +- - net/ipv6/tcp_ipv6.c | 28 +++++++++++++++------------- - net/ipv6/udp.c | 8 ++++++-- - 12 files changed, 116 insertions(+), 58 deletions(-) - -diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h -index d5041862ed6cc..8e3f2cb7d7cf1 100644 ---- a/include/linux/ipv6.h -+++ b/include/linux/ipv6.h -@@ -382,7 +382,7 @@ struct ipv6_pinfo { - struct ipv6_ac_socklist *ipv6_ac_list; - struct ipv6_fl_socklist *ipv6_fl_list; - -- struct ipv6_txoptions *opt; -+ struct ipv6_txoptions __rcu *opt; - struct sk_buff *pktoptions; - struct sk_buff *rxpmtu; - struct { -diff --git a/include/net/ipv6.h b/include/net/ipv6.h -index f3d9b54e81d4d..1f455db905900 100644 ---- a/include/net/ipv6.h -+++ b/include/net/ipv6.h -@@ -203,6 +203,7 @@ extern rwlock_t ip6_ra_lock; - */ - - struct ipv6_txoptions { -+ atomic_t refcnt; - /* Length of this structure */ - int tot_len; - -@@ -215,7 +216,7 @@ struct ipv6_txoptions { - struct ipv6_opt_hdr *dst0opt; - struct ipv6_rt_hdr *srcrt; /* Routing Header */ - struct ipv6_opt_hdr *dst1opt; -- -+ struct rcu_head rcu; - /* Option buffer, as read by IPV6_PKTOPTIONS, starts here. 
*/ - }; - -@@ -241,6 +242,24 @@ struct ipv6_fl_socklist { - struct ip6_flowlabel *fl; - }; - -+static inline struct ipv6_txoptions *txopt_get(const struct ipv6_pinfo *np) -+{ -+ struct ipv6_txoptions *opt; -+ -+ rcu_read_lock(); -+ opt = rcu_dereference(np->opt); -+ if (opt && !atomic_inc_not_zero(&opt->refcnt)) -+ opt = NULL; -+ rcu_read_unlock(); -+ return opt; -+} -+ -+static inline void txopt_put(struct ipv6_txoptions *opt) -+{ -+ if (opt && atomic_dec_and_test(&opt->refcnt)) -+ kfree_rcu(opt, rcu); -+} -+ - extern struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk, __be32 label); - extern struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions * opt_space, - struct ip6_flowlabel * fl, -diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c -index 4dc588f520e04..95fd5ec945f03 100644 ---- a/net/dccp/ipv6.c -+++ b/net/dccp/ipv6.c -@@ -253,9 +253,9 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req, - fl6.fl6_sport = inet_rsk(req)->loc_port; - security_req_classify_flow(req, flowi6_to_flowi(&fl6)); - -- opt = np->opt; -- -- final_p = fl6_update_dst(&fl6, opt, &final); -+ rcu_read_lock(); -+ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final); -+ rcu_read_unlock(); - - dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false); - if (IS_ERR(dst)) { -@@ -272,13 +272,14 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req, - &ireq6->loc_addr, - &ireq6->rmt_addr); - fl6.daddr = ireq6->rmt_addr; -- err = ip6_xmit(sk, skb, &fl6, opt, np->tclass); -+ rcu_read_lock(); -+ err = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt), -+ np->tclass); -+ rcu_read_unlock(); - err = net_xmit_eval(err); - } - - done: -- if (opt != NULL && opt != np->opt) -- sock_kfree_s(sk, opt, opt->tot_len); - dst_release(dst); - return err; - } -@@ -469,6 +470,7 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk, - { - struct inet6_request_sock *ireq6 = inet6_rsk(req); - struct ipv6_pinfo *newnp, *np = inet6_sk(sk); -+ struct 
ipv6_txoptions *opt; - struct inet_sock *newinet; - struct dccp6_sock *newdp6; - struct sock *newsk; -@@ -594,16 +596,16 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk, - * Yes, keeping reference count would be much more clever, but we make - * one more one thing there: reattach optmem to newsk. - */ -- if (opt != NULL) { -- newnp->opt = ipv6_dup_options(newsk, opt); -- if (opt != np->opt) -- sock_kfree_s(sk, opt, opt->tot_len); -- } - -+ opt = rcu_dereference(np->opt); -+ if (opt) { -+ opt = ipv6_dup_options(newsk, opt); -+ RCU_INIT_POINTER(newnp->opt, opt); -+ } - inet_csk(newsk)->icsk_ext_hdr_len = 0; -- if (newnp->opt != NULL) -- inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen + -- newnp->opt->opt_flen); -+ if (opt) -+ inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen + -+ opt->opt_flen; - - dccp_sync_mss(newsk, dst_mtu(dst)); - -@@ -856,6 +858,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, - struct ipv6_pinfo *np = inet6_sk(sk); - struct dccp_sock *dp = dccp_sk(sk); - struct in6_addr *saddr = NULL, *final_p, final; -+ struct ipv6_txoptions *opt; - struct flowi6 fl6; - struct dst_entry *dst; - int addr_type; -@@ -958,7 +961,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, - fl6.fl6_sport = inet->inet_sport; - security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); - -- final_p = fl6_update_dst(&fl6, np->opt, &final); -+ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk)); -+ final_p = fl6_update_dst(&fl6, opt, &final); - - dst = ip6_dst_lookup_flow(sk, &fl6, final_p, true); - if (IS_ERR(dst)) { -@@ -978,9 +982,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, - __ip6_dst_store(sk, dst, NULL, NULL); - - icsk->icsk_ext_hdr_len = 0; -- if (np->opt != NULL) -- icsk->icsk_ext_hdr_len = (np->opt->opt_flen + -- np->opt->opt_nflen); -+ if (opt) -+ icsk->icsk_ext_hdr_len = opt->opt_flen + opt->opt_nflen; - - inet->inet_dport = usin->sin6_port; - -diff --git 
a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c -index 296886bff7348..69b587e3a5cbb 100644 ---- a/net/ipv6/af_inet6.c -+++ b/net/ipv6/af_inet6.c -@@ -448,8 +448,11 @@ void inet6_destroy_sock(struct sock *sk) - - /* Free tx options */ - -- if ((opt = xchg(&np->opt, NULL)) != NULL) -- sock_kfree_s(sk, opt, opt->tot_len); -+ opt = xchg((__force struct ipv6_txoptions **)&np->opt, NULL); -+ if (opt) { -+ atomic_sub(opt->tot_len, &sk->sk_omem_alloc); -+ txopt_put(opt); -+ } - } - - EXPORT_SYMBOL_GPL(inet6_destroy_sock); -@@ -705,7 +708,10 @@ int inet6_sk_rebuild_header(struct sock *sk) - fl6.flowi6_uid = sock_i_uid(sk); - security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); - -- final_p = fl6_update_dst(&fl6, np->opt, &final); -+ rcu_read_lock(); -+ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), -+ &final); -+ rcu_read_unlock(); - - dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false); - if (IS_ERR(dst)) { -diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c -index ae4d713ac88d8..2659d0028bb12 100644 ---- a/net/ipv6/datagram.c -+++ b/net/ipv6/datagram.c -@@ -167,8 +167,10 @@ int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) - - security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); - -- opt = flowlabel ? flowlabel->opt : np->opt; -+ rcu_read_lock(); -+ opt = flowlabel ? 
flowlabel->opt : rcu_dereference(np->opt); - final_p = fl6_update_dst(&fl6, opt, &final); -+ rcu_read_unlock(); - - dst = ip6_dst_lookup_flow(sk, &fl6, final_p, true); - err = 0; -diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c -index 3d641b6e9b092..e66773850e50d 100644 ---- a/net/ipv6/exthdrs.c -+++ b/net/ipv6/exthdrs.c -@@ -748,6 +748,7 @@ ipv6_dup_options(struct sock *sk, struct ipv6_txoptions *opt) - *((char**)&opt2->dst1opt) += dif; - if (opt2->srcrt) - *((char**)&opt2->srcrt) += dif; -+ atomic_set(&opt2->refcnt, 1); - } - return opt2; - } -@@ -812,7 +813,7 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, - return ERR_PTR(-ENOBUFS); - - memset(opt2, 0, tot_len); -- -+ atomic_set(&opt2->refcnt, 1); - opt2->tot_len = tot_len; - p = (char *)(opt2 + 1); - -diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c -index aefc8b7180951..67aa2c2b502c9 100644 ---- a/net/ipv6/inet6_connection_sock.c -+++ b/net/ipv6/inet6_connection_sock.c -@@ -66,7 +66,9 @@ struct dst_entry *inet6_csk_route_req(struct sock *sk, - memset(&fl6, 0, sizeof(fl6)); - fl6.flowi6_proto = IPPROTO_TCP; - fl6.daddr = treq->rmt_addr; -- final_p = fl6_update_dst(&fl6, np->opt, &final); -+ rcu_read_lock(); -+ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final); -+ rcu_read_unlock(); - fl6.saddr = treq->loc_addr; - fl6.flowi6_oif = sk->sk_bound_dev_if; - fl6.flowi6_mark = inet_rsk(req)->ir_mark; -@@ -227,7 +229,9 @@ int inet6_csk_xmit(struct sk_buff *skb, struct flowi *fl_unused) - fl6.flowi6_uid = sock_i_uid(sk); - security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); - -- final_p = fl6_update_dst(&fl6, np->opt, &final); -+ rcu_read_lock(); -+ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final); -+ rcu_read_unlock(); - - dst = __inet6_csk_dst_check(sk, np->dst_cookie); - -@@ -250,7 +254,8 @@ int inet6_csk_xmit(struct sk_buff *skb, struct flowi *fl_unused) - /* Restore final destination back after routing done */ - fl6.daddr = 
np->daddr; - -- res = ip6_xmit(sk, skb, &fl6, np->opt, np->tclass); -+ res = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt), -+ np->tclass); - rcu_read_unlock(); - return res; - } -diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c -index 63dd1f89ed7de..601360e6bb839 100644 ---- a/net/ipv6/ipv6_sockglue.c -+++ b/net/ipv6/ipv6_sockglue.c -@@ -110,10 +110,12 @@ struct ipv6_txoptions *ipv6_update_options(struct sock *sk, - icsk->icsk_ext_hdr_len = opt->opt_flen + opt->opt_nflen; - icsk->icsk_sync_mss(sk, icsk->icsk_pmtu_cookie); - } -- opt = xchg(&inet6_sk(sk)->opt, opt); -+ opt = xchg((__force struct ipv6_txoptions **)&inet6_sk(sk)->opt, -+ opt); - } else { - spin_lock(&sk->sk_dst_lock); -- opt = xchg(&inet6_sk(sk)->opt, opt); -+ opt = xchg((__force struct ipv6_txoptions **)&inet6_sk(sk)->opt, -+ opt); - spin_unlock(&sk->sk_dst_lock); - } - sk_dst_reset(sk); -@@ -213,9 +215,12 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, - sk->sk_socket->ops = &inet_dgram_ops; - sk->sk_family = PF_INET; - } -- opt = xchg(&np->opt, NULL); -- if (opt) -- sock_kfree_s(sk, opt, opt->tot_len); -+ opt = xchg((__force struct ipv6_txoptions **)&np->opt, -+ NULL); -+ if (opt) { -+ atomic_sub(opt->tot_len, &sk->sk_omem_alloc); -+ txopt_put(opt); -+ } - pktopt = xchg(&np->pktoptions, NULL); - kfree_skb(pktopt); - -@@ -384,7 +389,8 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, - if (optname != IPV6_RTHDR && !capable(CAP_NET_RAW)) - break; - -- opt = ipv6_renew_options(sk, np->opt, optname, -+ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk)); -+ opt = ipv6_renew_options(sk, opt, optname, - (struct ipv6_opt_hdr __user *)optval, - optlen); - if (IS_ERR(opt)) { -@@ -413,8 +419,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, - retv = 0; - opt = ipv6_update_options(sk, opt); - sticky_done: -- if (opt) -- sock_kfree_s(sk, opt, opt->tot_len); -+ if (opt) { -+ atomic_sub(opt->tot_len, 
&sk->sk_omem_alloc); -+ txopt_put(opt); -+ } - break; - } - -@@ -467,6 +475,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, - break; - - memset(opt, 0, sizeof(*opt)); -+ atomic_set(&opt->refcnt, 1); - opt->tot_len = sizeof(*opt) + optlen; - retv = -EFAULT; - if (copy_from_user(opt+1, optval, optlen)) -@@ -483,8 +492,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, - retv = 0; - opt = ipv6_update_options(sk, opt); - done: -- if (opt) -- sock_kfree_s(sk, opt, opt->tot_len); -+ if (opt) { -+ atomic_sub(opt->tot_len, &sk->sk_omem_alloc); -+ txopt_put(opt); -+ } - break; - } - case IPV6_UNICAST_HOPS: -@@ -1084,10 +1095,11 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname, - case IPV6_RTHDR: - case IPV6_DSTOPTS: - { -+ struct ipv6_txoptions *opt; - - lock_sock(sk); -- len = ipv6_getsockopt_sticky(sk, np->opt, -- optname, optval, len); -+ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk)); -+ len = ipv6_getsockopt_sticky(sk, opt, optname, optval, len); - release_sock(sk); - /* check if ipv6_getsockopt_sticky() returns err code */ - if (len < 0) -diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c -index 49ec3f8e7ceaa..dbe4e09ee7c5f 100644 ---- a/net/ipv6/raw.c -+++ b/net/ipv6/raw.c -@@ -728,6 +728,7 @@ static int rawv6_probe_proto_opt(struct flowi6 *fl6, struct msghdr *msg) - static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk, - struct msghdr *msg, size_t len) - { -+ struct ipv6_txoptions *opt_to_free = NULL; - struct ipv6_txoptions opt_space; - struct sockaddr_in6 * sin6 = (struct sockaddr_in6 *) msg->msg_name; - struct in6_addr *daddr, *final_p, final; -@@ -835,8 +836,10 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk, - if (!(opt->opt_nflen|opt->opt_flen)) - opt = NULL; - } -- if (opt == NULL) -- opt = np->opt; -+ if (!opt) { -+ opt = txopt_get(np); -+ opt_to_free = opt; -+ } - if (flowlabel) - opt = fl6_merge_options(&opt_space, flowlabel, opt); - opt = 
ipv6_fixup_options(&opt_space, opt); -@@ -903,6 +906,7 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk, - dst_release(dst); - out: - fl6_sock_release(flowlabel); -+ txopt_put(opt_to_free); - return err<0?err:len; - do_confirm: - dst_confirm(dst); -diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c -index af939afeae226..b57996a4fd66d 100644 ---- a/net/ipv6/syncookies.c -+++ b/net/ipv6/syncookies.c -@@ -240,7 +240,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) - memset(&fl6, 0, sizeof(fl6)); - fl6.flowi6_proto = IPPROTO_TCP; - fl6.daddr = ireq6->rmt_addr; -- final_p = fl6_update_dst(&fl6, np->opt, &final); -+ final_p = fl6_update_dst(&fl6, rcu_dereference(np->opt), &final); - fl6.saddr = ireq6->loc_addr; - fl6.flowi6_oif = sk->sk_bound_dev_if; - fl6.flowi6_mark = inet_rsk(req)->ir_mark; -diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index c4de212ad12c2..c39a2f47dd8c7 100644 ---- a/net/ipv6/tcp_ipv6.c -+++ b/net/ipv6/tcp_ipv6.c -@@ -132,6 +132,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, - struct ipv6_pinfo *np = inet6_sk(sk); - struct tcp_sock *tp = tcp_sk(sk); - struct in6_addr *saddr = NULL, *final_p, final; -+ struct ipv6_txoptions *opt; - struct rt6_info *rt; - struct flowi6 fl6; - struct dst_entry *dst; -@@ -253,7 +254,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, - fl6.fl6_sport = inet->inet_sport; - fl6.flowi6_uid = sock_i_uid(sk); - -- final_p = fl6_update_dst(&fl6, np->opt, &final); -+ opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk)); -+ final_p = fl6_update_dst(&fl6, opt, &final); - - security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); - -@@ -296,9 +298,9 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, - } - - icsk->icsk_ext_hdr_len = 0; -- if (np->opt) -- icsk->icsk_ext_hdr_len = (np->opt->opt_flen + -- np->opt->opt_nflen); -+ if (opt) -+ icsk->icsk_ext_hdr_len = opt->opt_flen + -+ opt->opt_nflen; - - 
tp->rx_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr); - -@@ -516,7 +518,8 @@ static int tcp_v6_send_synack(struct sock *sk, struct request_sock *req, - __tcp_v6_send_check(skb, &treq->loc_addr, &treq->rmt_addr); - - fl6.daddr = treq->rmt_addr; -- err = ip6_xmit(sk, skb, &fl6, opt, np->tclass); -+ err = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt), -+ np->tclass); - err = net_xmit_eval(err); - } - -@@ -1243,10 +1246,10 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb, - struct inet6_request_sock *treq; - struct ipv6_pinfo *newnp, *np = inet6_sk(sk); - struct tcp6_sock *newtcp6sk; -+ struct ipv6_txoptions *opt; - struct inet_sock *newinet; - struct tcp_sock *newtp; - struct sock *newsk; -- struct ipv6_txoptions *opt; - #ifdef CONFIG_TCP_MD5SIG - struct tcp_md5sig_key *key; - #endif -@@ -1375,16 +1378,15 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb, - but we make one more one thing there: reattach optmem - to newsk. 
- */ -+ opt = rcu_dereference(np->opt); - if (opt) { -- newnp->opt = ipv6_dup_options(newsk, opt); -- if (opt != np->opt) -- sock_kfree_s(sk, opt, opt->tot_len); -+ opt = ipv6_dup_options(newsk, opt); -+ RCU_INIT_POINTER(newnp->opt, opt); - } -- - inet_csk(newsk)->icsk_ext_hdr_len = 0; -- if (newnp->opt) -- inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen + -- newnp->opt->opt_flen); -+ if (opt) -+ inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen + -+ opt->opt_flen; - - tcp_mtup_init(newsk); - tcp_sync_mss(newsk, dst_mtu(dst)); -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index a20d55dc9c2aa..101d2ba8df281 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -955,6 +955,7 @@ int udpv6_sendmsg(struct kiocb *iocb, struct sock *sk, - struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) msg->msg_name; - struct in6_addr *daddr, *final_p, final; - struct ipv6_txoptions *opt = NULL; -+ struct ipv6_txoptions *opt_to_free = NULL; - struct ip6_flowlabel *flowlabel = NULL; - struct flowi6 fl6; - struct dst_entry *dst; -@@ -1109,8 +1110,10 @@ int udpv6_sendmsg(struct kiocb *iocb, struct sock *sk, - opt = NULL; - connected = 0; - } -- if (opt == NULL) -- opt = np->opt; -+ if (!opt) { -+ opt = txopt_get(np); -+ opt_to_free = opt; -+ } - if (flowlabel) - opt = fl6_merge_options(&opt_space, flowlabel, opt); - opt = ipv6_fixup_options(&opt_space, opt); -@@ -1211,6 +1214,7 @@ int udpv6_sendmsg(struct kiocb *iocb, struct sock *sk, - out: - dst_release(dst); - fl6_sock_release(flowlabel); -+ txopt_put(opt_to_free); - if (!err) - return len; - /* diff --git a/Patches/Linux_CVEs/CVE-2016-3841/3.18/2.patch b/Patches/Linux_CVEs/CVE-2016-3841/ANY/0001.patch similarity index 75% rename from Patches/Linux_CVEs/CVE-2016-3841/3.18/2.patch rename to Patches/Linux_CVEs/CVE-2016-3841/ANY/0001.patch index 3fd8d1c8..548bec76 100644 --- a/Patches/Linux_CVEs/CVE-2016-3841/3.18/2.patch +++ b/Patches/Linux_CVEs/CVE-2016-3841/ANY/0001.patch 
@@ -1,9 +1,7 @@ -From 46ddb98e2018a5a62cefa75b3c80882850c91e39 Mon Sep 17 00:00:00 2001 +From 45f6fad84cc305103b28d73482b344d7f5b76f39 Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Sun, 29 Nov 2015 19:37:57 -0800 -Subject: [PATCH] ipv6: add complete rcu protection around np->opt - -[ Upstream commit 45f6fad84cc305103b28d73482b344d7f5b76f39 ] +Subject: ipv6: add complete rcu protection around np->opt This patch addresses multiple problems : @@ -23,7 +21,6 @@ Reported-by: Dmitry Vyukov Signed-off-by: Eric Dumazet Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller -Signed-off-by: Sasha Levin --- include/linux/ipv6.h | 2 +- include/net/ipv6.h | 21 ++++++++++++++++++++- @@ -32,19 +29,19 @@ Signed-off-by: Sasha Levin net/ipv6/datagram.c | 4 +++- net/ipv6/exthdrs.c | 3 ++- net/ipv6/inet6_connection_sock.c | 11 ++++++++--- - net/ipv6/ipv6_sockglue.c | 36 ++++++++++++++++++++++++------------ + net/ipv6/ipv6_sockglue.c | 33 ++++++++++++++++++++++----------- net/ipv6/raw.c | 8 ++++++-- net/ipv6/syncookies.c | 2 +- net/ipv6/tcp_ipv6.c | 28 +++++++++++++++++----------- net/ipv6/udp.c | 8 ++++++-- net/l2tp/l2tp_ip6.c | 8 ++++++-- - 13 files changed, 124 insertions(+), 53 deletions(-) + 13 files changed, 122 insertions(+), 52 deletions(-) diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h -index ff560537dd61b..2725b03b4ae2d 100644 +index 0ef2a97..402753b 100644 --- a/include/linux/ipv6.h +++ b/include/linux/ipv6.h -@@ -212,7 +212,7 @@ struct ipv6_pinfo { +@@ -227,7 +227,7 @@ struct ipv6_pinfo { struct ipv6_ac_socklist *ipv6_ac_list; struct ipv6_fl_socklist __rcu *ipv6_fl_list; @@ -52,12 +49,12 @@ index ff560537dd61b..2725b03b4ae2d 100644 + struct ipv6_txoptions __rcu *opt; struct sk_buff *pktoptions; struct sk_buff *rxpmtu; - struct { + struct inet6_cork cork; diff --git a/include/net/ipv6.h b/include/net/ipv6.h -index bc56e8a6fbd98..a5169a4e9ef76 100644 +index ea5a13e..9a5c9f0 100644 --- a/include/net/ipv6.h 
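Review bot: Filing this patch under `ANY/` looks unsafe, because the new body is the mainline commit (`From 45f6fad8…`) and its context no longer matches the trees the removed `3.18/2.patch` backport was cut for. The `ipv6_sockglue.c` hunk at `@@ -111,7 +111,8 @@` converts a single `xchg()`, whereas the removed version also converted the one under `spin_lock(&sk->sk_dst_lock)`. The `rawv6_sendmsg`, `udpv6_sendmsg` and `l2tp_ip6_sendmsg` hunks likewise expect the signature without `struct kiocb *iocb`. How these files are applied is not visible here, but if rejected hunks are tolerated, a tree could end up with `txopt_put()` on some paths and `sock_kfree_s()` on others, which is worse than not applying the fix. I would keep the version-specific backport in a version-scoped directory such as the `3.18/` one it came from, and add the mainline patch beside it rather than in its place.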
+++ b/include/net/ipv6.h -@@ -207,6 +207,7 @@ extern rwlock_t ip6_ra_lock; +@@ -205,6 +205,7 @@ extern rwlock_t ip6_ra_lock; */ struct ipv6_txoptions { @@ -65,7 +62,7 @@ index bc56e8a6fbd98..a5169a4e9ef76 100644 /* Length of this structure */ int tot_len; -@@ -219,7 +220,7 @@ struct ipv6_txoptions { +@@ -217,7 +218,7 @@ struct ipv6_txoptions { struct ipv6_opt_hdr *dst0opt; struct ipv6_rt_hdr *srcrt; /* Routing Header */ struct ipv6_opt_hdr *dst1opt; @@ -100,10 +97,10 @@ index bc56e8a6fbd98..a5169a4e9ef76 100644 struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions *opt_space, struct ip6_flowlabel *fl, diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c -index 6bcaa33cd804d..7bcb223178415 100644 +index db5fc24..e7e0b9b 100644 --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c -@@ -238,7 +238,9 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req) +@@ -202,7 +202,9 @@ static int dccp_v6_send_response(const struct sock *sk, struct request_sock *req security_req_classify_flow(req, flowi6_to_flowi(&fl6)); @@ -114,7 +111,7 @@ index 6bcaa33cd804d..7bcb223178415 100644 dst = ip6_dst_lookup_flow(sk, &fl6, final_p); if (IS_ERR(dst)) { -@@ -255,7 +257,10 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req) +@@ -219,7 +221,10 @@ static int dccp_v6_send_response(const struct sock *sk, struct request_sock *req &ireq->ir_v6_loc_addr, &ireq->ir_v6_rmt_addr); fl6.daddr = ireq->ir_v6_rmt_addr; 
@@ -126,15 +123,15 @@ index 6bcaa33cd804d..7bcb223178415 100644 err = net_xmit_eval(err); } -@@ -450,6 +455,7 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk, - { +@@ -387,6 +392,7 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk, struct inet_request_sock *ireq = inet_rsk(req); - struct ipv6_pinfo *newnp, *np = inet6_sk(sk); + struct ipv6_pinfo *newnp; + const struct ipv6_pinfo *np = inet6_sk(sk); + struct ipv6_txoptions *opt; struct inet_sock *newinet; struct dccp6_sock *newdp6; struct sock *newsk; -@@ -573,13 +579,15 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk, +@@ -488,13 +494,15 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk, * Yes, keeping reference count would be much more clever, but we make * one more one thing there: reattach optmem to newsk. */ @@ -156,7 +153,7 @@ index 6bcaa33cd804d..7bcb223178415 100644 dccp_sync_mss(newsk, dst_mtu(dst)); -@@ -832,6 +840,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, +@@ -757,6 +765,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, struct ipv6_pinfo *np = inet6_sk(sk); struct dccp_sock *dp = dccp_sk(sk); struct in6_addr *saddr = NULL, *final_p, final; @@ -164,7 +161,7 @@ index 6bcaa33cd804d..7bcb223178415 100644 struct flowi6 fl6; struct dst_entry *dst; int addr_type; -@@ -933,7 +942,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, +@@ -856,7 +865,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, fl6.fl6_sport = inet->inet_sport; security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); 
@@ -174,7 +171,7 @@ index 6bcaa33cd804d..7bcb223178415 100644 dst = ip6_dst_lookup_flow(sk, &fl6, final_p); if (IS_ERR(dst)) { -@@ -953,9 +963,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, +@@ -876,9 +886,8 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr, __ip6_dst_store(sk, dst, NULL, NULL); icsk->icsk_ext_hdr_len = 0; @@ -187,15 +184,15 @@ index 6bcaa33cd804d..7bcb223178415 100644 inet->inet_dport = usin->sin6_port; diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c -index e8c4400f23e9b..05417c330f4ed 100644 +index 44bb66b..38d66dd 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c -@@ -425,9 +425,11 @@ void inet6_destroy_sock(struct sock *sk) +@@ -428,9 +428,11 @@ void inet6_destroy_sock(struct sock *sk) /* Free tx options */ - opt = xchg(&np->opt, NULL); -- if (opt != NULL) +- if (opt) - sock_kfree_s(sk, opt, opt->tot_len); + opt = xchg((__force struct ipv6_txoptions **)&np->opt, NULL); + if (opt) { @@ -205,7 +202,7 @@ index e8c4400f23e9b..05417c330f4ed 100644 } EXPORT_SYMBOL_GPL(inet6_destroy_sock); -@@ -656,7 +658,10 @@ int inet6_sk_rebuild_header(struct sock *sk) +@@ -659,7 +661,10 @@ int inet6_sk_rebuild_header(struct sock *sk) fl6.fl6_sport = inet->inet_sport; security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); @@ -218,10 +215,10 @@ index e8c4400f23e9b..05417c330f4ed 100644 dst = ip6_dst_lookup_flow(sk, &fl6, final_p); if (IS_ERR(dst)) { diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c -index e069aeb2cf72b..9e3b0b66a4f38 100644 +index d70b023..517c55b 100644 --- a/net/ipv6/datagram.c +++ b/net/ipv6/datagram.c -@@ -167,8 +167,10 @@ static int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int a +@@ -167,8 +167,10 @@ ipv4_connected: security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); @@ -234,7 +231,7 @@ index e069aeb2cf72b..9e3b0b66a4f38 100644 dst = ip6_dst_lookup_flow(sk, &fl6, final_p); err = 0; 
diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c -index bfde361b61340..4f08a0f452eb2 100644 +index ce203b0..ea7c4d6 100644 --- a/net/ipv6/exthdrs.c +++ b/net/ipv6/exthdrs.c @@ -727,6 +727,7 @@ ipv6_dup_options(struct sock *sk, struct ipv6_txoptions *opt) @@ -255,12 +252,12 @@ index bfde361b61340..4f08a0f452eb2 100644 p = (char *)(opt2 + 1); diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c -index 29b32206e4948..6cc516c825b68 100644 +index 5d1c7ce..3ff5208 100644 --- a/net/ipv6/inet6_connection_sock.c +++ b/net/ipv6/inet6_connection_sock.c -@@ -77,7 +77,9 @@ struct dst_entry *inet6_csk_route_req(struct sock *sk, +@@ -78,7 +78,9 @@ struct dst_entry *inet6_csk_route_req(const struct sock *sk, memset(fl6, 0, sizeof(*fl6)); - fl6->flowi6_proto = IPPROTO_TCP; + fl6->flowi6_proto = proto; fl6->daddr = ireq->ir_v6_rmt_addr; - final_p = fl6_update_dst(fl6, np->opt, &final); + rcu_read_lock(); @@ -269,7 +266,7 @@ index 29b32206e4948..6cc516c825b68 100644 fl6->saddr = ireq->ir_v6_loc_addr; fl6->flowi6_oif = ireq->ir_iif; fl6->flowi6_mark = ireq->ir_mark; -@@ -208,7 +210,9 @@ static struct dst_entry *inet6_csk_route_socket(struct sock *sk, +@@ -142,7 +144,9 @@ static struct dst_entry *inet6_csk_route_socket(struct sock *sk, fl6->fl6_dport = inet->inet_dport; security_sk_classify_flow(sk, flowi6_to_flowi(fl6)); @@ -280,7 +277,7 @@ index 29b32206e4948..6cc516c825b68 100644 dst = __inet6_csk_dst_check(sk, np->dst_cookie); if (!dst) { -@@ -241,7 +245,8 @@ int inet6_csk_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl_unused +@@ -175,7 +179,8 @@ int inet6_csk_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl_unused /* Restore final destination back after routing done */ fl6.daddr = sk->sk_v6_daddr; @@ -291,25 +288,20 @@ index 29b32206e4948..6cc516c825b68 100644 return res; } diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c -index e1a9583bb4191..f81fcc09ea6c8 100644 +index 63e6956..4449ad1 100644 
--- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c -@@ -110,10 +110,12 @@ struct ipv6_txoptions *ipv6_update_options(struct sock *sk, - icsk->icsk_ext_hdr_len = opt->opt_flen + opt->opt_nflen; +@@ -111,7 +111,8 @@ struct ipv6_txoptions *ipv6_update_options(struct sock *sk, icsk->icsk_sync_mss(sk, icsk->icsk_pmtu_cookie); } -- opt = xchg(&inet6_sk(sk)->opt, opt); -+ opt = xchg((__force struct ipv6_txoptions **)&inet6_sk(sk)->opt, -+ opt); - } else { - spin_lock(&sk->sk_dst_lock); -- opt = xchg(&inet6_sk(sk)->opt, opt); -+ opt = xchg((__force struct ipv6_txoptions **)&inet6_sk(sk)->opt, -+ opt); - spin_unlock(&sk->sk_dst_lock); } +- opt = xchg(&inet6_sk(sk)->opt, opt); ++ opt = xchg((__force struct ipv6_txoptions **)&inet6_sk(sk)->opt, ++ opt); sk_dst_reset(sk); -@@ -213,9 +215,12 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, + + return opt; +@@ -231,9 +232,12 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, sk->sk_socket->ops = &inet_dgram_ops; sk->sk_family = PF_INET; } @@ -325,7 +317,7 @@ index e1a9583bb4191..f81fcc09ea6c8 100644 pktopt = xchg(&np->pktoptions, NULL); kfree_skb(pktopt); -@@ -385,7 +390,8 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, +@@ -403,7 +407,8 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, if (optname != IPV6_RTHDR && !ns_capable(net->user_ns, CAP_NET_RAW)) break; @@ -335,7 +327,7 @@ index e1a9583bb4191..f81fcc09ea6c8 100644 (struct ipv6_opt_hdr __user *)optval, optlen); if (IS_ERR(opt)) { -@@ -414,8 +420,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, +@@ -432,8 +437,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, retv = 0; opt = ipv6_update_options(sk, opt); sticky_done: 
@@ -348,7 +340,7 @@ index e1a9583bb4191..f81fcc09ea6c8 100644 break; } -@@ -468,6 +476,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, +@@ -486,6 +493,7 @@ sticky_done: break; memset(opt, 0, sizeof(*opt)); @@ -356,7 +348,7 @@ index e1a9583bb4191..f81fcc09ea6c8 100644 opt->tot_len = sizeof(*opt) + optlen; retv = -EFAULT; if (copy_from_user(opt+1, optval, optlen)) -@@ -484,8 +493,10 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, +@@ -502,8 +510,10 @@ update: retv = 0; opt = ipv6_update_options(sk, opt); done: @@ -369,7 +361,7 @@ index e1a9583bb4191..f81fcc09ea6c8 100644 break; } case IPV6_UNICAST_HOPS: -@@ -1092,10 +1103,11 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname, +@@ -1110,10 +1120,11 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname, case IPV6_RTHDR: case IPV6_DSTOPTS: { @@ -384,31 +376,31 @@ index e1a9583bb4191..f81fcc09ea6c8 100644 /* check if ipv6_getsockopt_sticky() returns err code */ if (len < 0) diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c -index 896af8807979f..a66a67d17ed67 100644 +index dc65ec1..9914098 100644 --- a/net/ipv6/raw.c 
+++ b/net/ipv6/raw.c -@@ -735,6 +735,7 @@ static int rawv6_probe_proto_opt(struct flowi6 *fl6, struct msghdr *msg) - static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk, - struct msghdr *msg, size_t len) +@@ -733,6 +733,7 @@ static int raw6_getfrag(void *from, char *to, int offset, int len, int odd, + + static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) { + struct ipv6_txoptions *opt_to_free = NULL; struct ipv6_txoptions opt_space; DECLARE_SOCKADDR(struct sockaddr_in6 *, sin6, msg->msg_name); struct in6_addr *daddr, *final_p, final; -@@ -840,8 +841,10 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk, +@@ -839,8 +840,10 @@ static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) if (!(opt->opt_nflen|opt->opt_flen)) opt = NULL; } -- if (opt == NULL) +- if (!opt) - opt = np->opt; + if (!opt) { + opt = txopt_get(np); + opt_to_free = opt; -+ } ++ } if (flowlabel) opt = fl6_merge_options(&opt_space, flowlabel, opt); opt = ipv6_fixup_options(&opt_space, opt); -@@ -902,6 +905,7 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk, +@@ -906,6 +909,7 @@ done: dst_release(dst); out: fl6_sock_release(flowlabel); @@ -417,10 +409,10 @@ index 896af8807979f..a66a67d17ed67 100644 do_confirm: dst_confirm(dst); diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c -index 2f25cb6347ca5..aa9699301ea8e 100644 +index bb8f2fa..eaf7ac4 100644 --- a/net/ipv6/syncookies.c +++ b/net/ipv6/syncookies.c -@@ -241,7 +241,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) +@@ -222,7 +222,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) memset(&fl6, 0, sizeof(fl6)); fl6.flowi6_proto = IPPROTO_TCP; fl6.daddr = ireq->ir_v6_rmt_addr; @@ -430,18 +422,18 @@ index 2f25cb6347ca5..aa9699301ea8e 100644 fl6.flowi6_oif = sk->sk_bound_dev_if; fl6.flowi6_mark = ireq->ir_mark; 
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c -index a3f9f11abf4cf..26feadd0b763f 100644 +index c5429a6..6a50bb4 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c -@@ -134,6 +134,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, +@@ -120,6 +120,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, struct ipv6_pinfo *np = inet6_sk(sk); struct tcp_sock *tp = tcp_sk(sk); struct in6_addr *saddr = NULL, *final_p, final; + struct ipv6_txoptions *opt; - struct rt6_info *rt; struct flowi6 fl6; struct dst_entry *dst; -@@ -253,7 +254,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, + int addr_type; +@@ -235,7 +236,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, fl6.fl6_dport = usin->sin6_port; fl6.fl6_sport = inet->inet_sport; @@ -451,7 +443,7 @@ index a3f9f11abf4cf..26feadd0b763f 100644 security_sk_classify_flow(sk, flowi6_to_flowi(&fl6)); -@@ -282,9 +284,9 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, +@@ -263,9 +265,9 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, tcp_fetch_timewait_stamp(sk, dst); icsk->icsk_ext_hdr_len = 0; 
@@ -464,25 +456,25 @@ index a3f9f11abf4cf..26feadd0b763f 100644 tp->rx_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr); -@@ -501,7 +503,8 @@ static int tcp_v6_send_synack(struct sock *sk, struct dst_entry *dst, +@@ -461,7 +463,8 @@ static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst, + if (np->repflow && ireq->pktopts) fl6->flowlabel = ip6_flowlabel(ipv6_hdr(ireq->pktopts)); - skb_set_queue_mapping(skb, queue_mapping); - err = ip6_xmit(sk, skb, fl6, np->opt, np->tclass); + err = ip6_xmit(sk, skb, fl6, rcu_dereference(np->opt), + np->tclass); err = net_xmit_eval(err); } -@@ -1052,6 +1055,7 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb, +@@ -972,6 +975,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * struct inet_request_sock *ireq; - struct ipv6_pinfo *newnp, *np = inet6_sk(sk); - struct tcp6_sock *newtcp6sk; + struct ipv6_pinfo *newnp; + const struct ipv6_pinfo *np = inet6_sk(sk); + struct ipv6_txoptions *opt; + struct tcp6_sock *newtcp6sk; struct inet_sock *newinet; struct tcp_sock *newtp; - struct sock *newsk; -@@ -1191,13 +1195,15 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb, +@@ -1098,13 +1102,15 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff * but we make one more one thing there: reattach optmem to newsk. */ @@ -502,13 +494,13 @@ index a3f9f11abf4cf..26feadd0b763f 100644 + inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen + + opt->opt_flen; - tcp_sync_mss(newsk, dst_mtu(dst)); - newtp->advmss = dst_metric_advmss(dst); + tcp_ca_openreq_child(newsk, dst); + diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index dd530f0e5a8a2..a5ce705026993 100644 +index 01bcb49..9da3287 100644 --- a/net/ipv6/udp.c 
+++ b/net/ipv6/udp.c -@@ -1082,6 +1082,7 @@ int udpv6_sendmsg(struct kiocb *iocb, struct sock *sk, +@@ -1110,6 +1110,7 @@ int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) DECLARE_SOCKADDR(struct sockaddr_in6 *, sin6, msg->msg_name); struct in6_addr *daddr, *final_p, final; struct ipv6_txoptions *opt = NULL; @@ -516,11 +508,11 @@ index dd530f0e5a8a2..a5ce705026993 100644 struct ip6_flowlabel *flowlabel = NULL; struct flowi6 fl6; struct dst_entry *dst; -@@ -1234,8 +1235,10 @@ int udpv6_sendmsg(struct kiocb *iocb, struct sock *sk, +@@ -1263,8 +1264,10 @@ do_udp_sendmsg: opt = NULL; connected = 0; } -- if (opt == NULL) +- if (!opt) - opt = np->opt; + if (!opt) { + opt = txopt_get(np); @@ -529,7 +521,7 @@ index dd530f0e5a8a2..a5ce705026993 100644 if (flowlabel) opt = fl6_merge_options(&opt_space, flowlabel, opt); opt = ipv6_fixup_options(&opt_space, opt); -@@ -1329,6 +1332,7 @@ int udpv6_sendmsg(struct kiocb *iocb, struct sock *sk, +@@ -1373,6 +1376,7 @@ release_dst: out: dst_release(dst); fl6_sock_release(flowlabel); @@ -538,10 +530,10 @@ index dd530f0e5a8a2..a5ce705026993 100644 return len; /* diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c -index 0edb263cc002e..38658826175ca 100644 +index aca38d8..a2c8747 100644 --- a/net/l2tp/l2tp_ip6.c +++ b/net/l2tp/l2tp_ip6.c -@@ -487,6 +487,7 @@ static int l2tp_ip6_sendmsg(struct kiocb *iocb, struct sock *sk, +@@ -486,6 +486,7 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) DECLARE_SOCKADDR(struct sockaddr_l2tpip6 *, lsa, msg->msg_name); struct in6_addr *daddr, *final_p, final; struct ipv6_pinfo *np = inet6_sk(sk); 
@@ -549,7 +541,7 @@ index 0edb263cc002e..38658826175ca 100644 struct ipv6_txoptions *opt = NULL; struct ip6_flowlabel *flowlabel = NULL; struct dst_entry *dst = NULL; -@@ -576,8 +577,10 @@ static int l2tp_ip6_sendmsg(struct kiocb *iocb, struct sock *sk, +@@ -575,8 +576,10 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) opt = NULL; } @@ -562,7 +554,7 @@ index 0edb263cc002e..38658826175ca 100644 if (flowlabel) opt = fl6_merge_options(&opt_space, flowlabel, opt); opt = ipv6_fixup_options(&opt_space, opt); -@@ -632,6 +635,7 @@ static int l2tp_ip6_sendmsg(struct kiocb *iocb, struct sock *sk, +@@ -631,6 +634,7 @@ done: dst_release(dst); out: fl6_sock_release(flowlabel); @@ -570,3 +562,6 @@ index 0edb263cc002e..38658826175ca 100644 return err < 0 ? err : len; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3842/3.10/1.patch b/Patches/Linux_CVEs/CVE-2016-3842/3.10/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3842/3.10/1.patch rename to Patches/Linux_CVEs/CVE-2016-3842/3.10/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3842/3.18/2.patch b/Patches/Linux_CVEs/CVE-2016-3842/3.18/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3842/3.18/2.patch rename to Patches/Linux_CVEs/CVE-2016-3842/3.18/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3842/3.4/0.patch b/Patches/Linux_CVEs/CVE-2016-3842/3.4/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3842/3.4/0.patch rename to Patches/Linux_CVEs/CVE-2016-3842/3.4/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3843/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3843/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3843/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3843/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2016-3843/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-3843/ANY/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-3843/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2016-3843/ANY/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-3843/ANY/2.patch b/Patches/Linux_CVEs/CVE-2016-3843/ANY/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-3843/ANY/2.patch
rename to Patches/Linux_CVEs/CVE-2016-3843/ANY/0003.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-3843/ANY/3.patch b/Patches/Linux_CVEs/CVE-2016-3843/ANY/0004.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-3843/ANY/3.patch
rename to Patches/Linux_CVEs/CVE-2016-3843/ANY/0004.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-3850/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3850/ANY/0001.patch
new file mode 100644
index 00000000..ff93d534
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-3850/ANY/0001.patch
@@ -0,0 +1,36 @@
+From 9a59b04c8ed8b57537f2f3cbcb06645575f64ac1 Mon Sep 17 00:00:00 2001
+From: Vijay Kumar Pendoti
+Date: Thu, 9 Jun 2016 19:34:01 +0530
+Subject: app: aboot: add integer overflow in booting from emmc
+
+Added integer overflow checks in case of booting from emmc.
+
+Change-Id: If251c7d83a8658a6507e4bbc2a4b86a777505081
+---
+ app/aboot/aboot.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
+index b59aa5d..6418ecb 100644
+--- a/app/aboot/aboot.c
++++ b/app/aboot/aboot.c
+@@ -1077,8 +1077,16 @@ int boot_linux_from_mmc(void)
+
+ #if DEVICE_TREE
+ dt_actual = ROUND_TO_PAGE(hdr->dt_size, page_mask);
++ if (UINT_MAX < ((uint64_t)kernel_actual + (uint64_t)ramdisk_actual+ (uint64_t)dt_actual + page_size)) {
++ dprintf(CRITICAL, "Integer overflow detected in bootimage header fields at %u in %s\n",__LINE__,__FILE__);
++ return -1;
++ }
+ imagesize_actual = (page_size + kernel_actual + ramdisk_actual + dt_actual);
+ #else
++ if (UINT_MAX < ((uint64_t)kernel_actual + (uint64_t)ramdisk_actual + page_size)) {
++ dprintf(CRITICAL, "Integer overflow detected in bootimage header fields at %u in %s\n",__LINE__,__FILE__);
++ return -1;
++ }
+ imagesize_actual = (page_size + kernel_actual + ramdisk_actual);
+ #endif
+
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-3854/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3854/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-3854/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-3854/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-3855/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3855/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-3855/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-3855/ANY/0001.patch
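Review bot: The two new checks in `boot_linux_from_mmc` bound only the final sum, but the operands are already page-rounded (`dt_actual = ROUND_TO_PAGE(hdr->dt_size, page_mask)` sits directly above the first check). A header size close to `UINT_MAX` may therefore wrap to a small value during rounding and still pass. `ROUND_TO_PAGE` is defined outside the hunk, so this is inferred from its use on 32-bit header fields; if it adds the mask in 32-bit arithmetic, reject the raw field before rounding, e.g. `if (hdr->dt_size > UINT_MAX - page_mask) return -1;`, and do the same for the kernel and ramdisk sizes. The function body continues outside the hunk, so an earlier guard may already exist there and should be confirmed.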
diff --git a/Patches/Linux_CVEs/CVE-2016-3857/3.10/0.patch b/Patches/Linux_CVEs/CVE-2016-3857/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3857/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2016-3857/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3857/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-3857/ANY/1.patch deleted file mode 100644 index 98d5e7c5..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3857/ANY/1.patch +++ /dev/null @@ -1,32 +0,0 @@ -From cd169f77b41de0fc1c8b790d71ac8c6c0c0dc7ef Mon Sep 17 00:00:00 2001 -From: Thierry Strudel -Date: Mon, 13 Jun 2016 16:58:43 -0700 -Subject: [PATCH] flo_defconfig: disable CONFIG_OABI_COMPAT - -Bug: 28522518 -Change-Id: I11ec8e02bdb330c10f06e923c1c3d45a145ced15 -Signed-off-by: Thierry Strudel ---- - arch/arm/configs/flo_defconfig | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/arm/configs/flo_defconfig b/arch/arm/configs/flo_defconfig -index cd2ddd65d3325..81c433b95aa40 100644 ---- a/arch/arm/configs/flo_defconfig -+++ b/arch/arm/configs/flo_defconfig -@@ -89,6 +89,7 @@ CONFIG_SMP=y - CONFIG_SCHED_MC=y - CONFIG_PREEMPT=y - CONFIG_AEABI=y -+# CONFIG_OABI_COMPAT is not set - CONFIG_HIGHMEM=y - CONFIG_SECCOMP=y - CONFIG_CC_STACKPROTECTOR=y -@@ -364,7 +365,6 @@ CONFIG_VIDEO_HELPER_CHIPS_AUTO=y - CONFIG_USB_VIDEO_CLASS=y - CONFIG_V4L_PLATFORM_DRIVERS=y - CONFIG_MSM_WFD=y --# CONFIG_RADIO_IRIS is not set - CONFIG_ION=y - CONFIG_ION_MSM=y - CONFIG_MSM_KGSL=y diff --git a/Patches/Linux_CVEs/CVE-2016-3857/ANY/2.patch b/Patches/Linux_CVEs/CVE-2016-3857/ANY/2.patch deleted file mode 100644 index 86fed14b..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3857/ANY/2.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 127f66a3cfe0df54c4a3e86c0bc64d6a49f570a8 Mon Sep 17 00:00:00 2001 -From: Marcos Marado -Date: Tue, 12 Jul 2016 17:45:06 +0100 -Subject: [PATCH] CVE-2016-3857: CONFIG_OABI_COMPAT must be disabled - -An elevation of privilege vulnerability in the kernel could enable a local -malicious application to execute arbitrary code within the context of the -kernel. -This issue is rated as Critical due to the possibility of a local permanent -device compromise, which may require reflashing the operating system to repair -the device. - -ANDROID_28522518 - -There is no validation of the events variable passed to the sys_oabi_epoll_wait -function. -The fix is designed to disable OABI support, which will remove the vulnerable -code. - -Issue: CYNGNOS-3257 - -Change-Id: I1002e9feeaecc276aeda73f86ff089b58e9f626f ---- - -diff --git a/arch/arm64/configs/cyanogenmod_crackling-64_defconfig b/arch/arm64/configs/cyanogenmod_crackling-64_defconfig -index 6d95cf4..1bb5ac4 100644 ---- a/arch/arm64/configs/cyanogenmod_crackling-64_defconfig -+++ b/arch/arm64/configs/cyanogenmod_crackling-64_defconfig -@@ -321,6 +321,7 @@ - CONFIG_VIDEO_V4L2_SUBDEV_API=y - CONFIG_VIDEOBUF2_MSM_MEM=y - CONFIG_V4L_PLATFORM_DRIVERS=y -+# CONFIG_OABI_COMPAT is not set - CONFIG_MSMB_CAMERA=y - CONFIG_MSM_CAMERA_SENSOR=y - CONFIG_MSM_CPP=y -diff --git a/arch/arm64/configs/cyanogenmod_kipper-64_defconfig b/arch/arm64/configs/cyanogenmod_kipper-64_defconfig -index 19813d4..a64717e 100644 ---- a/arch/arm64/configs/cyanogenmod_kipper-64_defconfig -+++ b/arch/arm64/configs/cyanogenmod_kipper-64_defconfig -@@ -373,6 +373,7 @@ - CONFIG_VIDEO_V4L2_SUBDEV_API=y - CONFIG_VIDEOBUF2_MSM_MEM=y - CONFIG_V4L_PLATFORM_DRIVERS=y -+# CONFIG_OABI_COMPAT is not set - CONFIG_MSMB_CAMERA=y - CONFIG_MSM_CAMERA_SENSOR=y - CONFIG_MSM_CPP=y diff --git a/Patches/Linux_CVEs/CVE-2016-3857/ANY/2.patch.base64 b/Patches/Linux_CVEs/CVE-2016-3857/ANY/2.patch.base64 deleted file mode 100644 index a9c590d8..00000000 
--- a/Patches/Linux_CVEs/CVE-2016-3857/ANY/2.patch.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2016-3858/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3858/ANY/0001.patch
new file mode 100644
index 00000000..6febaff9
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-3858/ANY/0001.patch
@@ -0,0 +1,31 @@
+From cab2ba71f13f04aa73c8b8dadc3fc184205c9474 Mon Sep 17 00:00:00 2001
+From: Srinivasarao P
+Date: Mon, 6 Jun 2016 12:33:50 +0530
+Subject: qcom: ssr: Fix possible overflow when copying firmware name
+
+Array overflow can occur in firmware_name_store(), if the variable
+buf contains the string larger than size of subsys->desc->fw_name
+
+Change-Id: Ice39d7a1eb0b5f53125cc5d528021a99b9f7ff90
+Signed-off-by: Srinivasarao P
+---
+ drivers/soc/qcom/subsystem_restart.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/qcom/subsystem_restart.c b/drivers/soc/qcom/subsystem_restart.c
+index de3a5a4..c6dbf2e 100644
+--- a/drivers/soc/qcom/subsystem_restart.c
++++ b/drivers/soc/qcom/subsystem_restart.c
+@@ -293,7 +293,8 @@ static ssize_t firmware_name_store(struct device *dev,
+
+ pr_info("Changing subsys fw_name to %s\n", buf);
+ mutex_lock(&track->lock);
+- strlcpy(subsys->desc->fw_name, buf, count + 1);
++ strlcpy(subsys->desc->fw_name, buf,
++ min(count + 1, sizeof(subsys->desc->fw_name)));
+ mutex_unlock(&track->lock);
+ return count;
+ }
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-3859/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3859/3.10/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-3859/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-3859/3.10/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-3859/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-3859/3.18/0002.patch
new file mode 100644
index 00000000..c65b1d80
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-3859/3.18/0002.patch
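Review bot: `firmware_name_store` still returns `count` after the copy length has been clamped, so a name longer than the destination is silently truncated and reported to the writer as fully stored. The subsystem would then presumably carry a firmware name different from the one requested, with only the `pr_info` of the untruncated `buf` in the log. Rejecting the write before taking `track->lock` is clearer: `if (count >= sizeof(subsys->desc->fw_name)) return -EINVAL;`. This assumes `fw_name` is an array member; its declaration is outside the hunk, and if it were a pointer, `sizeof` would yield the pointer size and the clamp itself would be wrong. The function starts outside the hunk.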
@@ -0,0 +1,36 @@ +From 61b419297e13ed9a28e9b880548b2d96d4aa6c0d Mon Sep 17 00:00:00 2001 +From: Trishansh Bhardwaj +Date: Wed, 29 Jun 2016 14:34:31 +0530 +Subject: msm: camera: Fix memory read by adding bounds check + +Adds bound check on reg_cfg_cmd->u.dmi_info.hi_tbl_offset. + +IOCTL VIDIOC_MSM_VFE_REG_CFG uses usersupplied value without +performing bounds check for following cmd_type. +VFE_READ_DMI_16BIT +VFE_READ_DMI_32BIT +VFE_READ_DMI_64BIT + +Change-Id: I554c45ef3a172f5b5891b67a7e8e7a1f3f3882ed +Signed-off-by: Trishansh Bhardwaj +--- + drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c +index 8e7cb68..86392c6 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c +@@ -1234,7 +1234,8 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, + case VFE_READ_DMI_16BIT: + case VFE_READ_DMI_32BIT: + case VFE_READ_DMI_64BIT: { +- if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT) { ++ if (reg_cfg_cmd->cmd_type == VFE_WRITE_DMI_64BIT || ++ reg_cfg_cmd->cmd_type == VFE_READ_DMI_64BIT) { + if ((reg_cfg_cmd->u.dmi_info.hi_tbl_offset <= + reg_cfg_cmd->u.dmi_info.lo_tbl_offset) || + (reg_cfg_cmd->u.dmi_info.hi_tbl_offset - +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3860/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3860/ANY/0001.patch new file mode 100644 index 00000000..05688a3b --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3860/ANY/0001.patch @@ -0,0 +1,7585 @@ + + + +kernel/msm-3.18 - Unnamed repository + + + + + + + + + +
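Review bot: The commit message names VFE_READ_DMI_16BIT, VFE_READ_DMI_32BIT and VFE_READ_DMI_64BIT as reading with an unchecked user-supplied offset, but the widened condition in msm_isp_send_hw_cmd() adds only `VFE_READ_DMI_64BIT` to the `hi_tbl_offset` validation. If the 16- and 32-bit commands never use `hi_tbl_offset` that is correct, and a comment above the `if` would record it, for example `/* only the 64-bit DMI commands use hi_tbl_offset */`, once that has been confirmed against the rest of the case body. The case body continues outside the hunk, so the remaining bounds checks cannot be verified from here.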
+ + + + +
+summaryrefslogtreecommitdiffstats
+ + + +
+
+
diff options
context:
space:
mode:
Diffstat (limited to 'sound/soc/msm/qdsp6v2/audio_calibration.c')
+
-rw-r--r--sound/soc/msm/qdsp6v2/audio_calibration.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/sound/soc/msm/qdsp6v2/audio_calibration.c b/sound/soc/msm/qdsp6v2/audio_calibration.c
index c4ea4ed..60d09df 100644
--- a/sound/soc/msm/qdsp6v2/audio_calibration.c
+++ b/sound/soc/msm/qdsp6v2/audio_calibration.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014, 2016 The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -490,7 +490,13 @@ static long audio_cal_shared_ioctl(struct file *file, unsigned int cmd,
goto unlock;
if (data == NULL)
goto unlock;
- if (copy_to_user((void *)arg, data,
+ if ((sizeof(data->hdr) + data->hdr.cal_type_size) > size) {
+ pr_err("%s: header size %zd plus cal type size %d are greater than data buffer size %d\n",
+ __func__, sizeof(data->hdr),
+ data->hdr.cal_type_size, size);
+ ret = -EFAULT;
+ goto unlock;
+ } else if (copy_to_user((void *)arg, data,
sizeof(data->hdr) + data->hdr.cal_type_size)) {
pr_err("%s: Could not copy cal type to user\n",
__func__);
+ +
+ + diff --git a/Patches/Linux_CVEs/CVE-2016-3865/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3865/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3865/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3865/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3865/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-3865/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3865/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2016-3865/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3866/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3866/ANY/0001.patch new file mode 100644 index 00000000..cedadb2a --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3866/ANY/0001.patch @@ -0,0 +1,31 @@ +From 5180cefe0eeb6f3e6e0c4967652facd20f07c20c Mon Sep 17 00:00:00 2001 +From: Surendar karka +Date: Wed, 29 Jun 2016 14:23:25 +0530 +Subject: ASoC: msm: qdsp6v2: check param length for EAC3 format + +Initialize param length with user space argument and +check the condition for maximum length in +SND_AUDIOCODEC_EAC3 format. + +CRs-Fixed: 1032820 +Change-Id: I710c1f743d7502e93989e8cc487078366570e723 +Signed-off-by: Surendar karka +--- + sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c +index f577637..26528e6 100644 +--- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c ++++ b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c +@@ -1070,6 +1070,7 @@ static int msm_compr_ioctl_shared(struct snd_pcm_substream *substream, + __func__, ddp->params_length); + return -EINVAL; + } ++ params_length = ddp->params_length*sizeof(int); + if (params_length > MAX_AC3_PARAM_SIZE) { + /*MAX is 36*sizeof(int) this should not happen*/ + pr_err("%s: params_length(%d) is greater than %zd\n", +-- +cgit v1.1 + 
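Review bot: The CVE-2016-3860 `0001.patch` added here does not look like an applicable patch: the hunk announces 7585 added lines and the content opens with cgit page text (`kernel/msm-3.18 - Unnamed repository`, `summaryrefslogtreecommitdiffstats`, `diff options`) wrapped around one small change to `sound/soc/msm/qdsp6v2/audio_calibration.c`. That suggests the web view of the commit was saved instead of its raw patch. If so, tooling that applies this file will reject it, and a build relying on the patchset may ship without the bounds check on `data->hdr.cal_type_size`. Replace the file with the raw patch of the same commit and confirm that it applies, as the neighbouring `cgit v1.1` patches do.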
diff --git a/Patches/Linux_CVEs/CVE-2016-3867/3.10/0.patch b/Patches/Linux_CVEs/CVE-2016-3867/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3867/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2016-3867/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3867/3.18/1.patch b/Patches/Linux_CVEs/CVE-2016-3867/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3867/3.18/1.patch rename to Patches/Linux_CVEs/CVE-2016-3867/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3868/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3868/ANY/0001.patch new file mode 100644 index 00000000..1a6f475f --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3868/ANY/0001.patch 
@@ -0,0 +1,74 @@ +From 17014696ce3836c91215b6d6dd82f3befd6e7d4d Mon Sep 17 00:00:00 2001 +From: Archana Sathyakumar +Date: Wed, 29 Jun 2016 11:47:47 -0600 +Subject: msm-core: debug: Fix the number of arguments for sysfs nodes + +Ptable and enable node parses the input arguments incorrectly. Parse the +input message into exact number of arguments that are required for the +respective nodes. + +CRs-fixed: 1032875 +Change-Id: I881f18217b703a497efa4799288dee39a28ea8ab +Signed-off-by: Archana Sathyakumar +--- + drivers/power/qcom/debug_core.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/power/qcom/debug_core.c b/drivers/power/qcom/debug_core.c +index d3620bb..e9c578f 100644 +--- a/drivers/power/qcom/debug_core.c ++++ b/drivers/power/qcom/debug_core.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -22,6 +22,8 @@ + #include "soc/qcom/msm-core.h" + + #define MAX_PSTATES 50 ++#define NUM_OF_PENTRY 3 /* number of variables for ptable node */ ++#define NUM_OF_EENTRY 2 /* number of variables for enable node */ + + enum arg_offset { + CPU_OFFSET, +@@ -131,13 +133,15 @@ static void add_to_ptable(uint64_t *arg) + node->ptr->len = node->len; + } + +-static int split_ptable_args(char *line, uint64_t *arg) ++static int split_ptable_args(char *line, uint64_t *arg, uint32_t n) + { + char *args; + int i; + int ret = 0; + +- for (i = 0; line; i++) { ++ for (i = 0; i < n; i++) { ++ if (!line) ++ break; + args = strsep(&line, " "); + ret = kstrtoull(args, 10, &arg[i]); + } +@@ -163,7 +167,7 @@ static ssize_t msm_core_ptable_write(struct file *file, + goto done; + } + kbuf[len] = '\0'; +- ret = split_ptable_args(kbuf, arg); ++ ret = split_ptable_args(kbuf, arg, NUM_OF_PENTRY); + 
if (!ret) { + add_to_ptable(arg); + ret = len; +@@ -227,7 +231,7 @@ static ssize_t msm_core_enable_write(struct file *file, + goto done; + } + kbuf[len] = '\0'; +- ret = split_ptable_args(kbuf, arg); ++ ret = split_ptable_args(kbuf, arg, NUM_OF_EENTRY); + if (ret) + goto done; + cpu = arg[CPU_OFFSET]; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3874/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3874/ANY/0001.patch new file mode 100644 index 00000000..dd8e504c --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3874/ANY/0001.patch 
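Review bot: In the rewritten loop of split_ptable_args(), `ret` is overwritten on every pass and the early `break` on `!line` leaves it at the previous value, so input with fewer than `n` tokens, or a bad token followed by a good one, still returns 0. Both callers then use `arg[]` entries that were never written (`arg[CPU_OFFSET]` is visible in msm_core_enable_write()), unless the arrays are zeroed in code outside the hunk. Stop at the first failure with `if (ret) break;` after the `kstrtoull()` call and add `if (!ret && i < n) ret = -EINVAL;` after the loop. `i` is an `int` compared with the `uint32_t n`; declaring it `uint32_t` removes the mixed-sign comparison.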
@@ -0,0 +1,47 @@ +From 50e8f265b3f7926aeb4e49c33f7301ace89faa77 Mon Sep 17 00:00:00 2001 +From: SaidiReddy Yenuga +Date: Mon, 30 May 2016 20:06:19 +0530 +Subject: qcacld-2.0: Fix buffer over read in iwpriv WE_UNIT_TEST_CMD command + +In current driver, WE_UNIT_TEST_CMD has below problems. +- apps_arg[1] can have negative value and can lead to + buffer overead. +- apps_arg[] can be dereferenced beyond the allocated length. + +Change the code to handle the number of args if user has +given negative value. Also avoid dereferencing the +apps_arg[] beyond the allocated length. + +CRs-Fixed: 997797 +Change-Id: Id26ebc32324b800ccdbecbd03f23861b5bde2aaf +--- + CORE/HDD/src/wlan_hdd_wext.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c +index d6cf499..e49ea8e 100644 +--- a/CORE/HDD/src/wlan_hdd_wext.c ++++ b/CORE/HDD/src/wlan_hdd_wext.c +@@ -9106,7 +9106,8 @@ static int __iw_set_var_ints_getnone(struct net_device *dev, + hddLog(LOGE, FL("Invalid MODULE ID %d"), apps_args[0]); + return -EINVAL; + } +- if (apps_args[1] > (WMA_MAX_NUM_ARGS)) { ++ if ((apps_args[1] > (WMA_MAX_NUM_ARGS)) || ++ (apps_args[1] < 0)) { + hddLog(LOGE, FL("Too Many args %d"), apps_args[1]); + return -EINVAL; + } +@@ -9119,7 +9120,8 @@ static int __iw_set_var_ints_getnone(struct net_device *dev, + unitTestArgs->vdev_id = (int)pAdapter->sessionId; + unitTestArgs->module_id = apps_args[0]; + unitTestArgs->num_args = apps_args[1]; +- for (i = 0, j = 2; i < unitTestArgs->num_args; i++, j++) { ++ for (i = 0, j = 2; i < unitTestArgs->num_args - 1; ++ i++, j++) { + unitTestArgs->args[i] = apps_args[j]; + } + msg.type = SIR_HAL_UNIT_TEST_CMD; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3874/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-3874/ANY/0002.patch new file mode 100644 index 00000000..2c2c44ef --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3874/ANY/0002.patch 
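Review bot: The guard on `apps_args[1]` compares the user-supplied count only with `WMA_MAX_NUM_ARGS` and zero; nothing in this hunk ties it to the number of integers that were actually passed in, yet the copy loop reads `apps_args[j]` starting at `j = 2`. This patch narrows the loop to `num_args - 1` and 0002.patch for the same CVE restores `i < unitTestArgs->num_args`, so with both applied the loop reads up to `apps_args[num_args + 1]`. That is safe only if the buffer behind `apps_args` always holds at least `WMA_MAX_NUM_ARGS + 2` integers, which should be confirmed in __iw_set_var_ints_getnone() or enforced by comparing the count with the received length before the loop. The 0002 hunk also changes the log text to "Too Many/Few args" while the check still accepts 0. The function starts and ends outside both hunks.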
@@ -0,0 +1,44 @@ +From a3974e61c960aadcc147c3c5704a67309171642d Mon Sep 17 00:00:00 2001 +From: SaidiReddy Yenuga +Date: Thu, 16 Jun 2016 13:20:35 +0530 +Subject: qcacld-2.0: Fix buffer over read in iwpriv WE_UNIT_TEST_CMD command + +In current driver, WE_UNIT_TEST_CMD has below problem. +- apps_arg[1] can have zero value and can lead to + buffer overead + +Change the code to handle the number of args if user has +given zero. + +CRs-Fixed: 1029540 +Change-Id: Idc8e1d77d9623daeb98d0c4b7ad8a8d6cfa9c2d2 +--- + CORE/HDD/src/wlan_hdd_wext.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c +index fd738da..33d4dfd 100644 +--- a/CORE/HDD/src/wlan_hdd_wext.c ++++ b/CORE/HDD/src/wlan_hdd_wext.c +@@ -9072,7 +9072,7 @@ static int __iw_set_var_ints_getnone(struct net_device *dev, + } + if ((apps_args[1] > (WMA_MAX_NUM_ARGS)) || + (apps_args[1] < 0)) { +- hddLog(LOGE, FL("Too Many args %d"), apps_args[1]); ++ hddLog(LOGE, FL("Too Many/Few args %d"), apps_args[1]); + return -EINVAL; + } + unitTestArgs = vos_mem_malloc(sizeof(*unitTestArgs)); +@@ -9084,8 +9084,7 @@ static int __iw_set_var_ints_getnone(struct net_device *dev, + unitTestArgs->vdev_id = (int)pAdapter->sessionId; + unitTestArgs->module_id = apps_args[0]; + unitTestArgs->num_args = apps_args[1]; +- for (i = 0, j = 2; i < unitTestArgs->num_args - 1; +- i++, j++) { ++ for (i = 0, j = 2; i < unitTestArgs->num_args; i++, j++) { + unitTestArgs->args[i] = apps_args[j]; + } + msg.type = SIR_HAL_UNIT_TEST_CMD; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3892/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3892/ANY/0001.patch new file mode 100644 index 00000000..349c36d0 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3892/ANY/0001.patch 
@@ -0,0 +1,105 @@ +From dd40cc2bd210dd7a4dd649e8f79add2bbeda2bd5 Mon Sep 17 00:00:00 2001 +From: Abhijeet Dharmapurikar +Date: Wed, 15 Jun 2016 09:46:21 -0700 +Subject: spmi: prevent showing the address of spmidev + +Creating devices with the address of the container spmidev is not +indicative of the actual hardware device it represents. + +Instead use an unique id to indicate the device it represents. + +CRs-Fixed: 1024197 +Change-Id: Id18e2a19f4fa1249901a3f275defa8f589270d69 +Signed-off-by: Abhijeet Dharmapurikar +--- + drivers/spmi/spmi.c | 18 +++++++++++++++--- + include/linux/spmi.h | 6 +++++- + 2 files changed, 20 insertions(+), 4 deletions(-) + +diff --git a/drivers/spmi/spmi.c b/drivers/spmi/spmi.c +index f5e49c8..1a1bae9 100644 +--- a/drivers/spmi/spmi.c ++++ b/drivers/spmi/spmi.c +@@ -32,6 +32,7 @@ struct spmii_boardinfo { + static DEFINE_MUTEX(board_lock); + static LIST_HEAD(board_list); + static DEFINE_IDR(ctrl_idr); ++static DEFINE_IDA(spmi_devid_ida); + static struct device_type spmi_dev_type; + static struct device_type spmi_ctrl_type; + +@@ -229,22 +230,32 @@ int spmi_add_device(struct spmi_device *spmidev) + { + int rc; + struct device *dev = get_valid_device(spmidev); ++ int id; + + if (!dev) { + pr_err("invalid SPMI device\n"); + return -EINVAL; + } + ++ id = ida_simple_get(&spmi_devid_ida, 0, 0, GFP_KERNEL); ++ if (id < 0) { ++ pr_err("No id available status = %d\n", id); ++ return id; ++ } ++ + /* Set the device name */ +- dev_set_name(dev, "%s-%p", spmidev->name, spmidev); ++ spmidev->id = id; ++ dev_set_name(dev, "%s-%d", spmidev->name, spmidev->id); + + /* Device may be bound to an active driver when this returns */ + rc = device_add(dev); + +- if (rc < 0) ++ if (rc < 0) { ++ ida_simple_remove(&spmi_devid_ida, spmidev->id); + dev_err(dev, "Can't add %s, status %d\n", dev_name(dev), rc); +- else ++ } else { + dev_dbg(dev, "device %s registered\n", dev_name(dev)); ++ } + + return rc; + } +@@ -292,6 +303,7 @@ EXPORT_SYMBOL_GPL(spmi_new_device); 
+ void spmi_remove_device(struct spmi_device *spmi_dev) + { + device_unregister(&spmi_dev->dev); ++ ida_simple_remove(&spmi_devid_ida, spmi_dev->id); + } + EXPORT_SYMBOL_GPL(spmi_remove_device); + +diff --git a/include/linux/spmi.h b/include/linux/spmi.h +index b581de8..5a8525d 100644 +--- a/include/linux/spmi.h ++++ b/include/linux/spmi.h +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2012-2014 The Linux Foundation. All rights reserved. ++/* Copyright (c) 2012-2014, 2016 The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -120,6 +120,9 @@ struct spmi_resource { + * @dev_node: array of SPMI resources when used with spmi-dev-container. + * @num_dev_node: number of device_node structures. + * @sid: Slave Identifier. ++ * @id: Unique identifier to differentiate from other spmi devices with ++ * possibly same name. ++ * + */ + struct spmi_device { + struct device dev; +@@ -129,6 +132,7 @@ struct spmi_device { + struct spmi_resource *dev_node; + u32 num_dev_node; + u8 sid; ++ int id; + }; + #define to_spmi_device(d) container_of(d, struct spmi_device, dev) + +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3893/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3893/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3893/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3893/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3894/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3894/ANY/0.patch deleted file mode 100644 index c1f6cbc8..00000000 --- a/Patches/Linux_CVEs/CVE-2016-3894/ANY/0.patch +++ /dev/null 
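Review bot: In spmi_remove_device() the added `ida_simple_remove(&spmi_devid_ida, spmi_dev->id);` reads `spmi_dev->id` after `device_unregister(&spmi_dev->dev)`. If that call drops the last reference and the device's release callback frees the containing `struct spmi_device` (the callback is not visible in this hunk), the read is a use-after-free. Take the id first: `int id = spmi_dev->id;` before `device_unregister()`, then `ida_simple_remove(&spmi_devid_ida, id);`.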
@@ -1,26 +0,0 @@ -From c91479f60bbca0ece50d184e4cfcda52ddb5983e Mon Sep 17 00:00:00 2001 -From: Min Chong -Date: Sun, 17 Jul 2016 23:23:02 -0700 -Subject: [PATCH] msm: dma: remove dma_test from defconfig - -Unset CONFIG_MSM_DMA_TEST since it is not required. - -Bug: 29618014 -Change-Id: Iac46f1b028c96af765d5c2a5a501cdcd19513f84 -Signed-off-by: Min Chong ---- - arch/arm/configs/shamu_defconfig | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/arch/arm/configs/shamu_defconfig b/arch/arm/configs/shamu_defconfig -index 558714ebd51ff..92fa34b5597c4 100644 ---- a/arch/arm/configs/shamu_defconfig -+++ b/arch/arm/configs/shamu_defconfig -@@ -37,6 +37,7 @@ CONFIG_MSM_SMD=y - CONFIG_MSM_PCIE=y - CONFIG_MSM_SMP2P=y - CONFIG_MSM_SMP2P_TEST=y -+# CONFIG_MSM_DMA_TEST is not set - CONFIG_MSM_SUBSYSTEM_RESTART=y - CONFIG_MSM_SYSMON_COMM=y - CONFIG_MSM_PIL_SSR_GENERIC=y diff --git a/Patches/Linux_CVEs/CVE-2016-3894/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-3894/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3894/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2016-3894/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3935/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3901/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3935/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3901/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3902/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3902/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3902/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3902/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3903/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3903/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3903/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3903/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2016-3904/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3904/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3904/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3904/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3905/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3905/ANY/0001.patch new file mode 100644 index 00000000..adb60fd8 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3905/ANY/0001.patch 
@@ -0,0 +1,170 @@ +From b5112838eb91b71eded4b5ee37338535784e0aef Mon Sep 17 00:00:00 2001 +From: Srinivas Girigowda +Date: Sun, 10 Apr 2016 00:03:18 -0700 +Subject: qcacld-2.0: Add input validation for SENDACTIONFRAME + +Add input validation for SENDACTIONFRAME driver command. + +Change-Id: I3d1bf424e5e0f9a3b6f4662dd12a3a7314c7eace +CRs-Fixed: 1001449 +--- + CORE/HDD/src/wlan_hdd_main.c | 97 +++++++++++++++++++++++++++----------------- + 1 file changed, 59 insertions(+), 38 deletions(-) + +diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c +index a647bb5..8b7a441 100644 +--- a/CORE/HDD/src/wlan_hdd_main.c ++++ b/CORE/HDD/src/wlan_hdd_main.c +@@ -2205,16 +2205,15 @@ hdd_parse_send_action_frame_v1_data(const tANI_U8 *pValue, + static int + hdd_sendactionframe(hdd_adapter_t *pAdapter, const tANI_U8 *bssid, + const tANI_U8 channel, const tANI_U8 dwell_time, +- const tANI_U8 payload_len, const tANI_U8 *payload) ++ const int payload_len, const tANI_U8 *payload) + { + struct ieee80211_channel chan; +- tANI_U8 frame_len; ++ int frame_len, ret = 0; + tANI_U8 *frame; + struct ieee80211_hdr_3addr *hdr; + u64 cookie; + hdd_station_ctx_t *pHddStaCtx; + hdd_context_t *pHddCtx; +- int ret = 0; + tpSirMacVendorSpecificFrameHdr pVendorSpecific = + (tpSirMacVendorSpecificFrameHdr) payload; + #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,14,0)) || defined(WITH_BACKPORTS) +@@ -2371,45 +2370,57 @@ hdd_parse_sendactionframe_v1(hdd_adapter_t *pAdapter, const char *command) + return ret; + } + +-/* +- \brief hdd_parse_sendactionframe_v2() - parse version 2 of the +- SENDACTIONFRAME command +- +- This function parses the v2 SENDACTIONFRAME command with the format ++/** ++ * hdd_parse_sendactionframe_v2() - parse version 2 of the ++ * SENDACTIONFRAME command ++ * @pAdapter: Adapter upon which the command was received ++ * @command: command that was received, ASCII command followed ++ * by binary data ++ * @total_len: total length of command ++ * ++ * This function parses 
the v2 SENDACTIONFRAME command with the format ++ * SENDACTIONFRAME ++ * ++ * Return: 0 for success non-zero for failure ++ */ ++static int ++hdd_parse_sendactionframe_v2(hdd_adapter_t *pAdapter, ++ const char *command, int total_len) ++{ ++ struct android_wifi_af_params *params; ++ tSirMacAddr bssid; ++ int ret; + +- SENDACTIONFRAME ++ /* The params are located after "SENDACTIONFRAME " */ ++ total_len -= 16; ++ params = (struct android_wifi_af_params *)(command + 16); + +- \param - pAdapter - Adapter upon which the command was received +- \param - command - command that was received, ASCII command followed +- by binary data ++ if (params->len <= 0 || params->len > ANDROID_WIFI_ACTION_FRAME_SIZE || ++ (params->len > total_len)) { ++ hddLog(LOGE, FL("Invalid payload length: %d"), params->len); ++ return -EINVAL; ++ } + +- \return - 0 for success non-zero for failure ++ if (!mac_pton(params->bssid, (u8 *)&bssid)) { ++ hddLog(LOGE, FL("MAC address parsing failed")); ++ return -EINVAL; ++ } + +- --------------------------------------------------------------------------*/ +-static int +-hdd_parse_sendactionframe_v2(hdd_adapter_t *pAdapter, +- const char *command) +-{ +- struct android_wifi_af_params *params; +- tSirMacAddr bssid; +- int ret; ++ if (params->channel < 0 || ++ params->channel > WNI_CFG_CURRENT_CHANNEL_STAMAX) { ++ hddLog(LOGE, FL("Invalid channel: %d"), params->channel); ++ return -EINVAL; ++ } + +- /* params are large so keep off the stack */ +- params = kmalloc(sizeof(*params), GFP_KERNEL); +- if (!params) return -ENOMEM; ++ if (params->dwell_time < 0) { ++ hddLog(LOGE, FL("Invalid dwell_time: %d"), params->dwell_time); ++ return -EINVAL; ++ } + +- /* The params are located after "SENDACTIONFRAME " */ +- memcpy(params, command + 16, sizeof(*params)); ++ ret = hdd_sendactionframe(pAdapter, bssid, params->channel, ++ params->dwell_time, params->len, params->data); + +- if (!mac_pton(params->bssid, (u8 *)&bssid)) { +- hddLog(LOGE, "%s: MAC address parsing 
failed", __func__); +- ret = -EINVAL; +- } else { +- ret = hdd_sendactionframe(pAdapter, bssid, params->channel, +- params->dwell_time, params->len, params->data); +- } +- kfree(params); +- return ret; ++ return ret; + } + + /* +@@ -2429,7 +2440,8 @@ hdd_parse_sendactionframe_v2(hdd_adapter_t *pAdapter, + + --------------------------------------------------------------------------*/ + static int +-hdd_parse_sendactionframe(hdd_adapter_t *pAdapter, const char *command) ++hdd_parse_sendactionframe(hdd_adapter_t *pAdapter, const char *command, ++ int total_len) + { + int ret; + +@@ -2445,11 +2457,19 @@ hdd_parse_sendactionframe(hdd_adapter_t *pAdapter, const char *command) + * SENDACTIONFRAME xx:xx:xx:xx:xx:xx* + * 111111111122222222223333 + * 0123456789012345678901234567890123 ++ * ++ * For both the commands, a valid command must have atleast first 34 length ++ * of data. + */ ++ if (total_len < 34) { ++ hddLog(LOGE, FL("Invalid command (total_len=%d)"), total_len); ++ return -EINVAL; ++ } ++ + if (command[33]) { + ret = hdd_parse_sendactionframe_v1(pAdapter, command); + } else { +- ret = hdd_parse_sendactionframe_v2(pAdapter, command); ++ ret = hdd_parse_sendactionframe_v2(pAdapter, command, total_len); + } + + return ret; +@@ -5851,7 +5871,8 @@ static int hdd_driver_command(hdd_adapter_t *pAdapter, + } + else if (strncmp(command, "SENDACTIONFRAME", 15) == 0) + { +- ret = hdd_parse_sendactionframe(pAdapter, command); ++ ret = hdd_parse_sendactionframe(pAdapter, command, ++ priv_data.total_len); + } + else if (strncmp(command, "GETROAMSCANCHANNELMINTIME", 25) == 0) + { +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3906/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3906/ANY/0001.patch similarity index 85% rename from Patches/Linux_CVEs/CVE-2016-3906/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3906/ANY/0001.patch index bf4ab19e..6b7ddda6 100644 --- a/Patches/Linux_CVEs/CVE-2016-3906/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2016-3906/ANY/0001.patch 
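Review bot: In hdd_parse_sendactionframe_v2() the check `params->len > total_len` compares the payload length with everything that follows "SENDACTIONFRAME ", including the other fields of the struct, and `params->len` itself is read after only the `total_len < 34` test in the caller. A command that ends inside the fixed fields, or a `len` that fits the remainder but not the space left for `data`, is therefore not rejected. Bound both against the offset of `data`, e.g. `if (total_len < offsetof(struct android_wifi_af_params, data)) return -EINVAL;` and then `params->len > total_len - offsetof(struct android_wifi_af_params, data)`. The layout of `struct android_wifi_af_params` is not shown here, so the offsets need checking. The cast of `command + 16` also replaces the old `memcpy()` into an allocated struct, so the `int` fields may now be read unaligned.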
@@ -1,7 +1,7 @@ -From 46d740d12c2a8bd9e0b27a968af6544682f7cb0e Mon Sep 17 00:00:00 2001 +From b333d32745fec4fb1098ee1a03d4425f3c1b4c2e Mon Sep 17 00:00:00 2001 From: Archana Sathyakumar Date: Mon, 22 Aug 2016 15:20:02 -0600 -Subject: msm-core: debug: Update the number of supported pstates +Subject: msm-core: debug: Update the number of supported pstates. Update the number of power-freq pair value supported in the debug interface. Parse the arguments as uint32_t instead of uint64_t which @@ -15,10 +15,10 @@ Signed-off-by: Archana Sathyakumar 1 file changed, 31 insertions(+), 20 deletions(-) diff --git a/drivers/power/qcom/debug_core.c b/drivers/power/qcom/debug_core.c -index e1375ff..f0333cb 100644 +index e9c578f..ccef04a 100644 --- a/drivers/power/qcom/debug_core.c +++ b/drivers/power/qcom/debug_core.c -@@ -83,15 +83,28 @@ static struct debugfs_blob_wrapper help_msg = { +@@ -84,15 +84,28 @@ static struct debugfs_blob_wrapper help_msg = { }; @@ -48,7 +48,7 @@ index e1375ff..f0333cb 100644 if (!node->head) { node->head = kzalloc(sizeof(struct cpu_pstate_pwr) * (MAX_PSTATES + 1), -@@ -99,24 +112,18 @@ static void add_to_ptable(uint64_t *arg) +@@ -100,24 +113,18 @@ static void add_to_ptable(uint64_t *arg) if (!node->head) return; } @@ -78,7 +78,7 @@ index e1375ff..f0333cb 100644 node->head[i].freq = node->head[i-1].freq; node->head[i].power = node->head[i-1].power; } else if (node->head[i-1].freq != 0) { -@@ -124,15 +131,17 @@ static void add_to_ptable(uint64_t *arg) +@@ -125,15 +132,17 @@ static void add_to_ptable(uint64_t *arg) } } @@ -100,7 +100,7 @@ index e1375ff..f0333cb 100644 { char *args; int i; -@@ -142,7 +151,9 @@ static int split_ptable_args(char *line, uint64_t *arg, uint32_t n) +@@ -143,7 +152,9 @@ static int split_ptable_args(char *line, uint64_t *arg, uint32_t n) if (!line) break; args = strsep(&line, " "); 
@@ -111,7 +111,7 @@ index e1375ff..f0333cb 100644 } return ret; } -@@ -152,7 +163,7 @@ static ssize_t msm_core_ptable_write(struct file *file, +@@ -153,7 +164,7 @@ static ssize_t msm_core_ptable_write(struct file *file, { char *kbuf; int ret; @@ -120,7 +120,7 @@ index e1375ff..f0333cb 100644 if (len == 0) return 0; -@@ -204,7 +215,7 @@ static int msm_core_ptable_read(struct seq_file *m, void *data) +@@ -205,7 +216,7 @@ static int msm_core_ptable_read(struct seq_file *m, void *data) seq_printf(m, "--- CPU%d - Live numbers at %ldC---\n", cpu, node->ptr->temp); print_table(m, msm_core_data[cpu].ptable, @@ -129,7 +129,7 @@ index e1375ff..f0333cb 100644 } } return 0; -@@ -215,7 +226,7 @@ static ssize_t msm_core_enable_write(struct file *file, +@@ -216,7 +227,7 @@ static ssize_t msm_core_enable_write(struct file *file, { char *kbuf; int ret; diff --git a/Patches/Linux_CVEs/CVE-2016-3907/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3907/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-3907/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-3907/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-3907/3.10/0002.patch b/Patches/Linux_CVEs/CVE-2016-3907/3.10/0002.patch new file mode 100644 index 00000000..f57f2f22 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3907/3.10/0002.patch 
@@ -0,0 +1,33 @@
+From 289ede9d6bfb46178326ae9ca86033bbd452f269 Mon Sep 17 00:00:00 2001
+From: Siena Richard
+Date: Tue, 16 Aug 2016 13:03:56 -0700
+Subject: misc: qcom: qdsp6v2: initialize wma_config_32
+
+Not all memebers of wma_config_32 are set before they are used which
+might lead to invalid values being passed and used. To fix this issue
+initialize all member variables of struct wma_config_32 to 0 before
+assigning specific values individually.
+
+Change-Id: Ibb082ce691625527e9a9ffd4978dea7ba4df9e84
+CRs-Fixed: 1054352
+Signed-off-by: Siena Richard
+---
+ drivers/misc/qcom/qdsp6v2/audio_wma.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/misc/qcom/qdsp6v2/audio_wma.c b/drivers/misc/qcom/qdsp6v2/audio_wma.c
+index 3d57d38d..4389c0f 100644
+--- a/drivers/misc/qcom/qdsp6v2/audio_wma.c
++++ b/drivers/misc/qcom/qdsp6v2/audio_wma.c
+@@ -166,6 +166,8 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd,
+ struct msm_audio_wma_config_v2 *wma_config;
+ struct msm_audio_wma_config_v2_32 wma_config_32;
+
++ memset(&wma_config_32, 0, sizeof(wma_config_32));
++
+ wma_config = (struct msm_audio_wma_config_v2 *)audio->codec_cfg;
+ wma_config_32.format_tag = wma_config->format_tag;
+ wma_config_32.numchannels = wma_config->numchannels;
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-3931/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3931/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-3931/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-3931/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-3934/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-3934/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-3934/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-3934/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-3935/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3935/ANY/0001.patch
new file mode 100644
index 00000000..4b807753
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-3935/ANY/0001.patch 
@@ -0,0 +1,59 @@ +From 5f69ccf3b011c1d14a1b1b00dbaacf74307c9132 Mon Sep 17 00:00:00 2001 +From: Zhen Kong +Date: Fri, 29 Jul 2016 15:32:31 -0700 +Subject: msm: crypto: Fix integer over flow check in qcedev driver + +Integer overflow check always fails when ULONG_MAX is used, +as ULONG_MAX is 2^64-1, while req->data[i].len and total +are uint32_t. Make change to use U32_MAX instead of +ULONG_MAX. + +CRs-fixed: 1046507 +Change-Id: Iccf9c32400ecc7ffc0afae16f58c38e5d78a5b64 +Signed-off-by: Zhen Kong +--- + drivers/crypto/msm/qcedev.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c +index 51f5069..e63f061 100644 +--- a/drivers/crypto/msm/qcedev.c ++++ b/drivers/crypto/msm/qcedev.c +@@ -1,6 +1,6 @@ + /* Qualcomm CE device driver. + * +- * Copyright (c) 2010-2015, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -1543,7 +1543,7 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req, + } + /* Check for sum of all dst length is equal to data_len */ + for (i = 0; i < req->entries; i++) { +- if (req->vbuf.dst[i].len >= ULONG_MAX - total) { ++ if (req->vbuf.dst[i].len >= U32_MAX - total) { + pr_err("%s: Integer overflow on total req dst vbuf length\n", + __func__); + goto error; +@@ -1557,7 +1557,7 @@ static int qcedev_check_cipher_params(struct qcedev_cipher_op_req *req, + } + /* Check for sum of all src length is equal to data_len */ + for (i = 0, total = 0; i < req->entries; i++) { +- if (req->vbuf.src[i].len > ULONG_MAX - total) { ++ if (req->vbuf.src[i].len > U32_MAX - total) { + pr_err("%s: Integer overflow on total req src vbuf length\n", + __func__); + goto error; +@@ -1619,7 +1619,7 @@ static int qcedev_check_sha_params(struct qcedev_sha_op_req 
*req, + + /* Check for sum of all src length is equal to data_len */ + for (i = 0, total = 0; i < req->entries; i++) { +- if (req->data[i].len > ULONG_MAX - total) { ++ if (req->data[i].len > U32_MAX - total) { + pr_err("%s: Integer overflow on total req buf length\n", + __func__); + goto sha_error; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3938/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3938/ANY/0001.patch new file mode 100644 index 00000000..6b340a02 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3938/ANY/0001.patch 
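Review bot: The three overflow guards are not written the same way: the destination loop in qcedev_check_cipher_params() uses `>= U32_MAX - total`, while the source loop and qcedev_check_sha_params() use `> U32_MAX - total`. The difference only matters when the sum is exactly `U32_MAX`, but one operator across all three makes the intent clear; `if (req->vbuf.dst[i].len > U32_MAX - total) {` would match the others. The check is also only correct while `total` and the `len` fields stay 32-bit, as the commit message states, which a short comment at the declaration of `total` (outside these hunks) could record.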
@@ -0,0 +1,48 @@
+From 467c81f9736b1ebc8d4ba70f9221bba02425ca10 Mon Sep 17 00:00:00 2001
+From: Shalini Krishnamoorthi
+Date: Tue, 2 Aug 2016 10:29:00 -0700
+Subject: msm: mdss: Fix to validate data copied from user space
+
+The overlay zorder values copied from user space are used
+as index in left_lm_zo_cnt and right_lm_zo_cnt. This fix
+will validate the overlay zorder value copied from user
+space to not go beyond MDSS_MDP_MAX_STAGE, thus preventing
+any arbitrary increments in kernel memory.
+
+CRs-Fixed: 1049232
+Change-Id: Ie8e65ce9f58cb357204bfa4c6a6e0fccec82d5ba
+Signed-off-by: Shalini Krishnamoorthi
+---
+ drivers/video/msm/mdss/mdss_mdp_overlay.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/video/msm/mdss/mdss_mdp_overlay.c b/drivers/video/msm/mdss/mdss_mdp_overlay.c
+index 2024bd4..e8a91cf 100644
+--- a/drivers/video/msm/mdss/mdss_mdp_overlay.c
++++ b/drivers/video/msm/mdss/mdss_mdp_overlay.c
+@@ -4070,16 +4070,20 @@ static int __mdss_overlay_src_split_sort(struct msm_fb_data_type *mfd,
+ __overlay_swap_func);
+
+ for (i = 0; i < num_ovs; i++) {
++ if (ovs[i].z_order >= MDSS_MDP_MAX_STAGE) {
++ pr_err("invalid stage:%u\n", ovs[i].z_order);
++ return -EINVAL;
++ }
+ if (ovs[i].dst_rect.x < left_lm_w) {
+ if (left_lm_zo_cnt[ovs[i].z_order] == 2) {
+- pr_err("more than 2 ov @ stage%d on left lm\n",
++ pr_err("more than 2 ov @ stage%u on left lm\n",
+ ovs[i].z_order);
+ return -EINVAL;
+ }
+ left_lm_zo_cnt[ovs[i].z_order]++;
+ } else {
+ if (right_lm_zo_cnt[ovs[i].z_order] == 2) {
+- pr_err("more than 2 ov @ stage%d on right lm\n",
++ pr_err("more than 2 ov @ stage%u on right lm\n",
+ ovs[i].z_order);
+ return -EINVAL;
+ }
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-3939/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3939/ANY/0001.patch
new file mode 100644
index 00000000..b7308472
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-3939/ANY/0001.patch
@@ -0,0 +1,49 @@ +From e0bb18771d6ca71db2c2a61226827059be3fa424 Mon Sep 17 00:00:00 2001 +From: Ping Li +Date: Fri, 15 Apr 2016 15:27:36 -0700 +Subject: msm: mdss: Correct block id check for mdss_mdp_misr_table + +DISPLAY_MISR_LCDC block doesn't have corresponding mdss_mdp_misr_table, +this change corrects the block id check for mdss_mdp_misr_table. + +CRs-Fixed: 1001224 +Change-Id: I74b03c31542d4b239eb2ffdc4dc6345dff5eab86 +Signed-off-by: Ping Li +--- + drivers/video/msm/mdss/mdss_debug.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c +index e4749c5..e1d4b5f 100644 +--- a/drivers/video/msm/mdss/mdss_debug.c ++++ b/drivers/video/msm/mdss/mdss_debug.c +@@ -1266,7 +1266,7 @@ static inline struct mdss_mdp_misr_map *mdss_misr_get_map(u32 block_id, + char *ctrl_reg = NULL, *value_reg = NULL; + char *intf_base = NULL; + +- if (block_id > DISPLAY_MISR_MDP) { ++ if (block_id > DISPLAY_MISR_HDMI && block_id != DISPLAY_MISR_MDP) { + pr_err("MISR Block id (%d) out of range\n", block_id); + return NULL; + } +@@ -1408,12 +1408,16 @@ int mdss_misr_set(struct mdss_data_type *mdata, + bool is_valid_wb_mixer = true; + bool use_mdp_up_misr = false; + ++ if (!mdata || !req || !ctl) { ++ pr_err("Invalid input params: mdata = %p req = %p ctl = %p", ++ mdata, req, ctl); ++ return -EINVAL; ++ } + pr_debug("req[block:%d frame:%d op_mode:%d]\n", + req->block_id, req->frame_count, req->crc_op_mode); + + map = mdss_misr_get_map(req->block_id, ctl, mdata, + ctl->is_video_mode); +- + if (!map) { + pr_err("Invalid MISR Block=%d\n", req->block_id); + return -EINVAL; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3951/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-3951/ANY/0001.patch new file mode 100644 index 00000000..29b94c50 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3951/ANY/0001.patch 
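Review bot: The parameter check added to `mdss_misr_set` prints `mdata`, `req` and `ctl` with `%p`, which on kernels that do not hash `%p` writes raw kernel addresses to the log, and the format string has no trailing `\n`. `pr_err("Invalid input params\n");`, or `%pK` if the values are needed, avoids the address disclosure. Separately, the new range test in `mdss_misr_get_map` assumes every block id up to `DISPLAY_MISR_HDMI` has a table entry; the enum and the table are outside the hunk, so that ordering should be confirmed against the target tree.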
@@ -0,0 +1,87 @@ +From 4d06dd537f95683aba3651098ae288b7cbff8274 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Mon, 7 Mar 2016 21:15:36 +0100 +Subject: cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +usbnet_link_change will call schedule_work and should be +avoided if bind is failing. Otherwise we will end up with +scheduled work referring to a netdev which has gone away. + +Instead of making the call conditional, we can just defer +it to usbnet_probe, using the driver_info flag made for +this purpose. + +Fixes: 8a34b0ae8778 ("usbnet: cdc_ncm: apply usbnet_link_change") +Reported-by: Andrey Konovalov +Suggested-by: Linus Torvalds +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +--- + drivers/net/usb/cdc_ncm.c | 20 +++++--------------- + 1 file changed, 5 insertions(+), 15 deletions(-) + +diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c +index be92796..86ba30b 100644 +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -988,8 +988,6 @@ EXPORT_SYMBOL_GPL(cdc_ncm_select_altsetting); + + static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf) + { +- int ret; +- + /* MBIM backwards compatible function? */ + if (cdc_ncm_select_altsetting(intf) != CDC_NCM_COMM_ALTSETTING_NCM) + return -ENODEV; +@@ -998,16 +996,7 @@ static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf) + * Additionally, generic NCM devices are assumed to accept arbitrarily + * placed NDP. + */ +- ret = cdc_ncm_bind_common(dev, intf, CDC_NCM_DATA_ALTSETTING_NCM, 0); +- +- /* +- * We should get an event when network connection is "connected" or +- * "disconnected". Set network connection in "disconnected" state +- * (carrier is OFF) during attach, so the IP network stack does not +- * start IPv6 negotiation and more. 
+- */ +- usbnet_link_change(dev, 0, 0); +- return ret; ++ return cdc_ncm_bind_common(dev, intf, CDC_NCM_DATA_ALTSETTING_NCM, 0); + } + + static void cdc_ncm_align_tail(struct sk_buff *skb, size_t modulus, size_t remainder, size_t max) +@@ -1590,7 +1579,8 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb) + + static const struct driver_info cdc_ncm_info = { + .description = "CDC NCM", +- .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET, ++ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET ++ | FLAG_LINK_INTR, + .bind = cdc_ncm_bind, + .unbind = cdc_ncm_unbind, + .manage_power = usbnet_manage_power, +@@ -1603,7 +1593,7 @@ static const struct driver_info cdc_ncm_info = { + static const struct driver_info wwan_info = { + .description = "Mobile Broadband Network Device", + .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET +- | FLAG_WWAN, ++ | FLAG_LINK_INTR | FLAG_WWAN, + .bind = cdc_ncm_bind, + .unbind = cdc_ncm_unbind, + .manage_power = usbnet_manage_power, +@@ -1616,7 +1606,7 @@ static const struct driver_info wwan_info = { + static const struct driver_info wwan_noarp_info = { + .description = "Mobile Broadband Network Device (NO ARP)", + .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET +- | FLAG_WWAN | FLAG_NOARP, ++ | FLAG_LINK_INTR | FLAG_WWAN | FLAG_NOARP, + .bind = cdc_ncm_bind, + .unbind = cdc_ncm_unbind, + .manage_power = usbnet_manage_power, +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-3951/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-3951/ANY/0002.patch new file mode 100644 index 00000000..8e04b70b --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-3951/ANY/0002.patch 
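Review bot: With the call removed from `cdc_ncm_bind`, the initial carrier-off state depends entirely on `usbnet_probe` acting on `FLAG_LINK_INTR`, and the comment that explained why the link starts disconnected was deleted with it. A short comment at the first `.flags` initialiser would keep the reason, for example `/* FLAG_LINK_INTR: usbnet_probe sets carrier off until the device reports a link */`. The patch is filed under `ANY`, and the `usbnet_probe` side is not part of this hunk, so a target tree without that handling would silently lose the carrier-off step.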
@@ -0,0 +1,39 @@ +From 1666984c8625b3db19a9abc298931d35ab7bc64b Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Mon, 7 Mar 2016 11:31:10 +0100 +Subject: usbnet: cleanup after bind() in probe() + +In case bind() works, but a later error forces bailing +in probe() in error cases work and a timer may be scheduled. +They must be killed. This fixes an error case related to +the double free reported in +http://www.spinics.net/lists/netdev/msg367669.html +and needs to go on top of Linus' fix to cdc-ncm. + +Signed-off-by: Oliver Neukum +Signed-off-by: David S. Miller +--- + drivers/net/usb/usbnet.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 0b0ba7e..1079812 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -1769,6 +1769,13 @@ out3: + if (info->unbind) + info->unbind (dev, udev); + out1: ++ /* subdrivers must undo all they did in bind() if they ++ * fail it, but we may fail later and a deferred kevent ++ * may trigger an error resubmitting itself and, worse, ++ * schedule a timer. So we kill it all just in case. ++ */ ++ cancel_work_sync(&dev->kevent); ++ del_timer_sync(&dev->delay); + free_netdev(net); + out: + return status; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-4470/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-4470/ANY/0001.patch new file mode 100644 index 00000000..0b6bc265 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-4470/ANY/0001.patch 
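Review bot: The cleanup added at `out1:` cancels `dev->kevent` and `dev->delay` but nothing else the deferred work may have armed. As far as I can tell from the driver rather than from this hunk, the kevent handler can also schedule the `dev->bh` tasklet, so it is worth confirming whether `tasklet_kill(&dev->bh);` is needed before `free_netdev(net)`. The probe function starts outside the hunk, so it is also not visible that the work item and the timer are initialised on every path that reaches `out1`.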
@@ -0,0 +1,91 @@ +From 38327424b40bcebe2de92d07312c89360ac9229a Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 16 Jun 2016 15:48:57 +0100 +Subject: KEYS: potential uninitialized variable + +If __key_link_begin() failed then "edit" would be uninitialized. I've +added a check to fix that. + +This allows a random user to crash the kernel, though it's quite +difficult to achieve. There are three ways it can be done as the user +would have to cause an error to occur in __key_link(): + + (1) Cause the kernel to run out of memory. In practice, this is difficult + to achieve without ENOMEM cropping up elsewhere and aborting the + attempt. + + (2) Revoke the destination keyring between the keyring ID being looked up + and it being tested for revocation. In practice, this is difficult to + time correctly because the KEYCTL_REJECT function can only be used + from the request-key upcall process. Further, users can only make use + of what's in /sbin/request-key.conf, though this does including a + rejection debugging test - which means that the destination keyring + has to be the caller's session keyring in practice. + + (3) Have just enough key quota available to create a key, a new session + keyring for the upcall and a link in the session keyring, but not then + sufficient quota to create a link in the nominated destination keyring + so that it fails with EDQUOT. + +The bug can be triggered using option (3) above using something like the +following: + + echo 80 >/proc/sys/kernel/keys/root_maxbytes + keyctl request2 user debug:fred negate @t + +The above sets the quota to something much lower (80) to make the bug +easier to trigger, but this is dependent on the system. Note also that +the name of the keyring created contains a random number that may be +between 1 and 10 characters in size, so may throw the test off by +changing the amount of quota used. 
+ +Assuming the failure occurs, something like the following will be seen: + + kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h + ------------[ cut here ]------------ + kernel BUG at ../mm/slab.c:2821! + ... + RIP: 0010:[] kfree_debugcheck+0x20/0x25 + RSP: 0018:ffff8804014a7de8 EFLAGS: 00010092 + RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000 + RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300 + RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000 + R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202 + R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001 + ... + Call Trace: + kfree+0xde/0x1bc + assoc_array_cancel_edit+0x1f/0x36 + __key_link_end+0x55/0x63 + key_reject_and_link+0x124/0x155 + keyctl_reject_key+0xb6/0xe0 + keyctl_negate_key+0x10/0x12 + SyS_keyctl+0x9f/0xe7 + do_syscall_64+0x63/0x13a + entry_SYSCALL64_slow_path+0x25/0x25 + +Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()') +Signed-off-by: Dan Carpenter +Signed-off-by: David Howells +cc: stable@vger.kernel.org +Signed-off-by: Linus Torvalds +--- + security/keys/key.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/security/keys/key.c b/security/keys/key.c +index bd5a272..346fbf2 100644 +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -597,7 +597,7 @@ int key_reject_and_link(struct key *key, + + mutex_unlock(&key_construction_mutex); + +- if (keyring) ++ if (keyring && link_ret == 0) + __key_link_end(keyring, &key->index_key, edit); + + /* wake up anyone waiting for a key to be constructed */ +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-4482/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-4482/ANY/0001.patch new file mode 100644 index 00000000..c22dfd4b --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-4482/ANY/0001.patch 
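Review bot: The new condition `keyring && link_ret == 0` in `key_reject_and_link` has no comment saying why `link_ret` gates the cleanup, so a later tidy-up could remove it again. I would add `/* edit is only valid if __key_link_begin() succeeded */` above the `if`. The declaration and assignment of `link_ret` are outside the hunk; the test is only sound if `link_ret` is set from `__key_link_begin()` whenever `keyring` is non-NULL.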
@@ -0,0 +1,41 @@ +From 681fef8380eb818c0b845fca5d2ab1dcbab114ee Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 3 May 2016 16:32:16 -0400 +Subject: USB: usbfs: fix potential infoleak in devio +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The stack object “ci” has a total size of 8 bytes. Its last 3 bytes +are padding bytes which are not initialized and leaked to userland +via “copy_to_user”. + +Signed-off-by: Kangjie Lu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/devio.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c +index 73ce871..e9f5043 100644 +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -1316,10 +1316,11 @@ static int proc_getdriver(struct usb_dev_state *ps, void __user *arg) + + static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg) + { +- struct usbdevfs_connectinfo ci = { +- .devnum = ps->dev->devnum, +- .slow = ps->dev->speed == USB_SPEED_LOW +- }; ++ struct usbdevfs_connectinfo ci; ++ ++ memset(&ci, 0, sizeof(ci)); ++ ci.devnum = ps->dev->devnum; ++ ci.slow = ps->dev->speed == USB_SPEED_LOW; + + if (copy_to_user(arg, &ci, sizeof(ci))) + return -EFAULT; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-4486/^4.5/0.patch b/Patches/Linux_CVEs/CVE-2016-4486/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-4486/^4.5/0.patch rename to Patches/Linux_CVEs/CVE-2016-4486/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-4569/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-4569/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-4569/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-4569/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-4578/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-4578/ANY/0001.patch new file mode 100644 index 00000000..89b9c4ec --- /dev/null 
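Review bot: `proc_connectinfo` now zeroes `ci` with `memset` instead of a designated initialiser, but nothing in the code says that the difference matters. An initialiser is not guaranteed to clear padding bytes, so a comment such as `/* memset, not an initialiser: padding must be zero before copy_to_user() */` would stop a later cleanup from reintroducing the leak.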
+++ b/Patches/Linux_CVEs/CVE-2016-4578/ANY/0001.patch @@ -0,0 +1,33 @@ +From e4ec8cc8039a7063e24204299b462bd1383184a5 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 3 May 2016 16:44:32 -0400 +Subject: ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The stack object “r1” has a total size of 32 bytes. Its field +“event” and “val” both contain 4 bytes padding. These 8 bytes +padding bytes are sent to user without being initialized. + +Signed-off-by: Kangjie Lu +Signed-off-by: Takashi Iwai +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/core/timer.c b/sound/core/timer.c +index cc3c08d..e722022 100644 +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1266,6 +1266,7 @@ static void snd_timer_user_tinterrupt(struct snd_timer_instance *timeri, + } + if ((tu->filter & (1 << SNDRV_TIMER_EVENT_RESOLUTION)) && + tu->last_resolution != resolution) { ++ memset(&r1, 0, sizeof(r1)); + r1.event = SNDRV_TIMER_EVENT_RESOLUTION; + r1.tstamp = tstamp; + r1.val = resolution; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-4578/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-4578/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-4578/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-4578/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-4794/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-4794/3.18+/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-4794/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-4794/3.18+/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-4794/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-4794/3.18+/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-4794/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2016-4794/3.18+/0002.patch 
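Review bot: `r1` is cleared only inside the `SNDRV_TIMER_EVENT_RESOLUTION` branch of `snd_timer_user_tinterrupt`. The function continues past the hunk; if `r1` is filled and queued on another path there while this branch is not taken, that path would still hand uninitialised padding to user space. Moving `memset(&r1, 0, sizeof(r1));` to the top of the function, before any use of `r1`, would cover every path.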
diff --git a/Patches/Linux_CVEs/CVE-2016-4805/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-4805/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-4805/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-4805/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-4805/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-4805/ANY/1.patch deleted file mode 100644 index 981bf9af..00000000 --- a/Patches/Linux_CVEs/CVE-2016-4805/ANY/1.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 205e1e255c479f3fd77446415706463b282f94e4 Mon Sep 17 00:00:00 2001 -From: WANG Cong -Date: Tue, 5 Jul 2016 22:12:36 -0700 -Subject: ppp: defer netns reference release for ppp channel - -Matt reported that we have a NULL pointer dereference -in ppp_pernet() from ppp_connect_channel(), -i.e. pch->chan_net is NULL. - -This is due to that a parallel ppp_unregister_channel() -could happen while we are in ppp_connect_channel(), during -which pch->chan_net set to NULL. Since we need a reference -to net per channel, it makes sense to sync the refcnt -with the life time of the channel, therefore we should -release this reference when we destroy it. - -Fixes: 1f461dcdd296 ("ppp: take reference on channels netns") -Reported-by: Matt Bennett -Cc: Paul Mackerras -Cc: linux-ppp@vger.kernel.org -Cc: Guillaume Nault -Cc: Cyrill Gorcunov -Signed-off-by: Cong Wang -Reviewed-by: Cyrill Gorcunov -Signed-off-by: David S. Miller ---- - drivers/net/ppp/ppp_generic.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c -index 8dedafa..a30ee42 100644 ---- a/drivers/net/ppp/ppp_generic.c -+++ b/drivers/net/ppp/ppp_generic.c -@@ -2601,8 +2601,6 @@ ppp_unregister_channel(struct ppp_channel *chan) - spin_lock_bh(&pn->all_channels_lock); - list_del(&pch->list); - spin_unlock_bh(&pn->all_channels_lock); -- put_net(pch->chan_net); -- pch->chan_net = NULL; - - pch->file.dead = 1; - wake_up_interruptible(&pch->file.rwait); -@@ -3136,6 +3134,9 @@ ppp_disconnect_channel(struct channel *pch) - */ - static void ppp_destroy_channel(struct channel *pch) - { -+ put_net(pch->chan_net); -+ pch->chan_net = NULL; -+ - atomic_dec(&channel_count); - - if (!pch->file.dead) { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-4998/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-4998/ANY/0001.patch new file mode 100644 index 00000000..37e46d21 --- /dev/null 
+++ b/Patches/Linux_CVEs/CVE-2016-4998/ANY/0001.patch 
@@ -0,0 +1,200 @@ +From bdf533de6968e9686df777dc178486f600c6e617 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 22 Mar 2016 18:02:49 +0100 +Subject: netfilter: x_tables: validate e->target_offset early + +We should check that e->target_offset is sane before +mark_source_chains gets called since it will fetch the target entry +for loop detection. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/ipv4/netfilter/arp_tables.c | 17 ++++++++--------- + net/ipv4/netfilter/ip_tables.c | 17 ++++++++--------- + net/ipv6/netfilter/ip6_tables.c | 17 ++++++++--------- + 3 files changed, 24 insertions(+), 27 deletions(-) + +diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c +index bf08192..830bbe8 100644 +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -474,14 +474,12 @@ next: + return 1; + } + +-static inline int check_entry(const struct arpt_entry *e, const char *name) ++static inline int check_entry(const struct arpt_entry *e) + { + const struct xt_entry_target *t; + +- if (!arp_checkentry(&e->arp)) { +- duprintf("arp_tables: arp check failed %p %s.\n", e, name); ++ if (!arp_checkentry(&e->arp)) + return -EINVAL; +- } + + if (e->target_offset + sizeof(struct xt_entry_target) > e->next_offset) + return -EINVAL; +@@ -522,10 +520,6 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size) + struct xt_target *target; + int ret; + +- ret = check_entry(e, name); +- if (ret) +- return ret; +- + e->counters.pcnt = xt_percpu_counter_alloc(); + if (IS_ERR_VALUE(e->counters.pcnt)) + return -ENOMEM; +@@ -576,6 +570,7 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, + unsigned int valid_hooks) + { + unsigned int h; ++ int err; + + if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 || + (unsigned char *)e + sizeof(struct arpt_entry) >= limit) { +@@ -590,6 +585,10 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e, + 
return -EINVAL; + } + ++ err = check_entry(e); ++ if (err) ++ return err; ++ + /* Check hooks & underflows */ + for (h = 0; h < NF_ARP_NUMHOOKS; h++) { + if (!(valid_hooks & (1 << h))) +@@ -1246,7 +1245,7 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e, + } + + /* For purposes of check_entry casting the compat entry is fine */ +- ret = check_entry((struct arpt_entry *)e, name); ++ ret = check_entry((struct arpt_entry *)e); + if (ret) + return ret; + +diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c +index e53f8d6..1d72a3c 100644 +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -569,14 +569,12 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net) + } + + static int +-check_entry(const struct ipt_entry *e, const char *name) ++check_entry(const struct ipt_entry *e) + { + const struct xt_entry_target *t; + +- if (!ip_checkentry(&e->ip)) { +- duprintf("ip check failed %p %s.\n", e, name); ++ if (!ip_checkentry(&e->ip)) + return -EINVAL; +- } + + if (e->target_offset + sizeof(struct xt_entry_target) > + e->next_offset) +@@ -666,10 +664,6 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name, + struct xt_mtchk_param mtpar; + struct xt_entry_match *ematch; + +- ret = check_entry(e, name); +- if (ret) +- return ret; +- + e->counters.pcnt = xt_percpu_counter_alloc(); + if (IS_ERR_VALUE(e->counters.pcnt)) + return -ENOMEM; +@@ -741,6 +735,7 @@ check_entry_size_and_hooks(struct ipt_entry *e, + unsigned int valid_hooks) + { + unsigned int h; ++ int err; + + if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 || + (unsigned char *)e + sizeof(struct ipt_entry) >= limit) { +@@ -755,6 +750,10 @@ check_entry_size_and_hooks(struct ipt_entry *e, + return -EINVAL; + } + ++ err = check_entry(e); ++ if (err) ++ return err; ++ + /* Check hooks & underflows */ + for (h = 0; h < NF_INET_NUMHOOKS; h++) { + if (!(valid_hooks & (1 << h))) +@@ -1506,7 +1505,7 @@ 
check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, + } + + /* For purposes of check_entry casting the compat entry is fine */ +- ret = check_entry((struct ipt_entry *)e, name); ++ ret = check_entry((struct ipt_entry *)e); + if (ret) + return ret; + +diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c +index 84f9baf..26a5ad1 100644 +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -581,14 +581,12 @@ static void cleanup_match(struct xt_entry_match *m, struct net *net) + } + + static int +-check_entry(const struct ip6t_entry *e, const char *name) ++check_entry(const struct ip6t_entry *e) + { + const struct xt_entry_target *t; + +- if (!ip6_checkentry(&e->ipv6)) { +- duprintf("ip_tables: ip check failed %p %s.\n", e, name); ++ if (!ip6_checkentry(&e->ipv6)) + return -EINVAL; +- } + + if (e->target_offset + sizeof(struct xt_entry_target) > + e->next_offset) +@@ -679,10 +677,6 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name, + struct xt_mtchk_param mtpar; + struct xt_entry_match *ematch; + +- ret = check_entry(e, name); +- if (ret) +- return ret; +- + e->counters.pcnt = xt_percpu_counter_alloc(); + if (IS_ERR_VALUE(e->counters.pcnt)) + return -ENOMEM; +@@ -753,6 +747,7 @@ check_entry_size_and_hooks(struct ip6t_entry *e, + unsigned int valid_hooks) + { + unsigned int h; ++ int err; + + if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 || + (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) { +@@ -767,6 +762,10 @@ check_entry_size_and_hooks(struct ip6t_entry *e, + return -EINVAL; + } + ++ err = check_entry(e); ++ if (err) ++ return err; ++ + /* Check hooks & underflows */ + for (h = 0; h < NF_INET_NUMHOOKS; h++) { + if (!(valid_hooks & (1 << h))) +@@ -1518,7 +1517,7 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, + } + + /* For purposes of check_entry casting the compat entry is fine */ +- ret = check_entry((struct ip6t_entry *)e, name); ++ ret 
= check_entry((struct ip6t_entry *)e); + if (ret) + return ret; + +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-4998/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-4998/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-4998/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-4998/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-5195/3.4/0.patch b/Patches/Linux_CVEs/CVE-2016-5195/3.4/0.patch deleted file mode 100644 index cce6b2c1..00000000 --- a/Patches/Linux_CVEs/CVE-2016-5195/3.4/0.patch +++ /dev/null 
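Review bot: `check_entry()` now runs before `mark_source_chains`, but the only bound it places on `e->target_offset` in the visible lines is the upper one, `e->target_offset + sizeof(struct xt_entry_target) > e->next_offset`. Nothing visible rejects a `target_offset` smaller than the entry header, which would let the target overlap the entry itself; the rest of `check_entry()` is outside the hunk, so this may be handled there. If it is not, a lower bound such as `if (e->target_offset < sizeof(struct ipt_entry)) return -EINVAL;` belongs next to the existing test, with the equivalent for the arp and ip6 variants. The compat callers pass a cast compat entry, so the header size used there needs separate care.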
@@ -1,148 +0,0 @@ -From 1c8544a93151329be95f702f6f4029f860b77ee7 Mon Sep 17 00:00:00 2001 -From: Michal Hocko -Date: Sun, 16 Oct 2016 11:55:00 +0200 -Subject: mm, gup: close FOLL MAP_PRIVATE race - -commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream. - -faultin_page drops FOLL_WRITE after the page fault handler did the CoW -and then we retry follow_page_mask to get our CoWed page. This is racy, -however because the page might have been unmapped by that time and so -we would have to do a page fault again, this time without CoW. This -would cause the page cache corruption for FOLL_FORCE on MAP_PRIVATE -read only mappings with obvious consequences. - -This is an ancient bug that was actually already fixed once by Linus -eleven years ago in commit 4ceb5db9757a ("Fix get_user_pages() race -for write access") but that was then undone due to problems on s390 -by commit f33ea7f404e5 ("fix get_user_pages bug") because s390 didn't -have proper dirty pte tracking until abf09bed3cce ("s390/mm: implement -software dirty bits"). This wasn't a problem at the time as pointed out -by Hugh Dickins because madvise relied on mmap_sem for write up until -0a27a14a6292 ("mm: madvise avoid exclusive mmap_sem") but since then we -can race with madvise which can unmap the fresh COWed page or with KSM -and corrupt the content of the shared page. - -This patch is based on the Linus' approach to not clear FOLL_WRITE after -the CoW page fault (aka VM_FAULT_WRITE) but instead introduces FOLL_COW -to note this fact. The flag is then rechecked during follow_pfn_pte to -enforce the page fault again if we do not see the CoWed page. Linus was -suggesting to check pte_dirty again as s390 is OK now. But that would -make backporting to some old kernels harder. So instead let's just make -sure that vm_normal_page sees a pure anonymous page. - -This would guarantee we are seeing a real CoW page. 
Introduce -can_follow_write_pte which checks both pte_write and falls back to -PageAnon on forced write faults which passed CoW already. Thanks to Hugh -to point out that a special care has to be taken for KSM pages because -our COWed page might have been merged with a KSM one and keep its -PageAnon flag. - -Fixes: 0a27a14a6292 ("mm: madvise avoid exclusive mmap_sem") -Reported-by: Phil "not Paul" Oester -Disclosed-by: Andy Lutomirski -Signed-off-by: Linus Torvalds -Signed-off-by: Michal Hocko -[bwh: Backported to 3.2: - - Adjust filename, context, indentation - - The 'no_page' exit path in follow_page() is different, so open-code the - cleanup - - Delete a now-unused label] -Signed-off-by: Ben Hutchings -Signed-off-by: Zefan Li ---- - include/linux/mm.h | 1 + - mm/memory.c | 39 ++++++++++++++++++++++++++++----------- - 2 files changed, 29 insertions(+), 11 deletions(-) - -diff --git a/include/linux/mm.h b/include/linux/mm.h -index ceebf63..ef706ab 100644 ---- a/include/linux/mm.h -+++ b/include/linux/mm.h -@@ -1525,6 +1525,7 @@ struct page *follow_page(struct vm_area_struct *, unsigned long address, - #define FOLL_MLOCK 0x40 /* mark page as mlocked */ - #define FOLL_SPLIT 0x80 /* don't return transhuge pages, split them */ - #define FOLL_HWPOISON 0x100 /* check page is hwpoisoned */ -+#define FOLL_COW 0x4000 /* internal GUP flag */ - - typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr, - void *data); -diff --git a/mm/memory.c b/mm/memory.c -index 4774579..9701911 100644 ---- a/mm/memory.c -+++ b/mm/memory.c -@@ -1447,6 +1447,24 @@ int zap_vma_ptes(struct vm_area_struct *vma, unsigned long address, - } - EXPORT_SYMBOL_GPL(zap_vma_ptes); - -+static inline bool can_follow_write_pte(pte_t pte, struct page *page, -+ unsigned int flags) -+{ -+ if (pte_write(pte)) -+ return true; -+ -+ /* -+ * Make sure that we are really following CoWed page. 
We do not really -+ * have to care about exclusiveness of the page because we only want -+ * to ensure that once COWed page hasn't disappeared in the meantime -+ * or it hasn't been merged to a KSM page. -+ */ -+ if ((flags & FOLL_FORCE) && (flags & FOLL_COW)) -+ return page && PageAnon(page) && !PageKsm(page); -+ -+ return false; -+} -+ - /** - * follow_page - look up a page descriptor from a user-virtual address - * @vma: vm_area_struct mapping @address -@@ -1529,10 +1547,13 @@ split_fallthrough: - pte = *ptep; - if (!pte_present(pte)) - goto no_page; -- if ((flags & FOLL_WRITE) && !pte_write(pte)) -- goto unlock; - - page = vm_normal_page(vma, address, pte); -+ if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, page, flags)) { -+ pte_unmap_unlock(ptep, ptl); -+ return NULL; -+ } -+ - if (unlikely(!page)) { - if ((flags & FOLL_DUMP) || - !is_zero_pfn(pte_pfn(pte))) -@@ -1575,7 +1596,7 @@ split_fallthrough: - unlock_page(page); - } - } --unlock: -+ - pte_unmap_unlock(ptep, ptl); - out: - return page; -@@ -1809,17 +1830,13 @@ int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm, - * The VM_FAULT_WRITE bit tells us that - * do_wp_page has broken COW when necessary, - * even if maybe_mkwrite decided not to set -- * pte_write. We can thus safely do subsequent -- * page lookups as if they were reads. But only -- * do so when looping for pte_write is futile: -- * in some cases userspace may also be wanting -- * to write to the gotten user page, which a -- * read fault here might prevent (a readonly -- * page might get reCOWed by userspace write). -+ * pte_write. We cannot simply drop FOLL_WRITE -+ * here because the COWed page might be gone by -+ * the time we do the subsequent page lookups. - */ - if ((ret & VM_FAULT_WRITE) && - !(vma->vm_flags & VM_WRITE)) -- foll_flags &= ~FOLL_WRITE; -+ foll_flags |= FOLL_COW; - - cond_resched(); - } --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-5195/3.10/1.patch b/Patches/Linux_CVEs/CVE-2016-5195/ANY/0001.patch similarity index 82% rename from Patches/Linux_CVEs/CVE-2016-5195/3.10/1.patch rename to Patches/Linux_CVEs/CVE-2016-5195/ANY/0001.patch index c8ae9d00..b4d3fc9c 100644 --- a/Patches/Linux_CVEs/CVE-2016-5195/3.10/1.patch +++ b/Patches/Linux_CVEs/CVE-2016-5195/ANY/0001.patch @@ -1,10 +1,7 @@ -From c33d1bdff9c4c24e73e7c7f48ce8f8c1819a233f Mon Sep 17 00:00:00 2001 +From 9691eac5593ff1e2f82391ad327f21d90322aec1 Mon Sep 17 00:00:00 2001 From: Linus Torvalds -Date: Thu, 20 Oct 2016 14:11:10 -0700 -Subject: [PATCH] UPSTREAM: mm: remove gup_flags FOLL_WRITE games from - __get_user_pages() - -(cherry-picked from 9691eac5593ff1e2f82391ad327f21d90322aec1) +Date: Thu, 13 Oct 2016 13:07:36 -0700 +Subject: mm: remove gup_flags FOLL_WRITE games from __get_user_pages() commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream. @@ -41,18 +38,16 @@ Signed-off-by: Linus Torvalds [wt: s/gup.c/memory.c; s/follow_page_pte/follow_page_mask; s/faultin_page/__get_user_page] Signed-off-by: Willy Tarreau -Change-Id: I42e448ecacad4781b460c4c989026307169ba1b5 -Bug: 32141528 --- include/linux/mm.h | 1 + mm/memory.c | 14 ++++++++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/include/linux/mm.h b/include/linux/mm.h -index b582c9d07fcd5..54567b0c41d63 100644 +index 53b0d70..55590f4 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h -@@ -1752,6 +1752,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma, +@@ -1715,6 +1715,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma, #define FOLL_HWPOISON 0x100 /* check page is hwpoisoned */ #define FOLL_NUMA 0x200 /* force NUMA hinting page fault */ #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */ @@ -61,10 +56,10 @@ index b582c9d07fcd5..54567b0c41d63 100644 typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr, void *data); 
diff --git a/mm/memory.c b/mm/memory.c -index ac61bc57e3ef4..fd453654d3008 100644 +index 10cdade..2ca2ee1 100644 --- a/mm/memory.c +++ b/mm/memory.c -@@ -1467,6 +1467,16 @@ int zap_vma_ptes(struct vm_area_struct *vma, unsigned long address, +@@ -1462,6 +1462,16 @@ int zap_vma_ptes(struct vm_area_struct *vma, unsigned long address, } EXPORT_SYMBOL_GPL(zap_vma_ptes); @@ -81,7 +76,7 @@ index ac61bc57e3ef4..fd453654d3008 100644 /** * follow_page_mask - look up a page descriptor from a user-virtual address * @vma: vm_area_struct mapping @address -@@ -1574,7 +1584,7 @@ struct page *follow_page_mask(struct vm_area_struct *vma, +@@ -1569,7 +1579,7 @@ split_fallthrough: } if ((flags & FOLL_NUMA) && pte_numa(pte)) goto no_page; @@ -90,7 +85,7 @@ index ac61bc57e3ef4..fd453654d3008 100644 goto unlock; page = vm_normal_page(vma, address, pte); -@@ -1894,7 +1904,7 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm, +@@ -1877,7 +1887,7 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm, */ if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE)) @@ -99,3 +94,6 @@ index ac61bc57e3ef4..fd453654d3008 100644 cond_resched(); } +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-5195/3.18/2.patch b/Patches/Linux_CVEs/CVE-2016-5195/ANY/0002.patch similarity index 81% rename from Patches/Linux_CVEs/CVE-2016-5195/3.18/2.patch rename to Patches/Linux_CVEs/CVE-2016-5195/ANY/0002.patch index 3cd4fded..c1b8aea7 100644 --- a/Patches/Linux_CVEs/CVE-2016-5195/3.18/2.patch +++ b/Patches/Linux_CVEs/CVE-2016-5195/ANY/0002.patch @@ -1,8 +1,9 @@ -From 47f4f5225f27dc8b495ef2f946edd405630245ca Mon Sep 17 00:00:00 2001 +From e45a502bdeae5a075257c4f061d1ff4ff0821354 Mon Sep 17 00:00:00 2001 
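Review bot: Moving the `3.10` and `3.18` variants to `ANY/0001.patch` and `ANY/0002.patch`, while deleting `3.4/0.patch`, drops the version scoping of the CVE-2016-5195 fix. The two `ANY` patches target different trees (one edits `follow_page_mask` in `mm/memory.c`, the other `follow_page_pte` in `mm/gup.c`), and the deleted backport was written against `follow_page()`. If `ANY` means the patch is tried on every kernel (inferred from the directory names), at most one of the two can apply to a given tree and an older tree may end up with neither. Keeping version-scoped directories for this CVE, or recording which patch is expected to apply to which kernel, would make a silent miss detectable.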
From: Linus Torvalds Date: Thu, 13 Oct 2016 13:07:36 -0700 -Subject: [PATCH] CHROMIUM: UPSTREAM: mm: remove gup_flags FOLL_WRITE games - from __get_user_pages() +Subject: mm: remove gup_flags FOLL_WRITE games from __get_user_pages() + +[ Upstream commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 ] This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix @@ -23,10 +24,6 @@ we already did a COW" rather than play racy games with FOLL_WRITE that is very fundamental, and then use the pte dirty flag to validate that the FOLL_COW flag is still valid. -BUG=chromium:657609 -TEST=None - -Change-Id: I42e448ecacad4781b460c4c989026307169ba1b5 Reported-and-tested-by: Phil "not Paul" Oester Acked-by: Hugh Dickins Reviewed-by: Michal Hocko @@ -38,21 +35,17 @@ Cc: Nick Piggin Cc: Greg Thelen Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds -(cherry picked from commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619) -Signed-off-by: Andrey Ulanov -Reviewed-on: https://chromium-review.googlesource.com/401142 -Reviewed-by: Guenter Roeck -Bug: 32141528 +Signed-off-by: Sasha Levin --- include/linux/mm.h | 1 + mm/gup.c | 14 ++++++++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/include/linux/mm.h b/include/linux/mm.h -index 4f0afdd748180..f410ba03afd93 100644 +index 9eef3a1..db853de 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h -@@ -2050,6 +2050,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma, +@@ -2029,6 +2029,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma, #define FOLL_NUMA 0x200 /* force NUMA hinting page fault */ #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */ #define FOLL_TRIED 0x800 /* a retry, previous pass started an IO */ @@ -61,7 +54,7 @@ index 4f0afdd748180..f410ba03afd93 100644 typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr, void *data); 
diff --git a/mm/gup.c b/mm/gup.c -index 377a5a796242e..bef4bb0f79625 100644 +index 377a5a7..3cec4df 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -32,6 +32,16 @@ static struct page *no_page_table(struct vm_area_struct *vma, @@ -81,7 +74,7 @@ index 377a5a796242e..bef4bb0f79625 100644 static struct page *follow_page_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd, unsigned int flags) { -@@ -66,7 +76,7 @@ static struct page *follow_page_pte(struct vm_area_struct *vma, +@@ -66,7 +76,7 @@ retry: } if ((flags & FOLL_NUMA) && pte_numa(pte)) goto no_page; @@ -95,7 +88,10 @@ index 377a5a796242e..bef4bb0f79625 100644 */ if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE)) - *flags &= ~FOLL_WRITE; -+ *flags |= FOLL_COW; ++ *flags |= FOLL_COW; return 0; } +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-5340/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5340/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-5340/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-5340/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-5342/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5342/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-5342/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-5342/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-5343/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5343/ANY/0001.patch similarity index 91% rename from Patches/Linux_CVEs/CVE-2016-5343/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-5343/ANY/0001.patch index 9dfae3b9..1f15f28b 100644 --- a/Patches/Linux_CVEs/CVE-2016-5343/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2016-5343/ANY/0001.patch @@ -1,21 +1,19 @@ -From 4b60975d224bf12fc20ccbe76bfedb411c4e833d Mon Sep 17 00:00:00 2001 +From 6927e2e0af4dcac357be86ba563c9ae12354bb08 Mon Sep 17 00:00:00 2001 
From: Josh Kirsch Date: Mon, 2 May 2016 14:55:04 -0700 -Subject: [PATCH] drivers: soc: Add buffer overflow check for svc send request +Subject: drivers: soc: Add buffer overflow check for svc send request Add buffer overflow check in voice_svc_send_req. CRs-fixed: 1010081 - -Bug: 31796345 -Change-Id: Ice173a9f553022251bd58b0ac03c6fef2f4e0b40 +Change-Id: I4ae703334b0cf04f327b392bc9cd6febd4ad32f2 Signed-off-by: Josh Kirsch --- drivers/soc/qcom/qdsp6v2/voice_svc.c | 46 +++++++++++++++++++++++++----------- 1 file changed, 32 insertions(+), 14 deletions(-) diff --git a/drivers/soc/qcom/qdsp6v2/voice_svc.c b/drivers/soc/qcom/qdsp6v2/voice_svc.c -index 23b8292c8db5b..67c58d1e6d4cd 100644 +index 23b8292..67c58d1 100644 --- a/drivers/soc/qcom/qdsp6v2/voice_svc.c +++ b/drivers/soc/qcom/qdsp6v2/voice_svc.c @@ -1,4 +1,4 @@ @@ -98,3 +96,6 @@ index 23b8292c8db5b..67c58d1e6d4cd 100644 break; default: pr_debug("%s: Invalid command: %u\n", __func__, cmd); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-5344/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5344/ANY/0001.patch new file mode 100644 index 00000000..89c1cc05 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-5344/ANY/0001.patch 
@@ -0,0 +1,167 @@
+From 64e15c36d6c1c57dc2d95a3f163bc830a469fc20 Mon Sep 17 00:00:00 2001
+From: Dhaval Patel
+Date: Tue, 22 Mar 2016 22:56:38 -0700
+Subject: msm: mdss: validate layer count before copying userdata
+
+Validate input layer count in rotator and async update
+ioctl call before copying the rotator request list and
+async update layer list.
+
+Change-Id: I3489e5a2d4237a47bddf56c2f44c9e3001f0b2b4
+Signed-off-by: Dhaval Patel
+---
+ drivers/video/msm/mdss/mdss_compat_utils.c | 6 +++---
+ drivers/video/msm/mdss/mdss_fb.c | 6 +++---
+ drivers/video/msm/mdss/mdss_fb.h | 3 +--
+ drivers/video/msm/mdss/mdss_mdp.h | 4 +++-
+ drivers/video/msm/mdss/mdss_rotator.c | 20 +++++++++++++++++---
+ 5 files changed, 27 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c
+index 3bc5de6..e391a5a 100644
+--- a/drivers/video/msm/mdss/mdss_compat_utils.c
++++ b/drivers/video/msm/mdss/mdss_compat_utils.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
+ * Copyright (C) 1994 Martin Schaller
+ *
+ * 2001 - Documented with DocBook
+@@ -445,8 +445,8 @@ static int __compat_async_position_update(struct fb_info *info,
+
+ update_pos.input_layer_cnt = update_pos32.input_layer_cnt;
+ layer_cnt = update_pos32.input_layer_cnt;
+- if (!layer_cnt) {
+- pr_err("no async layer to update\n");
++ if ((!layer_cnt) || (layer_cnt > MAX_LAYER_COUNT)) {
++ pr_err("invalid async layers :%d to update\n", layer_cnt);
+ return -EINVAL;
+ }
+
+diff --git a/drivers/video/msm/mdss/mdss_fb.c b/drivers/video/msm/mdss/mdss_fb.c
+index 73ab61e..9aa87d0 100644
+--- a/drivers/video/msm/mdss/mdss_fb.c
++++ b/drivers/video/msm/mdss/mdss_fb.c
+@@ -2,7 +2,7 @@
+ * Core MDSS framebuffer driver.
+ *
+ * Copyright (C) 2007 Google Incorporated
+- * Copyright (c) 2008-2015, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2008-2016, The Linux Foundation. All rights reserved.
+ *
+ * This software is licensed under the terms of the GNU General Public
+ * License version 2, as published by the Free Software Foundation, and
+@@ -3781,8 +3781,8 @@ static int mdss_fb_async_position_update_ioctl(struct fb_info *info,
+ input_layer_list = update_pos.input_layers;
+
+ layer_cnt = update_pos.input_layer_cnt;
+- if (!layer_cnt) {
+- pr_err("no async layers to update\n");
++ if ((!layer_cnt) || (layer_cnt > MAX_LAYER_COUNT)) {
++ pr_err("invalid async layers :%d to update\n", layer_cnt);
+ return -EINVAL;
+ }
+
+diff --git a/drivers/video/msm/mdss/mdss_fb.h b/drivers/video/msm/mdss/mdss_fb.h
+index 9bb8b40..f4825e3 100644
+--- a/drivers/video/msm/mdss/mdss_fb.h
++++ b/drivers/video/msm/mdss/mdss_fb.h
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2008-2015, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -56,7 +56,6 @@
+
+ #define MDP_PP_AD_BL_LINEAR 0x0
+ #define MDP_PP_AD_BL_LINEAR_INV 0x1
+-#define MAX_LAYER_COUNT 0xC
+
+ /**
+ * enum mdp_notify_event - Different frame events to indicate frame update state
+diff --git a/drivers/video/msm/mdss/mdss_mdp.h b/drivers/video/msm/mdss/mdss_mdp.h
+index b2083c5..40ec88c 100644
+--- a/drivers/video/msm/mdss/mdss_mdp.h
++++ b/drivers/video/msm/mdss/mdss_mdp.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -83,6 +83,8 @@
+
+ #define XIN_HALT_TIMEOUT_US 0x4000
+
++#define MAX_LAYER_COUNT 0xC
++
+ /* hw cursor can only be setup in highest mixer stage */
+ #define HW_CURSOR_STAGE(mdata) \
+ (((mdata)->max_target_zorder + MDSS_MDP_STAGE_0) - 1)
+diff --git a/drivers/video/msm/mdss/mdss_rotator.c b/drivers/video/msm/mdss/mdss_rotator.c
+index 86e3665..e3c46fc 100644
+--- a/drivers/video/msm/mdss/mdss_rotator.c
++++ b/drivers/video/msm/mdss/mdss_rotator.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -2129,6 +2129,7 @@ static int mdss_rotator_handle_request(struct mdss_rot_mgr *mgr,
+ struct mdp_rotation_item *items = NULL;
+ struct mdss_rot_entry_container *req = NULL;
+ int size, ret;
++ uint32_t req_count;
+
+ ret = copy_from_user(&user_req, (void __user *)arg,
+ sizeof(user_req));
+@@ -2137,12 +2138,18 @@ static int mdss_rotator_handle_request(struct mdss_rot_mgr *mgr,
+ return ret;
+ }
+
++ req_count = user_req.count;
++ if ((!req_count) || (req_count > MAX_LAYER_COUNT)) {
++ pr_err("invalid rotator req count :%d\n", req_count);
++ return -EINVAL;
++ }
++
+ /*
+ * here, we make a copy of the items so that we can copy
+ * all the output fences to the client in one call. Otherwise,
+ * we will have to call multiple copy_to_user
+ */
+- size = sizeof(struct mdp_rotation_item) * user_req.count;
++ size = sizeof(struct mdp_rotation_item) * req_count;
+ items = devm_kzalloc(&mgr->pdev->dev, size, GFP_KERNEL);
+ if (!items) {
+ pr_err("fail to allocate rotation items\n");
+@@ -2281,6 +2288,7 @@ static int mdss_rotator_handle_request32(struct mdss_rot_mgr *mgr,
+ struct mdp_rotation_item *items = NULL;
+ struct mdss_rot_entry_container *req = NULL;
+ int size, ret;
++ uint32_t req_count;
+
+ ret = copy_from_user(&user_req32, (void __user *)arg,
+ sizeof(user_req32));
+@@ -2289,7 +2297,13 @@ static int mdss_rotator_handle_request32(struct mdss_rot_mgr *mgr,
+ return ret;
+ }
+
+- size = sizeof(struct mdp_rotation_item) * user_req32.count;
++ req_count = user_req32.count;
++ if ((!req_count) || (req_count > MAX_LAYER_COUNT)) {
++ pr_err("invalid rotator req count :%d\n", req_count);
++ return -EINVAL;
++ }
++
++ size = sizeof(struct mdp_rotation_item) * req_count;
+ items = devm_kzalloc(&mgr->pdev->dev, size, GFP_KERNEL);
+ if (!items) {
+ pr_err("fail to allocate rotation items\n");
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-5345/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5345/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5345/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-5345/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-5346/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5346/3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5346/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-5346/3.18/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-5346/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2016-5346/4.4/0002.patch
new file mode 100644
index 00000000..fb5b5e83
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-5346/4.4/0002.patch
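Review bot: The new rejection messages print an unsigned, caller-supplied count with `%d` and without rate limiting: in `mdss_rotator_handle_request()` and `mdss_rotator_handle_request32()` `req_count` is declared `uint32_t`, so a large value is logged as a negative number, and every rejected ioctl writes a line to the kernel log. I would use `pr_err_ratelimited("invalid rotator req count :%u\n", req_count);` in both handlers, and the same for the two `layer_cnt` messages if `layer_cnt` is unsigned (its declaration is outside the hunks). The patch also moves `MAX_LAYER_COUNT` from `mdss_fb.h` to `mdss_mdp.h`; whether `mdss_fb.c` and `mdss_compat_utils.c` include `mdss_mdp.h` is not visible here, so that deserves a build check on each target tree.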
@@ -0,0 +1,48 @@
+From 25a64e34bbec7b14887cbfe8266ccf6f27113bab Mon Sep 17 00:00:00 2001
+From: Xiaoyu Ye
+Date: Wed, 7 Dec 2016 16:35:07 -0800
+Subject: drivers: soc: qcom: Add error handling in function avtimer_ioctl
+
+Error handling is added to prevent garbage value being passed to
+user space by the uninitialized local variable avtimer_tick.
+
+CRs-Fixed: 1097878
+Change-Id: I3f895deaae3acf329088cf8135859cc41e781763
+Signed-off-by: Xiaoyu Ye
+---
+ drivers/soc/qcom/avtimer.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/soc/qcom/avtimer.c b/drivers/soc/qcom/avtimer.c
+index 2bded5e..4331af8 100644
+--- a/drivers/soc/qcom/avtimer.c
++++ b/drivers/soc/qcom/avtimer.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
+
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -331,9 +331,17 @@ static long avtimer_ioctl(struct file *file, unsigned int ioctl_num,
+ switch (ioctl_num) {
+ case IOCTL_GET_AVTIMER_TICK:
+ {
+- uint64_t avtimer_tick;
++ uint64_t avtimer_tick = 0;
++ int rc;
++
++ rc = avcs_core_query_timer(&avtimer_tick);
++
++ if (rc) {
++ pr_err("%s: Error: Invalid AV Timer tick, rc = %d\n",
++ __func__, rc);
++ return rc;
++ }
+
+- avcs_core_query_timer(&avtimer_tick);
+ pr_debug_ratelimited("%s: AV Timer tick: time %llx\n",
+ __func__, avtimer_tick);
+ if (copy_to_user((void *) ioctl_param, &avtimer_tick,
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-5347/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5347/3.18/0001.patch
similarity index 83%
rename from Patches/Linux_CVEs/CVE-2016-5347/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-5347/3.18/0001.patch
index 0d77e275..821b98fd 100644
--- a/Patches/Linux_CVEs/CVE-2016-5347/ANY/0.patch
+++ b/Patches/Linux_CVEs/CVE-2016-5347/3.18/0001.patch
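Review bot: `return rc;` in the `IOCTL_GET_AVTIMER_TICK` case hands whatever `avcs_core_query_timer()` returned straight back to the ioctl caller, and that function's return convention is not visible in this hunk. If it can return a positive status, user space sees a success-like value with no tick copied out; mapping it explicitly, e.g. `return rc < 0 ? rc : -EIO;`, removes that dependency. The new error line is also unratelimited while the success path just below uses `pr_debug_ratelimited`, so `pr_err_ratelimited` would be the consistent choice for a message a caller can trigger repeatedly. The body of `avtimer_ioctl` continues outside the hunk.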
@@ -1,4 +1,4 @@ -From ae6485b9656470e9a64d5320cb8efd5820ddec8d Mon Sep 17 00:00:00 2001 +From ed4d6f5d8451d99860950d0abf8ad583efed6d5c Mon Sep 17 00:00:00 2001 From: Xiaojun Sang Date: Fri, 16 Dec 2016 16:25:27 +0800 Subject: ASoC: soc: msm: initialize buffer to prevent kernel data leakage @@ -14,10 +14,10 @@ Signed-off-by: Xiaojun Sang 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sound/soc/msm/qdsp6v2/msm-qti-pp-config.c b/sound/soc/msm/qdsp6v2/msm-qti-pp-config.c -index 1eeb577..94d6cf7 100644 +index 9e34bd3..510ddc7 100644 --- a/sound/soc/msm/qdsp6v2/msm-qti-pp-config.c +++ b/sound/soc/msm/qdsp6v2/msm-qti-pp-config.c -@@ -484,7 +484,7 @@ static int msm_qti_pp_set_auxpcm_lb_vol_mixer(struct snd_kcontrol *kcontrol, +@@ -575,7 +575,7 @@ static int msm_qti_pp_set_sec_auxpcm_lb_vol_mixer( static int msm_qti_pp_get_channel_map_mixer(struct snd_kcontrol *kcontrol, struct snd_ctl_elem_value *ucontrol) { diff --git a/Patches/Linux_CVEs/CVE-2016-5347/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2016-5347/4.4/0002.patch new file mode 100644 index 00000000..3978c945 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-5347/4.4/0002.patch 
@@ -0,0 +1,31 @@
+From f14390f13e62460fc6b05fc0acde0e825374fdb6 Mon Sep 17 00:00:00 2001
+From: Xiaojun Sang
+Date: Fri, 16 Dec 2016 16:25:27 +0800
+Subject: ASoC: soc: msm: initialize buffer to prevent kernel data leakage
+
+To prevent potential kernel stack data leakage, initialize
+channel_map[].
+
+CRs-Fixed: 1100878
+Change-Id: I7b81cea20485bc7514551672bb54c7fd455049e3
+Signed-off-by: Xiaojun Sang
+---
+ sound/soc/msm/qdsp6v2/msm-qti-pp-config.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-qti-pp-config.c b/sound/soc/msm/qdsp6v2/msm-qti-pp-config.c
+index 7c8af09..832d7c01 100644
+--- a/sound/soc/msm/qdsp6v2/msm-qti-pp-config.c
++++ b/sound/soc/msm/qdsp6v2/msm-qti-pp-config.c
+@@ -579,7 +579,7 @@ static int msm_qti_pp_set_sec_auxpcm_lb_vol_mixer(
+ static int msm_qti_pp_get_channel_map_mixer(struct snd_kcontrol *kcontrol,
+ struct snd_ctl_elem_value *ucontrol)
+ {
+- char channel_map[PCM_FORMAT_MAX_NUM_CHANNEL];
++ char channel_map[PCM_FORMAT_MAX_NUM_CHANNEL] = {0};
+ int i;
+
+ adm_get_multi_ch_map(channel_map, ADM_PATH_PLAYBACK);
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-5349/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5349/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5349/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-5349/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-5349/ANY/3.patch b/Patches/Linux_CVEs/CVE-2016-5349/ANY/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5349/ANY/3.patch
rename to Patches/Linux_CVEs/CVE-2016-5349/ANY/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-5349/ANY/2.patch b/Patches/Linux_CVEs/CVE-2016-5349/ANY/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5349/ANY/2.patch
rename to Patches/Linux_CVEs/CVE-2016-5349/ANY/0003.patch
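Review bot: Zero-initialising `channel_map[]` closes the stack disclosure, but the result of `adm_get_multi_ch_map(channel_map, ADM_PATH_PLAYBACK);` is still discarded two lines later, so a failed lookup would now reach user space as an all-zero channel map rather than as an error. If that function returns a status (its prototype is not visible here), check it and return the error before the map is handed back. A short comment on the initialiser, `/* zeroed: handed to user space even if the ADM lookup fills nothing */`, would keep a later cleanup from dropping it. The function body continues outside the hunk.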
diff --git a/Patches/Linux_CVEs/CVE-2016-5349/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-5349/ANY/0004.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5349/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2016-5349/ANY/0004.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-5696/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-5696/ANY/0001.patch
new file mode 100644
index 00000000..d91940dc
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-5696/ANY/0001.patch
@@ -0,0 +1,81 @@
+From 75ff39ccc1bd5d3c455b6822ab09e533c551f758 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Sun, 10 Jul 2016 10:04:02 +0200
+Subject: tcp: make challenge acks less predictable
+
+Yue Cao claims that current host rate limiting of challenge ACKS
+(RFC 5961) could leak enough information to allow a patient attacker
+to hijack TCP sessions. He will soon provide details in an academic
+paper.
+
+This patch increases the default limit from 100 to 1000, and adds
+some randomization so that the attacker can no longer hijack
+sessions without spending a considerable amount of probes.
+
+Based on initial analysis and patch from Linus.
+
+Note that we also have per socket rate limiting, so it is tempting
+to remove the host limit in the future.
+
+v2: randomize the count of challenge acks per second, not the period.
+
+Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
+Reported-by: Yue Cao
+Signed-off-by: Eric Dumazet
+Suggested-by: Linus Torvalds
+Cc: Yuchung Cheng
+Cc: Neal Cardwell
+Acked-by: Neal Cardwell
+Acked-by: Yuchung Cheng
+Signed-off-by: David S. Miller
+---
+ net/ipv4/tcp_input.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
+index d6c8f4cd0..91868bb 100644
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
+ EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
+
+ /* rfc5961 challenge ack rate limiting */
+-int sysctl_tcp_challenge_ack_limit = 100;
++int sysctl_tcp_challenge_ack_limit = 1000;
+
+ int sysctl_tcp_stdurg __read_mostly;
+ int sysctl_tcp_rfc1337 __read_mostly;
+@@ -3458,7 +3458,7 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
+ static u32 challenge_timestamp;
+ static unsigned int challenge_count;
+ struct tcp_sock *tp = tcp_sk(sk);
+- u32 now;
++ u32 count, now;
+
+ /* First check our per-socket dupack rate limit. */
+ if (tcp_oow_rate_limited(sock_net(sk), skb,
+@@ -3466,13 +3466,18 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
+ &tp->last_oow_ack_time))
+ return;
+
+- /* Then check the check host-wide RFC 5961 rate limit. */
++ /* Then check host-wide RFC 5961 rate limit. */
+ now = jiffies / HZ;
+ if (now != challenge_timestamp) {
++ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
++
+ challenge_timestamp = now;
+- challenge_count = 0;
++ WRITE_ONCE(challenge_count, half +
++ prandom_u32_max(sysctl_tcp_challenge_ack_limit));
+ }
+- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
++ count = READ_ONCE(challenge_count);
++ if (count > 0) {
++ WRITE_ONCE(challenge_count, count - 1);
+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
+ tcp_send_ack(sk);
+ }
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-5829/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5829/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5829/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-5829/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-5853/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-5853/3.10/0001.patch
new file mode 100644
index 00000000..5a346499
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-5853/3.10/0001.patch
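Review bot: This backport is filed under `ANY`, yet the rewritten part of `tcp_send_challenge_ack()` depends on `READ_ONCE()`, `WRITE_ONCE()` and `prandom_u32_max()`, which older kernel trees do not necessarily provide. On such a tree the patch fails to apply or to build, and the host keeps the predictable challenge-ACK counter the commit message describes, so the outcome should be checked per kernel version rather than assumed. Note also that only the compiled-in default moves from 100 to 1000: a device that sets `net.ipv4.tcp_challenge_ack_limit` explicitly keeps its own value, and the randomised budget (`half + prandom_u32_max(sysctl_tcp_challenge_ack_limit)`) is derived from that value.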
@@ -0,0 +1,35 @@
+From e879fc7eca7e3ba0ab9dcf24d2f717e49718a01e Mon Sep 17 00:00:00 2001
+From: kunleiz
+Date: Tue, 27 Dec 2016 16:15:51 +0800
+Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
+
+Return an error code to ensure valid length value is valid.
+
+CRs-fixed: 1102987
+Change-Id: I6a679d08342d1da58c20b5c3d4e436dd335764ae
+Signed-off-by: kunleiz
+---
+ sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+index 59835e6..d654b30 100644
+--- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
++++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+ * only version 2 as published by the Free Software Foundation.
+@@ -1656,6 +1656,7 @@ static int msm_ds2_dap_param_visualizer_control_get(u32 cmd, void *arg)
+ ret = 0;
+ dolby_data->length = 0;
+ pr_err("%s Incorrect VCNB length", __func__);
++ return -EINVAL;
+ }
+
+ params_length = (2*length + DOLBY_VIS_PARAM_HEADER_SIZE) *
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-5853/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-5853/3.18/0002.patch
new file mode 100644
index 00000000..aa063c79
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-5853/3.18/0002.patch
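Review bot: The added `return -EINVAL;` leaves `msm_ds2_dap_param_visualizer_control_get()` from inside the length check, so anything the function acquired before that point (allocations or locks are not visible, since the function starts and ends outside the hunk) would skip its normal exit path. If the function has a common cleanup path, prefer `ret = -EINVAL;` and a jump to it; either way the `ret = 0;` two lines above is now a dead store and should be removed. The `pr_err("%s Incorrect VCNB length", __func__);` format also lacks a trailing `\n`. The identical hunk in `CVE-2016-5853/3.18/0002.patch` has the same points.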
@@ -0,0 +1,35 @@
+From 49d27afe9a76273e0d5314cf9241d1d1c3561d13 Mon Sep 17 00:00:00 2001
+From: kunleiz
+Date: Tue, 27 Dec 2016 16:15:51 +0800
+Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
+
+Return an error code to ensure valid length value is valid.
+
+CRs-fixed: 1102987
+Change-Id: I6a679d08342d1da58c20b5c3d4e436dd335764ae
+Signed-off-by: kunleiz
+---
+ sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+index 59835e6..d654b30 100644
+--- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
++++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+ * only version 2 as published by the Free Software Foundation.
+@@ -1656,6 +1656,7 @@ static int msm_ds2_dap_param_visualizer_control_get(u32 cmd, void *arg)
+ ret = 0;
+ dolby_data->length = 0;
+ pr_err("%s Incorrect VCNB length", __func__);
++ return -EINVAL;
+ }
+
+ params_length = (2*length + DOLBY_VIS_PARAM_HEADER_SIZE) *
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-5853/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5853/4.4/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5853/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-5853/4.4/0003.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-5854/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5854/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5854/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-5854/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-5855/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5855/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5855/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-5855/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-5856/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5856/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5856/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-5856/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-5857/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5857/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5857/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-5857/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-5858/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5858/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5858/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-5858/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-5858/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-5858/ANY/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5858/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2016-5858/ANY/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-5858/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2016-5858/ANY/0003.patch
new file mode 100644
index 00000000..bd6cb256
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-5858/ANY/0003.patch
@@ -0,0 +1,37 @@
+From 3bfe5a89916f7d29492e9f6d941d108b688cb804 Mon Sep 17 00:00:00 2001
+From: Karthikeyan Mani
+Date: Wed, 14 Dec 2016 11:46:35 -0800
+Subject: ASoC: wcd9335: Fix out of bounds for mad input value
+
+Add check in tasha_mad_input_put function to
+return error on out of bounds access using
+mad input value.
+
+CRs-fixed: 1096799
+Change-Id: Iddaa3fef362f7cb1919aa3bd8dd4b83133fe7c97
+Signed-off-by: Karthikeyan Mani
+---
+ sound/soc/codecs/wcd9335.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/codecs/wcd9335.c b/sound/soc/codecs/wcd9335.c
+index c94623c..1f97326 100644
+--- a/sound/soc/codecs/wcd9335.c
++++ b/sound/soc/codecs/wcd9335.c
+@@ -7575,6 +7575,13 @@ static int tasha_mad_input_put(struct snd_kcontrol *kcontrol,
+
+ tasha_mad_input = ucontrol->value.integer.value[0];
+
++ if (tasha_mad_input >= ARRAY_SIZE(tasha_conn_mad_text)) {
++ dev_err(codec->dev,
++ "%s: tasha_mad_input = %d out of bounds\n",
++ __func__, tasha_mad_input);
++ return -EINVAL;
++ }
++
+ if (!strcmp(tasha_conn_mad_text[tasha_mad_input], "NOTUSED1") ||
+ !strcmp(tasha_conn_mad_text[tasha_mad_input], "NOTUSED2") ||
+ !strcmp(tasha_conn_mad_text[tasha_mad_input], "NOTUSED3") ||
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-5859/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-5859/3.10/0001.patch
new file mode 100644
index 00000000..81b2bac5
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-5859/3.10/0001.patch
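Review bot: The bound is checked after `tasha_mad_input = ucontrol->value.integer.value[0];`, so what is compared with `ARRAY_SIZE(tasha_conn_mad_text)` is the already-converted value, not what user space supplied. The declaration of `tasha_mad_input` is outside the hunk: if it is narrower than the control's integer value, an out-of-range input can be truncated to a valid index and silently select a different entry, and if it is signed, rejecting negative values relies on the implicit conversion to `size_t`. Validating the raw value before the assignment makes the intent explicit: `if (ucontrol->value.integer.value[0] < 0 || ucontrol->value.integer.value[0] >= ARRAY_SIZE(tasha_conn_mad_text)) return -EINVAL;`. The function body continues outside the hunk.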
@@ -0,0 +1,51 @@
+From 302b5348ecbba8cf032a9ffaaa63222a2b285d89 Mon Sep 17 00:00:00 2001
+From: Sharad Sangle
+Date: Tue, 13 Dec 2016 14:35:39 +0530
+Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
+
+To avoid buffer overflow, validate input length used to
+fetch visualizer data.
+
+CRs-fixed: 1096672
+Change-Id: I224bc2f20d94182713c565972fb0bd52cad6f3fd
+Signed-off-by: Sharad Sangle
+---
+ sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
+index bb0f890..5866e46 100644
+--- a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
++++ b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2013-2014, 2016, The Linux Foundation. All rights reserved.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+ * only version 2 as published by the Free Software Foundation.
+@@ -18,6 +18,10 @@
+
+ #include "msm-dolby-dap-config.h"
+
++#ifndef DOLBY_PARAM_VCNB_MAX_LENGTH
++#define DOLBY_PARAM_VCNB_MAX_LENGTH 40
++#endif
++
+ /* dolby endp based parameters */
+ struct dolby_dap_endp_params_s {
+ int device;
+@@ -896,6 +900,11 @@ int msm_dolby_dap_param_visualizer_control_get(struct snd_kcontrol *kcontrol,
+ uint32_t param_payload_len =
+ DOLBY_PARAM_PAYLOAD_SIZE * sizeof(uint32_t);
+ int port_id, copp_idx, idx;
++ if (length > DOLBY_PARAM_VCNB_MAX_LENGTH || length <= 0) {
++ pr_err("%s Incorrect VCNB length", __func__);
++ ucontrol->value.integer.value[0] = 0;
++ return -EINVAL;
++ }
+ for (idx = 0; idx < AFE_MAX_PORTS; idx++) {
+ port_id = dolby_dap_params_states.port_id[idx];
+ copp_idx = dolby_dap_params_states.copp_idx[idx];
+--
+cgit v1.1
+
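Review bot: The limit the new check enforces comes from a fallback `#define DOLBY_PARAM_VCNB_MAX_LENGTH 40` added in the `.c` file, so nothing visible ties it to the size of the buffer the commit message says it protects. If a header on the target tree already defines the macro with another value, or the visualizer buffer is sized differently, the check can pass lengths the buffer cannot hold; I would add a comment such as `/* must not exceed the visualizer data buffer; keep in sync with msm-dolby-dap-config.h */` or derive the bound from the buffer itself. The type of `length` is declared outside the hunk, and if it is unsigned, `length <= 0` only catches zero. The `pr_err("%s Incorrect VCNB length", __func__);` format also lacks a trailing `\n`.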
diff --git a/Patches/Linux_CVEs/CVE-2016-5859/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5859/3.18/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5859/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-5859/3.18/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-5860/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-5860/3.10/0001.patch
new file mode 100644
index 00000000..40111085
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-5860/3.10/0001.patch
@@ -0,0 +1,36 @@
+From 25ab82f5d7d8d8d3b4c8eaaa02944dd5a81be7c3 Mon Sep 17 00:00:00 2001
+From: Karthik Reddy Katta
+Date: Wed, 28 Dec 2016 11:24:33 +0530
+Subject: drivers: soc: qcom: Add overflow check for sound model size
+
+Overflow check is added for sound model size to prevent
+heap overflow while allocating memory for sound model data.
+
+CRs-Fixed: 1100682
+Change-Id: Id38523a5e79028c692670e84d5fe924a855a5a10
+Signed-off-by: Karthik Reddy Katta
+---
+ sound/soc/msm/msm-cpe-lsm.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/msm/msm-cpe-lsm.c b/sound/soc/msm/msm-cpe-lsm.c
+index d5b675f..a4daf91d 100644
+--- a/sound/soc/msm/msm-cpe-lsm.c
++++ b/sound/soc/msm/msm-cpe-lsm.c
+@@ -1913,6 +1913,13 @@ static int msm_cpe_lsm_reg_model(struct snd_pcm_substream *substream,
+
+ lsm_ops->lsm_get_snd_model_offset(cpe->core_handle,
+ session, &offset);
++ /* Check if 'p_info->param_size + offset' crosses U32_MAX. */
++ if (p_info->param_size > U32_MAX - offset) {
++ dev_err(rtd->dev,
++ "%s: Invalid param_size %d\n",
++ __func__, p_info->param_size);
++ return -EINVAL;
++ }
+ session->snd_model_size = p_info->param_size + offset;
+
+ session->snd_model_data = vzalloc(session->snd_model_size);
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-5860/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-5860/3.18/0002.patch
new file mode 100644
index 00000000..5b3d26f9
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-5860/3.18/0002.patch
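Review bot: The new guard in `msm_cpe_lsm_reg_model()` stops `p_info->param_size + offset` from wrapping, but it still lets a caller-supplied `param_size` just below `U32_MAX` reach `vzalloc(session->snd_model_size)`. An upper bound on the model size would turn a request for several gigabytes of kernel virtual memory into a clean `-EINVAL`; the page shows no such limit, so it would need a driver-defined maximum (placeholder name `<MAX_SND_MODEL_SIZE>`, not taken from the source). `dev_err` also prints `param_size` with `%d`; if the field is unsigned, as the `U32_MAX` comparison suggests, `%u` is the matching specifier. The identical hunk in `CVE-2016-5860/3.18/0002.patch` has both points, and the function continues outside the hunk.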
@@ -0,0 +1,36 @@
+From 9bcf048a7d1a8a0511feb39d6d3111044e6278ec Mon Sep 17 00:00:00 2001
+From: Karthik Reddy Katta
+Date: Wed, 28 Dec 2016 11:24:33 +0530
+Subject: drivers: soc: qcom: Add overflow check for sound model size
+
+Overflow check is added for sound model size to prevent
+heap overflow while allocating memory for sound model data.
+
+CRs-Fixed: 1100682
+Change-Id: Id38523a5e79028c692670e84d5fe924a855a5a10
+Signed-off-by: Karthik Reddy Katta
+---
+ sound/soc/msm/msm-cpe-lsm.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/sound/soc/msm/msm-cpe-lsm.c b/sound/soc/msm/msm-cpe-lsm.c
+index 6483b93..0c10829 100644
+--- a/sound/soc/msm/msm-cpe-lsm.c
++++ b/sound/soc/msm/msm-cpe-lsm.c
+@@ -1874,6 +1874,13 @@ static int msm_cpe_lsm_reg_model(struct snd_pcm_substream *substream,
+
+ lsm_ops->lsm_get_snd_model_offset(cpe->core_handle,
+ session, &offset);
++ /* Check if 'p_info->param_size + offset' crosses U32_MAX. */
++ if (p_info->param_size > U32_MAX - offset) {
++ dev_err(rtd->dev,
++ "%s: Invalid param_size %d\n",
++ __func__, p_info->param_size);
++ return -EINVAL;
++ }
+ session->snd_model_size = p_info->param_size + offset;
+
+ session->snd_model_data = vzalloc(session->snd_model_size);
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-5860/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5860/4.4/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5860/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-5860/4.4/0003.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-5861/3.10/2.patch b/Patches/Linux_CVEs/CVE-2016-5861/3.10/2.patch
deleted file mode 100644
index 912d44a7..00000000
--- a/Patches/Linux_CVEs/CVE-2016-5861/3.10/2.patch
+++ /dev/null
@@ -1,78 +0,0 @@ -From bfc6eee5e30a0c20bc37495233506f4f0cc4991d Mon Sep 17 00:00:00 2001 -From: Ping Li -Date: Thu, 3 Oct 2013 20:01:52 -0400 -Subject: msm: mdss: Replace the size check for gamut LUTs - -Add more reliable size check for gamut LUTs to prevent potential -security issues such as information leak. - -Change-Id: I32be41a2612a100b9ba6167737c2f8778f720fa2 -Signed-off-by: Ping Li ---- - drivers/video/msm/mdss/mdss_mdp_pp.c | 33 +++++++++++++++++++++++++++++---- - 1 file changed, 29 insertions(+), 4 deletions(-) - -diff --git a/drivers/video/msm/mdss/mdss_mdp_pp.c b/drivers/video/msm/mdss/mdss_mdp_pp.c -index ed95030..1d8430e 100644 ---- a/drivers/video/msm/mdss/mdss_mdp_pp.c -+++ b/drivers/video/msm/mdss/mdss_mdp_pp.c -@@ -295,6 +295,10 @@ static void pp_update_argc_lut(char __iomem *addr, - struct mdp_pgc_lut_data *config); - static void pp_update_hist_lut(char __iomem *base, - struct mdp_hist_lut_data *cfg); -+static int pp_gm_has_invalid_lut_size(struct mdp_gamut_cfg_data *config); -+static void pp_gamut_config(struct mdp_gamut_cfg_data *gamut_cfg, -+ char __iomem *base, -+ struct pp_sts_type *pp_sts); - static void pp_pa_config(unsigned long flags, char __iomem *addr, - struct pp_sts_type *pp_sts, - struct mdp_pa_cfg *pa_config); -@@ -2086,10 +2090,32 @@ int mdss_mdp_dither_config(struct mdp_dither_cfg_data *config, - return 0; - } - -+static int pp_gm_has_invalid_lut_size(struct mdp_gamut_cfg_data *config) -+{ -+ if (config->tbl_size[0] != GAMUT_T0_SIZE) -+ return -EINVAL; -+ if (config->tbl_size[1] != GAMUT_T1_SIZE) -+ return -EINVAL; -+ if (config->tbl_size[2] != GAMUT_T2_SIZE) -+ return -EINVAL; -+ if (config->tbl_size[3] != GAMUT_T3_SIZE) -+ return -EINVAL; -+ if (config->tbl_size[4] != GAMUT_T4_SIZE) -+ return -EINVAL; -+ if (config->tbl_size[5] != GAMUT_T5_SIZE) -+ return -EINVAL; -+ if (config->tbl_size[6] != GAMUT_T6_SIZE) -+ return -EINVAL; -+ if (config->tbl_size[7] != GAMUT_T7_SIZE) -+ return -EINVAL; -+ -+ return 0; -+} -+ - int 
mdss_mdp_gamut_config(struct mdp_gamut_cfg_data *config, - u32 *copyback) - { -- int i, j, size_total = 0, ret = 0; -+ int i, j, ret = 0; - - u32 disp_num, dspp_num = 0; - uint16_t *tbl_off; -@@ -2102,9 +2128,8 @@ int mdss_mdp_gamut_config(struct mdp_gamut_cfg_data *config, - if ((config->block < MDP_LOGICAL_BLOCK_DISP_0) || - (config->block >= MDP_BLOCK_MAX)) - return -EINVAL; -- for (i = 0; i < MDP_GAMUT_TABLE_NUM; i++) -- size_total += config->tbl_size[i]; -- if (size_total != GAMUT_TOTAL_TABLE_SIZE) -+ -+ if (pp_gm_has_invalid_lut_size(config)) - return -EINVAL; - - mutex_lock(&mdss_pp_mutex); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-5861/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5861/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-5861/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-5861/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-5861/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-5861/ANY/1.patch deleted file mode 100644 index ae7652aa..00000000 --- a/Patches/Linux_CVEs/CVE-2016-5861/ANY/1.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 17b37501db36fb1723e31ea17961b66df7432fc7 Mon Sep 17 00:00:00 2001 -From: Ping Li -Date: Tue, 3 Jan 2017 13:19:32 -0800 -Subject: msm: mdss: Add sanity check for Gamut LUT size - -The Gamut LUT size passed from user space needs to go through -a sanity check to avoid heap overflow. This patch adds the missing -sanity check in the Gamut LUT config write path. - -Change-Id: I365938e06dbc6ca01961c9be01db10a5a9c863e4 -Signed-off-by: Ping Li ---- - drivers/video/msm/mdss/mdss_mdp_pp.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/video/msm/mdss/mdss_mdp_pp.c b/drivers/video/msm/mdss/mdss_mdp_pp.c -index 3960595..029fad1 100644 ---- a/drivers/video/msm/mdss/mdss_mdp_pp.c -+++ b/drivers/video/msm/mdss/mdss_mdp_pp.c -@@ -4671,6 +4671,11 @@ gamut_clk_off: - goto gamut_set_dirty; - } - } -+ if (pp_gm_has_invalid_lut_size(config)) { -+ pr_err("invalid lut size for gamut\n"); -+ ret = -EINVAL; -+ goto gamut_config_exit; -+ } - local_cfg = *config; - tbl_off = mdss_pp_res->gamut_tbl[disp_num]; - for (i = 0; i < MDP_GAMUT_TABLE_NUM; i++) { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-5862/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5862/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-5862/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-5862/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-5863/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5863/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-5863/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-5863/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-5864/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5864/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-5864/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-5864/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-5867/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-5867/3.10/0001.patch new file mode 100644 index 00000000..fd845599 
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-5867/3.10/0001.patch
@@ -0,0 +1,51 @@
+From 8db70aafea51b60dbe9faaba5707be0046758521 Mon Sep 17 00:00:00 2001
+From: Sharad Sangle
+Date: Mon, 19 Dec 2016 17:00:25 +0530
+Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
+
+To avoid buffer overflow, validate input length used to
+set Dolby params.
+
+Change-Id: I3f9d6040f118f63b60c20c83b0d8cae638f4a530
+CRs-Fixed: 1095947
+Signed-off-by: Sharad Sangle
+---
+ sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
+index bb0f890..493daf4 100644
+--- a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
++++ b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
+@@ -677,7 +677,7 @@ int msm_dolby_dap_param_to_set_control_put(struct snd_kcontrol *kcontrol,
+ struct snd_ctl_elem_value *ucontrol)
+ {
+ int rc = 0, port_id, copp_idx;
+- uint32_t idx, j;
++ uint32_t idx, j, current_offset;
+ uint32_t device = ucontrol->value.integer.value[0];
+ uint32_t param_id = ucontrol->value.integer.value[1];
+ uint32_t offset = ucontrol->value.integer.value[2];
+@@ -754,6 +754,19 @@ int msm_dolby_dap_param_to_set_control_put(struct snd_kcontrol *kcontrol,
+ default: {
+ /* cache the parameters */
+ dolby_dap_params_modified[idx] += 1;
++ current_offset = dolby_dap_params_offset[idx] + offset;
++ if (current_offset >= TOTAL_LENGTH_DOLBY_PARAM) {
++ pr_err("%s: invalid offset %d at idx %d\n",
++ __func__, offset, idx);
++ return -EINVAL;
++ }
++ if ((0 == length) || (current_offset + length - 1
++ < current_offset) || (current_offset + length
++ > TOTAL_LENGTH_DOLBY_PARAM)) {
++ pr_err("%s: invalid length %d at idx %d\n",
++ __func__, length, idx);
++ return -EINVAL;
++ }
+ dolby_dap_params_length[idx] = length;
+ pr_debug("%s: param recvd deviceId=0x%x paramId=0x%x offset=%d length=%d\n",
+ __func__, device, param_id, offset, length);
+--
+cgit v1.1
+
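Review bot: In the `default:` branch of `msm_dolby_dap_param_to_set_control_put`, `dolby_dap_params_modified[idx] += 1;` still runs before the new offset and length checks, so a request rejected with `-EINVAL` leaves that counter bumped; moving the increment below the two checks would keep the cached state untouched on invalid input. `current_offset = dolby_dap_params_offset[idx] + offset;` is a `uint32_t` sum with a caller-supplied `offset`, so it can wrap to a small value before the `>= TOTAL_LENGTH_DOLBY_PARAM` comparison; testing `offset >= TOTAL_LENGTH_DOLBY_PARAM - dolby_dap_params_offset[idx]` first would avoid that, assuming every table offset is below the total length. The function body continues outside both embedded hunks, so how the later store indexes the cache, and whether `length` is also bounded by the size of the `ucontrol` value array, cannot be confirmed from here. The 4.4 copy (CVE-2016-5867/4.4/0003.patch) has the same ordering.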
diff --git a/Patches/Linux_CVEs/CVE-2016-5867/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5867/3.18/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-5867/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-5867/3.18/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-5867/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2016-5867/4.4/0003.patch
new file mode 100644
index 00000000..ec36d15d
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-5867/4.4/0003.patch
@@ -0,0 +1,51 @@
+From 5e3dd3f21b44424405a009ba676df52322d9e7cf Mon Sep 17 00:00:00 2001
+From: Sharad Sangle
+Date: Mon, 19 Dec 2016 17:00:25 +0530
+Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
+
+To avoid buffer overflow, validate input length used to
+set Dolby params.
+
+Change-Id: I3f9d6040f118f63b60c20c83b0d8cae638f4a530
+CRs-Fixed: 1095947
+Signed-off-by: Sharad Sangle
+---
+ sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
+index df32ede..8da75d7 100644
+--- a/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
++++ b/sound/soc/msm/qdsp6v2/msm-dolby-dap-config.c
+@@ -681,7 +681,7 @@ int msm_dolby_dap_param_to_set_control_put(struct snd_kcontrol *kcontrol,
+ struct snd_ctl_elem_value *ucontrol)
+ {
+ int rc = 0, port_id, copp_idx;
+- uint32_t idx, j;
++ uint32_t idx, j, current_offset;
+ uint32_t device = ucontrol->value.integer.value[0];
+ uint32_t param_id = ucontrol->value.integer.value[1];
+ uint32_t offset = ucontrol->value.integer.value[2];
+@@ -758,6 +758,19 @@ int msm_dolby_dap_param_to_set_control_put(struct snd_kcontrol *kcontrol,
+ default: {
+ /* cache the parameters */
+ dolby_dap_params_modified[idx] += 1;
++ current_offset = dolby_dap_params_offset[idx] + offset;
++ if (current_offset >= TOTAL_LENGTH_DOLBY_PARAM) {
++ pr_err("%s: invalid offset %d at idx %d\n",
++ __func__, offset, idx);
++ return -EINVAL;
++ }
++ if ((length == 0) || (current_offset + length - 1
++ < current_offset) || (current_offset + length
++ > TOTAL_LENGTH_DOLBY_PARAM)) {
++ pr_err("%s: invalid length %d at idx %d\n",
++ __func__, length, idx);
++ return -EINVAL;
++ }
+ dolby_dap_params_length[idx] = length;
+ pr_debug("%s: param recvd deviceId=0x%x paramId=0x%x offset=%d length=%d\n",
+ __func__, device, param_id, offset, length);
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-5868/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2016-5868/3.10/0001.patch
new file mode 100644
index 00000000..c78fd7d3
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-5868/3.10/0001.patch
@@ -0,0 +1,525 @@ +From dc85dc0b21b1ee3715ee6e80f405d5606ca5e8d2 Mon Sep 17 00:00:00 2001 +From: Ghanim Fodi +Date: Tue, 3 Jan 2017 12:11:18 +0200 +Subject: msm: rndis_ipa: Remove rndis_ipa loopback functionality + +Rndis_ipa loopback functionality at rndis_ipa driver +is a debug functionality that is not used. + +Change-Id: Ibbcb26d3871cffeb46b028efcf4d428e88eb9e10 +CRs-fixed: 1104431 +Signed-off-by: Ghanim Fodi +--- + drivers/net/ethernet/msm/rndis_ipa.c | 432 +---------------------------------- + 1 file changed, 1 insertion(+), 431 deletions(-) + +diff --git a/drivers/net/ethernet/msm/rndis_ipa.c b/drivers/net/ethernet/msm/rndis_ipa.c +index 09b85fb..c61e2a7 100644 +--- a/drivers/net/ethernet/msm/rndis_ipa.c ++++ b/drivers/net/ethernet/msm/rndis_ipa.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2013-2015, 2017 The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -132,29 +132,6 @@ enum rndis_ipa_operation { + RNDIS_IPA_DEBUG("Driver state: %s\n",\ + rndis_ipa_state_string(ctx->state)); + +-/** +- * struct rndis_loopback_pipe - hold all information needed for +- * pipe loopback logic +- */ +-struct rndis_loopback_pipe { +- struct sps_pipe *ipa_sps; +- struct ipa_sps_params ipa_sps_connect; +- struct ipa_connect_params ipa_connect_params; +- +- struct sps_pipe *dma_sps; +- struct sps_connect dma_connect; +- +- struct sps_alloc_dma_chan dst_alloc; +- struct sps_dma_chan ipa_sps_channel; +- enum sps_mode mode; +- u32 ipa_peer_bam_hdl; +- u32 peer_pipe_index; +- u32 ipa_drv_ep_hdl; +- u32 ipa_pipe_index; +- enum ipa_client_type ipa_client; +- ipa_notify_cb ipa_callback; +- struct ipa_ep_cfg *ipa_ep_cfg; +-}; + + /** + * struct rndis_ipa_dev - main driver context parameters +@@ -169,13 +146,9 @@ struct rndis_loopback_pipe { + * @rx_dump_enable: dump all Rx packets + 
* @icmp_filter: allow all ICMP packet to pass through the filters + * @rm_enable: flag that enable/disable Resource manager request prior to Tx +- * @loopback_enable: flag that enable/disable USB stub loopback + * @deaggregation_enable: enable/disable IPA HW deaggregation logic + * @during_xmit_error: flags that indicate that the driver is in a middle + * of error handling in Tx path +- * @usb_to_ipa_loopback_pipe: usb to ipa (Rx) pipe representation for loopback +- * @ipa_to_usb_loopback_pipe: ipa to usb (Tx) pipe representation for loopback +- * @bam_dma_hdl: handle representing bam-dma, used for loopback logic + * @directory: holds all debug flags used by the driver to allow cleanup + * for driver unload + * @eth_ipv4_hdr_hdl: saved handle for ipv4 header-insertion table +@@ -205,12 +178,8 @@ struct rndis_ipa_dev { + u32 rx_dump_enable; + u32 icmp_filter; + u32 rm_enable; +- bool loopback_enable; + u32 deaggregation_enable; + u32 during_xmit_error; +- struct rndis_loopback_pipe usb_to_ipa_loopback_pipe; +- struct rndis_loopback_pipe ipa_to_usb_loopback_pipe; +- u32 bam_dma_hdl; + struct dentry *directory; + uint32_t eth_ipv4_hdr_hdl; + uint32_t eth_ipv6_hdr_hdl; +@@ -274,31 +243,12 @@ static int resource_request(struct rndis_ipa_dev *rndis_ipa_ctx); + static void resource_release(struct rndis_ipa_dev *rndis_ipa_ctx); + static netdev_tx_t rndis_ipa_start_xmit(struct sk_buff *skb, + struct net_device *net); +-static int rndis_ipa_loopback_pipe_create( +- struct rndis_ipa_dev *rndis_ipa_ctx, +- struct rndis_loopback_pipe *loopback_pipe); +-static void rndis_ipa_destroy_loopback_pipe( +- struct rndis_loopback_pipe *loopback_pipe); +-static int rndis_ipa_create_loopback(struct rndis_ipa_dev *rndis_ipa_ctx); +-static void rndis_ipa_destroy_loopback(struct rndis_ipa_dev *rndis_ipa_ctx); +-static int rndis_ipa_setup_loopback(bool enable, +- struct rndis_ipa_dev *rndis_ipa_ctx); +-static int rndis_ipa_debugfs_loopback_open(struct inode *inode, +- struct file *file); + 
static int rndis_ipa_debugfs_atomic_open(struct inode *inode, + struct file *file); + static int rndis_ipa_debugfs_aggr_open(struct inode *inode, + struct file *file); + static ssize_t rndis_ipa_debugfs_aggr_write(struct file *file, + const char __user *buf, size_t count, loff_t *ppos); +-static ssize_t rndis_ipa_debugfs_loopback_write(struct file *file, +- const char __user *buf, size_t count, loff_t *ppos); +-static ssize_t rndis_ipa_debugfs_enable_write(struct file *file, +- const char __user *buf, size_t count, loff_t *ppos); +-static ssize_t rndis_ipa_debugfs_enable_read(struct file *file, +- char __user *ubuf, size_t count, loff_t *ppos); +-static ssize_t rndis_ipa_debugfs_loopback_read(struct file *file, +- char __user *ubuf, size_t count, loff_t *ppos); + static ssize_t rndis_ipa_debugfs_atomic_read(struct file *file, + char __user *ubuf, size_t count, loff_t *ppos); + static void rndis_ipa_dump_skb(struct sk_buff *skb); +@@ -333,12 +283,6 @@ const struct file_operations rndis_ipa_debugfs_atomic_ops = { + .read = rndis_ipa_debugfs_atomic_read, + }; + +-const struct file_operations rndis_ipa_loopback_ops = { +- .open = rndis_ipa_debugfs_loopback_open, +- .read = rndis_ipa_debugfs_loopback_read, +- .write = rndis_ipa_debugfs_loopback_write, +-}; +- + const struct file_operations rndis_ipa_aggr_ops = { + .open = rndis_ipa_debugfs_aggr_open, + .write = rndis_ipa_debugfs_aggr_write, +@@ -2188,14 +2132,6 @@ static int rndis_ipa_debugfs_init(struct rndis_ipa_dev *rndis_ipa_ctx) + goto fail_file; + } + +- file = debugfs_create_file("loopback_enable", flags_read_write, +- rndis_ipa_ctx->directory, +- rndis_ipa_ctx, &rndis_ipa_loopback_ops); +- if (!file) { +- RNDIS_IPA_ERROR("could not create outstanding file\n"); +- goto fail_file; +- } +- + file = debugfs_create_u8("state", flags_read_only, + rndis_ipa_ctx->directory, (u8 *)&rndis_ipa_ctx->state); + if (!file) { +@@ -2351,59 +2287,6 @@ static ssize_t rndis_ipa_debugfs_aggr_write(struct file *file, + return count; 
+ } + +-static int rndis_ipa_debugfs_loopback_open(struct inode *inode, +- struct file *file) +-{ +- struct rndis_ipa_dev *rndis_ipa_ctx = inode->i_private; +- file->private_data = rndis_ipa_ctx; +- +- return 0; +-} +- +-static ssize_t rndis_ipa_debugfs_loopback_read(struct file *file, +- char __user *ubuf, size_t count, loff_t *ppos) +-{ +- int cnt; +- struct rndis_ipa_dev *rndis_ipa_ctx = file->private_data; +- +- file->private_data = &rndis_ipa_ctx->loopback_enable; +- +- cnt = rndis_ipa_debugfs_enable_read(file, +- ubuf, count, ppos); +- +- return cnt; +-} +- +-static ssize_t rndis_ipa_debugfs_loopback_write(struct file *file, +- const char __user *buf, size_t count, loff_t *ppos) +-{ +- int retval; +- int cnt; +- struct rndis_ipa_dev *rndis_ipa_ctx = file->private_data; +- bool old_state = rndis_ipa_ctx->loopback_enable; +- +- file->private_data = &rndis_ipa_ctx->loopback_enable; +- +- cnt = rndis_ipa_debugfs_enable_write(file, +- buf, count, ppos); +- +- RNDIS_IPA_DEBUG("loopback_enable was set to:%d->%d\n", +- old_state, rndis_ipa_ctx->loopback_enable); +- +- if (old_state == rndis_ipa_ctx->loopback_enable) { +- RNDIS_IPA_ERROR("NOP - same state\n"); +- return cnt; +- } +- +- retval = rndis_ipa_setup_loopback( +- rndis_ipa_ctx->loopback_enable, +- rndis_ipa_ctx); +- if (retval) +- rndis_ipa_ctx->loopback_enable = old_state; +- +- return cnt; +-} +- + static int rndis_ipa_debugfs_atomic_open(struct inode *inode, struct file *file) + { + struct rndis_ipa_dev *rndis_ipa_ctx = inode->i_private; +@@ -2434,319 +2317,6 @@ static ssize_t rndis_ipa_debugfs_atomic_read(struct file *file, + return simple_read_from_buffer(ubuf, count, ppos, atomic_str, nbytes); + } + +-static ssize_t rndis_ipa_debugfs_enable_read(struct file *file, +- char __user *ubuf, size_t count, loff_t *ppos) +-{ +- int nbytes; +- int size = 0; +- int ret; +- loff_t pos; +- u8 enable_str[sizeof(char)*3] = {0}; +- bool *enable = file->private_data; +- pos = *ppos; +- nbytes = scnprintf(enable_str, 
sizeof(enable_str), "%d\n", *enable); +- ret = simple_read_from_buffer(ubuf, count, ppos, enable_str, nbytes); +- if (ret < 0) { +- RNDIS_IPA_ERROR("simple_read_from_buffer problem\n"); +- return ret; +- } +- size += ret; +- count -= nbytes; +- *ppos = pos + size; +- return size; +-} +- +-static ssize_t rndis_ipa_debugfs_enable_write(struct file *file, +- const char __user *buf, size_t count, loff_t *ppos) +-{ +- unsigned long missing; +- char input; +- bool *enable = file->private_data; +- if (count != sizeof(input) + 1) { +- RNDIS_IPA_ERROR("wrong input length(%zd)\n", count); +- return -EINVAL; +- } +- if (!buf) { +- RNDIS_IPA_ERROR("Bad argument\n"); +- return -EINVAL; +- } +- missing = copy_from_user(&input, buf, 1); +- if (missing) +- return -EFAULT; +- RNDIS_IPA_DEBUG("input received %c\n", input); +- *enable = input - '0'; +- RNDIS_IPA_DEBUG("value was set to %d\n", *enable); +- return count; +-} +- +-/** +- * Connects IPA->BAMDMA +- * This shall simulate the path from IPA to USB +- * Allowing the driver TX path +- */ +-static int rndis_ipa_loopback_pipe_create( +- struct rndis_ipa_dev *rndis_ipa_ctx, +- struct rndis_loopback_pipe *loopback_pipe) +-{ +- int retval; +- +- RNDIS_IPA_LOG_ENTRY(); +- +- /* SPS pipe has two side handshake +- * This is the first handshake of IPA->BAMDMA, +- * This is the IPA side +- */ +- loopback_pipe->ipa_connect_params.client = loopback_pipe->ipa_client; +- loopback_pipe->ipa_connect_params.client_bam_hdl = +- rndis_ipa_ctx->bam_dma_hdl; +- loopback_pipe->ipa_connect_params.client_ep_idx = +- loopback_pipe->peer_pipe_index; +- loopback_pipe->ipa_connect_params.desc_fifo_sz = BAM_DMA_DESC_FIFO_SIZE; +- loopback_pipe->ipa_connect_params.data_fifo_sz = BAM_DMA_DATA_FIFO_SIZE; +- loopback_pipe->ipa_connect_params.notify = loopback_pipe->ipa_callback; +- loopback_pipe->ipa_connect_params.priv = rndis_ipa_ctx; +- loopback_pipe->ipa_connect_params.ipa_ep_cfg = +- *(loopback_pipe->ipa_ep_cfg); +- +- /* loopback_pipe->ipa_sps_connect 
is out param */ +- retval = ipa_connect(&loopback_pipe->ipa_connect_params, +- &loopback_pipe->ipa_sps_connect, +- &loopback_pipe->ipa_drv_ep_hdl); +- if (retval) { +- RNDIS_IPA_ERROR("ipa_connect() fail (%d)", retval); +- return retval; +- } +- RNDIS_IPA_DEBUG("ipa_connect() succeeded, ipa_drv_ep_hdl=%d", +- loopback_pipe->ipa_drv_ep_hdl); +- +- /* SPS pipe has two side handshake +- * This is the second handshake of IPA->BAMDMA, +- * This is the BAMDMA side +- */ +- loopback_pipe->dma_sps = sps_alloc_endpoint(); +- if (!loopback_pipe->dma_sps) { +- RNDIS_IPA_ERROR("sps_alloc_endpoint() failed "); +- retval = -ENOMEM; +- goto fail_sps_alloc; +- } +- +- retval = sps_get_config(loopback_pipe->dma_sps, +- &loopback_pipe->dma_connect); +- if (retval) { +- RNDIS_IPA_ERROR("sps_get_config() failed (%d)", retval); +- goto fail_get_cfg; +- } +- +- /* Start setting the non IPA ep for SPS driver*/ +- loopback_pipe->dma_connect.mode = loopback_pipe->mode; +- +- /* SPS_MODE_DEST: DMA end point is the dest (consumer) IPA->DMA */ +- if (loopback_pipe->mode == SPS_MODE_DEST) { +- +- loopback_pipe->dma_connect.source = +- loopback_pipe->ipa_sps_connect.ipa_bam_hdl; +- loopback_pipe->dma_connect.src_pipe_index = +- loopback_pipe->ipa_sps_connect.ipa_ep_idx; +- loopback_pipe->dma_connect.destination = +- rndis_ipa_ctx->bam_dma_hdl; +- loopback_pipe->dma_connect.dest_pipe_index = +- loopback_pipe->peer_pipe_index; +- +- /* SPS_MODE_SRC: DMA end point is the source (producer) DMA->IPA */ +- } else { +- +- loopback_pipe->dma_connect.source = +- rndis_ipa_ctx->bam_dma_hdl; +- loopback_pipe->dma_connect.src_pipe_index = +- loopback_pipe->peer_pipe_index; +- loopback_pipe->dma_connect.destination = +- loopback_pipe->ipa_sps_connect.ipa_bam_hdl; +- loopback_pipe->dma_connect.dest_pipe_index = +- loopback_pipe->ipa_sps_connect.ipa_ep_idx; +- +- } +- +- loopback_pipe->dma_connect.desc = loopback_pipe->ipa_sps_connect.desc; +- loopback_pipe->dma_connect.data = 
loopback_pipe->ipa_sps_connect.data; +- loopback_pipe->dma_connect.event_thresh = 0x10; +- /* BAM-to-BAM */ +- loopback_pipe->dma_connect.options = SPS_O_AUTO_ENABLE; +- +- RNDIS_IPA_DEBUG("doing sps_connect() with - "); +- RNDIS_IPA_DEBUG("src bam_hdl:0x%lx, src_pipe#:%d", +- loopback_pipe->dma_connect.source, +- loopback_pipe->dma_connect.src_pipe_index); +- RNDIS_IPA_DEBUG("dst bam_hdl:0x%lx, dst_pipe#:%d", +- loopback_pipe->dma_connect.destination, +- loopback_pipe->dma_connect.dest_pipe_index); +- +- retval = sps_connect(loopback_pipe->dma_sps, +- &loopback_pipe->dma_connect); +- if (retval) { +- RNDIS_IPA_ERROR("sps_connect() fail for BAMDMA side (%d)", +- retval); +- goto fail_sps_connect; +- } +- +- RNDIS_IPA_LOG_EXIT(); +- +- return 0; +- +-fail_sps_connect: +-fail_get_cfg: +- sps_free_endpoint(loopback_pipe->dma_sps); +-fail_sps_alloc: +- ipa_disconnect(loopback_pipe->ipa_drv_ep_hdl); +- return retval; +-} +- +-static void rndis_ipa_destroy_loopback_pipe( +- struct rndis_loopback_pipe *loopback_pipe) +-{ +- sps_disconnect(loopback_pipe->dma_sps); +- sps_free_endpoint(loopback_pipe->dma_sps); +-} +- +-/** +- * rndis_ipa_create_loopback() - create a BAM-DMA loopback +- * in order to replace the USB core +- */ +-static int rndis_ipa_create_loopback(struct rndis_ipa_dev *rndis_ipa_ctx) +-{ +- /* The BAM handle should be use as +- * source/destination in the sps_connect() +- */ +- int retval; +- +- RNDIS_IPA_LOG_ENTRY(); +- +- +- retval = sps_ctrl_bam_dma_clk(true); +- if (retval) { +- RNDIS_IPA_ERROR("fail on enabling BAM-DMA clocks"); +- return -ENODEV; +- } +- +- /* Get BAM handle instead of USB handle */ +- rndis_ipa_ctx->bam_dma_hdl = sps_dma_get_bam_handle(); +- if (!rndis_ipa_ctx->bam_dma_hdl) { +- RNDIS_IPA_ERROR("sps_dma_get_bam_handle() failed"); +- return -ENODEV; +- } +- RNDIS_IPA_DEBUG("sps_dma_get_bam_handle() succeeded (0x%x)", +- rndis_ipa_ctx->bam_dma_hdl); +- +- /* IPA<-BAMDMA, NetDev Rx path (BAMDMA is the USB stub) */ +- 
rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_client = +- IPA_CLIENT_USB_PROD; +- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.peer_pipe_index = +- FROM_USB_TO_IPA_BAMDMA; +- /*DMA EP mode*/ +- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.mode = SPS_MODE_SRC; +- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_ep_cfg = +- &usb_to_ipa_ep_cfg_deaggr_en; +- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_callback = +- rndis_ipa_packet_receive_notify; +- RNDIS_IPA_DEBUG("setting up IPA<-BAMDAM pipe (RNDIS_IPA RX path)"); +- retval = rndis_ipa_loopback_pipe_create(rndis_ipa_ctx, +- &rndis_ipa_ctx->usb_to_ipa_loopback_pipe); +- if (retval) { +- RNDIS_IPA_ERROR("fail to close IPA->BAMDAM pipe"); +- goto fail_to_usb; +- } +- RNDIS_IPA_DEBUG("IPA->BAMDAM pipe successfully connected (TX path)"); +- +- /* IPA->BAMDMA, NetDev Tx path (BAMDMA is the USB stub)*/ +- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_client = +- IPA_CLIENT_USB_CONS; +- /*DMA EP mode*/ +- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.mode = SPS_MODE_DEST; +- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_ep_cfg = &ipa_to_usb_ep_cfg; +- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.peer_pipe_index = +- FROM_IPA_TO_USB_BAMDMA; +- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_callback = +- rndis_ipa_tx_complete_notify; +- RNDIS_IPA_DEBUG("setting up IPA->BAMDAM pipe (RNDIS_IPA TX path)"); +- retval = rndis_ipa_loopback_pipe_create(rndis_ipa_ctx, +- &rndis_ipa_ctx->ipa_to_usb_loopback_pipe); +- if (retval) { +- RNDIS_IPA_ERROR("fail to close IPA<-BAMDAM pipe"); +- goto fail_from_usb; +- } +- RNDIS_IPA_DEBUG("IPA<-BAMDAM pipe successfully connected(RX path)"); +- +- RNDIS_IPA_LOG_EXIT(); +- +- return 0; +- +-fail_from_usb: +- rndis_ipa_destroy_loopback_pipe( +- &rndis_ipa_ctx->usb_to_ipa_loopback_pipe); +-fail_to_usb: +- +- return retval; +-} +- +-static void rndis_ipa_destroy_loopback(struct rndis_ipa_dev *rndis_ipa_ctx) +-{ +- rndis_ipa_destroy_loopback_pipe( +- &rndis_ipa_ctx->ipa_to_usb_loopback_pipe); +- rndis_ipa_destroy_loopback_pipe( +- 
&rndis_ipa_ctx->usb_to_ipa_loopback_pipe); +- sps_dma_free_bam_handle(rndis_ipa_ctx->bam_dma_hdl); +- if (sps_ctrl_bam_dma_clk(false)) +- RNDIS_IPA_ERROR("fail to disable BAM-DMA clocks"); +-} +- +-/** +- * rndis_ipa_setup_loopback() - create/destroy a loopback on IPA HW +- * (as USB pipes loopback) and notify RNDIS_IPA netdev for pipe connected +- * @enable: flag that determines if the loopback should be created or destroyed +- * @rndis_ipa_ctx: driver main context +- * +- * This function is the main loopback logic. +- * It shall create/destory the loopback by using BAM-DMA and notify +- * the netdev accordingly. +- */ +-static int rndis_ipa_setup_loopback(bool enable, +- struct rndis_ipa_dev *rndis_ipa_ctx) +-{ +- int retval; +- +- if (!enable) { +- rndis_ipa_destroy_loopback(rndis_ipa_ctx); +- RNDIS_IPA_DEBUG("loopback destroy done"); +- retval = rndis_ipa_pipe_disconnect_notify(rndis_ipa_ctx); +- if (retval) { +- RNDIS_IPA_ERROR("connect notify fail"); +- return -ENODEV; +- } +- return 0; +- } +- +- RNDIS_IPA_DEBUG("creating loopback (instead of USB core)"); +- retval = rndis_ipa_create_loopback(rndis_ipa_ctx); +- RNDIS_IPA_DEBUG("creating loopback- %s", (retval ? "FAIL" : "OK")); +- if (retval) { +- RNDIS_IPA_ERROR("Fail to connect loopback"); +- return -ENODEV; +- } +- retval = rndis_ipa_pipe_connect_notify( +- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_drv_ep_hdl, +- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_drv_ep_hdl, +- BAM_DMA_DATA_FIFO_SIZE, +- 15, +- BAM_DMA_DATA_FIFO_SIZE - rndis_ipa_ctx->net->mtu, +- rndis_ipa_ctx); +- if (retval) { +- RNDIS_IPA_ERROR("connect notify fail"); +- return -ENODEV; +- } +- +- return 0; +- +-} +- + static int rndis_ipa_init_module(void) + { + pr_info("RNDIS_IPA module is loaded."); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-5868/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-5868/3.18/0002.patch new file mode 100644 index 00000000..df9b3317 --- /dev/null 
+++ b/Patches/Linux_CVEs/CVE-2016-5868/3.18/0002.patch 
@@ -0,0 +1,519 @@ +From 0ada77c044be09db1a35e4718209f41d05d27fe0 Mon Sep 17 00:00:00 2001 +From: Ghanim Fodi +Date: Tue, 27 Dec 2016 13:32:35 +0200 +Subject: msm: rndis_ipa: Remove rndis_ipa loopback functionality + +Rndis_ipa loopback functionality at rndis_ipa driver +is a debug functionality that is not used. + +Change-Id: Ibbcb26d3871cffeb46b028efcf4d428e88eb9e10 +CRs-fixed: 1104431 +Signed-off-by: Ghanim Fodi +--- + drivers/net/ethernet/msm/rndis_ipa.c | 430 ----------------------------------- + 1 file changed, 430 deletions(-) + +diff --git a/drivers/net/ethernet/msm/rndis_ipa.c b/drivers/net/ethernet/msm/rndis_ipa.c +index e411693..179e708 100644 +--- a/drivers/net/ethernet/msm/rndis_ipa.c ++++ b/drivers/net/ethernet/msm/rndis_ipa.c +@@ -135,29 +135,6 @@ enum rndis_ipa_operation { + RNDIS_IPA_DEBUG("Driver state: %s\n",\ + rndis_ipa_state_string(ctx->state)); + +-/** +- * struct rndis_loopback_pipe - hold all information needed for +- * pipe loopback logic +- */ +-struct rndis_loopback_pipe { +- struct sps_pipe *ipa_sps; +- struct ipa_sps_params ipa_sps_connect; +- struct ipa_connect_params ipa_connect_params; +- +- struct sps_pipe *dma_sps; +- struct sps_connect dma_connect; +- +- struct sps_alloc_dma_chan dst_alloc; +- struct sps_dma_chan ipa_sps_channel; +- enum sps_mode mode; +- u32 ipa_peer_bam_hdl; +- u32 peer_pipe_index; +- u32 ipa_drv_ep_hdl; +- u32 ipa_pipe_index; +- enum ipa_client_type ipa_client; +- ipa_notify_cb ipa_callback; +- struct ipa_ep_cfg *ipa_ep_cfg; +-}; + + /** + * struct rndis_ipa_dev - main driver context parameters +@@ -172,13 +149,9 @@ struct rndis_loopback_pipe { + * @rx_dump_enable: dump all Rx packets + * @icmp_filter: allow all ICMP packet to pass through the filters + * @rm_enable: flag that enable/disable Resource manager request prior to Tx +- * @loopback_enable: flag that enable/disable USB stub loopback + * @deaggregation_enable: enable/disable IPA HW deaggregation logic + * @during_xmit_error: flags that indicate that 
the driver is in a middle + * of error handling in Tx path +- * @usb_to_ipa_loopback_pipe: usb to ipa (Rx) pipe representation for loopback +- * @ipa_to_usb_loopback_pipe: ipa to usb (Tx) pipe representation for loopback +- * @bam_dma_hdl: handle representing bam-dma, used for loopback logic + * @directory: holds all debug flags used by the driver to allow cleanup + * for driver unload + * @eth_ipv4_hdr_hdl: saved handle for ipv4 header-insertion table +@@ -209,12 +182,8 @@ struct rndis_ipa_dev { + u32 rx_dump_enable; + u32 icmp_filter; + u32 rm_enable; +- bool loopback_enable; + u32 deaggregation_enable; + u32 during_xmit_error; +- struct rndis_loopback_pipe usb_to_ipa_loopback_pipe; +- struct rndis_loopback_pipe ipa_to_usb_loopback_pipe; +- u32 bam_dma_hdl; + struct dentry *directory; + uint32_t eth_ipv4_hdr_hdl; + uint32_t eth_ipv6_hdr_hdl; +@@ -279,31 +248,12 @@ static int resource_request(struct rndis_ipa_dev *rndis_ipa_ctx); + static void resource_release(struct rndis_ipa_dev *rndis_ipa_ctx); + static netdev_tx_t rndis_ipa_start_xmit(struct sk_buff *skb, + struct net_device *net); +-static int rndis_ipa_loopback_pipe_create( +- struct rndis_ipa_dev *rndis_ipa_ctx, +- struct rndis_loopback_pipe *loopback_pipe); +-static void rndis_ipa_destroy_loopback_pipe( +- struct rndis_loopback_pipe *loopback_pipe); +-static int rndis_ipa_create_loopback(struct rndis_ipa_dev *rndis_ipa_ctx); +-static void rndis_ipa_destroy_loopback(struct rndis_ipa_dev *rndis_ipa_ctx); +-static int rndis_ipa_setup_loopback(bool enable, +- struct rndis_ipa_dev *rndis_ipa_ctx); +-static int rndis_ipa_debugfs_loopback_open(struct inode *inode, +- struct file *file); + static int rndis_ipa_debugfs_atomic_open(struct inode *inode, + struct file *file); + static int rndis_ipa_debugfs_aggr_open(struct inode *inode, + struct file *file); + static ssize_t rndis_ipa_debugfs_aggr_write(struct file *file, + const char __user *buf, size_t count, loff_t *ppos); +-static ssize_t 
rndis_ipa_debugfs_loopback_write(struct file *file, +- const char __user *buf, size_t count, loff_t *ppos); +-static ssize_t rndis_ipa_debugfs_enable_write(struct file *file, +- const char __user *buf, size_t count, loff_t *ppos); +-static ssize_t rndis_ipa_debugfs_enable_read(struct file *file, +- char __user *ubuf, size_t count, loff_t *ppos); +-static ssize_t rndis_ipa_debugfs_loopback_read(struct file *file, +- char __user *ubuf, size_t count, loff_t *ppos); + static ssize_t rndis_ipa_debugfs_atomic_read(struct file *file, + char __user *ubuf, size_t count, loff_t *ppos); + static void rndis_ipa_dump_skb(struct sk_buff *skb); +@@ -338,12 +288,6 @@ const struct file_operations rndis_ipa_debugfs_atomic_ops = { + .read = rndis_ipa_debugfs_atomic_read, + }; + +-const struct file_operations rndis_ipa_loopback_ops = { +- .open = rndis_ipa_debugfs_loopback_open, +- .read = rndis_ipa_debugfs_loopback_read, +- .write = rndis_ipa_debugfs_loopback_write, +-}; +- + const struct file_operations rndis_ipa_aggr_ops = { + .open = rndis_ipa_debugfs_aggr_open, + .write = rndis_ipa_debugfs_aggr_write, +@@ -2253,14 +2197,6 @@ static void rndis_ipa_debugfs_init(struct rndis_ipa_dev *rndis_ipa_ctx) + goto fail_file; + } + +- file = debugfs_create_file("loopback_enable", flags_read_write, +- rndis_ipa_ctx->directory, +- rndis_ipa_ctx, &rndis_ipa_loopback_ops); +- if (!file) { +- RNDIS_IPA_ERROR("could not create outstanding file\n"); +- goto fail_file; +- } +- + file = debugfs_create_u8("state", flags_read_only, + rndis_ipa_ctx->directory, (u8 *)&rndis_ipa_ctx->state); + if (!file) { +@@ -2424,59 +2360,6 @@ static ssize_t rndis_ipa_debugfs_aggr_write(struct file *file, + return count; + } + +-static int rndis_ipa_debugfs_loopback_open(struct inode *inode, +- struct file *file) +-{ +- struct rndis_ipa_dev *rndis_ipa_ctx = inode->i_private; +- file->private_data = rndis_ipa_ctx; +- +- return 0; +-} +- +-static ssize_t rndis_ipa_debugfs_loopback_read(struct file *file, +- char __user 
*ubuf, size_t count, loff_t *ppos) +-{ +- int cnt; +- struct rndis_ipa_dev *rndis_ipa_ctx = file->private_data; +- +- file->private_data = &rndis_ipa_ctx->loopback_enable; +- +- cnt = rndis_ipa_debugfs_enable_read(file, +- ubuf, count, ppos); +- +- return cnt; +-} +- +-static ssize_t rndis_ipa_debugfs_loopback_write(struct file *file, +- const char __user *buf, size_t count, loff_t *ppos) +-{ +- int retval; +- int cnt; +- struct rndis_ipa_dev *rndis_ipa_ctx = file->private_data; +- bool old_state = rndis_ipa_ctx->loopback_enable; +- +- file->private_data = &rndis_ipa_ctx->loopback_enable; +- +- cnt = rndis_ipa_debugfs_enable_write(file, +- buf, count, ppos); +- +- RNDIS_IPA_DEBUG("loopback_enable was set to:%d->%d\n", +- old_state, rndis_ipa_ctx->loopback_enable); +- +- if (old_state == rndis_ipa_ctx->loopback_enable) { +- RNDIS_IPA_ERROR("NOP - same state\n"); +- return cnt; +- } +- +- retval = rndis_ipa_setup_loopback( +- rndis_ipa_ctx->loopback_enable, +- rndis_ipa_ctx); +- if (retval) +- rndis_ipa_ctx->loopback_enable = old_state; +- +- return cnt; +-} +- + static int rndis_ipa_debugfs_atomic_open(struct inode *inode, struct file *file) + { + struct rndis_ipa_dev *rndis_ipa_ctx = inode->i_private; +@@ -2507,319 +2390,6 @@ static ssize_t rndis_ipa_debugfs_atomic_read(struct file *file, + return simple_read_from_buffer(ubuf, count, ppos, atomic_str, nbytes); + } + +-static ssize_t rndis_ipa_debugfs_enable_read(struct file *file, +- char __user *ubuf, size_t count, loff_t *ppos) +-{ +- int nbytes; +- int size = 0; +- int ret; +- loff_t pos; +- u8 enable_str[sizeof(char)*3] = {0}; +- bool *enable = file->private_data; +- pos = *ppos; +- nbytes = scnprintf(enable_str, sizeof(enable_str), "%d\n", *enable); +- ret = simple_read_from_buffer(ubuf, count, ppos, enable_str, nbytes); +- if (ret < 0) { +- RNDIS_IPA_ERROR("simple_read_from_buffer problem\n"); +- return ret; +- } +- size += ret; +- count -= nbytes; +- *ppos = pos + size; +- return size; +-} +- +-static 
ssize_t rndis_ipa_debugfs_enable_write(struct file *file, +- const char __user *buf, size_t count, loff_t *ppos) +-{ +- unsigned long missing; +- char input; +- bool *enable = file->private_data; +- if (count != sizeof(input) + 1) { +- RNDIS_IPA_ERROR("wrong input length(%zd)\n", count); +- return -EINVAL; +- } +- if (!buf) { +- RNDIS_IPA_ERROR("Bad argument\n"); +- return -EINVAL; +- } +- missing = copy_from_user(&input, buf, 1); +- if (missing) +- return -EFAULT; +- RNDIS_IPA_DEBUG("input received %c\n", input); +- *enable = input - '0'; +- RNDIS_IPA_DEBUG("value was set to %d\n", *enable); +- return count; +-} +- +-/** +- * Connects IPA->BAMDMA +- * This shall simulate the path from IPA to USB +- * Allowing the driver TX path +- */ +-static int rndis_ipa_loopback_pipe_create( +- struct rndis_ipa_dev *rndis_ipa_ctx, +- struct rndis_loopback_pipe *loopback_pipe) +-{ +- int retval; +- +- RNDIS_IPA_LOG_ENTRY(); +- +- /* SPS pipe has two side handshake +- * This is the first handshake of IPA->BAMDMA, +- * This is the IPA side +- */ +- loopback_pipe->ipa_connect_params.client = loopback_pipe->ipa_client; +- loopback_pipe->ipa_connect_params.client_bam_hdl = +- rndis_ipa_ctx->bam_dma_hdl; +- loopback_pipe->ipa_connect_params.client_ep_idx = +- loopback_pipe->peer_pipe_index; +- loopback_pipe->ipa_connect_params.desc_fifo_sz = BAM_DMA_DESC_FIFO_SIZE; +- loopback_pipe->ipa_connect_params.data_fifo_sz = BAM_DMA_DATA_FIFO_SIZE; +- loopback_pipe->ipa_connect_params.notify = loopback_pipe->ipa_callback; +- loopback_pipe->ipa_connect_params.priv = rndis_ipa_ctx; +- loopback_pipe->ipa_connect_params.ipa_ep_cfg = +- *(loopback_pipe->ipa_ep_cfg); +- +- /* loopback_pipe->ipa_sps_connect is out param */ +- retval = ipa_connect(&loopback_pipe->ipa_connect_params, +- &loopback_pipe->ipa_sps_connect, +- &loopback_pipe->ipa_drv_ep_hdl); +- if (retval) { +- RNDIS_IPA_ERROR("ipa_connect() fail (%d)", retval); +- return retval; +- } +- RNDIS_IPA_DEBUG("ipa_connect() succeeded, 
ipa_drv_ep_hdl=%d", +- loopback_pipe->ipa_drv_ep_hdl); +- +- /* SPS pipe has two side handshake +- * This is the second handshake of IPA->BAMDMA, +- * This is the BAMDMA side +- */ +- loopback_pipe->dma_sps = sps_alloc_endpoint(); +- if (!loopback_pipe->dma_sps) { +- RNDIS_IPA_ERROR("sps_alloc_endpoint() failed "); +- retval = -ENOMEM; +- goto fail_sps_alloc; +- } +- +- retval = sps_get_config(loopback_pipe->dma_sps, +- &loopback_pipe->dma_connect); +- if (retval) { +- RNDIS_IPA_ERROR("sps_get_config() failed (%d)", retval); +- goto fail_get_cfg; +- } +- +- /* Start setting the non IPA ep for SPS driver*/ +- loopback_pipe->dma_connect.mode = loopback_pipe->mode; +- +- /* SPS_MODE_DEST: DMA end point is the dest (consumer) IPA->DMA */ +- if (loopback_pipe->mode == SPS_MODE_DEST) { +- +- loopback_pipe->dma_connect.source = +- loopback_pipe->ipa_sps_connect.ipa_bam_hdl; +- loopback_pipe->dma_connect.src_pipe_index = +- loopback_pipe->ipa_sps_connect.ipa_ep_idx; +- loopback_pipe->dma_connect.destination = +- rndis_ipa_ctx->bam_dma_hdl; +- loopback_pipe->dma_connect.dest_pipe_index = +- loopback_pipe->peer_pipe_index; +- +- /* SPS_MODE_SRC: DMA end point is the source (producer) DMA->IPA */ +- } else { +- +- loopback_pipe->dma_connect.source = +- rndis_ipa_ctx->bam_dma_hdl; +- loopback_pipe->dma_connect.src_pipe_index = +- loopback_pipe->peer_pipe_index; +- loopback_pipe->dma_connect.destination = +- loopback_pipe->ipa_sps_connect.ipa_bam_hdl; +- loopback_pipe->dma_connect.dest_pipe_index = +- loopback_pipe->ipa_sps_connect.ipa_ep_idx; +- +- } +- +- loopback_pipe->dma_connect.desc = loopback_pipe->ipa_sps_connect.desc; +- loopback_pipe->dma_connect.data = loopback_pipe->ipa_sps_connect.data; +- loopback_pipe->dma_connect.event_thresh = 0x10; +- /* BAM-to-BAM */ +- loopback_pipe->dma_connect.options = SPS_O_AUTO_ENABLE; +- +- RNDIS_IPA_DEBUG("doing sps_connect() with - "); +- RNDIS_IPA_DEBUG("src bam_hdl:0x%lx, src_pipe#:%d", +- loopback_pipe->dma_connect.source, +- 
loopback_pipe->dma_connect.src_pipe_index); +- RNDIS_IPA_DEBUG("dst bam_hdl:0x%lx, dst_pipe#:%d", +- loopback_pipe->dma_connect.destination, +- loopback_pipe->dma_connect.dest_pipe_index); +- +- retval = sps_connect(loopback_pipe->dma_sps, +- &loopback_pipe->dma_connect); +- if (retval) { +- RNDIS_IPA_ERROR("sps_connect() fail for BAMDMA side (%d)", +- retval); +- goto fail_sps_connect; +- } +- +- RNDIS_IPA_LOG_EXIT(); +- +- return 0; +- +-fail_sps_connect: +-fail_get_cfg: +- sps_free_endpoint(loopback_pipe->dma_sps); +-fail_sps_alloc: +- ipa_disconnect(loopback_pipe->ipa_drv_ep_hdl); +- return retval; +-} +- +-static void rndis_ipa_destroy_loopback_pipe( +- struct rndis_loopback_pipe *loopback_pipe) +-{ +- sps_disconnect(loopback_pipe->dma_sps); +- sps_free_endpoint(loopback_pipe->dma_sps); +-} +- +-/** +- * rndis_ipa_create_loopback() - create a BAM-DMA loopback +- * in order to replace the USB core +- */ +-static int rndis_ipa_create_loopback(struct rndis_ipa_dev *rndis_ipa_ctx) +-{ +- /* The BAM handle should be use as +- * source/destination in the sps_connect() +- */ +- int retval; +- +- RNDIS_IPA_LOG_ENTRY(); +- +- +- retval = sps_ctrl_bam_dma_clk(true); +- if (retval) { +- RNDIS_IPA_ERROR("fail on enabling BAM-DMA clocks"); +- return -ENODEV; +- } +- +- /* Get BAM handle instead of USB handle */ +- rndis_ipa_ctx->bam_dma_hdl = sps_dma_get_bam_handle(); +- if (!rndis_ipa_ctx->bam_dma_hdl) { +- RNDIS_IPA_ERROR("sps_dma_get_bam_handle() failed"); +- return -ENODEV; +- } +- RNDIS_IPA_DEBUG("sps_dma_get_bam_handle() succeeded (0x%x)", +- rndis_ipa_ctx->bam_dma_hdl); +- +- /* IPA<-BAMDMA, NetDev Rx path (BAMDMA is the USB stub) */ +- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_client = +- IPA_CLIENT_USB_PROD; +- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.peer_pipe_index = +- FROM_USB_TO_IPA_BAMDMA; +- /*DMA EP mode*/ +- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.mode = SPS_MODE_SRC; +- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_ep_cfg = +- 
&usb_to_ipa_ep_cfg_deaggr_en; +- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_callback = +- rndis_ipa_packet_receive_notify; +- RNDIS_IPA_DEBUG("setting up IPA<-BAMDAM pipe (RNDIS_IPA RX path)"); +- retval = rndis_ipa_loopback_pipe_create(rndis_ipa_ctx, +- &rndis_ipa_ctx->usb_to_ipa_loopback_pipe); +- if (retval) { +- RNDIS_IPA_ERROR("fail to close IPA->BAMDAM pipe"); +- goto fail_to_usb; +- } +- RNDIS_IPA_DEBUG("IPA->BAMDAM pipe successfully connected (TX path)"); +- +- /* IPA->BAMDMA, NetDev Tx path (BAMDMA is the USB stub)*/ +- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_client = +- IPA_CLIENT_USB_CONS; +- /*DMA EP mode*/ +- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.mode = SPS_MODE_DEST; +- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_ep_cfg = &ipa_to_usb_ep_cfg; +- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.peer_pipe_index = +- FROM_IPA_TO_USB_BAMDMA; +- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_callback = +- rndis_ipa_tx_complete_notify; +- RNDIS_IPA_DEBUG("setting up IPA->BAMDAM pipe (RNDIS_IPA TX path)"); +- retval = rndis_ipa_loopback_pipe_create(rndis_ipa_ctx, +- &rndis_ipa_ctx->ipa_to_usb_loopback_pipe); +- if (retval) { +- RNDIS_IPA_ERROR("fail to close IPA<-BAMDAM pipe"); +- goto fail_from_usb; +- } +- RNDIS_IPA_DEBUG("IPA<-BAMDAM pipe successfully connected(RX path)"); +- +- RNDIS_IPA_LOG_EXIT(); +- +- return 0; +- +-fail_from_usb: +- rndis_ipa_destroy_loopback_pipe( +- &rndis_ipa_ctx->usb_to_ipa_loopback_pipe); +-fail_to_usb: +- +- return retval; +-} +- +-static void rndis_ipa_destroy_loopback(struct rndis_ipa_dev *rndis_ipa_ctx) +-{ +- rndis_ipa_destroy_loopback_pipe( +- &rndis_ipa_ctx->ipa_to_usb_loopback_pipe); +- rndis_ipa_destroy_loopback_pipe( +- &rndis_ipa_ctx->usb_to_ipa_loopback_pipe); +- sps_dma_free_bam_handle(rndis_ipa_ctx->bam_dma_hdl); +- if (sps_ctrl_bam_dma_clk(false)) +- RNDIS_IPA_ERROR("fail to disable BAM-DMA clocks"); +-} +- +-/** +- * rndis_ipa_setup_loopback() - create/destroy a loopback on IPA HW +- * (as USB pipes loopback) and 
notify RNDIS_IPA netdev for pipe connected +- * @enable: flag that determines if the loopback should be created or destroyed +- * @rndis_ipa_ctx: driver main context +- * +- * This function is the main loopback logic. +- * It shall create/destory the loopback by using BAM-DMA and notify +- * the netdev accordingly. +- */ +-static int rndis_ipa_setup_loopback(bool enable, +- struct rndis_ipa_dev *rndis_ipa_ctx) +-{ +- int retval; +- +- if (!enable) { +- rndis_ipa_destroy_loopback(rndis_ipa_ctx); +- RNDIS_IPA_DEBUG("loopback destroy done"); +- retval = rndis_ipa_pipe_disconnect_notify(rndis_ipa_ctx); +- if (retval) { +- RNDIS_IPA_ERROR("connect notify fail"); +- return -ENODEV; +- } +- return 0; +- } +- +- RNDIS_IPA_DEBUG("creating loopback (instead of USB core)"); +- retval = rndis_ipa_create_loopback(rndis_ipa_ctx); +- RNDIS_IPA_DEBUG("creating loopback- %s", (retval ? "FAIL" : "OK")); +- if (retval) { +- RNDIS_IPA_ERROR("Fail to connect loopback"); +- return -ENODEV; +- } +- retval = rndis_ipa_pipe_connect_notify( +- rndis_ipa_ctx->usb_to_ipa_loopback_pipe.ipa_drv_ep_hdl, +- rndis_ipa_ctx->ipa_to_usb_loopback_pipe.ipa_drv_ep_hdl, +- BAM_DMA_DATA_FIFO_SIZE, +- 15, +- BAM_DMA_DATA_FIFO_SIZE - rndis_ipa_ctx->net->mtu, +- rndis_ipa_ctx); +- if (retval) { +- RNDIS_IPA_ERROR("connect notify fail"); +- return -ENODEV; +- } +- +- return 0; +- +-} +- + static int rndis_ipa_init_module(void) + { + pr_info("RNDIS_IPA module is loaded."); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-5868/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5868/4.4/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-5868/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-5868/4.4/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2016-5870/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-5870/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-5870/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-5870/ANY/0001.patch 
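Review bot: The handlers that survive this removal (`rndis_ipa_debugfs_atomic_open`/`_read`, `rndis_ipa_debugfs_aggr_open`/`_write`) appear in CVE-2016-5868/3.18/0002.patch only as context lines, so the hunk does not show whether they repeat the pattern that made the loopback code unsafe. The deleted `rndis_ipa_debugfs_loopback_read` and `_write` overwrote `file->private_data` with `&rndis_ipa_ctx->loopback_enable`, so a second call on the same descriptor would treat a `bool *` as the driver context. After applying the patch, check the remaining handlers in the target tree for the same reassignment. The commit message describes the code only as unused debug functionality, so a short note beside the patch recording why the removal is the fix would help anyone porting it to another kernel version.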
diff --git a/Patches/Linux_CVEs/CVE-2016-6136/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6136/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-6136/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-6136/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-6672/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6672/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-6672/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-6672/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-6675/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6675/ANY/0001.patch
new file mode 100644
index 00000000..3d55ca34
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-6675/ANY/0001.patch
@@ -0,0 +1,35 @@
+From 1353fa0bd0c78427f3ae7d9bde7daeb75bd01d09 Mon Sep 17 00:00:00 2001
+From: Manjeet Singh
+Date: Tue, 3 May 2016 16:21:46 +0530
+Subject: wlan: fix buffer overflow in linkspeed ioctl
+
+cld to prima propagation.
+
+In linkspeed ioctl handler, mac address array is allocated a
+size of MAC_ADDRESS_STR_LEN, which is 18 bytes taking account of null
+terminator '\0'. But in code, a null terminator is being manually added
+at index MAC_ADDRESS_STR_LEN. This would overflow the buffer and hence
+null terminator should be added at MAC_ADDRESS_STR_LEN -1.
+
+Change-Id: I16c2d0f787dfa339780db7d888aff37355c32322
+CRs-fixed: 1000861
+---
+ CORE/HDD/src/wlan_hdd_hostapd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
+index a9167f3..03889a4 100644
+--- a/CORE/HDD/src/wlan_hdd_hostapd.c
++++ b/CORE/HDD/src/wlan_hdd_hostapd.c
+@@ -4662,7 +4662,7 @@ int __iw_get_softap_linkspeed(struct net_device *dev,
+ kfree(pmacAddress);
+ return -EFAULT;
+ }
+- pmacAddress[MAC_ADDRESS_STR_LEN] = '\0';
++ pmacAddress[MAC_ADDRESS_STR_LEN-1] = '\0';
+
+ status = hdd_string_to_hex (pmacAddress, MAC_ADDRESS_STR_LEN, macAddress );
+ kfree(pmacAddress);
+--
+cgit v1.1
+
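Review bot: In `__iw_get_softap_linkspeed` (CVE-2016-6675/ANY/0001.patch) the terminator now lands on the last byte, but `hdd_string_to_hex` is still told to parse the full `MAC_ADDRESS_STR_LEN`, and the allocation and the user copy sit above the hunk. If the buffer comes from a non-zeroing allocator and the copy is shorter than the buffer, the parser may be handed uninitialised heap bytes ahead of the terminator. Confirm in the target tree that the allocation is zeroed or that the copied length is checked against `MAC_ADDRESS_STR_LEN - 1`. A comment on the fixed line would help keep the off-by-one from coming back: `/* buffer is MAC_ADDRESS_STR_LEN bytes; last valid index is MAC_ADDRESS_STR_LEN - 1 */`.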
diff --git a/Patches/Linux_CVEs/CVE-2016-6676/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6676/ANY/0001.patch
new file mode 100644
index 00000000..d3ff16bf
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-6676/ANY/0001.patch
@@ -0,0 +1,33 @@
+From 6ba9136879232442a182996427e5c88e5a7512a8 Mon Sep 17 00:00:00 2001
+From: Hanumantha Reddy Pothula
+Date: Wed, 13 Apr 2016 10:50:46 +0530
+Subject: qcacld-2.0: Resolve buffer overflow issue while processing GET_CFG
+ IOCTL
+
+There is a possibility of buffer overflow while processing
+GET_CFG IOCTL to retrieve ini parameters from a global array,
+because of invalid if condition.
+Resolve buffer overflow issue by correcting if condition.
+
+Change-Id: I8881abde0b543d7b1562968ecbb6240a0ca552a3
+CRs-Fixed: 1000853
+---
+ CORE/HDD/src/wlan_hdd_cfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CORE/HDD/src/wlan_hdd_cfg.c b/CORE/HDD/src/wlan_hdd_cfg.c
+index 2904284..1a669d9 100644
+--- a/CORE/HDD/src/wlan_hdd_cfg.c
++++ b/CORE/HDD/src/wlan_hdd_cfg.c
+@@ -4974,7 +4974,7 @@ static VOS_STATUS hdd_cfg_get_config(REG_TABLE_ENTRY *reg_table,
+ // ideally we want to return the config to the application
+ // however the config is too big so we just printk() for now
+ #ifdef RETURN_IN_BUFFER
+- if (curlen <= buflen)
++ if (curlen < buflen)
+ {
+ // copy string + '\0'
+ memcpy(pCur, configStr, curlen+1);
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-6679/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6679/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-6679/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-6679/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-6679/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-6679/ANY/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-6679/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2016-6679/ANY/0002.patch
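Review bot: The corrected guard in `hdd_cfg_get_config` (CVE-2016-6676/ANY/0001.patch) is right but does not read like the copy it protects: the test is `curlen < buflen` while `memcpy` moves `curlen+1` bytes. A comment above the condition, `/* curlen + 1 bytes are copied, including the '\0' */`, would make the relationship explicit and the off-by-one harder to reintroduce. The change sits inside `#ifdef RETURN_IN_BUFFER`, so it only has an effect in builds that define that macro. The branch taken when the string does not fit lies outside the hunk and should be checked in the target tree.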
diff --git a/Patches/Linux_CVEs/CVE-2016-6679/ANY/2.patch b/Patches/Linux_CVEs/CVE-2016-6679/ANY/2.patch deleted file mode 100644 index 08bfb43a..00000000 --- a/Patches/Linux_CVEs/CVE-2016-6679/ANY/2.patch +++ /dev/null 
@@ -1,476 +0,0 @@ -From 2d8b76ef0d269dd2939050c4eae4838803730c42 Mon Sep 17 00:00:00 2001 -From: SaidiReddy Yenuga -Date: Thu, 26 May 2016 15:24:26 +0530 -Subject: [PATCH] qcacld-2.0: Remove the support for setwpaie ioctl - -This ioctl gets call during the start of SAP/hostapd with wext -interface and which is obsolete, currently using nl80211 interface -for the same - -Remove the code related to setwpaie ioctl - -Bug: 29915601 -CRs-Fixed: 1000913 -Change-Id: Ia45860d7143639aa62d02afe8c08e283e20ba27a ---- - .../staging/qcacld-2.0/CORE/HDD/inc/qc_sap_ioctl.h | 2 +- - .../qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c | 419 --------------------- - 2 files changed, 1 insertion(+), 420 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/inc/qc_sap_ioctl.h b/drivers/staging/qcacld-2.0/CORE/HDD/inc/qc_sap_ioctl.h -index 256c14d8e2a49..010be1cb7fb7a 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/inc/qc_sap_ioctl.h -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/inc/qc_sap_ioctl.h -@@ -143,7 +143,7 @@ typedef struct - #define QCSAP_IOCTL_SET_NONE_GET_THREE (SIOCIWFIRSTPRIV+3) - #define WE_GET_TSF 1 - #define QCSAP_IOCTL_GET_STAWPAIE (SIOCIWFIRSTPRIV+4) --#define QCSAP_IOCTL_SETWPAIE (SIOCIWFIRSTPRIV+5) -+ - #define QCSAP_IOCTL_STOPBSS (SIOCIWFIRSTPRIV+6) - #define QCSAP_IOCTL_VERSION (SIOCIWFIRSTPRIV+7) - #define QCSAP_IOCTL_GET_WPS_PBC_PROBE_REQ_IES (SIOCIWFIRSTPRIV+8) -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c -index 354d69cc522c9..024b3135ee74f 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c -@@ -5241,422 +5241,6 @@ static int iw_get_mode(struct net_device *dev, - } - - --static int __iw_softap_setwpsie(struct net_device *dev, -- struct iw_request_info *info, -- union iwreq_data *wrqu, -- char *extra) --{ -- hdd_adapter_t *pHostapdAdapter = (netdev_priv(dev)); --#ifndef 
WLAN_FEATURE_MBSSID -- v_CONTEXT_t pVosContext; --#endif -- hdd_hostapd_state_t *pHostapdState; -- eHalStatus halStatus= eHAL_STATUS_SUCCESS; -- u_int8_t *wps_genie; -- u_int8_t *fwps_genie; -- u_int8_t *pos; -- tpSap_WPSIE pSap_WPSIe; -- u_int8_t WPSIeType; -- u_int16_t length; -- struct iw_point s_priv_data; -- hdd_context_t *hdd_ctx; -- int ret; -- -- ENTER(); -- -- if (!capable(CAP_NET_ADMIN)) { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- FL("permission check failed")); -- return -EPERM; -- } -- -- hdd_ctx = WLAN_HDD_GET_CTX(pHostapdAdapter); -- ret = wlan_hdd_validate_context(hdd_ctx); -- if (0 != ret) -- return ret; -- --#ifndef WLAN_FEATURE_MBSSID -- pVosContext = hdd_ctx->pvosContext; -- if (NULL == pVosContext) { -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -- "%s: VOS context is not valid ", __func__); -- return -EINVAL; -- } --#endif -- -- /* helper function to get iwreq_data with compat handling. */ -- if (hdd_priv_get_data(&s_priv_data, wrqu)) { -- return -EINVAL; -- } -- -- if ((NULL == s_priv_data.pointer) || -- (s_priv_data.length < QCSAP_MAX_WSC_IE)) { -- return -EINVAL; -- } -- -- wps_genie = mem_alloc_copy_from_user_helper(s_priv_data.pointer, -- s_priv_data.length); -- -- if (NULL == wps_genie) { -- hddLog(LOG1, -- "%s: failed to alloc memory and copy data from user buffer", -- __func__); -- return -EFAULT; -- } -- -- fwps_genie = wps_genie; -- -- pSap_WPSIe = vos_mem_malloc(sizeof(tSap_WPSIE)); -- if (NULL == pSap_WPSIe) -- { -- hddLog(LOGE, "VOS unable to allocate memory"); -- kfree(fwps_genie); -- return -ENOMEM; -- } -- vos_mem_zero(pSap_WPSIe, sizeof(tSap_WPSIE)); -- -- hddLog(LOG1,"%s WPS IE type[0x%X] IE[0x%X], LEN[%d]", __func__, wps_genie[0], wps_genie[1], wps_genie[2]); -- WPSIeType = wps_genie[0]; -- if ( wps_genie[0] == eQC_WPS_BEACON_IE) -- { -- pSap_WPSIe->sapWPSIECode = eSAP_WPS_BEACON_IE; -- wps_genie = wps_genie + 1; -- switch ( wps_genie[0] ) -- { -- case DOT11F_EID_WPA: -- if (wps_genie[1] < 
DOT11F_EID_HEADER_LEN || -- wps_genie[1] > DOT11F_IE_WPA_MAX_LEN + DOT11F_EID_HEADER_LEN) -- { -- ret = -EINVAL; -- goto exit; -- } -- else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) -- { -- hddLog (LOG1, "%s Set WPS BEACON IE(len %d)",__func__, wps_genie[1]+2); -- pos = &wps_genie[6]; -- while (((size_t)pos - (size_t)&wps_genie[6]) < (wps_genie[1] - 4) ) -- { -- switch((u_int16_t)(*pos<<8) | *(pos+1)) -- { -- case HDD_WPS_ELEM_VERSION: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.Version = *pos; -- hddLog(LOG1, "WPS version %d", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.Version); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_VER_PRESENT; -- pos += 1; -- break; -- -- case HDD_WPS_ELEM_WPS_STATE: -- pos +=4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.wpsState = *pos; -- hddLog(LOG1, "WPS State %d", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.wpsState); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_STATE_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_APSETUPLOCK: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.APSetupLocked = *pos; -- hddLog(LOG1, "AP setup lock %d", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.APSetupLocked); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_APSETUPLOCK_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_SELECTEDREGISTRA: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.SelectedRegistra = *pos; -- hddLog(LOG1, "Selected Registra %d", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.SelectedRegistra); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_SELECTEDREGISTRA_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_DEVICE_PASSWORD_ID: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.DevicePasswordID = (*pos<<8) | *(pos+1); -- hddLog(LOG1, "Password ID: %x", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.DevicePasswordID); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_DEVICEPASSWORDID_PRESENT; -- pos += 2; -- break; -- case 
HDD_WPS_ELEM_REGISTRA_CONF_METHODS: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.SelectedRegistraCfgMethod = (*pos<<8) | *(pos+1); -- hddLog(LOG1, "Select Registra Config Methods: %x", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.SelectedRegistraCfgMethod); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_SELECTEDREGISTRACFGMETHOD_PRESENT; -- pos += 2; -- break; -- -- case HDD_WPS_ELEM_UUID_E: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E)) -- { -- ret = -EINVAL; -- goto exit; -- } -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT; -- pos += length; -- break; -- case HDD_WPS_ELEM_RF_BANDS: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.RFBand = *pos; -- hddLog(LOG1, "RF band: %d", pSap_WPSIe->sapwpsie.sapWPSBeaconIE.RFBand); -- pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_RF_BANDS_PRESENT; -- pos += 1; -- break; -- -- default: -- hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)", (*pos<<8 | *(pos+1))); -- ret = -EINVAL; -- goto exit; -- } -- } -- } -- else { -- hddLog (LOGE, "%s WPS IE Mismatch %X", -- __func__, wps_genie[0]); -- } -- break; -- -- default: -- hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]); -- ret = -EINVAL; -- goto exit; -- } -- } -- else if( wps_genie[0] == eQC_WPS_PROBE_RSP_IE) -- { -- pSap_WPSIe->sapWPSIECode = eSAP_WPS_PROBE_RSP_IE; -- wps_genie = wps_genie + 1; -- switch ( wps_genie[0] ) -- { -- case DOT11F_EID_WPA: -- if (wps_genie[1] < DOT11F_EID_HEADER_LEN || -- wps_genie[1] > DOT11F_IE_WPA_MAX_LEN + DOT11F_EID_HEADER_LEN) -- { -- ret = -EINVAL; -- goto exit; -- } -- else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) -- { -- hddLog (LOG1, "%s Set WPS PROBE RSP IE(len %d)",__func__, wps_genie[1]+2); -- pos = &wps_genie[6]; -- while (((size_t)pos - (size_t)&wps_genie[6]) < (wps_genie[1] - 4) ) -- { -- 
switch((u_int16_t)(*pos<<8) | *(pos+1)) -- { -- case HDD_WPS_ELEM_VERSION: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Version = *pos; -- hddLog(LOG1, "WPS version %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Version); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_VER_PRESENT; -- pos += 1; -- break; -- -- case HDD_WPS_ELEM_WPS_STATE: -- pos +=4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.wpsState = *pos; -- hddLog(LOG1, "WPS State %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.wpsState); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_STATE_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_APSETUPLOCK: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.APSetupLocked = *pos; -- hddLog(LOG1, "AP setup lock %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.APSetupLocked); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_APSETUPLOCK_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_SELECTEDREGISTRA: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SelectedRegistra = *pos; -- hddLog(LOG1, "Selected Registra %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SelectedRegistra); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SELECTEDREGISTRA_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_DEVICE_PASSWORD_ID: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DevicePasswordID = (*pos<<8) | *(pos+1); -- hddLog(LOG1, "Password ID: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DevicePasswordID); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_DEVICEPASSWORDID_PRESENT; -- pos += 2; -- break; -- case HDD_WPS_ELEM_REGISTRA_CONF_METHODS: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SelectedRegistraCfgMethod = (*pos<<8) | *(pos+1); -- hddLog(LOG1, "Select Registra Config Methods: %x", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SelectedRegistraCfgMethod); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SELECTEDREGISTRACFGMETHOD_PRESENT; -- pos += 
2; -- break; -- case HDD_WPS_ELEM_RSP_TYPE: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ResponseType = *pos; -- hddLog(LOG1, "Config Methods: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ResponseType); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_RESPONSETYPE_PRESENT; -- pos += 1; -- break; -- case HDD_WPS_ELEM_UUID_E: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E))) -- { -- ret = -EINVAL; -- goto exit; -- } -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT; -- pos += length; -- break; -- -- case HDD_WPS_ELEM_MANUFACTURER: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name))) -- { -- ret = -EINVAL; -- goto exit; -- } -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length; -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MANUFACTURE_PRESENT; -- pos += length; -- break; -- -- case HDD_WPS_ELEM_MODEL_NAME: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text))) -- { -- ret = -EINVAL; -- goto exit; -- } -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length; -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNAME_PRESENT; -- pos += length; -- break; -- case HDD_WPS_ELEM_MODEL_NUM: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text))) -- { -- ret = -EINVAL; -- goto exit; -- } -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length; -- 
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT; -- pos += length; -- break; -- case HDD_WPS_ELEM_SERIAL_NUM: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text))) -- { -- ret = -EINVAL; -- goto exit; -- } -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length; -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length); -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT; -- pos += length; -- break; -- case HDD_WPS_ELEM_PRIMARY_DEVICE_TYPE: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceCategory = (*pos<<8 | *(pos+1)); -- hddLog(LOG1, "primary dev category: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceCategory); -- pos += 2; -- -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.PrimaryDeviceOUI, pos, HDD_WPS_DEVICE_OUI_LEN); -- hddLog(LOG1, "primary dev oui: %02x, %02x, %02x, %02x", pos[0], pos[1], pos[2], pos[3]); -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceSubCategory = (*pos<<8 | *(pos+1)); -- hddLog(LOG1, "primary dev sub category: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceSubCategory); -- pos += 2; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_PRIMARYDEVICETYPE_PRESENT; -- break; -- case HDD_WPS_ELEM_DEVICE_NAME: -- pos += 2; -- length = *pos<<8 | *(pos+1); -- pos += 2; -- if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text))) -- { -- ret = -EINVAL; -- goto exit; -- } -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length; -- vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length); -- pos += length; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_DEVICENAME_PRESENT; -- break; -- case HDD_WPS_ELEM_CONFIG_METHODS: 
-- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ConfigMethod = (*pos<<8) | *(pos+1); -- hddLog(LOG1, "Config Methods: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SelectedRegistraCfgMethod); -- pos += 2; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_CONFIGMETHODS_PRESENT; -- break; -- -- case HDD_WPS_ELEM_RF_BANDS: -- pos += 4; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.RFBand = *pos; -- hddLog(LOG1, "RF band: %d", pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.RFBand); -- pos += 1; -- pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_RF_BANDS_PRESENT; -- break; -- } // switch -- } -- } -- else -- { -- hddLog (LOGE, "%s WPS IE Mismatch %X",__func__, wps_genie[0]); -- } -- -- } // switch -- } -- --#ifdef WLAN_FEATURE_MBSSID -- halStatus = WLANSAP_Set_WpsIe(WLAN_HDD_GET_SAP_CTX_PTR(pHostapdAdapter), pSap_WPSIe); --#else -- halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe); --#endif -- if (halStatus != eHAL_STATUS_SUCCESS) -- ret = -EINVAL; -- pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter); -- if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE) -- { -- //hdd_adapter_t *pHostapdAdapter = (netdev_priv(dev)); -- //v_CONTEXT_t pVosContext = pHostapdAdapter->pvosContext; --#ifdef WLAN_FEATURE_MBSSID -- WLANSAP_Update_WpsIe ( WLAN_HDD_GET_SAP_CTX_PTR(pHostapdAdapter) ); --#else -- WLANSAP_Update_WpsIe ( pVosContext ); --#endif -- } --exit: -- vos_mem_free(pSap_WPSIe); -- kfree(fwps_genie); -- EXIT(); -- return ret; --} -- --static int iw_softap_setwpsie(struct net_device *dev, -- struct iw_request_info *info, -- union iwreq_data *wrqu, -- char *extra) --{ -- int ret; -- -- vos_ssr_protect(__func__); -- ret = __iw_softap_setwpsie(dev, info, wrqu, extra); -- vos_ssr_unprotect(__func__); -- -- return ret; --} -- - static int __iw_softap_stopbss(struct net_device *dev, - struct iw_request_info *info, - union iwreq_data *wrqu, -@@ -6719,8 +6303,6 @@ static const struct iw_priv_args hostapd_private_args[] = { - - { 
QCSAP_IOCTL_GET_STAWPAIE, - IW_PRIV_TYPE_BYTE | IW_PRIV_SIZE_FIXED | 1, 0, "get_staWPAIE" }, -- { QCSAP_IOCTL_SETWPAIE, -- IW_PRIV_TYPE_BYTE | QCSAP_MAX_WSC_IE | IW_PRIV_SIZE_FIXED, 0, "setwpaie" }, - { QCSAP_IOCTL_STOPBSS, - IW_PRIV_TYPE_BYTE | IW_PRIV_SIZE_FIXED, 0, "stopbss" }, - { QCSAP_IOCTL_VERSION, 0, -@@ -6884,7 +6466,6 @@ static const iw_handler hostapd_private[] = { - [QCSAP_IOCTL_GETPARAM - SIOCIWFIRSTPRIV] = iw_softap_getparam, //get priv ioctl - [QCSAP_IOCTL_SET_NONE_GET_THREE - SIOCIWFIRSTPRIV] = iw_softap_get_three, - [QCSAP_IOCTL_GET_STAWPAIE - SIOCIWFIRSTPRIV] = iw_get_genie, //get station genIE -- [QCSAP_IOCTL_SETWPAIE - SIOCIWFIRSTPRIV] = iw_softap_setwpsie, - [QCSAP_IOCTL_STOPBSS - SIOCIWFIRSTPRIV] = iw_softap_stopbss, // stop bss - [QCSAP_IOCTL_VERSION - SIOCIWFIRSTPRIV] = iw_softap_version, // get driver version - [QCSAP_IOCTL_GET_WPS_PBC_PROBE_REQ_IES - SIOCIWFIRSTPRIV] = iw_get_WPSPBCProbeReqIEs, diff --git a/Patches/Linux_CVEs/CVE-2016-6680/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-6680/ANY/0001.patch similarity index 78% rename from Patches/Linux_CVEs/CVE-2016-6680/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2016-6680/ANY/0001.patch index e7377ad5..97b3afb3 100644 --- a/Patches/Linux_CVEs/CVE-2016-6680/ANY/1.patch +++ b/Patches/Linux_CVEs/CVE-2016-6680/ANY/0001.patch @@ -1,7 +1,7 @@ -From f4e24e60b5729032ac9d53cb2ac08ab0d05d67a4 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Tue, 16 Aug 2016 14:29:26 -0700 -Subject: [PATCH] qcacld-2.0: Remove the support for iw_set_priv ioctl +From 08ce2a9e1ccdf6081fc1efb47d2edea4f4ad2ecf Mon Sep 17 00:00:00 2001 +From: SaidiReddy Yenuga +Date: Tue, 9 Aug 2016 18:19:04 +0530 +Subject: wlan: Remove the support for iw_set_priv ioctl iw_set_priv is obsolete, now hdd_ioctl handles the driver commands. 
@@ -9,22 +9,19 @@ driver commands. Remove the code related to iw_set_priv ioctl CRs-Fixed: 1048052 -Change-Id: Ic64a45aab2d23669d6d1219f6d2d8a465d34ac10 -Bug: 29982678 -Signed-off-by: Srinivas Girigowda +Change-Id: I3e50fdc2f648ace1b6c260e3d579d93d8e546446 --- - .../qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 436 +-------------------- - 1 file changed, 1 insertion(+), 435 deletions(-) + CORE/HDD/src/wlan_hdd_wext.c | 427 +------------------------------------------ + 1 file changed, 1 insertion(+), 426 deletions(-) -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c -index b226a9d42daa2..804c74f5d03e9 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c -@@ -4005,69 +4005,6 @@ static int iw_get_linkspeed_priv(struct net_device *dev, - return ret; +diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c +index 255a723..3ab228d 100644 +--- a/CORE/HDD/src/wlan_hdd_wext.c ++++ b/CORE/HDD/src/wlan_hdd_wext.c +@@ -3765,69 +3765,6 @@ static int iw_get_linkspeed_priv(struct net_device *dev, } --/* + /* - * Support for the RSSI & RSSI-APPROX private commands - * Per the WiFi framework the response must be of the form - * " rssi " 
@@ -87,34 +84,42 @@ index b226a9d42daa2..804c74f5d03e9 100644 - return rc; -} - - VOS_STATUS wlan_hdd_enter_bmps(hdd_adapter_t *pAdapter, int mode) - { - struct statsContext context; -@@ -4300,377 +4237,6 @@ void* wlan_hdd_change_country_code_callback(void *pAdapter) +-/* + * Support for SoftAP channel range private command + */ + static int iw_softap_set_channel_range( struct net_device *dev, +@@ -4262,368 +4199,6 @@ void* wlan_hdd_change_country_code_callback(void *pAdapter) + return NULL; } - /** -- * __iw_set_priv() - SIOCSIWPRIV ioctl handler -- * @dev: device upon which the ioctl was received -- * @info: ioctl request information -- * @wrqu: ioctl request data -- * @extra: ioctl extra data -- * -- * Return: 0 on success, non-zero on error -- */ --static int __iw_set_priv(struct net_device *dev, struct iw_request_info *info, -- union iwreq_data *wrqu, char *extra) +-static int __iw_set_priv(struct net_device *dev, +- struct iw_request_info *info, +- union iwreq_data *wrqu, char *extra) -{ -- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- hdd_adapter_t *pAdapter; - char *cmd = NULL; - int cmd_len = wrqu->data.length; -- int ret = 0; -- int rc = 0; +- int rc = 0, ret = 0; - VOS_STATUS vos_status = VOS_STATUS_SUCCESS; - -- hdd_context_t *pHddCtx = WLAN_HDD_GET_CTX(pAdapter); +- hdd_context_t *pHddCtx; - - ENTER(); +- +- pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); +- if (NULL == pAdapter) +- { +- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, +- "mem_alloc_copy_from_user_helper fail"); +- return -EINVAL; +- } +- pHddCtx = WLAN_HDD_GET_CTX(pAdapter); +- rc = wlan_hdd_validate_context(pHddCtx); +- if (0 != rc) +- { +- return rc; +- } +- - cmd = mem_alloc_copy_from_user_helper(wrqu->data.pointer, - wrqu->data.length); - if (NULL == cmd) 
@@ -132,18 +137,6 @@ index b226a9d42daa2..804c74f5d03e9 100644 - hddLog(VOS_TRACE_LEVEL_INFO_MED, - "%s: ***Received %s cmd from Wi-Fi GUI***", __func__, cmd); - -- if (pHddCtx->isLogpInProgress) { -- if (ioctl_debug) -- { -- pr_info("%s: RESTART in progress\n", __func__); -- } -- -- VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL, -- "%s:LOGP in Progress. Ignore!!!",__func__); -- kfree(cmd); -- return -EBUSY; -- } -- - if (strncmp(cmd, "CSCAN", 5) == 0 ) - { - if (eHAL_STATUS_SUCCESS != iw_set_cscan(dev, info, wrqu, cmd)) { @@ -194,21 +187,21 @@ index b226a9d42daa2..804c74f5d03e9 100644 - } - else if (strcasecmp(cmd, "scan-active") == 0) - { -- hdd_context_t *pHddCtx = WLAN_HDD_GET_CTX(pAdapter); -- hddLog(LOG1, FL("making default scan to active")); -- pHddCtx->ioctl_scan_mode = eSIR_ACTIVE_SCAN; +- hddLog(LOG1, +- FL("making default scan to active")); +- pHddCtx->scan_info.scan_mode = eSIR_ACTIVE_SCAN; - ret = snprintf(cmd, cmd_len, "OK"); - } - else if (strcasecmp(cmd, "scan-passive") == 0) - { -- hdd_context_t *pHddCtx = WLAN_HDD_GET_CTX(pAdapter); -- hddLog(LOG1, FL("making default scan to active")); -- pHddCtx->ioctl_scan_mode = eSIR_PASSIVE_SCAN; +- hddLog(LOG1, +- FL("making default scan to passive")); +- pHddCtx->scan_info.scan_mode = eSIR_PASSIVE_SCAN; - ret = snprintf(cmd, cmd_len, "OK"); - } - else if( strcasecmp(cmd, "scan-mode") == 0 ) - { -- ret = snprintf(cmd, cmd_len, "ScanMode = %u", pAdapter->scan_info.scan_mode); +- ret = snprintf(cmd, cmd_len, "ScanMode = %u", pHddCtx->scan_info.scan_mode); - } - else if( strcasecmp(cmd, "linkspeed") == 0 ) - { @@ -216,7 +209,7 @@ index b226a9d42daa2..804c74f5d03e9 100644 - } - else if( strncasecmp(cmd, "COUNTRY", 7) == 0 ) { - char *country_code; -- unsigned long rc; +- long lrc; - eHalStatus eHal_status; - - country_code = cmd + 8; 
@@ -232,12 +225,13 @@ index b226a9d42daa2..804c74f5d03e9 100644 - eSIR_TRUE); - - /* Wait for completion */ -- rc = wait_for_completion_timeout(&pAdapter->change_country_code, -- msecs_to_jiffies(WLAN_WAIT_TIME_STATS)); +- lrc = wait_for_completion_interruptible_timeout(&pAdapter->change_country_code, +- msecs_to_jiffies(WLAN_WAIT_TIME_STATS)); - -- if (!rc) { -- hddLog(VOS_TRACE_LEVEL_ERROR, -- FL("SME timedout while setting country code")); +- if (lrc <= 0) +- { +- hddLog(VOS_TRACE_LEVEL_ERROR,"%s: SME %s while setting country code ", +- __func__, "Timed out"); - } - - if (eHAL_STATUS_SUCCESS != eHal_status) @@ -275,10 +269,8 @@ index b226a9d42daa2..804c74f5d03e9 100644 - return -EIO; - } - -- if(!pHddCtx->cfg_ini->enablePowersaveOffload) -- wlan_hdd_enter_bmps(pAdapter, mode); -- else -- wlan_hdd_set_powersave(pAdapter, mode); +- wlan_hdd_enter_bmps(pAdapter, mode); +- /*TODO:Set the power mode*/ - } - else if (strncasecmp(cmd, "getpower", 8) == 0 ) { - v_U32_t pmc_state; @@ -341,9 +333,15 @@ index b226a9d42daa2..804c74f5d03e9 100644 - else if( strncasecmp(cmd, "pno",3) == 0 ) { - - hddLog( VOS_TRACE_LEVEL_INFO, "pno"); -- ret = iw_set_pno(dev, info, wrqu, cmd, 3); +- vos_status = iw_set_pno(dev, info, wrqu, cmd, 3); - kfree(cmd); -- return ret; +- return (vos_status == VOS_STATUS_SUCCESS) ? 0 : -EINVAL; +- } +- else if( strncasecmp(cmd, "rssifilter",10) == 0 ) { +- hddLog( VOS_TRACE_LEVEL_INFO, "rssifilter"); +- vos_status = iw_set_rssi_filter(dev, info, wrqu, cmd, 10); +- kfree(cmd); +- return (vos_status == VOS_STATUS_SUCCESS) ? 0 : -EINVAL; - } -#endif /*FEATURE_WLAN_SCAN_PNO*/ - else if( strncasecmp(cmd, "powerparams",11) == 0 ) { 
@@ -440,40 +438,34 @@ index b226a9d42daa2..804c74f5d03e9 100644 - __func__, cmd, wrqu->data.length, rc); - } - kfree(cmd); +- EXIT(); - return rc; -} - --/** -- * iw_set_priv() - SSR wrapper for __iw_set_priv() -- * @dev: pointer to net_device -- * @info: pointer to iw_request_info -- * @wrqu: pointer to iwreq_data -- * @extra: pointer to extra ioctl payload -- * -- * Return: 0 on success, error number otherwise -- */ --static int iw_set_priv(struct net_device *dev, struct iw_request_info *info, -- union iwreq_data *wrqu, char *extra) +-static int iw_set_priv(struct net_device *dev, +- struct iw_request_info *info, +- union iwreq_data *wrqu, char *extra) -{ -- int ret; +- int ret; +- vos_ssr_protect(__func__); +- ret = __iw_set_priv(dev, info, wrqu, extra); +- vos_ssr_unprotect(__func__); - -- vos_ssr_protect(__func__); -- ret = __iw_set_priv(dev, info, wrqu, extra); -- vos_ssr_unprotect(__func__); -- -- return ret; +- return ret; -} - --/** - * __iw_set_nick() - set nick - * @dev: pointer to net_device - * @info: pointer to iw_request_info -@@ -11405,7 +10971,7 @@ static const iw_handler we_handler[] = + static int __iw_set_nick(struct net_device *dev, + struct iw_request_info *info, + union iwreq_data *wrqu, char *extra) +@@ -10805,7 +10380,7 @@ static const iw_handler we_handler[] = (iw_handler) NULL, /* SIOCGIWSENS */ (iw_handler) NULL, /* SIOCSIWRANGE */ (iw_handler) iw_get_range, /* SIOCGIWRANGE */ - (iw_handler) iw_set_priv, /* SIOCSIWPRIV */ -+ (iw_handler) NULL, /* SIOCSIWPRIV */ ++ (iw_handler) NULL, /* SIOCSIWPRIV */ (iw_handler) NULL, /* SIOCGIWPRIV */ (iw_handler) NULL, /* SIOCSIWSTATS */ (iw_handler) NULL, /* SIOCGIWSTATS */ +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-6680/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6680/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6680/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6680/ANY/0002.patch 
diff --git a/Patches/Linux_CVEs/CVE-2016-6682/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6681/ANY/0001.patch similarity index 70% rename from Patches/Linux_CVEs/CVE-2016-6682/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6681/ANY/0001.patch index f827297d..5ee20560 100644 --- a/Patches/Linux_CVEs/CVE-2016-6682/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2016-6681/ANY/0001.patch @@ -1,30 +1,29 @@ -From f3a55611dc1c0363374ad92eb52b6ee09bf5ff49 Mon Sep 17 00:00:00 2001 -From: vivek mehta -Date: Thu, 11 Aug 2016 13:27:32 -0700 -Subject: [PATCH] misc: qcom: qdsp6v2: Add missing initialization +From 0950fbd39ff189497f1b6115825c210e3eeaf395 Mon Sep 17 00:00:00 2001 +From: Haynes Mathew George +Date: Wed, 3 Aug 2016 11:55:07 -0700 +Subject: misc: qcom: qdsp6v2: Add missing initialization Use variables in driver context after proper initialization -Bug: 30152182 30152501 +CRs-Fixed: 1049521, 1049615 Change-Id: I3e59e27534b8e1088d74b42c72e0075d2fe910e6 Signed-off-by: Haynes Mathew George -Signed-off-by: vivek mehta --- drivers/misc/qcom/qdsp6v2/audio_utils.c | 3 ++- drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils.c b/drivers/misc/qcom/qdsp6v2/audio_utils.c -index 2206a3461cc0d..ac56464683600 100644 +index cad0220..cec449d 100644 --- a/drivers/misc/qcom/qdsp6v2/audio_utils.c +++ b/drivers/misc/qcom/qdsp6v2/audio_utils.c 
@@ -1,4 +1,4 @@ --/* Copyright (c) 2010-2014, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2010-2014, 2016, The Linux Foundation. All rights reserved. +-/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and -@@ -593,6 +593,7 @@ long audio_in_compat_ioctl(struct file *file, +@@ -588,6 +588,7 @@ long audio_in_compat_ioctl(struct file *file, } case AUDIO_GET_CONFIG_32: { struct msm_audio_config32 cfg_32; @@ -33,10 +32,10 @@ index 2206a3461cc0d..ac56464683600 100644 cfg_32.buffer_count = audio->pcm_cfg.buffer_count; cfg_32.channel_count = audio->pcm_cfg.channel_count; diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c -index 11d890d443007..d444742c603cb 100644 +index b87b208..b48aff3 100644 --- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c +++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c -@@ -1877,6 +1877,7 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd, +@@ -1935,6 +1935,7 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd, case AUDIO_GET_CONFIG_32: { struct msm_audio_config32 cfg_32; mutex_lock(&audio->lock); @@ -44,3 +43,6 @@ index 11d890d443007..d444742c603cb 100644 cfg_32.buffer_size = audio->pcm_cfg.buffer_size; cfg_32.buffer_count = audio->pcm_cfg.buffer_count; cfg_32.channel_count = audio->pcm_cfg.channel_count; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-6681/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6682/ANY/0001.patch similarity index 70% rename from Patches/Linux_CVEs/CVE-2016-6681/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6682/ANY/0001.patch index f827297d..5ee20560 100644 --- a/Patches/Linux_CVEs/CVE-2016-6681/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2016-6682/ANY/0001.patch 
@@ -1,30 +1,29 @@ -From f3a55611dc1c0363374ad92eb52b6ee09bf5ff49 Mon Sep 17 00:00:00 2001 -From: vivek mehta -Date: Thu, 11 Aug 2016 13:27:32 -0700 -Subject: [PATCH] misc: qcom: qdsp6v2: Add missing initialization +From 0950fbd39ff189497f1b6115825c210e3eeaf395 Mon Sep 17 00:00:00 2001 +From: Haynes Mathew George +Date: Wed, 3 Aug 2016 11:55:07 -0700 +Subject: misc: qcom: qdsp6v2: Add missing initialization Use variables in driver context after proper initialization -Bug: 30152182 30152501 +CRs-Fixed: 1049521, 1049615 Change-Id: I3e59e27534b8e1088d74b42c72e0075d2fe910e6 Signed-off-by: Haynes Mathew George -Signed-off-by: vivek mehta --- drivers/misc/qcom/qdsp6v2/audio_utils.c | 3 ++- drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils.c b/drivers/misc/qcom/qdsp6v2/audio_utils.c -index 2206a3461cc0d..ac56464683600 100644 +index cad0220..cec449d 100644 --- a/drivers/misc/qcom/qdsp6v2/audio_utils.c +++ b/drivers/misc/qcom/qdsp6v2/audio_utils.c @@ -1,4 +1,4 @@ --/* Copyright (c) 2010-2014, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2010-2014, 2016, The Linux Foundation. All rights reserved. +-/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and -@@ -593,6 +593,7 @@ long audio_in_compat_ioctl(struct file *file, +@@ -588,6 +588,7 @@ long audio_in_compat_ioctl(struct file *file, } case AUDIO_GET_CONFIG_32: { struct msm_audio_config32 cfg_32; @@ -33,10 +32,10 @@ index 2206a3461cc0d..ac56464683600 100644 cfg_32.buffer_count = audio->pcm_cfg.buffer_count; cfg_32.channel_count = audio->pcm_cfg.channel_count; 
diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c -index 11d890d443007..d444742c603cb 100644 +index b87b208..b48aff3 100644 --- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c +++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c -@@ -1877,6 +1877,7 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd, +@@ -1935,6 +1935,7 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd, case AUDIO_GET_CONFIG_32: { struct msm_audio_config32 cfg_32; mutex_lock(&audio->lock); @@ -44,3 +43,6 @@ index 11d890d443007..d444742c603cb 100644 cfg_32.buffer_size = audio->pcm_cfg.buffer_size; cfg_32.buffer_count = audio->pcm_cfg.buffer_count; cfg_32.channel_count = audio->pcm_cfg.channel_count; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-6683/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6683/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6683/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6683/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6683/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2016-6683/ANY/0001.patch.base64 similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6683/ANY/0.patch.base64 rename to Patches/Linux_CVEs/CVE-2016-6683/ANY/0001.patch.base64 diff --git a/Patches/Linux_CVEs/CVE-2016-6692/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6692/ANY/0001.patch new file mode 100644 index 00000000..c863936e --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-6692/ANY/0001.patch 
@@ -0,0 +1,58 @@
+From 0f0e7047d39f9fb3a1a7f389918ff79cdb4a50b3 Mon Sep 17 00:00:00 2001
+From: Ping Li
+Date: Tue, 19 Apr 2016 18:52:10 -0700
+Subject: msm: mdss: Properly set the PP feature cfg_payload in layers
+
+Set the PP feature cfg_payload properly to avoid invalid pointer
+cases.
+
+CRs-Fixed: 1004933
+Change-Id: I44314b49a6ebb5dedfdedfcddd88c12eabd1f125
+Signed-off-by: Ping Li
+---
+ drivers/video/msm/mdss/mdss_mdp_pp.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/video/msm/mdss/mdss_mdp_pp.c b/drivers/video/msm/mdss/mdss_mdp_pp.c
+index 06ba5b1..0ed13ed0 100644
+--- a/drivers/video/msm/mdss/mdss_mdp_pp.c
++++ b/drivers/video/msm/mdss/mdss_mdp_pp.c
+@@ -7162,6 +7162,8 @@ int mdss_mdp_copy_layer_pp_info(struct mdp_input_layer *layer)
+ pr_err("Failed to copy IGC payload, ret = %d\n", ret);
+ goto exit_pp_info;
+ }
++ } else {
++ pp_info->igc_cfg.cfg_payload = NULL;
+ }
+ if (ops & MDP_OVERLAY_PP_HIST_LUT_CFG) {
+ ret = pp_copy_layer_hist_lut_payload(pp_info);
+@@ -7170,6 +7172,8 @@ int mdss_mdp_copy_layer_pp_info(struct mdp_input_layer *layer)
+ ret);
+ goto exit_igc;
+ }
++ } else {
++ pp_info->hist_lut_cfg.cfg_payload = NULL;
+ }
+ if (ops & MDP_OVERLAY_PP_PA_V2_CFG) {
+ ret = pp_copy_layer_pa_payload(pp_info);
+@@ -7177,6 +7181,8 @@ int mdss_mdp_copy_layer_pp_info(struct mdp_input_layer *layer)
+ pr_err("Failed to copy PA payload, ret = %d\n", ret);
+ goto exit_hist_lut;
+ }
++ } else {
++ pp_info->pa_v2_cfg_data.cfg_payload = NULL;
+ }
+ if (ops & MDP_OVERLAY_PP_PCC_CFG) {
+ ret = pp_copy_layer_pcc_payload(pp_info);
+@@ -7184,6 +7190,8 @@ int mdss_mdp_copy_layer_pp_info(struct mdp_input_layer *layer)
+ pr_err("Failed to copy PCC payload, ret = %d\n", ret);
+ goto exit_pa;
+ }
++ } else {
++ pp_info->pcc_cfg_data.cfg_payload = NULL;
+ }
+
+ layer->pp_info = pp_info;
+--
+cgit v1.1
+
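Review bot: The four added `else` branches in mdss_mdp_copy_layer_pp_info clear a pointer without a comment saying why, and the reason is not evident from the hunks alone. When an `ops` bit is not set, the matching `cfg_payload` presumably still holds whatever value arrived with the layer, so a comment on the first branch such as `/* feature not requested: drop the stale cfg_payload so later code never uses it */` would record the intent. The function body and its exit_* cleanup labels lie outside the hunks, so which later paths read these pointers cannot be confirmed from here.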
diff --git a/Patches/Linux_CVEs/CVE-2016-6693/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6693/ANY/0001.patch
new file mode 100644
index 00000000..865d8d71
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-6693/ANY/0001.patch
@@ -0,0 +1,37 @@
+From ac328eb631fa74a63d5d2583e6bfeeb5a7a2df65 Mon Sep 17 00:00:00 2001
+From: Ashish Jain
+Date: Mon, 20 Jun 2016 18:09:07 +0530
+Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate data length
+
+Validate input data length to ensure only relevant data
+is copied.
+
+CRs-Fixed: 1027585
+Change-Id: I67eb4f162f944bbf4d9e55fb8fe93759e6b8ff91
+Signed-off-by: Ashish Jain
+---
+ sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+index fea7bb4..379062e 100644
+--- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
++++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+@@ -1522,6 +1522,14 @@ static int msm_ds2_dap_get_param(u32 cmd, void *arg)
+ goto end;
+ }
+
++ /* Return if invalid length */
++ if (dolby_data->length >
++ (DOLBY_MAX_LENGTH_INDIVIDUAL_PARAM - DOLBY_PARAM_PAYLOAD_SIZE)) {
++ pr_err("Invalid length %d", dolby_data->length);
++ rc = -EINVAL;
++ goto end;
++ }
++
+ for (i = 0; i < DS2_DEVICES_ALL; i++) {
+ if ((dev_map[i].active) &&
+ (dev_map[i].device_id & dolby_data->device_id)) {
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-6694/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6694/ANY/0001.patch
new file mode 100644
index 00000000..8379f2a8
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-6694/ANY/0001.patch
@@ -0,0 +1,45 @@
+From 961e38553aae8ba9b1af77c7a49acfbb7b0b6f62 Mon Sep 17 00:00:00 2001
+From: Ashish Jain
+Date: Thu, 30 Jun 2016 18:28:37 +0530
+Subject: ASoC: msm: qdsp6v2: DAP: Allocate param buffer with correct size
+
+Size of param buffer should be big enough to hold param length
+of data and param payload.
+
+CRs-Fixed: 1033525
+Change-Id: I6fa58f87a7c7df5f0485ea5b368ea090eb8bedb4
+Signed-off-by: Ashish Jain
+---
+ sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+index 379062e..7bd6ee8 100644
+--- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
++++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+@@ -1554,7 +1554,8 @@ static int msm_ds2_dap_get_param(u32 cmd, void *arg)
+ pr_debug("%s: port_id 0x%x, copp_idx %d, dev_map[i].device_id %x\n",
+ __func__, port_id, copp_idx, dev_map[i].device_id);
+
+- params_value = kzalloc(params_length, GFP_KERNEL);
++ params_value = kzalloc(params_length + param_payload_len,
++ GFP_KERNEL);
+ if (!params_value) {
+ pr_err("%s: params memory alloc failed\n", __func__);
+ rc = -ENOMEM;
+@@ -1578,9 +1579,9 @@ static int msm_ds2_dap_get_param(u32 cmd, void *arg)
+ rc = -EINVAL;
+ goto end;
+ } else {
+- params_length = (ds2_dap_params_length[i] +
+- DOLBY_PARAM_PAYLOAD_SIZE) *
+- sizeof(uint32_t);
++ params_length =
++ ds2_dap_params_length[i] * sizeof(uint32_t);
++
+ rc = adm_get_params(port_id, copp_idx,
+ DOLBY_BUNDLE_MODULE_ID,
+ ds2_dap_params_id[i],
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-6695/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6695/ANY/0001.patch
new file mode 100644
index 00000000..9b67d853
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-6695/ANY/0001.patch
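Review bot: The buffer in msm_ds2_dap_get_param is sized from the `params_length` value in effect at the `kzalloc`, but the second hunk then reassigns `params_length` from `ds2_dap_params_length[i]` before `adm_get_params` runs, and nothing visible checks that the new length still fits the allocation. If the earlier value derives from the caller's requested length, which the hunks do not show, a table entry larger than that request could let the read run past the buffer. Comparing before the reassignment, e.g. `if (ds2_dap_params_length[i] * sizeof(uint32_t) > params_length) { rc = -EINVAL; goto end; }`, would rule that out. The code between the two hunks and the `end` path are outside the hunks, so the ordering and the freeing of `params_value` on that path should be confirmed.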
@@ -0,0 +1,56 @@
+From c319c2b0926d1ea5edb4d0778d88bd3ce37c4b95 Mon Sep 17 00:00:00 2001
+From: Ashish Jain
+Date: Fri, 1 Jul 2016 12:31:21 +0530
+Subject: ASoC: msm: qdsp6v2: DAP: Add check to validate param length
+
+To avoid buffer overflow, validate input length used to
+fetch visualizer data.
+
+CRs-Fixed: 1033540
+Change-Id: I445d1ba3bce47308bc31ae24a70d5ee358f22a2d
+Signed-off-by: Ashish Jain
+---
+ sound/soc/msm/qdsp6v2/msm-dolby-common.h | 3 ++-
+ sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 7 +++++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-dolby-common.h b/sound/soc/msm/qdsp6v2/msm-dolby-common.h
+index aab6dc8..f14e42e 100644
+--- a/sound/soc/msm/qdsp6v2/msm-dolby-common.h
++++ b/sound/soc/msm/qdsp6v2/msm-dolby-common.h
+@@ -1,5 +1,5 @@
+
+-/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2013-2014, 2016 The Linux Foundation. All rights reserved.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+ * only version 2 as published by the Free Software Foundation.
+@@ -232,6 +232,7 @@
+
+ #define TOTAL_LENGTH_DOLBY_PARAM 745
+ #define DOLBY_VIS_PARAM_HEADER_SIZE 25
++#define DOLBY_PARAM_VCNB_MAX_LENGTH 40
+
+ #define DOLBY_INVALID_PORT_ID -1
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+index 379062e..86290aa 100644
+--- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
++++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+@@ -1635,6 +1635,13 @@ static int msm_ds2_dap_param_visualizer_control_get(u32 cmd, void *arg)
+ }
+
+ length = ds2_dap_params[cache_dev].params_val[DOLBY_PARAM_VCNB_OFFSET];
++
++ if (length > DOLBY_PARAM_VCNB_MAX_LENGTH || length <= 0) {
++ ret = 0;
++ dolby_data->length = 0;
++ pr_err("%s Incorrect VCNB length", __func__);
++ }
++
+ params_length = (2*length + DOLBY_VIS_PARAM_HEADER_SIZE) *
+ sizeof(uint32_t);
+
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-6696/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6696/ANY/0001.patch
new file mode 100644
index 00000000..87463916
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-6696/ANY/0001.patch
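Review bot: The added guard in msm_ds2_dap_param_visualizer_control_get logs the bad VCNB length but never leaves the function, so the next statement still computes `params_length` from the rejected `length`. It also sets `ret = 0`, which reports the rejection as success unless returning zero-length data is the intended contract. The block should end with an early exit, e.g. `ret = -EINVAL;` followed by a jump to the function's cleanup label, whose name is outside the hunk. The rest of the function is not visible here, so what consumes `params_length` afterwards should be checked against the full source.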
@@ -0,0 +1,35 @@
+From c3c9341bfdf93606983f893a086cb33a487306e5 Mon Sep 17 00:00:00 2001
+From: Ashish Jain
+Date: Mon, 18 Jul 2016 16:07:42 +0530
+Subject: ASoC: msm: qdsp6v2: DAP: Update check to validate data length
+
+A big negative data length value can bypass the current check,
+update the condition to ensure that only valid data length is used
+to copy the params.
+
+CRs-Fixed: 1041130
+Change-Id: I6e1a58e901e4c042acfb0ab0a6223dec2949aefe
+Signed-off-by: Ashish Jain
+---
+ sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+index 48180cf..ad2f2e9 100644
+--- a/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
++++ b/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c
+@@ -1523,8 +1523,9 @@ static int msm_ds2_dap_get_param(u32 cmd, void *arg)
+ }
+
+ /* Return if invalid length */
+- if (dolby_data->length >
+- (DOLBY_MAX_LENGTH_INDIVIDUAL_PARAM - DOLBY_PARAM_PAYLOAD_SIZE)) {
++ if ((dolby_data->length >
++ (DOLBY_MAX_LENGTH_INDIVIDUAL_PARAM - DOLBY_PARAM_PAYLOAD_SIZE)) ||
++ (dolby_data->length <= 0)) {
+ pr_err("Invalid length %d", dolby_data->length);
+ rc = -EINVAL;
+ goto end;
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2016-6698/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6698/3.10/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-6698/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-6698/3.10/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-6698/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-6698/3.18/0002.patch
new file mode 100644
index 00000000..1195eb29
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-6698/3.18/0002.patch
@@ -0,0 +1,213 @@ +From 3baefa3af45c0ab1ca8391821ea55b9049a3a3da Mon Sep 17 00:00:00 2001 +From: Laxminath Kasam +Date: Mon, 29 Aug 2016 21:58:32 +0530 +Subject: misc: qcom: qdsp6v2: initialize config_32 + +Not all members of config_32 are set before they are used which +might lead to invalid values being passed and used. To fix this +issue initialize all member variables of struct config_32 to 0 before +assigning specific values individually. + +CRs-Fixed: 1058826 +Change-Id: Ifea3a6e8bf45481c65a4455ee64318304798fee2 +Signed-off-by: Laxminath Kasam +--- + drivers/misc/qcom/qdsp6v2/aac_in.c | 4 +++- + drivers/misc/qcom/qdsp6v2/amrnb_in.c | 4 +++- + drivers/misc/qcom/qdsp6v2/amrwb_in.c | 2 ++ + drivers/misc/qcom/qdsp6v2/audio_alac.c | 2 ++ + drivers/misc/qcom/qdsp6v2/audio_amrwbplus.c | 4 ++++ + drivers/misc/qcom/qdsp6v2/audio_ape.c | 2 ++ + drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 2 ++ + drivers/misc/qcom/qdsp6v2/audio_multi_aac.c | 2 ++ + drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 1 + + drivers/misc/qcom/qdsp6v2/audio_wmapro.c | 2 ++ + drivers/misc/qcom/qdsp6v2/evrc_in.c | 4 +++- + drivers/misc/qcom/qdsp6v2/qcelp_in.c | 4 +++- + 12 files changed, 29 insertions(+), 4 deletions(-) + +diff --git a/drivers/misc/qcom/qdsp6v2/aac_in.c b/drivers/misc/qcom/qdsp6v2/aac_in.c +index c9d5dbb..7176c114 100644 +--- a/drivers/misc/qcom/qdsp6v2/aac_in.c ++++ b/drivers/misc/qcom/qdsp6v2/aac_in.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2010-2015, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -421,6 +421,8 @@ static long aac_in_compat_ioctl(struct file *file, unsigned int cmd, + struct msm_audio_aac_enc_config cfg; + struct msm_audio_aac_enc_config32 cfg_32; + ++ memset(&cfg_32, 0, sizeof(cfg_32)); ++ + cmd = AUDIO_GET_AAC_ENC_CONFIG; + rc = aac_in_ioctl_shared(file, cmd, &cfg); + if (rc) { +diff --git a/drivers/misc/qcom/qdsp6v2/amrnb_in.c b/drivers/misc/qcom/qdsp6v2/amrnb_in.c +index eb92137..9d4cf5c 100644 +--- a/drivers/misc/qcom/qdsp6v2/amrnb_in.c ++++ b/drivers/misc/qcom/qdsp6v2/amrnb_in.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2010-2012, 2014 The Linux Foundation. All rights reserved. ++/* Copyright (c) 2010-2016 The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -221,6 +221,8 @@ static long amrnb_in_compat_ioctl(struct file *file, + struct msm_audio_amrnb_enc_config_v2 *amrnb_config; + struct msm_audio_amrnb_enc_config_v2_32 amrnb_config_32; + ++ memset(&amrnb_config_32, 0, sizeof(amrnb_config_32)); ++ + amrnb_config = + (struct msm_audio_amrnb_enc_config_v2 *)audio->enc_cfg; + amrnb_config_32.band_mode = amrnb_config->band_mode; +diff --git a/drivers/misc/qcom/qdsp6v2/amrwb_in.c b/drivers/misc/qcom/qdsp6v2/amrwb_in.c +index 9bd19d9..43dcbd5 100644 +--- a/drivers/misc/qcom/qdsp6v2/amrwb_in.c ++++ b/drivers/misc/qcom/qdsp6v2/amrwb_in.c +@@ -217,6 +217,8 @@ static long amrwb_in_compat_ioctl(struct file *file, + struct msm_audio_amrwb_enc_config *amrwb_config; + struct msm_audio_amrwb_enc_config_32 amrwb_config_32; + ++ memset(&amrwb_config_32, 0, sizeof(amrwb_config_32)); ++ + amrwb_config = + (struct msm_audio_amrwb_enc_config *)audio->enc_cfg; + amrwb_config_32.band_mode = amrwb_config->band_mode; +diff --git a/drivers/misc/qcom/qdsp6v2/audio_alac.c 
b/drivers/misc/qcom/qdsp6v2/audio_alac.c +index 7b18e3a..646d37d 100644 +--- a/drivers/misc/qcom/qdsp6v2/audio_alac.c ++++ b/drivers/misc/qcom/qdsp6v2/audio_alac.c +@@ -196,6 +196,8 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd, + struct msm_audio_alac_config *alac_config; + struct msm_audio_alac_config_32 alac_config_32; + ++ memset(&alac_config_32, 0, sizeof(alac_config_32)); ++ + alac_config = (struct msm_audio_alac_config *)audio->codec_cfg; + alac_config_32.frameLength = alac_config->frameLength; + alac_config_32.compatVersion = +diff --git a/drivers/misc/qcom/qdsp6v2/audio_amrwbplus.c b/drivers/misc/qcom/qdsp6v2/audio_amrwbplus.c +index e96e23a..3c3f1c4 100644 +--- a/drivers/misc/qcom/qdsp6v2/audio_amrwbplus.c ++++ b/drivers/misc/qcom/qdsp6v2/audio_amrwbplus.c +@@ -205,6 +205,10 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd, + struct msm_audio_amrwbplus_config_v2 *amrwbplus_config; + struct msm_audio_amrwbplus_config_v2_32 + amrwbplus_config_32; ++ ++ memset(&amrwbplus_config_32, 0, ++ sizeof(amrwbplus_config_32)); ++ + amrwbplus_config = + (struct msm_audio_amrwbplus_config_v2 *) + audio->codec_cfg; +diff --git a/drivers/misc/qcom/qdsp6v2/audio_ape.c b/drivers/misc/qcom/qdsp6v2/audio_ape.c +index 8d78124..7371512 100644 +--- a/drivers/misc/qcom/qdsp6v2/audio_ape.c ++++ b/drivers/misc/qcom/qdsp6v2/audio_ape.c +@@ -180,6 +180,8 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd, + struct msm_audio_ape_config *ape_config; + struct msm_audio_ape_config_32 ape_config_32; + ++ memset(&ape_config_32, 0, sizeof(ape_config_32)); ++ + ape_config = (struct msm_audio_ape_config *)audio->codec_cfg; + ape_config_32.compatibleVersion = ape_config->compatibleVersion; + ape_config_32.compressionLevel = +diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c +index 6843fd7..940fd08 100644 +--- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c ++++ 
b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c +@@ -630,6 +630,8 @@ static long audio_effects_compat_ioctl(struct file *file, unsigned int cmd, + case AUDIO_EFFECTS_GET_BUF_AVAIL32: { + struct msm_hwacc_buf_avail32 buf_avail; + ++ memset(&buf_avail, 0, sizeof(buf_avail)); ++ + buf_avail.input_num_avail = atomic_read(&effects->in_count); + buf_avail.output_num_avail = atomic_read(&effects->out_count); + pr_debug("%s: write buf avail: %d, read buf avail: %d\n", +diff --git a/drivers/misc/qcom/qdsp6v2/audio_multi_aac.c b/drivers/misc/qcom/qdsp6v2/audio_multi_aac.c +index 858f7bc..4ac74a5 100644 +--- a/drivers/misc/qcom/qdsp6v2/audio_multi_aac.c ++++ b/drivers/misc/qcom/qdsp6v2/audio_multi_aac.c +@@ -302,6 +302,8 @@ static long audio_compat_ioctl(struct file *file, unsigned int cmd, + struct msm_audio_aac_config *aac_config; + struct msm_audio_aac_config32 aac_config_32; + ++ memset(&aac_config_32, 0, sizeof(aac_config_32)); ++ + aac_config = (struct msm_audio_aac_config *)audio->codec_cfg; + aac_config_32.format = aac_config->format; + aac_config_32.audio_object = aac_config->audio_object; +diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c +index 4edc814..2b0af2e 100644 +--- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c ++++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c +@@ -2038,6 +2038,7 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd, + audio->buf_cfg.frames_per_buf); + + mutex_lock(&audio->lock); ++ memset(&cfg_32, 0, sizeof(cfg_32)); + cfg_32.meta_info_enable = audio->buf_cfg.meta_info_enable; + cfg_32.frames_per_buf = audio->buf_cfg.frames_per_buf; + if (copy_to_user((void *)arg, &cfg_32, +diff --git a/drivers/misc/qcom/qdsp6v2/audio_wmapro.c b/drivers/misc/qcom/qdsp6v2/audio_wmapro.c +index 2c88e77..d389d9b 100644 +--- a/drivers/misc/qcom/qdsp6v2/audio_wmapro.c ++++ b/drivers/misc/qcom/qdsp6v2/audio_wmapro.c +@@ -217,6 +217,8 @@ static long audio_compat_ioctl(struct file *file, 
unsigned int cmd, + struct msm_audio_wmapro_config *wmapro_config; + struct msm_audio_wmapro_config32 wmapro_config_32; + ++ memset(&wmapro_config_32, 0, sizeof(wmapro_config_32)); ++ + wmapro_config = + (struct msm_audio_wmapro_config *)audio->codec_cfg; + wmapro_config_32.armdatareqthr = wmapro_config->armdatareqthr; +diff --git a/drivers/misc/qcom/qdsp6v2/evrc_in.c b/drivers/misc/qcom/qdsp6v2/evrc_in.c +index 2f931be..aab8e27 100644 +--- a/drivers/misc/qcom/qdsp6v2/evrc_in.c ++++ b/drivers/misc/qcom/qdsp6v2/evrc_in.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -224,6 +224,8 @@ static long evrc_in_compat_ioctl(struct file *file, + struct msm_audio_evrc_enc_config32 cfg_32; + struct msm_audio_evrc_enc_config *enc_cfg; + ++ memset(&cfg_32, 0, sizeof(cfg_32)); ++ + enc_cfg = audio->enc_cfg; + cfg_32.cdma_rate = enc_cfg->cdma_rate; + cfg_32.min_bit_rate = enc_cfg->min_bit_rate; +diff --git a/drivers/misc/qcom/qdsp6v2/qcelp_in.c b/drivers/misc/qcom/qdsp6v2/qcelp_in.c +index b5d5ad1..aabf5d3 100644 +--- a/drivers/misc/qcom/qdsp6v2/qcelp_in.c ++++ b/drivers/misc/qcom/qdsp6v2/qcelp_in.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -225,6 +225,8 @@ static long qcelp_in_compat_ioctl(struct file *file, + struct msm_audio_qcelp_enc_config32 cfg_32; + struct msm_audio_qcelp_enc_config *enc_cfg; + ++ memset(&cfg_32, 0, sizeof(cfg_32)); ++ + enc_cfg = (struct msm_audio_qcelp_enc_config *)audio->enc_cfg; + cfg_32.cdma_rate = enc_cfg->cdma_rate; + cfg_32.min_bit_rate = enc_cfg->min_bit_rate; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-6725/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6725/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6725/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6725/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6725/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-6725/3.18/0002.patch new file mode 100644 index 00000000..0aac1c13 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-6725/3.18/0002.patch 
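Review bot: None of the added `memset()` calls carries a comment saying why a full clear is needed on top of the member-by-member assignments that follow, so a later cleanup could swap them for a `= {0}` initializer, which does not guarantee that padding bytes are cleared. In `audio_aio_compat_ioctl` the structure goes straight to `copy_to_user()`, and the other compat handlers presumably do the same outside their hunks, so any byte left unset would reach user space. I would add a one-line comment above each call, e.g. `/* clear padding and unset members: struct is copied to user space */`. In aac_in.c the native `cfg` passed to `aac_in_ioctl_shared()` is still uninitialised; whether the shared handler fills every member is not visible here and is worth confirming.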
@@ -0,0 +1,40 @@ +From a8bfc6888280ac70c9c13b1802c1e962522714a4 Mon Sep 17 00:00:00 2001 +From: Zhen Kong +Date: Tue, 16 Aug 2016 12:46:12 -0700 +Subject: msm: crypto: Fix integer over flow check in qcrypto driver + +Integer overflow check is invalid when ULONG_MAX is used, +as ULONG_MAX has typeof 'unsigned long', while req->assoclen, +req->crytlen, and qreq.ivsize are 'unsigned int'. Make change +to use UINT_MAX instead of ULONG_MAX. + +CRs-fixed: 1050970 +Change-Id: I3782ea7ed2eaacdcad15b34e047a4699bf4f9e4f +Signed-off-by: Zhen Kong +--- + drivers/crypto/msm/qcrypto.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/msm/qcrypto.c b/drivers/crypto/msm/qcrypto.c +index a975575..79e5ae9 100644 +--- a/drivers/crypto/msm/qcrypto.c ++++ b/drivers/crypto/msm/qcrypto.c +@@ -2168,12 +2168,12 @@ static int _qcrypto_process_aead(struct crypto_engine *pengine, + * include assoicated data, ciphering data stream, + * generated MAC, and CCM padding. + */ +- if ((MAX_ALIGN_SIZE * 2 > ULONG_MAX - req->assoclen) || ++ if ((MAX_ALIGN_SIZE * 2 > UINT_MAX - req->assoclen) || + ((MAX_ALIGN_SIZE * 2 + req->assoclen) > +- ULONG_MAX - qreq.ivsize) || ++ UINT_MAX - qreq.ivsize) || + ((MAX_ALIGN_SIZE * 2 + req->assoclen + + qreq.ivsize) +- > ULONG_MAX - req->cryptlen)) { ++ > UINT_MAX - req->cryptlen)) { + pr_err("Integer overflow on aead req length.\n"); + return -EINVAL; + } +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-6728/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6728/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6728/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6728/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6728/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-6728/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6728/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2016-6728/ANY/0002.patch 
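Review bot: The corrected bound in `_qcrypto_process_aead` only holds while `MAX_ALIGN_SIZE * 2`, `req->assoclen`, `qreq.ivsize` and `req->cryptlen` are all `unsigned int`, and nothing at the check says so. The existing comment above it describes the buffer contents but not the type assumption, so I would add `/* all operands are unsigned int: bound against UINT_MAX, not ULONG_MAX */` directly above the `if`. The definition of `MAX_ALIGN_SIZE` and the code that consumes the sum are outside the hunk, so it is worth confirming that the sum is also held in an `unsigned int`.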
diff --git a/Patches/Linux_CVEs/CVE-2016-6728/ANY/2.patch b/Patches/Linux_CVEs/CVE-2016-6728/ANY/2.patch deleted file mode 100644 index b1f4e3bf..00000000 --- a/Patches/Linux_CVEs/CVE-2016-6728/ANY/2.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 6d907675d409feb2145add6aa7f905002a50e8ca Mon Sep 17 00:00:00 2001 -From: Daniel Rosenberg -Date: Fri, 9 Sep 2016 15:32:34 -0700 -Subject: [PATCH] ion: Disable ION_HEAP_TYPE_SYSTEM_CONTIG - -Bug: 30400942 -Change-Id: I19fa5bf6e5c66b532b842180b2cf0ae04ddca337 -Signed-off-by: Daniel Rosenberg ---- - drivers/staging/android/ion/ion_heap.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/drivers/staging/android/ion/ion_heap.c b/drivers/staging/android/ion/ion_heap.c -index 0c62683ac0409..fa6c9daf8eec9 100644 ---- a/drivers/staging/android/ion/ion_heap.c -+++ b/drivers/staging/android/ion/ion_heap.c -@@ -300,8 +300,9 @@ struct ion_heap *ion_heap_create(struct ion_platform_heap *heap_data) - - switch (heap_data->type) { - case ION_HEAP_TYPE_SYSTEM_CONTIG: -- heap = ion_system_contig_heap_create(heap_data); -- break; -+ pr_err("%s: Heap type is disabled: %d\n", __func__, -+ heap_data->type); -+ return ERR_PTR(-EINVAL); - case ION_HEAP_TYPE_SYSTEM: - heap = ion_system_heap_create(heap_data); - break; -@@ -340,7 +341,8 @@ void ion_heap_destroy(struct ion_heap *heap) - - switch (heap->type) { - case ION_HEAP_TYPE_SYSTEM_CONTIG: -- ion_system_contig_heap_destroy(heap); -+ pr_err("%s: Heap type is disabled: %d\n", __func__, -+ heap->type); - break; - case ION_HEAP_TYPE_SYSTEM: - ion_system_heap_destroy(heap); diff --git a/Patches/Linux_CVEs/CVE-2016-6738/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6738/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6738/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6738/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2016-6739/3.10/1.patch b/Patches/Linux_CVEs/CVE-2016-6739/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6739/3.10/1.patch rename to Patches/Linux_CVEs/CVE-2016-6739/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6739/3.18/0.patch b/Patches/Linux_CVEs/CVE-2016-6739/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6739/3.18/0.patch rename to Patches/Linux_CVEs/CVE-2016-6739/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6740/3.10/1.patch b/Patches/Linux_CVEs/CVE-2016-6740/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6740/3.10/1.patch rename to Patches/Linux_CVEs/CVE-2016-6740/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6740/3.18/0.patch b/Patches/Linux_CVEs/CVE-2016-6740/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6740/3.18/0.patch rename to Patches/Linux_CVEs/CVE-2016-6740/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6741/3.10/0.patch.disabled b/Patches/Linux_CVEs/CVE-2016-6741/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6741/3.10/0.patch.disabled rename to Patches/Linux_CVEs/CVE-2016-6741/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6741/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-6741/3.18/0002.patch new file mode 100644 index 00000000..bab8e7f4 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-6741/3.18/0002.patch 
@@ -0,0 +1,137 @@ +From d291eebd8e43bba3229ae7ef9146a132894dc293 Mon Sep 17 00:00:00 2001 +From: Samyukta Mogily +Date: Thu, 8 Sep 2016 17:35:52 +0530 +Subject: msm: camera: Restructure data handling to be more robust + +Use dynamic array allocation instead of static array to +prevent stack overflow. +User-supplied number of bytes may result in integer overflow. +To fix this we check that the num_byte isn't above 8K size. + +CRs-Fixed: 1060554 +Change-Id: I407b5ec8cdc2ac7f3b491644418d3eb1101ce65a +Signed-off-by: Samyukta Mogily +--- + .../msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 6 ++++ + .../msm/camera_v2/sensor/io/msm_camera_qup_i2c.c | 39 ++++++++++++++++++++-- + 2 files changed, 43 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c +index a4ee504..27d4f5e 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c +@@ -69,6 +69,12 @@ int32_t msm_camera_cci_i2c_read_seq(struct msm_camera_i2c_client *client, + || num_byte == 0) + return rc; + ++ if (num_byte > I2C_REG_DATA_MAX) { ++ pr_err("%s: Error num_byte:0x%x exceeds 8K max supported:0x%x\n", ++ __func__, num_byte, I2C_REG_DATA_MAX); ++ return rc; ++ } ++ + buf = kzalloc(num_byte, GFP_KERNEL); + if (!buf) { + pr_err("%s:%d no memory\n", __func__, __LINE__); +diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c +index 7a0fb97..7d21866 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_qup_i2c.c +@@ -73,7 +73,7 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client, + enum msm_camera_i2c_data_type data_type) + { + int32_t rc = -EFAULT; +- unsigned char 
buf[client->addr_type+data_type]; ++ unsigned char *buf = NULL; + + if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR + && client->addr_type != MSM_CAMERA_I2C_WORD_ADDR) +@@ -81,6 +81,17 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client, + && data_type != MSM_CAMERA_I2C_WORD_DATA)) + return rc; + ++ if (client->addr_type > UINT_MAX - data_type) { ++ pr_err("%s: integer overflow prevented\n", __func__); ++ return rc; ++ } ++ ++ buf = kzalloc(client->addr_type+data_type, GFP_KERNEL); ++ if (!buf) { ++ pr_err("%s:%d no memory\n", __func__, __LINE__); ++ return -ENOMEM; ++ } ++ + if (client->addr_type == MSM_CAMERA_I2C_BYTE_ADDR) { + buf[0] = addr; + } else if (client->addr_type == MSM_CAMERA_I2C_WORD_ADDR) { +@@ -90,6 +101,8 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client, + rc = msm_camera_qup_i2c_rxdata(client, buf, data_type); + if (rc < 0) { + S_I2C_DBG("%s fail\n", __func__); ++ kfree(buf); ++ buf = NULL; + return rc; + } + +@@ -99,6 +112,8 @@ int32_t msm_camera_qup_i2c_read(struct msm_camera_i2c_client *client, + *data = buf[0] << 8 | buf[1]; + + S_I2C_DBG("%s addr = 0x%x data: 0x%x\n", __func__, addr, *data); ++ kfree(buf); ++ buf = NULL; + return rc; + } + +@@ -106,7 +121,7 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client, + uint32_t addr, uint8_t *data, uint32_t num_byte) + { + int32_t rc = -EFAULT; +- unsigned char buf[client->addr_type+num_byte]; ++ unsigned char *buf = NULL; + int i; + + if ((client->addr_type != MSM_CAMERA_I2C_BYTE_ADDR +@@ -114,6 +129,22 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client, + || num_byte == 0) + return rc; + ++ if (num_byte > I2C_REG_DATA_MAX) { ++ pr_err("%s: Error num_byte:0x%x exceeds 8K max supported:0x%x\n", ++ __func__, num_byte, I2C_REG_DATA_MAX); ++ return rc; ++ } ++ if (client->addr_type > UINT_MAX - num_byte) { ++ pr_err("%s: integer overflow prevented\n", __func__); ++ return rc; ++ } ++ ++ buf = 
kzalloc(client->addr_type+num_byte, GFP_KERNEL); ++ if (!buf) { ++ pr_err("%s:%d no memory\n", __func__, __LINE__); ++ return -ENOMEM; ++ } ++ + if (client->addr_type == MSM_CAMERA_I2C_BYTE_ADDR) { + buf[0] = addr; + } else if (client->addr_type == MSM_CAMERA_I2C_WORD_ADDR) { +@@ -123,6 +154,8 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client, + rc = msm_camera_qup_i2c_rxdata(client, buf, num_byte); + if (rc < 0) { + S_I2C_DBG("%s fail\n", __func__); ++ kfree(buf); ++ buf = NULL; + return rc; + } + +@@ -132,6 +165,8 @@ int32_t msm_camera_qup_i2c_read_seq(struct msm_camera_i2c_client *client, + S_I2C_DBG("Byte %d: 0x%x\n", i, buf[i]); + S_I2C_DBG("Data: 0x%x\n", data[i]); + } ++ kfree(buf); ++ buf = NULL; + return rc; + } + +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-6742/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6742/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6742/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6742/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6745/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6745/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6745/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6745/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6745/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-6745/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6745/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2016-6745/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6745/ANY/2.patch b/Patches/Linux_CVEs/CVE-2016-6745/ANY/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6745/ANY/2.patch rename to Patches/Linux_CVEs/CVE-2016-6745/ANY/0003.patch 
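Review bot: In `msm_camera_qup_i2c_read` the added `client->addr_type > UINT_MAX - data_type` test sits after both values have already been matched against the BYTE/WORD constants, so it looks unreachable there, and the buffer is at most a few bytes. A fixed array such as `unsigned char buf[MSM_CAMERA_I2C_WORD_ADDR + MSM_CAMERA_I2C_WORD_DATA];` would remove the per-read `kzalloc()`/`kfree()` pair and the new `-ENOMEM` path, assuming the enum values are byte counts as the size expression implies. In `msm_camera_qup_i2c_read_seq` and `msm_camera_cci_i2c_read_seq` the oversize `num_byte` case returns the initial `rc` (`-EFAULT` in the qup file) where `-EINVAL` would describe a rejected argument better, and the message hard-codes "8K" next to `I2C_REG_DATA_MAX`. The `buf = NULL;` assignments placed right before `return` have no effect on a local variable. These functions continue outside the inner hunks shown.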
diff --git a/Patches/Linux_CVEs/CVE-2016-6745/ANY/3.patch b/Patches/Linux_CVEs/CVE-2016-6745/ANY/0004.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6745/ANY/3.patch rename to Patches/Linux_CVEs/CVE-2016-6745/ANY/0004.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6745/ANY/0005.patch b/Patches/Linux_CVEs/CVE-2016-6745/ANY/0005.patch new file mode 100644 index 00000000..b8e553b4 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-6745/ANY/0005.patch 
@@ -0,0 +1,401 @@ +From f5c96a8c96615490b72357b1c0940196f7dde474 Mon Sep 17 00:00:00 2001 +From: Andrew Chant +Date: Wed, 14 Sep 2016 14:12:13 -0700 +Subject: [PATCH] input: touchscreen: Synaptics: prevent sysfs races + +Concurrent sysfs calls can cause ugly race conditions. +Return EBUSY on concurrent sysfs calls, and prevent sysfs calls +during initial fw load. + +Change-Id: Iec3db7f3fe9d33104319fd3e2bbf1d70ba68221b +Bug: 31252388 +Signed-off-by: Andrew Chant +--- + .../synaptics_dsx_fw_update.c | 133 +++++++++++++++------ + 1 file changed, 99 insertions(+), 34 deletions(-) + +diff --git a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c +index 3887f79a97a08..af6f92553aa7e 100644 +--- a/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c ++++ b/drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -768,6 +769,8 @@ static struct device_attribute attrs[] = { + static struct synaptics_rmi4_fwu_handle *fwu; + + DECLARE_COMPLETION(fwu_remove_complete); ++DEFINE_MUTEX(fwu_sysfs_mutex); ++ + #ifdef HTC_FEATURE + static uint32_t syn_crc(uint16_t *data, uint32_t len) + { +@@ -5087,6 +5090,9 @@ static void fwu_startup_fw_update_work(struct work_struct *work) + } + #endif + ++ /* Prevent sysfs operations during initial update. 
*/ ++ mutex_lock(&fwu_sysfs_mutex); ++ + #ifdef HTC_FEATURE + wake_lock(&fwu->fwu_wake_lock); + if (bdata->update_feature & SYNAPTICS_RMI4_UPDATE_IMAGE) +@@ -5101,7 +5107,7 @@ static void fwu_startup_fw_update_work(struct work_struct *work) + #else + synaptics_fw_updater(NULL); + #endif +- ++ mutex_unlock(&fwu_sysfs_mutex); + return; + } + #endif +@@ -5113,11 +5119,15 @@ static ssize_t fwu_sysfs_show_image(struct file *data_file, + int retval; + struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; + ++ if (!mutex_trylock(&fwu_sysfs_mutex)) ++ return -EBUSY; ++ + if (count < fwu->config_size) { + dev_err(rmi4_data->pdev->dev.parent, + "%s: Not enough space (%d bytes) in buffer\n", + __func__, (unsigned int)count); +- return -EINVAL; ++ retval = -EINVAL; ++ goto show_image_exit; + } + + retval = secure_memcpy(buf, count, fwu->read_config_buf, +@@ -5126,10 +5136,14 @@ static ssize_t fwu_sysfs_show_image(struct file *data_file, + dev_err(rmi4_data->pdev->dev.parent, + "%s: Failed to copy config data\n", + __func__); +- return retval; ++ goto show_image_exit; + } + +- return fwu->config_size; ++ retval = fwu->config_size; ++ ++show_image_exit: ++ mutex_unlock(&fwu_sysfs_mutex); ++ return retval; + } + + static ssize_t fwu_sysfs_store_image(struct file *data_file, +@@ -5139,18 +5153,24 @@ static ssize_t fwu_sysfs_store_image(struct file *data_file, + int retval; + struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; + ++ if (!mutex_trylock(&fwu_sysfs_mutex)) ++ return -EBUSY; ++ + retval = secure_memcpy(&fwu->ext_data_source[fwu->data_pos], + fwu->image_size - fwu->data_pos, buf, count, count); + if (retval < 0) { + dev_err(rmi4_data->pdev->dev.parent, + "%s: Failed to copy image data\n", + __func__); +- return retval; ++ goto store_image_exit; + } + + fwu->data_pos += count; ++ retval = count; + +- return count; ++store_image_exit: ++ mutex_unlock(&fwu_sysfs_mutex); ++ return retval; + } + + static ssize_t fwu_sysfs_do_recovery_store(struct device *dev, +@@ 
-5160,9 +5180,12 @@ static ssize_t fwu_sysfs_do_recovery_store(struct device *dev, + unsigned int input; + struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; + ++ if (!mutex_trylock(&fwu_sysfs_mutex)) ++ return -EBUSY; ++ + if (sscanf(buf, "%u", &input) != 1) { + retval = -EINVAL; +- goto exit; ++ goto do_recovery_store_exit; + } + + if (!fwu->in_ub_mode) { +@@ -5170,11 +5193,13 @@ static ssize_t fwu_sysfs_do_recovery_store(struct device *dev, + "%s: Not in microbootloader mode\n", + __func__); + retval = -EINVAL; +- goto exit; ++ goto do_recovery_store_exit; + } + +- if (!fwu->ext_data_source) +- return -EINVAL; ++ if (!fwu->ext_data_source) { ++ retval = -EINVAL; ++ goto do_recovery_store_exit; ++ } + else + fwu->image = fwu->ext_data_source; + +@@ -5183,15 +5208,18 @@ static ssize_t fwu_sysfs_do_recovery_store(struct device *dev, + dev_err(rmi4_data->pdev->dev.parent, + "%s: Failed to do recovery\n", + __func__); +- goto exit; ++ goto free_data_source_recovery_exit; + } + + retval = count; + +-exit: ++free_data_source_recovery_exit: + kfree(fwu->ext_data_source); + fwu->ext_data_source = NULL; + fwu->image = NULL; ++ ++do_recovery_store_exit: ++ mutex_unlock(&fwu_sysfs_mutex); + return retval; + } + +@@ -5201,9 +5229,13 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, + int retval; + unsigned int input; + struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; ++ ++ if (!mutex_trylock(&fwu_sysfs_mutex)) ++ return -EBUSY; ++ + if (sscanf(buf, "%u", &input) != 1) { + retval = -EINVAL; +- goto exit; ++ goto reflash_store_exit; + } + + if (fwu->in_ub_mode) { +@@ -5211,7 +5243,7 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, + "%s: In microbootloader mode\n", + __func__); + retval = -EINVAL; +- goto exit; ++ goto reflash_store_exit; + } + + //if (!fwu->ext_data_source) +@@ -5226,7 +5258,7 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, + + if ((input != NORMAL) && (input != FORCE)) { + retval = -EINVAL; +- goto 
exit; ++ goto reflash_store_exit; + } + + if (input == FORCE) +@@ -5237,12 +5269,12 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, + dev_err(rmi4_data->pdev->dev.parent, + "%s: Failed to do reflash\n", + __func__); +- goto exit; ++ goto reflash_store_free_exit; + } + + retval = count; + +-exit: ++reflash_store_free_exit: + if (fwu->ext_data_source != NULL) { + kfree(fwu->ext_data_source); + fwu->ext_data_source = NULL; +@@ -5250,6 +5282,9 @@ static ssize_t fwu_sysfs_do_reflash_store(struct device *dev, + fwu->image = NULL; + fwu->force_update = FORCE_UPDATE; + fwu->do_lockdown = DO_LOCKDOWN; ++ ++reflash_store_exit: ++ mutex_unlock(&fwu_sysfs_mutex); + return retval; + } + +@@ -5260,14 +5295,17 @@ static ssize_t fwu_sysfs_write_config_store(struct device *dev, + unsigned int input; + struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; + ++ if (!mutex_trylock(&fwu_sysfs_mutex)) ++ return -EBUSY; ++ + if (sscanf(buf, "%u", &input) != 1) { + retval = -EINVAL; +- goto exit; ++ goto write_config_store_exit; + } + + if (input != 1) { + retval = -EINVAL; +- goto exit; ++ goto write_config_store_exit; + } + + if (fwu->in_ub_mode) { +@@ -5275,28 +5313,32 @@ static ssize_t fwu_sysfs_write_config_store(struct device *dev, + "%s: In microbootloader mode\n", + __func__); + retval = -EINVAL; +- goto exit; ++ goto write_config_store_exit; + } + +- if (!fwu->ext_data_source) +- return -EINVAL; +- else ++ if (!fwu->ext_data_source) { ++ retval = -EINVAL; ++ goto write_config_store_exit; ++ } else { + fwu->image = fwu->ext_data_source; +- ++ } + retval = fwu_start_write_config(); + if (retval < 0) { + dev_err(rmi4_data->pdev->dev.parent, + "%s: Failed to write config\n", + __func__); +- goto exit; ++ goto write_config_store_free_exit; + } + + retval = count; + +-exit: ++write_config_store_free_exit: + kfree(fwu->ext_data_source); + fwu->ext_data_source = NULL; + fwu->image = NULL; ++ ++write_config_store_exit: ++ mutex_unlock(&fwu_sysfs_mutex); + return retval; 
+ } + +@@ -5320,7 +5362,11 @@ static ssize_t fwu_sysfs_read_config_store(struct device *dev, + return -EINVAL; + } + ++ if (!mutex_trylock(&fwu_sysfs_mutex)) ++ return -EBUSY; + retval = fwu_do_read_config(); ++ mutex_unlock(&fwu_sysfs_mutex); ++ + if (retval < 0) { + dev_err(rmi4_data->pdev->dev.parent, + "%s: Failed to read config\n", +@@ -5341,7 +5387,10 @@ static ssize_t fwu_sysfs_config_area_store(struct device *dev, + if (retval) + return retval; + ++ if (!mutex_trylock(&fwu_sysfs_mutex)) ++ return -EBUSY; + fwu->config_area = config_area; ++ mutex_unlock(&fwu_sysfs_mutex); + + return count; + } +@@ -5352,8 +5401,12 @@ static ssize_t fwu_sysfs_image_name_store(struct device *dev, + int retval; + struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; + ++ if (!mutex_trylock(&fwu_sysfs_mutex)) ++ return -EBUSY; + retval = secure_memcpy(fwu->image_name, MAX_IMAGE_NAME_LEN, + buf, count, count); ++ mutex_unlock(&fwu_sysfs_mutex); ++ + if (retval < 0) { + dev_err(rmi4_data->pdev->dev.parent, + "%s: Failed to copy image file name\n", +@@ -5375,6 +5428,9 @@ static ssize_t fwu_sysfs_image_size_store(struct device *dev, + if (retval) + return retval; + ++ if (!mutex_trylock(&fwu_sysfs_mutex)) ++ return -EBUSY; ++ + fwu->image_size = size; + fwu->data_pos = 0; + +@@ -5382,6 +5438,8 @@ static ssize_t fwu_sysfs_image_size_store(struct device *dev, + kfree(fwu->ext_data_source); + } + fwu->ext_data_source = kzalloc(fwu->image_size, GFP_KERNEL); ++ mutex_unlock(&fwu_sysfs_mutex); ++ + if (!fwu->ext_data_source) { + dev_err(rmi4_data->pdev->dev.parent, + "%s: Failed to alloc mem for image data\n", +@@ -5441,14 +5499,17 @@ static ssize_t fwu_sysfs_write_guest_code_store(struct device *dev, + unsigned int input; + struct synaptics_rmi4_data *rmi4_data = fwu->rmi4_data; + ++ if (!mutex_trylock(&fwu_sysfs_mutex)) ++ return -EBUSY; ++ + if (sscanf(buf, "%u", &input) != 1) { + retval = -EINVAL; +- goto exit; ++ goto write_guest_code_store_exit; + } + + if (input != 1) { + retval 
= -EINVAL; +- goto exit; ++ goto write_guest_code_store_exit; + } + + if (fwu->in_ub_mode) { +@@ -5456,28 +5517,32 @@ static ssize_t fwu_sysfs_write_guest_code_store(struct device *dev, + "%s: In microbootloader mode\n", + __func__); + retval = -EINVAL; +- goto exit; ++ goto write_guest_code_store_exit; + } + +- if (!fwu->ext_data_source) +- return -EINVAL; +- else ++ if (!fwu->ext_data_source) { ++ retval = -EINVAL; ++ goto write_guest_code_store_exit; ++ } else { + fwu->image = fwu->ext_data_source; ++ } + + retval = fwu_start_write_guest_code(); + if (retval < 0) { + dev_err(rmi4_data->pdev->dev.parent, + "%s: Failed to write guest code\n", + __func__); +- goto exit; ++ goto write_guest_code_store_free_exit; + } + + retval = count; + +-exit: ++write_guest_code_store_free_exit: + kfree(fwu->ext_data_source); + fwu->ext_data_source = NULL; + fwu->image = NULL; ++write_guest_code_store_exit: ++ mutex_unlock(&fwu_sysfs_mutex); + return retval; + } + diff --git a/Patches/Linux_CVEs/CVE-2016-6748/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-6748/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6748/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2016-6748/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6748/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6748/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6748/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6748/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6749/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6749/ANY/0001.patch new file mode 100644 index 00000000..0eadbd3e --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-6749/ANY/0001.patch 
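Review bot: In `fwu_sysfs_image_size_store` the lock is dropped right after the `kzalloc()` and `fwu->ext_data_source` is then tested outside it, so a concurrent store that frees and clears the pointer can make this call report an allocation failure that did not happen. Moving `mutex_unlock(&fwu_sysfs_mutex);` to after the NULL check, and onto the error return as well, keeps the test under the lock. `fwu_sysfs_read_config_store` and `fwu_sysfs_image_name_store` also do their error handling after unlocking, which is harmless there because they only read the local `retval`. `DEFINE_MUTEX(fwu_sysfs_mutex);` could be `static DEFINE_MUTEX(fwu_sysfs_mutex);`, since nothing in the patch uses it from another file. Several of these functions begin or end outside the inner hunks.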
@@ -0,0 +1,214 @@ +From f9185dc83b92e7d1ee341e32e8cf5ed00a7253a7 Mon Sep 17 00:00:00 2001 +From: Divya Ponnusamy +Date: Wed, 24 Aug 2016 17:06:54 +0530 +Subject: msm: kgsl: Change %p to %pK in debug messages + +The format specifier %p can leak kernel addresses +while not valuing the kptr_restrict system settings. +Use %pK instead of %p, which evaluates whether +kptr_restrict is set. + +Change-Id: I0778e43e0a03852ca2944377256a7b401586a747 +Signed-off-by: Divya Ponnusamy +--- + drivers/gpu/msm/adreno_debugfs.c | 4 ++-- + drivers/gpu/msm/kgsl.c | 5 ++--- + drivers/gpu/msm/kgsl_cffdump.c | 9 +-------- + drivers/gpu/msm/kgsl_cmdbatch.c | 4 ++-- + drivers/gpu/msm/kgsl_iommu.c | 19 +++++++++---------- + drivers/gpu/msm/kgsl_pwrctrl.c | 4 ++-- + drivers/gpu/msm/kgsl_snapshot.c | 5 +---- + 7 files changed, 19 insertions(+), 31 deletions(-) + +diff --git a/drivers/gpu/msm/adreno_debugfs.c b/drivers/gpu/msm/adreno_debugfs.c +index 9c045b5..7628285 100644 +--- a/drivers/gpu/msm/adreno_debugfs.c ++++ b/drivers/gpu/msm/adreno_debugfs.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2002,2008-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2002,2008-2016, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -83,7 +83,7 @@ static void sync_event_print(struct seq_file *s, + break; + } + case KGSL_CMD_SYNCPOINT_TYPE_FENCE: +- seq_printf(s, "sync: [%p] %s", sync_event->handle, ++ seq_printf(s, "sync: [%pK] %s", sync_event->handle, + (sync_event->handle && sync_event->handle->fence) + ? 
sync_event->handle->fence->name : "NULL"); + break; +diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c +index 4c3753e..18cc267 100644 +--- a/drivers/gpu/msm/kgsl.c ++++ b/drivers/gpu/msm/kgsl.c +@@ -4131,9 +4131,8 @@ int kgsl_device_platform_probe(struct kgsl_device *device) + disable_irq(device->pwrctrl.interrupt_num); + + KGSL_DRV_INFO(device, +- "dev_id %d regs phys 0x%08lx size 0x%08x virt %p\n", +- device->id, device->reg_phys, device->reg_len, +- device->reg_virt); ++ "dev_id %d regs phys 0x%08lx size 0x%08x\n", ++ device->id, device->reg_phys, device->reg_len); + + rwlock_init(&device->context_lock); + +diff --git a/drivers/gpu/msm/kgsl_cffdump.c b/drivers/gpu/msm/kgsl_cffdump.c +index 1f10a33..67e3d02 100644 +--- a/drivers/gpu/msm/kgsl_cffdump.c ++++ b/drivers/gpu/msm/kgsl_cffdump.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -515,10 +515,6 @@ EXPORT_SYMBOL(kgsl_cffdump_waitirq); + static int subbuf_start_handler(struct rchan_buf *buf, + void *subbuf, void *prev_subbuf, size_t prev_padding) + { +- pr_debug("kgsl: cffdump: subbuf_start_handler(subbuf=%p, prev_subbuf" +- "=%p, prev_padding=%08zx)\n", subbuf, prev_subbuf, +- prev_padding); +- + if (relay_buf_full(buf)) { + if (!suspended) { + suspended = 1; +@@ -575,9 +571,6 @@ static struct rchan *create_channel(unsigned subbuf_size, unsigned n_subbufs) + { + struct rchan *chan; + +- pr_info("kgsl: cffdump: relay: create_channel: subbuf_size %u, " +- "n_subbufs %u, dir 0x%p\n", subbuf_size, n_subbufs, dir); +- + chan = relay_open("cpu", dir, subbuf_size, + n_subbufs, &relay_callbacks, NULL); + if (!chan) { +diff --git a/drivers/gpu/msm/kgsl_cmdbatch.c b/drivers/gpu/msm/kgsl_cmdbatch.c +index 46e053f..7dfd691 100644 +--- 
a/drivers/gpu/msm/kgsl_cmdbatch.c ++++ b/drivers/gpu/msm/kgsl_cmdbatch.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2008-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -92,7 +92,7 @@ void kgsl_dump_syncpoints(struct kgsl_device *device, + } + case KGSL_CMD_SYNCPOINT_TYPE_FENCE: + if (event->handle) +- dev_err(device->dev, " fence: [%p] %s\n", ++ dev_err(device->dev, " fence: [%pK] %s\n", + event->handle->fence, + event->handle->name); + else +diff --git a/drivers/gpu/msm/kgsl_iommu.c b/drivers/gpu/msm/kgsl_iommu.c +index 249df4d..f510ac4 100644 +--- a/drivers/gpu/msm/kgsl_iommu.c ++++ b/drivers/gpu/msm/kgsl_iommu.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -612,7 +612,7 @@ static void kgsl_detach_pagetable_iommu_domain(struct kgsl_mmu *mmu) + iommu_detach_device(iommu_pt->domain, ctx->dev); + ctx->attached = false; + KGSL_MEM_INFO(mmu->device, +- "iommu %p detached from user dev of MMU: %p\n", ++ "iommu %pK detached from user dev of MMU: %pK\n", + iommu_pt->domain, mmu); + } + } +@@ -700,7 +700,7 @@ static int kgsl_attach_pagetable_iommu_domain(struct kgsl_mmu *mmu) + } + ctx->attached = true; + KGSL_MEM_INFO(mmu->device, +- "iommu pt %p attached to dev %p, ctx_id %d\n", ++ "iommu pt %pK attached to dev %pK, ctx_id %d\n", + iommu_pt->domain, ctx->dev, ctx->ctx_id); + if (KGSL_IOMMU_CONTEXT_SECURE != i) { + ret = iommu_domain_get_attr(iommu_pt->domain, +@@ -1108,8 +1108,8 @@ kgsl_iommu_unmap(struct kgsl_pagetable *pt, + unmapped = iommu_unmap(iommu_pt->domain, gpuaddr, range); + if (unmapped != range) { + KGSL_CORE_ERR( +- "iommu_unmap(%p, %llx, %lld) failed with unmapped size: %zd\n", +- iommu_pt->domain, gpuaddr, range, unmapped); ++ "iommu_unmap(%llx, %lld) failed with unmapped size: %zd\n", ++ gpuaddr, range, unmapped); + return -EINVAL; + } + +@@ -1237,8 +1237,8 @@ int _iommu_add_guard_page(struct kgsl_pagetable *pt, + protflags & ~IOMMU_WRITE); + if (ret) { + KGSL_CORE_ERR( +- "iommu_map(%p, addr %016llX, flags %x) err: %d\n", +- iommu_pt->domain, gpuaddr, protflags & ~IOMMU_WRITE, ++ "iommu_map(addr %016llX, flags %x) err: %d\n", ++ gpuaddr, protflags & ~IOMMU_WRITE, + ret); + return ret; + } +@@ -1306,9 +1306,8 @@ kgsl_iommu_map(struct kgsl_pagetable *pt, + } + + if (mapped != size) { +- KGSL_CORE_ERR("iommu_map_sg(%p, %016llX, %lld, %x) err: %zd\n", +- iommu_pt->domain, addr, size, +- flags, mapped); ++ KGSL_CORE_ERR("iommu_map_sg(%016llX, %lld, %x) err: %zd\n", ++ addr, size, flags, mapped); + return -ENODEV; + } + +diff --git a/drivers/gpu/msm/kgsl_pwrctrl.c 
b/drivers/gpu/msm/kgsl_pwrctrl.c +index 1c89d74..f50e6d7 100644 +--- a/drivers/gpu/msm/kgsl_pwrctrl.c ++++ b/drivers/gpu/msm/kgsl_pwrctrl.c +@@ -1593,7 +1593,7 @@ int kgsl_pwrctrl_init(struct kgsl_device *device) + + if (!pwr->ocmem_pcl) { + KGSL_PWR_ERR(device, +- "msm_bus_scale_register_client failed: id %d table %p", ++ "msm_bus_scale_register_client failed: id %d table %pK", + device->id, ocmem_scale_table); + result = -EINVAL; + goto done; +@@ -1643,7 +1643,7 @@ int kgsl_pwrctrl_init(struct kgsl_device *device) + (pdata->bus_scale_table); + if (!pwr->pcl) { + KGSL_PWR_ERR(device, +- "msm_bus_scale_register_client failed: id %d table %p", ++ "msm_bus_scale_register_client failed: id %d table %pK", + device->id, pdata->bus_scale_table); + result = -EINVAL; + goto done; +diff --git a/drivers/gpu/msm/kgsl_snapshot.c b/drivers/gpu/msm/kgsl_snapshot.c +index 42eabe4..bbfd8a7 100644 +--- a/drivers/gpu/msm/kgsl_snapshot.c ++++ b/drivers/gpu/msm/kgsl_snapshot.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -1120,9 +1120,6 @@ void kgsl_snapshot_save_frozen_objs(struct work_struct *work) + goto done; + + snapshot->mempool = vmalloc(size); +- if (snapshot->mempool != NULL) +- KGSL_CORE_ERR("snapshot: mempool address %p, size %zx\n", +- snapshot->mempool, size); + + ptr = snapshot->mempool; + snapshot->mempool_size = 0; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-6750/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6750/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6750/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6750/ANY/0001.patch 
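Review bot: The `%pK` conversions that end up in the kernel log protect less than the commit message implies: `dev_err(device->dev, " fence: [%pK] %s\n", ...)` in kgsl_dump_syncpoints, the two `KGSL_MEM_INFO` calls in kgsl_iommu.c and the two `KGSL_PWR_ERR` calls in kgsl_pwrctrl_init. With kptr_restrict set to 1, `%pK` is checked against the credentials of the task that formats the message, not of whoever reads dmesg later, so a privileged caller still logs the raw pointer (this assumes the KGSL_* macros are printk wrappers, which is not visible here). Other hunks in this patch already drop the pointer from the message (`iommu_unmap`, `iommu_map`, `iommu_map_sg`), and the same would fit these, e.g. `dev_err(device->dev, " fence: %s\n", event->handle->name);`. The `seq_printf` in sync_event_print is the case `%pK` suits, since it is formatted in the reader's context. The enclosing functions start and end outside the hunks.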
diff --git a/Patches/Linux_CVEs/CVE-2016-6751/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6751/ANY/0001.patch similarity index 71% rename from Patches/Linux_CVEs/CVE-2016-6751/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6751/ANY/0001.patch index 0f1fdc01..c424fb7e 100644 --- a/Patches/Linux_CVEs/CVE-2016-6751/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2016-6751/ANY/0001.patch @@ -1,23 +1,23 @@ -From 38ddb9427aa96bdfcdc5fe1877f439d2f7bdd87b Mon Sep 17 00:00:00 2001 -From: vivek mehta -Date: Mon, 12 Sep 2016 17:27:06 -0700 -Subject: [PATCH] ASoC: msm: initialize the params array before using it +From 4907b74ecd5ef8c6d85f1b430f386e381d5b8229 Mon Sep 17 00:00:00 2001 +From: Walter Yang +Date: Wed, 7 Sep 2016 16:28:50 +0800 +Subject: ASoC: msm: initialize the params array before using it The params array is used without initialization, which may cause security issues. Initialize it as all zero after the definition. -bug: 30902162 +CRs-Fixed: 1062271 Change-Id: If462fe3d82f139d72547f82dc7eb564f83cb35bf -Signed-off-by: vivek mehta +Signed-off-by: Walter Yang --- sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c -index cec79eaa81e4c..0d957246459ad 100644 +index 26528e6..58a4de5 100644 --- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c +++ b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c -@@ -1036,6 +1036,7 @@ static int msm_compr_ioctl_shared(struct snd_pcm_substream *substream, +@@ -1024,6 +1024,7 @@ static int msm_compr_ioctl_shared(struct snd_pcm_substream *substream, struct snd_dec_ddp *ddp = &compr->info.codec_param.codec.options.ddp; uint32_t params_length = 0; 
@@ -25,7 +25,7 @@ index cec79eaa81e4c..0d957246459ad 100644 /* check integer overflow */ if (ddp->params_length > UINT_MAX/sizeof(int)) { pr_err("%s: Integer overflow ddp->params_length %d\n", -@@ -1076,6 +1077,7 @@ static int msm_compr_ioctl_shared(struct snd_pcm_substream *substream, +@@ -1064,6 +1065,7 @@ static int msm_compr_ioctl_shared(struct snd_pcm_substream *substream, struct snd_dec_ddp *ddp = &compr->info.codec_param.codec.options.ddp; uint32_t params_length = 0; @@ -33,3 +33,6 @@ index cec79eaa81e4c..0d957246459ad 100644 /* check integer overflow */ if (ddp->params_length > UINT_MAX/sizeof(int)) { pr_err("%s: Integer overflow ddp->params_length %d\n", +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-6752/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6752/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6752/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6752/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6753/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6753/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6753/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6753/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6755/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6755/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6755/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6755/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6755/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-6755/3.18/0002.patch new file mode 100644 index 00000000..d6da36b4 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-6755/3.18/0002.patch 
@@ -0,0 +1,57 @@ +From 652c8005752b28c22107e928c28aabce1dfdde84 Mon Sep 17 00:00:00 2001 +From: Sureshnaidu Laveti +Date: Wed, 14 Sep 2016 07:03:44 -0700 +Subject: msm: sensor: validate the i2c table index before use + +Verifying the i2c table index value before accessing +the i2c table to avoid memory corruption issues. + +CRs-Fixed: 1065916 +Change-Id: I0e31c22f90006f27a77cd420288334b8355cee95 +Signed-off-by: Sureshnaidu Laveti +--- + .../platform/msm/camera_v2/sensor/actuator/msm_actuator.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c +index 0b3e4e1..bf39738 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c +@@ -101,11 +101,6 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl, + i2c_tbl = a_ctrl->i2c_reg_tbl; + + for (i = 0; i < size; i++) { +- /* check that the index into i2c_tbl cannot grow larger that +- the allocated size of i2c_tbl */ +- if ((a_ctrl->total_steps + 1) < (a_ctrl->i2c_tbl_index)) +- break; +- + if (write_arr[i].reg_write_type == MSM_ACTUATOR_WRITE_DAC) { + value = (next_lens_position << + write_arr[i].data_shift) | +@@ -119,6 +114,11 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl, + i2c_byte2 = value & 0xFF; + CDBG("byte1:0x%x, byte2:0x%x\n", + i2c_byte1, i2c_byte2); ++ if (a_ctrl->i2c_tbl_index > ++ a_ctrl->total_steps) { ++ pr_err("failed:i2c table index out of bound\n"); ++ break; ++ } + i2c_tbl[a_ctrl->i2c_tbl_index]. + reg_addr = i2c_byte1; + i2c_tbl[a_ctrl->i2c_tbl_index]. 
+@@ -139,6 +139,10 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl, + i2c_byte2 = (hw_dword & write_arr[i].hw_mask) >> + write_arr[i].hw_shift; + } ++ if (a_ctrl->i2c_tbl_index > a_ctrl->total_steps) { ++ pr_err("failed: i2c table index out of bound\n"); ++ break; ++ } + CDBG("i2c_byte1:0x%x, i2c_byte2:0x%x\n", i2c_byte1, i2c_byte2); + i2c_tbl[a_ctrl->i2c_tbl_index].reg_addr = i2c_byte1; + i2c_tbl[a_ctrl->i2c_tbl_index].reg_data = i2c_byte2; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-6756/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6756/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6756/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6756/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6756/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-6756/3.18/0002.patch new file mode 100644 index 00000000..cbaf34cf --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-6756/3.18/0002.patch 
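Review bot: Both added guards in msm_actuator_parse_i2c_params test `a_ctrl->i2c_tbl_index > a_ctrl->total_steps`, which still lets the index equal total_steps, and the comment that explained the bound was removed together with the old check. That is only safe if i2c_reg_tbl is allocated with at least total_steps + 1 entries; the allocation is outside the hunk, so I would restore a comment such as `/* i2c_reg_tbl has total_steps + 1 entries; index must stay <= total_steps */` at each guard, or use `>=` if the table turns out to be smaller. The function is void, so after the `break` the caller receives a truncated table with only a pr_err to show for it, and it is worth confirming the caller tolerates that. The two messages also differ (`failed:i2c` and `failed: i2c`); a single spelling makes the log easier to search. The function body starts and ends outside the hunks.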
@@ -0,0 +1,1593 @@ +From 3a214ef870dc97437c7de79a1507dfe5079dce88 Mon Sep 17 00:00:00 2001 +From: Azam Sadiq Pasha Kapatrala Syed +Date: Thu, 10 Mar 2016 15:01:06 -0800 +Subject: msm: camera: Avoid exposing kernel addresses + +Usage of %p exposes the kernel addresses, an easy target to +kernel write vulnerabilities. With this patch currently +%pK prints only Zeros as address. If you need actual address +echo 0 > /proc/sys/kernel/kptr_restrict + +CRs-Fixed: 987011 +Change-Id: I6c79f82376936fc646b723872a96a6694fe47cd9 +Signed-off-by: Azam Sadiq Pasha Kapatrala Syed +--- + .../platform/msm/camera_v2/common/cam_smmu_api.c | 32 ++++++++-------- + .../platform/msm/camera_v2/common/cam_soc_api.c | 26 ++++++------- + .../msm/camera_v2/common/msm_camera_io_util.c | 26 ++++++------- + .../media/platform/msm/camera_v2/fd/msm_fd_hw.c | 2 +- + .../media/platform/msm/camera_v2/isp/msm_buf_mgr.c | 8 ++-- + .../media/platform/msm/camera_v2/isp/msm_isp46.c | 2 +- + .../media/platform/msm/camera_v2/isp/msm_isp47.c | 2 +- + .../platform/msm/camera_v2/isp/msm_isp_axi_util.c | 16 ++++---- + .../msm/camera_v2/isp/msm_isp_stats_util.c | 7 ++-- + .../platform/msm/camera_v2/isp/msm_isp_util.c | 40 ++++++++++---------- + .../media/platform/msm/camera_v2/ispif/msm_ispif.c | 4 +- + .../platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c | 6 +-- + .../msm/camera_v2/jpeg_10/msm_jpeg_platform.c | 2 +- + .../platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c | 2 +- + .../msm/camera_v2/jpeg_dma/msm_jpeg_dma_hw.c | 2 +- + .../media/platform/msm/camera_v2/msm_vb2/msm_vb2.c | 4 +- + .../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 33 +++++++++-------- + .../platform/msm/camera_v2/pproc/vpe/msm_vpe.c | 8 ++-- + .../msm/camera_v2/sensor/actuator/msm_actuator.c | 8 ++-- + .../platform/msm/camera_v2/sensor/cci/msm_cci.c | 14 +++---- + .../platform/msm/camera_v2/sensor/csid/msm_csid.c | 6 +-- + .../msm/camera_v2/sensor/csiphy/msm_csiphy.c | 6 +-- + .../msm/camera_v2/sensor/eeprom/msm_eeprom.c | 6 +-- + 
.../msm/camera_v2/sensor/flash/msm_flash.c | 2 +- + .../msm/camera_v2/sensor/io/msm_camera_dt_util.c | 6 +-- + .../platform/msm/camera_v2/sensor/msm_sensor.c | 18 ++++----- + .../msm/camera_v2/sensor/msm_sensor_driver.c | 43 ++++++++-------------- + .../msm/camera_v2/sensor/msm_sensor_init.c | 12 +++--- + .../platform/msm/camera_v2/sensor/ois/msm_ois.c | 4 +- + 29 files changed, 167 insertions(+), 180 deletions(-) + +diff --git a/drivers/media/platform/msm/camera_v2/common/cam_smmu_api.c b/drivers/media/platform/msm/camera_v2/common/cam_smmu_api.c +index e703791..5d5ceb7 100644 +--- a/drivers/media/platform/msm/camera_v2/common/cam_smmu_api.c ++++ b/drivers/media/platform/msm/camera_v2/common/cam_smmu_api.c +@@ -229,7 +229,7 @@ static void cam_smmu_print_list(int idx) + pr_err("index = %d ", idx); + list_for_each_entry(mapping, + &iommu_cb_set.cb_info[idx].smmu_buf_list, list) { +- pr_err("ion_fd = %d, paddr= 0x%p, len = %u\n", ++ pr_err("ion_fd = %d, paddr= 0x%pK, len = %u\n", + mapping->ion_fd, (void *)mapping->paddr, + (unsigned int)mapping->len); + } +@@ -240,10 +240,10 @@ static void cam_smmu_print_table(void) + int i; + + for (i = 0; i < iommu_cb_set.cb_num; i++) { +- pr_err("i= %d, handle= %d, name_addr=%p\n", i, ++ pr_err("i= %d, handle= %d, name_addr=%pK\n", i, + (int)iommu_cb_set.cb_info[i].handle, + (void *)iommu_cb_set.cb_info[i].name); +- pr_err("dev = %p ", iommu_cb_set.cb_info[i].dev); ++ pr_err("dev = %pK ", iommu_cb_set.cb_info[i].dev); + } + } + +@@ -306,18 +306,18 @@ static void cam_smmu_check_vaddr_in_range(int idx, void *vaddr) + end_addr = (unsigned long)mapping->paddr + mapping->len; + + if (start_addr <= current_addr && current_addr < end_addr) { +- pr_err("Error: va %p is valid: range:%p-%p, fd = %d cb: %s\n", ++ pr_err("Error: va %pK is valid: range:%pK-%pK, fd = %d cb: %s\n", + vaddr, (void *)start_addr, (void *)end_addr, + mapping->ion_fd, + iommu_cb_set.cb_info[idx].name); + return; + } else { +- CDBG("va %p is not in this range: %p-%p, 
fd = %d\n", ++ CDBG("va %pK is not in this range: %pK-%pK, fd = %d\n", + vaddr, (void *)start_addr, (void *)end_addr, + mapping->ion_fd); + } + } +- pr_err("Cannot find vaddr:%p in SMMU. %s uses invalid virtual address\n", ++ pr_err("Cannot find vaddr:%pK in SMMU. %s uses invalid virtual address\n", + vaddr, iommu_cb_set.cb_info[idx].name); + return; + } +@@ -393,7 +393,7 @@ static int cam_smmu_iommu_fault_handler(struct iommu_domain *domain, + + if (!token) { + pr_err("Error: token is NULL\n"); +- pr_err("Error: domain = %p, device = %p\n", domain, dev); ++ pr_err("Error: domain = %pK, device = %pK\n", domain, dev); + pr_err("iova = %lX, flags = %d\n", iova, flags); + return 0; + } +@@ -705,7 +705,7 @@ static void cam_smmu_clean_buffer_list(int idx) + + list_for_each_entry_safe(mapping_info, temp, + &iommu_cb_set.cb_info[idx].smmu_buf_list, list) { +- CDBG("Free mapping address %p, i = %d, fd = %d\n", ++ CDBG("Free mapping address %pK, i = %d, fd = %d\n", + (void *)mapping_info->paddr, idx, + mapping_info->ion_fd); + +@@ -800,11 +800,11 @@ static int cam_smmu_map_buffer_and_add_to_list(int idx, int ion_fd, + } + + if (table->sgl) { +- CDBG("DMA buf: %p, device: %p, attach: %p, table: %p\n", ++ CDBG("DMA buf: %pK, device: %pK, attach: %pK, table: %pK\n", + (void *)buf, + (void *)iommu_cb_set.cb_info[idx].dev, + (void *)attach, (void *)table); +- CDBG("table sgl: %p, rc: %d, dma_address: 0x%x\n", ++ CDBG("table sgl: %pK, rc: %d, dma_address: 0x%x\n", + (void *)table->sgl, rc, + (unsigned int)table->sgl->dma_address); + } else { +@@ -838,7 +838,7 @@ static int cam_smmu_map_buffer_and_add_to_list(int idx, int ion_fd, + rc = -ENOSPC; + goto err_unmap_sg; + } +- CDBG("ion_fd = %d, dev = %p, paddr= %p, len = %u\n", ion_fd, ++ CDBG("ion_fd = %d, dev = %pK, paddr= %pK, len = %u\n", ion_fd, + (void *)iommu_cb_set.cb_info[idx].dev, + (void *)*paddr_ptr, (unsigned int)*len_ptr); + +@@ -862,10 +862,10 @@ static int cam_smmu_unmap_buf_and_remove_from_list( + { + if 
((!mapping_info->buf) || (!mapping_info->table) || + (!mapping_info->attach)) { +- pr_err("Error: Invalid params dev = %p, table = %p", ++ pr_err("Error: Invalid params dev = %pK, table = %pK", + (void *)iommu_cb_set.cb_info[idx].dev, + (void *)mapping_info->table); +- pr_err("Error:dma_buf = %p, attach = %p\n", ++ pr_err("Error:dma_buf = %pK, attach = %pK\n", + (void *)mapping_info->buf, + (void *)mapping_info->attach); + return -EINVAL; +@@ -989,7 +989,7 @@ static int cam_smmu_alloc_scratch_buffer_add_to_list(int idx, + + CDBG("%s: nents = %lu, idx = %d, virt_len = %zx\n", + __func__, nents, idx, virt_len); +- CDBG("%s: phys_len = %zx, iommu_dir = %d, virt_addr = %p\n", ++ CDBG("%s: phys_len = %zx, iommu_dir = %d, virt_addr = %pK\n", + __func__, phys_len, iommu_dir, virt_addr); + + /* This table will go inside the 'mapping' structure +@@ -1055,7 +1055,7 @@ static int cam_smmu_alloc_scratch_buffer_add_to_list(int idx, + mapping_info->ref_count = 1; + mapping_info->phys_len = phys_len; + +- CDBG("%s: paddr = %p, len = %zx, phys_len = %zx", ++ CDBG("%s: paddr = %pK, len = %zx, phys_len = %zx", + __func__, (void *)mapping_info->paddr, + mapping_info->len, mapping_info->phys_len); + +@@ -1093,7 +1093,7 @@ static int cam_smmu_free_scratch_buffer_remove_from_list( + &iommu_cb_set.cb_info[idx].scratch_map; + + if (!mapping_info->table) { +- pr_err("Error: Invalid params: dev = %p, table = %p, ", ++ pr_err("Error: Invalid params: dev = %pK, table = %pK, ", + (void *)iommu_cb_set.cb_info[idx].dev, + (void *)mapping_info->table); + return -EINVAL; +diff --git a/drivers/media/platform/msm/camera_v2/common/cam_soc_api.c b/drivers/media/platform/msm/camera_v2/common/cam_soc_api.c +index 33e1299..21ac680 100644 +--- a/drivers/media/platform/msm/camera_v2/common/cam_soc_api.c ++++ b/drivers/media/platform/msm/camera_v2/common/cam_soc_api.c +@@ -165,7 +165,7 @@ int msm_camera_get_clk_info(struct platform_device *pdev, + rc = PTR_ERR((*clk_ptr)[i]); + goto err4; + } +- CDBG("clk 
ptr[%d] :%p\n", i, (*clk_ptr)[i]); ++ CDBG("clk ptr[%d] :%pK\n", i, (*clk_ptr)[i]); + } + + devm_kfree(&pdev->dev, rates); +@@ -289,7 +289,7 @@ int msm_camera_get_clk_info_and_rates( + rc = PTR_ERR(clks[i]); + goto err5; + } +- CDBG("clk ptr[%d] :%p\n", i, clks[i]); ++ CDBG("clk ptr[%d] :%pK\n", i, clks[i]); + } + *pclk_info = clk_info; + *pclks = clks; +@@ -405,7 +405,7 @@ long msm_camera_clk_set_rate(struct device *dev, + if (!dev || !clk || (clk_rate < 0)) + return -EINVAL; + +- CDBG("clk : %p, enable : %ld\n", clk, clk_rate); ++ CDBG("clk : %pK, enable : %ld\n", clk, clk_rate); + + if (clk_rate > 0) { + rate = clk_round_rate(clk, clk_rate); +@@ -436,7 +436,7 @@ int msm_camera_put_clk_info(struct platform_device *pdev, + if (clk_ptr[i] != NULL) + devm_clk_put(&pdev->dev, (*clk_ptr)[i]); + +- CDBG("clk ptr[%d] :%p\n", i, (*clk_ptr)[i]); ++ CDBG("clk ptr[%d] :%pK\n", i, (*clk_ptr)[i]); + } + devm_kfree(&pdev->dev, *clk_info); + devm_kfree(&pdev->dev, *clk_ptr); +@@ -460,7 +460,7 @@ int msm_camera_put_clk_info_and_rates(struct platform_device *pdev, + for (i = cnt - 1; i >= 0; i--) { + if (clk_ptr[i] != NULL) + devm_clk_put(&pdev->dev, (*clk_ptr)[i]); +- CDBG("clk ptr[%d] :%p\n", i, (*clk_ptr)[i]); ++ CDBG("clk ptr[%d] :%pK\n", i, (*clk_ptr)[i]); + } + devm_kfree(&pdev->dev, *clk_info); + devm_kfree(&pdev->dev, *clk_ptr); +@@ -531,7 +531,7 @@ int msm_camera_get_regulator_info(struct platform_device *pdev, + rc = -EINVAL; + goto err1; + } +- CDBG("vdd ptr[%d] :%p\n", i, tmp_reg[i].vdd); ++ CDBG("vdd ptr[%d] :%pK\n", i, tmp_reg[i].vdd); + } + + *num_reg = cnt; +@@ -607,7 +607,7 @@ void msm_camera_put_regulators(struct platform_device *pdev, + for (i = cnt - 1; i >= 0; i--) { + if (vdd_info[i] && !IS_ERR_OR_NULL(vdd_info[i]->vdd)) + devm_regulator_put(vdd_info[i]->vdd); +- CDBG("vdd ptr[%d] :%p\n", i, vdd_info[i]->vdd); ++ CDBG("vdd ptr[%d] :%pK\n", i, vdd_info[i]->vdd); + } + + devm_kfree(&pdev->dev, *vdd_info); +@@ -646,7 +646,7 @@ int msm_camera_register_irq(struct 
platform_device *pdev, + rc = -EINVAL; + } + +- CDBG("Registered irq for %s[resource - %p]\n", irq_name, irq); ++ CDBG("Registered irq for %s[resource - %pK]\n", irq_name, irq); + + return rc; + } +@@ -671,7 +671,7 @@ int msm_camera_register_threaded_irq(struct platform_device *pdev, + rc = -EINVAL; + } + +- CDBG("Registered irq for %s[resource - %p]\n", irq_name, irq); ++ CDBG("Registered irq for %s[resource - %pK]\n", irq_name, irq); + + return rc; + } +@@ -703,7 +703,7 @@ int msm_camera_unregister_irq(struct platform_device *pdev, + return -EINVAL; + } + +- CDBG("Un Registering irq for [resource - %p]\n", irq); ++ CDBG("Un Registering irq for [resource - %pK]\n", irq); + devm_free_irq(&pdev->dev, irq->start, dev_id); + + return 0; +@@ -730,7 +730,7 @@ void __iomem *msm_camera_get_reg_base(struct platform_device *pdev, + } + + if (reserve_mem) { +- CDBG("device:%p, mem : %p, size : %d\n", ++ CDBG("device:%pK, mem : %pK, size : %d\n", + &pdev->dev, mem, (int)resource_size(mem)); + if (!devm_request_mem_region(&pdev->dev, mem->start, + resource_size(mem), +@@ -749,7 +749,7 @@ void __iomem *msm_camera_get_reg_base(struct platform_device *pdev, + return NULL; + } + +- CDBG("base : %p\n", base); ++ CDBG("base : %pK\n", base); + return base; + } + EXPORT_SYMBOL(msm_camera_get_reg_base); +@@ -793,7 +793,7 @@ int msm_camera_put_reg_base(struct platform_device *pdev, + pr_err("err: mem resource %s not found\n", device_name); + return -EINVAL; + } +- CDBG("mem : %p, size : %d\n", mem, (int)resource_size(mem)); ++ CDBG("mem : %pK, size : %d\n", mem, (int)resource_size(mem)); + + devm_iounmap(&pdev->dev, base); + if (reserve_mem) +diff --git a/drivers/media/platform/msm/camera_v2/common/msm_camera_io_util.c b/drivers/media/platform/msm/camera_v2/common/msm_camera_io_util.c +index f978f97..51a9ea8 100644 +--- a/drivers/media/platform/msm/camera_v2/common/msm_camera_io_util.c ++++ b/drivers/media/platform/msm/camera_v2/common/msm_camera_io_util.c +@@ -27,7 +27,7 @@ + + void 
msm_camera_io_w(u32 data, void __iomem *addr) + { +- CDBG("%s: 0x%p %08x\n", __func__, (addr), (data)); ++ CDBG("%s: 0x%pK %08x\n", __func__, (addr), (data)); + writel_relaxed((data), (addr)); + } + +@@ -43,7 +43,7 @@ int32_t msm_camera_io_w_block(const u32 *addr, void __iomem *base, + return -EINVAL; + + for (i = 0; i < len; i++) { +- CDBG("%s: len =%d val=%x base =%p\n", __func__, ++ CDBG("%s: len =%d val=%x base =%pK\n", __func__, + len, addr[i], base); + writel_relaxed(addr[i], base); + } +@@ -62,7 +62,7 @@ int32_t msm_camera_io_w_reg_block(const u32 *addr, void __iomem *base, + return -EINVAL; + + for (i = 0; i < len; i = i + 2) { +- CDBG("%s: len =%d val=%x base =%p reg=%x\n", __func__, ++ CDBG("%s: len =%d val=%x base =%pK reg=%x\n", __func__, + len, addr[i + 1], base, addr[i]); + writel_relaxed(addr[i + 1], base + addr[i]); + } +@@ -71,7 +71,7 @@ int32_t msm_camera_io_w_reg_block(const u32 *addr, void __iomem *base, + + void msm_camera_io_w_mb(u32 data, void __iomem *addr) + { +- CDBG("%s: 0x%p %08x\n", __func__, (addr), (data)); ++ CDBG("%s: 0x%pK %08x\n", __func__, (addr), (data)); + /* ensure write is done */ + wmb(); + writel_relaxed((data), (addr)); +@@ -89,7 +89,7 @@ int32_t msm_camera_io_w_mb_block(const u32 *addr, void __iomem *base, u32 len) + for (i = 0; i < len; i++) { + /* ensure write is done */ + wmb(); +- CDBG("%s: len =%d val=%x base =%p\n", __func__, ++ CDBG("%s: len =%d val=%x base =%pK\n", __func__, + len, addr[i], base); + writel_relaxed(addr[i], base); + } +@@ -102,7 +102,7 @@ u32 msm_camera_io_r(void __iomem *addr) + { + uint32_t data = readl_relaxed(addr); + +- CDBG("%s: 0x%p %08x\n", __func__, (addr), (data)); ++ CDBG("%s: 0x%pK %08x\n", __func__, (addr), (data)); + return data; + } + +@@ -114,7 +114,7 @@ u32 msm_camera_io_r_mb(void __iomem *addr) + data = readl_relaxed(addr); + /* ensure read is done */ + rmb(); +- CDBG("%s: 0x%p %08x\n", __func__, (addr), (data)); ++ CDBG("%s: 0x%pK %08x\n", __func__, (addr), (data)); + return 
data; + } + +@@ -180,7 +180,7 @@ void msm_camera_io_dump(void __iomem *addr, int size, int enable) + u32 *p = (u32 *) addr; + u32 data; + +- CDBG("%s: addr=%p size=%d\n", __func__, addr, size); ++ CDBG("%s: addr=%pK size=%d\n", __func__, addr, size); + + if (!p || (size <= 0) || !enable) + return; +@@ -216,12 +216,12 @@ void msm_camera_io_dump_wstring_base(void __iomem *addr, + { + int i, u = sizeof(struct msm_cam_dump_string_info); + +- pr_debug("%s: addr=%p data=%p size=%d u=%d, cnt=%d\n", __func__, ++ pr_debug("%s: addr=%pK data=%pK size=%d u=%d, cnt=%d\n", __func__, + addr, dump_data, size, u, + (size/u)); + + if (!addr || (size <= 0) || !dump_data) { +- pr_err("%s: addr=%p data=%p size=%d\n", __func__, ++ pr_err("%s: addr=%pK data=%pK size=%d\n", __func__, + addr, dump_data, size); + return; + } +@@ -233,7 +233,7 @@ void msm_camera_io_dump_wstring_base(void __iomem *addr, + void msm_camera_io_memcpy(void __iomem *dest_addr, + void __iomem *src_addr, u32 len) + { +- CDBG("%s: %p %p %d\n", __func__, dest_addr, src_addr, len); ++ CDBG("%s: %pK %pK %d\n", __func__, dest_addr, src_addr, len); + msm_camera_io_memcpy_toio(dest_addr, src_addr, len / 4); + } + +@@ -728,7 +728,7 @@ int msm_camera_request_gpio_table(struct gpio *gpio_tbl, uint8_t size, + int rc = 0, i = 0, err = 0; + + if (!gpio_tbl || !size) { +- pr_err("%s:%d invalid gpio_tbl %p / size %d\n", __func__, ++ pr_err("%s:%d invalid gpio_tbl %pK / size %d\n", __func__, + __LINE__, gpio_tbl, size); + return -EINVAL; + } +@@ -772,7 +772,7 @@ int msm_camera_get_dt_reg_settings(struct device_node *of_node, + unsigned int cnt; + + if (!of_node || !dt_prop_name || !size || !reg_s) { +- pr_err("%s: Error invalid args %p:%p:%p:%p\n", ++ pr_err("%s: Error invalid args %pK:%pK:%pK:%pK\n", + __func__, size, reg_s, of_node, dt_prop_name); + return -EINVAL; + } +diff --git a/drivers/media/platform/msm/camera_v2/fd/msm_fd_hw.c b/drivers/media/platform/msm/camera_v2/fd/msm_fd_hw.c +index 680bdf5..a20f40a0 100644 +--- 
a/drivers/media/platform/msm/camera_v2/fd/msm_fd_hw.c ++++ b/drivers/media/platform/msm/camera_v2/fd/msm_fd_hw.c +@@ -669,7 +669,7 @@ int32_t msm_fd_hw_set_dt_parms_by_name(struct msm_fd_device *fd, + dt_reg_settings[i + MSM_FD_REG_ADDR_OFFSET_IDX], + dt_reg_settings[i + MSM_FD_REG_VALUE_IDX] & + dt_reg_settings[i + MSM_FD_REG_MASK_IDX]); +- pr_debug("%s:%d] %p %08x\n", __func__, __LINE__, ++ pr_debug("%s:%d] %pK %08x\n", __func__, __LINE__, + fd->iomem_base[base_idx] + + dt_reg_settings[i + MSM_FD_REG_ADDR_OFFSET_IDX], + dt_reg_settings[i + MSM_FD_REG_VALUE_IDX] & +diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c +index 3331f0d..94e9745 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_buf_mgr.c +@@ -62,13 +62,13 @@ static int msm_buf_check_head_sanity(struct msm_isp_bufq *bufq) + } + + if (prev->next != &bufq->head) { +- pr_err("%s: Error! head prev->next is %p should be %p\n", ++ pr_err("%s: Error! head prev->next is %pK should be %pK\n", + __func__, prev->next, &bufq->head); + return -EINVAL; + } + + if (next->prev != &bufq->head) { +- pr_err("%s: Error! head next->prev is %p should be %p\n", ++ pr_err("%s: Error! 
head next->prev is %pK should be %pK\n", + __func__, next->prev, &bufq->head); + return -EINVAL; + } +@@ -228,7 +228,7 @@ static void msm_isp_unprepare_v4l2_buf( + struct msm_isp_bufq *bufq = NULL; + + if (!buf_mgr || !buf_info) { +- pr_err("%s: NULL ptr %p %p\n", __func__, ++ pr_err("%s: NULL ptr %pK %pK\n", __func__, + buf_mgr, buf_info); + return; + } +@@ -255,7 +255,7 @@ static int msm_isp_map_buf(struct msm_isp_buf_mgr *buf_mgr, + int ret; + + if (!buf_mgr || !mapped_info) { +- pr_err_ratelimited("%s: %d] NULL ptr buf_mgr %p mapped_info %p\n", ++ pr_err_ratelimited("%s: %d] NULL ptr buf_mgr %pK mapped_info %pK\n", + __func__, __LINE__, buf_mgr, mapped_info); + return -EINVAL; + } +diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp46.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp46.c +index e1e579b..f15f234 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp46.c ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp46.c +@@ -920,7 +920,7 @@ static int msm_vfe46_start_fetch_engine(struct vfe_device *vfe_dev, + rc = vfe_dev->buf_mgr->ops->get_buf_by_index( + vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf); + if (rc < 0 || !buf) { +- pr_err("%s: No fetch buffer rc= %d buf= %p\n", ++ pr_err("%s: No fetch buffer rc= %d buf= %pK\n", + __func__, rc, buf); + return -EINVAL; + } +diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp47.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp47.c +index 603e83a..ebf38dd 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp47.c ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp47.c +@@ -1058,7 +1058,7 @@ static int msm_vfe47_start_fetch_engine(struct vfe_device *vfe_dev, + rc = vfe_dev->buf_mgr->ops->get_buf_by_index( + vfe_dev->buf_mgr, bufq_handle, fe_cfg->buf_idx, &buf); + if (rc < 0 || !buf) { +- pr_err("%s: No fetch buffer rc= %d buf= %p\n", ++ pr_err("%s: No fetch buffer rc= %d buf= %pK\n", + __func__, rc, buf); + return -EINVAL; + } +diff --git 
a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c +index fbda545..a5952a5 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c +@@ -725,7 +725,7 @@ void msm_isp_check_for_output_error(struct vfe_device *vfe_dev, + int i; + + if (!vfe_dev || !sof_info) { +- pr_err("%s %d failed: vfe_dev %p sof_info %p\n", __func__, ++ pr_err("%s %d failed: vfe_dev %pK sof_info %pK\n", __func__, + __LINE__, vfe_dev, sof_info); + return; + } +@@ -1284,7 +1284,7 @@ static int msm_isp_axi_stream_enable_cfg( + !dual_vfe_res->axi_data[ISP_VFE0] || + !dual_vfe_res->vfe_base[ISP_VFE1] || + !dual_vfe_res->axi_data[ISP_VFE1]) { +- pr_err("%s:%d failed vfe0 %p %p vfe %p %p\n", ++ pr_err("%s:%d failed vfe0 %pK %pK vfe %pK %pK\n", + __func__, __LINE__, + dual_vfe_res->vfe_base[ISP_VFE0], + dual_vfe_res->axi_data[ISP_VFE0], +@@ -1659,7 +1659,7 @@ static int msm_isp_cfg_ping_pong_address(struct vfe_device *vfe_dev, + !dual_vfe_res->axi_data[ISP_VFE0] || + !dual_vfe_res->vfe_base[ISP_VFE1] || + !dual_vfe_res->axi_data[ISP_VFE1]) { +- pr_err("%s:%d failed vfe0 %p %p vfe %p %p\n", ++ pr_err("%s:%d failed vfe0 %pK %pK vfe %pK %pK\n", + __func__, __LINE__, + dual_vfe_res->vfe_base[ISP_VFE0], + dual_vfe_res->axi_data[ISP_VFE0], +@@ -1940,7 +1940,7 @@ int msm_isp_drop_frame(struct vfe_device *vfe_dev, + uint32_t pingpong_bit; + + if (!vfe_dev || !stream_info || !ts || !sof_info) { +- pr_err("%s %d vfe_dev %p stream_info %p ts %p op_info %p\n", ++ pr_err("%s %d vfe_dev %pK stream_info %pK ts %pK op_info %pK\n", + __func__, __LINE__, vfe_dev, stream_info, ts, + sof_info); + return -EINVAL; +@@ -2230,7 +2230,7 @@ int msm_isp_axi_reset(struct vfe_device *vfe_dev, + unsigned long flags; + + if (!reset_cmd) { +- pr_err("%s: NULL pointer reset cmd %p\n", __func__, reset_cmd); ++ pr_err("%s: NULL pointer reset cmd %pK\n", __func__, reset_cmd); + rc = 
-1; + return rc; + } +@@ -2928,7 +2928,7 @@ static int msm_isp_return_empty_buffer(struct vfe_device *vfe_dev, + struct msm_isp_timestamp timestamp; + + if (!vfe_dev || !stream_info) { +- pr_err("%s %d failed: vfe_dev %p stream_info %p\n", __func__, ++ pr_err("%s %d failed: vfe_dev %pK stream_info %pK\n", __func__, + __LINE__, vfe_dev, stream_info); + return -EINVAL; + } +@@ -3007,7 +3007,7 @@ static int msm_isp_request_frame(struct vfe_device *vfe_dev, + bool dual_vfe = false; + + if (!vfe_dev || !stream_info) { +- pr_err("%s %d failed: vfe_dev %p stream_info %p\n", __func__, ++ pr_err("%s %d failed: vfe_dev %pK stream_info %pK\n", __func__, + __LINE__, vfe_dev, stream_info); + return -EINVAL; + } +@@ -3659,7 +3659,7 @@ void msm_isp_axi_disable_all_wm(struct vfe_device *vfe_dev) + int i, j; + + if (!vfe_dev || !axi_data) { +- pr_err("%s: error %p %p\n", __func__, vfe_dev, axi_data); ++ pr_err("%s: error %pK %pK\n", __func__, vfe_dev, axi_data); + return; + } + +diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c +index 7eaffad..03c587e 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c +@@ -88,8 +88,9 @@ static int msm_isp_stats_cfg_ping_pong_address(struct vfe_device *vfe_dev, + !dual_vfe_res->stats_data[ISP_VFE0] || + !dual_vfe_res->vfe_base[ISP_VFE1] || + !dual_vfe_res->stats_data[ISP_VFE1]) { +- pr_err("%s:%d error vfe0 %p %p vfe1 %p %p\n", __func__, +- __LINE__, dual_vfe_res->vfe_base[ISP_VFE0], ++ pr_err("%s:%d error vfe0 %pK %pK vfe1 %pK %pK\n", ++ __func__, __LINE__, ++ dual_vfe_res->vfe_base[ISP_VFE0], + dual_vfe_res->stats_data[ISP_VFE0], + dual_vfe_res->vfe_base[ISP_VFE1], + dual_vfe_res->stats_data[ISP_VFE1]); +@@ -156,7 +157,7 @@ static int32_t msm_isp_stats_buf_divert(struct vfe_device *vfe_dev, + uint32_t stats_idx; + + if (!vfe_dev || !ts || !buf_event || !stream_info) { 
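Review bot: In msm_isp_axi_reset the rewritten `pr_err("%s: NULL pointer reset cmd %pK\n", __func__, reset_cmd);` sits inside `if (!reset_cmd)`, so the argument is always NULL and the conversion adds nothing. `pr_err("%s: NULL pointer reset cmd\n", __func__);` says the same without formatting a pointer at all. The same applies to the single-pointer guards in msm_isp_get_max_clk_rate (`hw_info`), msm_isp_get_clk_rates (`pdev`, `of_node`), cpp_open_node and cpp_close_node (`cpp_dev`), msm_cpp_subdev_ioctl (`sd`), msm_csiphy_release (`csi_lane_params`) and msm_sensor_power_down (`s_ctrl`). The msm_sensor_driver.c hunks of this patch already delete such prints after a failed kzalloc, so dropping the argument here would be consistent; the function bodies continue outside the hunks.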
+- pr_err("%s:%d failed: invalid params %p %p %p %p\n", ++ pr_err("%s:%d failed: invalid params %pK %pK %pK %pK\n", + __func__, __LINE__, vfe_dev, ts, buf_event, + stream_info); + return -EINVAL; +diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c +index 5f1b208..dc209d7 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c +@@ -468,14 +468,14 @@ static int msm_isp_get_max_clk_rate(struct vfe_device *vfe_dev, long *rate) + long round_rate = 0; + + if (!vfe_dev || !rate) { +- pr_err("%s:%d failed: vfe_dev %p rate %p\n", __func__, __LINE__, +- vfe_dev, rate); ++ pr_err("%s:%d failed: vfe_dev %pK rate %pK\n", __func__, ++ __LINE__, vfe_dev, rate); + return -EINVAL; + } + + *rate = 0; + if (!vfe_dev->hw_info) { +- pr_err("%s:%d failed: vfe_dev->hw_info %p\n", __func__, ++ pr_err("%s:%d failed: vfe_dev->hw_info %pK\n", __func__, + __LINE__, vfe_dev->hw_info); + return -EINVAL; + } +@@ -505,13 +505,13 @@ static int msm_isp_get_clk_rates(struct vfe_device *vfe_dev, + int32_t rc = 0; + uint32_t svs = 0, nominal = 0, turbo = 0; + if (!vfe_dev || !rates) { +- pr_err("%s:%d failed: vfe_dev %p rates %p\n", __func__, ++ pr_err("%s:%d failed: vfe_dev %pK rates %pK\n", __func__, + __LINE__, vfe_dev, rates); + return -EINVAL; + } + + if (!vfe_dev->pdev) { +- pr_err("%s:%d failed: vfe_dev->pdev %p\n", __func__, ++ pr_err("%s:%d failed: vfe_dev->pdev %pK\n", __func__, + __LINE__, vfe_dev->pdev); + return -EINVAL; + } +@@ -519,7 +519,7 @@ static int msm_isp_get_clk_rates(struct vfe_device *vfe_dev, + of_node = vfe_dev->pdev->dev.of_node; + + if (!of_node) { +- pr_err("%s %d failed: of_node = %p\n", __func__, ++ pr_err("%s %d failed: of_node = %pK\n", __func__, + __LINE__, of_node); + return -EINVAL; + } +@@ -728,7 +728,7 @@ static int msm_isp_set_dual_HW_master_slave_mode( + unsigned long flags; + + if (!vfe_dev || !arg) { +- 
pr_err("%s: Error! Invalid input vfe_dev %p arg %p\n", ++ pr_err("%s: Error! Invalid input vfe_dev %pK arg %pK\n", + __func__, vfe_dev, arg); + return -EINVAL; + } +@@ -819,7 +819,7 @@ static int msm_isp_proc_cmd_list_unlocked(struct vfe_device *vfe_dev, void *arg) + struct msm_vfe_cfg_cmd_list cmd, cmd_next; + + if (!vfe_dev || !arg) { +- pr_err("%s:%d failed: vfe_dev %p arg %p", __func__, __LINE__, ++ pr_err("%s:%d failed: vfe_dev %pK arg %pK", __func__, __LINE__, + vfe_dev, arg); + return -EINVAL; + } +@@ -889,7 +889,7 @@ static int msm_isp_proc_cmd_list_compat(struct vfe_device *vfe_dev, void *arg) + struct msm_vfe_cfg_cmd2 current_cmd; + + if (!vfe_dev || !arg) { +- pr_err("%s:%d failed: vfe_dev %p arg %p", __func__, __LINE__, ++ pr_err("%s:%d failed: vfe_dev %pK arg %pK", __func__, __LINE__, + vfe_dev, arg); + return -EINVAL; + } +@@ -946,10 +946,10 @@ static long msm_isp_ioctl_unlocked(struct v4l2_subdev *sd, + struct vfe_device *vfe_dev = v4l2_get_subdevdata(sd); + + if (!vfe_dev || !vfe_dev->vfe_base) { +- pr_err("%s:%d failed: invalid params %p\n", ++ pr_err("%s:%d failed: invalid params %pK\n", + __func__, __LINE__, vfe_dev); + if (vfe_dev) +- pr_err("%s:%d failed %p\n", __func__, ++ pr_err("%s:%d failed %pK\n", __func__, + __LINE__, vfe_dev->vfe_base); + return -EINVAL; + } +@@ -1134,10 +1134,10 @@ static long msm_isp_ioctl_compat(struct v4l2_subdev *sd, + long rc = 0; + + if (!vfe_dev || !vfe_dev->vfe_base) { +- pr_err("%s:%d failed: invalid params %p\n", ++ pr_err("%s:%d failed: invalid params %pK\n", + __func__, __LINE__, vfe_dev); + if (vfe_dev) +- pr_err("%s:%d failed %p\n", __func__, ++ pr_err("%s:%d failed %pK\n", __func__, + __LINE__, vfe_dev->vfe_base); + return -EINVAL; + } +@@ -1183,13 +1183,13 @@ static int msm_isp_send_hw_cmd(struct vfe_device *vfe_dev, + uint32_t *cfg_data, uint32_t cmd_len) + { + if (!vfe_dev || !reg_cfg_cmd) { +- pr_err("%s:%d failed: vfe_dev %p reg_cfg_cmd %p\n", __func__, ++ pr_err("%s:%d failed: vfe_dev %pK 
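Review bot: The rewritten format strings in msm_isp_proc_cmd_list_unlocked and msm_isp_proc_cmd_list_compat, `"%s:%d failed: vfe_dev %pK arg %pK"`, still end without a newline, unlike the other messages this patch touches in msm_isp_util.c. Since the line is being edited anyway, `pr_err("%s:%d failed: vfe_dev %pK arg %pK\n", __func__, __LINE__,` would keep a following message from being appended to the same log record. The strings in cpp_open_node (`"Wrong input parameters sd %pK fh %pK!"`), msm_cpp_subdev_fops_compat_ioctl and msm_camera_fill_vreg_params have the same gap.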
reg_cfg_cmd %pK\n", __func__, + __LINE__, vfe_dev, reg_cfg_cmd); + return -EINVAL; + } + if ((reg_cfg_cmd->cmd_type != VFE_CFG_MASK) && + (!cfg_data || !cmd_len)) { +- pr_err("%s:%d failed: cmd type %d cfg_data %p cmd_len %d\n", ++ pr_err("%s:%d failed: cmd type %d cfg_data %pK cmd_len %d\n", + __func__, __LINE__, reg_cfg_cmd->cmd_type, cfg_data, + cmd_len); + return -EINVAL; +@@ -1856,7 +1856,7 @@ static int msm_isp_process_iommu_page_fault(struct vfe_device *vfe_dev) + { + int rc = vfe_dev->buf_mgr->pagefault_debug_disable; + +- pr_err("%s:%d] VFE%d Handle Page fault! vfe_dev %p\n", __func__, ++ pr_err("%s:%d] VFE%d Handle Page fault! vfe_dev %pK\n", __func__, + __LINE__, vfe_dev->pdev->id, vfe_dev); + + msm_isp_halt_send_error(vfe_dev, ISP_EVENT_IOMMU_P_FAULT); +@@ -2048,7 +2048,7 @@ void msm_isp_do_tasklet(unsigned long data) + uint32_t irq_status0, irq_status1, pingpong_status; + + if (vfe_dev->vfe_base == NULL || vfe_dev->vfe_open_cnt == 0) { +- ISP_DBG("%s: VFE%d open cnt = %d, device closed(base = %p)\n", ++ ISP_DBG("%s: VFE%d open cnt = %d, device closed(base = %pK)\n", + __func__, vfe_dev->pdev->id, vfe_dev->vfe_open_cnt, + vfe_dev->vfe_base); + return; +@@ -2121,7 +2121,7 @@ static void msm_vfe_iommu_fault_handler(struct iommu_domain *domain, + vfe_dev->page_fault_addr = iova; + if (!vfe_dev->buf_mgr || !vfe_dev->buf_mgr->ops || + !vfe_dev->axi_data.num_active_stream) { +- pr_err("%s:%d buf_mgr %p active strms %d\n", __func__, ++ pr_err("%s:%d buf_mgr %pK active strms %d\n", __func__, + __LINE__, vfe_dev->buf_mgr, + vfe_dev->axi_data.num_active_stream); + goto end; +@@ -2138,7 +2138,7 @@ static void msm_vfe_iommu_fault_handler(struct iommu_domain *domain, + } + mutex_unlock(&vfe_dev->core_mutex); + } else { +- ISP_DBG("%s:%d] no token received: %p\n", ++ ISP_DBG("%s:%d] no token received: %pK\n", + __func__, __LINE__, token); + goto end; + } +@@ -2173,7 +2173,7 @@ int msm_isp_open_node(struct v4l2_subdev *sd, struct v4l2_subdev_fh *fh) + } + + if 
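Review bot: msm_isp_do_tasklet has a tasklet signature, so the `%pK` added to its `ISP_DBG` line (`device closed(base = %pK)`) is presumably formatted in softirq context. On kernels of this generation vsprintf does not evaluate `%pK` in IRQ or softirq context when kptr_restrict is set and prints the literal text `pK-error` instead; this should be confirmed against the target tree's lib/vsprintf.c. Nothing leaks in that case, but the field carries no information, and `base %s` with `vfe_dev->vfe_base ? "set" : "NULL"` would keep the diagnostic. The two hunks in msm_vfe_iommu_fault_handler may behave the same way if that handler runs in interrupt context, which the hunks do not show.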
(vfe_dev->vfe_base) { +- pr_err("%s:%d invalid params cnt %d base %p\n", __func__, ++ pr_err("%s:%d invalid params cnt %d base %pK\n", __func__, + __LINE__, vfe_dev->vfe_open_cnt, vfe_dev->vfe_base); + vfe_dev->vfe_base = NULL; + } +diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c +index 640379d..abfae4f 100644 +--- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c ++++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c +@@ -1292,7 +1292,7 @@ static int msm_ispif_set_vfe_info(struct ispif_device *ispif, + { + if (!vfe_info || (vfe_info->num_vfe == 0) || + (vfe_info->num_vfe > ispif->hw_num_isps)) { +- pr_err("Invalid VFE info: %p %d\n", vfe_info, ++ pr_err("Invalid VFE info: %pK %d\n", vfe_info, + (vfe_info ? vfe_info->num_vfe : 0)); + return -EINVAL; + } +@@ -1327,7 +1327,7 @@ static int msm_ispif_init(struct ispif_device *ispif, + + if (ispif->csid_version >= CSID_VERSION_V30) { + if (!ispif->clk_mux_mem || !ispif->clk_mux_io) { +- pr_err("%s csi clk mux mem %p io %p\n", __func__, ++ pr_err("%s csi clk mux mem %pK io %pK\n", __func__, + ispif->clk_mux_mem, ispif->clk_mux_io); + rc = -ENOMEM; + return rc; +diff --git a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c +index 9339029..071ce0a 100644 +--- a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c ++++ b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_hw.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -805,7 +805,7 @@ void msm_jpeg_hw_write(struct msm_jpeg_hw_cmd *hw_cmd_p, + + new_data = hw_cmd_p->data & hw_cmd_p->mask; + new_data |= old_data; +- JPEG_DBG("%s:%d] %p %08x\n", __func__, __LINE__, ++ JPEG_DBG("%s:%d] %pK %08x\n", __func__, __LINE__, + paddr, new_data); + msm_camera_io_w(new_data, paddr); + } +@@ -908,7 +908,7 @@ void msm_jpeg_io_dump(void *base, int size) + int i; + u32 *p = (u32 *) addr; + u32 data; +- JPEG_DBG_HIGH("%s:%d] %p %d", __func__, __LINE__, addr, size); ++ JPEG_DBG_HIGH("%s:%d] %pK %d", __func__, __LINE__, addr, size); + line_str[0] = '\0'; + p_str = line_str; + for (i = 0; i < size/4; i++) { +diff --git a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_platform.c b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_platform.c +index e076d35..266a5a6 100644 +--- a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_platform.c ++++ b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_platform.c +@@ -210,7 +210,7 @@ static int32_t msm_jpeg_set_init_dt_parms(struct msm_jpeg_device *pgmn_dev, + return -EINVAL; + } + for (i = 0; i < dt_count; i = i + 2) { +- JPEG_DBG("%s:%d] %p %08x\n", ++ JPEG_DBG("%s:%d] %pK %08x\n", + __func__, __LINE__, + base + dt_reg_settings[i], + dt_reg_settings[i + 1]); +diff --git a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c +index 2e2841a..d27f56a 100644 +--- a/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c ++++ b/drivers/media/platform/msm/camera_v2/jpeg_10/msm_jpeg_sync.c +@@ -754,7 +754,7 @@ int __msm_jpeg_open(struct msm_jpeg_device *pgmn_dev) + __LINE__, rc); + goto platform_init_fail; + } +- JPEG_DBG("%s:%d] platform resources - base %p, irq %d\n", ++ JPEG_DBG("%s:%d] platform resources - base %pK, irq %d\n", + __func__, __LINE__, + pgmn_dev->base, 
(int)pgmn_dev->jpeg_irq_res->start); + msm_jpeg_q_cleanup(&pgmn_dev->evt_q); +diff --git a/drivers/media/platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_hw.c b/drivers/media/platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_hw.c +index 4108693..f3ceaad 100644 +--- a/drivers/media/platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_hw.c ++++ b/drivers/media/platform/msm/camera_v2/jpeg_dma/msm_jpeg_dma_hw.c +@@ -93,7 +93,7 @@ static inline u32 msm_jpegdma_hw_read_reg(struct msm_jpegdma_device *dma, + static inline void msm_jpegdma_hw_write_reg(struct msm_jpegdma_device *dma, + enum msm_jpegdma_mem_resources base_idx, u32 reg, u32 value) + { +- pr_debug("%s:%d]%p %08x\n", __func__, __LINE__, ++ pr_debug("%s:%d]%pK %08x\n", __func__, __LINE__, + dma->iomem_base[base_idx] + reg, + value); + msm_camera_io_w(value, dma->iomem_base[base_idx] + reg); +diff --git a/drivers/media/platform/msm/camera_v2/msm_vb2/msm_vb2.c b/drivers/media/platform/msm/camera_v2/msm_vb2/msm_vb2.c +index f7246f2..0e4a453 100644 +--- a/drivers/media/platform/msm/camera_v2/msm_vb2/msm_vb2.c ++++ b/drivers/media/platform/msm/camera_v2/msm_vb2/msm_vb2.c +@@ -248,7 +248,7 @@ static int msm_vb2_put_buf(struct vb2_buffer *vb, int session_id, + break; + } + if (WARN_ON(vb2_buf != vb)) { +- pr_err("VB buffer is INVALID vb=%p, ses_id=%d, str_id=%d\n", ++ pr_err("VB buffer is INVALID vb=%pK, ses_id=%d, str_id=%d\n", + vb, session_id, stream_id); + spin_unlock_irqrestore(&stream->stream_lock, flags); + return -EINVAL; +@@ -290,7 +290,7 @@ static int msm_vb2_buf_done(struct vb2_buffer *vb, int session_id, + break; + } + if (WARN_ON(vb2_buf != vb)) { +- pr_err("VB buffer is INVALID ses_id=%d, str_id=%d, vb=%p\n", ++ pr_err("VB buffer is INVALID ses_id=%d, str_id=%d, vb=%pK\n", + session_id, stream_id, vb); + spin_unlock_irqrestore(&stream->stream_lock, flags); + return -EINVAL; +diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c +index 
55fc18e..3ee49db 100644 +--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c ++++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c +@@ -148,7 +148,7 @@ void msm_cpp_vbif_register_error_handler(void *dev, + int (*client_vbif_error_handler)(void *, uint32_t)) + { + if (dev == NULL || client >= VBIF_CLIENT_MAX) { +- pr_err("%s: Fail to register handler! dev = %p, client %d\n", ++ pr_err("%s: Fail to register handler! dev = %pK,client %d\n", + __func__, dev, client); + return; + } +@@ -1054,7 +1054,7 @@ int cpp_vbif_error_handler(void *dev, uint32_t vbif_error) + struct cpp_device *cpp_dev = NULL; + + if (dev == NULL || vbif_error >= CPP_VBIF_ERROR_MAX) { +- pr_err("failed: dev %p, vbif error %d\n", dev, vbif_error); ++ pr_err("failed: dev %pK,vbif error %d\n", dev, vbif_error); + return -EINVAL; + } + +@@ -1083,13 +1083,13 @@ static int cpp_open_node(struct v4l2_subdev *sd, struct v4l2_subdev_fh *fh) + CPP_DBG("E\n"); + + if (!sd || !fh) { +- pr_err("Wrong input parameters sd %p fh %p!", ++ pr_err("Wrong input parameters sd %pK fh %pK!", + sd, fh); + return -EINVAL; + } + cpp_dev = v4l2_get_subdevdata(sd); + if (!cpp_dev) { +- pr_err("failed: cpp_dev %p\n", cpp_dev); ++ pr_err("failed: cpp_dev %pK\n", cpp_dev); + return -EINVAL; + } + mutex_lock(&cpp_dev->mutex); +@@ -1112,7 +1112,7 @@ static int cpp_open_node(struct v4l2_subdev *sd, struct v4l2_subdev_fh *fh) + return -ENODEV; + } + +- CPP_DBG("open %d %p\n", i, &fh->vfh); ++ CPP_DBG("open %d %pK\n", i, &fh->vfh); + cpp_dev->cpp_open_cnt++; + if (cpp_dev->cpp_open_cnt == 1) { + rc = cpp_init_hardware(cpp_dev); +@@ -1158,7 +1158,7 @@ static int cpp_close_node(struct v4l2_subdev *sd, struct v4l2_subdev_fh *fh) + cpp_dev = v4l2_get_subdevdata(sd); + + if (!cpp_dev) { +- pr_err("failed: cpp_dev %p\n", cpp_dev); ++ pr_err("failed: cpp_dev %pK\n", cpp_dev); + return -EINVAL; + } + +@@ -1446,7 +1446,7 @@ static void msm_cpp_do_timeout_work(struct work_struct *work) + mutex_lock(&cpp_dev->mutex); + + if 
(!work || (cpp_timer.data.cpp_dev->state != CPP_STATE_ACTIVE)) { +- pr_err("Invalid work:%p or state:%d\n", work, ++ pr_err("Invalid work:%pK or state:%d\n", work, + cpp_timer.data.cpp_dev->state); + /* Do not flush queue here as it is not a fatal error */ + goto end; +@@ -2512,7 +2512,7 @@ static int msm_cpp_copy_from_ioctl_ptr(void *dst_ptr, + { + int ret; + if ((ioctl_ptr->ioctl_ptr == NULL) || (ioctl_ptr->len == 0)) { +- pr_err("%s: Wrong ioctl_ptr %p / len %zu\n", __func__, ++ pr_err("%s: Wrong ioctl_ptr %pK / len %zu\n", __func__, + ioctl_ptr, ioctl_ptr->len); + return -EINVAL; + } +@@ -2535,7 +2535,7 @@ static int msm_cpp_copy_from_ioctl_ptr(void *dst_ptr, + { + int ret; + if ((ioctl_ptr->ioctl_ptr == NULL) || (ioctl_ptr->len == 0)) { +- pr_err("%s: Wrong ioctl_ptr %p / len %zu\n", __func__, ++ pr_err("%s: Wrong ioctl_ptr %pK / len %zu\n", __func__, + ioctl_ptr, ioctl_ptr->len); + return -EINVAL; + } +@@ -2607,14 +2607,14 @@ static int msm_cpp_validate_input(unsigned int cmd, void *arg, + break; + default: { + if (ioctl_ptr == NULL) { +- pr_err("Wrong ioctl_ptr %p\n", ioctl_ptr); ++ pr_err("Wrong ioctl_ptr %pK\n", ioctl_ptr); + return -EINVAL; + } + + *ioctl_ptr = arg; + if ((*ioctl_ptr == NULL) || + ((*ioctl_ptr)->ioctl_ptr == NULL)) { +- pr_err("Wrong arg %p\n", arg); ++ pr_err("Wrong arg %pK\n", arg); + return -EINVAL; + } + break; +@@ -2631,7 +2631,7 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd, + int rc = 0; + + if (sd == NULL) { +- pr_err("sd %p\n", sd); ++ pr_err("sd %pK\n", sd); + return -EINVAL; + } + cpp_dev = v4l2_get_subdevdata(sd); +@@ -2707,7 +2707,7 @@ long msm_cpp_subdev_ioctl(struct v4l2_subdev *sd, + &cpp_dev->pdev->dev); + if (rc) { + dev_err(&cpp_dev->pdev->dev, +- "Fail to loc blob %s dev %p, rc:%d\n", ++ "Fail to loc blob %s dev %pK, rc:%d\n", + cpp_dev->fw_name_bin, + &cpp_dev->pdev->dev, rc); + kfree(cpp_dev->fw_name_bin); +@@ -3170,14 +3170,15 @@ static long msm_cpp_subdev_do_ioctl( + struct v4l2_fh *vfh = NULL; + + if ((arg 
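Review bot: Both variants of msm_cpp_copy_from_ioctl_ptr test `ioctl_ptr->ioctl_ptr == NULL` and `ioctl_ptr->len == 0`, but the rewritten message prints `ioctl_ptr`, the address of the kernel-side struct, rather than the field that failed. The check only fails on a NULL field or a zero length, so `pr_err("%s: Wrong ioctl_ptr / len %zu\n", __func__, ioctl_ptr->len);` reports what matters and takes the pointer out of the log line entirely. The function bodies continue outside the hunks.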
== NULL) || (file == NULL)) { +- pr_err("Invalid input parameters arg %p, file %p\n", arg, file); ++ pr_err("Invalid input parameters arg %pK, file %pK\n", ++ arg, file); + return -EINVAL; + } + vdev = video_devdata(file); + sd = vdev_to_v4l2_subdev(vdev); + + if (sd == NULL) { +- pr_err("Invalid input parameter sd %p\n", sd); ++ pr_err("Invalid input parameter sd %pK\n", sd); + return -EINVAL; + } + vfh = file->private_data; +@@ -3451,7 +3452,7 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file, + } + cpp_dev = v4l2_get_subdevdata(sd); + if (!vdev || !cpp_dev) { +- pr_err("Invalid vdev %p or cpp_dev %p structures!", ++ pr_err("Invalid vdev %pK or cpp_dev %pK structures!", + vdev, cpp_dev); + return -EINVAL; + } +diff --git a/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c b/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c +index bf4d359..f2f1dca 100644 +--- a/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c ++++ b/drivers/media/platform/msm/camera_v2/pproc/vpe/msm_vpe.c +@@ -56,12 +56,12 @@ static void vpe_mem_dump(const char * const name, const void * const addr, + int i; + u32 *p = (u32 *) addr; + u32 data; +- VPE_DBG("%s: (%s) %p %d\n", __func__, name, addr, size); ++ VPE_DBG("%s: (%s) %pK %d\n", __func__, name, addr, size); + line_str[0] = '\0'; + p_str = line_str; + for (i = 0; i < size/4; i++) { + if (i % 4 == 0) { +- snprintf(p_str, 12, "%p: ", p); ++ snprintf(p_str, 12, "%pK: ", p); + p_str += 10; + } + data = *p++; +@@ -614,7 +614,7 @@ static int vpe_open_node(struct v4l2_subdev *sd, struct v4l2_subdev_fh *fh) + goto err_mutex_unlock; + } + +- VPE_DBG("open %d %p\n", i, &fh->vfh); ++ VPE_DBG("open %d %pK\n", i, &fh->vfh); + vpe_dev->vpe_open_cnt++; + if (vpe_dev->vpe_open_cnt == 1) { + rc = vpe_init_hardware(vpe_dev); +@@ -669,7 +669,7 @@ static int vpe_close_node(struct v4l2_subdev *sd, struct v4l2_subdev_fh *fh) + return -ENODEV; + } + +- VPE_DBG("close %d %p\n", i, &fh->vfh); ++ VPE_DBG("close %d %pK\n", i, 
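Review bot: In vpe_mem_dump the rewritten `snprintf(p_str, 12, "%pK: ", p);` is still followed by `p_str += 10;`, which only matches an 8-digit pointer plus `": "`. On a 64-bit build the 12-byte bound would truncate the address and lose the separator; that was already true with `%p`, and the hunk does not show which width the target uses. With `%pK` the column is masked whenever kptr_restrict hides it, so a fixed-width byte offset is more useful in a dump: `snprintf(p_str, 12, "%08x: ", (u32)(i * 4));`. The dump loop continues outside the hunk.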
&fh->vfh); + vpe_dev->vpe_open_cnt--; + if (vpe_dev->vpe_open_cnt == 0) { + vpe_deinit_mem(vpe_dev); +diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c +index 0ad3d9a..c33e66f 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c +@@ -583,7 +583,7 @@ static int32_t msm_actuator_move_focus( + if ((a_ctrl->region_size <= 0) || + (a_ctrl->region_size > MAX_ACTUATOR_REGION) || + (!move_params->ringing_params)) { +- pr_err("Invalid-region size = %d, ringing_params = %p\n", ++ pr_err("Invalid-region size = %d, ringing_params = %pK\n", + a_ctrl->region_size, move_params->ringing_params); + return -EFAULT; + } +@@ -703,7 +703,7 @@ static int32_t msm_actuator_bivcm_move_focus( + if ((a_ctrl->region_size <= 0) || + (a_ctrl->region_size > MAX_ACTUATOR_REGION) || + (!move_params->ringing_params)) { +- pr_err("Invalid-region size = %d, ringing_params = %p\n", ++ pr_err("Invalid-region size = %d, ringing_params = %pK\n", + a_ctrl->region_size, move_params->ringing_params); + return -EFAULT; + } +@@ -1516,7 +1516,7 @@ static long msm_actuator_subdev_ioctl(struct v4l2_subdev *sd, + struct msm_actuator_ctrl_t *a_ctrl = v4l2_get_subdevdata(sd); + void __user *argp = (void __user *)arg; + CDBG("Enter\n"); +- CDBG("%s:%d a_ctrl %p argp %p\n", __func__, __LINE__, a_ctrl, argp); ++ CDBG("%s:%d a_ctrl %pK argp %pK\n", __func__, __LINE__, a_ctrl, argp); + switch (cmd) { + case VIDIOC_MSM_SENSOR_GET_SUBDEV_ID: + return msm_actuator_get_subdev_id(a_ctrl, argp); +@@ -1777,7 +1777,7 @@ static int32_t msm_actuator_i2c_probe(struct i2c_client *client, + goto probe_failure; + } + +- CDBG("client = 0x%p\n", client); ++ CDBG("client = 0x%pK\n", client); + + rc = of_property_read_u32(client->dev.of_node, "cell-index", + &act_ctrl_t->subdev_id); +diff --git 
a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c +index 7099d9f..817870e 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/cci/msm_cci.c +@@ -945,7 +945,7 @@ static int32_t msm_cci_i2c_read_bytes(struct v4l2_subdev *sd, + uint16_t read_bytes = 0; + + if (!sd || !c_ctrl) { +- pr_err("%s:%d sd %p c_ctrl %p\n", __func__, ++ pr_err("%s:%d sd %pK c_ctrl %pK\n", __func__, + __LINE__, sd, c_ctrl); + return -EINVAL; + } +@@ -1238,7 +1238,7 @@ static int32_t msm_cci_i2c_set_sync_prms(struct v4l2_subdev *sd, + + cci_dev = v4l2_get_subdevdata(sd); + if (!cci_dev || !c_ctrl) { +- pr_err("%s:%d failed: invalid params %p %p\n", __func__, ++ pr_err("%s:%d failed: invalid params %pK %pK\n", __func__, + __LINE__, cci_dev, c_ctrl); + rc = -EINVAL; + return rc; +@@ -1260,7 +1260,7 @@ static int32_t msm_cci_init(struct v4l2_subdev *sd, + + cci_dev = v4l2_get_subdevdata(sd); + if (!cci_dev || !c_ctrl) { +- pr_err("%s:%d failed: invalid params %p %p\n", __func__, ++ pr_err("%s:%d failed: invalid params %pK %pK\n", __func__, + __LINE__, cci_dev, c_ctrl); + rc = -EINVAL; + return rc; +@@ -1539,7 +1539,7 @@ static int32_t msm_cci_write(struct v4l2_subdev *sd, + + cci_dev = v4l2_get_subdevdata(sd); + if (!cci_dev || !c_ctrl) { +- pr_err("%s:%d failed: invalid params %p %p\n", __func__, ++ pr_err("%s:%d failed: invalid params %pK %pK\n", __func__, + __LINE__, cci_dev, c_ctrl); + rc = -EINVAL; + return rc; +@@ -1984,7 +1984,7 @@ static int msm_cci_probe(struct platform_device *pdev) + { + struct cci_device *new_cci_dev; + int rc = 0, i = 0; +- CDBG("%s: pdev %p device id = %d\n", __func__, pdev, pdev->id); ++ CDBG("%s: pdev %pK device id = %d\n", __func__, pdev, pdev->id); + new_cci_dev = kzalloc(sizeof(struct cci_device), GFP_KERNEL); + if (!new_cci_dev) { + pr_err("%s: no enough memory\n", __func__); +@@ -1996,7 +1996,7 @@ static int 
msm_cci_probe(struct platform_device *pdev) + ARRAY_SIZE(new_cci_dev->msm_sd.sd.name), "msm_cci"); + v4l2_set_subdevdata(&new_cci_dev->msm_sd.sd, new_cci_dev); + platform_set_drvdata(pdev, &new_cci_dev->msm_sd.sd); +- CDBG("%s sd %p\n", __func__, &new_cci_dev->msm_sd.sd); ++ CDBG("%s sd %pK\n", __func__, &new_cci_dev->msm_sd.sd); + if (pdev->dev.of_node) + of_property_read_u32((&pdev->dev)->of_node, + "cell-index", &pdev->id); +@@ -2071,7 +2071,7 @@ static int msm_cci_probe(struct platform_device *pdev) + if (!new_cci_dev->write_wq[i]) + pr_err("Failed to create write wq\n"); + } +- CDBG("%s cci subdev %p\n", __func__, &new_cci_dev->msm_sd.sd); ++ CDBG("%s cci subdev %pK\n", __func__, &new_cci_dev->msm_sd.sd); + CDBG("%s line %d\n", __func__, __LINE__); + return 0; + +diff --git a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c +index ef07a54..46e8594 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/csid/msm_csid.c +@@ -265,7 +265,7 @@ static int msm_csid_config(struct csid_device *csid_dev, + void __iomem *csidbase; + csidbase = csid_dev->base; + if (!csidbase || !csid_params) { +- pr_err("%s:%d csidbase %p, csid params %p\n", __func__, ++ pr_err("%s:%d csidbase %pK, csid params %pK\n", __func__, + __LINE__, csidbase, csid_params); + return -EINVAL; + } +@@ -651,7 +651,7 @@ static int32_t msm_csid_cmd(struct csid_device *csid_dev, void __user *arg) + struct csid_cfg_data *cdata = (struct csid_cfg_data *)arg; + + if (!csid_dev || !cdata) { +- pr_err("%s:%d csid_dev %p, cdata %p\n", __func__, __LINE__, ++ pr_err("%s:%d csid_dev %pK, cdata %pK\n", __func__, __LINE__, + csid_dev, cdata); + return -EINVAL; + } +@@ -792,7 +792,7 @@ static int32_t msm_csid_cmd32(struct csid_device *csid_dev, void __user *arg) + cdata = &local_arg; + + if (!csid_dev || !cdata) { +- pr_err("%s:%d csid_dev %p, cdata %p\n", __func__, __LINE__, 
++ pr_err("%s:%d csid_dev %pK, cdata %pK\n", __func__, __LINE__, + csid_dev, cdata); + return -EINVAL; + } +diff --git a/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c b/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c +index 8363912..7bdaf67 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/csiphy/msm_csiphy.c +@@ -497,7 +497,7 @@ static int msm_csiphy_lane_config(struct csiphy_device *csiphy_dev, + val |= csiphy_params->csid_core; + } + msm_camera_io_w(val, csiphy_dev->clk_mux_base); +- CDBG("%s clk mux addr %p val 0x%x\n", __func__, ++ CDBG("%s clk mux addr %pK val 0x%x\n", __func__, + csiphy_dev->clk_mux_base, val); + /* ensure write is done */ + mb(); +@@ -924,7 +924,7 @@ static int msm_csiphy_release(struct csiphy_device *csiphy_dev, void *arg) + mipi_csiphy_glbl_pwr_cfg_addr); + } else { + if (!csi_lane_params) { +- pr_err("%s:%d failed: csi_lane_params %p\n", __func__, ++ pr_err("%s:%d failed: csi_lane_params %pK\n", __func__, + __LINE__, csi_lane_params); + return -EINVAL; + } +@@ -1030,7 +1030,7 @@ static int msm_csiphy_release(struct csiphy_device *csiphy_dev, void *arg) + mipi_csiphy_glbl_pwr_cfg_addr); + } else { + if (!csi_lane_params) { +- pr_err("%s:%d failed: csi_lane_params %p\n", __func__, ++ pr_err("%s:%d failed: csi_lane_params %pK\n", __func__, + __LINE__, csi_lane_params); + return -EINVAL; + } +diff --git a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c +index 8e50646..c9f2c8c 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/eeprom/msm_eeprom.c +@@ -696,7 +696,7 @@ static long msm_eeprom_subdev_ioctl(struct v4l2_subdev *sd, + struct msm_eeprom_ctrl_t *e_ctrl = v4l2_get_subdevdata(sd); + void __user *argp = (void __user *)arg; + CDBG("%s E\n", __func__); +- CDBG("%s:%d 
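Review bot: In msm_csid_cmd32 the context line `cdata = &local_arg;` comes directly before `if (!csid_dev || !cdata)`, so `!cdata` can never be true and the second value in the rewritten message is the address of a stack variable. Checking and reporting only the device pointer avoids formatting a stack address: `if (!csid_dev) {` with `pr_err("%s:%d csid_dev is NULL\n", __func__, __LINE__);`. The function body continues outside the hunk.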
a_ctrl %p argp %p\n", __func__, __LINE__, e_ctrl, argp); ++ CDBG("%s:%d a_ctrl %pK argp %pK\n", __func__, __LINE__, e_ctrl, argp); + switch (cmd) { + case VIDIOC_MSM_SENSOR_GET_SUBDEV_ID: + return msm_eeprom_get_subdev_id(e_ctrl, argp); +@@ -795,7 +795,7 @@ static int msm_eeprom_i2c_probe(struct i2c_client *client, + } + e_ctrl->eeprom_v4l2_subdev_ops = &msm_eeprom_subdev_ops; + e_ctrl->eeprom_mutex = &msm_eeprom_mutex; +- CDBG("%s client = 0x%p\n", __func__, client); ++ CDBG("%s client = 0x%pK\n", __func__, client); + e_ctrl->eboard_info = (struct msm_eeprom_board_info *)(id->driver_data); + if (!e_ctrl->eboard_info) { + pr_err("%s:%d board info NULL\n", __func__, __LINE__); +@@ -1521,7 +1521,7 @@ static long msm_eeprom_subdev_ioctl32(struct v4l2_subdev *sd, + void __user *argp = (void __user *)arg; + + CDBG("%s E\n", __func__); +- CDBG("%s:%d a_ctrl %p argp %p\n", __func__, __LINE__, e_ctrl, argp); ++ CDBG("%s:%d a_ctrl %pK argp %pK\n", __func__, __LINE__, e_ctrl, argp); + switch (cmd) { + case VIDIOC_MSM_SENSOR_GET_SUBDEV_ID: + return msm_eeprom_get_subdev_id(e_ctrl, argp); +diff --git a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c +index 86d61e7..84bd3fe 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/flash/msm_flash.c +@@ -347,7 +347,7 @@ static int32_t msm_flash_i2c_release( + int32_t rc = 0; + + if (!(&flash_ctrl->power_info) || !(&flash_ctrl->flash_i2c_client)) { +- pr_err("%s:%d failed: %p %p\n", ++ pr_err("%s:%d failed: %pK %pK\n", + __func__, __LINE__, &flash_ctrl->power_info, + &flash_ctrl->flash_i2c_client); + return -EINVAL; +diff --git a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_dt_util.c b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_dt_util.c +index af47235..6b867bf 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_dt_util.c ++++ 
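Review bot: The guard in msm_flash_i2c_release, `if (!(&flash_ctrl->power_info) || !(&flash_ctrl->flash_i2c_client))`, tests the addresses of two struct members, which are non-NULL for any non-NULL `flash_ctrl`, so the branch holding the rewritten `pr_err` looks unreachable and does not reliably catch a NULL `flash_ctrl`. If the intent was to validate the argument, `if (!flash_ctrl) {` with `pr_err("%s:%d failed: flash_ctrl is NULL\n", __func__, __LINE__);` does that without printing any address. The rest of the function is outside the hunk, so an earlier check may already exist.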
b/drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_dt_util.c +@@ -34,7 +34,7 @@ int msm_camera_fill_vreg_params(struct camera_vreg_t *cam_vreg, + + /* Validate input parameters */ + if (!cam_vreg || !power_setting) { +- pr_err("%s:%d failed: cam_vreg %p power_setting %p", __func__, ++ pr_err("%s:%d failed: cam_vreg %pK power_setting %pK", __func__, + __LINE__, cam_vreg, power_setting); + return -EINVAL; + } +@@ -1327,7 +1327,7 @@ int msm_camera_power_up(struct msm_camera_power_ctrl_t *ctrl, + + CDBG("%s:%d\n", __func__, __LINE__); + if (!ctrl || !sensor_i2c_client) { +- pr_err("failed ctrl %p sensor_i2c_client %p\n", ctrl, ++ pr_err("failed ctrl %pK sensor_i2c_client %pK\n", ctrl, + sensor_i2c_client); + return -EINVAL; + } +@@ -1549,7 +1549,7 @@ int msm_camera_power_down(struct msm_camera_power_ctrl_t *ctrl, + + CDBG("%s:%d\n", __func__, __LINE__); + if (!ctrl || !sensor_i2c_client) { +- pr_err("failed ctrl %p sensor_i2c_client %p\n", ctrl, ++ pr_err("failed ctrl %pK sensor_i2c_client %pK\n", ctrl, + sensor_i2c_client); + return -EINVAL; + } +diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c +index 6a4dcdc..d09e29d 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c +@@ -106,7 +106,7 @@ int msm_sensor_power_down(struct msm_sensor_ctrl_t *s_ctrl) + struct msm_camera_i2c_client *sensor_i2c_client; + + if (!s_ctrl) { +- pr_err("%s:%d failed: s_ctrl %p\n", ++ pr_err("%s:%d failed: s_ctrl %pK\n", + __func__, __LINE__, s_ctrl); + return -EINVAL; + } +@@ -119,7 +119,7 @@ int msm_sensor_power_down(struct msm_sensor_ctrl_t *s_ctrl) + sensor_i2c_client = s_ctrl->sensor_i2c_client; + + if (!power_info || !sensor_i2c_client) { +- pr_err("%s:%d failed: power_info %p sensor_i2c_client %p\n", ++ pr_err("%s:%d failed: power_info %pK sensor_i2c_client %pK\n", + __func__, __LINE__, power_info, sensor_i2c_client); 
+ return -EINVAL; + } +@@ -137,7 +137,7 @@ int msm_sensor_power_up(struct msm_sensor_ctrl_t *s_ctrl) + uint32_t retry = 0; + + if (!s_ctrl) { +- pr_err("%s:%d failed: %p\n", ++ pr_err("%s:%d failed: %pK\n", + __func__, __LINE__, s_ctrl); + return -EINVAL; + } +@@ -152,7 +152,7 @@ int msm_sensor_power_up(struct msm_sensor_ctrl_t *s_ctrl) + + if (!power_info || !sensor_i2c_client || !slave_info || + !sensor_name) { +- pr_err("%s:%d failed: %p %p %p %p\n", ++ pr_err("%s:%d failed: %pK %pK %pK %pK\n", + __func__, __LINE__, power_info, + sensor_i2c_client, slave_info, sensor_name); + return -EINVAL; +@@ -208,7 +208,7 @@ int msm_sensor_match_id(struct msm_sensor_ctrl_t *s_ctrl) + const char *sensor_name; + + if (!s_ctrl) { +- pr_err("%s:%d failed: %p\n", ++ pr_err("%s:%d failed: %pK\n", + __func__, __LINE__, s_ctrl); + return -EINVAL; + } +@@ -217,7 +217,7 @@ int msm_sensor_match_id(struct msm_sensor_ctrl_t *s_ctrl) + sensor_name = s_ctrl->sensordata->sensor_name; + + if (!sensor_i2c_client || !slave_info || !sensor_name) { +- pr_err("%s:%d failed: %p %p %p\n", ++ pr_err("%s:%d failed: %pK %pK %pK\n", + __func__, __LINE__, sensor_i2c_client, slave_info, + sensor_name); + return -EINVAL; +@@ -1450,13 +1450,13 @@ int32_t msm_sensor_init_default_params(struct msm_sensor_ctrl_t *s_ctrl) + + /* Validate input parameters */ + if (!s_ctrl) { +- pr_err("%s:%d failed: invalid params s_ctrl %p\n", __func__, ++ pr_err("%s:%d failed: invalid params s_ctrl %pK\n", __func__, + __LINE__, s_ctrl); + return -EINVAL; + } + + if (!s_ctrl->sensor_i2c_client) { +- pr_err("%s:%d failed: invalid params sensor_i2c_client %p\n", ++ pr_err("%s:%d failed: invalid params sensor_i2c_client %pK\n", + __func__, __LINE__, s_ctrl->sensor_i2c_client); + return -EINVAL; + } +@@ -1465,7 +1465,7 @@ int32_t msm_sensor_init_default_params(struct msm_sensor_ctrl_t *s_ctrl) + s_ctrl->sensor_i2c_client->cci_client = kzalloc(sizeof( + struct msm_camera_cci_client), GFP_KERNEL); + if 
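Review bot: The unlabeled `failed: %pK %pK %pK %pK` message in the second msm_sensor_power_up hunk stops being useful once the pointers are hidden, because a restricted `%pK` prints the same value for every argument and the log no longer shows which one was NULL. Logging the NULL-ness by name keeps the diagnostic and leaks no address: `pr_err("%s:%d failed: power_info %d i2c_client %d slave_info %d sensor_name %d\n", __func__, __LINE__, !!power_info, !!sensor_i2c_client, !!slave_info, !!sensor_name);`. The three-pointer message in the second msm_sensor_match_id hunk has the same problem. In the single-pointer checks (`if (!s_ctrl)`) the argument is always NULL, so the specifier can simply be dropped.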
(!s_ctrl->sensor_i2c_client->cci_client) { +- pr_err("%s:%d failed: no memory cci_client %p\n", __func__, ++ pr_err("%s:%d failed: no memory cci_client %pK\n", __func__, + __LINE__, s_ctrl->sensor_i2c_client->cci_client); + return -ENOMEM; + } +diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c +index 36ad847..d075a6d 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c +@@ -474,10 +474,8 @@ static int32_t msm_sensor_get_power_down_settings(void *setting, + } + /* Allocate memory for power down setting */ + pd = kzalloc(sizeof(*pd) * size_down, GFP_KERNEL); +- if (!pd) { +- pr_err("failed: no memory power_setting %p", pd); ++ if (!pd) + return -EFAULT; +- } + + if (slave_info->power_setting_array.power_down_setting) { + #ifdef CONFIG_COMPAT +@@ -541,10 +539,8 @@ static int32_t msm_sensor_get_power_up_settings(void *setting, + + /* Allocate memory for power up setting */ + pu = kzalloc(sizeof(*pu) * size, GFP_KERNEL); +- if (!pu) { +- pr_err("failed: no memory power_setting %p", pu); ++ if (!pu) + return -ENOMEM; +- } + + #ifdef CONFIG_COMPAT + if (is_compat_task()) { +@@ -655,22 +651,20 @@ int32_t msm_sensor_driver_probe(void *setting, + + /* Validate input parameters */ + if (!setting) { +- pr_err("failed: slave_info %p", setting); ++ pr_err("failed: slave_info %pK", setting); + return -EINVAL; + } + + /* Allocate memory for slave info */ + slave_info = kzalloc(sizeof(*slave_info), GFP_KERNEL); +- if (!slave_info) { +- pr_err("failed: no memory slave_info %p", slave_info); ++ if (!slave_info) + return -ENOMEM; +- } + #ifdef CONFIG_COMPAT + if (is_compat_task()) { + struct msm_camera_sensor_slave_info32 *slave_info32 = + kzalloc(sizeof(*slave_info32), GFP_KERNEL); + if (!slave_info32) { +- pr_err("failed: no memory for slave_info32 %p\n", ++ pr_err("failed: no memory for 
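Review bot: The allocation in the msm_sensor_get_power_down_settings hunk still multiplies `sizeof(*pd) * size_down` by hand, and the power-up hunk does the same with `sizeof(*pu) * size`, so a large count can wrap the size and give a short buffer. Whether either count is range-checked happens before the hunks and cannot be confirmed from here. `pd = kcalloc(size_down, sizeof(*pd), GFP_KERNEL);` and `pu = kcalloc(size, sizeof(*pu), GFP_KERNEL);` make the overflow check part of the allocation. The power-down path also returns `-EFAULT` on allocation failure where the power-up path returns `-ENOMEM`; `return -ENOMEM;` would make the two agree.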
slave_info32 %pK\n", + slave_info32); + rc = -ENOMEM; + goto free_slave_info; +@@ -765,13 +759,13 @@ int32_t msm_sensor_driver_probe(void *setting, + /* Extract s_ctrl from camera id */ + s_ctrl = g_sctrl[slave_info->camera_id]; + if (!s_ctrl) { +- pr_err("failed: s_ctrl %p for camera_id %d", s_ctrl, ++ pr_err("failed: s_ctrl %pK for camera_id %d", s_ctrl, + slave_info->camera_id); + rc = -EINVAL; + goto free_slave_info; + } + +- CDBG("s_ctrl[%d] %p", slave_info->camera_id, s_ctrl); ++ CDBG("s_ctrl[%d] %pK", slave_info->camera_id, s_ctrl); + + if (s_ctrl->is_probe_succeed == 1) { + /* +@@ -811,12 +805,9 @@ int32_t msm_sensor_driver_probe(void *setting, + + + camera_info = kzalloc(sizeof(struct msm_camera_slave_info), GFP_KERNEL); +- if (!camera_info) { +- pr_err("failed: no memory slave_info %p", camera_info); ++ if (!camera_info) + goto free_slave_info; + +- } +- + s_ctrl->sensordata->slave_info = camera_info; + + /* Fill sensor slave info */ +@@ -828,7 +819,7 @@ int32_t msm_sensor_driver_probe(void *setting, + + /* Fill CCI master, slave address and CCI default params */ + if (!s_ctrl->sensor_i2c_client) { +- pr_err("failed: sensor_i2c_client %p", ++ pr_err("failed: sensor_i2c_client %pK", + s_ctrl->sensor_i2c_client); + rc = -EINVAL; + goto free_camera_info; +@@ -841,7 +832,7 @@ int32_t msm_sensor_driver_probe(void *setting, + + cci_client = s_ctrl->sensor_i2c_client->cci_client; + if (!cci_client) { +- pr_err("failed: cci_client %p", cci_client); ++ pr_err("failed: cci_client %pK", cci_client); + goto free_camera_info; + } + cci_client->cci_i2c_master = s_ctrl->cci_i2c_master; +@@ -1129,7 +1120,7 @@ static int32_t msm_sensor_driver_parse(struct msm_sensor_ctrl_t *s_ctrl) + s_ctrl->sensor_i2c_client = kzalloc(sizeof(*s_ctrl->sensor_i2c_client), + GFP_KERNEL); + if (!s_ctrl->sensor_i2c_client) { +- pr_err("failed: no memory sensor_i2c_client %p", ++ pr_err("failed: no memory sensor_i2c_client %pK", + s_ctrl->sensor_i2c_client); + return -ENOMEM; + } +@@ -1138,7 
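Review bot: After the simplification in msm_sensor_driver_probe, `if (!camera_info) goto free_slave_info;` jumps to the cleanup label without assigning an error code, and the `if (!cci_client)` branch a few hunks later does the same before `goto free_camera_info;`. If `rc` still holds a success value at those points (its last assignment is outside the hunks), the probe would report success after a failed allocation. Setting it explicitly removes the doubt: `if (!camera_info) { rc = -ENOMEM; goto free_slave_info; }` and `rc = -EINVAL;` before the cci_client goto. The msm_sensor_mutex failure path in msm_sensor_driver_parse (`goto FREE_SENSOR_I2C_CLIENT;`) follows the same pattern.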
+1129,7 @@ static int32_t msm_sensor_driver_parse(struct msm_sensor_ctrl_t *s_ctrl) + s_ctrl->msm_sensor_mutex = kzalloc(sizeof(*s_ctrl->msm_sensor_mutex), + GFP_KERNEL); + if (!s_ctrl->msm_sensor_mutex) { +- pr_err("failed: no memory msm_sensor_mutex %p", ++ pr_err("failed: no memory msm_sensor_mutex %pK", + s_ctrl->msm_sensor_mutex); + goto FREE_SENSOR_I2C_CLIENT; + } +@@ -1167,7 +1158,7 @@ static int32_t msm_sensor_driver_parse(struct msm_sensor_ctrl_t *s_ctrl) + + /* Store sensor control structure in static database */ + g_sctrl[s_ctrl->id] = s_ctrl; +- CDBG("g_sctrl[%d] %p", s_ctrl->id, g_sctrl[s_ctrl->id]); ++ CDBG("g_sctrl[%d] %pK", s_ctrl->id, g_sctrl[s_ctrl->id]); + + return rc; + +@@ -1191,10 +1182,8 @@ static int32_t msm_sensor_driver_platform_probe(struct platform_device *pdev) + + /* Create sensor control structure */ + s_ctrl = kzalloc(sizeof(*s_ctrl), GFP_KERNEL); +- if (!s_ctrl) { +- pr_err("failed: no memory s_ctrl %p", s_ctrl); ++ if (!s_ctrl) + return -ENOMEM; +- } + + platform_set_drvdata(pdev, s_ctrl); + +@@ -1238,10 +1227,8 @@ static int32_t msm_sensor_driver_i2c_probe(struct i2c_client *client, + + /* Create sensor control structure */ + s_ctrl = kzalloc(sizeof(*s_ctrl), GFP_KERNEL); +- if (!s_ctrl) { +- pr_err("failed: no memory s_ctrl %p", s_ctrl); ++ if (!s_ctrl) + return -ENOMEM; +- } + + i2c_set_clientdata(client, s_ctrl); + +diff --git a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_init.c b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_init.c +index 8b6e3d3..ed0b974 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_init.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_init.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2013-2016, The Linux Foundation. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -64,7 +64,7 @@ static int32_t msm_sensor_driver_cmd(struct msm_sensor_init_t *s_init, + + /* Validate input parameters */ + if (!s_init || !cfg) { +- pr_err("failed: s_init %p cfg %p", s_init, cfg); ++ pr_err("failed: s_init %pK cfg %pK", s_init, cfg); + return -EINVAL; + } + +@@ -106,7 +106,7 @@ static long msm_sensor_init_subdev_ioctl(struct v4l2_subdev *sd, + + /* Validate input parameters */ + if (!s_init) { +- pr_err("failed: s_init %p", s_init); ++ pr_err("failed: s_init %pK", s_init); + return -EINVAL; + } + +@@ -167,12 +167,10 @@ static int __init msm_sensor_init_module(void) + int ret = 0; + /* Allocate memory for msm_sensor_init control structure */ + s_init = kzalloc(sizeof(struct msm_sensor_init_t), GFP_KERNEL); +- if (!s_init) { +- pr_err("failed: no memory s_init %p", NULL); ++ if (!s_init) + return -ENOMEM; +- } + +- CDBG("MSM_SENSOR_INIT_MODULE %p", NULL); ++ CDBG("MSM_SENSOR_INIT_MODULE %pK", NULL); + + /* Initialize mutex */ + mutex_init(&s_init->imutex); +diff --git a/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c b/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c +index 947eeaf..82c9e5c5 100644 +--- a/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c ++++ b/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c +@@ -448,7 +448,7 @@ static long msm_ois_subdev_ioctl(struct v4l2_subdev *sd, + struct msm_ois_ctrl_t *o_ctrl = v4l2_get_subdevdata(sd); + void __user *argp = (void __user *)arg; + CDBG("Enter\n"); +- CDBG("%s:%d o_ctrl %p argp %p\n", __func__, __LINE__, o_ctrl, argp); ++ CDBG("%s:%d o_ctrl %pK argp %pK\n", __func__, __LINE__, o_ctrl, argp); + switch (cmd) { + case VIDIOC_MSM_SENSOR_GET_SUBDEV_ID: + return msm_ois_get_subdev_id(o_ctrl, argp); +@@ -553,7 +553,7 @@ static int32_t msm_ois_i2c_probe(struct i2c_client *client, + goto probe_failure; + } + +- 
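Review bot: In the msm_sensor_init_module hunk the new line `CDBG("MSM_SENSOR_INIT_MODULE %pK", NULL);` formats the literal NULL, so the specifier can never print anything meaningful, restricted or not. Either drop the argument, `CDBG("MSM_SENSOR_INIT_MODULE\n");`, or, if the allocated object was meant, pass it: `CDBG("MSM_SENSOR_INIT_MODULE %pK\n", s_init);`. The message also lacks a trailing newline.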
CDBG("client = 0x%p\n", client); ++ CDBG("client = 0x%pK\n", client); + + rc = of_property_read_u32(client->dev.of_node, "cell-index", + &ois_ctrl_t->subdev_id); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-6757/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6757/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6757/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6757/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6757/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2016-6757/3.18/0002.patch new file mode 100644 index 00000000..8edc43e5 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-6757/3.18/0002.patch 
@@ -0,0 +1,2368 @@ +From f2ba68242d79016cc07b59aa41a67b7a1d36bf9b Mon Sep 17 00:00:00 2001 +From: Abhijit Kulkarni +Date: Mon, 12 Sep 2016 12:41:53 -0700 +Subject: msm: mdss: hide kernel addresses from unprevileged users + +for printing kernel pointers which should be hidden from unprivileged +users, use %pK which evaluates whether kptr_restrict is set. + +CRs-Fixed: 987021 +Change-Id: Ie49eee9478f4657cfb2a994ba60da1ec4c356339 +Signed-off-by: Abhijit Kulkarni +--- + drivers/video/msm/mdss/mdp3.c | 16 ++--- + drivers/video/msm/mdss/mdp3_ppp_hwio.c | 6 +- + drivers/video/msm/mdss/mdss_compat_utils.c | 18 ++--- + drivers/video/msm/mdss/mdss_debug.c | 4 +- + drivers/video/msm/mdss/mdss_debug_xlog.c | 14 ++-- + drivers/video/msm/mdss/mdss_dsi.c | 28 ++++---- + drivers/video/msm/mdss/mdss_dsi_clk.c | 6 +- + drivers/video/msm/mdss/mdss_dsi_host.c | 2 +- + drivers/video/msm/mdss/mdss_dsi_panel.c | 10 +-- + drivers/video/msm/mdss/mdss_fb.c | 12 ++-- + drivers/video/msm/mdss/mdss_hdmi_tx.c | 6 +- + drivers/video/msm/mdss/mdss_mdp.c | 12 ++-- + drivers/video/msm/mdss/mdss_mdp_intf_cmd.c | 6 +- + drivers/video/msm/mdss/mdss_mdp_intf_video.c | 10 +-- + drivers/video/msm/mdss/mdss_mdp_layer.c | 4 +- + drivers/video/msm/mdss/mdss_mdp_overlay.c | 10 +-- + drivers/video/msm/mdss/mdss_mdp_pipe.c | 4 +- + drivers/video/msm/mdss/mdss_mdp_pp.c | 70 +++++++++---------- + drivers/video/msm/mdss/mdss_mdp_pp_cache_config.c | 66 +++++++++--------- + drivers/video/msm/mdss/mdss_mdp_pp_v1_7.c | 82 +++++++++++------------ + drivers/video/msm/mdss/mdss_mdp_rotator.c | 6 +- + drivers/video/msm/mdss/mdss_mdp_util.c | 9 +-- + drivers/video/msm/mdss/mdss_mdp_wb.c | 10 +-- + drivers/video/msm/mdss/mdss_util.c | 2 +- + drivers/video/msm/mdss/mhl3/mhl_linux_tx.c | 4 +- + drivers/video/msm/mdss/mhl3/mhl_supp.c | 14 ++-- + drivers/video/msm/mdss/mhl3/platform.c | 8 +-- + drivers/video/msm/mdss/mhl3/si_8620_drv.c | 4 +- + drivers/video/msm/mdss/mhl3/si_emsc_hid.c | 8 +-- + 
drivers/video/msm/mdss/mhl3/si_mdt_inputdev.c | 27 ++++---- + drivers/video/msm/mdss/mhl3/si_mhl2_edid_3d.c | 27 ++++---- + 31 files changed, 253 insertions(+), 252 deletions(-) + +diff --git a/drivers/video/msm/mdss/mdp3.c b/drivers/video/msm/mdss/mdp3.c +index 88e34c3..b5deef6 100644 +--- a/drivers/video/msm/mdss/mdp3.c ++++ b/drivers/video/msm/mdss/mdp3.c +@@ -1135,7 +1135,7 @@ static int mdp3_res_init(void) + + mdp3_res->ion_client = msm_ion_client_create(mdp3_res->pdev->name); + if (IS_ERR_OR_NULL(mdp3_res->ion_client)) { +- pr_err("msm_ion_client_create() return error (%p)\n", ++ pr_err("msm_ion_client_create() return error (%pK)\n", + mdp3_res->ion_client); + mdp3_res->ion_client = NULL; + return -EINVAL; +@@ -1565,7 +1565,7 @@ void mdp3_unmap_iommu(struct ion_client *client, struct ion_handle *handle) + mutex_lock(&mdp3_res->iommu_lock); + meta = mdp3_iommu_meta_lookup(table); + if (!meta) { +- WARN(1, "%s: buffer was never mapped for %p\n", __func__, ++ WARN(1, "%s: buffer was never mapped for %pK\n", __func__, + handle); + mutex_unlock(&mdp3_res->iommu_lock); + return; +@@ -1591,7 +1591,7 @@ static void mdp3_iommu_meta_add(struct mdp3_iommu_meta *meta) + } else if (meta->table > entry->table) { + p = &(*p)->rb_right; + } else { +- pr_err("%s: handle %p already exists\n", __func__, ++ pr_err("%s: handle %pK already exists\n", __func__, + entry->handle); + BUG(); + } +@@ -1654,7 +1654,7 @@ static int mdp3_iommu_map_iommu(struct mdp3_iommu_meta *meta, + ret = iommu_map_range(domain, meta->iova_addr + padding, + table->sgl, size, prot); + if (ret) { +- pr_err("%s: could not map %pa in domain %p\n", ++ pr_err("%s: could not map %pa in domain %pK\n", + __func__, &meta->iova_addr, domain); + unmap_size = padding; + goto out2; +@@ -1777,12 +1777,12 @@ int mdp3_self_map_iommu(struct ion_client *client, struct ion_handle *handle, + } + } else { + if (iommu_meta->flags != iommu_flags) { +- pr_err("%s: hndl %p already mapped with diff flag\n", ++ pr_err("%s: hndl %pK 
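Review bot: In the mdp3_res_init hunk the value printed with `%pK` is one that just failed `IS_ERR_OR_NULL()`, so it is an encoded error code (or NULL), not a kernel address worth hiding. With pointer restriction active, the message loses the only information it carried. Printing the code directly keeps it: `pr_err("msm_ion_client_create() return error (%ld)\n", PTR_ERR(mdp3_res->ion_client));`. The function continues outside the hunk.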
already mapped with diff flag\n", + __func__, handle); + ret = -EINVAL; + goto out_unlock; + } else if (iommu_meta->mapped_size != iova_length) { +- pr_err("%s: hndl %p already mapped with diff len\n", ++ pr_err("%s: hndl %pK already mapped with diff len\n", + __func__, handle); + ret = -EINVAL; + goto out_unlock; +@@ -1816,7 +1816,7 @@ int mdp3_put_img(struct mdp3_img_data *data, int client) + fdput(data->srcp_f); + memset(&data->srcp_f, 0, sizeof(struct fd)); + } else if (!IS_ERR_OR_NULL(data->srcp_dma_buf)) { +- pr_debug("ion hdl = %p buf=0x%pa\n", data->srcp_dma_buf, ++ pr_debug("ion hdl = %pK buf=0x%pa\n", data->srcp_dma_buf, + &data->addr); + if (!iclient) { + pr_err("invalid ion client\n"); +@@ -1919,7 +1919,7 @@ done: + data->addr += img->offset; + data->len -= img->offset; + +- pr_debug("mem=%d ihdl=%p buf=0x%pa len=0x%lx\n", ++ pr_debug("mem=%d ihdl=%pK buf=0x%pa len=0x%lx\n", + img->memory_id, data->srcp_dma_buf, + &data->addr, data->len); + +diff --git a/drivers/video/msm/mdss/mdp3_ppp_hwio.c b/drivers/video/msm/mdss/mdp3_ppp_hwio.c +index e14abd0..907063c 100644 +--- a/drivers/video/msm/mdss/mdp3_ppp_hwio.c ++++ b/drivers/video/msm/mdss/mdp3_ppp_hwio.c +@@ -1308,7 +1308,7 @@ int config_ppp_op_mode(struct ppp_blit_op *blit_op) + pr_debug("ROI(x %d,y %d,w %d, h %d) ", + blit_op->src.roi.x, blit_op->src.roi.y, + blit_op->src.roi.width, blit_op->src.roi.height); +- pr_debug("Addr_P0 %p, Stride S0 %d Addr_P1 %p, Stride S1 %d\n", ++ pr_debug("Addr_P0 %pK, Stride S0 %d Addr_P1 %pK, Stride S1 %d\n", + blit_op->src.p0, blit_op->src.stride0, + blit_op->src.p1, blit_op->src.stride1); + +@@ -1320,7 +1320,7 @@ int config_ppp_op_mode(struct ppp_blit_op *blit_op) + pr_debug("ROI(x %d,y %d, w %d, h %d) ", + blit_op->bg.roi.x, blit_op->bg.roi.y, + blit_op->bg.roi.width, blit_op->bg.roi.height); +- pr_debug("Addr %p, Stride S0 %d Addr_P1 %p, Stride S1 %d\n", ++ pr_debug("Addr %pK, Stride S0 %d Addr_P1 %pK, Stride S1 %d\n", + blit_op->bg.p0, blit_op->bg.stride0, + 
blit_op->bg.p1, blit_op->bg.stride1); + } +@@ -1331,7 +1331,7 @@ int config_ppp_op_mode(struct ppp_blit_op *blit_op) + pr_debug("ROI(x %d,y %d, w %d, h %d) ", + blit_op->dst.roi.x, blit_op->dst.roi.y, + blit_op->dst.roi.width, blit_op->dst.roi.height); +- pr_debug("Addr %p, Stride S0 %d Addr_P1 %p, Stride S1 %d\n", ++ pr_debug("Addr %pK, Stride S0 %d Addr_P1 %pK, Stride S1 %d\n", + blit_op->dst.p0, blit_op->dst.stride0, + blit_op->dst.p1, blit_op->dst.stride1); + +diff --git a/drivers/video/msm/mdss/mdss_compat_utils.c b/drivers/video/msm/mdss/mdss_compat_utils.c +index e883f04..5ad51dd 100644 +--- a/drivers/video/msm/mdss/mdss_compat_utils.c ++++ b/drivers/video/msm/mdss/mdss_compat_utils.c +@@ -150,7 +150,7 @@ static struct mdp_input_layer32 *__create_layer_list32( + compat_ptr(commit32->commit_v1.input_layers), + sizeof(struct mdp_input_layer32) * layer_count); + if (ret) { +- pr_err("layer list32 copy from user failed, ptr %p\n", ++ pr_err("layer list32 copy from user failed, ptr %pK\n", + compat_ptr(commit32->commit_v1.input_layers)); + kfree(layer_list32); + ret = -EFAULT; +@@ -182,7 +182,7 @@ static int __copy_scale_params(struct mdp_input_layer *layer, + sizeof(struct mdp_scale_data)); + if (ret) { + kfree(scale); +- pr_err("scale param copy from user failed, ptr %p\n", ++ pr_err("scale param copy from user failed, ptr %pK\n", + compat_ptr(layer32->scale)); + ret = -EFAULT; + } else { +@@ -307,7 +307,7 @@ static int __compat_atomic_commit(struct fb_info *info, unsigned int cmd, + ret = copy_from_user(&commit32, (void __user *)argp, + sizeof(struct mdp_layer_commit32)); + if (ret) { +- pr_err("%s:copy_from_user failed, ptr %p\n", __func__, ++ pr_err("%s:copy_from_user failed, ptr %pK\n", __func__, + (void __user *)argp); + ret = -EFAULT; + return ret; +@@ -325,7 +325,7 @@ static int __compat_atomic_commit(struct fb_info *info, unsigned int cmd, + compat_ptr(commit32.commit_v1.output_layer), + buffer_size); + if (ret) { +- pr_err("fail to copy output layer 
from user, ptr %p\n", ++ pr_err("fail to copy output layer from user, ptr %pK\n", + compat_ptr(commit32.commit_v1.output_layer)); + ret = -EFAULT; + goto layer_list_err; +@@ -3418,7 +3418,7 @@ static int __copy_layer_igc_lut_data_v1_7( + cfg_payload32, + sizeof(struct mdp_igc_lut_data_v1_7_32)); + if (ret) { +- pr_err("copy from user failed, IGC cfg payload = %p\n", ++ pr_err("copy from user failed, IGC cfg payload = %pK\n", + cfg_payload32); + ret = -EFAULT; + goto exit; +@@ -3493,7 +3493,7 @@ static int __copy_layer_hist_lut_data_v1_7( + cfg_payload32, + sizeof(struct mdp_hist_lut_data_v1_7_32)); + if (ret) { +- pr_err("copy from user failed, hist lut cfg_payload = %p\n", ++ pr_err("copy from user failed, hist lut cfg_payload = %pK\n", + cfg_payload32); + ret = -EFAULT; + goto exit; +@@ -3565,7 +3565,7 @@ static int __copy_layer_pa_data_v1_7( + cfg_payload32, + sizeof(struct mdp_pa_data_v1_7_32)); + if (ret) { +- pr_err("copy from user failed, pa cfg_payload = %p\n", ++ pr_err("copy from user failed, pa cfg_payload = %pK\n", + cfg_payload32); + ret = -EFAULT; + goto exit; +@@ -3707,7 +3707,7 @@ static int __copy_layer_pp_info_pcc_params( + compat_ptr(pp_info32->pcc_cfg_data.cfg_payload), + sizeof(struct mdp_pcc_data_v1_7)); + if (ret) { +- pr_err("compat copy of PCC cfg payload failed, ptr %p\n", ++ pr_err("compat copy of PCC cfg payload failed, ptr %pK\n", + compat_ptr( + pp_info32->pcc_cfg_data.cfg_payload)); + ret = -EFAULT; +@@ -3741,7 +3741,7 @@ static int __copy_layer_pp_info_params(struct mdp_input_layer *layer, + compat_ptr(layer32->pp_info), + sizeof(struct mdp_overlay_pp_params32)); + if (ret) { +- pr_err("pp info copy from user failed, pp_info %p\n", ++ pr_err("pp info copy from user failed, pp_info %pK\n", + compat_ptr(layer32->pp_info)); + ret = -EFAULT; + goto exit; +diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c +index a16063b..a2912e6 100644 +--- a/drivers/video/msm/mdss/mdss_debug.c ++++ 
b/drivers/video/msm/mdss/mdss_debug.c +@@ -1317,7 +1317,7 @@ static inline struct mdss_mdp_misr_map *mdss_misr_get_map(u32 block_id, + return NULL; + } + +- pr_debug("MISR Module(%d) CTRL(0x%x) SIG(0x%x) intf_base(0x%p)\n", ++ pr_debug("MISR Module(%d) CTRL(0x%x) SIG(0x%x) intf_base(0x%pK)\n", + block_id, map->ctrl_reg, map->value_reg, intf_base); + return map; + } +@@ -1360,7 +1360,7 @@ int mdss_misr_set(struct mdss_data_type *mdata, + bool use_mdp_up_misr = false; + + if (!mdata || !req || !ctl) { +- pr_err("Invalid input params: mdata = %p req = %p ctl = %p", ++ pr_err("Invalid input params: mdata = %pK req = %pK ctl = %pK", + mdata, req, ctl); + return -EINVAL; + } +diff --git a/drivers/video/msm/mdss/mdss_debug_xlog.c b/drivers/video/msm/mdss/mdss_debug_xlog.c +index c9a4073..795ff55 100644 +--- a/drivers/video/msm/mdss/mdss_debug_xlog.c ++++ b/drivers/video/msm/mdss/mdss_debug_xlog.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -253,7 +253,7 @@ static void mdss_dump_debug_bus(u32 bus_dump_flag, + + if (*dump_mem) { + dump_addr = *dump_mem; +- pr_info("%s: start_addr:0x%p end_addr:0x%p\n", ++ pr_info("%s: start_addr:0x%pK end_addr:0x%pK\n", + __func__, dump_addr, dump_addr + list_size); + } else { + in_mem = false; +@@ -371,7 +371,7 @@ static void mdss_dump_vbif_debug_bus(u32 bus_dump_flag, + + if (*dump_mem) { + dump_addr = *dump_mem; +- pr_info("%s: start_addr:0x%p end_addr:0x%p\n", ++ pr_info("%s: start_addr:0x%pK end_addr:0x%pK\n", + __func__, dump_addr, dump_addr + list_size); + } else { + in_mem = false; +@@ -431,7 +431,7 @@ static void mdss_dump_reg(const char *dump_name, u32 reg_dump_flag, + + if (*dump_mem) { + dump_addr = *dump_mem; +- pr_info("%s: start_addr:0x%p end_addr:0x%p reg_addr=0x%p\n", ++ pr_info("%s: start_addr:0x%pK end_addr:0x%pK reg_addr=0x%pK\n", + dump_name, dump_addr, dump_addr + (u32)len * 16, + addr); + } else { +@@ -450,7 +450,7 @@ static void mdss_dump_reg(const char *dump_name, u32 reg_dump_flag, + xc = readl_relaxed(addr+0xc); + + if (in_log) +- pr_info("%p : %08x %08x %08x %08x\n", addr, x0, x4, x8, ++ pr_info("%pK : %08x %08x %08x %08x\n", addr, x0, x4, x8, + xc); + + if (dump_addr && in_mem) { +@@ -486,7 +486,7 @@ static void mdss_dump_reg_by_ranges(struct mdss_debug_base *dbg, + len = get_dump_range(&xlog_node->offset, + dbg->max_offset); + addr = dbg->base + xlog_node->offset.start; +- pr_debug("%s: range_base=0x%p start=0x%x end=0x%x\n", ++ pr_debug("%s: range_base=0x%pK start=0x%x end=0x%x\n", + xlog_node->range_name, + addr, xlog_node->offset.start, + xlog_node->offset.end); +@@ -496,7 +496,7 @@ static void mdss_dump_reg_by_ranges(struct mdss_debug_base *dbg, + } else { + /* If there is no list to dump ranges, dump all registers */ + pr_info("Ranges not found, will dump full registers"); +- 
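Review bot: The per-row line in the mdss_dump_reg hunk, `pr_info("%pK : %08x %08x %08x %08x\n", addr, x0, x4, x8,`, uses the pointer as the row label of a register dump. Once `%pK` is restricted, every row carries the same label and the dump can only be read by counting lines. A row offset relative to the start of the range would label the rows without exposing the mapping address, but the loop counter is outside the hunk, so the exact expression cannot be given here. At minimum, add a comment above the print such as `/* %pK may be hidden by kptr_restrict; rows are then identified by order only */`.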
pr_info("base:0x%p len:0x%zu\n", dbg->base, dbg->max_offset); ++ pr_info("base:0x%pK len:0x%zu\n", dbg->base, dbg->max_offset); + addr = dbg->base; + len = dbg->max_offset; + mdss_dump_reg((const char *)dbg->name, reg_dump_flag, addr, +diff --git a/drivers/video/msm/mdss/mdss_dsi.c b/drivers/video/msm/mdss/mdss_dsi.c +index a39d2f3..6933388 100644 +--- a/drivers/video/msm/mdss/mdss_dsi.c ++++ b/drivers/video/msm/mdss/mdss_dsi.c +@@ -1185,7 +1185,7 @@ static int mdss_dsi_off(struct mdss_panel_data *pdata, int power_state) + mutex_lock(&ctrl_pdata->mutex); + panel_info = &ctrl_pdata->panel_data.panel_info; + +- pr_debug("%s+: ctrl=%p ndx=%d power_state=%d\n", ++ pr_debug("%s+: ctrl=%pK ndx=%d power_state=%d\n", + __func__, ctrl_pdata, ctrl_pdata->ndx, power_state); + + if (power_state == panel_info->panel_power_state) { +@@ -1369,7 +1369,7 @@ int mdss_dsi_on(struct mdss_panel_data *pdata) + mdss_dsi_validate_debugfs_info(ctrl_pdata); + + cur_power_state = pdata->panel_info.panel_power_state; +- pr_debug("%s+: ctrl=%p ndx=%d cur_power_state=%d\n", __func__, ++ pr_debug("%s+: ctrl=%pK ndx=%d cur_power_state=%d\n", __func__, + ctrl_pdata, ctrl_pdata->ndx, cur_power_state); + + pinfo = &pdata->panel_info; +@@ -1547,7 +1547,7 @@ static int mdss_dsi_unblank(struct mdss_panel_data *pdata) + panel_data); + mipi = &pdata->panel_info.mipi; + +- pr_debug("%s+: ctrl=%p ndx=%d cur_power_state=%d ctrl_state=%x\n", ++ pr_debug("%s+: ctrl=%pK ndx=%d cur_power_state=%d ctrl_state=%x\n", + __func__, ctrl_pdata, ctrl_pdata->ndx, + pdata->panel_info.panel_power_state, ctrl_pdata->ctrl_state); + +@@ -1618,7 +1618,7 @@ static int mdss_dsi_blank(struct mdss_panel_data *pdata, int power_state) + panel_data); + mipi = &pdata->panel_info.mipi; + +- pr_debug("%s+: ctrl=%p ndx=%d power_state=%d\n", ++ pr_debug("%s+: ctrl=%pK ndx=%d power_state=%d\n", + __func__, ctrl_pdata, ctrl_pdata->ndx, power_state); + + mdss_dsi_clk_ctrl(ctrl_pdata, ctrl_pdata->dsi_clk_handle, +@@ -1687,7 +1687,7 @@ static 
int mdss_dsi_post_panel_on(struct mdss_panel_data *pdata) + ctrl_pdata = container_of(pdata, struct mdss_dsi_ctrl_pdata, + panel_data); + +- pr_debug("%s+: ctrl=%p ndx=%d\n", __func__, ++ pr_debug("%s+: ctrl=%pK ndx=%d\n", __func__, + ctrl_pdata, ctrl_pdata->ndx); + + mdss_dsi_clk_ctrl(ctrl_pdata, ctrl_pdata->dsi_clk_handle, +@@ -1721,7 +1721,7 @@ int mdss_dsi_cont_splash_on(struct mdss_panel_data *pdata) + ctrl_pdata = container_of(pdata, struct mdss_dsi_ctrl_pdata, + panel_data); + +- pr_debug("%s+: ctrl=%p ndx=%d\n", __func__, ++ pr_debug("%s+: ctrl=%pK ndx=%d\n", __func__, + ctrl_pdata, ctrl_pdata->ndx); + + WARN((ctrl_pdata->ctrl_state & CTRL_STATE_PANEL_INIT), +@@ -2998,8 +2998,8 @@ static int mdss_dsi_get_bridge_chip_params(struct mdss_panel_info *pinfo, + u32 temp_val = 0; + + if (!ctrl_pdata || !pdev || !pinfo) { +- pr_err("%s: Invalid Params ctrl_pdata=%p, pdev=%p\n", __func__, +- ctrl_pdata, pdev); ++ pr_err("%s: Invalid Params ctrl_pdata=%pK, pdev=%pK\n", ++ __func__, ctrl_pdata, pdev); + rc = -EINVAL; + goto end; + } +@@ -3321,7 +3321,7 @@ static int mdss_dsi_res_init(struct platform_device *pdev) + mdss_dsi_res->shared_data = devm_kzalloc(&pdev->dev, + sizeof(struct dsi_shared_data), + GFP_KERNEL); +- pr_debug("%s Allocated shared_data=%p\n", __func__, ++ pr_debug("%s Allocated shared_data=%pK\n", __func__, + mdss_dsi_res->shared_data); + if (!mdss_dsi_res->shared_data) { + pr_err("%s Unable to alloc mem for shared_data\n", +@@ -3386,7 +3386,7 @@ static int mdss_dsi_res_init(struct platform_device *pdev) + rc = -ENOMEM; + goto mem_fail; + } +- pr_debug("%s Allocated ctrl_pdata[%d]=%p\n", ++ pr_debug("%s Allocated ctrl_pdata[%d]=%pK\n", + __func__, i, mdss_dsi_res->ctrl_pdata[i]); + mdss_dsi_res->ctrl_pdata[i]->shared_data = + mdss_dsi_res->shared_data; +@@ -3396,7 +3396,7 @@ static int mdss_dsi_res_init(struct platform_device *pdev) + } + + mdss_dsi_res->pdev = pdev; +- pr_debug("%s: Setting up mdss_dsi_res=%p\n", __func__, mdss_dsi_res); ++ 
pr_debug("%s: Setting up mdss_dsi_res=%pK\n", __func__, mdss_dsi_res); + + return 0; + +@@ -3723,11 +3723,11 @@ int mdss_dsi_retrieve_ctrl_resources(struct platform_device *pdev, int mode, + pr_debug("%s:%d unable to remap dsi phy regulator resources\n", + __func__, __LINE__); + else +- pr_info("%s: phy_regulator_base=%p phy_regulator_size=%x\n", ++ pr_info("%s: phy_regulator_base=%pK phy_regulator_size=%x\n", + __func__, ctrl->phy_regulator_io.base, + ctrl->phy_regulator_io.len); + +- pr_info("%s: ctrl_base=%p ctrl_size=%x phy_base=%p phy_size=%x\n", ++ pr_info("%s: ctrl_base=%pK ctrl_size=%x phy_base=%pK phy_size=%x\n", + __func__, ctrl->ctrl_base, ctrl->reg_size, ctrl->phy_io.base, + ctrl->phy_io.len); + +@@ -3871,7 +3871,7 @@ static int mdss_dsi_parse_ctrl_params(struct platform_device *ctrl_pdev, + data = of_get_property(ctrl_pdev->dev.of_node, + "qcom,display-id", &len); + if (!data || len <= 0) +- pr_err("%s:%d Unable to read qcom,display-id, data=%p,len=%d\n", ++ pr_err("%s:%d Unable to read qcom,display-id, data=%pK,len=%d\n", + __func__, __LINE__, data, len); + else + snprintf(ctrl_pdata->panel_data.panel_info.display_id, +diff --git a/drivers/video/msm/mdss/mdss_dsi_clk.c b/drivers/video/msm/mdss/mdss_dsi_clk.c +index bac8391..e92f6df 100644 +--- a/drivers/video/msm/mdss/mdss_dsi_clk.c ++++ b/drivers/video/msm/mdss/mdss_dsi_clk.c +@@ -732,7 +732,7 @@ int mdss_dsi_clk_req_state(void *client, enum mdss_dsi_clk_type clk, + + if (!client || !clk || clk > (MDSS_DSI_CORE_CLK | MDSS_DSI_LINK_CLK) || + state > MDSS_DSI_CLK_EARLY_GATE) { +- pr_err("Invalid params, client = %p, clk = 0x%x, state = %d\n", ++ pr_err("Invalid params, client = %pK, clk = 0x%x, state = %d\n", + client, clk, state); + return -EINVAL; + } +@@ -830,7 +830,7 @@ int mdss_dsi_clk_set_link_rate(void *client, enum mdss_dsi_link_clk_type clk, + struct mdss_dsi_clk_mngr *mngr; + + if (!client || (clk > MDSS_DSI_LINK_CLK_MAX)) { +- pr_err("Invalid params, client = %p, clk = 0x%x", client, clk); 
++ pr_err("Invalid params, client = %pK, clk = 0x%x", client, clk); + return -EINVAL; + } + +@@ -929,7 +929,7 @@ int mdss_dsi_clk_force_toggle(void *client, u32 clk) + struct mdss_dsi_clk_mngr *mngr; + + if (!client || !clk || clk >= MDSS_DSI_CLKS_MAX) { +- pr_err("Invalid params, client = %p, clk = 0x%x\n", ++ pr_err("Invalid params, client = %pK, clk = 0x%x\n", + client, clk); + return -EINVAL; + } +diff --git a/drivers/video/msm/mdss/mdss_dsi_host.c b/drivers/video/msm/mdss/mdss_dsi_host.c +index 66bbff5..f6fbd66 100644 +--- a/drivers/video/msm/mdss/mdss_dsi_host.c ++++ b/drivers/video/msm/mdss/mdss_dsi_host.c +@@ -102,7 +102,7 @@ void mdss_dsi_ctrl_init(struct device *ctrl_dev, + if (ctrl->mdss_util->register_irq(ctrl->dsi_hw)) + pr_err("%s: mdss_register_irq failed.\n", __func__); + +- pr_debug("%s: ndx=%d base=%p\n", __func__, ctrl->ndx, ctrl->ctrl_base); ++ pr_debug("%s: ndx=%d base=%pK\n", __func__, ctrl->ndx, ctrl->ctrl_base); + + init_completion(&ctrl->dma_comp); + init_completion(&ctrl->mdp_comp); +diff --git a/drivers/video/msm/mdss/mdss_dsi_panel.c b/drivers/video/msm/mdss/mdss_dsi_panel.c +index 2428af7..06dc0ec 100644 +--- a/drivers/video/msm/mdss/mdss_dsi_panel.c ++++ b/drivers/video/msm/mdss/mdss_dsi_panel.c +@@ -721,7 +721,7 @@ static int mdss_dsi_post_panel_on(struct mdss_panel_data *pdata) + ctrl = container_of(pdata, struct mdss_dsi_ctrl_pdata, + panel_data); + +- pr_debug("%s: ctrl=%p ndx=%d\n", __func__, ctrl, ctrl->ndx); ++ pr_debug("%s: ctrl=%pK ndx=%d\n", __func__, ctrl, ctrl->ndx); + + pinfo = &pdata->panel_info; + if (pinfo->dcs_cmd_by_left && ctrl->ndx != DSI_CTRL_LEFT) +@@ -760,7 +760,7 @@ static int mdss_dsi_panel_off(struct mdss_panel_data *pdata) + ctrl = container_of(pdata, struct mdss_dsi_ctrl_pdata, + panel_data); + +- pr_debug("%s: ctrl=%p ndx=%d\n", __func__, ctrl, ctrl->ndx); ++ pr_debug("%s: ctrl=%pK ndx=%d\n", __func__, ctrl, ctrl->ndx); + + if (pinfo->dcs_cmd_by_left) { + if (ctrl->ndx != DSI_CTRL_LEFT) +@@ -795,7 +795,7 @@ 
static int mdss_dsi_panel_low_power_config(struct mdss_panel_data *pdata, + ctrl = container_of(pdata, struct mdss_dsi_ctrl_pdata, + panel_data); + +- pr_debug("%s: ctrl=%p ndx=%d enable=%d\n", __func__, ctrl, ctrl->ndx, ++ pr_debug("%s: ctrl=%pK ndx=%d enable=%d\n", __func__, ctrl, ctrl->ndx, + enable); + + /* Any panel specific low power commands/config */ +@@ -2066,7 +2066,7 @@ static int mdss_dsi_panel_timing_from_dt(struct device_node *np, + + if (np->name) { + pt->timing.name = kstrdup(np->name, GFP_KERNEL); +- pr_info("%s: found new timing \"%s\" (%p)\n", __func__, ++ pr_info("%s: found new timing \"%s\" (%pK)\n", __func__, + np->name, &pt->timing); + } + +@@ -2400,7 +2400,7 @@ static int mdss_panel_parse_dt(struct device_node *np, + bridge_chip_name = of_get_property(np, + "qcom,bridge-name", &len); + if (!bridge_chip_name || len <= 0) { +- pr_err("%s:%d Unable to read qcom,bridge_name, data=%p,len=%d\n", ++ pr_err("%s:%d Unable to read qcom,bridge_name, data=%pK,len=%d\n", + __func__, __LINE__, bridge_chip_name, len); + rc = -EINVAL; + goto error; +diff --git a/drivers/video/msm/mdss/mdss_fb.c b/drivers/video/msm/mdss/mdss_fb.c +index 570471d..3b68ee2 100644 +--- a/drivers/video/msm/mdss/mdss_fb.c ++++ b/drivers/video/msm/mdss/mdss_fb.c +@@ -2029,7 +2029,7 @@ int mdss_fb_alloc_fb_ion_memory(struct msm_fb_data_type *mfd, size_t fb_size) + rc = PTR_ERR(vaddr); + goto err_unmap; + } +- pr_debug("alloc 0x%zuB vaddr = %p for fb%d\n", fb_size, ++ pr_debug("alloc 0x%zuB vaddr = %pK for fb%d\n", fb_size, + vaddr, mfd->index); + + mfd->fbi->screen_base = (char *) vaddr; +@@ -2128,7 +2128,7 @@ static int mdss_fb_fbmem_ion_mmap(struct fb_info *info, + vma->vm_page_prot = + pgprot_writecombine(vma->vm_page_prot); + +- pr_debug("vma=%p, addr=%x len=%ld\n", ++ pr_debug("vma=%pK, addr=%x len=%ld\n", + vma, (unsigned int)addr, len); + pr_debug("vm_start=%x vm_end=%x vm_page_prot=%ld\n", + (unsigned int)vma->vm_start, +@@ -2295,7 +2295,7 @@ static int 
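Review bot: In the mdss_dsi_panel_timing_from_dt hunk of mdss_dsi_panel.c the result of `kstrdup(np->name, GFP_KERNEL)` is stored in `pt->timing.name` with no NULL check in the lines shown, so an allocation failure goes unnoticed here. The `pr_info` beside it also logs the address of `&pt->timing` at info level; `%pK` masks it only when kptr_restrict is set, and the address adds nothing to the timing name. I would drop it: `pr_info("%s: found new timing \"%s\"\n", __func__, np->name);`. The function continues outside the hunk, so the allocation may be checked later.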
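Review bot: The format in the mdss_fb_alloc_fb_ion_memory hunk of mdss_fb.c still prints `fb_size` as `0x%zuB`, a decimal value behind a hex prefix, which misreports the size in the log. The sibling message in mdss_fb_alloc_fbmem_iommu uses `0x%zxB`; matching it gives `pr_debug("alloc 0x%zxB vaddr = %pK for fb%d\n", fb_size,`.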
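Review bot: In the mdss_fb_fbmem_ion_mmap hunk only `vma` is switched to `%pK`; `addr` and `vma->vm_start` are still printed through `(unsigned int)` casts with `%x`, which bypasses the kptr_restrict masking and truncates the values on a 64-bit build. These look like user-space mapping addresses, so the exposure is probably small, but the truncation makes the debug output misleading. Printing `vma->vm_start` with `%lx` and no cast would fix that; the remaining arguments of the second `pr_debug` are outside the hunk.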
mdss_fb_alloc_fbmem_iommu(struct msm_fb_data_type *mfd, int dom) + return -ERANGE; + } + +- pr_debug("alloc 0x%zxB @ (%pa phys) (0x%p virt) (%pa iova) for fb%d\n", ++ pr_debug("alloc 0x%zxB @ (%pa phys) (0x%pK virt) (%pa iova) for fb%d\n", + size, &phys, virt, &mfd->iova, mfd->index); + + mfd->fbi->screen_base = virt; +@@ -2583,7 +2583,7 @@ static int mdss_fb_open(struct fb_info *info, int user) + } + + mfd->ref_cnt++; +- pr_debug("mfd refcount:%d file:%p\n", mfd->ref_cnt, info->file); ++ pr_debug("mfd refcount:%d file:%pK\n", mfd->ref_cnt, info->file); + + return 0; + +@@ -2648,7 +2648,7 @@ static int mdss_fb_release_all(struct fb_info *info, bool release_all) + pr_warn("file node not found or wrong ref cnt: release all:%d refcnt:%d\n", + release_all, mfd->ref_cnt); + +- pr_debug("current process=%s pid=%d mfd->ref=%d file:%p\n", ++ pr_debug("current process=%s pid=%d mfd->ref=%d file:%pK\n", + task->comm, current->tgid, mfd->ref_cnt, info->file); + + if (!mfd->ref_cnt || release_all) { +@@ -4242,7 +4242,7 @@ static int mdss_fb_atomic_commit_ioctl(struct fb_info *info, + ret = copy_from_user(scale, layer->scale, + sizeof(struct mdp_scale_data)); + if (ret) { +- pr_err("layer list copy from user failed, scale = %p\n", ++ pr_err("layer list copy from user failed, scale = %pK\n", + layer->scale); + kfree(scale); + scale = NULL; +diff --git a/drivers/video/msm/mdss/mdss_hdmi_tx.c b/drivers/video/msm/mdss/mdss_hdmi_tx.c +index 9ce7812..b234d1e 100644 +--- a/drivers/video/msm/mdss/mdss_hdmi_tx.c ++++ b/drivers/video/msm/mdss/mdss_hdmi_tx.c +@@ -1458,7 +1458,7 @@ static int hdmi_tx_sysfs_create(struct hdmi_tx_ctrl *hdmi_ctrl, + return rc; + } + hdmi_ctrl->kobj = &fbi->dev->kobj; +- DEV_DBG("%s: sysfs group %p\n", __func__, hdmi_ctrl->kobj); ++ DEV_DBG("%s: sysfs group %pK\n", __func__, hdmi_ctrl->kobj); + + return 0; + } /* hdmi_tx_sysfs_create */ +@@ -4790,7 +4790,7 @@ static int hdmi_tx_init_resource(struct hdmi_tx_ctrl *hdmi_ctrl) + DEV_DBG("%s: '%s' remap failed or 
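Review bot: The `%pa` conversions in the mdss_fb_alloc_fbmem_iommu hunk are untouched, so the physical address and the IOVA of the framebuffer are still logged in full while only the kernel virtual address is masked. `%pK` honours kptr_restrict, `%pa` does not. If the intent of the change is to keep memory-layout details out of the log, drop them from the message, for example `pr_debug("alloc 0x%zxB (0x%pK virt) for fb%d\n", size, virt, mfd->index);`.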
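Review bot: `copy_from_user()` returns the number of bytes it could not copy, and in the mdss_fb_atomic_commit_ioctl hunk that count is left in `ret` on the failure path shown. Unless it is converted further down, outside the hunk, the ioctl would return a positive value rather than an error code. mdss_mdp_copy_layer_pp_info in mdss_mdp_pp.c sets `ret = -EFAULT;` in the same situation, and I would add the same line next to the `kfree(scale);` here.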
not available\n", + __func__, hdmi_tx_io_name(i)); + } +- DEV_INFO("%s: '%s': start = 0x%p, len=0x%x\n", __func__, ++ DEV_INFO("%s: '%s': start = 0x%pK, len=0x%x\n", __func__, + hdmi_tx_io_name(i), pdata->io[i].base, + pdata->io[i].len); + } +@@ -5298,7 +5298,7 @@ static int hdmi_tx_get_dt_data(struct platform_device *pdev, + + data = of_get_property(pdev->dev.of_node, "qcom,display-id", &len); + if (!data || len <= 0) +- pr_err("%s:%d Unable to read qcom,display-id, data=%p,len=%d\n", ++ pr_err("%s:%d Unable to read qcom,display-id, data=%pK,len=%d\n", + __func__, __LINE__, data, len); + else + snprintf(hdmi_ctrl->panel_data.panel_info.display_id, +diff --git a/drivers/video/msm/mdss/mdss_mdp.c b/drivers/video/msm/mdss/mdss_mdp.c +index e7301ae..2b0bcec 100644 +--- a/drivers/video/msm/mdss/mdss_mdp.c ++++ b/drivers/video/msm/mdss/mdss_mdp.c +@@ -481,7 +481,7 @@ struct reg_bus_client *mdss_reg_bus_vote_client_create(char *client_name) + strlcpy(client->name, client_name, MAX_CLIENT_NAME_LEN); + client->usecase_ndx = VOTE_INDEX_DISABLE; + client->id = id; +- pr_debug("bus vote client %s created:%p id :%d\n", client_name, ++ pr_debug("bus vote client %s created:%pK id :%d\n", client_name, + client, id); + id++; + list_add(&client->list, &mdss_res->reg_bus_clist); +@@ -495,7 +495,7 @@ void mdss_reg_bus_vote_client_destroy(struct reg_bus_client *client) + if (!client) { + pr_err("reg bus vote: invalid client handle\n"); + } else { +- pr_debug("bus vote client %s destroyed:%p id:%u\n", ++ pr_debug("bus vote client %s destroyed:%pK id:%u\n", + client->name, client, client->id); + mutex_lock(&mdss_res->reg_bus_lock); + list_del_init(&client->list); +@@ -1561,7 +1561,7 @@ static u32 mdss_mdp_res_init(struct mdss_data_type *mdata) + + mdata->iclient = msm_ion_client_create(mdata->pdev->name); + if (IS_ERR_OR_NULL(mdata->iclient)) { +- pr_err("msm_ion_client_create() return error (%p)\n", ++ pr_err("msm_ion_client_create() return error (%pK)\n", + mdata->iclient); + 
mdata->iclient = NULL; + } +@@ -2028,7 +2028,7 @@ static int mdss_mdp_probe(struct platform_device *pdev) + if (rc) + pr_debug("unable to map MDSS VBIF non-realtime base\n"); + else +- pr_debug("MDSS VBIF NRT HW Base addr=%p len=0x%x\n", ++ pr_debug("MDSS VBIF NRT HW Base addr=%pK len=0x%x\n", + mdata->vbif_nrt_io.base, mdata->vbif_nrt_io.len); + + res = platform_get_resource(pdev, IORESOURCE_IRQ, 0); +@@ -2923,7 +2923,7 @@ static int mdss_mdp_cdm_addr_setup(struct mdss_data_type *mdata, + head[i].base = (mdata->mdss_io.base) + cdm_offsets[i]; + atomic_set(&head[i].kref.refcount, 0); + mutex_init(&head[i].lock); +- pr_debug("%s: cdm off (%d) = %p\n", __func__, i, head[i].base); ++ pr_debug("%s: cdm off (%d) = %pK\n", __func__, i, head[i].base); + } + + mdata->cdm_off = head; +@@ -2990,7 +2990,7 @@ static int mdss_mdp_dsc_addr_setup(struct mdss_data_type *mdata, + for (i = 0; i < len; i++) { + head[i].num = i; + head[i].base = (mdata->mdss_io.base) + dsc_offsets[i]; +- pr_debug("dsc off (%d) = %p\n", i, head[i].base); ++ pr_debug("dsc off (%d) = %pK\n", i, head[i].base); + } + + mdata->dsc_off = head; +diff --git a/drivers/video/msm/mdss/mdss_mdp_intf_cmd.c b/drivers/video/msm/mdss/mdss_mdp_intf_cmd.c +index ba13444..cd1f02b 100644 +--- a/drivers/video/msm/mdss/mdss_mdp_intf_cmd.c ++++ b/drivers/video/msm/mdss/mdss_mdp_intf_cmd.c +@@ -1549,7 +1549,7 @@ static int mdss_mdp_cmd_wait4pingpong(struct mdss_mdp_ctl *ctl, void *arg) + MDSS_XLOG(ctl->num, atomic_read(&ctx->koff_cnt), ctl->roi_bkup.w, + ctl->roi_bkup.h); + +- pr_debug("%s: intf_num=%d ctx=%p koff_cnt=%d\n", __func__, ++ pr_debug("%s: intf_num=%d ctx=%pK koff_cnt=%d\n", __func__, + ctl->intf_num, ctx, atomic_read(&ctx->koff_cnt)); + + rc = wait_event_timeout(ctx->pp_waitq, +@@ -1777,7 +1777,7 @@ int mdss_mdp_cmd_set_autorefresh_mode(struct mdss_mdp_ctl *mctl, int frame_cnt) + struct mdss_panel_info *pinfo; + + if (!mctl || !mctl->is_master || !mctl->panel_data) { +- pr_err("invalid ctl mctl:%p pdata:%p\n", ++ 
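Review bot: The pointer logged in the mdss_mdp_res_init hunk of mdss_mdp.c is known to be NULL or an ERR_PTR value, so after the switch to `%pK` the error code is masked whenever kptr_restrict is set and the message no longer says why the call failed. Printing the code directly keeps the diagnostic and exposes no address: `pr_err("msm_ion_client_create() return error (%ld)\n", PTR_ERR(mdata->iclient));`. The same applies to the `IS_ERR_OR_NULL()` branches in the mdss_mdp_pcc_config, mdss_mdp_hist_lut_config and mdss_mdp_gamut_config hunks of mdss_mdp_pp.c.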
pr_err("invalid ctl mctl:%pK pdata:%pK\n", + mctl, mctl ? mctl->panel_data : 0); + return -ENODEV; + } +@@ -2782,7 +2782,7 @@ static int mdss_mdp_cmd_ctx_setup(struct mdss_mdp_ctl *ctl, + + ctx->intf_stopped = 0; + +- pr_debug("%s: ctx=%p num=%d aux=%d\n", __func__, ctx, ++ pr_debug("%s: ctx=%pK num=%d aux=%d\n", __func__, ctx, + default_pp_num, aux_pp_num); + MDSS_XLOG(ctl->num, atomic_read(&ctx->koff_cnt)); + +diff --git a/drivers/video/msm/mdss/mdss_mdp_intf_video.c b/drivers/video/msm/mdss/mdss_mdp_intf_video.c +index 6924e64..b0fc8fc 100644 +--- a/drivers/video/msm/mdss/mdss_mdp_intf_video.c ++++ b/drivers/video/msm/mdss/mdss_mdp_intf_video.c +@@ -123,7 +123,7 @@ int mdss_mdp_video_addr_setup(struct mdss_data_type *mdata, + + for (i = 0; i < count; i++) { + head[i].base = mdata->mdss_io.base + offsets[i]; +- pr_debug("adding Video Intf #%d offset=0x%x virt=%p\n", i, ++ pr_debug("adding Video Intf #%d offset=0x%x virt=%pK\n", i, + offsets[i], head[i].base); + head[i].ref_cnt = 0; + head[i].intf_num = i + MDSS_MDP_INTF0; +@@ -520,7 +520,7 @@ static int mdss_mdp_video_intfs_stop(struct mdss_mdp_ctl *ctl, + pr_err("Intf %d not in use\n", (inum + MDSS_MDP_INTF0)); + return -ENODEV; + } +- pr_debug("stop ctl=%d video Intf #%d base=%p", ctl->num, ctx->intf_num, ++ pr_debug("stop ctl=%d video Intf #%d base=%pK", ctl->num, ctx->intf_num, + ctx->base); + + ret = mdss_mdp_video_ctx_stop(ctl, pinfo, ctx); +@@ -538,7 +538,7 @@ static int mdss_mdp_video_intfs_stop(struct mdss_mdp_ctl *ctl, + pr_err("Intf %d not in use\n", (inum + MDSS_MDP_INTF0)); + return -ENODEV; + } +- pr_debug("stop ctl=%d video Intf #%d base=%p", ctl->num, ++ pr_debug("stop ctl=%d video Intf #%d base=%pK", ctl->num, + sctx->intf_num, sctx->base); + + ret = mdss_mdp_video_ctx_stop(ctl, pinfo, sctx); +@@ -1535,7 +1535,7 @@ static int mdss_mdp_video_intfs_setup(struct mdss_mdp_ctl *ctl, + (inum + MDSS_MDP_INTF0)); + return -EBUSY; + } +- pr_debug("video Intf #%d base=%p", ctx->intf_num, ctx->base); ++ 
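Review bot: The `pr_debug` format in the first mdss_mdp_video_intfs_stop hunk of mdss_mdp_intf_video.c has no trailing `\n`, so the message can run into the next printk output. Since the line is being rewritten anyway, terminate it: `pr_debug("stop ctl=%d video Intf #%d base=%pK\n", ctl->num, ctx->intf_num,`. The second mdss_mdp_video_intfs_stop hunk and both mdss_mdp_video_intfs_setup hunks have the same omission.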
pr_debug("video Intf #%d base=%pK", ctx->intf_num, ctx->base); + ctx->ref_cnt++; + } else { + pr_err("Invalid intf number: %d\n", (inum + MDSS_MDP_INTF0)); +@@ -1568,7 +1568,7 @@ static int mdss_mdp_video_intfs_setup(struct mdss_mdp_ctl *ctl, + (inum + MDSS_MDP_INTF0)); + return -EBUSY; + } +- pr_debug("video Intf #%d base=%p", ctx->intf_num, ctx->base); ++ pr_debug("video Intf #%d base=%pK", ctx->intf_num, ctx->base); + ctx->ref_cnt++; + + ctl->intf_ctx[SLAVE_CTX] = ctx; +diff --git a/drivers/video/msm/mdss/mdss_mdp_layer.c b/drivers/video/msm/mdss/mdss_mdp_layer.c +index 2e8008d..0615625 100644 +--- a/drivers/video/msm/mdss/mdss_mdp_layer.c ++++ b/drivers/video/msm/mdss/mdss_mdp_layer.c +@@ -446,7 +446,7 @@ static int __configure_pipe_params(struct msm_fb_data_type *mfd, + mixer = mdss_mdp_mixer_get(mdp5_data->ctl, mixer_mux); + pipe->src_fmt = mdss_mdp_get_format_params(layer->buffer.format); + if (!pipe->src_fmt || !mixer) { +- pr_err("invalid layer format:%d or mixer:%p\n", ++ pr_err("invalid layer format:%d or mixer:%pK\n", + layer->buffer.format, pipe->mixer_left); + ret = -EINVAL; + goto end; +@@ -1354,7 +1354,7 @@ validate_exit: + } + } else { + pipe->file = file; +- pr_debug("file pointer attached with pipe is %p\n", ++ pr_debug("file pointer attached with pipe is %pK\n", + file); + } + } +diff --git a/drivers/video/msm/mdss/mdss_mdp_overlay.c b/drivers/video/msm/mdss/mdss_mdp_overlay.c +index 495b28f..c01968c 100644 +--- a/drivers/video/msm/mdss/mdss_mdp_overlay.c ++++ b/drivers/video/msm/mdss/mdss_mdp_overlay.c +@@ -1080,7 +1080,7 @@ struct mdss_mdp_data *mdss_mdp_overlay_buf_alloc(struct msm_fb_data_type *mfd, + list_move_tail(&buf->buf_list, &mdp5_data->bufs_used); + list_add_tail(&buf->pipe_list, &pipe->buf_queue); + +- pr_debug("buffer alloc: %p\n", buf); ++ pr_debug("buffer alloc: %pK\n", buf); + + return buf; + } +@@ -1134,7 +1134,7 @@ void mdss_mdp_overlay_buf_free(struct msm_fb_data_type *mfd, + buf->last_freed = local_clock(); + buf->state = 
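Review bot: The error message in the __configure_pipe_params hunk of mdss_mdp_layer.c tests `mixer` but logs `pipe->mixer_left`, so the value printed is not the one that failed the check. Passing the tested variable makes the log match the condition: `layer->buffer.format, mixer);`. The function starts and ends outside the hunk, so whether `pipe->mixer_left` is meant to equal `mixer` at this point cannot be confirmed from here.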
MDP_BUF_STATE_UNUSED; + +- pr_debug("buffer freed: %p\n", buf); ++ pr_debug("buffer freed: %pK\n", buf); + + list_move_tail(&buf->buf_list, &mdp5_data->bufs_pool); + } +@@ -1474,7 +1474,7 @@ static int __overlay_queue_pipes(struct msm_fb_data_type *mfd) + if (buf) { + switch (buf->state) { + case MDP_BUF_STATE_READY: +- pr_debug("pnum=%d buf=%p first buffer ready\n", ++ pr_debug("pnum=%d buf=%pK first buffer ready\n", + pipe->num, buf); + break; + case MDP_BUF_STATE_ACTIVE: +@@ -1494,7 +1494,7 @@ static int __overlay_queue_pipes(struct msm_fb_data_type *mfd) + } + break; + default: +- pr_err("invalid state of buf %p=%d\n", ++ pr_err("invalid state of buf %pK=%d\n", + buf, buf->state); + BUG(); + break; +@@ -2160,7 +2160,7 @@ static int __mdss_mdp_overlay_release_all(struct msm_fb_data_type *mfd, + u32 unset_ndx = 0; + int cnt = 0; + +- pr_debug("releasing all resources for fb%d file:%p\n", ++ pr_debug("releasing all resources for fb%d file:%pK\n", + mfd->index, file); + + mutex_lock(&mdp5_data->ov_lock); +diff --git a/drivers/video/msm/mdss/mdss_mdp_pipe.c b/drivers/video/msm/mdss/mdss_mdp_pipe.c +index b14dd17..f7fbb7f 100644 +--- a/drivers/video/msm/mdss/mdss_mdp_pipe.c ++++ b/drivers/video/msm/mdss/mdss_mdp_pipe.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. 
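Review bot: The `default:` branch in the second __overlay_queue_pipes hunk of mdss_mdp_overlay.c still calls `BUG()` after logging, which halts the kernel for what is a driver-internal bookkeeping error. Where `buf->state` is set is outside the hunk, but if any path lets it take an unexpected value this becomes a device-wide crash. A `WARN_ON(1);` followed by the function's normal error return would keep the diagnostic and let the display path fail on its own. The function's cleanup path is outside the hunk, so the exact return is not quoted here.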
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -2278,7 +2278,7 @@ int mdss_mdp_pipe_queue_data(struct mdss_mdp_pipe *pipe, + } + + if (src_data == NULL) { +- pr_debug("src_data=%p pipe num=%dx\n", ++ pr_debug("src_data=%pK pipe num=%dx\n", + src_data, pipe->num); + goto update_nobuf; + } +diff --git a/drivers/video/msm/mdss/mdss_mdp_pp.c b/drivers/video/msm/mdss/mdss_mdp_pp.c +index 580d10b..6d59502 100644 +--- a/drivers/video/msm/mdss/mdss_mdp_pp.c ++++ b/drivers/video/msm/mdss/mdss_mdp_pp.c +@@ -1096,7 +1096,7 @@ static int pp_rgb_pipe_setup(struct mdss_mdp_pipe *pipe, u32 *op) + int ret = 0; + + if (!pipe) { +- pr_err("invalid param pipe %p\n", pipe); ++ pr_err("invalid param pipe %pK\n", pipe); + return -EINVAL; + } + if (pipe->flags & MDP_OVERLAY_PP_CFG_EN && +@@ -1114,7 +1114,7 @@ static int pp_dma_pipe_setup(struct mdss_mdp_pipe *pipe, u32 *op) + int ret = 0; + + if (!pipe) { +- pr_err("invalid param pipe %p\n", pipe); ++ pr_err("invalid param pipe %pK\n", pipe); + return -EINVAL; + } + if (pipe->flags & MDP_OVERLAY_PP_CFG_EN && +@@ -1435,7 +1435,7 @@ void mdss_mdp_pipe_pp_clear(struct mdss_mdp_pipe *pipe) + struct pp_hist_col_info *hist_info; + + if (!pipe) { +- pr_err("Invalid pipe context passed, %p\n", ++ pr_err("Invalid pipe context passed, %pK\n", + pipe); + return; + } +@@ -1582,7 +1582,7 @@ static int pp_mixer_setup(struct mdss_mdp_mixer *mixer) + struct mdss_data_type *mdata = mdss_mdp_get_mdata(); + + if (!mixer || !mixer->ctl || !mixer->ctl->mfd || !mdata) { +- pr_err("invalid parameters, mixer %p ctl %p mfd %p mdata %p\n", ++ pr_err("invalid parameters, mixer %pK ctl %pK mfd %pK mdata %pK\n", + mixer, (mixer ? mixer->ctl : NULL), + (mixer ? (mixer->ctl ? 
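Review bot: In the mdss_mdp_pipe_queue_data hunk of mdss_mdp_pipe.c the pointer passed to `%pK` is known to be NULL on that branch, so the conversion prints nothing useful before or after this change. Dropping the argument is simpler and leaves no pointer format to audit: `pr_debug("src_data is NULL, pipe num=%d\n", pipe->num);`. The same pattern, a bare `if (!ptr)` check followed by a print of `ptr`, recurs in the pp_rgb_pipe_setup, pp_dma_pipe_setup, mdss_mdp_pipe_pp_clear, mdss_mdp_pp_resume, mdss_mdp_hist_intr_req, mdss_mdp_get_ad, mdss_mdp_ad_ipc_reset, mdss_mdp_ad_setup, sspp_cache_location and mdss_mdp_pp_sspp_config hunks of mdss_mdp_pp.c.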
mixer->ctl->mfd : NULL) : NULL), + mdata); +@@ -2200,7 +2200,7 @@ int mdss_mdp_pp_resume(struct msm_fb_data_type *mfd) + struct mdp_pa_v2_cfg_data *pa_v2_cache_cfg = NULL; + + if (!mfd) { +- pr_err("invalid input: mfd = 0x%p\n", mfd); ++ pr_err("invalid input: mfd = 0x%pK\n", mfd); + return -EINVAL; + } + +@@ -2290,7 +2290,7 @@ int mdss_mdp_pp_resume(struct msm_fb_data_type *mfd) + mfd->index); + return 0; + } else if (ret || !ad) { +- pr_err("Failed to get ad info: ret = %d, ad = 0x%p.\n", ++ pr_err("Failed to get ad info: ret = %d, ad = 0x%pK.\n", + ret, ad); + return ret; + } +@@ -2431,7 +2431,7 @@ static int mdss_mdp_pp_dt_parse(struct device *dev) + ret = 0; + } + } else { +- pr_err("invalid dev %p mdata %p\n", dev, mdata); ++ pr_err("invalid dev %pK mdata %pK\n", dev, mdata); + ret = -EINVAL; + } + bail_out: +@@ -2570,7 +2570,7 @@ int mdss_mdp_pp_overlay_init(struct msm_fb_data_type *mfd) + struct mdss_data_type *mdata = mdss_mdp_get_mdata(); + + if (!mfd || !mdata) { +- pr_err("Invalid mfd %p mdata %p\n", mfd, mdata); ++ pr_err("Invalid mfd %pK mdata %pK\n", mfd, mdata); + return -EPERM; + } + +@@ -2586,7 +2586,7 @@ int mdss_mdp_pp_default_overlay_config(struct msm_fb_data_type *mfd, + int ret = 0; + + if (!mfd || !pdata) { +- pr_err("Invalid parameters mfd %p pdata %p\n", mfd, pdata); ++ pr_err("Invalid parameters mfd %pK pdata %pK\n", mfd, pdata); + return -EINVAL; + } + +@@ -2639,7 +2639,7 @@ static int pp_ad_calc_bl(struct msm_fb_data_type *mfd, int bl_in, int *bl_out, + mfd->index); + return 0; + } else if (ret || !ad) { +- pr_err("Failed to get ad info: ret = %d, ad = 0x%p.\n", ++ pr_err("Failed to get ad info: ret = %d, ad = 0x%pK\n", + ret, ad); + return ret; + } +@@ -2655,7 +2655,7 @@ static int pp_ad_calc_bl(struct msm_fb_data_type *mfd, int bl_in, int *bl_out, + + if (!ad->bl_mfd || !ad->bl_mfd->panel_info || + !ad->bl_att_lut) { +- pr_err("Invalid ad info: bl_mfd = 0x%p, ad->bl_mfd->panel_info = 0x%p, bl_att_lut = 0x%p\n", ++ pr_err("Invalid ad 
info: bl_mfd = 0x%pK, ad->bl_mfd->panel_info = 0x%pK, bl_att_lut = 0x%pK\n", + ad->bl_mfd, + (!ad->bl_mfd) ? NULL : ad->bl_mfd->panel_info, + ad->bl_att_lut); +@@ -3147,7 +3147,7 @@ int mdss_mdp_pcc_config(struct msm_fb_data_type *mfd, + if (pp_ops[PCC].pp_get_config) { + addr = mdss_mdp_get_dspp_addr_off(disp_num); + if (IS_ERR_OR_NULL(addr)) { +- pr_err("invalid dspp base_addr %p\n", ++ pr_err("invalid dspp base_addr %pK\n", + addr); + ret = -EINVAL; + goto pcc_clk_off; +@@ -3835,7 +3835,7 @@ int mdss_mdp_hist_lut_config(struct msm_fb_data_type *mfd, + mdss_mdp_clk_ctrl(MDP_BLOCK_POWER_ON); + base_addr = mdss_mdp_get_dspp_addr_off(dspp_num); + if (IS_ERR_OR_NULL(base_addr)) { +- pr_err("invalid base addr %p\n", ++ pr_err("invalid base addr %pK\n", + base_addr); + ret = -EINVAL; + goto hist_lut_clk_off; +@@ -4063,7 +4063,7 @@ int mdss_mdp_gamut_config(struct msm_fb_data_type *mfd, + if (pp_ops[GAMUT].pp_get_config) { + addr = mdss_mdp_get_dspp_addr_off(disp_num); + if (IS_ERR_OR_NULL(addr)) { +- pr_err("invalid dspp base addr %p\n", ++ pr_err("invalid dspp base addr %pK\n", + addr); + ret = -EINVAL; + goto gamut_clk_off; +@@ -4249,7 +4249,7 @@ static int pp_hist_enable(struct pp_hist_col_info *hist_info, + spin_lock_irqsave(&hist_info->hist_lock, flag); + if (hist_info->col_en) { + spin_unlock_irqrestore(&hist_info->hist_lock, flag); +- pr_err("%s Hist collection has already been enabled %p\n", ++ pr_err("%s Hist collection has already been enabled %pK\n", + __func__, hist_info->base); + ret = -EBUSY; + goto exit; +@@ -4405,7 +4405,7 @@ static int pp_hist_disable(struct pp_hist_col_info *hist_info) + spin_lock_irqsave(&hist_info->hist_lock, flag); + if (hist_info->col_en == false) { + spin_unlock_irqrestore(&hist_info->hist_lock, flag); +- pr_debug("Histogram already disabled (%p)\n", hist_info->base); ++ pr_debug("Histogram already disabled (%pK)\n", hist_info->base); + ret = -EINVAL; + goto exit; + } +@@ -4508,7 +4508,7 @@ int mdss_mdp_hist_intr_req(struct 
mdss_intr *intr, u32 bits, bool en) + unsigned long flag; + int ret = 0; + if (!intr) { +- pr_err("NULL addr passed, %p\n", intr); ++ pr_err("NULL addr passed, %pK\n", intr); + return -EINVAL; + } + +@@ -5086,7 +5086,7 @@ static int mdss_mdp_get_ad(struct msm_fb_data_type *mfd, + + *ret_ad = NULL; + if (!mfd) { +- pr_err("invalid parameter mfd %p\n", mfd); ++ pr_err("invalid parameter mfd %pK\n", mfd); + return -EINVAL; + } + mdata = mfd_to_mdata(mfd); +@@ -5133,7 +5133,7 @@ static int pp_ad_invalidate_input(struct msm_fb_data_type *mfd) + mfd->index); + return 0; + } else if (ret || !ad) { +- pr_err("Failed to get ad info: ret = %d, ad = 0x%p.\n", ++ pr_err("Failed to get ad info: ret = %d, ad = 0x%pK\n", + ret, ad); + return ret; + } +@@ -5168,7 +5168,7 @@ int mdss_mdp_ad_config(struct msm_fb_data_type *mfd, + mfd->index); + return ret; + } else if (ret || !ad) { +- pr_err("Failed to get ad info: ret = %d, ad = 0x%p.\n", ++ pr_err("Failed to get ad info: ret = %d, ad = 0x%pK\n", + ret, ad); + return ret; + } +@@ -5285,7 +5285,7 @@ int mdss_mdp_ad_input(struct msm_fb_data_type *mfd, + mfd->index); + return ret; + } else if (ret || !ad) { +- pr_err("Failed to get ad info: ret = %d, ad = 0x%p.\n", ++ pr_err("Failed to get ad info: ret = %d, ad = 0x%pK\n", + ret, ad); + return ret; + } +@@ -5638,7 +5638,7 @@ static int mdss_mdp_ad_ipc_reset(struct msm_fb_data_type *mfd) + struct mdss_ad_info *ad; + + if (!mfd) { +- pr_err("mfd = 0x%p\n", mfd); ++ pr_err("mfd = 0x%pK\n", mfd); + return -EINVAL; + } + +@@ -5648,7 +5648,7 @@ static int mdss_mdp_ad_ipc_reset(struct msm_fb_data_type *mfd) + mfd->index); + return 0; + } else if (ret || !ad) { +- pr_err("Failed to get ad info: ret = %d, ad = 0x%p.\n", ++ pr_err("Failed to get ad info: ret = %d, ad = 0x%pK\n", + ret, ad); + return ret; + } +@@ -5672,13 +5672,13 @@ static int mdss_mdp_ad_setup(struct msm_fb_data_type *mfd) + u32 width; + + if (!mfd) { +- pr_err("mfd = 0x%p\n", mfd); ++ pr_err("mfd = 0x%pK\n", mfd); + return 
-EINVAL; + } + + ctl = mfd_to_ctl(mfd); + if (!ctl) { +- pr_err("ctl = 0x%p\n", ctl); ++ pr_err("ctl = 0x%pK\n", ctl); + return -EINVAL; + } + sctl = mdss_mdp_get_split_ctl(ctl); +@@ -5689,7 +5689,7 @@ static int mdss_mdp_ad_setup(struct msm_fb_data_type *mfd) + mfd->index); + return 0; + } else if (ret || !ad) { +- pr_err("Failed to get ad info: ret = %d, ad = 0x%p.\n", ++ pr_err("Failed to get ad info: ret = %d, ad = 0x%pK\n", + ret, ad); + return ret; + } +@@ -5873,7 +5873,7 @@ static void pp_ad_calc_worker(struct work_struct *work) + } + mdp5_data = mfd_to_mdp5_data(ad->mfd); + if (!mdp5_data) { +- pr_err("mdp5_data = 0x%p\n", mdp5_data); ++ pr_err("mdp5_data = 0x%pK\n", mdp5_data); + mutex_unlock(&ad->lock); + return; + } +@@ -5881,7 +5881,7 @@ static void pp_ad_calc_worker(struct work_struct *work) + ctl = mfd_to_ctl(ad->mfd); + mdata = mfd_to_mdata(ad->mfd); + if (!ctl || !mdata || ad->calc_hw_num >= mdata->nad_cfgs) { +- pr_err("ctl = 0x%p, mdata = 0x%p, ad->calc_hw_num = %d, mdata->nad_cfg = %d\n", ++ pr_err("ctl = 0x%pK, mdata = 0x%pK, ad->calc_hw_num = %d, mdata->nad_cfg = %d\n", + ctl, mdata, ad->calc_hw_num, + (!mdata ? 
0 : mdata->nad_cfgs)); + mutex_unlock(&ad->lock); +@@ -6492,7 +6492,7 @@ static int sspp_cache_location(u32 pipe_type, enum pp_config_block *block) + int ret = 0; + + if (!block) { +- pr_err("invalid params %p\n", block); ++ pr_err("invalid params %pK\n", block); + return -EINVAL; + } + switch (pipe_type) { +@@ -6521,7 +6521,7 @@ int mdss_mdp_pp_sspp_config(struct mdss_mdp_pipe *pipe) + int ret = 0; + + if (!pipe) { +- pr_err("invalid params, pipe %p\n", pipe); ++ pr_err("invalid params, pipe %pK\n", pipe); + return -EINVAL; + } + +@@ -6643,7 +6643,7 @@ static int pp_update_pcc_pipe_setup(struct mdss_mdp_pipe *pipe, u32 location) + char __iomem *pipe_base = NULL; + + if (!pipe) { +- pr_err("invalid param pipe %p\n", pipe); ++ pr_err("invalid param pipe %pK\n", pipe); + return -EINVAL; + } + +@@ -6695,7 +6695,7 @@ int mdss_mdp_pp_get_version(struct mdp_pp_feature_version *version) + u32 ver_info = mdp_pp_legacy; + + if (!version) { +- pr_err("invalid param version %p\n", version); ++ pr_err("invalid param version %pK\n", version); + ret = -EINVAL; + goto exit_version; + } +@@ -6776,7 +6776,7 @@ int mdss_mdp_copy_layer_pp_info(struct mdp_input_layer *layer) + uint32_t ops; + + if (!layer) { +- pr_err("invalid layer pointer passed %p\n", layer); ++ pr_err("invalid layer pointer passed %pK\n", layer); + return -EFAULT; + } + +@@ -6788,7 +6788,7 @@ int mdss_mdp_copy_layer_pp_info(struct mdp_input_layer *layer) + ret = copy_from_user(pp_info, layer->pp_info, + sizeof(struct mdp_overlay_pp_params)); + if (ret) { +- pr_err("layer list copy from user failed, pp_info = %p\n", ++ pr_err("layer list copy from user failed, pp_info = %pK\n", + layer->pp_info); + ret = -EFAULT; + goto exit_pp_info; +@@ -6921,7 +6921,7 @@ static int pp_mfd_ad_release_all(struct msm_fb_data_type *mfd) + int ret = 0; + + if (!mdata || !mfd) { +- pr_err("invalid params mdata %p mfd %p\n", mdata, mfd); ++ pr_err("invalid params mdata %pK mfd %pK\n", mdata, mfd); + return -EINVAL; + } + if 
(!mdata->ad_calc_wq) +diff --git a/drivers/video/msm/mdss/mdss_mdp_pp_cache_config.c b/drivers/video/msm/mdss/mdss_mdp_pp_cache_config.c +index 7769a8f..5fe7e48 100644 +--- a/drivers/video/msm/mdss/mdss_mdp_pp_cache_config.c ++++ b/drivers/video/msm/mdss/mdss_mdp_pp_cache_config.c +@@ -103,7 +103,7 @@ static int pp_hist_lut_cache_params_v1_7(struct mdp_hist_lut_data *config, + int ret = 0; + + if (!config || !mdss_pp_res) { +- pr_err("invalid param config %p pp_res %p\n", ++ pr_err("invalid param config %pK pp_res %pK\n", + config, mdss_pp_res); + return -EINVAL; + } +@@ -113,7 +113,7 @@ static int pp_hist_lut_cache_params_v1_7(struct mdp_hist_lut_data *config, + return -EINVAL; + } + if (!mdss_pp_res->pp_data_res) { +- pr_err("invalid pp_data_res %p\n", mdss_pp_res->pp_data_res); ++ pr_err("invalid pp_data_res %pK\n", mdss_pp_res->pp_data_res); + return -EINVAL; + } + +@@ -165,7 +165,7 @@ static int pp_hist_lut_cache_params_pipe_v1_7(struct mdp_hist_lut_data *config, + int ret = 0; + + if (!config || !pipe) { +- pr_err("Invalid param config %p pipe %p\n", ++ pr_err("Invalid param config %pK pipe %pK\n", + config, pipe); + return -EINVAL; + } +@@ -236,7 +236,7 @@ int pp_hist_lut_cache_params(struct mdp_hist_lut_data *config, + int ret = 0; + + if (!config || !res_cache) { +- pr_err("invalid param config %p res_cache %p\n", ++ pr_err("invalid param config %pK res_cache %pK\n", + config, res_cache); + return -EINVAL; + } +@@ -245,7 +245,7 @@ int pp_hist_lut_cache_params(struct mdp_hist_lut_data *config, + return -EINVAL; + } + if (!res_cache->mdss_pp_res && !res_cache->pipe_res) { +- pr_err("NULL payload for block %d mdss_pp_res %p pipe_res %p\n", ++ pr_err("NULL payload for block %d mdss_pp_res %pK pipe_res %pK\n", + res_cache->block, res_cache->mdss_pp_res, + res_cache->pipe_res); + return -EINVAL; +@@ -286,7 +286,7 @@ int pp_dither_cache_params_v1_7(struct mdp_dither_cfg_data *config, + struct mdp_dither_data_v1_7 *v17_cache_data = NULL, v17_usr_config; + + if 
(!config || !mdss_pp_res) { +- pr_err("invalid param config %p pp_res %p\n", ++ pr_err("invalid param config %pK pp_res %pK\n", + config, mdss_pp_res); + return -EINVAL; + } +@@ -296,7 +296,7 @@ int pp_dither_cache_params_v1_7(struct mdp_dither_cfg_data *config, + return -EINVAL; + } + if (!mdss_pp_res->pp_data_res) { +- pr_err("invalid pp_data_res %p\n", mdss_pp_res->pp_data_res); ++ pr_err("invalid pp_data_res %pK\n", mdss_pp_res->pp_data_res); + return -EINVAL; + } + +@@ -358,7 +358,7 @@ int pp_dither_cache_params(struct mdp_dither_cfg_data *config, + { + int ret = 0; + if (!config || !mdss_pp_res) { +- pr_err("invalid param config %pi pp_res %p\n", ++ pr_err("invalid param config %pK pp_res %pK\n", + config, mdss_pp_res); + return -EINVAL; + } +@@ -387,7 +387,7 @@ static int pp_gamut_cache_params_v1_7(struct mdp_gamut_cfg_data *config, + int ret = 0, i = 0; + + if (!config || !mdss_pp_res) { +- pr_err("invalid param config %p pp_res %p\n", ++ pr_err("invalid param config %pK pp_res %pK\n", + config, mdss_pp_res); + return -EINVAL; + } +@@ -398,7 +398,7 @@ static int pp_gamut_cache_params_v1_7(struct mdp_gamut_cfg_data *config, + return -EINVAL; + } + if (!mdss_pp_res->pp_data_res) { +- pr_err("invalid pp_data_res %p\n", mdss_pp_res->pp_data_res); ++ pr_err("invalid pp_data_res %pK\n", mdss_pp_res->pp_data_res); + return -EINVAL; + } + res_cache = mdss_pp_res->pp_data_res; +@@ -555,7 +555,7 @@ int pp_gamut_cache_params(struct mdp_gamut_cfg_data *config, + { + int ret = 0; + if (!config || !mdss_pp_res) { +- pr_err("invalid param config %p pp_res %p\n", ++ pr_err("invalid param config %pK pp_res %pK\n", + config, mdss_pp_res); + return -EINVAL; + } +@@ -578,7 +578,7 @@ static int pp_pcc_cache_params_pipe_v1_7(struct mdp_pcc_cfg_data *config, + struct mdp_pcc_data_v1_7 *v17_cache_data = NULL, v17_usr_config; + + if (!pipe || !config) { +- pr_err("invalid params pipe %p config %p\n", pipe, config); ++ pr_err("invalid params pipe %pK config %pK\n", pipe, config); + 
return -EINVAL; + } + +@@ -636,7 +636,7 @@ static int pp_pcc_cache_params_v1_7(struct mdp_pcc_cfg_data *config, + struct mdp_pcc_data_v1_7 *v17_cache_data, v17_usr_config; + + if (!config || !mdss_pp_res) { +- pr_err("invalid param config %p pp_res %p\n", ++ pr_err("invalid param config %pK pp_res %pK\n", + config, mdss_pp_res); + return -EINVAL; + } +@@ -647,7 +647,7 @@ static int pp_pcc_cache_params_v1_7(struct mdp_pcc_cfg_data *config, + return -EINVAL; + } + if (!mdss_pp_res->pp_data_res) { +- pr_err("invalid pp_data_res %p\n", mdss_pp_res->pp_data_res); ++ pr_err("invalid pp_data_res %pK\n", mdss_pp_res->pp_data_res); + return -EINVAL; + } + +@@ -687,7 +687,7 @@ int pp_pcc_cache_params(struct mdp_pcc_cfg_data *config, + { + int ret = 0; + if (!config || !res_cache) { +- pr_err("invalid param config %p pp_res %p\n", ++ pr_err("invalid param config %pK pp_res %pK\n", + config, res_cache); + return -EINVAL; + } +@@ -696,7 +696,7 @@ int pp_pcc_cache_params(struct mdp_pcc_cfg_data *config, + return -EINVAL; + } + if (!res_cache->mdss_pp_res && !res_cache->pipe_res) { +- pr_err("NULL payload for block %d mdss_pp_res %p pipe_res %p\n", ++ pr_err("NULL payload for block %d mdss_pp_res %pK pipe_res %pK\n", + res_cache->block, res_cache->mdss_pp_res, + res_cache->pipe_res); + return -EINVAL; +@@ -735,7 +735,7 @@ static int pp_igc_lut_cache_params_v1_7(struct mdp_igc_lut_data *config, + struct mdp_igc_lut_data_v1_7 *v17_cache_data, v17_usr_config; + u32 disp_num; + if (!config || !mdss_pp_res) { +- pr_err("invalid param config %p pp_res %p\n", ++ pr_err("invalid param config %pK pp_res %pK\n", + config, mdss_pp_res); + return -EINVAL; + } +@@ -745,7 +745,7 @@ static int pp_igc_lut_cache_params_v1_7(struct mdp_igc_lut_data *config, + return -EINVAL; + } + if (!mdss_pp_res->pp_data_res) { +- pr_err("invalid pp_data_res %p\n", mdss_pp_res->pp_data_res); ++ pr_err("invalid pp_data_res %pK\n", mdss_pp_res->pp_data_res); + return -EINVAL; + } + res_cache = 
mdss_pp_res->pp_data_res; +@@ -781,7 +781,7 @@ static int pp_igc_lut_cache_params_v1_7(struct mdp_igc_lut_data *config, + } + if (copy_from_kernel && (!v17_usr_config.c0_c1_data || + !v17_usr_config.c2_data)) { +- pr_err("copy from kernel invalid params c0_c1_data %p c2_data %p\n", ++ pr_err("copy from kernel invalid params c0_c1_data %pK c2_data %pK\n", + v17_usr_config.c0_c1_data, + v17_usr_config.c2_data); + ret = -EINVAL; +@@ -837,7 +837,7 @@ static int pp_igc_lut_cache_params_pipe_v1_7(struct mdp_igc_lut_data *config, + struct mdp_igc_lut_data_v1_7 *v17_cache_data = NULL, v17_usr_config; + int ret = 0, fix_up = 0, i = 0; + if (!config || !pipe) { +- pr_err("invalid param config %p pipe %p\n", ++ pr_err("invalid param config %pK pipe %pK\n", + config, pipe); + return -EINVAL; + } +@@ -865,7 +865,7 @@ static int pp_igc_lut_cache_params_pipe_v1_7(struct mdp_igc_lut_data *config, + if (!v17_usr_config.c0_c1_data || + !v17_usr_config.c2_data || + v17_usr_config.len != IGC_LUT_ENTRIES) { +- pr_err("invalid c0_c1data %p c2_data %p tbl len %d\n", ++ pr_err("invalid c0_c1data %pK c2_data %pK tbl len %d\n", + v17_usr_config.c0_c1_data, + v17_usr_config.c2_data, + v17_usr_config.len); +@@ -959,7 +959,7 @@ int pp_igc_lut_cache_params(struct mdp_igc_lut_data *config, + { + int ret = 0; + if (!config || !res_cache) { +- pr_err("invalid param config %p pp_res %p\n", ++ pr_err("invalid param config %pK pp_res %pK\n", + config, res_cache); + return -EINVAL; + } +@@ -968,7 +968,7 @@ int pp_igc_lut_cache_params(struct mdp_igc_lut_data *config, + return -EINVAL; + } + if (!res_cache->mdss_pp_res && !res_cache->pipe_res) { +- pr_err("NULL payload for block %d mdss_pp_res %p pipe_res %p\n", ++ pr_err("NULL payload for block %d mdss_pp_res %pK pipe_res %pK\n", + res_cache->block, res_cache->mdss_pp_res, + res_cache->pipe_res); + ret = -EINVAL; +@@ -1103,7 +1103,7 @@ int pp_pgc_lut_cache_params(struct mdp_pgc_lut_data *config, + { + int ret = 0; + if (!config || !mdss_pp_res) { +- 
pr_err("invalid param config %p pp_res %p\n",
++ pr_err("invalid param config %pK pp_res %pK\n",
+ config, mdss_pp_res);
+ return -EINVAL;
+ }
+@@ -1128,7 +1128,7 @@ static int pp_pa_cache_params_v1_7(struct mdp_pa_v2_cfg_data *config,
+ int disp_num, ret = 0;
+
+ if (!config || !mdss_pp_res) {
+- pr_err("Invalid param config %p pp_res %p\n",
++ pr_err("Invalid param config %pK pp_res %pK\n",
+ config, mdss_pp_res);
+ return -EINVAL;
+ }
+@@ -1140,7 +1140,7 @@ static int pp_pa_cache_params_v1_7(struct mdp_pa_v2_cfg_data *config,
+ }
+
+ if (!mdss_pp_res->pp_data_res) {
+- pr_err("Invalid pp_data_res %p\n", mdss_pp_res->pp_data_res);
++ pr_err("Invalid pp_data_res %pK\n", mdss_pp_res->pp_data_res);
+ return -EINVAL;
+ }
+
+@@ -1228,7 +1228,7 @@ static int pp_pa_cache_params_pipe_v1_7(struct mdp_pa_v2_cfg_data *config,
+ int ret = 0;
+
+ if (!config || !pipe) {
+- pr_err("Invalid param config %p pipe %p\n",
++ pr_err("Invalid param config %pK pipe %pK\n",
+ config, pipe);
+ return -EINVAL;
+ }
+@@ -1284,7 +1284,7 @@ int pp_pa_cache_params(struct mdp_pa_v2_cfg_data *config,
+ {
+ int ret = 0;
+ if (!config || !res_cache) {
+- pr_err("invalid param config %p pp_res %p\n",
++ pr_err("invalid param config %pK pp_res %pK\n",
+ config, res_cache);
+ return -EINVAL;
+ }
+@@ -1293,7 +1293,7 @@ int pp_pa_cache_params(struct mdp_pa_v2_cfg_data *config,
+ return -EINVAL;
+ }
+ if (!res_cache->mdss_pp_res && !res_cache->pipe_res) {
+- pr_err("NULL payload for block %d mdss_pp_res %p pipe_res %p\n",
++ pr_err("NULL payload for block %d mdss_pp_res %pK pipe_res %pK\n",
+ res_cache->block, res_cache->mdss_pp_res,
+ res_cache->pipe_res);
+ return -EINVAL;
+@@ -1344,7 +1344,7 @@ int pp_copy_layer_igc_payload(struct mdp_overlay_pp_params *pp_info)
+ pp_info->igc_cfg.cfg_payload,
+ sizeof(struct mdp_igc_lut_data_v1_7));
+ if (ret) {
+- pr_err("layer list copy from user failed, IGC cfg payload = %p\n",
++ pr_err("layer list copy from user failed, IGC cfg payload = %pK\n",
+
pp_info->igc_cfg.cfg_payload);
+ ret = -EFAULT;
+ kfree(cfg_payload);
+@@ -1382,7 +1382,7 @@ int pp_copy_layer_hist_lut_payload(struct mdp_overlay_pp_params *pp_info)
+ pp_info->hist_lut_cfg.cfg_payload,
+ sizeof(struct mdp_hist_lut_data_v1_7));
+ if (ret) {
+- pr_err("layer list copy from user failed, Hist LUT cfg payload = %p\n",
++ pr_err("layer list copy from user failed, Hist LUT cfg payload = %pK\n",
+ pp_info->hist_lut_cfg.cfg_payload);
+ ret = -EFAULT;
+ kfree(cfg_payload);
+@@ -1420,7 +1420,7 @@ int pp_copy_layer_pa_payload(struct mdp_overlay_pp_params *pp_info)
+ pp_info->pa_v2_cfg_data.cfg_payload,
+ sizeof(struct mdp_pa_data_v1_7));
+ if (ret) {
+- pr_err("layer list copy from user failed, PA cfg payload = %p\n",
++ pr_err("layer list copy from user failed, PA cfg payload = %pK\n",
+ pp_info->pa_v2_cfg_data.cfg_payload);
+ ret = -EFAULT;
+ kfree(cfg_payload);
+@@ -1458,7 +1458,7 @@ int pp_copy_layer_pcc_payload(struct mdp_overlay_pp_params *pp_info)
+ pp_info->pcc_cfg_data.cfg_payload,
+ sizeof(struct mdp_pcc_data_v1_7));
+ if (ret) {
+- pr_err("layer list copy from user failed, PCC cfg payload = %p\n",
++ pr_err("layer list copy from user failed, PCC cfg payload = %pK\n",
+ pp_info->pcc_cfg_data.cfg_payload);
+ ret = -EFAULT;
+ kfree(cfg_payload);
+diff --git a/drivers/video/msm/mdss/mdss_mdp_pp_v1_7.c b/drivers/video/msm/mdss/mdss_mdp_pp_v1_7.c
+index fe88fe6..bc19b5b 100644
+--- a/drivers/video/msm/mdss/mdss_mdp_pp_v1_7.c
++++ b/drivers/video/msm/mdss/mdss_mdp_pp_v1_7.c
+@@ -245,7 +245,7 @@ static void pp_gamut_clock_gating_en(char __iomem *base_addr);
+ void *pp_get_driver_ops(struct mdp_pp_driver_ops *ops)
+ {
+ if (!ops) {
+- pr_err("PP driver ops invalid %p\n", ops);
++ pr_err("PP driver ops invalid %pK\n", ops);
+ return ERR_PTR(-EINVAL);
+ }
+
+@@ -307,7 +307,7 @@ static void pp_opmode_config(int location, struct pp_sts_type *pp_sts,
+ u32 *opmode, int side)
+ {
+ if (!pp_sts || !opmode) {
+- pr_err("Invalid pp_sts %p or opmode %p\n", pp_sts,
opmode);
++ pr_err("Invalid pp_sts %pK or opmode %pK\n", pp_sts, opmode);
+ return;
+ }
+ switch (location) {
+@@ -361,7 +361,7 @@ static int pp_hist_lut_get_config(char __iomem *base_addr, void *cfg_data,
+ struct mdp_hist_lut_data *lut_cfg_data = NULL;
+
+ if (!base_addr || !cfg_data) {
+- pr_err("invalid params base_addr %p cfg_data %p\n",
++ pr_err("invalid params base_addr %pK cfg_data %pK\n",
+ base_addr, cfg_data);
+ return -EINVAL;
+ }
+@@ -373,7 +373,7 @@ static int pp_hist_lut_get_config(char __iomem *base_addr, void *cfg_data,
+ }
+ if (lut_cfg_data->version != mdp_hist_lut_v1_7 ||
+ !lut_cfg_data->cfg_payload) {
+- pr_err("invalid hist_lut version %d payload %p\n",
++ pr_err("invalid hist_lut version %d payload %pK\n",
+ lut_cfg_data->version, lut_cfg_data->cfg_payload);
+ return -EINVAL;
+ }
+@@ -438,7 +438,7 @@ static int pp_hist_lut_set_config(char __iomem *base_addr,
+ char __iomem *hist_addr = NULL, *swap_addr = NULL;
+
+ if (!base_addr || !cfg_data || !pp_sts) {
+- pr_err("invalid params base_addr %p cfg_data %p pp_sts_type %p\n",
++ pr_err("invalid params base_addr %pK cfg_data %pK pp_sts_type %pK\n",
+ base_addr, cfg_data, pp_sts);
+ return -EINVAL;
+ }
+@@ -464,12 +464,12 @@ static int pp_hist_lut_set_config(char __iomem *base_addr,
+ }
+ lut_data = lut_cfg_data->cfg_payload;
+ if (!lut_data) {
+- pr_err("invalid hist_lut cfg_payload %p\n", lut_data);
++ pr_err("invalid hist_lut cfg_payload %pK\n", lut_data);
+ return -EINVAL;
+ }
+
+ if (lut_data->len != ENHIST_LUT_ENTRIES || !lut_data->data) {
+- pr_err("invalid hist_lut len %d data %p\n",
++ pr_err("invalid hist_lut len %d data %pK\n",
+ lut_data->len, lut_data->data);
+ return -EINVAL;
+ }
+@@ -533,7 +533,7 @@ static int pp_dither_set_config(char __iomem *base_addr,
+ uint32_t *pdata = NULL;
+
+ if (!base_addr || !cfg_data || !pp_sts) {
+- pr_err("invalid params base_addr %p cfg_data %p pp_sts_type %p\n",
++ pr_err("invalid params base_addr %pK cfg_data %pK pp_sts_type %pK\n",
+ base_addr,
cfg_data, pp_sts);
+ return -EINVAL;
+ }
+@@ -560,7 +560,7 @@ static int pp_dither_set_config(char __iomem *base_addr,
+
+ dither_data = dither_cfg_data->cfg_payload;
+ if (!dither_data) {
+- pr_err("invalid payload for dither %p\n", dither_data);
++ pr_err("invalid payload for dither %pK\n", dither_data);
+ return -EINVAL;
+ }
+
+@@ -608,7 +608,7 @@ static int pp_hist_get_config(char __iomem *base_addr, void *cfg_data,
+ struct pp_hist_col_info *hist_info = NULL;
+
+ if (!base_addr || !cfg_data) {
+- pr_err("invalid params base_addr %p cfg_data %p\n",
++ pr_err("invalid params base_addr %pK cfg_data %pK\n",
+ base_addr, cfg_data);
+ return -EINVAL;
+ }
+@@ -646,7 +646,7 @@ static int pp_get_hist_offset(u32 block, u32 *ctl_off)
+ int ret = 0;
+
+ if (!ctl_off) {
+- pr_err("invalid params ctl_off %p\n", ctl_off);
++ pr_err("invalid params ctl_off %pK\n", ctl_off);
+ return -EINVAL;
+ }
+ switch (block) {
+@@ -667,7 +667,7 @@ static int pp_get_hist_offset(u32 block, u32 *ctl_off)
+ static int pp_get_hist_isr(u32 *isr_mask)
+ {
+ if (!isr_mask) {
+- pr_err("invalid params isr_mask %p\n", isr_mask);
++ pr_err("invalid params isr_mask %pK\n", isr_mask);
+ return -EINVAL;
+ }
+
+@@ -693,7 +693,7 @@ static int pp_gamut_get_config(char __iomem *base_addr, void *cfg_data,
+ u32 clk_gate_disable = 0;
+
+ if (!base_addr || !cfg_data) {
+- pr_err("invalid params base_addr %p cfg_data %p\n",
++ pr_err("invalid params base_addr %pK cfg_data %pK\n",
+ base_addr, cfg_data);
+ return -EINVAL;
+ }
+@@ -831,7 +831,7 @@ static int pp_gamut_set_config(char __iomem *base_addr,
+ struct mdp_gamut_data_v1_7 *gamut_data = NULL;
+ char __iomem *base_addr_scale = base_addr;
+ if (!base_addr || !cfg_data || !pp_sts) {
+- pr_err("invalid params base_addr %p cfg_data %p pp_sts_type %p\n",
++ pr_err("invalid params base_addr %pK cfg_data %pK pp_sts_type %pK\n",
+ base_addr, cfg_data, pp_sts);
+ return -EINVAL;
+ }
+@@ -853,7 +853,7 @@ static int pp_gamut_set_config(char __iomem *base_addr,
+
gamut_data = (struct mdp_gamut_data_v1_7 *)
+ gamut_cfg_data->cfg_payload;
+ if (!gamut_data) {
+- pr_err("invalid payload for gamut %p\n", gamut_data);
++ pr_err("invalid payload for gamut %pK\n", gamut_data);
+ return -EINVAL;
+ }
+
+@@ -872,7 +872,7 @@ static int pp_gamut_set_config(char __iomem *base_addr,
+ for (i = 0; i < MDP_GAMUT_TABLE_NUM_V1_7; i++) {
+ if (!gamut_data->c0_data[i] || !gamut_data->c1_c2_data[i]
+ || (gamut_data->tbl_size[i] != tbl_sz)) {
+- pr_err("invalid param for c0 %p c1c2 %p table %d size %d expected sz %d\n",
++ pr_err("invalid param for c0 %pK c1c2 %pK table %d size %d expected sz %d\n",
+ gamut_data->c0_data[i],
+ gamut_data->c1_c2_data[i], i,
+ gamut_data->tbl_size[i], tbl_sz);
+@@ -883,7 +883,7 @@ static int pp_gamut_set_config(char __iomem *base_addr,
+ (!gamut_data->scale_off_data[i] ||
+ (gamut_data->tbl_scale_off_sz[i] !=
+ MDP_GAMUT_SCALE_OFF_SZ))) {
+- pr_err("invalid param for scale table %p for c%d size %d expected size%d\n",
++ pr_err("invalid param for scale table %pK for c%d size %d expected size%d\n",
+ gamut_data->scale_off_data[i], i,
+ gamut_data->tbl_scale_off_sz[i],
+ MDP_GAMUT_SCALE_OFF_SZ);
+@@ -948,7 +948,7 @@ static int pp_pcc_set_config(char __iomem *base_addr,
+ u32 opmode = 0;
+
+ if (!base_addr || !cfg_data || !pp_sts) {
+- pr_err("invalid params base_addr %p cfg_data %p pp_sts %p\n",
++ pr_err("invalid params base_addr %pK cfg_data %pK pp_sts %pK\n",
+ base_addr, cfg_data, pp_sts);
+ return -EINVAL;
+ }
+@@ -963,7 +963,7 @@ static int pp_pcc_set_config(char __iomem *base_addr,
+ }
+ pcc_data = pcc_cfg_data->cfg_payload;
+ if (!pcc_data) {
+- pr_err("invalid payload for pcc %p\n", pcc_data);
++ pr_err("invalid payload for pcc %pK\n", pcc_data);
+ return -EINVAL;
+ }
+
+@@ -1033,7 +1033,7 @@ static int pp_pcc_get_config(char __iomem *base_addr, void *cfg_data,
+ struct mdp_pcc_data_v1_7 pcc_data;
+
+ if (!base_addr || !cfg_data) {
+- pr_err("invalid params base_addr %p cfg_data %p\n",
++ pr_err("invalid
params base_addr %pK cfg_data %pK\n",
+ base_addr, cfg_data);
+ return -EINVAL;
+ }
+@@ -1230,7 +1230,7 @@ static void pp_pa_set_six_zone(char __iomem *base_addr,
+
+ if (!pa_data->six_zone_len || !pa_data->six_zone_curve_p0 ||
+ !pa_data->six_zone_curve_p1) {
+- pr_err("Invalid six zone data: len %d curve_p0 %p curve_p1 %p\n",
++ pr_err("Invalid six zone data: len %d curve_p0 %pK curve_p1 %pK\n",
+ pa_data->six_zone_len,
+ pa_data->six_zone_curve_p0,
+ pa_data->six_zone_curve_p1);
+@@ -1348,7 +1348,7 @@ static int pp_pa_set_config(char __iomem *base_addr,
+ int ret = 0;
+
+ if (!base_addr || !cfg_data || !pp_sts) {
+- pr_err("invalid params base_addr %p cfg_data %p pp_sts_type %p\n",
++ pr_err("invalid params base_addr %pK cfg_data %pK pp_sts_type %pK\n",
+ base_addr, cfg_data, pp_sts);
+ return -EINVAL;
+ }
+@@ -1373,7 +1373,7 @@ static int pp_pa_set_config(char __iomem *base_addr,
+
+ pa_data = pa_cfg_data->cfg_payload;
+ if (!pa_data) {
+- pr_err("invalid payload for pa %p\n", pa_data);
++ pr_err("invalid payload for pa %pK\n", pa_data);
+ return -EINVAL;
+ }
+
+@@ -1622,7 +1622,7 @@ static int pp_pa_get_config(char __iomem *base_addr, void *cfg_data,
+ char __iomem *pa_hold_addr = NULL;
+
+ if (!base_addr || !cfg_data) {
+- pr_err("invalid params base_addr %p cfg_data %p\n",
++ pr_err("invalid params base_addr %pK cfg_data %pK\n",
+ base_addr, cfg_data);
+ return -EINVAL;
+ }
+@@ -1755,7 +1755,7 @@ static int pp_igc_set_config(char __iomem *base_addr,
+ u32 data;
+
+ if (!base_addr || !cfg_data || !pp_sts) {
+- pr_err("invalid params base_addr %p cfg_data %p pp_sts_type %p\n",
++ pr_err("invalid params base_addr %pK cfg_data %pK pp_sts_type %pK\n",
+ base_addr, cfg_data, pp_sts);
+ return -EINVAL;
+ }
+@@ -1763,7 +1763,7 @@ static int pp_igc_set_config(char __iomem *base_addr,
+ lut_cfg_data = (struct mdp_igc_lut_data *) cfg_data;
+ if (lut_cfg_data->version != mdp_igc_v1_7 ||
+ !lut_cfg_data->cfg_payload) {
+- pr_err("invalid igc version %d payload %p\n",
++
pr_err("invalid igc version %d payload %pK\n",
+ lut_cfg_data->version, lut_cfg_data->cfg_payload);
+ return -EINVAL;
+ }
+@@ -1782,7 +1782,7 @@ static int pp_igc_set_config(char __iomem *base_addr,
+ lut_data = lut_cfg_data->cfg_payload;
+ if (lut_data->len != IGC_LUT_ENTRIES || !lut_data->c0_c1_data ||
+ !lut_data->c2_data) {
+- pr_err("invalid lut len %d c0_c1_data %p c2_data %p\n",
++ pr_err("invalid lut len %d c0_c1_data %pK c2_data %pK\n",
+ lut_data->len, lut_data->c0_c1_data, lut_data->c2_data);
+ return -EINVAL;
+ }
+@@ -1849,7 +1849,7 @@ static int pp_igc_get_config(char __iomem *base_addr, void *cfg_data,
+ u32 data = 0, sz = 0;
+
+ if (!base_addr || !cfg_data || block_type != DSPP) {
+- pr_err("invalid params base_addr %p cfg_data %p block_type %d\n",
++ pr_err("invalid params base_addr %pK cfg_data %pK block_type %d\n",
+ base_addr, cfg_data, block_type);
+ return -EINVAL;
+ }
+@@ -1861,7 +1861,7 @@ static int pp_igc_get_config(char __iomem *base_addr, void *cfg_data,
+ if (lut_cfg_data->version != mdp_igc_v1_7 ||
+ !lut_cfg_data->cfg_payload ||
+ lut_cfg_data->block > IGC_MASK_MAX) {
+- pr_err("invalid igc version %d payload %p block %d\n",
++ pr_err("invalid igc version %d payload %pK block %d\n",
+ lut_cfg_data->version, lut_cfg_data->cfg_payload,
+ lut_cfg_data->block);
+ ret = -EINVAL;
+@@ -1926,7 +1926,7 @@ static int pp_pgc_set_config(char __iomem *base_addr,
+ struct mdp_pgc_lut_data_v1_7 *pgc_data_v17 = NULL;
+
+ if (!base_addr || !cfg_data || !pp_sts) {
+- pr_err("invalid params base_addr %p cfg_data %p pp_sts_type %p\n",
++ pr_err("invalid params base_addr %pK cfg_data %pK pp_sts_type %pK\n",
+ base_addr, cfg_data, pp_sts);
+ return -EINVAL;
+ }
+@@ -1952,13 +1952,13 @@ static int pp_pgc_set_config(char __iomem *base_addr,
+
+ pgc_data_v17 = (struct mdp_pgc_lut_data_v1_7 *) pgc_data->cfg_payload;
+ if (!pgc_data_v17) {
+- pr_err("invalid payload for GC %p\n", pgc_data_v17);
++ pr_err("invalid payload for GC %pK\n", pgc_data_v17);
+ return
-EINVAL;
+ }
+
+ if (pgc_data_v17->len != PGC_LUT_ENTRIES || !pgc_data_v17->c0_data ||
+ !pgc_data_v17->c1_data || !pgc_data_v17->c2_data) {
+- pr_err("Invalid params entries %d c0_data %p c1_data %p c2_data %p\n",
++ pr_err("Invalid params entries %d c0_data %pK c1_data %pK c2_data %pK\n",
+ pgc_data_v17->len, pgc_data_v17->c0_data,
+ pgc_data_v17->c1_data, pgc_data_v17->c2_data);
+ return -EINVAL;
+@@ -2011,7 +2011,7 @@ static int pp_pgc_get_config(char __iomem *base_addr, void *cfg_data,
+ struct mdp_pgc_lut_data *pgc_data = NULL;
+ struct mdp_pgc_lut_data_v1_7 *pgc_data_v17 = NULL;
+ if (!base_addr || !cfg_data) {
+- pr_err("invalid params base_addr %p cfg_data %p block_type %d\n",
++ pr_err("invalid params base_addr %pK cfg_data %pK block_type %d\n",
+ base_addr, cfg_data, block_type);
+ return -EINVAL;
+ }
+@@ -2019,7 +2019,7 @@ static int pp_pgc_get_config(char __iomem *base_addr, void *cfg_data,
+ pgc_data_v17 = (struct mdp_pgc_lut_data_v1_7 *)
+ pgc_data->cfg_payload;
+ if (pgc_data->version != mdp_pgc_v1_7 || !pgc_data_v17) {
+- pr_err("invalid pgc version %d payload %p\n",
++ pr_err("invalid pgc version %d payload %pK\n",
+ pgc_data->version, pgc_data_v17);
+ return -EINVAL;
+ }
+@@ -2081,7 +2081,7 @@ static int pp_pgc_get_config(char __iomem *base_addr, void *cfg_data,
+ static int pp_pcc_get_version(u32 *version)
+ {
+ if (!version) {
+- pr_err("invalid param version %p\n", version);
++ pr_err("invalid param version %pK\n", version);
+ return -EINVAL;
+ }
+ *version = mdp_pcc_v1_7;
+@@ -2091,7 +2091,7 @@ static int pp_pcc_get_version(u32 *version)
+ static int pp_igc_get_version(u32 *version)
+ {
+ if (!version) {
+- pr_err("invalid param version %p\n", version);
++ pr_err("invalid param version %pK\n", version);
+ return -EINVAL;
+ }
+ *version = mdp_igc_v1_7;
+@@ -2101,7 +2101,7 @@ static int pp_igc_get_version(u32 *version)
+ static int pp_pgc_get_version(u32 *version)
+ {
+ if (!version) {
+- pr_err("invalid param version %p\n", version);
++
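Review bot: The pointer handed to `pr_err()` in pp_pcc_get_version() (hunk at -2081) is always NULL on that path, because the call sits inside `if (!version)`, so neither `%p` nor `%pK` prints anything useful there. The format argument can simply go: `pr_err("invalid param version\n");`. The same holds for the other single-pointer NULL checks this patch converts in the file, namely pp_igc_get_version(), pp_pgc_get_version(), pp_pa_get_version(), pp_gamut_get_version(), pp_dither_get_version(), pp_hist_lut_get_version(), pp_get_hist_offset(), pp_get_hist_isr() and pp_get_driver_ops().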
pr_err("invalid param version %pK\n", version);
+ return -EINVAL;
+ }
+ *version = mdp_pgc_v1_7;
+@@ -2111,7 +2111,7 @@ static int pp_pgc_get_version(u32 *version)
+ static int pp_pa_get_version(u32 *version)
+ {
+ if (!version) {
+- pr_err("invalid param version %p\n", version);
++ pr_err("invalid param version %pK\n", version);
+ return -EINVAL;
+ }
+ *version = mdp_pa_v1_7;
+@@ -2121,7 +2121,7 @@ static int pp_pa_get_version(u32 *version)
+ static int pp_gamut_get_version(u32 *version)
+ {
+ if (!version) {
+- pr_err("invalid param version %p\n", version);
++ pr_err("invalid param version %pK\n", version);
+ return -EINVAL;
+ }
+ *version = mdp_gamut_v1_7;
+@@ -2131,7 +2131,7 @@ static int pp_gamut_get_version(u32 *version)
+ static int pp_dither_get_version(u32 *version)
+ {
+ if (!version) {
+- pr_err("invalid param version %p\n", version);
++ pr_err("invalid param version %pK\n", version);
+ return -EINVAL;
+ }
+ *version = mdp_dither_v1_7;
+@@ -2141,7 +2141,7 @@ static int pp_dither_get_version(u32 *version)
+ static int pp_hist_lut_get_version(u32 *version)
+ {
+ if (!version) {
+- pr_err("invalid param version %p\n", version);
++ pr_err("invalid param version %pK\n", version);
+ return -EINVAL;
+ }
+ *version = mdp_hist_lut_v1_7;
+diff --git a/drivers/video/msm/mdss/mdss_mdp_rotator.c b/drivers/video/msm/mdss/mdss_mdp_rotator.c
+index ac957a0..e5307da 100644
+--- a/drivers/video/msm/mdss/mdss_mdp_rotator.c
++++ b/drivers/video/msm/mdss/mdss_mdp_rotator.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -190,11 +190,11 @@ static struct mdss_mdp_rot_pipe *mdss_mdp_rot_mgr_acquire_pipe(
+ (free_rot_pipe->previous_session != rot);
+
+ rot_pipe = free_rot_pipe;
+- pr_debug("find a free pipe %p\n", rot_pipe->pipe);
++ pr_debug("find a free pipe %pK\n", rot_pipe->pipe);
+ } else {
+ rot_pipe = busy_rot_pipe;
+ if (rot_pipe)
+- pr_debug("find a busy pipe %p\n", rot_pipe->pipe);
++ pr_debug("find a busy pipe %pK\n", rot_pipe->pipe);
+ }
+
+ if (rot_pipe)
+diff --git a/drivers/video/msm/mdss/mdss_mdp_util.c b/drivers/video/msm/mdss/mdss_mdp_util.c
+index fba7c86..af4920c 100644
+--- a/drivers/video/msm/mdss/mdss_mdp_util.c
++++ b/drivers/video/msm/mdss/mdss_mdp_util.c
+@@ -1052,7 +1052,7 @@ static int mdss_mdp_put_img(struct mdss_mdp_img_data *data, bool rotator,
+ pr_debug("pmem buf=0x%pa\n", &data->addr);
+ memset(&data->srcp_f, 0, sizeof(struct fd));
+ } else if (!IS_ERR_OR_NULL(data->srcp_dma_buf)) {
+- pr_debug("ion hdl=%p buf=0x%pa\n", data->srcp_dma_buf,
++ pr_debug("ion hdl=%pK buf=0x%pa\n", data->srcp_dma_buf,
+ &data->addr);
+ if (!iclient) {
+ pr_err("invalid ion client\n");
+@@ -1211,8 +1211,9 @@ static int mdss_mdp_get_img(struct msmfb_data *img,
+ data->addr += data->offset;
+ data->len -= data->offset;
+
+- pr_debug("mem=%d ihdl=%p buf=0x%pa len=0x%lx\n", img->memory_id,
+- data->srcp_dma_buf, &data->addr, data->len);
++ pr_debug("mem=%d ihdl=%pK buf=0x%pa len=0x%lx\n",
++ img->memory_id, data->srcp_dma_buf,
++ &data->addr, data->len);
+ } else {
+ mdss_mdp_put_img(data, rotator, dir);
+ return ret ?
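Review bot: The `buf=0x%pa` field in the converted `pr_debug()` of mdss_mdp_put_img() (hunk at -1052) is left as it was, and `%pa` is not subject to `kptr_restrict`, so the buffer address taken from `&data->addr` is still written out in full whenever debug output is enabled. The same specifier survives in the mdss_mdp_get_img() and mdss_mdp_map_buffer() hunks that follow and in the mdss_mdp_wb.c hunks (`phys=0x%pa iova=0x%pa`, `addr=%pa`). If the aim is to keep addresses out of the kernel log, drop the field as well, e.g. `pr_debug("ion hdl=%pK\n", data->srcp_dma_buf);`. The function starts and ends outside the hunk.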
: -EOVERFLOW;
+@@ -1267,7 +1268,7 @@ static int mdss_mdp_map_buffer(struct mdss_mdp_img_data *data, bool rotator,
+ data->addr += data->offset;
+ data->len -= data->offset;
+
+- pr_debug("ihdl=%p buf=0x%pa len=0x%lx\n",
++ pr_debug("ihdl=%pK buf=0x%pa len=0x%lx\n",
+ data->srcp_dma_buf, &data->addr, data->len);
+ } else {
+ mdss_mdp_put_img(data, rotator, dir);
+diff --git a/drivers/video/msm/mdss/mdss_mdp_wb.c b/drivers/video/msm/mdss/mdss_mdp_wb.c
+index c9b6945..993b8d6 100644
+--- a/drivers/video/msm/mdss/mdss_mdp_wb.c
++++ b/drivers/video/msm/mdss/mdss_mdp_wb.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -95,7 +95,7 @@ struct mdss_mdp_data *mdss_mdp_wb_debug_buffer(struct msm_fb_data_type *mfd)
+ ihdl = ion_alloc(iclient, img_size, SZ_4K,
+ ION_HEAP(ION_SF_HEAP_ID), 0);
+ if (IS_ERR_OR_NULL(ihdl)) {
+- pr_err("unable to alloc fbmem from ion (%p)\n", ihdl);
++ pr_err("unable to alloc fbmem from ion (%pK)\n", ihdl);
+ return NULL;
+ }
+
+@@ -122,7 +122,7 @@ struct mdss_mdp_data *mdss_mdp_wb_debug_buffer(struct msm_fb_data_type *mfd)
+ img->len = img_size;
+ }
+
+- pr_debug("ihdl=%p virt=%p phys=0x%pa iova=0x%pa size=%u\n",
++ pr_debug("ihdl=%pK virt=%pK phys=0x%pa iova=0x%pa size=%u\n",
+ ihdl, videomemory, &mdss_wb_mem, &img->addr, img_size);
+ }
+ return &mdss_wb_buffer;
+@@ -437,7 +437,7 @@ static struct mdss_mdp_wb_data *get_user_node(struct msm_fb_data_type *mfd,
+ list_for_each_entry(node, &wb->register_queue, registered_entry)
+ if ((node->buf_data.p[0].srcp_ihdl == ihdl) &&
+ (node->buf_info.offset == data->offset)) {
+- pr_debug("found fd=%d hdl=%p off=%x addr=%pa\n",
++ pr_debug("found fd=%d hdl=%pK off=%x addr=%pa\n",
+ data->memory_id, ihdl,
+ data->offset,
+
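Review bot: In the `IS_ERR_OR_NULL(ihdl)` branch of mdss_mdp_wb_debug_buffer() (hunk at -95) the value being printed is an error-encoded pointer or NULL rather than an address worth hiding, and once `%pK` masks it the message no longer says why `ion_alloc()` failed. Logging the error code keeps the diagnostic and exposes no address: `pr_err("unable to alloc fbmem from ion (%ld)\n", PTR_ERR(ihdl));`. The function starts and ends outside the hunk.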
&node->buf_data.p[0].addr);
+@@ -513,7 +513,7 @@ static void mdss_mdp_wb_free_node(struct mdss_mdp_wb_data *node)
+ if (node->user_alloc) {
+ buf = &node->buf_data.p[0];
+
+- pr_debug("free user mem_id=%d ihdl=%p, offset=%u addr=0x%pa\n",
++ pr_debug("free user mem_id=%d ihdl=%pK, offset=%u addr=0x%pa\n",
+ node->buf_info.memory_id,
+ buf->srcp_ihdl,
+ node->buf_info.offset,
+diff --git a/drivers/video/msm/mdss/mdss_util.c b/drivers/video/msm/mdss/mdss_util.c
+index 3a9ff9b..2f9dd44 100644
+--- a/drivers/video/msm/mdss/mdss_util.c
++++ b/drivers/video/msm/mdss/mdss_util.c
+@@ -33,7 +33,7 @@ int mdss_register_irq(struct mdss_hw *hw)
+ if (!mdss_irq_handlers[hw->hw_ndx])
+ mdss_irq_handlers[hw->hw_ndx] = hw;
+ else
+- pr_err("panel %d's irq at %p is already registered\n",
++ pr_err("panel %d's irq at %pK is already registered\n",
+ hw->hw_ndx, hw->irq_handler);
+ spin_unlock_irqrestore(&mdss_lock, irq_flags);
+
+diff --git a/drivers/video/msm/mdss/mhl3/mhl_linux_tx.c b/drivers/video/msm/mdss/mhl3/mhl_linux_tx.c
+index 1514f02..d3dc874 100644
+--- a/drivers/video/msm/mdss/mhl3/mhl_linux_tx.c
++++ b/drivers/video/msm/mdss/mhl3/mhl_linux_tx.c
+@@ -1,7 +1,7 @@
+ /*
+ * SiI8620 Linux Driver
+ *
+- * Copyright (C) 2013-2014 Silicon Image, Inc.
++ * Copyright (C) 2013-2014, 2016 Silicon Image, Inc.
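Review bot: `hw->irq_handler` in the `pr_err()` of mdss_register_irq() (hunk at -33) looks like a function pointer, although its declaration is not in the hunk and should be confirmed. For a function pointer `%pK` prints either a raw kernel text address or, when masked, nothing that identifies the handler. `%ps` prints the handler's symbol name instead of an address: `pr_err("panel %d's irq at %ps is already registered\n",`. The function starts before the hunk and its end is not shown.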
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+@@ -5599,7 +5599,7 @@ static int is_timer_handle_valid(struct mhl_dev_context *dev_context,
+ }
+
+ if (timer != timer_handle) {
+- MHL_TX_DBG_WARN("Invalid timer handle %p received\n",
++ MHL_TX_DBG_WARN("Invalid timer handle %pK received\n",
+ timer_handle);
+ return -EINVAL;
+ }
+diff --git a/drivers/video/msm/mdss/mhl3/mhl_supp.c b/drivers/video/msm/mdss/mhl3/mhl_supp.c
+index 7055d8c..de0e207 100644
+--- a/drivers/video/msm/mdss/mhl3/mhl_supp.c
++++ b/drivers/video/msm/mdss/mhl3/mhl_supp.c
+@@ -1,7 +1,7 @@
+ /*
+ * SiI8620 Linux Driver
+ *
+- * Copyright (C) 2013-2014 Silicon Image, Inc.
++ * Copyright (C) 2013-2014, 2016 Silicon Image, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+@@ -185,7 +185,7 @@ static struct cbus_req *get_free_cbus_queue_entry_impl(
+ req->function = function;
+ req->line = line;
+ req->sequence = dev_context->sequence++;
+- /*MHL_TX_DBG_ERR(,"q %d get:0x%p %s:%d\n",
++ /*MHL_TX_DBG_ERR(,"q %d get:0x%pK %s:%d\n",
+ req->sequence,req,function,line); */
+ return req;
+ }
+@@ -197,7 +197,7 @@ static void return_cbus_queue_entry_impl(struct mhl_dev_context *dev_context,
+ struct cbus_req *pReq,
+ const char *function, int line)
+ {
+- /* MHL_TX_DBG_ERR(,"q ret:0x%p %s:%d\n",pReq,function,line); */
++ /* MHL_TX_DBG_ERR(,"q ret:0x%pK %s:%d\n",pReq,function,line); */
+ list_add(&pReq->link, &dev_context->cbus_free_list);
+
+ }
+@@ -372,7 +372,7 @@ static struct block_req *start_new_block_marshalling_req_impl(
+ sizeof(payload->as_bytes) -
+ sizeof(struct SI_PACK_THIS_STRUCT standard_transport_header_t);
+ dev_context->block_protocol.marshalling_req = req;
+- MHL_TX_DBG_WARN("q %d get:0x%p %s:%d\n", req->sequence, req, function,
++ MHL_TX_DBG_WARN("q %d get:0x%pK %s:%d\n", req->sequence, req, function,
+ line);
+
return req;
+ }
+@@ -384,7 +384,7 @@ static void return_block_queue_entry_impl(struct mhl_dev_context *dev_context,
+ struct block_req *pReq,
+ const char *function, int line)
+ {
+- /* MHL_TX_DBG_ERR(,"q ret:0x%p %s:%d\n",pReq,function,line); */
++ /* MHL_TX_DBG_ERR(,"q ret:0x%pK %s:%d\n",pReq,function,line); */
+ list_add(&pReq->link, &dev_context->block_protocol.free_list);
+
+ }
+@@ -1283,7 +1283,7 @@ void si_mhl_tx_drive_states(struct mhl_dev_context *dev_context)
+ if (req == NULL)
+ return;
+
+- MHL_TX_DBG_INFO("req: %p\n", req);
++ MHL_TX_DBG_INFO("req: %pK\n", req);
+ /* coordinate write burst requests and grants. */
+ if (MHL_MSC_MSG == req->command) {
+ dev_context->msc_msg_last_data = req->msg_data[1];
+@@ -1298,7 +1298,7 @@ void si_mhl_tx_drive_states(struct mhl_dev_context *dev_context)
+ }
+ }
+
+- MHL_TX_DBG_INFO("req: %p\n", req);
++ MHL_TX_DBG_INFO("req: %pK\n", req);
+ if (req) {
+ uint8_t ret_val;
+ dev_context->current_cbus_req = req;
+diff --git a/drivers/video/msm/mdss/mhl3/platform.c b/drivers/video/msm/mdss/mhl3/platform.c
+index c0e5174..16ce64e 100644
+--- a/drivers/video/msm/mdss/mhl3/platform.c
++++ b/drivers/video/msm/mdss/mhl3/platform.c
+@@ -1,7 +1,7 @@
+ /*
+ * SiI8620 Linux Driver
+ *
+- * Copyright (C) 2013-2014 Silicon Image, Inc.
++ * Copyright (C) 2013-2014, 2016 Silicon Image, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+@@ -1590,7 +1590,7 @@ static int __devinit si_8620_mhl_tx_i2c_probe(struct i2c_client *client,
+ {
+ int ret;
+
+- pr_info("%s(), i2c_device_id = %p\n", __func__, id);
++ pr_info("%s(), i2c_device_id = %pK\n", __func__, id);
+
+ #if defined(SIMG_USE_DTS)
+ /*
+@@ -1844,7 +1844,7 @@ static int __devinit si_8620_mhl_tx_spi_probe(struct spi_device *spi)
+ {
+ int ret;
+
+- pr_info("%s(), spi = %p\n", __func__, spi);
++ pr_info("%s(), spi = %pK\n", __func__, spi);
+ spi->bits_per_word = 8;
+ spi_dev = spi;
+ spi_bus_num = spi->master->bus_num;
+@@ -2161,7 +2161,7 @@ static void __exit si_8620_exit(void)
+ for (idx = 0; idx < ARRAY_SIZE(device_addresses); idx++) {
+ MHL_TX_DBG_INFO("\n");
+ if (device_addresses[idx].client != NULL) {
+- MHL_TX_DBG_INFO("unregistering device:%p\n",
++ MHL_TX_DBG_INFO("unregistering device:%pK\n",
+ device_addresses[idx].client);
+ i2c_unregister_device(device_addresses[idx].
+ client);
+diff --git a/drivers/video/msm/mdss/mhl3/si_8620_drv.c b/drivers/video/msm/mdss/mhl3/si_8620_drv.c
+index dd71f1b..9d68f28 100644
+--- a/drivers/video/msm/mdss/mhl3/si_8620_drv.c
++++ b/drivers/video/msm/mdss/mhl3/si_8620_drv.c
+@@ -2367,7 +2367,7 @@ int si_mhl_tx_drv_get_edid_fifo_partial_block(struct drv_hw_context *hw_context,
+ offset = EDID_BLOCK_SIZE * (hw_context->edid_fifo_block_number & 0x01);
+ offset += start;
+
+- MHL_TX_DBG_INFO("%p %p\n", hw_context, edid_buf);
++ MHL_TX_DBG_INFO("%pK %pK\n", hw_context, edid_buf);
+ if (EDID_BLOCK_SIZE == (offset + length))
+ hw_context->edid_fifo_block_number++;
+
+@@ -2401,7 +2401,7 @@ int si_mhl_tx_drv_get_edid_fifo_next_block(struct drv_hw_context *hw_context,
+
+ offset = EDID_BLOCK_SIZE * (hw_context->edid_fifo_block_number & 0x01);
+
+- MHL_TX_DBG_INFO("%p %p\n", hw_context, edid_buf);
++ MHL_TX_DBG_INFO("%pK %pK\n", hw_context, edid_buf);
+ hw_context->edid_fifo_block_number++;
+
+ #ifdef MANUAL_EDID_FETCH
+diff --git a/drivers/video/msm/mdss/mhl3/si_emsc_hid.c b/drivers/video/msm/mdss/mhl3/si_emsc_hid.c
+index 17d33c9..52acb26 100644
+--- a/drivers/video/msm/mdss/mhl3/si_emsc_hid.c
++++ b/drivers/video/msm/mdss/mhl3/si_emsc_hid.c
+@@ -1,8 +1,8 @@
+ /*
+ * MHL3 HID Tunneling implementation
+ *
+- * Copyright (c) 2013-2014 Lee Mulcahy
+- * Copyright (c) 2013-2014 Silicon Image, Inc
++ * Copyright (c) 2013-2014, 2016 Lee Mulcahy
++ * Copyright (c) 2013-2014, 2016 Silicon Image, Inc
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+@@ -461,7 +461,7 @@ static int mhl3_send_ack(struct mhl3_hid_data *mhid, uint8_t reason)
+ return -ENODEV;
+
+ MHL3_HID_DBG_WARN("%s - HID_ACK reason code: %02X\n", __func__, reason);
+- MHL3_HID_DBG_ERR("mhid->mdev: %p\n", mhid->mdev);
++ MHL3_HID_DBG_ERR("mhid->mdev: %pK\n", mhid->mdev);
+ mhid->out_data[0] = MHL3_HID_ACK;
+ mhid->out_data[1] = reason;
+
+@@ -1089,7 +1089,7 @@
mhid_cleanup:
+ mhl3_send_ack(mhid, HID_ACK_NODEV);
+
+ mhid->flags |= HID_FLAGS_WQ_CANCEL;
+- MHL3_HID_DBG_ERR("WORK QUEUE function FAIL - mhid: %p\n", mhid);
++ MHL3_HID_DBG_ERR("WORK QUEUE function FAIL - mhid: %pK\n", mhid);
+ mhl3_disconnect_and_destroy_hid_device(mhid);
+
+ /*
+diff --git a/drivers/video/msm/mdss/mhl3/si_mdt_inputdev.c b/drivers/video/msm/mdss/mhl3/si_mdt_inputdev.c
+index 13d2a08..573684a1 100644
+--- a/drivers/video/msm/mdss/mhl3/si_mdt_inputdev.c
++++ b/drivers/video/msm/mdss/mhl3/si_mdt_inputdev.c
+@@ -1,7 +1,7 @@
+ /*
+ * SiI8620 Linux Driver
+ *
+- * Copyright (C) 2013-2014 Silicon Image, Inc.
++ * Copyright (C) 2013-2014, 2016 Silicon Image, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+@@ -80,10 +80,11 @@ static void destroy_mouse(struct mhl_dev_context *dev_context)
+ if (dev_context->mdt_devs.dev_mouse == NULL)
+ return;
+
+- MHL_TX_DBG_INFO("Unregistering mouse: %p\n",
++ MHL_TX_DBG_INFO("Unregistering mouse: %pK\n",
+ dev_context->mdt_devs.dev_mouse);
+ input_unregister_device(dev_context->mdt_devs.dev_mouse);
+- MHL_TX_DBG_INFO("Freeing mouse: %p\n", dev_context->mdt_devs.dev_mouse);
++ MHL_TX_DBG_INFO("Freeing mouse: %pK\n",
++ dev_context->mdt_devs.dev_mouse);
+ input_free_device(dev_context->mdt_devs.dev_mouse);
+ dev_context->mdt_devs.dev_mouse = NULL;
+ }
+@@ -93,10 +94,10 @@ static void destroy_keyboard(struct mhl_dev_context *dev_context)
+ if (dev_context->mdt_devs.dev_keyboard == NULL)
+ return;
+
+- MHL_TX_DBG_INFO("Unregistering keyboard: %p\n",
++ MHL_TX_DBG_INFO("Unregistering keyboard: %pK\n",
+ dev_context->mdt_devs.dev_keyboard);
+ input_unregister_device(dev_context->mdt_devs.dev_keyboard);
+- MHL_TX_DBG_INFO("Freeing keyboard: %p\n",
++ MHL_TX_DBG_INFO("Freeing keyboard: %pK\n",
+ dev_context->mdt_devs.dev_keyboard);
+ input_free_device(dev_context->mdt_devs.dev_keyboard);
+ dev_context->mdt_devs.dev_keyboard = NULL;
+@@ -107,10 +108,10 @@ static void destroy_touchscreen(struct mhl_dev_context *dev_context)
+ if (dev_context->mdt_devs.dev_touchscreen == NULL)
+ return;
+
+- MHL_TX_DBG_INFO("Unregistering mouse: %p\n",
++ MHL_TX_DBG_INFO("Unregistering mouse: %pK\n",
+ dev_context->mdt_devs.dev_touchscreen);
+ input_unregister_device(dev_context->mdt_devs.dev_touchscreen);
+- MHL_TX_DBG_INFO("Freeing mouse: %p\n",
++ MHL_TX_DBG_INFO("Freeing mouse: %pK\n",
+ dev_context->mdt_devs.dev_touchscreen);
+ input_free_device(dev_context->mdt_devs.dev_touchscreen);
+ dev_context->mdt_devs.dev_touchscreen = NULL;
+@@ -130,7 +131,7 @@ int init_mdt_keyboard(struct mhl_dev_context *dev_context)
+ MHL_TX_DBG_ERR("Not enough memory\n");
+ return -ENOMEM;
+ }
+- MHL_TX_DBG_INFO("Allocated keyboard: %p\n", dev_keyboard);
++ MHL_TX_DBG_INFO("Allocated keyboard: %pK\n", dev_keyboard);
+
+ set_bit(EV_KEY, dev_keyboard->evbit);
+ set_bit(EV_REP, dev_keyboard->evbit);
+@@ -158,7 +159,7 @@ int init_mdt_keyboard(struct mhl_dev_context *dev_context)
+ return error;
+ }
+
+- MHL_TX_DBG_INFO("Registered keyboard: %p\n", dev_keyboard);
++ MHL_TX_DBG_INFO("Registered keyboard: %pK\n", dev_keyboard);
+
+ dev_context->mdt_devs.dev_keyboard = dev_keyboard;
+
+@@ -175,7 +176,7 @@ int init_mdt_mouse(struct mhl_dev_context *dev_context)
+ MHL_TX_DBG_ERR("Not enough memory\n");
+ return -ENOMEM;
+ }
+- MHL_TX_DBG_INFO("Allocated mouse: %p\n", dev_mouse);
++ MHL_TX_DBG_INFO("Allocated mouse: %pK\n", dev_mouse);
+
+ set_bit(EV_REL, dev_mouse->evbit);
+ set_bit(EV_KEY, dev_mouse->evbit);
+@@ -208,7 +209,7 @@ int init_mdt_mouse(struct mhl_dev_context *dev_context)
+ return error;
+ }
+
+- MHL_TX_DBG_INFO("Registered mouse: %p\n", dev_mouse);
++ MHL_TX_DBG_INFO("Registered mouse: %pK\n", dev_mouse);
+
+ dev_context->mdt_devs.dev_mouse = dev_mouse;
+
+@@ -226,7 +227,7 @@ int init_mdt_touchscreen(struct mhl_dev_context *dev_context)
+ return -ENOMEM;
+ }
+
+- MHL_TX_DBG_INFO("Allocated touch screen: %p\n",
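Review bot: Both messages in destroy_touchscreen() (hunk at -107) still say "mouse" although the device being torn down is `dev_context->mdt_devs.dev_touchscreen`, which makes the log misleading when it is read next to the output of destroy_mouse(). Since the patch rewrites both lines anyway, the wording can be corrected in the same change: `MHL_TX_DBG_INFO("Unregistering touchscreen: %pK\n",` and `MHL_TX_DBG_INFO("Freeing touchscreen: %pK\n",`.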
dev_touchscreen); ++ MHL_TX_DBG_INFO("Allocated touch screen: %pK\n", dev_touchscreen); + + #if !defined(SINGLE_TOUCH) && defined(KERNEL_2_6_38_AND_LATER) + input_mt_init_slots(dev_touchscreen, MAX_TOUCH_CONTACTS); +@@ -301,7 +302,7 @@ int init_mdt_touchscreen(struct mhl_dev_context *dev_context) + input_free_device(dev_touchscreen); + return error; + } +- MHL_TX_DBG_INFO("Registered touchscreen: %p\n", dev_touchscreen); ++ MHL_TX_DBG_INFO("Registered touchscreen: %pK\n", dev_touchscreen); + + dev_context->mdt_devs.dev_touchscreen = dev_touchscreen; + +diff --git a/drivers/video/msm/mdss/mhl3/si_mhl2_edid_3d.c b/drivers/video/msm/mdss/mhl3/si_mhl2_edid_3d.c +index fd6918f..0e7a35c 100644 +--- a/drivers/video/msm/mdss/mhl3/si_mhl2_edid_3d.c ++++ b/drivers/video/msm/mdss/mhl3/si_mhl2_edid_3d.c +@@ -1,7 +1,7 @@ + /* + * SiI8620 Linux Driver + * +- * Copyright (C) 2013-2014 Silicon Image, Inc. ++ * Copyright (C) 2013-2014, 2016 Silicon Image, Inc. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as +@@ -1118,7 +1118,7 @@ static void tx_prune_dtd_list(struct edid_3d_data_t *mhl_edid_3d_data, + if ((0 != p_desc->dtd.pixel_clock_low) || + (0 != p_desc->dtd.pixel_clock_high)) { + MHL_TX_EDID_INFO( +- "pix clock non-zero p_desc:%p", p_desc) ++ "pix clock non-zero p_desc:%pK", p_desc) + if ((0 == p_desc->dtd.horz_active_7_0) && + (0 == p_desc->dtd.horz_active_blanking_high. 
+ horz_active_11_8)) { +@@ -1133,7 +1133,7 @@ static void tx_prune_dtd_list(struct edid_3d_data_t *mhl_edid_3d_data, + * one by one + */ + MHL_TX_EDID_INFO( +- "p_desc:%p p_next_desc:%p\n", ++ "p_desc:%pK p_next_desc:%pK\n", + p_desc, p_next_desc) + *p_desc++ = *p_next_desc++; + } +@@ -1144,7 +1144,7 @@ static void tx_prune_dtd_list(struct edid_3d_data_t *mhl_edid_3d_data, + p_desc = p_holder; + } else { + p_desc++; +- MHL_TX_EDID_INFO("p_desc:%p\n", p_desc) ++ MHL_TX_EDID_INFO("p_desc:%pK\n", p_desc) + } + } + } +@@ -1446,7 +1446,7 @@ static bool si_mhl_tx_parse_detailed_timing_descriptor( + * Mark this mode for pruning by setting + * horizontal active to zero + */ +- MHL_TX_DBG_ERR("%smark for pruning%s %p\n", ++ MHL_TX_DBG_ERR("%smark for pruning%s %pK\n", + ANSI_ESC_YELLOW_TEXT, + ANSI_ESC_RESET_TEXT, + p_desc); +@@ -1500,7 +1500,7 @@ static uint8_t si_mhl_tx_parse_861_long_descriptors( + ++mhl_edid_3d_data->parse_data. + num_cea_861_timing_dtds; + } else if (valid) { +- MHL_TX_EDID_INFO("stopping at %p\n", ++ MHL_TX_EDID_INFO("stopping at %pK\n", + p_data_u.p_long_descriptors) + break; + } +@@ -1600,7 +1600,7 @@ static void prune_hdmi_vsdb_vic_list( + HDMI_VIC_len = inner_loop_limit; + p_CEA_extension->byte_offset_to_18_byte_descriptors -= + num_HDMI_VICs_pruned; +- MHL_TX_EDID_INFO("%p\n", mhl_edid_3d_data->parse_data.p_HDMI_vsdb); ++ MHL_TX_EDID_INFO("%pK\n", mhl_edid_3d_data->parse_data.p_HDMI_vsdb); + if (mhl_edid_3d_data->parse_data.p_HDMI_vsdb) { + mhl_edid_3d_data->parse_data.p_HDMI_vsdb-> + header.fields.length_following_header -= +@@ -1722,8 +1722,7 @@ static void prune_svd_list( + ("\n\nInvalid extension size\n\n")); + while (pb_src < pb_limit) { + MHL_TX_EDID_INFO( +- "moving data up %p(0x%02X) " +- "<- %p(0x%02X)\n", ++ "moving data up %pK(0x%02X)<- %pK(0x%02X)\n", + pb_dest, (uint16_t)*pb_dest, + pb_src, (uint16_t)*pb_src); + *pb_dest++ = *pb_src++; +@@ -3123,7 +3122,7 @@ void si_mhl_tx_process_hev_vic_burst(struct edid_3d_data_t 
*mhl_edid_3d_data, + ANSI_ESC_RED_TEXT, ANSI_ESC_RESET_TEXT); + return; + } else { +- MHL_TX_DBG_WARN(" %d %p\n", hev_index, ++ MHL_TX_DBG_WARN(" %d %pK\n", hev_index, + mhl_edid_3d_data->hev_vic_list) + mhl_edid_3d_data->hev_vic_info. + num_items_allocated = +@@ -3136,7 +3135,7 @@ void si_mhl_tx_process_hev_vic_burst(struct edid_3d_data_t *mhl_edid_3d_data, + MHL_TX_DBG_ERR("bogus write burst, no hev_vic_list\n") + return; + } +- MHL_TX_DBG_WARN(" %d %p\n", hev_index, mhl_edid_3d_data->hev_vic_list) ++ MHL_TX_DBG_WARN(" %d %pK\n", hev_index, mhl_edid_3d_data->hev_vic_list) + if (NULL == mhl_edid_3d_data->hev_vic_list) { + MHL_TX_DBG_ERR("%s no place to put HEV_VIC burst%s\n", + ANSI_ESC_RED_TEXT, ANSI_ESC_RESET_TEXT); +@@ -3155,7 +3154,7 @@ void si_mhl_tx_process_hev_vic_burst(struct edid_3d_data_t *mhl_edid_3d_data, + burst_id_HEV_VIC, + (union video_burst_descriptor_u *) &p_burst-> + video_descriptors[i])) { +- MHL_TX_DBG_INFO(" %d %p\n", ++ MHL_TX_DBG_INFO(" %d %pK\n", + hev_index, mhl_edid_3d_data->hev_vic_list) + mhl_edid_3d_data->hev_vic_list[hev_index]. + mhl3_hev_vic_descriptor = +@@ -4036,7 +4035,7 @@ static uint8_t parse_861_block(struct edid_3d_data_t *mhl_edid_3d_data, + + mhl_edid_3d_data->parse_data.p_HDMI_vsdb = NULL; + +- MHL_TX_EDID_INFO("tag:place holder EDID block:%p\n", p_EDID_block_data); ++ MHL_TX_EDID_INFO("tag:place holdr EDID block:%pK\n", p_EDID_block_data); + if (EDID_EXTENSION_BLOCK_MAP == p_CEA_extension->tag) { + struct block_map_t *p_block_map; + int i; +@@ -4123,7 +4122,7 @@ void si_mhl_tx_handle_atomic_hw_edid_read_complete( + mhl_edid_3d_data->parse_data.num_EDID_extensions; + ++counter) { + MHL_TX_EDID_INFO +- (" counter:%d tag:place holder EDID block:%p\n", ++ (" counter:%d tag:place holder EDID block:%pK\n", + counter, + &mhl_edid_3d_data-> + EDID_block_data[EDID_BLOCK_SIZE * counter]); +-- +cgit v1.1 + 
diff --git a/Patches/Linux_CVEs/CVE-2016-6786/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6786/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-6786/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-6786/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-6787/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6787/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-6787/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-6787/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-6791/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-6791/ANY/0001.patch
new file mode 100644
index 00000000..5db9e5c2
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-6791/ANY/0001.patch
@@ -0,0 +1,79 @@
+From 30a4f0783d2978e27a8b8856d8e358ccaf5ddab4 Mon Sep 17 00:00:00 2001
+From: Walter Yang
+Date: Thu, 13 Oct 2016 10:48:39 +0800
+Subject: ASoC: msm: lock read/write when add/free audio ion memory
+
+As read/write get access to ion memory region as well, it's
+necessary to lock them when ion memory is about to be added/freed
+to avoid racing cases.
+
+CRs-Fixed: 1071809
+Change-Id: I436ead23c93384961b38ca99b9312a40c50ad03a
+Signed-off-by: Walter Yang
+---
+ arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c b/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c
+index 5bdd10a..4455368 100644
+--- a/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c
++++ b/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c
+@@ -1,6 +1,6 @@
+ /* Copyright (C) 2008 Google, Inc.
+ * Copyright (C) 2008 HTC Corporation
+- * Copyright (c) 2009-2013, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2009-2013,2016 The Linux Foundation. All rights reserved.
+ *
+ * This software is licensed under the terms of the GNU General Public
+ * License version 2, as published by the Free Software Foundation, and
+@@ -562,6 +562,8 @@ int audio_aio_release(struct inode *inode, struct file *file)
+ struct q6audio_aio *audio = file->private_data;
+ pr_debug("%s[%p]\n", __func__, audio);
+ mutex_lock(&audio->lock);
++ mutex_lock(&audio->read_lock);
++ mutex_lock(&audio->write_lock);
+ audio->wflush = 1;
+ if (audio->enabled)
+ audio_aio_flush(audio);
+@@ -577,6 +579,8 @@ int audio_aio_release(struct inode *inode, struct file *file)
+ audio_aio_reset_event_queue(audio);
+ q6asm_audio_client_free(audio->ac);
+ mutex_unlock(&audio->lock);
++ mutex_unlock(&audio->write_lock);
++ mutex_unlock(&audio->read_lock);
+ mutex_destroy(&audio->lock);
+ mutex_destroy(&audio->read_lock);
+ mutex_destroy(&audio->write_lock);
+@@ -1349,8 +1353,13 @@ long audio_aio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ mutex_lock(&audio->lock);
+ if (copy_from_user(&info, (void *)arg, sizeof(info)))
+ rc = -EFAULT;
+- else
++ else{
++ mutex_lock(&audio->read_lock);
++ mutex_lock(&audio->write_lock);
+ rc = audio_aio_ion_add(audio, &info);
++ mutex_unlock(&audio->write_lock);
++ mutex_unlock(&audio->read_lock);
++ }
+ mutex_unlock(&audio->lock);
+ break;
+ }
+@@ -1360,8 +1369,13 @@ long audio_aio_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ pr_debug("%s[%p]:AUDIO_DEREGISTER_ION\n", __func__, audio);
+ if (copy_from_user(&info, (void *)arg, sizeof(info)))
+ rc = -EFAULT;
+- else
++ else{
++ mutex_lock(&audio->read_lock);
++ mutex_lock(&audio->write_lock);
+ rc = audio_aio_ion_remove(audio, &info);
++ mutex_unlock(&audio->write_lock);
++ mutex_unlock(&audio->read_lock);
++ }
+ mutex_unlock(&audio->lock);
+ break;
+ }
+--
+cgit v1.1
+
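Review bot: The added `mutex_lock(&audio->read_lock); mutex_lock(&audio->write_lock);` pairs in audio_aio_release() and in both ION ioctl branches fix a nesting order of `audio->lock`, then `read_lock`, then `write_lock`, and nothing in the patched file records it. If any read or write path takes `audio->lock` while already holding `read_lock` or `write_lock` (not visible here; all three functions start and end outside these hunks), the new code can deadlock against it, so the order should be checked across the driver and written down, e.g. `/* lock order: audio->lock -> read_lock -> write_lock */` above the first acquisition. The `else{` branches also want kernel style: `} else {`, with braces on the `if` arm as well. The same blob (index 5db9e5c2) is added again as CVE-2016-8391/ANY/0001.patch further down, so the point applies there too.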
diff --git a/Patches/Linux_CVEs/CVE-2016-6791/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6791/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-6791/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6791/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-6828/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-6828/ANY/0001.patch similarity index 98% rename from Patches/Linux_CVEs/CVE-2016-6828/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-6828/ANY/0001.patch index 0d4cfdd4..e2ec7d0b 100644 --- a/Patches/Linux_CVEs/CVE-2016-6828/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2016-6828/ANY/0001.patch @@ -37,6 +37,8 @@ Signed-off-by: David S. Miller include/net/tcp.h | 2 ++ 1 file changed, 2 insertions(+) +(limited to 'include/net/tcp.h') + diff --git a/include/net/tcp.h b/include/net/tcp.h index c00e7d5..7717302 100644 --- a/include/net/tcp.h diff --git a/Patches/Linux_CVEs/CVE-2016-7042/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-7042/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-7042/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-7042/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-7097/^4.8/0.patch b/Patches/Linux_CVEs/CVE-2016-7097/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-7097/^4.8/0.patch rename to Patches/Linux_CVEs/CVE-2016-7097/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8281/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-7117/ANY/0001.patch similarity index 87% rename from Patches/Linux_CVEs/CVE-2017-8281/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-7117/ANY/0001.patch index 87e22688..0d30b687 100644 --- a/Patches/Linux_CVEs/CVE-2017-8281/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2016-7117/ANY/0001.patch @@ -1,4 +1,4 @@ -From 14290556e50c3264d633f79f9d998aa34d5049d6 Mon Sep 17 00:00:00 2001 +From 34b88a68f26a75e4fded796f1a49c40f82234b7d Mon Sep 17 00:00:00 2001 
From: Arnaldo Carvalho de Melo Date: Mon, 14 Mar 2016 09:56:35 -0300 Subject: net: Fix use after free in the recvmmsg exit path @@ -27,20 +27,16 @@ Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall") http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: David S. Miller -Change-Id: I447302392f46841f31c374bdb560fe5ee9c2d687 -Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git -Git-commit: 34b88a68f26a75e4fded796f1a49c40f82234b7d -Signed-off-by: Dennis Cagle --- net/socket.c | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/net/socket.c b/net/socket.c -index be0d5a2..09ae8ba 100644 +index c5ddc52..5f77a8e 100644 --- a/net/socket.c +++ b/net/socket.c -@@ -2447,31 +2447,31 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, - break; +@@ -2244,31 +2244,31 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, + cond_resched(); } -out_put: diff --git a/Patches/Linux_CVEs/CVE-2016-7910/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-7910/ANY/0001.patch new file mode 100644 index 00000000..995fc458 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-7910/ANY/0001.patch 
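Review bot: This rename moves the recvmmsg use-after-free fix out of CVE-2017-8281/ANY and into CVE-2016-7117/ANY at 87% similarity, so after it CVE-2017-8281 has no `0.patch` unless the commit adds a replacement elsewhere (not visible in this part of the diff); that should be confirmed before merge. The replacement body also targets a different tree: the inner hunk moves from `@@ -2447,31` with `break;` context to `@@ -2244,31` with `cond_resched();` context, yet the file stays under ANY/. A kernel whose `__sys_recvmmsg` loop lacks that context line will reject the hunk, so the apply step should fail loudly rather than skip, or the directory should carry a version constraint. The inner hunk itself continues past the visible lines.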
@@ -0,0 +1,112 @@ +From 77da160530dd1dc94f6ae15a981f24e5f0021e84 Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Fri, 29 Jul 2016 10:40:31 +0200 +Subject: block: fix use-after-free in seq file + +I got a KASAN report of use-after-free: + + ================================================================== + BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508 + Read of size 8 by task trinity-c1/315 + ============================================================================= + BUG kmalloc-32 (Not tainted): kasan: bad access detected + ----------------------------------------------------------------------------- + + Disabling lock debugging due to kernel taint + INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315 + ___slab_alloc+0x4f1/0x520 + __slab_alloc.isra.58+0x56/0x80 + kmem_cache_alloc_trace+0x260/0x2a0 + disk_seqf_start+0x66/0x110 + traverse+0x176/0x860 + seq_read+0x7e3/0x11a0 + proc_reg_read+0xbc/0x180 + do_loop_readv_writev+0x134/0x210 + do_readv_writev+0x565/0x660 + vfs_readv+0x67/0xa0 + do_preadv+0x126/0x170 + SyS_preadv+0xc/0x10 + do_syscall_64+0x1a1/0x460 + return_from_SYSCALL_64+0x0/0x6a + INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315 + __slab_free+0x17a/0x2c0 + kfree+0x20a/0x220 + disk_seqf_stop+0x42/0x50 + traverse+0x3b5/0x860 + seq_read+0x7e3/0x11a0 + proc_reg_read+0xbc/0x180 + do_loop_readv_writev+0x134/0x210 + do_readv_writev+0x565/0x660 + vfs_readv+0x67/0xa0 + do_preadv+0x126/0x170 + SyS_preadv+0xc/0x10 + do_syscall_64+0x1a1/0x460 + return_from_SYSCALL_64+0x0/0x6a + + CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G B 4.7.0+ #62 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 + ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480 + ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480 + ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970 + Call Trace: + [] dump_stack+0x65/0x84 + [] 
print_trailer+0x10d/0x1a0 + [] object_err+0x2f/0x40 + [] kasan_report_error+0x221/0x520 + [] __asan_report_load8_noabort+0x3e/0x40 + [] klist_iter_exit+0x61/0x70 + [] class_dev_iter_exit+0x9/0x10 + [] disk_seqf_stop+0x3a/0x50 + [] seq_read+0x4b2/0x11a0 + [] proc_reg_read+0xbc/0x180 + [] do_loop_readv_writev+0x134/0x210 + [] do_readv_writev+0x565/0x660 + [] vfs_readv+0x67/0xa0 + [] do_preadv+0x126/0x170 + [] SyS_preadv+0xc/0x10 + +This problem can occur in the following situation: + +open() + - pread() + - .seq_start() + - iter = kmalloc() // succeeds + - seqf->private = iter + - .seq_stop() + - kfree(seqf->private) + - pread() + - .seq_start() + - iter = kmalloc() // fails + - .seq_stop() + - class_dev_iter_exit(seqf->private) // boom! old pointer + +As the comment in disk_seqf_stop() says, stop is called even if start +failed, so we need to reinitialise the private pointer to NULL when seq +iteration stops. + +An alternative would be to set the private pointer to NULL when the +kmalloc() in disk_seqf_start() fails. + +Cc: stable@vger.kernel.org +Signed-off-by: Vegard Nossum +Acked-by: Tejun Heo +Signed-off-by: Jens Axboe +--- + block/genhd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/block/genhd.c b/block/genhd.c +index 3c9dede..0ad8796 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -856,6 +856,7 @@ static void disk_seqf_stop(struct seq_file *seqf, void *v) + if (iter) { + class_dev_iter_exit(iter); + kfree(iter); ++ seqf->private = NULL; + } + } + +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-7911/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-7911/ANY/0001.patch new file mode 100644 index 00000000..99e2ddff --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-7911/ANY/0001.patch 
@@ -0,0 +1,123 @@ +From 8ba8682107ee2ca3347354e018865d8e1967c5f4 Mon Sep 17 00:00:00 2001 +From: Omar Sandoval +Date: Fri, 1 Jul 2016 00:39:35 -0700 +Subject: block: fix use-after-free in sys_ioprio_get() + +get_task_ioprio() accesses the task->io_context without holding the task +lock and thus can race with exit_io_context(), leading to a +use-after-free. The reproducer below hits this within a few seconds on +my 4-core QEMU VM: + +#define _GNU_SOURCE +#include +#include +#include +#include + +int main(int argc, char **argv) +{ + pid_t pid, child; + long nproc, i; + + /* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */ + syscall(SYS_ioprio_set, 1, 0, 0x6000); + + nproc = sysconf(_SC_NPROCESSORS_ONLN); + + for (i = 0; i < nproc; i++) { + pid = fork(); + assert(pid != -1); + if (pid == 0) { + for (;;) { + pid = fork(); + assert(pid != -1); + if (pid == 0) { + _exit(0); + } else { + child = wait(NULL); + assert(child == pid); + } + } + } + + pid = fork(); + assert(pid != -1); + if (pid == 0) { + for (;;) { + /* ioprio_get(IOPRIO_WHO_PGRP, 0); */ + syscall(SYS_ioprio_get, 2, 0); + } + } + } + + for (;;) { + /* ioprio_get(IOPRIO_WHO_PGRP, 0); */ + syscall(SYS_ioprio_get, 2, 0); + } + + return 0; +} + +This gets us KASAN dumps like this: + +[ 35.526914] ================================================================== +[ 35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c +[ 35.530009] Read of size 2 by task ioprio-gpf/363 +[ 35.530009] ============================================================================= +[ 35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected +[ 35.530009] ----------------------------------------------------------------------------- + +[ 35.530009] Disabling lock debugging due to kernel taint +[ 35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360 +[ 35.530009] ___slab_alloc+0x55d/0x5a0 +[ 35.530009] __slab_alloc.isra.20+0x2b/0x40 
+[ 35.530009] kmem_cache_alloc_node+0x84/0x200 +[ 35.530009] create_task_io_context+0x2b/0x370 +[ 35.530009] get_task_io_context+0x92/0xb0 +[ 35.530009] copy_process.part.8+0x5029/0x5660 +[ 35.530009] _do_fork+0x155/0x7e0 +[ 35.530009] SyS_clone+0x19/0x20 +[ 35.530009] do_syscall_64+0x195/0x3a0 +[ 35.530009] return_from_SYSCALL_64+0x0/0x6a +[ 35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060 +[ 35.530009] __slab_free+0x27b/0x3d0 +[ 35.530009] kmem_cache_free+0x1fb/0x220 +[ 35.530009] put_io_context+0xe7/0x120 +[ 35.530009] put_io_context_active+0x238/0x380 +[ 35.530009] exit_io_context+0x66/0x80 +[ 35.530009] do_exit+0x158e/0x2b90 +[ 35.530009] do_group_exit+0xe5/0x2b0 +[ 35.530009] SyS_exit_group+0x1d/0x20 +[ 35.530009] entry_SYSCALL_64_fastpath+0x1a/0xa4 +[ 35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080 +[ 35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001 +[ 35.530009] ================================================================== + +Fix it by grabbing the task lock while we poke at the io_context. + +Cc: stable@vger.kernel.org +Reported-by: Dmitry Vyukov +Signed-off-by: Omar Sandoval +Signed-off-by: Jens Axboe +--- + block/ioprio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/block/ioprio.c b/block/ioprio.c +index cc7800e..01b8116 100644 +--- a/block/ioprio.c ++++ b/block/ioprio.c +@@ -150,8 +150,10 @@ static int get_task_ioprio(struct task_struct *p) + if (ret) + goto out; + ret = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, IOPRIO_NORM); ++ task_lock(p); + if (p->io_context) + ret = p->io_context->ioprio; ++ task_unlock(p); + out: + return ret; + } +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-7912/3.18/0.patch b/Patches/Linux_CVEs/CVE-2016-7912/ANY/0001.patch similarity index 52% rename from Patches/Linux_CVEs/CVE-2016-7912/3.18/0.patch rename to Patches/Linux_CVEs/CVE-2016-7912/ANY/0001.patch index d439e339..03c5bdbe 100644 
--- a/Patches/Linux_CVEs/CVE-2016-7912/3.18/0.patch +++ b/Patches/Linux_CVEs/CVE-2016-7912/ANY/0001.patch @@ -1,9 +1,7 @@ -From 83af063d6dec0439eb5abf3b19df2b4990e88e86 Mon Sep 17 00:00:00 2001 +From 38740a5b87d53ceb89eb2c970150f6e94e00373a Mon Sep 17 00:00:00 2001 From: Lars-Peter Clausen Date: Thu, 14 Apr 2016 17:01:17 +0200 -Subject: [PATCH] BACKPORT: usb: gadget: f_fs: Fix use-after-free - -(cherry picked from commit 38740a5b87d53ceb89eb2c970150f6e94e00373a) +Subject: usb: gadget: f_fs: Fix use-after-free When using asynchronous read or write operations on the USB endpoints the issuer of the IO request is notified by calling the ki_complete() callback @@ -17,21 +15,37 @@ Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support") Cc: # v3.15+ Signed-off-by: Lars-Peter Clausen Signed-off-by: Felipe Balbi -Change-Id: I3c7b643f6440c4fb6160a57c1058523030b46a6c -Bug: 30950866 --- - drivers/usb/gadget/function/f_fs.c | 1 - - 1 file changed, 1 deletion(-) + drivers/usb/gadget/function/f_fs.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c -index e389c27d8e202..599a4273d29d4 100644 +index e21ca2bd..15b648c 100644 --- a/drivers/usb/gadget/function/f_fs.c 
+++ b/drivers/usb/gadget/function/f_fs.c -@@ -689,7 +689,6 @@ static void ffs_user_copy_worker(struct work_struct *work) +@@ -646,6 +646,7 @@ static void ffs_user_copy_worker(struct work_struct *work) + work); + int ret = io_data->req->status ? io_data->req->status : + io_data->req->actual; ++ bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD; + + if (io_data->read && ret > 0) { + use_mm(io_data->mm); +@@ -657,13 +658,11 @@ static void ffs_user_copy_worker(struct work_struct *work) + + io_data->kiocb->ki_complete(io_data->kiocb, ret, ret); + +- if (io_data->ffs->ffs_eventfd && +- !(io_data->kiocb->ki_flags & IOCB_EVENTFD)) ++ if (io_data->ffs->ffs_eventfd && !kiocb_has_eventfd) + eventfd_signal(io_data->ffs->ffs_eventfd, 1); usb_ep_free_request(io_data->ep, io_data->req); - io_data->kiocb->private = NULL; if (io_data->read) - kfree(io_data->iovec); + kfree(io_data->to_free); kfree(io_data->buf); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-7913/3.10/1.patch b/Patches/Linux_CVEs/CVE-2016-7913/3.10/1.patch deleted file mode 100644 index bd96fdc9..00000000 --- a/Patches/Linux_CVEs/CVE-2016-7913/3.10/1.patch +++ /dev/null 
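Review bot: The 3.18 backport that only dropped `io_data->kiocb->private = NULL;` is replaced here by upstream 38740a5b87d5 and refiled from 3.18/ to ANY/, which changes which kernels can take the fix. The upstream body depends on `io_data->kiocb->ki_complete`, `ki_flags & IOCB_EVENTFD` and `io_data->to_free`, while the removed backport's context used `kfree(io_data->iovec)`, so trees that matched the backport will probably reject this version. If the consumer of this patchset tolerates failed applies, those kernels silently lose the use-after-free fix. Keeping the backport under its version directory next to the upstream patch would avoid that.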
@@ -1,45 +0,0 @@ -From b151b71cd689c9002b94c295bedd8c8c0b7ae98e Mon Sep 17 00:00:00 2001 -From: Dan Carpenter -Date: Wed, 3 Feb 2016 13:34:00 -0200 -Subject: [PATCH] UPSTREAM: [media] xc2028: unlock on error in - xc2028_set_config() - -We have to unlock before returning -ENOMEM. - -Fixes: 8dfbcc4351a0 ('[media] xc2028: avoid use after free') - -Signed-off-by: Dan Carpenter -Signed-off-by: Mauro Carvalho Chehab -(cherry picked from commit 210bd104c6acd31c3c6b8b075b3f12d4a9f6b60d) -Bug: 30946097 - -Change-Id: I2d0bab35824d204a05de36e265c443938033eb81 ---- - drivers/media/tuners/tuner-xc2028.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c -index 38afc54ef3497..ab0bfc46f99f2 100644 ---- a/drivers/media/tuners/tuner-xc2028.c -+++ b/drivers/media/tuners/tuner-xc2028.c -@@ -1389,8 +1389,10 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg) - memcpy(&priv->ctrl, p, sizeof(priv->ctrl)); - if (p->fname) { - priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL); -- if (priv->ctrl.fname == NULL) -- return -ENOMEM; -+ if (priv->ctrl.fname == NULL) { -+ rc = -ENOMEM; -+ goto unlock; -+ } - } - - /* -@@ -1422,6 +1424,7 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg) - } else - priv->state = XC2028_WAITING_FIRMWARE; - } -+unlock: - mutex_unlock(&priv->lock); - - return rc; diff --git a/Patches/Linux_CVEs/CVE-2016-7913/3.10/2.patch b/Patches/Linux_CVEs/CVE-2016-7913/3.10/2.patch deleted file mode 100644 index d337894f..00000000 --- a/Patches/Linux_CVEs/CVE-2016-7913/3.10/2.patch +++ /dev/null 
@@ -1,131 +0,0 @@ -From 3bdb157105639fdcdff744432760c3f25c545678 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Thu, 17 Nov 2016 10:49:31 +0100 -Subject: xc2028: Fix use-after-free bug properly - -commit 22a1e7783e173ab3d86018eb590107d68df46c11 upstream. - -The commit 8dfbcc4351a0 ("[media] xc2028: avoid use after free") tried -to address the reported use-after-free by clearing the reference. - -However, it's clearing the wrong pointer; it sets NULL to -priv->ctrl.fname, but it's anyway overwritten by the next line -memcpy(&priv->ctrl, p, sizeof(priv->ctrl)). - -OTOH, the actual code accessing the freed string is the strcmp() call -with priv->fname: - if (!firmware_name[0] && p->fname && - priv->fname && strcmp(p->fname, priv->fname)) - free_firmware(priv); - -where priv->fname points to the previous file name, and this was -already freed by kfree(). - -For fixing the bug properly, this patch does the following: - -- Keep the copy of firmware file name in only priv->fname, - priv->ctrl.fname isn't changed; -- The allocation is done only when the firmware gets loaded; -- The kfree() is called in free_firmware() commonly - -Fixes: commit 8dfbcc4351a0 ('[media] xc2028: avoid use after free') -Signed-off-by: Takashi Iwai -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Willy Tarreau ---- - drivers/media/tuners/tuner-xc2028.c | 36 ++++++++++++++++-------------------- - 1 file changed, 16 insertions(+), 20 deletions(-) - -diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c -index ab0bfc46..3a615e4 100644 ---- a/drivers/media/tuners/tuner-xc2028.c -+++ b/drivers/media/tuners/tuner-xc2028.c -@@ -289,6 +289,14 @@ static void free_firmware(struct xc2028_data *priv) - int i; - tuner_dbg("%s called\n", __func__); - -+ /* free allocated f/w string */ -+ if (priv->fname != firmware_name) -+ kfree(priv->fname); -+ priv->fname = NULL; -+ -+ priv->state = XC2028_NO_FIRMWARE; -+ memset(&priv->cur_fw, 0, sizeof(priv->cur_fw)); -+ - if 
(!priv->firm) - return; - -@@ -299,9 +307,6 @@ static void free_firmware(struct xc2028_data *priv) - - priv->firm = NULL; - priv->firm_size = 0; -- priv->state = XC2028_NO_FIRMWARE; -- -- memset(&priv->cur_fw, 0, sizeof(priv->cur_fw)); - } - - static int load_all_firmwares(struct dvb_frontend *fe, -@@ -890,9 +895,9 @@ read_not_reliable: - return 0; - - fail: -+ free_firmware(priv); - priv->state = XC2028_SLEEP; - -- memset(&priv->cur_fw, 0, sizeof(priv->cur_fw)); - if (retry_count < 8) { - msleep(50); - retry_count++; -@@ -1314,11 +1319,8 @@ static int xc2028_dvb_release(struct dvb_frontend *fe) - mutex_lock(&xc2028_list_mutex); - - /* only perform final cleanup if this is the last instance */ -- if (hybrid_tuner_report_instance_count(priv) == 1) { -+ if (hybrid_tuner_report_instance_count(priv) == 1) - free_firmware(priv); -- kfree(priv->ctrl.fname); -- priv->ctrl.fname = NULL; -- } - - if (priv) - hybrid_tuner_release_state(priv); -@@ -1381,19 +1383,8 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg) - - /* - * Copy the config data. -- * For the firmware name, keep a local copy of the string, -- * in order to avoid troubles during device release. - */ -- kfree(priv->ctrl.fname); -- priv->ctrl.fname = NULL; - memcpy(&priv->ctrl, p, sizeof(priv->ctrl)); -- if (p->fname) { -- priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL); -- if (priv->ctrl.fname == NULL) { -- rc = -ENOMEM; -- goto unlock; -- } -- } - - /* - * If firmware name changed, frees firmware. As free_firmware will -@@ -1408,10 +1399,15 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg) - - if (priv->state == XC2028_NO_FIRMWARE) { - if (!firmware_name[0]) -- priv->fname = priv->ctrl.fname; -+ priv->fname = kstrdup(p->fname, GFP_KERNEL); - else - priv->fname = firmware_name; - -+ if (!priv->fname) { -+ rc = -ENOMEM; -+ goto unlock; -+ } -+ - rc = request_firmware_nowait(THIS_MODULE, 1, - priv->fname, - priv->i2c_props.adap->dev.parent, --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2016-7913/3.10/0.patch b/Patches/Linux_CVEs/CVE-2016-7913/ANY/0001.patch similarity index 96% rename from Patches/Linux_CVEs/CVE-2016-7913/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2016-7913/ANY/0001.patch index dc42deea..26af8224 100644 --- a/Patches/Linux_CVEs/CVE-2016-7913/3.10/0.patch +++ b/Patches/Linux_CVEs/CVE-2016-7913/ANY/0001.patch @@ -1,7 +1,7 @@ -From 3240604bf46443d9eff61d1be7c0b9a9b247851b Mon Sep 17 00:00:00 2001 +From 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18 Mon Sep 17 00:00:00 2001 From: Mauro Carvalho Chehab Date: Thu, 28 Jan 2016 09:22:44 -0200 -Subject: [PATCH] UPSTREAM: [media] xc2028: avoid use after free +Subject: [media] xc2028: avoid use after free If struct xc2028_config is passed without a firmware name, the following trouble may happen: @@ -135,18 +135,15 @@ name to NULL after freeing it. While here, return an error if the memory allocation fails. Signed-off-by: Mauro Carvalho Chehab -(cherry picked from commit 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18) -Bug: 30946097 -Change-Id: I95d962c55c8c9b39d747cb326de263972331e8cd --- drivers/media/tuners/tuner-xc2028.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c -index 9771cd83c06e2..38afc54ef3497 100644 +index 4e941f0..082ff56 100644 --- a/drivers/media/tuners/tuner-xc2028.c +++ b/drivers/media/tuners/tuner-xc2028.c -@@ -1385,11 +1385,12 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg) +@@ -1403,11 +1403,12 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg) * in order to avoid troubles during device release. */ kfree(priv->ctrl.fname); @@ -160,3 +157,6 @@ index 9771cd83c06e2..38afc54ef3497 100644 } /* +-- +cgit v1.1 + 
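Review bot: After this commit the only patch left for CVE-2016-7913 in this part of the diff is upstream 8dfbcc4351a0, and the two follow-ups deleted just above are the ones that repair it. The deleted 3.10/1.patch ("unlock on error in xc2028_set_config()") exists because 8dfbcc4351a0 returns -ENOMEM with `priv->lock` still held. The deleted 3.10/2.patch ("Fix use-after-free bug properly") states that 8dfbcc4351a0 clears the wrong pointer and leaves the `strcmp(p->fname, priv->fname)` access to freed memory in place. Unless both are re-added under a path outside this view, kernels built from the new set get a fix its own follow-ups describe as incomplete, plus a mutex left locked on the allocation-failure path. I would carry them forward as `ANY/0002.patch` and `ANY/0003.patch`.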
diff --git a/Patches/Linux_CVEs/CVE-2016-7914/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-7914/ANY/0001.patch similarity index 98% rename from Patches/Linux_CVEs/CVE-2016-7914/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-7914/ANY/0001.patch index dfe5c639..7d535a0a 100644 --- a/Patches/Linux_CVEs/CVE-2016-7914/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2016-7914/ANY/0001.patch @@ -1,7 +1,7 @@ From 8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2 Mon Sep 17 00:00:00 2001 From: Jerome Marchand Date: Wed, 6 Apr 2016 14:06:48 +0100 -Subject: [PATCH] assoc_array: don't call compare_object() on a node +Subject: assoc_array: don't call compare_object() on a node Changes since V1: fixed the description and added KASan warning. @@ -93,7 +93,7 @@ cc: stable@vger.kernel.org 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/assoc_array.c b/lib/assoc_array.c -index 03dd576e67730..59fd7c0b119cb 100644 +index 03dd576..59fd7c0 100644 --- a/lib/assoc_array.c +++ b/lib/assoc_array.c @@ -524,7 +524,9 @@ static bool assoc_array_insert_into_terminal_node(struct assoc_array_edit *edit, @@ -107,3 +107,6 @@ index 03dd576e67730..59fd7c0b119cb 100644 pr_devel("replace in slot %d\n", i); edit->leaf_p = &node->slots[i]; edit->dead_leaf = node->slots[i]; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-7915/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-7915/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-7915/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-7915/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-7916/^4.5/0.patch b/Patches/Linux_CVEs/CVE-2016-7916/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-7916/^4.5/0.patch rename to Patches/Linux_CVEs/CVE-2016-7916/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-7917/3.18/1.patch b/Patches/Linux_CVEs/CVE-2016-7917/3.18/1.patch deleted file mode 100644 index c8ffb672..00000000 --- a/Patches/Linux_CVEs/CVE-2016-7917/3.18/1.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c -index e41bab3..daec7d6 100644 ---- a/net/netfilter/nfnetlink.c -+++ b/net/netfilter/nfnetlink.c -@@ -321,10 +321,12 @@ - nlh = nlmsg_hdr(skb); - err = 0; - -- if (nlmsg_len(nlh) < sizeof(struct nfgenmsg) || -- skb->len < nlh->nlmsg_len) { -- err = -EINVAL; -- goto ack; -+ if (nlh->nlmsg_len < NLMSG_HDRLEN || -+ skb->len < nlh->nlmsg_len || -+ nlmsg_len(nlh) < sizeof(struct nfgenmsg)) { -+ nfnl_err_reset(&err_list); -+ success = false; -+ goto done; - } - - /* Only requests are handled by the kernel */ diff --git a/Patches/Linux_CVEs/CVE-2016-7917/3.18/1.patch.base64 b/Patches/Linux_CVEs/CVE-2016-7917/3.18/1.patch.base64 deleted file mode 100644 index 2a97715f..00000000 --- a/Patches/Linux_CVEs/CVE-2016-7917/3.18/1.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2016-7917/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-7917/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-7917/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-7917/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8391/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8391/ANY/0001.patch new file mode 100644 index 00000000..5db9e5c2 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-8391/ANY/0001.patch 
@@ -0,0 +1,79 @@ +From 30a4f0783d2978e27a8b8856d8e358ccaf5ddab4 Mon Sep 17 00:00:00 2001 +From: Walter Yang +Date: Thu, 13 Oct 2016 10:48:39 +0800 +Subject: ASoC: msm: lock read/write when add/free audio ion memory + +As read/write get access to ion memory region as well, it's +necessary to lock them when ion memory is about to be added/freed +to avoid racing cases. + +CRs-Fixed: 1071809 +Change-Id: I436ead23c93384961b38ca99b9312a40c50ad03a +Signed-off-by: Walter Yang +--- + arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c b/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c +index 5bdd10a..4455368 100644 +--- a/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c ++++ b/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c +@@ -1,6 +1,6 @@ + /* Copyright (C) 2008 Google, Inc. + * Copyright (C) 2008 HTC Corporation +- * Copyright (c) 2009-2013, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2009-2013,2016 The Linux Foundation. All rights reserved. 
+ * + * This software is licensed under the terms of the GNU General Public + * License version 2, as published by the Free Software Foundation, and +@@ -562,6 +562,8 @@ int audio_aio_release(struct inode *inode, struct file *file) + struct q6audio_aio *audio = file->private_data; + pr_debug("%s[%p]\n", __func__, audio); + mutex_lock(&audio->lock); ++ mutex_lock(&audio->read_lock); ++ mutex_lock(&audio->write_lock); + audio->wflush = 1; + if (audio->enabled) + audio_aio_flush(audio); +@@ -577,6 +579,8 @@ int audio_aio_release(struct inode *inode, struct file *file) + audio_aio_reset_event_queue(audio); + q6asm_audio_client_free(audio->ac); + mutex_unlock(&audio->lock); ++ mutex_unlock(&audio->write_lock); ++ mutex_unlock(&audio->read_lock); + mutex_destroy(&audio->lock); + mutex_destroy(&audio->read_lock); + mutex_destroy(&audio->write_lock); +@@ -1349,8 +1353,13 @@ long audio_aio_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + mutex_lock(&audio->lock); + if (copy_from_user(&info, (void *)arg, sizeof(info))) + rc = -EFAULT; +- else ++ else{ ++ mutex_lock(&audio->read_lock); ++ mutex_lock(&audio->write_lock); + rc = audio_aio_ion_add(audio, &info); ++ mutex_unlock(&audio->write_lock); ++ mutex_unlock(&audio->read_lock); ++ } + mutex_unlock(&audio->lock); + break; + } +@@ -1360,8 +1369,13 @@ long audio_aio_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + pr_debug("%s[%p]:AUDIO_DEREGISTER_ION\n", __func__, audio); + if (copy_from_user(&info, (void *)arg, sizeof(info))) + rc = -EFAULT; +- else ++ else{ ++ mutex_lock(&audio->read_lock); ++ mutex_lock(&audio->write_lock); + rc = audio_aio_ion_remove(audio, &info); ++ mutex_unlock(&audio->write_lock); ++ mutex_unlock(&audio->read_lock); ++ } + mutex_unlock(&audio->lock); + break; + } +-- +cgit v1.1 + 
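Review bot: The blob added here as CVE-2016-8391/ANY/0001.patch (index 5db9e5c2) is added a second time, unchanged, as CVE-2016-8392/ANY/0001.patch, and both copies sit under ANY/ although the embedded diff only touches `arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c`. CVE-2016-8392/ANY/0002.patch carries the same Change-Id against `drivers/misc/qcom/qdsp6v2/audio_utils_aio.c`, so presumably only one of the two variants applies to a given kernel tree. Whatever consumes these directories should dry-run each file first (`git apply --check`) and record which variant actually landed, so that a patch that fails to apply is not counted as a fixed CVE. Separately, in the embedded `audio_aio_release` hunk the added `mutex_unlock(&audio->write_lock)` and `mutex_unlock(&audio->read_lock)` come after the existing `mutex_unlock(&audio->lock)`, whereas 0002.patch releases in reverse acquisition order; the difference looks harmless but is worth a glance when porting.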
diff --git a/Patches/Linux_CVEs/CVE-2016-8391/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8391/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8391/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8391/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8392/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8392/ANY/0001.patch new file mode 100644 index 00000000..5db9e5c2 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-8392/ANY/0001.patch 
@@ -0,0 +1,79 @@ +From 30a4f0783d2978e27a8b8856d8e358ccaf5ddab4 Mon Sep 17 00:00:00 2001 +From: Walter Yang +Date: Thu, 13 Oct 2016 10:48:39 +0800 +Subject: ASoC: msm: lock read/write when add/free audio ion memory + +As read/write get access to ion memory region as well, it's +necessary to lock them when ion memory is about to be added/freed +to avoid racing cases. + +CRs-Fixed: 1071809 +Change-Id: I436ead23c93384961b38ca99b9312a40c50ad03a +Signed-off-by: Walter Yang +--- + arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c b/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c +index 5bdd10a..4455368 100644 +--- a/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c ++++ b/arch/arm/mach-msm/qdsp6v2/audio_utils_aio.c +@@ -1,6 +1,6 @@ + /* Copyright (C) 2008 Google, Inc. + * Copyright (C) 2008 HTC Corporation +- * Copyright (c) 2009-2013, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2009-2013,2016 The Linux Foundation. All rights reserved. 
+ * + * This software is licensed under the terms of the GNU General Public + * License version 2, as published by the Free Software Foundation, and +@@ -562,6 +562,8 @@ int audio_aio_release(struct inode *inode, struct file *file) + struct q6audio_aio *audio = file->private_data; + pr_debug("%s[%p]\n", __func__, audio); + mutex_lock(&audio->lock); ++ mutex_lock(&audio->read_lock); ++ mutex_lock(&audio->write_lock); + audio->wflush = 1; + if (audio->enabled) + audio_aio_flush(audio); +@@ -577,6 +579,8 @@ int audio_aio_release(struct inode *inode, struct file *file) + audio_aio_reset_event_queue(audio); + q6asm_audio_client_free(audio->ac); + mutex_unlock(&audio->lock); ++ mutex_unlock(&audio->write_lock); ++ mutex_unlock(&audio->read_lock); + mutex_destroy(&audio->lock); + mutex_destroy(&audio->read_lock); + mutex_destroy(&audio->write_lock); +@@ -1349,8 +1353,13 @@ long audio_aio_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + mutex_lock(&audio->lock); + if (copy_from_user(&info, (void *)arg, sizeof(info))) + rc = -EFAULT; +- else ++ else{ ++ mutex_lock(&audio->read_lock); ++ mutex_lock(&audio->write_lock); + rc = audio_aio_ion_add(audio, &info); ++ mutex_unlock(&audio->write_lock); ++ mutex_unlock(&audio->read_lock); ++ } + mutex_unlock(&audio->lock); + break; + } +@@ -1360,8 +1369,13 @@ long audio_aio_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + pr_debug("%s[%p]:AUDIO_DEREGISTER_ION\n", __func__, audio); + if (copy_from_user(&info, (void *)arg, sizeof(info))) + rc = -EFAULT; +- else ++ else{ ++ mutex_lock(&audio->read_lock); ++ mutex_lock(&audio->write_lock); + rc = audio_aio_ion_remove(audio, &info); ++ mutex_unlock(&audio->write_lock); ++ mutex_unlock(&audio->read_lock); ++ } + mutex_unlock(&audio->lock); + break; + } +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-8392/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2016-8392/ANY/0002.patch new file mode 100644 index 00000000..01fe5416 --- /dev/null 
+++ b/Patches/Linux_CVEs/CVE-2016-8392/ANY/0002.patch 
@@ -0,0 +1,97 @@ +From 62580295210b6c0bd809cde7088b45ebb65ace79 Mon Sep 17 00:00:00 2001 +From: Walter Yang +Date: Wed, 28 Sep 2016 20:11:23 +0800 +Subject: ASoC: msm: lock read/write when add/free audio ion memory + +As read/write get access to ion memory region as well, it's +necessary to lock them when ion memory is about to be added/freed +to avoid racing cases. + +CRs-Fixed: 1071809 +Change-Id: I436ead23c93384961b38ca99b9312a40c50ad03a +Signed-off-by: Walter Yang +--- + drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 22 +++++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c +index 8041111..7a4bae3 100644 +--- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c ++++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c +@@ -1,6 +1,6 @@ + /* Copyright (C) 2008 Google, Inc. + * Copyright (C) 2008 HTC Corporation +- * Copyright (c) 2009-2014, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2009-2016, The Linux Foundation. All rights reserved. 
+ * + * This software is licensed under the terms of the GNU General Public + * License version 2, as published by the Free Software Foundation, and +@@ -570,6 +570,8 @@ int audio_aio_release(struct inode *inode, struct file *file) + struct q6audio_aio *audio = file->private_data; + pr_debug("%s[%p]\n", __func__, audio); + mutex_lock(&audio->lock); ++ mutex_lock(&audio->read_lock); ++ mutex_lock(&audio->write_lock); + audio->wflush = 1; + if (audio->enabled) + audio_aio_flush(audio); +@@ -584,6 +586,8 @@ int audio_aio_release(struct inode *inode, struct file *file) + wake_up(&audio->event_wait); + audio_aio_reset_event_queue(audio); + q6asm_audio_client_free(audio->ac); ++ mutex_unlock(&audio->write_lock); ++ mutex_unlock(&audio->read_lock); + mutex_unlock(&audio->lock); + mutex_destroy(&audio->lock); + mutex_destroy(&audio->read_lock); +@@ -1679,7 +1683,11 @@ static long audio_aio_ioctl(struct file *file, unsigned int cmd, + __func__); + rc = -EFAULT; + } else { ++ mutex_lock(&audio->read_lock); ++ mutex_lock(&audio->write_lock); + rc = audio_aio_ion_add(audio, &info); ++ mutex_unlock(&audio->write_lock); ++ mutex_unlock(&audio->read_lock); + } + mutex_unlock(&audio->lock); + break; +@@ -1694,7 +1702,11 @@ static long audio_aio_ioctl(struct file *file, unsigned int cmd, + __func__); + rc = -EFAULT; + } else { ++ mutex_lock(&audio->read_lock); ++ mutex_lock(&audio->write_lock); + rc = audio_aio_ion_remove(audio, &info); ++ mutex_unlock(&audio->write_lock); ++ mutex_unlock(&audio->read_lock); + } + mutex_unlock(&audio->lock); + break; +@@ -1996,7 +2008,11 @@ static long audio_aio_compat_ioctl(struct file *file, unsigned int cmd, + } else { + info.fd = info_32.fd; + info.vaddr = compat_ptr(info_32.vaddr); ++ mutex_lock(&audio->read_lock); ++ mutex_lock(&audio->write_lock); + rc = audio_aio_ion_add(audio, &info); ++ mutex_unlock(&audio->write_lock); ++ mutex_unlock(&audio->read_lock); + } + mutex_unlock(&audio->lock); + break; +@@ -2013,7 +2029,11 @@ static long 
audio_aio_compat_ioctl(struct file *file, unsigned int cmd, + } else { + info.fd = info_32.fd; + info.vaddr = compat_ptr(info_32.vaddr); ++ mutex_lock(&audio->read_lock); ++ mutex_lock(&audio->write_lock); + rc = audio_aio_ion_remove(audio, &info); ++ mutex_unlock(&audio->write_lock); ++ mutex_unlock(&audio->read_lock); + } + mutex_unlock(&audio->lock); + break; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-8393/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8393/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8393/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8393/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8393/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-8393/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8393/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2016-8393/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8393/ANY/2.patch b/Patches/Linux_CVEs/CVE-2016-8393/ANY/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8393/ANY/2.patch rename to Patches/Linux_CVEs/CVE-2016-8393/ANY/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8394/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8394/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8394/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8394/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8399/ANY/0.patch.disabled b/Patches/Linux_CVEs/CVE-2016-8399/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8399/ANY/0.patch.disabled rename to Patches/Linux_CVEs/CVE-2016-8399/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8399/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-8399/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8399/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2016-8399/ANY/0002.patch 
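Review bot: The embedded patch in CVE-2016-8392/ANY/0002.patch makes `audio->lock`, then `read_lock`, then `write_lock` the nesting order in `audio_aio_release`, `audio_aio_ioctl` and `audio_aio_compat_ioctl`, but nothing in the patch documents that order. The read and write paths the commit message refers to are outside these hunks, as are the start and end of each of the three functions; if any of them takes `audio->lock` while already holding `read_lock` or `write_lock`, the new code can deadlock against it. When porting this to a device tree, add a comment at the mutex declarations such as `/* lock order: lock -> read_lock -> write_lock */` and exercise the driver once on a build with `CONFIG_PROVE_LOCKING` enabled.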
diff --git a/Patches/Linux_CVEs/CVE-2016-8401/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8401/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8401/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8401/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8402/3.10/0.patch b/Patches/Linux_CVEs/CVE-2016-8402/3.10/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8402/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2016-8402/3.10/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8402/3.4/1.patch b/Patches/Linux_CVEs/CVE-2016-8402/3.4/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8402/3.4/1.patch rename to Patches/Linux_CVEs/CVE-2016-8402/3.4/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8403/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8403/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8403/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8403/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8403/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2016-8403/ANY/0001.patch.base64 similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8403/ANY/0.patch.base64 rename to Patches/Linux_CVEs/CVE-2016-8403/ANY/0001.patch.base64 diff --git a/Patches/Linux_CVEs/CVE-2016-8404/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8404/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8404/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8404/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8405/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8405/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8405/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8405/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8406/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8406/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8406/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8406/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2016-8407/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8407/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8407/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8407/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8410/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8410/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8410/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8410/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8412/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8412/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8412/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8412/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8413/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8413/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8413/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8413/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8414/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8414/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8414/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8414/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8415/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8415/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8415/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8415/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8415/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-8415/ANY/1.patch deleted file mode 100644 index 2321f4a1..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8415/ANY/1.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From c3ef29be79ea5d1c67cde62c7666cb6d4778383c Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Fri, 21 Oct 2016 14:17:14 -0700 -Subject: [PATCH] qcacld-2.0: Fix hdd_ocb_config_new() signature - -hdd_ocb_config_new() takes four "length" parameters, currently defined -to be of type 'int'. Since these are summed to calculate the size of a -dynamic memory allocation they must be non-negative so change them to -'uint32_t'. - -Change-Id: Ie66bbb7c69aba92d9d846cb90628110b3bea8f74 -CRs-Fixed: 1079596 -Bug: 31750554 -Signed-off-by: Srinivas Girigowda ---- - drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_ocb.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_ocb.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_ocb.c -index 3e2d88987e013..eec9b9e094480 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_ocb.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_ocb.c -@@ -406,10 +406,11 @@ static int hdd_ocb_register_sta(hdd_adapter_t *adapter) - * - * Return: A pointer to the OCB configuration struct, NULL on failure. - */ --static struct sir_ocb_config *hdd_ocb_config_new(int num_channels, -- int num_schedule, -- int ndl_chan_list_len, -- int ndl_active_state_list_len) -+static -+struct sir_ocb_config *hdd_ocb_config_new(uint32_t num_channels, -+ uint32_t num_schedule, -+ uint32_t ndl_chan_list_len, -+ uint32_t ndl_active_state_list_len) - { - struct sir_ocb_config *ret = 0; - uint32_t len; -@@ -904,7 +905,7 @@ static int __wlan_hdd_cfg80211_ocb_set_config(struct wiphy *wiphy, - void *def_tx_param = NULL; - uint32_t def_tx_param_size = 0; - int i; -- int channel_count, schedule_size; -+ uint32_t channel_count, schedule_size; - struct sir_ocb_config *config; - int rc = -EINVAL; - uint8_t *mac_addr; 
diff --git a/Patches/Linux_CVEs/CVE-2016-8416/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8416/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8416/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8416/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8417/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8417/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8417/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8417/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8418/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8418/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8418/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8418/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8419/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8419/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8419/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8419/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8419/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-8419/ANY/1.patch deleted file mode 100644 index 2be193d6..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8419/ANY/1.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From 5dcbbf80f4deb9b078cca860f6d1760d6f9398b8 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Wed, 9 Nov 2016 13:54:57 -0800 -Subject: [PATCH] qcacld-2.0: Properly parse PNO vendor command - -Currently there is a single wlan_hdd_extscan_config_policy which -contains entries for both EXTSCAN and PNO attributes. However the -EXTSCAN and PNO attributes have separate and overlapping -assignments. Therefore one policy cannot be used by both types of -commands. In addition, when parsing nested PNO attributes the policy -is not used, and hence no checking is performed on the nested -data. This can result in a buffer overflow. - -To address these issues introduce a new policy for PNO vendor -commands, and use that policy both when parsing the initial command -and when parsing the nested attributes. - -Change-Id: I92c8fc7ca1c44971502ea68b5486a2b3ae941cc5 -CRs-Fixed: 1087209 -Bug: 32454494 -Signed-off-by: Srinivas Girigowda ---- - .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 39 ++++++++++++++-------- - 1 file changed, 25 insertions(+), 14 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index ae8d13dd85b29..29f388fc7433f 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -842,11 +842,6 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_ - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_LOST_AP_SAMPLE_SIZE] = { .type = NLA_U32 }, - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_MIN_BREACHING] = { .type = NLA_U32 }, - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP] = { .type = NLA_U32 }, -- [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_NUM_NETWORKS] = { .type = NLA_U32 }, -- [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_SSID] = { .type = NLA_BINARY, -- .len = IEEE80211_MAX_SSID_LEN 
}, -- [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_FLAGS] = { .type = NLA_U8 }, -- [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_AUTH_BIT] = { .type = NLA_U8 }, - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_SSID] = { .type = NLA_BINARY, - .len = IEEE80211_MAX_SSID_LEN + 1 }, - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_HOTLIST_PARAMS_LOST_SSID_SAMPLE_SIZE] = { .type = NLA_U32 }, -@@ -858,6 +853,23 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_ - }; - - static const struct nla_policy -+wlan_hdd_pno_config_policy[QCA_WLAN_VENDOR_ATTR_PNO_MAX + 1] = { -+ [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_NUM_NETWORKS] = { -+ .type = NLA_U32 -+ }, -+ [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_SSID] = { -+ .type = NLA_BINARY, -+ .len = IEEE80211_MAX_SSID_LEN + 1 -+ }, -+ [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_FLAGS] = { -+ .type = NLA_U8 -+ }, -+ [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_AUTH_BIT] = { -+ .type = NLA_U8 -+ }, -+}; -+ -+static const struct nla_policy - wlan_hdd_extscan_results_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_MAX + 1] = - { - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_BEACON_PERIOD] = { .type = NLA_U16 }, -@@ -4675,19 +4687,18 @@ static int hdd_extscan_epno_fill_network_list( - struct wifi_epno_params *req_msg, - struct nlattr **tb) - { -- struct nlattr *network[ -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX + 1]; -+ struct nlattr *network[QCA_WLAN_VENDOR_ATTR_PNO_MAX + 1]; - struct nlattr *networks; - int rem1, ssid_len; - uint8_t index, *ssid; - - index = 0; - nla_for_each_nested(networks, -- tb[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORKS_LIST], -- rem1) { -- if (nla_parse(network, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX, -- nla_data(networks), nla_len(networks), NULL)) { -+ tb[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORKS_LIST], -+ rem1) { -+ if (nla_parse(network, QCA_WLAN_VENDOR_ATTR_PNO_MAX, -+ 
nla_data(networks), nla_len(networks), -+ wlan_hdd_pno_config_policy)) { - hddLog(LOGE, FL("nla_parse failed")); - return -EINVAL; - } -@@ -4774,8 +4785,8 @@ static int __wlan_hdd_cfg80211_set_epno_list(struct wiphy *wiphy, - } - - if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_PNO_MAX, -- data, data_len, -- wlan_hdd_extscan_config_policy)) { -+ data, data_len, -+ wlan_hdd_pno_config_policy)) { - hddLog(LOGE, FL("Invalid ATTR")); - return -EINVAL; - } diff --git a/Patches/Linux_CVEs/CVE-2016-8420/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8420/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8420/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8420/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8420/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-8420/ANY/1.patch deleted file mode 100644 index 0ebb4e2f..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8420/ANY/1.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 983ad9423f67549b074cdb4fd5e51ed8248e2ccd Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Wed, 9 Nov 2016 13:55:17 -0800 -Subject: [PATCH] qcacld-2.0: Avoid overflow of EPNO network list - -Currently when processing an EPNO vendor command the "num networks" -attribute is limit checked and if it exceeds a MAX value then it is -reset to that MAX value. This value is then used to calculate the size -of the buffer allocated to hold the internal representation of the -request. However later when the network attributes are parsed there is -no check to make sure the number of networks processed does not exceed -the (possibly modified) "num networks" used to allocate memory, and as -a result a buffer overflow can occur. Address this issue by aborting -the network parsing once "num networks" records have been parsed. - -Change-Id: I6e5f321d23471d082bb000ad0422ea9baa76577a -CRs-Fixed: 1087807 -Bug: 32451171 -Signed-off-by: Srinivas Girigowda ---- - drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index 29f388fc7433f..a22714874062e 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -4691,11 +4691,19 @@ static int hdd_extscan_epno_fill_network_list( - struct nlattr *networks; - int rem1, ssid_len; - uint8_t index, *ssid; -+ uint32_t expected_networks; - -+ expected_networks = req_msg->num_networks; - index = 0; - nla_for_each_nested(networks, - tb[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORKS_LIST], - rem1) { -+ -+ if (index == expected_networks) { -+ hddLog(LOGW, FL("ignoring excess networks")); -+ break; -+ } -+ - if (nla_parse(network, QCA_WLAN_VENDOR_ATTR_PNO_MAX, - nla_data(networks), nla_len(networks), - wlan_hdd_pno_config_policy)) { -@@ 
-4743,6 +4751,7 @@ static int hdd_extscan_epno_fill_network_list( - - index++; - } -+ req_msg->num_networks = index; - return 0; - } - diff --git a/Patches/Linux_CVEs/CVE-2016-8421/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8421/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8421/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8421/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8421/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-8421/ANY/1.patch deleted file mode 100644 index 16d9ff3e..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8421/ANY/1.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From 0160130f4217c782a7857588f668ab54fae21f58 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Wed, 9 Nov 2016 13:55:37 -0800 -Subject: [PATCH] qcacld-2.0: Avoid overflow of EXTSCAN bucket list - -Currently when processing an EXTSCAN vendor command the "num buckets" -attribute is limit checked and if it exceeds a MAX value then a -warning message is issued. But beyond that the "num buckets" attribute -is not used. Instead when the buckets are actually parsed the number -of buckets is calculated dynamically based upon the number of -attributes present in the request. Unfortunately when the bucket -attributes are parsed there is no check to make sure the number of -buckets processed does not exceed the MAX value, and as a result a -buffer overflow can occur. Address this issue by aborting the bucket -parsing once the expected number of records have been parsed. - -Change-Id: Ic260dd65dc99118afbb8042d102acb5b26d1e123 -CRs-Fixed: 1087797 -Bug: 32451104 -Signed-off-by: Srinivas Girigowda ---- - drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index a22714874062e..e628b575350e4 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -3525,6 +3525,7 @@ static int hdd_extscan_start_fill_bucket_channel_spec( - int rem1, rem2; - eHalStatus status; - uint8_t bktIndex, j, numChannels, total_channels = 0; -+ uint32_t expected_buckets; - uint32_t chanList[WNI_CFG_VALID_CHANNEL_LIST_LEN] = {0}; - - uint32_t min_dwell_time_active_bucket = -@@ -3536,7 +3537,6 @@ static int hdd_extscan_start_fill_bucket_channel_spec( - uint32_t max_dwell_time_passive_bucket = - pHddCtx->cfg_ini->extscan_passive_max_chn_time; - -- bktIndex = 0; - 
pReqMsg->min_dwell_time_active = - pReqMsg->max_dwell_time_active = - pHddCtx->cfg_ini->extscan_active_max_chn_time; -@@ -3544,10 +3544,19 @@ static int hdd_extscan_start_fill_bucket_channel_spec( - pReqMsg->min_dwell_time_passive = - pReqMsg->max_dwell_time_passive = - pHddCtx->cfg_ini->extscan_passive_max_chn_time; -+ -+ expected_buckets = pReqMsg->numBuckets; - pReqMsg->numBuckets = 0; -+ bktIndex = 0; - - nla_for_each_nested(buckets, - tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC], rem1) { -+ -+ if (bktIndex >= expected_buckets) { -+ hddLog(LOGW, FL("ignoring excess buckets")); -+ break; -+ } -+ - if (nla_parse(bucket, - QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX, - nla_data(buckets), nla_len(buckets), NULL)) { -@@ -4058,8 +4067,10 @@ static int __wlan_hdd_cfg80211_extscan_start(struct wiphy *wiphy, - hddLog(LOGW, - FL("Exceeded MAX number of buckets: %d"), - WLAN_EXTSCAN_MAX_BUCKETS); -+ num_buckets = WLAN_EXTSCAN_MAX_BUCKETS; - } - hddLog(LOG1, FL("Input: Number of Buckets %d"), num_buckets); -+ pReqMsg->numBuckets = num_buckets; - - /* This is optional attribute, if not present set it to 0 */ - if (!tb[PARAM_CONFIG_FLAGS]) diff --git a/Patches/Linux_CVEs/CVE-2016-8434/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8434/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8434/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8434/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8436/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8436/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8436/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8436/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8444/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8444/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8444/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8444/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2016-8450/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8450/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8450/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8450/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8452/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8452/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8452/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8452/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8452/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-8452/ANY/1.patch deleted file mode 100644 index 8f01f321..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8452/ANY/1.patch +++ /dev/null 
@@ -1,98 +0,0 @@ -From b05c022755257abacfc6df9e4c649adcdc3099b5 Mon Sep 17 00:00:00 2001 -From: Ecco Park -Date: Tue, 1 Nov 2016 16:54:45 -0700 -Subject: [PATCH] qcacld-2.0: Use heap memory for station_info instead of stack - -From kernel 3.19-rc4, size of struct station_info is around 600 bytes, -so stack frame size of such routine use this struct will easily -exceed 1024 bytes, the default value of stack frame size. - -So use heap memory for this struct instead. - -CRs-Fixed: 1050323 - -Bug: 32506396 - -Change-Id: I64835329dc2e46ae33c12585f92c6a75401cfc5c -Signed-off-by: Ecco Park ---- - .../staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c | 17 ++++++++++++----- - .../staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c | 18 ++++++++++++------ - 2 files changed, 24 insertions(+), 11 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c -index 05bc9524088ca..9225042e4319e 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c -@@ -2694,7 +2694,7 @@ static eHalStatus roamRoamConnectStatusUpdateHandler( hdd_adapter_t *pAdapter, t - case eCSR_ROAM_RESULT_IBSS_NEW_PEER: - { - hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); -- struct station_info staInfo; -+ struct station_info *stainfo; - - pr_info ( "IBSS New Peer indication from SME " - "with peerMac " MAC_ADDRESS_STR " BSSID: " MAC_ADDRESS_STR " and stationID= %d", -@@ -2728,13 +2728,20 @@ static eHalStatus roamRoamConnectStatusUpdateHandler( hdd_adapter_t *pAdapter, t - vosStatus, vosStatus ); - } - pHddStaCtx->ibss_sta_generation++; -- memset(&staInfo, 0, sizeof(staInfo)); -- staInfo.filled = 0; -- staInfo.generation = pHddStaCtx->ibss_sta_generation; -+ stainfo = vos_mem_malloc(sizeof(*stainfo)); -+ if (stainfo == NULL) { -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -+ "memory allocation for station_info 
failed"); -+ return eHAL_STATUS_FAILED_ALLOC; -+ } -+ memset(stainfo, 0, sizeof(*stainfo)); -+ stainfo->filled = 0; -+ stainfo->generation = pHddStaCtx->ibss_sta_generation; - - cfg80211_new_sta(pAdapter->dev, - (const u8 *)pRoamInfo->peerMac, -- &staInfo, GFP_KERNEL); -+ stainfo, GFP_KERNEL); -+ vos_mem_free(stainfo); - - if ( eCSR_ENCRYPT_TYPE_WEP40_STATICKEY == pHddStaCtx->ibss_enc_key.encType - ||eCSR_ENCRYPT_TYPE_WEP104_STATICKEY == pHddStaCtx->ibss_enc_key.encType -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c -index 024b3135ee74f..ee90efa1db586 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c -@@ -1823,21 +1823,27 @@ VOS_STATUS hdd_hostapd_SAPEventCB( tpSap_Event pSapEvent, v_PVOID_t usrDataForCa - HDD_SAP_WAKE_LOCK_DURATION, - WIFI_POWER_EVENT_WAKELOCK_SAP); - { -- struct station_info staInfo; - v_U16_t iesLen = pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.iesLen; - -- memset(&staInfo, 0, sizeof(staInfo)); - if (iesLen <= MAX_ASSOC_IND_IE_LEN ) - { -- staInfo.assoc_req_ies = -+ struct station_info *stainfo; -+ stainfo = vos_mem_malloc(sizeof(*stainfo)); -+ if (stainfo == NULL) { -+ hddLog(LOGE, FL("alloc station_info failed")); -+ return VOS_STATUS_E_NOMEM; -+ } -+ memset(stainfo, 0, sizeof(*stainfo)); -+ stainfo->assoc_req_ies = - (const u8 *)&pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.ies[0]; -- staInfo.assoc_req_ies_len = iesLen; -+ stainfo->assoc_req_ies_len = iesLen; - #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,0,31)) || defined(WITH_BACKPORTS) -- staInfo.filled |= STATION_INFO_ASSOC_REQ_IES; -+ stainfo->filled |= STATION_INFO_ASSOC_REQ_IES; - #endif - cfg80211_new_sta(dev, - (const u8 *)&pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.staMac.bytes[0], -- &staInfo, GFP_KERNEL); -+ stainfo, GFP_KERNEL); -+ vos_mem_free(stainfo); - } - else - { 
diff --git a/Patches/Linux_CVEs/CVE-2016-8452/ANY/2.patch b/Patches/Linux_CVEs/CVE-2016-8452/ANY/2.patch
deleted file mode 100644
index 08d1f69c..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8452/ANY/2.patch
+++ /dev/null
@@ -1,102 +0,0 @@ -From 1216822e1d051247ae1f6e194f16d2fc40f1eba2 Mon Sep 17 00:00:00 2001 -From: SaidiReddy Yenuga -Date: Wed, 7 Dec 2016 16:21:07 +0530 -Subject: wlan: Use heap memory for station_info instead of stack - -qcacld-2.0 to prima propagation. - -From kernel 3.19-rc4, size of struct station_info is around 600 bytes, -so stack frame size of such routine use this struct will easily -exceed 1024 bytes, the default value of stack frame size. - -So use heap memory for this struct instead. - -Change-Id: Ibe8a4f5189fcc9d5554f7a5d851c93be8fa8dbad -CRs-Fixed: 1050323 ---- - CORE/HDD/src/wlan_hdd_assoc.c | 19 ++++++++++++++----- - CORE/HDD/src/wlan_hdd_hostapd.c | 19 +++++++++++++------ - 2 files changed, 27 insertions(+), 11 deletions(-) - -diff --git a/CORE/HDD/src/wlan_hdd_assoc.c b/CORE/HDD/src/wlan_hdd_assoc.c -index 933a2df..cd5686f 100644 ---- a/CORE/HDD/src/wlan_hdd_assoc.c -+++ b/CORE/HDD/src/wlan_hdd_assoc.c -@@ -2730,7 +2730,7 @@ static eHalStatus roamRoamConnectStatusUpdateHandler( hdd_adapter_t *pAdapter, t - case eCSR_ROAM_RESULT_IBSS_NEW_PEER: - { - hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); -- struct station_info staInfo; -+ struct station_info *staInfo; - - VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, - "IBSS New Peer indication from SME with peerMac " MAC_ADDRESS_STR " BSSID: " MAC_ADDRESS_STR " and stationID= %d", -@@ -2764,13 +2764,22 @@ static eHalStatus roamRoamConnectStatusUpdateHandler( hdd_adapter_t *pAdapter, t - break; - } - pHddStaCtx->ibss_sta_generation++; -- memset(&staInfo, 0, sizeof(staInfo)); -- staInfo.filled = 0; -- staInfo.generation = pHddStaCtx->ibss_sta_generation; -+ -+ staInfo = vos_mem_malloc(sizeof(*staInfo)); -+ if (staInfo == NULL) { -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -+ "memory allocation for station_info failed"); -+ return eHAL_STATUS_FAILED_ALLOC; -+ } -+ -+ memset(staInfo, 0, sizeof(*staInfo)); -+ staInfo->filled = 0; -+ staInfo->generation = 
pHddStaCtx->ibss_sta_generation; - - cfg80211_new_sta(pAdapter->dev, - (const u8 *)pRoamInfo->peerMac, -- &staInfo, GFP_KERNEL); -+ staInfo, GFP_KERNEL); -+ vos_mem_free(staInfo); - - if ( eCSR_ENCRYPT_TYPE_WEP40_STATICKEY == pHddStaCtx->ibss_enc_key.encType - ||eCSR_ENCRYPT_TYPE_WEP104_STATICKEY == pHddStaCtx->ibss_enc_key.encType -diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c -index e67db4d..427a350 100644 ---- a/CORE/HDD/src/wlan_hdd_hostapd.c -+++ b/CORE/HDD/src/wlan_hdd_hostapd.c -@@ -1065,21 +1065,28 @@ VOS_STATUS hdd_hostapd_SAPEventCB( tpSap_Event pSapEvent, v_PVOID_t usrDataForCa - #endif - #if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,38)) - { -- struct station_info staInfo; -+ struct station_info *staInfo; - v_U16_t iesLen = pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.iesLen; - -- memset(&staInfo, 0, sizeof(staInfo)); -+ staInfo = vos_mem_malloc(sizeof(*staInfo)); -+ if (staInfo == NULL) { -+ hddLog(LOGE, FL("alloc station_info failed")); -+ return VOS_STATUS_E_NOMEM; -+ } -+ -+ memset(staInfo, 0, sizeof(*staInfo)); - if (iesLen <= MAX_ASSOC_IND_IE_LEN ) - { -- staInfo.assoc_req_ies = -+ staInfo->assoc_req_ies = - (const u8 *)&pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.ies[0]; -- staInfo.assoc_req_ies_len = iesLen; -+ staInfo->assoc_req_ies_len = iesLen; - #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,0,31)) -- staInfo.filled |= STATION_INFO_ASSOC_REQ_IES; -+ staInfo->filled |= STATION_INFO_ASSOC_REQ_IES; - #endif - cfg80211_new_sta(dev, - (const u8 *)&pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.staMac.bytes[0], -- &staInfo, GFP_KERNEL); -+ staInfo, GFP_KERNEL); -+ vos_mem_free(staInfo); - } - else - { --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-8453/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8453/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8453/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8453/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2016-8454/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8454/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-8454/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-8454/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-8455/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8455/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-8455/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-8455/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-8456/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8456/ANY/0.patch
deleted file mode 100644
index 56fd18c6..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8456/ANY/0.patch
+++ /dev/null
@@ -1,143 +0,0 @@ -From c2f9a396f1236a5a5e7bd1c90e32fbcf2ef35367 Mon Sep 17 00:00:00 2001 -From: Sudhir Kohalli -Date: Mon, 31 Oct 2016 14:49:11 -0700 -Subject: [PATCH] net: wireless: bcmdhd: Fix up the BRCM wifi DHD code - -Security Vulnerability fix for memory overflow wifi driver -function wl_cfgvendor_rtt_set_config. In the current fix added -check to validate if the target_cnt is valid or not if it is not valid -then parse error. Since target_cnt can be controlled by user netlink -input which needs to validated at the DHD level. - -Signed-off-by: Sudhir Kohalli -Bug: 32219255 -Change-Id: I5cf771c60a6ae8019e5e36571197e2849c572b40 ---- - drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 62 ++++++++++++++++++++++-------- - 1 file changed, 46 insertions(+), 16 deletions(-) - -diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -index b536de31010a9..eb83c8339e471 100644 ---- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c -@@ -1537,13 +1537,18 @@ wl_cfgvendor_rtt_set_config(struct wiphy *wiphy, struct wireless_dev *wdev, - } - - memset(&rtt_param, 0, sizeof(rtt_param)); -+ if (len <= 0) { -+ err = BCME_ERROR; -+ goto exit; -+ } - nla_for_each_attr(iter, data, len, rem) { - type = nla_type(iter); - switch (type) { - case RTT_ATTRIBUTE_TARGET_CNT: - target_cnt = nla_get_u8(iter); -- if (rtt_param.rtt_target_cnt > RTT_MAX_TARGET_CNT) { -- WL_ERR(("exceed max target count : %d\n", -+ if ((target_cnt <= 0) || -+ (target_cnt > RTT_MAX_TARGET_CNT)) { -+ WL_ERR(("target_cnt is not valid: %d", - target_cnt)); - err = BCME_RANGE; - goto exit; -@@ -1557,6 +1562,13 @@ wl_cfgvendor_rtt_set_config(struct wiphy *wiphy, struct wireless_dev *wdev, - } - break; - case RTT_ATTRIBUTE_TARGET_INFO: -+ /* Added this variable for safe check to avoid crash -+ * incase the caller did not respect the order -+ */ -+ if (!rtt_param.target_info) { -+ err = BCME_NOMEM; -+ goto exit; -+ } - rtt_target = 
rtt_param.target_info; - nla_for_each_nested(iter1, iter, rem1) { - nla_for_each_nested(iter2, iter1, rem2) { -@@ -1677,6 +1689,7 @@ wl_cfgvendor_rtt_set_config(struct wiphy *wiphy, struct wireless_dev *wdev, - exit: - /* free the target info list */ - kfree(rtt_param.target_info); -+ rtt_param.target_info = NULL; - return err; - } - -@@ -1685,46 +1698,63 @@ wl_cfgvendor_rtt_cancel_config(struct wiphy *wiphy, struct wireless_dev *wdev, - const void *data, int len) - { - int err = 0, rem, type, target_cnt = 0; -- int target_cnt_chk = 0; -+ int target_idx = 0; - const struct nlattr *iter; -- struct ether_addr *mac_list = NULL, *mac_addr = NULL; -+ struct ether_addr *mac_list = NULL; - struct bcm_cfg80211 *cfg = wiphy_priv(wiphy); - -+ if (len <= 0) { -+ err = -EINVAL; -+ goto exit; -+ } - nla_for_each_attr(iter, data, len, rem) { - type = nla_type(iter); - switch (type) { - case RTT_ATTRIBUTE_TARGET_CNT: - if (mac_list != NULL) { - WL_ERR(("mac_list is not NULL\n")); -+ err = -EINVAL; - goto exit; - } - target_cnt = nla_get_u8(iter); -- if (target_cnt > 0) { -+ if ((target_cnt > 0) && -+ (target_cnt < RTT_MAX_TARGET_CNT)) { - mac_list = (struct ether_addr *)kzalloc(target_cnt * ETHER_ADDR_LEN, - GFP_KERNEL); - if (mac_list == NULL) { - WL_ERR(("failed to allocate mem for mac list\n")); -+ err = -EINVAL; - goto exit; - } -- mac_addr = &mac_list[0]; - } else { - /* cancel the current whole RTT process */ - goto cancel; - } - break; - case RTT_ATTRIBUTE_TARGET_MAC: -- if (mac_addr) { -- memcpy(mac_addr++, nla_data(iter), ETHER_ADDR_LEN); -- target_cnt_chk++; -- if (target_cnt_chk > target_cnt) { -- WL_ERR(("over target count\n")); -- goto exit; -- } -- break; -- } else { -- WL_ERR(("mac_list is NULL\n")); -+ if (!mac_list) { -+ err = -EINVAL; - goto exit; - } -+ -+ if (target_idx >= target_cnt) { -+ err = -EINVAL; -+ goto exit; -+ } -+ -+ if (nla_len(iter) != ETHER_ADDR_LEN) { -+ err = -EINVAL; -+ goto exit; -+ } -+ -+ memcpy(&mac_list[target_idx], nla_data(iter), -+ 
ETHER_ADDR_LEN); -+ target_idx++; -+ break; -+ -+ default: -+ err = -EINVAL; -+ goto exit; - } - } - cancel: diff --git a/Patches/Linux_CVEs/CVE-2016-8457/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8456/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8457/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8456/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8457/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2016-8457/ANY/0001.patch new file mode 100644 index 00000000..57a46338 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-8457/ANY/0001.patch 
@@ -0,0 +1,348 @@ +From e5c1b001a822e8b38680655c400e7b3f67cc3323 Mon Sep 17 00:00:00 2001 +From: Insun Song +Date: Thu, 10 Nov 2016 15:01:31 -0800 +Subject: [PATCH] net: wireless: bcmdhd: fix buffer overrun in anqpo config + +1. memory leak fix when input packet content corrupted. +2. reduced unnecessary debug messages + +Signed-off-by: Insun Song +Bug: 32219453 +Change-Id: I0f79310c97571cd46afff29f58f66b17a2471927 +--- + drivers/net/wireless/bcmdhd/dhd_linux.c | 2 + + drivers/net/wireless/bcmdhd/dhd_pno.c | 3 +- + drivers/net/wireless/bcmdhd/dhd_pno.h | 17 ++-- + drivers/net/wireless/bcmdhd/wl_cfg80211.c | 14 +++ + drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 141 ++++++++++++++++++++--------- + 5 files changed, 127 insertions(+), 50 deletions(-) + +diff --git a/drivers/net/wireless/bcmdhd/dhd_linux.c b/drivers/net/wireless/bcmdhd/dhd_linux.c +index 2fd2934a7e851..00201de5de5b8 100644 +--- a/drivers/net/wireless/bcmdhd/dhd_linux.c ++++ b/drivers/net/wireless/bcmdhd/dhd_linux.c +@@ -8621,6 +8621,7 @@ int dhd_dev_set_whitelist_ssid(struct net_device *dev, wl_ssid_whitelist_t *ssid + return err; + } + ++#ifdef DHD_ANQPO_SUPPORT + void * dhd_dev_process_anqpo_result(struct net_device *dev, + const void *data, uint32 event, int *send_evt_bytes) + { +@@ -8628,6 +8629,7 @@ void * dhd_dev_process_anqpo_result(struct net_device *dev, + + return (dhd_pno_process_anqpo_result(&dhd->pub, data, event, send_evt_bytes)); + } ++#endif /* DHD_ANQPO_SUPPORT */ + #endif /* GSCAN_SUPPORT */ + + int dhd_dev_set_rssi_monitor_cfg(struct net_device *dev, int start, +diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c +index 8d6d234cd11b3..a88d1e2e41320 100644 +--- a/drivers/net/wireless/bcmdhd/dhd_pno.c ++++ b/drivers/net/wireless/bcmdhd/dhd_pno.c +@@ -3798,6 +3798,7 @@ dhd_pno_process_epno_result(dhd_pub_t *dhd, const void *data, uint32 event, int + return results; + } + ++#ifdef DHD_ANQPO_SUPPORT + void * + dhd_pno_process_anqpo_result(dhd_pub_t 
*dhd, const void *data, uint32 event, int *size) + { +@@ -3849,7 +3850,7 @@ dhd_pno_process_anqpo_result(dhd_pub_t *dhd, const void *data, uint32 event, int + + return result; + } +- ++#endif /* DHD_ANQPO_SUPPORT */ + + void *dhd_handle_hotlist_scan_evt(dhd_pub_t *dhd, const void *event_data, int *send_evt_bytes, + hotlist_type_t type) +diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.h b/drivers/net/wireless/bcmdhd/dhd_pno.h +index b61d0fd866364..a0edf54049acf 100644 +--- a/drivers/net/wireless/bcmdhd/dhd_pno.h ++++ b/drivers/net/wireless/bcmdhd/dhd_pno.h +@@ -98,8 +98,9 @@ + + #define CHANNEL_BUCKET_EMPTY_INDEX 0xFFFF + #define GSCAN_RETRY_THRESHOLD 3 +-#define MAX_EPNO_SSID_NUM 64 +- ++#define MAX_EPNO_SSID_NUM 64 ++#define GSCAN_ANQPO_MAX_HS_LIST_SIZE 16 ++#define ANQPO_MAX_HS_NAI_REALM_SIZE 256 + #endif /* GSCAN_SUPPORT */ + + enum scan_status { +@@ -351,10 +352,10 @@ typedef struct gscan_results_cache { + } gscan_results_cache_t; + + typedef struct { +- int id; /* identifier of this network block, report this in event */ +- char realm[256]; /* null terminated UTF8 encoded realm, 0 if unspecified */ +- int64_t roamingConsortiumIds[16]; /* roaming consortium ids to match, 0s if unspecified */ +- uint8 plmn[3]; /* mcc/mnc combination as per rules, 0s if unspecified */ ++ int id; ++ char realm[ANQPO_MAX_HS_NAI_REALM_SIZE]; ++ int64_t roamingConsortiumIds[ANQPO_MAX_PFN_HS]; ++ uint8 plmn[ANQPO_MCC_LENGTH]; + } wifi_passpoint_network; + + typedef struct dhd_pno_gscan_capabilities { +@@ -517,8 +518,10 @@ extern void dhd_dev_gscan_hotlist_cache_cleanup(struct net_device *dev, hotlist_ + extern int dhd_dev_wait_batch_results_complete(struct net_device *dev); + extern void * dhd_dev_process_epno_result(struct net_device *dev, + const void *data, uint32 event, int *send_evt_bytes); ++#ifdef DHD_ANQPO_SUPPORT + extern void * dhd_dev_process_anqpo_result(struct net_device *dev, + const void *data, uint32 event, int *send_evt_bytes); ++#endif /* DHD_ANQPO_SUPPORT */ + 
extern int dhd_dev_set_epno(struct net_device *dev); + extern int dhd_dev_flush_fw_epno(struct net_device *dev); + #endif /* GSCAN_SUPPORT */ +@@ -567,7 +570,9 @@ extern void dhd_gscan_hotlist_cache_cleanup(dhd_pub_t *dhd, hotlist_type_t type) + extern int dhd_wait_batch_results_complete(dhd_pub_t *dhd); + extern void * dhd_pno_process_epno_result(dhd_pub_t *dhd, const void *data, + uint32 event, int *size); ++#ifdef DHD_ANQPO_SUPPORT + extern void * dhd_pno_process_anqpo_result(dhd_pub_t *dhd, const void *data, uint32 event, int *size); ++#endif /* DHD_ANQPO_SUPPORT */ + extern void dhd_pno_translate_epno_fw_flags(uint32 *flags); + extern int dhd_pno_set_epno(dhd_pub_t *dhd); + extern int dhd_pno_flush_fw_epno(dhd_pub_t *dhd); +diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c +index a56ba6b82e197..3d70a82adfa5e 100644 +--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c ++++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c +@@ -9423,6 +9423,16 @@ wl_notify_gscan_event(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev, + } else + err = -ENOMEM; + break; ++ case WLC_E_PFN_SSID_EXT: ++ ptr = dhd_dev_process_epno_result(ndev, data, event, &send_evt_bytes); ++ if (ptr) { ++ wl_cfgvendor_send_async_event(wiphy, ndev, ++ GOOGLE_SCAN_EPNO_EVENT, ptr, send_evt_bytes); ++ kfree(ptr); ++ } else ++ err = -ENOMEM; ++ break; ++#ifdef DHD_ANQPO_SUPPORT + case WLC_E_PFN_NET_FOUND: + ptr = dhd_dev_process_anqpo_result(ndev, data, event, &len); + if (ptr) { +@@ -9432,6 +9442,7 @@ wl_notify_gscan_event(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev, + } else + err = -ENOMEM; + break; ++#endif /* DHD_ANQPO_SUPPORT */ + default: + WL_ERR(("Unknown event %d\n", event)); + break; +@@ -10035,7 +10046,10 @@ static void wl_init_event_handler(struct bcm_cfg80211 *cfg) + cfg->evt_handler[WLC_E_PFN_SWC] = wl_notify_gscan_event; + cfg->evt_handler[WLC_E_PFN_BSSID_NET_FOUND] = wl_notify_gscan_event; + cfg->evt_handler[WLC_E_PFN_BSSID_NET_LOST] = 
wl_notify_gscan_event; ++ cfg->evt_handler[WLC_E_PFN_SSID_EXT] = wl_notify_gscan_event; ++#ifdef DHD_ANQPO_SUPPORT + cfg->evt_handler[WLC_E_GAS_FRAGMENT_RX] = wl_notify_gscan_event; ++#endif /* DHD_ANQPO_SUPPORT */ + cfg->evt_handler[WLC_E_ROAM_EXP_EVENT] = wl_handle_roam_exp_event; + #endif /* GSCAN_SUPPORT */ + cfg->evt_handler[WLC_E_RSSI_LQM] = wl_handle_rssi_monitor_event; +diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c +index 5be16a72aa43f..b156660ed053a 100644 +--- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c ++++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c +@@ -939,10 +939,13 @@ static int wl_cfgvendor_epno_cfg(struct wiphy *wiphy, + return err; + } + ++#ifdef DHD_ANQPO_SUPPORT + static int wl_cfgvendor_gscan_anqpo_config(struct wiphy *wiphy, + struct wireless_dev *wdev, const void *data, int len) + { +- int err = BCME_ERROR, rem, type, hs_list_size = 0, malloc_size, i = 0, j, k, num_oi, oi_len; ++ int err = BCME_ERROR, rem, type, malloc_size, i = 0; ++ uint32 hs_list_size = 0; ++ int j, k, num_oi, oi_len; + wifi_passpoint_network *hs_list = NULL, *src_hs; + wl_anqpo_pfn_hs_list_t *anqpo_hs_list; + wl_anqpo_pfn_hs_t *dst_hs; +@@ -953,52 +956,100 @@ static int wl_cfgvendor_gscan_anqpo_config(struct wiphy *wiphy, + char *rcid; + + nla_for_each_attr(iter, data, len, rem) { +- type = nla_type(iter); +- switch (type) { +- case GSCAN_ATTRIBUTE_ANQPO_HS_LIST: +- if (hs_list_size > 0) { +- hs_list = kmalloc(hs_list_size*sizeof(wifi_passpoint_network), GFP_KERNEL); +- if (hs_list == NULL) { +- WL_ERR(("failed to allocate hs_list\n")); +- return -ENOMEM; +- } +- } +- nla_for_each_nested(outer, iter, tmp) { +- nla_for_each_nested(inner, outer, tmp1) { +- type = nla_type(inner); ++ type = nla_type(iter); ++ switch (type) { ++ case GSCAN_ATTRIBUTE_ANQPO_HS_LIST: ++ if (hs_list) { ++ err = -EINVAL; ++ goto exit; ++ } ++ if (hs_list_size > GSCAN_ANQPO_MAX_HS_LIST_SIZE) { ++ err = -EINVAL; ++ goto exit; ++ } ++ if 
(hs_list_size > 0) { ++ hs_list = kzalloc(hs_list_size * ++ sizeof(wifi_passpoint_network), GFP_KERNEL); ++ if (!hs_list) { ++ WL_ERR(("failed to allocate hs_list\n")); ++ return -ENOMEM; ++ } ++ } ++ nla_for_each_nested(outer, iter, tmp) { ++ if (i == hs_list_size) ++ break; ++ nla_for_each_nested(inner, outer, tmp1) { ++ type = nla_type(inner); + +- switch (type) { +- case GSCAN_ATTRIBUTE_ANQPO_HS_NETWORK_ID: +- hs_list[i].id = nla_get_u32(inner); +- WL_ERR(("%s: net id: %d\n", __func__, hs_list[i].id)); +- break; +- case GSCAN_ATTRIBUTE_ANQPO_HS_NAI_REALM: +- memcpy(hs_list[i].realm, +- nla_data(inner), 256); +- WL_ERR(("%s: realm: %s\n", __func__, hs_list[i].realm)); +- break; +- case GSCAN_ATTRIBUTE_ANQPO_HS_ROAM_CONSORTIUM_ID: +- memcpy(hs_list[i].roamingConsortiumIds, +- nla_data(inner), 128); +- break; +- case GSCAN_ATTRIBUTE_ANQPO_HS_PLMN: +- memcpy(hs_list[i].plmn, +- nla_data(inner), 3); +- WL_ERR(("%s: plmn: %c %c %c\n", __func__, hs_list[i].plmn[0], hs_list[i].plmn[1], hs_list[i].plmn[2])); +- break; +- } +- } +- i++; ++ switch (type) { ++ case GSCAN_ATTRIBUTE_ANQPO_HS_NETWORK_ID: ++ if (nla_len(inner) != sizeof(hs_list[i].id)) { ++ err = -EINVAL; ++ goto exit; + } ++ hs_list[i].id = nla_get_u32(inner); ++ WL_DBG(("%s: net id: %d\n", ++ __func__, hs_list[i].id)); + break; +- case GSCAN_ATTRIBUTE_ANQPO_HS_LIST_SIZE: +- hs_list_size = nla_get_u32(iter); +- WL_ERR(("%s: ANQPO: %d\n", __func__, hs_list_size)); ++ case GSCAN_ATTRIBUTE_ANQPO_HS_NAI_REALM: ++ if (nla_len(inner) != ++ sizeof(hs_list[i].realm)) { ++ err = -EINVAL; ++ goto exit; ++ } ++ memcpy(hs_list[i].realm, nla_data(inner), ++ sizeof(hs_list[i].realm)); ++ WL_DBG(("%s: realm: %s\n", ++ __func__, hs_list[i].realm)); + break; +- default: +- WL_ERR(("Unknown type: %d\n", type)); +- return err; ++ case GSCAN_ATTRIBUTE_ANQPO_HS_ROAM_CONSORTIUM_ID: ++ if (nla_len(inner) != sizeof(hs_list[i]. 
++ roamingConsortiumIds)) { ++ err = -EINVAL; ++ goto exit; ++ } ++ memcpy(hs_list[i].roamingConsortiumIds, ++ nla_data(inner), ++ sizeof(hs_list[i].roamingConsortiumIds)); ++ break; ++ case GSCAN_ATTRIBUTE_ANQPO_HS_PLMN: ++ if (nla_len(inner) != sizeof(hs_list[i].plmn)) { ++ err = -EINVAL; ++ goto exit; ++ } ++ memcpy(hs_list[i].plmn, ++ nla_data(inner), ++ sizeof(hs_list[i].plmn)); ++ WL_DBG(("%s: plmn: %c %c %c\n", ++ __func__, hs_list[i].plmn[0], ++ hs_list[i].plmn[1], ++ hs_list[i].plmn[2])); ++ break; ++ } ++ } ++ i++; + } ++ break; ++ case GSCAN_ATTRIBUTE_ANQPO_HS_LIST_SIZE: ++ if (nla_len(iter) != sizeof(hs_list_size)) { ++ err = -EINVAL; ++ goto exit; ++ } ++ hs_list_size = nla_get_u32(iter); ++ if ((hs_list_size == 0) || ++ (hs_list_size > GSCAN_ANQPO_MAX_HS_LIST_SIZE)) { ++ WL_ERR(("%s: ANQPO: %d\n", __func__, hs_list_size)); ++ err = -EINVAL; ++ goto exit; ++ } ++ WL_DBG(("%s: ANQPO: %d\n", __func__, hs_list_size)); ++ break; ++ default: ++ WL_ERR(("Unknown type: %d\n", type)); ++ err = -EINVAL; ++ goto exit; ++ } ++ + } + + malloc_size = OFFSETOF(wl_anqpo_pfn_hs_list_t, hs) + +@@ -1046,7 +1097,7 @@ static int wl_cfgvendor_gscan_anqpo_config(struct wiphy *wiphy, + kfree(hs_list); + return err; + } +- ++#endif /* DHD_ANQPO_SUPPORT */ + static int wl_cfgvendor_set_batch_scan_cfg(struct wiphy *wiphy, + struct wireless_dev *wdev, const void *data, int len) + { +@@ -3065,6 +3116,7 @@ static const struct wiphy_vendor_command wl_vendor_cmds [] = { + .flags = WIPHY_VENDOR_CMD_NEED_WDEV | WIPHY_VENDOR_CMD_NEED_NETDEV, + .doit = wl_cfgvendor_set_bssid_blacklist + }, ++#ifdef DHD_ANQPO_SUPPORT + { + { + .vendor_id = OUI_GOOGLE, +@@ -3073,6 +3125,7 @@ static const struct wiphy_vendor_command wl_vendor_cmds [] = { + .flags = WIPHY_VENDOR_CMD_NEED_WDEV | WIPHY_VENDOR_CMD_NEED_NETDEV, + .doit = wl_cfgvendor_gscan_anqpo_config + }, ++#endif /* DHD_ANQPO_SUPPORT */ + #endif /* GSCAN_SUPPORT */ + { + { +@@ -3233,7 +3286,9 @@ static const struct nl80211_vendor_cmd_info 
wl_vendor_events [] = { + { OUI_GOOGLE, GOOGLE_SCAN_EPNO_EVENT }, + { OUI_GOOGLE, GOOGLE_DEBUG_RING_EVENT }, + { OUI_GOOGLE, GOOGLE_FW_DUMP_EVENT }, ++#ifdef DHD_ANQPO_SUPPORT + { OUI_GOOGLE, GOOGLE_PNO_HOTSPOT_FOUND_EVENT }, ++#endif /* DHD_ANQPO_SUPPORT */ + { OUI_GOOGLE, GOOGLE_RSSI_MONITOR_EVENT }, + { OUI_GOOGLE, GOOGLE_MKEEP_ALIVE_EVENT } + }; diff --git a/Patches/Linux_CVEs/CVE-2016-8458/3.10/0.patch b/Patches/Linux_CVEs/CVE-2016-8458/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8458/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2016-8458/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8458/3.18/1.patch b/Patches/Linux_CVEs/CVE-2016-8458/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8458/3.18/1.patch rename to Patches/Linux_CVEs/CVE-2016-8458/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8463/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8463/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8463/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8463/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8463/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-8463/ANY/1.patch deleted file mode 100644 index 49ee240d..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8463/ANY/1.patch +++ /dev/null 
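Review bot: In the rewritten `wl_cfgvendor_gscan_anqpo_config`, the `GSCAN_ATTRIBUTE_ANQPO_HS_LIST_SIZE` case still accepts a new size after `hs_list` has been allocated, so `hs_list_size` can end up larger than the buffer that `kzalloc` sized from the earlier value. The code after the attribute loop (it begins at `malloc_size = OFFSETOF(...)` and continues outside this hunk) presumably walks `hs_list_size` entries, which would then read past the allocation. Rejecting a late size attribute closes this: `if (hs_list) { err = -EINVAL; goto exit; }` ahead of `hs_list_size = nla_get_u32(iter);`. Separately, the realm `memcpy` fills all `sizeof(hs_list[i].realm)` bytes from the attribute and the following `WL_DBG` prints the field with `%s`, so the last byte should be forced to NUL before it is logged.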
@@ -1,32 +0,0 @@ -From cd0fa86de6ca1d40c0a93d86d1c0f7846e8a9a10 Mon Sep 17 00:00:00 2001 -From: Laura Abbott -Date: Fri, 3 Jan 2014 10:47:00 -0800 -Subject: [PATCH] fs: fuse: Add replacment for CMA pages into the LRU cache - -CMA pages are currently replaced in the FUSE file system since -FUSE may hold on to CMA pages for a long time, preventing migration. -The replacement page is added to the file cache but not the LRU -cache. This may prevent the page from being properly aged and dropped, -creating poor performance under tight memory condition. Fix this by -adding the new page to the LRU cache after creation. - -Change-Id: Ib349abf1024d48386b835335f3fbacae040b6241 -CRs-Fixed: 586855 -Signed-off-by: Laura Abbott ---- - fs/fuse/file.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/fs/fuse/file.c b/fs/fuse/file.c -index e231a7ff11390..3411ed834bbac 100644 ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -822,6 +822,8 @@ static int fuse_readpages_fill(void *_data, struct page *page) - lock_page(newpage); - put_page(newpage); - -+ lru_cache_add_file(newpage); -+ - /* finally release the old page and swap pointers */ - unlock_page(oldpage); - page_cache_release(oldpage); diff --git a/Patches/Linux_CVEs/CVE-2016-8463/ANY/2.patch b/Patches/Linux_CVEs/CVE-2016-8463/ANY/2.patch deleted file mode 100644 index 07b1b7cf..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8463/ANY/2.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From d1ac033d7862a7ec45fb1be8c06b8f51b36deb1a Mon Sep 17 00:00:00 2001 -From: Laura Abbott -Date: Fri, 3 Jan 2014 10:47:00 -0800 -Subject: fs: fuse: Add replacment for CMA pages into the LRU cache - -CMA pages are currently replaced in the FUSE file system since -FUSE may hold on to CMA pages for a long time, preventing migration. -The replacement page is added to the file cache but not the LRU -cache. This may prevent the page from being properly aged and dropped, -creating poor performance under tight memory condition. Fix this by -adding the new page to the LRU cache after creation. - -Change-Id: Ib349abf1024d48386b835335f3fbacae040b6241 -CRs-Fixed: 586855 -Signed-off-by: Laura Abbott ---- - fs/fuse/file.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/fs/fuse/file.c b/fs/fuse/file.c -index c4ced86..e3181a3 100644 ---- a/fs/fuse/file.c -+++ b/fs/fuse/file.c -@@ -929,6 +929,8 @@ static int fuse_readpages_fill(void *_data, struct page *page) - */ - put_page(newpage); - -+ lru_cache_add_file(newpage); -+ - /* finally release the old page and swap pointers */ - unlock_page(oldpage); - page_cache_release(oldpage); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-8464/3.10/0.patch b/Patches/Linux_CVEs/CVE-2016-8464/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8464/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2016-8464/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8464/3.18/1.patch b/Patches/Linux_CVEs/CVE-2016-8464/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8464/3.18/1.patch rename to Patches/Linux_CVEs/CVE-2016-8464/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8464/3.18/1.patch.base64 b/Patches/Linux_CVEs/CVE-2016-8464/3.18/0002.patch.base64 similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8464/3.18/1.patch.base64 rename to Patches/Linux_CVEs/CVE-2016-8464/3.18/0002.patch.base64 
diff --git a/Patches/Linux_CVEs/CVE-2016-8465/3.10/0.patch b/Patches/Linux_CVEs/CVE-2016-8465/3.10/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-8465/3.10/0.patch
rename to Patches/Linux_CVEs/CVE-2016-8465/3.10/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-8465/3.10/1.patch b/Patches/Linux_CVEs/CVE-2016-8465/3.10/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-8465/3.10/1.patch
rename to Patches/Linux_CVEs/CVE-2016-8465/3.10/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-8465/3.18/2.patch b/Patches/Linux_CVEs/CVE-2016-8465/3.18/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-8465/3.18/2.patch
rename to Patches/Linux_CVEs/CVE-2016-8465/3.18/0003.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-8465/3.18/3.patch b/Patches/Linux_CVEs/CVE-2016-8465/3.18/0004.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-8465/3.18/3.patch
rename to Patches/Linux_CVEs/CVE-2016-8465/3.18/0004.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-8466/3.10/0.patch b/Patches/Linux_CVEs/CVE-2016-8466/3.10/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-8466/3.10/0.patch
rename to Patches/Linux_CVEs/CVE-2016-8466/3.10/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-8466/3.18/1.patch b/Patches/Linux_CVEs/CVE-2016-8466/3.18/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-8466/3.18/1.patch
rename to Patches/Linux_CVEs/CVE-2016-8466/3.18/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-8468/3.18/0.patch b/Patches/Linux_CVEs/CVE-2016-8468/3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-8468/3.18/0.patch
rename to Patches/Linux_CVEs/CVE-2016-8468/3.18/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-8473/3.10/0.patch b/Patches/Linux_CVEs/CVE-2016-8473/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-8473/3.10/0.patch
rename to Patches/Linux_CVEs/CVE-2016-8473/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-8474/3.10/0.patch b/Patches/Linux_CVEs/CVE-2016-8474/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-8474/3.10/0.patch
rename to Patches/Linux_CVEs/CVE-2016-8474/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-8475/3.18/0.patch b/Patches/Linux_CVEs/CVE-2016-8475/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-8475/3.18/0.patch
rename to Patches/Linux_CVEs/CVE-2016-8475/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-8476/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8476/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-8476/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-8476/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-8476/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-8476/ANY/1.patch
deleted file mode 100644
index 1e3111c5..00000000
--- a/Patches/Linux_CVEs/CVE-2016-8476/ANY/1.patch
+++ /dev/null
@@ -1,50 +0,0 @@ -From 391b6eea59269ce8962c2ae160de6c8ac8bb4967 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Mon, 21 Nov 2016 19:05:28 -0800 -Subject: [PATCH] qcacld-2.0: Validate "set passpoint list" network count - -Currently when processing the "set passpoint list" vendor command the -"number of networks" parameter is not limit checked. This value is -subsequently used to calculate the size of a buffer. Add a limit check -to ensure that an appropriately sized buffer is always allocated. - -Change-Id: Ibc2346b8a62898fc47e2d1efe457c57c08b0cada -CRs-Fixed: 1091940 -Bug: 32879283 -Signed-off-by: Srinivas Girigowda ---- - drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 7 ++++++- - drivers/staging/qcacld-2.0/CORE/MAC/inc/sirApi.h | 1 + - 2 files changed, 7 insertions(+), 1 deletion(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index e628b575350e4..82275c27ae587 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -5111,8 +5111,13 @@ static int __wlan_hdd_cfg80211_set_passpoint_list(struct wiphy *wiphy, - } - num_networks = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM]); -- hddLog(LOG1, FL("num networks %u"), num_networks); -+ if (num_networks > SIR_PASSPOINT_LIST_MAX_NETWORKS) { -+ hddLog(LOGE, FL("num networks %u exceeds max %u"), -+ num_networks, SIR_PASSPOINT_LIST_MAX_NETWORKS); -+ return -EINVAL; -+ } - -+ hddLog(LOG1, FL("num networks %u"), num_networks); - req_msg = vos_mem_malloc(sizeof(*req_msg) + - (num_networks * sizeof(req_msg->networks[0]))); - if (!req_msg) { -diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/inc/sirApi.h b/drivers/staging/qcacld-2.0/CORE/MAC/inc/sirApi.h -index e6ff7c0967ddb..34287b3c3095d 100644 ---- a/drivers/staging/qcacld-2.0/CORE/MAC/inc/sirApi.h -+++ 
b/drivers/staging/qcacld-2.0/CORE/MAC/inc/sirApi.h -@@ -5580,6 +5580,7 @@ struct wifi_epno_params - struct wifi_epno_network networks[]; - }; - -+#define SIR_PASSPOINT_LIST_MAX_NETWORKS 8 - #define SIR_PASSPOINT_REALM_LEN 256 - #define SIR_PASSPOINT_ROAMING_CONSORTIUM_ID_NUM 16 - #define SIR_PASSPOINT_PLMN_LEN 3 diff --git a/Patches/Linux_CVEs/CVE-2016-8477/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8477/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8477/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8477/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8477/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-8477/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8477/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2016-8477/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8478/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8478/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8478/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8478/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8479/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8479/3.18/0001.patch similarity index 73% rename from Patches/Linux_CVEs/CVE-2016-8479/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8479/3.18/0001.patch index 5e4067a8..55e0cb67 100644 --- a/Patches/Linux_CVEs/CVE-2016-8479/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2016-8479/3.18/0001.patch 
@@ -1,15 +1,13 @@ -From 14139f66e4f4a678e30ed06764603cd050e06ffd Mon Sep 17 00:00:00 2001 -From: Bulbul Dabi +From 1a9d60a353d6c8191cfec089f8cb502626bb0b0e Mon Sep 17 00:00:00 2001 +From: Jordan Crouse Date: Tue, 31 May 2016 11:24:22 -0600 -Subject: [PATCH] msm: kgsl: Reserve a context ID slot but don't populate - immediately +Subject: msm: kgsl: Reserve a context ID slot but don't populate immediately When creating a context allocate an ID but don't populate the slot with the context pointer until we are done setup up the rest of the process. This avoids a race if somebody tries to free the same identifier before the create operation is complete. -Bug: 31824853 Change-Id: Ic0dedbadca5b4cc4ce567afad48a33078b549439 Signed-off-by: Jordan Crouse --- @@ -17,16 +15,16 @@ Signed-off-by: Jordan Crouse 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c -index f8ab3d042a728..4383e77776163 100644 +index ccd8a1d..61be1f339 100644 --- a/drivers/gpu/msm/kgsl.c +++ b/drivers/gpu/msm/kgsl.c -@@ -516,21 +516,18 @@ void kgsl_context_dump(struct kgsl_context *context) +@@ -525,21 +525,18 @@ void kgsl_context_dump(struct kgsl_context *context) EXPORT_SYMBOL(kgsl_context_dump); /* Allocate a new context ID */ --int _kgsl_get_context_id(struct kgsl_device *device, +-static int _kgsl_get_context_id(struct kgsl_device *device, - struct kgsl_context *context) -+int _kgsl_get_context_id(struct kgsl_device *device) ++static int _kgsl_get_context_id(struct kgsl_device *device) { int id; @@ -45,7 +43,7 @@ index f8ab3d042a728..4383e77776163 100644 return id; } -@@ -554,7 +551,7 @@ int kgsl_context_init(struct kgsl_device_private *dev_priv, +@@ -563,7 +560,7 @@ int kgsl_context_init(struct kgsl_device_private *dev_priv, char name[64]; int ret = 0, id; 
@@ -54,16 +52,16 @@ index f8ab3d042a728..4383e77776163 100644 if (id == -ENOSPC) { /* * Before declaring that there are no contexts left try -@@ -565,7 +562,7 @@ int kgsl_context_init(struct kgsl_device_private *dev_priv, - mutex_unlock(&device->mutex); +@@ -572,7 +569,7 @@ int kgsl_context_init(struct kgsl_device_private *dev_priv, + */ + flush_workqueue(device->events_wq); - mutex_lock(&device->mutex); - id = _kgsl_get_context_id(device, context); + id = _kgsl_get_context_id(device); } if (id < 0) { -@@ -577,6 +574,8 @@ int kgsl_context_init(struct kgsl_device_private *dev_priv, +@@ -584,6 +581,8 @@ int kgsl_context_init(struct kgsl_device_private *dev_priv, return id; } @@ -72,7 +70,7 @@ index f8ab3d042a728..4383e77776163 100644 kref_init(&context->refcount); /* * Get a refernce to the process private so its not destroyed, until -@@ -2580,6 +2579,12 @@ long kgsl_ioctl_drawctxt_create(struct kgsl_device_private *dev_priv, +@@ -1713,6 +1712,12 @@ long kgsl_ioctl_drawctxt_create(struct kgsl_device_private *dev_priv, goto done; } trace_kgsl_context_create(dev_priv->device, context, param->flags); @@ -84,4 +82,7 @@ index f8ab3d042a728..4383e77776163 100644 + param->drawctxt_id = context->id; done: - mutex_unlock(&device->mutex); + return result; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-8479/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2016-8479/4.4/0002.patch new file mode 100644 index 00000000..7cb6476a --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-8479/4.4/0002.patch 
@@ -0,0 +1,89 @@ +From eed663a48bec729bb66aaad18ab3fac3b7269581 Mon Sep 17 00:00:00 2001 +From: Jordan Crouse +Date: Tue, 31 May 2016 11:24:22 -0600 +Subject: msm: kgsl: Reserve a context ID slot but don't populate immediately + +When creating a context allocate an ID but don't populate the slot +with the context pointer until we are done setup up the rest of the +process. This avoids a race if somebody tries to free the same +identifier before the create operation is complete. + +Change-Id: Ic0dedbadca5b4cc4ce567afad48a33078b549439 +Signed-off-by: Jordan Crouse +Signed-off-by: Dumpeti Sathish Kumar +--- + drivers/gpu/msm/kgsl.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c +index 699d996..e204478 100644 +--- a/drivers/gpu/msm/kgsl.c ++++ b/drivers/gpu/msm/kgsl.c +@@ -491,21 +491,18 @@ void kgsl_context_dump(struct kgsl_context *context) + EXPORT_SYMBOL(kgsl_context_dump); + + /* Allocate a new context ID */ +-static int _kgsl_get_context_id(struct kgsl_device *device, +- struct kgsl_context *context) ++static int _kgsl_get_context_id(struct kgsl_device *device) + { + int id; + + idr_preload(GFP_KERNEL); + write_lock(&device->context_lock); +- id = idr_alloc(&device->context_idr, context, 1, ++ /* Allocate the slot but don't put a pointer in it yet */ ++ id = idr_alloc(&device->context_idr, NULL, 1, + KGSL_MEMSTORE_MAX, GFP_NOWAIT); + write_unlock(&device->context_lock); + idr_preload_end(); + +- if (id > 0) +- context->id = id; +- + return id; + } + +@@ -529,7 +526,7 @@ int kgsl_context_init(struct kgsl_device_private *dev_priv, + char name[64]; + int ret = 0, id; + +- id = _kgsl_get_context_id(device, context); ++ id = _kgsl_get_context_id(device); + if (id == -ENOSPC) { + /* + * Before declaring that there are no contexts left try +@@ -538,7 +535,7 @@ int kgsl_context_init(struct kgsl_device_private *dev_priv, + */ + + flush_workqueue(device->events_wq); +- id = 
_kgsl_get_context_id(device, context); ++ id = _kgsl_get_context_id(device); + } + + if (id < 0) { +@@ -550,6 +547,8 @@ int kgsl_context_init(struct kgsl_device_private *dev_priv, + return id; + } + ++ context->id = id; ++ + kref_init(&context->refcount); + /* + * Get a refernce to the process private so its not destroyed, until +@@ -1733,6 +1732,12 @@ long kgsl_ioctl_drawctxt_create(struct kgsl_device_private *dev_priv, + goto done; + } + trace_kgsl_context_create(dev_priv->device, context, param->flags); ++ ++ /* Commit the pointer to the context in context_idr */ ++ write_lock(&device->context_lock); ++ idr_replace(&device->context_idr, context, context->id); ++ write_unlock(&device->context_lock); ++ + param->drawctxt_id = context->id; + done: + return result; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-8480/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8480/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8480/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8480/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8480/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-8480/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8480/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2016-8480/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8480/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2016-8480/4.4/0003.patch new file mode 100644 index 00000000..8a85ad8e --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2016-8480/4.4/0003.patch 
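Review bot: Between `idr_alloc(&device->context_idr, NULL, ...)` in `_kgsl_get_context_id` and the `idr_replace()` added to `kgsl_ioctl_drawctxt_create`, the reserved id resolves to NULL, so the fix only holds if every lookup on `context_idr` in the target 4.4 tree treats a NULL entry as "not found"; those lookup paths are outside this patch and should be checked when it is applied. The error exits of `kgsl_context_init` that run after the id is reserved also lie outside the hunks, and each presumably has to `idr_remove()` the placeholder or the id leaks. The result of `idr_replace()` is discarded; wrapping it in `WARN_ON(IS_ERR(...))` would surface a commit that did not land. A comment at `context->id = id;` such as `/* slot is reserved but still NULL in context_idr until drawctxt_create commits it */` would record the invariant for later backports. The same change is carried by `CVE-2016-8479/3.18/0001.patch` earlier in this commit.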
@@ -0,0 +1,55 @@ +From 420d51e0733e72830fa591f1e67f5a40ce11dc51 Mon Sep 17 00:00:00 2001 +From: Zhen Kong +Date: Fri, 4 Nov 2016 17:35:19 -0700 +Subject: qseecom: remove entry from qseecom_registered_app_list + +In an error handling case, the QSEECOM_IOCTL_LOAD_APP_REQ ioctl +freed the entry for new TA, but didn't removed it from +qseecom_registered_app_list. Make change to remove it. + +Change-Id: Id681fbf3c923027d3db875d506cbe3f971919a8d +Signed-off-by: Zhen Kong +--- + drivers/misc/qseecom.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c +index 3402a1b..249a76b 100644 +--- a/drivers/misc/qseecom.c ++++ b/drivers/misc/qseecom.c +@@ -2071,6 +2071,7 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp) + struct qseecom_load_app_64bit_ireq load_req_64bit; + void *cmd_buf = NULL; + size_t cmd_len; ++ bool first_time = false; + + /* Copy the relevant information needed for loading the image */ + if (copy_from_user(&load_img_req, +@@ -2142,6 +2143,7 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp) + &qseecom.registered_app_list_lock, flags); + ret = 0; + } else { ++ first_time = true; + pr_warn("App (%s) does'nt exist, loading apps for first time\n", + (char *)(load_img_req.img_name)); + /* Get the handle of the shared fd */ +@@ -2273,8 +2275,15 @@ static int qseecom_load_app(struct qseecom_dev_handle *data, void __user *argp) + load_img_req.app_id = app_id; + if (copy_to_user(argp, &load_img_req, sizeof(load_img_req))) { + pr_err("copy_to_user failed\n"); +- kzfree(entry); + ret = -EFAULT; ++ if (first_time == true) { ++ spin_lock_irqsave( ++ &qseecom.registered_app_list_lock, flags); ++ list_del(&entry->list); ++ spin_unlock_irqrestore( ++ &qseecom.registered_app_list_lock, flags); ++ kzfree(entry); ++ } + } + + loadapp_err: +-- +cgit v1.1 + 
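Review bot: In the `copy_to_user` failure branch of `qseecom_load_app`, `entry` is freed with `kzfree()` immediately after `list_del()`, but it had been reachable on `qseecom_registered_app_list` since it was added earlier in the function (outside the hunks), so the fix is only complete if no other path keeps a pointer to a list entry after dropping `registered_app_list_lock`. That should be confirmed against the tree this patch is applied to. The branch also returns `-EFAULT` with the entry removed while, as far as the hunk shows, the app load itself is not undone, which looks like it leaves the trusted app loaded without a matching list entry. As a style point, `if (first_time == true)` reads better as `if (first_time)`.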
diff --git a/Patches/Linux_CVEs/CVE-2016-8481/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2016-8481/4.4/0002.patch
new file mode 100644
index 00000000..3be89d8f
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2016-8481/4.4/0002.patch
@@ -0,0 +1,185 @@ +From c8c16b7406c68a5a9f35c5afbfcafd893e197425 Mon Sep 17 00:00:00 2001 +From: Sudheer Papothi +Date: Wed, 26 Oct 2016 01:07:04 +0530 +Subject: drivers: qcom: ultrasound: Lock async driver calls + +Adds lock to ioctl and other external calls to driver. +Adds missing null check in __usf_set_stream_param. + +Change-Id: I142f31c6bb46d6a394ad012077e1703875a120ad +Signed-off-by: Sudheer Papothi +--- + drivers/misc/qcom/qdsp6v2/ultrasound/usf.c | 66 ++++++++++++++++++++++++++---- + 1 file changed, 59 insertions(+), 7 deletions(-) + +diff --git a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c +index 7572374..3bb95f5 100644 +--- a/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c ++++ b/drivers/misc/qcom/qdsp6v2/ultrasound/usf.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + #include + #include + #include "q6usm.h" +@@ -135,6 +136,8 @@ struct usf_type { + uint16_t conflicting_event_filters; + /* The requested buttons bitmap */ + uint16_t req_buttons_bitmap; ++ /* Mutex for exclusive operations (all public APIs) */ ++ struct mutex mutex; + }; + + struct usf_input_dev_type { +@@ -1403,9 +1406,22 @@ static int __usf_set_stream_param(struct usf_xx_type *usf_xx, + int dir) + { + struct us_client *usc = usf_xx->usc; +- struct us_port_data *port = &usc->port[dir]; ++ struct us_port_data *port; + int rc = 0; + ++ if (usc == NULL) { ++ pr_err("%s: usc is null\n", ++ __func__); ++ return -EFAULT; ++ } ++ ++ port = &usc->port[dir]; ++ if (port == NULL) { ++ pr_err("%s: port is null\n", ++ __func__); ++ return -EFAULT; ++ } ++ + if (port->param_buf == NULL) { + pr_err("%s: parameter buffer is null\n", + __func__); +@@ -1538,10 +1554,12 @@ static int usf_get_stream_param(struct usf_xx_type *usf_xx, + return __usf_get_stream_param(usf_xx, &get_stream_param, dir); + } /* usf_get_stream_param */ + +-static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) ++static long __usf_ioctl(struct usf_type 
*usf, ++ unsigned int cmd, ++ unsigned long arg) + { ++ + int rc = 0; +- struct usf_type *usf = file->private_data; + struct usf_xx_type *usf_xx = NULL; + + switch (cmd) { +@@ -1704,6 +1722,18 @@ static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + release_xx(usf_xx); + + return rc; ++} /* __usf_ioctl */ ++ ++static long usf_ioctl(struct file *file, unsigned int cmd, unsigned long arg) ++{ ++ struct usf_type *usf = file->private_data; ++ int rc = 0; ++ ++ mutex_lock(&usf->mutex); ++ rc = __usf_ioctl(usf, cmd, arg); ++ mutex_unlock(&usf->mutex); ++ ++ return rc; + } /* usf_ioctl */ + + #ifdef CONFIG_COMPAT +@@ -2147,12 +2177,11 @@ static int usf_get_stream_param32(struct usf_xx_type *usf_xx, + return __usf_get_stream_param(usf_xx, &get_stream_param, dir); + } /* usf_get_stream_param32 */ + +-static long usf_compat_ioctl(struct file *file, ++static long __usf_compat_ioctl(struct usf_type *usf, + unsigned int cmd, + unsigned long arg) + { + int rc = 0; +- struct usf_type *usf = file->private_data; + struct usf_xx_type *usf_xx = NULL; + + switch (cmd) { +@@ -2160,7 +2189,7 @@ static long usf_compat_ioctl(struct file *file, + case US_START_RX: + case US_STOP_TX: + case US_STOP_RX: { +- return usf_ioctl(file, cmd, arg); ++ return __usf_ioctl(usf, cmd, arg); + } + + case US_SET_TX_INFO32: { +@@ -2269,6 +2298,20 @@ static long usf_compat_ioctl(struct file *file, + release_xx(usf_xx); + + return rc; ++} /* __usf_compat_ioctl */ ++ ++static long usf_compat_ioctl(struct file *file, ++ unsigned int cmd, ++ unsigned long arg) ++{ ++ struct usf_type *usf = file->private_data; ++ int rc = 0; ++ ++ mutex_lock(&usf->mutex); ++ rc = __usf_compat_ioctl(usf, cmd, arg); ++ mutex_unlock(&usf->mutex); ++ ++ return rc; + } /* usf_compat_ioctl */ + #endif /* CONFIG_COMPAT */ + +@@ -2277,13 +2320,17 @@ static int usf_mmap(struct file *file, struct vm_area_struct *vms) + struct usf_type *usf = file->private_data; + int dir = OUT; + struct usf_xx_type *usf_xx = 
&usf->usf_tx; ++ int rc = 0; + ++ mutex_lock(&usf->mutex); + if (vms->vm_flags & USF_VM_WRITE) { /* RX buf mapping */ + dir = IN; + usf_xx = &usf->usf_rx; + } ++ rc = q6usm_get_virtual_address(dir, usf_xx->usc, vms); ++ mutex_unlock(&usf->mutex); + +- return q6usm_get_virtual_address(dir, usf_xx->usc, vms); ++ return rc; + } + + static uint16_t add_opened_dev(int minor) +@@ -2336,6 +2383,8 @@ static int usf_open(struct inode *inode, struct file *file) + usf->usf_tx.us_detect_type = USF_US_DETECT_UNDEF; + usf->usf_rx.us_detect_type = USF_US_DETECT_UNDEF; + ++ mutex_init(&usf->mutex); ++ + pr_debug("%s:usf in open\n", __func__); + return 0; + } +@@ -2346,6 +2395,7 @@ static int usf_release(struct inode *inode, struct file *file) + + pr_debug("%s: release entry\n", __func__); + ++ mutex_lock(&usf->mutex); + usf_release_input(usf); + + usf_disable(&usf->usf_tx); +@@ -2354,6 +2404,8 @@ static int usf_release(struct inode *inode, struct file *file) + s_opened_devs[usf->dev_ind] = 0; + + wakeup_source_trash(&usf_wakeup_source); ++ mutex_unlock(&usf->mutex); ++ mutex_destroy(&usf->mutex); + kfree(usf); + pr_debug("%s: release exit\n", __func__); + return 0; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2016-8481/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8481/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8481/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-8481/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8481/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-8481/ANY/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8481/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2016-8481/ANY/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2016-8483/3.10/1.patch b/Patches/Linux_CVEs/CVE-2016-8483/3.10/1.patch deleted file mode 100644 index e4c3c216..00000000 --- a/Patches/Linux_CVEs/CVE-2016-8483/3.10/1.patch +++ /dev/null 
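Review bot: The added `if (port == NULL)` test in `__usf_set_stream_param` can never fire, because `port` is `&usc->port[dir]`, the address of an array element, and is non-NULL whenever `usc` is a valid pointer. If the intent is to reject a bad direction, the check belongs on `dir` itself, for example `if (dir != IN && dir != OUT) return -EINVAL;` before `usc->port` is indexed. `usf_mmap` still passes `usf_xx->usc` to `q6usm_get_virtual_address()` without the NULL test this patch adds elsewhere; whether that callee tolerates NULL is not visible here. Returning `-EFAULT` for a missing `usc` is also unusual, since nothing was copied from userspace; `-EINVAL` would describe the state better.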
@@ -1,48 +0,0 @@ -From 7e147f4532394f06c3d7bce9cc6e682785754e45 Mon Sep 17 00:00:00 2001 -From: Mohammed Khajapasha -Date: Tue, 28 Jun 2016 11:55:34 +0530 -Subject: msm-core: use get_user() API to read userspace data/settings - -Currently userspace data is getting accessed directly -and leading to crash, So use get_user() API to copy -userspace data/settings to kernel space. - -Change-Id: I3a75ec9503d8207829640bf88e1c3160bf72c9f0 -Signed-off-by: Mohammed Khajapasha -Signed-off-by: Srinivasarao P ---- - drivers/power/qcom/msm-core.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/drivers/power/qcom/msm-core.c b/drivers/power/qcom/msm-core.c -index 406f097..f644950 100644 ---- a/drivers/power/qcom/msm-core.c -+++ b/drivers/power/qcom/msm-core.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -441,14 +441,15 @@ static long msm_core_ioctl(struct file *file, unsigned int cmd, - struct sched_params __user *argp = (struct sched_params __user *)arg; - int i, cpu = num_possible_cpus(); - int mpidr; -- int cpumask; -+ int cluster, cpumask; - - if (!argp) - return -EINVAL; - -- mpidr = (argp->cluster << (MAX_CORES_PER_CLUSTER * -+ get_user(cluster, &argp->cluster); -+ mpidr = (cluster << (MAX_CORES_PER_CLUSTER * - MAX_NUM_OF_CLUSTERS)); -- cpumask = argp->cpumask; -+ get_user(cpumask, &argp->cpumask); - - switch (cmd) { - case EA_LEAKAGE: --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-8483/3.18/0.patch b/Patches/Linux_CVEs/CVE-2016-8483/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-8483/3.18/0.patch rename to Patches/Linux_CVEs/CVE-2016-8483/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2016-8650/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8650/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-8650/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-8650/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-8655/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-8655/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-8655/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-8655/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-9120/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-9120/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-9120/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-9120/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-9120/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-9120/ANY/1.patch
deleted file mode 100644
index 6216356e..00000000
--- a/Patches/Linux_CVEs/CVE-2016-9120/ANY/1.patch
+++ /dev/null
@@ -1,89 +0,0 @@ -From e9fde8664651a566df43c7439e27d59cc5d60460 Mon Sep 17 00:00:00 2001 -From: Daniel Rosenberg -Date: Wed, 2 Nov 2016 17:43:51 -0700 -Subject: [PATCH] ion: Fix use after free during ION_IOC_ALLOC - -If a user happens to call ION_IOC_FREE during an -ION_IOC_ALLOC on the just allocated id, and the -copy_to_user fails, the cleanup code will attempt -to free an already freed handle. - -This adds a wrapper for ion_alloc that adds an -ion_handle_get to avoid this. - -Bug: 31568617 -Change-Id: I476e5bd5372b5178a213f1fea143d270cf9361ed -Signed-off-by: Daniel Rosenberg ---- - drivers/staging/android/ion/ion.c | 23 ++++++++++++++++++----- - 1 file changed, 18 insertions(+), 5 deletions(-) - -diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c -index 8bbbb38dc7c41..63e6b7d795f47 100755 ---- a/drivers/staging/android/ion/ion.c -+++ b/drivers/staging/android/ion/ion.c -@@ -507,9 +507,9 @@ static int ion_handle_add(struct ion_client *client, struct ion_handle *handle) - return 0; - } - --struct ion_handle *ion_alloc(struct ion_client *client, size_t len, -+static struct ion_handle *__ion_alloc(struct ion_client *client, size_t len, - size_t align, unsigned int heap_id_mask, -- unsigned int flags) -+ unsigned int flags, bool grab_handle) - { - struct ion_handle *handle; - struct ion_device *dev = client->dev; -@@ -604,6 +604,8 @@ struct ion_handle *ion_alloc(struct ion_client *client, size_t len, - return handle; - - mutex_lock(&client->lock); -+ if (grab_handle) -+ ion_handle_get(handle); - ret = ion_handle_add(client, handle); - mutex_unlock(&client->lock); - if (ret) { -@@ -613,6 +615,13 @@ struct ion_handle *ion_alloc(struct ion_client *client, size_t len, - - return handle; - } -+ -+struct ion_handle *ion_alloc(struct ion_client *client, size_t len, -+ size_t align, unsigned int heap_id_mask, -+ unsigned int flags) -+{ -+ return __ion_alloc(client, len, align, heap_id_mask, flags, false); -+} - EXPORT_SYMBOL(ion_alloc); - - 
static void ion_free_nolock(struct ion_client *client, struct ion_handle *handle) -@@ -1488,10 +1497,10 @@ static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - { - struct ion_handle *handle; - -- handle = ion_alloc(client, data.allocation.len, -+ handle = __ion_alloc(client, data.allocation.len, - data.allocation.align, - data.allocation.heap_id_mask, -- data.allocation.flags); -+ data.allocation.flags, true); - if (IS_ERR(handle)) - return PTR_ERR(handle); - -@@ -1568,11 +1577,15 @@ static long ion_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) - - if (dir & _IOC_READ) { - if (copy_to_user((void __user *)arg, &data, _IOC_SIZE(cmd))) { -- if (cleanup_handle) -+ if (cleanup_handle) { - ion_free(client, cleanup_handle); -+ ion_handle_put(cleanup_handle); -+ } - return -EFAULT; - } - } -+ if (cleanup_handle) -+ ion_handle_put(cleanup_handle); - return ret; - } - diff --git a/Patches/Linux_CVEs/CVE-2016-9191/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-9191/3.11-4.8/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-9191/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-9191/3.11-4.8/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-9555/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-9555/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-9555/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-9555/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-9576/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-9576/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-9576/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-9576/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2016-9604/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-9604/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-9604/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2016-9604/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2016-9754/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-9754/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-9754/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-9754/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-9793/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-9793/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-9793/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-9793/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2016-9794/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-9794/ANY/0.patch
deleted file mode 100644
index 0c23cfde..00000000
--- a/Patches/Linux_CVEs/CVE-2016-9794/ANY/0.patch
+++ /dev/null
@@ -1,44 +0,0 @@ -From 3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Thu, 14 Apr 2016 18:02:37 +0200 -Subject: ALSA: pcm : Call kill_fasync() in stream lock - -Currently kill_fasync() is called outside the stream lock in -snd_pcm_period_elapsed(). This is potentially racy, since the stream -may get released even during the irq handler is running. Although -snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't -guarantee that the irq handler finishes, thus the kill_fasync() call -outside the stream spin lock may be invoked after the substream is -detached, as recently reported by KASAN. - -As a quick workaround, move kill_fasync() call inside the stream -lock. The fasync is rarely used interface, so this shouldn't have a -big impact from the performance POV. - -Ideally, we should implement some sync mechanism for the proper finish -of stream and irq handler. But this oneliner should suffice for most -cases, so far. - -Reported-by: Baozeng Ding -Signed-off-by: Takashi Iwai ---- - sound/core/pcm_lib.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c -index 3a9b66c..0aca397 100644 ---- a/sound/core/pcm_lib.c -+++ b/sound/core/pcm_lib.c -@@ -1886,8 +1886,8 @@ void snd_pcm_period_elapsed(struct snd_pcm_substream *substream) - snd_timer_interrupt(substream->timer, 1); - #endif - _end: -- snd_pcm_stream_unlock_irqrestore(substream, flags); - kill_fasync(&runtime->fasync, SIGIO, POLL_IN); -+ snd_pcm_stream_unlock_irqrestore(substream, flags); - } - - EXPORT_SYMBOL(snd_pcm_period_elapsed); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2016-9794/ANY/1.patch b/Patches/Linux_CVEs/CVE-2016-9794/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2016-9794/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2016-9794/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2016-9806/ANY/0.patch b/Patches/Linux_CVEs/CVE-2016-9806/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2016-9806/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2016-9806/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0403/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0403/3.0-3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0403/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0403/3.0-3.18/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0404/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0404/^3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0404/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0404/^3.18/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0427/3.10/1.patch b/Patches/Linux_CVEs/CVE-2017-0427/3.10/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0427/3.10/1.patch
rename to Patches/Linux_CVEs/CVE-2017-0427/3.10/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0427/3.18/0.patch b/Patches/Linux_CVEs/CVE-2017-0427/3.18/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0427/3.18/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0427/3.18/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0430/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0430/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0430/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0430/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0433/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0433/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0433/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0433/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0433/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0433/ANY/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0433/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2017-0433/ANY/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0434/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0434/3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0434/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0434/3.18/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0435/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0435/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0435/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0435/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0435/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0435/ANY/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0435/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2017-0435/ANY/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0436/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0436/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0436/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0436/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0437/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0437/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0437/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0437/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0438/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0438/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0438/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0438/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0438/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0438/ANY/1.patch
deleted file mode 100644
index acb3c306..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0438/ANY/1.patch
+++ /dev/null
@@ -1,127 +0,0 @@ -From 138c690bd39a3f1ba14450e308ebc56bbda1f5b2 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Mon, 28 Nov 2016 20:47:30 -0800 -Subject: [PATCH] qcacld-2.0: Avoid overflow of roam subcmd params - -Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor -command, for the following roam commands there are input validation -issues: - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID - -Both of these commands have a "number of BSSIDs" attribute as well as a -list of BSSIDs. However there is no validation that the number of -BSSIDs provided won't overflow the destination buffer. In addition -there is no validation that the number of BSSIDs actually provided -matches the number of BSSIDs expected. - -To address these issues, for the above mentioned commands: -* Verify that the expected number of BSSIDs doesn't exceed the maximum - allowed number of BSSIDs -* Verify that the actual number of BSSIDs supplied doesn't exceed the - expected number of BSSIDs -* Only process the actual number of supplied BSSIDs if it is less than - the expected number of BSSIDs. 
- -Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6 -CRs-Fixed: 1092497 -Bug: 32402310 32402604 32871330 -Signed-off-by: Srinivas Girigowda ---- - .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 43 +++++++++++++++++++--- - 1 file changed, 37 insertions(+), 6 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index 89dba5d54b627..fd23a304b93bd 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -1799,6 +1799,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1]; - int rem, i; - uint32_t buf_len = 0; -+ uint32_t count; - int ret; - - if (VOS_FTM_MODE == hdd_get_conparam()) { -@@ -1974,15 +1975,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of preferred bssid failed")); - goto fail; - } -- roam_params.num_bssid_favored = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]); -+ if (count > MAX_BSSID_FAVORED) { -+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_FAVORED); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of Preferred BSSID (%d)"), -- roam_params.num_bssid_favored); -+ FL("Num of Preferred BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2012,6 +2023,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_favored_factor[i]); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Preferred BSSID %u less than expected %u"), -+ i, 
count); -+ roam_params.num_bssid_favored = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_FAVORED_BSSID); - break; -@@ -2021,15 +2037,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of blacklist bssid failed")); - goto fail; - } -- roam_params.num_bssid_avoid_list = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]); -+ if (count > MAX_BSSID_AVOID_LIST) { -+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_AVOID_LIST); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of blacklist BSSID (%d)"), -- roam_params.num_bssid_avoid_list); -+ FL("Num of blacklist BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2050,6 +2076,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_avoid_list[i])); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Blacklist BSSID %u less than expected %u"), -+ i, count); -+ roam_params.num_bssid_avoid_list = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_BLACKLIST_BSSID); - break; diff --git a/Patches/Linux_CVEs/CVE-2017-0439/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0439/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0439/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0439/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0439/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0439/ANY/0002.patch similarity index 59% rename from Patches/Linux_CVEs/CVE-2017-0439/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2017-0439/ANY/0002.patch index e577a3e3..58045e51 100644 
--- a/Patches/Linux_CVEs/CVE-2017-0439/ANY/1.patch +++ b/Patches/Linux_CVEs/CVE-2017-0439/ANY/0002.patch @@ -1,7 +1,9 @@ -From 5b3f9bb678b1f5a57f7664965ee6e082553c1e40 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Mon, 21 Nov 2016 19:10:09 -0800 -Subject: [PATCH] qcacld-2.0: Avoid overflow of passpoint network list +From ff866a1e9a0f653252b5d5b7eb087374c5bad65d Mon Sep 17 00:00:00 2001 +From: Jeff Johnson +Date: Fri, 18 Nov 2016 11:44:29 -0800 +Subject: qcacld-3.0: Avoid overflow of passpoint network list + +This is a qcacld-2.0 to qcacld-3.0 propagation. Currently when processing a passpoint vendor command the "num networks" attribute is limit checked and if it exceeds a MAX value @@ -16,17 +18,15 @@ been parsed. Change-Id: I38d9f19b08b42fa9a850eb70a42920fbc3b99cf6 CRs-Fixed: 1092059 -Bug: 32450647 -Signed-off-by: Srinivas Girigowda --- - drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 9 +++++++++ + core/hdd/src/wlan_hdd_ext_scan.c | 9 +++++++++ 1 file changed, 9 insertions(+) -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index 82275c27ae587..89dba5d54b627 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -4992,11 +4992,19 @@ static int hdd_extscan_passpoint_fill_network_list( +diff --git a/core/hdd/src/wlan_hdd_ext_scan.c b/core/hdd/src/wlan_hdd_ext_scan.c +index 6515bd4..44c574b 100644 +--- a/core/hdd/src/wlan_hdd_ext_scan.c ++++ b/core/hdd/src/wlan_hdd_ext_scan.c +@@ -4080,11 +4080,19 @@ static int hdd_extscan_passpoint_fill_network_list( struct nlattr *networks; int rem1, len; uint8_t index; 
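Review bot: The rewritten 0002.patch now targets `core/hdd/src/wlan_hdd_ext_scan.c` (the qcacld-3.0 layout), where the version it replaces patched `drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c`, so this file presumably no longer applies to a tree that carries the driver under the qcacld-2.0 path. 0001.patch in the same directory is renamed unchanged and its content is not shown, so it is not visible here whether the qcacld-2.0 bound on the passpoint network count is still covered. The same swap is made for CVE-2017-0441, where the qcacld-2.0 `1.patch` is deleted and a qcacld-3.0 `0002.patch` is added. I would confirm that each affected CVE directory still holds a variant for both driver layouts and state the target driver in the commit message. The rewrite also drops the `Bug: 32450647` trailer, which looks like the only cross-reference to the tracking bug.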
@@ -39,14 +39,14 @@ index 82275c27ae587..89dba5d54b627 100644 rem1) { + + if (index == expected_networks) { -+ hddLog(LOGW, FL("ignoring excess networks")); ++ hdd_warn("ignoring excess networks"); + break; + } + if (nla_parse(network, QCA_WLAN_VENDOR_ATTR_PNO_MAX, nla_data(networks), nla_len(networks), NULL)) { -@@ -5058,6 +5066,7 @@ static int hdd_extscan_passpoint_fill_network_list( +@@ -4143,6 +4151,7 @@ static int hdd_extscan_passpoint_fill_network_list( index++; } @@ -54,3 +54,6 @@ index 82275c27ae587..89dba5d54b627 100644 return 0; } +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-0440/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0440/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0440/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0440/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0440/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0440/ANY/1.patch deleted file mode 100644 index 5c58be37..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0440/ANY/1.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 054ce0761e900c5f63089393f8b6cadf17d55ade Mon Sep 17 00:00:00 2001 -From: Hanumanth Reddy Pothula -Date: Fri, 27 Jan 2017 16:43:45 +0530 -Subject: prima: Avoid overflow of "set_bssid_hotlist" params - -qcacld2.0 to prima propgation - -The wlan driver supports the following vendor command: - QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_BSSID_HOTLIST - -This command supplies a "number of APs" attribute as well as a list of -per-AP attributes. However there is no validation that the number of -APs provided won't overflow the destination buffer. In addition there -is no validation that the number of APs actually provided matches the -number of APs expected. - -To address these issues: -* Verify that the expected number of APs doesn't exceed the maximum - allowed number of APs -* Verify that the actual number of APs supplied doesn't exceed the - expected number of APs -* Only process the actual number of supplied APs if it is less than - the expected number of APs. - -Change-Id: I41e36d11bc3e71928866a27afc2fbf046b59f0f5 -CRs-Fixed: 1095770 ---- - CORE/HDD/src/wlan_hdd_cfg80211.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c -index 8aa38d1..f130174 100644 ---- a/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -3764,10 +3764,20 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy, - - pReqMsg->numBssid = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_NUM_AP]); -+ if (pReqMsg->numBssid > WLAN_EXTSCAN_MAX_HOTLIST_APS) { -+ hddLog(LOGE, FL("Number of AP: %u exceeds max: %u"), -+ pReqMsg->numBssid, WLAN_EXTSCAN_MAX_HOTLIST_APS); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_INFO, FL("Number of AP (%d)"), pReqMsg->numBssid); - - nla_for_each_nested(apTh, - tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM], rem) { -+ if (i == pReqMsg->numBssid) { -+ hddLog(LOGW, FL("Ignoring excess AP")); -+ 
break; -+ } -+ - if(nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX, - nla_data(apTh), nla_len(apTh), - NULL)) { -@@ -3806,6 +3816,12 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy, - i++; - } - -+ if (i < pReqMsg->numBssid) { -+ hddLog(LOGW, FL("Number of AP %u less than expected %u"), -+ i, pReqMsg->numBssid); -+ pReqMsg->numBssid = i; -+ } -+ - context = &pHddCtx->ext_scan_context; - spin_lock(&hdd_context_lock); - INIT_COMPLETION(context->response_event); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0440/ANY/2.patch b/Patches/Linux_CVEs/CVE-2017-0440/ANY/2.patch deleted file mode 100644 index 9ec0e384..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0440/ANY/2.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From 8fc2d90f0be55051ff2efa8d3fbea1097f910458 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Wed, 30 Nov 2016 19:21:30 -0800 -Subject: [PATCH] qcacld-2.0: Avoid overflow of "set_bssid_hotlist" params - -The wlan driver supports the following vendor command: - QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_BSSID_HOTLIST - -This command supplies a "number of APs" attribute as well as a list of -per-AP attributes. However there is no validation that the number of -APs provided won't overflow the destination buffer. In addition there -is no validation that the number of APs actually provided matches the -number of APs expected. - -To address these issues: -* Verify that the expected number of APs doesn't exceed the maximum - allowed number of APs -* Verify that the actual number of APs supplied doesn't exceed the - expected number of APs -* Only process the actual number of supplied APs if it is less than - the expected number of APs. - -Change-Id: I41e36d11bc3e71928866a27afc2fbf046b59f0f5 -CRs-Fixed: 1095770 -Bug: 33252788 -Signed-off-by: Srinivas Girigowda ---- - .../staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 16 ++++++++++++++++ - drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c | 6 +++--- - 2 files changed, 19 insertions(+), 3 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index 301ef98c20d13..9ed9f6335834d 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -2752,6 +2752,11 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy, - } - pReqMsg->numAp = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_NUM_AP]); -+ if (pReqMsg->numAp > WLAN_EXTSCAN_MAX_HOTLIST_APS) { -+ hddLog(LOGE, FL("Number of AP: %u exceeds max: %u"), -+ pReqMsg->numAp, WLAN_EXTSCAN_MAX_HOTLIST_APS); -+ goto fail; -+ } - 
hddLog(LOG1, FL("Number of AP %d"), pReqMsg->numAp); - - /* Parse and fetch lost ap sample size */ -@@ -2770,6 +2775,11 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy, - i = 0; - nla_for_each_nested(apTh, - tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM], rem) { -+ if (i == pReqMsg->numAp) { -+ hddLog(LOGW, FL("Ignoring excess AP")); -+ break; -+ } -+ - if (nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX, - nla_data(apTh), nla_len(apTh), - wlan_hdd_extscan_config_policy)) { -@@ -2808,6 +2818,12 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy, - i++; - } - -+ if (i < pReqMsg->numAp) { -+ hddLog(LOGW, FL("Number of AP %u less than expected %u"), -+ i, pReqMsg->numAp); -+ pReqMsg->numAp = i; -+ } -+ - context = &pHddCtx->ext_scan_context; - spin_lock(&hdd_context_lock); - INIT_COMPLETION(context->response_event); -diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c -index 53898a83d9d45..ec41442b4b240 100644 ---- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c -+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c -@@ -27091,7 +27091,7 @@ VOS_STATUS wma_get_buf_extscan_hotlist_cmd(tp_wma_handle wma_handle, - int cmd_len = 0; - int num_entries = 0; - int min_entries = 0; -- int numap = photlist->numAp; -+ uint32_t numap = photlist->numAp; - int len = sizeof(*cmd); - - len += WMI_TLV_HDR_SIZE; -@@ -27100,8 +27100,8 @@ VOS_STATUS wma_get_buf_extscan_hotlist_cmd(tp_wma_handle wma_handle, - /* setbssid hotlist expects the bssid list - * to be non zero value - */ -- if (!numap) { -- WMA_LOGE("%s: Invalid number of bssid's", __func__); -+ if (!numap || (numap > WLAN_EXTSCAN_MAX_HOTLIST_APS)) { -+ WMA_LOGE("%s: Invalid number of APs: %d", __func__, numap); - return VOS_STATUS_E_INVAL; - } - num_entries = wma_get_hotlist_entries_per_page(wma_handle->wmi_handle, 
diff --git a/Patches/Linux_CVEs/CVE-2017-0441/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0441/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0441/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0441/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0441/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-0441/ANY/0002.patch
new file mode 100644
index 00000000..aca2f6a2
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-0441/ANY/0002.patch
@@ -0,0 +1,76 @@ +From e578706506f98a4962220066d92d81e853ac7212 Mon Sep 17 00:00:00 2001 +From: Jeff Johnson +Date: Tue, 29 Nov 2016 08:54:18 -0800 +Subject: qcacld-3.0: Avoid overflow of "significant change" params + +This is a qcacld-2.0 to qcacld-3.0 propagation. + +The wlan driver supports the following vendor command: + QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE + +This command supplies a "number of APs" attribute as well as a list of +per-AP attributes. However there is no validation that the number of +APs provided won't overflow the destination buffer. In addition there +is no validation that the number of APs actually provided matches the +number of APs expected. + +To address these issues: +* Verify that the expected number of APs doesn't exceed the maximum + allowed number of APs +* Verify that the actual number of APs supplied doesn't exceed the + expected number of APs +* Only process the actual number of supplied APs if it is less than + the expected number of APs. 
+ +Change-Id: I0513ffbc4a38f1d7ddbc0815d3618fc9a2ea4f77 +CRs-Fixed: 1095009 +--- + core/hdd/src/wlan_hdd_ext_scan.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/core/hdd/src/wlan_hdd_ext_scan.c b/core/hdd/src/wlan_hdd_ext_scan.c +index 86a51f7..320ea3c 100644 +--- a/core/hdd/src/wlan_hdd_ext_scan.c ++++ b/core/hdd/src/wlan_hdd_ext_scan.c +@@ -2320,6 +2320,13 @@ __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiphy, + pReqMsg->numAp = + nla_get_u32(tb + [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP]); ++ if (pReqMsg->numAp > WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS) { ++ hdd_err("Number of AP %u exceeds max %u", ++ pReqMsg->numAp, ++ WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS); ++ goto fail; ++ } ++ + pReqMsg->sessionId = pAdapter->sessionId; + hdd_notice("Number of AP %d Session Id %d", + pReqMsg->numAp, pReqMsg->sessionId); +@@ -2328,6 +2335,12 @@ __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiphy, + nla_for_each_nested(apTh, + tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM], + rem) { ++ ++ if (i == pReqMsg->numAp) { ++ hdd_warn("Ignoring excess AP"); ++ break; ++ } ++ + if (nla_parse + (tb2, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX, + nla_data(apTh), nla_len(apTh), +@@ -2372,6 +2385,11 @@ __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiphy, + + i++; + } ++ if (i < pReqMsg->numAp) { ++ hdd_warn("Number of AP %u less than expected %u", ++ i, pReqMsg->numAp); ++ pReqMsg->numAp = i; ++ } + + context = &ext_scan_context; + spin_lock(&context->context_lock); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-0441/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0441/ANY/1.patch deleted file mode 100644 index 79872663..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0441/ANY/1.patch +++ /dev/null 
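Review bot: This qcacld-3.0 patch bounds `pReqMsg->numAp` only in the HDD handler `__wlan_hdd_cfg80211_extscan_set_significant_change`. The qcacld-2.0 variant deleted further down in this commit also hardened the consumer, making `numap` a `uint32_t` and rejecting `!numap || (numap > WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS)` in `wma_get_buf_extscan_change_monitor_cmd`. Whether the qcacld-3.0 WMA path already has an equivalent check is not visible from this patch, so it is worth confirming before relying on the HDD-side check alone. The truncation `pReqMsg->numAp = i` can also leave the count at zero, which the added lines do not reject; if an empty list is not a valid request, a guard such as `if (!pReqMsg->numAp) goto fail;` after it would stop the request there. The handler's body continues outside the hunk.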
@@ -1,93 +0,0 @@ -From 26e873d1ea24db46362ed80fc53f74c1201af0b1 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Wed, 30 Nov 2016 19:20:45 -0800 -Subject: [PATCH] qcacld-2.0: Avoid overflow of "significant change" params - -The wlan driver supports the following vendor command: - QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE - -This command supplies a "number of APs" attribute as well as a list of -per-AP attributes. However there is no validation that the number of -APs provided won't overflow the destination buffer. In addition there -is no validation that the number of APs actually provided matches the -number of APs expected. - -To address these issues: -* Verify that the expected number of APs doesn't exceed the maximum - allowed number of APs -* Verify that the actual number of APs supplied doesn't exceed the - expected number of APs -* Only process the actual number of supplied APs if it is less than - the expected number of APs. - -Change-Id: I0513ffbc4a38f1d7ddbc0815d3618fc9a2ea4f77 -CRs-Fixed: 1095009 -Bug: 32872662 -Signed-off-by: Srinivas Girigowda ---- - .../staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 16 ++++++++++++++++ - drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c | 8 ++++---- - 2 files changed, 20 insertions(+), 4 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index fd23a304b93bd..301ef98c20d13 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -3201,6 +3201,11 @@ static int __wlan_hdd_cfg80211_extscan_set_significant_change( - } - pReqMsg->numAp = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP]); -+ if (pReqMsg->numAp > WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS) { -+ hddLog(LOGE, FL("Number of AP %u exceeds max %u"), -+ pReqMsg->numAp, WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS); -+ goto 
fail; -+ } - - pReqMsg->sessionId = pAdapter->sessionId; - hddLog(LOG1, FL("Number of AP %d Session Id %d"), pReqMsg->numAp, -@@ -3209,6 +3214,12 @@ static int __wlan_hdd_cfg80211_extscan_set_significant_change( - i = 0; - nla_for_each_nested(apTh, - tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM], rem) { -+ -+ if (i == pReqMsg->numAp) { -+ hddLog(LOGW, FL("Ignoring excess AP")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX, - nla_data(apTh), nla_len(apTh), -@@ -3248,6 +3259,11 @@ static int __wlan_hdd_cfg80211_extscan_set_significant_change( - - i++; - } -+ if (i < pReqMsg->numAp) { -+ hddLog(LOGW, FL("Number of AP %u less than expected %u"), -+ i, pReqMsg->numAp); -+ pReqMsg->numAp = i; -+ } - - context = &pHddCtx->ext_scan_context; - spin_lock(&hdd_context_lock); -diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c -index f1c4eb4e2c5db..53898a83d9d45 100644 ---- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c -+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c -@@ -27390,12 +27390,12 @@ VOS_STATUS wma_get_buf_extscan_change_monitor_cmd(tp_wma_handle wma_handle, - u_int8_t *buf_ptr; - int j; - int len = sizeof(*cmd); -- int numap = psigchange->numAp; -+ uint32_t numap = psigchange->numAp; - tSirAPThresholdParam *src_ap = psigchange->ap; - -- if (!numap) { -- WMA_LOGE("%s: Invalid number of bssid's", -- __func__); -+ if (!numap || (numap > WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS)) { -+ WMA_LOGE("%s: Invalid number of APs: %d", -+ __func__, numap); - return VOS_STATUS_E_INVAL; - } - len += WMI_TLV_HDR_SIZE; diff --git a/Patches/Linux_CVEs/CVE-2017-0442/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0442/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0442/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0442/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2017-0442/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0442/ANY/1.patch
deleted file mode 100644
index acb3c306..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0442/ANY/1.patch
+++ /dev/null
@@ -1,127 +0,0 @@ -From 138c690bd39a3f1ba14450e308ebc56bbda1f5b2 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Mon, 28 Nov 2016 20:47:30 -0800 -Subject: [PATCH] qcacld-2.0: Avoid overflow of roam subcmd params - -Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor -command, for the following roam commands there are input validation -issues: - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID - -Both of these commands have a "number of BSSIDs" attribute as well as a -list of BSSIDs. However there is no validation that the number of -BSSIDs provided won't overflow the destination buffer. In addition -there is no validation that the number of BSSIDs actually provided -matches the number of BSSIDs expected. - -To address these issues, for the above mentioned commands: -* Verify that the expected number of BSSIDs doesn't exceed the maximum - allowed number of BSSIDs -* Verify that the actual number of BSSIDs supplied doesn't exceed the - expected number of BSSIDs -* Only process the actual number of supplied BSSIDs if it is less than - the expected number of BSSIDs. 
- -Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6 -CRs-Fixed: 1092497 -Bug: 32402310 32402604 32871330 -Signed-off-by: Srinivas Girigowda ---- - .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 43 +++++++++++++++++++--- - 1 file changed, 37 insertions(+), 6 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index 89dba5d54b627..fd23a304b93bd 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -1799,6 +1799,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1]; - int rem, i; - uint32_t buf_len = 0; -+ uint32_t count; - int ret; - - if (VOS_FTM_MODE == hdd_get_conparam()) { -@@ -1974,15 +1975,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of preferred bssid failed")); - goto fail; - } -- roam_params.num_bssid_favored = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]); -+ if (count > MAX_BSSID_FAVORED) { -+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_FAVORED); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of Preferred BSSID (%d)"), -- roam_params.num_bssid_favored); -+ FL("Num of Preferred BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2012,6 +2023,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_favored_factor[i]); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Preferred BSSID %u less than expected %u"), -+ i, 
count); -+ roam_params.num_bssid_favored = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_FAVORED_BSSID); - break; -@@ -2021,15 +2037,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of blacklist bssid failed")); - goto fail; - } -- roam_params.num_bssid_avoid_list = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]); -+ if (count > MAX_BSSID_AVOID_LIST) { -+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_AVOID_LIST); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of blacklist BSSID (%d)"), -- roam_params.num_bssid_avoid_list); -+ FL("Num of blacklist BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2050,6 +2076,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_avoid_list[i])); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Blacklist BSSID %u less than expected %u"), -+ i, count); -+ roam_params.num_bssid_avoid_list = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_BLACKLIST_BSSID); - break; diff --git a/Patches/Linux_CVEs/CVE-2017-0443/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0443/ANY/0001.patch similarity index 98% rename from Patches/Linux_CVEs/CVE-2017-0443/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0443/ANY/0001.patch index 3e7bc3db..c157c6d2 100644 --- a/Patches/Linux_CVEs/CVE-2017-0443/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2017-0443/ANY/0001.patch 
@@ -1,4 +1,4 @@ -From 1f0b036dc74ccb6e9f0a03a540efdb0876f5ca77 Mon Sep 17 00:00:00 2001 +From f1081e78eff75ca665c662493736b17cb792b46d Mon Sep 17 00:00:00 2001 From: Jeff Johnson Date: Mon, 28 Nov 2016 09:19:02 -0800 Subject: qcacld-2.0: Avoid overflow of roam subcmd params diff --git a/Patches/Linux_CVEs/CVE-2017-0437/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0443/ANY/0002.patch similarity index 54% rename from Patches/Linux_CVEs/CVE-2017-0437/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2017-0443/ANY/0002.patch index acb3c306..21823da6 100644 --- a/Patches/Linux_CVEs/CVE-2017-0437/ANY/1.patch +++ b/Patches/Linux_CVEs/CVE-2017-0443/ANY/0002.patch @@ -1,13 +1,15 @@ -From 138c690bd39a3f1ba14450e308ebc56bbda1f5b2 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Mon, 28 Nov 2016 20:47:30 -0800 -Subject: [PATCH] qcacld-2.0: Avoid overflow of roam subcmd params +From a4c5eefd5dd761445784963f3b6605d24d2bc3af Mon Sep 17 00:00:00 2001 +From: Jeff Johnson +Date: Tue, 29 Nov 2016 07:22:08 -0800 +Subject: qcacld-3.0: Avoid overflow of roam subcmd params + +This is a qcacld-2.0 to qcacld-3.0 propagation. Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor command, for the following roam commands there are input validation issues: - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID + QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS + QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID Both of these commands have a "number of BSSIDs" attribute as well as a list of BSSIDs. However there is no validation that the number of 
@@ -25,103 +27,100 @@ To address these issues, for the above mentioned commands: Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6 CRs-Fixed: 1092497 -Bug: 32402310 32402604 32871330 -Signed-off-by: Srinivas Girigowda --- - .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 43 +++++++++++++++++++--- - 1 file changed, 37 insertions(+), 6 deletions(-) + core/hdd/src/wlan_hdd_cfg80211.c | 41 ++++++++++++++++++++++++++++++++++------ + 1 file changed, 35 insertions(+), 6 deletions(-) -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index 89dba5d54b627..fd23a304b93bd 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -1799,6 +1799,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, +diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c +index 169629a..c457140 100644 +--- a/core/hdd/src/wlan_hdd_cfg80211.c ++++ b/core/hdd/src/wlan_hdd_cfg80211.c +@@ -2339,6 +2339,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1]; int rem, i; uint32_t buf_len = 0; + uint32_t count; int ret; - if (VOS_FTM_MODE == hdd_get_conparam()) { -@@ -1974,15 +1975,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of preferred bssid failed")); + ENTER_DEV(dev); +@@ -2509,14 +2510,24 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, + hdd_err("attr num of preferred bssid failed"); goto fail; } - roam_params.num_bssid_favored = nla_get_u32( + count = nla_get_u32( tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]); +- hdd_debug("Num of Preferred BSSID (%d)", +- roam_params.num_bssid_favored); + if (count > MAX_BSSID_FAVORED) { -+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_FAVORED); ++ 
hdd_err("Preferred BSSID count %u exceeds max %u", ++ count, MAX_BSSID_FAVORED); + goto fail; + } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of Preferred BSSID (%d)"), -- roam_params.num_bssid_favored); -+ FL("Num of Preferred BSSID: %d"), count); ++ hdd_debug("Num of Preferred BSSID (%d)", count); i = 0; nla_for_each_nested(curr_attr, tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS], rem) { + + if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID")); ++ hdd_warn("Ignoring excess Preferred BSSID"); + break; + } + if (nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, nla_data(curr_attr), nla_len(curr_attr), -@@ -2012,6 +2023,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, +@@ -2545,6 +2556,10 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, roam_params.bssid_favored_factor[i]); i++; } + if (i < count) -+ hddLog(LOGW, -+ FL("Num Preferred BSSID %u less than expected %u"), -+ i, count); ++ hdd_warn("Num Preferred BSSID %u less than expected %u", ++ i, count); + roam_params.num_bssid_favored = i; sme_update_roam_params(pHddCtx->hHal, session_id, roam_params, REASON_ROAM_SET_FAVORED_BSSID); break; -@@ -2021,15 +2037,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of blacklist bssid failed")); +@@ -2554,14 +2569,24 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, + hdd_err("attr num of blacklist bssid failed"); goto fail; } - roam_params.num_bssid_avoid_list = nla_get_u32( + count = nla_get_u32( tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]); +- hdd_debug("Num of blacklist BSSID (%d)", +- roam_params.num_bssid_avoid_list); + if (count > MAX_BSSID_AVOID_LIST) { -+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_AVOID_LIST); ++ hdd_err("Blacklist BSSID count %u exceeds max %u", ++ count, MAX_BSSID_AVOID_LIST); + goto fail; + } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of blacklist BSSID (%d)"), -- 
roam_params.num_bssid_avoid_list); -+ FL("Num of blacklist BSSID: %d"), count); ++ hdd_debug("Num of blacklist BSSID (%d)", count); i = 0; nla_for_each_nested(curr_attr, tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS], rem) { + + if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID")); ++ hdd_warn("Ignoring excess Blacklist BSSID"); + break; + } + if (nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, nla_data(curr_attr), nla_len(curr_attr), -@@ -2050,6 +2076,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_avoid_list[i])); +@@ -2582,6 +2607,10 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, + roam_params.bssid_avoid_list[i].bytes)); i++; } + if (i < count) -+ hddLog(LOGW, -+ FL("Num Blacklist BSSID %u less than expected %u"), -+ i, count); ++ hdd_warn("Num Blacklist BSSID %u less than expected %u", ++ i, count); + roam_params.num_bssid_avoid_list = i; sme_update_roam_params(pHddCtx->hHal, session_id, roam_params, REASON_ROAM_SET_BLACKLIST_BSSID); break; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-0443/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0443/ANY/1.patch deleted file mode 100644 index acb3c306..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0443/ANY/1.patch +++ /dev/null 
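Review bot: In `__wlan_hdd_cfg80211_set_ext_roam_params` the loop index is still declared `int` (`int rem, i;`) while the new bound is `uint32_t count`, so `if (i == count)` is a mixed signed/unsigned comparison and the format specifiers are swapped: `i` is printed with `%u` in both `hdd_warn` calls and `count` with `%d` in both `hdd_debug` calls. This is harmless while `i` only counts up from zero, but the specifiers should match the types, e.g. `hdd_debug("Num of Preferred BSSID (%u)", count);` and `hdd_warn("Num Preferred BSSID %d less than expected %u", i, count);`, and likewise for the blacklist branch. The function starts and ends outside the hunks shown.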
@@ -1,127 +0,0 @@ -From 138c690bd39a3f1ba14450e308ebc56bbda1f5b2 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Mon, 28 Nov 2016 20:47:30 -0800 -Subject: [PATCH] qcacld-2.0: Avoid overflow of roam subcmd params - -Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor -command, for the following roam commands there are input validation -issues: - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID - -Both of these commands have a "number of BSSIDs" attribute as well as a -list of BSSIDs. However there is no validation that the number of -BSSIDs provided won't overflow the destination buffer. In addition -there is no validation that the number of BSSIDs actually provided -matches the number of BSSIDs expected. - -To address these issues, for the above mentioned commands: -* Verify that the expected number of BSSIDs doesn't exceed the maximum - allowed number of BSSIDs -* Verify that the actual number of BSSIDs supplied doesn't exceed the - expected number of BSSIDs -* Only process the actual number of supplied BSSIDs if it is less than - the expected number of BSSIDs. 
- -Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6 -CRs-Fixed: 1092497 -Bug: 32402310 32402604 32871330 -Signed-off-by: Srinivas Girigowda ---- - .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 43 +++++++++++++++++++--- - 1 file changed, 37 insertions(+), 6 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index 89dba5d54b627..fd23a304b93bd 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -1799,6 +1799,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1]; - int rem, i; - uint32_t buf_len = 0; -+ uint32_t count; - int ret; - - if (VOS_FTM_MODE == hdd_get_conparam()) { -@@ -1974,15 +1975,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of preferred bssid failed")); - goto fail; - } -- roam_params.num_bssid_favored = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]); -+ if (count > MAX_BSSID_FAVORED) { -+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_FAVORED); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of Preferred BSSID (%d)"), -- roam_params.num_bssid_favored); -+ FL("Num of Preferred BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2012,6 +2023,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_favored_factor[i]); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Preferred BSSID %u less than expected %u"), -+ i, 
count); -+ roam_params.num_bssid_favored = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_FAVORED_BSSID); - break; -@@ -2021,15 +2037,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - hddLog(LOGE, FL("attr num of blacklist bssid failed")); - goto fail; - } -- roam_params.num_bssid_avoid_list = nla_get_u32( -+ count = nla_get_u32( - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]); -+ if (count > MAX_BSSID_AVOID_LIST) { -+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"), -+ count, MAX_BSSID_AVOID_LIST); -+ goto fail; -+ } - hddLog(VOS_TRACE_LEVEL_DEBUG, -- FL("Num of blacklist BSSID (%d)"), -- roam_params.num_bssid_avoid_list); -+ FL("Num of blacklist BSSID: %d"), count); - i = 0; - nla_for_each_nested(curr_attr, - tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS], - rem) { -+ -+ if (i == count) { -+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID")); -+ break; -+ } -+ - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -@@ -2050,6 +2076,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - roam_params.bssid_avoid_list[i])); - i++; - } -+ if (i < count) -+ hddLog(LOGW, -+ FL("Num Blacklist BSSID %u less than expected %u"), -+ i, count); -+ roam_params.num_bssid_avoid_list = i; - sme_update_roam_params(pHddCtx->hHal, session_id, - roam_params, REASON_ROAM_SET_BLACKLIST_BSSID); - break; diff --git a/Patches/Linux_CVEs/CVE-2017-0444/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0444/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0444/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0444/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0445/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0445/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0445/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0445/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2017-0445/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0445/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0445/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2017-0445/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0445/ANY/2.patch b/Patches/Linux_CVEs/CVE-2017-0445/ANY/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0445/ANY/2.patch rename to Patches/Linux_CVEs/CVE-2017-0445/ANY/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0445/ANY/3.patch b/Patches/Linux_CVEs/CVE-2017-0445/ANY/0004.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0445/ANY/3.patch rename to Patches/Linux_CVEs/CVE-2017-0445/ANY/0004.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0446/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0446/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0446/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0446/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0447/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0447/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0447/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0447/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0449/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0449/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0449/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0449/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0451/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0451/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0451/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0451/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0451/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0451/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0451/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2017-0451/ANY/0002.patch 
diff --git a/Patches/Linux_CVEs/CVE-2017-0452/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0452/ANY/0.patch.base64 deleted file mode 100644 index e80cf439..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0452/ANY/0.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-0452/ANY/0.patch.dupe b/Patches/Linux_CVEs/CVE-2017-0452/ANY/0.patch.dupe deleted file mode 100644 index 82e484ca..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0452/ANY/0.patch.dupe +++ /dev/null @@ -1,36 +0,0 @@ -diff --git a/drivers/media/platform/msm/vidc/msm_vidc.c b/drivers/media/platform/msm/vidc/msm_vidc.c -index 0f55f32..b90ebc1 100644 ---- a/drivers/media/platform/msm/vidc/msm_vidc.c -+++ b/drivers/media/platform/msm/vidc/msm_vidc.c -@@ -1405,7 +1405,8 @@ - debugfs_remove_recursive(inst->debugfs_root); - - mutex_lock(&inst->pending_getpropq.lock); -- WARN_ON(!list_empty(&inst->pending_getpropq.list)); -+ WARN_ON(!list_empty(&inst->pending_getpropq.list) -+ && (msm_vidc_debug & VIDC_INFO)); - mutex_unlock(&inst->pending_getpropq.lock); - } - } -diff --git a/drivers/media/platform/msm/vidc/venus_hfi.c b/drivers/media/platform/msm/vidc/venus_hfi.c -index a7a391f..6f6d79a 100644 ---- a/drivers/media/platform/msm/vidc/venus_hfi.c -+++ b/drivers/media/platform/msm/vidc/venus_hfi.c -@@ -261,7 +261,7 @@ - rinfo->name); - } - } -- WARN_ON(!regulator_is_enabled(rinfo->regulator)); -+ WARN_ON(!regulator_is_enabled(rinfo->regulator) && (msm_vidc_debug & VIDC_INFO)); - return rc; - } - -@@ -3954,7 +3954,7 @@ - disable_regulator_failed: - - /* Bring attention to this issue */ -- WARN_ON(1); -+ WARN_ON(msm_vidc_debug & VIDC_INFO); - return rc; - } - diff --git a/Patches/Linux_CVEs/CVE-2017-0452/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0452/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0452/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2017-0452/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2017-0453/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0453/ANY/0001.patch similarity index 95% rename from Patches/Linux_CVEs/CVE-2017-0453/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0453/ANY/0001.patch index 9caa26bc..e41b97d8 100644 --- a/Patches/Linux_CVEs/CVE-2017-0453/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2017-0453/ANY/0001.patch @@ -1,4 +1,4 @@ -From 05af1f34723939f477cb7d25adb320d016d68513 Mon Sep 17 00:00:00 2001 +From 29c4ddb447b2d49409a9d0b93631f84a9d2e922e Mon Sep 17 00:00:00 2001 From: Manjeet Singh Date: Tue, 27 Dec 2016 17:48:37 +0530 Subject: qcacld-2.0: Add buf len check in wlan_hdd_cfg80211_testmode diff --git a/Patches/Linux_CVEs/CVE-2017-0453/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-0453/ANY/0002.patch new file mode 100644 index 00000000..3f8a3310 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0453/ANY/0002.patch 
@@ -0,0 +1,40 @@ +From a2959858f428acfca3ca4c61d3c10b446bfe9b60 Mon Sep 17 00:00:00 2001 +From: Manjeet Singh +Date: Tue, 3 Jan 2017 12:08:10 +0530 +Subject: qcacld-3.0: Add buf len check in wlan_hdd_cfg80211_testmode + +qcacld-2.0 to qcacld-3.0 propagation. + +In __wlan_hdd_cfg80211_testmode API no checks are in place that +ensure that buflen is smaller or equal the size of the stack +variable hb_params. Hence, the vos_mem_copy() call can overflow +stack memory. + +Add buf len check to avoid stack overflow + +CRs-Fixed: 1105085 +Change-Id: I6af6a74cc38ebce3337120adcf7e9595f22d3d8c +--- + core/hdd/src/wlan_hdd_cfg80211.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c +index 98b0012..1f34e4c 100644 +--- a/core/hdd/src/wlan_hdd_cfg80211.c ++++ b/core/hdd/src/wlan_hdd_cfg80211.c +@@ -14974,6 +14974,12 @@ static int __wlan_hdd_cfg80211_testmode(struct wiphy *wiphy, + timePeriodSec == 0)) + return -EINVAL; + ++ if (buf_len > sizeof(*hb_params)) { ++ hdd_err("buf_len=%d exceeded hb_params size limit", ++ buf_len); ++ return -ERANGE; ++ } ++ + hb_params = + (tSirLPHBReq *) qdf_mem_malloc(sizeof(tSirLPHBReq)); + if (NULL == hb_params) { +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-0453/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0453/ANY/0003.patch similarity index 89% rename from Patches/Linux_CVEs/CVE-2017-0453/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2017-0453/ANY/0003.patch index adf06bec..7aef755b 100644 --- a/Patches/Linux_CVEs/CVE-2017-0453/ANY/1.patch +++ b/Patches/Linux_CVEs/CVE-2017-0453/ANY/0003.patch @@ -1,4 +1,4 @@ -From dd88a6eb22a0df94c6414d1fe815d61e9dfb0a34 Mon Sep 17 00:00:00 2001 +From ddf864f37134df0960d337ff16e6f2435b4fe90c Mon Sep 17 00:00:00 2001 From: Manjeet Singh Date: Fri, 10 Feb 2017 19:03:38 +0530 Subject: wlan: Add buf len check in wlan_hdd_cfg80211_testmode 
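Review bot: The description carried into this new patch file still speaks of a stack variable and a vos_mem_copy() call, while the code it adds for qcacld-3.0 sits in front of a `qdf_mem_malloc(sizeof(tSirLPHBReq))` allocation. The guard would be easier to audit if it named the same type as the allocation, `if (buf_len > sizeof(tSirLPHBReq)) {`, with a comment such as `/* buf_len comes from the netlink attribute; bound it by the LPHB request size before the copy */`. The declaration of buf_len and the copy itself are outside the inner hunk. If buf_len is a signed int, the comparison against size_t also rejects negative values, which is worth stating in that comment.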
@@ -17,10 +17,10 @@ Change-Id: I6af6a74cc38ebce3337120adcf7e9595f22d3d8c 1 file changed, 6 insertions(+) diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c -index 35e33db..10d3da4 100644 +index 81c3944..0c0bca2 100644 --- a/CORE/HDD/src/wlan_hdd_cfg80211.c +++ b/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -19275,6 +19275,12 @@ static int __wlan_hdd_cfg80211_testmode(struct wiphy *wiphy, void *data, int len +@@ -16424,6 +16424,12 @@ static int __wlan_hdd_cfg80211_testmode(struct wiphy *wiphy, void *data, int len buf = nla_data(tb[WLAN_HDD_TM_ATTR_DATA]); buf_len = nla_len(tb[WLAN_HDD_TM_ATTR_DATA]); diff --git a/Patches/Linux_CVEs/CVE-2017-0454/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0454/3.10/0001.patch new file mode 100644 index 00000000..48e7fed3 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0454/3.10/0001.patch 
@@ -0,0 +1,119 @@ +From 01f3ad23574c85a060e6add7a20173621b5b2c77 Mon Sep 17 00:00:00 2001 +From: kunleiz +Date: Thu, 22 Dec 2016 18:03:37 +0800 +Subject: ASoC: msm: qdspv2: add mutex lock when access output buffer length + +Add mutex protection to avoid access output_len in parallel. + +CRs-Fixed: 1104067 +Change-Id: I4e17258e2abee9cd68152f4b79520b00003aa80d +Signed-off-by: kunleiz +--- + drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c +index d4fddf3..7a8e6f8 100644 +--- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c ++++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2014, 2016, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2014, 2016-2017, The Linux Foundation. All rights reserved. + * + * This software is licensed under the terms of the GNU General Public + * License version 2, as published by the Free Software Foundation, and +@@ -29,6 +29,8 @@ struct q6audio_effects { + struct audio_client *ac; + struct msm_hwacc_effects_config config; + ++ struct mutex lock; ++ + atomic_t in_count; + atomic_t out_count; + +@@ -231,8 +233,11 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, + uint32_t idx = 0; + uint32_t size = 0; + ++ mutex_lock(&effects->lock); ++ + if (!effects->started) { + rc = -EFAULT; ++ mutex_unlock(&effects->lock); + goto ioctl_fail; + } + +@@ -242,11 +247,13 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, + if (!rc) { + pr_err("%s: write wait_event_timeout\n", __func__); + rc = -EFAULT; ++ mutex_unlock(&effects->lock); + goto ioctl_fail; + } + if (!atomic_read(&effects->out_count)) { + pr_err("%s: pcm stopped out_count 0\n", __func__); + rc = -EFAULT; ++ mutex_unlock(&effects->lock); + goto ioctl_fail; + } + +@@ -256,6 +263,7 @@ static int 
audio_effects_shared_ioctl(struct file *file, unsigned cmd, + copy_from_user(bufptr, (void *)arg, + effects->config.buf_cfg.output_len)) { + rc = -EFAULT; ++ mutex_unlock(&effects->lock); + goto ioctl_fail; + } + rc = q6asm_write(effects->ac, +@@ -263,6 +271,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, + 0, 0, NO_TIMESTAMP); + if (rc < 0) { + rc = -EFAULT; ++ mutex_unlock(&effects->lock); + goto ioctl_fail; + } + atomic_dec(&effects->out_count); +@@ -270,6 +279,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, + pr_err("%s: AUDIO_EFFECTS_WRITE: Buffer dropped\n", + __func__); + } ++ mutex_unlock(&effects->lock); + break; + } + case AUDIO_EFFECTS_READ: { +@@ -458,6 +468,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd, + break; + } + case AUDIO_EFFECTS_SET_BUF_LEN: { ++ mutex_lock(&effects->lock); + if (copy_from_user(&effects->config.buf_cfg, (void *)arg, + sizeof(effects->config.buf_cfg))) { + pr_err("%s: copy from user for AUDIO_EFFECTS_SET_BUF_LEN failed\n", +@@ -467,6 +478,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd, + pr_debug("%s: write buf len: %d, read buf len: %d\n", + __func__, effects->config.buf_cfg.output_len, + effects->config.buf_cfg.input_len); ++ mutex_unlock(&effects->lock); + break; + } + case AUDIO_EFFECTS_GET_BUF_AVAIL: { +@@ -711,6 +723,7 @@ static int audio_effects_release(struct inode *inode, struct file *file) + } + q6asm_audio_client_free(effects->ac); + ++ mutex_destroy(&effects->lock); + kfree(effects); + + pr_debug("%s: close session success\n", __func__); +@@ -741,6 +754,7 @@ static int audio_effects_open(struct inode *inode, struct file *file) + + init_waitqueue_head(&effects->read_wait); + init_waitqueue_head(&effects->write_wait); ++ mutex_init(&effects->lock); + + effects->opened = 0; + effects->started = 0; +-- +cgit v1.1 + 
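Review bot: In the AUDIO_EFFECTS_WRITE case of this imported patch, `mutex_lock(&effects->lock)` is taken before the wait whose timeout is reported by `write wait_event_timeout`, so the lock appears to be held across a sleeping wait and a concurrent AUDIO_EFFECTS_SET_BUF_LEN would stall for that long. The wait call is outside the inner hunks, so this is inferred. The five added `mutex_unlock(&effects->lock);` lines, one before each `goto ioctl_fail`, are easy to miss when another error path is added; a single exit label that unlocks once, for example `ioctl_fail_unlock: mutex_unlock(&effects->lock);`, would be safer. AUDIO_EFFECTS_READ is not touched in the visible hunks although `input_len` lives in the same `buf_cfg` that SET_BUF_LEN rewrites, so it should be confirmed whether that path needs the lock as well. The 4.4 copy added as 0003.patch has the same shape.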
diff --git a/Patches/Linux_CVEs/CVE-2017-0454/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0454/3.18/0002.patch similarity index 98% rename from Patches/Linux_CVEs/CVE-2017-0454/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0454/3.18/0002.patch index af327397..ffa49b26 100644 --- a/Patches/Linux_CVEs/CVE-2017-0454/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2017-0454/3.18/0002.patch @@ -1,4 +1,4 @@ -From cb0701a2f99fa19f01fbd4249bda9a8eadb0241f Mon Sep 17 00:00:00 2001 +From 484349ebc927b7be6cc9187c6bd71ffb3f4112d1 Mon Sep 17 00:00:00 2001 From: kunleiz Date: Thu, 22 Dec 2016 18:03:37 +0800 Subject: ASoC: msm: qdspv2: add mutex lock when access output buffer length diff --git a/Patches/Linux_CVEs/CVE-2017-0454/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-0454/4.4/0003.patch new file mode 100644 index 00000000..48fd99e3 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0454/4.4/0003.patch 
@@ -0,0 +1,119 @@ +From 263bb8242e005803529cb7cd785354de817db88a Mon Sep 17 00:00:00 2001 +From: kunleiz +Date: Thu, 22 Dec 2016 18:03:37 +0800 +Subject: ASoC: msm: qdspv2: add mutex lock when access output buffer length + +Add mutex protection to avoid access output_len in parallel. + +CRs-Fixed: 1104067 +Change-Id: I4e17258e2abee9cd68152f4b79520b00003aa80d +Signed-off-by: kunleiz +--- + drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c +index 940fd08..9889d9c 100644 +--- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c ++++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2014-2017, The Linux Foundation. All rights reserved. + * + * This software is licensed under the terms of the GNU General Public + * License version 2, as published by the Free Software Foundation, and +@@ -29,6 +29,8 @@ struct q6audio_effects { + struct audio_client *ac; + struct msm_hwacc_effects_config config; + ++ struct mutex lock; ++ + atomic_t in_count; + atomic_t out_count; + +@@ -230,8 +232,11 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, + uint32_t idx = 0; + uint32_t size = 0; + ++ mutex_lock(&effects->lock); ++ + if (!effects->started) { + rc = -EFAULT; ++ mutex_unlock(&effects->lock); + goto ioctl_fail; + } + +@@ -241,11 +246,13 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, + if (!rc) { + pr_err("%s: write wait_event_timeout\n", __func__); + rc = -EFAULT; ++ mutex_unlock(&effects->lock); + goto ioctl_fail; + } + if (!atomic_read(&effects->out_count)) { + pr_err("%s: pcm stopped out_count 0\n", __func__); + rc = -EFAULT; ++ mutex_unlock(&effects->lock); + goto ioctl_fail; + } + +@@ -255,6 +262,7 @@ static int 
audio_effects_shared_ioctl(struct file *file, unsigned cmd, + copy_from_user(bufptr, (void *)arg, + effects->config.buf_cfg.output_len)) { + rc = -EFAULT; ++ mutex_unlock(&effects->lock); + goto ioctl_fail; + } + rc = q6asm_write(effects->ac, +@@ -262,6 +270,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, + 0, 0, NO_TIMESTAMP); + if (rc < 0) { + rc = -EFAULT; ++ mutex_unlock(&effects->lock); + goto ioctl_fail; + } + atomic_dec(&effects->out_count); +@@ -269,6 +278,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd, + pr_err("%s: AUDIO_EFFECTS_WRITE: Buffer dropped\n", + __func__); + } ++ mutex_unlock(&effects->lock); + break; + } + case AUDIO_EFFECTS_READ: { +@@ -466,6 +476,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd, + break; + } + case AUDIO_EFFECTS_SET_BUF_LEN: { ++ mutex_lock(&effects->lock); + if (copy_from_user(&effects->config.buf_cfg, (void *)arg, + sizeof(effects->config.buf_cfg))) { + pr_err("%s: copy from user for AUDIO_EFFECTS_SET_BUF_LEN failed\n", +@@ -475,6 +486,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd, + pr_debug("%s: write buf len: %d, read buf len: %d\n", + __func__, effects->config.buf_cfg.output_len, + effects->config.buf_cfg.input_len); ++ mutex_unlock(&effects->lock); + break; + } + case AUDIO_EFFECTS_GET_BUF_AVAIL: { +@@ -719,6 +731,7 @@ static int audio_effects_release(struct inode *inode, struct file *file) + } + q6asm_audio_client_free(effects->ac); + ++ mutex_destroy(&effects->lock); + kfree(effects); + + pr_debug("%s: close session success\n", __func__); +@@ -749,6 +762,7 @@ static int audio_effects_open(struct inode *inode, struct file *file) + + init_waitqueue_head(&effects->read_wait); + init_waitqueue_head(&effects->write_wait); ++ mutex_init(&effects->lock); + + effects->opened = 0; + effects->started = 0; +-- +cgit v1.1 + 
diff --git a/Patches/Linux_CVEs/CVE-2017-0455/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0455/ANY/0001.patch new file mode 100644 index 00000000..21f3f63d --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0455/ANY/0001.patch @@ -0,0 +1,30 @@ +From 2c00928b4884fdb0b1661bcc530d7e68c9561a2f Mon Sep 17 00:00:00 2001 +From: Parth Dixit +Date: Tue, 1 Nov 2016 16:06:21 +0530 +Subject: platform: msm_shared: return correct random number value + +random value returned from tz is truncated to one byte in +existing implementation. Copy all the bytes of random number +returned from tz. + +Change-Id: I12b609206448702d46a98d0fd5fb64b68b2c9801 +--- + platform/msm_shared/scm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/platform/msm_shared/scm.c b/platform/msm_shared/scm.c +index d5653b5..403441c 100644 +--- a/platform/msm_shared/scm.c ++++ b/platform/msm_shared/scm.c +@@ -1117,7 +1117,7 @@ int scm_random(uintptr_t * rbuf, uint32_t r_len) + } + + //Copy back into the return buffer +- *rbuf = *rand_buf; ++ memscpy(rbuf, r_len, rand_buf, sizeof(rand_buf)); + return ret; + } + +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-0456/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0456/ANY/0001.patch new file mode 100644 index 00000000..3f291a36 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0456/ANY/0001.patch 
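Review bot: The new `memscpy(rbuf, r_len, rand_buf, sizeof(rand_buf));` in scm_random() bounds the copy by `sizeof(rand_buf)`, and the declaration of rand_buf is outside the inner hunk. If rand_buf is a pointer, only pointer-size bytes are copied; if it is a fixed array, a caller asking for more than the array holds gets a partly filled buffer. In both cases the return value of memscpy is dropped and `ret` still reports success, so the tail of rbuf could be used as random data without having been written. A check such as `if (memscpy(rbuf, r_len, rand_buf, sizeof(rand_buf)) != r_len) ret = -1;` (error value to match the file's convention) would make a short copy visible to the caller.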
@@ -0,0 +1,38 @@ +From dfb170e243a3082a668f77ec0190af2c2bed9161 Mon Sep 17 00:00:00 2001 +From: Ghanim Fodi +Date: Wed, 8 Feb 2017 17:37:27 +0200 +Subject: msm: ipa: Update IPA rule temp buffer size + +IPA filtering and routing temp buffer size +should be big enough to contain the maximum possible +rule being composed. + +Change-Id: I3f4d7200a0117f41a69adaffcaec07abb19c46ee +CRs-fixed: 1099598 +Signed-off-by: Ghanim Fodi +--- + drivers/platform/msm/ipa/ipa_v2/ipa_i.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_i.h b/drivers/platform/msm/ipa/ipa_v2/ipa_i.h +index 2407f6c..e5f04fd 100644 +--- a/drivers/platform/msm/ipa/ipa_v2/ipa_i.h ++++ b/drivers/platform/msm/ipa/ipa_v2/ipa_i.h +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -133,7 +133,7 @@ + + #define IPA_HW_TABLE_ALIGNMENT(start_ofst) \ + (((start_ofst) + 127) & ~127) +-#define IPA_RT_FLT_HW_RULE_BUF_SIZE (128) ++#define IPA_RT_FLT_HW_RULE_BUF_SIZE (256) + + #define IPA_HDR_PROC_CTX_TABLE_ALIGNMENT_BYTE 8 + #define IPA_HDR_PROC_CTX_TABLE_ALIGNMENT(start_ofst) \ +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-0457/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-0457/3.10/0.patch deleted file mode 100644 index 886cd9c8..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0457/3.10/0.patch +++ /dev/null 
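Review bot: Raising `IPA_RT_FLT_HW_RULE_BUF_SIZE` from 128 to 256 fixes the overflow only as long as no composed rule exceeds 256 bytes, and nothing in the hunk ties the constant to the largest rule the generator can emit. The code that writes into the temporary buffer is outside this patch, so it cannot be confirmed here whether it checks its write offset against the constant. A comment on the define recording how 256 was derived, for instance `/* must be >= the largest rule the rule generator can compose (header + all equation fields) */`, would help. A bounds check at the write site would keep a later rule-format change from reopening the issue.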
@@ -1,33 +0,0 @@ -From c257f35acc3841f7b99730f01ba834c0575030de Mon Sep 17 00:00:00 2001 -From: Biswajit Paul -Date: Fri, 2 Dec 2016 12:54:53 -0800 -Subject: [PATCH] msm: ADSPRPC: Buffer length truncated while validation - -The buffer length that is being used to validate gets truncated -due to it being assigned to wrong type causing invalid memory -to be accessed when the actual buffer length is used to copy -user buffer contents. - -Bug: 31695439 -CRs-Fixed: 1086123 -Change-Id: If04dee27b8bae04eef7455773d9f4327fd008a21 -Signed-off-by: Sathish Ambley -Signed-off-by: Biswajit Paul ---- - drivers/char/adsprpc.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c -index f99855c0cacf5..53396b7839497 100644 ---- a/drivers/char/adsprpc.c -+++ b/drivers/char/adsprpc.c -@@ -719,7 +719,8 @@ static int get_page_list(uint32_t kernel, struct smq_invoke_ctx *ctx) - pgstart->size = obuf->size; - for (i = 0; i < inbufs + outbufs; ++i) { - void *buf; -- int len, num; -+ int num; -+ ssize_t len; - - list[i].num = 0; - list[i].pgidx = 0; diff --git a/Patches/Linux_CVEs/CVE-2017-0457/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0457/3.10/0001.patch new file mode 100644 index 00000000..98cf6c68 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0457/3.10/0001.patch 
@@ -0,0 +1,68 @@ +From 7d87c5cf051c49c7b3bdb8abe4051b0aef41c87d Mon Sep 17 00:00:00 2001 +From: Sathish Ambley +Date: Tue, 13 Dec 2016 15:27:30 -0800 +Subject: msm: ADSPRPC: Buffer length to be copied is truncated + +The buffer length that is being used to allocate gets truncated +due to it being assigned to wrong type causing a much smaller +buffer to be allocated than what is required for copying. + +Change-Id: I30818acd42bd282837c7c7aa16d56d3b95d4dfe7 +Signed-off-by: Sathish Ambley +--- + drivers/char/adsprpc.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c +index f505d09..1224843 100644 +--- a/drivers/char/adsprpc.c ++++ b/drivers/char/adsprpc.c +@@ -787,9 +787,9 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx, + void *args; + remote_arg_t *pra = ctx->pra; + remote_arg_t *rpra = ctx->rpra; +- ssize_t rlen, used, size; ++ ssize_t rlen, used, size, copylen = 0; + uint32_t sc = ctx->sc, start; +- int i, inh, bufs = 0, err = 0, oix, copylen = 0; ++ int i, inh, bufs = 0, err = 0, oix; + int inbufs = REMOTE_SCALARS_INBUFS(sc); + int outbufs = REMOTE_SCALARS_OUTBUFS(sc); + int cid = ctx->fdata->cid; +@@ -838,13 +838,23 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx, + /* calculate len requreed for copying */ + for (oix = 0; oix < inbufs + outbufs; ++oix) { + int i = ctx->overps[oix]->raix; ++ uintptr_t mstart, mend; ++ + if (!pra[i].buf.len) + continue; + if (list[i].num) + continue; + if (ctx->overps[oix]->offset == 0) + copylen = ALIGN(copylen, BALIGN); +- copylen += ctx->overps[oix]->mend - ctx->overps[oix]->mstart; ++ mstart = ctx->overps[oix]->mstart; ++ mend = ctx->overps[oix]->mend; ++ VERIFY(err, (mend - mstart) <= LONG_MAX); ++ if (err) ++ goto bail; ++ copylen += mend - mstart; ++ VERIFY(err, copylen >= 0); ++ if (err) ++ goto bail; + } + + /* alocate new buffer */ +@@ -870,7 +880,7 @@ static int get_args(uint32_t kernel, struct 
smq_invoke_ctx *ctx, + /* copy non ion buffers */ + for (oix = 0; oix < inbufs + outbufs; ++oix) { + int i = ctx->overps[oix]->raix; +- int mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart; ++ ssize_t mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart; + if (!pra[i].buf.len) + continue; + if (list[i].num) +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-0457/3.10/1.patch b/Patches/Linux_CVEs/CVE-2017-0457/3.10/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0457/3.10/1.patch rename to Patches/Linux_CVEs/CVE-2017-0457/3.10/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0457/3.18/2.patch b/Patches/Linux_CVEs/CVE-2017-0457/3.18/0003.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0457/3.18/2.patch rename to Patches/Linux_CVEs/CVE-2017-0457/3.18/0003.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0458/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0458/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0458/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0458/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0459/3.10/1.patch b/Patches/Linux_CVEs/CVE-2017-0459/3.10/1.patch deleted file mode 100644 index 6196e87f..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0459/3.10/1.patch +++ /dev/null 
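Review bot: In the length-calculation loop of get_args(), the overflow of `copylen` is detected only after the addition (`copylen += mend - mstart;` followed by `VERIFY(err, copylen >= 0);`), which relies on signed wrap-around being defined for the build. Checking the remaining headroom before adding avoids that dependency: `VERIFY(err, (mend - mstart) <= (uintptr_t)(LONG_MAX - copylen));`. The preceding `copylen = ALIGN(copylen, BALIGN);` can also push the value past the limit and is not verified. In the later copy loop, `ssize_t mlen` is computed from the same `mend - mstart` difference without the range check; that is safe only while the overlap entries cannot change between the two loops, which the hunk does not show.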
@@ -1,55 +0,0 @@ -From b4e374926ddc325840cda704aea1eb0c49d7f0e3 Mon Sep 17 00:00:00 2001 -From: Skylar Chang -Date: Wed, 30 Nov 2016 14:41:24 -0800 -Subject: msm: ipa: fix the potential heap overflow on wan-driver - -Add the check on rmnet_ipa3_set_tether_client_pipe API -to make sure not accessing move than QMI_IPA_MAX_PIPES_V01 -entries when user-space module compromised. - -Change-Id: I59d39c7e5743dfea17853b6c4709605d4ebae962 -Signed-off-by: Skylar Chang ---- - drivers/platform/msm/ipa/rmnet_ipa.c | 19 ++++++++++++++++++- - 1 file changed, 18 insertions(+), 1 deletion(-) - -diff --git a/drivers/platform/msm/ipa/rmnet_ipa.c b/drivers/platform/msm/ipa/rmnet_ipa.c -index ddae8c5..c274ee1 100644 ---- a/drivers/platform/msm/ipa/rmnet_ipa.c -+++ b/drivers/platform/msm/ipa/rmnet_ipa.c -@@ -2426,7 +2426,7 @@ int rmnet_ipa_set_data_quota(struct wan_ioctl_set_data_quota *data) - * - * Return codes: - * 0: Success -- * -EFAULT: Invalid interface name provided -+ * -EFAULT: Invalid src/dst pipes provided - * other: See ipa_qmi_set_data_quota - */ - int rmnet_ipa_set_tether_client_pipe( -@@ -2434,6 +2434,23 @@ int rmnet_ipa_set_tether_client_pipe( - { - int number, i; - -+ /* error checking if ul_src_pipe_len valid or not*/ -+ if (data->ul_src_pipe_len > QMI_IPA_MAX_PIPES_V01 || -+ data->ul_src_pipe_len < 0) { -+ IPAWANERR("UL src pipes %d exceeding max %d\n", -+ data->ul_src_pipe_len, -+ QMI_IPA_MAX_PIPES_V01); -+ return -EFAULT; -+ } -+ /* error checking if dl_dst_pipe_len valid or not*/ -+ if (data->dl_dst_pipe_len > QMI_IPA_MAX_PIPES_V01 || -+ data->dl_dst_pipe_len < 0) { -+ IPAWANERR("DL dst pipes %d exceeding max %d\n", -+ data->dl_dst_pipe_len, -+ QMI_IPA_MAX_PIPES_V01); -+ return -EFAULT; -+ } -+ - IPAWANDBG("client %d, UL %d, DL %d, reset %d\n", - data->ipa_client, - data->ul_src_pipe_len, --- -cgit v1.1 - 
diff --git a/Patches/Linux_CVEs/CVE-2017-0459/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0459/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0459/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0459/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0460/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0460/3.10/0001.patch
new file mode 100644
index 00000000..1894a635
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-0460/3.10/0001.patch
@@ -0,0 +1,52 @@
+From 93dd37c412dbadff9d5b1b6f7b317713192cab2b Mon Sep 17 00:00:00 2001
+From: Conner Huff
+Date: Thu, 26 Jan 2017 11:52:17 -0800
+Subject: net: rmnet_data: Fix incorrect netlink handling
+
+rmnet_data netlink handler currently does not check for the
+incoming process pid and instead just loops back the pid.
+A malicious root user could potentially send a message with
+source pid 0 and this could cause rmnet_data to loop the message
+back till an out of memory situation occurs.
+
+rmnet_data also does not check for the message length of the
+incoming netlink messages and instead casts the netlink message
+without checking for the boundary.
+
+Fix these two scenarios by adding the pid and message length checks
+respectively.
+
+Bug: 31252965
+CRs-Fixed: 1098801
+Change-Id: I172c1a7112e67e82959b397af7ddfd963d819bdc
+Signed-off-by: Conner Huff
+---
+ net/rmnet_data/rmnet_data_config.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/rmnet_data/rmnet_data_config.c b/net/rmnet_data/rmnet_data_config.c
+index 2a4f56b..04d63989 100644
+--- a/net/rmnet_data/rmnet_data_config.c
++++ b/net/rmnet_data/rmnet_data_config.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2013-2015, 2017 The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -531,6 +531,11 @@ void rmnet_config_netlink_msg_handler(struct sk_buff *skb)
+ nlmsg_header = (struct nlmsghdr *) skb->data;
+ rmnet_header = (struct rmnet_nl_msg_s *) nlmsg_data(nlmsg_header);
+
++ if (!nlmsg_header->nlmsg_pid ||
++ (nlmsg_header->nlmsg_len < sizeof(struct nlmsghdr) +
++ sizeof(struct rmnet_nl_msg_s)))
++ return;
++
+ LOGL("Netlink message pid=%d, seq=%d, length=%d, rmnet_type=%d",
+ nlmsg_header->nlmsg_pid,
+ nlmsg_header->nlmsg_seq,
+--
+cgit v1.1
+
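Review bot: The added length test in `rmnet_config_netlink_msg_handler` compares only the sender-supplied `nlmsg_len` with the two struct sizes, so a short skb whose header declares a large `nlmsg_len` would still pass and reach the later `rmnet_header` accesses. `nlmsg_header` is also read from `skb->data` before anything visible confirms that the skb holds a full `struct nlmsghdr`. I would bound both against the real buffer ahead of the existing test, `if (!nlmsg_ok(nlmsg_header, skb->len)) return;`, unless the caller already guarantees it; the function starts and continues outside the hunk, so that cannot be confirmed here. The same hunk is carried in 3.18/0002.patch and 4.4/0003.patch, which would need the same check.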
diff --git a/Patches/Linux_CVEs/CVE-2017-0460/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-0460/3.18/0002.patch
new file mode 100644
index 00000000..28fe2cee
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-0460/3.18/0002.patch
@@ -0,0 +1,52 @@
+From 8e2e23126709ebffa1bd91e1a6ac77e16714d852 Mon Sep 17 00:00:00 2001
+From: Conner Huff
+Date: Thu, 12 Jan 2017 22:09:16 -0700
+Subject: net: rmnet_data: Fix incorrect netlink handling
+
+rmnet_data netlink handler currently does not check for the
+incoming process pid and instead just loops back the pid.
+A malicious root user could potentially send a message with
+source pid 0 and this could cause rmnet_data to loop the message
+back till an out of memory situation occurs.
+
+rmnet_data also does not check for the message length of the
+incoming netlink messages and instead casts the netlink message
+without checking for the boundary.
+
+Fix these two scenarios by adding the pid and message length checks
+respectively.
+
+Bug: 31252965
+CRs-Fixed: 1098801
+Change-Id: I172c1a7112e67e82959b397af7ddfd963d819bdc
+Signed-off-by: Conner Huff
+---
+ net/rmnet_data/rmnet_data_config.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/rmnet_data/rmnet_data_config.c b/net/rmnet_data/rmnet_data_config.c
+index 9f5a2cc..7876b74 100644
+--- a/net/rmnet_data/rmnet_data_config.c
++++ b/net/rmnet_data/rmnet_data_config.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2013-2015, 2017 The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -531,6 +531,11 @@ void rmnet_config_netlink_msg_handler(struct sk_buff *skb)
+ nlmsg_header = (struct nlmsghdr *) skb->data;
+ rmnet_header = (struct rmnet_nl_msg_s *) nlmsg_data(nlmsg_header);
+
++ if (!nlmsg_header->nlmsg_pid ||
++ (nlmsg_header->nlmsg_len < sizeof(struct nlmsghdr) +
++ sizeof(struct rmnet_nl_msg_s)))
++ return;
++
+ LOGL("Netlink message pid=%d, seq=%d, length=%d, rmnet_type=%d",
+ nlmsg_header->nlmsg_pid,
+ nlmsg_header->nlmsg_seq,
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-0460/3.10/1.patch b/Patches/Linux_CVEs/CVE-2017-0460/4.4/0003.patch similarity index 63% rename from Patches/Linux_CVEs/CVE-2017-0460/3.10/1.patch rename to Patches/Linux_CVEs/CVE-2017-0460/4.4/0003.patch index b74435bc..f42e4f26 100644 --- a/Patches/Linux_CVEs/CVE-2017-0460/3.10/1.patch +++ b/Patches/Linux_CVEs/CVE-2017-0460/4.4/0003.patch @@ -1,7 +1,7 @@ -From 3d63c530096ccd118ab7078c7b9f93c040f803bd Mon Sep 17 00:00:00 2001 -From: Subash Abhinov Kasiviswanathan +From 85cccedb0cae0331228cc58fa91d31810018df98 Mon Sep 17 00:00:00 2001 +From: Conner Huff Date: Thu, 12 Jan 2017 22:09:16 -0700 -Subject: [PATCH] net: rmnet_data: Fix incorrect netlink handling +Subject: net: rmnet_data: Fix incorrect netlink handling rmnet_data netlink handler currently does not check for the incoming process pid and instead just loops back the pid. @@ -19,16 +19,23 @@ respectively. Bug: 31252965 CRs-Fixed: 1098801 Change-Id: I172c1a7112e67e82959b397af7ddfd963d819bdc -Signed-off-by: Subash Abhinov Kasiviswanathan +Signed-off-by: Conner Huff --- - net/rmnet_data/rmnet_data_config.c | 5 +++++ - 1 file changed, 5 insertions(+) + net/rmnet_data/rmnet_data_config.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/rmnet_data/rmnet_data_config.c b/net/rmnet_data/rmnet_data_config.c -index f6653588c023d..d47389806161e 100644 +index ebce455..fb4c60f 100644 --- a/net/rmnet_data/rmnet_data_config.c 
+++ b/net/rmnet_data/rmnet_data_config.c -@@ -529,6 +529,11 @@ void rmnet_config_netlink_msg_handler(struct sk_buff *skb) +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved. ++ * Copyright (c) 2013-2017, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -540,6 +540,11 @@ void rmnet_config_netlink_msg_handler(struct sk_buff *skb) nlmsg_header = (struct nlmsghdr *) skb->data; rmnet_header = (struct rmnet_nl_msg_s *) nlmsg_data(nlmsg_header); @@ -40,3 +47,6 @@ index f6653588c023d..d47389806161e 100644 LOGL("Netlink message pid=%d, seq=%d, length=%d, rmnet_type=%d", nlmsg_header->nlmsg_pid, nlmsg_header->nlmsg_seq, +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-0460/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0460/ANY/0.patch deleted file mode 100644 index fdb304ea..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0460/ANY/0.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff --git a/net/rmnet_data/rmnet_data_config.c b/net/rmnet_data/rmnet_data_config.c -index f665358..d473898 100644 ---- a/net/rmnet_data/rmnet_data_config.c -+++ b/net/rmnet_data/rmnet_data_config.c -@@ -529,6 +529,11 @@ - nlmsg_header = (struct nlmsghdr *) skb->data; - rmnet_header = (struct rmnet_nl_msg_s *) nlmsg_data(nlmsg_header); - -+ if (!nlmsg_header->nlmsg_pid || -+ (nlmsg_header->nlmsg_len < sizeof(struct nlmsghdr) + -+ sizeof(struct rmnet_nl_msg_s))) -+ return; -+ - LOGL("Netlink message pid=%d, seq=%d, length=%d, rmnet_type=%d", - nlmsg_header->nlmsg_pid, - nlmsg_header->nlmsg_seq, diff --git a/Patches/Linux_CVEs/CVE-2017-0460/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0460/ANY/0.patch.base64 deleted file mode 100644 index ee5a8d76..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0460/ANY/0.patch.base64 +++ /dev/null 
@@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-0461/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0461/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0461/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0461/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0461/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0461/ANY/1.patch deleted file mode 100644 index d893b235..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0461/ANY/1.patch +++ /dev/null 
@@ -1,53 +0,0 @@
-From 02bd3c61ccb5a68eee42e6cfc59fc8d7120167a2 Mon Sep 17 00:00:00 2001
-From: Pothula Hanumantha Reddy
-Date: Wed, 28 Dec 2016 17:55:19 +0530
-Subject: prima: Fix array out-of-bounds & integer underflow in _iw_set_genie
-
-qcacld-2.0 to prima propagation
-
-'wrqu->data.length' holds the total number of IE data buffer.
-Add a check to make sure the number of remaining data to be read is
-greater than or equal to IE length.
-Also, advance the buffer pointer to point to the next element only
-if next element is present.
-
-Change-Id: Ic60f3e0650f365955dab4099eb8740e9789e00cc
-CRs-Fixed: 1100132
----
- CORE/HDD/src/wlan_hdd_wext.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
-index 07d2e6b..91bc35c 100644
---- a/CORE/HDD/src/wlan_hdd_wext.c
-+++ b/CORE/HDD/src/wlan_hdd_wext.c
-@@ -2565,6 +2565,13 @@ static int __iw_set_genie(struct net_device *dev,
- hddLog(VOS_TRACE_LEVEL_INFO, "%s: IE[0x%X], LEN[%d]",
- __func__, elementId, eLen);
-
-+ if (remLen < eLen) {
-+ hddLog(LOGE, "Remaining len: %u less than ie len: %u",
-+ remLen, eLen);
-+ ret = -EINVAL;
-+ goto exit;
-+ }
-+
- switch ( elementId )
- {
- case IE_EID_VENDOR:
-@@ -2647,8 +2654,11 @@ static int __iw_set_genie(struct net_device *dev,
- hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, elementId);
- goto exit;
- }
-- genie += eLen;
- remLen -= eLen;
-+
-+ /* Move genie only if next element is present */
-+ if (remLen >= 2)
-+ genie += eLen;
- }
-
- exit:
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-0462/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0462/3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0462/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0462/3.18/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0462/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-0462/4.4/0002.patch
new file mode 100644
index 00000000..aeb09e15
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-0462/4.4/0002.patch 
@@ -0,0 +1,63 @@
+From 9a71e9a686942ae3c491061ab275a3678ee2819a Mon Sep 17 00:00:00 2001
+From: ahmedsh
+Date: Mon, 9 Jan 2017 17:24:09 -0500
+Subject: seemp: use local stack mem when encoding params
+
+Avoid race condition in driver when encoding param by
+reading contents from a local copy instead of msg buffer
+itself which can be mapped to user space.
+
+Change-Id: I405ca6c7fcb0afa112e0851907b5dca805ac5411
+Signed-off-by: Ahmed Sheikh
+---
+ .../platform/msm/seemp_core/seemp_event_encoder.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/platform/msm/seemp_core/seemp_event_encoder.c b/drivers/platform/msm/seemp_core/seemp_event_encoder.c
+index df56a84..36901f5 100644
+--- a/drivers/platform/msm/seemp_core/seemp_event_encoder.c
++++ b/drivers/platform/msm/seemp_core/seemp_event_encoder.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2015, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2015, 2017, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -48,9 +48,15 @@ static void check_param_range(char *section_eq, bool param,
+
+ void encode_seemp_params(struct seemp_logk_blk *blk)
+ {
+- char *s = blk->payload.msg + 1;
++ struct seemp_logk_blk tmp;
++ char *s = 0;
++ char *msg_section_start = 0;
++ char *msg_section_eq = 0;
++ char *msg_s = 0;
+
+- blk->payload.msg[BLK_MAX_MSG_SZ - 1] = 0; /* zero-terminate */
++ memcpy(tmp.payload.msg, blk->payload.msg, BLK_MAX_MSG_SZ);
++ s = tmp.payload.msg + 1;
++ tmp.payload.msg[BLK_MAX_MSG_SZ - 1] = 0; /* zero-terminate */
+
+ while (true) {
+ char *section_start = s;
+@@ -105,8 +111,13 @@ void encode_seemp_params(struct seemp_logk_blk *blk)
+ }
+ }
+
+- encode_seemp_section(section_start, section_eq, s, param,
+- numeric, id, numeric_value);
++ msg_section_start = blk->payload.msg + (section_start -
++ tmp.payload.msg);
++ msg_section_eq = blk->payload.msg + (section_eq -
++ tmp.payload.msg);
++ msg_s = blk->payload.msg + (s - tmp.payload.msg);
++ encode_seemp_section(msg_section_start, msg_section_eq,
++ msg_s, param, numeric, id, numeric_value);
+
+ if (*s == 0)
+ break;
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-0463/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0463/3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0463/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0463/3.18/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0463/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-0463/4.4/0002.patch
new file mode 100644
index 00000000..03048d21
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-0463/4.4/0002.patch
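Review bot: `struct seemp_logk_blk tmp;` in `encode_seemp_params` puts a whole log block on the kernel stack although only `tmp.payload.msg` is ever used, and the size of that struct is not visible in this hunk. A plain `char msg_copy[BLK_MAX_MSG_SZ];` would hold the snapshot with less stack, with the `tmp.payload.msg` references switched to it (or a heap buffer if `BLK_MAX_MSG_SZ` turns out to be large). The new pointer locals would also read better initialised with `NULL` than with `0`. A short comment above the `memcpy`, saying that parsing runs on the snapshot while `encode_seemp_section` still writes into the shared `blk->payload.msg`, would keep the two buffers from being mixed up later. The loop body between the two inner hunks is not shown here.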
@@ -0,0 +1,35 @@
+From 32c229060ca33b816c50eedc136ea2800f9974df Mon Sep 17 00:00:00 2001
+From: Karthikeyan Ramasubramanian
+Date: Thu, 15 Dec 2016 08:13:20 -0700
+Subject: net: ipc_router: Register services only on client port
+
+Allowing services to be registered on a non-client port will cause either
+an existing service or a control port to be over-written. This will cause
+undefined functional behavior.
+
+Allow the services to be registered only on client ports.
+
+CRs-Fixed: 1101792
+Change-Id: If6cfc75e9314204b7b44957f1598a8a2e1a45325
+Signed-off-by: Karthikeyan Ramasubramanian
+---
+ net/ipc_router/ipc_router_core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/ipc_router/ipc_router_core.c b/net/ipc_router/ipc_router_core.c
+index 008d034f..d23799a 100644
+--- a/net/ipc_router/ipc_router_core.c
++++ b/net/ipc_router/ipc_router_core.c
+@@ -2809,6 +2809,9 @@ int msm_ipc_router_register_server(struct msm_ipc_port *port_ptr,
+ if (!port_ptr || !name)
+ return -EINVAL;
+
++ if (port_ptr->type != CLIENT_PORT)
++ return -EINVAL;
++
+ if (name->addrtype != MSM_IPC_ADDR_NAME)
+ return -EINVAL;
+
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-0464/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0464/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0464/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0464/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0464/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0464/ANY/1.patch
deleted file mode 100644
index c61af867..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0464/ANY/1.patch
+++ /dev/null
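Review bot: The new `port_ptr->type != CLIENT_PORT` test in `msm_ipc_router_register_server` carries no comment, so the reason for it lives only in the commit message. I would add `/* Servers may only be registered on client ports; any other port type would overwrite an existing service or control port. */` directly above the check. The function continues outside the hunk.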
@@ -1,2021 +0,0 @@ -From c593cd332c42b2a813f0ab72e2e33980430fb47b Mon Sep 17 00:00:00 2001 -From: Hanumanth Reddy Pothula -Date: Fri, 21 Aug 2015 19:58:01 +0530 -Subject: wlan: Remove obsolete set/reset ssid hotlist - -Remove obsolete set/reset ssid hotlist. - -Change-Id: Ie6c4a9847f2daa9ba2aebd17f386d584201b86d6 -CRs-Fixed: 2049138 ---- - CORE/HDD/inc/wlan_hdd_cfg80211.h | 19 +- - CORE/HDD/src/wlan_hdd_cfg80211.c | 612 -------------------------------------- - CORE/MAC/inc/sirApi.h | 60 ---- - CORE/SME/inc/sme_Api.h | 21 -- - CORE/SME/src/sme_common/sme_Api.c | 111 ------- - CORE/WDA/src/wlan_qct_wda.c | 265 ----------------- - CORE/WDI/CP/inc/wlan_qct_wdi.h | 65 +--- - CORE/WDI/CP/inc/wlan_qct_wdi_i.h | 41 --- - CORE/WDI/CP/src/wlan_qct_wdi.c | 462 +--------------------------- - 9 files changed, 13 insertions(+), 1643 deletions(-) - -diff --git a/CORE/HDD/inc/wlan_hdd_cfg80211.h b/CORE/HDD/inc/wlan_hdd_cfg80211.h -index d1ca157..6307b18 100644 ---- a/CORE/HDD/inc/wlan_hdd_cfg80211.h -+++ b/CORE/HDD/inc/wlan_hdd_cfg80211.h -@@ -179,10 +179,12 @@ enum qca_nl80211_vendor_subcmds { - QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_INFO = 61, - /* Start Wifi Memory Dump */ - QCA_NL80211_VENDOR_SUBCMD_WIFI_LOGGER_MEMORY_DUMP = 63, -- QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SSID_HOTLIST = 65, -- QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_RESET_SSID_HOTLIST = 66, -- QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_FOUND = 67, -- QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_LOST = 68, -+ -+ /* -+ * APIs corresponding to the sub commands 65-68 are deprecated. 
-+ * These sub commands are reserved and not supposed to be used -+ * for any other purpose -+ */ - - /* Wi-Fi Configuration subcommands */ - QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION = 74, -@@ -230,11 +232,6 @@ enum qca_nl80211_vendor_subcmds_index { - QCA_NL80211_VENDOR_SUBCMD_NAN_INDEX, - QCA_NL80211_VENDOR_SUBCMD_WIFI_LOGGER_MEMORY_DUMP_INDEX, - -- QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SSID_HOTLIST_INDEX, -- QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_RESET_SSID_HOTLIST_INDEX, -- QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_FOUND_INDEX, -- QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_LOST_INDEX, -- - QCA_NL80211_VENDOR_SUBCMD_MONITOR_RSSI_INDEX, - QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_AP_LOST_INDEX, - QCA_NL80211_VENDOR_SUBCMD_NUD_STATS_GET_INDEX, -@@ -1046,10 +1043,6 @@ enum qca_wlan_vendor_attr_extscan_results - /* Unsigned 32bit value; a EXTSCAN Capabilities attribute. */ - QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_CAPABILITIES_MAX_NUM_WHITELISTED_SSID, - -- /* EXTSCAN attributes for -- * QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_FOUND sub-command & -- * QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_LOST sub-command -- */ - /* Use attr QCA_WLAN_VENDOR_ATTR_EXTSCAN_NUM_RESULTS_AVAILABLE - * to indicate number of results. 
- */ -diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c -index 719a56c..2caef5e 100644 ---- a/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -2533,70 +2533,6 @@ static void wlan_hdd_cfg80211_extscan_reset_bss_hotlist_rsp(void *ctx, - return; - } - --static void wlan_hdd_cfg80211_extscan_set_ssid_hotlist_rsp(void *ctx, -- void *pMsg) --{ -- hdd_context_t *pHddCtx = (hdd_context_t *)ctx; -- tpSirEXTScanSetSsidHotListRspParams pData = -- (tpSirEXTScanSetSsidHotListRspParams) pMsg; -- struct hdd_ext_scan_context *context; -- -- if (wlan_hdd_validate_context(pHddCtx)){ -- return; -- } -- -- if (!pMsg) -- { -- hddLog(VOS_TRACE_LEVEL_ERROR, FL("pMsg is null")); -- return; -- } -- -- hddLog(VOS_TRACE_LEVEL_INFO, "Req Id %u Status %u", pData->requestId, -- pData->status); -- -- context = &pHddCtx->ext_scan_context; -- spin_lock(&hdd_context_lock); -- if (context->request_id == pData->requestId) { -- context->response_status = pData->status ? -EINVAL : 0; -- complete(&context->response_event); -- } -- spin_unlock(&hdd_context_lock); -- -- return; --} -- --static void wlan_hdd_cfg80211_extscan_reset_ssid_hotlist_rsp(void *ctx, -- void *pMsg) --{ -- hdd_context_t *pHddCtx = (hdd_context_t *)ctx; -- tpSirEXTScanResetSsidHotlistRspParams pData = -- (tpSirEXTScanResetSsidHotlistRspParams) pMsg; -- struct hdd_ext_scan_context *context; -- -- if (wlan_hdd_validate_context(pHddCtx)) { -- return; -- } -- if (!pMsg) -- { -- hddLog(VOS_TRACE_LEVEL_ERROR, FL("pMsg is null")); -- return; -- } -- -- hddLog(VOS_TRACE_LEVEL_INFO, "Req Id %u Status %u", pData->requestId, -- pData->status); -- -- context = &pHddCtx->ext_scan_context; -- spin_lock(&hdd_context_lock); -- if (context->request_id == pData->requestId) { -- context->response_status = pData->status ? 
-EINVAL : 0; -- complete(&context->response_event); -- } -- spin_unlock(&hdd_context_lock); -- -- return; --} -- -- - static void wlan_hdd_cfg80211_extscan_cached_results_ind(void *ctx, - void *pMsg) - { -@@ -3004,156 +2940,6 @@ fail: - - } - --/** -- * wlan_hdd_cfg80211_extscan_hotlist_ssid_match_ind() - -- * Handle an SSID hotlist match event -- * @ctx: HDD context registered with SME -- * @event: The SSID hotlist match event -- * -- * This function will take an SSID match event that was generated by -- * firmware and will convert it into a cfg80211 vendor event which is -- * sent to userspace. -- * -- * Return: none -- */ --static void --wlan_hdd_cfg80211_extscan_hotlist_ssid_match_ind(void *ctx, -- void *pMsg) --{ -- hdd_context_t *hdd_ctx = ctx; -- struct sk_buff *skb; -- tANI_U32 i, index; -- tpSirEXTScanSsidHotlistMatch pData = (tpSirEXTScanSsidHotlistMatch) pMsg; -- -- ENTER(); -- -- if (wlan_hdd_validate_context(hdd_ctx)) { -- hddLog(LOGE, -- FL("HDD context is not valid or response")); -- return; -- } -- if (!pMsg) -- { -- hddLog(VOS_TRACE_LEVEL_ERROR, FL("pMsg is null")); -- return; -- } -- -- if (pData->ssid_found) { -- index = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_FOUND_INDEX; -- hddLog(LOG1, "SSID hotlist found"); -- } else { -- index = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_LOST_INDEX; -- hddLog(LOG1, "SSID hotlist lost"); -- } -- -- skb = cfg80211_vendor_event_alloc(hdd_ctx->wiphy, --#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 18, 0)) -- NULL, --#endif -- EXTSCAN_EVENT_BUF_SIZE + NLMSG_HDRLEN, -- index, GFP_KERNEL); -- -- if (!skb) { -- hddLog(LOGE, FL("cfg80211_vendor_event_alloc failed")); -- return; -- } -- hddLog(LOG1, "Req Id %u, Num of SSIDs %u, More Data (%u)", -- pData->requestId, pData->numHotlistSsid, pData->moreData); -- -- for (i = 0; i < pData->numHotlistSsid; i++) { -- hddLog(LOG1, "[i=%d] Timestamp %llu " -- "Ssid: %s " -- "Bssid (" MAC_ADDRESS_STR ") " -- "Channel %u " -- "Rssi %d " -- "RTT %u " -- "RTT_SD %u", -- 
i, -- pData->ssidHotlist[i].ts, -- pData->ssidHotlist[i].ssid, -- MAC_ADDR_ARRAY(pData->ssidHotlist[i].bssid), -- pData->ssidHotlist[i].channel, -- pData->ssidHotlist[i].rssi, -- pData->ssidHotlist[i].rtt, -- pData->ssidHotlist[i].rtt_sd); -- } -- -- if (nla_put_u32(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_REQUEST_ID, -- pData->requestId) || -- nla_put_u32(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_NUM_RESULTS_AVAILABLE, -- pData->numHotlistSsid)) { -- hddLog(LOGE, FL("put fail")); -- goto fail; -- } -- -- if (pData->numHotlistSsid) { -- struct nlattr *aps; -- aps = nla_nest_start(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_LIST); -- if (!aps) { -- hddLog(LOGE, FL("nest fail")); -- goto fail; -- } -- -- for (i = 0; i < pData->numHotlistSsid; i++) { -- struct nlattr *ap; -- -- ap = nla_nest_start(skb, i); -- if (!ap) { -- hddLog(LOGE, FL("nest fail")); -- goto fail; -- } -- -- if (nla_put_u64(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_TIME_STAMP, -- pData->ssidHotlist[i].ts) || -- nla_put(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_SSID, -- sizeof(pData->ssidHotlist[i].ssid), -- pData->ssidHotlist[i].ssid) || -- nla_put(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_BSSID, -- sizeof(pData->ssidHotlist[i].bssid), -- pData->ssidHotlist[i].bssid) || -- nla_put_u32(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_CHANNEL, -- pData->ssidHotlist[i].channel) || -- nla_put_s32(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_RSSI, -- pData->ssidHotlist[i].rssi) || -- nla_put_u32(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_RTT, -- pData->ssidHotlist[i].rtt) || -- nla_put_u32(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_RTT_SD, -- pData->ssidHotlist[i].rtt_sd)) { -- hddLog(LOGE, FL("put fail")); -- goto fail; -- } -- nla_nest_end(skb, ap); -- } -- nla_nest_end(skb, aps); -- -- if (nla_put_u8(skb, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_RESULTS_SCAN_RESULT_MORE_DATA, -- pData->moreData)) { -- 
hddLog(LOGE, FL("put fail")); -- goto fail; -- } -- } -- -- cfg80211_vendor_event(skb, GFP_KERNEL); -- return; -- --fail: -- kfree_skb(skb); -- return; -- --} -- -- - static void wlan_hdd_cfg80211_extscan_full_scan_result_event(void *ctx, - void *pMsg) - { -@@ -3429,14 +3215,6 @@ void wlan_hdd_cfg80211_extscan_callback(void *ctx, const tANI_U16 evType, - wlan_hdd_cfg80211_extscan_reset_bss_hotlist_rsp(ctx, pMsg); - break; - -- case SIR_HAL_EXTSCAN_SET_SSID_HOTLIST_RSP: -- wlan_hdd_cfg80211_extscan_set_ssid_hotlist_rsp(ctx, pMsg); -- break; -- -- case SIR_HAL_EXTSCAN_RESET_SSID_HOTLIST_RSP: -- wlan_hdd_cfg80211_extscan_reset_ssid_hotlist_rsp(ctx, pMsg); -- break; -- - case SIR_HAL_EXTSCAN_GET_CAPABILITIES_RSP: - wlan_hdd_cfg80211_extscan_get_capabilities_rsp(ctx, pMsg); - break; -@@ -3452,9 +3230,6 @@ void wlan_hdd_cfg80211_extscan_callback(void *ctx, const tANI_U16 evType, - case SIR_HAL_EXTSCAN_HOTLIST_MATCH_IND: - wlan_hdd_cfg80211_extscan_hotlist_match_ind(ctx, pMsg); - break; -- case SIR_HAL_EXTSCAN_SSID_HOTLIST_MATCH_IND: -- wlan_hdd_cfg80211_extscan_hotlist_ssid_match_ind(ctx, pMsg); -- break; - case SIR_HAL_EXTSCAN_FULL_SCAN_RESULT_IND: - wlan_hdd_cfg80211_extscan_full_scan_result_event(ctx, pMsg); - break; -@@ -3875,361 +3650,6 @@ static int wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy, - return ret; - } - --/* -- * define short names for the global vendor params -- * used by wlan_hdd_cfg80211_extscan_set_ssid_hotlist() -- */ --#define PARAM_MAX \ --QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX --#define PARAM_REQUEST_ID \ --QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID --#define PARAMS_LOST_SSID_SAMPLE_SIZE \ --QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_HOTLIST_PARAMS_LOST_SSID_SAMPLE_SIZE --#define PARAMS_NUM_SSID \ --QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_HOTLIST_PARAMS_NUM_SSID --#define THRESHOLD_PARAM \ --QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM --#define PARAM_SSID \ 
--QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_SSID --#define PARAM_BAND \ --QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_BAND --#define PARAM_RSSI_LOW \ --QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_RSSI_LOW --#define PARAM_RSSI_HIGH \ --QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_RSSI_HIGH -- --/** -- * __wlan_hdd_cfg80211_extscan_set_ssid_hotlist() - set ssid hot list -- * @wiphy: Pointer to wireless phy -- * @wdev: Pointer to wireless device -- * @data: Pointer to data -- * @data_len: Data length -- * -- * Return: 0 on success, negative errno on failure -- */ --static int --__wlan_hdd_cfg80211_extscan_set_ssid_hotlist(struct wiphy *wiphy, -- struct wireless_dev *wdev, -- const void *data, -- int data_len) --{ -- tSirEXTScanSetSsidHotListReqParams *request; -- struct net_device *dev = wdev->netdev; -- hdd_adapter_t *adapter = WLAN_HDD_GET_PRIV_PTR(dev); -- hdd_context_t *hdd_ctx = wiphy_priv(wiphy); -- struct nlattr *tb[PARAM_MAX + 1]; -- struct nlattr *tb2[PARAM_MAX + 1]; -- struct nlattr *ssids; -- struct hdd_ext_scan_context *context; -- uint32_t request_id; -- char ssid_string[SIR_MAC_MAX_SSID_LENGTH + 1] = {'\0'}; -- int ssid_len; -- int ssid_length; -- eHalStatus status; -- int i, rem, retval; -- unsigned long rc; -- -- ENTER(); -- -- if (VOS_FTM_MODE == hdd_get_conparam()) { -- hddLog(LOGE, FL("Command not allowed in FTM mode")); -- return -EINVAL; -- } -- -- retval = wlan_hdd_validate_context(hdd_ctx); -- if (0 != retval) { -- hddLog(LOGE, FL("HDD context is not valid")); -- return -EINVAL; -- } -- -- /* check the EXTScan Capability */ -- if ( (TRUE != hdd_ctx->cfg_ini->fEnableEXTScan) || -- (TRUE != sme_IsFeatureSupportedByFW(EXTENDED_SCAN)) || -- (TRUE != sme_IsFeatureSupportedByFW(EXT_SCAN_ENHANCED))) -- { -- hddLog(VOS_TRACE_LEVEL_ERROR, -- FL("EXTScan not enabled/supported by Firmware")); -- return -EINVAL; -- } -- -- if (nla_parse(tb, PARAM_MAX, -- data, data_len, -- wlan_hdd_extscan_config_policy)) { -- hddLog(LOGE, 
FL("Invalid ATTR")); -- return -EINVAL; -- } -- -- request = vos_mem_malloc(sizeof(*request)); -- if (!request) { -- hddLog(LOGE, FL("vos_mem_malloc failed")); -- return -ENOMEM; -- } -- -- /* Parse and fetch request Id */ -- if (!tb[PARAM_REQUEST_ID]) { -- hddLog(LOGE, FL("attr request id failed")); -- goto fail; -- } -- -- request->request_id = nla_get_u32(tb[PARAM_REQUEST_ID]); -- hddLog(LOG1, FL("Request Id %d"), request->request_id); -- -- /* Parse and fetch lost SSID sample size */ -- if (!tb[PARAMS_LOST_SSID_SAMPLE_SIZE]) { -- hddLog(LOGE, FL("attr number of Ssid failed")); -- goto fail; -- } -- request->lost_ssid_sample_size = -- nla_get_u32(tb[PARAMS_LOST_SSID_SAMPLE_SIZE]); -- hddLog(LOG1, FL("Lost SSID Sample Size %d"), -- request->lost_ssid_sample_size); -- -- /* Parse and fetch number of hotlist SSID */ -- if (!tb[PARAMS_NUM_SSID]) { -- hddLog(LOGE, FL("attr number of Ssid failed")); -- goto fail; -- } -- request->ssid_count = nla_get_u32(tb[PARAMS_NUM_SSID]); -- hddLog(LOG1, FL("Number of SSID %d"), request->ssid_count); -- -- request->session_id = adapter->sessionId; -- hddLog(LOG1, FL("Session Id (%d)"), request->session_id); -- -- i = 0; -- nla_for_each_nested(ssids, tb[THRESHOLD_PARAM], rem) { -- if (i >= WLAN_EXTSCAN_MAX_HOTLIST_SSIDS) { -- hddLog(LOGE, -- FL("Too Many SSIDs, %d exceeds %d"), -- i, WLAN_EXTSCAN_MAX_HOTLIST_SSIDS); -- break; -- } -- if (nla_parse(tb2, PARAM_MAX, -- nla_data(ssids), nla_len(ssids), -- wlan_hdd_extscan_config_policy)) { -- hddLog(LOGE, FL("nla_parse failed")); -- goto fail; -- } -- -- /* Parse and fetch SSID */ -- if (!tb2[PARAM_SSID]) { -- hddLog(LOGE, FL("attr ssid failed")); -- goto fail; -- } -- ssid_length = nla_strlcpy(ssid_string, tb2[PARAM_SSID], -- sizeof(ssid_string)); -- hddLog(LOG1, FL("SSID %s"), -- ssid_string); -- ssid_len = strlen(ssid_string); -- if (ssid_length >= SIR_MAC_MAX_SSID_LENGTH) { -- hddLog(LOGE, FL("Invalid ssid length")); -- goto fail; -- } -- memcpy(request->ssid[i].ssid.ssId, 
ssid_string, ssid_len); -- request->ssid[i].ssid.length = ssid_len; -- request->ssid[i].ssid.ssId[ssid_len] = '\0'; -- hddLog(LOG1, FL("After copying SSID %s"), -- request->ssid[i].ssid.ssId); -- hddLog(LOG1, FL("After copying length: %d"), -- ssid_len); -- -- /* Parse and fetch low RSSI */ -- if (!tb2[PARAM_BAND]) { -- hddLog(LOGE, FL("attr band failed")); -- goto fail; -- } -- request->ssid[i].band = nla_get_u8(tb2[PARAM_BAND]); -- hddLog(LOG1, FL("band %d"), request->ssid[i].band); -- -- /* Parse and fetch low RSSI */ -- if (!tb2[PARAM_RSSI_LOW]) { -- hddLog(LOGE, FL("attr low RSSI failed")); -- goto fail; -- } -- request->ssid[i].rssi_low = nla_get_s32(tb2[PARAM_RSSI_LOW]); -- hddLog(LOG1, FL("RSSI low %d"), request->ssid[i].rssi_low); -- -- /* Parse and fetch high RSSI */ -- if (!tb2[PARAM_RSSI_HIGH]) { -- hddLog(LOGE, FL("attr high RSSI failed")); -- goto fail; -- } -- request->ssid[i].rssi_high = nla_get_u32(tb2[PARAM_RSSI_HIGH]); -- hddLog(LOG1, FL("RSSI high %d"), request->ssid[i].rssi_high); -- i++; -- } -- -- context = &hdd_ctx->ext_scan_context; -- spin_lock(&hdd_context_lock); -- INIT_COMPLETION(context->response_event); -- context->request_id = request_id = request->request_id; -- spin_unlock(&hdd_context_lock); -- -- status = sme_set_ssid_hotlist(hdd_ctx->hHal, request); -- if (!HAL_STATUS_SUCCESS(status)) { -- hddLog(LOGE, -- FL("sme_set_ssid_hotlist failed(err=%d)"), status); -- goto fail; -- } -- -- vos_mem_free(request); -- -- /* request was sent -- wait for the response */ -- rc = wait_for_completion_timeout(&context->response_event, -- msecs_to_jiffies -- (WLAN_WAIT_TIME_EXTSCAN)); -- if (!rc) { -- hddLog(LOGE, FL("sme_set_ssid_hotlist timed out")); -- retval = -ETIMEDOUT; -- } else { -- spin_lock(&hdd_context_lock); -- if (context->request_id == request_id) -- retval = context->response_status; -- else -- retval = -EINVAL; -- spin_unlock(&hdd_context_lock); -- } -- -- return retval; -- --fail: -- vos_mem_free(request); -- return -EINVAL; --} 
-- --/* -- * done with short names for the global vendor params -- * used by wlan_hdd_cfg80211_extscan_set_ssid_hotlist() -- */ --#undef PARAM_MAX --#undef PARAM_REQUEST_ID --#undef PARAMS_NUM_SSID --#undef THRESHOLD_PARAM --#undef PARAM_SSID --#undef PARAM_BAND --#undef PARAM_RSSI_LOW --#undef PARAM_RSSI_HIGH -- --static int wlan_hdd_cfg80211_extscan_set_ssid_hotlist(struct wiphy *wiphy, -- struct wireless_dev *wdev, -- const void *data, int dataLen) --{ -- int ret = 0; -- -- vos_ssr_protect(__func__); -- ret = __wlan_hdd_cfg80211_extscan_set_ssid_hotlist(wiphy, wdev, data, -- dataLen); -- vos_ssr_unprotect(__func__); -- -- return ret; --} -- --static int --__wlan_hdd_cfg80211_extscan_reset_ssid_hotlist(struct wiphy *wiphy, -- struct wireless_dev *wdev, -- const void *data, -- int data_len) --{ -- tSirEXTScanResetSsidHotlistReqParams request; -- struct net_device *dev = wdev->netdev; -- hdd_adapter_t *adapter = WLAN_HDD_GET_PRIV_PTR(dev); -- hdd_context_t *hdd_ctx = wiphy_priv(wiphy); -- struct nlattr *tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX + 1]; -- struct hdd_ext_scan_context *context; -- uint32_t request_id; -- eHalStatus status; -- int retval; -- unsigned long rc; -- -- ENTER(); -- -- if (VOS_FTM_MODE == hdd_get_conparam()) { -- hddLog(LOGE, FL("Command not allowed in FTM mode")); -- return -EINVAL; -- } -- -- retval = wlan_hdd_validate_context(hdd_ctx); -- if (0 != retval) { -- hddLog(LOGE, FL("HDD context is not valid")); -- return -EINVAL; -- } -- -- /* check the EXTScan Capability */ -- if ( (TRUE != hdd_ctx->cfg_ini->fEnableEXTScan) || -- (TRUE != sme_IsFeatureSupportedByFW(EXTENDED_SCAN)) || -- (TRUE != sme_IsFeatureSupportedByFW(EXT_SCAN_ENHANCED))) -- { -- hddLog(LOGE, -- FL("EXTScan not enabled/supported by Firmware")); -- return -EINVAL; -- } -- -- if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX, -- data, data_len, -- wlan_hdd_extscan_config_policy)) { -- hddLog(LOGE, FL("Invalid ATTR")); -- return -EINVAL; -- } 
-- -- /* Parse and fetch request Id */ -- if (!tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID]) { -- hddLog(LOGE, FL("attr request id failed")); -- return -EINVAL; -- } -- -- request.requestId = nla_get_u32( -- tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID]); -- request.sessionId = adapter->sessionId; -- hddLog(LOG1, FL("Request Id %d Session Id %d"), request.requestId, -- request.sessionId); -- -- context = &hdd_ctx->ext_scan_context; -- spin_lock(&hdd_context_lock); -- INIT_COMPLETION(context->response_event); -- context->request_id = request_id = request.requestId; -- spin_unlock(&hdd_context_lock); -- -- status = sme_reset_ssid_hotlist(hdd_ctx->hHal, &request); -- if (!HAL_STATUS_SUCCESS(status)) { -- hddLog(LOGE, -- FL("sme_reset_ssid_hotlist failed(err=%d)"), status); -- return -EINVAL; -- } -- -- /* request was sent -- wait for the response */ -- rc = wait_for_completion_timeout(&context->response_event, -- msecs_to_jiffies -- (WLAN_WAIT_TIME_EXTSCAN)); -- if (!rc) { -- hddLog(LOGE, FL("sme_reset_ssid_hotlist timed out")); -- retval = -ETIMEDOUT; -- } else { -- spin_lock(&hdd_context_lock); -- if (context->request_id == request_id) -- retval = context->response_status; -- else -- retval = -EINVAL; -- spin_unlock(&hdd_context_lock); -- } -- -- return retval; --} -- --static int --wlan_hdd_cfg80211_extscan_reset_ssid_hotlist(struct wiphy *wiphy, -- struct wireless_dev *wdev, -- const void *data, -- int data_len) --{ -- int ret; -- -- vos_ssr_protect(__func__); -- ret = __wlan_hdd_cfg80211_extscan_reset_ssid_hotlist(wiphy, wdev, -- data, data_len); -- vos_ssr_unprotect(__func__); -- -- return ret; --} -- - static int __wlan_hdd_cfg80211_extscan_get_valid_channels(struct wiphy *wiphy, - struct wireless_dev *wdev, - const void *data, int dataLen) -@@ -8017,22 +7437,6 @@ const struct wiphy_vendor_command hdd_wiphy_vendor_commands[] = - WIPHY_VENDOR_CMD_NEED_RUNNING, - .doit = wlan_hdd_cfg80211_extscan_reset_bssid_hotlist - }, -- { 
-- .info.vendor_id = QCA_NL80211_VENDOR_ID, -- .info.subcmd = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SSID_HOTLIST, -- .flags = WIPHY_VENDOR_CMD_NEED_WDEV | -- WIPHY_VENDOR_CMD_NEED_NETDEV | -- WIPHY_VENDOR_CMD_NEED_RUNNING, -- .doit = wlan_hdd_cfg80211_extscan_set_ssid_hotlist -- }, -- { -- .info.vendor_id = QCA_NL80211_VENDOR_ID, -- .info.subcmd = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_RESET_SSID_HOTLIST, -- .flags = WIPHY_VENDOR_CMD_NEED_WDEV | -- WIPHY_VENDOR_CMD_NEED_NETDEV | -- WIPHY_VENDOR_CMD_NEED_RUNNING, -- .doit = wlan_hdd_cfg80211_extscan_reset_ssid_hotlist -- }, - #endif /* WLAN_FEATURE_EXTSCAN */ - /*EXT TDLS*/ - { -@@ -8260,22 +7664,6 @@ struct nl80211_vendor_cmd_info wlan_hdd_cfg80211_vendor_events[] = - .vendor_id = QCA_NL80211_VENDOR_ID, - .subcmd = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_RESET_BSSID_HOTLIST - }, -- { -- .vendor_id = QCA_NL80211_VENDOR_ID, -- .subcmd = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SSID_HOTLIST -- }, -- { -- .vendor_id = QCA_NL80211_VENDOR_ID, -- .subcmd = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_RESET_SSID_HOTLIST -- }, -- [QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_FOUND_INDEX] = { -- .vendor_id = QCA_NL80211_VENDOR_ID, -- .subcmd = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_FOUND -- }, -- [QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_LOST_INDEX] = { -- .vendor_id = QCA_NL80211_VENDOR_ID, -- .subcmd = QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_HOTLIST_SSID_LOST -- }, - #endif /* WLAN_FEATURE_EXTSCAN */ - /*EXT TDLS*/ - { -diff --git a/CORE/MAC/inc/sirApi.h b/CORE/MAC/inc/sirApi.h -index bf39d4b..f1d59c4 100644 ---- a/CORE/MAC/inc/sirApi.h -+++ b/CORE/MAC/inc/sirApi.h -@@ -143,7 +143,6 @@ typedef tANI_U8 tSirVersionString[SIR_VERSION_STRING_LEN]; - #define WLAN_EXTSCAN_MAX_BUCKETS 16 - #define WLAN_EXTSCAN_MAX_HOTLIST_APS 128 - #define WLAN_EXTSCAN_MAX_RSSI_SAMPLE_SIZE 8 --#define WLAN_EXTSCAN_MAX_HOTLIST_SSIDS 8 - #endif /* WLAN_FEATURE_EXTSCAN */ - - #define WLAN_DISA_MAX_PAYLOAD_SIZE 1600 -@@ -5630,22 +5629,6 @@ typedef PACKED_PRE struct 
PACKED_POST - tANI_U8 result[1]; - } tSirWifiScanResultEvent, *tpSirWifiScanResultEvent; - --/* WLAN_HAL_SSID_HOTLIST_RESULT_IND */ -- --typedef PACKED_PRE struct PACKED_POST --{ -- tANI_U32 requestId; -- tANI_BOOLEAN ssid_found; -- tANI_U32 numHotlistSsid; // numbers of SSIDs -- -- /* -- * 0 for last fragment -- * 1 still more fragment(s) coming -- */ -- tANI_BOOLEAN moreData; -- tSirWifiScanResult ssidHotlist[1]; --} tSirEXTScanSsidHotlistMatch, *tpSirEXTScanSsidHotlistMatch; -- - typedef PACKED_PRE struct PACKED_POST - { - tANI_U8 elemId; // Element Identifier -@@ -5775,49 +5758,6 @@ typedef PACKED_PRE struct PACKED_POST - tANI_U32 status; - } tSirEXTScanResetBssidHotlistRspParams, *tpSirEXTScanResetBssidHotlistRspParams; - --typedef struct --{ -- tANI_U32 requestId; -- tANI_U8 sessionId; --} tSirEXTScanResetSsidHotlistReqParams, *tpSirEXTScanResetSsidHotlistReqParams; -- --typedef PACKED_PRE struct PACKED_POST --{ -- tANI_U32 requestId; -- tANI_U32 status; --} tSirEXTScanResetSsidHotlistRspParams, *tpSirEXTScanResetSsidHotlistRspParams; -- -- --/** -- * struct sir_ssid_hotlist_param - param for SSID Hotlist -- * @ssid: SSID which is being hotlisted -- * @band: Band in which the given SSID should be scanned -- * @rssi_low: Low bound on RSSI -- * @rssi_high: High bound on RSSI -- */ --typedef struct --{ -- tSirMacSSid ssid; -- tANI_U8 band; -- tANI_S32 rssi_low; -- tANI_S32 rssi_high; --}tSirSsidThresholdParam, *tpSirSsidThresholdParam; -- --typedef struct --{ -- tANI_U32 request_id; -- tANI_U8 session_id; -- tANI_U32 lost_ssid_sample_size; -- tANI_U32 ssid_count; -- tSirSsidThresholdParam ssid[WLAN_EXTSCAN_MAX_HOTLIST_SSIDS]; --}tSirEXTScanSetSsidHotListReqParams, *tpSirEXTScanSetSsidHotListReqParams; -- --typedef PACKED_PRE struct PACKED_POST --{ -- tANI_U32 requestId; -- tANI_U32 status; --} tSirEXTScanSetSsidHotListRspParams, *tpSirEXTScanSetSsidHotListRspParams; -- - /*--------------------------------------------------------------------------- - * * 
WLAN_HAL_EXTSCAN_RESULT_AVAILABLE_IND - * *-------------------------------------------------------------------------*/ -diff --git a/CORE/SME/inc/sme_Api.h b/CORE/SME/inc/sme_Api.h -index cf65a45..7039efc 100644 ---- a/CORE/SME/inc/sme_Api.h -+++ b/CORE/SME/inc/sme_Api.h -@@ -293,27 +293,6 @@ eHalStatus sme_SetBssHotlist (tHalHandle hHal, - eHalStatus sme_ResetBssHotlist (tHalHandle hHal, - tSirEXTScanResetBssidHotlistReqParams *pResetReq); - --/** -- * sme_set_ssid_hotlist() - Set the SSID hotlist -- * @hal: SME handle -- * @request: set ssid hotlist request -- * -- * Return: eHalStatus -- */ --eHalStatus sme_set_ssid_hotlist(tHalHandle hal, -- tSirEXTScanSetSsidHotListReqParams *request); -- --/* --------------------------------------------------------------------------- -- \fn sme_ResetBssHotlist -- \brief SME API to reset BSSID hotlist -- \param hHal -- \param pSetHotListReq: Extented Scan set hotlist structure -- \- return eHalStatus -- -------------------------------------------------------------------------*/ --eHalStatus sme_reset_ssid_hotlist (tHalHandle hHal, -- tSirEXTScanResetSsidHotlistReqParams *pResetReq); -- -- - /* --------------------------------------------------------------------------- - \fn sme_getCachedResults - \brief SME API to get cached results -diff --git a/CORE/SME/src/sme_common/sme_Api.c b/CORE/SME/src/sme_common/sme_Api.c -index 2caf735..05d20d2 100644 ---- a/CORE/SME/src/sme_common/sme_Api.c -+++ b/CORE/SME/src/sme_common/sme_Api.c -@@ -13416,117 +13416,6 @@ eHalStatus sme_ResetBssHotlist (tHalHandle hHal, - return(status); - } - --/** -- * sme_set_ssid_hotlist() - Set the SSID hotlist -- * @hal: SME handle -- * @request: set ssid hotlist request -- * -- * Return: eHalStatus -- */ --eHalStatus --sme_set_ssid_hotlist(tHalHandle hal, -- tSirEXTScanSetSsidHotListReqParams *request) --{ -- eHalStatus status; -- VOS_STATUS vstatus; -- tpAniSirGlobal mac = PMAC_STRUCT(hal); -- vos_msg_t vos_message; -- tSirEXTScanSetSsidHotListReqParams 
*set_req; -- int i; -- -- set_req = vos_mem_malloc(sizeof(*set_req)); -- if (!set_req) { -- VOS_TRACE(VOS_MODULE_ID_SME, VOS_TRACE_LEVEL_ERROR, -- "%s: Not able to allocate memory for WDA_EXTSCAN_SET_SSID_HOTLIST_REQ", -- __func__); -- return eHAL_STATUS_FAILURE; -- } -- -- *set_req = *request; -- -- -- -- for( i = 0; i < set_req->ssid_count; i++){ -- -- VOS_TRACE(VOS_MODULE_ID_SME, VOS_TRACE_LEVEL_ERROR, -- "%s: SSID %s \n length: %d", -- __func__, set_req->ssid[i].ssid.ssId, set_req->ssid[i].ssid.length); -- } -- -- MTRACE(vos_trace(VOS_MODULE_ID_SME, -- TRACE_CODE_SME_RX_HDD_EXTSCAN_SET_SSID_HOTLIST, NO_SESSION, 0)); -- -- status = sme_AcquireGlobalLock(&mac->sme); -- if (eHAL_STATUS_SUCCESS == status) { -- /* Serialize the req through MC thread */ -- vos_message.bodyptr = set_req; -- vos_message.type = WDA_EXTSCAN_SET_SSID_HOTLIST_REQ; -- vstatus = vos_mq_post_message(VOS_MQ_ID_WDA, &vos_message); -- sme_ReleaseGlobalLock(&mac->sme); -- if (!VOS_IS_STATUS_SUCCESS(vstatus)) { -- vos_mem_free(set_req); -- status = eHAL_STATUS_FAILURE; -- } -- } else { -- VOS_TRACE(VOS_MODULE_ID_SME, VOS_TRACE_LEVEL_ERROR, -- "%s: sme_AcquireGlobalLock error", __func__); -- vos_mem_free(set_req); -- status = eHAL_STATUS_FAILURE; -- } -- return status; --} -- --/** -- * sme_reset_ssid_hotlist() - Set the SSID hotlist -- * @hal: SME handle -- * @request: reset ssid hotlist request -- * -- * Return: eHalStatus -- */ --eHalStatus --sme_reset_ssid_hotlist(tHalHandle hal, -- tSirEXTScanResetSsidHotlistReqParams *request) --{ -- eHalStatus status; -- VOS_STATUS vstatus; -- tpAniSirGlobal mac = PMAC_STRUCT(hal); -- vos_msg_t vos_message; -- tSirEXTScanResetSsidHotlistReqParams *set_req; -- -- set_req = vos_mem_malloc(sizeof(*set_req)); -- if (!set_req) { -- VOS_TRACE(VOS_MODULE_ID_SME, VOS_TRACE_LEVEL_ERROR, -- "%s: Not able to allocate memory for WDA_EXTSCAN_SET_SSID_HOTLIST_REQ", -- __func__); -- return eHAL_STATUS_FAILURE; -- } -- -- *set_req = *request; -- -- 
MTRACE(vos_trace(VOS_MODULE_ID_SME, -- TRACE_CODE_SME_RX_HDD_EXTSCAN_RESET_SSID_HOTLIST, NO_SESSION, 0)); -- -- status = sme_AcquireGlobalLock(&mac->sme); -- if (eHAL_STATUS_SUCCESS == status) { -- /* Serialize the req through MC thread */ -- vos_message.bodyptr = set_req; -- vos_message.type = WDA_EXTSCAN_RESET_SSID_HOTLIST_REQ; -- vstatus = vos_mq_post_message(VOS_MQ_ID_WDA, &vos_message); -- sme_ReleaseGlobalLock(&mac->sme); -- if (!VOS_IS_STATUS_SUCCESS(vstatus)) { -- vos_mem_free(set_req); -- status = eHAL_STATUS_FAILURE; -- } -- } else { -- VOS_TRACE(VOS_MODULE_ID_SME, VOS_TRACE_LEVEL_ERROR, -- "%s: sme_AcquireGlobalLock error", __func__); -- vos_mem_free(set_req); -- status = eHAL_STATUS_FAILURE; -- } -- return status; --} -- -- - /* --------------------------------------------------------------------------- - \fn sme_getCachedResults - \brief SME API to get cached results -diff --git a/CORE/WDA/src/wlan_qct_wda.c b/CORE/WDA/src/wlan_qct_wda.c -index 5d58542..83a5229 100644 ---- a/CORE/WDA/src/wlan_qct_wda.c -+++ b/CORE/WDA/src/wlan_qct_wda.c -@@ -259,10 +259,6 @@ VOS_STATUS WDA_ProcessEXTScanSetBSSIDHotlistReq(tWDA_CbContext *pWDA, - tSirEXTScanSetBssidHotListReqParams *wdaRequest); - VOS_STATUS WDA_ProcessEXTScanResetBSSIDHotlistReq(tWDA_CbContext *pWDA, - tSirEXTScanResetBssidHotlistReqParams *wdaRequest); --VOS_STATUS WDA_ProcessEXTScanSetSSIDHotlistReq(tWDA_CbContext *pWDA, -- tSirEXTScanSetSsidHotListReqParams *wdaRequest); --VOS_STATUS WDA_ProcessEXTScanResetSSIDHotlistReq(tWDA_CbContext *pWDA, -- tSirEXTScanResetSsidHotlistReqParams *wdaRequest); - VOS_STATUS WDA_ProcessHighPriorityDataInfoInd(tWDA_CbContext *pWDA, - tSirHighPriorityDataInfoInd *wdaRequest); - #endif /* WLAN_FEATURE_EXTSCAN */ -@@ -16144,18 +16140,6 @@ VOS_STATUS WDA_McProcessMsg( v_CONTEXT_t pVosContext, vos_msg_t *pMsg ) - (tSirEXTScanResetBssidHotlistReqParams *)pMsg->bodyptr); - break; - } -- case WDA_EXTSCAN_SET_SSID_HOTLIST_REQ: -- { -- WDA_ProcessEXTScanSetSSIDHotlistReq(pWDA, 
-- (tSirEXTScanSetSsidHotListReqParams *)pMsg->bodyptr); -- break; -- } -- case WDA_EXTSCAN_RESET_SSID_HOTLIST_REQ: -- { -- WDA_ProcessEXTScanResetSSIDHotlistReq(pWDA, -- (tSirEXTScanResetSsidHotlistReqParams *)pMsg->bodyptr); -- break; -- } - case WDA_HIGH_PRIORITY_DATA_INFO_IND: - { - WDA_ProcessHighPriorityDataInfoInd(pWDA, -@@ -17384,7 +17368,6 @@ void WDA_lowLevelIndCallback(WDI_LowLevelIndType *wdiLowLevelInd, - case WDI_EXTSCAN_SCAN_AVAILABLE_IND: - case WDI_EXTSCAN_SCAN_RESULT_IND: - case WDI_EXTSCAN_BSSID_HOTLIST_RESULT_IND: -- case WDI_EXTSCAN_SSID_HOTLIST_RESULT_IND: - { - void *pEXTScanData; - void *pCallbackContext; -@@ -17431,14 +17414,6 @@ void WDA_lowLevelIndCallback(WDI_LowLevelIndType *wdiLowLevelInd, - VOS_TRACE(VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_INFO, - "WDI_EXTSCAN Indication is WDI_EXTSCAN_BSSID_HOTLIST_RESULT_IND"); - } -- if (wdiLowLevelInd->wdiIndicationType == -- WDI_EXTSCAN_SSID_HOTLIST_RESULT_IND) -- { -- indType = WDA_EXTSCAN_SSID_HOTLIST_RESULT_IND; -- -- VOS_TRACE(VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_INFO, -- "WDI_EXTSCAN Indication is WDI_EXTSCAN_SSID_HOTLIST_RESULT_IND"); -- } - - pEXTScanData = - (void *)wdiLowLevelInd->wdiIndicationData.pEXTScanIndData; -@@ -21017,160 +20992,6 @@ error: - } - - /*========================================================================== -- FUNCTION WDA_EXTScanSetSSIDHotlistRspCallback -- -- DESCRIPTION -- API to send EXTScan Set SSID Hotlist Response to HDD -- -- PARAMETERS -- pEventData: Response from FW -- pUserData: --===========================================================================*/ --void WDA_EXTScanSetSSIDHotlistRspCallback(void *pEventData, void* pUserData) --{ -- tWDA_ReqParams *pWdaParams = (tWDA_ReqParams *)pUserData; -- tWDA_CbContext *pWDA = NULL; -- void *pCallbackContext; -- tpAniSirGlobal pMac; -- -- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_INFO, -- "%s: ", __func__); -- if (NULL == pWdaParams) -- { -- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR, -- "%s: 
pWdaParams received NULL", __func__); -- VOS_ASSERT(0) ; -- return; -- } -- -- pWDA = (tWDA_CbContext *) pWdaParams->pWdaContext; -- -- if (NULL == pWDA) -- { -- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR, -- "%s: pWDA received NULL", __func__); -- VOS_ASSERT(0); -- goto error; -- } -- -- pMac = (tpAniSirGlobal )VOS_GET_MAC_CTXT(pWDA->pVosContext); -- if (NULL == pMac) -- { -- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR, -- "%s:pMac is NULL", __func__); -- VOS_ASSERT(0); -- goto error; -- } -- -- pCallbackContext = pMac->sme.pEXTScanCallbackContext; -- -- if (pMac->sme.pEXTScanIndCb) -- { -- pMac->sme.pEXTScanIndCb(pCallbackContext, -- WDA_EXTSCAN_SET_SSID_HOTLIST_RSP, -- pEventData); -- } -- else -- { -- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR, -- "%s:HDD callback is null", __func__); -- VOS_ASSERT(0); -- } -- -- --error: -- -- if (pWdaParams->wdaWdiApiMsgParam != NULL) -- { -- vos_mem_free(pWdaParams->wdaWdiApiMsgParam); -- } -- if (pWdaParams->wdaMsgParam != NULL) -- { -- vos_mem_free(pWdaParams->wdaMsgParam); -- } -- vos_mem_free(pWdaParams) ; -- -- return; --} -- --/*========================================================================== -- FUNCTION WDA_EXTScanResetSSIDHotlistRspCallback -- -- DESCRIPTION -- API to send EXTScan ReSet SSID Hotlist Response to HDD -- -- PARAMETERS -- pEventData: Response from FW -- pUserData: --===========================================================================*/ --void WDA_EXTScanResetSSIDHotlistRspCallback(void *pEventData, void* pUserData) --{ -- tWDA_ReqParams *pWdaParams = (tWDA_ReqParams *)pUserData; -- tWDA_CbContext *pWDA = NULL; -- void *pCallbackContext; -- tpAniSirGlobal pMac; -- -- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_INFO, -- "%s:", __func__); -- if (NULL == pWdaParams) -- { -- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR, -- "%s: pWdaParams received NULL", __func__); -- VOS_ASSERT(0) ; -- return; -- } -- -- pWDA = (tWDA_CbContext *) pWdaParams->pWdaContext; -- 
-- if (NULL == pWDA) -- { -- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR, -- "%s: pWDA received NULL", __func__); -- VOS_ASSERT(0); -- goto error; -- } -- -- pMac = (tpAniSirGlobal )VOS_GET_MAC_CTXT(pWDA->pVosContext); -- if (NULL == pMac) -- { -- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR, -- "%s:pMac is NULL", __func__); -- VOS_ASSERT(0); -- goto error; -- } -- -- pCallbackContext = pMac->sme.pEXTScanCallbackContext; -- -- if (pMac->sme.pEXTScanIndCb) -- { -- pMac->sme.pEXTScanIndCb(pCallbackContext, -- WDA_EXTSCAN_RESET_SSID_HOTLIST_RSP, -- pEventData); -- } -- else -- { -- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR, -- "%s:HDD callback is null", __func__); -- VOS_ASSERT(0); -- } -- -- --error: -- -- if (pWdaParams->wdaWdiApiMsgParam != NULL) -- { -- vos_mem_free(pWdaParams->wdaWdiApiMsgParam); -- } -- if (pWdaParams->wdaMsgParam != NULL) -- { -- vos_mem_free(pWdaParams->wdaMsgParam); -- } -- vos_mem_free(pWdaParams) ; -- -- return; --} -- --/*========================================================================== - FUNCTION WDA_ProcessEXTScanStartReq - - DESCRIPTION -@@ -21429,92 +21250,6 @@ VOS_STATUS WDA_ProcessEXTScanResetBSSIDHotlistReq(tWDA_CbContext *pWDA, - } - - /*========================================================================== -- FUNCTION WDA_ProcessEXTScanSetSSIDHotlistReq -- -- DESCRIPTION -- API to send Set SSID Hotlist Request to WDI -- -- PARAMETERS -- pWDA: Pointer to WDA context -- wdaRequest: Pointer to EXTScan req parameters --===========================================================================*/ --VOS_STATUS WDA_ProcessEXTScanSetSSIDHotlistReq(tWDA_CbContext *pWDA, -- tSirEXTScanSetSsidHotListReqParams *wdaRequest) --{ -- WDI_Status status = WDI_STATUS_SUCCESS; -- tWDA_ReqParams *pWdaParams; -- -- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_INFO, -- "%s: ", __func__); -- pWdaParams = (tWDA_ReqParams *)vos_mem_malloc(sizeof(tWDA_ReqParams)); -- if (NULL == pWdaParams) -- { -- VOS_TRACE( 
VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR, -- "%s: VOS MEM Alloc Failure", __func__); -- VOS_ASSERT(0); -- return VOS_STATUS_E_NOMEM; -- } -- pWdaParams->pWdaContext = pWDA; -- pWdaParams->wdaMsgParam = wdaRequest; -- pWdaParams->wdaWdiApiMsgParam = NULL; -- -- status = WDI_EXTScanSetSSIDHotlistReq((void *)wdaRequest, -- (WDI_EXTScanSetSSIDHotlistRspCb)WDA_EXTScanSetSSIDHotlistRspCallback, -- (void *)pWdaParams); -- if (IS_WDI_STATUS_FAILURE(status)) -- { -- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR, -- "Failure to request. Free all the memory " ); -- vos_mem_free(pWdaParams->wdaMsgParam); -- vos_mem_free(pWdaParams); -- } -- return CONVERT_WDI2VOS_STATUS(status); --} -- --/*========================================================================== -- FUNCTION WDA_ProcessEXTScanReSetSSIDHotlistReq -- -- DESCRIPTION -- API to send Reset SSID Hotlist Request to WDI -- -- PARAMETERS -- pWDA: Pointer to WDA context -- wdaRequest: Pointer to EXTScan req parameters --===========================================================================*/ --VOS_STATUS WDA_ProcessEXTScanResetSSIDHotlistReq(tWDA_CbContext *pWDA, -- tSirEXTScanResetSsidHotlistReqParams *wdaRequest) --{ -- WDI_Status status = WDI_STATUS_SUCCESS; -- tWDA_ReqParams *pWdaParams; -- -- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_INFO, -- "%s:", __func__); -- pWdaParams = (tWDA_ReqParams *)vos_mem_malloc(sizeof(tWDA_ReqParams)); -- if (NULL == pWdaParams) -- { -- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR, -- "%s: VOS MEM Alloc Failure", __func__); -- VOS_ASSERT(0); -- return VOS_STATUS_E_NOMEM; -- } -- pWdaParams->pWdaContext = pWDA; -- pWdaParams->wdaMsgParam = wdaRequest; -- pWdaParams->wdaWdiApiMsgParam = NULL; -- -- status = WDI_EXTScanResetSSIDHotlistReq((void *)wdaRequest, -- (WDI_EXTScanResetSSIDHotlistRspCb)WDA_EXTScanResetSSIDHotlistRspCallback, -- (void *)pWdaParams); -- if (IS_WDI_STATUS_FAILURE(status)) -- { -- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR, -- "Failure 
to request. Free all the memory " ); -- vos_mem_free(pWdaParams->wdaMsgParam); -- vos_mem_free(pWdaParams); -- } -- return CONVERT_WDI2VOS_STATUS(status); --} -- --/*========================================================================== - FUNCTION WDA_ProcessHighPriorityDataInfoInd - - DESCRIPTION -diff --git a/CORE/WDI/CP/inc/wlan_qct_wdi.h b/CORE/WDI/CP/inc/wlan_qct_wdi.h -index 595dec2..65461f7 100644 ---- a/CORE/WDI/CP/inc/wlan_qct_wdi.h -+++ b/CORE/WDI/CP/inc/wlan_qct_wdi.h -@@ -421,7 +421,6 @@ typedef enum - WDI_EXTSCAN_SCAN_RESULT_IND, - WDI_EXTSCAN_GET_CAPABILITIES_IND, - WDI_EXTSCAN_BSSID_HOTLIST_RESULT_IND, -- WDI_EXTSCAN_SSID_HOTLIST_RESULT_IND, - #endif - /*Delete BA Ind*/ - WDI_DEL_BA_IND, -@@ -6126,7 +6125,6 @@ typedef struct - #define WDI_WLAN_EXTSCAN_MAX_CHANNELS 16 - #define WDI_WLAN_EXTSCAN_MAX_BUCKETS 16 - #define WDI_WLAN_EXTSCAN_MAX_HOTLIST_APS 128 --#define WDI_WLAN_EXTSCAN_MAX_HOTLIST_SSID 8 - - typedef enum - { -@@ -6234,14 +6232,6 @@ typedef struct - - typedef struct - { -- WDI_MacSSid ssid; /* SSID */ -- wpt_uint8 band; /* band */ -- wpt_int32 lowRssiThreshold; /* low threshold */ -- wpt_int32 highRssiThreshold; /* high threshold */ --} WDI_SSIDThresholdParam; -- --typedef struct --{ - wpt_int32 requestId; - wpt_int8 sessionId; // session Id mapped to vdev_id - wpt_uint32 lostBssidSampleSize; -@@ -6261,21 +6251,6 @@ typedef struct - wpt_uint32 reserved; - } WDI_HighPriorityDataInfoIndParams; - --typedef struct --{ -- wpt_int32 requestId; -- wpt_int8 sessionId; // session Id mapped to vdev_id -- wpt_uint32 lostSsidSampleSize; -- wpt_uint32 numSsid; // number of hotlist APs -- WDI_SSIDThresholdParam ssid[WDI_WLAN_EXTSCAN_MAX_HOTLIST_SSID]; // hotlist SSIDs --} WDI_EXTScanSetSSIDHotlistReqParams; -- --typedef struct --{ -- wpt_uint32 requestId; -- wpt_uint8 sessionId; --} WDI_EXTScanResetSSIDHotlistReqParams; -- - #endif /* WLAN_FEATURE_EXTSCAN */ - - #ifdef WLAN_FEATURE_LINK_LAYER_STATS -@@ -8409,10 +8384,8 @@ typedef void 
(*WDI_EXTScanSetBSSIDHotlistRspCb)(void *pEventData, - void *pUserData); - typedef void (*WDI_EXTScanResetBSSIDHotlistRspCb)(void *pEventData, - void *pUserData); --typedef void (*WDI_EXTScanSetSSIDHotlistRspCb)(void *pEventData, -- void *pUserData); --typedef void (*WDI_EXTScanResetSSIDHotlistRspCb)(void *pEventData, -- void *pUserData); -+ -+ - #endif /* WLAN_FEATURE_EXTSCAN */ - - #ifdef WLAN_FEATURE_LINK_LAYER_STATS -@@ -11865,40 +11838,6 @@ WDI_Status WDI_EXTScanResetBSSIDHotlistReq - ); - - /** -- @brief WDI_EXTScanSetSSIDHotlistReq -- This API is called to send Set SSID Hotlist Request FW -- -- @param pwdiEXTScanSetBssidHotlistReqParams : pointer to the request params. -- wdiEXTScanSetBSSIDHotlistRspCb : callback on getting the response. -- usrData : Client context -- @see -- @return SUCCESS or FAIL --*/ --WDI_Status WDI_EXTScanSetSSIDHotlistReq --( -- WDI_EXTScanSetSSIDHotlistReqParams* pwdiEXTScanSetSSIDHotlistReqParams, -- WDI_EXTScanSetSSIDHotlistRspCb wdiEXTScanSetSSIDHotlistRspCb, -- void* pUserData --); -- --/** -- @brief WDI_EXTScanResetSSIDHotlistReq -- This API is called to send Reset SSID Hotlist Request FW -- -- @param pwdiEXTScanResetSsidHotlistReqParams : pointer to the request params. -- wdiEXTScanGetCachedResultsRspCb : callback on getting the response. 
-- usrData : Client context -- @see -- @return SUCCESS or FAIL --*/ --WDI_Status WDI_EXTScanResetSSIDHotlistReq --( -- WDI_EXTScanResetSSIDHotlistReqParams* pwdiEXTScanResetSSIDHotlistReqParams, -- WDI_EXTScanResetSSIDHotlistRspCb wdiEXTScanResetSSIDHotlistRspCb, -- void* pUserData --); -- --/** - @brief WDI_HighPriorityDataInfoInd - - @param pHighPriorityDataInfoIndParams: Req parameter for the FW -diff --git a/CORE/WDI/CP/inc/wlan_qct_wdi_i.h b/CORE/WDI/CP/inc/wlan_qct_wdi_i.h -index 4b74e41..d0faaf0 100644 ---- a/CORE/WDI/CP/inc/wlan_qct_wdi_i.h -+++ b/CORE/WDI/CP/inc/wlan_qct_wdi_i.h -@@ -465,8 +465,6 @@ typedef enum - WDI_EXTSCAN_GET_CAPABILITIES_REQ = 98, - WDI_EXTSCAN_SET_BSSID_HOTLIST_REQ = 99, - WDI_EXTSCAN_RESET_BSSID_HOTLIST_REQ = 100, -- WDI_EXTSCAN_SET_SSID_HOTLIST_REQ = 101, -- WDI_EXTSCAN_RESET_SSID_HOTLIST_REQ = 102, - #endif - - WDI_SPOOF_MAC_ADDR_REQ = 103, -@@ -847,8 +845,6 @@ typedef enum - WDI_EXTSCAN_GET_CAPABILITIES_RSP = 98, - WDI_EXTSCAN_SET_HOTLIST_BSSID_RSP = 99, - WDI_EXTSCAN_RESET_HOTLIST_BSSID_RSP = 100, -- WDI_EXTSCAN_SET_HOTLIST_SSID_RSP = 101, -- WDI_EXTSCAN_RESET_HOTLIST_SSID_RSP = 102, - #endif - WDI_SPOOF_MAC_ADDR_RSP = 103, - WDI_GET_FW_STATS_RSP = 104, -@@ -958,7 +954,6 @@ typedef enum - WDI_HAL_EXTSCAN_SCAN_AVAILABLE_IND = WDI_HAL_IND_MIN + 24, - WDI_HAL_EXTSCAN_RESULT_IND = WDI_HAL_IND_MIN + 25, - WDI_HAL_EXTSCAN_BSSID_HOTLIST_RESULT_IND = WDI_HAL_IND_MIN + 26, -- WDI_HAL_EXTSCAN_SSID_HOTLIST_RESULT_IND = WDI_HAL_IND_MIN + 27, - #endif - WDI_TDLS_CHAN_SWITCH_REQ_RESP = WDI_HAL_IND_MIN + 28, - WDI_HAL_DEL_BA_IND = WDI_HAL_IND_MIN + 29, -@@ -6197,34 +6192,6 @@ WDI_ProcessEXTScanResetHotlistBSSIDRsp - ); - - WDI_Status --WDI_ProcessEXTScanSetSSIDHotlistReq --( -- WDI_ControlBlockType* pWDICtx, -- WDI_EventInfoType* pEventData --); -- --WDI_Status --WDI_ProcessEXTScanSetHotlistSSIDRsp --( -- WDI_ControlBlockType* pWDICtx, -- WDI_EventInfoType* pEventData --); -- --WDI_Status --WDI_ProcessEXTScanResetSSIDHotlistReq --( -- 
WDI_ControlBlockType* pWDICtx, -- WDI_EventInfoType* pEventData --); -- --WDI_Status --WDI_ProcessEXTScanResetHotlistSSIDRsp --( -- WDI_ControlBlockType* pWDICtx, -- WDI_EventInfoType* pEventData --); -- --WDI_Status - WDI_ProcessHighPriorityDataInfoInd - ( - WDI_ControlBlockType* pWDICtx, -@@ -6252,14 +6219,6 @@ WDI_ProcessEXTScanBssidHotListResultInd - WDI_EventInfoType* pEventData - ); - --WDI_Status --WDI_ProcessEXTScanSsidHotListResultInd --( -- WDI_ControlBlockType* pWDICtx, -- WDI_EventInfoType* pEventData --); -- -- - #endif /* WLAN_FEATURE_EXTSCAN */ - - #ifdef WLAN_FEATURE_LINK_LAYER_STATS -diff --git a/CORE/WDI/CP/src/wlan_qct_wdi.c b/CORE/WDI/CP/src/wlan_qct_wdi.c -index ec83707..4dd8722 100644 ---- a/CORE/WDI/CP/src/wlan_qct_wdi.c -+++ b/CORE/WDI/CP/src/wlan_qct_wdi.c -@@ -485,8 +485,8 @@ WDI_ReqProcFuncType pfnReqProcTbl[WDI_MAX_UMAC_IND] = - WDI_ProcessEXTScanGetCapabilitiesReq, /* WDI_EXTSCAN_GET_CAPABILITIES_REQ */ - WDI_ProcessEXTScanSetBSSIDHotlistReq, /* WDI_EXTSCAN_SET_BSSID_HOTLIST_REQ */ - WDI_ProcessEXTScanResetBSSIDHotlistReq, /* WDI_EXTSCAN_RESET_BSSID_HOTLIST_REQ */ -- WDI_ProcessEXTScanSetSSIDHotlistReq, /* WDI_EXTSCAN_SET_SSID_HOTLIST_REQ */ -- WDI_ProcessEXTScanResetSSIDHotlistReq, /* WDI_EXTSCAN_RESET_SSID_HOTLIST_REQ */ -+ NULL, /* maintain synchronization though SSID_HOTLIST is deprecated */ -+ NULL, - #else - NULL, - NULL, -@@ -812,8 +812,8 @@ WDI_RspProcFuncType pfnRspProcTbl[WDI_MAX_RESP] = - WDI_ProcessEXTScanGetCapabilitiesRsp, /* WDI_EXTSCAN_GET_CAPABILITIES_RSP */ - WDI_ProcessEXTScanSetHotlistBSSIDRsp, /* WDI_EXTSCAN_SET_HOTLIST_BSSID_RSP */ - WDI_ProcessEXTScanResetHotlistBSSIDRsp, /* WDI_EXTSCAN_RESET_HOTLIST_BSSID_RSP */ -- WDI_ProcessEXTScanSetHotlistSSIDRsp, /* WDI_EXTSCAN_SET_HOTLIST_SSID_RSP */ -- WDI_ProcessEXTScanResetHotlistSSIDRsp, /* WDI_EXTSCAN_RESET_HOTLIST_SSID_RSP */ -+ NULL, /* maintain synchronization though SSID_HOTLIST is deprecated */ -+ NULL, - #else - NULL, - NULL, -@@ -934,7 +934,7 @@ 
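Review bot: The entries that become bare `NULL` in `pfnReqProcTbl` and `pfnRspProcTbl` (and the indication slot in the next hunk, `@@ -934,7 +934,7 @@`) are only safe if every dispatcher that indexes these tables checks the entry before calling through it. That dispatch code is outside these hunks, so it should be confirmed before relying on the placeholders. The placeholders appear to exist to keep table positions aligned with the explicitly numbered enum values, since 101 and 102 are dropped while `WDI_SPOOF_MAC_ADDR_REQ = 103` stays, yet only the first `NULL` of each pair carries a comment. I would label each slot, e.g. `NULL, /* 101: was WDI_EXTSCAN_SET_SSID_HOTLIST_REQ, slot kept for index alignment */` and `NULL, /* 102: was WDI_EXTSCAN_RESET_SSID_HOTLIST_REQ, slot kept for index alignment */`, so a later cleanup does not delete a slot and shift every handler after it. Both table initialisers start and end outside the hunks.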
WDI_RspProcFuncType pfnRspProcTbl[WDI_MAX_RESP] = - WDI_ProcessEXTScanScanAvailableInd, /* WDI_HAL_EXTSCAN_SCAN_AVAILABLE_IND */ - WDI_ProcessEXTScanResultInd, /* WDI_HAL_EXTSCAN_RESULT_IND */ - WDI_ProcessEXTScanBssidHotListResultInd, /* WDI_HAL_EXTSCAN_BSSID_HOTLIST_RESULT_IND */ -- WDI_ProcessEXTScanSsidHotListResultInd, /* WDI_HAL_EXTSCAN_SSID_HOTLIST_RESULT_IND */ -+ NULL, /* maintain synchronization though SSID_HOTLIST is deprecated */ - #else - NULL, - NULL, -@@ -1290,8 +1290,6 @@ static char *WDI_getReqMsgString(wpt_uint16 wdiReqMsgId) - CASE_RETURN_STRING( WDI_EXTSCAN_GET_CAPABILITIES_REQ); - CASE_RETURN_STRING( WDI_EXTSCAN_SET_BSSID_HOTLIST_REQ); - CASE_RETURN_STRING( WDI_EXTSCAN_RESET_BSSID_HOTLIST_REQ); -- CASE_RETURN_STRING( WDI_EXTSCAN_SET_SSID_HOTLIST_REQ); -- CASE_RETURN_STRING( WDI_EXTSCAN_RESET_SSID_HOTLIST_REQ); - CASE_RETURN_STRING( WDI_HIGH_PRIORITY_DATA_INFO_IND); - #endif /* WLAN_FEATURE_EXTSCAN */ - CASE_RETURN_STRING( WDI_SPOOF_MAC_ADDR_REQ); -@@ -1523,13 +1521,10 @@ static char *WDI_getRespMsgString(wpt_uint16 wdiRespMsgId) - CASE_RETURN_STRING( WDI_EXTSCAN_GET_CAPABILITIES_RSP); - CASE_RETURN_STRING( WDI_EXTSCAN_SET_HOTLIST_BSSID_RSP); - CASE_RETURN_STRING( WDI_EXTSCAN_RESET_HOTLIST_BSSID_RSP); -- CASE_RETURN_STRING( WDI_EXTSCAN_SET_HOTLIST_SSID_RSP); -- CASE_RETURN_STRING( WDI_EXTSCAN_RESET_HOTLIST_SSID_RSP); - CASE_RETURN_STRING( WDI_HAL_EXTSCAN_PROGRESS_IND); - CASE_RETURN_STRING( WDI_HAL_EXTSCAN_SCAN_AVAILABLE_IND); - CASE_RETURN_STRING( WDI_HAL_EXTSCAN_RESULT_IND); - CASE_RETURN_STRING( WDI_HAL_EXTSCAN_BSSID_HOTLIST_RESULT_IND); -- CASE_RETURN_STRING( WDI_HAL_EXTSCAN_SSID_HOTLIST_RESULT_IND); - #endif /* WLAN_FEATURE_EXTSCAN */ - CASE_RETURN_STRING( WDI_GET_FW_STATS_RSP); - CASE_RETURN_STRING( WDI_ENCRYPT_MSG_RSP); -@@ -24849,10 +24844,6 @@ WDI_2_HAL_REQ_TYPE - return WLAN_HAL_BSSID_HOTLIST_SET_REQ; - case WDI_EXTSCAN_RESET_BSSID_HOTLIST_REQ: - return WLAN_HAL_BSSID_HOTLIST_RESET_REQ; -- case WDI_EXTSCAN_SET_SSID_HOTLIST_REQ: -- 
return WLAN_HAL_SSID_HOTLIST_SET_REQ; -- case WDI_EXTSCAN_RESET_SSID_HOTLIST_REQ: -- return WLAN_HAL_SSID_HOTLIST_RESET_REQ; - case WDI_HIGH_PRIORITY_DATA_INFO_IND: - return WLAN_HAL_HIGH_PRIORITY_DATA_INFO_REQ; - #endif /* WLAN_FEATURE_EXTSCAN */ -@@ -25216,10 +25207,6 @@ case WLAN_HAL_DEL_STA_SELF_RSP: - return WDI_EXTSCAN_SET_HOTLIST_BSSID_RSP; - case WLAN_HAL_BSSID_HOTLIST_RESET_RSP: - return WDI_EXTSCAN_RESET_HOTLIST_BSSID_RSP; -- case WLAN_HAL_SSID_HOTLIST_SET_RSP: -- return WDI_EXTSCAN_SET_HOTLIST_SSID_RSP; -- case WLAN_HAL_SSID_HOTLIST_RESET_RSP: -- return WDI_EXTSCAN_RESET_HOTLIST_SSID_RSP; - case WLAN_HAL_EXT_SCAN_PROGRESS_IND: - return WDI_HAL_EXTSCAN_PROGRESS_IND; - case WLAN_HAL_EXT_SCAN_RESULT_AVAILABLE_IND: -@@ -25228,8 +25215,6 @@ case WLAN_HAL_DEL_STA_SELF_RSP: - return WDI_HAL_EXTSCAN_RESULT_IND; - case WLAN_HAL_BSSID_HOTLIST_RESULT_IND: - return WDI_HAL_EXTSCAN_BSSID_HOTLIST_RESULT_IND; -- case WLAN_HAL_SSID_HOTLIST_RESULT_IND: -- return WDI_HAL_EXTSCAN_SSID_HOTLIST_RESULT_IND; - #endif /* WLAN_FEATURE_EXTSCAN */ - case WLAN_HAL_MAC_SPOOFED_SCAN_RSP: - return WDI_SPOOF_MAC_ADDR_RSP; -@@ -34293,60 +34278,6 @@ WDI_ProcessEXTScanBssidHotListResultInd - } /* End of WDI_ProcessEXTScanBssidHotListResultInd */ - - /** -- @brief Process EXTScan SSID Hotlist Result Indication indication from FW -- -- @param pWDICtx: pointer to the WLAN DAL context -- pEventData: pointer to the event information structure -- -- @see -- @return Result of the function call --*/ --WDI_Status --WDI_ProcessEXTScanSsidHotListResultInd --( -- WDI_ControlBlockType* pWDICtx, -- WDI_EventInfoType* pEventData --) --{ -- WDI_LowLevelIndType wdiInd; -- /*- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */ -- -- VOS_TRACE( VOS_MODULE_ID_WDI, VOS_TRACE_LEVEL_INFO, -- "%s: ", __func__); -- -- /* sanity check */ -- if (( NULL == pWDICtx ) || ( NULL == pEventData ) || -- ( NULL == pEventData->pEventData)) -- { -- WPAL_TRACE( eWLAN_MODULE_DAL_CTRL, 
eWLAN_PAL_TRACE_LEVEL_ERROR, -- "%s: Invalid parameters", __func__); -- WDI_ASSERT(0); -- return WDI_STATUS_E_FAILURE; -- } -- -- /* Fill in the indication parameters */ -- wdiInd.wdiIndicationType = WDI_EXTSCAN_SSID_HOTLIST_RESULT_IND; -- -- /* extract response and send it to UMAC */ -- wdiInd.wdiIndicationData.pEXTScanIndData = (void *)pEventData->pEventData; -- -- /* Notify UMAC */ -- if (pWDICtx->wdiLowLevelIndCB) -- { -- pWDICtx->wdiLowLevelIndCB( &wdiInd, pWDICtx->pIndUserData ); -- } -- else -- { -- VOS_TRACE( VOS_MODULE_ID_WDI, VOS_TRACE_LEVEL_INFO, -- "%s: WDILowLevelIndCb is null", __func__); -- WDI_ASSERT(0); -- return WDI_STATUS_E_FAILURE; -- } -- return WDI_STATUS_SUCCESS; --} /* End of WDI_ProcessEXTScanSsidHotListResultInd */ -- -- --/** - @brief WDI_EXTScanGetCapabilitiesReq - - @param WDI_EXTScanGetCapabilitiesReqParams: Req parameter for the FW -@@ -35199,286 +35130,6 @@ WDI_ProcessEXTScanResetBSSIDHotlistReq - WDI_EXTSCAN_RESET_HOTLIST_BSSID_RSP); - } - -- --/** -- @brief WDI_EXTScanSetSSIDHotlistReq -- -- @param WDI_EXTScanSetSSIDHotlistReqParams: Req parameter for the FW -- WDI_EXTScanSetSSIDHotlistRspCb: callback for passing back the response -- of the Req operation received from the device -- pUserData: user data will be passed back with the callback -- -- @return SUCCESS or FAIL --*/ --WDI_Status --WDI_EXTScanSetSSIDHotlistReq( -- WDI_EXTScanSetSSIDHotlistReqParams* pwdiEXTScanSetSSIDHotlistReqParams, -- WDI_EXTScanSetSSIDHotlistRspCb wdiEXTScanSetSSIDHotlistRspCb, -- void* pUserData) --{ -- WDI_EventInfoType wdiEventData; -- -- VOS_TRACE( VOS_MODULE_ID_WDI, VOS_TRACE_LEVEL_INFO, -- "%s: %d Enter ",__func__, __LINE__); -- /*------------------------------------------------------------------------ -- Sanity Check -- ------------------------------------------------------------------------*/ -- if ( eWLAN_PAL_FALSE == gWDIInitialized ) -- { -- VOS_TRACE( VOS_MODULE_ID_WDI, VOS_TRACE_LEVEL_ERROR, -- "WDI API call before module is initialized - 
Fail request"); -- -- return WDI_STATUS_E_NOT_ALLOWED; -- } -- -- wdiEventData.wdiRequest = WDI_EXTSCAN_SET_SSID_HOTLIST_REQ; -- wdiEventData.pEventData = pwdiEXTScanSetSSIDHotlistReqParams; -- wdiEventData.uEventDataSize = sizeof(*pwdiEXTScanSetSSIDHotlistReqParams); -- wdiEventData.pCBfnc = wdiEXTScanSetSSIDHotlistRspCb; -- wdiEventData.pUserData = pUserData; -- -- return WDI_PostMainEvent(&gWDICb, WDI_REQUEST_EVENT, &wdiEventData); --} -- --/** -- @brief WDI_ProcessEXTScanSetSSIDHotlistReq - -- Extended Scan Set SSSID Hotlist Request to FW -- -- @param pWDICtx : wdi context -- pEventData : indication data -- -- @see -- @return none --*/ --WDI_Status --WDI_ProcessEXTScanSetSSIDHotlistReq --( -- WDI_ControlBlockType* pWDICtx, -- WDI_EventInfoType* pEventData --) --{ -- WDI_EXTScanSetSSIDHotlistReqParams* pwdiEXTScanSetSSIDHotlistReqParams; -- WDI_EXTScanSetSSIDHotlistRspCb wdiEXTScanSetSSIDHotlistRspCb; -- wpt_uint8* pSendBuffer = NULL; -- wpt_uint16 usSendSize = 0; -- wpt_uint16 usDataOffset = 0; -- tpHalSsidHotlistSetReq pHalSsidHotlistSetReqParams; -- int i; -- -- VOS_TRACE( VOS_MODULE_ID_WDI, VOS_TRACE_LEVEL_INFO, -- "%s: %d Enter",__func__, __LINE__); -- -- if (( NULL == pEventData ) || ( NULL == pEventData->pEventData ) || -- ( NULL == pEventData->pCBfnc )) -- { -- WPAL_TRACE( eWLAN_MODULE_DAL_CTRL, eWLAN_PAL_TRACE_LEVEL_WARN, -- "%s: Invalid parameters", __func__); -- WDI_ASSERT(0); -- return WDI_STATUS_E_FAILURE; -- } -- -- pwdiEXTScanSetSSIDHotlistReqParams = -- (WDI_EXTScanSetSSIDHotlistReqParams *)pEventData->pEventData; -- wdiEXTScanSetSSIDHotlistRspCb = -- (WDI_EXTScanSetSSIDHotlistRspCb)pEventData->pCBfnc; -- -- /*----------------------------------------------------------------------- -- Get message buffer -- ! 
TO DO : proper conversion into the HAL Message Request Format -- -----------------------------------------------------------------------*/ -- if (( WDI_STATUS_SUCCESS != WDI_GetMessageBuffer( -- pWDICtx, -- WDI_EXTSCAN_SET_SSID_HOTLIST_REQ, -- sizeof(tHalSsidHotlistSetReq), -- &pSendBuffer, &usDataOffset, -- &usSendSize))|| -- ( usSendSize < (usDataOffset + sizeof(tHalSsidHotlistSetReq) ))) -- { -- WPAL_TRACE( eWLAN_MODULE_DAL_CTRL, eWLAN_PAL_TRACE_LEVEL_WARN, -- "Unable to get send buffer in %s %p %p %p", __func__, -- pEventData, pwdiEXTScanSetSSIDHotlistReqParams, -- wdiEXTScanSetSSIDHotlistRspCb); -- WDI_ASSERT(0); -- return WDI_STATUS_E_FAILURE; -- } -- pHalSsidHotlistSetReqParams = -- (tpHalSsidHotlistSetReq) (pSendBuffer + usDataOffset); -- -- pHalSsidHotlistSetReqParams->requestId = -- pwdiEXTScanSetSSIDHotlistReqParams->requestId; -- -- pHalSsidHotlistSetReqParams->sessionId = -- pwdiEXTScanSetSSIDHotlistReqParams->sessionId; -- -- pHalSsidHotlistSetReqParams->lostSsidSampleSize = -- pwdiEXTScanSetSSIDHotlistReqParams->lostSsidSampleSize;; -- -- pHalSsidHotlistSetReqParams->numSsid = -- pwdiEXTScanSetSSIDHotlistReqParams->numSsid; -- -- for( i = 0; i < pHalSsidHotlistSetReqParams->numSsid; i++){ -- -- wpalMemoryZero(pHalSsidHotlistSetReqParams->ssid[i].ssid, 33); -- wpalMemoryCopy(pHalSsidHotlistSetReqParams->ssid[i].ssid, -- pwdiEXTScanSetSSIDHotlistReqParams->ssid[i].ssid.sSSID, -- pwdiEXTScanSetSSIDHotlistReqParams->ssid[i].ssid.ucLength); -- -- pHalSsidHotlistSetReqParams->ssid[i].lowRssiThreshold = -- pwdiEXTScanSetSSIDHotlistReqParams->ssid[i].lowRssiThreshold; -- -- pHalSsidHotlistSetReqParams->ssid[i].highRssiThreshold = -- pwdiEXTScanSetSSIDHotlistReqParams->ssid[i].highRssiThreshold; -- -- pHalSsidHotlistSetReqParams->ssid[i].band = -- pwdiEXTScanSetSSIDHotlistReqParams->ssid[i].band; -- } -- -- VOS_TRACE( VOS_MODULE_ID_WDI, VOS_TRACE_LEVEL_INFO, -- "ReqID %u sessionId %u numSsid %u lost_ssid_sample_size: %u", -- 
pHalSsidHotlistSetReqParams->requestId, -- pHalSsidHotlistSetReqParams->sessionId, -- pHalSsidHotlistSetReqParams->numSsid, -- pHalSsidHotlistSetReqParams->lostSsidSampleSize); -- -- for( i = 0; i < pHalSsidHotlistSetReqParams->numSsid; i++){ -- -- VOS_TRACE( VOS_MODULE_ID_WDI, VOS_TRACE_LEVEL_INFO, -- "%s %d %d) SSID = %s lowRssiThreshold %d highRssiThreshold %d band: %d", -- __func__, __LINE__, i, -- pHalSsidHotlistSetReqParams->ssid[i].ssid, -- pHalSsidHotlistSetReqParams->ssid[i].lowRssiThreshold, -- pHalSsidHotlistSetReqParams->ssid[i].highRssiThreshold, -- pHalSsidHotlistSetReqParams->ssid[i].band); -- } -- -- pWDICtx->pReqStatusUserData = pEventData->pUserData; -- -- -- /*------------------------------------------------------------------------- -- Send EXTScan Stop Request to HAL -- -------------------------------------------------------------------------*/ -- return WDI_SendMsg( pWDICtx, pSendBuffer, usSendSize, -- wdiEXTScanSetSSIDHotlistRspCb, pEventData->pUserData, -- WDI_EXTSCAN_SET_HOTLIST_SSID_RSP); --} -- --/** -- @brief WDI_EXTScanResetSSIDHotlistReq -- -- @param WDI_EXTScanResetSSIDHotlistReqParams: Req parameter for the FW -- WDI_EXTScanResetSSIDHotlistRspCb: callback for passing back the response -- of the Req operation received from the device -- pUserData: user data will be passed back with the callback -- -- @return SUCCESS or FAIL --*/ --WDI_Status --WDI_EXTScanResetSSIDHotlistReq( -- WDI_EXTScanResetSSIDHotlistReqParams* pwdiEXTScanResetSSIDHotlistReqParams, -- WDI_EXTScanResetSSIDHotlistRspCb wdiEXTScanResetSSIDHotlistRspCb, -- void* pUserData) --{ -- WDI_EventInfoType wdiEventData; -- -- VOS_TRACE( VOS_MODULE_ID_WDI, VOS_TRACE_LEVEL_INFO, -- "%s: %d",__func__, __LINE__); -- /*------------------------------------------------------------------------ -- Sanity Check -- ------------------------------------------------------------------------*/ -- if ( eWLAN_PAL_FALSE == gWDIInitialized ) -- { -- VOS_TRACE( VOS_MODULE_ID_WDI, 
VOS_TRACE_LEVEL_ERROR, -- "WDI API call before module is initialized - Fail request"); -- -- return WDI_STATUS_E_NOT_ALLOWED; -- } -- -- wdiEventData.wdiRequest = WDI_EXTSCAN_RESET_SSID_HOTLIST_REQ; -- wdiEventData.pEventData = pwdiEXTScanResetSSIDHotlistReqParams; -- wdiEventData.uEventDataSize = sizeof(*pwdiEXTScanResetSSIDHotlistReqParams); -- wdiEventData.pCBfnc = wdiEXTScanResetSSIDHotlistRspCb; -- wdiEventData.pUserData = pUserData; -- -- return WDI_PostMainEvent(&gWDICb, WDI_REQUEST_EVENT, &wdiEventData); --} -- --/** -- @brief WDI_ProcessEXTScanResetSSIDHotlistReq - -- Extended Scan reset SSID hotlist Request to FW -- -- @param pWDICtx : wdi context -- pEventData : indication data -- -- @see -- @return none --*/ --WDI_Status --WDI_ProcessEXTScanResetSSIDHotlistReq --( -- WDI_ControlBlockType* pWDICtx, -- WDI_EventInfoType* pEventData --) --{ -- WDI_EXTScanResetSSIDHotlistReqParams* pwdiEXTScanResetSSIDHotlistReqParams; -- WDI_EXTScanResetSSIDHotlistRspCb wdiEXTScanResetSSIDHotlistRspCb; -- wpt_uint8* pSendBuffer = NULL; -- wpt_uint16 usSendSize = 0; -- wpt_uint16 usDataOffset = 0; -- tpHalSsidHotlistResetReq pHalSsidHotlistResetReqParams; -- -- VOS_TRACE( VOS_MODULE_ID_WDI, VOS_TRACE_LEVEL_INFO, -- "%s: %d",__func__, __LINE__); -- -- if (( NULL == pEventData ) || ( NULL == pEventData->pEventData ) || -- ( NULL == pEventData->pCBfnc )) -- { -- WPAL_TRACE( eWLAN_MODULE_DAL_CTRL, eWLAN_PAL_TRACE_LEVEL_WARN, -- "%s: Invalid parameters", __func__); -- WDI_ASSERT(0); -- return WDI_STATUS_E_FAILURE; -- } -- -- pwdiEXTScanResetSSIDHotlistReqParams = -- (WDI_EXTScanResetSSIDHotlistReqParams *)pEventData->pEventData; -- wdiEXTScanResetSSIDHotlistRspCb = -- (WDI_EXTScanResetSSIDHotlistRspCb)pEventData->pCBfnc; -- -- /*----------------------------------------------------------------------- -- Get message buffer -- ! 
TO DO : proper conversion into the HAL Message Request Format -- -----------------------------------------------------------------------*/ -- if (( WDI_STATUS_SUCCESS != WDI_GetMessageBuffer( -- pWDICtx, -- WDI_EXTSCAN_RESET_SSID_HOTLIST_REQ, -- sizeof(tHalSsidHotlistResetReq), -- &pSendBuffer, &usDataOffset, -- &usSendSize))|| -- ( usSendSize < (usDataOffset + sizeof(tHalSsidHotlistResetReq) ))) -- { -- WPAL_TRACE( eWLAN_MODULE_DAL_CTRL, eWLAN_PAL_TRACE_LEVEL_WARN, -- "Unable to get send buffer in %s %p %p %p", __func__, -- pEventData, pwdiEXTScanResetSSIDHotlistReqParams, -- wdiEXTScanResetSSIDHotlistRspCb); -- WDI_ASSERT(0); -- return WDI_STATUS_E_FAILURE; -- } -- pHalSsidHotlistResetReqParams = -- (tpHalSsidHotlistResetReq) (pSendBuffer+usDataOffset); -- -- pHalSsidHotlistResetReqParams->requestId = -- pwdiEXTScanResetSSIDHotlistReqParams->requestId; -- -- pWDICtx->pReqStatusUserData = pEventData->pUserData; -- -- /*------------------------------------------------------------------------- -- Send RESET_HOTLIST_SSID Request to HAL -- -------------------------------------------------------------------------*/ -- return WDI_SendMsg( pWDICtx, pSendBuffer, usSendSize, -- wdiEXTScanResetSSIDHotlistRspCb, pEventData->pUserData, -- WDI_EXTSCAN_RESET_HOTLIST_SSID_RSP); --} -- -- - /** - @brief WDI_HighPriorityDataInfoInd - -@@ -35887,109 +35538,6 @@ WDI_ProcessEXTScanResetHotlistBSSIDRsp - - return WDI_STATUS_SUCCESS; - } -- --/** -- @brief Process Extended Scan Set hotlist SSID Rsp function (called when a -- response is being received over the bus from HAL) -- -- @param pWDICtx: pointer to the WLAN DAL context -- pEventData: pointer to the event information structure -- -- @see -- @return Result of the function call --*/ --WDI_Status --WDI_ProcessEXTScanSetHotlistSSIDRsp --( -- WDI_ControlBlockType* pWDICtx, -- WDI_EventInfoType* pEventData --) --{ -- WDI_EXTScanSetSSIDHotlistRspCb wdiEXTScanSetSSIDHotlistRspCb; -- -- VOS_TRACE( VOS_MODULE_ID_WDI, VOS_TRACE_LEVEL_INFO, 
-- "%s: %d ",__func__, __LINE__); -- -- -- /*------------------------------------------------------------------------- -- Sanity check -- -------------------------------------------------------------------------*/ -- if (( NULL == pWDICtx ) || ( NULL == pEventData ) || -- ( NULL == pEventData->pEventData)) -- { -- WPAL_TRACE( eWLAN_MODULE_DAL_CTRL, eWLAN_PAL_TRACE_LEVEL_WARN, -- "%s: Invalid parameters", __func__); -- WDI_ASSERT(0); -- return WDI_STATUS_E_FAILURE; -- } -- -- wdiEXTScanSetSSIDHotlistRspCb = -- (WDI_EXTScanSetSSIDHotlistRspCb)pWDICtx->pfncRspCB; -- if ( NULL == wdiEXTScanSetSSIDHotlistRspCb) -- { -- WPAL_TRACE( eWLAN_MODULE_DAL_CTRL, eWLAN_PAL_TRACE_LEVEL_WARN, -- "%s: Callback function Invalid", __func__); -- WDI_ASSERT(0); -- return WDI_STATUS_E_FAILURE; -- } -- -- wdiEXTScanSetSSIDHotlistRspCb( -- (void *) pEventData->pEventData, pWDICtx->pRspCBUserData); -- -- return WDI_STATUS_SUCCESS; --} -- -- --/** -- @brief Process Extended Scan Reset Hotlist BSSID Rsp function (called -- when a response is being received over the bus from HAL) -- -- @param pWDICtx: pointer to the WLAN DAL context -- pEventData: pointer to the event information structure -- -- @see -- @return Result of the function call --*/ --WDI_Status --WDI_ProcessEXTScanResetHotlistSSIDRsp --( -- WDI_ControlBlockType* pWDICtx, -- WDI_EventInfoType* pEventData --) --{ -- WDI_EXTScanResetSSIDHotlistRspCb wdiEXTScanResetSSIDHotlistRspCb; -- -- VOS_TRACE( VOS_MODULE_ID_WDI, VOS_TRACE_LEVEL_INFO, -- "%s: %d ",__func__, __LINE__); -- -- -- /*------------------------------------------------------------------------- -- Sanity check -- -------------------------------------------------------------------------*/ -- if (( NULL == pWDICtx ) || ( NULL == pEventData ) || -- ( NULL == pEventData->pEventData)) -- { -- WPAL_TRACE( eWLAN_MODULE_DAL_CTRL, eWLAN_PAL_TRACE_LEVEL_WARN, -- "%s: Invalid parameters", __func__); -- WDI_ASSERT(0); -- return WDI_STATUS_E_FAILURE; -- } -- -- 
wdiEXTScanResetSSIDHotlistRspCb = -- (WDI_EXTScanResetSSIDHotlistRspCb)pWDICtx->pfncRspCB; -- if ( NULL == wdiEXTScanResetSSIDHotlistRspCb) -- { -- WPAL_TRACE( eWLAN_MODULE_DAL_CTRL, eWLAN_PAL_TRACE_LEVEL_WARN, -- "%s: Callback function Invalid", __func__); -- WDI_ASSERT(0); -- return WDI_STATUS_E_FAILURE; -- } -- -- wdiEXTScanResetSSIDHotlistRspCb( -- (void *) pEventData->pEventData, pWDICtx->pRspCBUserData); -- -- return WDI_STATUS_SUCCESS; --} - #endif /* WLAN_FEATURE_EXTSCAN */ - - /** --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0465/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0465/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0465/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0465/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0507/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0507/ANY/0.patch deleted file mode 100644 index 45b2e4e0..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0507/ANY/0.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c -index cc1b3bf..48b6b86 100644 ---- a/drivers/staging/android/ion/ion.c -+++ b/drivers/staging/android/ion/ion.c -@@ -16,6 +16,8 @@ - * - */ - -+#include -+#include - #include - #include - #include -@@ -400,6 +402,15 @@ - kref_get(&handle->ref); - } - -+/* Must hold the client lock */ -+static struct ion_handle* ion_handle_get_check_overflow(struct ion_handle *handle) -+{ -+ if (atomic_read(&handle->ref.refcount) + 1 == 0) -+ return ERR_PTR(-EOVERFLOW); -+ ion_handle_get(handle); -+ return handle; -+} -+ - int ion_handle_put_nolock(struct ion_handle *handle) - { - int ret; -@@ -445,9 +456,9 @@ - - handle = idr_find(&client->idr, id); - if (handle) -- ion_handle_get(handle); -+ return ion_handle_get_check_overflow(handle); - -- return handle ? handle : ERR_PTR(-EINVAL); -+ return ERR_PTR(-EINVAL); - } - - struct ion_handle *ion_handle_get_by_id(struct ion_client *client, -@@ -1339,7 +1350,7 @@ - /* if a handle exists for this buffer just take a reference to it */ - handle = ion_handle_lookup(client, buffer); - if (!IS_ERR(handle)) { -- ion_handle_get(handle); -+ handle = ion_handle_get_check_overflow(handle); - mutex_unlock(&client->lock); - goto end; - } diff --git a/Patches/Linux_CVEs/CVE-2017-0507/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0507/ANY/0.patch.base64 deleted file mode 100644 index 12fb178a..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0507/ANY/0.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-0507/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0507/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0507/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2017-0507/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2017-0509/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0509/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0509/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0509/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0510/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-0510/3.10/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0510/3.10/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0510/3.10/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0510/3.18/1.patch b/Patches/Linux_CVEs/CVE-2017-0510/3.18/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0510/3.18/1.patch
rename to Patches/Linux_CVEs/CVE-2017-0510/3.18/0003.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0510/3.4/3.patch b/Patches/Linux_CVEs/CVE-2017-0510/3.4/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0510/3.4/3.patch
rename to Patches/Linux_CVEs/CVE-2017-0510/3.4/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0510/3.4/3.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0510/3.4/0001.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0510/3.4/3.patch.base64
rename to Patches/Linux_CVEs/CVE-2017-0510/3.4/0001.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2017-0510/ANY/2.patch b/Patches/Linux_CVEs/CVE-2017-0510/ANY/2.patch
deleted file mode 100644
index 63421040..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0510/ANY/2.patch
+++ /dev/null
@@ -1,177 +0,0 @@ -diff --git a/drivers/staging/android/fiq_debugger/fiq_debugger.c b/drivers/staging/android/fiq_debugger/fiq_debugger.c -index 1d73362..ceb45bc9e 100644 ---- a/drivers/staging/android/fiq_debugger/fiq_debugger.c -+++ b/drivers/staging/android/fiq_debugger/fiq_debugger.c -@@ -30,6 +30,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -395,7 +396,7 @@ - cmd += 6; - while (*cmd == ' ') - cmd++; -- if (cmd != '\0') -+ if ((cmd != '\0') && sysrq_on()) - kernel_restart(cmd); - else - kernel_restart(NULL); -@@ -425,30 +426,39 @@ - static void fiq_debugger_help(struct fiq_debugger_state *state) - { - fiq_debugger_printf(&state->output, -- "FIQ Debugger commands:\n" -- " pc PC status\n" -- " regs Register dump\n" -- " allregs Extended Register dump\n" -- " bt Stack trace\n"); -+ "FIQ Debugger commands:\n"); -+ if (sysrq_on()) { -+ fiq_debugger_printf(&state->output, -+ " pc PC status\n" -+ " regs Register dump\n" -+ " allregs Extended Register dump\n" -+ " bt Stack trace\n"); -+ fiq_debugger_printf(&state->output, -+ " reboot [] Reboot with command \n" -+ " reset [] Hard reset with command \n" -+ " irqs Interrupt status\n" -+ " kmsg Kernel log\n" -+ " version Kernel version\n"); -+ fiq_debugger_printf(&state->output, -+ " cpu Current CPU\n" -+ " cpu Switch to CPU\n" -+ " sysrq sysrq options\n" -+ " sysrq Execute sysrq with \n"); -+ } else { -+ fiq_debugger_printf(&state->output, -+ " reboot Reboot\n" -+ " reset Hard reset\n" -+ " irqs Interrupt status\n"); -+ } - fiq_debugger_printf(&state->output, -- " reboot [] Reboot with command \n" -- " reset [] Hard reset with command \n" -- " irqs Interupt status\n" -- " kmsg Kernel log\n" -- " version Kernel version\n"); -- fiq_debugger_printf(&state->output, -- " sleep Allow sleep while in FIQ\n" -- " nosleep Disable sleep while in FIQ\n" -- " console Switch terminal to console\n" -- " cpu Current CPU\n" -- " cpu Switch to CPU\n"); -- fiq_debugger_printf(&state->output, -- " ps 
Process list\n" -- " sysrq sysrq options\n" -- " sysrq Execute sysrq with \n"); -+ " sleep Allow sleep while in FIQ\n" -+ " nosleep Disable sleep while in FIQ\n" -+ " console Switch terminal to console\n" -+ " ps Process list\n"); - #ifdef CONFIG_KGDB -- fiq_debugger_printf(&state->output, -- " kgdb Enter kernel debugger\n"); -+ if (fiq_kgdb_enable) { -+ fiq_debugger_printf(&state->output, -+ " kgdb Enter kernel debugger\n"); - #endif - } - -@@ -480,18 +490,23 @@ - if (!strcmp(cmd, "help") || !strcmp(cmd, "?")) { - fiq_debugger_help(state); - } else if (!strcmp(cmd, "pc")) { -- fiq_debugger_dump_pc(&state->output, regs); -+ if (sysrq_on()) -+ fiq_debugger_dump_pc(&state->output, regs); - } else if (!strcmp(cmd, "regs")) { -- fiq_debugger_dump_regs(&state->output, regs); -+ if (sysrq_on()) -+ fiq_debugger_dump_regs(&state->output, regs); - } else if (!strcmp(cmd, "allregs")) { -- fiq_debugger_dump_allregs(&state->output, regs); -+ if (sysrq_on()) -+ fiq_debugger_dump_allregs(&state->output, regs); - } else if (!strcmp(cmd, "bt")) { -- fiq_debugger_dump_stacktrace(&state->output, regs, 100, svc_sp); -+ if (sysrq_on()) -+ fiq_debugger_dump_stacktrace(&state->output, regs, -+ 100, svc_sp); - } else if (!strncmp(cmd, "reset", 5)) { - cmd += 5; - while (*cmd == ' ') - cmd++; -- if (*cmd) { -+ if (*cmd && sysrq_on()) { - char tmp_cmd[32]; - strlcpy(tmp_cmd, cmd, sizeof(tmp_cmd)); - machine_restart(tmp_cmd); -@@ -501,9 +516,12 @@ - } else if (!strcmp(cmd, "irqs")) { - fiq_debugger_dump_irqs(state); - } else if (!strcmp(cmd, "kmsg")) { -- fiq_debugger_dump_kernel_log(state); -+ if (sysrq_on()) -+ fiq_debugger_dump_kernel_log(state); - } else if (!strcmp(cmd, "version")) { -- fiq_debugger_printf(&state->output, "%s\n", linux_banner); -+ if (sysrq_on()) -+ fiq_debugger_printf(&state->output, "%s\n", -+ linux_banner); - } else if (!strcmp(cmd, "sleep")) { - state->no_sleep = false; - fiq_debugger_printf(&state->output, "enabling sleep\n"); -@@ -515,14 +533,17 @@ - 
fiq_debugger_uart_flush(state); - state->console_enable = true; - } else if (!strcmp(cmd, "cpu")) { -- fiq_debugger_printf(&state->output, "cpu %d\n", state->current_cpu); -- } else if (!strncmp(cmd, "cpu ", 4)) { -+ if (sysrq_on()) -+ fiq_debugger_printf(&state->output, "cpu %d\n", -+ state->current_cpu); -+ } else if (!strncmp(cmd, "cpu ", 4) && sysrq_on()) { - unsigned long cpu = 0; - if (strict_strtoul(cmd + 4, 10, &cpu) == 0) - fiq_debugger_switch_cpu(state, cpu); - else - fiq_debugger_printf(&state->output, "invalid cpu\n"); -- fiq_debugger_printf(&state->output, "cpu %d\n", state->current_cpu); -+ fiq_debugger_printf(&state->output, "cpu %d\n", -+ state->current_cpu); - } else { - if (state->debug_busy) { - fiq_debugger_printf(&state->output, -diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c -index b51c154..08c9406 100644 ---- a/drivers/tty/sysrq.c -+++ b/drivers/tty/sysrq.c -@@ -55,10 +55,11 @@ - unsigned short platform_sysrq_reset_seq[] __weak = { KEY_RESERVED }; - int sysrq_reset_downtime_ms __weak; - --static bool sysrq_on(void) -+bool sysrq_on(void) - { - return sysrq_enabled || sysrq_always_enabled; - } -+EXPORT_SYMBOL(sysrq_on); - - /* - * A value of 1 means 'all', other nonzero values are an op mask: -diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h -index 7faf933..5a0bd93 100644 ---- a/include/linux/sysrq.h -+++ b/include/linux/sysrq.h -@@ -45,6 +45,7 @@ - * are available -- else NULL's). - */ - -+bool sysrq_on(void); - void handle_sysrq(int key); - void __handle_sysrq(int key, bool check_mask); - int register_sysrq_key(int key, struct sysrq_key_op *op); diff --git a/Patches/Linux_CVEs/CVE-2017-0510/ANY/2.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0510/ANY/2.patch.base64 deleted file mode 100644 index a3dfb08b..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0510/ANY/2.patch.base64 +++ /dev/null @@ -1 +0,0 @@ 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 \ No newline at end of file 
diff --git a/Patches/Linux_CVEs/CVE-2017-0516/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0516/ANY/0001.patch similarity index 70% rename from Patches/Linux_CVEs/CVE-2017-0516/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0516/ANY/0001.patch index 0c26e111..84d7b87f 100644 --- a/Patches/Linux_CVEs/CVE-2017-0516/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2017-0516/ANY/0001.patch @@ -1,25 +1,22 @@ -From 1e2b69bf3ab61979a05e796e76c8ecd1ec251c42 Mon Sep 17 00:00:00 2001 -From: Dennis Cagle -Date: Thu, 5 Jan 2017 17:22:13 -0800 -Subject: [PATCH] input: misc: fix heap overflow issue in hbtp_input.c +From 0dba52cf7955306c71fb76d16437d848c953e462 Mon Sep 17 00:00:00 2001 +From: Vevek Venkatesan +Date: Fri, 23 Dec 2016 11:34:32 +0530 +Subject: input: misc: fix heap overflow issue in hbtp_input.c Add the boundary check for ABS code before setting ABS params, to avoid heap overflow. -Bug: 32341680 -CRs-fixed: 1096301 Change-Id: I6aad9916c92d2f775632406374dbb803063148de Signed-off-by: Vevek Venkatesan -Signed-off-by: Dennis Cagle --- drivers/input/misc/hbtp_input.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/input/misc/hbtp_input.c b/drivers/input/misc/hbtp_input.c -index ef17d386644c9..7877e9b9f5162 100644 +index 4c0e9a9..e80afcf 100644 --- a/drivers/input/misc/hbtp_input.c +++ b/drivers/input/misc/hbtp_input.c -@@ -129,9 +129,13 @@ static int hbtp_input_create_input_dev(struct hbtp_input_absinfo *absinfo) +@@ -130,9 +130,13 @@ static int hbtp_input_create_input_dev(struct hbtp_input_absinfo *absinfo) input_mt_init_slots(input_dev, HBTP_MAX_FINGER, 0); for (i = 0; i <= ABS_MT_LAST - ABS_MT_FIRST; i++) { abs = absinfo + i; @@ -35,3 +32,6 @@ index ef17d386644c9..7877e9b9f5162 100644 } error = input_register_device(input_dev); +-- +cgit v1.1 + 
diff --git a/Patches/Linux_CVEs/CVE-2017-0518/3.18/0.patch b/Patches/Linux_CVEs/CVE-2017-0518/3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0518/3.18/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0518/3.18/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0518/3.18/1.patch b/Patches/Linux_CVEs/CVE-2017-0518/3.18/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0518/3.18/1.patch
rename to Patches/Linux_CVEs/CVE-2017-0518/3.18/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0519/3.18/0.patch b/Patches/Linux_CVEs/CVE-2017-0519/3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0519/3.18/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0519/3.18/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0520/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0520/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0520/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0520/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0521/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0521/3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0521/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0521/3.18/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0521/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-0521/4.4/0002.patch
new file mode 100644
index 00000000..6171f882
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-0521/4.4/0002.patch
@@ -0,0 +1,46 @@
+From 77c4aba67d89ba4055b7c9bd417f49593cba497b Mon Sep 17 00:00:00 2001
+From: Kumar Behera
+Date: Fri, 9 Dec 2016 09:55:00 -0800
+Subject: msm: cpp: Fix for integer overflow in cpp
+
+Due to integer overflow ,the bound check in config frame function
+may pass and this may allow user to access invalid buffer. This
+fix takes care of proper bound and don't allow integer overflow.
+
+CRs-Fxied: 1097709
+Change-Id: I504ad591633afaba82268b5ee27a321691d75c80
+Signed-off-by: Kumar Behera
+---
+ drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+index b7724b4..5be2748 100644
+--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
++++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+@@ -2479,7 +2479,7 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev,
+ struct msm_buf_mngr_info buff_mgr_info, dup_buff_mgr_info;
+ int32_t in_fd;
+ int32_t num_output_bufs = 1;
+- int32_t stripe_base = 0;
++ uint32_t stripe_base = 0;
+ uint32_t stripe_size;
+ uint8_t tnr_enabled;
+ enum msm_camera_buf_mngr_buf_type buf_type =
+@@ -2514,6 +2514,13 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev,
+ return -EINVAL;
+ }
+
++ if (stripe_base == UINT_MAX || new_frame->num_strips >
++ (UINT_MAX - 1 - stripe_base) / stripe_size) {
++ pr_err("Invalid frame message,num_strips %d is large\n",
++ new_frame->num_strips);
++ return -EINVAL;
++ }
++
+ if ((stripe_base + new_frame->num_strips * stripe_size + 1) !=
+ new_frame->msg_len) {
+ pr_err("Invalid frame message,len=%d,expected=%d\n",
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-0523/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0523/3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0523/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0523/3.18/0001.patch
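Review bot: The bound check added to msm_cpp_cfg_frame divides by `stripe_size` in `(UINT_MAX - 1 - stripe_base) / stripe_size`, and nothing visible in the hunk establishes that the value is non-zero. `stripe_size` is only declared in the shown context and is assigned in the part of the function outside the hunk, so if any path can leave it 0 the new check faults before the length comparison runs; a guard such as `if (!stripe_size) return -EINVAL;` ahead of the division would cover that. The new `pr_err` prints `new_frame->num_strips` with `%d`; if that field is unsigned, `%u` is the matching format. The function body starts and ends outside the hunk.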
diff --git a/Patches/Linux_CVEs/CVE-2017-0523/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-0523/4.4/0002.patch
new file mode 100644
index 00000000..3c107112
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-0523/4.4/0002.patch
@@ -0,0 +1,75 @@
+From 2c7b4349b858398caf0ae146e87554c3502d20a5 Mon Sep 17 00:00:00 2001
+From: Hamad Kadmany
+Date: Sun, 18 Dec 2016 15:03:11 +0200
+Subject: wil6210: Block write ioctl to the card by default
+
+The ability to write to the card is used for debug purposes.
+The ability is disabled by default to prevent misuse of
+this functionality.
+
+CRs-Fixed: 1096945
+Change-Id: I8fc3f646a0127ec705239be6a7de858a4f805acc
+Signed-off-by: Hamad Kadmany
+---
+ drivers/net/wireless/ath/wil6210/Kconfig | 11 +++++++++++
+ drivers/net/wireless/ath/wil6210/ioctl.c | 4 ++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/wil6210/Kconfig b/drivers/net/wireless/ath/wil6210/Kconfig
+index 9e3961c..8f0bde5 100644
+--- a/drivers/net/wireless/ath/wil6210/Kconfig
++++ b/drivers/net/wireless/ath/wil6210/Kconfig
+@@ -41,6 +41,17 @@ config WIL6210_TRACING
+
+ If unsure, say Y to make it easier to debug problems.
+
++config WIL6210_WRITE_IOCTL
++ bool "wil6210 write ioctl to the device"
++ depends on WIL6210
++ default n
++ ---help---
++ Say Y here to allow write-access from user-space to
++ the device memory through ioctl. This is useful for
++ debugging purposes only.
++
++ If unsure, say N.
++
+ config WIL6210_PLATFORM_MSM
+ bool "wil6210 MSM platform specific support"
+ depends on WIL6210
+diff --git a/drivers/net/wireless/ath/wil6210/ioctl.c b/drivers/net/wireless/ath/wil6210/ioctl.c
+index 47058ccc..bbdd232 100644
+--- a/drivers/net/wireless/ath/wil6210/ioctl.c
++++ b/drivers/net/wireless/ath/wil6210/ioctl.c
+@@ -87,10 +87,12 @@ static int wil_ioc_memio_dword(struct wil6210_priv *wil, void __user *data)
+ io.val = readl(a);
+ need_copy = true;
+ break;
++#if defined(CONFIG_WIL6210_WRITE_IOCTL)
+ case wil_mmio_write:
+ writel(io.val, a);
+ wmb(); /* make sure write propagated to HW */
+ break;
++#endif
+ default:
+ wil_err(wil, "Unsupported operation, op = 0x%08x\n", io.op);
+ return -EINVAL;
+@@ -147,6 +149,7 @@ static int wil_ioc_memio_block(struct wil6210_priv *wil, void __user *data)
+ goto out_free;
+ }
+ break;
++#if defined(CONFIG_WIL6210_WRITE_IOCTL)
+ case wil_mmio_write:
+ if (copy_from_user(block, io.block, io.size)) {
+ rc = -EFAULT;
+@@ -156,6 +159,7 @@ static int wil_ioc_memio_block(struct wil6210_priv *wil, void __user *data)
+ wmb(); /* make sure write propagated to HW */
+ wil_hex_dump_ioctl("Write ", block, io.size);
+ break;
++#endif
+ default:
+ wil_err(wil, "Unsupported operation, op = 0x%08x\n", io.op);
+ rc = -EINVAL;
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-0524/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0524/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0524/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0524/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0524/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0524/ANY/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0524/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2017-0524/ANY/0002.patch
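Review bot: Wrapping the `wil_mmio_write` cases in `#if defined(CONFIG_WIL6210_WRITE_IOCTL)` is a build-time switch only, so a kernel built with the option set exposes the write path exactly as before, and neither ioctl.c hunk checks the caller's privilege. Whether the ioctl entry point already restricts callers is outside these hunks; if it does not, a capability check (for example `capable(CAP_SYS_RAWIO)`) at the top of the `wil_mmio_write` case in both wil_ioc_memio_dword and wil_ioc_memio_block would keep a debug build from accepting writes from any user that can reach the ioctl. The read cases stay compiled in unconditionally, so a one-line comment above each `#if` stating that only writes are gated would make the asymmetry clearly intentional. Both functions start and end outside the hunks.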
diff --git a/Patches/Linux_CVEs/CVE-2017-0524/ANY/2.patch b/Patches/Linux_CVEs/CVE-2017-0524/ANY/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0524/ANY/2.patch
rename to Patches/Linux_CVEs/CVE-2017-0524/ANY/0003.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0525/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0525/3.10/0001.patch
new file mode 100644
index 00000000..e259c4d6
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-0525/3.10/0001.patch
@@ -0,0 +1,323 @@
+From 58a0d46820909166c89286bdbffbae3358daf778 Mon Sep 17 00:00:00 2001
+From: Ghanim Fodi
+Date: Mon, 16 Jan 2017 00:17:04 +0200
+Subject: msm: ipa: Prevent multiple header deletion from user space
+
+An IPA header or processing context can be added once
+and later deleted once from user space.
+Multiple deletion may cause invalid state of the headers
+software cache.
+
+Change-Id: Ic0b8472b7fd8a76233a007d90c832af726184574
+CRs-fixed: 1097714
+Signed-off-by: Ghanim Fodi
+---
+ drivers/platform/msm/ipa/ipa.c | 13 ++++---
+ drivers/platform/msm/ipa/ipa_hdr.c | 77 +++++++++++++++++++++++++++++++-------
+ drivers/platform/msm/ipa/ipa_i.h | 11 +++++-
+ 3 files changed, 79 insertions(+), 22 deletions(-)
+
+diff --git a/drivers/platform/msm/ipa/ipa.c b/drivers/platform/msm/ipa/ipa.c
+index ddb716c..82caefc 100644
+--- a/drivers/platform/msm/ipa/ipa.c
++++ b/drivers/platform/msm/ipa/ipa.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -436,7 +436,8 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ retval = -EFAULT;
+ break;
+ }
+- if (ipa_del_hdr((struct ipa_ioc_del_hdr *)param)) {
++ if (ipa_del_hdr_by_user((struct ipa_ioc_del_hdr *)param,
++ true)) {
+ retval = -EFAULT;
+ break;
+ }
+@@ -1117,8 +1118,8 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+ retval = -EFAULT;
+ break;
+ }
+- if (ipa_del_hdr_proc_ctx(
+- (struct ipa_ioc_del_hdr_proc_ctx *)param)) {
++ if (ipa_del_hdr_proc_ctx_by_user(
++ (struct ipa_ioc_del_hdr_proc_ctx *)param, true)) {
+ retval = -EFAULT;
+ break;
+ }
+@@ -2256,7 +2257,7 @@ fail_schedule_delayed_work:
+ if (ipa_ctx->dflt_v4_rt_rule_hdl)
+ __ipa_del_rt_rule(ipa_ctx->dflt_v4_rt_rule_hdl);
+ if (ipa_ctx->excp_hdr_hdl)
+- __ipa_del_hdr(ipa_ctx->excp_hdr_hdl);
++ __ipa_del_hdr(ipa_ctx->excp_hdr_hdl, false);
+ ipa_teardown_sys_pipe(ipa_ctx->clnt_hdl_cmd);
+ fail_cmd:
+ return result;
+@@ -2268,7 +2269,7 @@ static void ipa_teardown_apps_pipes(void)
+ ipa_teardown_sys_pipe(ipa_ctx->clnt_hdl_data_in);
+ __ipa_del_rt_rule(ipa_ctx->dflt_v6_rt_rule_hdl);
+ __ipa_del_rt_rule(ipa_ctx->dflt_v4_rt_rule_hdl);
+- __ipa_del_hdr(ipa_ctx->excp_hdr_hdl);
++ __ipa_del_hdr(ipa_ctx->excp_hdr_hdl, false);
+ ipa_teardown_sys_pipe(ipa_ctx->clnt_hdl_cmd);
+ }
+
+diff --git a/drivers/platform/msm/ipa/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_hdr.c
+index 67aa787..45b0ef6 100644
+--- a/drivers/platform/msm/ipa/ipa_hdr.c
++++ b/drivers/platform/msm/ipa/ipa_hdr.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -719,7 +719,8 @@ error:
+ return -EPERM;
+ }
+
+-static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr)
++static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl,
++ bool release_hdr, bool by_user)
+ {
+ struct ipa_hdr_proc_ctx_entry *entry;
+ struct ipa_hdr_proc_ctx_tbl *htbl = &ipa_ctx->hdr_proc_ctx_tbl;
+@@ -733,6 +734,14 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr)
+ IPADBG("del ctx proc cnt=%d ofst=%d\n",
+ htbl->proc_ctx_cnt, entry->offset_entry->offset);
+
++ if (by_user && entry->user_deleted) {
++ IPAERR("proc_ctx already deleted by user\n");
++ return -EINVAL;
++ }
++
++ if (by_user)
++ entry->user_deleted = true;
++
+ if (--entry->ref_cnt) {
+ IPADBG("proc_ctx_hdl %x ref_cnt %d\n",
+ proc_ctx_hdl, entry->ref_cnt);
+@@ -740,7 +749,7 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr)
+ }
+
+ if (release_hdr)
+- __ipa_release_hdr(entry->hdr->id);
++ __ipa_del_hdr(entry->hdr->id, false);
+
+ /* move the offset entry to appropriate free list */
+ list_move(&entry->offset_entry->link,
+@@ -757,7 +766,7 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr)
+ }
+
+
+-int __ipa_del_hdr(u32 hdr_hdl)
++int __ipa_del_hdr(u32 hdr_hdl, bool by_user)
+ {
+ struct ipa_hdr_entry *entry;
+ struct ipa_hdr_tbl *htbl = &ipa_ctx->hdr_tbl;
+@@ -776,6 +785,14 @@ int __ipa_del_hdr(u32 hdr_hdl)
+ IPADBG("del hdr of sz=%d hdr_cnt=%d ofst=%d\n", entry->hdr_len,
+ htbl->hdr_cnt, entry->offset_entry->offset);
+
++ if (by_user && entry->user_deleted) {
++ IPAERR("hdr already deleted by user\n");
++ return -EINVAL;
++ }
++
++ if (by_user)
++ entry->user_deleted = true;
++
+ if (--entry->ref_cnt) {
+ IPADBG("hdr_hdl %x ref_cnt %d\n", hdr_hdl, entry->ref_cnt);
+ return 0;
+@@ -786,7 +803,7 @@ int __ipa_del_hdr(u32 hdr_hdl)
+ entry->phys_base,
+ entry->hdr_len,
+ DMA_TO_DEVICE);
+- __ipa_del_hdr_proc_ctx(entry->proc_ctx->id, false);
++ __ipa_del_hdr_proc_ctx(entry->proc_ctx->id, false, false);
+ } else {
+ /* move the offset entry to appropriate free list */
+ list_move(&entry->offset_entry->link,
+@@ -849,15 +866,16 @@ bail:
+ EXPORT_SYMBOL(ipa_add_hdr);
+
+ /**
+- * ipa_del_hdr() - Remove the specified headers from SW and optionally commit them
+- * to IPA HW
++ * ipa_del_hdr_by_user() - Remove the specified headers
++ * from SW and optionally commit them to IPA HW
+ * @hdls: [inout] set of headers to delete
++ * @by_user: Operation requested by user?
+ *
+ * Returns: 0 on success, negative on failure
+ *
+ * Note: Should not be called from atomic context
+ */
+-int ipa_del_hdr(struct ipa_ioc_del_hdr *hdls)
++int ipa_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user)
+ {
+ int i;
+ int result = -EFAULT;
+@@ -869,7 +887,7 @@ int ipa_del_hdr(struct ipa_ioc_del_hdr *hdls)
+
+ mutex_lock(&ipa_ctx->lock);
+ for (i = 0; i < hdls->num_hdls; i++) {
+- if (__ipa_del_hdr(hdls->hdl[i].hdl)) {
++ if (__ipa_del_hdr(hdls->hdl[i].hdl, by_user)) {
+ IPAERR("failed to del hdr %i\n", i);
+ hdls->hdl[i].status = -1;
+ } else {
+@@ -888,6 +906,20 @@ bail:
+ mutex_unlock(&ipa_ctx->lock);
+ return result;
+ }
++
++/**
++ * ipa_del_hdr() - Remove the specified headers from SW and optionally commit them
++ * to IPA HW
++ * @hdls: [inout] set of headers to delete
++ *
++ * Returns: 0 on success, negative on failure
++ *
++ * Note: Should not be called from atomic context
++ */
++int ipa_del_hdr(struct ipa_ioc_del_hdr *hdls)
++{
++ return ipa_del_hdr_by_user(hdls, false);
++}
+ EXPORT_SYMBOL(ipa_del_hdr);
+
+ /**
+@@ -936,16 +968,18 @@ bail:
+ EXPORT_SYMBOL(ipa_add_hdr_proc_ctx);
+
+ /**
+- * ipa_del_hdr_proc_ctx() -
++ * ipa_del_hdr_proc_ctx_by_user() -
+ * Remove the specified processing context headers from SW and
+ * optionally commit them to IPA HW.
+ * @hdls: [inout] set of processing context headers to delete
++ * @by_user: Operation requested by user?
+ *
+ * Returns: 0 on success, negative on failure
+ *
+ * Note: Should not be called from atomic context
+ */
+-int ipa_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls)
++int ipa_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls,
++ bool by_user)
+ {
+ int i;
+ int result;
+@@ -957,7 +991,7 @@ int ipa_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls)
+
+ mutex_lock(&ipa_ctx->lock);
+ for (i = 0; i < hdls->num_hdls; i++) {
+- if (__ipa_del_hdr_proc_ctx(hdls->hdl[i].hdl, true)) {
++ if (__ipa_del_hdr_proc_ctx(hdls->hdl[i].hdl, true, by_user)) {
+ IPAERR("failed to del hdr %i\n", i);
+ hdls->hdl[i].status = -1;
+ } else {
+@@ -976,6 +1010,21 @@ bail:
+ mutex_unlock(&ipa_ctx->lock);
+ return result;
+ }
++
++/**
++ * ipa_del_hdr_proc_ctx() -
++ * Remove the specified processing context headers from SW and
++ * optionally commit them to IPA HW.
++ * @hdls: [inout] set of processing context headers to delete
++ *
++ * Returns: 0 on success, negative on failure
++ *
++ * Note: Should not be called from atomic context
++ */
++int ipa_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls)
++{
++ return ipa_del_hdr_proc_ctx_by_user(hdls, false);
++}
+ EXPORT_SYMBOL(ipa_del_hdr_proc_ctx);
+
+ /**
+@@ -1197,7 +1246,7 @@ int __ipa_release_hdr(u32 hdr_hdl)
+ {
+ int result = 0;
+
+- if (__ipa_del_hdr(hdr_hdl)) {
++ if (__ipa_del_hdr(hdr_hdl, false)) {
+ IPADBG("fail to del hdr %x\n", hdr_hdl);
+ result = -EFAULT;
+ goto bail;
+@@ -1225,7 +1274,7 @@ int __ipa_release_hdr_proc_ctx(u32 proc_ctx_hdl)
+ {
+ int result = 0;
+
+- if (__ipa_del_hdr_proc_ctx(proc_ctx_hdl, true)) {
++ if (__ipa_del_hdr_proc_ctx(proc_ctx_hdl, true, false)) {
+ IPADBG("fail to del hdr %x\n", proc_ctx_hdl);
+ result = -EFAULT;
+ goto bail;
+diff --git a/drivers/platform/msm/ipa/ipa_i.h b/drivers/platform/msm/ipa/ipa_i.h
+index ed05434..c71862c 100644
+--- a/drivers/platform/msm/ipa/ipa_i.h
++++ b/drivers/platform/msm/ipa/ipa_i.h
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -224,6 +224,7 @@ struct ipa_rt_tbl {
+ * @id: header entry id
+ * @is_eth2_ofst_valid: is eth2_ofst field valid?
+ * @eth2_ofst: offset to start of Ethernet-II/802.3 header
++ * @user_deleted: is the header deleted by the user?
+ */
+ struct ipa_hdr_entry {
+ struct list_head link;
+@@ -241,6 +242,7 @@ struct ipa_hdr_entry {
+ int id;
+ u8 is_eth2_ofst_valid;
+ u16 eth2_ofst;
++ bool user_deleted;
+ };
+
+ /**
+@@ -316,6 +318,7 @@ struct ipa_hdr_proc_ctx_add_hdr_cmd_seq {
+ * @cookie: cookie used for validity check
+ * @ref_cnt: reference counter of routing table
+ * @id: processing context header entry id
++ * @user_deleted: is the hdr processing context deleted by the user?
+ */
+ struct ipa_hdr_proc_ctx_entry {
+ struct list_head link;
+@@ -325,6 +328,7 @@ struct ipa_hdr_proc_ctx_entry {
+ u32 cookie;
+ u32 ref_cnt;
+ int id;
++ bool user_deleted;
+ };
+
+ /**
+@@ -1136,8 +1140,11 @@ void ipa_inc_client_enable_clks(void);
+ int ipa_inc_client_enable_clks_no_block(void);
+ void ipa_dec_client_disable_clks(void);
+ int ipa_interrupts_init(u32 ipa_irq, u32 ee, struct device *ipa_dev);
++int ipa_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user);
++int ipa_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls,
++ bool by_user);
+ int __ipa_del_rt_rule(u32 rule_hdl);
+-int __ipa_del_hdr(u32 hdr_hdl);
++int __ipa_del_hdr(u32 hdr_hdl, bool by_user);
+ int __ipa_release_hdr(u32 hdr_hdl);
+ int __ipa_release_hdr_proc_ctx(u32 proc_ctx_hdl);
+ int _ipa_read_gen_reg_v1_0(char *buff, int max_len);
+--
+cgit v1.1
+
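Review bot: The `by_user && entry->user_deleted` guard added to `__ipa_del_hdr()` and `__ipa_del_hdr_proc_ctx()` in ipa_hdr.c only stops a second deletion from the ioctl path; nothing in these hunks checks that the entry was added from user space, so a first `by_user` deletion still drops a reference the caller may never have taken. Whether the lookup or add path rules that out cannot be seen here, because both function bodies start and end outside the hunks. I would record at add time whether user space holds a reference and reject `by_user` deletions otherwise, and document the invariant above the check: `/* user space may drop at most one reference per entry; kernel callers pass by_user=false */`. The ioctl callers in ipa.c also still map the new `-EINVAL` to `-EFAULT`, which makes a rejected double delete indistinguishable from a copy fault.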
diff --git a/Patches/Linux_CVEs/CVE-2017-0525/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0525/3.18/0002.patch similarity index 83% rename from Patches/Linux_CVEs/CVE-2017-0525/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0525/3.18/0002.patch index 7f1b17e4..54ca163d 100644 --- a/Patches/Linux_CVEs/CVE-2017-0525/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2017-0525/3.18/0002.patch @@ -1,5 +1,5 @@ -From 050ee9e77ca89e9997792a0ab371470218da9a97 Mon Sep 17 00:00:00 2001 -From: Aaron Tzeng +From a6a6e4993aca80b7cddab8752f7d8636eb45a8c5 Mon Sep 17 00:00:00 2001 +From: Ghanim Fodi Date: Thu, 12 Jan 2017 15:14:15 +0200 Subject: msm: ipa: Prevent multiple header deletion from user space @@ -21,16 +21,16 @@ Signed-off-by: Ghanim Fodi 6 files changed, 162 insertions(+), 44 deletions(-) diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa.c b/drivers/platform/msm/ipa/ipa_v2/ipa.c -index 393d580..011500c 100644 +index 7bcb267..d6f2ce6 100644 --- a/drivers/platform/msm/ipa/ipa_v2/ipa.c +++ b/drivers/platform/msm/ipa/ipa_v2/ipa.c @@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. +-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. +/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and -@@ -777,7 +777,8 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) +@@ -734,7 +734,8 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) retval = -EINVAL; break; } @@ -40,7 +40,7 @@ index 393d580..011500c 100644 retval = -EFAULT; break; } -@@ -1461,8 +1462,8 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) +@@ -1418,8 +1419,8 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) retval = -EINVAL; break; } 
@@ -51,7 +51,7 @@ index 393d580..011500c 100644 retval = -EFAULT; break; } -@@ -2755,7 +2756,7 @@ fail_schedule_delayed_work: +@@ -2801,7 +2802,7 @@ fail_schedule_delayed_work: if (ipa_ctx->dflt_v4_rt_rule_hdl) __ipa_del_rt_rule(ipa_ctx->dflt_v4_rt_rule_hdl); if (ipa_ctx->excp_hdr_hdl) @@ -60,7 +60,7 @@ index 393d580..011500c 100644 ipa2_teardown_sys_pipe(ipa_ctx->clnt_hdl_cmd); fail_cmd: return result; -@@ -2767,7 +2768,7 @@ static void ipa_teardown_apps_pipes(void) +@@ -2813,7 +2814,7 @@ static void ipa_teardown_apps_pipes(void) ipa2_teardown_sys_pipe(ipa_ctx->clnt_hdl_data_in); __ipa_del_rt_rule(ipa_ctx->dflt_v6_rt_rule_hdl); __ipa_del_rt_rule(ipa_ctx->dflt_v4_rt_rule_hdl); @@ -70,16 +70,16 @@ index 393d580..011500c 100644 } diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c -index 1452c59..a3caf3e 100644 +index ee4ddbb..6a66b0b 100644 --- a/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c +++ b/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c @@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2015, 2017, The Linux Foundation. All rights reserved. +-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and -@@ -731,7 +731,8 @@ error: +@@ -805,7 +805,8 @@ error: return -EPERM; } @@ -89,7 +89,7 @@ index 1452c59..a3caf3e 100644 { struct ipa_hdr_proc_ctx_entry *entry; struct ipa_hdr_proc_ctx_tbl *htbl = &ipa_ctx->hdr_proc_ctx_tbl; -@@ -745,6 +746,14 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) +@@ -819,6 +820,14 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) IPADBG("del ctx proc cnt=%d ofst=%d\n", htbl->proc_ctx_cnt, entry->offset_entry->offset); 
@@ -104,16 +104,16 @@ index 1452c59..a3caf3e 100644 if (--entry->ref_cnt) { IPADBG("proc_ctx_hdl %x ref_cnt %d\n", proc_ctx_hdl, entry->ref_cnt); -@@ -752,7 +761,7 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) +@@ -826,7 +835,7 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) } if (release_hdr) -- __ipa_release_hdr(entry->hdr->id); +- __ipa_del_hdr(entry->hdr->id); + __ipa_del_hdr(entry->hdr->id, false); /* move the offset entry to appropriate free list */ list_move(&entry->offset_entry->link, -@@ -769,7 +778,7 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) +@@ -843,7 +852,7 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) } @@ -122,7 +122,7 @@ index 1452c59..a3caf3e 100644 { struct ipa_hdr_entry *entry; struct ipa_hdr_tbl *htbl = &ipa_ctx->hdr_tbl; -@@ -780,7 +789,7 @@ int __ipa_del_hdr(u32 hdr_hdl) +@@ -854,7 +863,7 @@ int __ipa_del_hdr(u32 hdr_hdl) return -EINVAL; } @@ -131,8 +131,8 @@ index 1452c59..a3caf3e 100644 IPAERR("bad parm\n"); return -EINVAL; } -@@ -788,6 +797,14 @@ int __ipa_del_hdr(u32 hdr_hdl) - IPADBG("del hdr of sz=%d hdr_cnt=%d ofst=%d\n", entry->hdr_len, +@@ -866,6 +875,14 @@ int __ipa_del_hdr(u32 hdr_hdl) + IPADBG("del hdr of sz=%d hdr_cnt=%d ofst=%d\n", entry->hdr_len, htbl->hdr_cnt, entry->offset_entry->offset); + if (by_user && entry->user_deleted) { @@ -146,7 +146,7 @@ index 1452c59..a3caf3e 100644 if (--entry->ref_cnt) { IPADBG("hdr_hdl %x ref_cnt %d\n", hdr_hdl, entry->ref_cnt); return 0; -@@ -798,7 +815,7 @@ int __ipa_del_hdr(u32 hdr_hdl) +@@ -876,7 +893,7 @@ int __ipa_del_hdr(u32 hdr_hdl) entry->phys_base, entry->hdr_len, DMA_TO_DEVICE); @@ -155,7 +155,7 @@ index 1452c59..a3caf3e 100644 } else { /* move the offset entry to appropriate free list */ list_move(&entry->offset_entry->link, -@@ -865,15 +882,16 @@ bail: +@@ -943,15 +960,16 @@ bail: } /** 
@@ -175,7 +175,7 @@ index 1452c59..a3caf3e 100644 { int i; int result = -EFAULT; -@@ -890,7 +908,7 @@ int ipa2_del_hdr(struct ipa_ioc_del_hdr *hdls) +@@ -968,7 +986,7 @@ int ipa2_del_hdr(struct ipa_ioc_del_hdr *hdls) mutex_lock(&ipa_ctx->lock); for (i = 0; i < hdls->num_hdls; i++) { @@ -184,7 +184,7 @@ index 1452c59..a3caf3e 100644 IPAERR("failed to del hdr %i\n", i); hdls->hdl[i].status = -1; } else { -@@ -911,6 +929,20 @@ bail: +@@ -989,6 +1007,20 @@ bail: } /** @@ -205,7 +205,7 @@ index 1452c59..a3caf3e 100644 * ipa2_add_hdr_proc_ctx() - add the specified headers to SW * and optionally commit them to IPA HW * @proc_ctxs: [inout] set of processing context headers to add -@@ -962,16 +994,18 @@ bail: +@@ -1040,16 +1072,18 @@ bail: } /** @@ -226,7 +226,7 @@ index 1452c59..a3caf3e 100644 { int i; int result; -@@ -990,7 +1024,7 @@ int ipa2_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) +@@ -1068,7 +1102,7 @@ int ipa2_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) mutex_lock(&ipa_ctx->lock); for (i = 0; i < hdls->num_hdls; i++) { @@ -235,7 +235,7 @@ index 1452c59..a3caf3e 100644 IPAERR("failed to del hdr %i\n", i); hdls->hdl[i].status = -1; } else { -@@ -1011,6 +1045,21 @@ bail: +@@ -1089,6 +1123,21 @@ bail: } /** @@ -257,7 +257,7 @@ index 1452c59..a3caf3e 100644 * ipa2_commit_hdr() - commit to IPA HW the current header table in SW * * Returns: 0 on success, negative on failure -@@ -1231,7 +1280,7 @@ int __ipa_release_hdr(u32 hdr_hdl) +@@ -1316,7 +1365,7 @@ int __ipa_release_hdr(u32 hdr_hdl) { int result = 0; @@ -266,7 +266,7 @@ index 1452c59..a3caf3e 100644 IPADBG("fail to del hdr %x\n", hdr_hdl); result = -EFAULT; goto bail; -@@ -1259,7 +1308,7 @@ int __ipa_release_hdr_proc_ctx(u32 proc_ctx_hdl) +@@ -1344,7 +1393,7 @@ int __ipa_release_hdr_proc_ctx(u32 proc_ctx_hdl) { int result = 0; @@ -276,7 +276,7 @@ index 1452c59..a3caf3e 100644 result = -EFAULT; goto bail; 
diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_i.h b/drivers/platform/msm/ipa/ipa_v2/ipa_i.h -index b3827ab..13892ce 100644 +index 67d8c94..9094f19 100644 --- a/drivers/platform/msm/ipa/ipa_v2/ipa_i.h +++ b/drivers/platform/msm/ipa/ipa_v2/ipa_i.h @@ -1,4 +1,4 @@ @@ -285,7 +285,7 @@ index b3827ab..13892ce 100644 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and -@@ -367,6 +367,7 @@ struct ipa_rt_tbl { +@@ -254,6 +254,7 @@ struct ipa_rt_tbl { * @id: header entry id * @is_eth2_ofst_valid: is eth2_ofst field valid? * @eth2_ofst: offset to start of Ethernet-II/802.3 header @@ -293,7 +293,7 @@ index b3827ab..13892ce 100644 */ struct ipa_hdr_entry { struct list_head link; -@@ -384,6 +385,7 @@ struct ipa_hdr_entry { +@@ -271,6 +272,7 @@ struct ipa_hdr_entry { int id; u8 is_eth2_ofst_valid; u16 eth2_ofst; @@ -301,7 +301,7 @@ index b3827ab..13892ce 100644 }; /** -@@ -459,6 +461,7 @@ struct ipa_hdr_proc_ctx_add_hdr_cmd_seq { +@@ -334,6 +336,7 @@ struct ipa_hdr_proc_ctx_add_hdr_cmd_seq { * @cookie: cookie used for validity check * @ref_cnt: reference counter of routing table * @id: processing context header entry id @@ -309,7 +309,7 @@ index b3827ab..13892ce 100644 */ struct ipa_hdr_proc_ctx_entry { struct list_head link; -@@ -468,6 +471,7 @@ struct ipa_hdr_proc_ctx_entry { +@@ -343,6 +346,7 @@ struct ipa_hdr_proc_ctx_entry { u32 cookie; u32 ref_cnt; int id; @@ -317,7 +317,7 @@ index b3827ab..13892ce 100644 }; /** -@@ -1634,6 +1638,8 @@ int ipa2_add_hdr(struct ipa_ioc_add_hdr *hdrs); +@@ -1361,6 +1365,8 @@ int ipa2_add_hdr(struct ipa_ioc_add_hdr *hdrs); int ipa2_del_hdr(struct ipa_ioc_del_hdr *hdls); 
@@ -326,7 +326,7 @@ index b3827ab..13892ce 100644 int ipa2_commit_hdr(void); int ipa2_reset_hdr(void); -@@ -1651,6 +1657,9 @@ int ipa2_add_hdr_proc_ctx(struct ipa_ioc_add_hdr_proc_ctx *proc_ctxs); +@@ -1378,6 +1384,9 @@ int ipa2_add_hdr_proc_ctx(struct ipa_ioc_add_hdr_proc_ctx *proc_ctxs); int ipa2_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls); @@ -336,7 +336,7 @@ index b3827ab..13892ce 100644 /* * Routing */ -@@ -1979,7 +1988,7 @@ int ipa2_active_clients_log_print_table(char *buf, int size); +@@ -1669,7 +1678,7 @@ int ipa2_active_clients_log_print_table(char *buf, int size); void ipa2_active_clients_log_clear(void); int ipa_interrupts_init(u32 ipa_irq, u32 ee, struct device *ipa_dev); int __ipa_del_rt_rule(u32 rule_hdl); @@ -346,10 +346,10 @@ index b3827ab..13892ce 100644 int __ipa_release_hdr_proc_ctx(u32 proc_ctx_hdl); int _ipa_read_gen_reg_v1_1(char *buff, int max_len); diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa.c b/drivers/platform/msm/ipa/ipa_v3/ipa.c -index 96089b1..56e7ab8 100644 +index e87c4e2..aa83cbd 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa.c -@@ -794,7 +794,8 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) +@@ -784,7 +784,8 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) retval = -EINVAL; break; } @@ -359,7 +359,7 @@ index 96089b1..56e7ab8 100644 retval = -EFAULT; break; } -@@ -1563,8 +1564,8 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) +@@ -1553,8 +1554,8 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) retval = -EINVAL; break; } @@ -370,7 +370,7 @@ index 96089b1..56e7ab8 100644 retval = -EFAULT; break; } -@@ -3038,7 +3039,7 @@ fail_schedule_delayed_work: +@@ -3003,7 +3004,7 @@ fail_schedule_delayed_work: if (ipa3_ctx->dflt_v4_rt_rule_hdl) __ipa3_del_rt_rule(ipa3_ctx->dflt_v4_rt_rule_hdl); if (ipa3_ctx->excp_hdr_hdl) 
@@ -379,7 +379,7 @@ index 96089b1..56e7ab8 100644 ipa3_teardown_sys_pipe(ipa3_ctx->clnt_hdl_cmd); fail_cmd: return result; -@@ -3050,7 +3051,7 @@ static void ipa3_teardown_apps_pipes(void) +@@ -3015,7 +3016,7 @@ static void ipa3_teardown_apps_pipes(void) ipa3_teardown_sys_pipe(ipa3_ctx->clnt_hdl_data_in); __ipa3_del_rt_rule(ipa3_ctx->dflt_v6_rt_rule_hdl); __ipa3_del_rt_rule(ipa3_ctx->dflt_v4_rt_rule_hdl); @@ -389,7 +389,7 @@ index 96089b1..56e7ab8 100644 } diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c -index b8baa53..523c1df 100644 +index c7202be..1c3af6e 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c @@ -1,4 +1,4 @@ @@ -398,7 +398,7 @@ index b8baa53..523c1df 100644 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and -@@ -603,7 +603,8 @@ error: +@@ -573,7 +573,8 @@ error: return -EPERM; } @@ -408,8 +408,8 @@ index b8baa53..523c1df 100644 { struct ipa3_hdr_proc_ctx_entry *entry; struct ipa3_hdr_proc_ctx_tbl *htbl = &ipa3_ctx->hdr_proc_ctx_tbl; -@@ -617,6 +618,14 @@ static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) - IPADBG("del ctx proc cnt=%d ofst=%d\n", +@@ -587,6 +588,14 @@ static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) + IPADBG("del proc ctx cnt=%d ofst=%d\n", htbl->proc_ctx_cnt, entry->offset_entry->offset); + if (by_user && entry->user_deleted) { 
@@ -423,16 +423,16 @@ index b8baa53..523c1df 100644 if (--entry->ref_cnt) { IPADBG("proc_ctx_hdl %x ref_cnt %d\n", proc_ctx_hdl, entry->ref_cnt); -@@ -624,7 +633,7 @@ static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) +@@ -594,7 +603,7 @@ static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) } if (release_hdr) -- __ipa3_release_hdr(entry->hdr->id); +- __ipa3_del_hdr(entry->hdr->id); + __ipa3_del_hdr(entry->hdr->id, false); /* move the offset entry to appropriate free list */ list_move(&entry->offset_entry->link, -@@ -641,7 +650,7 @@ static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) +@@ -611,7 +620,7 @@ static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) } @@ -441,7 +441,7 @@ index b8baa53..523c1df 100644 { struct ipa3_hdr_entry *entry; struct ipa3_hdr_tbl *htbl = &ipa3_ctx->hdr_tbl; -@@ -652,7 +661,7 @@ int __ipa3_del_hdr(u32 hdr_hdl) +@@ -622,7 +631,7 @@ int __ipa3_del_hdr(u32 hdr_hdl) return -EINVAL; } @@ -450,9 +450,9 @@ index b8baa53..523c1df 100644 IPAERR("bad parm\n"); return -EINVAL; } -@@ -660,6 +669,14 @@ int __ipa3_del_hdr(u32 hdr_hdl) - IPADBG("del hdr of sz=%d hdr_cnt=%d ofst=%d\n", entry->hdr_len, - htbl->hdr_cnt, entry->offset_entry->offset); +@@ -635,6 +644,14 @@ int __ipa3_del_hdr(u32 hdr_hdl) + entry->hdr_len, htbl->hdr_cnt, + entry->offset_entry->offset); + if (by_user && entry->user_deleted) { + IPAERR("proc_ctx already deleted by user\n"); @@ -465,7 +465,7 @@ index b8baa53..523c1df 100644 if (--entry->ref_cnt) { IPADBG("hdr_hdl %x ref_cnt %d\n", hdr_hdl, entry->ref_cnt); return 0; -@@ -670,7 +687,7 @@ int __ipa3_del_hdr(u32 hdr_hdl) +@@ -645,7 +662,7 @@ int __ipa3_del_hdr(u32 hdr_hdl) entry->phys_base, entry->hdr_len, DMA_TO_DEVICE); @@ -474,7 +474,7 @@ index b8baa53..523c1df 100644 } else { /* move the offset entry to appropriate free list */ list_move(&entry->offset_entry->link, -@@ -732,15 +749,16 @@ bail: +@@ -707,15 +724,16 @@ bail: } /** 
@@ -494,7 +494,7 @@ index b8baa53..523c1df 100644 { int i; int result = -EFAULT; -@@ -752,7 +770,7 @@ int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls) +@@ -727,7 +745,7 @@ int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls) mutex_lock(&ipa3_ctx->lock); for (i = 0; i < hdls->num_hdls; i++) { @@ -503,7 +503,7 @@ index b8baa53..523c1df 100644 IPAERR("failed to del hdr %i\n", i); hdls->hdl[i].status = -1; } else { -@@ -773,6 +791,20 @@ bail: +@@ -748,6 +766,20 @@ bail: } /** @@ -524,7 +524,7 @@ index b8baa53..523c1df 100644 * ipa3_add_hdr_proc_ctx() - add the specified headers to SW * and optionally commit them to IPA HW * @proc_ctxs: [inout] set of processing context headers to add -@@ -817,16 +849,18 @@ bail: +@@ -792,16 +824,18 @@ bail: } /** @@ -545,7 +545,7 @@ index b8baa53..523c1df 100644 { int i; int result; -@@ -838,7 +872,7 @@ int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) +@@ -813,7 +847,7 @@ int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) mutex_lock(&ipa3_ctx->lock); for (i = 0; i < hdls->num_hdls; i++) { @@ -554,7 +554,7 @@ index b8baa53..523c1df 100644 IPAERR("failed to del hdr %i\n", i); hdls->hdl[i].status = -1; } else { -@@ -859,6 +893,21 @@ bail: +@@ -834,6 +868,21 @@ bail: } /** @@ -576,7 +576,7 @@ index b8baa53..523c1df 100644 * ipa3_commit_hdr() - commit to IPA HW the current header table in SW * * Returns: 0 on success, negative on failure -@@ -1079,7 +1128,7 @@ int __ipa3_release_hdr(u32 hdr_hdl) +@@ -1061,7 +1110,7 @@ int __ipa3_release_hdr(u32 hdr_hdl) { int result = 0; @@ -585,7 +585,7 @@ index b8baa53..523c1df 100644 IPADBG("fail to del hdr %x\n", hdr_hdl); result = -EFAULT; goto bail; -@@ -1107,7 +1156,7 @@ int __ipa3_release_hdr_proc_ctx(u32 proc_ctx_hdl) +@@ -1089,7 +1138,7 @@ int __ipa3_release_hdr_proc_ctx(u32 proc_ctx_hdl) { int result = 0; @@ -595,10 +595,10 @@ index b8baa53..523c1df 100644 result = -EFAULT; goto bail; 
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_i.h b/drivers/platform/msm/ipa/ipa_v3/ipa_i.h -index b4a9ac3..b2e6b90 100644 +index a6c74973..3f19c21 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_i.h +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_i.h -@@ -430,6 +430,7 @@ struct ipa3_rt_tbl { +@@ -316,6 +316,7 @@ struct ipa3_rt_tbl { * @id: header entry id * @is_eth2_ofst_valid: is eth2_ofst field valid? * @eth2_ofst: offset to start of Ethernet-II/802.3 header @@ -606,7 +606,7 @@ index b4a9ac3..b2e6b90 100644 */ struct ipa3_hdr_entry { struct list_head link; -@@ -447,6 +448,7 @@ struct ipa3_hdr_entry { +@@ -333,6 +334,7 @@ struct ipa3_hdr_entry { int id; u8 is_eth2_ofst_valid; u16 eth2_ofst; @@ -614,7 +614,7 @@ index b4a9ac3..b2e6b90 100644 }; /** -@@ -522,6 +524,7 @@ struct ipa3_hdr_proc_ctx_add_hdr_cmd_seq { +@@ -372,6 +374,7 @@ struct ipa3_hdr_proc_ctx_offset_entry { * @cookie: cookie used for validity check * @ref_cnt: reference counter of routing table * @id: processing context header entry id @@ -622,7 +622,7 @@ index b4a9ac3..b2e6b90 100644 */ struct ipa3_hdr_proc_ctx_entry { struct list_head link; -@@ -531,6 +534,7 @@ struct ipa3_hdr_proc_ctx_entry { +@@ -381,6 +384,7 @@ struct ipa3_hdr_proc_ctx_entry { u32 cookie; u32 ref_cnt; int id; @@ -630,7 +630,7 @@ index b4a9ac3..b2e6b90 100644 }; /** -@@ -1816,6 +1820,8 @@ int ipa3_add_hdr(struct ipa_ioc_add_hdr *hdrs); +@@ -1520,6 +1524,8 @@ int ipa3_add_hdr(struct ipa_ioc_add_hdr *hdrs); int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls); @@ -639,7 +639,7 @@ index b4a9ac3..b2e6b90 100644 int ipa3_commit_hdr(void); int ipa3_reset_hdr(void); -@@ -1833,6 +1839,9 @@ int ipa3_add_hdr_proc_ctx(struct ipa_ioc_add_hdr_proc_ctx *proc_ctxs); +@@ -1537,6 +1543,9 @@ int ipa3_add_hdr_proc_ctx(struct ipa_ioc_add_hdr_proc_ctx *proc_ctxs); int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls); 
@@ -649,7 +649,7 @@ index b4a9ac3..b2e6b90 100644 /* * Routing */ -@@ -2175,7 +2184,7 @@ int ipa3_active_clients_log_print_table(char *buf, int size); +@@ -1842,7 +1851,7 @@ int ipa3_active_clients_log_print_table(char *buf, int size); void ipa3_active_clients_log_clear(void); int ipa3_interrupts_init(u32 ipa_irq, u32 ee, struct device *ipa_dev); int __ipa3_del_rt_rule(u32 rule_hdl); diff --git a/Patches/Linux_CVEs/CVE-2017-0525/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-0525/4.4/0003.patch new file mode 100644 index 00000000..f26370ee --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0525/4.4/0003.patch 
@@ -0,0 +1,669 @@ +From 7452cc75cbd363107a1e5d4c5f1327d3edc797ef Mon Sep 17 00:00:00 2001 +From: Ghanim Fodi +Date: Thu, 12 Jan 2017 15:14:15 +0200 +Subject: msm: ipa: Prevent multiple header deletion from user space + +An IPA header or processing context can be added once +and later deleted once from user space. +Multiple deletion may cause invalid state of the headers +software cache. + +Change-Id: Ic0b8472b7fd8a76233a007d90c832af726184574 +CRs-fixed: 1097714 +Signed-off-by: Ghanim Fodi +--- + drivers/platform/msm/ipa/ipa_v2/ipa.c | 13 ++--- + drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c | 79 +++++++++++++++++++++++++------ + drivers/platform/msm/ipa/ipa_v2/ipa_i.h | 11 ++++- + drivers/platform/msm/ipa/ipa_v3/ipa.c | 13 ++--- + drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c | 79 +++++++++++++++++++++++++------ + drivers/platform/msm/ipa/ipa_v3/ipa_i.h | 13 ++++- + 6 files changed, 163 insertions(+), 45 deletions(-) + +diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa.c b/drivers/platform/msm/ipa/ipa_v2/ipa.c +index d82651f..09ec845 100644 +--- a/drivers/platform/msm/ipa/ipa_v2/ipa.c ++++ b/drivers/platform/msm/ipa/ipa_v2/ipa.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -733,7 +733,8 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + retval = -EFAULT; + break; + } +- if (ipa2_del_hdr((struct ipa_ioc_del_hdr *)param)) { ++ if (ipa2_del_hdr_by_user((struct ipa_ioc_del_hdr *)param, ++ true)) { + retval = -EFAULT; + break; + } +@@ -1417,8 +1418,8 @@ static long ipa_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + retval = -EFAULT; + break; + } +- if (ipa2_del_hdr_proc_ctx( +- (struct ipa_ioc_del_hdr_proc_ctx *)param)) { ++ if (ipa2_del_hdr_proc_ctx_by_user( ++ (struct ipa_ioc_del_hdr_proc_ctx *)param, true)) { + retval = -EFAULT; + break; + } +@@ -2715,7 +2716,7 @@ fail_schedule_delayed_work: + if (ipa_ctx->dflt_v4_rt_rule_hdl) + __ipa_del_rt_rule(ipa_ctx->dflt_v4_rt_rule_hdl); + if (ipa_ctx->excp_hdr_hdl) +- __ipa_del_hdr(ipa_ctx->excp_hdr_hdl); ++ __ipa_del_hdr(ipa_ctx->excp_hdr_hdl, false); + ipa2_teardown_sys_pipe(ipa_ctx->clnt_hdl_cmd); + fail_cmd: + return result; +@@ -2727,7 +2728,7 @@ static void ipa_teardown_apps_pipes(void) + ipa2_teardown_sys_pipe(ipa_ctx->clnt_hdl_data_in); + __ipa_del_rt_rule(ipa_ctx->dflt_v6_rt_rule_hdl); + __ipa_del_rt_rule(ipa_ctx->dflt_v4_rt_rule_hdl); +- __ipa_del_hdr(ipa_ctx->excp_hdr_hdl); ++ __ipa_del_hdr(ipa_ctx->excp_hdr_hdl, false); + ipa2_teardown_sys_pipe(ipa_ctx->clnt_hdl_cmd); + } + +diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c +index 40d42e17..51f34f0 100644 +--- a/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c ++++ b/drivers/platform/msm/ipa/ipa_v2/ipa_hdr.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -741,7 +741,8 @@ error: + return -EPERM; + } + +-static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) ++static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, ++ bool release_hdr, bool by_user) + { + struct ipa_hdr_proc_ctx_entry *entry; + struct ipa_hdr_proc_ctx_tbl *htbl = &ipa_ctx->hdr_proc_ctx_tbl; +@@ -755,6 +756,14 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) + IPADBG("del ctx proc cnt=%d ofst=%d\n", + htbl->proc_ctx_cnt, entry->offset_entry->offset); + ++ if (by_user && entry->user_deleted) { ++ IPAERR("proc_ctx already deleted by user\n"); ++ return -EINVAL; ++ } ++ ++ if (by_user) ++ entry->user_deleted = true; ++ + if (--entry->ref_cnt) { + IPADBG("proc_ctx_hdl %x ref_cnt %d\n", + proc_ctx_hdl, entry->ref_cnt); +@@ -762,7 +771,7 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) + } + + if (release_hdr) +- __ipa_del_hdr(entry->hdr->id); ++ __ipa_del_hdr(entry->hdr->id, false); + + /* move the offset entry to appropriate free list */ + list_move(&entry->offset_entry->link, +@@ -779,7 +788,7 @@ static int __ipa_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) + } + + +-int __ipa_del_hdr(u32 hdr_hdl) ++int __ipa_del_hdr(u32 hdr_hdl, bool by_user) + { + struct ipa_hdr_entry *entry; + struct ipa_hdr_tbl *htbl = &ipa_ctx->hdr_tbl; +@@ -790,7 +799,7 @@ int __ipa_del_hdr(u32 hdr_hdl) + return -EINVAL; + } + +- if (!entry || (entry->cookie != IPA_COOKIE)) { ++ if (entry->cookie != IPA_COOKIE) { + IPAERR("bad parm\n"); + return -EINVAL; + } +@@ -802,6 +811,14 @@ int __ipa_del_hdr(u32 hdr_hdl) + IPADBG("del hdr of sz=%d hdr_cnt=%d ofst=%d\n", entry->hdr_len, + htbl->hdr_cnt, entry->offset_entry->offset); + ++ if (by_user && entry->user_deleted) { ++ IPAERR("hdr already deleted by user\n"); ++ return -EINVAL; ++ } ++ ++ if (by_user) ++ 
entry->user_deleted = true; ++ + if (--entry->ref_cnt) { + IPADBG("hdr_hdl %x ref_cnt %d\n", hdr_hdl, entry->ref_cnt); + return 0; +@@ -812,7 +829,7 @@ int __ipa_del_hdr(u32 hdr_hdl) + entry->phys_base, + entry->hdr_len, + DMA_TO_DEVICE); +- __ipa_del_hdr_proc_ctx(entry->proc_ctx->id, false); ++ __ipa_del_hdr_proc_ctx(entry->proc_ctx->id, false, false); + } else { + /* move the offset entry to appropriate free list */ + list_move(&entry->offset_entry->link, +@@ -879,15 +896,16 @@ bail: + } + + /** +- * ipa2_del_hdr() - Remove the specified headers from SW and optionally commit them +- * to IPA HW ++ * ipa2_del_hdr_by_user() - Remove the specified headers ++ * from SW and optionally commit them to IPA HW + * @hdls: [inout] set of headers to delete ++ * @by_user: Operation requested by user? + * + * Returns: 0 on success, negative on failure + * + * Note: Should not be called from atomic context + */ +-int ipa2_del_hdr(struct ipa_ioc_del_hdr *hdls) ++int ipa2_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user) + { + int i; + int result = -EFAULT; +@@ -904,7 +922,7 @@ int ipa2_del_hdr(struct ipa_ioc_del_hdr *hdls) + + mutex_lock(&ipa_ctx->lock); + for (i = 0; i < hdls->num_hdls; i++) { +- if (__ipa_del_hdr(hdls->hdl[i].hdl)) { ++ if (__ipa_del_hdr(hdls->hdl[i].hdl, by_user)) { + IPAERR("failed to del hdr %i\n", i); + hdls->hdl[i].status = -1; + } else { +@@ -925,6 +943,20 @@ bail: + } + + /** ++ * ipa2_del_hdr() - Remove the specified headers from SW ++ * and optionally commit them to IPA HW ++ * @hdls: [inout] set of headers to delete ++ * ++ * Returns: 0 on success, negative on failure ++ * ++ * Note: Should not be called from atomic context ++ */ ++int ipa2_del_hdr(struct ipa_ioc_del_hdr *hdls) ++{ ++ return ipa2_del_hdr_by_user(hdls, false); ++} ++ ++/** + * ipa2_add_hdr_proc_ctx() - add the specified headers to SW + * and optionally commit them to IPA HW + * @proc_ctxs: [inout] set of processing context headers to add +@@ -976,16 +1008,18 @@ bail: + } + + 
/** +- * ipa2_del_hdr_proc_ctx() - ++ * ipa2_del_hdr_proc_ctx_by_user() - + * Remove the specified processing context headers from SW and + * optionally commit them to IPA HW. + * @hdls: [inout] set of processing context headers to delete ++ * @by_user: Operation requested by user? + * + * Returns: 0 on success, negative on failure + * + * Note: Should not be called from atomic context + */ +-int ipa2_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) ++int ipa2_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls, ++ bool by_user) + { + int i; + int result; +@@ -1004,7 +1038,7 @@ int ipa2_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) + + mutex_lock(&ipa_ctx->lock); + for (i = 0; i < hdls->num_hdls; i++) { +- if (__ipa_del_hdr_proc_ctx(hdls->hdl[i].hdl, true)) { ++ if (__ipa_del_hdr_proc_ctx(hdls->hdl[i].hdl, true, by_user)) { + IPAERR("failed to del hdr %i\n", i); + hdls->hdl[i].status = -1; + } else { +@@ -1025,6 +1059,21 @@ bail: + } + + /** ++ * ipa2_del_hdr_proc_ctx() - ++ * Remove the specified processing context headers from SW and ++ * optionally commit them to IPA HW. 
++ * @hdls: [inout] set of processing context headers to delete ++ * ++ * Returns: 0 on success, negative on failure ++ * ++ * Note: Should not be called from atomic context ++ */ ++int ipa2_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) ++{ ++ return ipa2_del_hdr_proc_ctx_by_user(hdls, false); ++} ++ ++/** + * ipa2_commit_hdr() - commit to IPA HW the current header table in SW + * + * Returns: 0 on success, negative on failure +@@ -1252,7 +1301,7 @@ int __ipa_release_hdr(u32 hdr_hdl) + { + int result = 0; + +- if (__ipa_del_hdr(hdr_hdl)) { ++ if (__ipa_del_hdr(hdr_hdl, false)) { + IPADBG("fail to del hdr %x\n", hdr_hdl); + result = -EFAULT; + goto bail; +@@ -1280,7 +1329,7 @@ int __ipa_release_hdr_proc_ctx(u32 proc_ctx_hdl) + { + int result = 0; + +- if (__ipa_del_hdr_proc_ctx(proc_ctx_hdl, true)) { ++ if (__ipa_del_hdr_proc_ctx(proc_ctx_hdl, true, false)) { + IPADBG("fail to del hdr %x\n", proc_ctx_hdl); + result = -EFAULT; + goto bail; +diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_i.h b/drivers/platform/msm/ipa/ipa_v2/ipa_i.h +index 967036a..2c2a9c6 100644 +--- a/drivers/platform/msm/ipa/ipa_v2/ipa_i.h ++++ b/drivers/platform/msm/ipa/ipa_v2/ipa_i.h +@@ -281,6 +281,7 @@ struct ipa_rt_tbl { + * @id: header entry id + * @is_eth2_ofst_valid: is eth2_ofst field valid? + * @eth2_ofst: offset to start of Ethernet-II/802.3 header ++ * @user_deleted: is the header deleted by the user? + */ + struct ipa_hdr_entry { + struct list_head link; +@@ -298,6 +299,7 @@ struct ipa_hdr_entry { + int id; + u8 is_eth2_ofst_valid; + u16 eth2_ofst; ++ bool user_deleted; + }; + + /** +@@ -361,6 +363,7 @@ struct ipa_hdr_proc_ctx_add_hdr_cmd_seq { + * @cookie: cookie used for validity check + * @ref_cnt: reference counter of routing table + * @id: processing context header entry id ++ * @user_deleted: is the hdr processing context deleted by the user? 
+ */ + struct ipa_hdr_proc_ctx_entry { + struct list_head link; +@@ -370,6 +373,7 @@ struct ipa_hdr_proc_ctx_entry { + u32 cookie; + u32 ref_cnt; + int id; ++ bool user_deleted; + }; + + /** +@@ -1400,6 +1404,8 @@ int ipa2_add_hdr(struct ipa_ioc_add_hdr *hdrs); + + int ipa2_del_hdr(struct ipa_ioc_del_hdr *hdls); + ++int ipa2_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user); ++ + int ipa2_commit_hdr(void); + + int ipa2_reset_hdr(void); +@@ -1417,6 +1423,9 @@ int ipa2_add_hdr_proc_ctx(struct ipa_ioc_add_hdr_proc_ctx *proc_ctxs); + + int ipa2_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls); + ++int ipa2_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls, ++ bool by_user); ++ + /* + * Routing + */ +@@ -1709,7 +1718,7 @@ int ipa2_active_clients_log_print_table(char *buf, int size); + void ipa2_active_clients_log_clear(void); + int ipa_interrupts_init(u32 ipa_irq, u32 ee, struct device *ipa_dev); + int __ipa_del_rt_rule(u32 rule_hdl); +-int __ipa_del_hdr(u32 hdr_hdl); ++int __ipa_del_hdr(u32 hdr_hdl, bool by_user); + int __ipa_release_hdr(u32 hdr_hdl); + int __ipa_release_hdr_proc_ctx(u32 proc_ctx_hdl); + int _ipa_read_gen_reg_v1_1(char *buff, int max_len); +diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa.c b/drivers/platform/msm/ipa/ipa_v3/ipa.c +index 3d276b0..2da3b0d 100644 +--- a/drivers/platform/msm/ipa/ipa_v3/ipa.c ++++ b/drivers/platform/msm/ipa/ipa_v3/ipa.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -784,7 +784,8 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + retval = -EFAULT; + break; + } +- if (ipa3_del_hdr((struct ipa_ioc_del_hdr *)param)) { ++ if (ipa3_del_hdr_by_user((struct ipa_ioc_del_hdr *)param, ++ true)) { + retval = -EFAULT; + break; + } +@@ -1553,8 +1554,8 @@ static long ipa3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) + retval = -EFAULT; + break; + } +- if (ipa3_del_hdr_proc_ctx( +- (struct ipa_ioc_del_hdr_proc_ctx *)param)) { ++ if (ipa3_del_hdr_proc_ctx_by_user( ++ (struct ipa_ioc_del_hdr_proc_ctx *)param, true)) { + retval = -EFAULT; + break; + } +@@ -2921,7 +2922,7 @@ fail_schedule_delayed_work: + if (ipa3_ctx->dflt_v4_rt_rule_hdl) + __ipa3_del_rt_rule(ipa3_ctx->dflt_v4_rt_rule_hdl); + if (ipa3_ctx->excp_hdr_hdl) +- __ipa3_del_hdr(ipa3_ctx->excp_hdr_hdl); ++ __ipa3_del_hdr(ipa3_ctx->excp_hdr_hdl, false); + ipa3_teardown_sys_pipe(ipa3_ctx->clnt_hdl_cmd); + fail_cmd: + return result; +@@ -2933,7 +2934,7 @@ static void ipa3_teardown_apps_pipes(void) + ipa3_teardown_sys_pipe(ipa3_ctx->clnt_hdl_data_in); + __ipa3_del_rt_rule(ipa3_ctx->dflt_v6_rt_rule_hdl); + __ipa3_del_rt_rule(ipa3_ctx->dflt_v4_rt_rule_hdl); +- __ipa3_del_hdr(ipa3_ctx->excp_hdr_hdl); ++ __ipa3_del_hdr(ipa3_ctx->excp_hdr_hdl, false); + ipa3_teardown_sys_pipe(ipa3_ctx->clnt_hdl_cmd); + } + +diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c +index 93fa149..69dca76 100644 +--- a/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c ++++ b/drivers/platform/msm/ipa/ipa_v3/ipa_hdr.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -576,7 +576,8 @@ error: + return -EPERM; + } + +-static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) ++static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, ++ bool release_hdr, bool by_user) + { + struct ipa3_hdr_proc_ctx_entry *entry; + struct ipa3_hdr_proc_ctx_tbl *htbl = &ipa3_ctx->hdr_proc_ctx_tbl; +@@ -590,6 +591,14 @@ static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) + IPADBG("del proc ctx cnt=%d ofst=%d\n", + htbl->proc_ctx_cnt, entry->offset_entry->offset); + ++ if (by_user && entry->user_deleted) { ++ IPAERR("proc_ctx already deleted by user\n"); ++ return -EINVAL; ++ } ++ ++ if (by_user) ++ entry->user_deleted = true; ++ + if (--entry->ref_cnt) { + IPADBG("proc_ctx_hdl %x ref_cnt %d\n", + proc_ctx_hdl, entry->ref_cnt); +@@ -597,7 +606,7 @@ static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) + } + + if (release_hdr) +- __ipa3_del_hdr(entry->hdr->id); ++ __ipa3_del_hdr(entry->hdr->id, false); + + /* move the offset entry to appropriate free list */ + list_move(&entry->offset_entry->link, +@@ -614,7 +623,7 @@ static int __ipa3_del_hdr_proc_ctx(u32 proc_ctx_hdl, bool release_hdr) + } + + +-int __ipa3_del_hdr(u32 hdr_hdl) ++int __ipa3_del_hdr(u32 hdr_hdl, bool by_user) + { + struct ipa3_hdr_entry *entry; + struct ipa3_hdr_tbl *htbl = &ipa3_ctx->hdr_tbl; +@@ -625,7 +634,7 @@ int __ipa3_del_hdr(u32 hdr_hdl) + return -EINVAL; + } + +- if (!entry || (entry->cookie != IPA_COOKIE)) { ++ if (entry->cookie != IPA_COOKIE) { + IPAERR("bad parm\n"); + return -EINVAL; + } +@@ -638,6 +647,14 @@ int __ipa3_del_hdr(u32 hdr_hdl) + entry->hdr_len, htbl->hdr_cnt, + entry->offset_entry->offset); + ++ if (by_user && entry->user_deleted) { ++ IPAERR("proc_ctx already deleted by user\n"); ++ return -EINVAL; ++ } ++ ++ if (by_user) ++ entry->user_deleted = true; ++ + if 
(--entry->ref_cnt) { + IPADBG("hdr_hdl %x ref_cnt %d\n", hdr_hdl, entry->ref_cnt); + return 0; +@@ -648,7 +665,7 @@ int __ipa3_del_hdr(u32 hdr_hdl) + entry->phys_base, + entry->hdr_len, + DMA_TO_DEVICE); +- __ipa3_del_hdr_proc_ctx(entry->proc_ctx->id, false); ++ __ipa3_del_hdr_proc_ctx(entry->proc_ctx->id, false, false); + } else { + /* move the offset entry to appropriate free list */ + list_move(&entry->offset_entry->link, +@@ -710,15 +727,16 @@ bail: + } + + /** +- * ipa3_del_hdr() - Remove the specified headers from SW and optionally commit them +- * to IPA HW ++ * ipa3_del_hdr_by_user() - Remove the specified headers ++ * from SW and optionally commit them to IPA HW + * @hdls: [inout] set of headers to delete ++ * @by_user: Operation requested by user? + * + * Returns: 0 on success, negative on failure + * + * Note: Should not be called from atomic context + */ +-int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls) ++int ipa3_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user) + { + int i; + int result = -EFAULT; +@@ -730,7 +748,7 @@ int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls) + + mutex_lock(&ipa3_ctx->lock); + for (i = 0; i < hdls->num_hdls; i++) { +- if (__ipa3_del_hdr(hdls->hdl[i].hdl)) { ++ if (__ipa3_del_hdr(hdls->hdl[i].hdl, by_user)) { + IPAERR("failed to del hdr %i\n", i); + hdls->hdl[i].status = -1; + } else { +@@ -751,6 +769,20 @@ bail: + } + + /** ++ * ipa3_del_hdr() - Remove the specified headers from SW ++ * and optionally commit them to IPA HW ++ * @hdls: [inout] set of headers to delete ++ * ++ * Returns: 0 on success, negative on failure ++ * ++ * Note: Should not be called from atomic context ++ */ ++int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls) ++{ ++ return ipa3_del_hdr_by_user(hdls, false); ++} ++ ++/** + * ipa3_add_hdr_proc_ctx() - add the specified headers to SW + * and optionally commit them to IPA HW + * @proc_ctxs: [inout] set of processing context headers to add +@@ -795,16 +827,18 @@ bail: + } + + /** +- * 
ipa3_del_hdr_proc_ctx() - ++ * ipa3_del_hdr_proc_ctx_by_user() - + * Remove the specified processing context headers from SW and + * optionally commit them to IPA HW. + * @hdls: [inout] set of processing context headers to delete ++ * @by_user: Operation requested by user? + * + * Returns: 0 on success, negative on failure + * + * Note: Should not be called from atomic context + */ +-int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) ++int ipa3_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls, ++ bool by_user) + { + int i; + int result; +@@ -816,7 +850,7 @@ int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) + + mutex_lock(&ipa3_ctx->lock); + for (i = 0; i < hdls->num_hdls; i++) { +- if (__ipa3_del_hdr_proc_ctx(hdls->hdl[i].hdl, true)) { ++ if (__ipa3_del_hdr_proc_ctx(hdls->hdl[i].hdl, true, by_user)) { + IPAERR("failed to del hdr %i\n", i); + hdls->hdl[i].status = -1; + } else { +@@ -837,6 +871,21 @@ bail: + } + + /** ++ * ipa3_del_hdr_proc_ctx() - ++ * Remove the specified processing context headers from SW and ++ * optionally commit them to IPA HW. 
++ * @hdls: [inout] set of processing context headers to delete ++ * ++ * Returns: 0 on success, negative on failure ++ * ++ * Note: Should not be called from atomic context ++ */ ++int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls) ++{ ++ return ipa3_del_hdr_proc_ctx_by_user(hdls, false); ++} ++ ++/** + * ipa3_commit_hdr() - commit to IPA HW the current header table in SW + * + * Returns: 0 on success, negative on failure +@@ -1064,7 +1113,7 @@ int __ipa3_release_hdr(u32 hdr_hdl) + { + int result = 0; + +- if (__ipa3_del_hdr(hdr_hdl)) { ++ if (__ipa3_del_hdr(hdr_hdl, false)) { + IPADBG("fail to del hdr %x\n", hdr_hdl); + result = -EFAULT; + goto bail; +@@ -1092,7 +1141,7 @@ int __ipa3_release_hdr_proc_ctx(u32 proc_ctx_hdl) + { + int result = 0; + +- if (__ipa3_del_hdr_proc_ctx(proc_ctx_hdl, true)) { ++ if (__ipa3_del_hdr_proc_ctx(proc_ctx_hdl, true, false)) { + IPADBG("fail to del hdr %x\n", proc_ctx_hdl); + result = -EFAULT; + goto bail; +diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_i.h b/drivers/platform/msm/ipa/ipa_v3/ipa_i.h +index fe7c88a..b3ce524 100644 +--- a/drivers/platform/msm/ipa/ipa_v3/ipa_i.h ++++ b/drivers/platform/msm/ipa/ipa_v3/ipa_i.h +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -279,6 +279,7 @@ struct ipa3_rt_tbl { + * @id: header entry id + * @is_eth2_ofst_valid: is eth2_ofst field valid? + * @eth2_ofst: offset to start of Ethernet-II/802.3 header ++ * @user_deleted: is the header deleted by the user? 
+ */ + struct ipa3_hdr_entry { + struct list_head link; +@@ -296,6 +297,7 @@ struct ipa3_hdr_entry { + int id; + u8 is_eth2_ofst_valid; + u16 eth2_ofst; ++ bool user_deleted; + }; + + /** +@@ -335,6 +337,7 @@ struct ipa3_hdr_proc_ctx_offset_entry { + * @cookie: cookie used for validity check + * @ref_cnt: reference counter of routing table + * @id: processing context header entry id ++ * @user_deleted: is the hdr processing context deleted by the user? + */ + struct ipa3_hdr_proc_ctx_entry { + struct list_head link; +@@ -344,6 +347,7 @@ struct ipa3_hdr_proc_ctx_entry { + u32 cookie; + u32 ref_cnt; + int id; ++ bool user_deleted; + }; + + /** +@@ -1548,6 +1552,8 @@ int ipa3_add_hdr(struct ipa_ioc_add_hdr *hdrs); + + int ipa3_del_hdr(struct ipa_ioc_del_hdr *hdls); + ++int ipa3_del_hdr_by_user(struct ipa_ioc_del_hdr *hdls, bool by_user); ++ + int ipa3_commit_hdr(void); + + int ipa3_reset_hdr(void); +@@ -1565,6 +1571,9 @@ int ipa3_add_hdr_proc_ctx(struct ipa_ioc_add_hdr_proc_ctx *proc_ctxs); + + int ipa3_del_hdr_proc_ctx(struct ipa_ioc_del_hdr_proc_ctx *hdls); + ++int ipa3_del_hdr_proc_ctx_by_user(struct ipa_ioc_del_hdr_proc_ctx *hdls, ++ bool by_user); ++ + /* + * Routing + */ +@@ -1869,7 +1878,7 @@ int ipa3_active_clients_log_print_table(char *buf, int size); + void ipa3_active_clients_log_clear(void); + int ipa3_interrupts_init(u32 ipa_irq, u32 ee, struct device *ipa_dev); + int __ipa3_del_rt_rule(u32 rule_hdl); +-int __ipa3_del_hdr(u32 hdr_hdl); ++int __ipa3_del_hdr(u32 hdr_hdl, bool by_user); + int __ipa3_release_hdr(u32 hdr_hdl); + int __ipa3_release_hdr_proc_ctx(u32 proc_ctx_hdl); + int _ipa_read_ep_reg_v3_0(char *buf, int max_len, int pipe); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-0531/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0531/3.18/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0531/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0531/3.18/0001.patch 
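Review bot: The new `user_deleted` check in `__ipa_del_hdr`, `__ipa3_del_hdr` and the two `*_del_hdr_proc_ctx` helpers only stops a second user-space delete; the first `by_user` delete of any valid handle still reaches `--entry->ref_cnt`, and nothing in these hunks records whether the entry was added from user space. If handles of driver-owned entries can be passed through the ioctl (not visible here), a reference held by the driver can still be dropped once, so the add path should record the origin and the delete path should reject `by_user` requests for entries user space did not add. Until then a comment at the check would make the limit explicit, e.g. `/* user_deleted blocks a repeated user delete only; it does not prove user space added this entry */`. Separately, `__ipa3_del_hdr` logs `"proc_ctx already deleted by user\n"` for a header; it should read `IPAERR("hdr already deleted by user\n");` as the v2 function does, so that log triage points at the right table.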
diff --git a/Patches/Linux_CVEs/CVE-2017-0531/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-0531/4.4/0002.patch new file mode 100644 index 00000000..c2daf375 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-0531/4.4/0002.patch 
@@ -0,0 +1,275 @@ +From d342da7d820af9c7c0b0b8049adb53beb713e0f0 Mon Sep 17 00:00:00 2001 +From: Bhalchandra Gajare +Date: Thu, 15 Dec 2016 16:43:45 -0800 +Subject: ASoC: msm-lsm-client: cleanup ioctl functions + +Some of the ioctl command handling is not properly using the +copy_from_user interface. Fix these issues and cleanup the ioctl +functions to make sure there is no illegal memory access. + +CRs-Fixed: 1087469 +Change-Id: Ieb1beb92e7854a05b8045de0ce179d12c9a6da74 +Signed-off-by: Bhalchandra Gajare +--- + sound/soc/msm/qdsp6v2/msm-lsm-client.c | 131 ++++++++++----------------------- + 1 file changed, 40 insertions(+), 91 deletions(-) + +diff --git a/sound/soc/msm/qdsp6v2/msm-lsm-client.c b/sound/soc/msm/qdsp6v2/msm-lsm-client.c +index 52830c9..efb6644e 100644 +--- a/sound/soc/msm/qdsp6v2/msm-lsm-client.c ++++ b/sound/soc/msm/qdsp6v2/msm-lsm-client.c +@@ -730,8 +730,13 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream, + switch (cmd) { + case SNDRV_LSM_SET_SESSION_DATA: + dev_dbg(rtd->dev, "%s: set session data\n", __func__); +- memcpy(&session_data, arg, +- sizeof(struct snd_lsm_session_data)); ++ if (copy_from_user(&session_data, arg, ++ sizeof(session_data))) { ++ dev_err(rtd->dev, "%s: %s: copy_from_user failed\n", ++ __func__, "LSM_SET_SESSION_DATA"); ++ return -EFAULT; ++ } ++ + if (session_data.app_id != LSM_VOICE_WAKEUP_APP_ID_V2) { + dev_err(rtd->dev, + "%s:Invalid App id %d for Listen client\n", +@@ -820,13 +825,6 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream, + break; + + case SNDRV_LSM_SET_PARAMS: +- if (!arg) { +- dev_err(rtd->dev, +- "%s: %s Invalid argument\n", +- __func__, "SNDRV_LSM_SET_PARAMS"); +- return -EINVAL; +- } +- + dev_dbg(rtd->dev, "%s: set_params\n", __func__); + memcpy(&det_params, arg, + sizeof(det_params)); +@@ -978,45 +976,43 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream, + break; + } + case SNDRV_LSM_LAB_CONTROL: { +- u32 *enable = NULL; +- if (!arg) { +- 
dev_err(rtd->dev, +- "%s: Invalid param arg for ioctl %s session %d\n", +- __func__, "SNDRV_LSM_LAB_CONTROL", +- prtd->lsm_client->session); +- rc = -EINVAL; +- break; ++ u32 enable; ++ ++ if (copy_from_user(&enable, arg, sizeof(enable))) { ++ dev_err(rtd->dev, "%s: %s: copy_frm_user failed\n", ++ __func__, "LSM_LAB_CONTROL"); ++ return -EFAULT; + } +- enable = (int *)arg; ++ + dev_dbg(rtd->dev, "%s: ioctl %s, enable = %d\n", +- __func__, "SNDRV_LSM_LAB_CONTROL", *enable); ++ __func__, "SNDRV_LSM_LAB_CONTROL", enable); + if (!prtd->lsm_client->started) { +- if (prtd->lsm_client->lab_enable == *enable) { ++ if (prtd->lsm_client->lab_enable == enable) { + dev_dbg(rtd->dev, + "%s: Lab for session %d already %s\n", + __func__, prtd->lsm_client->session, +- ((*enable) ? "enabled" : "disabled")); ++ enable ? "enabled" : "disabled"); + rc = 0; + break; + } +- rc = q6lsm_lab_control(prtd->lsm_client, *enable); ++ rc = q6lsm_lab_control(prtd->lsm_client, enable); + if (rc) { + dev_err(rtd->dev, + "%s: ioctl %s failed rc %d to %s lab for session %d\n", + __func__, "SNDRV_LAB_CONTROL", rc, +- ((*enable) ? "enable" : "disable"), ++ enable ? "enable" : "disable", + prtd->lsm_client->session); + } else { + rc = msm_lsm_lab_buffer_alloc(prtd, +- ((*enable) ? LAB_BUFFER_ALLOC +- : LAB_BUFFER_DEALLOC)); ++ enable ? LAB_BUFFER_ALLOC ++ : LAB_BUFFER_DEALLOC); + if (rc) + dev_err(rtd->dev, + "%s: msm_lsm_lab_buffer_alloc failed rc %d for %s", + __func__, rc, +- ((*enable) ? "ALLOC" : "DEALLOC")); ++ enable ? 
"ALLOC" : "DEALLOC"); + if (!rc) +- prtd->lsm_client->lab_enable = *enable; ++ prtd->lsm_client->lab_enable = enable; + } + } else { + dev_err(rtd->dev, "%s: ioctl %s issued after start", +@@ -1057,12 +1053,6 @@ static int msm_lsm_ioctl_shared(struct snd_pcm_substream *substream, + return rc; + } + #ifdef CONFIG_COMPAT +-struct snd_lsm_event_status32 { +- u16 status; +- u16 payload_size; +- u8 payload[0]; +-}; +- + struct snd_lsm_sound_model_v2_32 { + compat_uptr_t data; + compat_uptr_t confidence_level; +@@ -1094,8 +1084,6 @@ struct snd_lsm_module_params_32 { + }; + + enum { +- SNDRV_LSM_EVENT_STATUS32 = +- _IOW('U', 0x02, struct snd_lsm_event_status32), + SNDRV_LSM_REG_SND_MODEL_V2_32 = + _IOW('U', 0x07, struct snd_lsm_sound_model_v2_32), + SNDRV_LSM_SET_PARAMS_32 = +@@ -1126,12 +1114,12 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, + prtd = runtime->private_data; + + switch (cmd) { +- case SNDRV_LSM_EVENT_STATUS32: { +- struct snd_lsm_event_status32 userarg32, *user32 = NULL; +- struct snd_lsm_event_status *user = NULL; ++ case SNDRV_LSM_EVENT_STATUS: { ++ struct snd_lsm_event_status *user = NULL, userarg32; ++ struct snd_lsm_event_status *user32 = NULL; + if (copy_from_user(&userarg32, arg, sizeof(userarg32))) { + dev_err(rtd->dev, "%s: err copyuser ioctl %s\n", +- __func__, "SNDRV_LSM_EVENT_STATUS32"); ++ __func__, "SNDRV_LSM_EVENT_STATUS"); + return -EFAULT; + } + +@@ -1285,13 +1273,6 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, + return -EINVAL; + } + +- if (!arg) { +- dev_err(rtd->dev, +- "%s: %s: No Param data to set\n", +- __func__, "SET_MODULE_PARAMS_32"); +- return -EINVAL; +- } +- + if (copy_from_user(&p_data_32, arg, + sizeof(p_data_32))) { + dev_err(rtd->dev, +@@ -1376,6 +1357,19 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream, + kfree(params32); + break; + } ++ case SNDRV_LSM_REG_SND_MODEL_V2: ++ case SNDRV_LSM_SET_PARAMS: ++ case SNDRV_LSM_SET_MODULE_PARAMS: ++ /* ++ * In 
ideal cases, the compat_ioctl should never be called ++ * with the above unlocked ioctl commands. Print error ++ * and return error if it does. ++ */ ++ dev_err(rtd->dev, ++ "%s: Invalid cmd for compat_ioctl\n", ++ __func__); ++ err = -EINVAL; ++ break; + default: + err = msm_lsm_ioctl_shared(substream, cmd, arg); + break; +@@ -1391,7 +1385,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, + { + int err = 0; + u32 size = 0; +- struct snd_lsm_session_data session_data; + struct snd_pcm_runtime *runtime; + struct snd_soc_pcm_runtime *rtd; + struct lsm_priv *prtd; +@@ -1406,26 +1399,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, + rtd = substream->private_data; + + switch (cmd) { +- case SNDRV_LSM_SET_SESSION_DATA: +- dev_dbg(rtd->dev, +- "%s: SNDRV_LSM_SET_SESSION_DATA\n", +- __func__); +- if (copy_from_user(&session_data, (void *)arg, +- sizeof(struct snd_lsm_session_data))) { +- err = -EFAULT; +- dev_err(rtd->dev, +- "%s: copy from user failed, size %zd\n", +- __func__, sizeof(struct snd_lsm_session_data)); +- break; +- } +- if (!err) +- err = msm_lsm_ioctl_shared(substream, +- cmd, &session_data); +- if (err) +- dev_err(rtd->dev, +- "%s REG_SND_MODEL failed err %d\n", +- __func__, err); +- break; + case SNDRV_LSM_REG_SND_MODEL_V2: { + struct snd_lsm_sound_model_v2 snd_model_v2; + +@@ -1436,11 +1409,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, + return -EINVAL; + } + +- if (!arg) { +- dev_err(rtd->dev, +- "%s: Invalid params snd_model\n", __func__); +- return -EINVAL; +- } + if (copy_from_user(&snd_model_v2, arg, sizeof(snd_model_v2))) { + err = -EFAULT; + dev_err(rtd->dev, +@@ -1469,12 +1437,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, + } + + pr_debug("%s: SNDRV_LSM_SET_PARAMS\n", __func__); +- if (!arg) { +- dev_err(rtd->dev, +- "%s: %s, Invalid params\n", +- __func__, "SNDRV_LSM_SET_PARAMS"); +- return -EINVAL; +- } + + if (copy_from_user(&det_params, arg, + sizeof(det_params))) { 
+@@ -1507,13 +1469,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, + return -EINVAL; + } + +- if (!arg) { +- dev_err(rtd->dev, +- "%s: %s: No Param data to set\n", +- __func__, "SET_MODULE_PARAMS"); +- return -EINVAL; +- } +- + if (copy_from_user(&p_data, arg, + sizeof(p_data))) { + dev_err(rtd->dev, +@@ -1571,12 +1526,6 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream, + struct snd_lsm_event_status *user = NULL, userarg; + dev_dbg(rtd->dev, + "%s: SNDRV_LSM_EVENT_STATUS\n", __func__); +- if (!arg) { +- dev_err(rtd->dev, +- "%s: Invalid params event status\n", +- __func__); +- return -EINVAL; +- } + if (copy_from_user(&userarg, arg, sizeof(userarg))) { + dev_err(rtd->dev, + "%s: err copyuser event_status\n", +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-0533/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0533/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0533/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0533/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0534/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0534/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0534/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0534/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0535/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0535/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0535/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0535/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0535/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0535/ANY/0001.patch.base64 similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0535/ANY/0.patch.base64 rename to Patches/Linux_CVEs/CVE-2017-0535/ANY/0001.patch.base64 
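Review bot: In `msm_lsm_ioctl_shared`, the `SNDRV_LSM_SET_PARAMS` case keeps `memcpy(&det_params, arg, sizeof(det_params));` while its `!arg` check is removed, so after this change `arg` is a user pointer for `SNDRV_LSM_SET_SESSION_DATA` and `SNDRV_LSM_LAB_CONTROL` but must be a kernel copy for this case. That appears to hold only because `msm_lsm_ioctl` copies first and the new `msm_lsm_ioctl_compat` cases reject the native command numbers; the function bodies are only partly visible in these hunks, so other callers cannot be ruled out. I would state the contract at the memcpy, `/* arg is a kernel copy made by the caller; a user pointer must never reach this case */`, and longer term give the shared handler separate entry points for the two pointer kinds so they cannot be mixed. Minor: the new message `"%s: %s: copy_frm_user failed\n"` has a typo and should read `copy_from_user`.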
diff --git a/Patches/Linux_CVEs/CVE-2017-0536/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0536/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0536/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0536/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0537/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0537/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0537/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0537/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0564/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-0564/3.10/0.patch deleted file mode 100644 index 85e93ed0..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0564/3.10/0.patch +++ /dev/null 
@@ -1,137 +0,0 @@ -diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c -index c3826ba..3b890ab 100755 ---- a/drivers/staging/android/ion/ion.c -+++ b/drivers/staging/android/ion/ion.c -@@ -113,6 +113,7 @@ - */ - struct ion_handle { - struct kref ref; -+ unsigned int user_ref_count; - struct ion_client *client; - struct ion_buffer *buffer; - struct rb_node node; -@@ -434,6 +435,48 @@ - return ret; - } - -+/* Must hold the client lock */ -+static void user_ion_handle_get(struct ion_handle *handle) -+{ -+ if (handle->user_ref_count++ == 0) -+ kref_get(&handle->ref); -+} -+ -+/* Must hold the client lock */ -+static struct ion_handle *user_ion_handle_get_check_overflow(struct ion_handle *handle) -+{ -+ if (handle->user_ref_count + 1 == 0) -+ return ERR_PTR(-EOVERFLOW); -+ user_ion_handle_get(handle); -+ return handle; -+} -+ -+/* passes a kref to the user ref count. -+ * We know we're holding a kref to the object before and -+ * after this call, so no need to reverify handle. 
*/ -+static struct ion_handle *pass_to_user(struct ion_handle *handle) -+{ -+ struct ion_client *client = handle->client; -+ struct ion_handle *ret; -+ -+ mutex_lock(&client->lock); -+ ret = user_ion_handle_get_check_overflow(handle); -+ ion_handle_put_nolock(handle); -+ mutex_unlock(&client->lock); -+ return ret; -+} -+ -+/* Must hold the client lock */ -+static int user_ion_handle_put_nolock(struct ion_handle *handle) -+{ -+ int ret; -+ -+ if (--handle->user_ref_count == 0) -+ ret = ion_handle_put_nolock(handle); -+ -+ return ret; -+} -+ - static struct ion_handle *ion_handle_lookup(struct ion_client *client, - struct ion_buffer *buffer) - { -@@ -650,6 +693,25 @@ - ion_handle_put_nolock(handle); - } - -+/* Must hold the client lock */ -+static void user_ion_free_nolock(struct ion_client *client, struct ion_handle *handle) -+{ -+ bool valid_handle; -+ -+ BUG_ON(client != handle->client); -+ -+ valid_handle = ion_handle_validate(client, handle); -+ if (!valid_handle) { -+ WARN(1, "%s: invalid handle passed to free.\n", __func__); -+ return; -+ } -+ if (handle->user_ref_count == 0) { -+ WARN(1, "%s: User does not have access!\n", __func__); -+ return; -+ } -+ user_ion_handle_put_nolock(handle); -+} -+ - void ion_free(struct ion_client *client, struct ion_handle *handle) - { - BUG_ON(client != handle->client); -@@ -1472,7 +1534,7 @@ - data.allocation.flags, true); - if (IS_ERR(handle)) - return PTR_ERR(handle); -- -+ pass_to_user(handle); - data.allocation.handle = handle->id; - - cleanup_handle = handle; -@@ -1488,7 +1550,7 @@ - mutex_unlock(&client->lock); - return PTR_ERR(handle); - } -- ion_free_nolock(client, handle); -+ user_ion_free_nolock(client, handle); - ion_handle_put_nolock(handle); - mutex_unlock(&client->lock); - break; -@@ -1511,10 +1573,15 @@ - { - struct ion_handle *handle; - handle = ion_import_dma_buf(client, data.fd.fd); -- if (IS_ERR(handle)) -+ if (IS_ERR(handle)) { - ret = PTR_ERR(handle); -- else -- data.handle.handle = handle->id; -+ } else 
{ -+ handle = pass_to_user(handle); -+ if (IS_ERR(handle)) -+ ret = PTR_ERR(handle); -+ else -+ data.handle.handle = handle->id; -+ } - break; - } - case ION_IOC_SYNC: -@@ -1546,8 +1613,10 @@ - if (dir & _IOC_READ) { - if (copy_to_user((void __user *)arg, &data, _IOC_SIZE(cmd))) { - if (cleanup_handle) { -- ion_free(client, cleanup_handle); -- ion_handle_put(cleanup_handle); -+ mutex_lock(&client->lock); -+ user_ion_free_nolock(client, cleanup_handle); -+ ion_handle_put_nolock(cleanup_handle); -+ mutex_unlock(&client->lock); - } - return -EFAULT; - } diff --git a/Patches/Linux_CVEs/CVE-2017-0564/3.10/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0564/3.10/0.patch.base64 deleted file mode 100644 index 07d6fe79..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0564/3.10/0.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-0564/3.10/1.patch b/Patches/Linux_CVEs/CVE-2017-0564/3.10/1.patch deleted file mode 100644 index 3354d18e..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0564/3.10/1.patch +++ /dev/null 
@@ -1,138 +0,0 @@ -diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c -index ee1c2f3..e99ea9a 100755 ---- a/drivers/staging/android/ion/ion.c -+++ b/drivers/staging/android/ion/ion.c -@@ -116,6 +116,7 @@ - */ - struct ion_handle { - struct kref ref; -+ unsigned int user_ref_count; - struct ion_client *client; - struct ion_buffer *buffer; - struct rb_node node; -@@ -429,6 +430,50 @@ - return ret; - } - -+/* Must hold the client lock */ -+static void user_ion_handle_get(struct ion_handle *handle) -+{ -+ if (handle->user_ref_count++ == 0) { -+ kref_get(&handle->ref); -+ } -+} -+ -+/* Must hold the client lock */ -+static struct ion_handle* user_ion_handle_get_check_overflow(struct ion_handle *handle) -+{ -+ if (handle->user_ref_count + 1 == 0) -+ return ERR_PTR(-EOVERFLOW); -+ user_ion_handle_get(handle); -+ return handle; -+} -+ -+/* passes a kref to the user ref count. -+ * We know we're holding a kref to the object before and -+ * after this call, so no need to reverify handle. 
*/ -+static struct ion_handle* pass_to_user(struct ion_handle *handle) -+{ -+ struct ion_client *client = handle->client; -+ struct ion_handle *ret; -+ -+ mutex_lock(&client->lock); -+ ret = user_ion_handle_get_check_overflow(handle); -+ ion_handle_put_nolock(handle); -+ mutex_unlock(&client->lock); -+ return ret; -+} -+ -+/* Must hold the client lock */ -+static int user_ion_handle_put_nolock(struct ion_handle *handle) -+{ -+ int ret; -+ -+ if (--handle->user_ref_count == 0) { -+ ret = ion_handle_put_nolock(handle); -+ } -+ -+ return ret; -+} -+ - static struct ion_handle *ion_handle_lookup(struct ion_client *client, - struct ion_buffer *buffer) - { -@@ -645,6 +690,24 @@ - ion_handle_put_nolock(handle); - } - -+static void user_ion_free_nolock(struct ion_client *client, struct ion_handle *handle) -+{ -+ bool valid_handle; -+ -+ BUG_ON(client != handle->client); -+ -+ valid_handle = ion_handle_validate(client, handle); -+ if (!valid_handle) { -+ WARN(1, "%s: invalid handle passed to free.\n", __func__); -+ return; -+ } -+ if (!handle->user_ref_count > 0) { -+ WARN(1, "%s: User does not have access!\n", __func__); -+ return; -+ } -+ user_ion_handle_put_nolock(handle); -+} -+ - void ion_free(struct ion_client *client, struct ion_handle *handle) - { - BUG_ON(client != handle->client); -@@ -1439,7 +1502,7 @@ - data.allocation.flags, true); - if (IS_ERR(handle)) - return PTR_ERR(handle); -- -+ pass_to_user(handle); - data.allocation.handle = handle->id; - - cleanup_handle = handle; -@@ -1455,7 +1518,7 @@ - mutex_unlock(&client->lock); - return PTR_ERR(handle); - } -- ion_free_nolock(client, handle); -+ user_ion_free_nolock(client, handle); - ion_handle_put_nolock(handle); - mutex_unlock(&client->lock); - break; -@@ -1478,10 +1541,15 @@ - { - struct ion_handle *handle; - handle = ion_import_dma_buf(client, data.fd.fd); -- if (IS_ERR(handle)) -+ if (IS_ERR(handle)) { - ret = PTR_ERR(handle); -- else -- data.handle.handle = handle->id; -+ } else { -+ handle = 
pass_to_user(handle); -+ if (IS_ERR(handle)) -+ ret = PTR_ERR(handle); -+ else -+ data.handle.handle = handle->id; -+ } - break; - } - case ION_IOC_SYNC: -@@ -1518,8 +1586,10 @@ - if (dir & _IOC_READ) { - if (copy_to_user((void __user *)arg, &data, _IOC_SIZE(cmd))) { - if (cleanup_handle) { -- ion_free(client, cleanup_handle); -- ion_handle_put(cleanup_handle); -+ mutex_lock(&client->lock); -+ user_ion_free_nolock(client, cleanup_handle); -+ ion_handle_put_nolock(cleanup_handle); -+ mutex_unlock(&client->lock); - } - return -EFAULT; - } diff --git a/Patches/Linux_CVEs/CVE-2017-0564/3.10/1.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0564/3.10/1.patch.base64 deleted file mode 100644 index 291e7e6c..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0564/3.10/1.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-0564/ANY/2.patch b/Patches/Linux_CVEs/CVE-2017-0564/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0564/ANY/2.patch rename to Patches/Linux_CVEs/CVE-2017-0564/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0568/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0568/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0568/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0568/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0568/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0568/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0568/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2017-0568/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0569/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-0569/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0569/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2017-0569/3.10/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2017-0570/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-0570/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0570/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2017-0570/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0571/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-0571/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0571/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2017-0571/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0572/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0572/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0572/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0572/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0573/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0573/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0573/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0573/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0574/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0574/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0574/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0574/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0575/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0575/ANY/0001.patch similarity index 63% rename from Patches/Linux_CVEs/CVE-2017-0575/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0575/ANY/0001.patch index a0f7642f..e034def0 100644 --- a/Patches/Linux_CVEs/CVE-2017-0575/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2017-0575/ANY/0001.patch @@ -1,4 +1,4 @@ -From 0440277461826c6f2122ef3ffca51358cc823fd2 Mon Sep 17 00:00:00 2001 +From a4f790c140d9813c3af66a9b367b4568e053278a Mon Sep 17 00:00:00 2001 From: Ashish Kumar Goswami Date: Fri, 23 Dec 2016 13:20:45 +0530 Subject: qcacld-2.0: Avoid integer overflow in wma_enable_arp_ns_offload 
@@ -17,9 +17,9 @@ Change-Id: I5063df9551074e964eef67abeb8afcf104e50808 CRs-Fixed: 1103099 --- CORE/SERVICES/COMMON/wmi_unified_api.h | 4 ++-- - CORE/SERVICES/WMA/wma.c | 7 ++++++- - CORE/SERVICES/WMI/wmi_unified.c | 2 +- - 3 files changed, 9 insertions(+), 4 deletions(-) + CORE/SERVICES/WMA/wma.c | 9 +++++++-- + CORE/SERVICES/WMI/wmi_unified.c | 4 ++-- + 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/CORE/SERVICES/COMMON/wmi_unified_api.h b/CORE/SERVICES/COMMON/wmi_unified_api.h index cd9f923..2912d47 100644 @@ -42,34 +42,48 @@ index cd9f923..2912d47 100644 /** diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c -index 6810329..243c2cc 100644 +index f09c8fd..c802405 100644 --- a/CORE/SERVICES/WMA/wma.c 
+++ b/CORE/SERVICES/WMA/wma.c -@@ -26726,7 +26726,7 @@ static VOS_STATUS wma_enable_arp_ns_offload(tp_wma_handle wma, - WMI_SET_ARP_NS_OFFLOAD_CMD_fixed_param *cmd; +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2013-2016 The Linux Foundation. All rights reserved. ++ * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved. + * + * Previously licensed under the ISC license by Qualcomm Atheros, Inc. + * +@@ -22719,7 +22719,7 @@ static VOS_STATUS wma_enable_arp_ns_offload(tp_wma_handle wma, tpSirHostOffloadR + WMI_ARP_OFFLOAD_TUPLE *arp_tuple; A_UINT8* buf_ptr; wmi_buf_t buf; - int32_t len; + uint32_t len; - VOS_STATUS status = VOS_STATUS_SUCCESS; u_int8_t vdev_id; - tpSirHostOffloadReq ns_offload_req; -@@ -26760,6 +26760,11 @@ static VOS_STATUS wma_enable_arp_ns_offload(tp_wma_handle wma, - count = hostoffloadreq->num_ns_offload_count; - } + uint32_t count = 0, num_ns_ext_tuples = 0; + +@@ -22740,6 +22740,11 @@ static VOS_STATUS wma_enable_arp_ns_offload(tp_wma_handle wma, tpSirHostOffloadR + if (!bArpOnly) + count = pHostOffloadParams->num_ns_offload_count; + if (count >= SIR_MAC_NUM_TARGET_IPV6_NS_OFFLOAD_NA) { -+ status = VOS_STATUS_E_INVAL; -+ goto err_vdev; ++ vos_mem_free(pHostOffloadParams); ++ return VOS_STATUS_E_FAILURE; + } + len = sizeof(WMI_SET_ARP_NS_OFFLOAD_CMD_fixed_param) + - WMI_TLV_HDR_SIZE + /* Add size for array of NS tuples */ + WMI_TLV_HDR_SIZE + // TLV place holder size for array of NS tuples WMI_MAX_NS_OFFLOADS*sizeof(WMI_NS_OFFLOAD_TUPLE) + diff --git a/CORE/SERVICES/WMI/wmi_unified.c b/CORE/SERVICES/WMI/wmi_unified.c -index b0ace6c..150bd3e 100644 +index 463a324..c0663d3 100644 --- a/CORE/SERVICES/WMI/wmi_unified.c +++ b/CORE/SERVICES/WMI/wmi_unified.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2014-2016 The Linux Foundation. All rights reserved. ++ * Copyright (c) 2014-2017 The Linux Foundation. All rights reserved. + * + * Previously licensed under the ISC license by Qualcomm Atheros, Inc. + * 
@@ -131,7 +131,7 @@ uint16_t wmi_get_max_msg_len(wmi_unified_t wmi_handle) } diff --git a/Patches/Linux_CVEs/CVE-2017-0575/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0575/ANY/1.patch deleted file mode 100644 index f0da5bab..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0575/ANY/1.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From ddc398c5d658b5b33c23dbca617e0d1d021a5c6d Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Tue, 31 Jan 2017 14:32:12 -0800 -Subject: [PATCH] qcacld-2.0: Avoid integer overflow in - wma_enable_arp_ns_offload - -In the function wma_enable_arp_ns_offload(), the len variable is -defined as signed 32 bit, whereas wmi_buf_alloc() takes unsigned -16 bit as input also there is no limit on input of -num_ns_offload_count. - -Fix is to define the len variable in wma_enable_arp_ns_offload() -as unsigned 32 bit. The length input for wmi_buf_alloc() is also -extended and re-defined as unsigned 32 bit. Add limit check before -using num_ns_offload_count. - -Change-Id: I5063df9551074e964eef67abeb8afcf104e50808 -CRs-Fixed: 1103099 -Bug: 32658595 -Signed-off-by: Srinivas Girigowda ---- - drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/wmi_unified_api.h | 4 ++-- - drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c | 7 ++++++- - drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_unified.c | 4 ++-- - 3 files changed, 10 insertions(+), 5 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/wmi_unified_api.h b/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/wmi_unified_api.h -index cd9f923beca83..2912d471158f7 100644 ---- a/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/wmi_unified_api.h -+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/wmi_unified_api.h -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2013-2014 The Linux Foundation. All rights reserved. -+ * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved. - * - * Previously licensed under the ISC license by Qualcomm Atheros, Inc. - * -@@ -69,7 +69,7 @@ wmi_unified_remove_work(struct wmi_unified* wmi_handle); - * @return wmi_buf_t. 
- */ - wmi_buf_t --wmi_buf_alloc(wmi_unified_t wmi_handle, u_int16_t len); -+wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len); - - - /** -diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c -index 72564ac017ebe..9ca604952e03b 100644 ---- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c -+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c -@@ -24576,7 +24576,7 @@ static VOS_STATUS wma_enable_arp_ns_offload(tp_wma_handle wma, - WMI_SET_ARP_NS_OFFLOAD_CMD_fixed_param *cmd; - A_UINT8* buf_ptr; - wmi_buf_t buf; -- int32_t len; -+ uint32_t len; - VOS_STATUS status = VOS_STATUS_SUCCESS; - u_int8_t vdev_id; - tpSirHostOffloadReq ns_offload_req; -@@ -24610,6 +24610,11 @@ static VOS_STATUS wma_enable_arp_ns_offload(tp_wma_handle wma, - count = hostoffloadreq->num_ns_offload_count; - } - -+ if (count >= SIR_MAC_NUM_TARGET_IPV6_NS_OFFLOAD_NA) { -+ status = VOS_STATUS_E_INVAL; -+ goto err_vdev; -+ } -+ - len = sizeof(WMI_SET_ARP_NS_OFFLOAD_CMD_fixed_param) + - WMI_TLV_HDR_SIZE + /* Add size for array of NS tuples */ - WMI_MAX_NS_OFFLOADS*sizeof(WMI_NS_OFFLOAD_TUPLE) + -diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_unified.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_unified.c -index fe72942417bbc..11107d6a5b6d8 100644 ---- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_unified.c -+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_unified.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2014-2016 The Linux Foundation. All rights reserved. -+ * Copyright (c) 2014-2017 The Linux Foundation. All rights reserved. - * - * Previously licensed under the ISC license by Qualcomm Atheros, Inc. - * -@@ -131,7 +131,7 @@ uint16_t wmi_get_max_msg_len(wmi_unified_t wmi_handle) - } - - wmi_buf_t --wmi_buf_alloc(wmi_unified_t wmi_handle, u_int16_t len) -+wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len) - { - wmi_buf_t wmi_buf; - 
diff --git a/Patches/Linux_CVEs/CVE-2017-0576/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0576/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0576/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0576/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0583/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-0583/3.10/0001.patch
new file mode 100644
index 00000000..52c6a22d
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-0583/3.10/0001.patch
@@ -0,0 +1,58 @@
+From b8f70068650a6e6bef0a41de2e30c17087d3a84d Mon Sep 17 00:00:00 2001
+From: Srinivasarao P
+Date: Tue, 14 Feb 2017 13:52:08 +0530
+Subject: defconfig: disable cp_access
+
+cpaccess module gives userspace control over system control
+registers so disable cp_access module.
+
+Change-Id: Ib49412957f91ce65f4350c5c72358b1c53eed43e
+Signed-off-by: Srinivasarao P
+---
+ arch/arm/configs/msm8916-perf_defconfig | 2 +-
+ arch/arm/configs/msm8916_defconfig | 2 +-
+ arch/arm64/configs/msm_defconfig | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/arch/arm/configs/msm8916-perf_defconfig b/arch/arm/configs/msm8916-perf_defconfig
+index 08a43de..94d2321 100644
+--- a/arch/arm/configs/msm8916-perf_defconfig
++++ b/arch/arm/configs/msm8916-perf_defconfig
+@@ -64,7 +64,7 @@ CONFIG_AEABI=y
+ CONFIG_BALANCE_ANON_FILE_RECLAIM=y
+ CONFIG_HIGHMEM=y
+ CONFIG_ENABLE_VMALLOC_SAVING=y
+-CONFIG_CP_ACCESS=y
++# CONFIG_CP_ACCESS is not set
+ CONFIG_AUTO_ZRELADDR=y
+ CONFIG_ARM_DECOMPRESSOR_LIMIT=0x3200000
+ CONFIG_SCHED_FREQ_INPUT=y
+diff --git a/arch/arm/configs/msm8916_defconfig b/arch/arm/configs/msm8916_defconfig
+index b7caf59..30a81e3 100644
+--- a/arch/arm/configs/msm8916_defconfig
++++ b/arch/arm/configs/msm8916_defconfig
+@@ -62,7 +62,7 @@ CONFIG_AEABI=y
+ CONFIG_BALANCE_ANON_FILE_RECLAIM=y
+ CONFIG_HIGHMEM=y
+ CONFIG_ENABLE_VMALLOC_SAVING=y
+-CONFIG_CP_ACCESS=y
++# CONFIG_CP_ACCESS is not set
+ CONFIG_AUTO_ZRELADDR=y
+ CONFIG_ARM_DECOMPRESSOR_LIMIT=0x3200000
+ CONFIG_SCHED_FREQ_INPUT=y
+diff --git a/arch/arm64/configs/msm_defconfig b/arch/arm64/configs/msm_defconfig
+index 4a26793..d8e8a826 100644
+--- a/arch/arm64/configs/msm_defconfig
++++ b/arch/arm64/configs/msm_defconfig
+@@ -528,7 +528,7 @@ CONFIG_CORESIGHT_REMOTE_ETM=y
+ CONFIG_CORESIGHT_QPDI=y
+ CONFIG_SENSORS=y
+ CONFIG_SENSORS_SSC=y
+-CONFIG_CP_ACCESS64=y
++# CONFIG_CP_ACCESS64 is not set
+ CONFIG_MSM_GLADIATOR_ERP=y
+ CONFIG_MSM_BAM_DMUX=y
+ CONFIG_MSM_IPC_ROUTER_SMD_XPRT=y
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-0583/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0583/3.18/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0583/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0583/3.18/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0584/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0584/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0584/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0584/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0584/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0584/ANY/1.patch
deleted file mode 100644
index b3213554..00000000
--- a/Patches/Linux_CVEs/CVE-2017-0584/ANY/1.patch
+++ /dev/null
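Review bot: The cp_access mitigation in the added CVE-2017-0583/3.10/0001.patch only flips the option in three defconfigs (`msm8916-perf_defconfig`, `msm8916_defconfig` and the arm64 `msm_defconfig`), so a kernel built from any other defconfig that still carries `CONFIG_CP_ACCESS=y` or `CONFIG_CP_ACCESS64=y` keeps the module that the commit message says gives userspace control over system control registers. Because the file sits under a generic `3.10/` directory, a tree where these three hunks do not apply, or apply to an unused defconfig, should not be counted as patched. For such trees the same line, `# CONFIG_CP_ACCESS is not set`, has to go into the defconfig the device actually builds from, and the resulting `.config` is worth checking for the option after the patch step.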
@@ -1,54 +0,0 @@
-From 47918a436fa424a5eb81afc6a9eae6ad91b8b366 Mon Sep 17 00:00:00 2001
-From: Srinivas Girigowda
-Date: Wed, 1 Feb 2017 11:49:43 -0800
-Subject: [PATCH] qcacld-2.0: Do not copy buffer to user-space if diag read
- fails
-
-ATH diag procfs read is copying read_buffer to user space
-unconditionally, causing kernel heap information leak of
-uninitialized read_buffer if hif diag read fails.
-
-Do not copy buffer to user space if diag read fails to
-avoid information leak to user space.
-
-Change-Id: I5e07cad4f90e5e9b3c461268b8fa3635c3128b9f
-CRs-Fixed: 1104731
-Bug: 32074353
-Signed-off-by: Srinivas Girigowda
----
- drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c | 11 +++++------
- 1 file changed, 5 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c
-index 7b653a1dd72c8..ed0cfd69d7228 100644
---- a/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c
-+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2013 The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2013, 2016-2017 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- *
-@@ -110,17 +110,16 @@ static ssize_t ath_procfs_diag_read(struct file *file, char __user *buf,
- (A_UINT8 *)read_buffer, count);
- }
-
-+ if (rv)
-+ return -EIO;
-+
- if(copy_to_user(buf, read_buffer, count)) {
- vos_mem_free(read_buffer);
- return -EFAULT;
- } else
- vos_mem_free(read_buffer);
-
-- if (rv == 0) {
-- return count;
-- } else {
-- return -EIO;
-- }
-+ return count;
- }
-
- static ssize_t ath_procfs_diag_write(struct file *file, const char __user *buf,
diff --git a/Patches/Linux_CVEs/CVE-2017-0586/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0586/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0586/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0586/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0604/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0604/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0604/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0604/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0606/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0606/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0606/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0606/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0607/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0607/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0607/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0607/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0608/4.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-0608/4.4/0001.patch
new file mode 100644
index 00000000..7927afa7
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-0608/4.4/0001.patch
@@ -0,0 +1,49 @@
+From 167a094eac4383809dd703d96fb88c406dd8786b Mon Sep 17 00:00:00 2001
+From: Xiaoyu Ye
+Date: Tue, 20 Dec 2016 10:56:59 -0800
+Subject: mfd: wcd9xxx: Add range checking in function wcd9xxx_init_slimslave
+
+Range checking is added to prevent buffer overflow.
+
+CRs-Fixed: 1098363
+Change-Id: I5871a3a11ec5f5106a386bf149d7ec22605f3db8
+Signed-off-by: Xiaoyu Ye
+---
+ drivers/mfd/wcd9xxx-slimslave.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/wcd9xxx-slimslave.c b/drivers/mfd/wcd9xxx-slimslave.c
+index 4bce440..1ac7b59 100644
+--- a/drivers/mfd/wcd9xxx-slimslave.c
++++ b/drivers/mfd/wcd9xxx-slimslave.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -62,6 +62,10 @@ int wcd9xxx_init_slimslave(struct wcd9xxx *wcd9xxx, u8 wcd9xxx_pgd_la,
+ goto err;
+ }
+
++ if (!rx_num || rx_num > wcd9xxx->num_rx_port) {
++ pr_err("%s: invalid rx num %d\n", __func__, rx_num);
++ return -EINVAL;
++ }
+ if (wcd9xxx->rx_chs) {
+ wcd9xxx->num_rx_port = rx_num;
+ for (i = 0; i < rx_num; i++) {
+@@ -84,6 +88,10 @@ int wcd9xxx_init_slimslave(struct wcd9xxx *wcd9xxx, u8 wcd9xxx_pgd_la,
+ wcd9xxx->num_rx_port);
+ }
+
++ if (!tx_num || tx_num > wcd9xxx->num_tx_port) {
++ pr_err("%s: invalid tx num %d\n", __func__, tx_num);
++ return -EINVAL;
++ }
+ if (wcd9xxx->tx_chs) {
+ wcd9xxx->num_tx_port = tx_num;
+ for (i = 0; i < tx_num; i++) {
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-0608/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0608/4.4/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0608/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0608/4.4/0002.patch
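Review bot: Both range checks added to `wcd9xxx_init_slimslave` leave with a bare `return -EINVAL;`, while the failure path visible just above the first one uses `goto err;`, so whatever the `err` label undoes is skipped when `rx_num` or `tx_num` is rejected. If earlier steps of the function need unwinding, the rejection should take the same route, e.g. `ret = -EINVAL; goto err;` (assuming the function's status variable is called `ret`, which the hunks do not show). The upper bound is also `wcd9xxx->num_rx_port` / `num_tx_port`, which the following lines overwrite with `rx_num` / `tx_num`, so the limit appears to shrink after a call with a smaller count; comparing against the fixed capacity of the channel arrays would be steadier. The function starts and ends outside these hunks, so both points need checking against the full body.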
diff --git a/Patches/Linux_CVEs/CVE-2017-0609/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0609/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0609/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0609/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0610/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0610/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0610/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0610/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0610/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-0610/ANY/1.patch deleted file mode 100644 index 88feecdf..00000000 --- a/Patches/Linux_CVEs/CVE-2017-0610/ANY/1.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From 2bf336ed7ff29768b63fcf0d9528dd129f516643 Mon Sep 17 00:00:00 2001 -From: Siena Richard -Date: Tue, 31 Jan 2017 12:21:38 -0800 -Subject: ASoC: msm: qdsp6v2: return error when copy from userspace fails - -A copy_from_user is not always expected to succeed. Therefore, check -for an error before operating on the buffer post copy. - -CRs-Fixed: 1116070 -Change-Id: I21032719e6e85f280ca0cda875c84ac8dee8916b -Signed-off-by: Siena Richard ---- - sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - -diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c -index c444a27..b2387a7 100644 ---- a/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c -+++ b/sound/soc/msm/qdsp6v2/msm-pcm-voip-v2.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -814,20 +814,25 @@ static int msm_pcm_playback_copy(struct snd_pcm_substream *substream, int a, - if (prtd->mode == MODE_PCM) { - ret = copy_from_user(&buf_node->frame.voc_pkt, - buf, count); -+ if (ret) { -+ pr_err("%s: copy from user failed %d\n", -+ __func__, ret); -+ return -EFAULT; -+ } - buf_node->frame.pktlen = count; - } else { - ret = copy_from_user(&buf_node->frame, - buf, count); -+ if (ret) { -+ pr_err("%s: copy from user failed %d\n", -+ __func__, ret); -+ return -EFAULT; -+ } - if (buf_node->frame.pktlen >= count) - buf_node->frame.pktlen = count - - (sizeof(buf_node->frame.frm_hdr) + - sizeof(buf_node->frame.pktlen)); - } -- if (ret) { -- pr_err("%s: copy from user failed %d\n", -- __func__, ret); -- return -EFAULT; -- } - spin_lock_irqsave(&prtd->dsp_lock, dsp_flags); - list_add_tail(&buf_node->list, &prtd->in_queue); - 
spin_unlock_irqrestore(&prtd->dsp_lock, dsp_flags); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-0611/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0611/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0611/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0611/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0612/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0612/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0612/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0612/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0613/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0613/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0613/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0613/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0614/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0614/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0614/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0614/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0619/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0619/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0619/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0619/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0620/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0620/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0620/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0620/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-0621/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0621/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-0621/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-0621/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2017-0622/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0622/3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0622/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0622/3.18/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0622/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-0622/4.4/0002.patch
new file mode 100644
index 00000000..8848c1d7
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-0622/4.4/0002.patch
@@ -0,0 +1,51 @@
+From 2881d2bbc26ff321fd9e717ad6f968aebd277d22 Mon Sep 17 00:00:00 2001
+From: Vevek Venkatesan
+Date: Mon, 23 Jan 2017 18:04:53 +0530
+Subject: input: touchscreen: gt9xx: fix memory corruption in Goodix driver
+
+Fix memory corruption in Goodix touchscreen driver, by resetting
+the global structure cmd_head to zero (except *data and wr flag)
+in goodix_tool_write handler on error case.
+
+Change-Id: I4f7f8f464b93571627b922b10c10a65826228e42
+Signed-off-by: Vevek Venkatesan
+---
+ drivers/input/touchscreen/gt9xx/goodix_tool.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/input/touchscreen/gt9xx/goodix_tool.c b/drivers/input/touchscreen/gt9xx/goodix_tool.c
+index 1657f56..ded8c88 100644
+--- a/drivers/input/touchscreen/gt9xx/goodix_tool.c
++++ b/drivers/input/touchscreen/gt9xx/goodix_tool.c
+@@ -1,7 +1,7 @@
+ /* drivers/input/touchscreen/goodix_tool.c
+ *
+ * 2010 - 2012 Goodix Technology.
+- * Copyright (c) 2013-2016, The Linux Foundation. All rights reserved.
++ * Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+@@ -308,6 +308,7 @@ static ssize_t goodix_tool_write(struct file *filp, const char __user *userbuf,
+ size_t count, loff_t *ppos)
+ {
+ s32 ret = 0;
++ u8 *dataptr = NULL;
+
+ mutex_lock(&lock);
+ ret = copy_from_user(&cmd_head, userbuf, CMD_HEAD_LENGTH);
+@@ -463,6 +464,11 @@ static ssize_t goodix_tool_write(struct file *filp, const char __user *userbuf,
+ ret = CMD_HEAD_LENGTH;
+
+ exit:
++ dataptr = cmd_head.data;
++ memset(&cmd_head, 0, sizeof(cmd_head));
++ cmd_head.wr = 0xFF;
++ cmd_head.data = dataptr;
++
+ mutex_unlock(&lock);
+ return ret;
+ }
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-0624/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0624/ANY/0001.patch
new file mode 100644
index 00000000..40c87b93
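Review bot: The reset added at the `exit:` label in `goodix_tool_write` also runs on the success path, because the context line `ret = CMD_HEAD_LENGTH;` falls straight through into it, while the commit message describes a reset on the error case only. If a later read handler depends on the `cmd_head` fields this write has just parsed (not visible here; most of the function body lies outside the hunk), it would now see a zeroed header with `wr = 0xFF`. Either give the error paths their own label ahead of the shared unlock, or state the intent next to the memset with a comment such as `/* always drop the parsed header; only the data buffer pointer survives between writes */`.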
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-0624/ANY/0001.patch
@@ -0,0 +1,71 @@
+From 0ac5f6f2f221efb93fc0ddb1fec6487c76d95acd Mon Sep 17 00:00:00 2001
+From: Srinivas Girigowda
+Date: Tue, 14 Feb 2017 19:10:47 -0800
+Subject: qcacld-2.0: Acquire lock to protect hdd_ctx in
+ hdd_driver_memdump_read()
+
+Two threads accessing the procfs entry might end up in race condition and
+lead to use-after-free for hdd_ctx->driver_dump_mem.
+
+Hence, acquire a lock to protect hdd_ctx.
+
+Change-Id: If871f4ceadf650978e16b4a336f688a0dae1c494
+CRs-Fixed: 2005832
+---
+ CORE/HDD/src/wlan_hdd_memdump.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/CORE/HDD/src/wlan_hdd_memdump.c b/CORE/HDD/src/wlan_hdd_memdump.c
+index 4433107..778ec07 100644
+--- a/CORE/HDD/src/wlan_hdd_memdump.c
++++ b/CORE/HDD/src/wlan_hdd_memdump.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2015-2016 The Linux Foundation. All rights reserved.
++ * Copyright (c) 2015-2017 The Linux Foundation. All rights reserved.
+ *
+ * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
+ *
+@@ -741,11 +741,14 @@ static ssize_t hdd_driver_memdump_read(struct file *file, char __user *buf,
+ if (0 != status)
+ return -EINVAL;
+
++ mutex_lock(&hdd_ctx->memdump_lock);
+ if (*pos < 0) {
++ mutex_unlock(&hdd_ctx->memdump_lock);
+ hddLog(LOGE, FL("Invalid start offset for memdump read"));
+ return -EINVAL;
+ } else if (!count || (hdd_ctx->driver_dump_size &&
+ (*pos >= hdd_ctx->driver_dump_size))) {
++ mutex_unlock(&hdd_ctx->memdump_lock);
+ hddLog(LOGE, FL("No more data to copy"));
+ return 0;
+ } else if ((*pos == 0) || (hdd_ctx->driver_dump_mem == NULL)) {
+@@ -756,6 +759,7 @@ static ssize_t hdd_driver_memdump_read(struct file *file, char __user *buf,
+ hdd_ctx->driver_dump_mem =
+ vos_mem_malloc(DRIVER_MEM_DUMP_SIZE);
+ if (!hdd_ctx->driver_dump_mem) {
++ mutex_unlock(&hdd_ctx->memdump_lock);
+ hddLog(LOGE, FL("vos_mem_malloc failed"));
+ return -ENOMEM;
+ }
+@@ -784,6 +788,7 @@ static ssize_t hdd_driver_memdump_read(struct file *file, char __user *buf,
+
+ if (copy_to_user(buf, hdd_ctx->driver_dump_mem + *pos,
+ no_of_bytes_read)) {
++ mutex_unlock(&hdd_ctx->memdump_lock);
+ hddLog(LOGE, FL("copy to user space failed"));
+ return -EFAULT;
+ }
+@@ -795,6 +800,8 @@ static ssize_t hdd_driver_memdump_read(struct file *file, char __user *buf,
+ if (*pos >= hdd_ctx->driver_dump_size)
+ hdd_driver_mem_cleanup();
+
++ mutex_unlock(&hdd_ctx->memdump_lock);
++
+ return no_of_bytes_read;
+ }
+
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-0626/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0626/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0626/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0626/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0627/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0627/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0627/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0627/ANY/0001.patch
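Review bot: `hdd_driver_memdump_read` now takes `hdd_ctx->memdump_lock`, but nothing in this stored patch declares or initialises that mutex: the diffstat covers only `wlan_hdd_memdump.c`, and the added code lines are all lock or unlock calls. Before this is applied to a tree, it should be confirmed that the field exists in the HDD context and is set up with `mutex_init()` before the procfs entry is reachable, and that the paths which free `driver_dump_mem` take the same lock; neither is visible here. The four early returns each unlock by hand, so a single `out:` label holding one `mutex_unlock(&hdd_ctx->memdump_lock);` would make a missed unlock on a future return path less likely. The function starts and ends outside the hunks.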
diff --git a/Patches/Linux_CVEs/CVE-2017-0628/4.4/0.patch b/Patches/Linux_CVEs/CVE-2017-0628/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0628/4.4/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0628/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0629/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0629/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0629/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0629/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0631/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0631/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0631/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0631/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0632/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0632/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0632/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0632/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0633/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0633/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0633/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0633/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0648/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0648/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0648/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0648/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0648/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0648/ANY/0001.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0648/ANY/0.patch.base64
rename to Patches/Linux_CVEs/CVE-2017-0648/ANY/0001.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2017-0650/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0650/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0650/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0650/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0651/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0651/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0651/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0651/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0651/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0651/ANY/0001.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0651/ANY/0.patch.base64
rename to Patches/Linux_CVEs/CVE-2017-0651/ANY/0001.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2017-0705/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0705/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0705/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0705/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0706/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0706/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0706/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0706/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0706/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0706/ANY/0001.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0706/ANY/0.patch.base64
rename to Patches/Linux_CVEs/CVE-2017-0706/ANY/0001.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2017-0710/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0710/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0710/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0710/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0710/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0710/ANY/0001.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0710/ANY/0.patch.base64
rename to Patches/Linux_CVEs/CVE-2017-0710/ANY/0001.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2017-0740/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0740/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0740/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0740/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0744/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0744/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0744/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0744/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0744/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0744/ANY/0001.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0744/ANY/0.patch.base64
rename to Patches/Linux_CVEs/CVE-2017-0744/ANY/0001.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2017-0746/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0746/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0746/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0746/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0747/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-0747/ANY/0001.patch
new file mode 100644
index 00000000..01d079ae
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-0747/ANY/0001.patch
@@ -0,0 +1,47 @@
+From c0021edb9ee6b2a37322cd6cf6ebdf160d09b8d7 Mon Sep 17 00:00:00 2001
+From: Brahmaji K
+Date: Mon, 15 May 2017 16:02:15 +0530
+Subject: qcdev: Check the digest length during the SHA operations
+
+Check the digest length to avoid buffer overflow while
+doing the SHA operations.
+
+Change-Id: I4d3fb20723f59e905a672edaf84ee5d0865905b1
+Signed-off-by: Brahmaji K
+---
+ drivers/crypto/msm/qcedev.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c
+index d04ca6f..beeb99e 100644
+--- a/drivers/crypto/msm/qcedev.c
++++ b/drivers/crypto/msm/qcedev.c
+@@ -1741,6 +1741,12 @@ long qcedev_ioctl(struct file *file, unsigned cmd, unsigned long arg)
+ mutex_unlock(&hash_access_lock);
+ return err;
+ }
++ if (handle->sha_ctxt.diglen > QCEDEV_MAX_SHA_DIGEST) {
++ pr_err("Invalid sha_ctxt.diglen %d\n",
++ handle->sha_ctxt.diglen);
++ mutex_unlock(&hash_access_lock);
++ return -EINVAL;
++ }
+ qcedev_areq.sha_op_req.diglen = handle->sha_ctxt.diglen;
+ memcpy(&qcedev_areq.sha_op_req.digest[0],
+ &handle->sha_ctxt.digest[0],
+@@ -1777,6 +1783,12 @@ long qcedev_ioctl(struct file *file, unsigned cmd, unsigned long arg)
+ mutex_unlock(&hash_access_lock);
+ return err;
+ }
++ if (handle->sha_ctxt.diglen > QCEDEV_MAX_SHA_DIGEST) {
++ pr_err("Invalid sha_ctxt.diglen %d\n",
++ handle->sha_ctxt.diglen);
++ mutex_unlock(&hash_access_lock);
++ return -EINVAL;
++ }
+ qcedev_areq.sha_op_req.diglen = handle->sha_ctxt.diglen;
+ memcpy(&qcedev_areq.sha_op_req.digest[0],
+ &handle->sha_ctxt.digest[0],
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-0748/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0748/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0748/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0748/ANY/0001.patch
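Review bot: The new `diglen > QCEDEV_MAX_SHA_DIGEST` guard is pasted verbatim into two places in `qcedev_ioctl` (the inner hunks at 1741 and 1777), each just before the `memcpy` from `handle->sha_ctxt.digest`. Validating the length once, where `sha_ctxt.diglen` is set, or in a small static helper called from both sites, would also cover any other reader of `diglen` that these hunks do not show. The message prints the value with `%d`; if `diglen` is an unsigned field, `pr_err("Invalid sha_ctxt.diglen %u\n", handle->sha_ctxt.diglen);` reports large values correctly. `qcedev_ioctl` starts and ends outside both hunks.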
diff --git a/Patches/Linux_CVEs/CVE-2017-0749/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0749/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0749/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0749/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0749/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-0749/ANY/0001.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0749/ANY/0.patch.base64
rename to Patches/Linux_CVEs/CVE-2017-0749/ANY/0001.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2017-0750/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0750/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0750/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0750/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0751/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0751/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0751/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0751/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0786/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0786/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0786/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0786/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0787/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0787/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0787/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0787/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0788/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0788/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0788/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0788/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0789/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0789/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0789/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0789/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0790/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0790/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0790/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0790/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0791/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0791/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0791/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0791/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0792/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-0792/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0792/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0792/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0794/3.10/0.patch.disabled b/Patches/Linux_CVEs/CVE-2017-0794/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0794/3.10/0.patch.disabled
rename to Patches/Linux_CVEs/CVE-2017-0794/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0824/3.18/0.patch b/Patches/Linux_CVEs/CVE-2017-0824/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0824/3.18/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0824/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-0825/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-0825/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-0825/3.10/0.patch
rename to Patches/Linux_CVEs/CVE-2017-0825/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-1000251/3.0/2.patch b/Patches/Linux_CVEs/CVE-2017-1000251/3.0/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000251/3.0/2.patch
rename to Patches/Linux_CVEs/CVE-2017-1000251/3.0/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-1000251/3.0/2.patch.base64 b/Patches/Linux_CVEs/CVE-2017-1000251/3.0/0001.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000251/3.0/2.patch.base64
rename to Patches/Linux_CVEs/CVE-2017-1000251/3.0/0001.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2017-1000251/3.4/1.patch b/Patches/Linux_CVEs/CVE-2017-1000251/3.4/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000251/3.4/1.patch
rename to Patches/Linux_CVEs/CVE-2017-1000251/3.4/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-1000251/3.4/1.patch.base64 b/Patches/Linux_CVEs/CVE-2017-1000251/3.4/0002.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000251/3.4/1.patch.base64
rename to Patches/Linux_CVEs/CVE-2017-1000251/3.4/0002.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2017-1000251/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-1000251/ANY/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000251/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-1000251/ANY/0003.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.10/1.patch b/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0005.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000364/3.10/1.patch
rename to Patches/Linux_CVEs/CVE-2017-1000364/3.10/0005.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.10/1.patch.base64 b/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0005.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000364/3.10/1.patch.base64
rename to Patches/Linux_CVEs/CVE-2017-1000364/3.10/0005.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.10/2.patch b/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0006.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000364/3.10/2.patch
rename to Patches/Linux_CVEs/CVE-2017-1000364/3.10/0006.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.10/2.patch.base64 b/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0006.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000364/3.10/2.patch.base64
rename to Patches/Linux_CVEs/CVE-2017-1000364/3.10/0006.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0007.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000364/3.10/0.patch
rename to Patches/Linux_CVEs/CVE-2017-1000364/3.10/0007.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-1000364/3.10/0007.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000364/3.10/0.patch.base64
rename to Patches/Linux_CVEs/CVE-2017-1000364/3.10/0007.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.18/3.patch b/Patches/Linux_CVEs/CVE-2017-1000364/3.18/0008.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000364/3.18/3.patch
rename to Patches/Linux_CVEs/CVE-2017-1000364/3.18/0008.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.18/6.patch b/Patches/Linux_CVEs/CVE-2017-1000364/3.18/0009.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000364/3.18/6.patch
rename to Patches/Linux_CVEs/CVE-2017-1000364/3.18/0009.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.18/7.patch b/Patches/Linux_CVEs/CVE-2017-1000364/3.18/0010.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000364/3.18/7.patch
rename to Patches/Linux_CVEs/CVE-2017-1000364/3.18/0010.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.2/8.patch b/Patches/Linux_CVEs/CVE-2017-1000364/3.2/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000364/3.2/8.patch
rename to Patches/Linux_CVEs/CVE-2017-1000364/3.2/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.2/9.patch b/Patches/Linux_CVEs/CVE-2017-1000364/3.2/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000364/3.2/9.patch
rename to Patches/Linux_CVEs/CVE-2017-1000364/3.2/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.4/4.patch b/Patches/Linux_CVEs/CVE-2017-1000364/3.4/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000364/3.4/4.patch
rename to Patches/Linux_CVEs/CVE-2017-1000364/3.4/0003.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.4/4.patch.base64 b/Patches/Linux_CVEs/CVE-2017-1000364/3.4/0003.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000364/3.4/4.patch.base64
rename to Patches/Linux_CVEs/CVE-2017-1000364/3.4/0003.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.4/5.patch b/Patches/Linux_CVEs/CVE-2017-1000364/3.4/0004.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000364/3.4/5.patch
rename to Patches/Linux_CVEs/CVE-2017-1000364/3.4/0004.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-1000364/3.4/5.patch.base64 b/Patches/Linux_CVEs/CVE-2017-1000364/3.4/0004.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000364/3.4/5.patch.base64
rename to Patches/Linux_CVEs/CVE-2017-1000364/3.4/0004.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2017-1000365/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-1000365/3.10/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000365/3.10/0.patch
rename to Patches/Linux_CVEs/CVE-2017-1000365/3.10/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-1000365/3.10/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-1000365/3.10/0001.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-1000365/3.10/0.patch.base64
rename to Patches/Linux_CVEs/CVE-2017-1000365/3.10/0001.patch.base64
diff --git a/Patches/Linux_CVEs/CVE-2017-1000365/3.18/1.patch b/Patches/Linux_CVEs/CVE-2017-1000365/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-1000365/3.18/1.patch rename to Patches/Linux_CVEs/CVE-2017-1000365/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-1000380/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-1000380/^4.11/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-1000380/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-1000380/^4.11/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-1000380/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-1000380/^4.11/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-1000380/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2017-1000380/^4.11/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-10661/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-10661/ANY/0001.patch similarity index 73% rename from Patches/Linux_CVEs/CVE-2017-10661/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-10661/ANY/0001.patch index e3a8ed31..7c808aa5 100644 --- a/Patches/Linux_CVEs/CVE-2017-10661/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2017-10661/ANY/0001.patch @@ -1,9 +1,7 @@ -From 24a4020b992c7f3cd3320d574947c5a1f51f264d Mon Sep 17 00:00:00 2001 +From 1e38da300e1e395a15048b0af1e5305bd91402f6 Mon Sep 17 00:00:00 2001 From: Thomas Gleixner Date: Tue, 31 Jan 2017 15:24:03 +0100 -Subject: [PATCH] timerfd: Protect the might cancel mechanism proper - -commit 1e38da300e1e395a15048b0af1e5305bd91402f6 upstream. +Subject: timerfd: Protect the might cancel mechanism proper The handling of the might_cancel queueing is not properly protected, so parallel operations on the file descriptor can race with each other and @@ -16,8 +14,6 @@ lock inversion scenario vs. the cancel lock. Replacing might_cancel with an atomic (atomic_t or atomic bit) does not help either because it still can race vs. the actual list operation. -Bug: 36266767 - Reported-by: Dmitry Vyukov 
Signed-off-by: Thomas Gleixner Cc: "linux-fsdevel@vger.kernel.org" @@ -26,15 +22,12 @@ Cc: Al Viro Cc: linux-fsdevel@vger.kernel.org Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1701311521430.3457@nanos Signed-off-by: Thomas Gleixner -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Siqi Lin -Change-Id: I122753e0920e51757d3012cd1a133e823719be51 --- fs/timerfd.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/fs/timerfd.c b/fs/timerfd.c -index 86b32c3cb247f..31374ec8f9bd2 100644 +index c173cc1..384fa75 100644 --- a/fs/timerfd.c +++ b/fs/timerfd.c @@ -40,6 +40,7 @@ struct timerfd_ctx { @@ -45,7 +38,7 @@ index 86b32c3cb247f..31374ec8f9bd2 100644 bool might_cancel; }; -@@ -113,7 +114,7 @@ void timerfd_clock_was_set(void) +@@ -112,7 +113,7 @@ void timerfd_clock_was_set(void) rcu_read_unlock(); } @@ -54,7 +47,7 @@ index 86b32c3cb247f..31374ec8f9bd2 100644 { if (ctx->might_cancel) { ctx->might_cancel = false; -@@ -123,6 +124,13 @@ static void timerfd_remove_cancel(struct timerfd_ctx *ctx) +@@ -122,6 +123,13 @@ static void timerfd_remove_cancel(struct timerfd_ctx *ctx) } } 
@@ -67,16 +60,16 @@ index 86b32c3cb247f..31374ec8f9bd2 100644 + static bool timerfd_canceled(struct timerfd_ctx *ctx) { - if (!ctx->might_cancel || ctx->moffs.tv64 != KTIME_MAX) -@@ -133,6 +141,7 @@ static bool timerfd_canceled(struct timerfd_ctx *ctx) + if (!ctx->might_cancel || ctx->moffs != KTIME_MAX) +@@ -132,6 +140,7 @@ static bool timerfd_canceled(struct timerfd_ctx *ctx) static void timerfd_setup_cancel(struct timerfd_ctx *ctx, int flags) { + spin_lock(&ctx->cancel_lock); if ((ctx->clockid == CLOCK_REALTIME || - ctx->clockid == CLOCK_REALTIME_ALARM || - ctx->clockid == CLOCK_POWEROFF_ALARM) && -@@ -143,9 +152,10 @@ static void timerfd_setup_cancel(struct timerfd_ctx *ctx, int flags) + ctx->clockid == CLOCK_REALTIME_ALARM) && + (flags & TFD_TIMER_ABSTIME) && (flags & TFD_TIMER_CANCEL_ON_SET)) { +@@ -141,9 +150,10 @@ static void timerfd_setup_cancel(struct timerfd_ctx *ctx, int flags) list_add_rcu(&ctx->clist, &cancel_list); spin_unlock(&cancel_lock); } @@ -89,11 +82,14 @@ index 86b32c3cb247f..31374ec8f9bd2 100644 } static ktime_t timerfd_get_remaining(struct timerfd_ctx *ctx) -@@ -397,6 +407,7 @@ SYSCALL_DEFINE2(timerfd_create, int, clockid, int, flags) +@@ -400,6 +410,7 @@ SYSCALL_DEFINE2(timerfd_create, int, clockid, int, flags) return -ENOMEM; init_waitqueue_head(&ctx->wqh); + spin_lock_init(&ctx->cancel_lock); ctx->clockid = clockid; - if (isalarm(ctx)) { + if (isalarm(ctx)) +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-10662/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-10662/ANY/0001.patch similarity index 60% rename from Patches/Linux_CVEs/CVE-2017-10662/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-10662/ANY/0001.patch index 92c89cee..89dc91f3 100644 --- a/Patches/Linux_CVEs/CVE-2017-10662/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2017-10662/ANY/0001.patch @@ -1,32 +1,26 @@ -From b69c3038bb41fa18c038ed93cf52123fda7f8c69 Mon Sep 17 00:00:00 2001 +From b9dd46188edc2f0d1f37328637860bb65a771124 Mon Sep 17 00:00:00 2001 
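Review bot: Replacing the stored backport with the mainline commit changes the patch's own context lines, so it may no longer apply to the older trees that the `ANY` directory implies. In the `fs/timerfd.c` patch the context now reads `ctx->moffs != KTIME_MAX` instead of `ctx->moffs.tv64 != KTIME_MAX` and no longer carries the `CLOCK_POWEROFF_ALARM` line; the CVE-2017-10662 replacement that follows does the same with `PAGE_SIZE` for `PAGE_CACHE_SIZE` and a different `sanity_check_raw_super` signature. A tree that still has the old forms would need fuzz or a manual port, and a stored patch that fails to apply leaves the CVE unfixed, so the apply step should report the failure rather than skip it. Keeping the backport under a version directory next to the mainline copy would avoid the problem.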
From: Jin Qian Date: Tue, 25 Apr 2017 16:28:48 -0700 -Subject: [PATCH] UPSTREAM: f2fs: sanity check segment count - -commit b9dd46188edc2f0d1f37328637860bb65a771124 upstream. +Subject: f2fs: sanity check segment count F2FS uses 4 bytes to represent block address. As a result, supported size of disk is 16 TB and it equals to 16 * 1024 * 1024 / 2 segments. Signed-off-by: Jin Qian Signed-off-by: Jaegeuk Kim -Signed-off-by: Greg Kroah-Hartman -Bug: 36815012 -Change-Id: I30ea36df066bc07e32e767336b7cae12063fe415 --- - fs/f2fs/super.c | 8 ++++++++ + fs/f2fs/super.c | 7 +++++++ include/linux/f2fs_fs.h | 6 ++++++ - 2 files changed, 14 insertions(+) + 2 files changed, 13 insertions(+) diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c -index 03ab8b830940b..77b2cd5ddd569 100644 +index 97c07a5..4cd3bee 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c -@@ -434,6 +434,14 @@ static int sanity_check_raw_super(struct super_block *sb, - f2fs_msg(sb, KERN_INFO, "Invalid log sectors per block"); +@@ -1494,6 +1494,13 @@ static int sanity_check_raw_super(struct f2fs_sb_info *sbi, return 1; } -+ + + if (le32_to_cpu(raw_super->segment_count) > F2FS_MAX_SEGMENT) { + f2fs_msg(sb, KERN_INFO, + "Invalid segment count (%u)", @@ -34,15 +28,15 @@ index 03ab8b830940b..77b2cd5ddd569 100644 + return 1; + } + - return 0; - } - + /* check CP/SIT/NAT/SSA/MAIN_AREA area boundary */ + if (sanity_check_area_boundary(sbi, bh)) + return 1; diff --git a/include/linux/f2fs_fs.h b/include/linux/f2fs_fs.h -index df6fab82f87e7..fdb6cb9fe0bb3 100644 +index 639cbdf..093549e 100644 --- a/include/linux/f2fs_fs.h +++ b/include/linux/f2fs_fs.h -@@ -235,6 +235,12 @@ struct f2fs_nat_block { - #define SIT_ENTRY_PER_BLOCK (PAGE_CACHE_SIZE / sizeof(struct f2fs_sit_entry)) +@@ -302,6 +302,12 @@ struct f2fs_nat_block { + #define SIT_ENTRY_PER_BLOCK (PAGE_SIZE / sizeof(struct f2fs_sit_entry)) /* + * F2FS uses 4 bytes to represent block address. As a result, supported size of 
@@ -54,3 +48,6 @@ index df6fab82f87e7..fdb6cb9fe0bb3 100644 * Note that f2fs_sit_entry->vblocks has the following bit-field information. * [15:10] : allocation type such as CURSEG_XXXX_TYPE * [9:0] : valid block count +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-10663/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-10663/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-10663/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-10663/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-10663/3.18/1.patch b/Patches/Linux_CVEs/CVE-2017-10663/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-10663/3.18/1.patch rename to Patches/Linux_CVEs/CVE-2017-10663/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-10996/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-10996/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-10996/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-10996/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-10997/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-10997/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-10997/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-10997/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-10997/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-10997/4.4/0002.patch new file mode 100644 index 00000000..6434aa06 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-10997/4.4/0002.patch 
@@ -0,0 +1,48 @@
+From a395a070880acc679e3832b21d96504edbbe4af2 Mon Sep 17 00:00:00 2001
+From: Tony Truong
+Date: Fri, 6 Jan 2017 14:03:03 -0800
+Subject: msm: pcie: add bounds check for debugfs register write
+
+Via debugfs nodes, users have the option to read and write to
+any PCIe register. To ensure clients do not access registers
+outside the PCIe range, add checks to validate the offset clients
+provide.
+
+Change-Id: Ia35cd04c57f01c21a47962be596bca395b5ca247
+Signed-off-by: Tony Truong
+---
+ drivers/pci/host/pci-msm.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/pci/host/pci-msm.c b/drivers/pci/host/pci-msm.c
+index 7c8b5e3..cd105a0 100644
+--- a/drivers/pci/host/pci-msm.c
++++ b/drivers/pci/host/pci-msm.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -2414,8 +2414,16 @@ static void msm_pcie_sel_debug_testcase(struct msm_pcie_dev_t *dev,
+ dev->res[base_sel - 1].base,
+ wr_offset, wr_mask, wr_value);
+
+- msm_pcie_write_reg_field(dev->res[base_sel - 1].base,
+- wr_offset, wr_mask, wr_value);
++ base_sel_size = resource_size(dev->res[base_sel - 1].resource);
++
++ if (wr_offset > base_sel_size - 4 ||
++ msm_pcie_check_align(dev, wr_offset))
++ PCIE_DBG_FS(dev,
++ "PCIe: RC%d: Invalid wr_offset: 0x%x. wr_offset should be no more than 0x%x\n",
++ dev->rc_idx, wr_offset, base_sel_size - 4);
++ else
++ msm_pcie_write_reg_field(dev->res[base_sel - 1].base,
++ wr_offset, wr_mask, wr_value);
+
+ break;
+ case 13: /* dump all registers of base_sel */
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-10998/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-10998/3.10/0.patch
deleted file mode 100644
index 8429a974..00000000
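Review bot: The bound `wr_offset > base_sel_size - 4` in `msm_pcie_sel_debug_testcase` wraps if `base_sel_size` is unsigned and the selected resource is smaller than 4 bytes, and then every offset passes the check. `base_sel_size` is declared outside the hunk, so its type cannot be confirmed here; if it is unsigned, opening the test with `if (base_sel_size < 4 || wr_offset > base_sel_size - 4 ||` closes the gap. The same subtraction is repeated in the debug message. The function starts and ends outside the hunk, so whether `base_sel` is range-checked before `dev->res[base_sel - 1]` is indexed cannot be seen either.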
--- a/Patches/Linux_CVEs/CVE-2017-10998/3.10/0.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 9ffb3cdd7279b011a509267caa4a5119fd6346c0 Mon Sep 17 00:00:00 2001
-From: Siena Richard
-Date: Wed, 11 Jan 2017 11:09:24 -0800
-Subject: ASoC: msm: qdsp6v2: extend validation of virtual address
-
-Validate a buffer virtual address is fully within the region before
-returning the region to ensure functionality for an extended edge case.
-
-Change-Id: Iba3e080889980f393d6a9f0afe0231408b92d654
-Signed-off-by: Siena Richard
-CRs-fixed: 1108461
-
-Bug: 38195131
-Change-Id: Ib527a380a857719bff8254be514133528bd64c75
----
- drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-index 07de5a2..42a3ea7 100644
---- a/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-+++ b/drivers/misc/qcom/qdsp6v2/audio_utils_aio.c
-@@ -1,6 +1,6 @@
- /* Copyright (C) 2008 Google, Inc.
- * Copyright (C) 2008 HTC Corporation
-- * Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
-+ * Copyright (c) 2009-2017, The Linux Foundation. All rights reserved.
- *
- * This software is licensed under the terms of the GNU General Public
- * License version 2, as published by the Free Software Foundation, and
-@@ -119,7 +119,10 @@ static int audio_aio_ion_lookup_vaddr(struct q6audio_aio *audio, void *addr,
- list_for_each_entry(region_elt, &audio->ion_region_queue, list) {
- if (addr >= region_elt->vaddr &&
- addr < region_elt->vaddr + region_elt->len &&
-- addr + len <= region_elt->vaddr + region_elt->len) {
-+ addr + len <= region_elt->vaddr + region_elt->len &&
-+ addr + len > addr) {
-+ /* to avoid integer addition overflow */
-+
- /* offset since we could pass vaddr inside a registerd
- * ion buffer
- */
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-10998/3.18/1.patch b/Patches/Linux_CVEs/CVE-2017-10998/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-10998/3.18/1.patch rename to Patches/Linux_CVEs/CVE-2017-10998/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-10999/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-10999/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-10999/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-10999/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11000/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-11000/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11000/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-11000/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11001/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-11001/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11001/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-11001/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11002/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11002/ANY/0001.patch new file mode 100644 index 00000000..eaa262c5 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11002/ANY/0001.patch 
@@ -0,0 +1,85 @@ +From 64c0865bb0c5a642ba420967b23e0f66e035b300 Mon Sep 17 00:00:00 2001 +From: Rajeev Kumar Sirasanagandla +Date: Tue, 13 Jun 2017 12:04:09 +0530 +Subject: wlan: Avoid concurrent matrix max param overread + +qcacld-3.0 to prima propagation. + +Currently there is no nl policy defined for vendor sub command +QCA_NL80211_VENDOR_SUBCMD_GET_CONCURRENCY_MATRIX which may result in +buffer overread error. + +To resolve this, add nl policy. + +Change-Id: I155efdbb07f1c5fe300bb2be0c2a3fe07c7e134b +CRs-Fixed: 2058455 +--- + CORE/HDD/src/wlan_hdd_cfg80211.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c +index b8f74cc..0c36e73 100644 +--- a/CORE/HDD/src/wlan_hdd_cfg80211.c ++++ b/CORE/HDD/src/wlan_hdd_cfg80211.c +@@ -4985,6 +4985,15 @@ wlan_hdd_cfg80211_get_supported_features(struct wiphy *wiphy, + return ret; + } + ++#define MAX_CONCURRENT_MATRIX \ ++ QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX ++#define MATRIX_CONFIG_PARAM_SET_SIZE_MAX \ ++ QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX ++static const struct nla_policy ++wlan_hdd_get_concurrency_matrix_policy[MAX_CONCURRENT_MATRIX + 1] = { ++ [MATRIX_CONFIG_PARAM_SET_SIZE_MAX] = {.type = NLA_U32}, ++}; ++ + static int + __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy, + struct wireless_dev *wdev, +@@ -4992,7 +5001,7 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy, + { + uint32_t feature_set_matrix[WLAN_HDD_MAX_FEATURE_SET] = {0}; + uint8_t i, feature_sets, max_feature_sets; +- struct nlattr *tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX + 1]; ++ struct nlattr *tb[MAX_CONCURRENT_MATRIX + 1]; + struct sk_buff *reply_skb; + hdd_context_t *pHddCtx = wiphy_priv(wiphy); + int ret; +@@ -5005,19 +5014,18 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy, + return ret; + } + +- if (nla_parse(tb, 
QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX, +- data, data_len, NULL)) { ++ if (nla_parse(tb, MAX_CONCURRENT_MATRIX, data, data_len, ++ wlan_hdd_get_concurrency_matrix_policy)) { + hddLog(LOGE, FL("Invalid ATTR")); + return -EINVAL; + } + + /* Parse and fetch max feature set */ +- if (!tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX]) { ++ if (!tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]) { + hddLog(LOGE, FL("Attr max feature set size failed")); + return -EINVAL; + } +- max_feature_sets = nla_get_u32( +- tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX]); ++ max_feature_sets = nla_get_u32(tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]); + hddLog(LOG1, FL("Max feature set size (%d)"), max_feature_sets); + + /* Fill feature combination matrix */ +@@ -5068,6 +5076,9 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy, + + } + ++#undef MAX_CONCURRENT_MATRIX ++#undef MATRIX_CONFIG_PARAM_SET_SIZE_MAX ++ + static int + wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy, + struct wireless_dev *wdev, +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-11002/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-11002/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11002/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-11002/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11012/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11012/ANY/0001.patch new file mode 100644 index 00000000..fdd7dc56 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11012/ANY/0001.patch 
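Review bot: In `__wlan_hdd_cfg80211_get_concurrency_matrix` (CVE-2017-11002/ANY/0001.patch) the value read with `nla_get_u32(tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX])` is stored in `max_feature_sets`, which the context line declares as `uint8_t`, so a caller-supplied size above 255 is silently truncated (256 becomes 0) even though the new policy now guarantees a well-formed u32 attribute. The policy closes the attribute over-read but not this narrowing; I would clamp at the assignment, e.g. `max_feature_sets = min_t(uint32_t, nla_get_u32(tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]), WLAN_HDD_MAX_FEATURE_SET);`. How the value is used afterwards is outside the hunk, so the effect of a wrapped value needs checking against the rest of the function.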
@@ -0,0 +1,94 @@ +From 7d0e40d328fa092c36b9585516ed29fc6041be55 Mon Sep 17 00:00:00 2001 +From: Jeff Johnson +Date: Tue, 6 Jun 2017 12:53:28 -0700 +Subject: qcacld-3.0: Fix buffer overread & overflow in DISA handler + +Currently in hdd_fill_encrypt_decrypt_params() there are multiple +issues with the incoming cfg80211 vendor command handling: +1) A policy is not supplied when invoking nla_parse() which prevents + basic sanity of the incoming attribute stream. +2) The length of attribute QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_PN is + not properly validated. +3) The length of attribute QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_DATA + is not properly validated. + +To address these issues: +1) Create an appropriate nla_policy and specify this policy when + invoking nla_parse(). +2) Validate the length of QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_PN to + prevent potential buffer overflow. +3) Validate the length of QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_DATA to + prevent potential buffer overread. + +Change-Id: Ibb86897f249010c94c4098b283aad7a7f95ab9a2 +CRs-Fixed: 2054760 +--- + core/hdd/src/wlan_hdd_disa.c | 24 +++++++++++++++++++----- + 1 file changed, 19 insertions(+), 5 deletions(-) + +diff --git a/core/hdd/src/wlan_hdd_disa.c b/core/hdd/src/wlan_hdd_disa.c +index c2e99d1..39e6bd1 100644 +--- a/core/hdd/src/wlan_hdd_disa.c ++++ b/core/hdd/src/wlan_hdd_disa.c +@@ -159,6 +159,16 @@ nla_put_failure: + return -EINVAL; + } + ++static const struct nla_policy ++encrypt_decrypt_policy[QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_MAX + 1] = { ++ [QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_NEEDS_DECRYPTION] = { ++ .type = NLA_FLAG}, ++ [QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_KEYID] = { ++ .type = NLA_U8}, ++ [QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_CIPHER] = { ++ .type = NLA_U32}, ++}; ++ + /** + * hdd_fill_encrypt_decrypt_params () - parses data from user space + * and fills encrypt/decrypt parameters +@@ -181,7 +191,7 @@ static int hdd_fill_encrypt_decrypt_params(struct encrypt_decrypt_req_params + uint8_t 
fc[2]; + + if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_MAX, +- data, data_len, NULL)) { ++ data, data_len, encrypt_decrypt_policy)) { + hdd_err("Invalid ATTR"); + return -EINVAL; + } +@@ -243,8 +253,8 @@ static int hdd_fill_encrypt_decrypt_params(struct encrypt_decrypt_req_params + return -EINVAL; + } + len = nla_len(tb[QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_PN]); +- if (!len) { +- hdd_err("Invalid PN length"); ++ if (!len || len > sizeof(encrypt_decrypt_params->pn)) { ++ hdd_err("Invalid PN length %u", len); + return -EINVAL; + } + +@@ -260,8 +270,8 @@ static int hdd_fill_encrypt_decrypt_params(struct encrypt_decrypt_req_params + return -EINVAL; + } + len = nla_len(tb[QCA_WLAN_VENDOR_ATTR_ENCRYPTION_TEST_DATA]); +- if (!len) { +- hdd_err("Invalid header and payload length"); ++ if (len < MIN_MAC_HEADER_LEN) { ++ hdd_err("Invalid header and payload length %u", len); + return -EINVAL; + } + +@@ -298,6 +308,10 @@ static int hdd_fill_encrypt_decrypt_params(struct encrypt_decrypt_req_params + + hdd_notice("mac_hdr_len %d", mac_hdr_len); + ++ if (len < mac_hdr_len) { ++ hdd_err("Invalid header and payload length %u", len); ++ return -EINVAL; ++ } + qdf_mem_copy(encrypt_decrypt_params->mac_header, + tmp, mac_hdr_len); + +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-11013/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11013/ANY/0001.patch new file mode 100644 index 00000000..9fe9afdb --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11013/ANY/0001.patch 
@@ -0,0 +1,87 @@ +From 64297e4caffdf6b1a90807bbdb65a66b43582228 Mon Sep 17 00:00:00 2001 +From: Sridhar Selvaraj +Date: Fri, 30 Jun 2017 19:11:21 +0530 +Subject: prima: Skip an IE if found more its max times in a frame + +Check if a IE has been encountered more than max possible for that IE +while parsing a frame. + +Change-Id: I1054c7df18780469849be55fc4343f09ac502a49 +CRs-Fixed: 2069927 +--- + CORE/MAC/src/include/dot11f.h | 6 +++--- + CORE/SYS/legacy/src/utils/src/dot11f.c | 9 +++++++-- + 2 files changed, 10 insertions(+), 5 deletions(-) + +diff --git a/CORE/MAC/src/include/dot11f.h b/CORE/MAC/src/include/dot11f.h +index ab2228e..52c714e 100644 +--- a/CORE/MAC/src/include/dot11f.h ++++ b/CORE/MAC/src/include/dot11f.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2012-2014 The Linux Foundation. All rights reserved. ++ * Copyright (c) 2012-2014, 2017 The Linux Foundation. All rights reserved. + * + * Previously licensed under the ISC license by Qualcomm Atheros, Inc. + * +@@ -30,7 +30,7 @@ + * + * + * This file was automatically generated by 'framesc' +- * Mon Nov 10 19:49:53 2014 from the following file(s): ++ * Tue Jul 4 11:19:48 2017 from the following file(s): + * + * dot11f.frms + * +@@ -84,8 +84,8 @@ typedef tANI_U32 tDOT11F_U64[2]; + #define DOT11F_BUFFER_OVERFLOW ( 0x10000005 ) + #define DOT11F_MANDATORY_TLV_MISSING ( 0x00001000 ) + #define DOT11F_FAILED(code) ( (code) & 0x10000000 ) +-#define DOT11F_WARNED(code) ( ( ( 0 == (code) ) & 0x10000000 ) && code) + #define DOT11F_SUCCEEDED(code) ( (code) == 0 ) ++#define DOT11F_WARNED(code) (!DOT11F_SUCCEEDED(code) && !DOT11F_FAILED(code)) + + /********************************************************************* + * Fixed Fields * +diff --git a/CORE/SYS/legacy/src/utils/src/dot11f.c b/CORE/SYS/legacy/src/utils/src/dot11f.c +index a4fbb05..f3f621c 100644 +--- a/CORE/SYS/legacy/src/utils/src/dot11f.c ++++ b/CORE/SYS/legacy/src/utils/src/dot11f.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2012-2014 The Linux Foundation. 
All rights reserved. ++ * Copyright (c) 2012-2014, 2017 The Linux Foundation. All rights reserved. + * + * Previously licensed under the ISC license by Qualcomm Atheros, Inc. + * +@@ -28,7 +28,7 @@ + * + * + * This file was automatically generated by 'framesc' +- * Mon Nov 10 19:49:53 2014 from the following file(s): ++ * Tue Jul 4 11:19:48 2017 from the following file(s): + * + * dot11f.frms + * +@@ -20733,6 +20733,10 @@ static tANI_U32 UnpackCore(tpAniSirGlobal pCtx, + } + + countOffset = ( (0 != pIe->arraybound) * ( *(tANI_U16* )(pFrm + pIe->countOffset))); ++ if (0 != pIe->arraybound && countOffset >= pIe->arraybound) { ++ status |= DOT11F_DUPLICATE_IE; ++ goto skip_dup_ie; ++ } + switch (pIe->sig) + { + case SigIeAPName: +@@ -21207,6 +21211,7 @@ static tANI_U32 UnpackCore(tpAniSirGlobal pCtx, + status |= DOT11F_UNKNOWN_IES; + } + ++skip_dup_ie: + pBufRemaining += len; + + if (len > nBufRemaining) +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-11013/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-11013/ANY/0002.patch new file mode 100644 index 00000000..eca9ffd7 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11013/ANY/0002.patch 
@@ -0,0 +1,98 @@ +From c9f8654b11a1e693022ad7f163b3bc477fea8ce8 Mon Sep 17 00:00:00 2001 +From: Naveen Rawat +Date: Fri, 9 Jun 2017 14:25:45 -0700 +Subject: qcacld-3.0: Skip an IE if found more its max times in a frame + +Check if a IE has been encountered more than max possible for that IE +while parsing a frame. + +Change-Id: I1054c7df18780469849be55fc4343f09ac502a49 +CRs-Fixed: 2058261 +--- + core/mac/src/include/dot11f.h | 4 ++-- + core/mac/src/sys/legacy/src/utils/src/dot11f.c | 25 +++++++++++++------------ + 2 files changed, 15 insertions(+), 14 deletions(-) + +diff --git a/core/mac/src/include/dot11f.h b/core/mac/src/include/dot11f.h +index 96b8c6c..c5be2fd 100644 +--- a/core/mac/src/include/dot11f.h ++++ b/core/mac/src/include/dot11f.h +@@ -35,7 +35,7 @@ + * + * + * This file was automatically generated by 'framesc' +- * Mon Mar 13 16:17:19 2017 from the following file(s): ++ * Fri Jun 9 14:23:47 2017 from the following file(s): + * + * dot11f.frms + * +@@ -88,8 +88,8 @@ typedef uint32_t tDOT11F_U64[2]; + #define DOT11F_BUFFER_OVERFLOW (0x10000005) + #define DOT11F_MANDATORY_TLV_MISSING (0x00001000) + #define DOT11F_FAILED(code) ((code) & 0x10000000) +-#define DOT11F_WARNED(code) (((0 == (code)) & 0x10000000) && code) + #define DOT11F_SUCCEEDED(code) ((code) == 0) ++#define DOT11F_WARNED(code) (!DOT11F_SUCCEEDED(code) && !DOT11F_FAILED(code)) + + /********************************************************************* + * Fixed Fields * +diff --git a/core/mac/src/sys/legacy/src/utils/src/dot11f.c b/core/mac/src/sys/legacy/src/utils/src/dot11f.c +index 210cf89..a6089b3 100644 +--- a/core/mac/src/sys/legacy/src/utils/src/dot11f.c ++++ b/core/mac/src/sys/legacy/src/utils/src/dot11f.c +@@ -33,7 +33,7 @@ + * + * + * This file was automatically generated by 'framesc' +- * Mon Mar 13 16:17:19 2017 from the following file(s): ++ * Fri Jun 9 14:23:47 2017 from the following file(s): + * + * dot11f.frms + * +@@ -9240,6 +9240,10 @@ static uint32_t 
unpack_core(tpAniSirGlobal pCtx, + + countOffset = ((0 != pIe->arraybound) * + (*(uint16_t *)(pFrm + pIe->countOffset))); ++ if (0 != pIe->arraybound && countOffset >= pIe->arraybound) { ++ status |= DOT11F_DUPLICATE_IE; ++ goto skip_dup_ie; ++ } + switch (pIe->sig) { + case SigIeGTK: + status |= +@@ -9819,17 +9823,13 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx, + countOffset)); + break; + case SigIeNeighborReport: +- if (countOffset < MAX_SUPPORTED_NEIGHBOR_RPT) { +- status |= +- dot11f_unpack_ie_neighbor_report( +- pCtx, pBufRemaining, len, +- (tDot11fIENeighborReport *) +- (pFrm + pIe->offset + +- sizeof(tDot11fIENeighborReport) * +- countOffset)); +- } else { +- status |= DOT11F_BUFFER_OVERFLOW; +- } ++ status |= ++ dot11f_unpack_ie_neighbor_report( ++ pCtx, pBufRemaining, len, ++ (tDot11fIENeighborReport *) ++ (pFrm + pIe->offset + ++ sizeof(tDot11fIENeighborReport) * ++ countOffset)); + break; + case SigIeOBSSScanParameters: + status |= +@@ -10427,6 +10427,7 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx, + status |= DOT11F_UNKNOWN_IES; + } + ++skip_dup_ie: + pBufRemaining += len; + + if (len > nBufRemaining) { +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-11014/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11014/ANY/0001.patch new file mode 100644 index 00000000..4a03b1cb --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11014/ANY/0001.patch 
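Review bot: The `SigIeNeighborReport` case in `unpack_core` (CVE-2017-11013/ANY/0002.patch) drops its own `countOffset < MAX_SUPPORTED_NEIGHBOR_RPT` guard and now depends entirely on the new generic `countOffset >= pIe->arraybound` check, which is equivalent only if the neighbor-report entry's `arraybound` is no larger than `MAX_SUPPORTED_NEIGHBOR_RPT`; that table is not in the hunk and should be confirmed. The outcome also changes: the removed branch set `DOT11F_BUFFER_OVERFLOW`, which carries the `0x10000000` bit tested by `DOT11F_FAILED`, while the new path sets `DOT11F_DUPLICATE_IE`, whose value is not shown, so callers that test only `DOT11F_FAILED` may now accept a frame whose surplus IEs were skipped. A comment at the new check would make the intent explicit, e.g. `/* arraybound is the capacity of this IE's array in the frame struct; skip surplus instances instead of writing past it */`. The same check is added to `UnpackCore` in CVE-2017-11013/ANY/0001.patch, and both files are marked as generated by 'framesc', so the fix presumably has to be carried in the generator input as well.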
@@ -0,0 +1,53 @@
+From ec58bc99e29d89f8e164954999ef8a45cec21754 Mon Sep 17 00:00:00 2001
+From: Krishna Kumaar Natarajan
+Date: Wed, 5 Jul 2017 16:47:45 -0700
+Subject: qcacld-3.0: Update lim_compute_crc32() to pass uint16_t
+
+Update lim_compute_crc32() to pass uint16_t as a length type.
+Currently uint8_t is being passed as length and there will be type
+mismatch when authentication frame to be encrypted will be larger
+than 255 bytes.
+
+Change-Id: Ic009197c13a2d70c9015a184acff2e82bf80eaba
+CRs-Fixed: 2060959
+---
+ core/mac/src/pe/lim/lim_security_utils.c | 2 +-
+ core/mac/src/pe/lim/lim_security_utils.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/core/mac/src/pe/lim/lim_security_utils.c b/core/mac/src/pe/lim/lim_security_utils.c
+index c5938c2..1a2964c 100644
+--- a/core/mac/src/pe/lim/lim_security_utils.c
++++ b/core/mac/src/pe/lim/lim_security_utils.c
+@@ -596,7 +596,7 @@ lim_encrypt_auth_frame(tpAniSirGlobal pMac, uint8_t keyId, uint8_t *pKey,
+ * @return None
+ */
+
+-void lim_compute_crc32(uint8_t *pDest, uint8_t *pSrc, uint8_t len)
++void lim_compute_crc32(uint8_t *pDest, uint8_t *pSrc, uint16_t len)
+ {
+ uint32_t crc;
+ int i;
+diff --git a/core/mac/src/pe/lim/lim_security_utils.h b/core/mac/src/pe/lim/lim_security_utils.h
+index c5b30ba..c3410ea 100644
+--- a/core/mac/src/pe/lim/lim_security_utils.h
++++ b/core/mac/src/pe/lim/lim_security_utils.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2011-2015 The Linux Foundation. All rights reserved.
++ * Copyright (c) 2011-2015, 2017 The Linux Foundation. All rights reserved.
+ *
+ * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
+ *
+@@ -58,7 +58,7 @@ void lim_restore_from_auth_state(tpAniSirGlobal,
+ uint8_t lim_delete_open_auth_pre_auth_node(tpAniSirGlobal mac_ctx);
+
+ /* Encryption/Decryption related functions */
+-void lim_compute_crc32(uint8_t *, uint8_t *, uint8_t);
++void lim_compute_crc32(uint8_t *, uint8_t *, uint16_t);
+ void lim_rc4(uint8_t *, uint8_t *, uint8_t *, uint32_t, uint16_t);
+ void lim_encrypt_auth_frame(tpAniSirGlobal, uint8_t, uint8_t *, uint8_t *,
+ uint8_t *, uint32_t);
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-11015/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11015/ANY/0001.patch
new file mode 100644
index 00000000..4a03b1cb
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-11015/ANY/0001.patch
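Review bot: CVE-2017-11014/ANY/0001.patch and CVE-2017-11015/ANY/0001.patch are added with the same blob id (`index 00000000..4a03b1cb`) and carry the same upstream commit ec58bc99, so a tree that needs both CVEs is offered the `lim_compute_crc32()` change twice. Whatever applies these directories should treat an already-applied result for the second copy as expected rather than as a failed fix; the apply logic is not visible here, so this is worth confirming. I would record the overlap in the commit message, e.g. `CVE-2017-11014 and CVE-2017-11015 share upstream commit ec58bc99`, so a later de-duplication does not leave CVE-2017-11014 without a patch.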
@@ -0,0 +1,53 @@
+From ec58bc99e29d89f8e164954999ef8a45cec21754 Mon Sep 17 00:00:00 2001
+From: Krishna Kumaar Natarajan
+Date: Wed, 5 Jul 2017 16:47:45 -0700
+Subject: qcacld-3.0: Update lim_compute_crc32() to pass uint16_t
+
+Update lim_compute_crc32() to pass uint16_t as a length type.
+Currently uint8_t is being passed as length and there will be type
+mismatch when authentication frame to be encrypted will be larger
+than 255 bytes.
+
+Change-Id: Ic009197c13a2d70c9015a184acff2e82bf80eaba
+CRs-Fixed: 2060959
+---
+ core/mac/src/pe/lim/lim_security_utils.c | 2 +-
+ core/mac/src/pe/lim/lim_security_utils.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/core/mac/src/pe/lim/lim_security_utils.c b/core/mac/src/pe/lim/lim_security_utils.c
+index c5938c2..1a2964c 100644
+--- a/core/mac/src/pe/lim/lim_security_utils.c
++++ b/core/mac/src/pe/lim/lim_security_utils.c
+@@ -596,7 +596,7 @@ lim_encrypt_auth_frame(tpAniSirGlobal pMac, uint8_t keyId, uint8_t *pKey,
+ * @return None
+ */
+
+-void lim_compute_crc32(uint8_t *pDest, uint8_t *pSrc, uint8_t len)
++void lim_compute_crc32(uint8_t *pDest, uint8_t *pSrc, uint16_t len)
+ {
+ uint32_t crc;
+ int i;
+diff --git a/core/mac/src/pe/lim/lim_security_utils.h b/core/mac/src/pe/lim/lim_security_utils.h
+index c5b30ba..c3410ea 100644
+--- a/core/mac/src/pe/lim/lim_security_utils.h
++++ b/core/mac/src/pe/lim/lim_security_utils.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2011-2015 The Linux Foundation. All rights reserved.
++ * Copyright (c) 2011-2015, 2017 The Linux Foundation. All rights reserved.
+ *
+ * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
+ *
+@@ -58,7 +58,7 @@ void lim_restore_from_auth_state(tpAniSirGlobal,
+ uint8_t lim_delete_open_auth_pre_auth_node(tpAniSirGlobal mac_ctx);
+
+ /* Encryption/Decryption related functions */
+-void lim_compute_crc32(uint8_t *, uint8_t *, uint8_t);
++void lim_compute_crc32(uint8_t *, uint8_t *, uint16_t);
+ void lim_rc4(uint8_t *, uint8_t *, uint8_t *, uint32_t, uint16_t);
+ void lim_encrypt_auth_frame(tpAniSirGlobal, uint8_t, uint8_t *, uint8_t *,
+ uint8_t *, uint32_t);
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-11015/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-11015/ANY/0002.patch
new file mode 100644
index 00000000..5ceaaed6
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-11015/ANY/0002.patch
@@ -0,0 +1,33 @@
+From 1ef6add65a36de6c4da788f776de2b5b5c528d8e Mon Sep 17 00:00:00 2001
+From: Krishna Kumaar Natarajan
+Date: Wed, 5 Jul 2017 16:38:54 -0700
+Subject: qcacld-3.0: Update SIR_MAC_AUTH_CHALLENGE_LENGTH as per IEEE spec
+
+Update SIR_MAC_AUTH_CHALLENGE_LENGTH to 253 as per IEEE spec.
+Currently value of SIR_MAC_AUTH_CHALLENGE_LENGTH is set to 128.
+This may result in potential buffer overflow since frame parser
+allows challenge text of length upto 253 but driver can not handle
+challenge text longer than 128 bytes.
+
+Change-Id: I7baf860fdde51a14a6573b4f0f26817f5071193e
+CRs-Fixed: 2060959
+---
+ core/mac/inc/sir_mac_prot_def.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/core/mac/inc/sir_mac_prot_def.h b/core/mac/inc/sir_mac_prot_def.h
+index fbbd37e..be47e13 100644
+--- a/core/mac/inc/sir_mac_prot_def.h
++++ b/core/mac/inc/sir_mac_prot_def.h
+@@ -554,7 +554,7 @@
+ #define SIR_MAC_MAX_NUMBER_OF_RATES 12
+ #define SIR_MAC_MAX_NUM_OF_DEFAULT_KEYS 4
+ #define SIR_MAC_KEY_LENGTH 13 /* WEP Maximum key length size */
+-#define SIR_MAC_AUTH_CHALLENGE_LENGTH 128
++#define SIR_MAC_AUTH_CHALLENGE_LENGTH 253
+ #define SIR_MAC_WEP_IV_LENGTH 4
+ #define SIR_MAC_WEP_ICV_LENGTH 4
+
+--
+cgit v1.1
+
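Review bot: Raising `SIR_MAC_AUTH_CHALLENGE_LENGTH` from 128 to 253 in CVE-2017-11015/ANY/0002.patch is only safe together with 0001.patch in the same directory: per that patch's own description the authentication frame to be encrypted can then exceed 255 bytes, and without the `uint16_t len` change `lim_compute_crc32()` would still receive a truncated length. Nothing in either patch states that dependency, so a kernel tree where 0001 fails to apply but 0002 succeeds would end up with the larger challenge text and the old 8-bit length. I would note the requirement where the patches are listed, e.g. `0002 requires 0001 (uint16_t length in lim_compute_crc32)`. Every buffer and structure sized by this macro also grows, and those users are outside the hunk.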
diff --git a/Patches/Linux_CVEs/CVE-2017-11018/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11018/ANY/0001.patch
new file mode 100644
index 00000000..95654041
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-11018/ANY/0001.patch
@@ -0,0 +1,531 @@ +From 1d718286c4c482502a2c4356cebef28aef2fb01f Mon Sep 17 00:00:00 2001 +From: Rahul Sharma +Date: Wed, 28 Jun 2017 15:46:19 +0530 +Subject: msm: vfe : Fix for multiple buffer over read/write + +Implemented validation of user space values in ioctl call +before processing buffers in response to user commands. + +Change-Id: Icf6e49650bab358b764ebf1db24925a4063c5842 +Signed-off-by: Rahul Sharma +--- + drivers/media/video/msm/vfe/msm_vfe32.c | 246 ++++++++++++++++++++++++++++++++ + 1 file changed, 246 insertions(+) + +diff --git a/drivers/media/video/msm/vfe/msm_vfe32.c b/drivers/media/video/msm/vfe/msm_vfe32.c +index 64f3e7b..1509a04 100644 +--- a/drivers/media/video/msm/vfe/msm_vfe32.c ++++ b/drivers/media/video/msm/vfe/msm_vfe32.c +@@ -2275,6 +2275,7 @@ static int vfe32_proc_general( + uint32_t *cmdp_local = NULL; + uint32_t snapshot_cnt = 0; + uint32_t temp1 = 0, temp2 = 0; ++ uint32_t maxvalue = 0; + struct msm_camera_vfe_params_t vfe_params; + + switch (cmd->id) { +@@ -2373,6 +2374,14 @@ static int vfe32_proc_general( + __func__); + goto proc_general_done; + } ++ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } ++ if (cmd->length < vfe32_cmd[cmd->id].length) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + cmdp = kmalloc(cmd->length, GFP_ATOMIC); + if (!cmdp) { + rc = -ENOMEM; +@@ -2407,6 +2416,14 @@ static int vfe32_proc_general( + __func__); + goto proc_general_done; + } ++ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } ++ if (cmd->length < vfe32_cmd[cmd->id].length) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + cmdp = kmalloc(cmd->length, GFP_ATOMIC); + if (!cmdp) { + rc = -ENOMEM; +@@ -2441,6 +2458,14 @@ static int vfe32_proc_general( + __func__); + goto proc_general_done; + } ++ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } ++ if (cmd->length < 
vfe32_cmd[cmd->id].length) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + cmdp = kmalloc(cmd->length, GFP_ATOMIC); + if (!cmdp) { + rc = -ENOMEM; +@@ -2471,6 +2496,14 @@ static int vfe32_proc_general( + __func__); + goto proc_general_done; + } ++ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } ++ if (cmd->length < vfe32_cmd[cmd->id].length) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + cmdp = kmalloc(cmd->length, GFP_ATOMIC); + if (!cmdp) { + rc = -ENOMEM; +@@ -2502,6 +2535,14 @@ static int vfe32_proc_general( + __func__); + goto proc_general_done; + } ++ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } ++ if (cmd->length < vfe32_cmd[cmd->id].length) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + cmdp = kmalloc(cmd->length, GFP_ATOMIC); + if (!cmdp) { + rc = -ENOMEM; +@@ -2527,6 +2568,14 @@ static int vfe32_proc_general( + __func__); + goto proc_general_done; + } ++ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } ++ if (cmd->length < vfe32_cmd[cmd->id].length) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + cmdp = kmalloc(cmd->length, GFP_ATOMIC); + if (!cmdp) { + rc = -ENOMEM; +@@ -2589,6 +2638,14 @@ static int vfe32_proc_general( + VFE_STATS_CFG); + msm_camera_io_w(module_val, + vfe32_ctrl->share_ctrl->vfebase + VFE_MODULE_CFG); ++ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } ++ if (cmd->length < vfe32_cmd[cmd->id].length) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + cmdp = kmalloc(cmd->length, GFP_ATOMIC); + if (!cmdp) { + rc = -ENOMEM; +@@ -2627,6 +2684,10 @@ static int vfe32_proc_general( + new_val = *cmdp_local; + old_val &= MCE_EN_MASK; + new_val = new_val | old_val; ++ if (cmd->length < 4) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + + 
V32_CHROMA_SUP_OFF + 4, &new_val, 4); +@@ -2637,10 +2698,23 @@ static int vfe32_proc_general( + new_val = *cmdp_local; + old_val &= MCE_Q_K_MASK; + new_val = new_val | old_val; ++ if (cmd->length < (4 + sizeof(uint32_t)*1)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + + V32_CHROMA_SUP_OFF + 8, &new_val, 4); + cmdp_local += 1; ++ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } ++ if (cmd->length < (vfe32_cmd[cmd->id].length + ++ sizeof(uint32_t) * (1 + 1))) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + + vfe32_cmd[cmd->id].offset, +@@ -2661,6 +2735,10 @@ static int vfe32_proc_general( + goto proc_general_done; + } + cmdp_local = cmdp; ++ if (cmd->length < 4) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy(vfe32_ctrl->share_ctrl->vfebase + + V32_CHROMA_SUP_OFF, cmdp_local, 4); + +@@ -2673,6 +2751,11 @@ static int vfe32_proc_general( + V32_CHROMA_SUP_OFF + 4); + old_val &= ~MCE_EN_MASK; + new_val = new_val | old_val; ++ /* As cmdp_local got incremented by 1*/ ++ if (cmd->length < (4 + sizeof(uint32_t) * 1)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + + V32_CHROMA_SUP_OFF + 4, &new_val, 4); +@@ -2683,6 +2766,10 @@ static int vfe32_proc_general( + new_val = *cmdp_local; + old_val &= ~MCE_Q_K_MASK; + new_val = new_val | old_val; ++ if (cmd->length < (4 + sizeof(uint32_t) * (1 + 1))) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + + V32_CHROMA_SUP_OFF + 8, &new_val, 4); +@@ -2704,12 +2791,22 @@ static int vfe32_proc_general( + goto proc_general_done; + } + cmdp_local = cmdp; ++ if (cmd->length < 16) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + + 
vfe32_cmd[cmd->id].offset, + cmdp_local, 16); + cmdp_local += 4; + vfe32_program_dmi_cfg(ROLLOFF_RAM0_BANK0, vfe32_ctrl); ++ if (cmd->length < (sizeof(uint32_t) * ++ (4 + V32_MESH_ROLL_OFF_INIT_TABLE_SIZE * 2 + ++ V32_MESH_ROLL_OFF_DELTA_TABLE_SIZE * 2))) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + /* for loop for extrcting init table. */ + for (i = 0; i < (V32_MESH_ROLL_OFF_INIT_TABLE_SIZE * 2); i++) { + msm_camera_io_w(*cmdp_local , +@@ -2773,6 +2870,14 @@ static int vfe32_proc_general( + } + break; + case VFE_CMD_LA_CFG: ++ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } ++ if (cmd->length < vfe32_cmd[cmd->id].length) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + cmdp = kmalloc(cmd->length, GFP_ATOMIC); + if (!cmdp) { + rc = -ENOMEM; +@@ -2813,6 +2918,11 @@ static int vfe32_proc_general( + cmdp_local = cmdp + 1; + old_val = msm_camera_io_r( + vfe32_ctrl->share_ctrl->vfebase + V32_LA_OFF); ++ if (cmd->length < (sizeof(uint32_t) * (1 + ++ (VFE32_LA_TABLE_LENGTH / 2)))) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + if (old_val != 0x0) + vfe32_write_la_cfg(LUMA_ADAPT_LUT_RAM_BANK0, + cmdp_local, vfe32_ctrl); +@@ -2861,6 +2971,10 @@ static int vfe32_proc_general( + break; + case VFE_CMD_SK_ENHAN_CFG: + case VFE_CMD_SK_ENHAN_UPDATE:{ ++ if (cmd->length < V32_SCE_LEN) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + cmdp = kmalloc(cmd->length, GFP_ATOMIC); + if (!cmdp) { + rc = -ENOMEM; +@@ -2895,17 +3009,31 @@ static int vfe32_proc_general( + goto proc_general_done; + } + cmdp_local = cmdp; ++ if (cmd->length < V32_LINEARIZATION_LEN1) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + + V32_LINEARIZATION_OFF1, + cmdp_local, V32_LINEARIZATION_LEN1); + cmdp_local += 4; ++ if (cmd->length < (V32_LINEARIZATION_LEN2 + ++ sizeof(uint32_t) * 4)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + 
vfe32_ctrl->share_ctrl->vfebase + + V32_LINEARIZATION_OFF2, + cmdp_local, V32_LINEARIZATION_LEN2); + + cmdp_local = cmdp + 17; ++ if (cmd->length < (sizeof(uint32_t) * ++ (VFE32_LINEARIZATON_TABLE_LENGTH + 17))) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + vfe32_write_linear_cfg(BLACK_LUT_RAM_BANK0, + cmdp_local, vfe32_ctrl); + break; +@@ -2923,11 +3051,20 @@ static int vfe32_proc_general( + } + cmdp_local = cmdp; + cmdp_local++; ++ if (cmd->length < V32_LINEARIZATION_LEN1) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + + V32_LINEARIZATION_OFF1 + 4, + cmdp_local, (V32_LINEARIZATION_LEN1 - 4)); + cmdp_local += 3; ++ if (cmd->length < (V32_LINEARIZATION_LEN2 + ++ sizeof(uint32_t) * (1 + 3))) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + + V32_LINEARIZATION_OFF2, +@@ -2938,6 +3075,11 @@ static int vfe32_proc_general( + vfe32_ctrl->share_ctrl->vfebase + + V32_LINEARIZATION_OFF1); + ++ if (cmd->length < (sizeof(uint32_t) * ++ (VFE32_LINEARIZATON_TABLE_LENGTH + 17))) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + if (old_val != 0x0) + vfe32_write_linear_cfg(BLACK_LUT_RAM_BANK0, + cmdp_local, vfe32_ctrl); +@@ -3084,11 +3226,24 @@ static int vfe32_proc_general( + new_val = new_val | old_val; + *cmdp_local = new_val; + ++ if (cmd->length < 4) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + V32_DEMOSAICV3_0_OFF, + cmdp_local, 4); + + cmdp_local += 1; ++ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } ++ if (cmd->length < (vfe32_cmd[cmd->id].length + ++ sizeof(uint32_t) * 1)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + + vfe32_cmd[cmd->id].offset, +@@ -3118,10 +3273,23 @@ static int vfe32_proc_general( + + new_val = new_val | old_val; + *cmdp_local = 
new_val; ++ if (cmd->length < 4) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + V32_DEMOSAICV3_0_OFF, + cmdp_local, 4); + cmdp_local += 1; ++ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } ++ if (cmd->length < (vfe32_cmd[cmd->id].length + ++ sizeof(uint32_t) * 1)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + + vfe32_cmd[cmd->id].offset, +@@ -3150,9 +3318,18 @@ static int vfe32_proc_general( + + new_val = new_val | old_val; + *cmdp_local = new_val; ++ if (cmd->length < V32_DEMOSAICV3_LEN) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy(vfe32_ctrl->share_ctrl->vfebase + + V32_DEMOSAICV3_0_OFF, + cmdp_local, V32_DEMOSAICV3_LEN); ++ if (cmd->length < (V32_DEMOSAICV3_DBPC_LEN + ++ sizeof(uint32_t) * 4)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + cmdp_local += 1; + msm_camera_io_memcpy(vfe32_ctrl->share_ctrl->vfebase + + V32_DEMOSAICV3_DBPC_CFG_OFF, +@@ -3183,6 +3360,11 @@ static int vfe32_proc_general( + rc = -EFAULT; + goto proc_general_done; + } ++ if (cmd->length < (sizeof(uint32_t) * (1 + ++ VFE32_GAMMA_NUM_ENTRIES / 2))) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + V32_RGB_G_OFF, + cmdp, 4); +@@ -3207,6 +3389,16 @@ static int vfe32_proc_general( + rc = -EFAULT; + goto proc_general_done; + } ++ maxvalue = (VFE32_GAMMA_CH0_G_POS > VFE32_GAMMA_CH1_B_POS) ? ++ VFE32_GAMMA_CH0_G_POS : VFE32_GAMMA_CH1_B_POS; ++ maxvalue = (maxvalue > VFE32_GAMMA_CH2_R_POS) ? 
++ maxvalue : VFE32_GAMMA_CH2_R_POS; ++ ++ if (cmd->length < (sizeof(uint32_t) * (1 + ++ maxvalue + (VFE32_GAMMA_NUM_ENTRIES / 2)))) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + V32_RGB_G_OFF, + cmdp, 4); +@@ -3236,6 +3428,17 @@ static int vfe32_proc_general( + old_val = msm_camera_io_r( + vfe32_ctrl->share_ctrl->vfebase + V32_RGB_G_OFF); + cmdp += 1; ++ ++ maxvalue = (VFE32_GAMMA_CH0_G_POS > VFE32_GAMMA_CH1_B_POS) ? ++ VFE32_GAMMA_CH0_G_POS : VFE32_GAMMA_CH1_B_POS; ++ maxvalue = (maxvalue > VFE32_GAMMA_CH2_R_POS) ? ++ maxvalue : VFE32_GAMMA_CH2_R_POS; ++ ++ if (cmd->length < (sizeof(uint32_t) * (1 + ++ maxvalue + (VFE32_GAMMA_NUM_ENTRIES / 2)))) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + if (old_val != 0x0) { + vfe32_write_gamma_cfg(RGBLUT_RAM_CH0_BANK0, + cmdp + VFE32_GAMMA_CH0_G_POS, vfe32_ctrl); +@@ -3271,6 +3474,11 @@ static int vfe32_proc_general( + old_val = msm_camera_io_r( + vfe32_ctrl->share_ctrl->vfebase + V32_RGB_G_OFF); + cmdp += 1; ++ if (cmd->length < (sizeof(uint32_t) * (1 + ( ++ VFE32_GAMMA_NUM_ENTRIES / 2)))) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + if (old_val != 0x0) { + vfe32_write_gamma_cfg( + RGBLUT_RAM_CH0_BANK0, cmdp, vfe32_ctrl); +@@ -3442,10 +3650,24 @@ static int vfe32_proc_general( + rc = -EFAULT; + goto proc_general_done; + } ++ /* As cmdp gets incremented 7 times in function ++ vfe32_sync_timer_start() */ ++ if (cmd->length < (sizeof(uint32_t) * 7)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + vfe32_sync_timer_start(cmdp, vfe32_ctrl); + break; + + case VFE_CMD_MODULE_CFG: { ++ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } ++ if (cmd->length < vfe32_cmd[cmd->id].length) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + cmdp = kmalloc(cmd->length, GFP_ATOMIC); + if (!cmdp) { + rc = -ENOMEM; +@@ -3496,11 +3718,24 @@ static int vfe32_proc_general( + rc = -EFAULT; + goto 
proc_general_done; + } ++ if (cmd->id < 0 || cmd->id >= ARRAY_SIZE(vfe32_cmd)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } ++ if (cmd->length < vfe32_cmd[cmd->id].length) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + + vfe32_cmd[cmd->id].offset, + cmdp, (vfe32_cmd[cmd->id].length)); + cmdp_local = cmdp + V32_ASF_LEN/4; ++ if (cmd->length < (sizeof(uint32_t) * (V32_ASF_LEN / 4) + ++ V32_ASF_SPECIAL_EFX_CFG_LEN)) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + msm_camera_io_memcpy( + vfe32_ctrl->share_ctrl->vfebase + + V32_ASF_SPECIAL_EFX_CFG_OFF, +@@ -3508,6 +3743,12 @@ static int vfe32_proc_general( + break; + + case VFE_CMD_PCA_ROLL_OFF_CFG: ++ ++ if (cmd->length < (sizeof(uint32_t) * (8 + 4 * ++ V33_PCA_ROLL_OFF_TABLE_SIZE))) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + cmdp = kmalloc(cmd->length, GFP_ATOMIC); + if (!cmdp) { + rc = -ENOMEM; +@@ -3566,6 +3807,11 @@ static int vfe32_proc_general( + break; + + case VFE_CMD_PCA_ROLL_OFF_UPDATE: ++ if (cmd->length < (sizeof(uint32_t) * (8 + 4 * ++ V33_PCA_ROLL_OFF_TABLE_SIZE))) { ++ rc = -EINVAL; ++ goto proc_general_done; ++ } + cmdp = kmalloc(cmd->length, GFP_ATOMIC); + if (!cmdp) { + rc = -ENOMEM; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-11022/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11022/ANY/0001.patch new file mode 100644 index 00000000..ef987dcb --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11022/ANY/0001.patch 
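Review bot: Several of the added length checks in `vfe32_proc_general` (CVE-2017-11018/ANY/0001.patch) sit after the read they are meant to guard. In the hunks at `@@ -2627,6 +2684,10 @@` and `@@ -2637,10 +2698,23 @@` the context line `new_val = *cmdp_local;` runs before the new `if (cmd->length < 4)` and `if (cmd->length < (4 + sizeof(uint32_t)*1))`, and the `msm_camera_io_memcpy` that follows copies from the local `&new_val`, so the check protects nothing that has not already been read; the guard should move above the first dereference of `cmdp_local`. In the hunk at `@@ -2589,6 +2638,14 @@` the `cmd->id` and `cmd->length` validation is likewise placed after `msm_camera_io_w(module_val, ...)` has already written the register. The checks are lower bounds only, so `kmalloc(cmd->length, GFP_ATOMIC)` is still sized by an unbounded caller-supplied value, and an upper bound is worth adding. The same eight-line id/length block is pasted into about a dozen cases, which one small static helper returning `-EINVAL` would replace; the function starts and ends outside these hunks.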
@@ -0,0 +1,1217 @@ +From 1379bfb6c09ee2ad5969db45c27fb675602b4ed0 Mon Sep 17 00:00:00 2001 +From: Rajeev Kumar Sirasanagandla +Date: Sat, 5 Nov 2016 18:37:04 +0530 +Subject: qcacld-2.0: Add support to include selective scan IEs only + +Add support to include only selective IEs in probe requests in +order to improve user's privacy. + +Change-Id: Ib874af7ec2f5453282ffe0e8fc2e50934460b745 +CRs-Fixed: 1086582 +--- + CORE/HDD/inc/wlan_hdd_cfg.h | 79 ++++++ + CORE/HDD/inc/wlan_hdd_main.h | 5 + + CORE/HDD/src/wlan_hdd_cfg.c | 317 +++++++++++++++++++++++++ + CORE/HDD/src/wlan_hdd_cfg80211.c | 100 +++++++- + CORE/HDD/src/wlan_hdd_main.c | 26 +- + CORE/MAC/inc/sirApi.h | 39 ++- + CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c | 22 +- + CORE/SERVICES/WMA/wma.c | 128 +++++++++- + CORE/SME/inc/csrApi.h | 4 + + CORE/SME/src/csr/csrApiScan.c | 62 ++++- + CORE/SME/src/pmc/pmcApi.c | 7 +- + 11 files changed, 774 insertions(+), 15 deletions(-) + +diff --git a/CORE/HDD/inc/wlan_hdd_cfg.h b/CORE/HDD/inc/wlan_hdd_cfg.h +index 6207a15..301ded4 100644 +--- a/CORE/HDD/inc/wlan_hdd_cfg.h ++++ b/CORE/HDD/inc/wlan_hdd_cfg.h +@@ -58,6 +58,8 @@ + + //Number of items that can be configured + #define MAX_CFG_INI_ITEMS 1024 ++#define MAX_PRB_REQ_VENDOR_OUI_INI_LEN 160 ++#define VENDOR_SPECIFIC_IE_BITMAP 0x20000000 + + #ifdef SAP_AUTH_OFFLOAD + /* 802.11 pre-share key length */ +@@ -4206,6 +4208,66 @@ FG_BTC_BT_INTERVAL_PAGE_P2P_STA_DEFAULT + #define CFG_5G_MAX_RSSI_PENALIZE_MAX (20) + #define CFG_5G_MAX_RSSI_PENALIZE_DEFAULT (10) + ++/* enable/disable probe request whiltelist IE feature */ ++#define CFG_PRB_REQ_IE_WHITELIST_NAME "g_enable_probereq_whitelist_ies" ++#define CFG_PRB_REQ_IE_WHITELIST_MIN (0) ++#define CFG_PRB_REQ_IE_WHITELIST_MAX (1) ++#define CFG_PRB_REQ_IE_WHITELIST_DEFAULT (0) ++/* ++ * For IE white listing in Probe Req, following ini parameters from ++ * g_probe_req_ie_bitmap_0 to g_probe_req_ie_bitmap_7 are used. 
User needs to ++ * input this values in hexa decimal format, when bit is set, corresponding ie ++ * needs to be included in probe request. ++ */ ++#define CFG_PRB_REQ_IE_BIT_MAP0_NAME "g_probe_req_ie_bitmap_0" ++#define CFG_PRB_REQ_IE_BIT_MAP0_MIN (0x00000000) ++#define CFG_PRB_REQ_IE_BIT_MAP0_MAX (0xFFFFFFFF) ++#define CFG_PRB_REQ_IE_BIT_MAP0_DEFAULT (0x00000000) ++ ++#define CFG_PRB_REQ_IE_BIT_MAP1_NAME "g_probe_req_ie_bitmap_1" ++#define CFG_PRB_REQ_IE_BIT_MAP1_MIN (0x00000000) ++#define CFG_PRB_REQ_IE_BIT_MAP1_MAX (0xFFFFFFFF) ++#define CFG_PRB_REQ_IE_BIT_MAP1_DEFAULT (0x00000000) ++ ++#define CFG_PRB_REQ_IE_BIT_MAP2_NAME "g_probe_req_ie_bitmap_2" ++#define CFG_PRB_REQ_IE_BIT_MAP2_MIN (0x00000000) ++#define CFG_PRB_REQ_IE_BIT_MAP2_MAX (0xFFFFFFFF) ++#define CFG_PRB_REQ_IE_BIT_MAP2_DEFAULT (0x00000000) ++ ++#define CFG_PRB_REQ_IE_BIT_MAP3_NAME "g_probe_req_ie_bitmap_3" ++#define CFG_PRB_REQ_IE_BIT_MAP3_MIN (0x00000000) ++#define CFG_PRB_REQ_IE_BIT_MAP3_MAX (0xFFFFFFFF) ++#define CFG_PRB_REQ_IE_BIT_MAP3_DEFAULT (0x00000000) ++ ++#define CFG_PRB_REQ_IE_BIT_MAP4_NAME "g_probe_req_ie_bitmap_4" ++#define CFG_PRB_REQ_IE_BIT_MAP4_MIN (0x00000000) ++#define CFG_PRB_REQ_IE_BIT_MAP4_MAX (0xFFFFFFFF) ++#define CFG_PRB_REQ_IE_BIT_MAP4_DEFAULT (0x00000000) ++ ++#define CFG_PRB_REQ_IE_BIT_MAP5_NAME "g_probe_req_ie_bitmap_5" ++#define CFG_PRB_REQ_IE_BIT_MAP5_MIN (0x00000000) ++#define CFG_PRB_REQ_IE_BIT_MAP5_MAX (0xFFFFFFFF) ++#define CFG_PRB_REQ_IE_BIT_MAP5_DEFAULT (0x00000000) ++ ++#define CFG_PRB_REQ_IE_BIT_MAP6_NAME "g_probe_req_ie_bitmap_6" ++#define CFG_PRB_REQ_IE_BIT_MAP6_MIN (0x00000000) ++#define CFG_PRB_REQ_IE_BIT_MAP6_MAX (0xFFFFFFFF) ++#define CFG_PRB_REQ_IE_BIT_MAP6_DEFAULT (0x00000000) ++ ++#define CFG_PRB_REQ_IE_BIT_MAP7_NAME "g_probe_req_ie_bitmap_7" ++#define CFG_PRB_REQ_IE_BIT_MAP7_MIN (0x00000000) ++#define CFG_PRB_REQ_IE_BIT_MAP7_MAX (0xFFFFFFFF) ++#define CFG_PRB_REQ_IE_BIT_MAP7_DEFAULT (0x00000000) ++ ++/* ++ * For vendor specific IE, Probe Req OUI types 
and sub types which are ++ * to be white listed are specifed in gProbeReqOUIs in the following ++ * example format - gProbeReqOUIs=AABBCCDD EEFF1122 ++ */ ++#define CFG_PROBE_REQ_OUI_NAME "gProbeReqOUIs" ++#define CFG_PROBE_REQ_OUI_DEFAULT "" ++ ++ + /*--------------------------------------------------------------------------- + Type declarations + -------------------------------------------------------------------------*/ +@@ -5020,6 +5082,20 @@ struct hdd_config { + int8_t rssi_penalize_threshold_5g; + uint8_t rssi_penalize_factor_5g; + uint8_t max_rssi_penalize_5g; ++ ++ bool probe_req_ie_whitelist; ++ /* probe request bit map ies */ ++ uint32_t probe_req_ie_bitmap_0; ++ uint32_t probe_req_ie_bitmap_1; ++ uint32_t probe_req_ie_bitmap_2; ++ uint32_t probe_req_ie_bitmap_3; ++ uint32_t probe_req_ie_bitmap_4; ++ uint32_t probe_req_ie_bitmap_5; ++ uint32_t probe_req_ie_bitmap_6; ++ uint32_t probe_req_ie_bitmap_7; ++ ++ /* Probe Request multiple vendor OUIs */ ++ uint8_t probe_req_ouis[MAX_PRB_REQ_VENDOR_OUI_INI_LEN]; + }; + + typedef struct hdd_config hdd_config_t; +@@ -5137,6 +5213,9 @@ static __inline unsigned long utilMin( unsigned long a, unsigned long b ) + Function declarations and documentation + -------------------------------------------------------------------------*/ + VOS_STATUS hdd_parse_config_ini(hdd_context_t *pHddCtx); ++uint32_t hdd_validate_prb_req_ie_bitmap(hdd_context_t* pHddCtx); ++VOS_STATUS hdd_parse_probe_req_ouis(hdd_context_t* pHddCtx); ++void hdd_free_probe_req_ouis(hdd_context_t* pHddCtx); + VOS_STATUS hdd_update_mac_config(hdd_context_t *pHddCtx); + VOS_STATUS hdd_set_sme_config( hdd_context_t *pHddCtx ); + VOS_STATUS hdd_set_sme_chan_list(hdd_context_t *hdd_ctx); +diff --git a/CORE/HDD/inc/wlan_hdd_main.h b/CORE/HDD/inc/wlan_hdd_main.h +index 8a70ab5..953aca0 100644 +--- a/CORE/HDD/inc/wlan_hdd_main.h ++++ b/CORE/HDD/inc/wlan_hdd_main.h +@@ -265,6 +265,8 @@ typedef v_U8_t tWlanHddMacAddr[HDD_MAC_ADDR_LEN]; + + #define 
HDD_BW_GET_DIFF(_x, _y) (unsigned long)((ULONG_MAX - (_y)) + (_x) + 1) + ++#define MAX_PROBE_REQ_OUIS 16 ++ + /* + * Generic asynchronous request/response support + * +@@ -1894,6 +1896,9 @@ struct hdd_context_s + vos_timer_t tdls_source_timer; + struct hdd_scan_chan_info *chan_info; + struct mutex chan_info_lock; ++ ++ uint32_t no_of_probe_req_ouis; ++ struct vendor_oui *probe_req_voui; + }; + + /*--------------------------------------------------------------------------- +diff --git a/CORE/HDD/src/wlan_hdd_cfg.c b/CORE/HDD/src/wlan_hdd_cfg.c +index c00ade7..787ae45 100644 +--- a/CORE/HDD/src/wlan_hdd_cfg.c ++++ b/CORE/HDD/src/wlan_hdd_cfg.c +@@ -4835,6 +4835,74 @@ REG_TABLE_ENTRY g_registry_table[] = + CFG_5G_MAX_RSSI_PENALIZE_DEFAULT, + CFG_5G_MAX_RSSI_PENALIZE_MIN, + CFG_5G_MAX_RSSI_PENALIZE_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_WHITELIST_NAME, WLAN_PARAM_Integer, ++ hdd_config_t, probe_req_ie_whitelist, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_WHITELIST_DEFAULT, ++ CFG_PRB_REQ_IE_WHITELIST_MIN, ++ CFG_PRB_REQ_IE_WHITELIST_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP0_NAME, WLAN_PARAM_HexInteger, ++ hdd_config_t, probe_req_ie_bitmap_0, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP0_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP0_MIN, ++ CFG_PRB_REQ_IE_BIT_MAP0_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP1_NAME, WLAN_PARAM_HexInteger, ++ hdd_config_t, probe_req_ie_bitmap_1, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP1_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP1_MIN, ++ CFG_PRB_REQ_IE_BIT_MAP1_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP2_NAME, WLAN_PARAM_HexInteger, ++ hdd_config_t, probe_req_ie_bitmap_2, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP2_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP2_MIN, ++ CFG_PRB_REQ_IE_BIT_MAP2_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP3_NAME, WLAN_PARAM_HexInteger, ++ 
hdd_config_t, probe_req_ie_bitmap_3, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP3_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP3_MIN, ++ CFG_PRB_REQ_IE_BIT_MAP3_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP4_NAME, WLAN_PARAM_HexInteger, ++ hdd_config_t, probe_req_ie_bitmap_4, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP4_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP4_MIN, ++ CFG_PRB_REQ_IE_BIT_MAP4_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP5_NAME, WLAN_PARAM_HexInteger, ++ hdd_config_t, probe_req_ie_bitmap_5, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP5_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP5_MIN, ++ CFG_PRB_REQ_IE_BIT_MAP5_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP6_NAME, WLAN_PARAM_HexInteger, ++ hdd_config_t, probe_req_ie_bitmap_6, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP6_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP6_MIN, ++ CFG_PRB_REQ_IE_BIT_MAP6_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP7_NAME, WLAN_PARAM_HexInteger, ++ hdd_config_t, probe_req_ie_bitmap_7, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP7_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP7_MIN, ++ CFG_PRB_REQ_IE_BIT_MAP7_MAX), ++ ++ REG_VARIABLE_STRING(CFG_PROBE_REQ_OUI_NAME, WLAN_PARAM_String, ++ hdd_config_t, probe_req_ouis, ++ VAR_FLAGS_OPTIONAL, ++ (void *)CFG_PROBE_REQ_OUI_DEFAULT), + }; + + +@@ -5691,6 +5759,46 @@ void print_hdd_cfg(hdd_context_t *pHddCtx) + hddLog(LOG2, "Name = [%s] Value = [%u] ", + CFG_TDLS_ENABLE_DEFER_TIMER, + pHddCtx->cfg_ini->tdls_enable_defer_time); ++ ++ hddLog(LOG2, "Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_WHITELIST_NAME, ++ pHddCtx->cfg_ini->probe_req_ie_whitelist); ++ ++ hddLog(LOG2, "Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_BIT_MAP0_NAME, ++ pHddCtx->cfg_ini->probe_req_ie_bitmap_0); ++ ++ hddLog(LOG2, "Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_BIT_MAP1_NAME, ++ 
pHddCtx->cfg_ini->probe_req_ie_bitmap_1); ++ ++ hddLog(LOG2, "Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_BIT_MAP2_NAME, ++ pHddCtx->cfg_ini->probe_req_ie_bitmap_2); ++ ++ hddLog(LOG2, "Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_BIT_MAP3_NAME, ++ pHddCtx->cfg_ini->probe_req_ie_bitmap_3); ++ ++ hddLog(LOG2, "Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_BIT_MAP4_NAME, ++ pHddCtx->cfg_ini->probe_req_ie_bitmap_4); ++ ++ hddLog(LOG2, "Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_BIT_MAP5_NAME, ++ pHddCtx->cfg_ini->probe_req_ie_bitmap_5); ++ ++ hddLog(LOG2, "Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_BIT_MAP6_NAME, ++ pHddCtx->cfg_ini->probe_req_ie_bitmap_6); ++ ++ hddLog(LOG2, "Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_BIT_MAP7_NAME, ++ pHddCtx->cfg_ini->probe_req_ie_bitmap_7); ++ ++ hddLog(LOG2, "Name = [%s] Value =[%s]", ++ CFG_PROBE_REQ_OUI_NAME, ++ pHddCtx->cfg_ini->probe_req_ouis); + } + + #define CFG_VALUE_MAX_LEN 256 +@@ -8187,3 +8295,212 @@ void hdd_set_btc_bt_wlan_interval(hdd_context_t *hdd_ctx) + if (VOS_STATUS_SUCCESS != status) + hddLog(LOGE, "Fail to set enable bt wlan coex parameters"); + } ++ ++/** ++ * hdd_validate_prb_req_ie_bitmap - validates user input for ie bit map ++ * @hdd_ctx: the pointer to hdd context ++ * ++ * This function checks whether user have entered valid probe request ++ * ie bitmap and also verifies vendor ouis if vendor specific ie is set ++ * ++ * Return: status of verification ++ * 1 - valid input ++ * 0 - invalid input ++ */ ++uint32_t hdd_validate_prb_req_ie_bitmap(hdd_context_t* pHddCtx) ++{ ++ if (!(pHddCtx->cfg_ini->probe_req_ie_bitmap_0 || ++ pHddCtx->cfg_ini->probe_req_ie_bitmap_1 || ++ pHddCtx->cfg_ini->probe_req_ie_bitmap_2 || ++ pHddCtx->cfg_ini->probe_req_ie_bitmap_3 || ++ pHddCtx->cfg_ini->probe_req_ie_bitmap_4 || ++ pHddCtx->cfg_ini->probe_req_ie_bitmap_5 || ++ pHddCtx->cfg_ini->probe_req_ie_bitmap_6 || ++ pHddCtx->cfg_ini->probe_req_ie_bitmap_7)) ++ return 0; ++ ++ /** ++ * check whether vendor oui IE 
is set and OUIs are present, each OUI ++ * is eneterd in the form of string of 8 characters from ini, therefore, ++ * for atleast one OUI, minimum length is 8 and hence this string length ++ * is checked for minimum of 8 ++ */ ++ if ((pHddCtx->cfg_ini->probe_req_ie_bitmap_6 & ++ VENDOR_SPECIFIC_IE_BITMAP) && ++ (strlen(pHddCtx->cfg_ini->probe_req_ouis) < 8)) ++ return 0; ++ ++ /* check whether vendor oui IE is not set but OUIs are present */ ++ if (!(pHddCtx->cfg_ini->probe_req_ie_bitmap_6 & ++ VENDOR_SPECIFIC_IE_BITMAP) && ++ (strlen(pHddCtx->cfg_ini->probe_req_ouis) > 0)) ++ return 0; ++ ++ return 1; ++} ++ ++/** ++ * probe_req_voui_convert_to_hex - converts str of 8 chars into two hex values ++ * @temp: string to be converted ++ * @voui: contains the type and subtype values ++ * ++ * This function converts the string length of 8 characters into two ++ * hexa-decimal values, oui_type and oui_subtype, where oui_type is the ++ * hexa decimal value converted from first 6 characters and oui_subtype is ++ * hexa decimal value converted from last 2 characters. ++ * strings which doesn't match with the specified pattern are ignored. 
++ * ++ * Return: status of conversion ++ * 1 - if conversion is successful ++ * 0 - if conversion is failed ++ */ ++static uint32_t hdd_probe_req_voui_convert_to_hex(uint8_t *temp, ++ struct vendor_oui *voui) ++{ ++ uint32_t hex_value[4]; ++ uint32_t i = 0; ++ uint32_t indx = 0; ++ ++ memset(hex_value, 0x00, sizeof(hex_value)); ++ memset(voui, 0x00, sizeof(*voui)); ++ ++ /* convert string to hex */ ++ for (i = 0; i < 8; i++) { ++ if (temp[i] >= '0' && temp[i] <= '9') { ++ hex_value[indx] = (temp[i] - '0') << 4; ++ } else if (temp[i] >= 'A' && temp[i] <= 'F') { ++ hex_value[indx] = (temp[i] - 'A') + 0xA; ++ hex_value[indx] = hex_value[indx] << 4; ++ } else { ++ /* invalid character in oui */ ++ return 0; ++ } ++ ++ if (temp[i + 1] >= '0' && temp[i + 1] <= '9') { ++ hex_value[indx] |= (temp[i + 1] - '0'); ++ i = i + 1; ++ indx = indx + 1; ++ } else if (temp[i + 1] >= 'A' && temp[i + 1] <= 'F') { ++ hex_value[indx] |= ((temp[i + 1] - 'A') + 0xA); ++ i = i + 1; ++ indx = indx + 1; ++ } else { ++ /* invalid character in oui */ ++ return 0; ++ } ++ } ++ ++ voui->oui_type = (hex_value[0] | (hex_value[1] << 8) | ++ (hex_value[2] << 16)); ++ voui->oui_subtype = hex_value[3]; ++ ++ hddLog(LOG1, FL("OUI_type = %x and OUI_subtype = %x"), voui->oui_type, ++ voui->oui_subtype); ++ return 1; ++} ++ ++/** ++ * hdd_parse_probe_req_ouis - form ouis from ini gProbeReqOUIs ++ * @hdd_ctx: the pointer to hdd context ++ * ++ * This function parses the ini string gProbeReqOUIs which needs to in the ++ * following format: ++ * "<8 characters of [0-9] or [A-F]>space<8 characters from [0-9] etc.," ++ * example: "AABBCCDD 1122EEFF" ++ * and the logic counts the number of OUIS and allocates the memory ++ * for every valid OUI and is stored in hdd_context_t ++ * ++ * Return: status of parsing ++ */ ++VOS_STATUS hdd_parse_probe_req_ouis(hdd_context_t* pHddCtx) ++{ ++ struct vendor_oui voui[MAX_PROBE_REQ_OUIS]; ++ uint8_t *str; ++ uint8_t temp[9]; ++ uint32_t start = 0, end = 0; ++ uint32_t 
oui_indx = 0; ++ uint32_t i = 0; ++ ++ pHddCtx->cfg_ini->probe_req_ouis[MAX_PRB_REQ_VENDOR_OUI_INI_LEN - 1] = ++ '\0'; ++ if (!strlen(pHddCtx->cfg_ini->probe_req_ouis)) { ++ pHddCtx->no_of_probe_req_ouis = 0; ++ pHddCtx->probe_req_voui = NULL; ++ hddLog(LOG1, FL("NO OUIS to parse")); ++ return VOS_STATUS_SUCCESS; ++ } ++ ++ str = (uint8_t *)(pHddCtx->cfg_ini->probe_req_ouis); ++ ++ while(str[i] != '\0') { ++ if (str[i] == ' ') { ++ if ((end - start) != 8) ++ { ++ end = start = 0; ++ i++; ++ continue; ++ } else { ++ memcpy(temp, &str[i - 8], 8); ++ i++; ++ temp[8] = '\0'; ++ if (hdd_probe_req_voui_convert_to_hex(temp, ++ &voui[oui_indx]) == 0) { ++ continue; ++ } ++ oui_indx++; ++ if (oui_indx > MAX_PROBE_REQ_OUIS) { ++ hddLog(LOGE, "Max no.of OUIS supported " ++ "is 16. ignoring the rest"); ++ return VOS_STATUS_SUCCESS; ++ } ++ } ++ start = end = 0; ++ } else { ++ i++; ++ end++; ++ } ++ } ++ ++ if ((end - start) == 8) { ++ memcpy(temp, &str[i - 8], 8); ++ temp[8] = '\0'; ++ if (hdd_probe_req_voui_convert_to_hex(temp, ++ &voui[oui_indx]) == 1) ++ oui_indx++; ++ } ++ ++ if (!oui_indx) ++ return VOS_STATUS_SUCCESS; ++ ++ pHddCtx->probe_req_voui = (struct vendor_oui *)vos_mem_malloc(oui_indx * ++ sizeof(struct vendor_oui)); ++ if (pHddCtx->probe_req_voui == NULL) { ++ hddLog(LOGE,"Not Enough memory for OUI"); ++ pHddCtx->no_of_probe_req_ouis = 0; ++ return VOS_STATUS_E_FAILURE; ++ } ++ vos_mem_zero(pHddCtx->probe_req_voui, ++ oui_indx * sizeof(struct vendor_oui)); ++ pHddCtx->no_of_probe_req_ouis = oui_indx; ++ vos_mem_copy(pHddCtx->probe_req_voui, voui, ++ oui_indx * sizeof(struct vendor_oui)); ++ ++ return VOS_STATUS_SUCCESS; ++} ++ ++/** ++ * hdd_free_probe_req_ouis - de-allocates the probe req ouis ++ * @hdd_ctx: the pointer to hdd context ++ * ++ * This function de-alloactes the probe req ouis which are ++ * allocated while parsing of ini string gProbeReqOUIs ++ * ++ * Return: None ++ */ ++void hdd_free_probe_req_ouis(hdd_context_t* pHddCtx) ++{ ++ if 
(!pHddCtx->probe_req_voui) ++ vos_mem_free(pHddCtx->probe_req_voui); ++ ++ pHddCtx->no_of_probe_req_ouis = 0; ++} +diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c +index b61bbdb..d51350e 100644 +--- a/CORE/HDD/src/wlan_hdd_cfg80211.c ++++ b/CORE/HDD/src/wlan_hdd_cfg80211.c +@@ -1578,6 +1578,49 @@ wlan_hdd_cfg80211_get_supported_features(struct wiphy *wiphy, + } + + /** ++ * wlan_hdd_fill_whitelist_ie_attrs - fill the white list members ++ * @ie_whitelist: enables whitelist ++ * @probe_req_ie_bitmap: bitmap to be filled ++ * @num_vendor_oui: pointer to no of ouis ++ * @voui: pointer to ouis to be filled ++ * @pHddCtx: pointer to hdd ctx ++ * ++ * This function fills the ie bitmap and vendor oui fields with the ++ * corresponding values present in cfg_ini and PHddCtx ++ * ++ * Return: Return none ++ */ ++static void wlan_hdd_fill_whitelist_ie_attrs(bool *ie_whitelist, ++ uint32_t *probe_req_ie_bitmap, ++ uint32_t *num_vendor_oui, ++ struct vendor_oui *voui, ++ hdd_context_t *pHddCtx) ++{ ++ uint32_t i = 0; ++ ++ *ie_whitelist = true; ++ probe_req_ie_bitmap[0] = pHddCtx->cfg_ini->probe_req_ie_bitmap_0; ++ probe_req_ie_bitmap[1] = pHddCtx->cfg_ini->probe_req_ie_bitmap_1; ++ probe_req_ie_bitmap[2] = pHddCtx->cfg_ini->probe_req_ie_bitmap_2; ++ probe_req_ie_bitmap[3] = pHddCtx->cfg_ini->probe_req_ie_bitmap_3; ++ probe_req_ie_bitmap[4] = pHddCtx->cfg_ini->probe_req_ie_bitmap_4; ++ probe_req_ie_bitmap[5] = pHddCtx->cfg_ini->probe_req_ie_bitmap_5; ++ probe_req_ie_bitmap[6] = pHddCtx->cfg_ini->probe_req_ie_bitmap_6; ++ probe_req_ie_bitmap[7] = pHddCtx->cfg_ini->probe_req_ie_bitmap_7; ++ ++ *num_vendor_oui = 0; ++ ++ if ((pHddCtx->no_of_probe_req_ouis != 0) && (voui != NULL)) { ++ *num_vendor_oui = pHddCtx->no_of_probe_req_ouis; ++ for (i = 0; i < pHddCtx->no_of_probe_req_ouis; i++) { ++ voui[i].oui_type = pHddCtx->probe_req_voui[i].oui_type; ++ voui[i].oui_subtype = ++ pHddCtx->probe_req_voui[i].oui_subtype; ++ } ++ } ++} ++ ++/** + * 
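Review bot: In hdd_parse_probe_req_ouis() the bound test `if (oui_indx > MAX_PROBE_REQ_OUIS)` runs after the increment, so once sixteen OUIs are stored the loop carries on and the next conversion writes `&voui[oui_indx]` one element past the `voui[MAX_PROBE_REQ_OUIS]` stack array. The 160-byte ini buffer has room for a seventeenth entry, and the tail block after the loop uses the same unchecked index. The index should be tested before each conversion, e.g. `if (oui_indx >= MAX_PROBE_REQ_OUIS) break;`, with `oui_indx < MAX_PROBE_REQ_OUIS &&` added to the tail condition; breaking instead of returning also keeps the first sixteen entries rather than leaving before anything is copied into pHddCtx. In the same hunk hdd_free_probe_req_ouis() has its test inverted: `if (!pHddCtx->probe_req_voui)` calls vos_mem_free() only on a NULL pointer, so the array is never released. It should test `if (pHddCtx->probe_req_voui)` and then set `pHddCtx->probe_req_voui = NULL;` after the free.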
__wlan_hdd_cfg80211_set_scanning_mac_oui() - set scan MAC + * @wiphy: pointer to wireless wiphy structure. + * @wdev: pointer to wireless_dev structure. +@@ -1625,12 +1668,16 @@ __wlan_hdd_cfg80211_set_scanning_mac_oui(struct wiphy *wiphy, + return -EINVAL; + } + +- pReqMsg = vos_mem_malloc(sizeof(*pReqMsg)); ++ pReqMsg = vos_mem_malloc(sizeof(*pReqMsg) + ++ (pHddCtx->no_of_probe_req_ouis) * ++ (sizeof(struct vendor_oui))); + if (!pReqMsg) { + hddLog(LOGE, FL("vos_mem_malloc failed")); + return -ENOMEM; + } +- vos_mem_zero(pReqMsg, sizeof(*pReqMsg)); ++ vos_mem_zero(pReqMsg, sizeof(*pReqMsg) + ++ (pHddCtx->no_of_probe_req_ouis) * ++ (sizeof(struct vendor_oui))); + + /* Parse and fetch oui */ + if (!tb[QCA_WLAN_VENDOR_ATTR_SET_SCANNING_MAC_OUI]) { +@@ -1647,7 +1694,15 @@ __wlan_hdd_cfg80211_set_scanning_mac_oui(struct wiphy *wiphy, + pReqMsg->enb_probe_req_sno_randomization = 1; + + hddLog(LOG1, FL("Oui (%02x:%02x:%02x), vdev_id = %d"), pReqMsg->oui[0], +- pReqMsg->oui[1], pReqMsg->oui[2], pReqMsg->vdev_id); ++ pReqMsg->oui[1], pReqMsg->oui[2], pReqMsg->vdev_id); ++ ++ if (pHddCtx->cfg_ini->probe_req_ie_whitelist) ++ wlan_hdd_fill_whitelist_ie_attrs(&pReqMsg->ie_whitelist, ++ pReqMsg->probe_req_ie_bitmap, ++ &pReqMsg->num_vendor_oui, ++ (struct vendor_oui *)((uint8_t *)pReqMsg + ++ sizeof(*pReqMsg)), ++ pHddCtx); + + status = sme_SetScanningMacOui(pHddCtx->hHal, pReqMsg); + if (!HAL_STATUS_SUCCESS(status)) { +@@ -18805,6 +18860,25 @@ int __wlan_hdd_cfg80211_scan( struct wiphy *wiphy, + wlan_hdd_update_scan_rand_attrs((void *)&scanRequest, (void *)request, + WLAN_HDD_HOST_SCAN); + ++ if (pHddCtx->no_of_probe_req_ouis != 0) { ++ scanRequest.voui = (struct vendor_oui *)vos_mem_malloc( ++ pHddCtx->no_of_probe_req_ouis * ++ sizeof(struct vendor_oui)); ++ if (!scanRequest.voui) { ++ hddLog(LOGE, FL("Not enough memory for voui")); ++ scanRequest.num_vendor_oui = 0; ++ status = -ENOMEM; ++ goto free_mem; ++ } ++ } ++ ++ if (pHddCtx->cfg_ini->probe_req_ie_whitelist) ++ 
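Review bot: In the hunk at `@@ -1625,12 +1668,16 @@`, the request size `sizeof(*pReqMsg) + (pHddCtx->no_of_probe_req_ouis) * (sizeof(struct vendor_oui))` is spelled out twice, once for vos_mem_malloc() and once for vos_mem_zero(). The fill call added in the next hunk writes the same number of entries behind the struct, so all three must agree or the zeroing or the copy runs past the allocation. Computing it once, `size_t req_len = sizeof(*pReqMsg) + pHddCtx->no_of_probe_req_ouis * sizeof(struct vendor_oui);`, and passing `req_len` to both calls keeps them in step. The two hunks in __wlan_hdd_cfg80211_sched_scan_start() repeat the pattern for tSirPNOScanReq. The function body continues outside the hunk.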
wlan_hdd_fill_whitelist_ie_attrs(&scanRequest.ie_whitelist, ++ scanRequest.probe_req_ie_bitmap, ++ &scanRequest.num_vendor_oui, ++ scanRequest.voui, ++ pHddCtx); ++ + vos_runtime_pm_prevent_suspend(pHddCtx->runtime_context.scan); + status = sme_ScanRequest( WLAN_HDD_GET_HAL_CTX(pAdapter), + pAdapter->sessionId, &scanRequest, &scanId, +@@ -18846,6 +18920,9 @@ free_mem: + if( channelList ) + vos_mem_free( channelList ); + ++ if(scanRequest.voui) ++ vos_mem_free(scanRequest.voui); ++ + EXIT(); + return status; + } +@@ -22819,7 +22896,9 @@ static int __wlan_hdd_cfg80211_sched_scan_start(struct wiphy *wiphy, + return -ENOTSUPP; + } + +- pPnoRequest = (tpSirPNOScanReq) vos_mem_malloc(sizeof (tSirPNOScanReq)); ++ pPnoRequest = (tpSirPNOScanReq) vos_mem_malloc(sizeof(tSirPNOScanReq) + ++ (pHddCtx->no_of_probe_req_ouis) * ++ (sizeof(struct vendor_oui))); + if (NULL == pPnoRequest) + { + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL, +@@ -22827,7 +22906,9 @@ static int __wlan_hdd_cfg80211_sched_scan_start(struct wiphy *wiphy, + return -ENOMEM; + } + +- memset(pPnoRequest, 0, sizeof (tSirPNOScanReq)); ++ memset(pPnoRequest, 0, sizeof (tSirPNOScanReq) + ++ (pHddCtx->no_of_probe_req_ouis) * ++ (sizeof(struct vendor_oui))); + pPnoRequest->enable = 1; /*Enable PNO */ + pPnoRequest->ucNetworksCount = request->n_match_sets; + if ((!pPnoRequest->ucNetworksCount ) || +@@ -22985,6 +23066,15 @@ static int __wlan_hdd_cfg80211_sched_scan_start(struct wiphy *wiphy, + wlan_hdd_update_scan_rand_attrs((void *)pPnoRequest, (void *)request, + WLAN_HDD_PNO_SCAN); + ++ if (pHddCtx->cfg_ini->probe_req_ie_whitelist) ++ wlan_hdd_fill_whitelist_ie_attrs(&pPnoRequest->ie_whitelist, ++ pPnoRequest->probe_req_ie_bitmap, ++ &pPnoRequest->num_vendor_oui, ++ (struct vendor_oui *)( ++ (uint8_t *)pPnoRequest + ++ sizeof(*pPnoRequest)), ++ pHddCtx); ++ + status = sme_SetPreferredNetworkList(WLAN_HDD_GET_HAL_CTX(pAdapter), + pPnoRequest, pAdapter->sessionId, + hdd_cfg80211_sched_scan_done_callback, 
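Review bot: The cleanup added at `free_mem` tests `scanRequest.voui`, but that field is first assigned in the hunk at `@@ -18805,6 +18860,25 @@`. Any `goto free_mem` taken earlier in __wlan_hdd_cfg80211_scan() therefore relies on scanRequest having been zeroed beforehand, which is not visible here and should be confirmed. The buffer is also allocated whenever `no_of_probe_req_ouis != 0`, even when `probe_req_ie_whitelist` is off and nothing will be written to it; moving the allocation under `if (pHddCtx->cfg_ini->probe_req_ie_whitelist)` keeps the two decisions together. The function starts and ends outside the hunk.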
pAdapter); +diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c +index 9a1922b..b967a67 100644 +--- a/CORE/HDD/src/wlan_hdd_main.c ++++ b/CORE/HDD/src/wlan_hdd_main.c +@@ -13334,6 +13334,7 @@ free_hdd_ctx: + + wlan_hdd_deinit_chan_info(pHddCtx); + wlan_hdd_deinit_tx_rx_histogram(pHddCtx); ++ hdd_free_probe_req_ouis(pHddCtx); + wiphy_unregister(wiphy) ; + wlan_hdd_cfg80211_deinit(wiphy); + wiphy_free(wiphy) ; +@@ -14926,6 +14927,27 @@ int hdd_wlan_startup(struct device *dev, v_VOID_t *hif_sc) + if (!hdd_ipa_is_present(pHddCtx)) + hdd_ipa_reset_ipaconfig(pHddCtx, 0); + ++ if (pHddCtx->cfg_ini->probe_req_ie_whitelist) ++ { ++ if (hdd_validate_prb_req_ie_bitmap(pHddCtx)) ++ { ++ /* parse ini string probe req oui */ ++ status = hdd_parse_probe_req_ouis(pHddCtx); ++ if (VOS_STATUS_SUCCESS != status) ++ { ++ hddLog(LOGE, FL("Error parsing probe req ouis - Ignoring them" ++ " disabling white list")); ++ pHddCtx->cfg_ini->probe_req_ie_whitelist = false; ++ } ++ } ++ else ++ { ++ hddLog(LOGE, FL("invalid probe req ie bitmap and ouis," ++ " disabling white list")); ++ pHddCtx->cfg_ini->probe_req_ie_whitelist = false; ++ } ++ } ++ + if (0 == pHddCtx->cfg_ini->max_go_peers) + pHddCtx->cfg_ini->max_go_peers = pHddCtx->cfg_ini->max_sap_peers; + +@@ -15944,8 +15966,10 @@ err_histogram: + + err_free_hdd_context: + /* wiphy_free() will free the HDD context so remove global reference */ +- if (pVosContext) ++ if (pVosContext) { ++ hdd_free_probe_req_ouis(pHddCtx); + ((VosContextType*)(pVosContext))->pHDDContext = NULL; ++ } + + wiphy_free(wiphy) ; + //kfree(wdev) ; +diff --git a/CORE/MAC/inc/sirApi.h b/CORE/MAC/inc/sirApi.h +index 83d53be..36f71b6 100644 +--- a/CORE/MAC/inc/sirApi.h ++++ b/CORE/MAC/inc/sirApi.h +@@ -89,6 +89,7 @@ typedef tANI_U8 tSirVersionString[SIR_VERSION_STRING_LEN]; + #define MAXNUM_PERIODIC_TX_PTRNS 6 + + #define WIFI_SCANNING_MAC_OUI_LENGTH 3 ++#define PROBE_REQ_BITMAP_LEN 8 + + #define MAX_LEN_UDP_RESP_OFFLOAD 128 + +@@ -945,6 +946,11 @@ 
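Review bot: In the hunk at `@@ -15944,8 +15966,10 @@`, `hdd_free_probe_req_ouis(pHddCtx)` is placed inside the `if (pVosContext)` block, so the OUI array is released only when the VOS context pointer is non-NULL, although the two are unrelated. Calling it unconditionally just before the `if`, while pHddCtx is still valid ahead of wiphy_free(), would release it on every pass through this error path. The label belongs to a function whose body is outside the hunk.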
typedef struct sSirSmeScanReq + uint32_t enable_scan_randomization; + uint8_t mac_addr[VOS_MAC_ADDR_SIZE]; + uint8_t mac_addr_mask[VOS_MAC_ADDR_SIZE]; ++ bool ie_whitelist; ++ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN]; ++ uint32_t num_vendor_oui; ++ uint32_t oui_field_len; ++ uint32_t oui_field_offset; + + //channelList MUST be the last field of this structure + tSirChannelList channelList; +@@ -964,7 +970,10 @@ typedef struct sSirSmeScanReq + ----------------------------- <--+ + ... variable size uIEFiled + up to uIEFieldLen (can be 0) +- -----------------------------*/ ++ ----------------------------- ++ ... variable size upto num_vendor_oui ++ struct vendor_oui voui; ++ */ + } tSirSmeScanReq, *tpSirSmeScanReq; + + typedef struct sSirSmeScanAbortReq +@@ -3810,6 +3819,10 @@ typedef struct sSirPNOScanReq { + uint32_t enable_pno_scan_randomization; + uint8_t mac_addr[VOS_MAC_ADDR_SIZE]; + uint8_t mac_addr_mask[VOS_MAC_ADDR_SIZE]; ++ bool ie_whitelist; ++ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN]; ++ uint32_t num_vendor_oui; ++ /* followed by one or more struct vendor_oui */ + } tSirPNOScanReq, *tpSirPNOScanReq; + + typedef struct sSirSetRSSIFilterReq +@@ -4536,6 +4549,11 @@ typedef struct sSirScanOffloadReq { + uint32_t enable_scan_randomization; + uint8_t mac_addr[VOS_MAC_ADDR_SIZE]; + uint8_t mac_addr_mask[VOS_MAC_ADDR_SIZE]; ++ bool ie_whitelist; ++ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN]; ++ uint32_t num_vendor_oui; ++ uint32_t oui_field_len; ++ uint32_t oui_field_offset; + + tSirChannelList channelList; + /*----------------------------- +@@ -4554,7 +4572,10 @@ typedef struct sSirScanOffloadReq { + ----------------------------- <--+ + ... variable size uIEField + up to uIEFieldLen (can be 0) +- -----------------------------*/ ++ ----------------------------- ++ ... 
variable size upto num_vendor_oui ++ struct vendor_oui voui; ++ ------------------------*/ + } tSirScanOffloadReq, *tpSirScanOffloadReq; + + /** +@@ -5823,11 +5844,25 @@ typedef struct + tANI_U8 stopReq; + } tSirLLStatsClearReq, *tpSirLLStatsClearReq; + ++/** ++ * struct vendor_oui - probe request ie vendor oui information ++ * @oui_type: type of the vendor oui (3 valid octets) ++ * @oui_subtype: subtype of the vendor oui (1 valid octet) ++ */ ++struct vendor_oui { ++ uint32_t oui_type; ++ uint32_t oui_subtype; ++}; ++ + typedef struct + { + tANI_U8 oui[WIFI_SCANNING_MAC_OUI_LENGTH]; + uint32_t vdev_id; + uint32_t enb_probe_req_sno_randomization; ++ bool ie_whitelist; ++ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN]; ++ uint32_t num_vendor_oui; ++ /* Followed by 0 or more struct vendor_oui */ + } tSirScanMacOui, *tpSirScanMacOui; + + enum { +diff --git a/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c b/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c +index a6a7879..d1629bc 100644 +--- a/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c ++++ b/CORE/MAC/src/pe/lim/limProcessSmeReqMessages.c +@@ -1233,7 +1233,7 @@ static eHalStatus limSendHalStartScanOffloadReq(tpAniSirGlobal pMac, + /* The tSirScanOffloadReq will reserve the space for first channel, + so allocate the memory for (numChannels - 1) and uIEFieldLen */ + len = sizeof(tSirScanOffloadReq) + (pScanReq->channelList.numChannels - 1) + +- pScanReq->uIEFieldLen; ++ pScanReq->uIEFieldLen + pScanReq->oui_field_len; + + if (!pMac->per_band_chainmask_supp) { + if (IS_DOT11_MODE_HT(pScanReq->dot11mode)) { +@@ -1332,7 +1332,8 @@ static eHalStatus limSendHalStartScanOffloadReq(tpAniSirGlobal pMac, + + pScanOffloadReq->uIEFieldLen = pScanReq->uIEFieldLen; + pScanOffloadReq->uIEFieldOffset = len - addn_ie_len - +- pScanOffloadReq->uIEFieldLen; ++ pScanOffloadReq->uIEFieldLen - ++ pScanReq->oui_field_len; + vos_mem_copy( + (tANI_U8 *) pScanOffloadReq + pScanOffloadReq->uIEFieldOffset, + (tANI_U8 *) pScanReq + 
pScanReq->uIEFieldOffset, +@@ -1395,6 +1396,23 @@ static eHalStatus limSendHalStartScanOffloadReq(tpAniSirGlobal pMac, + VOS_MAC_ADDR_SIZE); + } + ++ pScanOffloadReq->oui_field_len = pScanReq->oui_field_len; ++ pScanOffloadReq->num_vendor_oui = pScanReq->num_vendor_oui; ++ pScanOffloadReq->ie_whitelist = pScanReq->ie_whitelist; ++ if (pScanOffloadReq->ie_whitelist) ++ vos_mem_copy(pScanOffloadReq->probe_req_ie_bitmap, ++ pScanReq->probe_req_ie_bitmap, ++ PROBE_REQ_BITMAP_LEN * sizeof(uint32_t)); ++ pScanOffloadReq->oui_field_offset = sizeof(tSirScanOffloadReq) + ++ (pScanOffloadReq->channelList.numChannels - 1) + ++ pScanOffloadReq->uIEFieldLen; ++ if (pScanOffloadReq->num_vendor_oui != 0) { ++ vos_mem_copy( ++ (tANI_U8 *) pScanOffloadReq + pScanOffloadReq->oui_field_offset, ++ (uint8_t *) pScanReq + pScanReq->oui_field_offset, ++ pScanReq->oui_field_len); ++ } ++ + rc = wdaPostCtrlMsg(pMac, &msg); + if (rc != eSIR_SUCCESS) + { +diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c +index c89f31b..e24b0e6 100644 +--- a/CORE/SERVICES/WMA/wma.c ++++ b/CORE/SERVICES/WMA/wma.c +@@ -9884,6 +9884,8 @@ VOS_STATUS wma_get_buf_start_scan_cmd(tp_wma_handle wma_handle, + u_int8_t SSID_num; + int i; + int len = sizeof(*cmd); ++ wmi_vendor_oui *voui = NULL; ++ struct vendor_oui *pvoui = NULL; + tpAniSirGlobal pMac = (tpAniSirGlobal )vos_get_context(VOS_MODULE_ID_PE, + wma_handle->vos_context); + +@@ -9908,6 +9910,10 @@ VOS_STATUS wma_get_buf_start_scan_cmd(tp_wma_handle wma_handle, + if (scan_req->uIEFieldLen) + len += roundup(scan_req->uIEFieldLen, sizeof(u_int32_t)); + ++ len += WMI_TLV_HDR_SIZE; /* Length of TLV for array of wmi_vendor_oui */ ++ if (scan_req->num_vendor_oui) ++ len += scan_req->num_vendor_oui * sizeof(wmi_vendor_oui); ++ + /* Allocate the memory */ + *buf = wmi_buf_alloc(wma_handle->wmi_handle, len); + if (!*buf) { +@@ -10010,8 +10016,19 @@ VOS_STATUS wma_get_buf_start_scan_cmd(tp_wma_handle wma_handle, + 
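Review bot: In the hunk at `@@ -1395,6 +1396,23 @@`, `oui_field_offset` is built from `sizeof(tSirScanOffloadReq) + (numChannels - 1) + uIEFieldLen`, which are byte-granular, so the struct vendor_oui array copied to that offset can start on an address that is not 4-byte aligned. wma_get_buf_start_scan_cmd() later casts the same offset to `struct vendor_oui *` and reads uint32_t members through it. Rounding the offset up and adding the padding to `len`, or reading each entry with vos_mem_copy() into a local struct, would avoid relying on unaligned access. It is also worth confirming that `oui_field_len` equals `num_vendor_oui * sizeof(struct vendor_oui)` before the copy, since the two values arrive separately in pScanReq. The function starts and ends outside the hunk.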
WMI_CHAR_ARRAY_TO_MAC_ADDR(scan_req->mac_addr_mask, + &cmd->mac_mask); + } ++ if (scan_req->ie_whitelist) ++ cmd->scan_ctrl_flags |= ++ WMI_SCAN_ENABLE_IE_WHTELIST_IN_PROBE_REQ; ++ + WMA_LOGI("scan_ctrl_flags = %x", cmd->scan_ctrl_flags); + ++ if (scan_req->ie_whitelist) { ++ for (i = 0; i < PROBE_REQ_BITMAP_LEN; i++) ++ cmd->ie_bitmap[i] = scan_req->probe_req_ie_bitmap[i]; ++ } ++ ++ cmd->num_vendor_oui = scan_req->num_vendor_oui; ++ + if (!scan_req->p2pScanType) { + WMA_LOGD("Normal Scan request"); + cmd->scan_ctrl_flags |= WMI_SCAN_ADD_CCK_RATES; +@@ -10233,6 +10250,29 @@ VOS_STATUS wma_get_buf_start_scan_cmd(tp_wma_handle wma_handle, + } + buf_ptr += WMI_TLV_HDR_SIZE + ie_len_with_pad; + ++ /* mac randomization */ ++ WMITLV_SET_HDR(buf_ptr, WMITLV_TAG_ARRAY_STRUC, ++ scan_req->num_vendor_oui * ++ sizeof(wmi_vendor_oui)); ++ ++ buf_ptr += WMI_TLV_HDR_SIZE; ++ ++ if (cmd->num_vendor_oui != 0) { ++ voui = (wmi_vendor_oui *)buf_ptr; ++ pvoui = (struct vendor_oui *)((u_int8_t *)scan_req + ++ (scan_req->oui_field_offset)); ++ for (i = 0; i < cmd->num_vendor_oui; i++) { ++ WMITLV_SET_HDR(&voui[i].tlv_header, ++ WMITLV_TAG_STRUC_wmi_vendor_oui, ++ WMITLV_GET_STRUCT_TLVLEN( ++ wmi_vendor_oui)); ++ voui[i].oui_type_subtype = pvoui[i].oui_type | ++ (pvoui[i].oui_subtype << 24); ++ } ++ buf_ptr += cmd->num_vendor_oui * ++ sizeof(wmi_vendor_oui); ++ } ++ + *buf_len = len; + return VOS_STATUS_SUCCESS; + error: +@@ -20530,17 +20570,24 @@ static VOS_STATUS wma_pno_start(tp_wma_handle wma, tpSirPNOScanReq pno) + u_int8_t *buf_ptr; + u_int8_t i; + int ret; ++ wmi_vendor_oui *voui = NULL; ++ struct vendor_oui *pvoui = NULL; + + WMA_LOGD("PNO Start"); + + len = sizeof(*cmd) + + WMI_TLV_HDR_SIZE + /* TLV place holder for array of structures nlo_configured_parameters(nlo_list) */ +- WMI_TLV_HDR_SIZE; /* TLV place holder for array of uint32 channel_list */ ++ WMI_TLV_HDR_SIZE + /* TLV place holder for array of uint32 channel_list */ ++ WMI_TLV_HDR_SIZE + /* TLV of 
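Review bot: In the hunk at `@@ -10233,6 +10250,29 @@`, the comment `/* mac randomization */` above the new TLV does not match what follows, which is the array of wmi_vendor_oui entries for the IE whitelist; I would replace it with `/* vendor OUI list for the probe request IE whitelist */`. The TLV header length is taken from `scan_req->num_vendor_oui` while the loop and the pointer advance use `cmd->num_vendor_oui`; they hold the same value here, but using one of them throughout makes that obvious to the reader. The function body continues outside the hunk.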
nlo_channel_prediction_cfg */ ++ WMI_TLV_HDR_SIZE; /* array of wmi_vendor_oui */ + + len += sizeof(u_int32_t) * MIN(pno->aNetworks[0].ucChannelCount, + WMI_NLO_MAX_CHAN); + len += sizeof(nlo_configured_parameters) * + MIN(pno->ucNetworksCount, WMI_NLO_MAX_SSIDS); ++ /* Add the fixed length of enlo_candidate_score_params */ ++ len += sizeof(enlo_candidate_score_params); ++ len += sizeof(wmi_vendor_oui) * pno->num_vendor_oui; + + buf = wmi_buf_alloc(wma->wmi_handle, len); + if (!buf) { +@@ -20578,8 +20625,19 @@ static VOS_STATUS wma_pno_start(tp_wma_handle wma, tpSirPNOScanReq pno) + WMI_CHAR_ARRAY_TO_MAC_ADDR(pno->mac_addr, &cmd->mac_addr); + WMI_CHAR_ARRAY_TO_MAC_ADDR(pno->mac_addr_mask, &cmd->mac_mask); + } ++ ++ if (pno->ie_whitelist) ++ cmd->flags |= WMI_NLO_CONFIG_ENABLE_IE_WHITELIST_IN_PROBE_REQ; ++ + WMA_LOGI("pno flags = %x", cmd->flags); + ++ cmd->num_vendor_oui = pno->num_vendor_oui; ++ ++ if (pno->ie_whitelist) { ++ for (i = 0; i < PROBE_REQ_BITMAP_LEN; i++) ++ cmd->ie_bitmap[i] = pno->probe_req_ie_bitmap[i]; ++ } ++ + buf_ptr += sizeof(wmi_nlo_config_cmd_fixed_param); + + cmd->no_of_ssids = MIN(pno->ucNetworksCount, WMI_NLO_MAX_SSIDS); +@@ -20640,6 +20698,37 @@ static VOS_STATUS wma_pno_start(tp_wma_handle wma, tpSirPNOScanReq pno) + } + buf_ptr += cmd->num_of_channels * sizeof(u_int32_t); + ++ /* ++ * For pno start, this is not needed but to get the correct offset of ++ * wmi_vendor_oui, this is needed ++ */ ++ WMITLV_SET_HDR(buf_ptr, WMITLV_TAG_ARRAY_STRUC, 0); ++ buf_ptr += WMI_TLV_HDR_SIZE; /* zero no.of nlo_channel_prediction_cfg */ ++ WMITLV_SET_HDR(buf_ptr, WMITLV_TAG_STRUC_enlo_candidate_score_param, ++ WMITLV_GET_STRUCT_TLVLEN(enlo_candidate_score_params)); ++ buf_ptr += sizeof(enlo_candidate_score_params); ++ ++ /* ie white list */ ++ WMITLV_SET_HDR(buf_ptr, WMITLV_TAG_ARRAY_STRUC, ++ pno->num_vendor_oui * ++ sizeof(wmi_vendor_oui)); ++ ++ buf_ptr += WMI_TLV_HDR_SIZE; ++ ++ if (cmd->num_vendor_oui != 0) { ++ voui = (wmi_vendor_oui *)buf_ptr; ++ 
pvoui = (struct vendor_oui *)((uint8_t *)pno + sizeof(*pno)); ++ for (i = 0; i < cmd->num_vendor_oui; i++) { ++ WMITLV_SET_HDR(&voui[i].tlv_header, ++ WMITLV_TAG_STRUC_wmi_vendor_oui, ++ WMITLV_GET_STRUCT_TLVLEN( ++ wmi_vendor_oui)); ++ voui[i].oui_type_subtype = pvoui[i].oui_type | ++ (pvoui[i].oui_subtype << 24); ++ } ++ buf_ptr += cmd->num_vendor_oui * sizeof(wmi_vendor_oui); ++ } ++ + /* TODO: Discrete firmware doesn't have command/option to configure + * App IE which comes from wpa_supplicant as of part PNO start request. + */ +@@ -29358,13 +29447,17 @@ VOS_STATUS wma_scan_probe_setoui(tp_wma_handle wma, + uint32_t len; + u_int8_t *buf_ptr; + u_int32_t *oui_buf; ++ uint32_t i = 0; ++ wmi_vendor_oui *voui = NULL; ++ struct vendor_oui *pvoui = NULL; + + if (!wma || !wma->wmi_handle) { + WMA_LOGE("%s: WMA is closed, can not issue cmd", + __func__); + return VOS_STATUS_E_INVAL; + } +- len = sizeof(*cmd); ++ len = sizeof(*cmd) + WMI_TLV_HDR_SIZE + ++ psetoui->num_vendor_oui * sizeof(wmi_vendor_oui); + wmi_buf = wmi_buf_alloc(wma->wmi_handle, len); + if (!wmi_buf) { + WMA_LOGE("%s: wmi_buf_alloc failed", __func__); +@@ -29388,8 +29481,39 @@ VOS_STATUS wma_scan_probe_setoui(tp_wma_handle wma, + cmd->flags = WMI_SCAN_PROBE_OUI_SPOOFED_MAC_IN_PROBE_REQ; + if (psetoui->enb_probe_req_sno_randomization) + cmd->flags |= WMI_SCAN_PROBE_OUI_RANDOM_SEQ_NO_IN_PROBE_REQ; ++ ++ if (psetoui->ie_whitelist) ++ cmd->flags |= ++ WMI_SCAN_PROBE_OUI_ENABLE_IE_WHITELIST_IN_PROBE_REQ; ++ + WMA_LOGI(FL("vdev_id = %d, flags = %x"), cmd->vdev_id, cmd->flags); + ++ cmd->num_vendor_oui = psetoui->num_vendor_oui; ++ ++ if (psetoui->ie_whitelist) { ++ for (i = 0; i < PROBE_REQ_BITMAP_LEN; i++) ++ cmd->ie_bitmap[i] = psetoui->probe_req_ie_bitmap[i]; ++ } ++ ++ buf_ptr += sizeof(*cmd); ++ WMITLV_SET_HDR(buf_ptr, WMITLV_TAG_ARRAY_STRUC, ++ psetoui->num_vendor_oui * ++ sizeof(wmi_vendor_oui)); ++ ++ buf_ptr += WMI_TLV_HDR_SIZE; ++ if (cmd->num_vendor_oui != 0) { ++ voui = (wmi_vendor_oui *)buf_ptr; 
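Review bot: The new vendor-OUI loop in wma_pno_start, `for (i = 0; i < cmd->num_vendor_oui; i++)`, reuses the function's existing index `u_int8_t i` (visible as context in the hunk at -20530), so it cannot terminate if the count ever exceeds 255. `num_vendor_oui` is a `uint32_t` in tCsrScanRequest in this same patch; the type of the PNO request field is not shown, so the width here is inferred. A dedicated wider index, as wma_scan_probe_setoui declares with `uint32_t i = 0;`, or an upper bound on `pno->num_vendor_oui` before `len` is computed, would close it. The loop also reads `pvoui` from directly behind `*pno`, which relies on the sender having allocated the trailing entries.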
++ pvoui = (struct vendor_oui *)((u_int8_t *)psetoui + ++ sizeof(*psetoui)); ++ for (i = 0; i < cmd->num_vendor_oui; i++) { ++ WMITLV_SET_HDR(&voui[i].tlv_header, ++ WMITLV_TAG_STRUC_wmi_vendor_oui, ++ WMITLV_GET_STRUCT_TLVLEN( ++ wmi_vendor_oui)); ++ voui[i].oui_type_subtype = pvoui[i].oui_type | ++ (pvoui[i].oui_subtype << 24); ++ } ++ } + + if (wmi_unified_cmd_send(wma->wmi_handle, wmi_buf, len, + WMI_SCAN_PROB_REQ_OUI_CMDID)) { +diff --git a/CORE/SME/inc/csrApi.h b/CORE/SME/inc/csrApi.h +index 5c03abe..a1606fe 100644 +--- a/CORE/SME/inc/csrApi.h ++++ b/CORE/SME/inc/csrApi.h +@@ -314,6 +314,10 @@ typedef struct tagCsrScanRequest + uint32_t enable_scan_randomization; + uint8_t mac_addr[VOS_MAC_ADDR_SIZE]; + uint8_t mac_addr_mask[VOS_MAC_ADDR_SIZE]; ++ bool ie_whitelist; ++ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN]; ++ uint32_t num_vendor_oui; ++ struct vendor_oui *voui; + }tCsrScanRequest; + + typedef struct tagCsrBGScanRequest +diff --git a/CORE/SME/src/csr/csrApiScan.c b/CORE/SME/src/csr/csrApiScan.c +index 37e5a0f..65a8dc4 100644 +--- a/CORE/SME/src/csr/csrApiScan.c ++++ b/CORE/SME/src/csr/csrApiScan.c +@@ -5827,7 +5827,8 @@ eHalStatus csrSendMBScanReq( tpAniSirGlobal pMac, tANI_U16 sessionId, + + msgLen = (tANI_U16)(sizeof( tSirSmeScanReq ) - sizeof( pMsg->channelList.channelNumber ) + + ( sizeof( pMsg->channelList.channelNumber ) * pScanReq->ChannelInfo.numOfChannels )) + +- ( pScanReq->uIEFieldLen ) ; ++ ( pScanReq->uIEFieldLen ) + ++ pScanReq->num_vendor_oui * sizeof(struct vendor_oui); + + pMsg = vos_mem_malloc(msgLen); + if ( NULL == pMsg ) +@@ -5999,6 +6000,28 @@ eHalStatus csrSendMBScanReq( tpAniSirGlobal pMac, tANI_U16 sessionId, + vos_mem_copy(pMsg->mac_addr_mask, pScanReq->mac_addr_mask, + VOS_MAC_ADDR_SIZE); + } ++ ++ pMsg->ie_whitelist = pScanReq->ie_whitelist; ++ if (pMsg->ie_whitelist) ++ vos_mem_copy(pMsg->probe_req_ie_bitmap, ++ pScanReq->probe_req_ie_bitmap, ++ PROBE_REQ_BITMAP_LEN * sizeof(uint32_t)); ++ pMsg->num_vendor_oui = 
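Review bot: In csrSendMBScanReq the OUI bytes are added to `msgLen` outside the `(tANI_U16)` cast, and `oui_field_offset` in the hunk at -5999 is itself cast to `tANI_U16`, which suggests the message length is handled as 16 bits. If `msgLen` is declared `tANI_U16` (its declaration is outside the hunk), `pScanReq->num_vendor_oui * sizeof(struct vendor_oui)` can wrap the sum, and `vos_mem_malloc(msgLen)` then returns a buffer smaller than the one the later `vos_mem_copy` of `oui_field_len` bytes writes into. I would compute the total in a 32-bit temporary and fail the request when it exceeds 0xFFFF before assigning it to `msgLen`.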
pScanReq->num_vendor_oui; ++ pMsg->oui_field_len = pScanReq->num_vendor_oui * ++ sizeof(struct vendor_oui); ++ pMsg->oui_field_offset = (tANI_U16)(sizeof( tSirSmeScanReq ) - ++ sizeof( pMsg->channelList.channelNumber ) + ++ (sizeof( pMsg->channelList.channelNumber ) * ++ pScanReq->ChannelInfo.numOfChannels )) + ++ pScanReq->uIEFieldLen; ++ ++ if (pScanReq->num_vendor_oui != 0) ++ { ++ vos_mem_copy((tANI_U8 *)pMsg + pMsg->oui_field_offset, ++ (uint8_t*)(pScanReq->voui), ++ pMsg->oui_field_len); ++ } ++ + }while(0); + smsLog(pMac, LOG1, FL("domainIdCurrent %s (%d) scanType %s (%d)" + "bssType %s (%d), requestType %s(%d)" +@@ -6479,6 +6502,7 @@ eHalStatus csrScanCopyRequest(tpAniSirGlobal pMac, tCsrScanRequest *pDstReq, tCs + pDstReq->pIEField = NULL; + pDstReq->ChannelInfo.ChannelList = NULL; + pDstReq->SSIDs.SSIDList = NULL; ++ pDstReq->voui = NULL; + + if(pSrcReq->uIEFieldLen == 0) + { +@@ -6721,6 +6745,35 @@ eHalStatus csrScanCopyRequest(tpAniSirGlobal pMac, tCsrScanRequest *pDstReq, tCs + pDstReq->p2pSearch = pSrcReq->p2pSearch; + pDstReq->skipDfsChnlInP2pSearch = pSrcReq->skipDfsChnlInP2pSearch; + ++ if (pSrcReq->num_vendor_oui == 0) ++ { ++ pDstReq->num_vendor_oui = 0; ++ pDstReq->voui = NULL; ++ } ++ else ++ { ++ pDstReq->voui = vos_mem_malloc(pSrcReq->num_vendor_oui * ++ sizeof(*pDstReq->voui)); ++ if (NULL == pDstReq->voui) ++ status = eHAL_STATUS_FAILURE; ++ else ++ status = eHAL_STATUS_SUCCESS; ++ ++ if (HAL_STATUS_SUCCESS(status)) ++ { ++ pDstReq->num_vendor_oui = pSrcReq->num_vendor_oui; ++ vos_mem_copy(pDstReq->voui, ++ pSrcReq->voui, ++ pSrcReq->num_vendor_oui * ++ sizeof(*pDstReq->voui)); ++ } ++ else ++ { ++ pDstReq->num_vendor_oui = 0; ++ smsLog(pMac, LOGE, FL("No memory for voui")); ++ break; ++ } ++ } + } + }while(0); + +@@ -6755,6 +6808,13 @@ eHalStatus csrScanFreeRequest(tpAniSirGlobal pMac, tCsrScanRequest *pReq) + } + pReq->SSIDs.numOfSSIDs = 0; + ++ if(pReq->voui) ++ { ++ vos_mem_free(pReq->voui); ++ pReq->voui = NULL; ++ } ++ 
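Review bot: `pSrcReq->voui` is copied from without a NULL check whenever `num_vendor_oui` is non-zero, both in this csrScanCopyRequest hunk and in csrSendMBScanReq in the hunk at -5999. A request that carries a count but no array would hand a NULL source to `vos_mem_copy`. Testing both together, `if (pSrcReq->num_vendor_oui == 0 || pSrcReq->voui == NULL)`, keeps the destination at zero entries in that case. The allocation size `pSrcReq->num_vendor_oui * sizeof(*pDstReq->voui)` is also computed without a bound on the count.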
pReq->num_vendor_oui = 0; ++ + return eHAL_STATUS_SUCCESS; + } + +diff --git a/CORE/SME/src/pmc/pmcApi.c b/CORE/SME/src/pmc/pmcApi.c +index c1f7653..45313c1 100644 +--- a/CORE/SME/src/pmc/pmcApi.c ++++ b/CORE/SME/src/pmc/pmcApi.c +@@ -2867,14 +2867,17 @@ eHalStatus pmcSetPreferredNetworkList + return eHAL_STATUS_FAILURE; + } + +- pRequestBuf = vos_mem_malloc(sizeof(tSirPNOScanReq)); ++ pRequestBuf = vos_mem_malloc(sizeof(tSirPNOScanReq) + ++ (pRequest->num_vendor_oui) * ++ (sizeof(struct vendor_oui))); + if (NULL == pRequestBuf) + { + VOS_TRACE(VOS_MODULE_ID_SME, VOS_TRACE_LEVEL_ERROR, "%s: Not able to allocate memory for PNO request", __func__); + return eHAL_STATUS_FAILED_ALLOC; + } + +- vos_mem_copy(pRequestBuf, pRequest, sizeof(tSirPNOScanReq)); ++ vos_mem_copy(pRequestBuf, pRequest, sizeof(tSirPNOScanReq) + ++ (pRequest->num_vendor_oui) * (sizeof(struct vendor_oui))); + + /*Must translate the mode first*/ + ucDot11Mode = (tANI_U8) csrTranslateToWNICfgDot11Mode(pMac, +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-11022/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-11022/ANY/0002.patch new file mode 100644 index 00000000..c599bbff --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11022/ANY/0002.patch 
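Review bot: The widened `vos_mem_copy` in pmcSetPreferredNetworkList now reads `num_vendor_oui` trailing entries from behind `*pRequest`, which is only safe if every caller allocated the request with that tail; the callers are outside this hunk. Nothing at the call site documents or checks that contract. I would add a comment above the allocation such as `/* pRequest must carry num_vendor_oui struct vendor_oui entries directly after tSirPNOScanReq */` and bound the count before it sizes the copy. The function starts and ends outside the hunk.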
@@ -0,0 +1,1297 @@ +From f41e3dbc92d448d3d56cae5517e41a4bafafdf3f Mon Sep 17 00:00:00 2001 +From: Rajeev Kumar Sirasanagandla +Date: Tue, 3 Jan 2017 00:22:10 +0530 +Subject: qcacld-3.0: Add support to include selective scan IEs only + +qcacld-2.0 to qcacld-3.0 propagation + +Add support to include only selective IEs in probe requests in +order to improve user's privacy. + +Change-Id: Ib874af7ec2f5453282ffe0e8fc2e50934460b745 +CRs-Fixed: 1086582 +--- + core/hdd/inc/wlan_hdd_cfg.h | 313 +++++++++++++++++++++ + core/hdd/inc/wlan_hdd_main.h | 5 + + core/hdd/src/wlan_hdd_cfg.c | 283 ++++++++++++++++++- + core/hdd/src/wlan_hdd_cfg80211.c | 14 +- + core/hdd/src/wlan_hdd_main.c | 18 ++ + core/hdd/src/wlan_hdd_power.c | 2 + + core/hdd/src/wlan_hdd_scan.c | 76 ++++- + core/hdd/src/wlan_hdd_scan.h | 21 +- + core/mac/inc/sir_api.h | 35 ++- + core/mac/src/pe/lim/lim_process_sme_req_messages.c | 24 +- + core/sme/inc/csr_api.h | 6 + + core/sme/src/common/sme_power_save.c | 9 +- + core/sme/src/csr/csr_api_scan.c | 53 +++- + core/wma/src/wma_scan_roam.c | 36 +++ + 14 files changed, 880 insertions(+), 15 deletions(-) + +diff --git a/core/hdd/inc/wlan_hdd_cfg.h b/core/hdd/inc/wlan_hdd_cfg.h +index 92c8669..d2cb3be 100644 +--- a/core/hdd/inc/wlan_hdd_cfg.h ++++ b/core/hdd/inc/wlan_hdd_cfg.h +@@ -61,6 +61,8 @@ + + /* Number of items that can be configured */ + #define MAX_CFG_INI_ITEMS 1024 ++#define MAX_PRB_REQ_VENDOR_OUI_INI_LEN 160 ++#define VENDOR_SPECIFIC_IE_BITMAP 0x20000000 + + /* Defines for all of the things we read from the configuration (registry). */ + +@@ -10049,6 +10051,261 @@ enum dot11p_mode { + #define CFG_ARP_AC_CATEGORY_MAX (3) + #define CFG_ARP_AC_CATEGORY_DEFAULT (3) + ++ ++/* ++ * ++ * g_enable_probereq_whitelist_ies - Enable IE white listing ++ * @Min: 0 ++ * @Max: 1 ++ * @Default: 0 ++ * ++ * This ini is used to enable/disable probe request IE white listing feature. 
++ * Values 0 and 1 are used to disable and enable respectively, by default this
++ * feature is disabled.
++ *
++ * Related: None
++ *
++ * Supported Feature: Probe request IE whitelisting
++ *
++ * Usage: Internal/External
++ *
++ *
++ */
++#define CFG_PRB_REQ_IE_WHITELIST_NAME "g_enable_probereq_whitelist_ies"
++#define CFG_PRB_REQ_IE_WHITELIST_MIN (0)
++#define CFG_PRB_REQ_IE_WHITELIST_MAX (1)
++#define CFG_PRB_REQ_IE_WHITELIST_DEFAULT (0)
++
++/*
++ * For IE white listing in Probe Req, following ini parameters from
++ * g_probe_req_ie_bitmap_0 to g_probe_req_ie_bitmap_7 are used. User needs to
++ * input this values in hexa decimal format, when bit is set in bitmap,
++ * corresponding IE needs to be included in probe request.
++ *
++ * Example:
++ * ========
++ * If IE 221 needs to be in the probe request, set the corresponding bit
++ * as follows:
++ * a= IE/32 = 221/32 = 6 = g_probe_req_ie_bitmap_6
++ * b = IE modulo 32 = 29,
++ * means set the bth bit in g_probe_req_ie_bitmap_a,
++ * therefore set 29th bit in g_probe_req_ie_bitmap_6,
++ * as a result, g_probe_req_ie_bitmap_6=20000000
++ *
++ * Note: For IE 221, its mandatory to set the gProbeReqOUIs.
++ */
++
++/*
++ *
++ * g_probe_req_ie_bitmap_0 - Used to set the bitmap of IEs from 0 to 31
++ * @Min: 0x00000000
++ * @Max: 0xFFFFFFFF
++ * @Default: 0x00000000
++ *
++ * This ini is used to include the IEs from 0 to 31 in probe request,
++ * when corresponding bit is set.
++ *
++ * Related: Need to enable g_enable_probereq_whitelist_ies.
++ *
++ * Supported Feature: Probe request ie whitelisting
++ *
++ * Usage: Internal/External
++ *
++ *
++ */
++#define CFG_PRB_REQ_IE_BIT_MAP0_NAME "g_probe_req_ie_bitmap_0"
++#define CFG_PRB_REQ_IE_BIT_MAP0_MIN (0x00000000)
++#define CFG_PRB_REQ_IE_BIT_MAP0_MAX (0xFFFFFFFF)
++#define CFG_PRB_REQ_IE_BIT_MAP0_DEFAULT (0x00000000)
++
++/*
++ *
++ * g_probe_req_ie_bitmap_1 - Used to set the bitmap of IEs from 32 to 63
++ * @Min: 0x00000000
++ * @Max: 0xFFFFFFFF
++ * @Default: 0x00000000
++ *
++ * This ini is used to include the IEs from 32 to 63 in probe request,
++ * when corresponding bit is set.
++ *
++ * Related: Need to enable g_enable_probereq_whitelist_ies.
++ *
++ * Supported Feature: Probe request ie whitelisting
++ *
++ * Usage: Internal/External
++ *
++ *
++ */
++#define CFG_PRB_REQ_IE_BIT_MAP1_NAME "g_probe_req_ie_bitmap_1"
++#define CFG_PRB_REQ_IE_BIT_MAP1_MIN (0x00000000)
++#define CFG_PRB_REQ_IE_BIT_MAP1_MAX (0xFFFFFFFF)
++#define CFG_PRB_REQ_IE_BIT_MAP1_DEFAULT (0x00000000)
++
++/*
++ *
++ * g_probe_req_ie_bitmap_2 - Used to set the bitmap of IEs from 64 to 95
++ * @Min: 0x00000000
++ * @Max: 0xFFFFFFFF
++ * @Default: 0x00000000
++ *
++ * This ini is used to include the IEs from 64 to 95 in probe request,
++ * when corresponding bit is set.
++ *
++ * Related: Need to enable g_enable_probereq_whitelist_ies.
++ *
++ * Supported Feature: Probe request ie whitelisting
++ *
++ * Usage: Internal/External
++ *
++ *
++ */
++#define CFG_PRB_REQ_IE_BIT_MAP2_NAME "g_probe_req_ie_bitmap_2"
++#define CFG_PRB_REQ_IE_BIT_MAP2_MIN (0x00000000)
++#define CFG_PRB_REQ_IE_BIT_MAP2_MAX (0xFFFFFFFF)
++#define CFG_PRB_REQ_IE_BIT_MAP2_DEFAULT (0x00000000)
++
++/*
++ *
++ * g_probe_req_ie_bitmap_3 - Used to set the bitmap of IEs from 96 to 127
++ * @Min: 0x00000000
++ * @Max: 0xFFFFFFFF
++ * @Default: 0x00000000
++ *
++ * This ini is used to include the IEs from 96 to 127 in probe request,
++ * when corresponding bit is set.
++ *
++ * Related: Need to enable g_enable_probereq_whitelist_ies.
++ *
++ * Supported Feature: Probe request ie whitelisting
++ *
++ * Usage: Internal/External
++ *
++ *
++ */
++#define CFG_PRB_REQ_IE_BIT_MAP3_NAME "g_probe_req_ie_bitmap_3"
++#define CFG_PRB_REQ_IE_BIT_MAP3_MIN (0x00000000)
++#define CFG_PRB_REQ_IE_BIT_MAP3_MAX (0xFFFFFFFF)
++#define CFG_PRB_REQ_IE_BIT_MAP3_DEFAULT (0x00000000)
++
++/*
++ *
++ * g_probe_req_ie_bitmap_4 - Used to set the bitmap of IEs from 128 to 159
++ * @Min: 0x00000000
++ * @Max: 0xFFFFFFFF
++ * @Default: 0x00000000
++ *
++ * This ini is used to include the IEs from 128 to 159 in probe request,
++ * when corresponding bit is set.
++ *
++ * Related: Need to enable g_enable_probereq_whitelist_ies.
++ *
++ * Supported Feature: Probe request ie whitelisting
++ *
++ * Usage: Internal/External
++ *
++ *
++ */
++#define CFG_PRB_REQ_IE_BIT_MAP4_NAME "g_probe_req_ie_bitmap_4"
++#define CFG_PRB_REQ_IE_BIT_MAP4_MIN (0x00000000)
++#define CFG_PRB_REQ_IE_BIT_MAP4_MAX (0xFFFFFFFF)
++#define CFG_PRB_REQ_IE_BIT_MAP4_DEFAULT (0x00000000)
++
++/*
++ *
++ * g_probe_req_ie_bitmap_5 - Used to set the bitmap of IEs from 160 to 191
++ * @Min: 0x00000000
++ * @Max: 0xFFFFFFFF
++ * @Default: 0x00000000
++ *
++ * This ini is used to include the IEs from 160 to 191 in probe request,
++ * when corresponding bit is set.
++ *
++ * Related: Need to enable g_enable_probereq_whitelist_ies.
++ *
++ * Supported Feature: Probe request ie whitelisting
++ *
++ * Usage: Internal/External
++ *
++ *
++ */
++#define CFG_PRB_REQ_IE_BIT_MAP5_NAME "g_probe_req_ie_bitmap_5"
++#define CFG_PRB_REQ_IE_BIT_MAP5_MIN (0x00000000)
++#define CFG_PRB_REQ_IE_BIT_MAP5_MAX (0xFFFFFFFF)
++#define CFG_PRB_REQ_IE_BIT_MAP5_DEFAULT (0x00000000)
++
++/*
++ *
++ * g_probe_req_ie_bitmap_6 - Used to set the bitmap of IEs from 192 to 223
++ * @Min: 0x00000000
++ * @Max: 0xFFFFFFFF
++ * @Default: 0x00000000
++ *
++ * This ini is used to include the IEs from 192 to 223 in probe request,
++ * when corresponding bit is set.
++ *
++ * Related: Need to enable g_enable_probereq_whitelist_ies.
++ *
++ * Supported Feature: Probe request ie whitelisting
++ *
++ * Usage: Internal/External
++ *
++ *
++ */
++#define CFG_PRB_REQ_IE_BIT_MAP6_NAME "g_probe_req_ie_bitmap_6"
++#define CFG_PRB_REQ_IE_BIT_MAP6_MIN (0x00000000)
++#define CFG_PRB_REQ_IE_BIT_MAP6_MAX (0xFFFFFFFF)
++#define CFG_PRB_REQ_IE_BIT_MAP6_DEFAULT (0x00000000)
++
++/*
++ *
++ * g_probe_req_ie_bitmap_7 - Used to set the bitmap of IEs from 224 to 255
++ * @Min: 0x00000000
++ * @Max: 0xFFFFFFFF
++ * @Default: 0x00000000
++ *
++ * This ini is used to include the IEs from 224 to 255 in probe request,
++ * when corresponding bit is set.
++ *
++ * Related: Need to enable g_enable_probereq_whitelist_ies.
++ * ++ * Supported Feature: Probe request ie whitelisting ++ * ++ * Usage: Internal/External ++ * ++ * ++ */ ++#define CFG_PRB_REQ_IE_BIT_MAP7_NAME "g_probe_req_ie_bitmap_7" ++#define CFG_PRB_REQ_IE_BIT_MAP7_MIN (0x00000000) ++#define CFG_PRB_REQ_IE_BIT_MAP7_MAX (0xFFFFFFFF) ++#define CFG_PRB_REQ_IE_BIT_MAP7_DEFAULT (0x00000000) ++ ++/* ++ * For vendor specific IE, Probe Req OUI types and sub types which are ++ * to be white listed are specified in gProbeReqOUIs in the following ++ * example format - gProbeReqOUIs=AABBCCDD EEFF1122 ++ */ ++ ++/* ++ * ++ * gProbeReqOUIs - Used to specify vendor specific OUIs ++ * @Default: Empty string ++ * ++ * This ini is used to include the specified OUIs in vendor specific IE ++ * of probe request. ++ * ++ * Related: Need to enable g_enable_probereq_whitelist_ies and ++ * vendor specific IE should be set in g_probe_req_ie_bitmap_6. ++ * ++ * Supported Feature: Probe request ie whitelisting ++ * ++ * Usage: Internal/External ++ * ++ * ++ */ ++#define CFG_PROBE_REQ_OUI_NAME "gProbeReqOUIs" ++#define CFG_PROBE_REQ_OUI_DEFAULT "" ++ ++ + /*--------------------------------------------------------------------------- + Type declarations + -------------------------------------------------------------------------*/ +@@ -10779,6 +11036,20 @@ struct hdd_config { + + uint8_t packet_filters_bitmap; + uint32_t arp_ac_category; ++ ++ bool probe_req_ie_whitelist; ++ /* probe request bit map ies */ ++ uint32_t probe_req_ie_bitmap_0; ++ uint32_t probe_req_ie_bitmap_1; ++ uint32_t probe_req_ie_bitmap_2; ++ uint32_t probe_req_ie_bitmap_3; ++ uint32_t probe_req_ie_bitmap_4; ++ uint32_t probe_req_ie_bitmap_5; ++ uint32_t probe_req_ie_bitmap_6; ++ uint32_t probe_req_ie_bitmap_7; ++ ++ /* Probe Request multiple vendor OUIs */ ++ uint8_t probe_req_ouis[MAX_PRB_REQ_VENDOR_OUI_INI_LEN]; + }; + + #define VAR_OFFSET(_Struct, _Var) (offsetof(_Struct, _Var)) +@@ -10891,6 +11162,48 @@ static __inline unsigned long util_min(unsigned long a, unsigned long b) + 
+ /* Function declarations and documenation */ + QDF_STATUS hdd_parse_config_ini(hdd_context_t *pHddCtx); ++ ++/** ++ * hdd_validate_prb_req_ie_bitmap - validates user input for ie bit map ++ * @hdd_ctx: the pointer to hdd context ++ * ++ * This function checks whether user has entered valid probe request ++ * ie bitmap and also verifies vendor ouis if vendor specific ie is set ++ * ++ * Return: status of verification ++ * true - valid input ++ * false - invalid input ++ */ ++bool hdd_validate_prb_req_ie_bitmap(hdd_context_t *hdd_ctx); ++ ++/** ++ * hdd_parse_probe_req_ouis - form ouis from ini gProbeReqOUIs ++ * @hdd_ctx: the pointer to hdd context ++ * ++ * This function parses the ini string gProbeReqOUIs which needs be to in the ++ * following format: ++ * "<8 characters of [0-9] or [A-F]>space<8 characters from [0-9] etc.," ++ * example: "AABBCCDD 1122EEFF" ++ * and the logic counts the number of OUIS and allocates the memory ++ * for every valid OUI and is stored in hdd_context_t ++ * ++ * Return: status of parsing ++ * 0 - success ++ * negative value - failure ++ */ ++int hdd_parse_probe_req_ouis(hdd_context_t *hdd_ctx); ++ ++/** ++ * hdd_free_probe_req_ouis - de-allocates the probe req ouis ++ * @hdd_ctx: the pointer to hdd context ++ * ++ * This function de-alloactes the probe req ouis which are ++ * allocated while parsing of ini string gProbeReqOUIs ++ * ++ * Return: None ++ */ ++void hdd_free_probe_req_ouis(hdd_context_t *hdd_ctx); ++ + QDF_STATUS hdd_update_mac_config(hdd_context_t *pHddCtx); + QDF_STATUS hdd_set_sme_config(hdd_context_t *pHddCtx); + QDF_STATUS hdd_set_sme_chan_list(hdd_context_t *hdd_ctx); +diff --git a/core/hdd/inc/wlan_hdd_main.h b/core/hdd/inc/wlan_hdd_main.h +index d0d0531..38522ea 100644 +--- a/core/hdd/inc/wlan_hdd_main.h ++++ b/core/hdd/inc/wlan_hdd_main.h +@@ -285,6 +285,8 @@ typedef enum { + eHDD_SAP_EAPOL_IN_PROGRESS, + } scan_reject_states; + ++#define MAX_PROBE_REQ_OUIS 16 ++ + /* + * Generic asynchronous request/response 
support + * +@@ -1658,6 +1660,9 @@ struct hdd_context_s { + bool rcpi_enabled; + bool imps_enabled; + int user_configured_pkt_filter_rules; ++ ++ uint32_t no_of_probe_req_ouis; ++ struct vendor_oui *probe_req_voui; + }; + + /*--------------------------------------------------------------------------- +diff --git a/core/hdd/src/wlan_hdd_cfg.c b/core/hdd/src/wlan_hdd_cfg.c +index 0ab8662..72a1647 100644 +--- a/core/hdd/src/wlan_hdd_cfg.c ++++ b/core/hdd/src/wlan_hdd_cfg.c +@@ -4408,6 +4408,74 @@ REG_TABLE_ENTRY g_registry_table[] = { + CFG_ARP_AC_CATEGORY_DEFAULT, + CFG_ARP_AC_CATEGORY_MIN, + CFG_ARP_AC_CATEGORY_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_WHITELIST_NAME, WLAN_PARAM_Integer, ++ struct hdd_config, probe_req_ie_whitelist, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_WHITELIST_DEFAULT, ++ CFG_PRB_REQ_IE_WHITELIST_MIN, ++ CFG_PRB_REQ_IE_WHITELIST_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP0_NAME, WLAN_PARAM_HexInteger, ++ struct hdd_config, probe_req_ie_bitmap_0, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP0_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP0_MIN, ++ CFG_PRB_REQ_IE_BIT_MAP0_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP1_NAME, WLAN_PARAM_HexInteger, ++ struct hdd_config, probe_req_ie_bitmap_1, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP1_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP1_MIN, ++ CFG_PRB_REQ_IE_BIT_MAP1_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP2_NAME, WLAN_PARAM_HexInteger, ++ struct hdd_config, probe_req_ie_bitmap_2, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP2_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP2_MIN, ++ CFG_PRB_REQ_IE_BIT_MAP2_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP3_NAME, WLAN_PARAM_HexInteger, ++ struct hdd_config, probe_req_ie_bitmap_3, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP3_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP3_MIN, ++ 
CFG_PRB_REQ_IE_BIT_MAP3_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP4_NAME, WLAN_PARAM_HexInteger, ++ struct hdd_config, probe_req_ie_bitmap_4, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP4_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP4_MIN, ++ CFG_PRB_REQ_IE_BIT_MAP4_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP5_NAME, WLAN_PARAM_HexInteger, ++ struct hdd_config, probe_req_ie_bitmap_5, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP5_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP5_MIN, ++ CFG_PRB_REQ_IE_BIT_MAP5_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP6_NAME, WLAN_PARAM_HexInteger, ++ struct hdd_config, probe_req_ie_bitmap_6, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP6_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP6_MIN, ++ CFG_PRB_REQ_IE_BIT_MAP6_MAX), ++ ++ REG_VARIABLE(CFG_PRB_REQ_IE_BIT_MAP7_NAME, WLAN_PARAM_HexInteger, ++ struct hdd_config, probe_req_ie_bitmap_7, ++ VAR_FLAGS_OPTIONAL | VAR_FLAGS_RANGE_CHECK_ASSUME_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP7_DEFAULT, ++ CFG_PRB_REQ_IE_BIT_MAP7_MIN, ++ CFG_PRB_REQ_IE_BIT_MAP7_MAX), ++ ++ REG_VARIABLE_STRING(CFG_PROBE_REQ_OUI_NAME, WLAN_PARAM_String, ++ struct hdd_config, probe_req_ouis, ++ VAR_FLAGS_OPTIONAL, ++ (void *)CFG_PROBE_REQ_OUI_DEFAULT), + }; + + /** +@@ -5898,8 +5966,38 @@ void hdd_cfg_print(hdd_context_t *pHddCtx) + hdd_debug("Name = [%s] Value = [%d]", + CFG_ARP_AC_CATEGORY, + pHddCtx->config->arp_ac_category); +-} + ++ hdd_info("Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_WHITELIST_NAME, ++ pHddCtx->config->probe_req_ie_whitelist); ++ hdd_info("Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_BIT_MAP0_NAME, ++ pHddCtx->config->probe_req_ie_bitmap_0); ++ hdd_info("Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_BIT_MAP1_NAME, ++ pHddCtx->config->probe_req_ie_bitmap_1); ++ hdd_info("Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_BIT_MAP2_NAME, ++ pHddCtx->config->probe_req_ie_bitmap_2); ++ hdd_info("Name = 
[%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_BIT_MAP3_NAME, ++ pHddCtx->config->probe_req_ie_bitmap_3); ++ hdd_info("Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_BIT_MAP4_NAME, ++ pHddCtx->config->probe_req_ie_bitmap_4); ++ hdd_info("Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_BIT_MAP5_NAME, ++ pHddCtx->config->probe_req_ie_bitmap_5); ++ hdd_info("Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_BIT_MAP6_NAME, ++ pHddCtx->config->probe_req_ie_bitmap_6); ++ hdd_info("Name = [%s] Value = [%x] ", ++ CFG_PRB_REQ_IE_BIT_MAP7_NAME, ++ pHddCtx->config->probe_req_ie_bitmap_7); ++ hdd_info("Name = [%s] Value =[%s]", ++ CFG_PROBE_REQ_OUI_NAME, ++ pHddCtx->config->probe_req_ouis); ++} + + /** + * hdd_update_mac_config() - update MAC address from cfg file +@@ -6160,8 +6258,7 @@ QDF_STATUS hdd_parse_config_ini(hdd_context_t *pHddCtx) + buffer = i_trim(buffer); + if (strlen(buffer) > 0) { + value = buffer; +- while (!i_isspace(*buffer) +- && *buffer != '\0') ++ while (*buffer != '\0') + buffer++; + *buffer = '\0'; + cfgIniTable[i].name = name; +@@ -7682,3 +7779,183 @@ QDF_STATUS hdd_update_nss(hdd_context_t *hdd_ctx, uint8_t nss) + + return (status == false) ? 
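Review bot: With the `!i_isspace(*buffer)` test removed in hdd_parse_config_ini, the remaining `while (*buffer != '\0') buffer++;` only walks to the terminator and the following `*buffer = '\0';` writes a NUL over a NUL, so both statements appear to do no useful work unless `buffer` is read again below the hunk. The change also applies to every ini key, not only the new string item: anything after the first space on a value line now becomes part of the value. If the intent is to let gProbeReqOUIs hold space-separated entries, I would drop the loop and record that, e.g. `/* value runs to end of line so string items may contain spaces */`. The function is only partly inside the hunk.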
QDF_STATUS_E_FAILURE : QDF_STATUS_SUCCESS; + } ++ ++bool hdd_validate_prb_req_ie_bitmap(hdd_context_t *hdd_ctx) ++{ ++ if (!(hdd_ctx->config->probe_req_ie_bitmap_0 || ++ hdd_ctx->config->probe_req_ie_bitmap_1 || ++ hdd_ctx->config->probe_req_ie_bitmap_2 || ++ hdd_ctx->config->probe_req_ie_bitmap_3 || ++ hdd_ctx->config->probe_req_ie_bitmap_4 || ++ hdd_ctx->config->probe_req_ie_bitmap_5 || ++ hdd_ctx->config->probe_req_ie_bitmap_6 || ++ hdd_ctx->config->probe_req_ie_bitmap_7)) ++ return false; ++ ++ /* ++ * check whether vendor oui IE is set and OUIs are present, each OUI ++ * is entered in the form of string of 8 characters from ini, therefore, ++ * for atleast one OUI, minimum length is 8 and hence this string length ++ * is checked for minimum of 8 ++ */ ++ if ((hdd_ctx->config->probe_req_ie_bitmap_6 & ++ VENDOR_SPECIFIC_IE_BITMAP) && ++ (strlen(hdd_ctx->config->probe_req_ouis) < 8)) ++ return false; ++ ++ /* check whether vendor oui IE is not set but OUIs are present */ ++ if (!(hdd_ctx->config->probe_req_ie_bitmap_6 & ++ VENDOR_SPECIFIC_IE_BITMAP) && ++ (strlen(hdd_ctx->config->probe_req_ouis) > 0)) ++ return false; ++ ++ return true; ++} ++ ++/** ++ * probe_req_voui_convert_to_hex - converts str of 8 chars into two hex values ++ * @temp: string to be converted ++ * @voui: contains the type and subtype values ++ * ++ * This function converts the string length of 8 characters into two ++ * hexa-decimal values, oui_type and oui_subtype, where oui_type is the ++ * hexa decimal value converted from first 6 characters and oui_subtype is ++ * hexa decimal value converted from last 2 characters. ++ * strings which doesn't match with the specified pattern are ignored. 
++ * ++ * Return: status of conversion ++ * true - if conversion is successful ++ * false - if conversion is failed ++ */ ++static bool hdd_probe_req_voui_convert_to_hex(uint8_t *temp, ++ struct vendor_oui *voui) ++{ ++ uint32_t hex_value[4] = {0}; ++ uint32_t i = 0; ++ uint32_t indx = 0; ++ ++ memset(voui, 0x00, sizeof(*voui)); ++ ++ /* convert string to hex */ ++ for (i = 0; i < 8; i++) { ++ if (temp[i] >= '0' && temp[i] <= '9') { ++ hex_value[indx] = (temp[i] - '0') << 4; ++ } else if (temp[i] >= 'A' && temp[i] <= 'F') { ++ hex_value[indx] = (temp[i] - 'A') + 0xA; ++ hex_value[indx] = hex_value[indx] << 4; ++ } else { ++ /* invalid character in oui */ ++ return false; ++ } ++ ++ if (temp[i + 1] >= '0' && temp[i + 1] <= '9') { ++ hex_value[indx] |= (temp[i + 1] - '0'); ++ i = i + 1; ++ indx = indx + 1; ++ } else if (temp[i + 1] >= 'A' && temp[i + 1] <= 'F') { ++ hex_value[indx] |= ((temp[i + 1] - 'A') + 0xA); ++ i = i + 1; ++ indx = indx + 1; ++ } else { ++ /* invalid character in oui */ ++ return false; ++ } ++ } ++ ++ voui->oui_type = (hex_value[0] | (hex_value[1] << 8) | ++ (hex_value[2] << 16)); ++ voui->oui_subtype = hex_value[3]; ++ ++ hdd_info("OUI_type = %x and OUI_subtype = %x", ++ voui->oui_type, voui->oui_subtype); ++ ++ return true; ++} ++ ++int hdd_parse_probe_req_ouis(hdd_context_t *hdd_ctx) ++{ ++ struct vendor_oui voui[MAX_PROBE_REQ_OUIS]; ++ uint8_t *str; ++ uint8_t temp[9]; ++ uint32_t start = 0, end = 0; ++ uint32_t oui_indx = 0; ++ uint32_t i = 0; ++ ++ hdd_ctx->config->probe_req_ouis[MAX_PRB_REQ_VENDOR_OUI_INI_LEN - 1] = ++ '\0'; ++ if (!strlen(hdd_ctx->config->probe_req_ouis)) { ++ hdd_ctx->no_of_probe_req_ouis = 0; ++ hdd_ctx->probe_req_voui = NULL; ++ hdd_info("NO OUIS to parse"); ++ return 0; ++ } ++ ++ str = (uint8_t *)(hdd_ctx->config->probe_req_ouis); ++ ++ while (str[i] != '\0') { ++ if (str[i] == ' ') { ++ if ((end - start) != 8) { ++ end = start = 0; ++ i++; ++ continue; ++ } else { ++ memcpy(temp, &str[i - 8], 8); ++ i++; ++ 
temp[8] = '\0'; ++ if (hdd_probe_req_voui_convert_to_hex(temp, ++ &voui[oui_indx]) == 0) { ++ continue; ++ } ++ oui_indx++; ++ if (oui_indx > MAX_PROBE_REQ_OUIS) { ++ /* ++ * Max number of OUIs supported is 16, ++ * ignoring the rest ++ */ ++ hdd_info("Max OUIs-supported: 16"); ++ return 0; ++ } ++ } ++ start = end = 0; ++ } else { ++ i++; ++ end++; ++ } ++ } ++ ++ if ((end - start) == 8) { ++ memcpy(temp, &str[i - 8], 8); ++ temp[8] = '\0'; ++ if (hdd_probe_req_voui_convert_to_hex(temp, ++ &voui[oui_indx]) == 1) ++ oui_indx++; ++ } ++ ++ if (!oui_indx) ++ return 0; ++ ++ hdd_ctx->probe_req_voui = qdf_mem_malloc(oui_indx * ++ sizeof(*hdd_ctx->probe_req_voui)); ++ if (hdd_ctx->probe_req_voui == NULL) { ++ hdd_err("Not Enough memory for OUI"); ++ hdd_ctx->no_of_probe_req_ouis = 0; ++ return -ENOMEM; ++ } ++ hdd_ctx->no_of_probe_req_ouis = oui_indx; ++ qdf_mem_copy(hdd_ctx->probe_req_voui, voui, ++ oui_indx * sizeof(*hdd_ctx->probe_req_voui)); ++ ++ return 0; ++} ++ ++void hdd_free_probe_req_ouis(hdd_context_t *hdd_ctx) ++{ ++ struct vendor_oui *probe_req_voui = hdd_ctx->probe_req_voui; ++ ++ if (probe_req_voui) { ++ hdd_ctx->probe_req_voui = NULL; ++ qdf_mem_free(probe_req_voui); ++ } ++ ++ hdd_ctx->no_of_probe_req_ouis = 0; ++} +diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c +index 2f3a7f9..836d6dc 100644 +--- a/core/hdd/src/wlan_hdd_cfg80211.c ++++ b/core/hdd/src/wlan_hdd_cfg80211.c +@@ -1987,7 +1987,10 @@ __wlan_hdd_cfg80211_set_scanning_mac_oui(struct wiphy *wiphy, + hdd_err("Invalid ATTR"); + return -EINVAL; + } +- pReqMsg = qdf_mem_malloc(sizeof(*pReqMsg)); ++ pReqMsg = qdf_mem_malloc(sizeof(*pReqMsg) + ++ (pHddCtx->no_of_probe_req_ouis) * ++ (sizeof(struct vendor_oui))); ++ + if (!pReqMsg) { + hdd_err("qdf_mem_malloc failed"); + return -ENOMEM; +@@ -2006,6 +2009,15 @@ __wlan_hdd_cfg80211_set_scanning_mac_oui(struct wiphy *wiphy, + + hdd_debug("Oui (%02x:%02x:%02x), vdev_id = %d", pReqMsg->oui[0], + pReqMsg->oui[1], 
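Review bot: In hdd_parse_probe_req_ouis the limit test `if (oui_indx > MAX_PROBE_REQ_OUIS)` runs after the increment, so with `voui[MAX_PROBE_REQ_OUIS]` a 17th well-formed entry is still converted into `voui[16]`, one element past the stack array, and the tail block after the loop writes `voui[oui_indx]` with no limit test at all. The ini buffer is 160 bytes, which leaves room for 17 nine-character entries. Hitting the limit also returns 0 before anything is stored, so the OUIs already parsed are discarded rather than the rest being ignored as the comment says. I would change the test to `if (oui_indx >= MAX_PROBE_REQ_OUIS) break;` and guard the tail with `if ((end - start) == 8 && oui_indx < MAX_PROBE_REQ_OUIS)`.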
pReqMsg->oui[2], pReqMsg->vdev_id); ++ ++ if (pHddCtx->config->probe_req_ie_whitelist) ++ wlan_hdd_fill_whitelist_ie_attrs(&pReqMsg->ie_whitelist, ++ pReqMsg->probe_req_ie_bitmap, ++ &pReqMsg->num_vendor_oui, ++ (struct vendor_oui *)((uint8_t *)pReqMsg + ++ sizeof(*pReqMsg)), ++ pHddCtx); ++ + status = sme_set_scanning_mac_oui(pHddCtx->hHal, pReqMsg); + if (!QDF_IS_STATUS_SUCCESS(status)) { + hdd_err("sme_set_scanning_mac_oui failed(err=%d)", status); +diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c +index c726f88..103f529 100644 +--- a/core/hdd/src/wlan_hdd_main.c ++++ b/core/hdd/src/wlan_hdd_main.c +@@ -4993,6 +4993,8 @@ static void hdd_context_destroy(hdd_context_t *hdd_ctx) + + hdd_context_deinit(hdd_ctx); + ++ hdd_free_probe_req_ouis(hdd_ctx); ++ + qdf_mem_free(hdd_ctx->config); + hdd_ctx->config = NULL; + +@@ -6875,6 +6877,21 @@ static hdd_context_t *hdd_context_create(struct device *dev) + hdd_debug("Setting configuredMcastBcastFilter: %d", + hdd_ctx->config->mcastBcastFilterSetting); + ++ if (hdd_ctx->config->probe_req_ie_whitelist) { ++ if (hdd_validate_prb_req_ie_bitmap(hdd_ctx)) { ++ /* parse ini string probe req oui */ ++ if (hdd_parse_probe_req_ouis(hdd_ctx)) { ++ hdd_err("Error parsing probe req ouis"); ++ hdd_err("disable probe req ie whitelisting"); ++ hdd_ctx->config->probe_req_ie_whitelist = false; ++ } ++ } else { ++ hdd_err("invalid probe req ie bitmap and ouis"); ++ hdd_err("disable probe req ie whitelisting"); ++ hdd_ctx->config->probe_req_ie_whitelist = false; ++ } ++ } ++ + if (hdd_ctx->config->fhostNSOffload) + hdd_ctx->ns_offload_enable = true; + +@@ -6934,6 +6951,7 @@ err_free_config: + qdf_mem_free(hdd_ctx->config); + + err_free_hdd_context: ++ hdd_free_probe_req_ouis(hdd_ctx); + wiphy_free(hdd_ctx->wiphy); + + err_out: +diff --git a/core/hdd/src/wlan_hdd_power.c b/core/hdd/src/wlan_hdd_power.c +index 8b48f42..5e3ecb2 100644 +--- a/core/hdd/src/wlan_hdd_power.c ++++ b/core/hdd/src/wlan_hdd_power.c +@@ -1673,6 
+1673,8 @@ err_wiphy_unregister: + ptt_sock_deactivate_svc(); + nl_srv_exit(); + ++ hdd_free_probe_req_ouis(pHddCtx); ++ + /* Free up dynamically allocated members inside HDD Adapter */ + qdf_mem_free(pHddCtx->config); + pHddCtx->config = NULL; +diff --git a/core/hdd/src/wlan_hdd_scan.c b/core/hdd/src/wlan_hdd_scan.c +index 84b14ed..1f97c66 100644 +--- a/core/hdd/src/wlan_hdd_scan.c ++++ b/core/hdd/src/wlan_hdd_scan.c +@@ -1557,6 +1557,7 @@ static int __wlan_hdd_cfg80211_scan(struct wiphy *wiphy, + hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev); + hdd_context_t *pHddCtx = WLAN_HDD_GET_CTX(pAdapter); + hdd_wext_state_t *pwextBuf = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter); ++ hdd_station_ctx_t *station_ctx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); + struct hdd_config *cfg_param = NULL; + tCsrScanRequest scan_req; + uint8_t *channelList = NULL, i; +@@ -1970,6 +1971,27 @@ static int __wlan_hdd_cfg80211_scan(struct wiphy *wiphy, + wlan_hdd_update_scan_rand_attrs((void *)&scan_req, (void *)request, + WLAN_HDD_HOST_SCAN); + ++ if (!hdd_conn_is_connected(station_ctx) && ++ (pHddCtx->config->probe_req_ie_whitelist)) { ++ if (pHddCtx->no_of_probe_req_ouis != 0) { ++ scan_req.voui = qdf_mem_malloc( ++ pHddCtx->no_of_probe_req_ouis * ++ sizeof(struct vendor_oui)); ++ if (!scan_req.voui) { ++ hdd_info("Not enough memory for voui"); ++ scan_req.num_vendor_oui = 0; ++ status = -ENOMEM; ++ goto free_mem; ++ } ++ } ++ ++ wlan_hdd_fill_whitelist_ie_attrs(&scan_req.ie_whitelist, ++ scan_req.probe_req_ie_bitmap, ++ &scan_req.num_vendor_oui, ++ scan_req.voui, ++ pHddCtx); ++ } ++ + qdf_runtime_pm_prevent_suspend(&pHddCtx->runtime_context.scan); + status = sme_scan_request(WLAN_HDD_GET_HAL_CTX(pAdapter), + pAdapter->sessionId, &scan_req, +@@ -2005,6 +2027,9 @@ free_mem: + if (status == 0) + scan_ebusy_cnt = 0; + ++ if (scan_req.voui) ++ qdf_mem_free(scan_req.voui); ++ + EXIT(); + return status; + } +@@ -2796,6 +2821,7 @@ static int __wlan_hdd_cfg80211_sched_scan_start(struct wiphy 
*wiphy, + hdd_scaninfo_t *pScanInfo = &pAdapter->scan_info; + struct hdd_config *config = NULL; + uint32_t num_ignore_dfs_ch = 0; ++ hdd_station_ctx_t *station_ctx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter); + + ENTER(); + +@@ -2853,7 +2879,15 @@ static int __wlan_hdd_cfg80211_sched_scan_start(struct wiphy *wiphy, + } + } + +- pPnoRequest = (tpSirPNOScanReq) qdf_mem_malloc(sizeof(tSirPNOScanReq)); ++ if (!hdd_conn_is_connected(station_ctx) && ++ (pHddCtx->config->probe_req_ie_whitelist)) ++ pPnoRequest = ++ (tpSirPNOScanReq)qdf_mem_malloc(sizeof(tSirPNOScanReq) + ++ (pHddCtx->no_of_probe_req_ouis) * ++ (sizeof(struct vendor_oui))); ++ else ++ pPnoRequest = qdf_mem_malloc(sizeof(tSirPNOScanReq)); ++ + if (NULL == pPnoRequest) { + hdd_err("qdf_mem_malloc failed"); + return -ENOMEM; +@@ -3013,6 +3047,16 @@ static int __wlan_hdd_cfg80211_sched_scan_start(struct wiphy *wiphy, + wlan_hdd_update_scan_rand_attrs((void *)pPnoRequest, (void *)request, + WLAN_HDD_PNO_SCAN); + ++ if (pHddCtx->config->probe_req_ie_whitelist && ++ !hdd_conn_is_connected(station_ctx)) ++ wlan_hdd_fill_whitelist_ie_attrs(&pPnoRequest->ie_whitelist, ++ pPnoRequest->probe_req_ie_bitmap, ++ &pPnoRequest->num_vendor_oui, ++ (struct vendor_oui *)( ++ (uint8_t *)pPnoRequest + ++ sizeof(*pPnoRequest)), ++ pHddCtx); ++ + status = sme_set_preferred_network_list(WLAN_HDD_GET_HAL_CTX(pAdapter), + pPnoRequest, + pAdapter->sessionId, +@@ -3322,3 +3366,33 @@ int hdd_scan_context_init(hdd_context_t *hdd_ctx) + + return 0; + } ++ ++void wlan_hdd_fill_whitelist_ie_attrs(bool *ie_whitelist, ++ uint32_t *probe_req_ie_bitmap, ++ uint32_t *num_vendor_oui, ++ struct vendor_oui *voui, ++ hdd_context_t *hdd_ctx) ++{ ++ uint32_t i = 0; ++ ++ *ie_whitelist = true; ++ probe_req_ie_bitmap[0] = hdd_ctx->config->probe_req_ie_bitmap_0; ++ probe_req_ie_bitmap[1] = hdd_ctx->config->probe_req_ie_bitmap_1; ++ probe_req_ie_bitmap[2] = hdd_ctx->config->probe_req_ie_bitmap_2; ++ probe_req_ie_bitmap[3] = 
hdd_ctx->config->probe_req_ie_bitmap_3; ++ probe_req_ie_bitmap[4] = hdd_ctx->config->probe_req_ie_bitmap_4; ++ probe_req_ie_bitmap[5] = hdd_ctx->config->probe_req_ie_bitmap_5; ++ probe_req_ie_bitmap[6] = hdd_ctx->config->probe_req_ie_bitmap_6; ++ probe_req_ie_bitmap[7] = hdd_ctx->config->probe_req_ie_bitmap_7; ++ ++ *num_vendor_oui = 0; ++ ++ if ((hdd_ctx->no_of_probe_req_ouis != 0) && (voui != NULL)) { ++ *num_vendor_oui = hdd_ctx->no_of_probe_req_ouis; ++ for (i = 0; i < hdd_ctx->no_of_probe_req_ouis; i++) { ++ voui[i].oui_type = hdd_ctx->probe_req_voui[i].oui_type; ++ voui[i].oui_subtype = ++ hdd_ctx->probe_req_voui[i].oui_subtype; ++ } ++ } ++} +diff --git a/core/hdd/src/wlan_hdd_scan.h b/core/hdd/src/wlan_hdd_scan.h +index 96c96f4..49cce33 100644 +--- a/core/hdd/src/wlan_hdd_scan.h ++++ b/core/hdd/src/wlan_hdd_scan.h +@@ -129,5 +129,24 @@ void hdd_cleanup_scan_queue(hdd_context_t *hdd_ctx); + void wlan_hdd_cfg80211_abort_scan(struct wiphy *wiphy, + struct wireless_dev *wdev); + #endif +-#endif /* end #if !defined(WLAN_HDD_SCAN_H) */ + ++/** ++ * wlan_hdd_fill_whitelist_ie_attrs - fill the white list members ++ * @ie_whitelist: enables whitelist ++ * @probe_req_ie_bitmap: bitmap to be filled ++ * @num_vendor_oui: pointer to no of ouis ++ * @voui: pointer to ouis to be filled ++ * @hdd_ctx: pointer to hdd ctx ++ * ++ * This function fills the ie bitmap and vendor oui fields with the ++ * corresponding values present in config and hdd_ctx ++ * ++ * Return: None ++ */ ++void wlan_hdd_fill_whitelist_ie_attrs(bool *ie_whitelist, ++ uint32_t *probe_req_ie_bitmap, ++ uint32_t *num_vendor_oui, ++ struct vendor_oui *voui, ++ hdd_context_t *hdd_ctx); ++ ++#endif /* end #if !defined(WLAN_HDD_SCAN_H) */ +diff --git a/core/mac/inc/sir_api.h b/core/mac/inc/sir_api.h +index f414035..644b8a8 100644 +--- a/core/mac/inc/sir_api.h ++++ b/core/mac/inc/sir_api.h +@@ -910,6 +910,13 @@ typedef struct sSirSmeScanReq { + uint8_t mac_addr[QDF_MAC_ADDR_SIZE]; + uint8_t 
mac_addr_mask[QDF_MAC_ADDR_SIZE]; + ++ /* probe req ie whitelisting attrs */ ++ bool ie_whitelist; ++ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN]; ++ uint32_t num_vendor_oui; ++ uint32_t oui_field_len; ++ uint32_t oui_field_offset; ++ + /* channelList MUST be the last field of this structure */ + tSirChannelList channelList; + /*----------------------------- +@@ -928,7 +935,10 @@ typedef struct sSirSmeScanReq { + ----------------------------- <--+ + ... variable size uIEFiled + up to uIEFieldLen (can be 0) +- -----------------------------*/ ++ ----------------------------- ++ ... variable size upto num_vendor_oui ++ struct vendor_oui voui; ++ -----------------------------------*/ + } tSirSmeScanReq, *tpSirSmeScanReq; + + typedef struct sSirSmeScanAbortReq { +@@ -2972,6 +2982,12 @@ typedef struct sSirPNOScanReq { + bool relative_rssi_set; + int8_t relative_rssi; + struct connected_pno_band_rssi_pref band_rssi_pref; ++ ++ /* probe req ie whitelisting attrs */ ++ bool ie_whitelist; ++ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN]; ++ uint32_t num_vendor_oui; ++ /* followed by one or more struct vendor_oui */ + } tSirPNOScanReq, *tpSirPNOScanReq; + + /* Preferred Network Found Indication */ +@@ -3819,6 +3835,13 @@ typedef struct sSirScanOffloadReq { + uint8_t mac_addr[QDF_MAC_ADDR_SIZE]; + uint8_t mac_addr_mask[QDF_MAC_ADDR_SIZE]; + ++ /* probe req ie whitelisting attrs */ ++ bool ie_whitelist; ++ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN]; ++ uint32_t num_vendor_oui; ++ uint32_t oui_field_len; ++ uint32_t oui_field_offset; ++ + tSirChannelList channelList; + /*----------------------------- + sSirScanOffloadReq.... +@@ -3836,7 +3859,10 @@ typedef struct sSirScanOffloadReq { + ----------------------------- <--+ + ... variable size uIEField + up to uIEFieldLen (can be 0) +- -----------------------------*/ ++ ----------------------------- ++ ... 
variable size upto num_vendor_oui ++ struct vendor_oui voui; ++ ------------------------*/ + } tSirScanOffloadReq, *tpSirScanOffloadReq; + + /** +@@ -4999,6 +5025,11 @@ typedef struct { + uint8_t oui[WIFI_SCANNING_MAC_OUI_LENGTH]; + uint32_t vdev_id; + bool enb_probe_req_sno_randomization; ++ /* probe req ie whitelisting attrs */ ++ bool ie_whitelist; ++ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN]; ++ uint32_t num_vendor_oui; ++ /* Followed by 0 or more struct vendor_oui */ + } tSirScanMacOui, *tpSirScanMacOui; + + enum { +diff --git a/core/mac/src/pe/lim/lim_process_sme_req_messages.c b/core/mac/src/pe/lim/lim_process_sme_req_messages.c +index 4c653fb..0703dec 100644 +--- a/core/mac/src/pe/lim/lim_process_sme_req_messages.c ++++ b/core/mac/src/pe/lim/lim_process_sme_req_messages.c +@@ -1222,7 +1222,6 @@ static QDF_STATUS lim_send_hal_start_scan_offload_req(tpAniSirGlobal pMac, + uint8_t *p; + tSirMsgQ msg; + uint16_t i, len; +- uint16_t addn_ie_len = 0; + tSirRetStatus status, rc = eSIR_SUCCESS; + tDot11fIEExtCap extracted_extcap = {0}; + bool extcap_present = true; +@@ -1255,7 +1254,7 @@ static QDF_STATUS lim_send_hal_start_scan_offload_req(tpAniSirGlobal pMac, + */ + len = sizeof(tSirScanOffloadReq) + + (pScanReq->channelList.numChannels - 1) + +- pScanReq->uIEFieldLen; ++ pScanReq->uIEFieldLen + pScanReq->oui_field_len; + + pScanOffloadReq = qdf_mem_malloc(len); + if (NULL == pScanOffloadReq) { +@@ -1335,8 +1334,8 @@ static QDF_STATUS lim_send_hal_start_scan_offload_req(tpAniSirGlobal pMac, + p[i] = pScanReq->channelList.channelNumber[i]; + + pScanOffloadReq->uIEFieldLen = pScanReq->uIEFieldLen; +- pScanOffloadReq->uIEFieldOffset = len - addn_ie_len - +- pScanOffloadReq->uIEFieldLen; ++ pScanOffloadReq->uIEFieldOffset = len - pScanOffloadReq->uIEFieldLen - ++ pScanReq->oui_field_len; + qdf_mem_copy((uint8_t *) pScanOffloadReq + + pScanOffloadReq->uIEFieldOffset, + (uint8_t *) pScanReq + pScanReq->uIEFieldOffset, +@@ -1351,6 +1350,23 @@ static QDF_STATUS 
lim_send_hal_start_scan_offload_req(tpAniSirGlobal pMac, + pScanReq->mac_addr_mask, QDF_MAC_ADDR_SIZE); + } + ++ pScanOffloadReq->oui_field_len = pScanReq->oui_field_len; ++ pScanOffloadReq->num_vendor_oui = pScanReq->num_vendor_oui; ++ pScanOffloadReq->ie_whitelist = pScanReq->ie_whitelist; ++ if (pScanOffloadReq->ie_whitelist) ++ qdf_mem_copy(pScanOffloadReq->probe_req_ie_bitmap, ++ pScanReq->probe_req_ie_bitmap, ++ PROBE_REQ_BITMAP_LEN * sizeof(uint32_t)); ++ pScanOffloadReq->oui_field_offset = sizeof(tSirScanOffloadReq) + ++ (pScanOffloadReq->channelList.numChannels - 1) + ++ pScanOffloadReq->uIEFieldLen; ++ if (pScanOffloadReq->num_vendor_oui != 0) { ++ qdf_mem_copy( ++ (uint8_t *) pScanOffloadReq + pScanOffloadReq->oui_field_offset, ++ (uint8_t *) pScanReq + pScanReq->oui_field_offset, ++ pScanReq->oui_field_len); ++ } ++ + rc = wma_post_ctrl_msg(pMac, &msg); + if (rc != eSIR_SUCCESS) { + lim_log(pMac, LOGE, FL("wma_post_ctrl_msg() return failure")); +diff --git a/core/sme/inc/csr_api.h b/core/sme/inc/csr_api.h +index 788e688..211d489 100644 +--- a/core/sme/inc/csr_api.h ++++ b/core/sme/inc/csr_api.h +@@ -297,6 +297,12 @@ typedef struct tagCsrScanRequest { + bool enable_scan_randomization; + uint8_t mac_addr[QDF_MAC_ADDR_SIZE]; + uint8_t mac_addr_mask[QDF_MAC_ADDR_SIZE]; ++ ++ /* probe req ie whitelisting attrs */ ++ bool ie_whitelist; ++ uint32_t probe_req_ie_bitmap[PROBE_REQ_BITMAP_LEN]; ++ uint32_t num_vendor_oui; ++ struct vendor_oui *voui; + } tCsrScanRequest; + + typedef struct tagCsrScanResultInfo { +diff --git a/core/sme/src/common/sme_power_save.c b/core/sme/src/common/sme_power_save.c +index 4ded194..298e0b5 100644 +--- a/core/sme/src/common/sme_power_save.c ++++ b/core/sme/src/common/sme_power_save.c +@@ -771,14 +771,19 @@ QDF_STATUS sme_set_ps_preferred_network_list(tHalHandle hal_ctx, + return QDF_STATUS_E_FAILURE; + } + +- request_buf = qdf_mem_malloc(sizeof(tSirPNOScanReq)); ++ request_buf = qdf_mem_malloc(sizeof(tSirPNOScanReq) + ++ 
(request->num_vendor_oui) * ++ (sizeof(struct vendor_oui))); ++ + if (NULL == request_buf) { + QDF_TRACE(QDF_MODULE_ID_SME, QDF_TRACE_LEVEL_ERROR, + FL("Not able to allocate memory for PNO request")); + return QDF_STATUS_E_NOMEM; + } + +- qdf_mem_copy(request_buf, request, sizeof(tSirPNOScanReq)); ++ qdf_mem_copy(request_buf, request, sizeof(tSirPNOScanReq) + ++ (request->num_vendor_oui) * ++ (sizeof(struct vendor_oui))); + + /*Must translate the mode first */ + uc_dot11_mode = (uint8_t) csr_translate_to_wni_cfg_dot11_mode(mac_ctx, +diff --git a/core/sme/src/csr/csr_api_scan.c b/core/sme/src/csr/csr_api_scan.c +index bb53967..a810f14 100644 +--- a/core/sme/src/csr/csr_api_scan.c ++++ b/core/sme/src/csr/csr_api_scan.c +@@ -5066,7 +5066,8 @@ static QDF_STATUS csr_send_mb_scan_req(tpAniSirGlobal pMac, uint16_t sessionId, + sizeof(pMsg->channelList.channelNumber) + + (sizeof(pMsg->channelList.channelNumber) * + pScanReq->ChannelInfo.numOfChannels)) + +- (pScanReq->uIEFieldLen); ++ (pScanReq->uIEFieldLen) + ++ pScanReq->num_vendor_oui * sizeof(*pScanReq->voui); + + pMsg = qdf_mem_malloc(msgLen); + if (NULL == pMsg) { +@@ -5237,6 +5238,26 @@ static QDF_STATUS csr_send_mb_scan_req(tpAniSirGlobal pMac, uint16_t sessionId, + QDF_MAC_ADDR_SIZE); + } + ++ pMsg->ie_whitelist = pScanReq->ie_whitelist; ++ if (pMsg->ie_whitelist) ++ qdf_mem_copy(pMsg->probe_req_ie_bitmap, ++ pScanReq->probe_req_ie_bitmap, ++ PROBE_REQ_BITMAP_LEN * sizeof(uint32_t)); ++ pMsg->num_vendor_oui = pScanReq->num_vendor_oui; ++ pMsg->oui_field_len = pScanReq->num_vendor_oui * ++ sizeof(*pScanReq->voui); ++ pMsg->oui_field_offset = (sizeof(tSirSmeScanReq) - ++ sizeof(pMsg->channelList.channelNumber) + ++ (sizeof(pMsg->channelList.channelNumber) * ++ pScanReq->ChannelInfo.numOfChannels)) + ++ pScanReq->uIEFieldLen; ++ ++ if (pScanReq->num_vendor_oui != 0) { ++ qdf_mem_copy((uint8_t *)pMsg + pMsg->oui_field_offset, ++ (uint8_t *)(pScanReq->voui), ++ pMsg->oui_field_len); ++ } ++ + send_scan_req: + 
sms_log(pMac, LOGD, + FL("scanId %d domainIdCurrent %d scanType %s (%d) bssType %s (%d) requestType %s (%d) numChannels %d"), +@@ -5652,6 +5673,7 @@ QDF_STATUS csr_scan_copy_request(tpAniSirGlobal mac_ctx, + dst_req->pIEField = NULL; + dst_req->ChannelInfo.ChannelList = NULL; + dst_req->SSIDs.SSIDList = NULL; ++ dst_req->voui = NULL; + + if (src_req->uIEFieldLen) { + dst_req->pIEField = +@@ -5809,6 +5831,29 @@ QDF_STATUS csr_scan_copy_request(tpAniSirGlobal mac_ctx, + dst_req->scan_id = src_req->scan_id; + dst_req->timestamp = src_req->timestamp; + ++ if (src_req->num_vendor_oui == 0) { ++ dst_req->num_vendor_oui = 0; ++ dst_req->voui = NULL; ++ } else { ++ dst_req->voui = qdf_mem_malloc(src_req->num_vendor_oui * ++ sizeof(*dst_req->voui)); ++ if (!dst_req->voui) ++ status = QDF_STATUS_E_NOMEM; ++ else ++ status = QDF_STATUS_SUCCESS; ++ ++ if (QDF_IS_STATUS_SUCCESS(status)) { ++ dst_req->num_vendor_oui = src_req->num_vendor_oui; ++ qdf_mem_copy(dst_req->voui, ++ src_req->voui, ++ src_req->num_vendor_oui * ++ sizeof(*dst_req->voui)); ++ } else { ++ dst_req->num_vendor_oui = 0; ++ sms_log(mac_ctx, LOGE, FL("No memory for voui")); ++ } ++ } ++ + complete: + if (!QDF_IS_STATUS_SUCCESS(status)) { + csr_scan_free_request(mac_ctx, dst_req); +@@ -5836,6 +5881,12 @@ QDF_STATUS csr_scan_free_request(tpAniSirGlobal pMac, tCsrScanRequest *pReq) + } + pReq->SSIDs.numOfSSIDs = 0; + ++ if (pReq->voui) { ++ qdf_mem_free(pReq->voui); ++ pReq->voui = NULL; ++ } ++ pReq->num_vendor_oui = 0; ++ + return QDF_STATUS_SUCCESS; + } + +diff --git a/core/wma/src/wma_scan_roam.c b/core/wma/src/wma_scan_roam.c +index d2dceca..8a78323 100644 +--- a/core/wma/src/wma_scan_roam.c ++++ b/core/wma/src/wma_scan_roam.c +@@ -283,6 +283,17 @@ QDF_STATUS wma_get_buf_start_scan_cmd(tp_wma_handle wma_handle, + qdf_mem_copy(cmd->mac_addr_mask, scan_req->mac_addr_mask, + QDF_MAC_ADDR_SIZE); + ++ /* probe req ie whitelisting attributes */ ++ cmd->ie_whitelist = scan_req->ie_whitelist; ++ if 
(cmd->ie_whitelist) { ++ for (i = 0; i < PROBE_REQ_BITMAP_LEN; i++) ++ cmd->probe_req_ie_bitmap[i] = ++ scan_req->probe_req_ie_bitmap[i]; ++ cmd->num_vendor_oui = scan_req->num_vendor_oui; ++ cmd->oui_field_len = scan_req->oui_field_len; ++ cmd->voui = (uint8_t *)scan_req + scan_req->oui_field_offset; ++ } ++ + if (!scan_req->p2pScanType) { + WMA_LOGD("Normal Scan request"); + cmd->scan_ctrl_flags |= WMI_SCAN_ADD_CCK_RATES; +@@ -3174,6 +3185,18 @@ QDF_STATUS wma_pno_start(tp_wma_handle wma, tpSirPNOScanReq pno) + params->band_rssi_pref.band = pno->band_rssi_pref.band; + params->band_rssi_pref.rssi = pno->band_rssi_pref.rssi; + ++ /* probe req ie whitelisting attributes */ ++ params->ie_whitelist = pno->ie_whitelist; ++ if (params->ie_whitelist) { ++ for (i = 0; i < PROBE_REQ_BITMAP_LEN; i++) ++ params->probe_req_ie_bitmap[i] = ++ pno->probe_req_ie_bitmap[i]; ++ params->num_vendor_oui = pno->num_vendor_oui; ++ params->oui_field_len = pno->num_vendor_oui * ++ sizeof(struct vendor_oui); ++ params->voui = (uint8_t *)pno; ++ } ++ + status = wmi_unified_pno_start_cmd(wma->wmi_handle, + params, channel_list); + if (QDF_IS_STATUS_SUCCESS(status)) { +@@ -5599,6 +5622,7 @@ QDF_STATUS wma_reset_passpoint_network_list(tp_wma_handle wma, + QDF_STATUS wma_scan_probe_setoui(tp_wma_handle wma, tSirScanMacOui *psetoui) + { + struct scan_mac_oui set_oui; ++ uint32_t i = 0; + + qdf_mem_set(&set_oui, sizeof(struct scan_mac_oui), 0); + +@@ -5614,6 +5638,18 @@ QDF_STATUS wma_scan_probe_setoui(tp_wma_handle wma, tSirScanMacOui *psetoui) + set_oui.enb_probe_req_sno_randomization = + psetoui->enb_probe_req_sno_randomization; + ++ /* probe req ie whitelisting attributes */ ++ set_oui.ie_whitelist = psetoui->ie_whitelist; ++ if (set_oui.ie_whitelist) { ++ for (i = 0; i < PROBE_REQ_BITMAP_LEN; i++) ++ set_oui.probe_req_ie_bitmap[i] = ++ psetoui->probe_req_ie_bitmap[i]; ++ set_oui.num_vendor_oui = psetoui->num_vendor_oui; ++ set_oui.oui_field_len = psetoui->num_vendor_oui * ++ sizeof(struct 
vendor_oui); ++ set_oui.voui = (uint8_t *)psetoui; ++ } ++ + return wmi_unified_scan_probe_setoui_cmd(wma->wmi_handle, + &set_oui); + } +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-11023/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11023/ANY/0001.patch new file mode 100644 index 00000000..b910235f --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11023/ANY/0001.patch 
@@ -0,0 +1,172 @@ +From c36e61af0f770125d0061a8d988d0987cc8d116a Mon Sep 17 00:00:00 2001 +From: Hardik Arya +Date: Thu, 15 Jun 2017 10:39:34 +0530 +Subject: diag: Add protection while processing non-hdlc packets + +Currently, there is possibility of out-of-bound accesses during +handling of data in non-hdlc path. The patch adds proper protection +when processing non-hdlc packet information to fix the issue. + +CRs-Fixed: 2029216 +Change-Id: I07c466f85bd8ac08226948fea86b1d8567e68431 +Signed-off-by: Hardik Arya +--- + drivers/char/diag/diagchar.h | 1 + + drivers/char/diag/diagchar_core.c | 1 + + drivers/char/diag/diagfwd.c | 42 ++++++++++++++++++++++++++++++--------- + 3 files changed, 35 insertions(+), 9 deletions(-) + +diff --git a/drivers/char/diag/diagchar.h b/drivers/char/diag/diagchar.h +index 92cf24d..cc56d68 100644 +--- a/drivers/char/diag/diagchar.h ++++ b/drivers/char/diag/diagchar.h +@@ -578,6 +578,7 @@ struct diagchar_dev { + unsigned char *buf_feature_mask_update; + uint8_t hdlc_disabled; + struct mutex hdlc_disable_mutex; ++ struct mutex hdlc_recovery_mutex; + struct timer_list hdlc_reset_timer; + struct mutex diag_hdlc_mutex; + unsigned char *hdlc_buf; +diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c +index d8fcfe2..54f638a 100644 +--- a/drivers/char/diag/diagchar_core.c ++++ b/drivers/char/diag/diagchar_core.c +@@ -3621,6 +3621,7 @@ static int __init diagchar_init(void) + mutex_init(&driver->delayed_rsp_mutex); + mutex_init(&apps_data_mutex); + mutex_init(&driver->msg_mask_lock); ++ mutex_init(&driver->hdlc_recovery_mutex); + for (i = 0; i < NUM_PERIPHERALS; i++) + mutex_init(&driver->diagfwd_channel_mutex[i]); + init_waitqueue_head(&driver->wait_q); +diff --git a/drivers/char/diag/diagfwd.c b/drivers/char/diag/diagfwd.c +index 019bf19..7dc2eab 100644 +--- a/drivers/char/diag/diagfwd.c ++++ b/drivers/char/diag/diagfwd.c +@@ -1405,7 +1405,9 @@ static void diag_hdlc_start_recovery(unsigned char *buf, int len, + + if 
(start_ptr) { + /* Discard any partial packet reads */ ++ mutex_lock(&driver->hdlc_recovery_mutex); + driver->incoming_pkt.processing = 0; ++ mutex_unlock(&driver->hdlc_recovery_mutex); + diag_process_non_hdlc_pkt(start_ptr, len - i, info); + } + } +@@ -1419,18 +1421,24 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len, + const uint32_t header_len = sizeof(struct diag_pkt_frame_t); + struct diag_pkt_frame_t *actual_pkt = NULL; + unsigned char *data_ptr = NULL; +- struct diag_partial_pkt_t *partial_pkt = &driver->incoming_pkt; ++ struct diag_partial_pkt_t *partial_pkt = NULL; + +- if (!buf || len <= 0) ++ mutex_lock(&driver->hdlc_recovery_mutex); ++ if (!buf || len <= 0) { ++ mutex_unlock(&driver->hdlc_recovery_mutex); + return; +- +- if (!partial_pkt->processing) ++ } ++ partial_pkt = &driver->incoming_pkt; ++ if (!partial_pkt->processing) { ++ mutex_unlock(&driver->hdlc_recovery_mutex); + goto start; ++ } + + if (partial_pkt->remaining > len) { + if ((partial_pkt->read_len + len) > partial_pkt->capacity) { + pr_err("diag: Invalid length %d, %d received in %s\n", + partial_pkt->read_len, len, __func__); ++ mutex_unlock(&driver->hdlc_recovery_mutex); + goto end; + } + memcpy(partial_pkt->data + partial_pkt->read_len, buf, len); +@@ -1444,6 +1452,7 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len, + pr_err("diag: Invalid length during partial read %d, %d received in %s\n", + partial_pkt->read_len, + partial_pkt->remaining, __func__); ++ mutex_unlock(&driver->hdlc_recovery_mutex); + goto end; + } + memcpy(partial_pkt->data + partial_pkt->read_len, buf, +@@ -1457,20 +1466,27 @@ void diag_process_non_hdlc_pkt(unsigned char *buf, int len, + if (partial_pkt->remaining == 0) { + actual_pkt = (struct diag_pkt_frame_t *)(partial_pkt->data); + data_ptr = partial_pkt->data + header_len; +- if (*(uint8_t *)(data_ptr + actual_pkt->length) != CONTROL_CHAR) ++ if (*(uint8_t *)(data_ptr + actual_pkt->length) != ++ CONTROL_CHAR) { ++ 
mutex_unlock(&driver->hdlc_recovery_mutex); + diag_hdlc_start_recovery(buf, len, info); ++ mutex_lock(&driver->hdlc_recovery_mutex); ++ } + err = diag_process_apps_pkt(data_ptr, + actual_pkt->length, info); + if (err) { + pr_err("diag: In %s, unable to process incoming data packet, err: %d\n", + __func__, err); ++ mutex_unlock(&driver->hdlc_recovery_mutex); + goto end; + } + partial_pkt->read_len = 0; + partial_pkt->total_len = 0; + partial_pkt->processing = 0; ++ mutex_unlock(&driver->hdlc_recovery_mutex); + goto start; + } ++ mutex_unlock(&driver->hdlc_recovery_mutex); + goto end; + + start: +@@ -1483,14 +1499,14 @@ start: + diag_send_error_rsp(buf, len, info); + goto end; + } +- ++ mutex_lock(&driver->hdlc_recovery_mutex); + if (pkt_len + header_len > partial_pkt->capacity) { + pr_err("diag: In %s, incoming data is too large for the request buffer %d\n", + __func__, pkt_len); ++ mutex_unlock(&driver->hdlc_recovery_mutex); + diag_hdlc_start_recovery(buf, len, info); + break; + } +- + if ((pkt_len + header_len) > (len - read_bytes)) { + partial_pkt->read_len = len - read_bytes; + partial_pkt->total_len = pkt_len + header_len; +@@ -1498,19 +1514,27 @@ start: + partial_pkt->read_len; + partial_pkt->processing = 1; + memcpy(partial_pkt->data, buf, partial_pkt->read_len); ++ mutex_unlock(&driver->hdlc_recovery_mutex); + break; + } + data_ptr = buf + header_len; +- if (*(uint8_t *)(data_ptr + actual_pkt->length) != CONTROL_CHAR) ++ if (*(uint8_t *)(data_ptr + actual_pkt->length) != ++ CONTROL_CHAR) { ++ mutex_unlock(&driver->hdlc_recovery_mutex); + diag_hdlc_start_recovery(buf, len, info); ++ mutex_lock(&driver->hdlc_recovery_mutex); ++ } + else + hdlc_reset = 0; + err = diag_process_apps_pkt(data_ptr, + actual_pkt->length, info); +- if (err) ++ if (err) { ++ mutex_unlock(&driver->hdlc_recovery_mutex); + break; ++ } + read_bytes += header_len + pkt_len + 1; + buf += header_len + pkt_len + 1; /* advance to next pkt */ ++ mutex_unlock(&driver->hdlc_recovery_mutex); + } + 
end: + return; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-11024/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11024/ANY/0001.patch new file mode 100644 index 00000000..984003aa --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11024/ANY/0001.patch 
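Review bot: In diag_process_non_hdlc_pkt(), both places where the CONTROL_CHAR terminator check fails drop hdlc_recovery_mutex, call diag_hdlc_start_recovery(), retake the mutex and then still call diag_process_apps_pkt() with the data_ptr and actual_pkt->length computed before the unlock. diag_hdlc_start_recovery() clears driver->incoming_pkt.processing and re-enters diag_process_non_hdlc_pkt(), so the partial-packet state the mutex protects can change in that window and is not re-checked after the re-lock. The frame that just failed validation is also still handed on. Unless processing it is intended, stop after recovery: in the reassembly path `mutex_unlock(&driver->hdlc_recovery_mutex); diag_hdlc_start_recovery(buf, len, info); goto end;`, and `break;` in place of the re-lock inside the `start:` loop. The function's opening and the assignment of pkt_len are outside the hunks, so the length bound on the terminator read could not be checked from here.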
@@ -0,0 +1,115 @@ +From f2a482422fefadfa0fa9b4146fc0e2b46ac04922 Mon Sep 17 00:00:00 2001 +From: Liangliang Lu +Date: Fri, 5 May 2017 08:50:32 +0800 +Subject: net: usb: rmnet_usb_ctrl:Make sure list_head operate atomically + +Get and delete operation on variables "list_elem" are not atomic. +Multiple threads may get the same "list_elem", may lead to race +conditions. + +Add mutex in rmnet_ctl_open to resolve current potential race condition +between test_bit and set_bit. + +Change-Id: I00c4e2fd4854ee17a13a0757da98c46a78eee4cb +Signed-off-by: Liangliang Lu +--- + drivers/net/usb/rmnet_usb_ctrl.c | 32 +++++++++++++++++++++++--------- + 1 file changed, 23 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/usb/rmnet_usb_ctrl.c b/drivers/net/usb/rmnet_usb_ctrl.c +index 58fd1f6..75e9783 100644 +--- a/drivers/net/usb/rmnet_usb_ctrl.c ++++ b/drivers/net/usb/rmnet_usb_ctrl.c +@@ -1,4 +1,4 @@ +-/* Copyright (c) 2011-2014, The Linux Foundation. All rights reserved. ++/* Copyright (c) 2011-2014, 2017, The Linux Foundation. All rights reserved. 
+ * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 and +@@ -514,8 +514,13 @@ static int rmnet_ctl_open(struct inode *inode, struct file *file) + if (!dev) + return -ENODEV; + +- if (test_bit(RMNET_CTRL_DEV_OPEN, &dev->status)) ++ mutex_lock(&dev->dev_lock); ++ if (test_bit(RMNET_CTRL_DEV_OPEN, &dev->status)) { ++ mutex_unlock(&dev->dev_lock); + goto already_opened; ++ } ++ set_bit(RMNET_CTRL_DEV_OPEN, &dev->status); ++ mutex_unlock(&dev->dev_lock); + + if (dev->mdm_wait_timeout && + !test_bit(RMNET_CTRL_DEV_READY, &dev->cudev->status)) { +@@ -527,10 +532,15 @@ static int rmnet_ctl_open(struct inode *inode, struct file *file) + if (retval == 0) { + dev_err(dev->devicep, "%s: Timeout opening %s\n", + __func__, dev->name); +- return -ETIMEDOUT; +- } else if (retval < 0) { ++ retval = -ETIMEDOUT; ++ } else if (retval < 0) + dev_err(dev->devicep, "%s: Error waiting for %s\n", + __func__, dev->name); ++ ++ if (retval < 0) { ++ mutex_lock(&dev->dev_lock); ++ clear_bit(RMNET_CTRL_DEV_OPEN, &dev->status); ++ mutex_unlock(&dev->dev_lock); + return retval; + } + } +@@ -538,14 +548,15 @@ static int rmnet_ctl_open(struct inode *inode, struct file *file) + if (!test_bit(RMNET_CTRL_DEV_READY, &dev->cudev->status)) { + dev_dbg(dev->devicep, "%s: Connection timedout opening %s\n", + __func__, dev->name); ++ mutex_lock(&dev->dev_lock); ++ clear_bit(RMNET_CTRL_DEV_OPEN, &dev->status); ++ mutex_unlock(&dev->dev_lock); + return -ETIMEDOUT; + } + + /* clear stale data if device close called but channel was ready */ + rmnet_usb_ctrl_free_rx_list(dev); + +- set_bit(RMNET_CTRL_DEV_OPEN, &dev->status); +- + file->private_data = dev; + + already_opened: +@@ -564,7 +575,9 @@ static int rmnet_ctl_release(struct inode *inode, struct file *file) + + DBG("%s Called on %s device\n", __func__, dev->name); + ++ mutex_lock(&dev->dev_lock); + clear_bit(RMNET_CTRL_DEV_OPEN, &dev->status); ++ 
mutex_unlock(&dev->dev_lock); + + file->private_data = NULL; + +@@ -638,6 +651,7 @@ ctrl_read: + + list_elem = list_first_entry(&dev->rx_list, + struct ctrl_pkt_list_elem, list); ++ list_del(&list_elem->list); + bytes_to_read = (uint32_t)(list_elem->cpkt.data_size); + if (bytes_to_read > count) { + spin_unlock_irqrestore(&dev->rx_lock, flags); +@@ -654,11 +668,11 @@ ctrl_read: + dev_err(dev->devicep, + "%s: copy_to_user failed for %s\n", + __func__, dev->name); ++ spin_lock_irqsave(&dev->rx_lock, flags); ++ list_add(&list_elem->list, &dev->rx_list); ++ spin_unlock_irqrestore(&dev->rx_lock, flags); + return -EFAULT; + } +- spin_lock_irqsave(&dev->rx_lock, flags); +- list_del(&list_elem->list); +- spin_unlock_irqrestore(&dev->rx_lock, flags); + + kfree(list_elem->cpkt.data); + kfree(list_elem); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-11025/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11025/ANY/0001.patch new file mode 100644 index 00000000..1969cbbf --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-11025/ANY/0001.patch 
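Review bot: In the `ctrl_read:` hunk, `list_del(&list_elem->list)` now runs before the `bytes_to_read > count` check, so when the caller's buffer is too small the element is already unlinked from dev->rx_list and the visible part of that branch only drops rx_lock. If the branch returns there, as the context suggests, the packet and its data buffer are neither re-queued nor freed. The copy_to_user failure path does put the element back with list_add(), so the size-check path should do the same. Simpler still is to unlink only once the size is accepted: move `list_del(&list_elem->list);` to just after the closing brace of the `if (bytes_to_read > count)` block, while rx_lock is still held. The rest of that branch and the unlock before copy_to_user are outside the hunk, so confirm the lock is still held at that point.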
@@ -0,0 +1,248 @@
+From 95e72ae9281b77abc3ed0cc6a33c17b989241efa Mon Sep 17 00:00:00 2001
+From: kunleiz
+Date: Sun, 26 Mar 2017 20:07:43 +0800
+Subject: ASoC: msm: qdspv2: add mutex to prevent access same memory
+ simultaneously
+
+Add mutex protection to avoid simultaneous access the
+same memory by multiple threads.
+
+CRs-Fixed: 2013494
+Change-Id: I440ea633ceb7312637c9a3b29d22236166d21a39
+Signed-off-by: kunleiz
+---
+ drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 34 +++++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
+index 089a827..e7c28a6 100644
+--- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
++++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
+@@ -148,6 +148,8 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
+ case AUDIO_START: {
+ pr_debug("%s: AUDIO_START\n", __func__);
+
++ mutex_lock(&effects->lock);
++
+ rc = q6asm_open_read_write_v2(effects->ac,
+ FORMAT_LINEAR_PCM,
+ FORMAT_MULTI_CHANNEL_LINEAR_PCM,
+@@ -159,6 +161,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
+ pr_err("%s: Open failed for hw accelerated effects:rc=%d\n",
+ __func__, rc);
+ rc = -EINVAL;
++ mutex_unlock(&effects->lock);
+ goto ioctl_fail;
+ }
+ effects->opened = 1;
+@@ -175,6 +178,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
+ pr_err("%s: Write buffer Allocation failed rc = %d\n",
+ __func__, rc);
+ rc = -ENOMEM;
++ mutex_unlock(&effects->lock);
+ goto ioctl_fail;
+ }
+ atomic_set(&effects->in_count, effects->config.input.num_buf);
+@@ -185,6 +189,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
+ pr_err("%s: Read buffer Allocation failed rc = %d\n",
+ __func__, rc);
+ rc = -ENOMEM;
++ mutex_unlock(&effects->lock);
+ goto readbuf_fail;
+ }
+ atomic_set(&effects->out_count, effects->config.output.num_buf);
+@@ -199,6 +204,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
+ if (rc < 0) {
+ pr_err("%s: pcm read block config failed\n", __func__);
+ rc = -EINVAL;
++ mutex_unlock(&effects->lock);
+ goto cfg_fail;
+ }
+ pr_debug("%s: dec: sample_rate: %d, num_channels: %d, bit_width: %d\n",
+@@ -213,6 +219,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
+ pr_err("%s: pcm write format block config failed\n",
+ __func__);
+ rc = -EINVAL;
++ mutex_unlock(&effects->lock);
+ goto cfg_fail;
+ }
+
+@@ -225,6 +232,7 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
+ effects->started = 0;
+ pr_err("%s: ASM run state failed\n", __func__);
+ }
++ mutex_unlock(&effects->lock);
+ break;
+ }
+ case AUDIO_EFFECTS_WRITE: {
+@@ -286,8 +294,11 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
+ uint32_t idx = 0;
+ uint32_t size = 0;
+
++ mutex_lock(&effects->lock);
++
+ if (!effects->started) {
+ rc = -EFAULT;
++ mutex_unlock(&effects->lock);
+ goto ioctl_fail;
+ }
+
+@@ -304,11 +315,13 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
+ if (!rc) {
+ pr_err("%s: read wait_event_timeout\n", __func__);
+ rc = -EFAULT;
++ mutex_unlock(&effects->lock);
+ goto ioctl_fail;
+ }
+ if (!atomic_read(&effects->in_count)) {
+ pr_err("%s: pcm stopped in_count 0\n", __func__);
+ rc = -EFAULT;
++ mutex_unlock(&effects->lock);
+ goto ioctl_fail;
+ }
+
+@@ -316,15 +329,18 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
+ if (bufptr) {
+ if (!((void *)arg)) {
+ rc = -EFAULT;
++ mutex_unlock(&effects->lock);
+ goto ioctl_fail;
+ }
+ if ((effects->config.buf_cfg.input_len > size) ||
+ copy_to_user((void *)arg, bufptr,
+ effects->config.buf_cfg.input_len)) {
+ rc = -EFAULT;
++ mutex_unlock(&effects->lock);
+ goto ioctl_fail;
+ }
+ }
++ mutex_unlock(&effects->lock);
+ break;
+ }
+ default:
+@@ -456,6 +472,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd,
+ switch (cmd) {
+ case AUDIO_SET_EFFECTS_CONFIG: {
+ pr_debug("%s: AUDIO_SET_EFFECTS_CONFIG\n", __func__);
++ mutex_lock(&effects->lock);
+ memset(&effects->config, 0, sizeof(effects->config));
+ if (copy_from_user(&effects->config, (void *)arg,
+ sizeof(effects->config))) {
+@@ -473,6 +490,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd,
+ effects->config.input.num_buf,
+ effects->config.input.sample_rate,
+ effects->config.input.num_channels);
++ mutex_unlock(&effects->lock);
+ break;
+ }
+ case AUDIO_EFFECTS_SET_BUF_LEN: {
+@@ -494,6 +512,7 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd,
+
+ buf_avail.input_num_avail = atomic_read(&effects->in_count);
+ buf_avail.output_num_avail = atomic_read(&effects->out_count);
++ mutex_lock(&effects->lock);
+ pr_debug("%s: write buf avail: %d, read buf avail: %d\n",
+ __func__, buf_avail.output_num_avail,
+ buf_avail.input_num_avail);
+@@ -503,16 +522,20 @@ static long audio_effects_ioctl(struct file *file, unsigned int cmd,
+ __func__);
+ rc = -EFAULT;
+ }
++ mutex_unlock(&effects->lock);
+ break;
+ }
+ case AUDIO_EFFECTS_SET_PP_PARAMS: {
++ mutex_lock(&effects->lock);
+ if (copy_from_user(argvalues, (void *)arg,
+ MAX_PP_PARAMS_SZ*sizeof(long))) {
+ pr_err("%s: copy from user for pp params failed\n",
+ __func__);
++ mutex_unlock(&effects->lock);
+ return -EFAULT;
+ }
+ rc = audio_effects_set_pp_param(effects, argvalues);
++ mutex_unlock(&effects->lock);
+ break;
+ }
+ default:
+@@ -578,12 +601,14 @@ static long audio_effects_compat_ioctl(struct file *file, unsigned int cmd,
+ case AUDIO_SET_EFFECTS_CONFIG32: {
+ struct msm_hwacc_effects_config32 config32;
+ struct msm_hwacc_effects_config *config = &effects->config;
++ mutex_lock(&effects->lock);
+ memset(&effects->config, 0, sizeof(effects->config));
+ if (copy_from_user(&config32, (void *)arg,
+ sizeof(config32))) {
+ pr_err("%s: copy to user for AUDIO_SET_EFFECTS_CONFIG failed\n",
+ __func__);
+ rc = -EFAULT;
++ mutex_unlock(&effects->lock);
+ break;
+ }
+ config->input.buf_size = config32.input.buf_size;
+@@ -620,16 +645,19 @@ static long audio_effects_compat_ioctl(struct file *file, unsigned int cmd,
+ effects->config.input.num_buf,
+ effects->config.input.sample_rate,
+ effects->config.input.num_channels);
++ mutex_unlock(&effects->lock);
+ break;
+ }
+ case AUDIO_EFFECTS_SET_BUF_LEN32: {
+ struct msm_hwacc_buf_cfg32 buf_cfg32;
+ struct msm_hwacc_effects_config *config = &effects->config;
++ mutex_lock(&effects->lock);
+ if (copy_from_user(&buf_cfg32, (void *)arg,
+ sizeof(buf_cfg32))) {
+ pr_err("%s: copy from user for AUDIO_EFFECTS_SET_BUF_LEN failed\n",
+ __func__);
+ rc = -EFAULT;
++ mutex_unlock(&effects->lock);
+ break;
+ }
+ config->buf_cfg.input_len = buf_cfg32.input_len;
+@@ -637,6 +665,7 @@ static long audio_effects_compat_ioctl(struct file *file, unsigned int cmd,
+ pr_debug("%s: write buf len: %d, read buf len: %d\n",
+ __func__, effects->config.buf_cfg.output_len,
+ effects->config.buf_cfg.input_len);
++ mutex_unlock(&effects->lock);
+ break;
+ }
+ case AUDIO_EFFECTS_GET_BUF_AVAIL32: {
+@@ -644,6 +673,7 @@ static long audio_effects_compat_ioctl(struct file *file, unsigned int cmd,
+
+ memset(&buf_avail, 0, sizeof(buf_avail));
+
++ mutex_lock(&effects->lock);
+ buf_avail.input_num_avail = atomic_read(&effects->in_count);
+ buf_avail.output_num_avail = atomic_read(&effects->out_count);
+ pr_debug("%s: write buf avail: %d, read buf avail: %d\n",
+@@ -655,22 +685,26 @@ static long audio_effects_compat_ioctl(struct file *file, unsigned int cmd,
+ __func__);
+ rc = -EFAULT;
+ }
++ mutex_unlock(&effects->lock);
+ break;
+ }
+ case AUDIO_EFFECTS_SET_PP_PARAMS32: {
+ long argvalues[MAX_PP_PARAMS_SZ] = {0};
+ int argvalues32[MAX_PP_PARAMS_SZ] = {0};
+
++ mutex_lock(&effects->lock);
+ if (copy_from_user(argvalues32, (void *)arg,
+ MAX_PP_PARAMS_SZ*sizeof(int))) {
+ pr_err("%s: copy from user failed for pp params\n",
+ __func__);
++ mutex_unlock(&effects->lock);
+ return -EFAULT;
+ }
+ for (i = 0; i < MAX_PP_PARAMS_SZ; i++)
+ argvalues[i] = argvalues32[i];
+
+ rc = audio_effects_set_pp_param(effects, argvalues);
++ mutex_unlock(&effects->lock);
+ break;
+ }
+ case AUDIO_START32: {
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-11028/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11028/ANY/0001.patch
new file mode 100644
index 00000000..e6d4075c
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-11028/ANY/0001.patch
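Review bot: The native `AUDIO_EFFECTS_SET_BUF_LEN` case in `audio_effects_ioctl` gets no locking in this patch (the inner hunk offsets show nothing inserted between `case AUDIO_EFFECTS_SET_BUF_LEN: {` and the `GET_BUF_AVAIL` hunk), while its compat twin `AUDIO_EFFECTS_SET_BUF_LEN32` now takes `effects->lock` around the write to `config->buf_cfg`. The native case body is outside the patch, but if it writes `effects->config.buf_cfg` as the compat path does, it still races with `AUDIO_EFFECTS_READ`, which reads `effects->config.buf_cfg.input_len` under the lock; it would need `mutex_lock(&effects->lock);` at the top of the case and `mutex_unlock(&effects->lock);` before its `break`. In the native `AUDIO_EFFECTS_GET_BUF_AVAIL` case the lock is taken after the two `atomic_read()` calls, whereas the compat case takes it before them, and the two should agree. `AUDIO_EFFECTS_READ` also appears to hold the mutex across the timed wait whose `read wait_event_timeout` failure branch is visible, which would stall every other ioctl on the same handle for the length of the timeout.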
@@ -0,0 +1,57 @@
+From fd70b655d901e626403f132b65fc03d993f0a09b Mon Sep 17 00:00:00 2001
+From: Senthil Kumar Rajagopal
+Date: Mon, 10 Apr 2017 15:11:14 +0530
+Subject: msm: camera: isp: add bound check to handle array out of access
+
+The pointer req_frm comes from userspace,
+req_frm->stream_handle is passed as an argument to
+the function msm_isp_get_stream_common_data,
+stream_idx can overflow common_data->streams[] and
+the code ends up copying an out of bound
+kernel address into stream_info. Adding bound check to
+handle the same.
+
+CRs-fixed: 2008683
+Change-Id: Ib4a059bfd573cdc4e18ce630b4091576ff8edc7e
+Signed-off-by: Senthil Kumar Rajagopal
+---
+ drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c | 6 ++++++
+ drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h | 5 +++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
+index dce474e..8ab2e85 100644
+--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c
+@@ -3909,6 +3909,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
+ &update_cmd->req_frm_ver2;
+ stream_info = msm_isp_get_stream_common_data(vfe_dev,
+ HANDLE_TO_IDX(req_frm->stream_handle));
++ if (stream_info == NULL) {
++ pr_err_ratelimited("%s: stream_info is NULL\n",
++ __func__);
++ rc = -EINVAL;
++ break;
++ }
+ rc = msm_isp_request_frame(vfe_dev, stream_info,
+ req_frm->user_stream_id,
+ req_frm->frame_id,
+diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h
+index 65009cb..a8d4cfb 100644
+--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h
++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.h
+@@ -141,6 +141,11 @@ static inline struct msm_vfe_axi_stream *msm_isp_get_stream_common_data(
+ struct msm_vfe_common_dev_data *common_data = vfe_dev->common_data;
+ struct msm_vfe_axi_stream *stream_info;
+
++ if (stream_idx >= VFE_AXI_SRC_MAX) {
++ pr_err("invalid stream_idx %d\n", stream_idx);
++ return NULL;
++ }
++
+ if (vfe_dev->is_split && stream_idx < RDI_INTF_0)
+ stream_info = &common_data->streams[stream_idx];
+ else
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-11028/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-11028/ANY/0002.patch
new file mode 100644
index 00000000..d3e560cc
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-11028/ANY/0002.patch
@@ -0,0 +1,36 @@
+From 6724296d3f3b2821b83219768c1b9e971e380a9f Mon Sep 17 00:00:00 2001
+From: Sriraj Hebbar
+Date: Fri, 30 Jun 2017 13:14:28 +0530
+Subject: msm: camera: isp: Handle array out of bound access
+
+The pointer req_frm is coming from userspace, it may overflow stream_info.
+Adding a bound check to prevent the same.
+
+CRs-fixed: 2008683
+Change-Id: I8682e09ff2ab7ba490bbbd9e20db978493c5f3e4
+Signed-off-by: Senthil Kumar Rajagopal
+Signed-off-by: Andy Sun
+---
+ drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
+index 373a963..a85ee30 100644
+--- a/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
++++ b/drivers/media/platform/msm/ais/isp/msm_isp_axi_util.c
+@@ -3889,6 +3889,12 @@ int msm_isp_update_axi_stream(struct vfe_device *vfe_dev, void *arg)
+ case UPDATE_STREAM_REQUEST_FRAMES_VER2: {
+ struct msm_vfe_axi_stream_cfg_update_info_req_frm *req_frm =
+ &update_cmd->req_frm_ver2;
++ if (HANDLE_TO_IDX(req_frm->stream_handle) >= VFE_AXI_SRC_MAX) {
++ pr_err("%s: Invalid stream handle\n", __func__);
++ rc = -EINVAL;
++ break;
++ }
++
+ stream_info = &axi_data->stream_info[HANDLE_TO_IDX(
+ req_frm->stream_handle)];
+ rc = msm_isp_request_frame(vfe_dev, stream_info,
+--
+cgit v1.1
+
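Review bot: `msm_isp_get_stream_common_data()` can now return NULL, but the only caller this patch updates is the `req_frm_ver2` path in `msm_isp_update_axi_stream()`; any other caller of the helper (none are shown here) needs the same `if (stream_info == NULL)` check, or an out-of-range index becomes a NULL dereference there. The new `pr_err("invalid stream_idx %d\n", stream_idx);` sits on a path reached with a userspace-supplied handle and is not rate limited, unlike the caller's `pr_err_ratelimited`; the same applies to the `pr_err` added in CVE-2017-11028/ANY/0002.patch. The helper's parameter list is cut off in the hunk header, so the type of `stream_idx` is not visible: if it is signed, the guard should read `if (stream_idx < 0 || stream_idx >= VFE_AXI_SRC_MAX)`.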
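Review bot: The guard and the array index in the `UPDATE_STREAM_REQUEST_FRAMES_VER2` case each expand `HANDLE_TO_IDX(req_frm->stream_handle)` separately. Reading the index once into a local (for example a `uint32_t idx`) and using it for both, `if (idx >= VFE_AXI_SRC_MAX)` and `stream_info = &axi_data->stream_info[idx];`, makes the checked value and the used value the same by construction. Only this one case of the switch is visible in the hunk, so whether the other update types index `stream_info` from a user-supplied handle without a bound check cannot be confirmed from here and is worth checking.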
diff --git a/Patches/Linux_CVEs/CVE-2017-11029/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11029/ANY/0001.patch
new file mode 100644
index 00000000..e5441156
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-11029/ANY/0001.patch
@@ -0,0 +1,147 @@
+From 86f0d207d478e1681f6711b46766cfb3c6a30fb5 Mon Sep 17 00:00:00 2001
+From: Ravi kumar Koyyana
+Date: Mon, 27 Mar 2017 17:44:36 -0700
+Subject: msm: camera2: cpp: Fix iommu_attach/detach compat_ioctl issue
+
+When the Camera application exercises 32-bit version of the V4L2 ioctl
+operation, it results accessing user space memory illegally. This is
+due to the direct access of user space buffer by Camera CPP driver.
+
+Thus, fix this by copying user space buffer contents into kernel space
+buffer of the driver for further processing. Only after checking for
+proper length of user space buffer, proceed further. This will prevent
+the buffer overflow and invalid memory access.
+
+CRs-fixed: 2025367
+Change-Id: I85cf4a961884c7bb0d036299b886044aef7baf7c
+Signed-off-by: Ravi kumar Koyyana
+---
+ .../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 49 ++++++++++++++++------
+ 1 file changed, 37 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+index 8402e31..95aac07 100644
+--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
++++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+@@ -2953,8 +2953,9 @@ static int msm_cpp_validate_input(unsigned int cmd, void *arg,
+ }
+
+ *ioctl_ptr = arg;
+- if ((*ioctl_ptr == NULL) ||
+- ((*ioctl_ptr)->ioctl_ptr == NULL)) {
++ if (((*ioctl_ptr) == NULL) ||
++ ((*ioctl_ptr)->ioctl_ptr == NULL) ||
++ ((*ioctl_ptr)->len == 0)) {
+ pr_err("Error invalid ioctl argument cmd %u", cmd);
+ return -EINVAL;
+ }
+@@ -3503,13 +3504,18 @@ STREAM_BUFF_END:
+ if (cpp_dev->iommu_state == CPP_IOMMU_STATE_DETACHED) {
+ struct msm_camera_smmu_attach_type cpp_attach_info;
+
++ if (ioctl_ptr->len !=
++ sizeof(struct msm_camera_smmu_attach_type)) {
++ rc = -EINVAL;
++ break;
++ }
++
+ memset(&cpp_attach_info, 0, sizeof(cpp_attach_info));
+ rc = msm_cpp_copy_from_ioctl_ptr(&cpp_attach_info,
+ ioctl_ptr);
+ if (rc < 0) {
+ pr_err("CPP_IOMMU_ATTACH copy from user fail");
+- ERR_COPY_FROM_USER();
+- return -EINVAL;
++ break;
+ }
+
+ cpp_dev->security_mode = cpp_attach_info.attach;
+@@ -3538,16 +3544,20 @@ STREAM_BUFF_END:
+ case VIDIOC_MSM_CPP_IOMMU_DETACH: {
+ if ((cpp_dev->iommu_state == CPP_IOMMU_STATE_ATTACHED) &&
+ (cpp_dev->stream_cnt == 0)) {
+-
+ struct msm_camera_smmu_attach_type cpp_attach_info;
+
++ if (ioctl_ptr->len !=
++ sizeof(struct msm_camera_smmu_attach_type)) {
++ rc = -EINVAL;
++ break;
++ }
++
+ memset(&cpp_attach_info, 0, sizeof(cpp_attach_info));
+ rc = msm_cpp_copy_from_ioctl_ptr(&cpp_attach_info,
+ ioctl_ptr);
+ if (rc < 0) {
+ pr_err("CPP_IOMMU_DETTACH copy from user fail");
+- ERR_COPY_FROM_USER();
+- return -EINVAL;
++ break;
+ }
+
+ cpp_dev->security_mode = cpp_attach_info.attach;
+@@ -3568,6 +3578,7 @@ STREAM_BUFF_END:
+ } else {
+ pr_err("%s:%d IOMMMU attach triggered in invalid state\n",
+ __func__, __LINE__);
++ rc = -EINVAL;
+ }
+ break;
+ }
+@@ -3883,6 +3894,7 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
+ struct msm_cpp_stream_buff_info_t k_cpp_buff_info;
+ struct msm_cpp_frame_info32_t k32_frame_info;
+ struct msm_cpp_frame_info_t k64_frame_info;
++ struct msm_camera_smmu_attach_type kb_cpp_smmu_attach_info;
+ uint32_t identity_k = 0;
+ bool is_copytouser_req = true;
+ void __user *up = (void __user *)arg;
+@@ -4187,11 +4199,23 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
+ break;
+ }
+ case VIDIOC_MSM_CPP_IOMMU_ATTACH32:
+- cmd = VIDIOC_MSM_CPP_IOMMU_ATTACH;
+- break;
+ case VIDIOC_MSM_CPP_IOMMU_DETACH32:
+- cmd = VIDIOC_MSM_CPP_IOMMU_DETACH;
++ {
++ if ((kp_ioctl.len != sizeof(struct msm_camera_smmu_attach_type))
++ || (copy_from_user(&kb_cpp_smmu_attach_info,
++ (void __user *)kp_ioctl.ioctl_ptr,
++ sizeof(kb_cpp_smmu_attach_info)))) {
++ mutex_unlock(&cpp_dev->mutex);
++ return -EINVAL;
++ }
++
++ kp_ioctl.ioctl_ptr = (void *)&kb_cpp_smmu_attach_info;
++ is_copytouser_req = false;
++ cmd = (cmd == VIDIOC_MSM_CPP_IOMMU_ATTACH32) ?
++ VIDIOC_MSM_CPP_IOMMU_ATTACH :
++ VIDIOC_MSM_CPP_IOMMU_DETACH;
+ break;
++ }
+ case MSM_SD_NOTIFY_FREEZE:
+ break;
+ case MSM_SD_UNNOTIFY_FREEZE:
+@@ -4202,7 +4226,8 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
+ default:
+ pr_err_ratelimited("%s: unsupported compat type :%x LOAD %lu\n",
+ __func__, cmd, VIDIOC_MSM_CPP_LOAD_FIRMWARE);
+- break;
++ mutex_unlock(&cpp_dev->mutex);
++ return -EINVAL;
+ }
+
+ mutex_unlock(&cpp_dev->mutex);
+@@ -4233,7 +4258,7 @@ static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
+ default:
+ pr_err_ratelimited("%s: unsupported compat type :%d\n",
+ __func__, cmd);
+- break;
++ return -EINVAL;
+ }
+
+ if (is_copytouser_req) {
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-11029/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-11029/ANY/0002.patch
new file mode 100644
index 00000000..20b8fd68
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-11029/ANY/0002.patch
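Review bot: The compat `VIDIOC_MSM_CPP_IOMMU_ATTACH32`/`DETACH32` branch repoints `kp_ioctl.ioctl_ptr` at the on-stack `kb_cpp_smmu_attach_info` with no comment, so on this path the native handler's `msm_cpp_copy_from_ioctl_ptr(&cpp_attach_info, ioctl_ptr)` receives a kernel address rather than a user pointer. That helper is outside the patch, and the fix is only correct if it treats compat callers' pointers as kernel memory, which should be confirmed. I would add `/* ioctl_ptr now refers to a kernel copy; it must not be handed to copy_from_user() */` above the assignment. The same branch returns `-EINVAL` both for a length mismatch and for a faulting `copy_from_user()`; returning `-EFAULT` for the fault would keep the two failures distinguishable to callers and in logs.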
@@ -0,0 +1,43 @@
+From 74ab23917b82769644a3299da47b58e080aa63f2 Mon Sep 17 00:00:00 2001
+From: Terence Ho
+Date: Fri, 26 May 2017 15:05:07 -0400
+Subject: msm: ais: cpp fix to check zero length ioctl
+
+Port of ioctl validation for zero length ioctl
+from camera_v2.
+
+Change-Id: I635522f331d1e18641196ee3101c64ccc285636a
+CRs-fixed: 2025367
+Signed-off-by: Terence Ho
+---
+ drivers/media/platform/msm/ais/pproc/cpp/msm_cpp.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/media/platform/msm/ais/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/ais/pproc/cpp/msm_cpp.c
+index 0e1c6b4..d265210 100644
+--- a/drivers/media/platform/msm/ais/pproc/cpp/msm_cpp.c
++++ b/drivers/media/platform/msm/ais/pproc/cpp/msm_cpp.c
+@@ -2889,6 +2889,8 @@ static int msm_cpp_validate_ioctl_input(unsigned int cmd, void *arg,
+ case MSM_SD_SHUTDOWN:
+ case MSM_SD_NOTIFY_FREEZE:
+ case MSM_SD_UNNOTIFY_FREEZE:
++ case VIDIOC_MSM_CPP_IOMMU_ATTACH:
++ case VIDIOC_MSM_CPP_IOMMU_DETACH:
+ break;
+ default: {
+ if (ioctl_ptr == NULL) {
+@@ -2897,8 +2899,9 @@ static int msm_cpp_validate_ioctl_input(unsigned int cmd, void *arg,
+ }
+
+ *ioctl_ptr = arg;
+- if ((*ioctl_ptr == NULL) ||
+- (*ioctl_ptr)->ioctl_ptr == NULL) {
++ if (((*ioctl_ptr) == NULL) ||
++ ((*ioctl_ptr)->ioctl_ptr == NULL) ||
++ ((*ioctl_ptr)->len == 0)) {
+ pr_err("Error invalid ioctl argument cmd %u", cmd);
+ return -EINVAL;
+ }
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-11032/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11032/ANY/0001.patch
new file mode 100644
index 00000000..117f5efa
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-11032/ANY/0001.patch
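Review bot: Adding `VIDIOC_MSM_CPP_IOMMU_ATTACH` and `VIDIOC_MSM_CPP_IOMMU_DETACH` to the pass-through list in the first inner hunk means those two commands skip the NULL and `len == 0` checks that the second inner hunk tightens, and in the lines shown `*ioctl_ptr = arg;` is assigned only in the `default` branch. The camera_v2 fix (CVE-2017-11029/ANY/0001.patch) adds an explicit `ioctl_ptr->len != sizeof(struct msm_camera_smmu_attach_type)` check in both handlers, and no equivalent is part of this port. The ais ATTACH/DETACH handlers are outside the patch, so whether they validate the argument themselves needs confirming; if they do not, either drop the two new case labels or add the same length check there.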
@@ -0,0 +1,33 @@
+From 2720294757d0ad5294283c15dc837852f7b2329a Mon Sep 17 00:00:00 2001
+From: Gaurav Kohli
+Date: Thu, 4 Aug 2016 17:40:15 +0530
+Subject: soc: qcom: Initialize message pointer with NULL
+
+During service locator call there is a chance in which
+resp message is used or freed while uninitialized.So to
+prevent it initialize the same with NULL.
+
+Change-Id: I65f854e184606684ce2ca711f19cf61d26c1ecb5
+Signed-off-by: Gaurav Kohli
+---
+ drivers/soc/qcom/service-locator.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/soc/qcom/service-locator.c b/drivers/soc/qcom/service-locator.c
+index 76d754d..c204947 100644
+--- a/drivers/soc/qcom/service-locator.c
++++ b/drivers/soc/qcom/service-locator.c
+@@ -202,8 +202,8 @@ static int servreg_loc_send_msg(struct msg_desc *req_desc,
+ static int service_locator_send_msg(struct pd_qmi_client_data *pd)
+ {
+ struct msg_desc req_desc, resp_desc;
+- struct qmi_servreg_loc_get_domain_list_resp_msg_v01 *resp;
+- struct qmi_servreg_loc_get_domain_list_req_msg_v01 *req;
++ struct qmi_servreg_loc_get_domain_list_resp_msg_v01 *resp = NULL;
++ struct qmi_servreg_loc_get_domain_list_req_msg_v01 *req = NULL;
+ int rc;
+ int db_rev_count = 0, domains_read = 0;
+
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-11035/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-11035/ANY/0001.patch
new file mode 100644
index 00000000..1e2f4867
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-11035/ANY/0001.patch
@@ -0,0 +1,62 @@
+From c5060da3e741577578d66dfadb7922d853da6156 Mon Sep 17 00:00:00 2001
+From: Naveen Rawat
+Date: Tue, 13 Jun 2017 17:29:51 -0700
+Subject: qcacld-3.0: Add check for set_ft_ies buffer length
+
+Add check for buffer length in function sme_set_ft_ies.
+
+Change-Id: I7adc56e23316c0ceb193a5bdf8c4c0b5f4fbd20a
+CRs-Fixed: 2055659
+---
+ core/hdd/src/wlan_hdd_wext.c | 5 +++++
+ core/sme/src/common/sme_ft_api.c | 4 ++--
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/core/hdd/src/wlan_hdd_wext.c b/core/hdd/src/wlan_hdd_wext.c
+index 637588d..9b35d19 100644
+--- a/core/hdd/src/wlan_hdd_wext.c
++++ b/core/hdd/src/wlan_hdd_wext.c
+@@ -13692,6 +13692,11 @@ static const struct iw_priv_args we_private_args[] = {
+ IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 1,
+ "hostroamdelay"}
+ ,
++
++ {WLAN_PRIV_SET_FTIES,
++ IW_PRIV_TYPE_CHAR | MAX_FTIE_SIZE,
++ 0,
++ "set_ft_ies"},
+ };
+
+ const struct iw_handler_def we_handler_def = {
+diff --git a/core/sme/src/common/sme_ft_api.c b/core/sme/src/common/sme_ft_api.c
+index de4b656..f97b2e4 100644
+--- a/core/sme/src/common/sme_ft_api.c
++++ b/core/sme/src/common/sme_ft_api.c
+@@ -150,6 +150,7 @@ void sme_set_ft_ies(tHalHandle hal_ptr, uint32_t session_id,
+ switch (session->ftSmeContext.FTState) {
+ case eFT_START_READY:
+ case eFT_AUTH_REQ_READY:
++ sme_debug("ft_ies_length: %d", ft_ies_length);
+ if ((session->ftSmeContext.auth_ft_ies) &&
+ (session->ftSmeContext.auth_ft_ies_length)) {
+ /* Free the one we recvd last from supplicant */
+@@ -157,6 +158,7 @@ void sme_set_ft_ies(tHalHandle hal_ptr, uint32_t session_id,
+ session->ftSmeContext.auth_ft_ies_length = 0;
+ session->ftSmeContext.auth_ft_ies = NULL;
+ }
++ ft_ies_length = QDF_MIN(ft_ies_length, MAX_FTIE_SIZE);
+ /* Save the FT IEs */
+ session->ftSmeContext.auth_ft_ies =
+ qdf_mem_malloc(ft_ies_length);
+@@ -169,8 +171,6 @@ void sme_set_ft_ies(tHalHandle hal_ptr, uint32_t session_id,
+ qdf_mem_copy((uint8_t *)session->ftSmeContext.auth_ft_ies,
+ ft_ies, ft_ies_length);
+ session->ftSmeContext.FTState = eFT_AUTH_REQ_READY;
+-
+- sme_debug("ft_ies_length: %d", ft_ies_length);
+ break;
+
+ case eFT_AUTH_COMPLETE:
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-11035/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-11035/ANY/0002.patch
new file mode 100644
index 00000000..511300b0
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-11035/ANY/0002.patch
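Review bot: `ft_ies_length = QDF_MIN(ft_ies_length, MAX_FTIE_SIZE);` silently truncates an oversized buffer instead of rejecting it, so `auth_ft_ies` can end up holding a partial information element that later consumers have to parse; the qcacld-2.0 port (CVE-2017-11035/ANY/0002.patch) uses the same clamp, `MIN(ft_ies_length, MAX_FTIE_SIZE)`, in `sme_SetFTIEs`. Rejecting the request with an error log, `if (ft_ies_length > MAX_FTIE_SIZE) break;`, would make the bad input visible rather than storing a cut-off copy. The declaration of `ft_ies_length` is outside the hunk: if it is a signed type, a negative value passes a MIN clamp unchanged and reaches the allocation and the copy, so the lower bound needs checking too. The debug print was also moved ahead of the clamp, so it logs the requested length, not the length actually stored.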
@@ -0,0 +1,72 @@
+From cc1896424ae7a346090f601bc69c6ca51d9c3e04 Mon Sep 17 00:00:00 2001
+From: Nishank Aggarwal
+Date: Tue, 27 Jun 2017 12:34:21 +0530
+Subject: qcacld-2.0: Add check for set_ft_ies buffer length
+
+qcacld-3.0 to qcacld-2.0 propagation
+
+Add check for buffer length in function sme_set_ft_ies.
+
+Change-Id: I7adc56e23316c0ceb193a5bdf8c4c0b5f4fbd20a
+CRs-Fixed: 2070583
+---
+ CORE/HDD/src/wlan_hdd_wext.c | 4 ++++
+ CORE/SME/src/sme_common/sme_FTApi.c | 8 +++-----
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
+index 72d499c..562f20f 100644
+--- a/CORE/HDD/src/wlan_hdd_wext.c
++++ b/CORE/HDD/src/wlan_hdd_wext.c
+@@ -12598,6 +12598,10 @@ static const struct iw_priv_args we_private_args[] = {
+ { WE_DUMP_DP_TRACE_LEVEL,
+ IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 2,
+ 0, "dump_dp_trace"},
++ {
++ WLAN_PRIV_SET_FTIES,
++ IW_PRIV_TYPE_CHAR | MAX_FTIE_SIZE,
++ 0, "set_ft_ies"},
+ };
+
+
+diff --git a/CORE/SME/src/sme_common/sme_FTApi.c b/CORE/SME/src/sme_common/sme_FTApi.c
+index 26a7ef8..16b1f09 100644
+--- a/CORE/SME/src/sme_common/sme_FTApi.c
++++ b/CORE/SME/src/sme_common/sme_FTApi.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2012-2014, 2016 The Linux Foundation. All rights reserved.
++ * Copyright (c) 2012-2014, 2017 The Linux Foundation. All rights reserved.
+ *
+ * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
+ *
+@@ -163,6 +163,7 @@ void sme_SetFTIEs(tHalHandle hHal, tANI_U32 sessionId, const tANI_U8 *ft_ies,
+ {
+ case eFT_START_READY:
+ case eFT_AUTH_REQ_READY:
++ smsLog( pMac, LOG1, FL("ft_ies_length: %d"), ft_ies_length);
+ if ((pSession->ftSmeContext.auth_ft_ies) &&
+ (pSession->ftSmeContext.auth_ft_ies_length))
+ {
+@@ -171,7 +172,7 @@ void sme_SetFTIEs(tHalHandle hHal, tANI_U32 sessionId, const tANI_U8 *ft_ies,
+ pSession->ftSmeContext.auth_ft_ies_length = 0;
+ pSession->ftSmeContext.auth_ft_ies = NULL;
+ }
+-
++ ft_ies_length = MIN(ft_ies_length, MAX_FTIE_SIZE);
+ // Save the FT IEs
+ pSession->ftSmeContext.auth_ft_ies =
+ vos_mem_malloc(ft_ies_length);
+@@ -187,9 +188,6 @@ void sme_SetFTIEs(tHalHandle hHal, tANI_U32 sessionId, const tANI_U8 *ft_ies,
+ ft_ies,ft_ies_length);
+ pSession->ftSmeContext.FTState = eFT_AUTH_REQ_READY;
+
+-#if defined WLAN_FEATURE_VOWIFI_11R_DEBUG
+- smsLog( pMac, LOG1, "ft_ies_length=%d", ft_ies_length);
+-#endif
+ break;
+
+ case eFT_AUTH_COMPLETE:
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-11040/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-11040/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-11040/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-11040/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-11046/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-11046/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-11046/3.10/0.patch
rename to Patches/Linux_CVEs/CVE-2017-11046/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-11048/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-11048/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-11048/3.10/0.patch
rename to Patches/Linux_CVEs/CVE-2017-11048/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-11050/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-11050/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11050/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-11050/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11050/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-11050/ANY/1.patch deleted file mode 100644 index c45ab055..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11050/ANY/1.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From 4d7233954031dcb34e08fb4f6a82fc3e9f08ce12 Mon Sep 17 00:00:00 2001 -From: "Poddar, Siddarth" -Date: Mon, 3 Jul 2017 15:57:19 +0530 -Subject: [PATCH] qcacld-2.0: Restrict max/min pktlog buffer size using - pktlogconf tool - -Restrict the pktlog buffer size to a minimum of 1MB and maximum -of 16MB using pktlogconf tool or through sysctl command. - -Bug: 62085265 -CRs-Fixed: 2064785 -Change-Id: I2951de86de083b610bb114ff4b9ddcb51c4c3042 -Signed-off-by: Ecco Park ---- - drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/pktlog_ac.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/pktlog_ac.c b/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/pktlog_ac.c -index 3d38ca44617d6..542ff90ba5952 100644 ---- a/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/pktlog_ac.c -+++ b/drivers/staging/qcacld-2.0/CORE/UTILS/PKTLOG/pktlog_ac.c -@@ -389,14 +389,22 @@ pktlog_enable(struct ol_softc *scn, int32_t log_state) - return 0; - } - -+#define ONE_MEGABYTE (1024 * 1024) -+#define MAX_ALLOWED_PKTLOG_SIZE (16 * ONE_MEGABYTE) -+ - int - pktlog_setsize(struct ol_softc *scn, int32_t size) - { - struct ol_pktlog_dev_t *pl_dev = scn->pdev_txrx_handle->pl_dev; - struct ath_pktlog_info *pl_info = pl_dev->pl_info; - -- if (size < 0) -+ if (size < ONE_MEGABYTE || size > MAX_ALLOWED_PKTLOG_SIZE) { -+ printk("%s: Cannot Set Pktlog Buffer size of %d bytes." -+ "Min required is %d MB and Max allowed is %d MB.\n", -+ __func__, size, (ONE_MEGABYTE/ONE_MEGABYTE), -+ (MAX_ALLOWED_PKTLOG_SIZE/ONE_MEGABYTE)); - return -EINVAL; -+ } - - if (size == pl_info->buf_size) - return 0; diff --git a/Patches/Linux_CVEs/CVE-2017-11051/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-11051/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11051/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-11051/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2017-11051/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-11051/ANY/1.patch deleted file mode 100644 index 03320fd4..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11051/ANY/1.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 9e08c4d35fc520e9c375884abdf04493e157a0ea Mon Sep 17 00:00:00 2001 -From: Ashish Kumar Dhanotiya -Date: Thu, 6 Jul 2017 16:51:53 +0530 -Subject: [PATCH] qcacld-2.0: Fix Uninitialized memory issue - -There is a possibility to read uninitialized memory within api -__wlan_hdd_cfg80211_testmode. - -To resolve this issue, initilaize buffer hb_params with zero. - -Bug: 62456806 -Change-Id: Ia8061610a8c35aa7290177c0dcd2c5c36d9fcb35 -CRs-Fixed: 2061755 -Signed-off-by: Ecco Park ---- - drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index 13956f9063ede..9338b4b98ed5e 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -21990,6 +21990,7 @@ static int __wlan_hdd_cfg80211_testmode(struct wiphy *wiphy, - return -ENOMEM; - } - -+ vos_mem_zero(hb_params, sizeof(tSirLPHBReq)); - vos_mem_copy(hb_params, buf, buf_len); - smeStatus = sme_LPHBConfigReq((tHalHandle)(pHddCtx->hHal), - hb_params, diff --git a/Patches/Linux_CVEs/CVE-2017-11052/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-11052/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11052/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-11052/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11052/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-11052/ANY/1.patch deleted file mode 100644 index 3e1ea966..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11052/ANY/1.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From c18c5935d437e4b06ec630d755a42b49e11bd071 Mon Sep 17 00:00:00 2001 -From: Jeff Johnson -Date: Thu, 15 Jun 2017 12:47:46 -0700 -Subject: [PATCH] qcacld-2.0: Properly validate - QCA_WLAN_VENDOR_ATTR_NDP_IFACE_STR - -Currently the QCA_WLAN_VENDOR_ATTR_NDP_IFACE_STR nla_policy specifies -a type of NLA_STRING, but the underlying implementation expects a -NUL-terminated string. Update the policy to correctly use a type of -NLA_NUL_STRING with the len updated to remove the allocation needed -for the terminating NUL. - -Bug: 37687303 -Change-Id: Ic73241511ab73ae63fd7c1a8d6422da91931919c -CRs-Fixed: 2061688 ---- - drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_nan_datapath.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_nan_datapath.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_nan_datapath.c -index 1b5e4db3100c7..469ae96818cf4 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_nan_datapath.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_nan_datapath.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2016 The Linux Foundation. All rights reserved. -+ * Copyright (c) 2016-2017 The Linux Foundation. All rights reserved. - * - * Previously licensed under the ISC license by Qualcomm Atheros, Inc. - * -@@ -38,8 +38,8 @@ static const struct nla_policy - qca_wlan_vendor_ndp_policy[QCA_WLAN_VENDOR_ATTR_NDP_PARAMS_MAX + 1] = { - [QCA_WLAN_VENDOR_ATTR_NDP_SUBCMD] = { .type = NLA_U32 }, - [QCA_WLAN_VENDOR_ATTR_NDP_TRANSACTION_ID] = { .type = NLA_U16 }, -- [QCA_WLAN_VENDOR_ATTR_NDP_IFACE_STR] = { .type = NLA_STRING, -- .len = IFNAMSIZ }, -+ [QCA_WLAN_VENDOR_ATTR_NDP_IFACE_STR] = { .type = NLA_NUL_STRING, -+ .len = IFNAMSIZ - 1 }, - [QCA_WLAN_VENDOR_ATTR_NDP_SERVICE_INSTANCE_ID] = { .type = NLA_U32 }, - [QCA_WLAN_VENDOR_ATTR_NDP_CHANNEL_SPEC_CHANNEL] = { .type = NLA_U32 }, - [QCA_WLAN_VENDOR_ATTR_NDP_PEER_DISCOVERY_MAC_ADDR] = { 
diff --git a/Patches/Linux_CVEs/CVE-2017-11053/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-11053/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-11053/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-11053/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-11053/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-11053/ANY/1.patch
deleted file mode 100644
index d014b1c2..00000000
--- a/Patches/Linux_CVEs/CVE-2017-11053/ANY/1.patch
+++ /dev/null
@@ -1,41 +0,0 @@ -From 6a16567622ff6ccc2a23bd8884b0781995a481b1 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Thu, 3 Aug 2017 16:59:51 -0700 -Subject: [PATCH] qcacld-2.0: Fix kernel memory corruption - -Buffer overflow in ConvertQosMapsetFrame function -when num_dscp_exceptions value is less than 16. - -Fix is to return from function if num_dscp_exceptions -is less than 16. - -Change-Id: I2fcce60b7fe5e988348cee786e9a4d493d9512fe -CRs-Fixed: 2061544 -Bug: 36895857 -Signed-off-by: Srinivas Girigowda ---- - .../staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/utilsParser.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/utilsParser.c b/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/utilsParser.c -index 6c9993935b481..887e33ada81ae 100644 ---- a/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/utilsParser.c -+++ b/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/utilsParser.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2011-2015 The Linux Foundation. All rights reserved. -+ * Copyright (c) 2011-2015, 2017 The Linux Foundation. All rights reserved. - * - * Previously licensed under the ISC license by Qualcomm Atheros, Inc. - * -@@ -706,6 +706,10 @@ void ConvertQosMapsetFrame(tpAniSirGlobal pMac, tSirQosMapSet* Qos, tDot11fIEQos - tANI_U8 i,j=0; - if (dot11fIE->num_dscp_exceptions > 58) - dot11fIE->num_dscp_exceptions = 58; -+ -+ if (dot11fIE->num_dscp_exceptions < 16) -+ return; -+ - Qos->num_dscp_exceptions = (dot11fIE->num_dscp_exceptions - 16)/2; - for (i = 0; i < Qos->num_dscp_exceptions; i++) - { diff --git a/Patches/Linux_CVEs/CVE-2017-11054/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-11054/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11054/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-11054/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2017-11055/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-11055/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11055/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-11055/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11055/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-11055/ANY/1.patch deleted file mode 100644 index 1521b173..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11055/ANY/1.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 9f5af4954a048f408f70c7dfeef0d8f655abca10 Mon Sep 17 00:00:00 2001 -From: Jeff Johnson -Date: Thu, 15 Jun 2017 09:24:17 -0700 -Subject: [PATCH] qcacld-2.0: Apply policy to fine time measurement - -Currently QCA_WLAN_VENDOR_ATTR_CONFIG_FINE_TIME_MEASUREMENT is not -properly represented in the wlan_hdd_wifi_config_policy table, so add -a proper initializer. - -Bug: 37721426 - -Change-Id: I95ba66337c30cae67b23c9942b9360522ad60df0 -CRs-Fixed: 2061241 -Signed-off-by: Ecco Park ---- - drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index 9338b4b98ed5e..af3ab9bc4bd57 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -8051,6 +8051,7 @@ wlan_hdd_wifi_config_policy[QCA_WLAN_VENDOR_ATTR_CONFIG_MAX - [QCA_WLAN_VENDOR_ATTR_CONFIG_MODULATED_DTIM] = {.type = NLA_U32 }, - [QCA_WLAN_VENDOR_ATTR_CONFIG_STATS_AVG_FACTOR] = {.type = NLA_U16 }, - [QCA_WLAN_VENDOR_ATTR_CONFIG_GUARD_TIME] = {.type = NLA_U32 }, -+ [QCA_WLAN_VENDOR_ATTR_CONFIG_FINE_TIME_MEASUREMENT] = {.type = NLA_U32}, - [QCA_WLAN_VENDOR_ATTR_CONFIG_TX_RATE] = {.type = NLA_U16 }, - [QCA_WLAN_VENDOR_ATTR_CONFIG_CHANNEL_AVOIDANCE_IND] = {.type = NLA_U8 }, - [QCA_WLAN_VENDOR_ATTR_CONFIG_TX_MPDU_AGGREGATION] = {.type = NLA_U8 }, 
diff --git a/Patches/Linux_CVEs/CVE-2017-11056/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-11056/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-11056/3.10/0.patch
rename to Patches/Linux_CVEs/CVE-2017-11056/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-11057/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-11057/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-11057/3.10/0.patch
rename to Patches/Linux_CVEs/CVE-2017-11057/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-11054/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-11058/ANY/0001.patch
similarity index 75%
rename from Patches/Linux_CVEs/CVE-2017-11054/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2017-11058/ANY/0001.patch
index e417f8bc..772c38c8 100644
--- a/Patches/Linux_CVEs/CVE-2017-11054/ANY/1.patch
+++ b/Patches/Linux_CVEs/CVE-2017-11058/ANY/0001.patch
@@ -1,26 +1,24 @@
-From 7dff4291c6aecad9143b8fc2c0769f818834c33a Mon Sep 17 00:00:00 2001
+From 4d9812973e8b12700afd8c3d6f36a94506ffb6fc Mon Sep 17 00:00:00 2001
From: Jeff Johnson Date: Thu, 15 Jun 2017 10:51:02 -0700 -Subject: [PATCH] qcacld-2.0: Avoid overread when configuring MAC addresses +Subject: qcacld-2.0: Avoid overread when configuring MAC addresses Currently there are multiple cfg80211 vendor commands where MAC address attributes are defined in a nla_policy table with a type of NLA_UNSPEC but without a minimum length. Add the proper minimum length to avoid buffer overread. -Bug: 37713609 Change-Id: I11ff2bd813dc4e6784a7cdee66a0c10ca0e69fcf CRs-Fixed: 2061251 -Signed-off-by: Ecco Park --- - .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 24 +++++++++++++++------- - 1 file changed, 17 insertions(+), 7 deletions(-) + CORE/HDD/src/wlan_hdd_cfg80211.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index 6849a6c82f821..94b161e37a59a 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -833,7 +833,9 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_ +diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c +index 1ac1fc1..2ec3d68 100644 +--- a/CORE/HDD/src/wlan_hdd_cfg80211.c ++++ b/CORE/HDD/src/wlan_hdd_cfg80211.c +@@ -841,7 +841,9 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_CACHED_SCAN_RESULTS_CONFIG_PARAM_FLUSH] = { .type = NLA_U8 }, [QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_CACHED_SCAN_RESULTS_CONFIG_PARAM_MAX] = { .type = NLA_U32 }, 
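Review bot: The replacement patch now addresses `a/CORE/HDD/src/wlan_hdd_cfg80211.c`, where the version it replaces used `a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c`, so it no longer applies from the kernel root at the same strip level as before. The script that consumes `Patches/Linux_CVEs/*/ANY/` is not visible here; if it treats a failed apply as "not applicable", this fix would be skipped without any error. The import should either keep the in-tree paths or record the directory the patch must be applied in, for example `git apply --directory=drivers/staging/qcacld-2.0`. This header hunk also drops the `Bug:` and `Signed-off-by:` trailers, so a one-line note in the preamble naming the upstream source would keep the provenance.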
@@ -31,7 +29,7 @@ index 6849a6c82f821..94b161e37a59a 100644 [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_RSSI_LOW] = { .type = NLA_S32 }, [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_RSSI_HIGH] = { .type = NLA_S32 }, [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_CHANNEL] = { .type = NLA_U32 }, -@@ -6742,7 +6744,9 @@ int wlan_hdd_send_roam_auth_event(hdd_context_t *hdd_ctx_ptr, uint8_t *bssid, +@@ -8080,7 +8082,9 @@ wlan_hdd_cfg80211_get_logger_supp_feature(struct wiphy *wiphy, static const struct nla_policy wlan_hdd_tdls_config_enable_policy[QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAX +1] = { @@ -42,7 +40,7 @@ index 6849a6c82f821..94b161e37a59a 100644 [QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_CHANNEL] = {.type = NLA_S32 }, [QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_GLOBAL_OPERATING_CLASS] = {.type = NLA_S32 }, -@@ -6754,15 +6758,18 @@ wlan_hdd_tdls_config_enable_policy[QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAX +1] = +@@ -8092,15 +8096,18 @@ wlan_hdd_tdls_config_enable_policy[QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAX +1] = static const struct nla_policy wlan_hdd_tdls_config_disable_policy[QCA_WLAN_VENDOR_ATTR_TDLS_DISABLE_MAX +1] = { @@ -64,7 +62,7 @@ index 6849a6c82f821..94b161e37a59a 100644 [QCA_WLAN_VENDOR_ATTR_TDLS_NEW_STATE] = {.type = NLA_U32 }, [QCA_WLAN_VENDOR_ATTR_TDLS_STATE_REASON] = {.type = NLA_S32 }, [QCA_WLAN_VENDOR_ATTR_TDLS_STATE_CHANNEL] = {.type = NLA_U32 }, -@@ -6775,7 +6782,9 @@ static const struct nla_policy +@@ -8113,7 +8120,9 @@ static const struct nla_policy wlan_hdd_tdls_config_get_status_policy[ QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_MAX +1] = { 
@@ -75,13 +73,18 @@ index 6849a6c82f821..94b161e37a59a 100644 [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_STATE] = {.type = NLA_U32 }, [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_REASON] = {.type = NLA_S32 }, [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_CHANNEL] = {.type = NLA_U32 }, -@@ -8493,7 +8502,8 @@ static const struct +@@ -10761,8 +10770,9 @@ static int __wlan_hdd_cfg80211_wifi_logger_start(struct wiphy *wiphy, + static const struct nla_policy qca_wlan_vendor_attr_policy[QCA_WLAN_VENDOR_ATTR_MAX+1] = { - [QCA_WLAN_VENDOR_ATTR_MAC_ADDR] = { -- .type = NLA_BINARY, .len = VOS_MAC_ADDR_SIZE }, +- [QCA_WLAN_VENDOR_ATTR_MAC_ADDR] = +- { .type = NLA_BINARY, .len = VOS_MAC_ADDR_SIZE }, ++ [QCA_WLAN_VENDOR_ATTR_MAC_ADDR] = { + .type = NLA_BINARY, + .len = HDD_MAC_ADDR_LEN}, }; /** +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-11059/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-11059/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11059/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2017-11059/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11060/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-11060/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11060/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-11060/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11060/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-11060/ANY/1.patch deleted file mode 100644 index 99dd14b9..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11060/ANY/1.patch +++ /dev/null 
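Review bot: The `qca_wlan_vendor_attr_policy` entry in the last hunk of the renamed CVE-2017-11058 patch stays `.type = NLA_BINARY`, and for that type the kernel's policy check treats `.len` as an upper bound only, so a `QCA_WLAN_VENDOR_ATTR_MAC_ADDR` attribute shorter than `HDD_MAC_ADDR_LEN` still passes `nla_parse()`. The commit message describes adding a minimum length, which holds for `NLA_UNSPEC` entries but not for this one. The handler that reads the attribute is outside the hunk, so confirm it rejects `nla_len(...) < HDD_MAC_ADDR_LEN` before copying, or add that check. A comment on the entry such as `/* NLA_BINARY: .len is a maximum; length re-checked by the handler */` would record the assumption.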
@@ -1,97 +0,0 @@ -From 5204ea3cae1b07aad76d9d831e46dfaea492f488 Mon Sep 17 00:00:00 2001 -From: Mukul Sharma -Date: Mon, 19 Jun 2017 19:21:42 +0530 -Subject: [PATCH] qcacld-2.0: Avoid buffer overread when parsing PNO commands - -Propagation from qcacld-3.0 to qcacld-2.0 - -There are currently three issues which can result in a buffer overread -when processing PNO vendor commands: -1) __wlan_hdd_cfg80211_set_passpoint_list() specifies the wrong policy - when invoking nla_parse(). -2) hdd_extscan_passpoint_fill_network_list() does not specify a policy - when invoking nla_parse(). -3) __wlan_hdd_cfg80211_set_epno_list() specifies a policy but not all - of the attributes that are parsed are present in the policy. -To prevent buffer overread: -1) Update __wlan_hdd_cfg80211_set_passpoint_list() and - hdd_extscan_passpoint_fill_network_list() to use the policy - wlan_hdd_pno_config_policy. -2) Update wlan_hdd_pno_config_policy to contain all the fixed-length - attributes needed by __wlan_hdd_cfg80211_set_passpoint_list(), - hdd_extscan_passpoint_fill_network_list(), and - __wlan_hdd_cfg80211_set_epno_list(). 
- -Bug: 36817548 -Bug: 36815952 -Change-Id: I4a20e77ce87967ae78323b83a2aa9085fed2647f -CRs-Fixed: 2058447 -Signed-off-by: Ecco Park ---- - .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 32 ++++++++++++++++++++-- - 1 file changed, 30 insertions(+), 2 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index 94b161e37a59a..c7d271f91ceb9 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -857,6 +857,12 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_ - - static const struct nla_policy - wlan_hdd_pno_config_policy[QCA_WLAN_VENDOR_ATTR_PNO_MAX + 1] = { -+ [QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM] = { -+ .type = NLA_U32 -+ }, -+ [QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ID] = { -+ .type = NLA_U32 -+ }, - [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_NUM_NETWORKS] = { - .type = NLA_U32 - }, -@@ -870,6 +876,27 @@ wlan_hdd_pno_config_policy[QCA_WLAN_VENDOR_ATTR_PNO_MAX + 1] = { - [QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_AUTH_BIT] = { - .type = NLA_U8 - }, -+ [QCA_WLAN_VENDOR_ATTR_EPNO_MIN5GHZ_RSSI] = { -+ .type = NLA_U32 -+ }, -+ [QCA_WLAN_VENDOR_ATTR_EPNO_MIN24GHZ_RSSI] = { -+ .type = NLA_U32 -+ }, -+ [QCA_WLAN_VENDOR_ATTR_EPNO_INITIAL_SCORE_MAX] = { -+ .type = NLA_U32 -+ }, -+ [QCA_WLAN_VENDOR_ATTR_EPNO_CURRENT_CONNECTION_BONUS] = { -+ .type = NLA_U32 -+ }, -+ [QCA_WLAN_VENDOR_ATTR_EPNO_SAME_NETWORK_BONUS] = { -+ .type = NLA_U32 -+ }, -+ [QCA_WLAN_VENDOR_ATTR_EPNO_SECURE_BONUS] = { -+ .type = NLA_U32 -+ }, -+ [QCA_WLAN_VENDOR_ATTR_EPNO_BAND5GHZ_BONUS] = { -+ .type = NLA_U32 -+ }, - }; - - static const struct nla_policy -@@ -4696,7 +4723,8 @@ static int hdd_extscan_passpoint_fill_network_list( - - if (nla_parse(network, - QCA_WLAN_VENDOR_ATTR_PNO_MAX, -- nla_data(networks), nla_len(networks), NULL)) { -+ 
nla_data(networks), nla_len(networks), -+ wlan_hdd_pno_config_policy)) { - hddLog(LOGE, FL("nla_parse failed")); - return -EINVAL; - } -@@ -4918,7 +4946,7 @@ static int __wlan_hdd_cfg80211_reset_passpoint_list(struct wiphy *wiphy, - } - - if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_PNO_MAX, data, data_len, -- wlan_hdd_extscan_config_policy)) { -+ wlan_hdd_pno_config_policy)) { - hddLog(LOGE, FL("Invalid ATTR")); - return -EINVAL; - } diff --git a/Patches/Linux_CVEs/CVE-2017-11060/ANY/2.patch b/Patches/Linux_CVEs/CVE-2017-11060/ANY/2.patch deleted file mode 100644 index 2de4d635..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11060/ANY/2.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From 49eec96af9448e23a8fc2e41f67db948983b8427 Mon Sep 17 00:00:00 2001 -From: Ecco Park -Date: Wed, 16 Aug 2017 16:45:03 -0700 -Subject: [PATCH] qcacld-2.0: Avoid buffer overread when parsing PNO commands - -fix merge of 5204ea3cae1b07aad76d9d831e46dfaea492f488 - -Bug: 36817548 -Change-Id: Ie5abe6ed5797588688f3a83cf12a964429ed11d3 -Signed-off-by: Ecco Park ---- - drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index da139cf225ce2..9029ef3b9e4a3 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -4873,7 +4873,7 @@ static int __wlan_hdd_cfg80211_set_passpoint_list(struct wiphy *wiphy, - } - - if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_PNO_MAX, data, data_len, -- wlan_hdd_extscan_config_policy)) { -+ wlan_hdd_pno_config_policy)) { - hddLog(LOGE, FL("Invalid ATTR")); - return -EINVAL; - } -@@ -4994,7 +4994,7 @@ static int __wlan_hdd_cfg80211_reset_passpoint_list(struct wiphy *wiphy, - } - - if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_PNO_MAX, data, data_len, -- wlan_hdd_pno_config_policy)) { -+ wlan_hdd_extscan_config_policy)) { - hddLog(LOGE, FL("Invalid ATTR")); - return -EINVAL; - } diff --git a/Patches/Linux_CVEs/CVE-2017-11061/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-11061/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11061/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-11061/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11061/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-11061/ANY/1.patch deleted file mode 100644 index 22bcd96e..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11061/ANY/1.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From 42a28a93ef19863c39ade86843efb83efc845344 Mon Sep 17 00:00:00 2001 -From: Ravi Kumar Bokka -Date: Mon, 12 Jun 2017 21:34:30 +0530 -Subject: [PATCH] qcacld-2.0: Validate vendor set roaming params command - -Currently there is no nl policy defined for vendor sub command -QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX which may result in -buffer overread error. - -To resolve this, add nl policy. - -Bug: 36816726 -Change-Id: Ib5d3c34dbcec29a98766753efc4e9c4ecf748c2e -CRs-Fixed: 2059701 -Signed-off-by: Ecco Park ---- - .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 51 ++++++++++++++++++++-- - 1 file changed, 47 insertions(+), 4 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index b788566363d87..5ca269bab9cf6 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -1809,6 +1809,49 @@ wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy, - return ret; - } - -+#define MAX_ROAMING_PARAM \ -+ QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX -+ -+static const struct nla_policy -+wlan_hdd_set_roam_param_policy[MAX_ROAMING_PARAM + 1] = { -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_SUBCMD] = {.type = NLA_U32}, -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_REQ_ID] = {.type = NLA_U32}, -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_WHITE_LIST_SSID_NUM_NETWORKS] = { -+ .type = NLA_U32}, -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_WHITE_LIST_SSID_LIST] = { -+ .type = NLA_U32}, -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_WHITE_LIST_SSID] = { -+ .type = NLA_U32}, -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_BOOST_THRESHOLD] = { -+ .type = NLA_S32}, -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_PENALTY_THRESHOLD] = { -+ .type = NLA_S32}, -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_BOOST_FACTOR] = { -+ .type = NLA_U32}, -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_PENALTY_FACTOR] = { -+ .type = NLA_U32}, -+ 
[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_MAX_BOOST] = { -+ .type = NLA_U32}, -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_LAZY_ROAM_HISTERESYS] = { -+ .type = NLA_S32}, -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_ALERT_ROAM_RSSI_TRIGGER] = { -+ .type = NLA_U32}, -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_ENABLE] = { -+ .type = NLA_S32}, -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID] = { -+ .type = NLA_U32}, -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_BSSID] = { -+ .type = NLA_BINARY, -+ .len = MAC_ADDRESS_STR_LEN}, -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_RSSI_MODIFIER] = { -+ .type = NLA_U32}, -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID] = { -+ .type = NLA_U32}, -+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_BSSID] = { -+ .type = NLA_BINARY, -+ .len = MAC_ADDRESS_STR_LEN}, -+}; -+ - static int - __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - struct wireless_dev *wdev, -@@ -1840,7 +1883,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - - if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - data, data_len, -- NULL)) { -+ wlan_hdd_set_roam_param_policy)) { - hddLog(LOGE, FL("Invalid ATTR")); - return -EINVAL; - } -@@ -1869,7 +1912,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_MAX, - nla_data(curr_attr), nla_len(curr_attr), -- NULL)) { -+ wlan_hdd_set_roam_param_policy)) { - hddLog(LOGE, FL("nla_parse failed")); - goto fail; - } -@@ -2024,7 +2067,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - nla_data(curr_attr), nla_len(curr_attr), -- NULL)) { -+ wlan_hdd_set_roam_param_policy)) { - hddLog(LOGE, FL("nla_parse failed")); - goto fail; - } -@@ -2086,7 +2129,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, - if (nla_parse(tb2, - QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, - 
nla_data(curr_attr), nla_len(curr_attr), -- NULL)) { -+ wlan_hdd_set_roam_param_policy)) { - hddLog(LOGE, FL("nla_parse failed")); - goto fail; - } diff --git a/Patches/Linux_CVEs/CVE-2017-11062/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-11062/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11062/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-11062/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11062/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-11062/ANY/1.patch deleted file mode 100644 index f517a6f9..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11062/ANY/1.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From 6d19d7d4e0ff7e7e4c80c49414a016035ac70a3c Mon Sep 17 00:00:00 2001 -From: Ashish Kumar Dhanotiya -Date: Tue, 13 Jun 2017 18:41:49 +0530 -Subject: [PATCH] qcacld-2.0: Validate vendor command do_acs - -Currently attributes are not validated in __wlan_hdd_cfg80211_do_acs, -this can lead to a buffer overread. - -To resolve this issue, Define an nla_policy and validate the -attributes. - -Bug: 37720349 -CRs-Fixed: 2058448 -Change-Id: Ic1bd5abbef09407f925625b709f10cf9cb7c3d7f -Signed-off-by: Ecco Park ---- - .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 24 ++++++++++------------ - 1 file changed, 11 insertions(+), 13 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index af3ab9bc4bd57..6849a6c82f821 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -7665,6 +7665,16 @@ static int wlan_hdd_cfg80211_start_acs(hdd_adapter_t *adapter) - return 0; - } - -+static const struct nla_policy -+wlan_hdd_cfg80211_do_acs_policy[QCA_WLAN_VENDOR_ATTR_ACS_MAX+1] = { -+ [QCA_WLAN_VENDOR_ATTR_ACS_HW_MODE] = { .type = NLA_U8 }, -+ [QCA_WLAN_VENDOR_ATTR_ACS_HT_ENABLED] = { .type = NLA_FLAG }, -+ [QCA_WLAN_VENDOR_ATTR_ACS_HT40_ENABLED] = { .type = NLA_FLAG }, -+ [QCA_WLAN_VENDOR_ATTR_ACS_VHT_ENABLED] = { .type = NLA_FLAG }, -+ [QCA_WLAN_VENDOR_ATTR_ACS_CHWIDTH] = { .type = NLA_U16 }, -+ [QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST] = { .type = NLA_UNSPEC }, -+}; -+ - /** - * __wlan_hdd_cfg80211_do_acs : CFG80211 handler fucntion for DO_ACS Vendor CMD - * @wiphy: Linux wiphy struct pointer -@@ -7710,18 +7720,6 @@ static int __wlan_hdd_cfg80211_do_acs(struct wiphy *wiphy, - * config shall be set only from start_acs. - */ - -- /* nla_policy Policy template. 
Policy not applied as some attributes are -- * optional and QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST has variable length -- * -- * [QCA_WLAN_VENDOR_ATTR_ACS_HW_MODE] = { .type = NLA_U8 }, -- * [QCA_WLAN_VENDOR_ATTR_ACS_HT_ENABLED] = { .type = NLA_FLAG }, -- * [QCA_WLAN_VENDOR_ATTR_ACS_HT40_ENABLED] = { .type = NLA_FLAG }, -- * [QCA_WLAN_VENDOR_ATTR_ACS_VHT_ENABLED] = { .type = NLA_FLAG }, -- * [QCA_WLAN_VENDOR_ATTR_ACS_CHWIDTH] = { .type = NLA_U16 }, -- * [QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST] = { .type = NLA_NESTED }, -- */ -- -- - status = wlan_hdd_validate_context(hdd_ctx); - if (0 != status) - return status; -@@ -7730,7 +7728,7 @@ static int __wlan_hdd_cfg80211_do_acs(struct wiphy *wiphy, - vos_mem_zero(&sap_config->acs_cfg, sizeof(struct sap_acs_cfg)); - - status = nla_parse(tb, QCA_WLAN_VENDOR_ATTR_ACS_MAX, data, data_len, -- NULL); -+ wlan_hdd_cfg80211_do_acs_policy); - if (status) { - hddLog(VOS_TRACE_LEVEL_ERROR, FL("Invalid ATTR")); - goto out; diff --git a/Patches/Linux_CVEs/CVE-2017-11064/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-11064/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11064/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-11064/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11064/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-11064/ANY/1.patch deleted file mode 100644 index 39b5f6b8..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11064/ANY/1.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 856abd9ad16d9d69e688d06a1f548c2f8df67c02 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Fri, 11 Aug 2017 12:58:11 -0700 -Subject: [PATCH] qcacld-2.0: Add an attribute to represent PNO/EPNO Request ID - -This request ID was wrongly referred from the REQUEST_ID in -enum qca_wlan_vendor_attr_gscan_config_params which is mapped to -QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM in PNO Config. -Hence define a different attribute to represent the request ID -for the PNO Config. - -CRs-Fixed: 2066628 -Change-Id: I2b5efe78605d07d92db564a987ea0ae4ff0a2cc8 -Bug: 36815952 -Signed-off-by: Srinivas Girigowda ---- - drivers/staging/qcacld-2.0/CORE/HDD/inc/wlan_hdd_cfg80211.h | 2 ++ - drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 7 +++++-- - 2 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/inc/wlan_hdd_cfg80211.h b/drivers/staging/qcacld-2.0/CORE/HDD/inc/wlan_hdd_cfg80211.h -index 23770788afd2a..bf3b4fe65d961 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/inc/wlan_hdd_cfg80211.h -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/inc/wlan_hdd_cfg80211.h -@@ -1285,6 +1285,8 @@ enum qca_wlan_vendor_attr_pno_config_params { - */ - QCA_WLAN_VENDOR_ATTR_EPNO_BAND5GHZ_BONUS = 22, - -+ /* Unsigned 32-bit value, representing the PNO Request ID */ -+ QCA_WLAN_VENDOR_ATTR_PNO_CONFIG_REQUEST_ID = 23, - - /* keep last */ - QCA_WLAN_VENDOR_ATTR_PNO_AFTER_LAST, -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index 9029ef3b9e4a3..178cf32975efb 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -901,6 +901,9 @@ wlan_hdd_pno_config_policy[QCA_WLAN_VENDOR_ATTR_PNO_MAX + 1] = { - [QCA_WLAN_VENDOR_ATTR_EPNO_BAND5GHZ_BONUS] = { - .type = NLA_U32 - }, -+ [QCA_WLAN_VENDOR_ATTR_PNO_CONFIG_REQUEST_ID] = { -+ .type = NLA_U32 -+ 
}, - }; - - static const struct nla_policy -@@ -4607,12 +4610,12 @@ static int __wlan_hdd_cfg80211_set_epno_list(struct wiphy *wiphy, - req_msg->num_networks = num_networks; - - /* Parse and fetch request Id */ -- if (!tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID]) { -+ if (!tb[QCA_WLAN_VENDOR_ATTR_PNO_CONFIG_REQUEST_ID]) { - hddLog(LOGE, FL("attr request id failed")); - goto fail; - } - req_msg->request_id = nla_get_u32( -- tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID]); -+ tb[QCA_WLAN_VENDOR_ATTR_PNO_CONFIG_REQUEST_ID]); - - req_msg->session_id = adapter->sessionId; - hddLog(LOG1, FL("Req Id %u Session Id %d"), diff --git a/Patches/Linux_CVEs/CVE-2017-11067/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-11067/ANY/0.patch deleted file mode 100644 index 1cf5d43b..00000000 --- a/Patches/Linux_CVEs/CVE-2017-11067/ANY/0.patch +++ /dev/null 
@@ -1,147 +0,0 @@ -From a172c24c714b118cd15a5295d11e992216785a82 Mon Sep 17 00:00:00 2001 -From: Govind Singh -Date: Fri, 2 Dec 2016 15:31:18 +0530 -Subject: qcacld-2.0: Check target address boundary before access - -LTP tests each procfs entry with random address, as athdiag -procfs does not have address sanity check. This is resulting in -invalid ioread32/iowrite32. - -Fix this by checking address with in PCIE BAR range. - -Change-Id: I8365eacca7ccc4f489b7d0bda6c998384d0fec7b -CRs-Fixed: 1097111 ---- - CORE/SERVICES/COMMON/hif.h | 8 ++++++++ - CORE/SERVICES/HIF/PCIe/hif_pci.c | 26 ++++++++++++++++++++++++++ - CORE/SERVICES/HIF/PCIe/if_pci.c | 1 + - CORE/SERVICES/HIF/PCIe/if_pci.h | 2 +- - CORE/SERVICES/HIF/ath_procfs.c | 11 ++++++++--- - 5 files changed, 44 insertions(+), 4 deletions(-) - -diff --git a/CORE/SERVICES/COMMON/hif.h b/CORE/SERVICES/COMMON/hif.h -index a3c31af..06a02ee 100644 ---- a/CORE/SERVICES/COMMON/hif.h -+++ b/CORE/SERVICES/COMMON/hif.h -@@ -880,4 +880,12 @@ static inline void hif_request_runtime_pm_resume(void *ol_sc) - - A_BOOL HIFIsMailBoxSwapped(HIF_DEVICE *hd); - -+#ifdef HIF_PCI -+int hif_addr_in_boundary(HIF_DEVICE *hif_device, A_UINT32 offset); -+#else -+static inline int hif_addr_in_boundary(HIF_DEVICE *hif_device, A_UINT32 offset) -+{ -+ return 0; -+} -+#endif - #endif /* _HIF_H_ */ -diff --git a/CORE/SERVICES/HIF/PCIe/hif_pci.c b/CORE/SERVICES/HIF/PCIe/hif_pci.c -index 2e1d580..e640b45 100644 ---- a/CORE/SERVICES/HIF/PCIe/hif_pci.c -+++ b/CORE/SERVICES/HIF/PCIe/hif_pci.c -@@ -3627,3 +3627,29 @@ bool hif_is_80211_fw_wow_required(void) - { - return false; - } -+ -+/* hif_addr_in_boundary() - API to check if addr is with in PCIE BAR range -+ * @hif_device: context of cd -+ * @offset: offset from PCI BAR mapped base address. -+ * -+ * API determines if address to be accessed is with in range or out -+ * of bound. -+ * -+ * Return: success if address is with in PCI BAR range. 
-+ */ -+int hif_addr_in_boundary(HIF_DEVICE *hif_device, A_UINT32 offset) -+{ -+ struct HIF_CE_state *hif_state; -+ struct hif_pci_softc *sc; -+ -+ hif_state = (struct HIF_CE_state *)hif_device; -+ sc = hif_state->sc; -+ if (unlikely(offset + sizeof(unsigned int) > sc->mem_len)) { -+ VOS_TRACE(VOS_MODULE_ID_HIF, VOS_TRACE_LEVEL_ERROR, -+ "refusing to read mmio out of bounds at 0x%08x - 0x%08zx (max 0x%08zx)\n", -+ offset, offset + sizeof(unsigned int), sc->mem_len); -+ return -EINVAL; -+ } -+ -+ return 0; -+} -diff --git a/CORE/SERVICES/HIF/PCIe/if_pci.c b/CORE/SERVICES/HIF/PCIe/if_pci.c -index 018855c..f4988c7 100644 ---- a/CORE/SERVICES/HIF/PCIe/if_pci.c -+++ b/CORE/SERVICES/HIF/PCIe/if_pci.c -@@ -1682,6 +1682,7 @@ again: - - OS_MEMZERO(sc, sizeof(*sc)); - sc->mem = mem; -+ sc->mem_len = pci_resource_len(pdev, BAR_NUM); - sc->pdev = pdev; - sc->dev = &pdev->dev; - -diff --git a/CORE/SERVICES/HIF/PCIe/if_pci.h b/CORE/SERVICES/HIF/PCIe/if_pci.h -index ffb4df9..0abd26a 100644 ---- a/CORE/SERVICES/HIF/PCIe/if_pci.h -+++ b/CORE/SERVICES/HIF/PCIe/if_pci.h -@@ -82,7 +82,7 @@ struct hif_pci_pm_stats { - struct hif_pci_softc { - void __iomem *mem; /* PCI address. */ - /* For efficiency, should be first in struct */ -- -+ size_t mem_len; - struct device *dev; - struct pci_dev *pdev; - struct _NIC_DEV aps_osdev; -diff --git a/CORE/SERVICES/HIF/ath_procfs.c b/CORE/SERVICES/HIF/ath_procfs.c -index 7b653a1..cfdf97a 100644 ---- a/CORE/SERVICES/HIF/ath_procfs.c -+++ b/CORE/SERVICES/HIF/ath_procfs.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2013 The Linux Foundation. All rights reserved. -+ * Copyright (c) 2013, 2016 The Linux Foundation. All rights reserved. - * - * Previously licensed under the ISC license by Qualcomm Atheros, Inc. 
- * -@@ -90,13 +90,16 @@ static ssize_t ath_procfs_diag_read(struct file *file, char __user *buf, - int rv; - A_UINT8 *read_buffer = NULL; - -+ hif_hdl = get_hif_hdl_from_file(file); -+ if (hif_addr_in_boundary(hif_hdl, (A_UINT32)(*pos))) -+ return -EINVAL; -+ - read_buffer = (A_UINT8 *)vos_mem_malloc(count); - if (NULL == read_buffer) { - pr_debug("%s: vos_mem_alloc failed\n", __func__); - return -EINVAL; - } - -- hif_hdl = get_hif_hdl_from_file(file); - pr_debug("rd buff 0x%p cnt %zu offset 0x%x buf 0x%p\n", - read_buffer,count, - (int)*pos, buf); -@@ -130,6 +133,9 @@ static ssize_t ath_procfs_diag_write(struct file *file, const char __user *buf, - int rv; - A_UINT8 *write_buffer = NULL; - -+ hif_hdl = get_hif_hdl_from_file(file); -+ if (hif_addr_in_boundary(hif_hdl, (A_UINT32)(*pos))) -+ return -EINVAL; - write_buffer = (A_UINT8 *)vos_mem_malloc(count); - if (NULL == write_buffer) { - pr_debug("%s: vos_mem_alloc failed\n", __func__); -@@ -140,7 +146,6 @@ static ssize_t ath_procfs_diag_write(struct file *file, const char __user *buf, - return -EFAULT; - } - -- hif_hdl = get_hif_hdl_from_file(file); - pr_debug("wr buff 0x%p buf 0x%p cnt %zu offset 0x%x value 0x%x\n", - write_buffer, buf, count, - (int)*pos, *((A_UINT32 *)write_buffer)); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-11067/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-11067/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11067/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2017-11067/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-11600/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-11600/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-11600/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2017-11600/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2017-12146/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-12146/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-12146/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-12146/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-12153/3.16/0.patch b/Patches/Linux_CVEs/CVE-2017-12153/3.2-3.16/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-12153/3.16/0.patch
rename to Patches/Linux_CVEs/CVE-2017-12153/3.2-3.16/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0001.patch
similarity index 59%
rename from Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0001.patch
index 7d726744..f5f18700 100644
--- a/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0.patch
+++ b/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0001.patch
@@ -1,7 +1,7 @@
-From 3f83649ff66900caab28f576b5169e011afe1580 Mon Sep 17 00:00:00 2001
+From 6fef7504fdb639dea2fbc0cbbd10963953f443da Mon Sep 17 00:00:00 2001
 From: James Yonan
 Date: Thu, 26 Sep 2013 02:20:39 -0600
-Subject: [PATCH 1/3] crypto: crypto_memneq - add equality testing of memory
+Subject: [PATCH] crypto: crypto_memneq - add equality testing of memory
 regions w/o timing leaks
 
 When comparing MAC hashes, AEAD authentication tags, or other hash
@@ -369,263 +369,3 @@ index 418d270e180..e73c19e90e3 100644 +} +#endif /* _CRYPTO_ALGAPI_H */ --- -2.15.0 - - -From cc5616af91b2ac309c62afe2b784fde49f92ff18 Mon Sep 17 00:00:00 2001 -From: Cesar Eduardo Barros -Date: Mon, 25 Nov 2013 22:00:41 -0200 -Subject: [PATCH 2/3] crypto: more robust crypto_memneq - -Disabling compiler optimizations can be fragile, since a new -optimization could be added to -O0 or -Os that breaks the assumptions -the code is making. - -Instead of disabling compiler optimizations, use a dummy inline assembly -(based on RELOC_HIDE) to block the problematic kinds of optimization, -while still allowing other optimizations to be applied to the code. - -The dummy inline assembly is added after every OR, and has the -accumulator variable as its input and output. The compiler is forced to -assume that the dummy inline assembly could both depend on the -accumulator variable and change the accumulator variable, so it is -forced to compute the value correctly before the inline assembly, and -cannot assume anything about its value after the inline assembly. - -This change should be enough to make crypto_memneq work correctly (with -data-independent timing) even if it is inlined at its call sites. That -can be done later in a followup patch. - -Compile-tested on x86_64. 
- -Change-Id: Ib82641bedec576d2be3793db4d8da36a4ccbbe75 -Signed-off-by: Cesar Eduardo Barros -Acked-by: Daniel Borkmann -Signed-off-by: Herbert Xu ---- - crypto/Makefile | 5 --- - crypto/memneq.c | 79 +++++++++++++++++++++++++++++------------- - include/linux/compiler-gcc.h | 3 ++ - include/linux/compiler-intel.h | 7 ++++ - include/linux/compiler.h | 4 +++ - 5 files changed, 68 insertions(+), 30 deletions(-) - -diff --git a/crypto/Makefile b/crypto/Makefile -index ae3684d16f3..4c75316f7d6 100644 ---- a/crypto/Makefile -+++ b/crypto/Makefile -@@ -2,11 +2,6 @@ - # Cryptographic API - # - --# memneq MUST be built with -Os or -O0 to prevent early-return optimizations --# that will defeat memneq's actual purpose to prevent timing attacks. --CFLAGS_REMOVE_memneq.o := -O1 -O2 -O3 --CFLAGS_memneq.o := -Os -- - obj-$(CONFIG_CRYPTO) += crypto.o - crypto-y := api.o cipher.o compress.o memneq.o - -diff --git a/crypto/memneq.c b/crypto/memneq.c -index 40dfa50d39b..a285a744bc7 100644 ---- a/crypto/memneq.c -+++ b/crypto/memneq.c -@@ -73,6 +73,7 @@ __crypto_memneq_generic(const void *a, const void *b, size_t size) - #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) - while (size >= sizeof(unsigned long)) { - neq |= *(unsigned long *)a ^ *(unsigned long *)b; -+ OPTIMIZER_HIDE_VAR(neq); - a += sizeof(unsigned long); - b += sizeof(unsigned long); - size -= sizeof(unsigned long); -@@ -80,6 +81,7 @@ __crypto_memneq_generic(const void *a, const void *b, size_t size) - #endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */ - while (size > 0) { - neq |= *(unsigned char *)a ^ *(unsigned char *)b; -+ OPTIMIZER_HIDE_VAR(neq); - a += 1; - b += 1; - size -= 1; -@@ -90,33 +92,60 @@ __crypto_memneq_generic(const void *a, const void *b, size_t size) - /* Loop-free fast-path for frequently used 16-byte size */ - static inline unsigned long __crypto_memneq_16(const void *a, const void *b) - { -+ unsigned long neq = 0; -+ - #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS -- if (sizeof(unsigned long) 
== 8) -- return ((*(unsigned long *)(a) ^ *(unsigned long *)(b)) -- | (*(unsigned long *)(a+8) ^ *(unsigned long *)(b+8))); -- else if (sizeof(unsigned int) == 4) -- return ((*(unsigned int *)(a) ^ *(unsigned int *)(b)) -- | (*(unsigned int *)(a+4) ^ *(unsigned int *)(b+4)) -- | (*(unsigned int *)(a+8) ^ *(unsigned int *)(b+8)) -- | (*(unsigned int *)(a+12) ^ *(unsigned int *)(b+12))); -- else -+ if (sizeof(unsigned long) == 8) { -+ neq |= *(unsigned long *)(a) ^ *(unsigned long *)(b); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned long *)(a+8) ^ *(unsigned long *)(b+8); -+ OPTIMIZER_HIDE_VAR(neq); -+ } else if (sizeof(unsigned int) == 4) { -+ neq |= *(unsigned int *)(a) ^ *(unsigned int *)(b); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned int *)(a+4) ^ *(unsigned int *)(b+4); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned int *)(a+8) ^ *(unsigned int *)(b+8); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned int *)(a+12) ^ *(unsigned int *)(b+12); -+ OPTIMIZER_HIDE_VAR(neq); -+ } else { - #endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */ -- return ((*(unsigned char *)(a) ^ *(unsigned char *)(b)) -- | (*(unsigned char *)(a+1) ^ *(unsigned char *)(b+1)) -- | (*(unsigned char *)(a+2) ^ *(unsigned char *)(b+2)) -- | (*(unsigned char *)(a+3) ^ *(unsigned char *)(b+3)) -- | (*(unsigned char *)(a+4) ^ *(unsigned char *)(b+4)) -- | (*(unsigned char *)(a+5) ^ *(unsigned char *)(b+5)) -- | (*(unsigned char *)(a+6) ^ *(unsigned char *)(b+6)) -- | (*(unsigned char *)(a+7) ^ *(unsigned char *)(b+7)) -- | (*(unsigned char *)(a+8) ^ *(unsigned char *)(b+8)) -- | (*(unsigned char *)(a+9) ^ *(unsigned char *)(b+9)) -- | (*(unsigned char *)(a+10) ^ *(unsigned char *)(b+10)) -- | (*(unsigned char *)(a+11) ^ *(unsigned char *)(b+11)) -- | (*(unsigned char *)(a+12) ^ *(unsigned char *)(b+12)) -- | (*(unsigned char *)(a+13) ^ *(unsigned char *)(b+13)) -- | (*(unsigned char *)(a+14) ^ *(unsigned char *)(b+14)) -- | (*(unsigned char *)(a+15) ^ *(unsigned char *)(b+15))); -+ neq 
|= *(unsigned char *)(a) ^ *(unsigned char *)(b); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+1) ^ *(unsigned char *)(b+1); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+2) ^ *(unsigned char *)(b+2); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+3) ^ *(unsigned char *)(b+3); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+4) ^ *(unsigned char *)(b+4); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+5) ^ *(unsigned char *)(b+5); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+6) ^ *(unsigned char *)(b+6); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+7) ^ *(unsigned char *)(b+7); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+8) ^ *(unsigned char *)(b+8); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+9) ^ *(unsigned char *)(b+9); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+10) ^ *(unsigned char *)(b+10); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+11) ^ *(unsigned char *)(b+11); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+12) ^ *(unsigned char *)(b+12); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+13) ^ *(unsigned char *)(b+13); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+14) ^ *(unsigned char *)(b+14); -+ OPTIMIZER_HIDE_VAR(neq); -+ neq |= *(unsigned char *)(a+15) ^ *(unsigned char *)(b+15); -+ OPTIMIZER_HIDE_VAR(neq); -+ } -+ -+ return neq; - } - - /* Compare two areas of memory without leaking timing information, -diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h -index e5834aa24b9..8c999ad4545 100644 ---- a/include/linux/compiler-gcc.h -+++ b/include/linux/compiler-gcc.h -@@ -34,6 +34,9 @@ - __asm__ ("" : "=r"(__ptr) : "0"(ptr)); \ - (typeof(ptr)) (__ptr + (off)); }) - -+/* Make the optimizer believe the variable can be manipulated arbitrarily. 
*/ -+#define OPTIMIZER_HIDE_VAR(var) __asm__ ("" : "=r" (var) : "0" (var)) -+ - #ifdef __CHECKER__ - #define __must_be_array(arr) 0 - #else -diff --git a/include/linux/compiler-intel.h b/include/linux/compiler-intel.h -index d8e636e5607..966fa6820d9 100644 ---- a/include/linux/compiler-intel.h -+++ b/include/linux/compiler-intel.h -@@ -15,6 +15,7 @@ - */ - #undef barrier - #undef RELOC_HIDE -+#undef OPTIMIZER_HIDE_VAR - - #define barrier() __memory_barrier() - -@@ -23,6 +24,12 @@ - __ptr = (unsigned long) (ptr); \ - (typeof(ptr)) (__ptr + (off)); }) - -+/* This should act as an optimization barrier on var. -+ * Given that this compiler does not have inline assembly, a compiler barrier -+ * is the best we can do. -+ */ -+#define OPTIMIZER_HIDE_VAR(var) barrier() -+ - /* Intel ECC compiler doesn't support __builtin_types_compatible_p() */ - #define __must_be_array(a) 0 - -diff --git a/include/linux/compiler.h b/include/linux/compiler.h -index 923d093c9ce..a8ef3ca7af2 100644 ---- a/include/linux/compiler.h -+++ b/include/linux/compiler.h -@@ -164,6 +164,10 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); - (typeof(ptr)) (__ptr + (off)); }) - #endif - -+#ifndef OPTIMIZER_HIDE_VAR -+#define OPTIMIZER_HIDE_VAR(var) barrier() -+#endif -+ - #endif /* __KERNEL__ */ - - #endif /* __ASSEMBLY__ */ --- -2.15.0 - - -From df07b54fc3e647ef666b3d3c6da4badfba273ad9 Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann -Date: Fri, 6 Dec 2013 00:33:33 +0100 -Subject: [PATCH 3/3] crypto: memneq - fix for archs without efficient - unaligned access - -Commit fe8c8a126806 introduced a possible build error for archs -that do not have CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS set. :/ -Fix this up by bringing else braces outside of the ifdef. 
- -Change-Id: I08195a468653062a87eaaa01031b6ee6ab8c7508 -Reported-by: Fengguang Wu -Fixes: fe8c8a126806 ("crypto: more robust crypto_memneq") -Signed-off-by: Daniel Borkmann -Acked-By: Cesar Eduardo Barros -Signed-off-by: Herbert Xu ---- - crypto/memneq.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/crypto/memneq.c b/crypto/memneq.c -index a285a744bc7..3cfae80ed48 100644 ---- a/crypto/memneq.c -+++ b/crypto/memneq.c -@@ -109,8 +109,9 @@ static inline unsigned long __crypto_memneq_16(const void *a, const void *b) - OPTIMIZER_HIDE_VAR(neq); - neq |= *(unsigned int *)(a+12) ^ *(unsigned int *)(b+12); - OPTIMIZER_HIDE_VAR(neq); -- } else { -+ } else - #endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */ -+ { - neq |= *(unsigned char *)(a) ^ *(unsigned char *)(b); - OPTIMIZER_HIDE_VAR(neq); - neq |= *(unsigned char *)(a+1) ^ *(unsigned char *)(b+1); --- -2.15.0 - diff --git a/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0002.patch new file mode 100644 index 00000000..6334e865 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0002.patch 
@@ -0,0 +1,214 @@ +From a9803a869bfc274d57ab33862ad7a5ea31df4559 Mon Sep 17 00:00:00 2001 +From: Cesar Eduardo Barros +Date: Mon, 25 Nov 2013 22:00:41 -0200 +Subject: [PATCH] crypto: more robust crypto_memneq + +Disabling compiler optimizations can be fragile, since a new +optimization could be added to -O0 or -Os that breaks the assumptions +the code is making. + +Instead of disabling compiler optimizations, use a dummy inline assembly +(based on RELOC_HIDE) to block the problematic kinds of optimization, +while still allowing other optimizations to be applied to the code. + +The dummy inline assembly is added after every OR, and has the +accumulator variable as its input and output. The compiler is forced to +assume that the dummy inline assembly could both depend on the +accumulator variable and change the accumulator variable, so it is +forced to compute the value correctly before the inline assembly, and +cannot assume anything about its value after the inline assembly. + +This change should be enough to make crypto_memneq work correctly (with +data-independent timing) even if it is inlined at its call sites. That +can be done later in a followup patch. + +Compile-tested on x86_64. + +Change-Id: Ib82641bedec576d2be3793db4d8da36a4ccbbe75 +Signed-off-by: Cesar Eduardo Barros +Acked-by: Daniel Borkmann +Signed-off-by: Herbert Xu +--- + crypto/Makefile | 5 --- + crypto/memneq.c | 79 +++++++++++++++++++++++++++++------------- + include/linux/compiler-gcc.h | 3 ++ + include/linux/compiler-intel.h | 7 ++++ + include/linux/compiler.h | 4 +++ + 5 files changed, 68 insertions(+), 30 deletions(-) + +diff --git a/crypto/Makefile b/crypto/Makefile +index ae3684d16f3..4c75316f7d6 100644 +--- a/crypto/Makefile ++++ b/crypto/Makefile +@@ -2,11 +2,6 @@ + # Cryptographic API + # + +-# memneq MUST be built with -Os or -O0 to prevent early-return optimizations +-# that will defeat memneq's actual purpose to prevent timing attacks. 
+-CFLAGS_REMOVE_memneq.o := -O1 -O2 -O3 +-CFLAGS_memneq.o := -Os +- + obj-$(CONFIG_CRYPTO) += crypto.o + crypto-y := api.o cipher.o compress.o memneq.o + +diff --git a/crypto/memneq.c b/crypto/memneq.c +index 40dfa50d39b..a285a744bc7 100644 +--- a/crypto/memneq.c ++++ b/crypto/memneq.c +@@ -73,6 +73,7 @@ __crypto_memneq_generic(const void *a, const void *b, size_t size) + #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) + while (size >= sizeof(unsigned long)) { + neq |= *(unsigned long *)a ^ *(unsigned long *)b; ++ OPTIMIZER_HIDE_VAR(neq); + a += sizeof(unsigned long); + b += sizeof(unsigned long); + size -= sizeof(unsigned long); +@@ -80,6 +81,7 @@ __crypto_memneq_generic(const void *a, const void *b, size_t size) + #endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */ + while (size > 0) { + neq |= *(unsigned char *)a ^ *(unsigned char *)b; ++ OPTIMIZER_HIDE_VAR(neq); + a += 1; + b += 1; + size -= 1; +@@ -90,33 +92,60 @@ __crypto_memneq_generic(const void *a, const void *b, size_t size) + /* Loop-free fast-path for frequently used 16-byte size */ + static inline unsigned long __crypto_memneq_16(const void *a, const void *b) + { ++ unsigned long neq = 0; ++ + #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS +- if (sizeof(unsigned long) == 8) +- return ((*(unsigned long *)(a) ^ *(unsigned long *)(b)) +- | (*(unsigned long *)(a+8) ^ *(unsigned long *)(b+8))); +- else if (sizeof(unsigned int) == 4) +- return ((*(unsigned int *)(a) ^ *(unsigned int *)(b)) +- | (*(unsigned int *)(a+4) ^ *(unsigned int *)(b+4)) +- | (*(unsigned int *)(a+8) ^ *(unsigned int *)(b+8)) +- | (*(unsigned int *)(a+12) ^ *(unsigned int *)(b+12))); +- else ++ if (sizeof(unsigned long) == 8) { ++ neq |= *(unsigned long *)(a) ^ *(unsigned long *)(b); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned long *)(a+8) ^ *(unsigned long *)(b+8); ++ OPTIMIZER_HIDE_VAR(neq); ++ } else if (sizeof(unsigned int) == 4) { ++ neq |= *(unsigned int *)(a) ^ *(unsigned int *)(b); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= 
*(unsigned int *)(a+4) ^ *(unsigned int *)(b+4); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned int *)(a+8) ^ *(unsigned int *)(b+8); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned int *)(a+12) ^ *(unsigned int *)(b+12); ++ OPTIMIZER_HIDE_VAR(neq); ++ } else { + #endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */ +- return ((*(unsigned char *)(a) ^ *(unsigned char *)(b)) +- | (*(unsigned char *)(a+1) ^ *(unsigned char *)(b+1)) +- | (*(unsigned char *)(a+2) ^ *(unsigned char *)(b+2)) +- | (*(unsigned char *)(a+3) ^ *(unsigned char *)(b+3)) +- | (*(unsigned char *)(a+4) ^ *(unsigned char *)(b+4)) +- | (*(unsigned char *)(a+5) ^ *(unsigned char *)(b+5)) +- | (*(unsigned char *)(a+6) ^ *(unsigned char *)(b+6)) +- | (*(unsigned char *)(a+7) ^ *(unsigned char *)(b+7)) +- | (*(unsigned char *)(a+8) ^ *(unsigned char *)(b+8)) +- | (*(unsigned char *)(a+9) ^ *(unsigned char *)(b+9)) +- | (*(unsigned char *)(a+10) ^ *(unsigned char *)(b+10)) +- | (*(unsigned char *)(a+11) ^ *(unsigned char *)(b+11)) +- | (*(unsigned char *)(a+12) ^ *(unsigned char *)(b+12)) +- | (*(unsigned char *)(a+13) ^ *(unsigned char *)(b+13)) +- | (*(unsigned char *)(a+14) ^ *(unsigned char *)(b+14)) +- | (*(unsigned char *)(a+15) ^ *(unsigned char *)(b+15))); ++ neq |= *(unsigned char *)(a) ^ *(unsigned char *)(b); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned char *)(a+1) ^ *(unsigned char *)(b+1); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned char *)(a+2) ^ *(unsigned char *)(b+2); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned char *)(a+3) ^ *(unsigned char *)(b+3); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned char *)(a+4) ^ *(unsigned char *)(b+4); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned char *)(a+5) ^ *(unsigned char *)(b+5); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned char *)(a+6) ^ *(unsigned char *)(b+6); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned char *)(a+7) ^ *(unsigned char *)(b+7); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned char *)(a+8) ^ 
*(unsigned char *)(b+8); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned char *)(a+9) ^ *(unsigned char *)(b+9); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned char *)(a+10) ^ *(unsigned char *)(b+10); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned char *)(a+11) ^ *(unsigned char *)(b+11); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned char *)(a+12) ^ *(unsigned char *)(b+12); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned char *)(a+13) ^ *(unsigned char *)(b+13); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned char *)(a+14) ^ *(unsigned char *)(b+14); ++ OPTIMIZER_HIDE_VAR(neq); ++ neq |= *(unsigned char *)(a+15) ^ *(unsigned char *)(b+15); ++ OPTIMIZER_HIDE_VAR(neq); ++ } ++ ++ return neq; + } + + /* Compare two areas of memory without leaking timing information, +diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h +index e5834aa24b9..8c999ad4545 100644 +--- a/include/linux/compiler-gcc.h ++++ b/include/linux/compiler-gcc.h +@@ -34,6 +34,9 @@ + __asm__ ("" : "=r"(__ptr) : "0"(ptr)); \ + (typeof(ptr)) (__ptr + (off)); }) + ++/* Make the optimizer believe the variable can be manipulated arbitrarily. */ ++#define OPTIMIZER_HIDE_VAR(var) __asm__ ("" : "=r" (var) : "0" (var)) ++ + #ifdef __CHECKER__ + #define __must_be_array(arr) 0 + #else +diff --git a/include/linux/compiler-intel.h b/include/linux/compiler-intel.h +index d8e636e5607..966fa6820d9 100644 +--- a/include/linux/compiler-intel.h ++++ b/include/linux/compiler-intel.h +@@ -15,6 +15,7 @@ + */ + #undef barrier + #undef RELOC_HIDE ++#undef OPTIMIZER_HIDE_VAR + + #define barrier() __memory_barrier() + +@@ -23,6 +24,12 @@ + __ptr = (unsigned long) (ptr); \ + (typeof(ptr)) (__ptr + (off)); }) + ++/* This should act as an optimization barrier on var. ++ * Given that this compiler does not have inline assembly, a compiler barrier ++ * is the best we can do. 
++ */ ++#define OPTIMIZER_HIDE_VAR(var) barrier() ++ + /* Intel ECC compiler doesn't support __builtin_types_compatible_p() */ + #define __must_be_array(a) 0 + +diff --git a/include/linux/compiler.h b/include/linux/compiler.h +index 923d093c9ce..a8ef3ca7af2 100644 +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -164,6 +164,10 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); + (typeof(ptr)) (__ptr + (off)); }) + #endif + ++#ifndef OPTIMIZER_HIDE_VAR ++#define OPTIMIZER_HIDE_VAR(var) barrier() ++#endif ++ + #endif /* __KERNEL__ */ + + #endif /* __ASSEMBLY__ */ diff --git a/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0003.patch new file mode 100644 index 00000000..1ec87bd7 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0003.patch 
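Review bot: As stored, 0002.patch leaves `__crypto_memneq_16` unbuildable when `CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS` is not set: the `} else {` it adds sits inside the `#ifdef`, while the closing `}` before `return neq;` sits outside it, and the correction only arrives in 0003.patch. The three changes used to live in one file; now that they are separate files the result is only correct if 0001-0003 are always applied as a unit, so I would record that next to the patches, for example with a note such as `0001-0003 form one series; 0003 fixes the build of 0002` wherever the patch list for this directory is kept. Separately, the `barrier()` fallback for `OPTIMIZER_HIDE_VAR` in compiler-intel.h and compiler.h is weaker than the inline-asm form in compiler-gcc.h (the patch's own comment calls it "the best we can do"), so the data-independent-timing property is presumably only established for the GCC path.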
@@ -0,0 +1,35 @@
+From dc0c59d66b8679dc870c9aa568647d0be71501b7 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann
+Date: Fri, 6 Dec 2013 00:33:33 +0100
+Subject: [PATCH] crypto: memneq - fix for archs without efficient unaligned
+ access
+
+Commit fe8c8a126806 introduced a possible build error for archs
+that do not have CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS set. :/
+Fix this up by bringing else braces outside of the ifdef.
+
+Change-Id: I08195a468653062a87eaaa01031b6ee6ab8c7508
+Reported-by: Fengguang Wu
+Fixes: fe8c8a126806 ("crypto: more robust crypto_memneq")
+Signed-off-by: Daniel Borkmann
+Acked-By: Cesar Eduardo Barros
+Signed-off-by: Herbert Xu
+---
+ crypto/memneq.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/memneq.c b/crypto/memneq.c
+index a285a744bc7..3cfae80ed48 100644
+--- a/crypto/memneq.c
++++ b/crypto/memneq.c
+@@ -109,8 +109,9 @@ static inline unsigned long __crypto_memneq_16(const void *a, const void *b)
+ OPTIMIZER_HIDE_VAR(neq);
+ neq |= *(unsigned int *)(a+12) ^ *(unsigned int *)(b+12);
+ OPTIMIZER_HIDE_VAR(neq);
+- } else {
++ } else
+ #endif /* CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS */
++ {
+ neq |= *(unsigned char *)(a) ^ *(unsigned char *)(b);
+ OPTIMIZER_HIDE_VAR(neq);
+ neq |= *(unsigned char *)(a+1) ^ *(unsigned char *)(b+1);
diff --git a/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0004.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2017-13080-Extra/ANY/0004.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-13080/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-13080/ANY/0001.patch
similarity index 76%
rename from Patches/Linux_CVEs/CVE-2017-13080/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-13080/ANY/0001.patch
index f110d56b..3a88a75c 100644
--- a/Patches/Linux_CVEs/CVE-2017-13080/ANY/0.patch
+++ b/Patches/Linux_CVEs/CVE-2017-13080/ANY/0001.patch
@@ -1,4 +1,4 @@ -From 6bd7e74005e90ef79402a9c94e1044f845aa49f1 Mon Sep 17 00:00:00 2001 +From fdf7cb4185b60c68e1a75e61691c4afdc15dea0e Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Tue, 5 Sep 2017 14:54:54 +0200 Subject: [PATCH] mac80211: accept key reinstall without changing anything @@ -18,25 +18,25 @@ In case this happens, simply silently accept the new key coming from userspace but don't take any action on it since it's the same key; this keeps the PN replay counters intact. -Change-Id: If973789c12d2afcd9192f796e27bc9598c5dd1c0 Signed-off-by: Johannes Berg --- - net/mac80211/key.c | 20 +++++++++++++++++--- - 1 file changed, 17 insertions(+), 3 deletions(-) + net/mac80211/key.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/net/mac80211/key.c b/net/mac80211/key.c -index 5bb600d93d7..cebe30315d9 100644 +index a98fc2b5e0dc9..ae995c8480db9 100644 --- a/net/mac80211/key.c +++ b/net/mac80211/key.c -@@ -3,6 +3,7 @@ - * Copyright 2005-2006, Devicescape Software, Inc. +@@ -4,7 +4,7 @@ * Copyright 2006-2007 Jiri Benc * Copyright 2007-2008 Johannes Berg + * Copyright 2013-2014 Intel Mobile Communications GmbH +- * Copyright 2015 Intel Deutschland GmbH + * Copyright 2015-2017 Intel Deutschland GmbH * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as -@@ -452,9 +453,6 @@ int ieee80211_key_link(struct ieee80211_key *key, +@@ -620,9 +620,6 @@ int ieee80211_key_link(struct ieee80211_key *key, pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE; idx = key->conf.keyidx; @@ -44,9 +44,9 @@ index 5bb600d93d7..cebe30315d9 100644 - key->sdata = sdata; - key->sta = sta; - if (sta) { - /* -@@ -491,6 +489,21 @@ int ieee80211_key_link(struct ieee80211_key *key, + mutex_lock(&sdata->local->key_mtx); + +@@ -633,6 +630,21 @@ int ieee80211_key_link(struct ieee80211_key *key, else old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]); 
@@ -67,10 +67,10 @@ index 5bb600d93d7..cebe30315d9 100644 + increment_tailroom_need_count(sdata); - __ieee80211_key_replace(sdata, sta, pairwise, old_key, key); -@@ -500,6 +513,7 @@ int ieee80211_key_link(struct ieee80211_key *key, - - ret = ieee80211_key_enable_hw_accel(key); + ieee80211_key_replace(sdata, sta, pairwise, old_key, key); +@@ -648,6 +660,7 @@ int ieee80211_key_link(struct ieee80211_key *key, + ret = 0; + } + out: mutex_unlock(&sdata->local->key_mtx); diff --git a/Patches/Linux_CVEs/CVE-2017-15265/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-15265/^4.14/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-15265/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-15265/^4.14/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-2618/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-2618/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-2618/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2017-2618/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-2636/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-2636/^4.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-2636/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-2636/^4.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-2671/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-2671/^4.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-2671/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-2671/^4.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-5546/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-5546/4.7-4.9/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-5546/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-5546/4.7-4.9/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-5547/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-5547/4.9/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-5547/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-5547/4.9/0001.patch 
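Review bot: The replacement 0001.patch is cut against a newer net/mac80211/key.c than the file it replaces, yet it is still filed under `ANY/`. Its inner hunks now expect context such as `ieee80211_key_replace(sdata, sta, pairwise, old_key, key);` and `ret = 0;` where the previous version had `__ieee80211_key_replace(...)` and `ret = ieee80211_key_enable_hw_accel(key);`, and the inner hunk offsets moved from 452/491/500 to 620/633/648. On a tree that still carries the older code the patch would presumably be rejected, which would leave the key-reinstall fix for CVE-2017-13080 unapplied there. I would either keep the earlier backport under a version-scoped directory, as other entries in this commit do (`3.10/`, `^4.9/`), or confirm that whatever applies these files fails loudly when a patch under `ANY/` does not apply.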
diff --git a/Patches/Linux_CVEs/CVE-2017-5550/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-5550/4.9/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-5550/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-5550/4.9/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-5551/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-5551/3.14-4.9/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-5551/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-5551/3.14-4.9/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-5669/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-5669/ANY/0.patch
deleted file mode 100644
index 6ee31aef..00000000
--- a/Patches/Linux_CVEs/CVE-2017-5669/ANY/0.patch
+++ /dev/null
@@ -1,70 +0,0 @@ -From e1d35d4dc7f089e6c9c080d556feedf9c706f0c7 Mon Sep 17 00:00:00 2001 -From: Davidlohr Bueso -Date: Wed, 8 Feb 2017 10:28:24 +1100 -Subject: [PATCH] ipc/shm: Fix shmat mmap nil-page protection - -The issue is described here, with a nice testcase: - - https://bugzilla.kernel.org/show_bug.cgi?id=192931 - -The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and the -address rounded down to 0. For the regular mmap case, the protection -mentioned above is that the kernel gets to generate the address -- -arch_get_unmapped_area() will always check for MAP_FIXED and return that -address. So by the time we do security_mmap_addr(0) things get funky for -shmat(). - -The testcase itself shows that while a regular user crashes, root will not -have a problem attaching a nil-page. There are two possible fixes to -this. The first, and which this patch does, is to simply allow root to -crash as well -- this is also regular mmap behavior, ie when hacking up -the testcase and adding mmap(... |MAP_FIXED). While this approach is the -safer option, the second alternative is to ignore SHM_RND if the rounded -address is 0, thus only having MAP_SHARED flags. This makes the behavior -of shmat() identical to the mmap() case. The downside of this is -obviously user visible, but does make sense in that it maintains semantics -after the round-down wrt 0 address and mmap. - -Passes shm related ltp tests. 
- -Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net -Signed-off-by: Davidlohr Bueso -Reported-by: Gareth Evans -Cc: Manfred Spraul -Cc: Michael Kerrisk -Signed-off-by: Andrew Morton ---- - ipc/shm.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/ipc/shm.c b/ipc/shm.c -index d7805acb44fd4..06ea9ef7f54a7 100644 ---- a/ipc/shm.c -+++ b/ipc/shm.c -@@ -1091,8 +1091,8 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) - * "raddr" thing points to kernel space, and there has to be a wrapper around - * this. - */ --long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, -- unsigned long shmlba) -+long do_shmat(int shmid, char __user *shmaddr, int shmflg, -+ ulong *raddr, unsigned long shmlba) - { - struct shmid_kernel *shp; - unsigned long addr; -@@ -1113,8 +1113,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr, - goto out; - else if ((addr = (ulong)shmaddr)) { - if (addr & (shmlba - 1)) { -- if (shmflg & SHM_RND) -- addr &= ~(shmlba - 1); /* round down */ -+ /* -+ * Round down to the nearest multiple of shmlba. -+ * For sane do_mmap_pgoff() parameters, avoid -+ * round downs that trigger nil-page and MAP_FIXED. -+ */ -+ if ((shmflg & SHM_RND) && addr >= shmlba) -+ addr &= ~(shmlba - 1); - else - #ifndef __ARCH_FORCE_SHMLBA - if (addr & ~PAGE_MASK) diff --git a/Patches/Linux_CVEs/CVE-2017-5669/ANY/1.patch.dupe b/Patches/Linux_CVEs/CVE-2017-5669/^4.9/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-5669/ANY/1.patch.dupe rename to Patches/Linux_CVEs/CVE-2017-5669/^4.9/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-5897/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-5897/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-5897/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-5897/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2017-5967/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-5967/3.10/0001.patch
new file mode 100644
index 00000000..596f8405
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-5967/3.10/0001.patch
@@ -0,0 +1,908 @@ +From 0407c7a2f4734cd55902753d788fdbdc32ed7fd9 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 08 Feb 2017 11:26:59 -0800 +Subject: [PATCH] time: Remove CONFIG_TIMER_STATS + +Currently CONFIG_TIMER_STATS exposes process information across namespaces: + +kernel/time/timer_list.c print_timer(): + + SEQ_printf(m, ", %s/%d", tmp, timer->start_pid); + +/proc/timer_list: + + #11: <0000000000000000>, hrtimer_wakeup, S:01, do_nanosleep, cron/2570 + +Given that the tracer can give the same information, this patch entirely +removes CONFIG_TIMER_STATS. + +Change-Id: Ice26d74094d3ad563808342c1604ad444234844b +Suggested-by: Thomas Gleixner +Signed-off-by: Kees Cook +Acked-by: John Stultz +Cc: Nicolas Pitre +Cc: linux-doc@vger.kernel.org +Cc: Lai Jiangshan +Cc: Shuah Khan +Cc: Xing Gao +Cc: Jonathan Corbet +Cc: Jessica Frazelle +Cc: kernel-hardening@lists.openwall.com +Cc: Nicolas Iooss +Cc: "Paul E. McKenney" +Cc: Petr Mladek +Cc: Richard Cochran +Cc: Tejun Heo +Cc: Michal Marek +Cc: Josh Poimboeuf +Cc: Dmitry Vyukov +Cc: Oleg Nesterov +Cc: "Eric W. Biederman" +Cc: Olof Johansson +Cc: Andrew Morton +Cc: linux-api@vger.kernel.org +Cc: Arjan van de Ven +Link: http://lkml.kernel.org/r/20170208192659.GA32582@beast +Signed-off-by: Thomas Gleixner +--- + +diff --git a/Documentation/timers/timer_stats.txt b/Documentation/timers/timer_stats.txt +deleted file mode 100644 +index 8abd40b..0000000 +--- a/Documentation/timers/timer_stats.txt ++++ /dev/null +@@ -1,73 +0,0 @@ +-timer_stats - timer usage statistics +------------------------------------- +- +-timer_stats is a debugging facility to make the timer (ab)usage in a Linux +-system visible to kernel and userspace developers. If enabled in the config +-but not used it has almost zero runtime overhead, and a relatively small +-data structure overhead. Even if collection is enabled runtime all the +-locking is per-CPU and lookup is hashed. 
+- +-timer_stats should be used by kernel and userspace developers to verify that +-their code does not make unduly use of timers. This helps to avoid unnecessary +-wakeups, which should be avoided to optimize power consumption. +- +-It can be enabled by CONFIG_TIMER_STATS in the "Kernel hacking" configuration +-section. +- +-timer_stats collects information about the timer events which are fired in a +-Linux system over a sample period: +- +-- the pid of the task(process) which initialized the timer +-- the name of the process which initialized the timer +-- the function where the timer was initialized +-- the callback function which is associated to the timer +-- the number of events (callbacks) +- +-timer_stats adds an entry to /proc: /proc/timer_stats +- +-This entry is used to control the statistics functionality and to read out the +-sampled information. +- +-The timer_stats functionality is inactive on bootup. +- +-To activate a sample period issue: +-# echo 1 >/proc/timer_stats +- +-To stop a sample period issue: +-# echo 0 >/proc/timer_stats +- +-The statistics can be retrieved by: +-# cat /proc/timer_stats +- +-The readout of /proc/timer_stats automatically disables sampling. The sampled +-information is kept until a new sample period is started. This allows multiple +-readouts. 
+- +-Sample output of /proc/timer_stats: +- +-Timerstats sample period: 3.888770 s +- 12, 0 swapper hrtimer_stop_sched_tick (hrtimer_sched_tick) +- 15, 1 swapper hcd_submit_urb (rh_timer_func) +- 4, 959 kedac schedule_timeout (process_timeout) +- 1, 0 swapper page_writeback_init (wb_timer_fn) +- 28, 0 swapper hrtimer_stop_sched_tick (hrtimer_sched_tick) +- 22, 2948 IRQ 4 tty_flip_buffer_push (delayed_work_timer_fn) +- 3, 3100 bash schedule_timeout (process_timeout) +- 1, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) +- 1, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) +- 1, 1 swapper neigh_table_init_no_netlink (neigh_periodic_timer) +- 1, 2292 ip __netdev_watchdog_up (dev_watchdog) +- 1, 23 events/1 do_cache_clean (delayed_work_timer_fn) +-90 total events, 30.0 events/sec +- +-The first column is the number of events, the second column the pid, the third +-column is the name of the process. The forth column shows the function which +-initialized the timer and in parenthesis the callback function which was +-executed on expiry. +- +- Thomas, Ingo +- +-Added flag to indicate 'deferrable timer' in /proc/timer_stats. 
A deferrable +-timer will appear as follows +- 10D, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) +- +diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h +index 0302bbe..765d9e7 100644 +--- a/include/linux/hrtimer.h ++++ b/include/linux/hrtimer.h +@@ -96,12 +96,6 @@ + * @function: timer expiry callback function + * @base: pointer to the timer base (per cpu and per clock) + * @state: state information (See bit values above) +- * @start_site: timer statistics field to store the site where the timer +- * was started +- * @start_comm: timer statistics field to store the name of the process which +- * started the timer +- * @start_pid: timer statistics field to store the pid of the task which +- * started the timer + * + * The hrtimer structure must be initialized by hrtimer_init() + */ +@@ -111,11 +105,6 @@ + enum hrtimer_restart (*function)(struct hrtimer *); + struct hrtimer_clock_base *base; + unsigned long state; +-#ifdef CONFIG_TIMER_STATS +- int start_pid; +- void *start_site; +- char start_comm[16]; +-#endif + }; + + /** +diff --git a/include/linux/timer.h b/include/linux/timer.h +index 8c5a197..7c8adfa 100644 +--- a/include/linux/timer.h ++++ b/include/linux/timer.h +@@ -23,11 +23,6 @@ + + int slack; + +-#ifdef CONFIG_TIMER_STATS +- int start_pid; +- void *start_site; +- char start_comm[16]; +-#endif + #ifdef CONFIG_LOCKDEP + struct lockdep_map lockdep_map; + #endif +@@ -193,49 +188,6 @@ + * jiffie. 
+ */ + extern unsigned long get_next_timer_interrupt(unsigned long now); +- +-/* +- * Timer-statistics info: +- */ +-#ifdef CONFIG_TIMER_STATS +- +-extern int timer_stats_active; +- +-#define TIMER_STATS_FLAG_DEFERRABLE 0x1 +- +-extern void init_timer_stats(void); +- +-extern void timer_stats_update_stats(void *timer, pid_t pid, void *startf, +- void *timerf, char *comm, +- unsigned int timer_flag); +- +-extern void __timer_stats_timer_set_start_info(struct timer_list *timer, +- void *addr); +- +-static inline void timer_stats_timer_set_start_info(struct timer_list *timer) +-{ +- if (likely(!timer_stats_active)) +- return; +- __timer_stats_timer_set_start_info(timer, __builtin_return_address(0)); +-} +- +-static inline void timer_stats_timer_clear_start_info(struct timer_list *timer) +-{ +- timer->start_site = NULL; +-} +-#else +-static inline void init_timer_stats(void) +-{ +-} +- +-static inline void timer_stats_timer_set_start_info(struct timer_list *timer) +-{ +-} +- +-static inline void timer_stats_timer_clear_start_info(struct timer_list *timer) +-{ +-} +-#endif + + extern void add_timer(struct timer_list *timer); + +diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c +index 47067de..c9c3a6c 100644 +--- a/kernel/hrtimer.c ++++ b/kernel/hrtimer.c +@@ -827,34 +827,6 @@ + clock_was_set_delayed(); + } + +-static inline void timer_stats_hrtimer_set_start_info(struct hrtimer *timer) +-{ +-#ifdef CONFIG_TIMER_STATS +- if (timer->start_site) +- return; +- timer->start_site = __builtin_return_address(0); +- memcpy(timer->start_comm, current->comm, TASK_COMM_LEN); +- timer->start_pid = current->pid; +-#endif +-} +- +-static inline void timer_stats_hrtimer_clear_start_info(struct hrtimer *timer) +-{ +-#ifdef CONFIG_TIMER_STATS +- timer->start_site = NULL; +-#endif +-} +- +-static inline void timer_stats_account_hrtimer(struct hrtimer *timer) +-{ +-#ifdef CONFIG_TIMER_STATS +- if (likely(!timer_stats_active)) +- return; +- timer_stats_update_stats(timer, timer->start_pid, 
timer->start_site, +- timer->function, timer->start_comm, 0); +-#endif +-} +- + /* + * Counterpart to lock_hrtimer_base above: + */ +@@ -988,7 +960,6 @@ + * rare case and less expensive than a smp call. + */ + debug_deactivate(timer); +- timer_stats_hrtimer_clear_start_info(timer); + reprogram = base->cpu_base == &__get_cpu_var(hrtimer_bases); + /* + * We must preserve the CALLBACK state flag here, +@@ -1033,8 +1004,6 @@ + + /* Switch the timer base, if necessary: */ + new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED); +- +- timer_stats_hrtimer_set_start_info(timer); + + leftmost = enqueue_hrtimer(timer, new_base); + +@@ -1211,12 +1180,6 @@ + base = hrtimer_clockid_to_base(clock_id); + timer->base = &cpu_base->clock_base[base]; + timerqueue_init(&timer->node); +- +-#ifdef CONFIG_TIMER_STATS +- timer->start_site = NULL; +- timer->start_pid = -1; +- memset(timer->start_comm, 0, TASK_COMM_LEN); +-#endif + } + + /** +@@ -1264,7 +1227,6 @@ + + debug_deactivate(timer); + __remove_hrtimer(timer, base, HRTIMER_STATE_CALLBACK, 0); +- timer_stats_account_hrtimer(timer); + fn = timer->function; + + /* +diff --git a/kernel/time/Makefile b/kernel/time/Makefile +index aa91af5..fd87e51 100644 +--- a/kernel/time/Makefile ++++ b/kernel/time/Makefile +@@ -7,4 +7,3 @@ + obj-$(CONFIG_GENERIC_SCHED_CLOCK) += sched_clock.o + obj-$(CONFIG_TICK_ONESHOT) += tick-oneshot.o + obj-$(CONFIG_TICK_ONESHOT) += tick-sched.o +-obj-$(CONFIG_TIMER_STATS) += timer_stats.o +diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c +index 61ed862..f6a1043 100644 +--- a/kernel/time/timer_list.c ++++ b/kernel/time/timer_list.c +@@ -57,21 +57,11 @@ + print_timer(struct seq_file *m, struct hrtimer *taddr, struct hrtimer *timer, + int idx, u64 now) + { +-#ifdef CONFIG_TIMER_STATS +- char tmp[TASK_COMM_LEN + 1]; +-#endif + SEQ_printf(m, " #%d: ", idx); + print_name_offset(m, taddr); + SEQ_printf(m, ", "); + print_name_offset(m, timer->function); + SEQ_printf(m, ", S:%02lx", 
timer->state); +-#ifdef CONFIG_TIMER_STATS +- SEQ_printf(m, ", "); +- print_name_offset(m, timer->start_site); +- memcpy(tmp, timer->start_comm, TASK_COMM_LEN); +- tmp[TASK_COMM_LEN] = 0; +- SEQ_printf(m, ", %s/%d", tmp, timer->start_pid); +-#endif + SEQ_printf(m, "\n"); + SEQ_printf(m, " # expires at %Lu-%Lu nsecs [in %Ld to %Ld nsecs]\n", + (unsigned long long)ktime_to_ns(hrtimer_get_softexpires(timer)), +diff --git a/kernel/time/timer_stats.c b/kernel/time/timer_stats.c +deleted file mode 100644 +index 0b537f2..0000000 +--- a/kernel/time/timer_stats.c ++++ /dev/null +@@ -1,425 +0,0 @@ +-/* +- * kernel/time/timer_stats.c +- * +- * Collect timer usage statistics. +- * +- * Copyright(C) 2006, Red Hat, Inc., Ingo Molnar +- * Copyright(C) 2006 Timesys Corp., Thomas Gleixner +- * +- * timer_stats is based on timer_top, a similar functionality which was part of +- * Con Kolivas dyntick patch set. It was developed by Daniel Petrini at the +- * Instituto Nokia de Tecnologia - INdT - Manaus. timer_top's design was based +- * on dynamic allocation of the statistics entries and linear search based +- * lookup combined with a global lock, rather than the static array, hash +- * and per-CPU locking which is used by timer_stats. It was written for the +- * pre hrtimer kernel code and therefore did not take hrtimers into account. +- * Nevertheless it provided the base for the timer_stats implementation and +- * was a helpful source of inspiration. Kudos to Daniel and the Nokia folks +- * for this effort. +- * +- * timer_top.c is +- * Copyright (C) 2005 Instituto Nokia de Tecnologia - INdT - Manaus +- * Written by Daniel Petrini +- * timer_top.c was released under the GNU General Public License version 2 +- * +- * We export the addresses and counting of timer functions being called, +- * the pid and cmdline from the owner process if applicable. 
+- * +- * Start/stop data collection: +- * # echo [1|0] >/proc/timer_stats +- * +- * Display the information collected so far: +- * # cat /proc/timer_stats +- * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License version 2 as +- * published by the Free Software Foundation. +- */ +- +-#include +-#include +-#include +-#include +-#include +-#include +- +-#include +- +-/* +- * This is our basic unit of interest: a timer expiry event identified +- * by the timer, its start/expire functions and the PID of the task that +- * started the timer. We count the number of times an event happens: +- */ +-struct entry { +- /* +- * Hash list: +- */ +- struct entry *next; +- +- /* +- * Hash keys: +- */ +- void *timer; +- void *start_func; +- void *expire_func; +- pid_t pid; +- +- /* +- * Number of timeout events: +- */ +- unsigned long count; +- unsigned int timer_flag; +- +- /* +- * We save the command-line string to preserve +- * this information past task exit: +- */ +- char comm[TASK_COMM_LEN + 1]; +- +-} ____cacheline_aligned_in_smp; +- +-/* +- * Spinlock protecting the tables - not taken during lookup: +- */ +-static DEFINE_RAW_SPINLOCK(table_lock); +- +-/* +- * Per-CPU lookup locks for fast hash lookup: +- */ +-static DEFINE_PER_CPU(raw_spinlock_t, tstats_lookup_lock); +- +-/* +- * Mutex to serialize state changes with show-stats activities: +- */ +-static DEFINE_MUTEX(show_mutex); +- +-/* +- * Collection status, active/inactive: +- */ +-int __read_mostly timer_stats_active; +- +-/* +- * Beginning/end timestamps of measurement: +- */ +-static ktime_t time_start, time_stop; +- +-/* +- * tstat entry structs only get allocated while collection is +- * active and never freed during that time - this simplifies +- * things quite a bit. +- * +- * They get freed when a new collection period is started. 
+- */ +-#define MAX_ENTRIES_BITS 10 +-#define MAX_ENTRIES (1UL << MAX_ENTRIES_BITS) +- +-static unsigned long nr_entries; +-static struct entry entries[MAX_ENTRIES]; +- +-static atomic_t overflow_count; +- +-/* +- * The entries are in a hash-table, for fast lookup: +- */ +-#define TSTAT_HASH_BITS (MAX_ENTRIES_BITS - 1) +-#define TSTAT_HASH_SIZE (1UL << TSTAT_HASH_BITS) +-#define TSTAT_HASH_MASK (TSTAT_HASH_SIZE - 1) +- +-#define __tstat_hashfn(entry) \ +- (((unsigned long)(entry)->timer ^ \ +- (unsigned long)(entry)->start_func ^ \ +- (unsigned long)(entry)->expire_func ^ \ +- (unsigned long)(entry)->pid ) & TSTAT_HASH_MASK) +- +-#define tstat_hashentry(entry) (tstat_hash_table + __tstat_hashfn(entry)) +- +-static struct entry *tstat_hash_table[TSTAT_HASH_SIZE] __read_mostly; +- +-static void reset_entries(void) +-{ +- nr_entries = 0; +- memset(entries, 0, sizeof(entries)); +- memset(tstat_hash_table, 0, sizeof(tstat_hash_table)); +- atomic_set(&overflow_count, 0); +-} +- +-static struct entry *alloc_entry(void) +-{ +- if (nr_entries >= MAX_ENTRIES) +- return NULL; +- +- return entries + nr_entries++; +-} +- +-static int match_entries(struct entry *entry1, struct entry *entry2) +-{ +- return entry1->timer == entry2->timer && +- entry1->start_func == entry2->start_func && +- entry1->expire_func == entry2->expire_func && +- entry1->pid == entry2->pid; +-} +- +-/* +- * Look up whether an entry matching this item is present +- * in the hash already. 
Must be called with irqs off and the +- * lookup lock held: +- */ +-static struct entry *tstat_lookup(struct entry *entry, char *comm) +-{ +- struct entry **head, *curr, *prev; +- +- head = tstat_hashentry(entry); +- curr = *head; +- +- /* +- * The fastpath is when the entry is already hashed, +- * we do this with the lookup lock held, but with the +- * table lock not held: +- */ +- while (curr) { +- if (match_entries(curr, entry)) +- return curr; +- +- curr = curr->next; +- } +- /* +- * Slowpath: allocate, set up and link a new hash entry: +- */ +- prev = NULL; +- curr = *head; +- +- raw_spin_lock(&table_lock); +- /* +- * Make sure we have not raced with another CPU: +- */ +- while (curr) { +- if (match_entries(curr, entry)) +- goto out_unlock; +- +- prev = curr; +- curr = curr->next; +- } +- +- curr = alloc_entry(); +- if (curr) { +- *curr = *entry; +- curr->count = 0; +- curr->next = NULL; +- memcpy(curr->comm, comm, TASK_COMM_LEN); +- +- smp_mb(); /* Ensure that curr is initialized before insert */ +- +- if (prev) +- prev->next = curr; +- else +- *head = curr; +- } +- out_unlock: +- raw_spin_unlock(&table_lock); +- +- return curr; +-} +- +-/** +- * timer_stats_update_stats - Update the statistics for a timer. +- * @timer: pointer to either a timer_list or a hrtimer +- * @pid: the pid of the task which set up the timer +- * @startf: pointer to the function which did the timer setup +- * @timerf: pointer to the timer callback function of the timer +- * @comm: name of the process which set up the timer +- * +- * When the timer is already registered, then the event counter is +- * incremented. Otherwise the timer is registered in a free slot. 
+- */ +-void timer_stats_update_stats(void *timer, pid_t pid, void *startf, +- void *timerf, char *comm, +- unsigned int timer_flag) +-{ +- /* +- * It doesn't matter which lock we take: +- */ +- raw_spinlock_t *lock; +- struct entry *entry, input; +- unsigned long flags; +- +- if (likely(!timer_stats_active)) +- return; +- +- lock = &per_cpu(tstats_lookup_lock, raw_smp_processor_id()); +- +- input.timer = timer; +- input.start_func = startf; +- input.expire_func = timerf; +- input.pid = pid; +- input.timer_flag = timer_flag; +- +- raw_spin_lock_irqsave(lock, flags); +- if (!timer_stats_active) +- goto out_unlock; +- +- entry = tstat_lookup(&input, comm); +- if (likely(entry)) +- entry->count++; +- else +- atomic_inc(&overflow_count); +- +- out_unlock: +- raw_spin_unlock_irqrestore(lock, flags); +-} +- +-static void print_name_offset(struct seq_file *m, unsigned long addr) +-{ +- char symname[KSYM_NAME_LEN]; +- +- if (lookup_symbol_name(addr, symname) < 0) +- seq_printf(m, "<%p>", (void *)addr); +- else +- seq_printf(m, "%s", symname); +-} +- +-static int tstats_show(struct seq_file *m, void *v) +-{ +- struct timespec period; +- struct entry *entry; +- unsigned long ms; +- long events = 0; +- ktime_t time; +- int i; +- +- mutex_lock(&show_mutex); +- /* +- * If still active then calculate up to now: +- */ +- if (timer_stats_active) +- time_stop = ktime_get(); +- +- time = ktime_sub(time_stop, time_start); +- +- period = ktime_to_timespec(time); +- ms = period.tv_nsec / 1000000; +- +- seq_puts(m, "Timer Stats Version: v0.2\n"); +- seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms); +- if (atomic_read(&overflow_count)) +- seq_printf(m, "Overflow: %d entries\n", +- atomic_read(&overflow_count)); +- +- for (i = 0; i < nr_entries; i++) { +- entry = entries + i; +- if (entry->timer_flag & TIMER_STATS_FLAG_DEFERRABLE) { +- seq_printf(m, "%4luD, %5d %-16s ", +- entry->count, entry->pid, entry->comm); +- } else { +- seq_printf(m, " %4lu, %5d %-16s ", +- 
entry->count, entry->pid, entry->comm); +- } +- +- print_name_offset(m, (unsigned long)entry->start_func); +- seq_puts(m, " ("); +- print_name_offset(m, (unsigned long)entry->expire_func); +- seq_puts(m, ")\n"); +- +- events += entry->count; +- } +- +- ms += period.tv_sec * 1000; +- if (!ms) +- ms = 1; +- +- if (events && period.tv_sec) +- seq_printf(m, "%ld total events, %ld.%03ld events/sec\n", +- events, events * 1000 / ms, +- (events * 1000000 / ms) % 1000); +- else +- seq_printf(m, "%ld total events\n", events); +- +- mutex_unlock(&show_mutex); +- +- return 0; +-} +- +-/* +- * After a state change, make sure all concurrent lookup/update +- * activities have stopped: +- */ +-static void sync_access(void) +-{ +- unsigned long flags; +- int cpu; +- +- for_each_online_cpu(cpu) { +- raw_spinlock_t *lock = &per_cpu(tstats_lookup_lock, cpu); +- +- raw_spin_lock_irqsave(lock, flags); +- /* nothing */ +- raw_spin_unlock_irqrestore(lock, flags); +- } +-} +- +-static ssize_t tstats_write(struct file *file, const char __user *buf, +- size_t count, loff_t *offs) +-{ +- char ctl[2]; +- +- if (count != 2 || *offs) +- return -EINVAL; +- +- if (copy_from_user(ctl, buf, count)) +- return -EFAULT; +- +- mutex_lock(&show_mutex); +- switch (ctl[0]) { +- case '0': +- if (timer_stats_active) { +- timer_stats_active = 0; +- time_stop = ktime_get(); +- sync_access(); +- } +- break; +- case '1': +- if (!timer_stats_active) { +- reset_entries(); +- time_start = ktime_get(); +- smp_mb(); +- timer_stats_active = 1; +- } +- break; +- default: +- count = -EINVAL; +- } +- mutex_unlock(&show_mutex); +- +- return count; +-} +- +-static int tstats_open(struct inode *inode, struct file *filp) +-{ +- return single_open(filp, tstats_show, NULL); +-} +- +-static const struct file_operations tstats_fops = { +- .open = tstats_open, +- .read = seq_read, +- .write = tstats_write, +- .llseek = seq_lseek, +- .release = single_release, +-}; +- +-void __init init_timer_stats(void) +-{ +- int cpu; +- +- 
for_each_possible_cpu(cpu) +- raw_spin_lock_init(&per_cpu(tstats_lookup_lock, cpu)); +-} +- +-static int __init init_tstats_procfs(void) +-{ +- struct proc_dir_entry *pe; +- +- pe = proc_create("timer_stats", 0644, NULL, &tstats_fops); +- if (!pe) +- return -ENOMEM; +- return 0; +-} +-__initcall(init_tstats_procfs); +diff --git a/kernel/timer.c b/kernel/timer.c +index 5733076..8bff0a9 100644 +--- a/kernel/timer.c ++++ b/kernel/timer.c +@@ -397,34 +397,6 @@ + } + } + +-#ifdef CONFIG_TIMER_STATS +-void __timer_stats_timer_set_start_info(struct timer_list *timer, void *addr) +-{ +- if (timer->start_site) +- return; +- +- timer->start_site = addr; +- memcpy(timer->start_comm, current->comm, TASK_COMM_LEN); +- timer->start_pid = current->pid; +-} +- +-static void timer_stats_account_timer(struct timer_list *timer) +-{ +- unsigned int flag = 0; +- +- if (likely(!timer->start_site)) +- return; +- if (unlikely(tbase_get_deferrable(timer->base))) +- flag |= TIMER_STATS_FLAG_DEFERRABLE; +- +- timer_stats_update_stats(timer, timer->start_pid, timer->start_site, +- timer->function, timer->start_comm, flag); +-} +- +-#else +-static void timer_stats_account_timer(struct timer_list *timer) {} +-#endif +- + #ifdef CONFIG_DEBUG_OBJECTS_TIMERS + + static struct debug_obj_descr timer_debug_descr; +@@ -637,11 +609,6 @@ + timer->entry.next = NULL; + timer->base = (void *)((unsigned long)base | flags); + timer->slack = -1; +-#ifdef CONFIG_TIMER_STATS +- timer->start_site = NULL; +- timer->start_pid = -1; +- memset(timer->start_comm, 0, TASK_COMM_LEN); +-#endif + lockdep_init_map(&timer->lockdep_map, name, key, 0); + } + +@@ -739,7 +706,6 @@ + unsigned long flags; + int ret = 0 , cpu; + +- timer_stats_timer_set_start_info(timer); + BUG_ON(!timer->function); + + base = lock_timer_base(timer, &flags); +@@ -943,7 +909,6 @@ + struct tvec_base *base = per_cpu(tvec_bases, cpu); + unsigned long flags; + +- timer_stats_timer_set_start_info(timer); + BUG_ON(timer_pending(timer) || 
!timer->function); + spin_lock_irqsave(&base->lock, flags); + timer_set_base(timer, base); +@@ -981,7 +946,6 @@ + + debug_assert_init(timer); + +- timer_stats_timer_clear_start_info(timer); + if (timer_pending(timer)) { + base = lock_timer_base(timer, &flags); + ret = detach_if_pending(timer, base, true); +@@ -1009,10 +973,9 @@ + + base = lock_timer_base(timer, &flags); + +- if (base->running_timer != timer) { +- timer_stats_timer_clear_start_info(timer); ++ if (base->running_timer != timer) + ret = detach_if_pending(timer, base, true); +- } ++ + spin_unlock_irqrestore(&base->lock, flags); + + return ret; +@@ -1192,8 +1155,6 @@ + fn = timer->function; + data = timer->data; + irqsafe = tbase_get_irqsafe(timer->base); +- +- timer_stats_account_timer(timer); + + base->running_timer = timer; + detach_expired_timer(timer, base); +@@ -1695,7 +1656,6 @@ + + err = timer_cpu_notify(&timers_nb, (unsigned long)CPU_UP_PREPARE, + (void *)(long)smp_processor_id()); +- init_timer_stats(); + + BUG_ON(err != NOTIFY_OK); + +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 2505648..562f1a5 100755 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -1448,8 +1448,6 @@ + return; + } + +- timer_stats_timer_set_start_info(&dwork->timer); +- + dwork->wq = wq; + dwork->cpu = cpu; + timer->expires = jiffies + delay; +diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug +index a0818f1..822e2be 100755 +--- a/lib/Kconfig.debug ++++ b/lib/Kconfig.debug +@@ -400,20 +400,6 @@ + application, you can say N to avoid the very slight overhead + this adds. + +-config TIMER_STATS +- bool "Collect kernel timers statistics" +- depends on DEBUG_KERNEL && PROC_FS +- help +- If you say Y here, additional code will be inserted into the +- timer routines to collect statistics about kernel timers being +- reprogrammed. The statistics can be read from /proc/timer_stats. +- The statistics collection is started by writing 1 to /proc/timer_stats, +- writing 0 stops it. 
This feature is useful to collect information +- about timer usage patterns in kernel and userspace. This feature +- is lightweight if enabled in the kernel config but not activated +- (it defaults to deactivated on bootup and will only be activated +- if some application like powertop activates it explicitly). +- + config DEBUG_OBJECTS + bool "Debug object operations" + depends on DEBUG_KERNEL diff --git a/Patches/Linux_CVEs/CVE-2017-5967/3.10/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-5967/3.10/0001.patch.base64 new file mode 100644 index 00000000..1883365e --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-5967/3.10/0001.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-5967/3.18/0002.patch b/Patches/Linux_CVEs/CVE-2017-5967/3.18/0002.patch new file mode 100644 index 00000000..90b2f55c --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-5967/3.18/0002.patch @@ -0,0 +1,20 @@ +From 63d41fb2b101ff0bd786deab3c60114d38d47048 Mon Sep 17 00:00:00 2001 +From: Christopher R. Palmer +Date: Sat, 29 Apr 2017 06:44:14 -0400 +Subject: [PATCH] pme: defconfig: Remove CONFIG_TIMER_STATS + +Change-Id: Ib4c88393eccc70e998f3a7dcc9f9a4de5230735c +--- + +diff --git a/arch/arm64/configs/pme_defconfig b/arch/arm64/configs/pme_defconfig +index b145bb6..6ad8818 100644 +--- a/arch/arm64/configs/pme_defconfig ++++ b/arch/arm64/configs/pme_defconfig +@@ -4414,7 +4414,6 @@ + # CONFIG_PANIC_ON_RT_THROTTLING is not set + # CONFIG_SCHEDSTATS is not set + # CONFIG_SCHED_STACK_END_CHECK is not set +-CONFIG_TIMER_STATS=y + # CONFIG_DEBUG_MODULE_SCAN_OFF is not set + # CONFIG_DEBUG_TASK_STACK_SCAN_OFF is not set + # CONFIG_DEBUG_PREEMPT is not set diff --git a/Patches/Linux_CVEs/CVE-2017-5967/3.18/0002.patch.base64 b/Patches/Linux_CVEs/CVE-2017-5967/3.18/0002.patch.base64 new file mode 100644 index 00000000..577a36e4 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-5967/3.18/0002.patch.base64 
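Review bot: `3.18/0002.patch` only drops `CONFIG_TIMER_STATS=y` from `arch/arm64/configs/pme_defconfig`, so it mitigates CVE-2017-5967 for that one device config and leaves the timer_stats code in the tree. Among the files visible here it is the only entry under `3.18/`, while the code removal exists only as `3.10/0001.patch` and `^4.9/0003.patch`. If the directory name selects patches by kernel version (inferred from the layout), a 3.18 kernel built from a different defconfig gets no fix, and this patch will not apply to it because its context lines are specific to `pme_defconfig`. A 3.18 backport of the code removal would cover those trees; failing that, the patch description should state the limit, e.g. `Mitigation only: disables the option for pme; timer_stats code is still present.`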
@@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-5967/^4.9/0003.patch b/Patches/Linux_CVEs/CVE-2017-5967/^4.9/0003.patch new file mode 100644 index 00000000..b7bd1067 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-5967/^4.9/0003.patch 
@@ -0,0 +1,939 @@ +From dfb4357da6ddbdf57d583ba64361c9d792b0e0b1 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 8 Feb 2017 11:26:59 -0800 +Subject: time: Remove CONFIG_TIMER_STATS + +Currently CONFIG_TIMER_STATS exposes process information across namespaces: + +kernel/time/timer_list.c print_timer(): + + SEQ_printf(m, ", %s/%d", tmp, timer->start_pid); + +/proc/timer_list: + + #11: <0000000000000000>, hrtimer_wakeup, S:01, do_nanosleep, cron/2570 + +Given that the tracer can give the same information, this patch entirely +removes CONFIG_TIMER_STATS. + +Suggested-by: Thomas Gleixner +Signed-off-by: Kees Cook +Acked-by: John Stultz +Cc: Nicolas Pitre +Cc: linux-doc@vger.kernel.org +Cc: Lai Jiangshan +Cc: Shuah Khan +Cc: Xing Gao +Cc: Jonathan Corbet +Cc: Jessica Frazelle +Cc: kernel-hardening@lists.openwall.com +Cc: Nicolas Iooss +Cc: "Paul E. McKenney" +Cc: Petr Mladek +Cc: Richard Cochran +Cc: Tejun Heo +Cc: Michal Marek +Cc: Josh Poimboeuf +Cc: Dmitry Vyukov +Cc: Oleg Nesterov +Cc: "Eric W. 
Biederman" +Cc: Olof Johansson +Cc: Andrew Morton +Cc: linux-api@vger.kernel.org +Cc: Arjan van de Ven +Link: http://lkml.kernel.org/r/20170208192659.GA32582@beast +Signed-off-by: Thomas Gleixner +--- + Documentation/timers/timer_stats.txt | 73 ------ + include/linux/hrtimer.h | 11 - + include/linux/timer.h | 45 ---- + kernel/kthread.c | 1 - + kernel/time/Makefile | 1 - + kernel/time/hrtimer.c | 38 ---- + kernel/time/timer.c | 48 +--- + kernel/time/timer_list.c | 10 - + kernel/time/timer_stats.c | 425 ----------------------------------- + kernel/workqueue.c | 2 - + lib/Kconfig.debug | 14 -- + 11 files changed, 2 insertions(+), 666 deletions(-) + delete mode 100644 Documentation/timers/timer_stats.txt + delete mode 100644 kernel/time/timer_stats.c + +diff --git a/Documentation/timers/timer_stats.txt b/Documentation/timers/timer_stats.txt +deleted file mode 100644 +index de835ee..0000000 +--- a/Documentation/timers/timer_stats.txt ++++ /dev/null +@@ -1,73 +0,0 @@ +-timer_stats - timer usage statistics +------------------------------------- +- +-timer_stats is a debugging facility to make the timer (ab)usage in a Linux +-system visible to kernel and userspace developers. If enabled in the config +-but not used it has almost zero runtime overhead, and a relatively small +-data structure overhead. Even if collection is enabled runtime all the +-locking is per-CPU and lookup is hashed. +- +-timer_stats should be used by kernel and userspace developers to verify that +-their code does not make unduly use of timers. This helps to avoid unnecessary +-wakeups, which should be avoided to optimize power consumption. +- +-It can be enabled by CONFIG_TIMER_STATS in the "Kernel hacking" configuration +-section. 
+- +-timer_stats collects information about the timer events which are fired in a +-Linux system over a sample period: +- +-- the pid of the task(process) which initialized the timer +-- the name of the process which initialized the timer +-- the function where the timer was initialized +-- the callback function which is associated to the timer +-- the number of events (callbacks) +- +-timer_stats adds an entry to /proc: /proc/timer_stats +- +-This entry is used to control the statistics functionality and to read out the +-sampled information. +- +-The timer_stats functionality is inactive on bootup. +- +-To activate a sample period issue: +-# echo 1 >/proc/timer_stats +- +-To stop a sample period issue: +-# echo 0 >/proc/timer_stats +- +-The statistics can be retrieved by: +-# cat /proc/timer_stats +- +-While sampling is enabled, each readout from /proc/timer_stats will see +-newly updated statistics. Once sampling is disabled, the sampled information +-is kept until a new sample period is started. This allows multiple readouts. +- +-Sample output of /proc/timer_stats: +- +-Timerstats sample period: 3.888770 s +- 12, 0 swapper hrtimer_stop_sched_tick (hrtimer_sched_tick) +- 15, 1 swapper hcd_submit_urb (rh_timer_func) +- 4, 959 kedac schedule_timeout (process_timeout) +- 1, 0 swapper page_writeback_init (wb_timer_fn) +- 28, 0 swapper hrtimer_stop_sched_tick (hrtimer_sched_tick) +- 22, 2948 IRQ 4 tty_flip_buffer_push (delayed_work_timer_fn) +- 3, 3100 bash schedule_timeout (process_timeout) +- 1, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) +- 1, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) +- 1, 1 swapper neigh_table_init_no_netlink (neigh_periodic_timer) +- 1, 2292 ip __netdev_watchdog_up (dev_watchdog) +- 1, 23 events/1 do_cache_clean (delayed_work_timer_fn) +-90 total events, 30.0 events/sec +- +-The first column is the number of events, the second column the pid, the third +-column is the name of the process. 
The forth column shows the function which +-initialized the timer and in parenthesis the callback function which was +-executed on expiry. +- +- Thomas, Ingo +- +-Added flag to indicate 'deferrable timer' in /proc/timer_stats. A deferrable +-timer will appear as follows +- 10D, 1 swapper queue_delayed_work_on (delayed_work_timer_fn) +- +diff --git a/include/linux/hrtimer.h b/include/linux/hrtimer.h +index cdab81b..e52b427 100644 +--- a/include/linux/hrtimer.h ++++ b/include/linux/hrtimer.h +@@ -88,12 +88,6 @@ enum hrtimer_restart { + * @base: pointer to the timer base (per cpu and per clock) + * @state: state information (See bit values above) + * @is_rel: Set if the timer was armed relative +- * @start_pid: timer statistics field to store the pid of the task which +- * started the timer +- * @start_site: timer statistics field to store the site where the timer +- * was started +- * @start_comm: timer statistics field to store the name of the process which +- * started the timer + * + * The hrtimer structure must be initialized by hrtimer_init() + */ +@@ -104,11 +98,6 @@ struct hrtimer { + struct hrtimer_clock_base *base; + u8 state; + u8 is_rel; +-#ifdef CONFIG_TIMER_STATS +- int start_pid; +- void *start_site; +- char start_comm[16]; +-#endif + }; + + /** +diff --git a/include/linux/timer.h b/include/linux/timer.h +index 51d601f..5a209b8 100644 +--- a/include/linux/timer.h ++++ b/include/linux/timer.h +@@ -20,11 +20,6 @@ struct timer_list { + unsigned long data; + u32 flags; + +-#ifdef CONFIG_TIMER_STATS +- int start_pid; +- void *start_site; +- char start_comm[16]; +-#endif + #ifdef CONFIG_LOCKDEP + struct lockdep_map lockdep_map; + #endif +@@ -197,46 +192,6 @@ extern int mod_timer_pending(struct timer_list *timer, unsigned long expires); + */ + #define NEXT_TIMER_MAX_DELTA ((1UL << 30) - 1) + +-/* +- * Timer-statistics info: +- */ +-#ifdef CONFIG_TIMER_STATS +- +-extern int timer_stats_active; +- +-extern void init_timer_stats(void); +- +-extern void 
timer_stats_update_stats(void *timer, pid_t pid, void *startf, +- void *timerf, char *comm, u32 flags); +- +-extern void __timer_stats_timer_set_start_info(struct timer_list *timer, +- void *addr); +- +-static inline void timer_stats_timer_set_start_info(struct timer_list *timer) +-{ +- if (likely(!timer_stats_active)) +- return; +- __timer_stats_timer_set_start_info(timer, __builtin_return_address(0)); +-} +- +-static inline void timer_stats_timer_clear_start_info(struct timer_list *timer) +-{ +- timer->start_site = NULL; +-} +-#else +-static inline void init_timer_stats(void) +-{ +-} +- +-static inline void timer_stats_timer_set_start_info(struct timer_list *timer) +-{ +-} +- +-static inline void timer_stats_timer_clear_start_info(struct timer_list *timer) +-{ +-} +-#endif +- + extern void add_timer(struct timer_list *timer); + + extern int try_to_del_timer_sync(struct timer_list *timer); +diff --git a/kernel/kthread.c b/kernel/kthread.c +index 2318fba..8461a43 100644 +--- a/kernel/kthread.c ++++ b/kernel/kthread.c +@@ -850,7 +850,6 @@ void __kthread_queue_delayed_work(struct kthread_worker *worker, + + list_add(&work->node, &worker->delayed_work_list); + work->worker = worker; +- timer_stats_timer_set_start_info(&dwork->timer); + timer->expires = jiffies + delay; + add_timer(timer); + } +diff --git a/kernel/time/Makefile b/kernel/time/Makefile +index 976840d..938dbf3 100644 +--- a/kernel/time/Makefile ++++ b/kernel/time/Makefile +@@ -15,6 +15,5 @@ ifeq ($(CONFIG_GENERIC_CLOCKEVENTS_BROADCAST),y) + endif + obj-$(CONFIG_GENERIC_SCHED_CLOCK) += sched_clock.o + obj-$(CONFIG_TICK_ONESHOT) += tick-oneshot.o tick-sched.o +-obj-$(CONFIG_TIMER_STATS) += timer_stats.o + obj-$(CONFIG_DEBUG_FS) += timekeeping_debug.o + obj-$(CONFIG_TEST_UDELAY) += test_udelay.o +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index c6ecedd..edabde6 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -766,34 +766,6 @@ void hrtimers_resume(void) + 
clock_was_set_delayed(); + } + +-static inline void timer_stats_hrtimer_set_start_info(struct hrtimer *timer) +-{ +-#ifdef CONFIG_TIMER_STATS +- if (timer->start_site) +- return; +- timer->start_site = __builtin_return_address(0); +- memcpy(timer->start_comm, current->comm, TASK_COMM_LEN); +- timer->start_pid = current->pid; +-#endif +-} +- +-static inline void timer_stats_hrtimer_clear_start_info(struct hrtimer *timer) +-{ +-#ifdef CONFIG_TIMER_STATS +- timer->start_site = NULL; +-#endif +-} +- +-static inline void timer_stats_account_hrtimer(struct hrtimer *timer) +-{ +-#ifdef CONFIG_TIMER_STATS +- if (likely(!timer_stats_active)) +- return; +- timer_stats_update_stats(timer, timer->start_pid, timer->start_site, +- timer->function, timer->start_comm, 0); +-#endif +-} +- + /* + * Counterpart to lock_hrtimer_base above: + */ +@@ -932,7 +904,6 @@ remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base, bool rest + * rare case and less expensive than a smp call. + */ + debug_deactivate(timer); +- timer_stats_hrtimer_clear_start_info(timer); + reprogram = base->cpu_base == this_cpu_ptr(&hrtimer_bases); + + if (!restart) +@@ -990,8 +961,6 @@ void hrtimer_start_range_ns(struct hrtimer *timer, ktime_t tim, + /* Switch the timer base, if necessary: */ + new_base = switch_hrtimer_base(timer, base, mode & HRTIMER_MODE_PINNED); + +- timer_stats_hrtimer_set_start_info(timer); +- + leftmost = enqueue_hrtimer(timer, new_base); + if (!leftmost) + goto unlock; +@@ -1128,12 +1097,6 @@ static void __hrtimer_init(struct hrtimer *timer, clockid_t clock_id, + base = hrtimer_clockid_to_base(clock_id); + timer->base = &cpu_base->clock_base[base]; + timerqueue_init(&timer->node); +- +-#ifdef CONFIG_TIMER_STATS +- timer->start_site = NULL; +- timer->start_pid = -1; +- memset(timer->start_comm, 0, TASK_COMM_LEN); +-#endif + } + + /** +@@ -1217,7 +1180,6 @@ static void __run_hrtimer(struct hrtimer_cpu_base *cpu_base, + raw_write_seqcount_barrier(&cpu_base->seq); + + 
__remove_hrtimer(timer, base, HRTIMER_STATE_INACTIVE, 0); +- timer_stats_account_hrtimer(timer); + fn = timer->function; + + /* +diff --git a/kernel/time/timer.c b/kernel/time/timer.c +index ec33a69..82a6bfa 100644 +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -571,38 +571,6 @@ internal_add_timer(struct timer_base *base, struct timer_list *timer) + trigger_dyntick_cpu(base, timer); + } + +-#ifdef CONFIG_TIMER_STATS +-void __timer_stats_timer_set_start_info(struct timer_list *timer, void *addr) +-{ +- if (timer->start_site) +- return; +- +- timer->start_site = addr; +- memcpy(timer->start_comm, current->comm, TASK_COMM_LEN); +- timer->start_pid = current->pid; +-} +- +-static void timer_stats_account_timer(struct timer_list *timer) +-{ +- void *site; +- +- /* +- * start_site can be concurrently reset by +- * timer_stats_timer_clear_start_info() +- */ +- site = READ_ONCE(timer->start_site); +- if (likely(!site)) +- return; +- +- timer_stats_update_stats(timer, timer->start_pid, site, +- timer->function, timer->start_comm, +- timer->flags); +-} +- +-#else +-static void timer_stats_account_timer(struct timer_list *timer) {} +-#endif +- + #ifdef CONFIG_DEBUG_OBJECTS_TIMERS + + static struct debug_obj_descr timer_debug_descr; +@@ -789,11 +757,6 @@ static void do_init_timer(struct timer_list *timer, unsigned int flags, + { + timer->entry.pprev = NULL; + timer->flags = flags | raw_smp_processor_id(); +-#ifdef CONFIG_TIMER_STATS +- timer->start_site = NULL; +- timer->start_pid = -1; +- memset(timer->start_comm, 0, TASK_COMM_LEN); +-#endif + lockdep_init_map(&timer->lockdep_map, name, key, 0); + } + +@@ -1001,8 +964,6 @@ __mod_timer(struct timer_list *timer, unsigned long expires, bool pending_only) + base = lock_timer_base(timer, &flags); + } + +- timer_stats_timer_set_start_info(timer); +- + ret = detach_if_pending(timer, base, false); + if (!ret && pending_only) + goto out_unlock; +@@ -1130,7 +1091,6 @@ void add_timer_on(struct timer_list *timer, int cpu) + 
struct timer_base *new_base, *base; + unsigned long flags; + +- timer_stats_timer_set_start_info(timer); + BUG_ON(timer_pending(timer) || !timer->function); + + new_base = get_timer_cpu_base(timer->flags, cpu); +@@ -1176,7 +1136,6 @@ int del_timer(struct timer_list *timer) + + debug_assert_init(timer); + +- timer_stats_timer_clear_start_info(timer); + if (timer_pending(timer)) { + base = lock_timer_base(timer, &flags); + ret = detach_if_pending(timer, base, true); +@@ -1204,10 +1163,9 @@ int try_to_del_timer_sync(struct timer_list *timer) + + base = lock_timer_base(timer, &flags); + +- if (base->running_timer != timer) { +- timer_stats_timer_clear_start_info(timer); ++ if (base->running_timer != timer) + ret = detach_if_pending(timer, base, true); +- } ++ + spin_unlock_irqrestore(&base->lock, flags); + + return ret; +@@ -1331,7 +1289,6 @@ static void expire_timers(struct timer_base *base, struct hlist_head *head) + unsigned long data; + + timer = hlist_entry(head->first, struct timer_list, entry); +- timer_stats_account_timer(timer); + + base->running_timer = timer; + detach_timer(timer, true); +@@ -1868,7 +1825,6 @@ static void __init init_timer_cpus(void) + void __init init_timers(void) + { + init_timer_cpus(); +- init_timer_stats(); + open_softirq(TIMER_SOFTIRQ, run_timer_softirq); + } + +diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c +index afe6cd1..387a3a5 100644 +--- a/kernel/time/timer_list.c ++++ b/kernel/time/timer_list.c +@@ -62,21 +62,11 @@ static void + print_timer(struct seq_file *m, struct hrtimer *taddr, struct hrtimer *timer, + int idx, u64 now) + { +-#ifdef CONFIG_TIMER_STATS +- char tmp[TASK_COMM_LEN + 1]; +-#endif + SEQ_printf(m, " #%d: ", idx); + print_name_offset(m, taddr); + SEQ_printf(m, ", "); + print_name_offset(m, timer->function); + SEQ_printf(m, ", S:%02x", timer->state); +-#ifdef CONFIG_TIMER_STATS +- SEQ_printf(m, ", "); +- print_name_offset(m, timer->start_site); +- memcpy(tmp, timer->start_comm, TASK_COMM_LEN); +- 
tmp[TASK_COMM_LEN] = 0; +- SEQ_printf(m, ", %s/%d", tmp, timer->start_pid); +-#endif + SEQ_printf(m, "\n"); + SEQ_printf(m, " # expires at %Lu-%Lu nsecs [in %Ld to %Ld nsecs]\n", + (unsigned long long)ktime_to_ns(hrtimer_get_softexpires(timer)), +diff --git a/kernel/time/timer_stats.c b/kernel/time/timer_stats.c +deleted file mode 100644 +index afddded..0000000 +--- a/kernel/time/timer_stats.c ++++ /dev/null +@@ -1,425 +0,0 @@ +-/* +- * kernel/time/timer_stats.c +- * +- * Collect timer usage statistics. +- * +- * Copyright(C) 2006, Red Hat, Inc., Ingo Molnar +- * Copyright(C) 2006 Timesys Corp., Thomas Gleixner +- * +- * timer_stats is based on timer_top, a similar functionality which was part of +- * Con Kolivas dyntick patch set. It was developed by Daniel Petrini at the +- * Instituto Nokia de Tecnologia - INdT - Manaus. timer_top's design was based +- * on dynamic allocation of the statistics entries and linear search based +- * lookup combined with a global lock, rather than the static array, hash +- * and per-CPU locking which is used by timer_stats. It was written for the +- * pre hrtimer kernel code and therefore did not take hrtimers into account. +- * Nevertheless it provided the base for the timer_stats implementation and +- * was a helpful source of inspiration. Kudos to Daniel and the Nokia folks +- * for this effort. +- * +- * timer_top.c is +- * Copyright (C) 2005 Instituto Nokia de Tecnologia - INdT - Manaus +- * Written by Daniel Petrini +- * timer_top.c was released under the GNU General Public License version 2 +- * +- * We export the addresses and counting of timer functions being called, +- * the pid and cmdline from the owner process if applicable. 
+- * +- * Start/stop data collection: +- * # echo [1|0] >/proc/timer_stats +- * +- * Display the information collected so far: +- * # cat /proc/timer_stats +- * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License version 2 as +- * published by the Free Software Foundation. +- */ +- +-#include +-#include +-#include +-#include +-#include +-#include +- +-#include +- +-/* +- * This is our basic unit of interest: a timer expiry event identified +- * by the timer, its start/expire functions and the PID of the task that +- * started the timer. We count the number of times an event happens: +- */ +-struct entry { +- /* +- * Hash list: +- */ +- struct entry *next; +- +- /* +- * Hash keys: +- */ +- void *timer; +- void *start_func; +- void *expire_func; +- pid_t pid; +- +- /* +- * Number of timeout events: +- */ +- unsigned long count; +- u32 flags; +- +- /* +- * We save the command-line string to preserve +- * this information past task exit: +- */ +- char comm[TASK_COMM_LEN + 1]; +- +-} ____cacheline_aligned_in_smp; +- +-/* +- * Spinlock protecting the tables - not taken during lookup: +- */ +-static DEFINE_RAW_SPINLOCK(table_lock); +- +-/* +- * Per-CPU lookup locks for fast hash lookup: +- */ +-static DEFINE_PER_CPU(raw_spinlock_t, tstats_lookup_lock); +- +-/* +- * Mutex to serialize state changes with show-stats activities: +- */ +-static DEFINE_MUTEX(show_mutex); +- +-/* +- * Collection status, active/inactive: +- */ +-int __read_mostly timer_stats_active; +- +-/* +- * Beginning/end timestamps of measurement: +- */ +-static ktime_t time_start, time_stop; +- +-/* +- * tstat entry structs only get allocated while collection is +- * active and never freed during that time - this simplifies +- * things quite a bit. +- * +- * They get freed when a new collection period is started. 
+- */ +-#define MAX_ENTRIES_BITS 10 +-#define MAX_ENTRIES (1UL << MAX_ENTRIES_BITS) +- +-static unsigned long nr_entries; +-static struct entry entries[MAX_ENTRIES]; +- +-static atomic_t overflow_count; +- +-/* +- * The entries are in a hash-table, for fast lookup: +- */ +-#define TSTAT_HASH_BITS (MAX_ENTRIES_BITS - 1) +-#define TSTAT_HASH_SIZE (1UL << TSTAT_HASH_BITS) +-#define TSTAT_HASH_MASK (TSTAT_HASH_SIZE - 1) +- +-#define __tstat_hashfn(entry) \ +- (((unsigned long)(entry)->timer ^ \ +- (unsigned long)(entry)->start_func ^ \ +- (unsigned long)(entry)->expire_func ^ \ +- (unsigned long)(entry)->pid ) & TSTAT_HASH_MASK) +- +-#define tstat_hashentry(entry) (tstat_hash_table + __tstat_hashfn(entry)) +- +-static struct entry *tstat_hash_table[TSTAT_HASH_SIZE] __read_mostly; +- +-static void reset_entries(void) +-{ +- nr_entries = 0; +- memset(entries, 0, sizeof(entries)); +- memset(tstat_hash_table, 0, sizeof(tstat_hash_table)); +- atomic_set(&overflow_count, 0); +-} +- +-static struct entry *alloc_entry(void) +-{ +- if (nr_entries >= MAX_ENTRIES) +- return NULL; +- +- return entries + nr_entries++; +-} +- +-static int match_entries(struct entry *entry1, struct entry *entry2) +-{ +- return entry1->timer == entry2->timer && +- entry1->start_func == entry2->start_func && +- entry1->expire_func == entry2->expire_func && +- entry1->pid == entry2->pid; +-} +- +-/* +- * Look up whether an entry matching this item is present +- * in the hash already. 
Must be called with irqs off and the +- * lookup lock held: +- */ +-static struct entry *tstat_lookup(struct entry *entry, char *comm) +-{ +- struct entry **head, *curr, *prev; +- +- head = tstat_hashentry(entry); +- curr = *head; +- +- /* +- * The fastpath is when the entry is already hashed, +- * we do this with the lookup lock held, but with the +- * table lock not held: +- */ +- while (curr) { +- if (match_entries(curr, entry)) +- return curr; +- +- curr = curr->next; +- } +- /* +- * Slowpath: allocate, set up and link a new hash entry: +- */ +- prev = NULL; +- curr = *head; +- +- raw_spin_lock(&table_lock); +- /* +- * Make sure we have not raced with another CPU: +- */ +- while (curr) { +- if (match_entries(curr, entry)) +- goto out_unlock; +- +- prev = curr; +- curr = curr->next; +- } +- +- curr = alloc_entry(); +- if (curr) { +- *curr = *entry; +- curr->count = 0; +- curr->next = NULL; +- memcpy(curr->comm, comm, TASK_COMM_LEN); +- +- smp_mb(); /* Ensure that curr is initialized before insert */ +- +- if (prev) +- prev->next = curr; +- else +- *head = curr; +- } +- out_unlock: +- raw_spin_unlock(&table_lock); +- +- return curr; +-} +- +-/** +- * timer_stats_update_stats - Update the statistics for a timer. +- * @timer: pointer to either a timer_list or a hrtimer +- * @pid: the pid of the task which set up the timer +- * @startf: pointer to the function which did the timer setup +- * @timerf: pointer to the timer callback function of the timer +- * @comm: name of the process which set up the timer +- * @tflags: The flags field of the timer +- * +- * When the timer is already registered, then the event counter is +- * incremented. Otherwise the timer is registered in a free slot. 
+- */ +-void timer_stats_update_stats(void *timer, pid_t pid, void *startf, +- void *timerf, char *comm, u32 tflags) +-{ +- /* +- * It doesn't matter which lock we take: +- */ +- raw_spinlock_t *lock; +- struct entry *entry, input; +- unsigned long flags; +- +- if (likely(!timer_stats_active)) +- return; +- +- lock = &per_cpu(tstats_lookup_lock, raw_smp_processor_id()); +- +- input.timer = timer; +- input.start_func = startf; +- input.expire_func = timerf; +- input.pid = pid; +- input.flags = tflags; +- +- raw_spin_lock_irqsave(lock, flags); +- if (!timer_stats_active) +- goto out_unlock; +- +- entry = tstat_lookup(&input, comm); +- if (likely(entry)) +- entry->count++; +- else +- atomic_inc(&overflow_count); +- +- out_unlock: +- raw_spin_unlock_irqrestore(lock, flags); +-} +- +-static void print_name_offset(struct seq_file *m, unsigned long addr) +-{ +- char symname[KSYM_NAME_LEN]; +- +- if (lookup_symbol_name(addr, symname) < 0) +- seq_printf(m, "<%p>", (void *)addr); +- else +- seq_printf(m, "%s", symname); +-} +- +-static int tstats_show(struct seq_file *m, void *v) +-{ +- struct timespec64 period; +- struct entry *entry; +- unsigned long ms; +- long events = 0; +- ktime_t time; +- int i; +- +- mutex_lock(&show_mutex); +- /* +- * If still active then calculate up to now: +- */ +- if (timer_stats_active) +- time_stop = ktime_get(); +- +- time = ktime_sub(time_stop, time_start); +- +- period = ktime_to_timespec64(time); +- ms = period.tv_nsec / 1000000; +- +- seq_puts(m, "Timer Stats Version: v0.3\n"); +- seq_printf(m, "Sample period: %ld.%03ld s\n", (long)period.tv_sec, ms); +- if (atomic_read(&overflow_count)) +- seq_printf(m, "Overflow: %d entries\n", atomic_read(&overflow_count)); +- seq_printf(m, "Collection: %s\n", timer_stats_active ? 
"active" : "inactive"); +- +- for (i = 0; i < nr_entries; i++) { +- entry = entries + i; +- if (entry->flags & TIMER_DEFERRABLE) { +- seq_printf(m, "%4luD, %5d %-16s ", +- entry->count, entry->pid, entry->comm); +- } else { +- seq_printf(m, " %4lu, %5d %-16s ", +- entry->count, entry->pid, entry->comm); +- } +- +- print_name_offset(m, (unsigned long)entry->start_func); +- seq_puts(m, " ("); +- print_name_offset(m, (unsigned long)entry->expire_func); +- seq_puts(m, ")\n"); +- +- events += entry->count; +- } +- +- ms += period.tv_sec * 1000; +- if (!ms) +- ms = 1; +- +- if (events && period.tv_sec) +- seq_printf(m, "%ld total events, %ld.%03ld events/sec\n", +- events, events * 1000 / ms, +- (events * 1000000 / ms) % 1000); +- else +- seq_printf(m, "%ld total events\n", events); +- +- mutex_unlock(&show_mutex); +- +- return 0; +-} +- +-/* +- * After a state change, make sure all concurrent lookup/update +- * activities have stopped: +- */ +-static void sync_access(void) +-{ +- unsigned long flags; +- int cpu; +- +- for_each_online_cpu(cpu) { +- raw_spinlock_t *lock = &per_cpu(tstats_lookup_lock, cpu); +- +- raw_spin_lock_irqsave(lock, flags); +- /* nothing */ +- raw_spin_unlock_irqrestore(lock, flags); +- } +-} +- +-static ssize_t tstats_write(struct file *file, const char __user *buf, +- size_t count, loff_t *offs) +-{ +- char ctl[2]; +- +- if (count != 2 || *offs) +- return -EINVAL; +- +- if (copy_from_user(ctl, buf, count)) +- return -EFAULT; +- +- mutex_lock(&show_mutex); +- switch (ctl[0]) { +- case '0': +- if (timer_stats_active) { +- timer_stats_active = 0; +- time_stop = ktime_get(); +- sync_access(); +- } +- break; +- case '1': +- if (!timer_stats_active) { +- reset_entries(); +- time_start = ktime_get(); +- smp_mb(); +- timer_stats_active = 1; +- } +- break; +- default: +- count = -EINVAL; +- } +- mutex_unlock(&show_mutex); +- +- return count; +-} +- +-static int tstats_open(struct inode *inode, struct file *filp) +-{ +- return single_open(filp, 
tstats_show, NULL); +-} +- +-static const struct file_operations tstats_fops = { +- .open = tstats_open, +- .read = seq_read, +- .write = tstats_write, +- .llseek = seq_lseek, +- .release = single_release, +-}; +- +-void __init init_timer_stats(void) +-{ +- int cpu; +- +- for_each_possible_cpu(cpu) +- raw_spin_lock_init(&per_cpu(tstats_lookup_lock, cpu)); +-} +- +-static int __init init_tstats_procfs(void) +-{ +- struct proc_dir_entry *pe; +- +- pe = proc_create("timer_stats", 0644, NULL, &tstats_fops); +- if (!pe) +- return -ENOMEM; +- return 0; +-} +-__initcall(init_tstats_procfs); +diff --git a/kernel/workqueue.c b/kernel/workqueue.c +index 1d9fb65..072cbc9 100644 +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -1523,8 +1523,6 @@ static void __queue_delayed_work(int cpu, struct workqueue_struct *wq, + return; + } + +- timer_stats_timer_set_start_info(&dwork->timer); +- + dwork->wq = wq; + dwork->cpu = cpu; + timer->expires = jiffies + delay; +diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug +index eb9e9a7..132af33 100644 +--- a/lib/Kconfig.debug ++++ b/lib/Kconfig.debug +@@ -980,20 +980,6 @@ config DEBUG_TIMEKEEPING + + If unsure, say N. + +-config TIMER_STATS +- bool "Collect kernel timers statistics" +- depends on DEBUG_KERNEL && PROC_FS +- help +- If you say Y here, additional code will be inserted into the +- timer routines to collect statistics about kernel timers being +- reprogrammed. The statistics can be read from /proc/timer_stats. +- The statistics collection is started by writing 1 to /proc/timer_stats, +- writing 0 stops it. This feature is useful to collect information +- about timer usage patterns in kernel and userspace. This feature +- is lightweight if enabled in the kernel config but not activated +- (it defaults to deactivated on bootup and will only be activated +- if some application like powertop activates it explicitly). 
+- + config DEBUG_PREEMPT + bool "Debug preemptible kernel" + depends on DEBUG_KERNEL && PREEMPT && TRACE_IRQFLAGS_SUPPORT +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-5970/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-5970/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-5970/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-5970/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-5972/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-5972/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-5972/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-5972/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-5986/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-5986/^4.9/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-5986/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-5986/^4.9/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6001/3.4/0.patch b/Patches/Linux_CVEs/CVE-2017-6001/ANY/0001.patch similarity index 88% rename from Patches/Linux_CVEs/CVE-2017-6001/3.4/0.patch rename to Patches/Linux_CVEs/CVE-2017-6001/ANY/0001.patch index a9442471..c4fd6944 100644 --- a/Patches/Linux_CVEs/CVE-2017-6001/3.4/0.patch +++ b/Patches/Linux_CVEs/CVE-2017-6001/ANY/0001.patch @@ -1,9 +1,11 @@ -From 9eb0e01be831d0f37ea6278a92c32424141f55fb Mon Sep 17 00:00:00 2001 +From 857ea07fb0096e0964ced18ad85a1d9591562114 Mon Sep 17 00:00:00 2001 From: Peter Zijlstra Date: Wed, 11 Jan 2017 21:09:50 +0100 -Subject: perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race +Subject: [PATCH] perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race commit 321027c1fe77f892f4ea07846aeae08cefbbb290 upstream. +commit fe525a280e8b5f04c7666fe22d1a4ef592f7b953 in 3.16.40 +bug: 37901413 Di Shen reported a race between two concurrent sys_perf_event_open() calls where both try and move the same pre-existing software group 
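Review bot: The description in `^4.9/0003.patch` documents only the `/proc/timer_list` path (`print_timer()` printing `timer->start_pid`), but the deleted `kernel/time/timer_stats.c` shows a second one. `init_tstats_procfs()` creates `/proc/timer_stats` with mode `0644`, and `tstats_show()` prints `entry->pid` and `entry->comm` for every recorded timer. Someone checking whether a kernel is still exposed should look at both files, so I would add a line to the patch header such as `Also removes /proc/timer_stats (0644), which printed the same pid/comm pairs`. That matters most for trees that only receive the defconfig change, where the code stays in the source and is merely compiled out.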
@@ -46,21 +48,20 @@ Cc: Vince Weaver Fixes: f63a8daa5812 ("perf: Fix event->ctx locking") Link: http://lkml.kernel.org/r/20170106131444.GZ3174@twins.programming.kicks-ass.net Signed-off-by: Ingo Molnar -[bwh: Backported to 3.2: +[bwh: Backported to 3.16: - Use ACCESS_ONCE() instead of READ_ONCE() - Test perf_event::group_flags instead of group_caps - Add the err_locked cleanup block, which we didn't need before - Adjust context] Signed-off-by: Ben Hutchings +Signed-off-by: Suren Baghdasaryan --- - kernel/events/core.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++---- - 1 file changed, 57 insertions(+), 4 deletions(-) diff --git a/kernel/events/core.c b/kernel/events/core.c -index a301c68..49a1db4 100644 +index 1a0530f..1c53a5c 100644 --- a/kernel/events/core.c +++ b/kernel/events/core.c -@@ -6474,6 +6474,37 @@ static void mutex_lock_double(struct mutex *a, struct mutex *b) +@@ -7440,6 +7440,37 @@ mutex_lock_nested(b, SINGLE_DEPTH_NESTING); } @@ -98,7 +99,7 @@ index a301c68..49a1db4 100644 /** * sys_perf_event_open - open a performance event, associate it to a task/cpu * -@@ -6661,14 +6692,31 @@ SYSCALL_DEFINE5(perf_event_open, +@@ -7656,14 +7687,31 @@ } if (move_group) { @@ -133,7 +134,7 @@ index a301c68..49a1db4 100644 perf_remove_from_context(group_leader, false); /* -@@ -6710,7 +6758,7 @@ SYSCALL_DEFINE5(perf_event_open, +@@ -7704,7 +7752,7 @@ perf_unpin_context(ctx); if (move_group) { @@ -142,7 +143,7 @@ index a301c68..49a1db4 100644 put_ctx(gctx); } mutex_unlock(&ctx->mutex); -@@ -6737,6 +6785,11 @@ SYSCALL_DEFINE5(perf_event_open, +@@ -7733,6 +7781,11 @@ fd_install(event_fd, event_file); return event_fd; @@ -154,6 +155,3 @@ index a301c68..49a1db4 100644 err_context: perf_unpin_context(ctx); put_ctx(ctx); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-6001/ANY/0001.patch.base64 b/Patches/Linux_CVEs/CVE-2017-6001/ANY/0001.patch.base64 new file mode 100644 index 00000000..feef43bd --- /dev/null 
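Review bot: The replacement patch is a 3.16 backport, yet the rename moves it from the version-scoped `3.4/` directory to `ANY/`. Its own changelog says it tests `perf_event::group_flags` instead of `group_caps` and uses `ACCESS_ONCE()` instead of `READ_ONCE()`, so on trees that already carry `group_caps` it will presumably fail to apply or to build. The rewritten inner hunk headers (`@@ -7440,6 +7440,37 @@` and the following ones) also lose the function context and the diffstat, which makes a hunk that lands in the wrong place harder to notice. I would keep this variant under a version-scoped directory rather than `ANY/`, and state the kernel range it was generated against in the patch description.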
+++ b/Patches/Linux_CVEs/CVE-2017-6001/ANY/0001.patch.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-6074/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-6074/ANY/0.patch deleted file mode 100644 index e833c55a..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6074/ANY/0.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 Mon Sep 17 00:00:00 2001 -From: Andrey Konovalov -Date: Thu, 16 Feb 2017 17:22:46 +0100 -Subject: [PATCH] dccp: fix freeing skb too early for IPV6_RECVPKTINFO - -In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet -is forcibly freed via __kfree_skb in dccp_rcv_state_process if -dccp_v6_conn_request successfully returns. - -However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb -is saved to ireq->pktopts and the ref count for skb is incremented in -dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed -in dccp_rcv_state_process. - -Fix by calling consume_skb instead of doing goto discard and therefore -calling __kfree_skb. - -Similar fixes for TCP: - -fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed. -0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now -simply consumed - -Signed-off-by: Andrey Konovalov -Acked-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/dccp/input.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/dccp/input.c b/net/dccp/input.c -index ba347184bda9b..8fedc2d497709 100644 ---- a/net/dccp/input.c -+++ b/net/dccp/input.c -@@ -606,7 +606,8 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, - if (inet_csk(sk)->icsk_af_ops->conn_request(sk, - skb) < 0) - return 1; -- goto discard; -+ consume_skb(skb); -+ return 0; - } - if (dh->dccph_type == DCCP_PKT_RESET) - goto discard; 
diff --git a/Patches/Linux_CVEs/CVE-2017-6074/ANY/1.patch.dupe b/Patches/Linux_CVEs/CVE-2017-6074/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6074/ANY/1.patch.dupe rename to Patches/Linux_CVEs/CVE-2017-6074/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6214/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-6214/ANY/0.patch deleted file mode 100644 index 81b25ec3..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6214/ANY/0.patch +++ /dev/null @@ -1,42 +0,0 @@ -From ccf7abb93af09ad0868ae9033d1ca8108bdaec82 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Fri, 3 Feb 2017 14:59:38 -0800 -Subject: [PATCH] tcp: avoid infinite loop in tcp_splice_read() - -Splicing from TCP socket is vulnerable when a packet with URG flag is -received and stored into receive queue. - -__tcp_splice_read() returns 0, and sk_wait_data() immediately -returns since there is the problematic skb in queue. - -This is a nice way to burn cpu (aka infinite loop) and trigger -soft lockups. - -Again, this gem was found by syzkaller tool. - -Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.") -Signed-off-by: Eric Dumazet -Reported-by: Dmitry Vyukov -Cc: Willy Tarreau -Signed-off-by: David S. Miller ---- - net/ipv4/tcp.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 4a044964da667..0efb4c7f6704f 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -770,6 +770,12 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos, - ret = -EAGAIN; - break; - } -+ /* if __tcp_splice_read() got nothing while we have -+ * an skb in receive queue, we do not want to loop. -+ * This might happen with URG data. -+ */ -+ if (!skb_queue_empty(&sk->sk_receive_queue)) -+ break; - sk_wait_data(sk, &timeo, NULL); - if (signal_pending(current)) { - ret = sock_intr_errno(timeo); 
diff --git a/Patches/Linux_CVEs/CVE-2017-6214/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-6214/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6214/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2017-6214/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6345/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-6345/^4.9/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6345/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-6345/^4.9/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6346/3.18/1.patch b/Patches/Linux_CVEs/CVE-2017-6346/3.18/1.patch deleted file mode 100644 index 665dc9ea..00000000 --- a/Patches/Linux_CVEs/CVE-2017-6346/3.18/1.patch +++ /dev/null @@ -1,53 +0,0 @@ -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 05cfee7..2ae5ae2 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -1429,13 +1429,16 @@ - return -EINVAL; - } - -- if (!po->running) -- return -EINVAL; -- -- if (po->fanout) -- return -EALREADY; -- - mutex_lock(&fanout_mutex); -+ -+ err = -EINVAL; -+ if (!po->running) -+ goto out; -+ -+ err = -EALREADY; -+ if (po->fanout) -+ goto out; -+ - match = NULL; - list_for_each_entry(f, &fanout_list, list) { - if (f->id == id && -@@ -1491,17 +1494,16 @@ - struct packet_sock *po = pkt_sk(sk); - struct packet_fanout *f; - -- f = po->fanout; -- if (!f) -- return; -- - mutex_lock(&fanout_mutex); -- po->fanout = NULL; -+ f = po->fanout; -+ if (f) { -+ po->fanout = NULL; - -- if (atomic_dec_and_test(&f->sk_ref)) { -- list_del(&f->list); -- dev_remove_pack(&f->prot_hook); -- kfree(f); -+ if (atomic_dec_and_test(&f->sk_ref)) { -+ list_del(&f->list); -+ dev_remove_pack(&f->prot_hook); -+ kfree(f); -+ } - } - mutex_unlock(&fanout_mutex); - } diff --git a/Patches/Linux_CVEs/CVE-2017-6346/3.18/1.patch.base64 b/Patches/Linux_CVEs/CVE-2017-6346/3.18/1.patch.base64 deleted file mode 100644 index 57eacd49..00000000 
--- a/Patches/Linux_CVEs/CVE-2017-6346/3.18/1.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -ZGlmZiAtLWdpdCBhL25ldC9wYWNrZXQvYWZfcGFja2V0LmMgYi9uZXQvcGFja2V0L2FmX3BhY2tldC5jCmluZGV4IDA1Y2ZlZTcuLjJhZTVhZTIgMTAwNjQ0Ci0tLSBhL25ldC9wYWNrZXQvYWZfcGFja2V0LmMKKysrIGIvbmV0L3BhY2tldC9hZl9wYWNrZXQuYwpAQCAtMTQyOSwxMyArMTQyOSwxNiBAQAogCQlyZXR1cm4gLUVJTlZBTDsKIAl9CiAKLQlpZiAoIXBvLT5ydW5uaW5nKQotCQlyZXR1cm4gLUVJTlZBTDsKLQotCWlmIChwby0+ZmFub3V0KQotCQlyZXR1cm4gLUVBTFJFQURZOwotCiAJbXV0ZXhfbG9jaygmZmFub3V0X211dGV4KTsKKworCWVyciA9IC1FSU5WQUw7CisJaWYgKCFwby0+cnVubmluZykKKwkJZ290byBvdXQ7CisKKwllcnIgPSAtRUFMUkVBRFk7CisJaWYgKHBvLT5mYW5vdXQpCisJCWdvdG8gb3V0OworCiAJbWF0Y2ggPSBOVUxMOwogCWxpc3RfZm9yX2VhY2hfZW50cnkoZiwgJmZhbm91dF9saXN0LCBsaXN0KSB7CiAJCWlmIChmLT5pZCA9PSBpZCAmJgpAQCAtMTQ5MSwxNyArMTQ5NCwxNiBAQAogCXN0cnVjdCBwYWNrZXRfc29jayAqcG8gPSBwa3Rfc2soc2spOwogCXN0cnVjdCBwYWNrZXRfZmFub3V0ICpmOwogCi0JZiA9IHBvLT5mYW5vdXQ7Ci0JaWYgKCFmKQotCQlyZXR1cm47Ci0KIAltdXRleF9sb2NrKCZmYW5vdXRfbXV0ZXgpOwotCXBvLT5mYW5vdXQgPSBOVUxMOworCWYgPSBwby0+ZmFub3V0OworCWlmIChmKSB7CisJCXBvLT5mYW5vdXQgPSBOVUxMOwogCi0JaWYgKGF0b21pY19kZWNfYW5kX3Rlc3QoJmYtPnNrX3JlZikpIHsKLQkJbGlzdF9kZWwoJmYtPmxpc3QpOwotCQlkZXZfcmVtb3ZlX3BhY2soJmYtPnByb3RfaG9vayk7Ci0JCWtmcmVlKGYpOworCQlpZiAoYXRvbWljX2RlY19hbmRfdGVzdCgmZi0+c2tfcmVmKSkgeworCQkJbGlzdF9kZWwoJmYtPmxpc3QpOworCQkJZGV2X3JlbW92ZV9wYWNrKCZmLT5wcm90X2hvb2spOworCQkJa2ZyZWUoZik7CisJCX0KIAl9CiAJbXV0ZXhfdW5sb2NrKCZmYW5vdXRfbXV0ZXgpOwogfQo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-6346/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-6346/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6346/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-6346/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6347/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-6347/^4.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6347/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-6347/^4.10/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2017-6348/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-6348/^4.9/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6348/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-6348/^4.9/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6353/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-6353/^4.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6353/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-6353/^4.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6421/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-6421/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6421/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-6421/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6423/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-6423/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6423/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-6423/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6424/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-6424/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6424/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-6424/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6424/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-6424/ANY/0002.patch new file mode 100644 index 00000000..6f2cfdad --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-6424/ANY/0002.patch 
@@ -0,0 +1,41 @@
+From 4e44b25b26a594aa8180827729d2b298c894fc5d Mon Sep 17 00:00:00 2001
+From: Nishank Aggarwal
+Date: Mon, 30 Jan 2017 15:32:32 +0530
+Subject: qcacld-3.0: Fix buffer overflow in WLANSAP_Set_WPARSNIes()
+
+qcacld-2.0 to qcacld-3.0 propagation
+
+Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen
+is user-controllable and never validates which uses as the length
+for a memory copy. This enables user-space applications to corrupt
+heap memory and potentially crash the kernel.
+
+Fix is to validate the WPARSNIes length to its max before use as the
+length for a memory copy.
+
+Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68
+CRs-Fixed: 1102648
+---
+ core/hdd/src/wlan_hdd_hostapd.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/core/hdd/src/wlan_hdd_hostapd.c b/core/hdd/src/wlan_hdd_hostapd.c
+index c01d6a6..78c9df6 100644
+--- a/core/hdd/src/wlan_hdd_hostapd.c
++++ b/core/hdd/src/wlan_hdd_hostapd.c
+@@ -4979,6 +4979,12 @@ static int __iw_set_ap_genie(struct net_device *dev,
+ return 0;
+ }
+
++ if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN) {
++ hdd_err("%s: WPARSN Ie input length is more than max[%d]",
++ __func__, wrqu->data.length);
++ return QDF_STATUS_E_INVAL;
++ }
++
+ switch (genie[0]) {
+ case DOT11F_EID_WPA:
+ case DOT11F_EID_RSN:
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-6424/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-6424/ANY/1.patch
deleted file mode 100644
index a91f45c3..00000000
--- a/Patches/Linux_CVEs/CVE-2017-6424/ANY/1.patch
+++ /dev/null
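Review bot: The new length check returns `QDF_STATUS_E_INVAL` from `__iw_set_ap_genie()`, which is declared `static int` and returns `0` on the path just above, so its caller presumably expects a negative errno rather than a driver status value. The prima variant of the same fix that this commit deletes (`ANY/1.patch`) used `return -EINVAL;`, and I would use the same here. The log message prints the supplied length inside `max[%d]`, which reads as if it were the limit; printing both the length and `DOT11F_IE_RSN_MAX_LEN` would be clearer. Note also that this patch targets `core/hdd/src/wlan_hdd_hostapd.c` while the deleted one targeted `CORE/HDD/src/wlan_hdd_hostapd.c`, so trees carrying the prima layout no longer get the bound check from this directory. The function body continues outside the hunk.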
@@ -1,50 +0,0 @@ -From 8cac3c4aac106b917e60e7aa7d4c4189e376913c Mon Sep 17 00:00:00 2001 -From: Nishank Aggarwal -Date: Fri, 10 Feb 2017 15:48:13 +0530 -Subject: wlan: Fix buffer overflow in WLANSAP_Set_WPARSNIes() - -qcacld-2.0 to prima propagation - -Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen -is user-controllable and never validates which uses as the length -for a memory copy. This enables user-space applications to corrupt -heap memory and potentially crash the kernel. - -Fix is to validate the WPARSNIes length to its max before use as the -length for a memory copy. - -Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68 -CRs-Fixed: 1102648 ---- - CORE/HDD/src/wlan_hdd_hostapd.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c -index 33f7d50..c0c5c14 100644 ---- a/CORE/HDD/src/wlan_hdd_hostapd.c -+++ b/CORE/HDD/src/wlan_hdd_hostapd.c -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2012-2016 The Linux Foundation. All rights reserved. -+ * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved. - * - * Previously licensed under the ISC license by Qualcomm Atheros, Inc. - * -@@ -4180,6 +4180,14 @@ static int __iw_set_ap_genie(struct net_device *dev, - return 0; - } - -+ if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN) -+ { -+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR, -+ "%s: WPARSN Ie input length is more than max[%d]", __func__, -+ wrqu->data.length); -+ return -EINVAL; -+ } -+ - switch (genie[0]) - { - case DOT11F_EID_WPA: --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-6425/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-6425/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6425/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-6425/ANY/0001.patch 
diff --git a/Patches/Linux_CVEs/CVE-2017-6426/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-6426/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6426/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-6426/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6874/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-6874/^4.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6874/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-6874/^4.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-6951/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-6951/^3.14/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-6951/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-6951/^3.14/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-7184/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7184/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-7184/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-7184/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-7184/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-7184/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-7184/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2017-7184/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-7187/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7187/ANY/0.patch deleted file mode 100644 index 818fca1d..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7187/ANY/0.patch +++ /dev/null @@ -1,54 +0,0 @@ - - - -kernel/git/torvalds/linux.git - Linux kernel source tree - - - - - - - - - - -
- - - - -
-aboutsummaryrefslogtreecommitdiffstats
- - - -
-
-
diff options
context:
space:
mode:
- - - - -
authorpeter chang <dpf@google.com>2017-02-15 14:11:54 -0800
committerMartin K. Petersen <martin.petersen@oracle.com>2017-03-16 19:46:33 -0400
commitbf33f87dd04c371ea33feb821b60d63d754e3124 (patch)
tree4207379ccff4dd625ff04a3cbc44fddfe819fac9
parent645b8ef5943f95b74240568105ce2be21c6640b4 (diff)
downloadlinux-bf33f87dd04c371ea33feb821b60d63d754e3124.tar.gz
-
scsi: sg: check length passed to SG_NEXT_CMD_LEN
The user can control the size of the next command passed along, but the -value passed to the ioctl isn't checked against the usable max command -size. - -Cc: <stable@vger.kernel.org> -Signed-off-by: Peter Chang <dpf@google.com> -Acked-by: Douglas Gilbert <dgilbert@interlog.com> -Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> -
-
-rw-r--r--drivers/scsi/sg.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index e831e01..849ff810 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -996,6 +996,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
result = get_user(val, ip);
if (result)
return result;
+ if (val > SG_MAX_CDB_SIZE)
+ return -ENOMEM;
sfp->next_cmd_len = (val > 0) ? val : 0;
return 0;
case SG_GET_VERSION_NUM:
- -
- - diff --git a/Patches/Linux_CVEs/CVE-2017-7187/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7187/ANY/0001.patch new file mode 100644 index 00000000..c36739f0 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7187/ANY/0001.patch @@ -0,0 +1,33 @@ +From bf33f87dd04c371ea33feb821b60d63d754e3124 Mon Sep 17 00:00:00 2001 +From: peter chang +Date: Wed, 15 Feb 2017 14:11:54 -0800 +Subject: scsi: sg: check length passed to SG_NEXT_CMD_LEN + +The user can control the size of the next command passed along, but the +value passed to the ioctl isn't checked against the usable max command +size. + +Cc: +Signed-off-by: Peter Chang +Acked-by: Douglas Gilbert +Signed-off-by: Martin K. Petersen +--- + drivers/scsi/sg.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c +index e831e01..849ff810 100644 +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -996,6 +996,8 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg) + result = get_user(val, ip); + if (result) + return result; ++ if (val > SG_MAX_CDB_SIZE) ++ return -ENOMEM; + sfp->next_cmd_len = (val > 0) ? val : 0; + return 0; + case SG_GET_VERSION_NUM: +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-7277/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7277/^4.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-7277/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-7277/^4.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-7277/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-7277/^4.10/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-7277/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2017-7277/^4.10/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-7308/3.18/0.patch b/Patches/Linux_CVEs/CVE-2017-7308/3.18/0.patch deleted file mode 100644 index e1efaa13..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7308/3.18/0.patch +++ /dev/null 
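Review bot: The added check in the `SG_NEXT_CMD_LEN` case rejects an oversized value with `-ENOMEM`, although nothing is allocated on this path and the value is simply out of range. `-EINVAL` would describe the failure to the caller more accurately: `if (val > SG_MAX_CDB_SIZE) return -EINVAL;`. If the errno is kept to stay identical to the referenced commit, a one-line comment saying so, such as `/* errno kept as in the original fix */`, would stop a later reader from "correcting" it in only some of the trees this patch is applied to. `sg_ioctl()` starts and ends outside the hunk.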
@@ -1,15 +0,0 @@ -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index bcd8142..86b3e2f 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -3808,8 +3808,8 @@ - if (unlikely(req->tp_block_size & (PAGE_SIZE - 1))) - goto out; - if (po->tp_version >= TPACKET_V3 && -- (int)(req->tp_block_size - -- BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0) -+ req->tp_block_size <= -+ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv)) - goto out; - if (unlikely(req->tp_frame_size < po->tp_hdrlen + - po->tp_reserve)) diff --git a/Patches/Linux_CVEs/CVE-2017-7308/3.18/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7308/3.18/0.patch.base64 deleted file mode 100644 index c19832cd..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7308/3.18/0.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7308/3.18/1.patch b/Patches/Linux_CVEs/CVE-2017-7308/3.18/1.patch deleted file mode 100644 index f6203084..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7308/3.18/1.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 86b3e2f..9c80212 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -3820,6 +3820,8 @@ - rb->frames_per_block = req->tp_block_size/req->tp_frame_size; - if (unlikely(rb->frames_per_block <= 0)) - goto out; -+ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr)) -+ goto out; - if (unlikely((rb->frames_per_block * req->tp_block_nr) != - req->tp_frame_nr)) - goto out; diff --git a/Patches/Linux_CVEs/CVE-2017-7308/3.18/1.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7308/3.18/1.patch.base64 deleted file mode 100644 index fc2a099a..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7308/3.18/1.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file 
diff --git a/Patches/Linux_CVEs/CVE-2017-7308/3.18/2.patch b/Patches/Linux_CVEs/CVE-2017-7308/3.18/2.patch deleted file mode 100644 index d268e7b0..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7308/3.18/2.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 9c80212..05cfee7 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -3314,6 +3314,8 @@ - return -EBUSY; - if (copy_from_user(&val, optval, sizeof(val))) - return -EFAULT; -+ if (val > INT_MAX) -+ return -EINVAL; - po->tp_reserve = val; - return 0; - } diff --git a/Patches/Linux_CVEs/CVE-2017-7308/3.18/2.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7308/3.18/2.patch.base64 deleted file mode 100644 index 1dfb5aab..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7308/3.18/2.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -ZGlmZiAtLWdpdCBhL25ldC9wYWNrZXQvYWZfcGFja2V0LmMgYi9uZXQvcGFja2V0L2FmX3BhY2tldC5jCmluZGV4IDljODAyMTIuLjA1Y2ZlZTcgMTAwNjQ0Ci0tLSBhL25ldC9wYWNrZXQvYWZfcGFja2V0LmMKKysrIGIvbmV0L3BhY2tldC9hZl9wYWNrZXQuYwpAQCAtMzMxNCw2ICszMzE0LDggQEAKIAkJCXJldHVybiAtRUJVU1k7CiAJCWlmIChjb3B5X2Zyb21fdXNlcigmdmFsLCBvcHR2YWwsIHNpemVvZih2YWwpKSkKIAkJCXJldHVybiAtRUZBVUxUOworCQlpZiAodmFsID4gSU5UX01BWCkKKwkJCXJldHVybiAtRUlOVkFMOwogCQlwby0+dHBfcmVzZXJ2ZSA9IHZhbDsKIAkJcmV0dXJuIDA7CiAJfQo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7308/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7308/ANY/0001.patch new file mode 100644 index 00000000..1992f96b --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7308/ANY/0001.patch 
@@ -0,0 +1,39 @@
+From 2b6867c2ce76c596676bec7d2d525af525fdc6e2 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov
+Date: Wed, 29 Mar 2017 16:11:20 +0200
+Subject: net/packet: fix overflow in check for priv area size
+
+Subtracting tp_sizeof_priv from tp_block_size and casting to int
+to check whether one is less then the other doesn't always work
+(both of them are unsigned ints).
+
+Compare them as is instead.
+
+Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
+it can overflow inside BLK_PLUS_PRIV otherwise.
+
+Signed-off-by: Andrey Konovalov
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+---
+ net/packet/af_packet.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index a0dbe7c..2323ee3 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4193,8 +4193,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
+ goto out;
+ if (po->tp_version >= TPACKET_V3 &&
+- (int)(req->tp_block_size -
+- BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
++ req->tp_block_size <=
++ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
+ goto out;
+ if (unlikely(req->tp_frame_size < po->tp_hdrlen +
+ po->tp_reserve))
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-7308/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-7308/ANY/0002.patch
new file mode 100644
index 00000000..d856dfa0
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-7308/ANY/0002.patch
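Review bot: The mainline patches added under `ANY/` (this one and `0002.patch`) carry context lines that differ from the `3.18/` backports this commit deletes, so on older trees the hunks will presumably be rejected and the overflow checks left unapplied. Here the hunk expects `if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))` where the deleted `3.18/0.patch` had `if (unlikely(req->tp_block_size & (PAGE_SIZE - 1)))`, and `0002.patch` expects `rb->frames_per_block == 0` where the 3.18 variant had `<= 0`. I would keep the version-specific variants next to the `ANY/` ones, or state in each patch description which kernel range the context was taken from. `packet_set_ring()` starts and ends outside the hunk.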
@@ -0,0 +1,36 @@
+From 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov
+Date: Wed, 29 Mar 2017 16:11:21 +0200
+Subject: net/packet: fix overflow in check for tp_frame_nr
+
+When calculating rb->frames_per_block * req->tp_block_nr the result
+can overflow.
+
+Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
+
+Since frames_per_block <= tp_block_size, the expression would
+never overflow.
+
+Signed-off-by: Andrey Konovalov
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 2323ee3..3ac286e 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -4205,6 +4205,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
+ rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
+ if (unlikely(rb->frames_per_block == 0))
+ goto out;
++ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
++ goto out;
+ if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
+ req->tp_frame_nr))
+ goto out;
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-7308/ANY/0003.patch b/Patches/Linux_CVEs/CVE-2017-7308/ANY/0003.patch
new file mode 100644
index 00000000..8065045a
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-7308/ANY/0003.patch
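Review bot: The added check divides by `req->tp_block_nr` (`UINT_MAX / req->tp_block_nr`), and nothing inside the hunk shows that the value is non-zero at this point. `packet_set_ring()` starts and ends outside the hunk, so the guard may well sit in an enclosing branch, but when this patch is applied to a tree with different surrounding code that assumption needs to be confirmed. A comment above the check would record the dependency, for example `/* tp_block_nr is non-zero here; see the enclosing test */`.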
@@ -0,0 +1,32 @@
+From bcc5364bdcfe131e6379363f089e7b4108d35b70 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov
+Date: Wed, 29 Mar 2017 16:11:22 +0200
+Subject: net/packet: fix overflow in check for tp_reserve
+
+When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
+
+Fix by checking that tp_reserve <= INT_MAX on assign.
+
+Signed-off-by: Andrey Konovalov
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+---
+ net/packet/af_packet.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index 3ac286e..8489bef 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -3665,6 +3665,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
+ return -EBUSY;
+ if (copy_from_user(&val, optval, sizeof(val)))
+ return -EFAULT;
++ if (val > INT_MAX)
++ return -EINVAL;
+ po->tp_reserve = val;
+ return 0;
+ }
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-7364/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7364/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-7364/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-7364/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-7366/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7366/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-7366/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-7366/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-7366/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-7366/ANY/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-7366/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2017-7366/ANY/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-7368/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7368/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-7368/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-7368/ANY/0001.patch
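Review bot: The added `if (val > INT_MAX)` only rejects anything when `val` has an unsigned type; if `val` were a plain `int`, the comparison could never be true and the check would be dead code. The declaration of `val` lies outside the hunk, so this cannot be confirmed from the patch alone and should be checked in each tree the patch is applied to. A short comment on the check would make the dependency explicit, for example `/* val is unsigned; keeps tp_hdrlen + tp_reserve from overflowing */`.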
diff --git a/Patches/Linux_CVEs/CVE-2017-7369/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-7369/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-7369/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2017-7369/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-7369/3.18/1.patch b/Patches/Linux_CVEs/CVE-2017-7369/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-7369/3.18/1.patch rename to Patches/Linux_CVEs/CVE-2017-7369/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-7369/4.4/0003.patch b/Patches/Linux_CVEs/CVE-2017-7369/4.4/0003.patch new file mode 100644 index 00000000..457e6d96 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7369/4.4/0003.patch 
@@ -0,0 +1,50 @@
+From 05f4374845738d2146075e77d9139e60a558de18 Mon Sep 17 00:00:00 2001
+From: Walter Yang
+Date: Thu, 2 Mar 2017 12:13:34 +0800
+Subject: ASoC: Add backend user count checking
+
+Add backend user count checking to protect the index
+boundary.
+
+Change-Id: Ic1b61d1f7130252cc54da0b16553858714988dbd
+CRs-Fixed: 2009216
+Signed-off-by: Walter Yang
+---
+ sound/soc/soc-compress.c | 5 +++++
+ sound/soc/soc-pcm.c | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c
+index eb894d0..736b9c4 100644
+--- a/sound/soc/soc-compress.c
++++ b/sound/soc/soc-compress.c
+@@ -527,6 +527,11 @@ static int soc_compr_set_params_fe(struct snd_compr_stream *cstream,
+ cstream, &async_domain);
+ } else {
+ be_list[j++] = be;
++ if (j == DPCM_MAX_BE_USERS) {
++ dev_dbg(fe->dev,
++ "ASoC: MAX backend users!\n");
++ break;
++ }
+ }
+ }
+ for (i = 0; i < j; i++) {
+diff --git a/sound/soc/soc-pcm.c b/sound/soc/soc-pcm.c
+index 13649f9..0ba9dfb 100644
+--- a/sound/soc/soc-pcm.c
++++ b/sound/soc/soc-pcm.c
+@@ -2403,6 +2403,10 @@ void dpcm_be_dai_prepare_async(struct snd_soc_pcm_runtime *fe, int stream,
+ dpcm, domain);
+ } else {
+ dpcm_async[i++] = dpcm;
++ if (i == DPCM_MAX_BE_USERS) {
++ dev_dbg(fe->dev, "ASoC: MAX backend users!\n");
++ break;
++ }
+ }
+ }
+
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-7370/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7370/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-7370/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-7370/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-7371/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7371/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-7371/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-7371/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-7371/ANY/1.patch.dupe b/Patches/Linux_CVEs/CVE-2017-7371/ANY/1.patch.dupe
deleted file mode 100644
index 19b01e18..00000000
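Review bot: Reaching `DPCM_MAX_BE_USERS` in soc_compr_set_params_fe() only produces a `dev_dbg` line before the `break`, so on kernels without debug output the backends that were not yet collected are presumably skipped with no trace; the same holds for the matching check in dpcm_be_dai_prepare_async(). Since this limit is what keeps `be_list[]` and `dpcm_async[]` in bounds, a visible message is worth having: `dev_warn(fe->dev, "ASoC: MAX backend users!\n");`. The test also fires when the array has just become exactly full, even if no further backend follows. Both array declarations are outside the hunks, so confirm that they really are sized `DPCM_MAX_BE_USERS`.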
--- a/Patches/Linux_CVEs/CVE-2017-7371/ANY/1.patch.dupe
+++ /dev/null
@@ -1,45 +0,0 @@
-From 9d5a0bc7f6318821fddf9fc0ac9a05e58bb00a6b Mon Sep 17 00:00:00 2001
-From: Sungjun Park
-Date: Mon, 23 Jan 2017 13:28:44 -0800
-Subject: bluetooth: Fix free data pointer routine
-
-Data pointer has been reused after freed it. So,
-it has been moved to after using the data pointer
-to clean up resource and freed it.
-
-Change-Id: Ibc94e092134ff1f36e896c679ade7f639254a24d
-Signed-off-by: Sungjun Park
----
- drivers/bluetooth/btfm_slim.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/bluetooth/btfm_slim.c b/drivers/bluetooth/btfm_slim.c
-index 5fb00b9..1c6e256 100644
---- a/drivers/bluetooth/btfm_slim.c
-+++ b/drivers/bluetooth/btfm_slim.c
-@@ -1,4 +1,4 @@
--/* Copyright (c) 2016, The Linux Foundation. All rights reserved.
-+/* Copyright (c) 2017, The Linux Foundation. All rights reserved.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 and
-@@ -509,7 +509,6 @@ static int btfm_slim_remove(struct slim_device *slim)
- BTFMSLIM_DBG("");
- mutex_destroy(&btfm_slim->io_lock);
- mutex_destroy(&btfm_slim->xfer_lock);
-- kfree(btfm_slim);
- snd_soc_unregister_codec(&slim->dev);
-
- BTFMSLIM_DBG("slim_remove_device() - btfm_slim->slim_ifd");
-@@ -517,6 +516,8 @@ static int btfm_slim_remove(struct slim_device *slim)
-
- BTFMSLIM_DBG("slim_remove_device() - btfm_slim->slim_pgd");
- slim_remove_device(slim);
-+
-+ kfree(btfm_slim);
- return 0;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7372/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7372/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-7372/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-7372/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-7373/3.10/1.patch b/Patches/Linux_CVEs/CVE-2017-7373/3.10/1.patch
deleted file mode 100644
index d7b5ea41..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7373/3.10/1.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From eac4a77bb71750b02e91508b15c9aaf4fe2b94ae Mon Sep 17 00:00:00 2001
-From: Sachin Bhayare
-Date: Fri, 23 Dec 2016 11:22:44 +0530
-Subject: msm: mdss: Fix invalid dma attachment during fb shutdown
-
-If DMA attachment fail during fb_mmap, all ION memory will get free. It
-is necessary to reset the fbmem and fb_attachemnt pointer to NULL,
-otherwise during shutdown will perform another free and causing issue.
-
-CRs-Fixed: 1090244
-Change-Id: I92affcf2ce039eecfc72b7c191e058f37815c726
-Signed-off-by: Benjamin Chan
-Signed-off-by: Sachin Bhayare
----
- drivers/video/msm/mdss/mdss_fb.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/video/msm/mdss/mdss_fb.c b/drivers/video/msm/mdss/mdss_fb.c
-index 2e8092d..c2d1441 100644
---- a/drivers/video/msm/mdss/mdss_fb.c
-+++ b/drivers/video/msm/mdss/mdss_fb.c
-@@ -1660,6 +1660,8 @@ int mdss_fb_alloc_fb_ion_memory(struct msm_fb_data_type *mfd, size_t fb_size)
-
- fb_mmap_failed:
- ion_free(mfd->fb_ion_client, mfd->fb_ion_handle);
-+ mfd->fb_ion_handle = NULL;
-+ mfd->fbmem_buf = NULL;
- return rc;
- }
-
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-7373/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7373/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-7373/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-7373/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-7374/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7374/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-7374/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-7374/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-7472/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7472/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-7472/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-7472/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-7487/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7487/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-7487/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-7487/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-7495/3.18/1.patch b/Patches/Linux_CVEs/CVE-2017-7495/3.18/1.patch
deleted file mode 100644
index 6204174f..00000000
--- a/Patches/Linux_CVEs/CVE-2017-7495/3.18/1.patch
+++ /dev/null
@@ -1,87 +0,0 @@ -From 3127779c064c6358310e542c725fe1f64dd6a60f Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Mon, 17 Sep 2001 00:00:00 +0200 -Subject: [PATCH] ext4: fix data exposure after a crash - -commit 06bd3c36a733ac27962fea7d6f47168841376824 upstream. - -Huang has reported that in his powerfail testing he is seeing stale -block contents in some of recently allocated blocks although he mounts -ext4 in data=ordered mode. After some investigation I have found out -that indeed when delayed allocation is used, we don't add inode to -transaction's list of inodes needing flushing before commit. Originally -we were doing that but commit f3b59291a69d removed the logic with a -flawed argument that it is not needed. - -The problem is that although for delayed allocated blocks we write their -contents immediately after allocating them, there is no guarantee that -the IO scheduler or device doesn't reorder things and thus transaction -allocating blocks and attaching them to inode can reach stable storage -before actual block contents. Actually whenever we attach freshly -allocated blocks to inode using a written extent, we should add inode to -transaction's ordered inode list to make sure we properly wait for block -contents to be written before committing the transaction. So that is -what we do in this patch. This also handles other cases where stale data -exposure was possible - like filling hole via mmap in -data=ordered,nodelalloc mode. - -The only exception to the above rule are extending direct IO writes where -blkdev_direct_IO() waits for IO to complete before increasing i_size and -thus stale data exposure is not possible. For now we don't complicate -the code with optimizing this special case since the overhead is pretty -low. In case this is observed to be a performance problem we can always -handle it using a special flag to ext4_map_blocks(). 
- -Change-Id: I9f8b371c9fd716bf3d8af3780ce43e73d80cfb28 -Fixes: f3b59291a69d0b734be1fc8be489fef2dd846d3d -Reported-by: "HUANG Weller (CM/ESW12-CN)" -Tested-by: "HUANG Weller (CM/ESW12-CN)" -Signed-off-by: Jan Kara -Signed-off-by: Theodore Ts'o -[bwh: Backported to 3.16: - - Drop check for EXT4_GET_BLOCKS_ZERO flag - - Adjust context] -Signed-off-by: Ben Hutchings ---- - -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index 9d358dc..f472aed 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -661,6 +661,20 @@ - ret = check_block_validity(inode, map); - if (ret != 0) - return ret; -+ -+ /* -+ * Inodes with freshly allocated blocks where contents will be -+ * visible after transaction commit must be on transaction's -+ * ordered data list. -+ */ -+ if (map->m_flags & EXT4_MAP_NEW && -+ !(map->m_flags & EXT4_MAP_UNWRITTEN) && -+ !IS_NOQUOTA(inode) && -+ ext4_should_order_data(inode)) { -+ ret = ext4_jbd2_file_inode(handle, inode); -+ if (ret) -+ return ret; -+ } - } - return retval; - } -@@ -1116,15 +1130,6 @@ - int i_size_changed = 0; - - trace_ext4_write_end(inode, pos, len, copied); -- if (ext4_test_inode_state(inode, EXT4_STATE_ORDERED_MODE)) { -- ret = ext4_jbd2_file_inode(handle, inode); -- if (ret) { -- unlock_page(page); -- page_cache_release(page); -- goto errout; -- } -- } -- - if (ext4_has_inline_data(inode)) { - ret = ext4_write_inline_data_end(inode, pos, len, - copied, page); diff --git a/Patches/Linux_CVEs/CVE-2017-7495/3.18/1.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7495/3.18/1.patch.base64 deleted file mode 100644 index 9708ac07..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7495/3.18/1.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7495/3.18/2.patch b/Patches/Linux_CVEs/CVE-2017-7495/3.18/2.patch deleted file mode 100644 index b56d5a52..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7495/3.18/2.patch +++ /dev/null 
@@ -1,77 +0,0 @@ -From df6099279dc346ec77158d5f52d3176dbd0a1e4c Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Mon, 04 Jul 2016 10:14:01 -0400 -Subject: [PATCH] ext4: fix deadlock during page writeback - -[ Upstream commit 646caa9c8e196880b41cd3e3d33a2ebc752bdb85 ] - -Commit 06bd3c36a733 (ext4: fix data exposure after a crash) uncovered a -deadlock in ext4_writepages() which was previously much harder to hit. -After this commit xfstest generic/130 reproduces the deadlock on small -filesystems. - -The problem happens when ext4_do_update_inode() sets LARGE_FILE feature -and marks current inode handle as synchronous. That subsequently results -in ext4_journal_stop() called from ext4_writepages() to block waiting for -transaction commit while still holding page locks, reference to io_end, -and some prepared bio in mpd structure each of which can possibly block -transaction commit from completing and thus results in deadlock. - -Fix the problem by releasing page locks, io_end reference, and -submitting prepared bio before calling ext4_journal_stop(). - -[ Changed to defer the call to ext4_journal_stop() only if the handle - is synchronous. --tytso ] - -Change-Id: I724640d96ffaa03e512cd0b48cea056b4030c382 -Reported-and-tested-by: Eryu Guan -Signed-off-by: Theodore Ts'o -CC: stable@vger.kernel.org -Signed-off-by: Jan Kara -Signed-off-by: Sasha Levin ---- - -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index f472aed..5aa499f 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -2554,13 +2554,36 @@ - done = true; - } - } -- ext4_journal_stop(handle); -+ /* -+ * Caution: If the handle is synchronous, -+ * ext4_journal_stop() can wait for transaction commit -+ * to finish which may depend on writeback of pages to -+ * complete or on page lock to be released. 
In that -+ * case, we have to wait until after after we have -+ * submitted all the IO, released page locks we hold, -+ * and dropped io_end reference (for extent conversion -+ * to be able to complete) before stopping the handle. -+ */ -+ if (!ext4_handle_valid(handle) || handle->h_sync == 0) { -+ ext4_journal_stop(handle); -+ handle = NULL; -+ } - /* Submit prepared bio */ - ext4_io_submit(&mpd.io_submit); - /* Unlock pages we didn't use */ - mpage_release_unused_pages(&mpd, give_up_on_write); -- /* Drop our io_end reference we got from init */ -- ext4_put_io_end(mpd.io_submit.io_end); -+ /* -+ * Drop our io_end reference we got from init. We have -+ * to be careful and use deferred io_end finishing if -+ * we are still holding the transaction as we can -+ * release the last reference to io_end which may end -+ * up doing unwritten extent conversion. -+ */ -+ if (handle) { -+ ext4_put_io_end_defer(mpd.io_submit.io_end); -+ ext4_journal_stop(handle); -+ } else -+ ext4_put_io_end(mpd.io_submit.io_end); - - if (ret == -ENOSPC && sbi->s_journal) { - /* diff --git a/Patches/Linux_CVEs/CVE-2017-7495/3.18/2.patch.base64 b/Patches/Linux_CVEs/CVE-2017-7495/3.18/2.patch.base64 deleted file mode 100644 index 70d51e63..00000000 --- a/Patches/Linux_CVEs/CVE-2017-7495/3.18/2.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-7495/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7495/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-7495/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-7495/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-7541/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-7541/ANY/0001.patch new file mode 100644 index 00000000..33661483 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-7541/ANY/0001.patch 
@@ -0,0 +1,45 @@
+From 8f44c9a41386729fea410e688959ddaa9d51be7c Mon Sep 17 00:00:00 2001
+From: Arend van Spriel
+Date: Fri, 7 Jul 2017 21:09:06 +0100
+Subject: brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The lower level nl80211 code in cfg80211 ensures that "len" is between
+25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from
+"len" so thats's max of 2280. However, the action_frame->data[] buffer is
+only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
+overflow.
+
+ memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
+ le16_to_cpu(action_frame->len));
+
+Cc: stable@vger.kernel.org # 3.9.x
+Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
+Reported-by: "freenerguo(郭大兴)"
+Signed-off-by: Arend van Spriel
+Signed-off-by: David S. Miller
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+index dcde596..7e689c8 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -4934,6 +4934,11 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
+ cfg80211_mgmt_tx_status(wdev, *cookie, buf, len, true,
+ GFP_KERNEL);
+ } else if (ieee80211_is_action(mgmt->frame_control)) {
++ if (len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) {
++ brcmf_err("invalid action frame length\n");
++ err = -EINVAL;
++ goto exit;
++ }
+ af_params = kzalloc(sizeof(*af_params), GFP_KERNEL);
+ if (af_params == NULL) {
+ brcmf_err("unable to allocate frame\n");
+--
+cgit v1.1
+
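Review bot: The new length test in brcmf_cfg80211_mgmt_tx() bounds `len` only from above; the lower bound that keeps `len - DOT11_MGMT_HDR_LEN` from going negative is, according to the commit message, enforced by cfg80211 and is not stated anywhere in the code. A comment above the check would record both facts, for example `/* cfg80211 guarantees len > DOT11_MGMT_HDR_LEN; data[] holds BRCMF_FIL_ACTION_FRAME_SIZE bytes */`. The function continues outside the hunk, so the `exit` label and the memcpy this check protects are not visible here.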
diff --git a/Patches/Linux_CVEs/CVE-2017-7616/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7616/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-7616/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-7616/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-7618/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7618/^4.10/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-7618/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-7618/^4.10/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-7889/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7889/^4.10/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-7889/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-7889/^4.10/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-7979/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-7979/^4.11/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-7979/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-7979/^4.11/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8233/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8233/3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8233/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-8233/3.18/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8233/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8233/4.4/0002.patch
new file mode 100644
index 00000000..ab69c5dc
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-8233/4.4/0002.patch
@@ -0,0 +1,60 @@
+From 8b0cb658b568e4b160a5b57fb3cef0063aff56d9 Mon Sep 17 00:00:00 2001
+From: Pratap Nirujogi
+Date: Mon, 20 Feb 2017 17:29:33 +0530
+Subject: msm: camera: cpp: Fixing Heap overflow in output buffer
+
+Issue:
+Missing bound check when writing into the output array
+buffer, which can lead to out-of-bound heap write.
+
+Fix:
+Addding hardcoded constant 8 in the MSM_OUTPUT_BUF_CNT
+macro and size check to the place where the array is
+accessed. Returning '0' if exceeds MSM_OUTPUT_BUF_CNT.
+Caller will return -EINVAL for '0'.
+
+Change-Id: Ic03f86e3e47ece9ca7069527e741a75ad9a0f83f
+CRs-Fixed: 2004036
+Signed-off-by: Pratap Nirujogi
+---
+ drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 2 ++
+ include/uapi/media/msmb_pproc.h | 3 ++-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+index 064c1e8..08aab07 100644
+--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
++++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c
+@@ -2116,6 +2116,8 @@ static int msm_cpp_check_buf_type(struct msm_buf_mngr_info *buff_mgr_info,
+ /* More or equal bufs as Input buffer */
+ num_output_bufs = new_frame->batch_info.batch_size;
+ }
++ if (num_output_bufs > MSM_OUTPUT_BUF_CNT)
++ return 0;
+ for (i = 0; i < num_output_bufs; i++) {
+ new_frame->output_buffer_info[i].index =
+ buff_mgr_info->user_buf.buf_idx[i];
+diff --git a/include/uapi/media/msmb_pproc.h b/include/uapi/media/msmb_pproc.h
+index b65669b..8f45457 100644
+--- a/include/uapi/media/msmb_pproc.h
++++ b/include/uapi/media/msmb_pproc.h
+@@ -16,6 +16,7 @@
+ #define MSM_CPP_MAX_FRAME_LENGTH 4096
+ #define MSM_CPP_MAX_FW_NAME_LEN 32
+ #define MAX_FREQ_TBL 10
++#define MSM_OUTPUT_BUF_CNT 8
+
+ enum msm_cpp_frame_type {
+ MSM_CPP_OFFLINE_FRAME,
+@@ -76,7 +77,7 @@ struct msm_cpp_frame_info_t {
+ uint32_t feature_mask;
+ uint8_t we_disable;
+ struct msm_cpp_buffer_info_t input_buffer_info;
+- struct msm_cpp_buffer_info_t output_buffer_info[8];
++ struct msm_cpp_buffer_info_t output_buffer_info[MSM_OUTPUT_BUF_CNT];
+ struct msm_cpp_buffer_info_t duplicate_buffer_info;
+ struct msm_cpp_buffer_info_t tnr_scratch_buffer_info[2];
+ uint32_t reserved;
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-8234/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8234/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8234/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-8234/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8235/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8235/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8235/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-8235/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8236/3.10/0001.patch b/Patches/Linux_CVEs/CVE-2017-8236/3.10/0001.patch
new file mode 100644
index 00000000..02c0d5af
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-8236/3.10/0001.patch
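Review bot: In msm_cpp_check_buf_type() the new guard rejects an oversized `num_output_bufs` by returning 0 with no log line, so a rejected request is indistinguishable from any other zero result; the commit message says the caller maps 0 to -EINVAL, but that caller is outside the hunk. A `pr_err` naming the rejected count before `return 0;` would make the rejection diagnosable. The loop that follows also reads `buff_mgr_info->user_buf.buf_idx[i]`, whose array size is not visible here, so confirm it holds at least `MSM_OUTPUT_BUF_CNT` entries. The new macro lands in a uapi header without the `MSM_CPP_` prefix that `MSM_CPP_MAX_FRAME_LENGTH` and `MSM_CPP_MAX_FW_NAME_LEN` carry, which is worth aligning.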
@@ -0,0 +1,81 @@
+From 8a079632f447be9fd86f92b8e02b1940a26c8a2a Mon Sep 17 00:00:00 2001
+From: Skylar Chang
+Date: Wed, 1 Mar 2017 16:08:27 -0800
+Subject: msm: IPA: add the check on intf query
+
+The ipa_ioc_query_intf_rx_props structure comes
+from the ioctl handler, and it is verified that
+the size of rx buffer does not exceed the
+IPA_NUM_PROPS_MAX elements. It is also verified
+that the "entry->rx" buffer does not exceed
+IPA_NUM_PROPS_MAX when "entry" is allocated.
+However, the sizes of the buffer "rx->rx" and
+the buffer "entry->rx" are not guaranteed to
+be the same and will lead memory corruption
+issue. The fix is to add the check before
+memcpy.
+
+Change-Id: Idf5c2d32f47c1a1cffeaa5607193855188893ddb
+Signed-off-by: Skylar Chang
+---
+ drivers/platform/msm/ipa/ipa_intf.c | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/platform/msm/ipa/ipa_intf.c b/drivers/platform/msm/ipa/ipa_intf.c
+index 9a74107..18924a7 100644
+--- a/drivers/platform/msm/ipa/ipa_intf.c
++++ b/drivers/platform/msm/ipa/ipa_intf.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2013-2015, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2013-2017, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -275,6 +275,14 @@ int ipa_query_intf_tx_props(struct ipa_ioc_query_intf_tx_props *tx)
+ mutex_lock(&ipa_ctx->lock);
+ list_for_each_entry(entry, &ipa_ctx->intf_list, link) {
+ if (!strncmp(entry->name, tx->name, IPA_RESOURCE_NAME_MAX)) {
++ /* add the entry check */
++ if (entry->num_tx_props != tx->num_tx_props) {
++ IPAERR("invalid entry number(%u %u)\n",
++ entry->num_tx_props,
++ tx->num_tx_props);
++ mutex_unlock(&ipa_ctx->lock);
++ return result;
++ }
+ memcpy(tx->tx, entry->tx, entry->num_tx_props *
+ sizeof(struct ipa_ioc_tx_intf_prop));
+ result = 0;
+@@ -308,6 +316,14 @@ int ipa_query_intf_rx_props(struct ipa_ioc_query_intf_rx_props *rx)
+ mutex_lock(&ipa_ctx->lock);
+ list_for_each_entry(entry, &ipa_ctx->intf_list, link) {
+ if (!strncmp(entry->name, rx->name, IPA_RESOURCE_NAME_MAX)) {
++ /* add the entry check */
++ if (entry->num_rx_props != rx->num_rx_props) {
++ IPAERR("invalid entry number(%u %u)\n",
++ entry->num_rx_props,
++ rx->num_rx_props);
++ mutex_unlock(&ipa_ctx->lock);
++ return result;
++ }
+ memcpy(rx->rx, entry->rx, entry->num_rx_props *
+ sizeof(struct ipa_ioc_rx_intf_prop));
+ result = 0;
+@@ -341,6 +357,14 @@ int ipa_query_intf_ext_props(struct ipa_ioc_query_intf_ext_props *ext)
+ mutex_lock(&ipa_ctx->lock);
+ list_for_each_entry(entry, &ipa_ctx->intf_list, link) {
+ if (!strcmp(entry->name, ext->name)) {
++ /* add the entry check */
++ if (entry->num_ext_props != ext->num_ext_props) {
++ IPAERR("invalid entry number(%u %u)\n",
++ entry->num_ext_props,
++ ext->num_ext_props);
++ mutex_unlock(&ipa_ctx->lock);
++ return result;
++ }
+ memcpy(ext->ext, entry->ext, entry->num_ext_props *
+ sizeof(struct ipa_ioc_ext_intf_prop));
+ result = 0;
+--
+cgit v1.1
+
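Review bot: ipa_query_intf_ext_props() still matches with `strcmp(entry->name, ext->name)` while the tx and rx variants in the same patch use `strncmp(..., IPA_RESOURCE_NAME_MAX)`; if `ext->name` is filled from the ioctl without a guaranteed terminator (the handler is outside these hunks), the unbounded compare can read past the field. Making it `if (!strncmp(entry->name, ext->name, IPA_RESOURCE_NAME_MAX)) {` keeps the three lookups consistent. The three new checks also each repeat `mutex_unlock(&ipa_ctx->lock); return result;` and rely on `result` still holding its initial error value, which is set outside the hunks; a `break` to the function's common unlock path, if one follows the loop, would avoid the duplicated unlock.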
diff --git a/Patches/Linux_CVEs/CVE-2017-8236/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8236/3.18/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8236/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-8236/3.18/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8237/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8237/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8237/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-8237/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8239/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8239/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8239/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-8239/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8240/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8240/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8240/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-8240/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8241/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8241/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8241/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-8241/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8242/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8242/3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8242/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-8242/3.18/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8242/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8242/4.4/0002.patch
new file mode 100644
index 00000000..6cfd583d
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-8242/4.4/0002.patch
@@ -0,0 +1,34 @@
+From 364643660e49ec22f657d3e624bee2c7b9738d98 Mon Sep 17 00:00:00 2001
+From: Zhen Kong
+Date: Mon, 27 Feb 2017 13:41:07 -0800
+Subject: qseecom: add mutex around qseecom_set_client_mem_param
+
+Add mutex around qseecom_set_client_mem_param to prevent an
+ioctl thread modifying and corrupting data which is being
+processed by another ioctl in the other thread
+
+Change-Id: I0cfb8afab4001c2913be693dfe44c761b9568893
+Signed-off-by: Zhen Kong
+---
+ drivers/misc/qseecom.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
+index 134995c..8d03c36 100644
+--- a/drivers/misc/qseecom.c
++++ b/drivers/misc/qseecom.c
+@@ -7043,7 +7043,11 @@ long qseecom_ioctl(struct file *file, unsigned cmd, unsigned long arg)
+ break;
+ }
+ pr_debug("SET_MEM_PARAM: qseecom addr = 0x%pK\n", data);
++ mutex_lock(&app_access_lock);
++ atomic_inc(&data->ioctl_count);
+ ret = qseecom_set_client_mem_param(data, argp);
++ atomic_dec(&data->ioctl_count);
++ mutex_unlock(&app_access_lock);
+ if (ret)
+ pr_err("failed Qqseecom_set_mem_param request: %d\n",
+ ret);
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-8243/4.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-8243/4.4/0001.patch
new file mode 100644
index 00000000..8e874940
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-8243/4.4/0001.patch
@@ -0,0 +1,39 @@
+From cae0d5a6f32e52e06c0841bb7142452062dc2ac8 Mon Sep 17 00:00:00 2001
+From: Kishor PK
+Date: Thu, 30 Mar 2017 14:23:37 +0530
+Subject: soc: qcom: pil: Avoid possible buffer overflow during Modem boot
+
+Buffer overflow can occur if MBA firmware size exceeds 1MB.
+So validate size before copying the firmware.
+
+CRs-Fixed: 2001803
+Change-Id: I070ddf85fbc47df072e7258369272366262ebf46
+Signed-off-by: Kishor PK
+---
+ drivers/soc/qcom/pil-msa.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/qcom/pil-msa.c b/drivers/soc/qcom/pil-msa.c
+index 53bddc5..988b6e8 100644
+--- a/drivers/soc/qcom/pil-msa.c
++++ b/drivers/soc/qcom/pil-msa.c
+@@ -616,7 +616,15 @@ int pil_mss_reset_load_mba(struct pil_desc *pil)
+
+ /* Load the MBA image into memory */
+ count = fw->size;
+- memcpy(mba_dp_virt, data, count);
++ if (count <= SZ_1M) {
++ /* Ensures memcpy is done for max 1MB fw size */
++ memcpy(mba_dp_virt, data, count);
++ } else {
++ dev_err(pil->dev, "%s fw image loading into memory is failed due to fw size overflow\n",
++ __func__);
++ ret = -EINVAL;
++ goto err_mba_data;
++ }
+ /* Ensure memcpy of the MBA memory is done before loading the DP */
+ wmb();
+
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-8244/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-8244/3.10/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8244/3.10/0.patch
rename to Patches/Linux_CVEs/CVE-2017-8244/3.10/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8244/3.18/1.patch b/Patches/Linux_CVEs/CVE-2017-8244/3.18/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8244/3.18/1.patch
rename to Patches/Linux_CVEs/CVE-2017-8244/3.18/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8244/4.4/2.patch b/Patches/Linux_CVEs/CVE-2017-8244/4.4/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8244/4.4/2.patch
rename to Patches/Linux_CVEs/CVE-2017-8244/4.4/0003.patch
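Review bot: The size check in pil_mss_reset_load_mba() compares `count` with the literal `SZ_1M` rather than with the size of the region behind `mba_dp_virt`, which is allocated outside the hunk, so the bound and the buffer can drift apart if that allocation ever changes. Comparing against the allocated size, or against a named constant shared with the allocation, would tie the two together. The check also reads more simply as a guard placed before an unconditional copy: `if (count > SZ_1M) { dev_err(...); ret = -EINVAL; goto err_mba_data; }` followed by the original `memcpy(mba_dp_virt, data, count);`.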
diff --git a/Patches/Linux_CVEs/CVE-2017-8245/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-8245/3.10/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8245/3.10/0.patch
rename to Patches/Linux_CVEs/CVE-2017-8245/3.10/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8245/3.18/1.patch b/Patches/Linux_CVEs/CVE-2017-8245/3.18/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8245/3.18/1.patch
rename to Patches/Linux_CVEs/CVE-2017-8245/3.18/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8245/4.4/2.patch b/Patches/Linux_CVEs/CVE-2017-8245/4.4/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8245/4.4/2.patch
rename to Patches/Linux_CVEs/CVE-2017-8245/4.4/0003.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8246/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-8246/3.10/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8246/3.10/0.patch
rename to Patches/Linux_CVEs/CVE-2017-8246/3.10/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8246/3.18/1.patch b/Patches/Linux_CVEs/CVE-2017-8246/3.18/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8246/3.18/1.patch
rename to Patches/Linux_CVEs/CVE-2017-8246/3.18/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8246/4.4/2.patch b/Patches/Linux_CVEs/CVE-2017-8246/4.4/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8246/4.4/2.patch
rename to Patches/Linux_CVEs/CVE-2017-8246/4.4/0003.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8247/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8247/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8247/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-8247/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8250/3.18/0.patch b/Patches/Linux_CVEs/CVE-2017-8250/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8250/3.18/0.patch
rename to Patches/Linux_CVEs/CVE-2017-8250/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8251/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-8251/3.10/0.patch
deleted file mode 100644
index 8a334400..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8251/3.10/0.patch
+++ /dev/null
@@ -1,64 +0,0 @@ -From 3a42f1b79ed696f29350f170c00f27712ae84a36 Mon Sep 17 00:00:00 2001 -From: Maggie White -Date: Wed, 5 Jul 2017 13:00:40 -0700 -Subject: msm: camera: isp: fix for out of bound access array - -There is no bound check in stream_cfg_cmd->num_streams and it's used in -several places as a maximum index into the stream_cfg_cmd->stream_handle -array which has a size of 15. Current code didn't check the maximum -index to make sure it didn't exceed the array size. - -Bug: 62379525 -Change-Id: Idcf639486d235551882dafc34d9e798d78c70bf0 -Signed-off-by: Maggie White ---- - .../platform/msm/camera_v2/isp/msm_isp_stats_util.c | 19 +++++++++++++++++++ - 1 file changed, 19 insertions(+) - -diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c -index 82da3e0..43a2c77 100644 ---- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c -+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c -@@ -550,6 +550,12 @@ static int msm_isp_stats_update_cgc_override(struct vfe_device *vfe_dev, - int i; - uint32_t stats_mask = 0, idx; - -+ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) { -+ pr_err("%s invalid num_streams %d\n", __func__, -+ stream_cfg_cmd->num_streams); -+ return -EINVAL; -+ } -+ - for (i = 0; i < stream_cfg_cmd->num_streams; i++) { - idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]); - -@@ -630,6 +636,13 @@ static int msm_isp_start_stats_stream(struct vfe_device *vfe_dev, - stats_data->stream_info); - if (rc < 0) - return rc; -+ -+ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) { -+ pr_err("%s invalid num_streams %d\n", __func__, -+ stream_cfg_cmd->num_streams); -+ return -EINVAL; -+ } -+ - for (i = 0; i < stream_cfg_cmd->num_streams; i++) { - idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]); - -@@ -702,6 +715,12 @@ static int msm_isp_stop_stats_stream(struct vfe_device *vfe_dev, - num_stats_comp_mask = - 
vfe_dev->hw_info->stats_hw_info->num_stats_comp_mask; - -+ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) { -+ pr_err("%s invalid num_streams %d\n", __func__, -+ stream_cfg_cmd->num_streams); -+ return -EINVAL; -+ } -+ - for (i = 0; i < stream_cfg_cmd->num_streams; i++) { - - idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]); --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8251/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8251/ANY/0001.patch new file mode 100644 index 00000000..8b96d464 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8251/ANY/0001.patch 
@@ -0,0 +1,52 @@ +From 771254edea3486535453dbb76d090cd6bcf92af9 Mon Sep 17 00:00:00 2001 +From: Senthil Kumar Rajagopal +Date: Sat, 4 Mar 2017 12:05:44 +0530 +Subject: msm: camera: isp: fix for out of bound access array + +There is no bound check in stream_cfg_cmd->num_streams, +in functions msm_isp_check_stream_cfg_cmd and +msm_isp_stats_update_cgc_override num_streams is used as +the index for stream_cfg_cmd->stream_handle array which +has a size of 15. Current code did not check the num_streams +to make sure that did not exceed the array size + +CRs-Fixed: 2006015 + +Change-Id: I7f195c764a4e6c12e4f7c680bc3c9aa7b078e625 +Signed-off-by: Senthil Kumar Rajagopal +--- + drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c +index f40af6e..b38226a 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c +@@ -832,6 +832,12 @@ static int msm_isp_stats_update_cgc_override(struct vfe_device *vfe_dev, + struct msm_vfe_stats_stream *stream_info; + int k; + ++ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) { ++ pr_err("%s invalid num_streams %d\n", __func__, ++ stream_cfg_cmd->num_streams); ++ return -EINVAL; ++ } ++ + for (i = 0; i < stream_cfg_cmd->num_streams; i++) { + idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]); + +@@ -961,6 +967,11 @@ static int msm_isp_check_stream_cfg_cmd(struct vfe_device *vfe_dev, + int vfe_idx; + uint32_t stats_idx[MSM_ISP_STATS_MAX]; + ++ if (stream_cfg_cmd->num_streams > MSM_ISP_STATS_MAX) { ++ pr_err("%s invalid num_streams %d\n", __func__, ++ stream_cfg_cmd->num_streams); ++ return -EINVAL; ++ } + memset(stats_idx, 0, sizeof(stats_idx)); + for (i = 0; i < stream_cfg_cmd->num_streams; i++) { + idx = STATS_IDX(stream_cfg_cmd->stream_handle[i]); +-- 
+cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-8253/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8253/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8253/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-8253/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8254/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8254/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8254/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-8254/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8256/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8256/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8256/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-8256/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8257/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8257/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8257/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-8257/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8258/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8258/ANY/0001.patch new file mode 100644 index 00000000..ad4c1a65 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8258/ANY/0001.patch 
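Review bot: The replacement patch guards `num_streams` only in `msm_isp_stats_update_cgc_override` and `msm_isp_check_stream_cfg_cmd`, while the deleted 3.10/0.patch also guarded the loops in `msm_isp_start_stats_stream` and `msm_isp_stop_stats_stream`. Whether those two loops are still protected depends on `msm_isp_check_stream_cfg_cmd` running before them in the target tree, which this hunk does not show, so the call order should be confirmed for every kernel the ANY directory is applied to. The inner hunk offsets also moved from 550/630/715 to 832/961, which suggests a different base than the 3.10 file. If the patch is rejected on an older tree, the unchecked index into `stream_handle` stays in place, so a failed apply of this file should be treated as an error rather than skipped.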
@@ -0,0 +1,38 @@ +From 31e2a2f0f2f3615cefd4400c707709bbc3e26170 Mon Sep 17 00:00:00 2001 +From: Senthil Kumar Rajagopal +Date: Wed, 15 Feb 2017 15:08:09 +0530 +Subject: msm: isp: fix for potentitial array out of bound access + +There is no bound check on dual_hw_ms_cmd->num_src, +which is coming from userspace +num_src is used as the index for the input_src array +which has a size of 5. +The current code did not check the num_src to make sure +that it never exceeds the input_src array size. + +CRs-Fixed: 2006169 +Change-Id: If5927e06e70cce4afb0ae9f2cdfec80f76f83771 +Signed-off-by: Senthil Kumar Rajagopal +--- + drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c +index d8227e7..b2b39e0 100644 +--- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c ++++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c +@@ -618,6 +618,11 @@ static int msm_isp_set_dual_HW_master_slave_mode( + } + ISP_DBG("%s: vfe %d num_src %d\n", __func__, vfe_dev->pdev->id, + dual_hw_ms_cmd->num_src); ++ if (dual_hw_ms_cmd->num_src > VFE_SRC_MAX) { ++ pr_err("%s: Error! Invalid num_src %d\n", __func__, ++ dual_hw_ms_cmd->num_src); ++ return -EINVAL; ++ } + /* This for loop is for non-primary intf to be marked with Master/Slave + * in order for frame id sync. But their timestamp is not saved. + * So no sof_info resource is allocated */ +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-8259/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8259/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8259/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-8259/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8260/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-8260/3.10/0.patch deleted file mode 100644 index 4dcd6ac3..00000000 
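Review bot: The added guard compares `dual_hw_ms_cmd->num_src` with `VFE_SRC_MAX`, but the commit message describes the limit as the size of the `input_src` array, and the hunk does not show that the two are the same value. Tying the bound to the array itself, `if (dual_hw_ms_cmd->num_src > ARRAY_SIZE(dual_hw_ms_cmd->input_src)) {`, would keep the check correct if the constant and the array ever diverge; this assumes `input_src` is a fixed-size array member, which is not visible here. Since `num_src` comes from userspace, `pr_err_ratelimited` in place of `pr_err` would also keep repeated bad requests from flooding the kernel log. The body of `msm_isp_set_dual_HW_master_slave_mode` starts and ends outside the hunk.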
--- a/Patches/Linux_CVEs/CVE-2017-8260/3.10/0.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 52a2a62a5b0e9dd917bcd9a6d86d674833cc91b7 Mon Sep 17 00:00:00 2001 -From: Gaoxiang Chen -Date: Fri, 31 Mar 2017 14:28:33 +0800 -Subject: msm: camera: don't cut to 8bits for validating enum variable - -In msm_ispif_is_intf_valid(), -we convert a enum variable msm_ispif_vfe_intf, -to uint8_t type for validating. - -This could cause potential issue, -if the value is crafted in such a way that lower 8bits pass the validation. - -Don't use uint8_t as input parm to avoid such vulnerability. - -CRs-Fixed: 2008469 -Change-Id: I4ee400ac0edd830decfbe5712966d968976a268a -Signed-off-by: Gaoxiang Chen ---- - drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c -index 4e07d4d..8409a64 100644 ---- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c -+++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c -@@ -64,7 +64,7 @@ static void msm_ispif_io_dump_reg(struct ispif_device *ispif) - - - static inline int msm_ispif_is_intf_valid(uint32_t csid_version, -- uint8_t intf_type) -+ enum msm_ispif_vfe_intf intf_type) - { - return ((csid_version <= CSID_VERSION_V22 && intf_type != VFE0) || - (intf_type >= VFE_MAX)) ? 
false : true; -@@ -347,7 +347,7 @@ static int msm_ispif_subdev_g_chip_ident(struct v4l2_subdev *sd, - } - - static void msm_ispif_sel_csid_core(struct ispif_device *ispif, -- uint8_t intftype, uint8_t csid, uint8_t vfe_intf) -+ uint8_t intftype, uint8_t csid, enum msm_ispif_vfe_intf vfe_intf) - { - uint32_t data; - -@@ -387,7 +387,7 @@ static void msm_ispif_sel_csid_core(struct ispif_device *ispif, - } - - static void msm_ispif_enable_crop(struct ispif_device *ispif, -- uint8_t intftype, uint8_t vfe_intf, uint16_t start_pixel, -+ uint8_t intftype, enum msm_ispif_vfe_intf vfe_intf, uint16_t start_pixel, - uint16_t end_pixel) - { - uint32_t data; -@@ -419,7 +419,7 @@ static void msm_ispif_enable_crop(struct ispif_device *ispif, - } - - static void msm_ispif_enable_intf_cids(struct ispif_device *ispif, -- uint8_t intftype, uint16_t cid_mask, uint8_t vfe_intf, uint8_t enable) -+ uint8_t intftype, uint16_t cid_mask, enum msm_ispif_vfe_intf vfe_intf, uint8_t enable) - { - uint32_t intf_addr, data; - -@@ -461,7 +461,7 @@ static void msm_ispif_enable_intf_cids(struct ispif_device *ispif, - } - - static int msm_ispif_validate_intf_status(struct ispif_device *ispif, -- uint8_t intftype, uint8_t vfe_intf) -+ uint8_t intftype, enum msm_ispif_vfe_intf vfe_intf) - { - int rc = 0; - uint32_t data = 0; -@@ -501,7 +501,7 @@ static int msm_ispif_validate_intf_status(struct ispif_device *ispif, - } - - static void msm_ispif_select_clk_mux(struct ispif_device *ispif, -- uint8_t intftype, uint8_t csid, uint8_t vfe_intf) -+ uint8_t intftype, uint8_t csid, enum msm_ispif_vfe_intf vfe_intf) - { - uint32_t data = 0; - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8260/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-8260/3.18/0001.patch new file mode 100644 index 00000000..33705f5a --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8260/3.18/0001.patch 
@@ -0,0 +1,32 @@ +From 8f236391e5187c05f7f4b937856944be0af7aaa5 Mon Sep 17 00:00:00 2001 +From: Junzhe Zou +Date: Wed, 15 Mar 2017 15:06:04 -0700 +Subject: msm: ispif: fix a bug in checking the validity of vfe intf + +Parse the whole length of vfe intf to the validate function to avoid +the situation that the lower 8bits pass the validation while intf is +crafted to a large value which can cause buffer overflow later. + +CRs-Fixed: 2008469 +Change-Id: I0de19ec36d73918ab2f38eb7ba1f833c02a3face +Signed-off-by: Junzhe Zou +--- + drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c +index 03aa65d..ccc983f 100644 +--- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c ++++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c +@@ -87,7 +87,7 @@ static void msm_ispif_io_dump_reg(struct ispif_device *ispif) + + + static inline int msm_ispif_is_intf_valid(uint32_t csid_version, +- uint8_t intf_type) ++ enum msm_ispif_vfe_intf intf_type) + { + return ((csid_version <= CSID_VERSION_V22 && intf_type != VFE0) || + (intf_type >= VFE_MAX)) ? false : true; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-8260/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8260/4.4/0002.patch new file mode 100644 index 00000000..f6dfaab4 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8260/4.4/0002.patch 
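Review bot: This replacement widens only the parameter of `msm_ispif_is_intf_valid`, whereas the deleted 3.10/0.patch also changed `vfe_intf` from `uint8_t` to `enum msm_ispif_vfe_intf` in `msm_ispif_sel_csid_core`, `msm_ispif_enable_crop`, `msm_ispif_enable_intf_cids`, `msm_ispif_validate_intf_status` and `msm_ispif_select_clk_mux`. The narrower fix is sufficient only if every call site hands the validator the untruncated value; the call sites are outside the hunk, so that should be checked in each target tree. The commit also leaves no CVE-2017-8260 patch under 3.10 (only this 3.18 file and the identical change added as 4.4/0002.patch), so 3.10 trees may lose the fix unless patch selection falls back to another version directory.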
@@ -0,0 +1,32 @@ +From 7b7534d96813ffe502271b0b3fae0d0d12e3e05b Mon Sep 17 00:00:00 2001 +From: Junzhe Zou +Date: Wed, 15 Mar 2017 15:06:04 -0700 +Subject: msm: ispif: fix a bug in checking the validity of vfe intf + +Parse the whole length of vfe intf to the validate function to avoid +the situation that the lower 8bits pass the validation while intf is +crafted to a large value which can cause buffer overflow later. + +CRs-Fixed: 2008469 +Change-Id: I0de19ec36d73918ab2f38eb7ba1f833c02a3face +Signed-off-by: Junzhe Zou +--- + drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c +index 1628c098..cb7b2a1 100644 +--- a/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c ++++ b/drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c +@@ -73,7 +73,7 @@ static void msm_ispif_io_dump_reg(struct ispif_device *ispif) + + + static inline int msm_ispif_is_intf_valid(uint32_t csid_version, +- uint8_t intf_type) ++ enum msm_ispif_vfe_intf intf_type) + { + return ((csid_version <= CSID_VERSION_V22 && intf_type != VFE0) || + (intf_type >= VFE_MAX)) ? false : true; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-8261/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8261/ANY/0.patch deleted file mode 100644 index 8480a4d8..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8261/ANY/0.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 8576feebaf688dadf0548b9a16d2b90b76ed714c Mon Sep 17 00:00:00 2001 -From: Trishansh Bhardwaj -Date: Tue, 18 Apr 2017 14:44:43 +0530 -Subject: msm: camera: Fix kernel overwrite GET_BUF_BY_IDX ioctl - -Assign address of buf_info into ioctl_ptr. -Previously we were copying first 8 bytes of buf_info (content) -into ioctl_ptr. Which is dereferenced and written later causing -kernel overwrite vulnerability. - -Change-Id: Ie5deae249da8208523027f8ec5632f960757e9bd -Signed-off-by: Trishansh Bhardwaj ---- - drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c -index 882ab03..d0b265a 100644 ---- a/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c -+++ b/drivers/media/platform/msm/camera_v2/msm_buf_mgr/msm_generic_buf_mgr.c -@@ -554,8 +554,7 @@ static long msm_buf_mngr_subdev_ioctl(struct v4l2_subdev *sd, - sizeof(struct msm_buf_mngr_info))) { - return -EFAULT; - } -- MSM_CAM_GET_IOCTL_ARG_PTR(&k_ioctl.ioctl_ptr, -- &buf_info, sizeof(void *)); -+ k_ioctl.ioctl_ptr = (uintptr_t)&buf_info; - argp = &k_ioctl; - rc = msm_cam_buf_mgr_ops(cmd, argp); - } --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8267/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8261/ANY/0001.patch similarity index 54% rename from Patches/Linux_CVEs/CVE-2017-8267/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-8261/ANY/0001.patch index c98858d7..61f054bd 100644 --- a/Patches/Linux_CVEs/CVE-2017-8267/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2017-8261/ANY/0001.patch 
@@ -1,5 +1,22 @@ +From 2a2f0b7463f4de9ca225769204ff62c71760709c Mon Sep 17 00:00:00 2001 +From: Sudarshan Rajagopalan +Date: Thu, 6 Apr 2017 16:15:48 -0700 +Subject: ashmem: remove cache maintenance support + +The cache maintenance routines in ashmem were causing +several security issues. Since they are not being used +anymore by any drivers, its well to remove them entirely. + +CRs-Fixed: 1107034, 2001129, 2007786 +Change-Id: I955e33d90b888d58db5cf6bb490905283374425b +Signed-off-by: Sudarshan Rajagopalan +--- + drivers/staging/android/ashmem.c | 41 ---------------------------------------- + include/uapi/linux/ashmem.h | 3 --- + 2 files changed, 44 deletions(-) + diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c -index 7fbdf65..79ec3da 100644 +index ee79ac8..f13aab2 100644 --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -32,7 +32,6 @@ @@ -8,21 +25,17 @@ index 7fbdf65..79ec3da 100644 #include -#include - #define ASHMEM_NAME_PREFIX "dev/ashmem/" - #define ASHMEM_NAME_PREFIX_LEN (sizeof(ASHMEM_NAME_PREFIX) - 1) -@@ -704,51 +703,6 @@ + #include "ashmem.h" + +@@ -659,37 +658,6 @@ static int ashmem_pin_unpin(struct ashmem_area *asma, unsigned long cmd, + return ret; } - #endif -static int ashmem_cache_op(struct ashmem_area *asma, -- void (*cache_func)(unsigned long vstart, unsigned long length, -- unsigned long pstart)) +- void (*cache_func)(const void *vstart, const void *vend)) -{ - int ret = 0; - struct vm_area_struct *vma; --#ifdef CONFIG_OUTER_CACHE -- unsigned long vaddr; --#endif - if (!asma->vm_start) - return -EINVAL; - 
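Review bot: The file now stored as CVE-2017-8261/ANY/0001.patch is the ashmem change (`Subject: ashmem: remove cache maintenance support`), renamed from CVE-2017-8267/ANY/0.patch, while the CVE-2017-8261 patch deleted in the preceding section fixed the GET_BUF_BY_IDX ioctl in msm_generic_buf_mgr.c. The new blob (61f054bd) is the same one this commit places under CVE-2017-8263/ANY/0001.patch, so the `k_ioctl.ioctl_ptr = (uintptr_t)&buf_info;` fix is no longer carried under this CVE in the lines shown. Either the earlier mapping or the new one is wrong. The CVE-to-commit mapping should be confirmed against the vendor bulletin before the camera fix is dropped.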
@@ -40,18 +53,8 @@ index 7fbdf65..79ec3da 100644 - ret = -EINVAL; - goto done; - } --#ifndef CONFIG_OUTER_CACHE -- cache_func(asma->vm_start, asma->size, 0); --#else -- for (vaddr = asma->vm_start; vaddr < asma->vm_start + asma->size; -- vaddr += PAGE_SIZE) { -- unsigned long physaddr; -- physaddr = virtaddr_to_physaddr(vaddr); -- if (!physaddr) -- return -EINVAL; -- cache_func(vaddr, PAGE_SIZE, physaddr); -- } --#endif +- cache_func((void *)asma->vm_start, +- (void *)(asma->vm_start + asma->size)); -done: - up_read(¤t->mm->mmap_sem); - if (ret) @@ -62,27 +65,27 @@ index 7fbdf65..79ec3da 100644 static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { struct ashmem_area *asma = file->private_data; -@@ -794,15 +748,6 @@ +@@ -735,15 +703,6 @@ static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg) ashmem_shrink(&ashmem_shrinker, &sc); } break; - case ASHMEM_CACHE_FLUSH_RANGE: -- ret = ashmem_cache_op(asma, &clean_and_invalidate_caches); +- ret = ashmem_cache_op(asma, &dmac_flush_range); - break; - case ASHMEM_CACHE_CLEAN_RANGE: -- ret = ashmem_cache_op(asma, &clean_caches); +- ret = ashmem_cache_op(asma, &dmac_clean_range); - break; - case ASHMEM_CACHE_INV_RANGE: -- ret = ashmem_cache_op(asma, &invalidate_caches); +- ret = ashmem_cache_op(asma, &dmac_inv_range); - break; } return ret; diff --git a/include/uapi/linux/ashmem.h b/include/uapi/linux/ashmem.h -index 7965b39..0a8a9aa 100644 +index 7ec977f..7797439 100644 --- a/include/uapi/linux/ashmem.h +++ b/include/uapi/linux/ashmem.h -@@ -34,9 +34,6 @@ +@@ -34,8 +34,5 @@ struct ashmem_pin { #define ASHMEM_UNPIN _IOW(__ASHMEMIOC, 8, struct ashmem_pin) #define ASHMEM_GET_PIN_STATUS _IO(__ASHMEMIOC, 9) #define ASHMEM_PURGE_ALL_CACHES _IO(__ASHMEMIOC, 10) 
@@ -90,5 +93,7 @@ index 7965b39..0a8a9aa 100644 -#define ASHMEM_CACHE_CLEAN_RANGE _IO(__ASHMEMIOC, 12) -#define ASHMEM_CACHE_INV_RANGE _IO(__ASHMEMIOC, 13) - /* support of 32bit userspace on 64bit platforms */ - #ifdef CONFIG_COMPAT + #endif /* _UAPI_LINUX_ASHMEM_H */ +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-8262/3.10/1.patch b/Patches/Linux_CVEs/CVE-2017-8262/3.10/1.patch deleted file mode 100644 index 62263ec7..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8262/3.10/1.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c -index 640e6c1..57e3ea3 100644 ---- a/drivers/gpu/msm/kgsl.c -+++ b/drivers/gpu/msm/kgsl.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2008-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -167,8 +167,11 @@ - { - struct kgsl_mem_entry *entry = kzalloc(sizeof(*entry), GFP_KERNEL); - -- if (entry) -+ if (entry) { - kref_init(&entry->refcount); -+ /* put this ref in the caller functions after init */ -+ kref_get(&entry->refcount); -+ } - - return entry; - } -@@ -3019,6 +3022,9 @@ - trace_kgsl_mem_map(entry, param->fd); - - kgsl_mem_entry_commit_process(private, entry); -+ -+ /* put the extra refcount for kgsl_mem_entry_create() */ -+ kgsl_mem_entry_put(entry); - return result; - - error_attach: -@@ -3343,6 +3349,9 @@ - param->flags = entry->memdesc.flags; - - kgsl_mem_entry_commit_process(private, entry); -+ -+ /* put the extra refcount for kgsl_mem_entry_create() */ -+ kgsl_mem_entry_put(entry); - return result; - err: - kgsl_sharedmem_free(&entry->memdesc); -@@ -3382,6 +3391,9 @@ - param->gpuaddr = entry->memdesc.gpuaddr; - - kgsl_mem_entry_commit_process(private, entry); -+ -+ /* put the extra refcount for kgsl_mem_entry_create() */ -+ kgsl_mem_entry_put(entry); - return result; - err: - if (entry) diff --git a/Patches/Linux_CVEs/CVE-2017-8262/3.10/1.patch.base64 b/Patches/Linux_CVEs/CVE-2017-8262/3.10/1.patch.base64 deleted file mode 100644 index 126f126e..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8262/3.10/1.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file 
diff --git a/Patches/Linux_CVEs/CVE-2017-8262/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-8262/3.18/0001.patch new file mode 100644 index 00000000..f0df1059 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8262/3.18/0001.patch 
@@ -0,0 +1,83 @@ +From 20c8f1c393ec2726ac46642ae8883643f2427c4f Mon Sep 17 00:00:00 2001 +From: Sunil Khatri +Date: Thu, 6 Apr 2017 16:56:47 +0530 +Subject: msm: kgsl: Fix kgsl memory allocation and free race condition + +When allocating userspace memory keep reference to memory +allocation till it is completely initialized and info is sent back +to userspace. + +Change-Id: Id72c82bf98c094ecbd4722813c732a998dcbb188 +Signed-off-by: Tarun Karra +Signed-off-by: Sunil Khatri +--- + drivers/gpu/msm/kgsl.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c +index 0ba75e0..8f6ff24 100644 +--- a/drivers/gpu/msm/kgsl.c ++++ b/drivers/gpu/msm/kgsl.c +@@ -250,8 +250,11 @@ kgsl_mem_entry_create(void) + { + struct kgsl_mem_entry *entry = kzalloc(sizeof(*entry), GFP_KERNEL); + +- if (entry != NULL) ++ if (entry != NULL) { + kref_init(&entry->refcount); ++ /* put this ref in the caller functions after init */ ++ kref_get(&entry->refcount); ++ } + + return entry; + } +@@ -2300,6 +2303,9 @@ long kgsl_ioctl_gpuobj_import(struct kgsl_device_private *dev_priv, + trace_kgsl_mem_map(entry, fd); + + kgsl_mem_entry_commit_process(entry); ++ ++ /* put the extra refcount for kgsl_mem_entry_create() */ ++ kgsl_mem_entry_put(entry); + return 0; + + unmap: +@@ -2606,6 +2612,9 @@ long kgsl_ioctl_map_user_mem(struct kgsl_device_private *dev_priv, + trace_kgsl_mem_map(entry, param->fd); + + kgsl_mem_entry_commit_process(entry); ++ ++ /* put the extra refcount for kgsl_mem_entry_create() */ ++ kgsl_mem_entry_put(entry); + return result; + + error_attach: +@@ -3044,6 +3053,8 @@ long kgsl_ioctl_gpuobj_alloc(struct kgsl_device_private *dev_priv, + param->mmapsize = kgsl_memdesc_footprint(&entry->memdesc); + param->id = entry->id; + ++ /* put the extra refcount for kgsl_mem_entry_create() */ ++ kgsl_mem_entry_put(entry); + return 0; + } + +@@ -3067,6 +3078,8 @@ long kgsl_ioctl_gpumem_alloc(struct kgsl_device_private 
*dev_priv, + param->size = (size_t) entry->memdesc.size; + param->flags = (unsigned int) entry->memdesc.flags; + ++ /* put the extra refcount for kgsl_mem_entry_create() */ ++ kgsl_mem_entry_put(entry); + return 0; + } + +@@ -3090,6 +3103,8 @@ long kgsl_ioctl_gpumem_alloc_id(struct kgsl_device_private *dev_priv, + param->mmapsize = (size_t) kgsl_memdesc_footprint(&entry->memdesc); + param->gpuaddr = (unsigned long) entry->memdesc.gpuaddr; + ++ /* put the extra refcount for kgsl_mem_entry_create() */ ++ kgsl_mem_entry_put(entry); + return 0; + } + +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-8262/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8262/4.4/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8262/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-8262/4.4/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8263/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-8263/ANY/0.patch.base64 deleted file mode 100644 index b3699e58..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8263/ANY/0.patch.base64 +++ /dev/null 
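Review bot: After this change `kgsl_mem_entry_create()` returns an entry holding two references (`kref_init` followed by `kref_get`), and the patch drops the extra one only on the five success returns it touches. The error labels (`unmap:`, `error_attach:`) and any other caller of `kgsl_mem_entry_create()` lie outside the hunks, so it is not visible whether they release the second reference; a path that puts the entry only once would leak it. The one-line comment in the allocator could state the contract in full, for example `/* returns with an extra reference; the caller must kgsl_mem_entry_put() it once the entry is fully set up */`. The deleted 3.10/1.patch has no 3.10 replacement in the lines shown, so coverage for 3.10 trees should be confirmed.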
@@ -1 +0,0 @@ -ZGlmZiAtLWdpdCBhL2RyaXZlcnMvc3RhZ2luZy9hbmRyb2lkL2FzaG1lbS5jIGIvZHJpdmVycy9zdGFnaW5nL2FuZHJvaWQvYXNobWVtLmMKaW5kZXggN2ZiZGY2NS4uNzllYzNkYSAxMDA2NDQKLS0tIGEvZHJpdmVycy9zdGFnaW5nL2FuZHJvaWQvYXNobWVtLmMKKysrIGIvZHJpdmVycy9zdGFnaW5nL2FuZHJvaWQvYXNobWVtLmMKQEAgLTMyLDcgKzMyLDYgQEAKICNpbmNsdWRlIDxsaW51eC9tdXRleC5oPgogI2luY2x1ZGUgPGxpbnV4L3NobWVtX2ZzLmg+CiAjaW5jbHVkZSA8bGludXgvYXNobWVtLmg+Ci0jaW5jbHVkZSA8YXNtL2NhY2hlZmx1c2guaD4KIAogI2RlZmluZSBBU0hNRU1fTkFNRV9QUkVGSVggImRldi9hc2htZW0vIgogI2RlZmluZSBBU0hNRU1fTkFNRV9QUkVGSVhfTEVOIChzaXplb2YoQVNITUVNX05BTUVfUFJFRklYKSAtIDEpCkBAIC03MDQsNTEgKzcwMyw2IEBACiB9CiAjZW5kaWYKIAotc3RhdGljIGludCBhc2htZW1fY2FjaGVfb3Aoc3RydWN0IGFzaG1lbV9hcmVhICphc21hLAotCXZvaWQgKCpjYWNoZV9mdW5jKSh1bnNpZ25lZCBsb25nIHZzdGFydCwgdW5zaWduZWQgbG9uZyBsZW5ndGgsCi0JCQkJdW5zaWduZWQgbG9uZyBwc3RhcnQpKQotewotCWludCByZXQgPSAwOwotCXN0cnVjdCB2bV9hcmVhX3N0cnVjdCAqdm1hOwotI2lmZGVmIENPTkZJR19PVVRFUl9DQUNIRQotCXVuc2lnbmVkIGxvbmcgdmFkZHI7Ci0jZW5kaWYKLQlpZiAoIWFzbWEtPnZtX3N0YXJ0KQotCQlyZXR1cm4gLUVJTlZBTDsKLQotCWRvd25fcmVhZCgmY3VycmVudC0+bW0tPm1tYXBfc2VtKTsKLQl2bWEgPSBmaW5kX3ZtYShjdXJyZW50LT5tbSwgYXNtYS0+dm1fc3RhcnQpOwotCWlmICghdm1hKSB7Ci0JCXJldCA9IC1FSU5WQUw7Ci0JCWdvdG8gZG9uZTsKLQl9Ci0JaWYgKHZtYS0+dm1fZmlsZSAhPSBhc21hLT5maWxlKSB7Ci0JCXJldCA9IC1FSU5WQUw7Ci0JCWdvdG8gZG9uZTsKLQl9Ci0JaWYgKChhc21hLT52bV9zdGFydCArIGFzbWEtPnNpemUpID4gdm1hLT52bV9lbmQpIHsKLQkJcmV0ID0gLUVJTlZBTDsKLQkJZ290byBkb25lOwotCX0KLSNpZm5kZWYgQ09ORklHX09VVEVSX0NBQ0hFCi0JY2FjaGVfZnVuYyhhc21hLT52bV9zdGFydCwgYXNtYS0+c2l6ZSwgMCk7Ci0jZWxzZQotCWZvciAodmFkZHIgPSBhc21hLT52bV9zdGFydDsgdmFkZHIgPCBhc21hLT52bV9zdGFydCArIGFzbWEtPnNpemU7Ci0JCXZhZGRyICs9IFBBR0VfU0laRSkgewotCQl1bnNpZ25lZCBsb25nIHBoeXNhZGRyOwotCQlwaHlzYWRkciA9IHZpcnRhZGRyX3RvX3BoeXNhZGRyKHZhZGRyKTsKLQkJaWYgKCFwaHlzYWRkcikKLQkJCXJldHVybiAtRUlOVkFMOwotCQljYWNoZV9mdW5jKHZhZGRyLCBQQUdFX1NJWkUsIHBoeXNhZGRyKTsKLQl9Ci0jZW5kaWYKLWRvbmU6Ci0JdXBfcmVhZCgmY3VycmVudC0+bW0tPm1tYXBfc2VtKTsKLQlpZiAocmV0KQotCQlhc21hLT52bV9zdGFydCA9IDA7Ci0JcmV0dXJuIHJldDsKLX0KLQogc3Rhd
GljIGxvbmcgYXNobWVtX2lvY3RsKHN0cnVjdCBmaWxlICpmaWxlLCB1bnNpZ25lZCBpbnQgY21kLCB1bnNpZ25lZCBsb25nIGFyZykKIHsKIAlzdHJ1Y3QgYXNobWVtX2FyZWEgKmFzbWEgPSBmaWxlLT5wcml2YXRlX2RhdGE7CkBAIC03OTQsMTUgKzc0OCw2IEBACiAJCQlhc2htZW1fc2hyaW5rKCZhc2htZW1fc2hyaW5rZXIsICZzYyk7CiAJCX0KIAkJYnJlYWs7Ci0JY2FzZSBBU0hNRU1fQ0FDSEVfRkxVU0hfUkFOR0U6Ci0JCXJldCA9IGFzaG1lbV9jYWNoZV9vcChhc21hLCAmY2xlYW5fYW5kX2ludmFsaWRhdGVfY2FjaGVzKTsKLQkJYnJlYWs7Ci0JY2FzZSBBU0hNRU1fQ0FDSEVfQ0xFQU5fUkFOR0U6Ci0JCXJldCA9IGFzaG1lbV9jYWNoZV9vcChhc21hLCAmY2xlYW5fY2FjaGVzKTsKLQkJYnJlYWs7Ci0JY2FzZSBBU0hNRU1fQ0FDSEVfSU5WX1JBTkdFOgotCQlyZXQgPSBhc2htZW1fY2FjaGVfb3AoYXNtYSwgJmludmFsaWRhdGVfY2FjaGVzKTsKLQkJYnJlYWs7CiAJfQogCiAJcmV0dXJuIHJldDsKZGlmZiAtLWdpdCBhL2luY2x1ZGUvdWFwaS9saW51eC9hc2htZW0uaCBiL2luY2x1ZGUvdWFwaS9saW51eC9hc2htZW0uaAppbmRleCA3OTY1YjM5Li4wYThhOWFhIDEwMDY0NAotLS0gYS9pbmNsdWRlL3VhcGkvbGludXgvYXNobWVtLmgKKysrIGIvaW5jbHVkZS91YXBpL2xpbnV4L2FzaG1lbS5oCkBAIC0zNCw5ICszNCw2IEBACiAjZGVmaW5lIEFTSE1FTV9VTlBJTgkJX0lPVyhfX0FTSE1FTUlPQywgOCwgc3RydWN0IGFzaG1lbV9waW4pCiAjZGVmaW5lIEFTSE1FTV9HRVRfUElOX1NUQVRVUwlfSU8oX19BU0hNRU1JT0MsIDkpCiAjZGVmaW5lIEFTSE1FTV9QVVJHRV9BTExfQ0FDSEVTCV9JTyhfX0FTSE1FTUlPQywgMTApCi0jZGVmaW5lIEFTSE1FTV9DQUNIRV9GTFVTSF9SQU5HRQlfSU8oX19BU0hNRU1JT0MsIDExKQotI2RlZmluZSBBU0hNRU1fQ0FDSEVfQ0xFQU5fUkFOR0UJX0lPKF9fQVNITUVNSU9DLCAxMikKLSNkZWZpbmUgQVNITUVNX0NBQ0hFX0lOVl9SQU5HRQkJX0lPKF9fQVNITUVNSU9DLCAxMykKIAogLyogc3VwcG9ydCBvZiAzMmJpdCB1c2Vyc3BhY2Ugb24gNjRiaXQgcGxhdGZvcm1zICovCiAjaWZkZWYgQ09ORklHX0NPTVBBVAo= \ No newline at end of file diff --git a/Patches/Linux_CVEs/CVE-2017-8263/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8263/ANY/0001.patch similarity index 54% rename from Patches/Linux_CVEs/CVE-2017-8263/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-8263/ANY/0001.patch index c98858d7..61f054bd 100644 --- a/Patches/Linux_CVEs/CVE-2017-8263/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2017-8263/ANY/0001.patch 
@@ -1,5 +1,22 @@ +From 2a2f0b7463f4de9ca225769204ff62c71760709c Mon Sep 17 00:00:00 2001 +From: Sudarshan Rajagopalan +Date: Thu, 6 Apr 2017 16:15:48 -0700 +Subject: ashmem: remove cache maintenance support + +The cache maintenance routines in ashmem were causing +several security issues. Since they are not being used +anymore by any drivers, its well to remove them entirely. + +CRs-Fixed: 1107034, 2001129, 2007786 +Change-Id: I955e33d90b888d58db5cf6bb490905283374425b +Signed-off-by: Sudarshan Rajagopalan +--- + drivers/staging/android/ashmem.c | 41 ---------------------------------------- + include/uapi/linux/ashmem.h | 3 --- + 2 files changed, 44 deletions(-) + diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c -index 7fbdf65..79ec3da 100644 +index ee79ac8..f13aab2 100644 --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -32,7 +32,6 @@ @@ -8,21 +25,17 @@ index 7fbdf65..79ec3da 100644 #include -#include - #define ASHMEM_NAME_PREFIX "dev/ashmem/" - #define ASHMEM_NAME_PREFIX_LEN (sizeof(ASHMEM_NAME_PREFIX) - 1) -@@ -704,51 +703,6 @@ + #include "ashmem.h" + +@@ -659,37 +658,6 @@ static int ashmem_pin_unpin(struct ashmem_area *asma, unsigned long cmd, + return ret; } - #endif -static int ashmem_cache_op(struct ashmem_area *asma, -- void (*cache_func)(unsigned long vstart, unsigned long length, -- unsigned long pstart)) +- void (*cache_func)(const void *vstart, const void *vend)) -{ - int ret = 0; - struct vm_area_struct *vma; --#ifdef CONFIG_OUTER_CACHE -- unsigned long vaddr; --#endif - if (!asma->vm_start) - return -EINVAL; - 
@@ -40,18 +53,8 @@ index 7fbdf65..79ec3da 100644 - ret = -EINVAL; - goto done; - } --#ifndef CONFIG_OUTER_CACHE -- cache_func(asma->vm_start, asma->size, 0); --#else -- for (vaddr = asma->vm_start; vaddr < asma->vm_start + asma->size; -- vaddr += PAGE_SIZE) { -- unsigned long physaddr; -- physaddr = virtaddr_to_physaddr(vaddr); -- if (!physaddr) -- return -EINVAL; -- cache_func(vaddr, PAGE_SIZE, physaddr); -- } --#endif +- cache_func((void *)asma->vm_start, +- (void *)(asma->vm_start + asma->size)); -done: - up_read(¤t->mm->mmap_sem); - if (ret) @@ -62,27 +65,27 @@ index 7fbdf65..79ec3da 100644 static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg) { struct ashmem_area *asma = file->private_data; -@@ -794,15 +748,6 @@ +@@ -735,15 +703,6 @@ static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg) ashmem_shrink(&ashmem_shrinker, &sc); } break; - case ASHMEM_CACHE_FLUSH_RANGE: -- ret = ashmem_cache_op(asma, &clean_and_invalidate_caches); +- ret = ashmem_cache_op(asma, &dmac_flush_range); - break; - case ASHMEM_CACHE_CLEAN_RANGE: -- ret = ashmem_cache_op(asma, &clean_caches); +- ret = ashmem_cache_op(asma, &dmac_clean_range); - break; - case ASHMEM_CACHE_INV_RANGE: -- ret = ashmem_cache_op(asma, &invalidate_caches); +- ret = ashmem_cache_op(asma, &dmac_inv_range); - break; } return ret; diff --git a/include/uapi/linux/ashmem.h b/include/uapi/linux/ashmem.h -index 7965b39..0a8a9aa 100644 +index 7ec977f..7797439 100644 --- a/include/uapi/linux/ashmem.h +++ b/include/uapi/linux/ashmem.h -@@ -34,9 +34,6 @@ +@@ -34,8 +34,5 @@ struct ashmem_pin { #define ASHMEM_UNPIN _IOW(__ASHMEMIOC, 8, struct ashmem_pin) #define ASHMEM_GET_PIN_STATUS _IO(__ASHMEMIOC, 9) #define ASHMEM_PURGE_ALL_CACHES _IO(__ASHMEMIOC, 10) 
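Review bot: The removed-line context of the inner patch changes here from the `CONFIG_OUTER_CACHE` variant of `ashmem_cache_op` (three-argument `cache_func`, `virtaddr_to_physaddr` loop) to the two-pointer `cache_func((void *)asma->vm_start, ...)` variant, so the new file targets a different ashmem.c than the one it replaces while still living under ANY. On a tree that carries the older variant these removal hunks would not match, and the `ASHMEM_CACHE_*_RANGE` ioctls would stay reachable. A failed apply of this file should therefore be reported as an error, or the older variant kept in a version-specific directory next to it.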
@@ -90,5 +93,7 @@ index 7965b39..0a8a9aa 100644 -#define ASHMEM_CACHE_CLEAN_RANGE _IO(__ASHMEMIOC, 12) -#define ASHMEM_CACHE_INV_RANGE _IO(__ASHMEMIOC, 13) - /* support of 32bit userspace on 64bit platforms */ - #ifdef CONFIG_COMPAT + #endif /* _UAPI_LINUX_ASHMEM_H */ +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-8264/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-8264/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8264/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2017-8264/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8264/3.18/1.patch b/Patches/Linux_CVEs/CVE-2017-8264/3.18/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8264/3.18/1.patch rename to Patches/Linux_CVEs/CVE-2017-8264/3.18/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8265/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8265/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8265/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-8265/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8266/3.10/1.patch b/Patches/Linux_CVEs/CVE-2017-8266/3.10/1.patch deleted file mode 100644 index c620412f..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8266/3.10/1.patch +++ /dev/null 
@@ -1,182 +0,0 @@ -From aa23820b001ab1cfb86b79014e9fc44cd2be9ece Mon Sep 17 00:00:00 2001 -From: Ingrid Gallardo -Date: Wed, 1 Mar 2017 12:24:06 -0800 -Subject: msm: mdss: fix race condition in mdp debugfs - -Fix race condition in mdp debugfs properties -during the read and write of the panel and -mdp registers. This race condition can cause -accessing memory out bounderies. - -Change-Id: I97a90a154237343d4aaf237c11f525bcc2c3a8e3 -Signed-off-by: Ingrid Gallardo -Signed-off-by: Nirmal Abraham ---- - drivers/video/msm/mdss/mdss_debug.c | 48 ++++++++++++++++++++++++++++++------- - 1 file changed, 40 insertions(+), 8 deletions(-) - -diff --git a/drivers/video/msm/mdss/mdss_debug.c b/drivers/video/msm/mdss/mdss_debug.c -index a95fa43..cedd40cd 100644 ---- a/drivers/video/msm/mdss/mdss_debug.c -+++ b/drivers/video/msm/mdss/mdss_debug.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2009-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2009-2017, The Linux Foundation. All rights reserved. 
- * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -39,6 +39,8 @@ - #define PANEL_CMD_MIN_TX_COUNT 2 - #define PANEL_DATA_NODE_LEN 80 - -+static DEFINE_MUTEX(mdss_debug_lock); -+ - static char panel_reg[2] = {DEFAULT_READ_PANEL_POWER_MODE_REG, 0x00}; - - static int panel_debug_base_open(struct inode *inode, struct file *file) -@@ -88,8 +90,10 @@ static ssize_t panel_debug_base_offset_write(struct file *file, - if (cnt > (dbg->max_offset - off)) - cnt = dbg->max_offset - off; - -+ mutex_lock(&mdss_debug_lock); - dbg->off = off; - dbg->cnt = cnt; -+ mutex_unlock(&mdss_debug_lock); - - pr_debug("offset=%x cnt=%d\n", off, cnt); - -@@ -109,15 +113,21 @@ static ssize_t panel_debug_base_offset_read(struct file *file, - if (*ppos) - return 0; /* the end */ - -+ mutex_lock(&mdss_debug_lock); - len = snprintf(buf, sizeof(buf), "0x%02zx %zx\n", dbg->off, dbg->cnt); -- if (len < 0 || len >= sizeof(buf)) -+ if (len < 0 || len >= sizeof(buf)) { -+ mutex_unlock(&mdss_debug_lock); - return 0; -+ } - -- if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) -+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) { -+ mutex_unlock(&mdss_debug_lock); - return -EFAULT; -+ } - - *ppos += len; /* increase offset */ - -+ mutex_unlock(&mdss_debug_lock); - return len; - } - -@@ -206,11 +216,16 @@ static ssize_t panel_debug_base_reg_read(struct file *file, - if (!dbg) - return -ENODEV; - -- if (!dbg->cnt) -+ mutex_lock(&mdss_debug_lock); -+ if (!dbg->cnt) { -+ mutex_unlock(&mdss_debug_lock); - return 0; -+ } - -- if (*ppos) -+ if (*ppos) { -+ mutex_unlock(&mdss_debug_lock); - return 0; /* the end */ -+ } - - /* '0x' + 2 digit + blank = 5 bytes for each number */ - reg_buf_len = (dbg->cnt * PANEL_REG_FORMAT_LEN) -@@ -251,11 +266,13 @@ static ssize_t panel_debug_base_reg_read(struct file *file, - kfree(panel_reg_buf); - - *ppos += len; /* increase offset */ -+ 
mutex_unlock(&mdss_debug_lock); - return len; - - read_reg_fail: - kfree(rx_buf); - kfree(panel_reg_buf); -+ mutex_unlock(&mdss_debug_lock); - return rc; - } - -@@ -386,8 +403,10 @@ static ssize_t mdss_debug_base_offset_write(struct file *file, - if (cnt > (dbg->max_offset - off)) - cnt = dbg->max_offset - off; - -+ mutex_lock(&mdss_debug_lock); - dbg->off = off; - dbg->cnt = cnt; -+ mutex_unlock(&mdss_debug_lock); - - pr_debug("offset=%x cnt=%x\n", off, cnt); - -@@ -407,15 +426,21 @@ static ssize_t mdss_debug_base_offset_read(struct file *file, - if (*ppos) - return 0; /* the end */ - -+ mutex_lock(&mdss_debug_lock); - len = snprintf(buf, sizeof(buf), "0x%08zx %zx\n", dbg->off, dbg->cnt); -- if (len < 0 || len >= sizeof(buf)) -+ if (len < 0 || len >= sizeof(buf)) { -+ mutex_unlock(&mdss_debug_lock); - return 0; -+ } - -- if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) -+ if ((count < sizeof(buf)) || copy_to_user(buff, buf, len)) { -+ mutex_unlock(&mdss_debug_lock); - return -EFAULT; -+ } - - *ppos += len; /* increase offset */ - -+ mutex_unlock(&mdss_debug_lock); - return len; - } - -@@ -472,6 +497,8 @@ static ssize_t mdss_debug_base_reg_read(struct file *file, - return -ENODEV; - } - -+ mutex_lock(&mdss_debug_lock); -+ - if (!dbg->buf) { - char dump_buf[64]; - char *ptr; -@@ -483,6 +510,7 @@ static ssize_t mdss_debug_base_reg_read(struct file *file, - - if (!dbg->buf) { - pr_err("not enough memory to hold reg dump\n"); -+ mutex_unlock(&mdss_debug_lock); - return -ENOMEM; - } - -@@ -513,17 +541,21 @@ static ssize_t mdss_debug_base_reg_read(struct file *file, - dbg->buf_len = tot; - } - -- if (*ppos >= dbg->buf_len) -+ if (*ppos >= dbg->buf_len) { -+ mutex_unlock(&mdss_debug_lock); - return 0; /* done reading */ -+ } - - len = min(count, dbg->buf_len - (size_t) *ppos); - if (copy_to_user(user_buf, dbg->buf + *ppos, len)) { - pr_err("failed to copy to user\n"); -+ mutex_unlock(&mdss_debug_lock); - return -EFAULT; - } - - *ppos += len; /* increase offset 
*/ - -+ mutex_unlock(&mdss_debug_lock); - return len; - } - --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-8266/3.18/0.patch b/Patches/Linux_CVEs/CVE-2017-8266/3.18/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8266/3.18/0.patch rename to Patches/Linux_CVEs/CVE-2017-8266/3.18/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8266/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8266/4.4/0002.patch new file mode 100644 index 00000000..3f7a27f3 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8266/4.4/0002.patch 
@@ -0,0 +1,52 @@
+From 64e4e29356928bea60ae4be5b387eb7d8d7a7f45 Mon Sep 17 00:00:00 2001
+From: Harsh Sahu
+Date: Thu, 13 Apr 2017 15:38:46 -0700
+Subject: msm: mdss: fix race condition during mdp debugfs release
+
+Fix race condition in the release of the mdp debugfs functions
+panel_debug_base_release and mdss_debug_base_release by adding
+the lock for unpreempted freeing of the buffer so that multiple
+concurrent processes cannot affect the release which can possibly
+lead to use-after-free operation on the buffer.
+
+Change-Id: I9586081b65ae2eb0e7f6e30c606ee748ae9ef7e8
+Signed-off-by: Harsh Sahu
+---
+ drivers/video/fbdev/msm/mdss_debug.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/video/fbdev/msm/mdss_debug.c b/drivers/video/fbdev/msm/mdss_debug.c
+index e6086914..0ecf1ef 100644
+--- a/drivers/video/fbdev/msm/mdss_debug.c
++++ b/drivers/video/fbdev/msm/mdss_debug.c
+@@ -59,11 +59,13 @@ static int panel_debug_base_open(struct inode *inode, struct file *file)
+ static int panel_debug_base_release(struct inode *inode, struct file *file)
+ {
+ struct mdss_debug_base *dbg = file->private_data;
++ mutex_lock(&mdss_debug_lock);
+ if (dbg && dbg->buf) {
+ kfree(dbg->buf);
+ dbg->buf_len = 0;
+ dbg->buf = NULL;
+ }
++ mutex_unlock(&mdss_debug_lock);
+ return 0;
+ }
+
+@@ -385,11 +387,13 @@ static int mdss_debug_base_open(struct inode *inode, struct file *file)
+ static int mdss_debug_base_release(struct inode *inode, struct file *file)
+ {
+ struct mdss_debug_base *dbg = file->private_data;
++ mutex_lock(&mdss_debug_lock);
+ if (dbg && dbg->buf) {
+ kfree(dbg->buf);
+ dbg->buf_len = 0;
+ dbg->buf = NULL;
+ }
++ mutex_unlock(&mdss_debug_lock);
+ return 0;
+ }
+
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-8267/ANY/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-8267/ANY/0.patch.base64
deleted file mode 100644
index b3699e58..00000000
--- a/Patches/Linux_CVEs/CVE-2017-8267/ANY/0.patch.base64
+++ /dev/null
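Review bot: Both release handlers in CVE-2017-8266/4.4/0002.patch take `mdss_debug_lock`, but this patch neither defines the mutex nor touches the read paths, so by itself it closes nothing: the use-after-free on `dbg->buf` is only prevented if every reader holds the same lock. The companion change "msm: mdss: fix race condition in mdp debugfs" (the one that adds `static DEFINE_MUTEX(mdss_debug_lock);` and locks the reg_read handlers) has to be in the 4.4 tree before this one; if the base lacks it, the kernel will not build after applying this patch. I would record that ordering next to the patch, for example `# requires mdss_debug_lock from the mdp debugfs race fix` in whatever list drives patch application. Whether the 4.4 base already carries the mutex cannot be confirmed from this hunk.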
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/Patches/Linux_CVEs/CVE-2017-8267/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8267/ANY/0001.patch
new file mode 100644
index 00000000..61f054bd
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-8267/ANY/0001.patch
@@ -0,0 +1,99 @@ +From 2a2f0b7463f4de9ca225769204ff62c71760709c Mon Sep 17 00:00:00 2001 +From: Sudarshan Rajagopalan +Date: Thu, 6 Apr 2017 16:15:48 -0700 +Subject: ashmem: remove cache maintenance support + +The cache maintenance routines in ashmem were causing +several security issues. Since they are not being used +anymore by any drivers, its well to remove them entirely. + +CRs-Fixed: 1107034, 2001129, 2007786 +Change-Id: I955e33d90b888d58db5cf6bb490905283374425b +Signed-off-by: Sudarshan Rajagopalan +--- + drivers/staging/android/ashmem.c | 41 ---------------------------------------- + include/uapi/linux/ashmem.h | 3 --- + 2 files changed, 44 deletions(-) + +diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c +index ee79ac8..f13aab2 100644 +--- a/drivers/staging/android/ashmem.c ++++ b/drivers/staging/android/ashmem.c +@@ -32,7 +32,6 @@ + #include + #include + #include +-#include + + #include "ashmem.h" + +@@ -659,37 +658,6 @@ static int ashmem_pin_unpin(struct ashmem_area *asma, unsigned long cmd, + return ret; + } + +-static int ashmem_cache_op(struct ashmem_area *asma, +- void (*cache_func)(const void *vstart, const void *vend)) +-{ +- int ret = 0; +- struct vm_area_struct *vma; +- if (!asma->vm_start) +- return -EINVAL; +- +- down_read(¤t->mm->mmap_sem); +- vma = find_vma(current->mm, asma->vm_start); +- if (!vma) { +- ret = -EINVAL; +- goto done; +- } +- if (vma->vm_file != asma->file) { +- ret = -EINVAL; +- goto done; +- } +- if ((asma->vm_start + asma->size) > vma->vm_end) { +- ret = -EINVAL; +- goto done; +- } +- cache_func((void *)asma->vm_start, +- (void *)(asma->vm_start + asma->size)); +-done: +- up_read(¤t->mm->mmap_sem); +- if (ret) +- asma->vm_start = 0; +- return ret; +-} +- + static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + { + struct ashmem_area *asma = file->private_data; +@@ -735,15 +703,6 @@ static long ashmem_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + 
ashmem_shrink(&ashmem_shrinker, &sc); + } + break; +- case ASHMEM_CACHE_FLUSH_RANGE: +- ret = ashmem_cache_op(asma, &dmac_flush_range); +- break; +- case ASHMEM_CACHE_CLEAN_RANGE: +- ret = ashmem_cache_op(asma, &dmac_clean_range); +- break; +- case ASHMEM_CACHE_INV_RANGE: +- ret = ashmem_cache_op(asma, &dmac_inv_range); +- break; + } + + return ret; +diff --git a/include/uapi/linux/ashmem.h b/include/uapi/linux/ashmem.h +index 7ec977f..7797439 100644 +--- a/include/uapi/linux/ashmem.h ++++ b/include/uapi/linux/ashmem.h +@@ -34,8 +34,5 @@ struct ashmem_pin { + #define ASHMEM_UNPIN _IOW(__ASHMEMIOC, 8, struct ashmem_pin) + #define ASHMEM_GET_PIN_STATUS _IO(__ASHMEMIOC, 9) + #define ASHMEM_PURGE_ALL_CACHES _IO(__ASHMEMIOC, 10) +-#define ASHMEM_CACHE_FLUSH_RANGE _IO(__ASHMEMIOC, 11) +-#define ASHMEM_CACHE_CLEAN_RANGE _IO(__ASHMEMIOC, 12) +-#define ASHMEM_CACHE_INV_RANGE _IO(__ASHMEMIOC, 13) + + #endif /* _UAPI_LINUX_ASHMEM_H */ +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-8268/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8268/3.10/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8268/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-8268/3.10/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8268/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-8268/4.4/0002.patch new file mode 100644 index 00000000..dc7ee887 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8268/4.4/0002.patch 
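Review bot: The uapi header change in CVE-2017-8267/ANY/0001.patch drops ioctl numbers 11-13 without leaving any marker, so a later addition to `include/uapi/linux/ashmem.h` could reuse them and give old binaries that still issue the removed cache ioctls a different operation. I would leave a comment in their place, e.g. `/* 11-13: formerly ASHMEM_CACHE_{FLUSH,CLEAN,INV}_RANGE, removed - do not reuse */`. The removal itself is pure attack-surface reduction and looks complete for the two files shown, but `ashmem_ioctl` starts and ends outside the hunk, so what it returns for the now-unknown commands cannot be confirmed from here.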
@@ -0,0 +1,79 @@ +From fab64410d005a7dee8ed02557a0ca26e4c5242ff Mon Sep 17 00:00:00 2001 +From: Ravi kumar Koyyana +Date: Tue, 11 Apr 2017 18:47:44 -0700 +Subject: msm: camera2: cpp: Fix out-of-bounds frame or command buffer access + +When user application provides invalid (out of range) stripe size and +stripe indices, while submitting requests for the stripe based image +processing by the CPP kernel driver, the driver could perform out of +bounds access of the internal buffers. + +This fix ensures that stripe size and indices of frame/command buffer +are properly validated during the configuration and before processing +such requests through the CPP hardware block. + +CRs-fixed: 2002207 +Change-Id: Ib79e36fb507d8e75d8fc28afb990020a0e1bf845 +Signed-off-by: Ravi kumar Koyyana +--- + .../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 33 ++++++++++++++++++---- + 1 file changed, 27 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c +index 95aac07..b7feb12 100644 +--- a/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c ++++ b/drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c +@@ -2542,9 +2542,29 @@ static int msm_cpp_cfg_frame(struct cpp_device *cpp_dev, + return -EINVAL; + } + +- if (stripe_base == UINT_MAX || new_frame->num_strips > +- (UINT_MAX - 1 - stripe_base) / stripe_size) { +- pr_err("Invalid frame message,num_strips %d is large\n", ++ /* Stripe index starts at zero */ ++ if ((!new_frame->num_strips) || ++ (new_frame->first_stripe_index >= new_frame->num_strips) || ++ (new_frame->last_stripe_index >= new_frame->num_strips) || ++ (new_frame->first_stripe_index > ++ new_frame->last_stripe_index)) { ++ pr_err("Invalid frame message, #stripes=%d, stripe indices=[%d,%d]\n", ++ new_frame->num_strips, ++ new_frame->first_stripe_index, ++ new_frame->last_stripe_index); ++ return -EINVAL; ++ } ++ ++ if (!stripe_size) { ++ pr_err("Invalid frame 
message, invalid stripe_size (%d)!\n", ++ stripe_size); ++ return -EINVAL; ++ } ++ ++ if ((stripe_base == UINT_MAX) || ++ (new_frame->num_strips > ++ (UINT_MAX - 1 - stripe_base) / stripe_size)) { ++ pr_err("Invalid frame message, num_strips %d is large\n", + new_frame->num_strips); + return -EINVAL; + } +@@ -2785,13 +2805,14 @@ static int msm_cpp_cfg(struct cpp_device *cpp_dev, + struct msm_cpp_frame_info_t *frame = NULL; + struct msm_cpp_frame_info_t k_frame_info; + int32_t rc = 0; +- int32_t i = 0; +- int32_t num_buff = sizeof(k_frame_info.output_buffer_info)/ ++ uint32_t i = 0; ++ uint32_t num_buff = sizeof(k_frame_info.output_buffer_info) / + sizeof(struct msm_cpp_buffer_info_t); ++ + if (copy_from_user(&k_frame_info, + (void __user *)ioctl_ptr->ioctl_ptr, + sizeof(k_frame_info))) +- return -EFAULT; ++ return -EFAULT; + + frame = msm_cpp_get_frame(ioctl_ptr); + if (!frame) { +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-8269/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8269/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8269/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-8269/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8270/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8270/ANY/0001.patch new file mode 100644 index 00000000..2824db06 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8270/ANY/0001.patch 
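Review bot: The new `pr_err()` calls in `msm_cpp_cfg_frame` print `num_strips`, the two stripe indices and `stripe_size` with `%d`, while the `UINT_MAX` arithmetic on the same values suggests they are unsigned; if so, `%u` is the matching specifier and keeps out-of-range values from appearing as negative numbers in the log an analyst reads, e.g. `pr_err("Invalid frame message, invalid stripe_size (%u)!\n",`. Separately, in `msm_cpp_cfg` the hunk copies `k_frame_info` from `ioctl_ptr->ioctl_ptr` and then calls `msm_cpp_get_frame(ioctl_ptr)`; if that helper reads the same user buffer a second time (its body is not in the hunk), fields checked in one copy can differ in the other, so it is worth confirming that only one copy is ever trusted. Both functions begin and end outside the hunks, so the later uses of the validated indices could not be checked.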
@@ -0,0 +1,204 @@ +From ff96565f1dbabfeb7fb2c1604f40af768579d9df Mon Sep 17 00:00:00 2001 +From: Ashish Kumar Dhanotiya +Date: Fri, 14 Apr 2017 16:55:34 +0530 +Subject: qcacld-3.0: Race condition while using pkt log buffer + +There can be a race condition if two different threads use the +pkt log buffer at the same time. This issue can lead to Use-After-Free +of the packet log buffer. + +To address this issue, protect the pktlog buffer access using spinlock. + +Change-Id: I8098bb78a8e2462e109cee3407683c669f151fd5 +CRs-Fixed: 2021363 +--- + core/utils/pktlog/linux_ac.c | 31 +++++++++++++++++++++++++------ + core/utils/pktlog/pktlog_ac.c | 5 +++++ + 2 files changed, 30 insertions(+), 6 deletions(-) + +diff --git a/core/utils/pktlog/linux_ac.c b/core/utils/pktlog/linux_ac.c +index 974cd2a..eb0943f 100644 +--- a/core/utils/pktlog/linux_ac.c ++++ b/core/utils/pktlog/linux_ac.c +@@ -520,12 +520,15 @@ static void pktlog_detach(struct hif_opaque_softc *scn) + pl_info = pl_dev->pl_info; + remove_proc_entry(WLANDEV_BASENAME, g_pktlog_pde); + pktlog_sysctl_unregister(pl_dev); +- pktlog_cleanup(pl_info); ++ ++ spin_lock_bh(&pl_info->log_lock); + + if (pl_info->buf) { + pktlog_release_buf(scn); + pl_dev->tgt_pktlog_alloced = false; + } ++ spin_unlock_bh(&pl_info->log_lock); ++ pktlog_cleanup(pl_info); + + if (pl_dev) { + kfree(pl_info); +@@ -701,11 +704,16 @@ pktlog_read_proc_entry(char *buf, size_t nbytes, loff_t *ppos, + int rem_len; + int start_offset, end_offset; + int fold_offset, ppos_data, cur_rd_offset, cur_wr_offset; +- struct ath_pktlog_buf *log_buf = pl_info->buf; ++ struct ath_pktlog_buf *log_buf; ++ ++ spin_lock_bh(&pl_info->log_lock); ++ log_buf = pl_info->buf; ++ + *read_complete = false; + + if (log_buf == NULL) { + *read_complete = true; ++ spin_unlock_bh(&pl_info->log_lock); + return 0; + } + +@@ -808,7 +816,6 @@ rd_done: + *ppos += ret_val; + + if (ret_val == 0) { +- PKTLOG_LOCK(pl_info); + /* Write pointer might have been updated during the read. 
+ * So, if some data is written into, lets not reset the pointers + * We can continue to read from the offset position +@@ -822,9 +829,8 @@ rd_done: + pl_info->buf->offset = PKTLOG_READ_OFFSET; + *read_complete = true; + } +- PKTLOG_UNLOCK(pl_info); + } +- ++ spin_unlock_bh(&pl_info->log_lock); + return ret_val; + } + +@@ -849,16 +855,20 @@ __pktlog_read(struct file *file, char *buf, size_t nbytes, loff_t *ppos) + if (!pl_info) + return 0; + ++ spin_lock_bh(&pl_info->log_lock); + log_buf = pl_info->buf; + +- if (log_buf == NULL) ++ if (log_buf == NULL) { ++ spin_unlock_bh(&pl_info->log_lock); + return 0; ++ } + + if (pl_info->log_state) { + /* Read is not allowed when write is going on + * When issuing cat command, ensure to send + * pktlog disable command first. + */ ++ spin_unlock_bh(&pl_info->log_lock); + return -EINVAL; + } + +@@ -875,11 +885,13 @@ __pktlog_read(struct file *file, char *buf, size_t nbytes, loff_t *ppos) + + if (*ppos < bufhdr_size) { + count = QDF_MIN((bufhdr_size - *ppos), rem_len); ++ spin_unlock_bh(&pl_info->log_lock); + if (copy_to_user(buf, ((char *)&log_buf->bufhdr) + *ppos, + count)) + return -EFAULT; + rem_len -= count; + ret_val += count; ++ spin_lock_bh(&pl_info->log_lock); + } + + start_offset = log_buf->rd_offset; +@@ -921,19 +933,23 @@ __pktlog_read(struct file *file, char *buf, size_t nbytes, loff_t *ppos) + goto rd_done; + + count = QDF_MIN(rem_len, (end_offset - ppos_data + 1)); ++ spin_unlock_bh(&pl_info->log_lock); + if (copy_to_user(buf + ret_val, + log_buf->log_data + ppos_data, count)) + return -EFAULT; + ret_val += count; + rem_len -= count; ++ spin_lock_bh(&pl_info->log_lock); + } else { + if (ppos_data <= fold_offset) { + count = QDF_MIN(rem_len, (fold_offset - ppos_data + 1)); ++ spin_unlock_bh(&pl_info->log_lock); + if (copy_to_user(buf + ret_val, + log_buf->log_data + ppos_data, count)) + return -EFAULT; + ret_val += count; + rem_len -= count; ++ spin_lock_bh(&pl_info->log_lock); + } + + if (rem_len == 0) +@@ -945,11 
+961,13 @@ __pktlog_read(struct file *file, char *buf, size_t nbytes, loff_t *ppos) + + if (ppos_data <= end_offset) { + count = QDF_MIN(rem_len, (end_offset - ppos_data + 1)); ++ spin_unlock_bh(&pl_info->log_lock); + if (copy_to_user(buf + ret_val, + log_buf->log_data + ppos_data, count)) + return -EFAULT; + ret_val += count; + rem_len -= count; ++ spin_lock_bh(&pl_info->log_lock); + } + } + +@@ -960,6 +978,7 @@ rd_done: + } + *ppos += ret_val; + ++ spin_unlock_bh(&pl_info->log_lock); + return ret_val; + } + +diff --git a/core/utils/pktlog/pktlog_ac.c b/core/utils/pktlog/pktlog_ac.c +index ab0be7c..524591b 100644 +--- a/core/utils/pktlog/pktlog_ac.c ++++ b/core/utils/pktlog/pktlog_ac.c +@@ -457,6 +457,7 @@ int pktlog_enable(struct hif_opaque_softc *scn, int32_t log_state, + + } + ++ spin_lock_bh(&pl_info->log_lock); + pl_info->buf->bufhdr.version = CUR_PKTLOG_VER; + pl_info->buf->bufhdr.magic_num = PKTLOG_MAGIC_NUM; + pl_info->buf->wr_offset = 0; +@@ -465,6 +466,7 @@ int pktlog_enable(struct hif_opaque_softc *scn, int32_t log_state, + pl_info->buf->bytes_written = 0; + pl_info->buf->msg_index = 1; + pl_info->buf->offset = PKTLOG_READ_OFFSET; ++ spin_unlock_bh(&pl_info->log_lock); + + pl_info->start_time_thruput = os_get_timestamp(); + pl_info->start_time_per = pl_info->start_time_thruput; +@@ -542,12 +544,14 @@ int pktlog_setsize(struct hif_opaque_softc *scn, int32_t size) + return -EINVAL; + } + ++ spin_lock_bh(&pl_info->log_lock); + if (pl_info->buf != NULL) { + if (pl_dev->is_pktlog_cb_subscribed && + wdi_pktlog_unsubscribe(pdev_txrx_handle, + pl_info->log_state)) { + pl_info->curr_pkt_state = PKTLOG_OPR_NOT_IN_PROGRESS; + printk("Cannot unsubscribe pktlog from the WDI\n"); ++ spin_unlock_bh(&pl_info->log_lock); + return -EFAULT; + } + pktlog_release_buf(scn); +@@ -560,6 +564,7 @@ int pktlog_setsize(struct hif_opaque_softc *scn, int32_t size) + pl_info->buf_size = size; + } + pl_info->curr_pkt_state = PKTLOG_OPR_NOT_IN_PROGRESS; ++ 
spin_unlock_bh(&pl_info->log_lock); + return 0; + } + +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-8272/4.4/0001.patch b/Patches/Linux_CVEs/CVE-2017-8272/4.4/0001.patch new file mode 100644 index 00000000..e83bab49 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8272/4.4/0001.patch 
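Review bot: In `__pktlog_read` the lock is released before every `copy_to_user()`, yet the copy still reads through `log_buf`, the pointer sampled from `pl_info->buf` earlier, so a concurrent `pktlog_release_buf()` (which `pktlog_detach` and `pktlog_setsize` now call under the same lock) can free the buffer while it is being copied; the use-after-free window is narrowed, not closed. Dropping a spinlock around `copy_to_user()` is required because the copy can fault and sleep, so the usual remedy is to stage each chunk in a kernel bounce buffer while the lock is held and copy to user space from that after unlocking, or to guard the buffer with a mutex instead. `pktlog_setsize` also now holds `spin_lock_bh` across `wdi_pktlog_unsubscribe()`, `pktlog_release_buf()` and the code between the two hunks; if any of that can sleep (not visible here) it has to move outside the lock. Most of these function bodies lie outside the hunks, so other return paths that might leave `log_lock` held could not be checked.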
@@ -0,0 +1,60 @@
+From a8cb976e7c8f25191728b655e0b38328a6d7d81f Mon Sep 17 00:00:00 2001
+From: Benjamin Chan
+Date: Wed, 19 Apr 2017 16:24:40 -0400
+Subject: msm: mdss: Add plane_count range check in mdss WFD
+
+For any given output buffer to the MDSS WFD, it is necessary to check
+the range of the plane_count against the MAX_PLANES definition, in order
+to avoid any out of bound access.
+
+CRs-Fixed: 2028702
+Change-Id: I4f1497a3a2e4ca2d30fc268e68cfdacc0d8539ea
+Signed-off-by: Benjamin Chan
+---
+ drivers/video/fbdev/msm/mdss_mdp_layer.c | 6 ++++++
+ drivers/video/fbdev/msm/mdss_mdp_wfd.c | 8 +++++++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/msm/mdss_mdp_layer.c b/drivers/video/fbdev/msm/mdss_mdp_layer.c
+index 09a3422..5e96a08 100644
+--- a/drivers/video/fbdev/msm/mdss_mdp_layer.c
++++ b/drivers/video/fbdev/msm/mdss_mdp_layer.c
+@@ -3035,6 +3035,12 @@ int mdss_mdp_layer_pre_commit_wfd(struct msm_fb_data_type *mfd,
+ wfd = mdp5_data->wfd;
+ output_layer = commit->output_layer;
+
++ if (output_layer->buffer.plane_count > MAX_PLANES) {
++ pr_err("Output buffer plane_count exceeds MAX_PLANES limit:%d\n",
++ output_layer->buffer.plane_count);
++ return -EINVAL;
++ }
++
+ data = mdss_mdp_wfd_add_data(wfd, output_layer);
+ if (IS_ERR_OR_NULL(data))
+ return PTR_ERR(data);
+diff --git a/drivers/video/fbdev/msm/mdss_mdp_wfd.c b/drivers/video/fbdev/msm/mdss_mdp_wfd.c
+index 71a07f6..7868dc0 100644
+--- a/drivers/video/fbdev/msm/mdss_mdp_wfd.c
++++ b/drivers/video/fbdev/msm/mdss_mdp_wfd.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2015-2016, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2015-2017, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -322,6 +322,12 @@ int mdss_mdp_wb_import_data(struct device *device,
+ if (wfd_data->layer.flags & MDP_LAYER_SECURE_SESSION)
+ flags = MDP_SECURE_OVERLAY_SESSION;
+
++ if (buffer->plane_count > MAX_PLANES) {
++ pr_err("buffer plane_count exceeds MAX_PLANES limit:%d",
++ buffer->plane_count);
++ return -EINVAL;
++ }
++
+ memset(planes, 0, sizeof(planes));
+
+ for (i = 0; i < buffer->plane_count; i++) {
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-8277/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8277/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-8277/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-8277/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-8279/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-8279/ANY/0001.patch
new file mode 100644
index 00000000..32cedec5
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-8279/ANY/0001.patch
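Review bot: In `mdss_mdp_layer_pre_commit_wfd`, directly after the new `plane_count` check, `if (IS_ERR_OR_NULL(data)) return PTR_ERR(data);` returns 0 when `mdss_mdp_wfd_add_data()` yields NULL, so a failed add would be reported to the caller as success; if NULL is a possible return (the helper is not visible), `return data ? PTR_ERR(data) : -ENOMEM;` keeps the error visible. The second `pr_err()` in `mdss_mdp_wb_import_data` is missing the trailing newline the first one has and should read `pr_err("buffer plane_count exceeds MAX_PLANES limit:%d\n",`. The `> MAX_PLANES` bound is correct only if `planes` is declared with `MAX_PLANES` elements, which is outside the hunk and worth a glance. Both functions continue beyond the hunks.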
@@ -0,0 +1,388 @@ +From f09aee50c2ee6b79d94cb42eafc82413968b15cb Mon Sep 17 00:00:00 2001 +From: Gopikrishna Mogasati +Date: Fri, 5 May 2017 16:04:35 +0530 +Subject: diag: Add proper synchronization checks to msg mask table + +This fix removes dependency between real time message mask +table and build time message mask table. Also this fix +synchronizes retrieval and modification of real time message +mask table. + +CRs-Fixed: 2015227 +Change-Id: Id0a0964337ec4645d7061fc35120dfa061a990ff +Signed-off-by: Gopikrishna Mogasati +--- + drivers/char/diag/diag_masks.c | 65 +++++++++++++++++++++++---------------- + drivers/char/diag/diagchar.h | 2 ++ + drivers/char/diag/diagchar_core.c | 1 + + drivers/char/diag/diagfwd_cntl.c | 11 ++++--- + 4 files changed, 49 insertions(+), 30 deletions(-) + +diff --git a/drivers/char/diag/diag_masks.c b/drivers/char/diag/diag_masks.c +index 3c10462..382717b 100644 +--- a/drivers/char/diag/diag_masks.c ++++ b/drivers/char/diag/diag_masks.c +@@ -309,10 +309,12 @@ static void diag_send_msg_mask_update(uint8_t peripheral, int first, int last) + + if (!mask_info || !mask_info->ptr || !mask_info->update_buf) + return; +- ++ mutex_lock(&driver->msg_mask_lock); + mask = (struct diag_msg_mask_t *)mask_info->ptr; +- if (!mask->ptr) ++ if (!mask->ptr) { ++ mutex_unlock(&driver->msg_mask_lock); + return; ++ } + buf = mask_info->update_buf; + mutex_lock(&mask_info->lock); + switch (mask_info->status) { +@@ -385,6 +387,7 @@ proceed: + } + err: + mutex_unlock(&mask_info->lock); ++ mutex_unlock(&driver->msg_mask_lock); + } + + static void diag_send_time_sync_update(uint8_t peripheral) +@@ -506,7 +509,7 @@ static int diag_cmd_get_ssid_range(unsigned char *src_buf, int src_len, + + if (!diag_apps_responds()) + return 0; +- ++ mutex_lock(&driver->msg_mask_lock); + rsp.cmd_code = DIAG_CMD_MSG_CONFIG; + rsp.sub_cmd = DIAG_CMD_OP_GET_SSID_RANGE; + rsp.status = MSG_STATUS_SUCCESS; +@@ -514,7 +517,6 @@ static int diag_cmd_get_ssid_range(unsigned char *src_buf, 
int src_len, + rsp.count = driver->msg_mask_tbl_count; + memcpy(dest_buf, &rsp, sizeof(rsp)); + write_len += sizeof(rsp); +- + mask_ptr = (struct diag_msg_mask_t *)mask_info->ptr; + for (i = 0; i < driver->msg_mask_tbl_count; i++, mask_ptr++) { + if (write_len + sizeof(ssid_range) > dest_len) { +@@ -527,7 +529,7 @@ static int diag_cmd_get_ssid_range(unsigned char *src_buf, int src_len, + memcpy(dest_buf + write_len, &ssid_range, sizeof(ssid_range)); + write_len += sizeof(ssid_range); + } +- ++ mutex_unlock(&driver->msg_mask_lock); + return write_len; + } + +@@ -551,7 +553,7 @@ static int diag_cmd_get_build_mask(unsigned char *src_buf, int src_len, + + if (!diag_apps_responds()) + return 0; +- ++ mutex_lock(&driver->msg_mask_lock); + req = (struct diag_build_mask_req_t *)src_buf; + rsp.cmd_code = DIAG_CMD_MSG_CONFIG; + rsp.sub_cmd = DIAG_CMD_OP_GET_BUILD_MASK; +@@ -559,9 +561,8 @@ static int diag_cmd_get_build_mask(unsigned char *src_buf, int src_len, + rsp.ssid_last = req->ssid_last; + rsp.status = MSG_STATUS_FAIL; + rsp.padding = 0; +- + build_mask = (struct diag_msg_mask_t *)msg_bt_mask.ptr; +- for (i = 0; i < driver->msg_mask_tbl_count; i++, build_mask++) { ++ for (i = 0; i < driver->bt_msg_mask_tbl_count; i++, build_mask++) { + if (build_mask->ssid_first != req->ssid_first) + continue; + num_entries = req->ssid_last - req->ssid_first + 1; +@@ -582,7 +583,7 @@ static int diag_cmd_get_build_mask(unsigned char *src_buf, int src_len, + } + memcpy(dest_buf, &rsp, sizeof(rsp)); + write_len += sizeof(rsp); +- ++ mutex_unlock(&driver->msg_mask_lock); + return write_len; + } + +@@ -610,6 +611,7 @@ static int diag_cmd_get_msg_mask(unsigned char *src_buf, int src_len, + if (!diag_apps_responds()) + return 0; + ++ mutex_lock(&driver->msg_mask_lock); + req = (struct diag_build_mask_req_t *)src_buf; + rsp.cmd_code = DIAG_CMD_MSG_CONFIG; + rsp.sub_cmd = DIAG_CMD_OP_GET_MSG_MASK; +@@ -617,7 +619,6 @@ static int diag_cmd_get_msg_mask(unsigned char *src_buf, int src_len, + 
rsp.ssid_last = req->ssid_last; + rsp.status = MSG_STATUS_FAIL; + rsp.padding = 0; +- + mask = (struct diag_msg_mask_t *)mask_info->ptr; + for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) { + if ((req->ssid_first < mask->ssid_first) || +@@ -635,7 +636,7 @@ static int diag_cmd_get_msg_mask(unsigned char *src_buf, int src_len, + } + memcpy(dest_buf, &rsp, sizeof(rsp)); + write_len += sizeof(rsp); +- ++ mutex_unlock(&driver->msg_mask_lock); + return write_len; + } + +@@ -666,7 +667,7 @@ static int diag_cmd_set_msg_mask(unsigned char *src_buf, int src_len, + } + + req = (struct diag_msg_build_mask_t *)src_buf; +- ++ mutex_lock(&driver->msg_mask_lock); + mutex_lock(&mask_info->lock); + mask = (struct diag_msg_mask_t *)mask_info->ptr; + for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) { +@@ -726,7 +727,7 @@ static int diag_cmd_set_msg_mask(unsigned char *src_buf, int src_len, + break; + } + mutex_unlock(&mask_info->lock); +- ++ mutex_unlock(&driver->msg_mask_lock); + if (diag_check_update(APPS_DATA)) + diag_update_userspace_clients(MSG_MASKS_TYPE); + +@@ -779,7 +780,7 @@ static int diag_cmd_set_all_msg_mask(unsigned char *src_buf, int src_len, + } + + req = (struct diag_msg_config_rsp_t *)src_buf; +- ++ mutex_lock(&driver->msg_mask_lock); + mask = (struct diag_msg_mask_t *)mask_info->ptr; + mutex_lock(&mask_info->lock); + mask_info->status = (req->rt_mask) ? 
DIAG_CTRL_MASK_ALL_ENABLED : +@@ -791,6 +792,7 @@ static int diag_cmd_set_all_msg_mask(unsigned char *src_buf, int src_len, + mutex_unlock(&mask->lock); + } + mutex_unlock(&mask_info->lock); ++ mutex_unlock(&driver->msg_mask_lock); + + if (diag_check_update(APPS_DATA)) + diag_update_userspace_clients(MSG_MASKS_TYPE); +@@ -1294,6 +1296,7 @@ static int diag_create_msg_mask_table(void) + struct diag_msg_mask_t *mask = (struct diag_msg_mask_t *)msg_mask.ptr; + struct diag_ssid_range_t range; + ++ mutex_lock(&driver->msg_mask_lock); + mutex_lock(&msg_mask.lock); + driver->msg_mask_tbl_count = MSG_MASK_TBL_CNT; + for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) { +@@ -1304,6 +1307,7 @@ static int diag_create_msg_mask_table(void) + break; + } + mutex_unlock(&msg_mask.lock); ++ mutex_unlock(&driver->msg_mask_lock); + return err; + } + +@@ -1316,9 +1320,11 @@ static int diag_create_build_time_mask(void) + struct diag_msg_mask_t *build_mask = NULL; + struct diag_ssid_range_t range; + ++ mutex_lock(&driver->msg_mask_lock); + mutex_lock(&msg_bt_mask.lock); ++ driver->bt_msg_mask_tbl_count = MSG_MASK_TBL_CNT; + build_mask = (struct diag_msg_mask_t *)msg_bt_mask.ptr; +- for (i = 0; i < driver->msg_mask_tbl_count; i++, build_mask++) { ++ for (i = 0; i < driver->bt_msg_mask_tbl_count; i++, build_mask++) { + range.ssid_first = msg_mask_tbl[i].ssid_first; + range.ssid_last = msg_mask_tbl[i].ssid_last; + err = diag_create_msg_mask_table_entry(build_mask, &range); +@@ -1429,6 +1435,7 @@ static int diag_create_build_time_mask(void) + memcpy(build_mask->ptr, tbl, tbl_size); + } + mutex_unlock(&msg_bt_mask.lock); ++ mutex_unlock(&driver->msg_mask_lock); + + return err; + } +@@ -1576,10 +1583,11 @@ static int diag_msg_mask_init(void) + pr_err("diag: Unable to create msg masks, err: %d\n", err); + return err; + } ++ mutex_lock(&driver->msg_mask_lock); + driver->msg_mask = &msg_mask; +- + for (i = 0; i < NUM_PERIPHERALS; i++) + driver->max_ssid_count[i] = 0; ++ 
mutex_unlock(&driver->msg_mask_lock); + + return 0; + } +@@ -1598,7 +1606,7 @@ int diag_msg_mask_copy(struct diag_mask_info *dest, struct diag_mask_info *src) + err = __diag_mask_init(dest, MSG_MASK_SIZE, APPS_BUF_SIZE); + if (err) + return err; +- ++ mutex_lock(&driver->msg_mask_lock); + mutex_lock(&dest->lock); + src_mask = (struct diag_msg_mask_t *)src->ptr; + dest_mask = (struct diag_msg_mask_t *)dest->ptr; +@@ -1617,6 +1625,7 @@ int diag_msg_mask_copy(struct diag_mask_info *dest, struct diag_mask_info *src) + dest_mask++; + } + mutex_unlock(&dest->lock); ++ mutex_unlock(&driver->msg_mask_lock); + + return err; + } +@@ -1628,7 +1637,7 @@ void diag_msg_mask_free(struct diag_mask_info *mask_info) + + if (!mask_info) + return; +- ++ mutex_lock(&driver->msg_mask_lock); + mutex_lock(&mask_info->lock); + mask = (struct diag_msg_mask_t *)mask_info->ptr; + for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) { +@@ -1636,7 +1645,7 @@ void diag_msg_mask_free(struct diag_mask_info *mask_info) + mask->ptr = NULL; + } + mutex_unlock(&mask_info->lock); +- ++ mutex_unlock(&driver->msg_mask_lock); + __diag_mask_exit(mask_info); + } + +@@ -1644,15 +1653,17 @@ static void diag_msg_mask_exit(void) + { + int i; + struct diag_msg_mask_t *mask = NULL; +- ++ mutex_lock(&driver->msg_mask_lock); + mask = (struct diag_msg_mask_t *)(msg_mask.ptr); + if (mask) { + for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) + kfree(mask->ptr); + kfree(msg_mask.ptr); ++ msg_mask.ptr = NULL; + } +- + kfree(msg_mask.update_buf); ++ msg_mask.update_buf = NULL; ++ mutex_unlock(&driver->msg_mask_lock); + } + + static int diag_build_time_mask_init(void) +@@ -1677,13 +1688,15 @@ static void diag_build_time_mask_exit(void) + { + int i; + struct diag_msg_mask_t *mask = NULL; +- ++ mutex_lock(&driver->msg_mask_lock); + mask = (struct diag_msg_mask_t *)(msg_bt_mask.ptr); + if (mask) { +- for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) ++ for (i = 0; i < driver->bt_msg_mask_tbl_count; i++, 
mask++) + kfree(mask->ptr); +- kfree(msg_mask.ptr); ++ kfree(msg_bt_mask.ptr); ++ msg_bt_mask.ptr = NULL; + } ++ mutex_unlock(&driver->msg_mask_lock); + } + + static int diag_log_mask_init(void) +@@ -1801,7 +1814,7 @@ int diag_copy_to_user_msg_mask(char __user *buf, size_t count, + return -EIO; + } + mutex_unlock(&driver->diag_maskclear_mutex); +- ++ mutex_lock(&driver->msg_mask_lock); + mutex_lock(&mask_info->lock); + mask = (struct diag_msg_mask_t *)(mask_info->ptr); + for (i = 0; i < driver->msg_mask_tbl_count; i++, mask++) { +@@ -1840,7 +1853,7 @@ int diag_copy_to_user_msg_mask(char __user *buf, size_t count, + total_len += len; + } + mutex_unlock(&mask_info->lock); +- ++ mutex_unlock(&driver->msg_mask_lock); + return err ? err : total_len; + } + +diff --git a/drivers/char/diag/diagchar.h b/drivers/char/diag/diagchar.h +index b17538a..4047a2c 100644 +--- a/drivers/char/diag/diagchar.h ++++ b/drivers/char/diag/diagchar.h +@@ -627,8 +627,10 @@ struct diagchar_dev { + struct diag_mask_info *event_mask; + struct diag_mask_info *build_time_mask; + uint8_t msg_mask_tbl_count; ++ uint8_t bt_msg_mask_tbl_count; + uint16_t event_mask_size; + uint16_t last_event_id; ++ struct mutex msg_mask_lock; + /* Variables for Mask Centralization */ + uint16_t num_event_id[NUM_PERIPHERALS]; + uint32_t num_equip_id[NUM_PERIPHERALS]; +diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c +index 682c035..afba265 100644 +--- a/drivers/char/diag/diagchar_core.c ++++ b/drivers/char/diag/diagchar_core.c +@@ -3568,6 +3568,7 @@ static int __init diagchar_init(void) + mutex_init(&driver->diag_file_mutex); + mutex_init(&driver->delayed_rsp_mutex); + mutex_init(&apps_data_mutex); ++ mutex_init(&driver->msg_mask_lock); + for (i = 0; i < NUM_PERIPHERALS; i++) + mutex_init(&driver->diagfwd_channel_mutex[i]); + mutex_init(&driver->diagfwd_untag_mutex); +diff --git a/drivers/char/diag/diagfwd_cntl.c b/drivers/char/diag/diagfwd_cntl.c +index 82a67f1..729fbf4 100644 +--- 
a/drivers/char/diag/diagfwd_cntl.c ++++ b/drivers/char/diag/diagfwd_cntl.c +@@ -548,6 +548,7 @@ static void process_ssid_range_report(uint8_t *buf, uint32_t len, + /* Don't account for pkt_id and length */ + read_len += header_len - (2 * sizeof(uint32_t)); + ++ mutex_lock(&driver->msg_mask_lock); + driver->max_ssid_count[peripheral] = header->count; + for (i = 0; i < header->count && read_len < len; i++) { + ssid_range = (struct diag_ssid_range_t *)ptr; +@@ -591,6 +592,7 @@ static void process_ssid_range_report(uint8_t *buf, uint32_t len, + } + driver->msg_mask_tbl_count += 1; + } ++ mutex_unlock(&driver->msg_mask_lock); + } + + static void diag_build_time_mask_update(uint8_t *buf, +@@ -615,11 +617,11 @@ static void diag_build_time_mask_update(uint8_t *buf, + __func__, range->ssid_first, range->ssid_last); + return; + } +- ++ mutex_lock(&driver->msg_mask_lock); + build_mask = (struct diag_msg_mask_t *)(driver->build_time_mask->ptr); + num_items = range->ssid_last - range->ssid_first + 1; + +- for (i = 0; i < driver->msg_mask_tbl_count; i++, build_mask++) { ++ for (i = 0; i < driver->bt_msg_mask_tbl_count; i++, build_mask++) { + if (build_mask->ssid_first != range->ssid_first) + continue; + found = 1; +@@ -638,7 +640,7 @@ static void diag_build_time_mask_update(uint8_t *buf, + + if (found) + goto end; +- new_size = (driver->msg_mask_tbl_count + 1) * ++ new_size = (driver->bt_msg_mask_tbl_count + 1) * + sizeof(struct diag_msg_mask_t); + temp = krealloc(driver->build_time_mask->ptr, new_size, GFP_KERNEL); + if (!temp) { +@@ -653,8 +655,9 @@ static void diag_build_time_mask_update(uint8_t *buf, + __func__, err); + goto end; + } +- driver->msg_mask_tbl_count += 1; ++ driver->bt_msg_mask_tbl_count += 1; + end: ++ mutex_unlock(&driver->msg_mask_lock); + return; + } + +-- +cgit v1.1 + 
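Review bot: `bt_msg_mask_tbl_count` is added to `struct diagchar_dev` as a `uint8_t`, and `diag_build_time_mask_update()` grows the build-time table with `driver->bt_msg_mask_tbl_count += 1` with no bound visible in these hunks, so a 256th distinct SSID range would wrap the count to 0 while the table stays allocated at its larger size. After that, the loops bounded by the count, including the `kfree(mask->ptr)` loop in `diag_build_time_mask_exit()`, would no longer cover the entries that exist, and the next `krealloc` would be sized from the wrapped count. I would refuse growth at the limit right after `if (found) goto end;`, for example `if (driver->bt_msg_mask_tbl_count == 255) goto end;` (the `end:` label already releases `msg_mask_lock`), or widen the field. The same pattern applies to `msg_mask_tbl_count` in `process_ssid_range_report()`. Both functions are only partly shown here, so an existing cap outside the hunks cannot be ruled out.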
diff --git a/Patches/Linux_CVEs/CVE-2017-8280/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-8280/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-8280/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-8280/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-8281/3.18/0001.patch b/Patches/Linux_CVEs/CVE-2017-8281/3.18/0001.patch new file mode 100644 index 00000000..93ed6a1d --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-8281/3.18/0001.patch @@ -0,0 +1,40 @@ +From 9be5b16de622c2426408425e3df29e945cd21d37 Mon Sep 17 00:00:00 2001 +From: Kasin Li +Date: Wed, 22 Feb 2017 18:25:36 +0800 +Subject: drm/msm: Fix potential buffer overflow issue + +In function submit_create, if nr_cmds or nr_bos is assigned with +negative value, the allocated buffer may be small than intended. +Using this buffer will lead to buffer overflow issue. + +Change-Id: I0b61cccffd836e2dd3c859446470af4b6451b9ed +Signed-off-by: Kasin Li +--- + drivers/gpu/drm/msm/msm_gem_submit.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/msm_gem_submit.c b/drivers/gpu/drm/msm/msm_gem_submit.c +index adbb0cb..fa9b641 100644 +--- a/drivers/gpu/drm/msm/msm_gem_submit.c ++++ b/drivers/gpu/drm/msm/msm_gem_submit.c +@@ -34,12 +34,15 @@ static inline void __user *to_user_ptr(u64 address) + } + + static struct msm_gem_submit *submit_create(struct drm_device *dev, +- struct msm_gpu *gpu, int nr_cmds, int nr_bos) ++ struct msm_gpu *gpu, uint32_t nr_cmds, uint32_t nr_bos) + { + struct msm_gem_submit *submit; +- int sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) + ++ uint64_t sz = sizeof(*submit) + (nr_bos * sizeof(submit->bos[0])) + + (nr_cmds * sizeof(submit->cmd[0])); + ++ if (sz > SIZE_MAX) ++ return NULL; ++ + submit = kmalloc(sz, GFP_TEMPORARY | __GFP_NOWARN | __GFP_NORETRY); + if (submit) { + submit->dev = dev; +-- +cgit v1.1 + 
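Review bot: The added `if (sz > SIZE_MAX)` check in `submit_create()` cannot fire as written, because `nr_bos * sizeof(submit->bos[0])` and `nr_cmds * sizeof(submit->cmd[0])` are still evaluated in `size_t` and only the finished sum is widened to `uint64_t`. On a 32-bit build the products wrap before the comparison, so an undersized `kmalloc` is still possible; on a 64-bit build `sz` can never exceed `SIZE_MAX`. Widening the operands first makes the check meaningful: `uint64_t sz = sizeof(*submit) + ((u64)nr_bos * sizeof(submit->bos[0])) + ((u64)nr_cmds * sizeof(submit->cmd[0]));`. The body of `submit_create()` continues past the end of the hunk.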
diff --git a/Patches/Linux_CVEs/CVE-2017-8281/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-8281/4.4/0002.patch similarity index 77% rename from Patches/Linux_CVEs/CVE-2017-8281/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2017-8281/4.4/0002.patch index 529968fd..7d248fb1 100644 --- a/Patches/Linux_CVEs/CVE-2017-8281/ANY/1.patch +++ b/Patches/Linux_CVEs/CVE-2017-8281/4.4/0002.patch @@ -1,4 +1,4 @@ -From d4ff2f45e486f532f4c9a01deb1c79f659ef3438 Mon Sep 17 00:00:00 2001 +From 9b209c4552779edb86221787fb8681dd212e3a0c Mon Sep 17 00:00:00 2001 From: Mohit Aggarwal Date: Sat, 22 Apr 2017 10:49:18 +0530 Subject: diag: dci: Add protection while querying event status @@ -16,11 +16,11 @@ Signed-off-by: Mohit Aggarwal 1 file changed, 2 insertions(+) diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c -index ffb34fb..ed473f9 100644 +index 574a13d..9a5f196 100644 --- a/drivers/char/diag/diagchar_core.c +++ b/drivers/char/diag/diagchar_core.c -@@ -1379,7 +1379,9 @@ long diagchar_ioctl(struct file *filp, - result = diag_ioctl_dci_log_status(ioarg); +@@ -2336,7 +2336,9 @@ long diagchar_ioctl(struct file *filp, + mutex_unlock(&driver->dci_mutex); break; case DIAG_IOCTL_DCI_EVENT_STATUS: + mutex_lock(&driver->dci_mutex); @@ -28,7 +28,7 @@ index ffb34fb..ed473f9 100644 + mutex_unlock(&driver->dci_mutex); break; case DIAG_IOCTL_DCI_CLEAR_LOGS: - if (copy_from_user((void *)&client_id, (void __user *)ioarg, + mutex_lock(&driver->dci_mutex); -- cgit v1.1 diff --git a/Patches/Linux_CVEs/CVE-2017-8890/3.4/0.patch.base64 b/Patches/Linux_CVEs/CVE-2017-8890/3.4/0.patch.base64 deleted file mode 100644 index 8f12cd9d..00000000 --- a/Patches/Linux_CVEs/CVE-2017-8890/3.4/0.patch.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file 
diff --git a/Patches/Linux_CVEs/CVE-2017-8890/3.4/0.patch b/Patches/Linux_CVEs/CVE-2017-8890/ANY/0001.patch similarity index 61% rename from Patches/Linux_CVEs/CVE-2017-8890/3.4/0.patch rename to Patches/Linux_CVEs/CVE-2017-8890/ANY/0001.patch index f2e74280..5a46f955 100644 --- a/Patches/Linux_CVEs/CVE-2017-8890/3.4/0.patch +++ b/Patches/Linux_CVEs/CVE-2017-8890/ANY/0001.patch @@ -1,7 +1,7 @@ -From f52d6739f6a67cf1c918a4557e88b519b9135930 Mon Sep 17 00:00:00 2001 +From 657831ffc38e30092a2d5f03d385d710eb88b09a Mon Sep 17 00:00:00 2001 From: Eric Dumazet -Date: Tue, 09 May 2017 06:29:19 -0700 -Subject: [PATCH] dccp/tcp: do not inherit mc_list from parent +Date: Tue, 9 May 2017 06:29:19 -0700 +Subject: dccp/tcp: do not inherit mc_list from parent syzkaller found a way to trigger double frees from ip_mc_drop_socket() @@ -14,24 +14,28 @@ fastopen_req from parent") Initial report from Pray3r, completed by Andrey one. Thanks a lot to them ! -Change-Id: I2eac7b825a5b597af14a0573b76b685131c46726 Signed-off-by: Eric Dumazet Reported-by: Pray3r Reported-by: Andrey Konovalov Tested-by: Andrey Konovalov Signed-off-by: David S. Miller --- + net/ipv4/inet_connection_sock.c | 2 ++ + 1 file changed, 2 insertions(+) diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c -index fb10d58..325edfe 100644 +index 5e313c1..1054d33 100644 --- a/net/ipv4/inet_connection_sock.c +++ b/net/ipv4/inet_connection_sock.c -@@ -618,6 +618,8 @@ - inet_sk(newsk)->inet_sport = inet_rsk(req)->loc_port; - newsk->sk_write_space = sk_stream_write_space; +@@ -794,6 +794,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk, + /* listeners have SOCK_RCU_FREE, not the children */ + sock_reset_flag(newsk, SOCK_RCU_FREE); + inet_sk(newsk)->mc_list = NULL; + newsk->sk_mark = inet_rsk(req)->ir_mark; - - newicsk->icsk_retransmits = 0; + atomic64_set(&newsk->sk_cookie, + atomic64_read(&inet_rsk(req)->ir_cookie)); +-- +cgit v1.1 + 
diff --git a/Patches/Linux_CVEs/CVE-2017-9074/3.2/1.patch b/Patches/Linux_CVEs/CVE-2017-9074/3.2/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-9074/3.2/1.patch
rename to Patches/Linux_CVEs/CVE-2017-9074/3.2/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-9074/3.2/2.patch b/Patches/Linux_CVEs/CVE-2017-9074/3.2/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-9074/3.2/2.patch
rename to Patches/Linux_CVEs/CVE-2017-9074/3.2/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-9074/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9074/^4.11/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-9074/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-9074/^4.11/0003.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-9075/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9075/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-9075/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-9075/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-9076/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9076/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-9076/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-9076/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-9077/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9077/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-9077/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-9077/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-9150/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9150/ANY/0001.patch
similarity index 96%
rename from Patches/Linux_CVEs/CVE-2017-9150/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-9150/ANY/0001.patch
index 7894fb62..aac6bc7c 100644
--- a/Patches/Linux_CVEs/CVE-2017-9150/ANY/0.patch
+++ b/Patches/Linux_CVEs/CVE-2017-9150/ANY/0001.patch
@@ -1,7 +1,7 @@
 From 0d0e57697f162da4aa218b5feafe614fb666db07 Mon Sep 17 00:00:00 2001
From: Daniel Borkmann Date: Mon, 8 May 2017 00:04:09 +0200 -Subject: [PATCH] bpf: don't let ldimm64 leak map addresses on unprivileged +Subject: bpf: don't let ldimm64 leak map addresses on unprivileged The patch fixes two things at once: @@ -28,7 +28,7 @@ Signed-off-by: David S. Miller 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index c2ff608c1984e..c5b56c92f8e25 100644 +index c2ff608..c5b56c9 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -298,7 +298,8 @@ static const char *const bpf_jmp_string[16] = { @@ -73,3 +73,6 @@ index c2ff608c1984e..c5b56c92f8e25 100644 } err = ext_analyzer_insn_hook(env, insn_idx, prev_insn_idx); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-9242/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9242/^4.11/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9242/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-9242/^4.11/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9676/3.0/1.patch b/Patches/Linux_CVEs/CVE-2017-9676/3.0/1.patch deleted file mode 100644 index 44facbac..00000000 --- a/Patches/Linux_CVEs/CVE-2017-9676/3.0/1.patch +++ /dev/null 
@@ -1,272 +0,0 @@ -From d109d8d7e2998a635406215a559e298fa7ef4bb8 Mon Sep 17 00:00:00 2001 -From: "lianwei.wang" -Date: Fri, 30 Mar 2012 12:05:50 +0800 -Subject: [PATCH] IKHSS7-18791 msm:fix the list usage in msm_bus_dbg - -The list usage in msm_bus_dbg driver are not correct which will cause -kernel panic. - . The list operation should be protected by a lock, e.g. mutex_lock. - . The list entry should only be operated on a valid entry. - -Change-Id: I19efeb346d1bacf129ccfd7a6511bc795c029afc -Signed-off-by: Lianwei Wang -Reviewed-on: http://gerrit.pcs.mot.com/384275 -Reviewed-by: Guo-Jian Chen -Reviewed-by: Ke Lv -Tested-by: Jira Key -Reviewed-by: Jeffrey Carlyle -Reviewed-by: Check Patch -Reviewed-by: Klocwork kwcheck -Reviewed-by: Tao Hu ---- - arch/arm/mach-msm/msm_bus/msm_bus_dbg.c | 74 ++++++++++++++++++++++++++------- - 1 file changed, 58 insertions(+), 16 deletions(-) - -diff --git a/arch/arm/mach-msm/msm_bus/msm_bus_dbg.c b/arch/arm/mach-msm/msm_bus/msm_bus_dbg.c -index abd986bca68..76173529d35 100644 ---- a/arch/arm/mach-msm/msm_bus/msm_bus_dbg.c -+++ b/arch/arm/mach-msm/msm_bus/msm_bus_dbg.c -@@ -28,6 +28,7 @@ - static struct dentry *clients; - static struct dentry *dir; - static DEFINE_MUTEX(msm_bus_dbg_fablist_lock); -+static DEFINE_MUTEX(msm_bus_dbg_cllist_lock); - struct msm_bus_dbg_state { - uint32_t cl; - uint8_t enable; -@@ -271,16 +272,21 @@ static ssize_t client_data_read(struct file *file, char __user *buf, - size_t count, loff_t *ppos) - { - int bsize = 0; -+ ssize_t read_count = 0; - uint32_t cl = (uint32_t)file->private_data; - struct msm_bus_cldata *cldata = NULL; - -+ mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { -- if (cldata->clid == cl) -+ if (cldata->clid == cl) { -+ bsize = cldata->size; -+ read_count = simple_read_from_buffer(buf, count, ppos, -+ cldata->buffer, bsize); - break; -+ } - } -- bsize = cldata->size; -- return simple_read_from_buffer(buf, count, ppos, -- cldata->buffer, bsize); -+ 
mutex_unlock(&msm_bus_dbg_cllist_lock); -+ return read_count; - } - - static int client_data_open(struct inode *inode, struct file *file) -@@ -310,9 +316,11 @@ static int msm_bus_dbg_record_client(const struct msm_bus_scale_pdata *pdata, - { - struct msm_bus_cldata *cldata; - -+ mutex_lock(&msm_bus_dbg_cllist_lock); - cldata = kmalloc(sizeof(struct msm_bus_cldata), GFP_KERNEL); - if (!cldata) { - MSM_BUS_DBG("Failed to allocate memory for client data\n"); -+ mutex_unlock(&msm_bus_dbg_cllist_lock); - return -ENOMEM; - } - cldata->pdata = pdata; -@@ -321,6 +329,7 @@ static int msm_bus_dbg_record_client(const struct msm_bus_scale_pdata *pdata, - cldata->file = file; - cldata->size = 0; - list_add_tail(&cldata->list, &cl_list); -+ mutex_unlock(&msm_bus_dbg_cllist_lock); - return 0; - } - -@@ -328,6 +337,7 @@ static void msm_bus_dbg_free_client(uint32_t clid) - { - struct msm_bus_cldata *cldata = NULL; - -+ mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { - if (cldata->clid == clid) { - debugfs_remove(cldata->file); -@@ -336,23 +346,34 @@ static void msm_bus_dbg_free_client(uint32_t clid) - break; - } - } -+ mutex_unlock(&msm_bus_dbg_cllist_lock); - } - - static int msm_bus_dbg_fill_cl_buffer(const struct msm_bus_scale_pdata *pdata, - int index, uint32_t clid) - { -- int i = 0, j; -+ int i = 0, j, found = 0; - char *buf = NULL; - struct msm_bus_cldata *cldata = NULL; - struct timespec ts; - -+ mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { -- if (cldata->clid == clid) -+ if (cldata->clid == clid) { -+ found = 1; - break; -+ } -+ } -+ -+ if (!found) { -+ MSM_BUS_DBG("Client(clid=%d) doesn't exist\n", clid); -+ mutex_unlock(&msm_bus_dbg_cllist_lock); -+ return -EINVAL; - } - if (cldata->file == NULL) { - if (pdata->name == NULL) { - MSM_BUS_DBG("Client doesn't have a name\n"); -+ mutex_unlock(&msm_bus_dbg_cllist_lock); - return -EINVAL; - } - cldata->file = msm_bus_dbg_create(pdata->name, S_IRUGO, 
-@@ -390,6 +411,9 @@ static int msm_bus_dbg_fill_cl_buffer(const struct msm_bus_scale_pdata *pdata, - i += scnprintf(buf + i, MAX_BUFF_SIZE - i, "\n"); - - cldata->size = i; -+ -+ mutex_unlock(&msm_bus_dbg_cllist_lock); -+ - return i; - } - -@@ -426,6 +450,7 @@ static ssize_t msm_bus_dbg_update_request_write(struct file *file, - chid = buf; - MSM_BUS_DBG("buffer: %s\n size: %d\n", buf, sizeof(ubuf)); - -+ mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { - if (strstr(chid, cldata->pdata->name)) { - cldata = cldata; -@@ -435,16 +460,19 @@ static ssize_t msm_bus_dbg_update_request_write(struct file *file, - if (ret) { - MSM_BUS_DBG("Index conversion" - " failed\n"); -+ mutex_unlock(&msm_bus_dbg_cllist_lock); - return -EFAULT; - } - } else - MSM_BUS_DBG("Error parsing input. Index not" - " found\n"); -+ msm_bus_dbg_update_request(cldata, index); - break; - } - } - -- msm_bus_dbg_update_request(cldata, index); -+ mutex_unlock(&msm_bus_dbg_cllist_lock); -+ - kfree(buf); - return cnt; - } -@@ -458,17 +486,18 @@ static ssize_t fabric_data_read(struct file *file, char __user *buf, - { - struct msm_bus_fab_list *fablist = NULL; - int bsize = 0; -- ssize_t ret; -+ ssize_t ret = 0; - const char *name = file->private_data; - - mutex_lock(&msm_bus_dbg_fablist_lock); - list_for_each_entry(fablist, &fabdata_list, list) { -- if (strcmp(fablist->name, name) == 0) -+ if (strcmp(fablist->name, name) == 0) { -+ bsize = fablist->size; -+ ret = simple_read_from_buffer(buf, count, ppos, -+ fablist->buffer, bsize); - break; -+ } - } -- bsize = fablist->size; -- ret = simple_read_from_buffer(buf, count, ppos, -- fablist->buffer, bsize); - mutex_unlock(&msm_bus_dbg_fablist_lock); - return ret; - } -@@ -519,16 +548,25 @@ static int msm_bus_dbg_fill_fab_buffer(const char *fabname, - void *cdata, int nmasters, int nslaves, - int ntslaves) - { -- int i; -+ int i, found = 0; - char *buf = NULL; - struct msm_bus_fab_list *fablist = NULL; - struct timespec ts; - 
- mutex_lock(&msm_bus_dbg_fablist_lock); - list_for_each_entry(fablist, &fabdata_list, list) { -- if (strcmp(fablist->name, fabname) == 0) -+ if (strcmp(fablist->name, fabname) == 0) { -+ found = 1; - break; -+ } -+ } -+ -+ if (!found) { -+ MSM_BUS_DBG("Fabric dbg entry %s does not exist, fabname\n"); -+ mutex_unlock(&msm_bus_dbg_fablist_lock); -+ return -EINVAL; - } -+ - if (fablist->file == NULL) { - MSM_BUS_DBG("Fabric dbg entry does not exist\n"); - mutex_unlock(&msm_bus_dbg_fablist_lock); -@@ -542,7 +580,6 @@ static int msm_bus_dbg_fill_fab_buffer(const char *fabname, - fablist->size = 0; - } - buf = fablist->buffer; -- mutex_unlock(&msm_bus_dbg_fablist_lock); - ts = ktime_to_timespec(ktime_get()); - i += scnprintf(buf + i, MAX_BUFF_SIZE - i, "\n%d.%d\n", - (int)ts.tv_sec, (int)ts.tv_nsec); -@@ -550,7 +587,6 @@ static int msm_bus_dbg_fill_fab_buffer(const char *fabname, - msm_bus_rpm_fill_cdata_buffer(&i, buf + i, MAX_BUFF_SIZE, cdata, - nmasters, nslaves, ntslaves); - i += scnprintf(buf + i, MAX_BUFF_SIZE - i, "\n"); -- mutex_lock(&msm_bus_dbg_fablist_lock); - fablist->size = i; - mutex_unlock(&msm_bus_dbg_fablist_lock); - return 0; -@@ -660,6 +696,7 @@ static int __init msm_bus_debugfs_init(void) - clients, NULL, &msm_bus_dbg_update_request_fops) == NULL) - goto err; - -+ mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry(cldata, &cl_list, list) { - if (cldata->pdata->name == NULL) { - MSM_BUS_DBG("Client name not found\n"); -@@ -668,6 +705,7 @@ static int __init msm_bus_debugfs_init(void) - cldata->file = msm_bus_dbg_create(cldata-> - pdata->name, S_IRUGO, clients, cldata->clid); - } -+ mutex_unlock(&msm_bus_dbg_cllist_lock); - - mutex_lock(&msm_bus_dbg_fablist_lock); - list_for_each_entry(fablist, &fabdata_list, list) { -@@ -675,6 +713,7 @@ static int __init msm_bus_debugfs_init(void) - commit, (void *)fablist->name, &fabric_data_fops); - if (fablist->file == NULL) { - MSM_BUS_DBG("Cannot create files for commit data\n"); -+ 
mutex_unlock(&msm_bus_dbg_fablist_lock); - goto err; - } - } -@@ -694,10 +733,13 @@ static void __exit msm_bus_dbg_teardown(void) - struct msm_bus_cldata *cldata = NULL, *cldata_temp; - - debugfs_remove_recursive(dir); -+ mutex_lock(&msm_bus_dbg_cllist_lock); - list_for_each_entry_safe(cldata, cldata_temp, &cl_list, list) { - list_del(&cldata->list); - kfree(cldata); - } -+ mutex_unlock(&msm_bus_dbg_cllist_lock); -+ - mutex_lock(&msm_bus_dbg_fablist_lock); - list_for_each_entry_safe(fablist, fablist_temp, &fabdata_list, list) { - list_del(&fablist->list); diff --git a/Patches/Linux_CVEs/CVE-2017-9676/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9676/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9676/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-9676/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9677/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-9677/3.10/0.patch deleted file mode 100644 index a367d6ff..00000000 --- a/Patches/Linux_CVEs/CVE-2017-9677/3.10/0.patch +++ /dev/null 
@@ -1,1858 +0,0 @@
-From b62291edb424281ed31a4e15140b16972ce9eef1 Mon Sep 17 00:00:00 2001
-From: Xiaojun Sang
-Date: Thu, 27 Apr 2017 14:44:25 +0800
-Subject: ASoC: msm: remove unused msm-compr-q6-v2
-
-msm-compr-q6-v2.c and msm-compr-q6-v2.h are no longer used.
-
-CRs-Fixed: 2022953
-Bug: 62379475
-Change-Id: I856d90a212a3e123a2c8b80092aff003f7c608c7
-Signed-off-by: Xiaojun Sang
----
- sound/soc/msm/apq8084-i2s.c | 2 +-
- sound/soc/msm/apq8084.c | 2 +-
- sound/soc/msm/msm8226.c | 2 +-
- sound/soc/msm/msm8974.c | 2 +-
- sound/soc/msm/msm8994.c | 2 +-
- sound/soc/msm/qdsp6v2/Makefile | 2 +-
- sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c | 1707 -------------------------------
- sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h | 36 -
- 8 files changed, 6 insertions(+), 1749 deletions(-)
- delete mode 100644 sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
- delete mode 100644 sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h
-
-diff --git a/sound/soc/msm/apq8084-i2s.c b/sound/soc/msm/apq8084-i2s.c
-index 794aa25..5897e9c 100644
---- a/sound/soc/msm/apq8084-i2s.c
-+++ b/sound/soc/msm/apq8084-i2s.c
-@@ -1826,7 +1826,7 @@ static struct snd_soc_dai_link apq8084_dai_links[] = {
- .name = "APQ8084 Compr8",
- .stream_name = "COMPR8",
- .cpu_dai_name = "MultiMedia8",
-- .platform_name = "msm-compr-dsp",
-+ .platform_name = "msm-compress-dsp",
- .dynamic = 1,
- .trigger = {SND_SOC_DPCM_TRIGGER_POST,
- SND_SOC_DPCM_TRIGGER_POST},
-diff --git a/sound/soc/msm/apq8084.c b/sound/soc/msm/apq8084.c
-index aa2e25f..2b02e5d 100644
---- a/sound/soc/msm/apq8084.c
-+++ b/sound/soc/msm/apq8084.c
-@@ -3046,7 +3046,7 @@ static struct snd_soc_dai_link apq8084_common_dai_links[] = {
- .name = "APQ8084 Compr8",
- .stream_name = "COMPR8",
- .cpu_dai_name = "MultiMedia8",
-- .platform_name = "msm-compr-dsp",
-+ .platform_name = "msm-compress-dsp",
- .dynamic = 1,
- .async_ops = ASYNC_DPCM_SND_SOC_PREPARE
- | ASYNC_DPCM_SND_SOC_HW_PARAMS,
-diff --git a/sound/soc/msm/msm8226.c b/sound/soc/msm/msm8226.c
-index 4095c12..113d77b 100644
---- a/sound/soc/msm/msm8226.c
-+++ b/sound/soc/msm/msm8226.c
-@@ -1495,7 +1495,7 @@ static struct snd_soc_dai_link msm8226_common_dai[] = {
- .name = "MSM8226 Compr8",
- .stream_name = "COMPR8",
- .cpu_dai_name = "MultiMedia8",
-- .platform_name = "msm-compr-dsp",
-+ .platform_name = "msm-compress-dsp",
- .dynamic = 1,
- .trigger = {SND_SOC_DPCM_TRIGGER_POST,
- SND_SOC_DPCM_TRIGGER_POST},
-diff --git a/sound/soc/msm/msm8974.c b/sound/soc/msm/msm8974.c
-index fd69611..4cfd7c3 100644
---- a/sound/soc/msm/msm8974.c
-+++ b/sound/soc/msm/msm8974.c
-@@ -2164,7 +2164,7 @@ static struct snd_soc_dai_link msm8974_common_dai_links[] = {
- .name = "MSM8974 Compr8",
- .stream_name = "COMPR8",
- .cpu_dai_name = "MultiMedia8",
-- .platform_name = "msm-compr-dsp",
-+ .platform_name = "msm-compress-dsp",
- .dynamic = 1,
- .trigger = {SND_SOC_DPCM_TRIGGER_POST,
- SND_SOC_DPCM_TRIGGER_POST},
-diff --git a/sound/soc/msm/msm8994.c b/sound/soc/msm/msm8994.c
-index 1285c59..8678fb1 100644
---- a/sound/soc/msm/msm8994.c
-+++ b/sound/soc/msm/msm8994.c
-@@ -2684,7 +2684,7 @@ static struct snd_soc_dai_link msm8994_common_dai_links[] = {
- .name = "MSM8994 Compr8",
- .stream_name = "COMPR8",
- .cpu_dai_name = "MultiMedia8",
-- .platform_name = "msm-compr-dsp",
-+ .platform_name = "msm-compress-dsp",
- .dynamic = 1,
- .trigger = {SND_SOC_DPCM_TRIGGER_POST,
- SND_SOC_DPCM_TRIGGER_POST},
-diff --git a/sound/soc/msm/qdsp6v2/Makefile b/sound/soc/msm/qdsp6v2/Makefile
-index 5865eb9..41f3984 100644
---- a/sound/soc/msm/qdsp6v2/Makefile
-+++ b/sound/soc/msm/qdsp6v2/Makefile
-@@ -1,5 +1,5 @@
- snd-soc-qdsp6v2-objs += msm-dai-q6-v2.o msm-pcm-q6-v2.o msm-pcm-routing-v2.o \
-- msm-compress-q6-v2.o msm-compr-q6-v2.o \
-+ msm-compress-q6-v2.o \
- msm-pcm-lpa-v2.o \
- msm-pcm-afe-v2.o msm-pcm-voip-v2.o \
- msm-pcm-voice-v2.o msm-dai-q6-hdmi-v2.o \
-diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c
-deleted file mode 100644
-index 5fe5f24..0000000
----
a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c -+++ /dev/null -@@ -1,1707 +0,0 @@ --/* Copyright (c) 2012-2014, 2016 The Linux Foundation. All rights reserved. -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License version 2 and -- * only version 2 as published by the Free Software Foundation. -- * -- * This program is distributed in the hope that it will be useful, -- * but WITHOUT ANY WARRANTY; without even the implied warranty of -- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -- * GNU General Public License for more details. -- */ -- -- --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include --#include -- --#include -- --#include "msm-compr-q6-v2.h" --#include "msm-pcm-routing-v2.h" --#include "audio_ocmem.h" --#include -- --#define COMPRE_CAPTURE_NUM_PERIODS 16 --/* Allocate the worst case frame size for compressed audio */ --#define COMPRE_CAPTURE_HEADER_SIZE (sizeof(struct snd_compr_audio_info)) --/* Changing period size to 4032. 
4032 will make sure COMPRE_CAPTURE_PERIOD_SIZE -- * is 4096 with meta data size of 64 and MAX_NUM_FRAMES_PER_BUFFER 1 -- */ --#define COMPRE_CAPTURE_MAX_FRAME_SIZE (4032) --#define COMPRE_CAPTURE_PERIOD_SIZE ((COMPRE_CAPTURE_MAX_FRAME_SIZE + \ -- COMPRE_CAPTURE_HEADER_SIZE) * \ -- MAX_NUM_FRAMES_PER_BUFFER) --#define COMPRE_OUTPUT_METADATA_SIZE (sizeof(struct output_meta_data_st)) --#define COMPRESSED_LR_VOL_MAX_STEPS 0x20002000 -- --#define MAX_AC3_PARAM_SIZE (18*2*sizeof(int)) --#define AMR_WB_BAND_MODE 8 --#define AMR_WB_DTX_MODE 0 -- -- --const DECLARE_TLV_DB_LINEAR(compr_rx_vol_gain, 0, -- COMPRESSED_LR_VOL_MAX_STEPS); --struct snd_msm { -- atomic_t audio_ocmem_req; --}; --static struct snd_msm compressed_audio; -- --static struct audio_locks the_locks; -- --static struct snd_pcm_hardware msm_compr_hardware_capture = { -- .info = (SNDRV_PCM_INFO_MMAP | -- SNDRV_PCM_INFO_BLOCK_TRANSFER | -- SNDRV_PCM_INFO_MMAP_VALID | -- SNDRV_PCM_INFO_INTERLEAVED | -- SNDRV_PCM_INFO_PAUSE | SNDRV_PCM_INFO_RESUME), -- .formats = SNDRV_PCM_FMTBIT_S16_LE, -- .rates = SNDRV_PCM_RATE_8000_48000, -- .rate_min = 8000, -- .rate_max = 48000, -- .channels_min = 1, -- .channels_max = 8, -- .buffer_bytes_max = -- COMPRE_CAPTURE_PERIOD_SIZE * COMPRE_CAPTURE_NUM_PERIODS , -- .period_bytes_min = COMPRE_CAPTURE_PERIOD_SIZE, -- .period_bytes_max = COMPRE_CAPTURE_PERIOD_SIZE, -- .periods_min = COMPRE_CAPTURE_NUM_PERIODS, -- .periods_max = COMPRE_CAPTURE_NUM_PERIODS, -- .fifo_size = 0, --}; -- --static struct snd_pcm_hardware msm_compr_hardware_playback = { -- .info = (SNDRV_PCM_INFO_MMAP | -- SNDRV_PCM_INFO_BLOCK_TRANSFER | -- SNDRV_PCM_INFO_MMAP_VALID | -- SNDRV_PCM_INFO_INTERLEAVED | -- SNDRV_PCM_INFO_PAUSE | SNDRV_PCM_INFO_RESUME), -- .formats = SNDRV_PCM_FMTBIT_S16_LE | SNDRV_PCM_FMTBIT_S24_LE, -- .rates = SNDRV_PCM_RATE_8000_48000 | SNDRV_PCM_RATE_KNOT, -- .rate_min = 8000, -- .rate_max = 48000, -- .channels_min = 1, -- .channels_max = 8, -- .buffer_bytes_max = 1024 * 1024, -- 
.period_bytes_min = 128 * 1024, -- .period_bytes_max = 256 * 1024, -- .periods_min = 4, -- .periods_max = 8, -- .fifo_size = 0, --}; -- --/* Conventional and unconventional sample rate supported */ --static unsigned int supported_sample_rates[] = { -- 8000, 11025, 12000, 16000, 22050, 24000, 32000, 44100, 48000 --}; -- --/* Add supported codecs for compress capture path */ --static uint32_t supported_compr_capture_codecs[] = { -- SND_AUDIOCODEC_AMRWB --}; -- --static struct snd_pcm_hw_constraint_list constraints_sample_rates = { -- .count = ARRAY_SIZE(supported_sample_rates), -- .list = supported_sample_rates, -- .mask = 0, --}; -- --static bool msm_compr_capture_codecs(uint32_t req_codec) --{ -- int i; -- pr_debug("%s req_codec:%d\n", __func__, req_codec); -- if (req_codec == 0) -- return false; -- for (i = 0; i < ARRAY_SIZE(supported_compr_capture_codecs); i++) { -- if (req_codec == supported_compr_capture_codecs[i]) -- return true; -- } -- return false; --} -- --static void compr_event_handler(uint32_t opcode, -- uint32_t token, uint32_t *payload, void *priv) --{ -- struct compr_audio *compr = priv; -- struct msm_audio *prtd = &compr->prtd; -- struct snd_pcm_substream *substream = prtd->substream; -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct audio_aio_write_param param; -- struct audio_aio_read_param read_param; -- struct audio_buffer *buf = NULL; -- phys_addr_t temp; -- struct output_meta_data_st output_meta_data; -- uint32_t *ptrmem = (uint32_t *)payload; -- int i = 0; -- int time_stamp_flag = 0; -- int buffer_length = 0; -- int stop_playback = 0; -- -- pr_debug("%s opcode =%08x\n", __func__, opcode); -- switch (opcode) { -- case ASM_DATA_EVENT_WRITE_DONE_V2: { -- uint32_t *ptrmem = (uint32_t *)¶m; -- pr_debug("ASM_DATA_EVENT_WRITE_DONE\n"); -- pr_debug("Buffer Consumed = 0x%08x\n", *ptrmem); -- prtd->pcm_irq_pos += prtd->pcm_count; -- if (atomic_read(&prtd->start)) -- snd_pcm_period_elapsed(substream); -- else -- if 
(substream->timer_running) -- snd_timer_interrupt(substream->timer, 1); -- atomic_inc(&prtd->out_count); -- wake_up(&the_locks.write_wait); -- if (!atomic_read(&prtd->start)) { -- atomic_set(&prtd->pending_buffer, 1); -- break; -- } else -- atomic_set(&prtd->pending_buffer, 0); -- -- /* -- * check for underrun -- */ -- snd_pcm_stream_lock_irq(substream); -- if (runtime->status->hw_ptr >= runtime->control->appl_ptr) { -- runtime->render_flag |= SNDRV_RENDER_STOPPED; -- stop_playback = 1; -- } -- snd_pcm_stream_unlock_irq(substream); -- -- if (stop_playback) { -- pr_err("underrun! render stopped\n"); -- break; -- } -- -- buf = prtd->audio_client->port[IN].buf; -- pr_debug("%s:writing %d bytes of buffer[%d] to dsp 2\n", -- __func__, prtd->pcm_count, prtd->out_head); -- temp = buf[0].phys + (prtd->out_head * prtd->pcm_count); -- pr_debug("%s:writing buffer[%d] from 0x%pa\n", -- __func__, prtd->out_head, &temp); -- -- if (runtime->tstamp_mode == SNDRV_PCM_TSTAMP_ENABLE) -- time_stamp_flag = SET_TIMESTAMP; -- else -- time_stamp_flag = NO_TIMESTAMP; -- memcpy(&output_meta_data, (char *)(buf->data + -- prtd->out_head * prtd->pcm_count), -- COMPRE_OUTPUT_METADATA_SIZE); -- -- buffer_length = output_meta_data.frame_size; -- pr_debug("meta_data_length: %d, frame_length: %d\n", -- output_meta_data.meta_data_length, -- output_meta_data.frame_size); -- pr_debug("timestamp_msw: %d, timestamp_lsw: %d\n", -- output_meta_data.timestamp_msw, -- output_meta_data.timestamp_lsw); -- if (buffer_length == 0) { -- pr_debug("Recieved a zero length buffer-break out"); -- break; -- } -- param.paddr = temp + output_meta_data.meta_data_length; -- param.len = buffer_length; -- param.msw_ts = output_meta_data.timestamp_msw; -- param.lsw_ts = output_meta_data.timestamp_lsw; -- param.flags = time_stamp_flag; -- param.uid = prtd->session_id; -- for (i = 0; i < sizeof(struct audio_aio_write_param)/4; -- i++, ++ptrmem) -- pr_debug("cmd[%d]=0x%08x\n", i, *ptrmem); -- if 
(q6asm_async_write(prtd->audio_client, -- ¶m) < 0) -- pr_err("%s:q6asm_async_write failed\n", -- __func__); -- else -- prtd->out_head = -- (prtd->out_head + 1) & (runtime->periods - 1); -- break; -- } -- case ASM_DATA_EVENT_RENDERED_EOS: -- pr_debug("ASM_DATA_CMDRSP_EOS\n"); -- if (atomic_read(&prtd->eos)) { -- pr_debug("ASM_DATA_CMDRSP_EOS wake up\n"); -- prtd->cmd_ack = 1; -- wake_up(&the_locks.eos_wait); -- atomic_set(&prtd->eos, 0); -- } -- break; -- case ASM_DATA_EVENT_READ_DONE_V2: { -- pr_debug("ASM_DATA_EVENT_READ_DONE\n"); -- pr_debug("buf = %pK, data = 0x%X, *data = %pK,\n" -- "prtd->pcm_irq_pos = %d\n", -- prtd->audio_client->port[OUT].buf, -- *(uint32_t *)prtd->audio_client->port[OUT].buf->data, -- prtd->audio_client->port[OUT].buf->data, -- prtd->pcm_irq_pos); -- -- memcpy(prtd->audio_client->port[OUT].buf->data + -- prtd->pcm_irq_pos, (ptrmem + READDONE_IDX_SIZE), -- COMPRE_CAPTURE_HEADER_SIZE); -- pr_debug("buf = %pK, updated data = 0x%X, *data = %pK\n", -- prtd->audio_client->port[OUT].buf, -- *(uint32_t *)(prtd->audio_client->port[OUT].buf->data + -- prtd->pcm_irq_pos), -- prtd->audio_client->port[OUT].buf->data); -- if (!atomic_read(&prtd->start)) -- break; -- pr_debug("frame size=%d, buffer = 0x%X\n", -- ptrmem[READDONE_IDX_SIZE], -- ptrmem[READDONE_IDX_BUFADD_LSW]); -- if (ptrmem[READDONE_IDX_SIZE] > COMPRE_CAPTURE_MAX_FRAME_SIZE) { -- pr_err("Frame length exceeded the max length"); -- break; -- } -- buf = prtd->audio_client->port[OUT].buf; -- -- pr_debug("pcm_irq_pos=%d, buf[0].phys = 0x%pa\n", -- prtd->pcm_irq_pos, &buf[0].phys); -- read_param.len = prtd->pcm_count - COMPRE_CAPTURE_HEADER_SIZE; -- read_param.paddr = buf[0].phys + -- prtd->pcm_irq_pos + COMPRE_CAPTURE_HEADER_SIZE; -- prtd->pcm_irq_pos += prtd->pcm_count; -- -- if (atomic_read(&prtd->start)) -- snd_pcm_period_elapsed(substream); -- -- q6asm_async_read(prtd->audio_client, &read_param); -- break; -- } -- case APR_BASIC_RSP_RESULT: { -- switch (payload[0]) { -- case 
ASM_SESSION_CMD_RUN_V2: { -- if (substream->stream -- != SNDRV_PCM_STREAM_PLAYBACK) { -- atomic_set(&prtd->start, 1); -- break; -- } -- if (!atomic_read(&prtd->pending_buffer)) -- break; -- pr_debug("%s: writing %d bytes of buffer[%d] to dsp\n", -- __func__, prtd->pcm_count, prtd->out_head); -- buf = prtd->audio_client->port[IN].buf; -- pr_debug("%s: writing buffer[%d] from 0x%pa head %d count %d\n", -- __func__, prtd->out_head, &buf[0].phys, -- prtd->pcm_count, prtd->out_head); -- if (runtime->tstamp_mode == SNDRV_PCM_TSTAMP_ENABLE) -- time_stamp_flag = SET_TIMESTAMP; -- else -- time_stamp_flag = NO_TIMESTAMP; -- memcpy(&output_meta_data, (char *)(buf->data + -- prtd->out_head * prtd->pcm_count), -- COMPRE_OUTPUT_METADATA_SIZE); -- buffer_length = output_meta_data.frame_size; -- pr_debug("meta_data_length: %d, frame_length: %d\n", -- output_meta_data.meta_data_length, -- output_meta_data.frame_size); -- pr_debug("timestamp_msw: %d, timestamp_lsw: %d\n", -- output_meta_data.timestamp_msw, -- output_meta_data.timestamp_lsw); -- param.paddr = buf[prtd->out_head].phys -- + output_meta_data.meta_data_length; -- param.len = buffer_length; -- param.msw_ts = output_meta_data.timestamp_msw; -- param.lsw_ts = output_meta_data.timestamp_lsw; -- param.flags = time_stamp_flag; -- param.uid = prtd->session_id; -- param.metadata_len = COMPRE_OUTPUT_METADATA_SIZE; -- if (q6asm_async_write(prtd->audio_client, -- ¶m) < 0) -- pr_err("%s:q6asm_async_write failed\n", -- __func__); -- else -- prtd->out_head = -- (prtd->out_head + 1) -- & (runtime->periods - 1); -- atomic_set(&prtd->pending_buffer, 0); -- } -- break; -- case ASM_STREAM_CMD_FLUSH: -- pr_debug("ASM_STREAM_CMD_FLUSH\n"); -- prtd->cmd_ack = 1; -- wake_up(&the_locks.flush_wait); -- break; -- default: -- break; -- } -- break; -- } -- default: -- pr_debug("Not Supported Event opcode[0x%x]\n", opcode); -- break; -- } --} -- --static int msm_compr_send_ddp_cfg(struct audio_client *ac, -- struct snd_dec_ddp *ddp) --{ -- int i, 
rc; -- pr_debug("%s\n", __func__); -- for (i = 0; i < ddp->params_length/2; i++) { -- rc = q6asm_ds1_set_endp_params(ac, ddp->params_id[i], -- ddp->params_value[i]); -- if (rc) { -- pr_err("sending params_id: %d failed\n", -- ddp->params_id[i]); -- return rc; -- } -- } -- return 0; --} -- --static int msm_compr_playback_prepare(struct snd_pcm_substream *substream) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; -- struct msm_audio *prtd = &compr->prtd; -- struct snd_pcm_hw_params *params; -- struct asm_aac_cfg aac_cfg; -- uint16_t bits_per_sample = 16; -- int ret; -- -- struct asm_softpause_params softpause = { -- .enable = SOFT_PAUSE_ENABLE, -- .period = SOFT_PAUSE_PERIOD, -- .step = SOFT_PAUSE_STEP, -- .rampingcurve = SOFT_PAUSE_CURVE_LINEAR, -- }; -- struct asm_softvolume_params softvol = { -- .period = SOFT_VOLUME_PERIOD, -- .step = SOFT_VOLUME_STEP, -- .rampingcurve = SOFT_VOLUME_CURVE_LINEAR, -- }; -- -- pr_debug("%s\n", __func__); -- -- params = &soc_prtd->dpcm[substream->stream].hw_params; -- if (runtime->format == SNDRV_PCM_FORMAT_S24_LE) -- bits_per_sample = 24; -- -- ret = q6asm_open_write_v2(prtd->audio_client, -- compr->codec, bits_per_sample); -- if (ret < 0) { -- pr_err("%s: Session out open failed\n", -- __func__); -- return -ENOMEM; -- } -- msm_pcm_routing_reg_phy_stream( -- soc_prtd->dai_link->be_id, -- prtd->audio_client->perf_mode, -- prtd->session_id, -- substream->stream); -- /* -- * the number of channels are required to call volume api -- * accoridngly. 
So, get channels from hw params -- */ -- if ((params_channels(params) > 0) && -- (params_periods(params) <= runtime->hw.channels_max)) -- prtd->channel_mode = params_channels(params); -- -- ret = q6asm_set_softpause(prtd->audio_client, &softpause); -- if (ret < 0) -- pr_err("%s: Send SoftPause Param failed ret=%d\n", -- __func__, ret); -- ret = q6asm_set_softvolume(prtd->audio_client, &softvol); -- if (ret < 0) -- pr_err("%s: Send SoftVolume Param failed ret=%d\n", -- __func__, ret); -- -- ret = q6asm_set_io_mode(prtd->audio_client, -- (COMPRESSED_IO | ASYNC_IO_MODE)); -- if (ret < 0) { -- pr_err("%s: Set IO mode failed\n", __func__); -- return -ENOMEM; -- } -- -- prtd->pcm_size = snd_pcm_lib_buffer_bytes(substream); -- prtd->pcm_count = snd_pcm_lib_period_bytes(substream); -- prtd->pcm_irq_pos = 0; -- /* rate and channels are sent to audio driver */ -- prtd->samp_rate = runtime->rate; -- prtd->channel_mode = runtime->channels; -- prtd->out_head = 0; -- atomic_set(&prtd->out_count, runtime->periods); -- -- if (prtd->enabled) -- return 0; -- -- switch (compr->info.codec_param.codec.id) { -- case SND_AUDIOCODEC_MP3: -- /* No media format block for mp3 */ -- break; -- case SND_AUDIOCODEC_AAC: -- pr_debug("%s: SND_AUDIOCODEC_AAC\n", __func__); -- memset(&aac_cfg, 0x0, sizeof(struct asm_aac_cfg)); -- aac_cfg.aot = AAC_ENC_MODE_EAAC_P; -- aac_cfg.format = 0x03; -- aac_cfg.ch_cfg = runtime->channels; -- aac_cfg.sample_rate = runtime->rate; -- ret = q6asm_media_format_block_aac(prtd->audio_client, -- &aac_cfg); -- if (ret < 0) -- pr_err("%s: CMD Format block failed\n", __func__); -- break; -- case SND_AUDIOCODEC_AC3: { -- struct snd_dec_ddp *ddp = -- &compr->info.codec_param.codec.options.ddp; -- pr_debug("%s: SND_AUDIOCODEC_AC3\n", __func__); -- ret = msm_compr_send_ddp_cfg(prtd->audio_client, ddp); -- if (ret < 0) -- pr_err("%s: DDP CMD CFG failed\n", __func__); -- break; -- } -- case SND_AUDIOCODEC_EAC3: { -- struct snd_dec_ddp *ddp = -- 
&compr->info.codec_param.codec.options.ddp; -- pr_debug("%s: SND_AUDIOCODEC_EAC3\n", __func__); -- ret = msm_compr_send_ddp_cfg(prtd->audio_client, ddp); -- if (ret < 0) -- pr_err("%s: DDP CMD CFG failed\n", __func__); -- break; -- } -- default: -- return -EINVAL; -- } -- -- prtd->enabled = 1; -- prtd->cmd_ack = 0; -- prtd->cmd_interrupt = 0; -- -- return 0; --} -- --static int msm_compr_capture_prepare(struct snd_pcm_substream *substream) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- struct audio_buffer *buf = prtd->audio_client->port[OUT].buf; -- struct snd_codec *codec = &compr->info.codec_param.codec; -- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; -- struct audio_aio_read_param read_param; -- uint16_t bits_per_sample = 16; -- int ret = 0; -- int i; -- -- prtd->pcm_size = snd_pcm_lib_buffer_bytes(substream); -- prtd->pcm_count = snd_pcm_lib_period_bytes(substream); -- prtd->pcm_irq_pos = 0; -- -- if (runtime->format == SNDRV_PCM_FORMAT_S24_LE) -- bits_per_sample = 24; -- -- if (!msm_compr_capture_codecs( -- compr->info.codec_param.codec.id)) { -- /* -- * request codec invalid or not supported, -- * use default compress format -- */ -- compr->info.codec_param.codec.id = -- SND_AUDIOCODEC_AMRWB; -- } -- switch (compr->info.codec_param.codec.id) { -- case SND_AUDIOCODEC_AMRWB: -- pr_debug("q6asm_open_read(FORMAT_AMRWB)\n"); -- ret = q6asm_open_read(prtd->audio_client, -- FORMAT_AMRWB); -- if (ret < 0) { -- pr_err("%s: compressed Session out open failed\n", -- __func__); -- return -ENOMEM; -- } -- pr_debug("msm_pcm_routing_reg_phy_stream\n"); -- msm_pcm_routing_reg_phy_stream( -- soc_prtd->dai_link->be_id, -- prtd->audio_client->perf_mode, -- prtd->session_id, substream->stream); -- break; -- default: -- pr_debug("q6asm_open_read_compressed(COMPRESSED_META_DATA_MODE)\n"); -- /* -- ret = q6asm_open_read_compressed(prtd->audio_client, 
-- MAX_NUM_FRAMES_PER_BUFFER, -- COMPRESSED_META_DATA_MODE); -- */ -- ret = -EINVAL; -- break; -- } -- -- if (ret < 0) { -- pr_err("%s: compressed Session out open failed\n", -- __func__); -- return -ENOMEM; -- } -- -- ret = q6asm_set_io_mode(prtd->audio_client, -- (COMPRESSED_IO | ASYNC_IO_MODE)); -- if (ret < 0) { -- pr_err("%s: Set IO mode failed\n", __func__); -- return -ENOMEM; -- } -- -- if (!msm_compr_capture_codecs(codec->id)) { -- /* -- * request codec invalid or not supported, -- * use default compress format -- */ -- codec->id = SND_AUDIOCODEC_AMRWB; -- } -- /* rate and channels are sent to audio driver */ -- prtd->samp_rate = runtime->rate; -- prtd->channel_mode = runtime->channels; -- -- if (prtd->enabled) -- return ret; -- read_param.len = prtd->pcm_count; -- -- switch (codec->id) { -- case SND_AUDIOCODEC_AMRWB: -- pr_debug("SND_AUDIOCODEC_AMRWB\n"); -- ret = q6asm_enc_cfg_blk_amrwb(prtd->audio_client, -- MAX_NUM_FRAMES_PER_BUFFER, -- /* -- * use fixed band mode and dtx mode -- * band mode - 23.85 kbps -- */ -- AMR_WB_BAND_MODE, -- /* dtx mode - disable */ -- AMR_WB_DTX_MODE); -- if (ret < 0) -- pr_err("%s: CMD Format block failed: %d\n", -- __func__, ret); -- break; -- default: -- pr_debug("No config for codec %d\n", codec->id); -- } -- pr_debug("%s: Samp_rate = %d, Channel = %d, pcm_size = %d,\n" -- "pcm_count = %d, periods = %d\n", -- __func__, prtd->samp_rate, prtd->channel_mode, -- prtd->pcm_size, prtd->pcm_count, runtime->periods); -- -- for (i = 0; i < runtime->periods; i++) { -- read_param.uid = i; -- switch (codec->id) { -- case SND_AUDIOCODEC_AMRWB: -- read_param.len = prtd->pcm_count -- - COMPRE_CAPTURE_HEADER_SIZE; -- read_param.paddr = buf[i].phys -- + COMPRE_CAPTURE_HEADER_SIZE; -- pr_debug("Push buffer [%d] to DSP, paddr: %pa, vaddr: %pK\n", -- i, &read_param.paddr, -- buf[i].data); -- q6asm_async_read(prtd->audio_client, &read_param); -- break; -- default: -- read_param.paddr = buf[i].phys; -- 
/*q6asm_async_read_compressed(prtd->audio_client, -- &read_param);*/ -- pr_debug("%s: To add support for read compressed\n", -- __func__); -- ret = -EINVAL; -- break; -- } -- } -- prtd->periods = runtime->periods; -- -- prtd->enabled = 1; -- -- return ret; --} -- --static int msm_compr_trigger(struct snd_pcm_substream *substream, int cmd) --{ -- int ret = 0; -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- -- pr_debug("%s\n", __func__); -- switch (cmd) { -- case SNDRV_PCM_TRIGGER_START: -- prtd->pcm_irq_pos = 0; -- -- if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) { -- if (!msm_compr_capture_codecs( -- compr->info.codec_param.codec.id)) { -- /* -- * request codec invalid or not supported, -- * use default compress format -- */ -- compr->info.codec_param.codec.id = -- SND_AUDIOCODEC_AMRWB; -- } -- switch (compr->info.codec_param.codec.id) { -- case SND_AUDIOCODEC_AMRWB: -- break; -- default: -- msm_pcm_routing_reg_psthr_stream( -- soc_prtd->dai_link->be_id, -- prtd->session_id, substream->stream); -- break; -- } -- } -- atomic_set(&prtd->pending_buffer, 1); -- case SNDRV_PCM_TRIGGER_RESUME: -- case SNDRV_PCM_TRIGGER_PAUSE_RELEASE: -- pr_debug("%s: Trigger start\n", __func__); -- q6asm_run_nowait(prtd->audio_client, 0, 0, 0); -- atomic_set(&prtd->start, 1); -- break; -- case SNDRV_PCM_TRIGGER_STOP: -- pr_debug("SNDRV_PCM_TRIGGER_STOP\n"); -- if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) { -- switch (compr->info.codec_param.codec.id) { -- case SND_AUDIOCODEC_AMRWB: -- break; -- default: -- msm_pcm_routing_reg_psthr_stream( -- soc_prtd->dai_link->be_id, -- prtd->session_id, substream->stream); -- break; -- } -- } -- atomic_set(&prtd->start, 0); -- runtime->render_flag &= ~SNDRV_RENDER_STOPPED; -- break; -- case SNDRV_PCM_TRIGGER_SUSPEND: -- case SNDRV_PCM_TRIGGER_PAUSE_PUSH: -- 
pr_debug("SNDRV_PCM_TRIGGER_PAUSE\n"); -- q6asm_cmd_nowait(prtd->audio_client, CMD_PAUSE); -- atomic_set(&prtd->start, 0); -- runtime->render_flag &= ~SNDRV_RENDER_STOPPED; -- break; -- default: -- ret = -EINVAL; -- break; -- } -- -- return ret; --} -- --static void populate_codec_list(struct compr_audio *compr, -- struct snd_pcm_runtime *runtime) --{ -- pr_debug("%s\n", __func__); -- /* MP3 Block */ -- compr->info.compr_cap.num_codecs = 5; -- compr->info.compr_cap.min_fragment_size = runtime->hw.period_bytes_min; -- compr->info.compr_cap.max_fragment_size = runtime->hw.period_bytes_max; -- compr->info.compr_cap.min_fragments = runtime->hw.periods_min; -- compr->info.compr_cap.max_fragments = runtime->hw.periods_max; -- compr->info.compr_cap.codecs[0] = SND_AUDIOCODEC_MP3; -- compr->info.compr_cap.codecs[1] = SND_AUDIOCODEC_AAC; -- compr->info.compr_cap.codecs[2] = SND_AUDIOCODEC_AC3; -- compr->info.compr_cap.codecs[3] = SND_AUDIOCODEC_EAC3; -- compr->info.compr_cap.codecs[4] = SND_AUDIOCODEC_AMRWB; -- /* Add new codecs here */ --} -- --static int msm_compr_open(struct snd_pcm_substream *substream) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr; -- struct msm_audio *prtd; -- int ret = 0; -- -- pr_debug("%s\n", __func__); -- compr = kzalloc(sizeof(struct compr_audio), GFP_KERNEL); -- if (compr == NULL) { -- pr_err("Failed to allocate memory for msm_audio\n"); -- return -ENOMEM; -- } -- prtd = &compr->prtd; -- prtd->substream = substream; -- runtime->render_flag = SNDRV_DMA_MODE; -- prtd->audio_client = q6asm_audio_client_alloc( -- (app_cb)compr_event_handler, compr); -- if (!prtd->audio_client) { -- pr_info("%s: Could not allocate memory\n", __func__); -- kfree(prtd); -- return -ENOMEM; -- } -- -- prtd->audio_client->perf_mode = false; -- pr_info("%s: session ID %d\n", __func__, prtd->audio_client->session); -- -- prtd->session_id = prtd->audio_client->session; -- -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { -- 
runtime->hw = msm_compr_hardware_playback; -- prtd->cmd_ack = 1; -- } else { -- runtime->hw = msm_compr_hardware_capture; -- } -- -- -- ret = snd_pcm_hw_constraint_list(runtime, 0, -- SNDRV_PCM_HW_PARAM_RATE, -- &constraints_sample_rates); -- if (ret < 0) -- pr_info("snd_pcm_hw_constraint_list failed\n"); -- /* Ensure that buffer size is a multiple of period size */ -- ret = snd_pcm_hw_constraint_integer(runtime, -- SNDRV_PCM_HW_PARAM_PERIODS); -- if (ret < 0) -- pr_info("snd_pcm_hw_constraint_integer failed\n"); -- -- prtd->dsp_cnt = 0; -- atomic_set(&prtd->pending_buffer, 1); -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) -- compr->codec = FORMAT_MP3; -- populate_codec_list(compr, runtime); -- runtime->private_data = compr; -- atomic_set(&prtd->eos, 0); -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { -- if (!atomic_cmpxchg(&compressed_audio.audio_ocmem_req, 0, 1)) -- audio_ocmem_process_req(AUDIO, true); -- else -- atomic_inc(&compressed_audio.audio_ocmem_req); -- pr_debug("%s: req: %d\n", __func__, -- atomic_read(&compressed_audio.audio_ocmem_req)); -- } -- return 0; --} -- --static int compressed_set_volume(struct msm_audio *prtd, uint32_t volume) --{ -- int rc = 0; -- int avg_vol = 0; -- int lgain = (volume >> 16) & 0xFFFF; -- int rgain = volume & 0xFFFF; -- if (prtd && prtd->audio_client) { -- pr_debug("%s: channels %d volume 0x%x\n", __func__, -- prtd->channel_mode, volume); -- if ((prtd->channel_mode == 2) && -- (lgain != rgain)) { -- pr_debug("%s: call q6asm_set_lrgain\n", __func__); -- rc = q6asm_set_lrgain(prtd->audio_client, lgain, rgain); -- } else { -- avg_vol = (lgain + rgain)/2; -- pr_debug("%s: call q6asm_set_volume\n", __func__); -- rc = q6asm_set_volume(prtd->audio_client, avg_vol); -- } -- if (rc < 0) { -- pr_err("%s: Send Volume command failed rc=%d\n", -- __func__, rc); -- } -- } -- return rc; --} -- --static int msm_compr_playback_close(struct snd_pcm_substream *substream) --{ -- struct snd_pcm_runtime *runtime = 
substream->runtime; -- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- int dir = 0; -- -- pr_debug("%s\n", __func__); -- -- dir = IN; -- atomic_set(&prtd->pending_buffer, 0); -- -- if (atomic_read(&compressed_audio.audio_ocmem_req) > 1) -- atomic_dec(&compressed_audio.audio_ocmem_req); -- else if (atomic_cmpxchg(&compressed_audio.audio_ocmem_req, 1, 0)) -- audio_ocmem_process_req(AUDIO, false); -- -- pr_debug("%s: req: %d\n", __func__, -- atomic_read(&compressed_audio.audio_ocmem_req)); -- prtd->pcm_irq_pos = 0; -- q6asm_cmd(prtd->audio_client, CMD_CLOSE); -- q6asm_audio_client_buf_free_contiguous(dir, -- prtd->audio_client); -- msm_pcm_routing_dereg_phy_stream( -- soc_prtd->dai_link->be_id, -- SNDRV_PCM_STREAM_PLAYBACK); -- q6asm_audio_client_free(prtd->audio_client); -- kfree(prtd); -- return 0; --} -- --static int msm_compr_capture_close(struct snd_pcm_substream *substream) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct snd_soc_pcm_runtime *soc_prtd = substream->private_data; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- int dir = OUT; -- -- pr_debug("%s\n", __func__); -- atomic_set(&prtd->pending_buffer, 0); -- q6asm_cmd(prtd->audio_client, CMD_CLOSE); -- q6asm_audio_client_buf_free_contiguous(dir, -- prtd->audio_client); -- msm_pcm_routing_dereg_phy_stream(soc_prtd->dai_link->be_id, -- SNDRV_PCM_STREAM_CAPTURE); -- q6asm_audio_client_free(prtd->audio_client); -- kfree(prtd); -- return 0; --} -- --static int msm_compr_close(struct snd_pcm_substream *substream) --{ -- int ret = 0; -- -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) -- ret = msm_compr_playback_close(substream); -- else if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) -- ret = msm_compr_capture_close(substream); -- return ret; --} -- --static int msm_compr_prepare(struct snd_pcm_substream *substream) 
--{ -- int ret = 0; -- -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) -- ret = msm_compr_playback_prepare(substream); -- else if (substream->stream == SNDRV_PCM_STREAM_CAPTURE) -- ret = msm_compr_capture_prepare(substream); -- return ret; --} -- --static snd_pcm_uframes_t msm_compr_pointer(struct snd_pcm_substream *substream) --{ -- -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- -- if (prtd->pcm_irq_pos >= prtd->pcm_size) -- prtd->pcm_irq_pos = 0; -- -- pr_debug("%s: pcm_irq_pos = %d, pcm_size = %d, sample_bits = %d,\n" -- "frame_bits = %d\n", __func__, prtd->pcm_irq_pos, -- prtd->pcm_size, runtime->sample_bits, -- runtime->frame_bits); -- return bytes_to_frames(runtime, (prtd->pcm_irq_pos)); --} -- --static int msm_compr_mmap(struct snd_pcm_substream *substream, -- struct vm_area_struct *vma) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct msm_audio *prtd = runtime->private_data; -- struct audio_client *ac = prtd->audio_client; -- struct audio_port_data *apd = ac->port; -- struct audio_buffer *ab; -- int dir = -1; -- -- prtd->mmap_flag = 1; -- runtime->render_flag = SNDRV_NON_DMA_MODE; -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) -- dir = IN; -- else -- dir = OUT; -- ab = &(apd[dir].buf[0]); -- -- return msm_audio_ion_mmap(ab, vma); --} -- --static int msm_compr_hw_params(struct snd_pcm_substream *substream, -- struct snd_pcm_hw_params *params) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- struct snd_dma_buffer *dma_buf = &substream->dma_buffer; -- struct audio_buffer *buf; -- int dir, ret; -- -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) -- dir = IN; -- else -- dir = OUT; -- /* Modifying kernel hardware params based on userspace config */ -- if (params_periods(params) > 0 && -- 
(params_periods(params) != runtime->hw.periods_max)) { -- runtime->hw.periods_max = params_periods(params); -- } -- if (params_period_bytes(params) > 0 && -- (params_period_bytes(params) != runtime->hw.period_bytes_min)) { -- runtime->hw.period_bytes_min = params_period_bytes(params); -- } -- runtime->hw.buffer_bytes_max = -- runtime->hw.period_bytes_min * runtime->hw.periods_max; -- pr_debug("allocate %zd buffers each of size %d\n", -- runtime->hw.period_bytes_min, -- runtime->hw.periods_max); -- ret = q6asm_audio_client_buf_alloc_contiguous(dir, -- prtd->audio_client, -- runtime->hw.period_bytes_min, -- runtime->hw.periods_max); -- if (ret < 0) { -- pr_err("Audio Start: Buffer Allocation failed rc = %d\n", -- ret); -- return -ENOMEM; -- } -- buf = prtd->audio_client->port[dir].buf; -- -- dma_buf->dev.type = SNDRV_DMA_TYPE_DEV; -- dma_buf->dev.dev = substream->pcm->card->dev; -- dma_buf->private_data = NULL; -- dma_buf->area = buf[0].data; -- dma_buf->addr = buf[0].phys; -- dma_buf->bytes = runtime->hw.buffer_bytes_max; -- -- pr_debug("%s: buf[%pK]dma_buf->area[%pK]dma_buf->addr[%pa]\n" -- "dma_buf->bytes[%zd]\n", __func__, -- (void *)buf, (void *)dma_buf->area, -- &dma_buf->addr, dma_buf->bytes); -- if (!dma_buf->area) -- return -ENOMEM; -- -- snd_pcm_set_runtime_buffer(substream, &substream->dma_buffer); -- return 0; --} -- --static int msm_compr_ioctl_shared(struct snd_pcm_substream *substream, -- unsigned int cmd, void *arg) --{ -- int rc = 0; -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- uint64_t timestamp; -- uint64_t temp; -- -- switch (cmd) { -- case SNDRV_COMPRESS_TSTAMP: { -- struct snd_compr_tstamp *tstamp; -- pr_debug("SNDRV_COMPRESS_TSTAMP\n"); -- tstamp = arg; -- memset(tstamp, 0x0, sizeof(*tstamp)); -- rc = q6asm_get_session_time(prtd->audio_client, ×tamp); -- if (rc < 0) { -- pr_err("%s: Get Session Time return value =%lld\n", -- __func__, 
timestamp); -- return -EAGAIN; -- } -- temp = (timestamp * 2 * runtime->channels); -- temp = temp * (runtime->rate/1000); -- temp = div_u64(temp, 1000); -- tstamp->sampling_rate = runtime->rate; -- tstamp->timestamp = timestamp; -- pr_debug("%s: bytes_consumed:,timestamp = %lld,\n", -- __func__, -- tstamp->timestamp); -- return 0; -- } -- case SNDRV_COMPRESS_GET_CAPS: { -- struct snd_compr_caps *caps; -- caps = arg; -- memset(caps, 0, sizeof(*caps)); -- pr_debug("SNDRV_COMPRESS_GET_CAPS\n"); -- memcpy(caps, &compr->info.compr_cap, sizeof(*caps)); -- return 0; -- } -- case SNDRV_COMPRESS_SET_PARAMS: -- pr_debug("SNDRV_COMPRESS_SET_PARAMS:\n"); -- memcpy(&compr->info.codec_param, (void *) arg, -- sizeof(struct snd_compr_params)); -- switch (compr->info.codec_param.codec.id) { -- case SND_AUDIOCODEC_MP3: -- /* For MP3 we dont need any other parameter */ -- pr_debug("SND_AUDIOCODEC_MP3\n"); -- compr->codec = FORMAT_MP3; -- break; -- case SND_AUDIOCODEC_AAC: -- pr_debug("SND_AUDIOCODEC_AAC\n"); -- compr->codec = FORMAT_MPEG4_AAC; -- break; -- case SND_AUDIOCODEC_AC3: { -- char params_value[MAX_AC3_PARAM_SIZE]; -- int *params_value_data = (int *)params_value; -- /* 36 is the max param length for ddp */ -- int i; -- struct snd_dec_ddp *ddp = -- &compr->info.codec_param.codec.options.ddp; -- uint32_t params_length = 0; -- memset(params_value, 0, MAX_AC3_PARAM_SIZE); -- /* check integer overflow */ -- if (ddp->params_length > UINT_MAX/sizeof(int)) { -- pr_err("%s: Integer overflow ddp->params_length %d\n", -- __func__, ddp->params_length); -- return -EINVAL; -- } -- params_length = ddp->params_length*sizeof(int); -- if (params_length > MAX_AC3_PARAM_SIZE) { -- /*MAX is 36*sizeof(int) this should not happen*/ -- pr_err("%s: params_length(%d) is greater than %zd\n", -- __func__, params_length, MAX_AC3_PARAM_SIZE); -- return -EINVAL; -- } -- pr_debug("SND_AUDIOCODEC_AC3\n"); -- compr->codec = FORMAT_AC3; -- pr_debug("params_length: %d\n", ddp->params_length); -- for (i = 0; i 
< params_length/sizeof(int); i++) -- pr_debug("params_value[%d]: %x\n", i, -- params_value_data[i]); -- for (i = 0; i < ddp->params_length/2; i++) { -- ddp->params_id[i] = params_value_data[2*i]; -- ddp->params_value[i] = params_value_data[2*i+1]; -- } -- if (atomic_read(&prtd->start)) { -- rc = msm_compr_send_ddp_cfg(prtd->audio_client, -- ddp); -- if (rc < 0) -- pr_err("%s: DDP CMD CFG failed\n", -- __func__); -- } -- break; -- } -- case SND_AUDIOCODEC_EAC3: { -- char params_value[MAX_AC3_PARAM_SIZE]; -- int *params_value_data = (int *)params_value; -- /* 36 is the max param length for ddp */ -- int i; -- struct snd_dec_ddp *ddp = -- &compr->info.codec_param.codec.options.ddp; -- uint32_t params_length = 0; -- memset(params_value, 0, MAX_AC3_PARAM_SIZE); -- /* check integer overflow */ -- if (ddp->params_length > UINT_MAX/sizeof(int)) { -- pr_err("%s: Integer overflow ddp->params_length %d\n", -- __func__, ddp->params_length); -- return -EINVAL; -- } -- params_length = ddp->params_length*sizeof(int); -- if (params_length > MAX_AC3_PARAM_SIZE) { -- /*MAX is 36*sizeof(int) this should not happen*/ -- pr_err("%s: params_length(%d) is greater than %zd\n", -- __func__, params_length, MAX_AC3_PARAM_SIZE); -- return -EINVAL; -- } -- pr_debug("SND_AUDIOCODEC_EAC3\n"); -- compr->codec = FORMAT_EAC3; -- pr_debug("params_length: %d\n", ddp->params_length); -- for (i = 0; i < ddp->params_length; i++) -- pr_debug("params_value[%d]: %x\n", i, -- params_value_data[i]); -- for (i = 0; i < ddp->params_length/2; i++) { -- ddp->params_id[i] = params_value_data[2*i]; -- ddp->params_value[i] = params_value_data[2*i+1]; -- } -- if (atomic_read(&prtd->start)) { -- rc = msm_compr_send_ddp_cfg(prtd->audio_client, -- ddp); -- if (rc < 0) -- pr_err("%s: DDP CMD CFG failed\n", -- __func__); -- } -- break; -- } -- default: -- pr_debug("FORMAT_LINEAR_PCM\n"); -- compr->codec = FORMAT_LINEAR_PCM; -- break; -- } -- return 0; -- case SNDRV_PCM_IOCTL1_RESET: -- 
pr_debug("SNDRV_PCM_IOCTL1_RESET\n"); -- /* Flush only when session is started during CAPTURE, -- while PLAYBACK has no such restriction. */ -- if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK || -- (substream->stream == SNDRV_PCM_STREAM_CAPTURE && -- atomic_read(&prtd->start))) { -- if (atomic_read(&prtd->eos)) { -- prtd->cmd_interrupt = 1; -- wake_up(&the_locks.eos_wait); -- atomic_set(&prtd->eos, 0); -- } -- -- /* A unlikely race condition possible with FLUSH -- DRAIN if ack is set by flush and reset by drain */ -- prtd->cmd_ack = 0; -- rc = q6asm_cmd(prtd->audio_client, CMD_FLUSH); -- if (rc < 0) { -- pr_err("%s: flush cmd failed rc=%d\n", -- __func__, rc); -- return rc; -- } -- rc = wait_event_timeout(the_locks.flush_wait, -- prtd->cmd_ack, 5 * HZ); -- if (!rc) -- pr_err("Flush cmd timeout\n"); -- prtd->pcm_irq_pos = 0; -- } -- break; -- case SNDRV_COMPRESS_DRAIN: -- pr_debug("%s: SNDRV_COMPRESS_DRAIN\n", __func__); -- if (atomic_read(&prtd->pending_buffer)) { -- pr_debug("%s: no pending writes, drain would block\n", -- __func__); -- return -EWOULDBLOCK; -- } -- -- atomic_set(&prtd->eos, 1); -- atomic_set(&prtd->pending_buffer, 0); -- prtd->cmd_ack = 0; -- q6asm_cmd_nowait(prtd->audio_client, CMD_EOS); -- /* Wait indefinitely for DRAIN. 
Flush can also signal this*/ -- rc = wait_event_interruptible(the_locks.eos_wait, -- (prtd->cmd_ack || prtd->cmd_interrupt)); -- -- if (rc < 0) -- pr_err("EOS cmd interrupted\n"); -- pr_debug("%s: SNDRV_COMPRESS_DRAIN out of wait\n", __func__); -- -- if (prtd->cmd_interrupt) -- rc = -EINTR; -- -- prtd->cmd_interrupt = 0; -- return rc; -- default: -- break; -- } -- return snd_pcm_lib_ioctl(substream, cmd, arg); --} --#ifdef CONFIG_COMPAT --struct snd_enc_wma32 { -- u32 super_block_align; /* WMA Type-specific data */ -- u32 encodeopt1; -- u32 encodeopt2; --}; -- --struct snd_enc_vorbis32 { -- s32 quality; -- u32 managed; -- u32 max_bit_rate; -- u32 min_bit_rate; -- u32 downmix; --}; -- --struct snd_enc_real32 { -- u32 quant_bits; -- u32 start_region; -- u32 num_regions; --}; -- --struct snd_enc_flac32 { -- u32 num; -- u32 gain; --}; -- --struct snd_enc_generic32 { -- u32 bw; /* encoder bandwidth */ -- s32 reserved[15]; --}; --struct snd_dec_ddp32 { -- u32 params_length; -- u32 params_id[18]; -- u32 params_value[18]; --}; -- --union snd_codec_options32 { -- struct snd_enc_wma32 wma; -- struct snd_enc_vorbis32 vorbis; -- struct snd_enc_real32 real; -- struct snd_enc_flac32 flac; -- struct snd_enc_generic32 generic; -- struct snd_dec_ddp32 ddp; --}; -- --struct snd_codec32 { -- u32 id; -- u32 ch_in; -- u32 ch_out; -- u32 sample_rate; -- u32 bit_rate; -- u32 rate_control; -- u32 profile; -- u32 level; -- u32 ch_mode; -- u32 format; -- u32 align; -- union snd_codec_options32 options; -- u32 reserved[3]; --}; -- --struct snd_compressed_buffer32 { -- u32 fragment_size; -- u32 fragments; --}; -- --struct snd_compr_params32 { -- struct snd_compressed_buffer32 buffer; -- struct snd_codec32 codec; -- u8 no_wake_mode; --}; -- --struct snd_compr_caps32 { -- u32 num_codecs; -- u32 direction; -- u32 min_fragment_size; -- u32 max_fragment_size; -- u32 min_fragments; -- u32 max_fragments; -- u32 codecs[MAX_NUM_CODECS]; -- u32 reserved[11]; --}; --struct snd_compr_tstamp32 { -- u32 
byte_offset; -- u32 copied_total; -- compat_ulong_t pcm_frames; -- compat_ulong_t pcm_io_frames; -- u32 sampling_rate; -- compat_u64 timestamp; --}; --enum { -- SNDRV_COMPRESS_TSTAMP32 = _IOR('C', 0x20, struct snd_compr_tstamp32), -- SNDRV_COMPRESS_GET_CAPS32 = _IOWR('C', 0x10, struct snd_compr_caps32), -- SNDRV_COMPRESS_SET_PARAMS32 = -- _IOW('C', 0x12, struct snd_compr_params32), --}; --static int msm_compr_compat_ioctl(struct snd_pcm_substream *substream, -- unsigned int cmd, void *arg) --{ -- int err = 0; -- switch (cmd) { -- case SNDRV_COMPRESS_TSTAMP32: { -- struct snd_compr_tstamp tstamp; -- struct snd_compr_tstamp32 tstamp32; -- memset(&tstamp, 0, sizeof(tstamp)); -- memset(&tstamp32, 0, sizeof(tstamp32)); -- cmd = SNDRV_COMPRESS_TSTAMP; -- err = msm_compr_ioctl_shared(substream, cmd, &tstamp); -- if (err) { -- pr_err("%s: COMPRESS_TSTAMP failed rc %d\n", -- __func__, err); -- goto bail_out; -- } -- tstamp32.byte_offset = tstamp.byte_offset; -- tstamp32.copied_total = tstamp.copied_total; -- tstamp32.pcm_frames = tstamp.pcm_frames; -- tstamp32.pcm_io_frames = tstamp.pcm_io_frames; -- tstamp32.sampling_rate = tstamp.sampling_rate; -- tstamp32.timestamp = tstamp.timestamp; -- if (copy_to_user(arg, &tstamp32, sizeof(tstamp32))) { -- pr_err("%s: copytouser failed COMPRESS_TSTAMP32\n", -- __func__); -- err = -EFAULT; -- } -- break; -- } -- case SNDRV_COMPRESS_GET_CAPS32: { -- struct snd_compr_caps caps; -- struct snd_compr_caps32 caps32; -- u32 i; -- memset(&caps, 0, sizeof(caps)); -- memset(&caps32, 0, sizeof(caps32)); -- cmd = SNDRV_COMPRESS_GET_CAPS; -- err = msm_compr_ioctl_shared(substream, cmd, &caps); -- if (err) { -- pr_err("%s: GET_CAPS failed rc %d\n", -- __func__, err); -- goto bail_out; -- } -- pr_debug("SNDRV_COMPRESS_GET_CAPS_32\n"); -- if (!err && caps.num_codecs >= MAX_NUM_CODECS) { -- pr_err("%s: Invalid number of codecs\n", __func__); -- err = -EINVAL; -- goto bail_out; -- } -- caps32.direction = caps.direction; -- caps32.max_fragment_size = 
caps.max_fragment_size; -- caps32.max_fragments = caps.max_fragments; -- caps32.min_fragment_size = caps.min_fragment_size; -- caps32.num_codecs = caps.num_codecs; -- for (i = 0; i < caps.num_codecs; i++) -- caps32.codecs[i] = caps.codecs[i]; -- if (copy_to_user(arg, &caps32, sizeof(caps32))) { -- pr_err("%s: copytouser failed COMPRESS_GETCAPS32\n", -- __func__); -- err = -EFAULT; -- } -- break; -- } -- case SNDRV_COMPRESS_SET_PARAMS32: { -- struct snd_compr_params32 params32; -- struct snd_compr_params params; -- memset(¶ms32, 0 , sizeof(params32)); -- memset(¶ms, 0 , sizeof(params)); -- cmd = SNDRV_COMPRESS_SET_PARAMS; -- if (copy_from_user(¶ms32, arg, sizeof(params32))) { -- pr_err("%s: copyfromuser failed SET_PARAMS32\n", -- __func__); -- err = -EFAULT; -- goto bail_out; -- } -- params.no_wake_mode = params32.no_wake_mode; -- params.codec.id = params32.codec.id; -- params.codec.ch_in = params32.codec.ch_in; -- params.codec.ch_out = params32.codec.ch_out; -- params.codec.sample_rate = params32.codec.sample_rate; -- params.codec.bit_rate = params32.codec.bit_rate; -- params.codec.rate_control = params32.codec.rate_control; -- params.codec.profile = params32.codec.profile; -- params.codec.level = params32.codec.level; -- params.codec.ch_mode = params32.codec.ch_mode; -- params.codec.format = params32.codec.format; -- params.codec.align = params32.codec.align; -- -- switch (params.codec.id) { -- case SND_AUDIOCODEC_WMA: -- case SND_AUDIOCODEC_WMA_PRO: -- params.codec.options.wma.encodeopt1 = -- params32.codec.options.wma.encodeopt1; -- params.codec.options.wma.encodeopt2 = -- params32.codec.options.wma.encodeopt2; -- params.codec.options.wma.super_block_align = -- params32.codec.options.wma.super_block_align; -- break; -- case SND_AUDIOCODEC_VORBIS: -- params.codec.options.vorbis.downmix = -- params32.codec.options.vorbis.downmix; -- params.codec.options.vorbis.managed = -- params32.codec.options.vorbis.managed; -- params.codec.options.vorbis.max_bit_rate = -- 
params32.codec.options.vorbis.max_bit_rate; -- params.codec.options.vorbis.min_bit_rate = -- params32.codec.options.vorbis.min_bit_rate; -- params.codec.options.vorbis.quality = -- params32.codec.options.vorbis.quality; -- break; -- case SND_AUDIOCODEC_REAL: -- params.codec.options.real.num_regions = -- params32.codec.options.real.num_regions; -- params.codec.options.real.quant_bits = -- params32.codec.options.real.quant_bits; -- params.codec.options.real.start_region = -- params32.codec.options.real.start_region; -- break; -- case SND_AUDIOCODEC_FLAC: -- params.codec.options.flac.gain = -- params32.codec.options.flac.gain; -- params.codec.options.flac.num = -- params32.codec.options.flac.num; -- break; -- case SND_AUDIOCODEC_DTS: -- case SND_AUDIOCODEC_DTS_PASS_THROUGH: -- case SND_AUDIOCODEC_DTS_LBR: -- case SND_AUDIOCODEC_DTS_LBR_PASS_THROUGH: -- case SND_AUDIOCODEC_DTS_TRANSCODE_LOOPBACK: -- break; -- case SND_AUDIOCODEC_AC3: -- case SND_AUDIOCODEC_EAC3: -- params.codec.options.ddp.params_length = -- params32.codec.options.ddp.params_length; -- memcpy(params.codec.options.ddp.params_value, -- params32.codec.options.ddp.params_value, -- sizeof(params32.codec.options.ddp.params_value)); -- memcpy(params.codec.options.ddp.params_id, -- params32.codec.options.ddp.params_id, -- sizeof(params32.codec.options.ddp.params_id)); -- break; -- default: -- params.codec.options.generic.bw = -- params32.codec.options.generic.bw; -- break; -- } -- if (!err) -- err = msm_compr_ioctl_shared(substream, cmd, ¶ms); -- break; -- } -- default: -- err = msm_compr_ioctl_shared(substream, cmd, arg); -- } --bail_out: -- return err; -- --} --#endif --static int msm_compr_ioctl(struct snd_pcm_substream *substream, -- unsigned int cmd, void *arg) --{ -- int err = 0; -- if (!substream) { -- pr_err("%s: Invalid params\n", __func__); -- return -EINVAL; -- } -- pr_debug("%s called with cmd = %d\n", __func__, cmd); -- switch (cmd) { -- case SNDRV_COMPRESS_TSTAMP: { -- struct snd_compr_tstamp 
tstamp; -- if (!arg) { -- pr_err("%s: Invalid params Tstamp\n", __func__); -- return -EINVAL; -- } -- err = msm_compr_ioctl_shared(substream, cmd, &tstamp); -- if (err) -- pr_err("%s: COMPRESS_TSTAMP failed rc %d\n", -- __func__, err); -- if (!err && copy_to_user(arg, &tstamp, sizeof(tstamp))) { -- pr_err("%s: copytouser failed COMPRESS_TSTAMP\n", -- __func__); -- err = -EFAULT; -- } -- break; -- } -- case SNDRV_COMPRESS_GET_CAPS: { -- struct snd_compr_caps cap; -- if (!arg) { -- pr_err("%s: Invalid params getcaps\n", __func__); -- return -EINVAL; -- } -- pr_debug("SNDRV_COMPRESS_GET_CAPS\n"); -- err = msm_compr_ioctl_shared(substream, cmd, &cap); -- if (err) -- pr_err("%s: GET_CAPS failed rc %d\n", -- __func__, err); -- if (!err && copy_to_user(arg, &cap, sizeof(cap))) { -- pr_err("%s: copytouser failed GET_CAPS\n", -- __func__); -- err = -EFAULT; -- } -- break; -- } -- case SNDRV_COMPRESS_SET_PARAMS: { -- struct snd_compr_params params; -- if (!arg) { -- pr_err("%s: Invalid params setparam\n", __func__); -- return -EINVAL; -- } -- if (copy_from_user(¶ms, arg, -- sizeof(struct snd_compr_params))) { -- pr_err("%s: SET_PARAMS\n", __func__); -- return -EFAULT; -- } -- err = msm_compr_ioctl_shared(substream, cmd, ¶ms); -- if (err) -- pr_err("%s: SET_PARAMS failed rc %d\n", -- __func__, err); -- break; -- } -- default: -- err = msm_compr_ioctl_shared(substream, cmd, arg); -- } -- return err; --} -- --static int msm_compr_restart(struct snd_pcm_substream *substream) --{ -- struct snd_pcm_runtime *runtime = substream->runtime; -- struct compr_audio *compr = runtime->private_data; -- struct msm_audio *prtd = &compr->prtd; -- struct audio_aio_write_param param; -- struct audio_buffer *buf = NULL; -- struct output_meta_data_st output_meta_data; -- int time_stamp_flag = 0; -- int buffer_length = 0; -- -- pr_debug("%s, trigger restart\n", __func__); -- -- if (runtime->render_flag & SNDRV_RENDER_STOPPED) { -- buf = prtd->audio_client->port[IN].buf; -- pr_debug("%s:writing %d 
bytes of buffer[%d] to dsp 2\n", -- __func__, prtd->pcm_count, prtd->out_head); -- pr_debug("%s:writing buffer[%d] from 0x%08x\n", -- __func__, prtd->out_head, -- ((unsigned int)buf[0].phys -- + (prtd->out_head * prtd->pcm_count))); -- -- if (runtime->tstamp_mode == SNDRV_PCM_TSTAMP_ENABLE) -- time_stamp_flag = SET_TIMESTAMP; -- else -- time_stamp_flag = NO_TIMESTAMP; -- memcpy(&output_meta_data, (char *)(buf->data + -- prtd->out_head * prtd->pcm_count), -- COMPRE_OUTPUT_METADATA_SIZE); -- -- buffer_length = output_meta_data.frame_size; -- pr_debug("meta_data_length: %d, frame_length: %d\n", -- output_meta_data.meta_data_length, -- output_meta_data.frame_size); -- pr_debug("timestamp_msw: %d, timestamp_lsw: %d\n", -- output_meta_data.timestamp_msw, -- output_meta_data.timestamp_lsw); -- -- param.paddr = (unsigned long)buf[0].phys -- + (prtd->out_head * prtd->pcm_count) -- + output_meta_data.meta_data_length; -- param.len = buffer_length; -- param.msw_ts = output_meta_data.timestamp_msw; -- param.lsw_ts = output_meta_data.timestamp_lsw; -- param.flags = time_stamp_flag; -- param.uid = prtd->session_id; -- if (q6asm_async_write(prtd->audio_client, -- ¶m) < 0) -- pr_err("%s:q6asm_async_write failed\n", -- __func__); -- else -- prtd->out_head = -- (prtd->out_head + 1) & (runtime->periods - 1); -- -- runtime->render_flag &= ~SNDRV_RENDER_STOPPED; -- return 0; -- } -- return 0; --} -- --static int msm_compr_volume_ctl_put(struct snd_kcontrol *kcontrol, -- struct snd_ctl_elem_value *ucontrol) --{ -- int rc = 0; -- struct snd_pcm_volume *vol = snd_kcontrol_chip(kcontrol); -- struct snd_pcm_substream *substream = -- vol->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream; -- struct msm_audio *prtd; -- int volume = ucontrol->value.integer.value[0]; -- -- pr_debug("%s: volume : %x\n", __func__, volume); -- if (!substream) -- return -ENODEV; -- if (!substream->runtime) -- return 0; -- prtd = substream->runtime->private_data; -- if (prtd) -- rc = compressed_set_volume(prtd, 
volume); -- -- return rc; --} -- --static int msm_compr_volume_ctl_get(struct snd_kcontrol *kcontrol, -- struct snd_ctl_elem_value *ucontrol) --{ -- struct snd_pcm_volume *vol = snd_kcontrol_chip(kcontrol); -- struct snd_pcm_substream *substream = -- vol->pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream; -- struct msm_audio *prtd; -- -- pr_debug("%s\n", __func__); -- if (!substream) -- return -ENODEV; -- if (!substream->runtime) -- return 0; -- prtd = substream->runtime->private_data; -- if (prtd) -- ucontrol->value.integer.value[0] = prtd->volume; -- return 0; --} -- --static int msm_compr_add_controls(struct snd_soc_pcm_runtime *rtd) --{ -- int ret = 0; -- struct snd_pcm *pcm = rtd->pcm; -- struct snd_pcm_volume *volume_info; -- struct snd_kcontrol *kctl; -- -- dev_dbg(rtd->dev, "%s, Volume cntrl add\n", __func__); -- ret = snd_pcm_add_volume_ctls(pcm, SNDRV_PCM_STREAM_PLAYBACK, -- NULL, 1, rtd->dai_link->be_id, -- &volume_info); -- if (ret < 0) -- return ret; -- kctl = volume_info->kctl; -- kctl->put = msm_compr_volume_ctl_put; -- kctl->get = msm_compr_volume_ctl_get; -- kctl->tlv.p = compr_rx_vol_gain; -- return 0; --} -- --static struct snd_pcm_ops msm_compr_ops = { -- .open = msm_compr_open, -- .hw_params = msm_compr_hw_params, -- .close = msm_compr_close, -- .ioctl = msm_compr_ioctl, -- .prepare = msm_compr_prepare, -- .trigger = msm_compr_trigger, -- .pointer = msm_compr_pointer, -- .mmap = msm_compr_mmap, -- .restart = msm_compr_restart, --#ifdef CONFIG_COMPAT -- .compat_ioctl = msm_compr_compat_ioctl, --#endif --}; -- --static int msm_asoc_pcm_new(struct snd_soc_pcm_runtime *rtd) --{ -- struct snd_card *card = rtd->card->snd_card; -- int ret = 0; -- -- if (!card->dev->coherent_dma_mask) -- card->dev->coherent_dma_mask = DMA_BIT_MASK(32); -- -- ret = msm_compr_add_controls(rtd); -- if (ret) -- pr_err("%s, kctl add failed\n", __func__); -- return ret; --} -- --static struct snd_soc_platform_driver msm_soc_platform = { -- .ops = &msm_compr_ops, -- .pcm_new 
= msm_asoc_pcm_new, --}; -- --static int msm_compr_probe(struct platform_device *pdev) --{ -- -- dev_info(&pdev->dev, "%s: dev name %s\n", -- __func__, dev_name(&pdev->dev)); -- -- atomic_set(&compressed_audio.audio_ocmem_req, 0); -- return snd_soc_register_platform(&pdev->dev, -- &msm_soc_platform); --} -- --static int msm_compr_remove(struct platform_device *pdev) --{ -- snd_soc_unregister_platform(&pdev->dev); -- return 0; --} -- --static const struct of_device_id msm_compr_dt_match[] = { -- {.compatible = "qcom,msm-compr-dsp"}, -- {} --}; --MODULE_DEVICE_TABLE(of, msm_compr_dt_match); -- --static struct platform_driver msm_compr_driver = { -- .driver = { -- .name = "msm-compr-dsp", -- .owner = THIS_MODULE, -- .of_match_table = msm_compr_dt_match, -- }, -- .probe = msm_compr_probe, -- .remove = msm_compr_remove, --}; -- --static int __init msm_soc_platform_init(void) --{ -- init_waitqueue_head(&the_locks.enable_wait); -- init_waitqueue_head(&the_locks.eos_wait); -- init_waitqueue_head(&the_locks.write_wait); -- init_waitqueue_head(&the_locks.read_wait); -- init_waitqueue_head(&the_locks.flush_wait); -- -- return platform_driver_register(&msm_compr_driver); --} --module_init(msm_soc_platform_init); -- --static void __exit msm_soc_platform_exit(void) --{ -- platform_driver_unregister(&msm_compr_driver); --} --module_exit(msm_soc_platform_exit); -- --MODULE_DESCRIPTION("PCM module platform driver"); --MODULE_LICENSE("GPL v2"); -diff --git a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h b/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h -deleted file mode 100644 -index d6e3ec6..0000000 ---- a/sound/soc/msm/qdsp6v2/msm-compr-q6-v2.h -+++ /dev/null -@@ -1,36 +0,0 @@ --/* -- * Copyright (c) 2012, The Linux Foundation. All rights reserved. -- * -- * This program is free software; you can redistribute it and/or modify -- * it under the terms of the GNU General Public License version 2 and -- * only version 2 as published by the Free Software Foundation. 
-- *
-- * This program is distributed in the hope that it will be useful,
-- * but WITHOUT ANY WARRANTY; without even the implied warranty of
-- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- * GNU General Public License for more details.
-- */
--
--#ifndef _MSM_COMPR_H
--#define _MSM_COMPR_H
--#include
--#include
--#include
--#include
--#include
--
--#include "msm-pcm-q6-v2.h"
--
--struct compr_info {
-- struct snd_compr_caps compr_cap;
-- struct snd_compr_codec_caps codec_caps;
-- struct snd_compr_params codec_param;
--};
--
--struct compr_audio {
-- struct msm_audio prtd;
-- struct compr_info info;
-- uint32_t codec;
--};
--
--#endif /*_MSM_COMPR_H*/
---
-cgit v1.1
-
diff --git a/Patches/Linux_CVEs/CVE-2017-9677/3.18/1.patch b/Patches/Linux_CVEs/CVE-2017-9677/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-9677/3.18/1.patch
rename to Patches/Linux_CVEs/CVE-2017-9677/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-9678/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9678/3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-9678/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-9678/3.18/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-9678/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-9678/4.4/0002.patch
new file mode 100644
index 00000000..6dfb96ca
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-9678/4.4/0002.patch
@@ -0,0 +1,42 @@
+From ad8e758d30164290a71d9c59fbf7854029556a3e Mon Sep 17 00:00:00 2001
+From: Harsh Sahu
+Date: Fri, 21 Apr 2017 16:12:22 -0700
+Subject: msm: mdss: fix memcpy source and dest memory buffer size mismatch
+
+Currently memcpy is copying from a bigger memory size to a smaller
+memory size. This change corrects this issue by performing the
+memcopy restricted to the smaller of the src or dest memory buffer.
+
+CRs-fixed: 2028228
+Change-Id: Ibbe5665083799a4262d3cfbb06f94f3e35e03748
+Signed-off-by: Harsh Sahu
+---
+ drivers/video/fbdev/msm/mdss_compat_utils.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/msm/mdss_compat_utils.c b/drivers/video/fbdev/msm/mdss_compat_utils.c
+index e9ba775..ba3dec2 100644
+--- a/drivers/video/fbdev/msm/mdss_compat_utils.c
++++ b/drivers/video/fbdev/msm/mdss_compat_utils.c
+@@ -119,6 +119,9 @@ static unsigned int __do_compat_ioctl_nr(unsigned int cmd32)
+ static void __copy_atomic_commit_struct(struct mdp_layer_commit *commit,
+ struct mdp_layer_commit32 *commit32)
+ {
++ unsigned int destSize = sizeof(commit->commit_v1.reserved);
++ unsigned int srcSize = sizeof(commit32->commit_v1.reserved);
++ unsigned int count = (destSize <= srcSize ? destSize : srcSize);
+ commit->version = commit32->version;
+ commit->commit_v1.flags = commit32->commit_v1.flags;
+ commit->commit_v1.input_layer_cnt =
+@@ -127,7 +130,7 @@ static void __copy_atomic_commit_struct(struct mdp_layer_commit *commit,
+ commit->commit_v1.right_roi = commit32->commit_v1.right_roi;
+ commit->commit_v1.bl_level = commit32->commit_v1.bl_level;
+ memcpy(&commit->commit_v1.reserved, &commit32->commit_v1.reserved,
+- sizeof(commit32->commit_v1.reserved));
++ count);
+ }
+
+ static struct mdp_input_layer32 *__create_layer_list32(
+--
+cgit v1.1
+
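Review bot: In `__copy_atomic_commit_struct`, when the native `reserved` array is the larger of the two, the clamped `memcpy` leaves the tail of `commit->commit_v1.reserved` unwritten, and nothing visible in the hunk zeroes the destination first. Unless the caller already clears `*commit`, a `memset(&commit->commit_v1.reserved, 0, sizeof(commit->commit_v1.reserved));` ahead of the copy would keep stale bytes out of a struct that is acted on afterwards. The three new locals could also collapse to `size_t count = min(sizeof(commit->commit_v1.reserved), sizeof(commit32->commit_v1.reserved));`, which follows kernel naming style and avoids narrowing `sizeof` to `unsigned int`. The function body is split across the two inner hunks and its caller is not shown.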
diff --git a/Patches/Linux_CVEs/CVE-2017-9679/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9679/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9679/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-9679/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9680/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9680/ANY/0001.patch similarity index 79% rename from Patches/Linux_CVEs/CVE-2017-9680/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-9680/ANY/0001.patch index 37486924..a58d2bd4 100644 --- a/Patches/Linux_CVEs/CVE-2017-9680/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2017-9680/ANY/0001.patch @@ -1,12 +1,11 @@ -From b256cd87d50eede2dae6185fbe8828d7223db0d6 Mon Sep 17 00:00:00 2001 +From dcd0a696c33dd3ab824151833d787f3ff90abbba Mon Sep 17 00:00:00 2001 From: Abir Ghosh Date: Tue, 11 Apr 2017 10:10:23 +0530 -Subject: [PATCH] qbt1000: Initialize drvdata structure before usage +Subject: qbt1000: Initialize drvdata structure before usage Fix uninitialized local variable error which might have lead to crash -Bug: 35764241 Change-Id: I3fd95cb343c3175e4190c8ebfe209399db0602a6 CRs-Fixed: 2030137 Signed-off-by: Abir Ghosh @@ -15,10 +14,10 @@ Signed-off-by: Abir Ghosh 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/soc/qcom/qbt1000.c b/drivers/soc/qcom/qbt1000.c -index f76cf0f45ecaa..bd6f0e6005f31 100755 +index b24978c..7f99c86 100644 --- a/drivers/soc/qcom/qbt1000.c +++ b/drivers/soc/qcom/qbt1000.c -@@ -752,13 +752,14 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long arg) +@@ -753,13 +753,14 @@ static long qbt1000_ioctl(struct file *file, unsigned cmd, unsigned long arg) void __user *priv_arg = (void __user *)arg; struct qbt1000_drvdata *drvdata; @@ -34,3 +33,6 @@ index f76cf0f45ecaa..bd6f0e6005f31 100755 pm_runtime_get_sync(drvdata->dev); mutex_lock(&drvdata->mutex); if (((drvdata->sensor_conn_type == SPI) && (!drvdata->clock_state)) || +-- +cgit v1.1 + 
diff --git a/Patches/Linux_CVEs/CVE-2017-9682/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9682/3.18/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-9682/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-9682/3.18/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-9682/4.4/0002.patch b/Patches/Linux_CVEs/CVE-2017-9682/4.4/0002.patch
new file mode 100644
index 00000000..7c9e3a92
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-9682/4.4/0002.patch
@@ -0,0 +1,33 @@
+From 1c4ddc4c7a4fcdf9371048ce01a6b0e5d2a2bae9 Mon Sep 17 00:00:00 2001
+From: Sunil Khatri
+Date: Thu, 6 Apr 2017 18:28:31 +0530
+Subject: msm: kgsl: Fix the race between context create and destroy
+
+Hold the context lock before updating the context id in
+param->drawctxt_id to avoid race condition between context
+creation and context destroy.
+
+Change-Id: Ic26d3e5b68078c02d15c38080b1a262ea4b1f7fe
+Signed-off-by: Sunil Khatri
+---
+ drivers/gpu/msm/kgsl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
+index 1de8e21..54f591e4 100644
+--- a/drivers/gpu/msm/kgsl.c
++++ b/drivers/gpu/msm/kgsl.c
+@@ -1764,9 +1764,9 @@ long kgsl_ioctl_drawctxt_create(struct kgsl_device_private *dev_priv,
+ /* Commit the pointer to the context in context_idr */
+ write_lock(&device->context_lock);
+ idr_replace(&device->context_idr, context, context->id);
++ param->drawctxt_id = context->id;
+ write_unlock(&device->context_lock);
+
+- param->drawctxt_id = context->id;
+ done:
+ return result;
+ }
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-9684/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9684/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-9684/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-9684/ANY/0001.patch
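Review bot: The assignment moved inside the `context_lock` section of `kgsl_ioctl_drawctxt_create` carries no comment saying why it has to stay there, so a later cleanup could hoist it back out. Going by the commit message, once `idr_replace` publishes the context a concurrent destroy can release it, and reading `context->id` after `write_unlock` would then touch freed memory; I would add `/* Read context->id under context_lock: after unlock a racing destroy may free the context */` above the new line. Whether the lock alone closes the window depends on the destroy path taking `context_lock` before it drops the context, which is outside this hunk and worth confirming. The function starts before the hunk.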
diff --git a/Patches/Linux_CVEs/CVE-2017-9684/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-9684/ANY/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-9684/ANY/1.patch
rename to Patches/Linux_CVEs/CVE-2017-9684/ANY/0002.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-9684/ANY/2.patch b/Patches/Linux_CVEs/CVE-2017-9684/ANY/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-9684/ANY/2.patch
rename to Patches/Linux_CVEs/CVE-2017-9684/ANY/0003.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-9686/3.18/0.patch b/Patches/Linux_CVEs/CVE-2017-9686/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-9686/3.18/0.patch
rename to Patches/Linux_CVEs/CVE-2017-9686/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-9687/3.18/0.patch b/Patches/Linux_CVEs/CVE-2017-9687/3.18/0.patch
deleted file mode 100644
index 8ad40b53..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9687/3.18/0.patch
+++ /dev/null
@@ -1,58 +0,0 @@ -From 34cff2eb2adc663de32ca682b57551c50c9253c6 Mon Sep 17 00:00:00 2001 -From: Skylar Chang -Date: Fri, 21 Apr 2017 10:42:57 -0700 -Subject: [PATCH] msm: ipa: fix IPC low priority logging - -Allocate IPC low priority on first usage only. - -Bug: 62827190 -Change-Id: Icea7f0fad9ed34c93641296f68736bbaf2e6eaa9 -CRs-Fixed: 2016076 -Acked-by: Ady Abraham -Signed-off-by: Skylar Chang ---- - drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c | 17 ++++++++--------- - 1 file changed, 8 insertions(+), 9 deletions(-) - -diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c b/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c -index 12127a2304bbc..66482e2dc0634 100644 ---- a/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c -+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c -@@ -105,6 +105,7 @@ static char dbg_buff[IPA_MAX_MSG_LEN]; - static char *active_clients_buf; - - static s8 ep_reg_idx; -+static void *ipa_ipc_low_buff; - - - static ssize_t ipa3_read_gen_reg(struct file *file, char __user *ubuf, -@@ -1610,22 +1611,20 @@ static ssize_t ipa3_enable_ipc_low(struct file *file, - if (kstrtos8(dbg_buff, 0, &option)) - return -EFAULT; - -+ mutex_lock(&ipa3_ctx->lock); - if (option) { -- if (!ipa3_ctx->logbuf_low) { -- ipa3_ctx->logbuf_low = -+ if (!ipa_ipc_low_buff) { -+ ipa_ipc_low_buff = - ipc_log_context_create(IPA_IPC_LOG_PAGES, - "ipa_low", 0); - } -- -- if (ipa3_ctx->logbuf_low == NULL) { -- IPAERR("failed to get logbuf_low\n"); -- return -EFAULT; -- } -+ if (ipa_ipc_low_buff == NULL) -+ IPAERR("failed to get logbuf_low\n"); -+ ipa3_ctx->logbuf_low = ipa_ipc_low_buff; - } else { -- if (ipa3_ctx->logbuf_low) -- ipc_log_context_destroy(ipa3_ctx->logbuf_low); - ipa3_ctx->logbuf_low = NULL; - } -+ mutex_unlock(&ipa3_ctx->lock); - - return count; - } diff --git a/Patches/Linux_CVEs/CVE-2017-9687/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9687/ANY/0001.patch new file mode 100644 index 00000000..71235954 --- /dev/null 
+++ b/Patches/Linux_CVEs/CVE-2017-9687/ANY/0001.patch
@@ -0,0 +1,60 @@
+From 8f1a77f5da53edd2b5a1c42ddd766712a90109d6 Mon Sep 17 00:00:00 2001
+From: Skylar Chang
+Date: Thu, 20 Apr 2017 10:25:43 -0700
+Subject: msm: gsi: fix IPC low priority logging
+
+Allocate IPC low priority on first usage only.
+
+Change-Id: Ic44f5af02d1d7fd72b255c8989cfc6b7dcd7766d
+CRs-Fixed: 2016076
+Acked-by: Ady Abraham
+Signed-off-by: Skylar Chang
+---
+ drivers/platform/msm/gsi/gsi_dbg.c | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/platform/msm/gsi/gsi_dbg.c b/drivers/platform/msm/gsi/gsi_dbg.c
+index 717c8917..eaf50ca 100644
+--- a/drivers/platform/msm/gsi/gsi_dbg.c
++++ b/drivers/platform/msm/gsi/gsi_dbg.c
+@@ -29,6 +29,7 @@
+
+ static struct dentry *dent;
+ static char dbg_buff[4096];
++static void *gsi_ipc_logbuf_low;
+
+ static void gsi_wq_print_dp_stats(struct work_struct *work);
+ static DECLARE_DELAYED_WORK(gsi_print_dp_stats_work, gsi_wq_print_dp_stats);
+@@ -764,22 +765,20 @@ static ssize_t gsi_enable_ipc_low(struct file *file,
+ if (kstrtos8(dbg_buff, 0, &option))
+ return -EFAULT;
+
++ mutex_lock(&gsi_ctx->mlock);
+ if (option) {
+- if (!gsi_ctx->ipc_logbuf_low) {
+- gsi_ctx->ipc_logbuf_low =
++ if (!gsi_ipc_logbuf_low) {
++ gsi_ipc_logbuf_low =
+ ipc_log_context_create(GSI_IPC_LOG_PAGES,
+ "gsi_low", 0);
++ if (gsi_ipc_logbuf_low == NULL)
++ TERR("failed to get ipc_logbuf_low\n");
+ }
+-
+- if (gsi_ctx->ipc_logbuf_low == NULL) {
+- TERR("failed to get ipc_logbuf_low\n");
+- return -EFAULT;
+- }
++ gsi_ctx->ipc_logbuf_low = gsi_ipc_logbuf_low;
+ } else {
+- if (gsi_ctx->ipc_logbuf_low)
+- ipc_log_context_destroy(gsi_ctx->ipc_logbuf_low);
+ gsi_ctx->ipc_logbuf_low = NULL;
+ }
++ mutex_unlock(&gsi_ctx->mlock);
+
+ return count;
+ }
+--
+cgit v1.1
+
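Review bot: In the new `gsi_enable_ipc_low` body a failed `ipc_log_context_create()` is only logged with `TERR` and the function still returns `count`, where the removed lines returned `-EFAULT`; the writer is told the option took effect while `gsi_ctx->ipc_logbuf_low` stays NULL. I would keep an error return on that path, set after `mutex_unlock(&gsi_ctx->mlock)` through a local `ret` so the lock is not leaked. The disable branch also no longer calls `ipc_log_context_destroy()`, so the buffer is never freed in this function. A one-line comment on `gsi_ipc_logbuf_low` saying it is kept on purpose (presumably because loggers read `ipc_logbuf_low` without taking the mutex) would stop someone re-adding the destroy. The function starts outside the inner hunk.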
diff --git a/Patches/Linux_CVEs/CVE-2017-9691/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9691/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9691/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-9691/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9691/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-9691/ANY/0002.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9691/ANY/1.patch rename to Patches/Linux_CVEs/CVE-2017-9691/ANY/0002.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9692/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9692/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9692/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-9692/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9693/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9693/ANY/0001.patch similarity index 56% rename from Patches/Linux_CVEs/CVE-2017-9693/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-9693/ANY/0001.patch index c63ea19e..8f77168b 100644 --- a/Patches/Linux_CVEs/CVE-2017-9693/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2017-9693/ANY/0001.patch @@ -1,8 +1,7 @@ -From 41c47c76d3672de1a091b53878e1abad583b413d Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Thu, 25 May 2017 15:16:36 -0700 -Subject: [PATCH] qcacld-2.0: Trim extn capability to max supported in change - station +From 05a5abb21e4d97001f77d344444a3ec2f9c275f9 Mon Sep 17 00:00:00 2001 +From: SaidiReddy Yenuga +Date: Tue, 16 May 2017 19:02:16 +0530 +Subject: qcacld-2.0: Trim extn capability to max supported in change station extn capabilities can be controlled by user, which can be sent greater than the max supported value. This results 
@@ -14,27 +13,24 @@ value. CRs-Fixed: 2044820 Change-Id: I531799dd06c41069e85ad969de6182363dbf9f05 -Bug: 36817798 -Signed-off-by: Srinivas Girigowda --- - drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) + CORE/HDD/src/wlan_hdd_cfg80211.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index 3580d2b73494b..0fd39f568de4d 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -14887,9 +14887,16 @@ static int __wlan_hdd_change_station(struct wiphy *wiphy, +diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c +index 19c2c61..e1f5f0a 100644 +--- a/CORE/HDD/src/wlan_hdd_cfg80211.c ++++ b/CORE/HDD/src/wlan_hdd_cfg80211.c +@@ -16209,9 +16209,15 @@ static int __wlan_hdd_change_station(struct wiphy *wiphy, StaParams.supported_oper_classes_len = params->supported_oper_classes_len; + if (params->ext_capab_len > sizeof(StaParams.extn_capability)) { + VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO, -+ "received extn capabilities: %d, reset to max supported", ++ "received extn capabilities:%d, resetting it to max supported", + params->ext_capab_len); + params->ext_capab_len = sizeof(StaParams.extn_capability); + } -+ if (0 != params->ext_capab_len) vos_mem_copy(StaParams.extn_capability, params->ext_capab, - sizeof(StaParams.extn_capability)); @@ -42,3 +38,6 @@ index 3580d2b73494b..0fd39f568de4d 100644 if (NULL != params->ht_capa) { StaParams.htcap_present = 1; +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-9694/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9694/ANY/0.patch deleted file mode 100644 index 3ce016ee..00000000 --- a/Patches/Linux_CVEs/CVE-2017-9694/ANY/0.patch +++ /dev/null 
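Review bot: The replacement patch for CVE-2017-9693 changes the target path from `drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c` to `CORE/HDD/src/wlan_hdd_cfg80211.c`, so it is now relative to the qcacld-2.0 repository root rather than the kernel tree. If the patches under `ANY` are applied from the kernel root, this one will not find its file unless the apply step passes something like `git apply --directory=drivers/staging/qcacld-2.0`, and a patch that is skipped on failure leaves the length clamp in `__wlan_hdd_change_station` missing. The new CVE-2017-9694/ANY/0001.patch uses the same path form. It is worth confirming how the apply script treats these two before relying on them.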
@@ -1,35 +0,0 @@ -From 7f60f02336d5506aeb81c5fec9e213f729fb83e6 Mon Sep 17 00:00:00 2001 -From: Srinivas Girigowda -Date: Thu, 25 May 2017 15:12:16 -0700 -Subject: [PATCH] qcacld-2.0: Add lost AP sample size entry to nla policy - -Incorrect validation of -QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_LOST_AP_SAMPLE_SIZE -results in assigning an unchecked user-controller value. -This can lead to buffer overflow. - -validate - QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_LOST_AP_SAMPLE_SIZE. - -CRs-Fixed: 2045470 -Change-Id: I7c33b6d78054672e9effbe9100c29e5604c250c6 -Bug: 36818198 -Signed-off-by: Srinivas Girigowda ---- - drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index d5e63ef797c91..3580d2b73494b 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -852,6 +852,9 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_ - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_RSSI_LOW] = { .type = NLA_S32 }, - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_RSSI_HIGH] = { .type = NLA_S32 }, - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_CONFIGURATION_FLAGS] = { .type = NLA_U32 }, -+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_LOST_AP_SAMPLE_SIZE] = { -+ .type = NLA_U32 -+ }, - }; - - static const struct nla_policy diff --git a/Patches/Linux_CVEs/CVE-2017-9694/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9694/ANY/0001.patch new file mode 100644 index 00000000..bdc5a5ca --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-9694/ANY/0001.patch 
@@ -0,0 +1,33 @@ +From 1e47d44de7bab5500d27f17ae5c4ebebc7d2b4ef Mon Sep 17 00:00:00 2001 +From: SaidiReddy Yenuga +Date: Tue, 16 May 2017 18:00:47 +0530 +Subject: qcacld-2.0: Add lost AP sample size entry to nla policy + +improper validation of +QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_LOST_AP_SAMPLE_SIZE +results in assigning an unchecked user-controller value. +This can lead to buffer overflow. + +validate QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_LOST_AP_SAMPLE_SIZE. + +CRs-Fixed: 2045470 +Change-Id: I7c33b6d78054672e9effbe9100c29e5604c250c6 +--- + CORE/HDD/src/wlan_hdd_cfg80211.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c +index b53ba75..69b13b5 100644 +--- a/CORE/HDD/src/wlan_hdd_cfg80211.c ++++ b/CORE/HDD/src/wlan_hdd_cfg80211.c +@@ -837,6 +837,7 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_ + [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_RSSI_LOW] = { .type = NLA_S32 }, + [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_RSSI_HIGH] = { .type = NLA_S32 }, + [QCA_WLAN_VENDOR_ATTR_EXTSCAN_CONFIGURATION_FLAGS] = { .type = NLA_U32 }, ++ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_LOST_AP_SAMPLE_SIZE] = { .type = NLA_U32 }, + }; + + static const struct nla_policy +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-9697/3.18/0.patch b/Patches/Linux_CVEs/CVE-2017-9697/ANY/0001.patch similarity index 63% rename from Patches/Linux_CVEs/CVE-2017-9697/3.18/0.patch rename to Patches/Linux_CVEs/CVE-2017-9697/ANY/0001.patch index ec34d811..9e19707d 100644 --- a/Patches/Linux_CVEs/CVE-2017-9697/3.18/0.patch +++ b/Patches/Linux_CVEs/CVE-2017-9697/ANY/0001.patch @@ -1,7 +1,7 @@ -From 4b788ca419ec37e4cdb421fef9edc208a491ce30 Mon Sep 17 00:00:00 2001 +From 7e45e3a6c1f6dd46d71fb6824a7cf702d2e79225 Mon Sep 17 00:00:00 2001 
From: Mohit Aggarwal Date: Thu, 25 May 2017 20:21:12 +0530 -Subject: [PATCH] diag: Synchronize command registration table access +Subject: diag: Synchronize command registration table access Currently, command registration table is being read in debugfs without any protection which may lead to @@ -9,24 +9,17 @@ access of stale entries. The patch takes care of the issue by adding proper protection. CRs-Fixed: 2032672 -Bug: 63868628 Change-Id: I6ae058c16873f9ed52ae6516a1a70fd6d2d0da80 Signed-off-by: Mohit Aggarwal --- - drivers/char/diag/diag_debugfs.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) + drivers/char/diag/diag_debugfs.c | 4 ++++ + 1 file changed, 4 insertions(+) diff --git a/drivers/char/diag/diag_debugfs.c b/drivers/char/diag/diag_debugfs.c -index f5e4eba1e96bc..b66c8cb8257c2 100644 +index ca7dd88..86e626d 100644 --- a/drivers/char/diag/diag_debugfs.c +++ b/drivers/char/diag/diag_debugfs.c -@@ -1,4 +1,4 @@ --/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved. -+/* Copyright (c) 2011-2017, The Linux Foundation. All rights reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 and -@@ -268,8 +268,10 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf, +@@ -273,8 +273,10 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf, struct list_head *temp; struct diag_cmd_reg_t *item = NULL; @@ -37,7 +30,7 @@ index f5e4eba1e96bc..b66c8cb8257c2 100644 return 0; } -@@ -278,6 +280,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf, +@@ -283,6 +285,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf, buf = kzalloc(sizeof(char) * buf_size, GFP_KERNEL); if (ZERO_OR_NULL_PTR(buf)) { pr_err("diag: %s, Error allocating memory\n", __func__); 
@@ -45,7 +38,7 @@ index f5e4eba1e96bc..b66c8cb8257c2 100644 return -ENOMEM; } buf_size = ksize(buf); -@@ -322,6 +325,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf, +@@ -327,6 +330,7 @@ static ssize_t diag_dbgfs_read_table(struct file *file, char __user *ubuf, break; } diag_dbgfs_table_index = i; @@ -53,3 +46,6 @@ index f5e4eba1e96bc..b66c8cb8257c2 100644 *ppos = 0; ret = simple_read_from_buffer(ubuf, count, ppos, buf, bytes_in_buffer); +-- +cgit v1.1 + diff --git a/Patches/Linux_CVEs/CVE-2017-9706/3.10/0.patch b/Patches/Linux_CVEs/CVE-2017-9706/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9706/3.10/0.patch rename to Patches/Linux_CVEs/CVE-2017-9706/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9714/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9714/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9714/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-9714/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9714/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-9714/ANY/1.patch deleted file mode 100644 index 6ff454e6..00000000 --- a/Patches/Linux_CVEs/CVE-2017-9714/ANY/1.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 822958b55703d8a3d7f7e2d9b1cd1736c9878a3b Mon Sep 17 00:00:00 2001 -From: Kapil Gupta -Date: Tue, 16 May 2017 12:39:54 +0530 -Subject: [PATCH] qcacld-2.0: Drop assoc request if RSNIE/WPAIE parsing fail - -Add changes to drop assoc request and return error if RSNIE or -WPAIE parsing fail during parsing of assoc request. - -Bug: 63868020 - -CRs-Fixed: 2046578 -Change-Id: I88d779399c2eba5d33c30144bf9600a1f3a00b77 -Signed-off-by: Ecco Park ---- - .../CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c | 23 ++++++++++++++++++---- - 1 file changed, 19 insertions(+), 4 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c -index 4e7fbe2341811..5e2bb2dd04f2c 100644 ---- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c -+++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c -@@ -711,10 +711,18 @@ limProcessAssocReqFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, - if(pAssocReq->rsn.length) - { - // Unpack the RSN IE -- dot11fUnpackIeRSN(pMac, -+ if (dot11fUnpackIeRSN(pMac, - &pAssocReq->rsn.info[0], - pAssocReq->rsn.length, -- &Dot11fIERSN); -+ &Dot11fIERSN) != DOT11F_PARSE_SUCCESS) -+ { -+ limLog(pMac, LOG1, -+ FL("Invalid RSNIE received")); -+ limSendAssocRspMgmtFrame(pMac, -+ eSIR_MAC_INVALID_RSN_IE_CAPABILITIES_STATUS, -+ 1, pHdr->sa, subType, 0,psessionEntry); -+ goto error; -+ } - - /* Check RSN version is supported or not */ - if(SIR_MAC_OUI_VERSION_1 == Dot11fIERSN.version) -@@ -780,10 +788,17 @@ limProcessAssocReqFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, - // Unpack the WPA IE - if(pAssocReq->wpa.length) - { -- dot11fUnpackIeWPA(pMac, -+ if (dot11fUnpackIeWPA(pMac, - &pAssocReq->wpa.info[4], //OUI is not taken care - pAssocReq->wpa.length, -- &Dot11fIEWPA); -+ &Dot11fIEWPA) != DOT11F_PARSE_SUCCESS) -+ { -+ limLog(pMac, LOGE, FL("Invalid WPA IE")); -+ 
limSendAssocRspMgmtFrame(pMac, -+ eSIR_MAC_INVALID_INFORMATION_ELEMENT_STATUS, -+ 1, pHdr->sa, subType, 0,psessionEntry); -+ goto error; -+ } - /* check the groupwise and pairwise cipher suites */ - if(eSIR_SUCCESS != (status = limCheckRxWPAIeMatch(pMac, Dot11fIEWPA, psessionEntry, pAssocReq->HTCaps.present))) - { diff --git a/Patches/Linux_CVEs/CVE-2017-9715/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9715/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9715/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-9715/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9715/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-9715/ANY/1.patch deleted file mode 100644 index fb016fef..00000000 --- a/Patches/Linux_CVEs/CVE-2017-9715/ANY/1.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From ed6814c11abf9f96d4060b2825c50842ef83bdba Mon Sep 17 00:00:00 2001 -From: Jeff Johnson -Date: Tue, 6 Jun 2017 08:56:33 -0700 -Subject: [PATCH] qcacld-2.0: Avoid extscan bucket spec overread - -Currently in hdd_extscan_start_fill_bucket_channel_spec() the -QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC attribute is parsed without -specifying a policy. This means that no policy is enforced. -Subsequently the values of the nested attributes are retrieved, but -again without any length limits enforced. This could result in a -buffer overread. -To prevent this issue: -* Parse using the existing policy wlan_hdd_extscan_config_policy -* Update the policy to add missing attributes - -Bug: 36730104 -Change-Id: I3b20cb28d1beccd2e804b022b531413ad1edb533 -CRs-Fixed: 2057034 -Signed-off-by: Ecco Park ---- - drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index 5ca269bab9cf6..da139cf225ce2 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -845,6 +845,9 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_ - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_LOST_AP_SAMPLE_SIZE] = { .type = NLA_U32 }, - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_MIN_BREACHING] = { .type = NLA_U32 }, - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP] = { .type = NLA_U32 }, -+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_MAX_PERIOD] = { .type = NLA_U32 }, -+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_BASE] = { .type = NLA_U32 }, -+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_STEP_COUNT] = { .type = NLA_U32 }, - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_SSID] = { .type = NLA_BINARY, - .len = IEEE80211_MAX_SSID_LEN + 
1 }, - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_HOTLIST_PARAMS_LOST_SSID_SAMPLE_SIZE] = { .type = NLA_U32 }, -@@ -3448,8 +3451,9 @@ static int hdd_extscan_start_fill_bucket_channel_spec( - } - - if (nla_parse(bucket, -- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX, -- nla_data(buckets), nla_len(buckets), NULL)) { -+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX, -+ nla_data(buckets), nla_len(buckets), -+ wlan_hdd_extscan_config_policy)) { - hddLog(LOGE, FL("nla_parse failed")); - return -EINVAL; - } diff --git a/Patches/Linux_CVEs/CVE-2017-9717/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9717/ANY/0001.patch similarity index 100% rename from Patches/Linux_CVEs/CVE-2017-9717/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-9717/ANY/0001.patch diff --git a/Patches/Linux_CVEs/CVE-2017-9717/ANY/1.patch b/Patches/Linux_CVEs/CVE-2017-9717/ANY/1.patch deleted file mode 100644 index fcbe2bd6..00000000 --- a/Patches/Linux_CVEs/CVE-2017-9717/ANY/1.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 68898d364c0f67100186663af55e0b9fd38de7a9 Mon Sep 17 00:00:00 2001 -From: SaidiReddy Yenuga -Date: Thu, 25 May 2017 15:53:53 +0530 -Subject: [PATCH] qcacld-2.0: Add get valid channels entry to NLA policy - -improper validation of -QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_VALID_CHANNELS_CONFIG_PARAM_MAX_CHANNELS. - -validate QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_VALID_CHANNELS_CONFIG_PARAM_MAX_CHANNELS. - -Bug: 36817053 - -CRs-Fixed: 2051450 -Change-Id: I16e5808492b5b35dc8b646af45d6ac6d65561804 -Signed-off-by: Ecco Park ---- - drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -index c7d271f91ceb9..b788566363d87 100644 ---- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c -@@ -815,6 +815,7 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_ - { - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_REQUEST_ID] = { .type = NLA_U32 }, - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_VALID_CHANNELS_CONFIG_PARAM_WIFI_BAND] = { .type = NLA_U32 }, -+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_VALID_CHANNELS_CONFIG_PARAM_MAX_CHANNELS] = { .type = NLA_U32 }, - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC_CHANNEL] = { .type = NLA_U32 }, - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC_DWELL_TIME] = { .type = NLA_U32 }, - [QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC_PASSIVE] = { .type = NLA_U8 }, diff --git a/Patches/Linux_CVEs/CVE-2017-9719/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9719/ANY/0001.patch new file mode 100644 index 00000000..ed13eefa --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-9719/ANY/0001.patch 
@@ -0,0 +1,47 @@
+From a491499c3490999555b7ccf8ad1a7d6455625807 Mon Sep 17 00:00:00 2001
+From: zhaoyuan
+Date: Mon, 20 Feb 2017 13:42:20 +0800
+Subject: msm: mdss: hdmi: check up-bound of CEC frame size
+
+the spec says the frame size will not be greater than
+14, but this have a security hole when somebody sends
+a message with a size greater than 14. So need check
+up-boud of the CEC frame size.
+
+Change-Id: I743208badc5e77ae911cfb2d102f758d4843138f
+Signed-off-by: zhaoyuan
+---
+ drivers/video/msm/mdss/mdss_hdmi_cec.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/video/msm/mdss/mdss_hdmi_cec.c b/drivers/video/msm/mdss/mdss_hdmi_cec.c
+index a424d98..a4ed012 100644
+--- a/drivers/video/msm/mdss/mdss_hdmi_cec.c
++++ b/drivers/video/msm/mdss/mdss_hdmi_cec.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -196,7 +196,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)
+ msg.sender_id, msg.recvr_id,
+ msg.frame_size);
+
+- if (msg.frame_size < 1) {
++ if (msg.frame_size < 1 || msg.frame_size > MAX_CEC_FRAME_SIZE) {
+ DEV_ERR("%s: invalid message (frame length = %d)\n",
+ __func__, msg.frame_size);
+ return;
+@@ -216,7 +216,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)
+ msg.operand[i] = data & 0xFF;
+ }
+
+- for (; i < 14; i++)
++ for (; i < MAX_OPERAND_SIZE; i++)
+ msg.operand[i] = 0;
+
+ DEV_DBG("%s: opcode 0x%x, wakup_en %d, device_suspend %d\n", __func__,
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-9719/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-9719/ANY/0002.patch
new file mode 100644
index 00000000..3c4d99fe
--- /dev/null
+++ b/Patches/Linux_CVEs/CVE-2017-9719/ANY/0002.patch
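Review bot: The new upper bound in `hdmi_cec_msg_recv` depends on `MAX_CEC_FRAME_SIZE` and `MAX_OPERAND_SIZE`, neither of which this patch defines or changes, and the loop that fills `msg.operand[i]` sits between the two inner hunks where it cannot be seen. Before relying on the patch, confirm in the target tree that both macros exist and that a frame of `MAX_CEC_FRAME_SIZE` bytes never yields more operands than `msg.operand` can hold; otherwise the check admits frames the copy loop cannot store, or the patch does not build. A comment on the check, for example `/* frame_size bounds the operand copy below; reject anything above MAX_CEC_FRAME_SIZE */`, would record that link. CVE-2017-9719/ANY/0002.patch is the same change against `drivers/video/fbdev/msm/`, so the same applies there.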
@@ -0,0 +1,47 @@
+From d815f54f15d765b5e0035a9d208d71567bcaace0 Mon Sep 17 00:00:00 2001
+From: zhaoyuan
+Date: Mon, 20 Feb 2017 13:42:20 +0800
+Subject: msm: mdss: hdmi: check up-bound of CEC frame size
+
+the spec says the frame size will not be greater than
+14, but this have a security hole when somebody sends
+a message with a size greater than 14. So need check
+up-boud of the CEC frame size.
+
+Change-Id: I743208badc5e77ae911cfb2d102f758d4843138f
+Signed-off-by: zhaoyuan
+---
+ drivers/video/fbdev/msm/mdss_hdmi_cec.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/video/fbdev/msm/mdss_hdmi_cec.c b/drivers/video/fbdev/msm/mdss_hdmi_cec.c
+index a424d98..a4ed012 100644
+--- a/drivers/video/fbdev/msm/mdss_hdmi_cec.c
++++ b/drivers/video/fbdev/msm/mdss_hdmi_cec.c
+@@ -1,4 +1,4 @@
+-/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
++/* Copyright (c) 2010-2017, The Linux Foundation. All rights reserved.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 and
+@@ -196,7 +196,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)
+ msg.sender_id, msg.recvr_id,
+ msg.frame_size);
+
+- if (msg.frame_size < 1) {
++ if (msg.frame_size < 1 || msg.frame_size > MAX_CEC_FRAME_SIZE) {
+ DEV_ERR("%s: invalid message (frame length = %d)\n",
+ __func__, msg.frame_size);
+ return;
+@@ -216,7 +216,7 @@ static void hdmi_cec_msg_recv(struct work_struct *work)
+ msg.operand[i] = data & 0xFF;
+ }
+
+- for (; i < 14; i++)
++ for (; i < MAX_OPERAND_SIZE; i++)
+ msg.operand[i] = 0;
+
+ DEV_DBG("%s: opcode 0x%x, wakup_en %d, device_suspend %d\n", __func__,
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-9720/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9720/ANY/0001.patch similarity index 71% rename from Patches/Linux_CVEs/CVE-2017-9720/ANY/0.patch rename to Patches/Linux_CVEs/CVE-2017-9720/ANY/0001.patch index ef6036d0..fbda8515 100644 --- a/Patches/Linux_CVEs/CVE-2017-9720/ANY/0.patch +++ b/Patches/Linux_CVEs/CVE-2017-9720/ANY/0001.patch @@ -1,29 +1,31 @@ -From c74dbab508c7c07d8e2cf8230cc78bff4b710272 Mon Sep 17 00:00:00 2001 +From 737f415a5c637802786ec6d36288220cb4d3ae4d Mon Sep 17 00:00:00 2001 From: Fei Zhang -Date: Wed, 17 May 2017 15:33:02 +0800 +Date: Wed, 17 May 2017 14:14:54 +0800 Subject: msm:camera: correct stats query out of boundary fix one potential out of boundary query of stats info. -Bug: 36264696 Change-Id: I13e4bf8802fcce529f9268c272e4727619d5ad8f Signed-off-by: Fei Zhang --- drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) + mode change 100644 => 100755 drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c -index a0eed95..82da3e0 100644 +old mode 100644 +new mode 100755 +index d4d2c82..8d2d8e7 --- a/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c 
+++ b/drivers/media/platform/msm/camera_v2/isp/msm_isp_stats_util.c -@@ -803,7 +803,7 @@ int msm_isp_update_stats_stream(struct vfe_device *vfe_dev, void *arg) - update_info = &update_cmd->update_info[i]; +@@ -885,7 +885,7 @@ int msm_isp_update_stats_stream(struct vfe_device *vfe_dev, void *arg) + &update_cmd->update_info[i]; /*check array reference bounds*/ if (STATS_IDX(update_info->stream_handle) - > vfe_dev->hw_info->stats_hw_info->num_stats_type) { + >= vfe_dev->hw_info->stats_hw_info->num_stats_type) { pr_err("%s: stats idx %d out of bound!", __func__, - STATS_IDX(update_info->stream_handle)); + STATS_IDX(update_info->stream_handle)); return -EINVAL; -- cgit v1.1 diff --git a/Patches/Linux_CVEs/CVE-2017-9720/ANY/0002.patch b/Patches/Linux_CVEs/CVE-2017-9720/ANY/0002.patch new file mode 100644 index 00000000..2b1f0f4c --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-9720/ANY/0002.patch 
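Review bot: The replacement CVE-2017-9720/ANY/0001.patch now carries `old mode 100644` / `new mode 100755` for `msm_isp_stats_util.c`, which marks a C source file executable and has nothing to do with the `>` to `>=` bounds fix in `msm_isp_update_stats_stream`. I would strip the mode change from the stored patch (the `mode change`, `old mode` and `new mode` lines, with the mode restored on the `index` line) so that applying it does not alter file permissions in the kernel tree. The inner hunk offset also moved from 803 to 885 and its context lines changed, so the patch was evidently taken from a different branch. It is worth confirming that it still applies cleanly to the trees that consume `ANY`.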
@@ -0,0 +1,30 @@
+From 2c5616295a5411812188f515d6ecf1984b9c1798 Mon Sep 17 00:00:00 2001
+From: Terence Ho
+Date: Wed, 14 Jun 2017 14:17:50 -0400
+Subject: msm:camera: correct stats query out of boundary
+
+fix one potential out of boundary query of stats info.
+
+Change-Id: Ic3224f2f08e6dd2bb05a846d0300df251f9fb192
+CRs-Fixed: 2041066
+Signed-off-by: Terence Ho
+---
+ drivers/media/platform/msm/ais/isp/msm_isp_stats_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/media/platform/msm/ais/isp/msm_isp_stats_util.c b/drivers/media/platform/msm/ais/isp/msm_isp_stats_util.c
+index feb4a62..1b24a13 100644
+--- a/drivers/media/platform/msm/ais/isp/msm_isp_stats_util.c
++++ b/drivers/media/platform/msm/ais/isp/msm_isp_stats_util.c
+@@ -890,7 +890,7 @@ int msm_isp_update_stats_stream(struct vfe_device *vfe_dev, void *arg)
+ &update_cmd->update_info[i];
+ /* check array reference bounds */
+ if (STATS_IDX(update_info->stream_handle)
+- > vfe_dev->hw_info->stats_hw_info->num_stats_type) {
++ >= vfe_dev->hw_info->stats_hw_info->num_stats_type) {
+ pr_err("%s: stats idx %d out of bound!", __func__,
+ STATS_IDX(update_info->stream_handle));
+ return -EINVAL;
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/CVE-2017-9724/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9724/ANY/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/CVE-2017-9724/ANY/0.patch
rename to Patches/Linux_CVEs/CVE-2017-9724/ANY/0001.patch
diff --git a/Patches/Linux_CVEs/CVE-2017-9725/ANY/0.patch b/Patches/Linux_CVEs/CVE-2017-9725/ANY/0.patch
deleted file mode 100644
index d34ee8d6..00000000
--- a/Patches/Linux_CVEs/CVE-2017-9725/ANY/0.patch
+++ /dev/null
@@ -1,79 +0,0 @@ -From 5479a3c164c8762b5bf91c5fae452882366adb6a Mon Sep 17 00:00:00 2001 -From: Maggie White -Date: Wed, 5 Jul 2017 16:47:15 -0700 -Subject: mm: Fix incorrect type conversion for size during dma allocation - -This was found during userspace fuzzing test when a large size -allocation is made from ion - -[] show_stack+0x10/0x1c -[] dump_stack+0x74/0xc8 -[] kasan_report_error+0x2b0/0x408 -[] kasan_report+0x34/0x40 -[] __asan_storeN+0x15c/0x168 -[] memset+0x20/0x44 -[] __dma_alloc_coherent+0x114/0x18c -[] __dma_alloc_noncoherent+0xbc/0x19c -[] ion_cma_allocate+0x178/0x2f0 -[] ion_secure_cma_allocate+0xdc/0x190 -[] ion_alloc+0x264/0xb88 -[] ion_ioctl+0x1f4/0x480 -[] do_vfs_ioctl+0x67c/0x764 -[] SyS_ioctl+0x58/0x8c - -Bug: 38195738 -Signed-off-by: Rohit Vaswani -Signed-off-by: Maggie White -Change-Id: I6b1a0a3eaec10500cd4e73290efad4023bc83da5 ---- - drivers/base/dma-contiguous.c | 4 ++-- - include/linux/dma-contiguous.h | 4 ++-- - 2 files changed, 4 insertions(+), 4 deletions(-) - -diff --git a/drivers/base/dma-contiguous.c b/drivers/base/dma-contiguous.c -index f6e779e..9313bfc1 100644 ---- a/drivers/base/dma-contiguous.c -+++ b/drivers/base/dma-contiguous.c -@@ -589,7 +589,7 @@ static void clear_cma_bitmap(struct cma *cma, unsigned long pfn, int count) - * global one. Requires architecture specific get_dev_cma_area() helper - * function. 
- */ --unsigned long dma_alloc_from_contiguous(struct device *dev, int count, -+unsigned long dma_alloc_from_contiguous(struct device *dev, size_t count, - unsigned int align) - { - unsigned long mask, pfn = 0, pageno, start = 0; -@@ -604,7 +604,7 @@ unsigned long dma_alloc_from_contiguous(struct device *dev, int count, - if (align > CONFIG_CMA_ALIGNMENT) - align = CONFIG_CMA_ALIGNMENT; - -- pr_debug("%s(cma %p, count %d, align %d)\n", __func__, (void *)cma, -+ pr_debug("%s(cma %p, count %zu, align %d)\n", __func__, (void *)cma, - count, align); - - if (!count) -diff --git a/include/linux/dma-contiguous.h b/include/linux/dma-contiguous.h -index 9e6fee9..d8d124e 100644 ---- a/include/linux/dma-contiguous.h -+++ b/include/linux/dma-contiguous.h -@@ -117,7 +117,7 @@ static inline int dma_declare_contiguous_reserved(struct device *dev, - return ret; - } - --unsigned long dma_alloc_from_contiguous(struct device *dev, int count, -+unsigned long dma_alloc_from_contiguous(struct device *dev, size_t count, - unsigned int order); - bool dma_release_from_contiguous(struct device *dev, unsigned long pfn, - int count); -@@ -136,7 +136,7 @@ int dma_declare_contiguous(struct device *dev, phys_addr_t size, - } - - static inline --unsigned long dma_alloc_from_contiguous(struct device *dev, int count, -+unsigned long dma_alloc_from_contiguous(struct device *dev, size_t count, - unsigned int order) - { - return 0; --- -cgit v1.1 - diff --git a/Patches/Linux_CVEs/CVE-2017-9725/ANY/0001.patch b/Patches/Linux_CVEs/CVE-2017-9725/ANY/0001.patch new file mode 100644 index 00000000..4b363ca8 --- /dev/null +++ b/Patches/Linux_CVEs/CVE-2017-9725/ANY/0001.patch 
@@ -0,0 +1,105 @@
+From 1f8f9b566e8446c13b954220c226c58d22076f88 Mon Sep 17 00:00:00 2001
+From: Rohit Vaswani
+Date: Thu, 17 Sep 2015 17:28:13 -0700
+Subject: mm: Fix incorrect type conversion for size during dma allocation
+
+This was found during userspace fuzzing test when a large size
+allocation is made from ion
+
+[] show_stack+0x10/0x1c
+[] dump_stack+0x74/0xc8
+[] kasan_report_error+0x2b0/0x408
+[] kasan_report+0x34/0x40
+[] __asan_storeN+0x15c/0x168
+[] memset+0x20/0x44
+[] __dma_alloc_coherent+0x114/0x18c
+[] __dma_alloc_noncoherent+0xbc/0x19c
+[] ion_cma_allocate+0x178/0x2f0
+[] ion_secure_cma_allocate+0xdc/0x190
+[] ion_alloc+0x264/0xb88
+[] ion_ioctl+0x1f4/0x480
+[] do_vfs_ioctl+0x67c/0x764
+[] SyS_ioctl+0x58/0x8c
+
+Change-Id: Idc9c19977a8cc62c7d092f689d30368704b400bc
+Signed-off-by: Rohit Vaswani
+---
+ drivers/base/dma-contiguous.c | 2 +-
+ include/linux/cma.h | 3 ++-
+ include/linux/dma-contiguous.h | 4 ++--
+ mm/cma.c | 4 ++--
+ 4 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/base/dma-contiguous.c b/drivers/base/dma-contiguous.c
+index 950fff9..a12ff98 100644
+--- a/drivers/base/dma-contiguous.c
++++ b/drivers/base/dma-contiguous.c
+@@ -187,7 +187,7 @@ int __init dma_contiguous_reserve_area(phys_addr_t size, phys_addr_t base,
+ * global one. Requires architecture specific dev_get_cma_area() helper
+ * function.
+ */
+-struct page *dma_alloc_from_contiguous(struct device *dev, int count,
++struct page *dma_alloc_from_contiguous(struct device *dev, size_t count,
+ unsigned int align)
+ {
+ if (align > CONFIG_CMA_ALIGNMENT)
+diff --git a/include/linux/cma.h b/include/linux/cma.h
+index a93438b..a76f8df 100644
+--- a/include/linux/cma.h
++++ b/include/linux/cma.h
+@@ -25,6 +25,7 @@ extern int __init cma_declare_contiguous(phys_addr_t base,
+ extern int cma_init_reserved_mem(phys_addr_t base,
+ phys_addr_t size, int order_per_bit,
+ struct cma **res_cma);
+-extern struct page *cma_alloc(struct cma *cma, int count, unsigned int align);
++extern struct page *cma_alloc(struct cma *cma, size_t count,
++ unsigned int align);
+ extern bool cma_release(struct cma *cma, struct page *pages, int count);
+ #endif
+diff --git a/include/linux/dma-contiguous.h b/include/linux/dma-contiguous.h
+index 569bbd0..fec734d 100644
+--- a/include/linux/dma-contiguous.h
++++ b/include/linux/dma-contiguous.h
+@@ -111,7 +111,7 @@ static inline int dma_declare_contiguous(struct device *dev, phys_addr_t size,
+ return ret;
+ }
+
+-struct page *dma_alloc_from_contiguous(struct device *dev, int count,
++struct page *dma_alloc_from_contiguous(struct device *dev, size_t count,
+ unsigned int order);
+ bool dma_release_from_contiguous(struct device *dev, struct page *pages,
+ int count);
+@@ -144,7 +144,7 @@ int dma_declare_contiguous(struct device *dev, phys_addr_t size,
+ }
+
+ static inline
+-struct page *dma_alloc_from_contiguous(struct device *dev, int count,
++struct page *dma_alloc_from_contiguous(struct device *dev, size_t count,
+ unsigned int order)
+ {
+ return NULL;
+diff --git a/mm/cma.c b/mm/cma.c
+index 8e9ec13..6343f77 100644
+--- a/mm/cma.c
++++ b/mm/cma.c
+@@ -338,7 +338,7 @@ err:
+ * This function allocates part of contiguous memory on specific
+ * contiguous memory area.
+ */
+-struct page *cma_alloc(struct cma *cma, int count, unsigned int align)
++struct page *cma_alloc(struct cma *cma, size_t count, unsigned int align)
+ {
+ unsigned long mask, pfn, start = 0;
+ unsigned long bitmap_maxno, bitmap_no, bitmap_count;
+@@ -348,7 +348,7 @@ struct page *cma_alloc(struct cma *cma, int count, unsigned int align)
+ if (!cma || !cma->count)
+ return NULL;
+
+- pr_debug("%s(cma %p, count %d, align %d)\n", __func__, (void *)cma,
++ pr_debug("%s(cma %p, count %zu, align %d)\n", __func__, (void *)cma,
+ count, align);
+
+ if (!count)
+--
+cgit v1.1
+
diff --git a/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt b/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt
index a1b8d8a3..96047442 100644
--- a/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt
+++ b/Patches/Linux_CVEs/Kernel_CVE_Patch_List.txt
@@ -750,7 +750,7 @@ CVE-2016-3841
 CVE-2016-3842
 Pulled
 Link - 3.4 - https://github.com/aosp-mirror/kernel_msm/commit/15701ca335357e98a0eb98ef079fe45e3b830591
- Link - 3.10 https://github.com/aosp-mirror/kernel_msm/commit/f5f0a2fe84b589793baa5713ea2aa16779e00d5e
+ Link - 3.10 - https://github.com/aosp-mirror/kernel_msm/commit/f5f0a2fe84b589793baa5713ea2aa16779e00d5e
 Link - 3.18 - https://github.com/aosp-mirror/kernel_msm/commit/905de01dda0bc6663f8ce5c8f0f3831dae49bb36
 CVE-2016-3843
 Pulled
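Review bot: Filing this backport under `ANY` looks too broad, because it patches `mm/cma.c` and `include/linux/cma.h`, while the patch deleted just above (same subject, its path is outside this view) targets a tree where `dma_alloc_from_contiguous()` sits next to `clear_cma_bitmap()` in `drivers/base/dma-contiguous.c` and returns a pfn. On kernels with that older layout this file presumably cannot apply, so the `int` to `size_t` fix would be lost unless the older backport is kept under a version-scoped directory; it is worth confirming that the patch applier reports a failed apply instead of skipping it. Inside the patch only the allocation side is widened: the context lines still declare `cma_release(struct cma *cma, struct page *pages, int count)` and `dma_release_from_contiguous(..., int count)`, so a large count would still be narrowed on release. `align` is `unsigned int`, so the new format string would be more exact as `"%s(cma %p, count %zu, align %u)\n"`.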
@@ -1438,7 +1438,7 @@ CVE-2017-0621
 Link - https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=9656e2c2b3523af20502bf1e933e35a397f5e82f
 CVE-2017-0622
 Link - 3.18 - https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=40efa25345003a96db34effbd23ed39530b3ac10
- Link - 4.4 -https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=2881d2bbc26ff321fd9e717ad6f968aebd277d22
+ Link - 4.4 - https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm-4.4.git;a=commit;h=2881d2bbc26ff321fd9e717ad6f968aebd277d22
 CVE-2017-0624
 Link - https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-2.0/commit/?id=0ac5f6f2f221efb93fc0ddb1fec6487c76d95acd
 CVE-2017-0626
diff --git a/Patches/Linux_CVEs/LVT-2017-0001/3.0/0.patch b/Patches/Linux_CVEs/LVT-2017-0001/3.0/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0001/3.0/0.patch
rename to Patches/Linux_CVEs/LVT-2017-0001/3.0/0001.patch
diff --git a/Patches/Linux_CVEs/LVT-2017-0001/3.0/0.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0001/3.0/0001.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0001/3.0/0.patch.base64
rename to Patches/Linux_CVEs/LVT-2017-0001/3.0/0001.patch.base64
diff --git a/Patches/Linux_CVEs/LVT-2017-0001/3.10/2.patch b/Patches/Linux_CVEs/LVT-2017-0001/3.10/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0001/3.10/2.patch
rename to Patches/Linux_CVEs/LVT-2017-0001/3.10/0003.patch
diff --git a/Patches/Linux_CVEs/LVT-2017-0001/3.10/2.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0001/3.10/0003.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0001/3.10/2.patch.base64
rename to Patches/Linux_CVEs/LVT-2017-0001/3.10/0003.patch.base64
diff --git a/Patches/Linux_CVEs/LVT-2017-0001/3.18/3.patch b/Patches/Linux_CVEs/LVT-2017-0001/3.18/0004.patch
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0001/3.18/3.patch
rename to Patches/Linux_CVEs/LVT-2017-0001/3.18/0004.patch
diff --git a/Patches/Linux_CVEs/LVT-2017-0001/3.18/3.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0001/3.18/0004.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0001/3.18/3.patch.base64
rename to Patches/Linux_CVEs/LVT-2017-0001/3.18/0004.patch.base64
diff --git a/Patches/Linux_CVEs/LVT-2017-0001/3.4/1.patch b/Patches/Linux_CVEs/LVT-2017-0001/3.4/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0001/3.4/1.patch
rename to Patches/Linux_CVEs/LVT-2017-0001/3.4/0002.patch
diff --git a/Patches/Linux_CVEs/LVT-2017-0001/3.4/1.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0001/3.4/0002.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0001/3.4/1.patch.base64
rename to Patches/Linux_CVEs/LVT-2017-0001/3.4/0002.patch.base64
diff --git a/Patches/Linux_CVEs/LVT-2017-0002/3.10/1.patch b/Patches/Linux_CVEs/LVT-2017-0002/3.10/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0002/3.10/1.patch
rename to Patches/Linux_CVEs/LVT-2017-0002/3.10/0002.patch
diff --git a/Patches/Linux_CVEs/LVT-2017-0002/3.10/1.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0002/3.10/0002.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0002/3.10/1.patch.base64
rename to Patches/Linux_CVEs/LVT-2017-0002/3.10/0002.patch.base64
diff --git a/Patches/Linux_CVEs/LVT-2017-0002/3.18/2.patch b/Patches/Linux_CVEs/LVT-2017-0002/3.18/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0002/3.18/2.patch
rename to Patches/Linux_CVEs/LVT-2017-0002/3.18/0003.patch
diff --git a/Patches/Linux_CVEs/LVT-2017-0002/3.18/2.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0002/3.18/0003.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0002/3.18/2.patch.base64
rename to Patches/Linux_CVEs/LVT-2017-0002/3.18/0003.patch.base64
diff --git a/Patches/Linux_CVEs/LVT-2017-0002/3.4/0.patch b/Patches/Linux_CVEs/LVT-2017-0002/3.4/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0002/3.4/0.patch
rename to Patches/Linux_CVEs/LVT-2017-0002/3.4/0001.patch
diff --git a/Patches/Linux_CVEs/LVT-2017-0002/3.4/0.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0002/3.4/0001.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0002/3.4/0.patch.base64
rename to Patches/Linux_CVEs/LVT-2017-0002/3.4/0001.patch.base64
diff --git a/Patches/Linux_CVEs/LVT-2017-0003/3.10/0.patch b/Patches/Linux_CVEs/LVT-2017-0003/3.10/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0003/3.10/0.patch
rename to Patches/Linux_CVEs/LVT-2017-0003/3.10/0001.patch
diff --git a/Patches/Linux_CVEs/LVT-2017-0003/3.10/0.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0003/3.10/0001.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0003/3.10/0.patch.base64
rename to Patches/Linux_CVEs/LVT-2017-0003/3.10/0001.patch.base64
diff --git a/Patches/Linux_CVEs/LVT-2017-0004/3.10/1.patch b/Patches/Linux_CVEs/LVT-2017-0004/3.10/0002.patch
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0004/3.10/1.patch
rename to Patches/Linux_CVEs/LVT-2017-0004/3.10/0002.patch
diff --git a/Patches/Linux_CVEs/LVT-2017-0004/3.10/1.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0004/3.10/0002.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0004/3.10/1.patch.base64
rename to Patches/Linux_CVEs/LVT-2017-0004/3.10/0002.patch.base64
diff --git a/Patches/Linux_CVEs/LVT-2017-0004/3.18/2.patch b/Patches/Linux_CVEs/LVT-2017-0004/3.18/0003.patch
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0004/3.18/2.patch
rename to Patches/Linux_CVEs/LVT-2017-0004/3.18/0003.patch
diff --git a/Patches/Linux_CVEs/LVT-2017-0004/3.18/2.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0004/3.18/0003.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0004/3.18/2.patch.base64
rename to Patches/Linux_CVEs/LVT-2017-0004/3.18/0003.patch.base64
diff --git a/Patches/Linux_CVEs/LVT-2017-0004/3.4/0.patch b/Patches/Linux_CVEs/LVT-2017-0004/3.4/0001.patch
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0004/3.4/0.patch
rename to Patches/Linux_CVEs/LVT-2017-0004/3.4/0001.patch
diff --git a/Patches/Linux_CVEs/LVT-2017-0004/3.4/0.patch.base64 b/Patches/Linux_CVEs/LVT-2017-0004/3.4/0001.patch.base64
similarity index 100%
rename from Patches/Linux_CVEs/LVT-2017-0004/3.4/0.patch.base64
rename to Patches/Linux_CVEs/LVT-2017-0004/3.4/0001.patch.base64